{"id":118,"date":"2013-01-03T15:57:37","date_gmt":"2013-01-03T15:57:37","guid":{"rendered":"http:\/\/iddles.co.uk\/blogs\/?p=118"},"modified":"2013-01-03T15:57:37","modified_gmt":"2013-01-03T15:57:37","slug":"native-apple-ios-client-to-cisco-asa-vpn-using-certificate-authentication-part-1","status":"publish","type":"post","link":"https:\/\/iddles.co.uk\/index.php\/2013\/01\/03\/native-apple-ios-client-to-cisco-asa-vpn-using-certificate-authentication-part-1\/","title":{"rendered":"Native Apple iOS Client to Cisco ASA VPN using Certificate Authentication &#8211; Part 1"},"content":{"rendered":"<p>I have been working on this for a while now.\u00a0 Because of a variety of reasons that I can&#8217;t go into here, some of my configuration was mandatory.<br \/>\nThe Apple iOS (used on iPhone, iPad and iPod Touch) has an in-built VPN client that Cisco assisted with development.\u00a0 It supports PPTP, L2TP and IPSEC.\u00a0 Unless you are crazy you would only seriously use IPSEC.\u00a0 However, it only supports IPSEC using IKEv1 key negotiation.\u00a0 Unless you have a specific reason, really only IKEv2 should be used, as it has a number of performance and security benefits.\u00a0 So that causes a problem with iOS devices.<br \/>\nUsing IKEv1 in conjunction with a group\/pre-shared key is well documented and simple to get working.\u00a0 If you are using certificates then it gets a whole lot more interesting.<br \/>\nOne fix is to use the AnyConnect client from the App Store.\u00a0 This is free to download and can be deployed using the Apple Configurator utility from a Mac OS X device.\u00a0 This allows SSL VPN as well as IPSEC IKEv2 connections (in version 3.0 of the AnyConnect iOS\/Android client) and has enterprise-grade tools such as logging, diagnostics and a tool similar to the DART utility that the desktop AnyConnect has.<br \/>\nThe difficulty with this is that even though you have purchased SSL VPN user licences (AnyConnect Essentials or Premium) Cisco still want some more 
money in the guise of an &#8216;AnyConnect Mobile&#8217; licence.\u00a0 These retail at around \u00a3500, which is still another outlay you did not bargain for.\u00a0 Also, your security policy may mandate the use of the built-in client, so it&#8217;s time to roll up your sleeves.<\/p>\n<h2>So what&#8217;s it doing?<\/h2>\n<p>As with most things, being able to see what the iOS device is actually doing would be a good start.\u00a0 In Apple&#8217;s infinite wisdom any user messages are usually &#8220;cannot connect&#8221;, &#8220;unable to verify server&#8221; and not a lot else.<br \/>\nArmed with a Mac you do have a number of tools at your disposal.\u00a0 Of course, if you are reading this it stands a good chance you are doing this in a company, and you will need a Mac to deploy Enterprise profiles to iOS devices as, let&#8217;s face it, you really, really should lock those babies down.<br \/>\n1) Remember the Mac OS X VPN client is very similar to the iOS VPN client, so if it&#8217;s possible to replicate the configuration on the Mac, you may see something more useful to start with.\u00a0 In my experience you don&#8217;t, but it&#8217;s worth mentioning.<br \/>\n2) Using Xcode it&#8217;s possible to see the iOS device&#8217;s system log in real time (the equivalent of the \/var\/log\/messages file).\u00a0 From this you can see more useful messages from the client.\u00a0 To do this:<\/p>\n<ul>\n<li>Install either Xcode or the Apple Enterprise Configurator from http:\/\/www.apple.com\/support\/iphone\/enterprise\/\u00a0 (I used Xcode)<\/li>\n<li>Open Xcode, then select Window &gt; Organiser<\/li>\n<li>Connect the iOS device to your Mac using a USB cable<\/li>\n<li>You should then be able to select the device, then Console Log<\/li>\n<\/ul>\n<p>3) For a low-level view of what&#8217;s going on you can use the Mac to create a virtual interface to tunnel the iOS device&#8217;s network traffic over.\u00a0 From there you can use tcpdump to take packet captures.<br \/>\nYou again need a Mac, a USB cable and a utility from the App Store that you can pull the 
iOS device&#8217;s UDID down with.\u00a0 This is important.\u00a0 I used UDID+ but there are others.\u00a0 Quite how this will work when Apple remove it from iOS 6 is not well known&#8230; anyhoo&#8230;\u00a0 Once you have the UDID, run the following on the Mac:<\/p>\n<pre>$ # First get the current list of interfaces.\n$ ifconfig -l\nlo0 gif0 stf0 en0 en1 p2p0 fw0 ppp0 utun0\n$ # Then run the tool with the UDID of the device.\n$ rvictl -s 74bd53c647548234ddcef0ee3abee616005051ed<\/pre>\n<pre>Starting device 74bd53c647548234ddcef0ee3abee616005051ed [SUCCEEDED]<\/pre>\n<pre>$ # Get the list of interfaces again, and you can see the new virtual\n$ # network interface, rvi0, added by the previous command.\n$ ifconfig -l\nlo0 gif0 stf0 en0 en1 p2p0 fw0 ppp0 utun0 rvi0<\/pre>\n<p>Then<\/p>\n<pre>$ sudo launchctl load -w \/System\/Library\/LaunchDaemons\/com.apple.rpmuxd.plist<\/pre>\n<p>Now that you know the name of the RVI, you can point your packet trace tool at it. 
For example, here&#8217;s how you might run tcpdump to take a packet trace from the RVI.<\/p>\n<pre>$ sudo tcpdump -i rvi0 -n<\/pre>\n<pre>tcpdump: WARNING: rvi0: That device doesn't support promiscuous mode\n(BIOCPROMISC: Operation not supported on socket)\ntcpdump: WARNING: rvi0: no IPv4 address assigned\ntcpdump: verbose output suppressed, use -v or -vv for full protocol decode\nlistening on rvi0, link-type RAW (Raw IP), capture size 65535 bytes<\/pre>\n<p>\u2026<br \/>\nWhen you&#8217;re done you can remove the RVI with the following command.<\/p>\n<pre>$ rvictl -x 74bd53c647548234ddcef0ee3abee616005051ed<\/pre>\n<pre>Stopping device 74bd53c647548234ddcef0ee3abee616005051ed [SUCCEEDED]<\/pre>\n<p>That should get you into a position where you can debug the client traffic.\u00a0 Simply open the captured traffic up in Wireshark and you may have a clue&#8230;<br \/>\nIn part 2, I&#8217;ll discuss the ASA configuration: what works, what does not, and what is a Cisco ASA bug!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have been working on this for a while now.\u00a0 Because of a variety of reasons that I can&#8217;t go into here, some of my configuration was mandatory. 
The Apple iOS (used on iPhone, iPad and iPod Touch) has an in-built VPN client that Cisco assisted with development.\u00a0 It supports PPTP, L2TP and IPSEC.\u00a0 Unless [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[5,7,9,11],"tags":[19,20,27,40,57],"class_list":["post-118","post","type-post","status-publish","format-standard","hentry","category-mobile","category-networking","category-osx","category-security","tag-apple-ios","tag-asa","tag-cisco-ios","tag-ipsec","tag-vpn","post-preview"],"_links":{"self":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/118","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=118"}],"version-history":[{"count":0,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/118\/revisions"}],"wp:attachment":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=118"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=118"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=118"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}