03-15-2011 09:35 AM - edited 02-21-2020 05:13 PM
Hello,
I am trying to connect to our environment through Cisco Remote Access IPsec VPN from an iPhone 4. Below are the versions:
iPhone OS : 4.2.1
Cisco VPN: ASA5520, version 8.0(5)
I am able to connect successfully, however I cannot connect to any server after the VPN is established.
At the same time, I am able to connect over VPN from any internet PC. The difference I have observed so far is that when an internet PC connects, the protocol/encryption in ASDM shows 'IKE IPsecOverNatT 3DES' for the active session. On the other hand, when I connect through the iPhone the protocol/encryption is 'IKE IPsec 3DES'.
Is it possible to force the iPhone to connect using IPsecOverNatT? Please suggest.
Thanks.
03-15-2011 11:38 AM
Hi,
How did you run the test against the server?
As far as I know, the iPhone has problems with DNS, so for example to connect via RDP you have to use the IP address of the machine.
As for IPsecOverNatT versus IPsec without NAT: it depends on where you are located. If you are behind NAT it will be IPsecOverNatT; if you are "directly on the internet" it will be without NAT.
May I ask why you want IPsecOverNatT?
HTH
Pavel
03-15-2011 11:28 PM
Hi Pavel,
Thanks for replying.
I successfully connected to the office VPN (ASA5520) through the iPhone and was assigned the correct private IP from the VPN pool.
Then I started the WYSE PocketCloud Pro application (pretty good for RDP) and created a manual connection against the private IP. I am not able to connect via the manual connection. The reason I am focusing on IPsecOverNatT is because that is the only obvious difference in the connection I can notice. Hence, I would like the iPhone connection (currently IKE IPsec) to be IPsecOverNatT to rule out any issues due to different settings.
Secondly, the same PocketCloud application is able to connect through the non-manual auto-discovery mode, but that depends on external factors such as installing a component on the remote machine and simultaneous logins to a Gmail account from the client as well as the server (strange).
Does the iPhone support NAT-T? Is there any detailed guideline from Cisco or Apple on how to make this work, or any specific config for iPhone support? I believe it is almost there, as the VPN is connected and an IP is assigned. Only the connectivity to the end destination has to be established.
Thanks for assistance.
03-16-2011 11:29 PM
Another observation.
I successfully connect to the VPN from the iPhone (i.e. Phase 1 and Phase 2 complete).
However, I do not see any newly generated connections in the ASA log after the tunnel is established, whereas in the case of a VPN connection from a PC all the RDP and other connections are shown in the logs.
It looks like the iPhone is not sending out connections after the VPN is established.
How can I debug this problem? Any clue/hint is appreciated.
Thanks.
03-17-2011 03:54 AM
Please answer my questions:
1. Are you connecting to the VPN from the iPhone using 3G or WiFi?
2. Are you using your office WiFi?
03-17-2011 04:15 AM
Hello there,
I have tried both 3G and WiFi (from home and from the office). None of them works.
Thanks.
03-17-2011 05:48 AM
Can you tell me which VPN gateway you are using?
Also check whether the following ports are open to the outside interface of your VPN gateway:
UDP/TCP 10000
UDP 4500
UDP 500
Similarly, tell me whether you have both IPsec VPN and AnyConnect VPN configured on the same VPN gateway.
Thanks
03-17-2011 09:47 AM
Hello,
The VPN gateway is an ASA5520, version 8.0(5).
All the VPN ports are open, because the same VPN configuration works for outside PC clients. The iPhone is also assigned a private IP from the same pool and the tunnel does get established.
Only IPsec VPN is configured on the ASA.
Thanks.
03-17-2011 11:23 AM
Hi,
What does this part of the configuration on the ASA look like?
group-policy xxxxx attributes
Can you post it?
BR
Pavel
03-18-2011 02:44 AM
Hello Pavel,
Please find below the requested information:
group-policy vpnpolicy internal
group-policy vpnpolicy attributes
 dns-server value x.x.x.x
 vpn-simultaneous-logins 50
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnpolicy_splitTunnelAcl
access-list vpnpolicy_splitTunnelAcl standard permit any
Thanks for the help. I hope to get the iPhone working over VPN.
03-18-2011 02:54 AM
Hi,
I have almost the same configuration as you have, and it works.
There is only one difference: split-tunnel.
Can you try having your iPhone traffic fully tunneled?
HTH
Pavel
03-18-2011 03:35 AM
Excellent Pavel.
Thanks a bunch. That's why the traffic was being routed out by the iPhone to the internet instead of to the ASA.
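For anyone landing on this thread with the same symptom, here is the change Pavel is describing, written out as an added example against the group-policy posted above. This is not configuration from the original thread; the policy name vpnpolicy and the ACL name are taken from the post, and the rest is standard ASA 8.0 CLI syntax. The first block is the posted setup; the second is the full-tunnel version.

```text
! As posted: split tunneling, with a network list that permits everything.
! The ASA sends the iPhone an "include" list of 0.0.0.0/0, and the phone
! ended up routing traffic to the internet instead of into the tunnel.
group-policy vpnpolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnpolicy_splitTunnelAcl
access-list vpnpolicy_splitTunnelAcl standard permit any

! Corrected: tunnel all client traffic and drop the split list entirely,
! so nothing depends on how the client interprets the list.
group-policy vpnpolicy attributes
 split-tunnel-policy tunnelall
 no split-tunnel-network-list
```

After the change, confirm the policy with `show running-config group-policy vpnpolicy`, reconnect the iPhone, and check that the RDP connection now appears in the ASA log (the missing log entries were the tell-tale sign in this thread). If some users genuinely need split tunneling, it is safer to keep tunnelspecified with an ACL that lists only the internal subnets than to express "everything" as permit any; the full-tunnel policy above is the simplest fix when all remote traffic should traverse the ASA anyway.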
08-16-2012 08:18 AM
Hi
I am having the same issues as discussed here. Can you please clarify where you configured all traffic to be tunneled for the iPhone? On my ASA the policy is set to Tunnel all networks, and when connecting with a PC client it works. From the iPhone it establishes the VPN, but the iPhone cannot communicate with any internal host (as if all traffic is not being tunneled).
12-24-2016 07:23 AM
You both really seem very informed on remote access VPN for the iPhone Remote ID / IPsec setup. I have an Apple network with an Apple AirPort Time Capsule with 2TB of storage, a MacBook Pro (early 2015 model), an iPhone 6s Plus with a U.S. Cellular data plan, an iPad Air also on my U.S. Cellular data plan, an Apple Watch Series 1, and a Magic Mouse (Apple Bluetooth) for the MacBook. And I have been HACKED SEVERELY THROUGH THESE VPN REMOTE ID PORTS, AND MY KNOWLEDGE OF THEM IS NULL. When I go to Game Center at certain times on my iPhone it will show my iCloud signed in, then the screen resets quickly and shows "sign in". My Maps always starts at a point where I believe my accounts and network are being HACKED BY A PERSON LOCALLY! BUT I DO KNOW THEY ARE USING REMOTE TCP PORTS OR THIS VPN REMOTE ID IPSec; there is also a screen that resets and flashes as if to show me the screen after a reset! CAN YOU HELP ME? I HAVE EVERYTHING SHUT DOWN EXCEPT MY CELL AND IPAD! And I use a modem that they can reconfigure after my devices connect! If I try to take the only Ethernet connection from my TWC modem, which used to go from the Apple AirPort to, say, a Roku player, it won't make an internet connection; I have to unplug and reset. Any help would be great. The ISP IP addresses on my phone are static??