
Strong passwords can hurt



So we got into 'a bit of a pickle' recently with the 2.0 Cisco IPSEC VPN client for the iPhone. We could not for the life of us work out what was going on. We checked the config, checked it again. We also used the awesome profile tool, to build a .mobileconfig file, push to iPhone - still no love. What possibly could be wrong...

[Image: cisco.png]

So it turns out that our shared key was "too good".

There were certain characters in the shared key that would crash the IPSEC stack on the iPhone before it even thought about connecting. We checked the logs on the ASA, nada, nothing, zilch, zip. Lots of head scratching later, we tried an 'incorrect' key. Then the ASA sprang to life, IKE status all over the place.

So this may only affect a few of y'all out there, but if you get this error, check your shared key. If you have already pushed out the key to a bunch of users it is time to log in to your ASA and set up a new "Group Name" (e.g. iPhoners) and generate a new group secret. Then you can get into the enterprise iPhone configuration utility (did we say we liked it already... oh yes) and deliver .mobileconfig files to your users to your heart's content.

The .mobileconfig file format is pretty cool, you can just email it to folks, they click it in the iPhone Mail.app, and then TADA... VPN all set. Plus the .mobileconfig file is all just XML, so it can be tweaked really easily.

The config tool does a reasonable job of securing a shared secret with some level of cryptography inside the XML. Not sure what method is used, but it is probably as strong as the one that Cisco used. Nevertheless it is a lot easier to set up a quick end point with shared secrets than building out a whole PKI with certificates. If you secure the distribution of your .pcf files and .mobileconfig files you should be, as they say, "all set" (for some value of set).

It would be wonderful to know exactly which and what combination of characters causes this fatal error, but once we reduced the complexity of our shared key password it was all tulips in springtime :)

Hope this helps someone out there...
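Since a .mobileconfig is plain XML, it is easy to check a profile before pushing it out. The following Python script is an added example, not the post's own tooling or Apple's: it builds a constructed sample profile, shows that the `<data>` element holding the shared secret is just base64 (which is what a commenter below reports finding in the configuration utility's code, and is how XML plists store binary data), and flags the characters that commenters on this post found break the iPhone client (the double quote and the backquote). The payload key names (`com.apple.vpn.managed`, `IPSec`, `SharedSecret`, `LocalIdentifier`) are an assumption modeled on Apple's VPN payload; the identifiers and secret are placeholders.

```python
import base64
import plistlib
import re

# Characters that comments on this post report as breaking the iPhone IPSec client.
# Assumption: this is only what the page reports, not a complete list.
RISKY_CHARS = {
    '"': "double quote: reported to trigger 'A fatal error has occurred'",
    "`": "backquote: reported to give 'The VPN Shared Secret is incorrect'",
}


def build_profile(group_name: str, shared_secret: str) -> bytes:
    """Serialize a minimal VPN payload as .mobileconfig XML (constructed sample).

    Key names are assumed; real profiles carry more keys than this.
    """
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.profile",  # placeholder
        "PayloadContent": [
            {
                "PayloadType": "com.apple.vpn.managed",
                "PayloadVersion": 1,
                "PayloadIdentifier": "example.vpn.payload",  # placeholder
                "UserDefinedName": group_name,
                "VPNType": "IPSec",
                "IPSec": {
                    "AuthenticationMethod": "SharedSecret",
                    "LocalIdentifier": group_name,
                    # bytes values are written as a base64 <data> element
                    "SharedSecret": shared_secret.encode("utf-8"),
                },
            }
        ],
    }
    return plistlib.dumps(profile)


def recover_secret_without_parser(raw: bytes) -> str:
    """Pull the first <data> element out of the XML by hand and base64-decode it.

    This is the whole 'cryptography' protecting the secret in the file.
    """
    blobs = re.findall(r"<data>(.*?)</data>", raw.decode("utf-8"), re.S)
    if not blobs:
        raise ValueError("no <data> element in profile")
    return base64.b64decode("".join(blobs[0].split())).decode("utf-8")


def shared_secret_from_profile(raw: bytes) -> str:
    """Use the plist parser to find the VPN payload and return its shared secret."""
    profile = plistlib.loads(raw)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.vpn.managed":
            return payload["IPSec"]["SharedSecret"].decode("utf-8")
    raise ValueError("no VPN payload in profile")


def risky_characters(secret: str) -> list:
    """Return the reported-problem characters present in the secret, sorted."""
    return [c for c in sorted(RISKY_CHARS) if c in secret]


if __name__ == "__main__":
    # Constructed throwaway secret containing both reported characters.
    raw = build_profile("iPhoners", 'Bad"start`secret')
    secret = shared_secret_from_profile(raw)
    print("secret via plist parser :", secret)
    print("secret via base64 alone :", recover_secret_without_parser(raw))
    for ch in risky_characters(secret):
        print("WARNING: secret contains", repr(ch), "-", RISKY_CHARS[ch])
```

Two things worth taking from this: a .mobileconfig in an inbox or on a file share is equivalent to the cleartext group secret, so distribute it accordingly, and a pre-push check for the reported characters avoids rolling out a key that the client cannot even load.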

Comments (9)

Drake said:

This is just ridiculous. Poor programming is no reason to compromise security. Apple fucked up, and you're just too fanboi to care. Good luck with your insecure product.

enefekt said:

Hey, what happened to Paul Kafasis' call to revolt against the App Store post? Came through in my RSS reader. Not live on the blog right now.

Paul said:

I've found in another case that this error is reported when racoon on the iPhone cannot read its config file. Most likely your bad character was a ". That would cause a config file problem.

Dominic said:

I found out that the "shared secret with some level of cryptography" is only a base64 encryption. With a base64 encoder you'll get back your "secure" password. To find out the algorithm I downloaded the "iPhone Configuration Web Utility", which is a Ruby on Rails application. After the installation I got into the code and found out that only a base64 decoding is in use.
It's a little weak for a VPN encryption.

Cameron said:

We had the same problem and we narrowed it down to the double-quote character: "

If this double-quote character was in the group key string then the iPhone would show the 'A fatal error has occurred' message.

Once we replaced the " with a different character - all was ok. Apple needs to fix this.

This post helped us narrow the issue down - many thanks!

Craig said:

I think my iPhone VPN connection suffers from this problem. The secret is very strong with ', ", . and other special characters and I get the same fatal error you describe.

Unfortunately it's outside my control to alter the key so I'm stuck with the non-functioning VPN :(

Dennis said:

Dear sir, madam,

I have configured my iPhone to connect to my PIX through VPN.
At first the first phase wouldn't succeed.
But I read this ( http://blogs.oreilly.com/iphone/2008/07/strong-passwords-can-hurt.html ) and that's now not really the problem. (too strong pw)

When I let the iPhone connect I see a popup 'Enter User Authentication'; if I choose OK, it's gone (I have the Dutch version).
If I look at the syslog I see this: Authentication failed for user ''
It looks like the iPhone sends an empty user account?
How can we fix this?

Regards,
Dennis
The Netherlands

blue4 said:

Hey there. Another probably unsupported character I found is ` (backquote). There's no " in our preshared key, but there are actually two backquotes, and many more wicked characters, which make an exceptionally strong group key, but the iPhone says "The VPN Shared Secret is incorrect".

I didn't have much time to dig into this, but I'll give it some time this or next weekend.

Brandon said:

Great article. I was having the same problem. Once I took out the special characters all works good!

Thanks
