We have just deployed an SA540. Right now we are only using the default LAN. VLAN isn't turned on.
VPN is currently working in 3 different modes
1. IPSec configured for IPSecuritas for our Mac users.
2. IPSec (mode-config) for iPhone/iPad users.
3. SSL VPN split tunnel for Windows users.
We are not using SSL VPN port forwarding, QuickVPN, or VPN client as of yet.
My question is how to best allow the iPhone/iPad access to the WAN either from the local site's ISP or going through the tunnel? We would prefer full tunnel (WAN access through tunnel) if we can't have configurations for both (depending on the person/need).
BTW, IPS is turned on.
Currently iPad/iPhone and Android aren't supported VPN programs. Our Cisco VPN version is specifically for the SA500 device, since the VPN makes an initial connection and then authenticates to the local database, which is a two-step process. iPhone and Android usually send all this information in step one, which won't allow the VPN to establish a connection.
The SA540 supports the built-in Cisco IPSec functionality in the iPhone/iPad. We have already tested it. Not only can we connect, we can access devices on the LAN. We use the Enterprise version of Real VNC on our servers/PCs, as well as, Real VNC Viewer on our iPhones/iPads. It works perfectly.
The VPN/IKE setup was performed using the wizard and checking the box for VPN client.
At any rate, what we can't get to work is allowing the iPhone/iPad to access the Internet, either through the tunnel or the client-side ISP, while connected to the VPN.
Am I making sense now?
A little more information as I was in a hurry yesterday.
When you connect using a VPN policy set up for the Cisco VPN client, the mode-config box is checked. This also makes the VPN connection use the IPs in the Dynamic IP Range page (VPN > IPSec > Dynamic IP Range). The iPhones/iPads receive an IP from that range.
Getting access to the LAN is easy (automatically set up in the background when setting up the VPN using the wizard, I guess, as it works without any intervention). I just don't know how to get WAN/Internet access when connected to the VPN. Like I stated earlier, either through the iPhone (wireless or 3G) or through the tunnel using the SA540's ISP.
You can easily test my scenario in your lab.
First, use the VPN wizard to create a "Remote" (not site-to-site) VPN tunnel, but make sure to click the box for VPN client.
Second, disable the VPN policy the wizard just created so you can change the IKE policy the wizard created to change XAUTH type to "User Database".
Next, re-enable the VPN policy.
Last, add an XAUTH user.
That's it for configuring the SA540 for iPhone/iPad VPN access.
Now, go into your Network preferences on your iPhone/iPad and configure an IPSec VPN connection.
Enter the XAUTH user you created above in the "Account" field, enter the VPN Policy name you used above for the "Group Name", and enter the shared secret string you used above in the "Secret" field. Of course you have to enter the IP address in the "Server" field, but that's trivial.
I figured out how to get WAN access when connected to the VPN, so I thought I would share. I had to enable Split Tunneling on the Dynamic IP Range tab and REBOOT!!! Rebooting the router was the key. Now I get WAN access via the local side (3G or wireless) and everything else goes through the tunnel.
I cannot mark this discussion "as answered" because the OP (original poster) cannot mark their own reply as answered.
Someone please reply to this discussion and I will mark this discussion as answered. I don't want to mark jasbryan's comment as answered because it is wrong.
I put a how-to document together to help others set up VPN on their Macs, using the built-in version of IPSec, as well as use the same VPN/IKE Policies on their iPhone, iPad, or with the Cisco VPN Client.