New Member

SA500 Series SA540 iPhone IPSec

We have just deployed an SA540.  Right now we are only using the default LAN.  VLAN isn't turned on.

VPN is currently working in 3 different modes

1.  IPSec configured for IPSecuritas for our Mac users.

2.  IPSec (mode-config) for iPhone/iPad users.

3.  SSL VPN split tunnel for Windows users.

We are not using SSL VPN port forwarding, QuickVPN, or VPN client as of yet.

My question is how to best allow the iPhone/iPad access to the WAN either from the local site's ISP or going through the tunnel?  We would prefer full tunnel (WAN access through tunnel) if we can't have configurations for both (depending on the person/need).

BTW, IPS is turned on.

Many thanks.

8 REPLIES
Silver

SA500 Series SA540 iPhone IPSec

Curtis,

Currently iPad/iPhone & Android isn't a supported VPN program. Our Cisco VPN version is specifically for the SA500 device, since the VPN makes an initial connection and then authenticates to the local database, which is a two-step process. iPhone and Android usually send all this information in step one, which won't allow the VPN to establish a connection.

Thanks,

Jasbryan

New Member

SA500 Series SA540 iPhone IPSec

Jasbryan,

The SA540 supports the built-in Cisco IPSec functionality in the iPhone/iPad.  We have already tested it.  Not only can we connect, we can access devices on the LAN.  We use the Enterprise version of Real VNC on our servers/PCs, as well as Real VNC Viewer on our iPhones/iPads.  It works perfectly.

The VPN/IKE setup was performed using the wizard and checking the box for VPN client.

At any rate, what we can't get to work is allowing the iPhone/iPad to access the Internet, either through the tunnel or the client-side ISP, while connected to the VPN.

Am I making sense now?

New Member

Re: SA500 Series SA540 iPhone IPSec

A little more information as I was in a hurry yesterday.

When you connect using a VPN policy set up for the Cisco VPN client, the mode-config box is checked.  This also makes the VPN connection use the IPs in the Dynamic IP Range page (VPN > IPSec > Dynamic IP Range).  The iPhones/iPads receive an IP from that range.

Getting access to the LAN is easy (automatically set up in the background when setting up the VPN using the wizard, I guess, as it works without any intervention).  I just don't know how to get WAN/Internet access when connected to the VPN.  Like I stated earlier, either through the iPhone (wireless or 3G) or through the tunnel using the SA540's ISP.

New Member

Re: SA500 Series SA540 iPhone IPSec

You can easily test my scenario in your lab.

First, use the VPN wizard to create a "Remote" (not site-to-site) VPN tunnel, but make sure to click the box for VPN client.

Second, disable the VPN policy the wizard just created so you can change the IKE policy the wizard created to change XAUTH type to "User Database".

Next, re-enable the VPN policy.

Last, add an XAUTH user.

That's it for configuring the SA540 for iPhone/iPad VPN access.

Now, go into your Network preferences on your iPhone/iPad and configure an IPSec VPN connection.

Enter the XAUTH user you created above for the "Account" field, enter the VPN Policy name you used above for the "Group Name", and enter the shared secret string you used above for the "Secret" field.  Of course you have to enter the IP address in the "Server" field, but that's trivial.

That's it...

New Member

SA500 Series SA540 iPhone IPSec

I figured out how to get WAN access when connected to the VPN, so I thought I would share.  I had to enable Split Tunneling on the Dynamic IP Range tab and REBOOT!!!  Rebooting the router was the key.  Now I get WAN access via the local side (3G or wireless) and everything else goes through the tunnel.

New Member

Re: SA500 Series SA540 iPhone IPSec

I cannot mark this discussion "as answered" because the OP (original poster) cannot mark their own reply as answered.

Someone please reply to this discussion and I will mark this discussion as answered.  I don't want to mark jasbryan's comment as answered because it is wrong. 

New Member

SA500 Series SA540 iPhone IPSec

nice job

New Member

SA500 Series SA540 iPhone IPSec

I put a how-to document together to help others set up VPN on their Macs, using the built-in version of IPSec, as well as use the same VPN/IKE Policies on their iPhone, iPad, or with the Cisco VPN Client.

https://supportforums.cisco.com/thread/2127063?tstart=0
