{"id":157,"date":"2014-01-08T15:58:54","date_gmt":"2014-01-08T15:58:54","guid":{"rendered":"http:\/\/iddles.co.uk\/blogs\/?p=157"},"modified":"2014-01-08T15:58:54","modified_gmt":"2014-01-08T15:58:54","slug":"native-apple-ios-client-and-android-client-to-cisco-asa-vpn-using-certificate-authentication-part-4-more-asa-side","status":"publish","type":"post","link":"https:\/\/iddles.co.uk\/index.php\/2014\/01\/08\/native-apple-ios-client-and-android-client-to-cisco-asa-vpn-using-certificate-authentication-part-4-more-asa-side\/","title":{"rendered":"Native Apple iOS Client and Android Client to Cisco ASA VPN using Certificate Authentication Part 4 \u2013 More ASA Side"},"content":{"rendered":"<p>Some parts I forgot from the last few posts.<br \/>\nThe ASA also uses Group Policy (not AD group policy!) configuration. In here you set useful things such as DNS, domain and other properties. It&#8217;s also the area to configure specifics for the IPSEC Phase 2 connection. I normally use a GP per connection as it allows some flexibility when making changes later on. You can also set some values within the default group policy that will be standard over the whole of your ASA; whether a group policy picks them up depends on whether inherit is turned on.<br \/>\nFor Apple iOS devices IP Compression and PFS have to be turned on. On Android, these are not. If they are set, you get a strange symptom where the Android handset claims it&#8217;s connected (and the ASA even issues an IP address) but the device never shows as connected in ASDM. It was only with use of various debugs that I managed to find this out.<br \/>\nGroup policies therefore are:<\/p>\n<pre style=\"padding-left:30px;\">!Apple iOS\ngroup-policy GP_iOS internal\ngroup-policy GP_iOS attributes\n dns-server value 10.100.200.10 10.100.202.10\n vpn-session-timeout none\n vpn-tunnel-protocol ikev1\n ip-comp enable\n pfs enable\n default-domain value 
mydomain.local\n!Android\ngroup-policy GP_ANDR internal\ngroup-policy GP_ANDR attributes\n dns-server value 10.100.202.10 10.100.200.10\n vpn-session-timeout none\n vpn-tunnel-protocol ikev1\n default-domain value mydomain.local<\/pre>\n<p>That should complete all of the configuration required to allow iOS and Android devices to connect to a Cisco ASA using the inbuilt native IPSEC client using x509 certificates. You really aren&#8217;t using Pre Shared Keys in this day and age, are you?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Some parts I forgot from the last few posts. The ASA also uses Group Policy (not AD group policy!) configuration. In here you set useful things such as DNS, domain and other properties. It&#8217;s also the area to configure specifics for the IPSEC Phase 2 connection. I normally use a GP per connection as its [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[5,6,7,11],"tags":[],"class_list":["post-157","post","type-post","status-publish","format-standard","hentry","category-mobile","category-mobile-computing","category-networking","category-security","post-preview"],"_links":{"self":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/157","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=157"}],"version-history":[{"count":0,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/157\/revisions"}],"wp:attachment":[{"href":"https:
\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=157"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}