When you attempt to create a VPN from an iPhone to an Astaro Security Gateway (ASG) using the iPhone's built-in Cisco VPN client, the connection fails with the error 'Could Not Verify Server Certificate'.
Known to apply to the following Sophos product(s) and version(s)
Astaro Security Gateway / Sophos UTM
V7, V8, V9
When the ASG was first set up, its hostname was not a fully qualified domain name (FQDN), or the FQDN has since changed. The server certificate's VPN ID therefore does not match the hostname the iPhone connects to, so the iPhone refuses to verify it.
To confirm this:
- Go to Remote Access | Cisco VPN Client and note which server certificate is selected.
- Go to Remote Access | Certificate Management and locate that certificate ("Local X509 Cert" by default).
The VPN ID should be an FQDN; if it is not, you must create a new certificate as described below.
What To Do
Follow these steps to create a new server certificate that the iPhone can verify.
- To create a new certificate, you will probably want to copy the information from the original certificate. To view this information:
- Under Remote Access | Certificate Management, click "Download" for the required certificate and choose the 'PEM' format.
- Open the downloaded certificate in any text editor.
- Still under Certificate Management, click "New Certificate".
- Enter information into the form to create a new certificate. Most fields are arbitrary, but you must set the VPN ID type to "hostname" and the hostname must match the public FQDN of the ASG exactly as the iPhone will enter it in its VPN server setting.
- Save the certificate.
- Go to Remote Access | Cisco VPN Client and select the new certificate as the server certificate and save.
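Both the confirmation step above and the final check of the new certificate come down to one question: does the certificate's VPN ID (the subjectAltName extension) contain a dNSName equal to the gateway's public FQDN? The script below is an added example, not code from Sophos or from the original article. It reads a certificate downloaded in PEM format using only the Python standard library, walks the DER structure to the subjectAltName extension, lists its entries, and reports whether a dNSName matches the expected FQDN. The sample certificates it builds (`GOOD_PEM`, `BAD_PEM`) are constructed skeletons with placeholder fields, not real signed certificates; the hostname `vpn.example.com` and the address 203.0.113.1 are assumptions for the test input.

```python
"""Check which VPN ID an ASG / Sophos UTM server certificate carries.

The iPhone's Cisco IPsec client matches the gateway's certificate against
the hostname it connects to, and the ASG writes the "VPN ID" into the
subjectAltName extension. This stdlib-only script walks the DER structure
of a PEM certificate, lists the subjectAltName entries, and checks that a
dNSName equals the expected public FQDN.
"""
import base64
import ipaddress
import re

SAN_OID = bytes.fromhex("551d11")  # OID 2.5.29.17 subjectAltName
GENERAL_NAME_TAGS = {0x81: "email", 0x82: "DNS", 0x87: "IP"}  # rfc822Name, dNSName, iPAddress


def der_read(buf, pos):
    """Decode the TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each TLV inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        yield tag, val


def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found; download the certificate in PEM format")
    return base64.b64decode("".join(m.group(1).split()))


def san_summary(pem):
    """Return the subjectAltName GeneralNames as (kind, text) pairs, [] if absent."""
    _, cert = next(der_children(pem_to_der(pem)))  # Certificate SEQUENCE
    _, tbs = next(der_children(cert))               # tbsCertificate SEQUENCE
    for tag, val in der_children(tbs):
        if tag != 0xA3:                             # [3] EXPLICIT extensions
            continue
        _, extensions = next(der_children(val))
        for _, ext in der_children(extensions):
            fields = list(der_children(ext))        # extnID, [critical], extnValue
            if fields[0][1] != SAN_OID:
                continue
            _, names = next(der_children(fields[-1][1]))  # GeneralNames SEQUENCE
            out = []
            for ntag, nval in der_children(names):
                kind = GENERAL_NAME_TAGS.get(ntag, "other")
                if kind == "IP":
                    out.append((kind, str(ipaddress.ip_address(nval))))
                elif kind == "other":
                    out.append((kind, nval.hex()))
                else:
                    out.append((kind, nval.decode("ascii")))
            return out
    return []


def vpn_id_ok(pem, public_fqdn):
    """True only if the SAN holds a dNSName equal to the gateway's public FQDN."""
    expected = public_fqdn.rstrip(".").lower()
    if "." not in expected:  # a bare hostname is not an FQDN
        return False
    return any(k == "DNS" and v.rstrip(".").lower() == expected for k, v in san_summary(pem))


# --- constructed sample input: an X.509 skeleton, not a real or signed cert ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_cert_pem(*general_names):
    """Certificate skeleton with placeholder fields and the given SAN entries."""
    san = der(0x30, der(0x06, SAN_OID) + der(0x04, der(0x30, b"".join(general_names))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")  # v3, serial 1
              + der(0x30, b"") * 5  # sigAlg, issuer, validity, subject, SPKI placeholders
              + der(0xA3, der(0x30, san)))
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


GOOD_PEM = sample_cert_pem(der(0x82, b"vpn.example.com"))  # VPN ID type "hostname", FQDN (assumed)
BAD_PEM = sample_cert_pem(der(0x82, b"asg"), der(0x87, bytes([203, 0, 113, 1])))  # short name + IP

if __name__ == "__main__":
    for label, pem in (("good", GOOD_PEM), ("bad", BAD_PEM)):
        verdict = "ok" if vpn_id_ok(pem, "vpn.example.com") else "needs a new certificate"
        print(label, san_summary(pem), verdict)
```

Run `san_summary()` on the PEM downloaded from Certificate Management before and after creating the new certificate: the old one typically shows a short dNSName or an iPAddress entry, the new one must show a dNSName equal to the FQDN the iPhone's VPN profile uses as its server address. Where OpenSSL is at hand, `openssl x509 -in cert.pem -noout -subject -ext subjectAltName` gives the same information.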