Anyone tried to connect GP from iphone/ipad with ClientCert?

emr_1 — Wed, 04 Jan 2012 07:56:25 GMT

I'm tring to connect GP from iPhone5 and iPad4.3.3 with Client Cert Auth.

I can't see the establishment of IPSec VPN, however, I could establish VPN from Windows with same client cert.

I want to see the working sample cofiguration.

Could anyone share the information?

My testbed:

-PA-5020 v4.1.1

-GP v1.1.1

-Windows 2003R2 as Client Cert CA

BTW, I know the following document and could not work well.

https://live.paloaltonetworks.com/docs/DOC-1972

Regards,

Emr

Re: Anyone tried to connect GP from iphone/ipad with ClientCert?

jdelio — Tue, 24 Jan 2012 21:31:02 GMT

This has been setup and works with other customers, the following should help:

On the PAN device
1: configure a Global Protect Portal (fairly simple and straight forward, refer to the Global Protect setup doc)
2: configure a Global Protect Gateway (this is where you get into the Xauth feature needed for iOS VPN)
A: server cert, authentication setup is as usual, do not use a client cert
B: enable tunnel mode
C: enable X-auth support (IPSEC will already be enabled, leave this as-is)
😧 make up a group name and a group password, leave ‘skip auth on IKE Rekey’ enabled
E: tunnel Gateway: I used the same as my GP Portal
F: client configuration tab of the GP gateway is more or less the same as NetConnect setup parameters so I will not cover them here
G: iOS VPN does not use HIP so do NOT create any HIP profiles
3: make sure you have security policy and NAT policy configured as needed
4: commit

On the iOS device:
General -> Network -> VPN -> Add a VPN Configuration
Select the IPSec tab
Description: choose a name
Server: the IP address or FQDN of your GP Portal
Account: username for VPN access
Password: password for the user in previous step
Use certificate: greyed out on my setup (I am not sure if we can enable this on iOS, need to do research)
Group name: use the same group name you created on the GP Gateway
Secret: the group password from your GP Gateway
Save the config
Connect the VPN
Test connectivity in your web browser on the iOS device.

I hope this helps.

topic Re: Anyone tried to connect GP from iphone/ipad with ClientCert? in General Topics

Anyone tried to connect GP from iphone/ipad with ClientCert?

Re: Anyone tried to connect GP from iphone/ipad with ClientCert?