ASK THE EXPERTS - Connect your iPhone/iPad via IPsec and SSLVPN

ciscomoderator
Community Manager

with Jason Gervia

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how you can extend your remote access VPN capabilities to the various Apple IOS devices, including the iPad, iPhone, and iTouch with Cisco expert Jason Gervia. Jason is a Customer Support Engineer at the Cisco Technical Assistance Center in North Carolina, where he has been for almost four years. He is currently team lead of the VPN technology team. His area of expertise is in the VPN and security realm, including Cisco IOS IPSec VPNs, public key infrastructures, Cisco IOS SSL VPN, and Cisco Security Manager. Jason holds CCIE Security certification 26894.

Remember to use the rating system to let Jason know if you have received an adequate response.

Jason might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security discussion forums shortly after the event. This event lasts through February 11, 2011. Visit this forum often to view responses to your questions and the questions of other community members.


lazarmihail
Level 1

Hello,

We have a network in our small office and I need some help in order to solve the following issue:

In our network we have a Cisco 861W router which has VPN capabilities. We configured it in order to access our internal Apple Time Capsule from any part of the world. We have our internal network (wireless) in VLAN 20, network range 192.168.2.0/24. The Time Capsule also connects wirelessly into the network by getting an IP address from VLAN 20. The router also has a management VLAN 1, which has been configured in the 192.168.1.0/24 network. This VLAN is not giving any IP addresses to clients. VPN was configured on VLAN 10, network 192.168.10.0/24.

Now,

When we connect to our router through a VPN connection with a Windows 7 operating system and the Cisco VPN client configured on it, we have access to local network resources like the Time Capsule and other computers.

The problem arises when we connect through a Mac OS X 10.6 computer: it connects to the VPN router but we don't have access to local resources like the Time Capsule or any other computer on the network. When we did a connectivity test we were able to ping the 192.168.1.0/24 network but we were not able to ping the 192.168.2.0/24 network.

Can you tell us what setting we are missing on the MacBook Pro laptop, or in the router configuration, in order to have access to local resources through VPN?

Thank you.

Lazar,


While not precisely an iphone/ipad/itouch connection, I'll try to answer this as best I can.

If you are connecting with a Mac and can ping the 192.168.1/24 network, I would verify the following:

1)  Verify you are connecting to the same group as the windows machines

2)  Verify that you are getting an IP address in the same range as the Windows machines, and receiving the same networks/routes via split tunneling (if you are split tunneling)

3)  Can you ping the router interface address on the 192.168.2 network?

4)  Does your Mac have any firewall installed on it? Is the LAN IP address overlapping with the 192.168.2/24 address space?

If you wish, try attaching your config (minus any confidential data) and I can try to determine what the issue may be.

Hello,

1)  Verify you are connecting to the same group as the windows machines

     * Yes, there is only one group created for VPN connections.

2)  Verify that you are getting an IP address in the same range as the Windows machines, and receiving the same networks/routes via split tunneling (if you are split tunneling)

     * Yes, I'm receiving an IP address from the 192.168.10.0/24 network, which is the same as the Windows machines. I also configured it for split tunneling and I'm receiving 192.168.2.1 automatically as DNS server.

3)  Can you ping the router interface address on the 192.168.2 network?

     * From Windows machines yes, I can ping the 192.168.2.0/24 network, but from the MacBook I can't, only the 192.168.1.0/24 network.

4)  Does your Mac have any firewall installed on it? Is the LAN IP address overlapping with the 192.168.2/24 address space?

     * On the MacBook I don't have the firewall activated, and it is not overlapping with the 192.168.2.0 network because I'm connecting through a 3G network and the provider gives me a public address.

Please see the attached configuration of the router and AP and give me advice or a hint where to look in order to fix the problem, because this MacBook is starting to give me headaches.

Thank You.

Mihail

Mihail

I analyzed your configuration and I don't see anything jumping out at me as to why you would be experiencing connectivity differences between Mac and Windows when connecting to that router.

I would verify the following:

1)  That you aren't seeing any dropped messages/logs on the router for packets to the mac when it's connected

2)  See if you can ping the 192.168.2.1 address (which is on the 192.168.2.x network, but still on the router)

You may also want to open a TAC case to resolve this, as there's no configuration in what you sent that would discriminate between Macs and Windows, which leads me to believe this is a VPN client issue of some sort.

Hello,

Please read below the answer that I received last night from Apple:

"If you're going to use a Cisco IPSec VPN with a Mac, you should use VPN Tracker, IPSecuritas or Shimo (preferred in that order) rather than the built-in Mac VPN client. You need to match the configuration on the router precisely in order for this to work. I would also suggest contacting Cisco support directly if you continue to have problems.


I would also strongly advise against using a Time Capsule for anything business related. I recommend the Promise NS4600, but there are many alternatives.

That said, one way you could easily reach the Time Capsule from a Mac virtually anywhere is by using Apple's Back To My Mac feature, part of its MobileMe service.

Hope this helps."

I will try tomorrow whether one of the VPN client programs they advise works or not.

Regards,

Hi,

I have been provided with VPN access from the office. I am using the VPN client to connect to it from my Windows laptop. I use Linux at home and I can connect to the VPN from there too. But I am not able to connect from my iPhone. I tried the Apple support forums but got no help.

The config is the same for all three. I am connecting to the same group also.

Please help.

BR // Rajiv

Sent from Cisco Technical Support iPhone App

Well ... I also discussed it with the Apple support people, but they told me that it is not the MacBook's fault and I should look in the settings of our router. I'm wondering if there is any way to test the VPN connection using another client besides the Cisco VPN client which comes with the MacBook.

Rajiv,

Are you using IPSEC or SSL?

If using IPSEC

I would check on whatever headend you are connecting to (ASA, router) to see if packets from the iPhone are actually reaching the gateway. If this is IPsec, you may want to get the output from a 'debug crypto isakmp' (on a router), or 'debug crypto isakmp 127' (on an ASA) to see if the gateway is seeing the ISAKMP packets from the iPhone.

You may also want to download the iPhone Configuration Utility from Apple; you can use the console tab to see the logs that are being generated when you try to connect using the built-in IPSec client.

If you're using AnyConnect on your iPhone, there are logs/debugs under Statistics-->Diagnostics. You can view messages or debug logs as well as e-mail them if needed.

--Jason

Jason,

I am using IPSEC. I downloaded the iPhone Configuration Utility and captured the console. From what I can find, it says IKE failed. I am attaching the log file.

Please suggest.

BR // Rajiv

Rajiv,

I looked through the log files from the VPN client: you actually get through phase 1 and XAUTH (phase 1.5). I see it initiate phase 2, but the iPhone immediately tears down phase 1 and stops the VPN connection.

Can you get a 'debug crypto ipsec 127' and 'debug crypto isakmp' from the ASA VPN cluster member you connect to? You may need to initiate directly to a cluster member without going through the VPN load-balanced IP address.

--Jason

robd.com.
Level 1

This is great news for Apple Users...what about Android users? Do you have any time frame for an Android client?

Robert,


Unfortunately, this is a question I cannot answer. I would talk to your account team if you need further information on the availability of a Cisco VPN client for the Android platform. Making a VPN client for Android requires collaboration between both Cisco and the manufacturer, given how the VPN client works.


However, L2TP over IPsec on Android should work with the ASA as of 8.3(2)12.

jmprats
Level 4

Hi, we have configured ASA Clientless SSL access. We have problems with iPad users because it is not compatible with ActiveX (so you can't execute an RDP connection to the terminal server) or Java (port forwarding with RDP). So I guess I have to connect them with IPsec and execute the RDP client itself.

Is all this true?

Any guide or recommendation to configure IPsec for iPad (iPhone) users on the ASA?

Thanks

Jmprats,


That is correct. Due to the iPad not supporting Java or ActiveX, the iPad cannot use the Cisco RDP plugin for ASA clientless SSLVPN access, as those are the only 2 methods the plugin supports.


If you use IPSec or AnyConnect, you should be able to give your iPad VPN access and use an application to provide RDP access.

As far as IPSec configuration goes, it's the same configuration that you would use for Windows, with the following 2 additional requirements:

Apple iPhone and MAC OS X Compatibility

The security appliance requires the following IKE (ISAKMP) policy settings for successful Apple iPhone or MAC OS X connections:

IKE phase 1—3DES encryption with SHA1 hash method.

IPSec phase 2—3DES or AES encryption with MD5 or SHA hash method.
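The two Apple requirements above, checked against an ASA-style configuration: this is an added example, not code from the thread or from Cisco. It assumes the pre-8.4 `crypto isakmp policy` / `crypto ipsec transform-set` syntax and uses a constructed config fragment embedded inline as input.

```python
import re

# Constructed ASA-style config fragment (pre-8.4 IKEv1 syntax) used as sample input.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
"""

# Phase 1 must offer 3DES with SHA1; phase 2 needs 3DES or AES with MD5 or SHA.
PHASE1_OK = {("3des", "sha")}
PHASE2_ENC = {"esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256"}
PHASE2_HASH = {"esp-md5-hmac", "esp-sha-hmac"}

def parse_isakmp_policies(config):
    """Map each 'crypto isakmp policy <prio>' block to its attribute/value pairs."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # left the indented policy block
    return policies

def parse_transform_sets(config):
    """Map each transform-set name to its list of ESP transforms."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)}

def apple_compatible_policies(config):
    """Priorities of IKE phase 1 policies an iPhone/Mac client can negotiate."""
    return sorted(p for p, a in parse_isakmp_policies(config).items()
                  if (a.get("encryption"), a.get("hash")) in PHASE1_OK)

def apple_compatible_transform_sets(config):
    """Transform-set names acceptable for phase 2 with an iPhone/Mac client."""
    return sorted(n for n, t in parse_transform_sets(config).items()
                  if set(t) & PHASE2_ENC and set(t) & PHASE2_HASH)
```

Policy 10 (AES-256/SHA) is fine for Windows clients but is not the 3DES/SHA1 combination the iPhone needs, so only policy 20 and the AES/SHA transform set pass.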