08-13-2010 08:56 AM
Has anyone created an IPSEC VPN tunnel for an iPad implementation? I'm trying to find a secure way to
implement the iPad in our environment and I see that Apple says they support CISCO VPN.
Any documentation or instructions you can provide would be greatly appreciated.
Thanks,
GLH
08-14-2010 03:32 PM
I think it should work with l2tp-IPSec since it works on both iPhone and iMac. Here is a guide.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046219
08-16-2010 08:47 AM
The iPad IPSec VPN client has not been officially tested but I have seen it work with an ASA running 8.x using a similar configuration to the one below.
crypto ipsec transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal
group-policy BasicPolicy internal
group-policy BasicPolicy attributes
 password-storage enable
username basic password uc/Xo0s4BJ1CCT.d encrypted
tunnel-group DefaultRAGroup ipsec-attributes
tunnel-group Basic type remote-access
tunnel-group Basic general-attributes
 default-group-policy BasicPolicy
 dhcp-server 10.10.253.1
tunnel-group Basic ipsec-attributes
 pre-shared-key letmein
12-22-2010 10:35 PM
We had a lot of problems with the iPad's VPN and the embedded AT&T 3G card, until we found out that the trick is to enable NAT-T on the Cisco firewall. We've tried this with both a 3005 VPN Concentrator and an ASA5510, and it works great. FYI, you only need to do this with AT&T's 3G; Verizon and most of the other WiFi connections that we tried work fine without NAT-T. You don't need to do anything with the iPad client except plug in the standard info (default username, group name, and group password (they call it "shared secret")). It works with XAUTH Radius authentication like SecurID or PhoneFactor, too.
09-03-2011 04:50 AM
Dear all,
I tried everything as described above, but get no connection. The SA520 shows in its logfile the entry:
12:45:48: [Cisco] [IKE] ERROR: Aggressive mode of ..... [500] is not acceptable.
Do you have any idea?
Regards
Georg
09-07-2011 08:51 PM
Greg,
I know this might not be the answer you want to hear, but I have tested both the IPSec and the SSL AnyConnect client on both iPad and iPhone and had them both working. The big issue with IPSec was that, because you have to configure L2TP and terminate the tunnel on the default base group, which lacks the group name/password, and rely on the shared secret only, we decided this was a security risk. If you are trying to roll out a remote access solution, I would strongly suggest using AnyConnect SSL because this client uses DTLS and SSL fallback, which is what you want for devices that use slower connection types, i.e. WiFi or 3G. The AnyConnect also has persistence when transitioning media types and auto-reconnect that is almost seamless to the user. We have rolled out AnyConnect to over 10k users and started the iPad pilot. You can buy the Essentials AnyConnect client very cheap. IPSec is not reliable on mobile devices.
Sent from Cisco Technical Support iPad App
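Added example, not part of any post in this thread and not Cisco code: a small Python check that reads an ASA configuration like the one posted earlier and reports the points raised here, namely whether NAT-T is enabled, which tunnel-groups rely on a pre-shared key, and IKEv1 policy values treated as legacy. The function names and the `LEGACY` set are assumptions of this example, and the sample is constructed from the posted configuration.

```python
import re

# Constructed sample, based on the configuration posted earlier in this thread
# and indented the way the ASA prints sub-commands.
SAMPLE = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal
tunnel-group DefaultRAGroup ipsec-attributes
tunnel-group Basic type remote-access
tunnel-group Basic ipsec-attributes
 pre-shared-key letmein
"""

# Assumption of this example: these IKEv1 values are treated as legacy.
LEGACY = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def sections(text):
    """Group an indented ASA config into {header line: [sub-commands]}."""
    out, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            out[current].append(line.strip())
        else:
            current = line.strip()
            out.setdefault(current, [])
    return out


def audit(text):
    """Return findings for IKE policy strength, PSK tunnel-groups and NAT-T."""
    cfg, findings = sections(text), []
    for header, subs in cfg.items():
        policy = re.fullmatch(r"crypto isakmp policy (\d+)", header)
        group = re.fullmatch(r"tunnel-group (\S+) ipsec-attributes", header)
        for sub in subs:
            key, _, value = sub.partition(" ")
            if policy and value in LEGACY.get(key, ()):
                findings.append(f"isakmp policy {policy.group(1)}: legacy {key} {value}")
            if group and key == "pre-shared-key":
                # Report the group only; never echo the secret itself.
                findings.append(f"tunnel-group {group.group(1)}: pre-shared key configured")
    if not any(h.startswith("crypto isakmp nat-traversal") for h in cfg):
        findings.append("NAT-T (crypto isakmp nat-traversal) not enabled")
    return findings
```

Calling `audit()` on the text of a `show running-config` capture returns a list of finding strings; an empty list means none of these three checks fired.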
09-07-2011 11:22 PM
Vabruno,
Unfortunately, we have built our network with SA520 and SA540s which do not support Anyconnect.
I tested the iPad IPSec connection with a cheap Fritz!Box (AVM) which was easy to configure and works perfectly. I am wondering why CISCO cannot do this.
Georg