BTN633: XAUTH Authentication on iOS


6 replies to this topic

#1 Stefan Hora

Stefan Hora
  • Barracuda Guru
  • 142 posts

Posted 01 March 2012 - 04:48 AM

Is the authentication based only on a certificate, or on a certificate and user/password combined?

#2 Michael Mack

Michael Mack
  • Barracuda Team Members
  • 19 posts
  • Location: Munich

Posted 05 March 2012 - 04:46 AM

Xauth is currently done in a combination of user credentials and X.509 certs. There is a small How-to at the end of the Admin Guide 5.2.3. It is important that the Root Cert of the VPN Server is installed as a *.pem file on the iPhone. And Phase I and Phase II parameters must match. Don't use 3DES for encryption.

I will publish a Webinar for Xauth IPSec VPN with NG Firewall within the next couple of days.

#3 Michael Mack

Michael Mack
  • Barracuda Team Members
  • 19 posts
  • Location: Munich

Posted 06 March 2012 - 10:40 AM

I will talk about Xauth and iOS devices in this webinar.

https://bu.barracuda...etail?id=BTN651

#4 Wojciech Krasniewski

Wojciech Krasniewski
  • Members
  • 2 posts
  • Location: Katowice, Poland

Posted 22 March 2012 - 08:57 AM

<edit>

Never mind, I forgot to import the CA pem to the iOS device :-)

</edit>

I attended this webinar, and afterwards I tried to configure XAuth on a customer device, but in the IKE logs I get these entries:

2012 03 22 13:11:54 Notice +0100 firewall_vpn_ike[31683]: x509_cert_subjectaltname: certificate does not contain subjectAltName
2012 03 22 13:11:55 Notice +0100 firewall_vpn_ike[31683]: message_parse_payloads: invalid next payload type <Unknown 120> in payload of type 8
2012 03 22 13:11:55 Notice +0100 firewall_vpn_ike[31683]: dropped message from 109.243.54.152 port 500 due to notification type INVALID_PAYLOAD_TYPE

Could you tell me what I am doing wrong?
I created a CA cert and two certificates: one for the VPN server, which has a subjectAltName with the proper server address, and a second for the iPhone without a subjectAltName.
I did not pay attention when you created the certificates for the device, and I don't know whether I need to enter something in subjectAltName.

Could you upload somewhere an example base from XCA with proper certificates? Or maybe you have recorded this webinar :-)
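
As an added example (not part of the original post and not Barracuda's tooling): a small Python parser for the IKE log format quoted above, which pairs each "dropped message" entry with the notices the same daemon PID logged just before it. The field layout is inferred from the three quoted lines, and the function names and the 5-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# The three IKE log lines quoted in the post above, embedded so this runs offline.
SAMPLE = """\
2012 03 22 13:11:54 Notice +0100 firewall_vpn_ike[31683]: x509_cert_subjectaltname: certificate does not contain subjectAltName
2012 03 22 13:11:55 Notice +0100 firewall_vpn_ike[31683]: message_parse_payloads: invalid next payload type <Unknown 120> in payload of type 8
2012 03 22 13:11:55 Notice +0100 firewall_vpn_ike[31683]: dropped message from 109.243.54.152 port 500 due to notification type INVALID_PAYLOAD_TYPE
"""

# Layout inferred from those lines: date, time, severity, UTC offset, process[pid]: message
LINE = re.compile(
    r"^(?P<ts>\d{4} \d\d \d\d \d\d:\d\d:\d\d) (?P<sev>\w+) (?P<tz>[+-]\d{4}) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DROP = re.compile(r"dropped message from (?P<peer>\S+) port (?P<port>\d+) "
                  r"due to notification type (?P<ntype>\w+)")

def parse(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['ts']} {m['tz']}", "%Y %m %d %H:%M:%S %z")
    return {"when": when, "sev": m["sev"], "pid": int(m["pid"]), "msg": m["msg"]}

def dropped_exchanges(text, window=5):
    """For every 'dropped message' entry, collect the notices the same daemon
    PID logged in the preceding `window` seconds (assumed default)."""
    recent, drops = defaultdict(list), []
    for entry in filter(None, map(parse, text.splitlines())):
        hit = DROP.search(entry["msg"])
        if not hit:
            recent[entry["pid"]].append(entry)
            continue
        context = [p["msg"] for p in recent[entry["pid"]]
                   if (entry["when"] - p["when"]).total_seconds() <= window]
        drops.append({"when": entry["when"], "peer": hit["peer"],
                      "port": int(hit["port"]), "notification": hit["ntype"],
                      "context": context})
        recent[entry["pid"]].clear()  # context belongs to this drop only
    return drops

if __name__ == "__main__":
    for d in dropped_exchanges(SAMPLE):
        print(d["when"].isoformat(), d["peer"], d["notification"])
        for msg in d["context"]:
            print("    preceded by:", msg)
```

Grouping by PID keeps notices from unrelated negotiations out of a drop's context when several peers connect at once.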

#5 Michael Mack

Michael Mack
  • Barracuda Team Members
  • 19 posts
  • Location: Munich

Posted 28 March 2012 - 03:48 AM

Will provide a How-to within the next couple of days and post it in the forum.

#6 Manuel Huber

Manuel Huber
  • Members
  • 35 posts

Posted 13 June 2012 - 07:31 AM

Due to ongoing and frequent requests from customers to provide a VPN connection with the iOS-included IPsec client, we'd like to have this How-to.
Or Barracuda provides an IPsec connection with PSK instead of certificates....
Thanks

#7 Michael Mack

Michael Mack
  • Barracuda Team Members
  • 19 posts
  • Location: Munich

Posted 20 June 2012 - 07:12 AM

IPSec xAuth and PSK is on the roadmap, but I don't know for which release. It could take some time.

If there are still problems setting up xAuth, please let me know.

Michael