iPhone 4 - IPSec VPN

Answered Question
Mar 15th, 2011

Hello,

I am trying to connect to our environment through Cisco Remote Access IPSec VPN from an iPhone 4. Below are the versions:

iPhone OS: 4.2.1

Cisco VPN: ASA5520, version 8.0(5)

I am able to connect successfully; however, I cannot connect to any server after the VPN is established.

At the same time, I am able to connect over VPN via any internet PC. The difference I have observed till now is that when an Internet PC connects, the protocol encryption on ASDM shows 'IKE IPsecOverNatT 3DES' for the active session. On the other hand, when I connect through the iPhone the protocol encryption is 'IKE IPsec 3DES'.

Is it possible to force the iPhone to connect with IPsecOverNatT? Please suggest.

Thanks.


Pavel Pokorny Tue, 03/15/2011 - 11:38

Hi,

How did you test the connection to the server?

As far as I know, IP* has problems with DNS, so for example to connect via RDP you have to use the IP address of the machine.

And about IPsecOverNatT or IPsec without NAT, it depends on where you are located: if behind NAT, it will be IPsecOverNatT. If you are "directly on the internet", it will be without NAT.

May I ask why you want IPsecOverNatT?

HTH

Pavel

dedra_live Tue, 03/15/2011 - 23:28

Hi Pavel,

Thanks for replying.

I successfully connected to the office VPN (ASA5520) through the iPhone and was assigned the correct private IP from the VPN pool.

Then I started the WYSE PocketCloud Pro application (pretty good for RDP) and created a manual connection against the private IP. I am not able to connect via the manual connection. The reason I am focusing on IPSecOverNATt is because that is the only obvious difference in the connection I can notice. Hence, I would like the iPhone connection (currently IKE over IPSec) to be IPSecOverNATt to rule out any issues due to different settings.

Secondly, the same PocketCloud application is able to connect through the non-manual auto-discovery mode, but that is dependent on external factors such as installing a component on the remote machine and simultaneous logins into a Gmail account from client as well as server (strange).

Does the iPhone support NAT-T? Is there any detailed guideline from Cisco or Apple on how to make this work, or any specific config for iPhone support? I believe it is almost there, as the VPN is connected and an IP is assigned. Only the connectivity to the end destination has to be established.

Thanks for the assistance.

dedra_live Wed, 03/16/2011 - 23:29

Another observation.

I successfully connect to the VPN from the iPhone (i.e. Phase 1 and Phase 2).

However, I do not see any newly generated connections in the ASA log after the tunnel is established. Whereas in the case of a VPN connection from a PC, all RDP and other connections are shown in the logs.

Looks like the iPhone is not sending out connections after the VPN is established.

How can I debug this problem? Any clue/hint is appreciated.

Thanks.

bala020881 Thu, 03/17/2011 - 03:54

Please answer my questions:

1. Are you connecting to the VPN from the iPhone using 3G or WiFi?

2. Are you using your office WiFi?

dedra_live Thu, 03/17/2011 - 04:15

Hello there,

I have tried both 3G and WiFi (from home and office). None of them works.

Thanks.

bala020881 Thu, 03/17/2011 - 05:48

Can you tell me which VPN gateway you are using?

And whether the following ports are open to the outside interface of your VPN gateway:

UDP/TCP-10000

UDP-4500

UDP-500

Similarly, tell me whether you have IPSec VPN and AnyConnect VPN configured on the same VPN gateway.

Thanks

dedra_live Thu, 03/17/2011 - 09:47

Hello,

VPN gateway is ASA5520, version 8.0(5)

All the VPN ports are open because the same VPN configuration works for outside PC clients. The iPhone is also assigned a private IP from the same pool and the tunnel does get established.

Only IPSec VPN is configured on the ASA.

Thanks.

Pavel Pokorny Thu, 03/17/2011 - 11:23

Hi,

What does this part of the configuration on the ASA look like?

group-policy xxxxx attributes

Can you post it?

BR

Pavel

dedra_live Fri, 03/18/2011 - 02:44

Hello Pavel,

Please find below the requested information:

group-policy vpnpolicy internal
group-policy vpnpolicy attributes
 dns-server value x.x.x.x
 vpn-simultaneous-logins 50
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnpolicy_splitTunnelAcl

access-list vpnpolicy_splitTunnelAcl standard permit any

Thanks for the help. Hope to get the iPhone working over VPN.

Correct Answer
Pavel Pokorny Fri, 03/18/2011 - 02:54

Hi,

I have almost the same configuration as you have, and it works.

There is only one difference: split-tunnel.

Can you try having your iPhone traffic fully tunneled?

HTH

Pavel

dedra_live Fri, 03/18/2011 - 03:35

Excellent Pavel.

Thanks a bunch. That's why the traffic was routed out by the iPhone to the internet instead of the ASA.
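Pavel's fix expressed as ASA group-policy configuration, added here as an example and not taken from the thread: the poster's policy uses tunnelspecified with an ACL that permits everything, and the iPhone client did not treat that as "tunnel all". The group-policy name and the x.x.x.x DNS placeholder are the poster's; everything else is assumed.

```cisco
! As posted: split tunneling is enabled, but the network list permits
! everything. The PC client tunneled all traffic with this; the iPhone
! client sent its traffic out to the internet instead of into the tunnel.
group-policy vpnpolicy attributes
 dns-server value x.x.x.x
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnpolicy_splitTunnelAcl
!
access-list vpnpolicy_splitTunnelAcl standard permit any

! Corrected (Pavel's suggestion): force every client packet through the
! tunnel, so the iPhone routes RDP and other connections to the ASA.
group-policy vpnpolicy attributes
 split-tunnel-policy tunnelall
 no split-tunnel-network-list
```

After the change, reconnect the iPhone and confirm with `show running-config group-policy vpnpolicy` that tunnelall is in effect; the built connections to internal hosts should then appear in the ASA log, as they already did for the PC client.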

walterp Thu, 08/16/2012 - 08:18

Hi

I am having the same issues as discussed here. Can you please clarify where you configured all traffic to be tunneled for the iPhone, as on my ASA the policy is set to Tunnel all networks, and when connecting with a PC client it works. From the iPhone it establishes the VPN, but the iPhone cannot communicate with any internal host (as if all traffic is not being tunneled).

You both really seem very informed on the remote access of the VPN Access of the iPhone Remote ID port VPN IPSec setup. I have an Apple network with an Apple Airport Time Capsule w/2TB of storage, a MacBook Pro (early 2015 model), iPhone 6s Plus w/U.S. Cellular data plan, iPad Air also on my U.S. Cellular data plan, Apple Watch series 1, Magic Mouse (Apple Bluetooth) for MacBook. And I have been HACKED SEVERELY WITH THESE VPN REMOTE ID PORTS, AND MY KNOWLEDGE IS NULL ON THEM. When I go to Game Center at certain times on my iPhone it will show my iCloud signed in, then the screen resets quickly and shows "sign in". My Maps always starts at a point where I believe my accounts and network are being HACKED FROM A PERSON LOCALLY! BUT I DO KNOW THEY ARE USING REMOTE TCP PORTS OR THIS VPN REMOTE ID IPSec; also there is a screen that resets and flashes the screen as if to show me the screen after a reset! CAN YOU HELP ME? I HAVE EVERYTHING SHUT DOWN EXCEPT MY CELL AND IPAD! And I use a modem that they can reconfigure after connection of my devices! If I try to take the only Ethernet connection from my TWC modem, used to go from the Apple Airport to, say, a Roku player, it won't make an internet connection; I have to unplug and reset?? Any help would be great. The ISP IP addresses on my phone are static??
