
iPad VPN

GREG HARPER
Level 1

Has anyone created an IPSEC VPN tunnel for an iPad implementation?  I'm trying to find a secure way to implement the iPad in our environment and I see that Apple says they support Cisco VPN.

Any documentation or instructions you can provide would be greatly appreciated.

Thanks,

GLH

6 Replies

Yudong Wu
Level 7

I think it should work with l2tp-IPSec since it works on both iPhone and iMac. Here is a guide.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046219

Todd Pula
Level 7

The iPad IPSec VPN client has not been officially tested but I have seen it work with an ASA running 8.x using a similar configuration to the one below.


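! Phase 2 transform set: 3DES encryption with SHA HMAC integrity
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
! Phase 1 (ISAKMP) policy: pre-shared key authentication, 3DES, SHA, DH group 2
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
! NAT traversal for clients that connect from behind NAT
crypto isakmp nat-traversal

! Group policy and local user for the remote-access clients
group-policy BasicPolicy internal
group-policy BasicPolicy attributes
  password-storage enable
username basic password uc/Xo0s4BJ1CCT.d encrypted
tunnel-group DefaultRAGroup ipsec-attributes
! Named tunnel group: the client enters "Basic" as the group name
tunnel-group Basic type remote-access
tunnel-group Basic general-attributes
  default-group-policy BasicPolicy
  dhcp-server 10.10.253.1
tunnel-group Basic ipsec-attributes
  pre-shared-key letmein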

cerving
Level 1

We had a lot of problems with the iPad's VPN and the embedded AT&T 3G card, until we found out that the trick is to enable NAT-T on the Cisco firewall.  We've tried this with both a 3005 VPN Concentrator and an ASA5510, and it works great.  FYI, you only need to do this with AT&T's 3G; Verizon and most of the other WiFi connections that we tried work fine without NAT-T.  You don't need to do anything with the iPad client except plug in the standard info (default username, group name, and group password (they call it "shared secret")).  It works with XAUTH RADIUS authentication like SecurID or PhoneFactor, too.

Dear all,

I tried everything as described above, but get no connection. The SA520 shows this entry in its logfile:

12:45:48: [Cisco] [IKE] ERROR:  Aggressive mode of ..... [500] is not acceptable.

Do you have any idea?

Regards

Georg

vabruno
Level 1

Greg,

I know this might not be the answer you want to hear, but I have tested both the IPSec and the SSL AnyConnect client on both iPad and iPhone and had them both working. The big issue with IPSec was that, because you have to configure l2tp and terminate the tunnel on the default base group, which lacks the group name/password, and rely on the shared secret only, we decided this was a security risk. If you are trying to roll out a remote access solution I would strongly suggest using AnyConnect SSL because this client uses DTLS and SSL fallback, which is what you want for devices that use slower connection types, i.e. WiFi or 3G. The AnyConnect also has persistence when transitioning media types and auto reconnect, almost seamless to the user. We have rolled out AnyConnect to over 10k users and started the iPad pilot. You can buy the essentials AnyConnect client very cheap. IPSec is not reliable on mobile devices.

Sent from Cisco Technical Support iPad App
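
The points raised in the posts above (NAT-T enabled on the firewall, no pre-shared key on the default group, a group password on the named remote-access group) can be checked against a saved ASA configuration. This is an added example, not code from any poster or from Cisco; the function names, finding labels and sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample shaped like the configuration posted in this thread;
# the secret is a placeholder, not a value from a real device.
THREAD_STYLE_CONFIG = """\
crypto isakmp policy 10
  authentication pre-share
crypto isakmp nat-traversal
tunnel-group DefaultRAGroup ipsec-attributes
tunnel-group Basic type remote-access
tunnel-group Basic ipsec-attributes
  pre-shared-key EXAMPLE-SECRET
"""

def parse_sections(config):
    """Map each top-level command to the indented sub-commands under it."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and '!' comments
        if line[0].isspace() and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def audit(config):
    """Return sorted finding labels (hypothetical names) for the thread's points."""
    sections = parse_sections(config)
    findings = set()
    # NAT-T: reported above as required for clients on the AT&T 3G connection.
    if not any(c.startswith("crypto isakmp nat-traversal") for c in sections):
        findings.add("nat-t-disabled")
    remote_access, psk_groups = set(), set()
    for cmd, subs in sections.items():
        m = re.fullmatch(r"tunnel-group (\S+) type remote-access", cmd)
        if m:
            remote_access.add(m.group(1))
        m = re.fullmatch(r"tunnel-group (\S+) ipsec-attributes", cmd)
        if m and any(s.startswith("pre-shared-key") for s in subs):
            psk_groups.add(m.group(1))
    # A PSK on the default group means clients land there on the shared
    # secret alone, the risk described in the post above.
    if "DefaultRAGroup" in psk_groups:
        findings.add("default-group-psk")
    # A named remote-access group with no PSK has no group password
    # for the client to present.
    findings.update(f"no-psk:{name}" for name in remote_access - psk_groups)
    return sorted(findings)
```

An empty list from `audit()` means none of the three conditions was found; it does not assess cipher strength or the quality of the secret itself.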

Vabruno,

unfortunately we have built our network with SA520 and SA540s which do not support Anyconnect.

I tested the iPad IPSec connection with a cheap Fritz!Box (AVM) which was easy to configure and works perfectly. I am wondering why Cisco cannot do this.

Georg
