Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1874
Views
0
Helpful
4
Replies

Cisco ipad ipsec vpn connects though no access to lan

Go to solution
ollie2783
Level 1
Level 1

‎07-13-2012 04:26 AM - edited ‎02-21-2020 06:11 PM

Hi Guys,

I'm trying to connect our ipads to vpn to access lan resources. The cisco ipad ipsec connects though no lan access and cannot ping anything not even interfaces on the router.

If i setup the cisco vpn on a laptop it works perfectly i can ping everything and can access resources on the lan so my guess is traffic is not going down the vpn tunnel between ipad and office.

cisco 877.

Attached is my config.

Any ideas ?

Thanks

Labels:
131525-ipad.txt.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎07-13-2012 05:26 AM

The build-in iPad-client is not campatible with your setup.

You have three options:

1) remove the acl from your vpn-group. Without split-tunneling the client will work.

2) migrate back to the legacy config style with crypto-map. There you can use split-tunneling

3) migrate to AnyConnect.

The background of the problem is, that the iPad receives the split-tunneling-information. But instead of controlling with routing which traffic should go throuh the tunnel and which traffic is allowed without the VPN, the iPad tries to build one set of SAs for each line in your split-tunnel-ACLs. But with the virtual-template only one SA is allowed.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Karsten Iwen
VIP
VIP

‎07-13-2012 05:26 AM

The build-in iPad-client is not campatible with your setup.

You have three options:

1) remove the acl from your vpn-group. Without split-tunneling the client will work.

2) migrate back to the legacy config style with crypto-map. There you can use split-tunneling

3) migrate to AnyConnect.

The background of the problem is, that the iPad receives the split-tunneling-information. But instead of controlling with routing which traffic should go throuh the tunnel and which traffic is allowed without the VPN, the iPad tries to build one set of SAs for each line in your split-tunnel-ACLs. But with the virtual-template only one SA is allowed.

0 Helpful

Go to solution
ollie2783
Level 1
Level 1

‎07-13-2012 06:53 AM

I see. Seems bit strange as i have another line with almost identical vpn set and i can ping and access lan on that vpn.  What your saying makes sense i'll try removing acl from vpn group tonight.

Thanks

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to ollie2783

‎07-13-2012 07:27 AM

it depends on the order of your ACEs. With a little luck all your needed traffic was matched against the first ACE in your ACL.

Sent from Cisco Technical Support iPad App

0 Helpful

Go to solution
ollie2783
Level 1
Level 1
In response to Karsten Iwen

‎07-14-2012 08:40 AM

Thank you  i've been struggling for 3 days with this your explanation was spot on.

Thanks again

0 Helpful
Customers Also Viewed These Support Documents