{"id":124,"date":"2013-11-05T20:04:14","date_gmt":"2013-11-05T20:04:14","guid":{"rendered":"http:\/\/iddles.co.uk\/blogs\/?p=124"},"modified":"2013-11-05T20:04:14","modified_gmt":"2013-11-05T20:04:14","slug":"native-apple-ios-client-to-cisco-asa-vpn-using-certificate-authentication-part-2","status":"publish","type":"post","link":"https:\/\/iddles.co.uk\/index.php\/2013\/11\/05\/native-apple-ios-client-to-cisco-asa-vpn-using-certificate-authentication-part-2\/","title":{"rendered":"Native Apple iOS Client and Android Client to Cisco ASA VPN using Certificate Authentication \u2013 Part 2"},"content":{"rendered":"

So the previous thread we were discussing Apple iOS.\u00a0 Now you may have had the same issues with Andoid with it becomming more popular.
\nFirst issue when configuring the ASA is the IKEv1 key exchange that goes on.\u00a0 When a device attempts to connect, the client is asked to provide all of the key schemes that it supports.\u00a0 Android 4.1+ and IOS 7 give out (in order)
\nAndroid<\/span><\/b><\/p>\n\n\n\n\n\n\n\n\n\n\n
AES-CBC<\/td>\n256<\/td>\nSeconds<\/td>\n28800<\/td>\nSHA1<\/td>\nDH Gp 2<\/td>\n<\/tr>\n
AES-CBC<\/td>\n256<\/td>\nSeconds<\/td>\n28800<\/td>\nMD5<\/td>\nDH Gp 2<\/td>\n<\/tr>\n
AES-CBC<\/td>\n128<\/td>\nSeconds<\/td>\n28800<\/td>\nSHA1<\/td>\nDH Gp 2<\/td>\n<\/tr>\n
AES-CBC<\/td>\n128<\/td>\nSeconds<\/td>\n28800<\/td>\nMD5<\/td>\nDH Gp 2<\/td>\n<\/tr>\n
3DES-CBC<\/td>\n<\/td>\nSeconds<\/td>\n28800<\/td>\nSHA1<\/td>\nDH Gp 2<\/td>\n<\/tr>\n
3DES-CBC<\/td>\n<\/td>\nSeconds<\/td>\n28800<\/td>\nMD5<\/td>\nDH Gp 2<\/td>\n<\/tr>\n
DES-CBC<\/td>\n<\/td>\nSeconds<\/td>\n28800<\/td>\nSHA1<\/td>\nDH Gp 2<\/td>\n<\/tr>\n
DES-CBC<\/td>\n<\/td>\nSeconds<\/td>\n28800<\/td>\nMD5<\/td>\nDH Gp 2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

iOS 7<\/span><\/b><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n
AES-CBC<\/td>\n256<\/td>\nSeconds<\/td>\n3600<\/td>\nSHA1<\/td>\nDH Gp 5<\/td>\n<\/tr>\n
AES-CBC<\/td>\n256<\/td>\nSeconds<\/td>\n3600<\/td>\nSHA1<\/td>\nDH Gp 2<\/td>\n<\/tr>\n
AES-CBC<\/td>\n128<\/td>\nSeconds<\/td>\n3600<\/td>\nSHA1<\/td>\nDH Gp 2<\/td>\n<\/tr>\n
AES-CBC<\/td>\n256<\/td>\nSeconds<\/td>\n3600<\/td>\nMD5<\/td>\nDH Gp 5<\/td>\n<\/tr>\n
AES-CBC<\/td>\n256<\/td>\nSeconds<\/td>\n3600<\/td>\nMD5<\/td>\nDH Gp 2<\/td>\n<\/tr>\n
AES-CBC<\/td>\n128<\/td>\nSeconds<\/td>\n3600<\/td>\nMD5<\/td>\nDH Gp 2<\/td>\n<\/tr>\n
3DES-CBC<\/td>\n<\/td>\nSeconds<\/td>\n3600<\/td>\nSHA1<\/td>\nDH Gp 2<\/td>\n<\/tr>\n
3DES-CBC<\/td>\n<\/td>\nSeconds<\/td>\n3600<\/td>\nMD5<\/td>\nDH Gp 2<\/td>\n<\/tr>\n
DES-CBC<\/td>\n<\/td>\nSeconds<\/td>\n3600<\/td>\nSHA1<\/td>\nDH Gp 2<\/td>\n<\/tr>\n
DES-CBC<\/td>\n<\/td>\nSeconds<\/td>\n3600<\/td>\nMD5<\/td>\nDH Gp 2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Now we have these values we can look at configuring the ASA to support native IOS and Andoid clients using x509 Certificate authentication.\u00a0\u00a0 Its pretty obvious that the top one is the most secure, trailing off to blatantly insecure…….
\nTime for post 3……..<\/p>\n","protected":false},"excerpt":{"rendered":"

So the previous thread we were discussing Apple iOS.\u00a0 Now you may have had the same issues with Andoid with it becomming more popular. First issue when configuring the ASA is the IKEv1 key exchange that goes on.\u00a0 When a device attempts to connect, the client is asked to provide all of the key schemes […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[5,7],"tags":[],"class_list":["post-124","post","type-post","status-publish","format-standard","hentry","category-mobile","category-networking","post-preview"],"_links":{"self":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/124","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=124"}],"version-history":[{"count":0,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/124\/revisions"}],"wp:attachment":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=124"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=124"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=124"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}