iPhone 4 - IPSec VPN

Answered Question
Mar 15th, 2011


I am trying to connect to our environment through Cisco Remote Access IPSec VPN from an iPhone 4. Below are the versions:

iPhone OS : 4.2.1

Cisco VPN: ASA5520, version 8.0(5)

I am able to connect successfully; however, I cannot connect to any server after the VPN is established.

At the same time, I am able to connect over VPN from any internet PC. The difference I have observed so far is that when an internet PC connects, the protocol encryption on ASDM shows 'IKE IPsecOverNatT 3DES' for the active session. On the other hand, when I connect through the iPhone the protocol encryption is 'IKE IPsec 3DES'.

Is it possible to force the iPhone to connect using IPsecOverNatT? Please suggest.


Correct Answer by Pavel Pokorny about 5 years 2 months ago


I have almost the same configuration as you have - and it works.

There is only one difference - split-tunnel.

Can you try having your iPhone traffic fully tunneled?



Pavel Pokorny Tue, 03/15/2011 - 11:38


How did you make the test to the server?

As far as I know, IP* has a problem with DNS, so for example to connect via RDP you have to use the IP address of the machine.

And about IPsecOverNatT or IPsec without NAT: it depends on where you are located - if behind NAT, it will be IPsecOverNatT. If you are "directly on the internet", it will be without NAT.

May I ask, why do you want IPsecOverNatT?



dedra_live Tue, 03/15/2011 - 23:28

Hi Pavel,

Thanks for replying.

I successfully connected to the office VPN (ASA5520) through the iPhone and was assigned the correct private IP from the VPN pool.

Then I started the WYSE PocketCloud Pro application (pretty good for RDP) and created a manual connection against the private IP. I am not able to connect via the manual connection. The reason I am focusing on IPsecOverNatT is because that is the only obvious difference in the connection I can notice. Hence, I would like the iPhone connection (currently IKE IPsec) to be IPsecOverNatT to rule out any issues due to different settings.

Secondly, the same PocketCloud application is able to connect through the non-manual auto-discovery mode, but that is dependent on external factors such as installing a component on the remote machine and simultaneous logins into a Gmail account from the client as well as the server (strange).

Does the iPhone support NAT-T? Is there any detailed guideline from Cisco or Apple on how to make this work, or any specific config for iPhone support? I believe it is almost there as the VPN is connected and an IP is assigned. Only the connectivity to the end destination has to be established.

Thanks for assistance.

dedra_live Wed, 03/16/2011 - 23:29

Another observation.

I successfully connect to the VPN from the iPhone (i.e. Phase 1 and Phase 2).

However, I do not see any newly generated connections in the ASA log after the tunnel is established. Whereas in the case of a VPN connection from a PC, all RDP and other connections are shown in the logs.

It looks like the iPhone is not sending out connections after the VPN is established.

How can I debug this problem? Any clue/hint is appreciated.


bala020881 Thu, 03/17/2011 - 03:54

Please answer my questions:

1. Are you connecting to the VPN from the iPhone using 3G or WiFi?

2. Are you using your office WiFi?

dedra_live Thu, 03/17/2011 - 04:15

Hello there,

I have tried both 3G and WiFi (from home and office). Neither of them works.


bala020881 Thu, 03/17/2011 - 05:48

Can you tell me which VPN gateway you are using?

Check whether the following ports are open on the outside interface of your VPN gateway.




Similarly, tell me whether you have IPSec VPN and AnyConnect VPN configured on the same VPN gateway.


dedra_live Thu, 03/17/2011 - 09:47


VPN gateway is ASA5520, version 8.0(5)

All the VPN ports are open because the same VPN configuration works for outside PC clients. The iPhone is also assigned a private IP from the same pool, and the tunnel does get established.

Only IPSec VPN is configured on the ASA.


Pavel Pokorny Thu, 03/17/2011 - 11:23


What does this part of the configuration on the ASA look like?

group-policy xxxxx attributes

Can you post it?



dedra_live Fri, 03/18/2011 - 02:44

Hello Pavel,

Please find below the requested information:

group-policy vpnpolicy internal
group-policy vpnpolicy attributes
 dns-server value x.x.x.x
 vpn-simultaneous-logins 50
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnpolicy_splitTunnelAcl

access-list vpnpolicy_splitTunnelAcl standard permit any

Thanks for the help. Hope to get the iPhone working over VPN.


dedra_live Fri, 03/18/2011 - 03:35

Excellent Pavel.

Thanks a bunch. That's why the traffic was routed out by the iPhone to the internet instead of the ASA.
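The split-tunnel diagnosis above, turned into a small config audit. This is an added example, not code from the thread or from Cisco: it parses the posted group-policy and access-list lines and flags a tunnelspecified policy whose network list is a blanket 'permit any', the combination that full tunneling (tunnelall) replaced here. The sample config and the flagging rule are my own assumptions, not Cisco guidance.

```python
import re

# Constructed sample: the group-policy and ACL lines posted in this thread,
# with the DNS server left as the redacted x.x.x.x from the post.
SAMPLE_CONFIG = """\
group-policy vpnpolicy internal
group-policy vpnpolicy attributes
 dns-server value x.x.x.x
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnpolicy_splitTunnelAcl
access-list vpnpolicy_splitTunnelAcl standard permit any
"""

def parse_group_policies(config):
    """Return {policy_name: {attribute: value}} from 'group-policy X attributes' blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes$", line.strip())
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        if line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
        elif line.strip():
            current = None  # any non-indented line ends the attributes block
    return policies

def parse_standard_acls(config):
    """Return {acl_name: [entry, ...]} for 'access-list NAME standard ...' lines."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) standard (.+)$", line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2).strip())
    return acls

def audit_split_tunnel(config):
    """Return (policy, acl, advice) for each tunnelspecified policy whose list is 'permit any'.

    Assumption (from this thread, not Cisco docs): such a list is meant as
    'tunnel everything', so the explicit split-tunnel-policy tunnelall is safer.
    """
    findings, acls = [], parse_standard_acls(config)
    for name, attrs in parse_group_policies(config).items():
        if attrs.get("split-tunnel-policy", "tunnelall") != "tunnelspecified":
            continue
        acl_name = attrs.get("split-tunnel-network-list", "").replace("value ", "")
        if "permit any" in acls.get(acl_name, []):
            findings.append((name, acl_name, "use split-tunnel-policy tunnelall"))
    return findings
```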

walterp Thu, 08/16/2012 - 08:18


I am having the same issues as discussed here. Can you please clarify where you configured all traffic to be tunneled for the iPhone? On my ASA the policy is set to Tunnel all networks, and when connecting with a PC client it works. From the iPhone it establishes the VPN, but the iPhone cannot communicate with any internal host (as if all traffic is not being tunneled).

