Some parts I forgot from the last few posts.
The ASA also uses Group Policy (not AD group policy!) configuration. This is where you set useful things such as DNS, domain and other properties. It's also the place to configure specifics for the IPSEC Phase 2 connection. I normally use a GP per connection as it allows some flexibility when making changes later on. You can also set some values in the default group policy that will be standard across the whole of your ASA; whether they apply to a given policy depends on whether inherit is turned on.
For Apple iOS devices, IP Compression and PFS have to be turned on. On Android, they must not be. If they are set, you get a strange symptom where the Android handset claims it's connected (and the ASA even issues an IP address) but the device never shows as connected in ASDM. It was only by using various debugs that I managed to find this out.
The group policies are therefore:

!Apple iOS
group-policy GP_iOS internal
group-policy GP_iOS attributes
 dns-server value 10.100.200.10 10.100.202.10
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1
 ip-comp enable
 pfs enable
 default-domain value mydomain.local
!Android
group-policy GP_ANDR internal
group-policy GP_ANDR attributes
 dns-server value 10.100.202.10 10.100.200.10
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1
 default-domain value mydomain.local
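
Because an unset attribute is inherited from the default group policy, an Android policy with no `pfs` or `ip-comp` line can still end up with them on. The following check is an added example, not part of the original post: it parses group-policy blocks and reports the effective value per policy. The sample config, the policy-to-platform mapping and the assumed built-in defaults (`disable` for both) are constructed for illustration.

```python
import re

DEFAULT = "DfltGrpPolicy"  # ASA's built-in default group policy
BUILTIN = {"ip-comp": "disable", "pfs": "disable"}  # assumed factory defaults
# Per the post: iOS needs both enabled, Android needs both off.
REQUIRED = {"ios": {"ip-comp": "enable", "pfs": "enable"},
            "android": {"ip-comp": "disable", "pfs": "disable"}}

# Constructed sample: pfs is enabled globally and GP_ANDR does not override it.
SAMPLE = """\
group-policy DfltGrpPolicy attributes
 pfs enable
group-policy GP_iOS internal
group-policy GP_iOS attributes
 ip-comp enable
group-policy GP_ANDR internal
group-policy GP_ANDR attributes
 vpn-tunnel-protocol ikev1
"""

def parse_group_policies(config):
    """Return {policy: {attribute: value}} from 'group-policy X attributes' blocks."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"group-policy (\S+) attributes$", line)
        if header:
            current = policies.setdefault(header.group(1), {})
        elif current is not None and raw.startswith(" ") and not line.startswith("group-policy "):
            key, _, value = line.partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level line ends the block
    return policies

def effective(policies, name, attr):
    """Value in force for a policy: its own setting, else the inherited one."""
    for source in (name, DEFAULT):
        if attr in policies.get(source, {}):
            return policies[source][attr], source
    return BUILTIN[attr], "built-in default"

def audit(config, platform_of):
    """List (policy, attribute, value, source) where the value breaks the platform."""
    policies = parse_group_policies(config)
    return [(name, attr, *effective(policies, name, attr))
            for name, platform in platform_of.items()
            for attr, want in REQUIRED[platform].items()
            if effective(policies, name, attr)[0] != want]
```

Calling `audit(SAMPLE, {"GP_iOS": "ios", "GP_ANDR": "android"})` flags `GP_ANDR` for inheriting `pfs enable` from the default policy, while `GP_iOS` passes because it inherits the same setting.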

That should complete all of the configuration required to allow iOS and Android devices to connect to a Cisco ASA using the inbuilt native IPSEC client with x509 certificates. You really aren't using pre-shared keys in this day and age, are you?