iPad VPN

Unanswered Question
Aug 13th, 2010

Has anyone created an IPSEC VPN tunnel for an iPad implementation?  I'm trying to find a secure way to implement the iPad in our environment and I see that Apple says they support CISCO VPN.

Any documentation or instructions you can provide would be greatly appreciated.



Todd Pula Mon, 08/16/2010 - 08:47

The iPad IPSec VPN client has not been officially tested but I have seen it work with an ASA running 8.x using a similar configuration to the one below.

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
crypto isakmp nat-traversal

group-policy BasicPolicy internal
group-policy BasicPolicy attributes
  password-storage enable
username basic password uc/Xo0s4BJ1CCT.d encrypted
tunnel-group DefaultRAGroup ipsec-attributes
tunnel-group Basic type remote-access
tunnel-group Basic general-attributes
  default-group-policy BasicPolicy
tunnel-group Basic ipsec-attributes
  pre-shared-key letmein

We had a lot of problems with the iPad's VPN and the embedded AT&T 3G card, until we found out that the trick is to enable NAT-T on the Cisco firewall.  We've tried this with both a 3005 VPN Concentrator and an ASA5510, and it works great.  FYI, you only need to do this with AT&T's 3G; Verizon and most of the other WiFi connections that we tried work fine without NAT-T.  You don't need to do anything with the iPad client except plug in the standard info (default username, group name, and group password (they call it "shared secret")).  It works with XAUTH Radius authentication like SecurID or PhoneFactor, too.
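An added example, not part of the thread or any poster's code: a small Python audit that runs over the IKE and tunnel-group lines of the configuration posted above and reports 3DES, DH group 2, group pre-shared-key authentication and the short cleartext key. The function name and the 20-character key minimum are assumptions chosen for illustration.

```python
# Constructed sample: IKE and tunnel-group lines copied from the config posted above.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
crypto isakmp nat-traversal
tunnel-group Basic type remote-access
tunnel-group Basic ipsec-attributes
  pre-shared-key letmein
"""

WEAK_ENCRYPTION = {"des", "3des"}  # 64-bit block ciphers
WEAK_DH_GROUPS = {"1", "2"}        # 768-bit and 1024-bit MODP groups
MIN_PSK_LENGTH = 20                # assumed local policy threshold


def audit_asa_ike(config: str) -> list[str]:
    """Return findings for weak IKEv1 settings in an ASA-style config (hypothetical helper)."""
    findings = []
    context = ""  # most recent unindented line, i.e. the current block header
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            context = line
            continue
        words = line.split()
        key, value = words[0], words[-1]
        if context.startswith("crypto isakmp policy"):
            if key == "encryption" and value in WEAK_ENCRYPTION:
                findings.append(f"{context}: weak cipher {value}")
            elif key == "group" and value in WEAK_DH_GROUPS:
                findings.append(f"{context}: weak DH group {value}")
            elif key == "authentication" and value == "pre-share":
                findings.append(f"{context}: pre-shared key authentication")
        elif context.startswith("tunnel-group") and key == "pre-shared-key":
            masked = set(value) == {"*"}  # running-config output masks stored keys
            if not masked and len(value) < MIN_PSK_LENGTH:
                findings.append(f"{context}: short cleartext PSK ({len(value)} chars)")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_asa_ike(SAMPLE_CONFIG)))
```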

georglohr Sat, 09/03/2011 - 04:50

Dear all,

I tried everything as described above, but get no connection. The SA520 shows this entry in its log file:

12:45:48: [Cisco] [IKE] ERROR:  Aggressive mode of ..... [500] is not acceptable.

Do you have any idea?



vabruno Wed, 09/07/2011 - 20:51


I know this might not be the answer you want to hear, but I have tested both the IPSec and the SSL AnyConnect client on both iPad and iPhone and had them both working. The big issue with IPSec was that, because you have to configure L2TP and terminate the tunnel on the default base group, which lacks the group name/password, and rely on the shared secret only, we decided this was a security risk. If you are trying to roll out a remote access solution, I would strongly suggest using AnyConnect SSL, because this client uses DTLS and SSL fallback, which is what you want for devices that use slower connection types, i.e. WiFi or 3G. The AnyConnect client also has persistence when transitioning media types and auto reconnect, almost seamless to the user. We have rolled out AnyConnect to over 10k users and started the iPad pilot. You can buy the Essentials AnyConnect client very cheap. IPSec is not reliable on mobile devices.

Sent from Cisco Technical Support iPad App

georglohr Wed, 09/07/2011 - 23:22


Unfortunately, we have built our network with SA520s and SA540s, which do not support AnyConnect.

I tested the iPad IPSec connection with a cheap Fritz!Box (AVM), which was easy to configure and works perfectly. I am wondering why Cisco cannot do this.


