Cisco Support Community
New Member

iPad VPN

Has anyone created an IPSEC VPN tunnel for an iPad implementation?  I'm trying to find a secure way to implement the iPad in our environment and I see that Apple says they support CISCO VPN.

Any documentation or instructions you can provide would be greatly appreciated.

Thanks,

GLH

6 REPLIES

Re: iPad VPN

I think it should work with l2tp-IPSec since it works on both iPhone and iMac. Here is a guide.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046219

Re: iPad VPN

The iPad IPSec VPN client has not been officially tested but I have seen it work with an ASA running 8.x using a similar configuration to the one below.


crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
crypto isakmp nat-traversal

group-policy BasicPolicy internal
group-policy BasicPolicy attributes
  password-storage enable
username basic password uc/Xo0s4BJ1CCT.d encrypted
tunnel-group DefaultRAGroup ipsec-attributes
tunnel-group Basic type remote-access
tunnel-group Basic general-attributes
  default-group-policy BasicPolicy
  dhcp-server 10.10.253.1
tunnel-group Basic ipsec-attributes
  pre-shared-key letmein

New Member

Re: iPad VPN

We had a lot of problems with the iPad's VPN and the embedded AT&T 3G card, until we found out that the trick is to enable NAT-T on the Cisco firewall.  We've tried this with both a 3005 VPN Concentrator and an ASA5510, and it works great.  FYI, you only need to do this with AT&T's 3G; Verizon and most of the other WiFi connections that we tried work fine without NAT-T.  You don't need to do anything with the iPad client except plug in the standard info (default username, group name, and group password (they call it "shared secret")).  It works with XAUTH RADIUS authentication like SecurID or PhoneFactor, too.

New Member

iPad VPN

Dear all,

I tried everything as described above, but get no connection. The SA520 shows the following entry in its log file:

12:45:48: [Cisco] [IKE] ERROR:  Aggressive mode of ..... [500] is not acceptable.

Do you have any idea?

Regards

Georg

New Member

Re: iPad VPN

Greg,

I know this might not be the answer you want to hear, but I have tested both the IPSec and the SSL AnyConnect client on both iPad and iPhone and had them both working. The big issue with IPSec was that, because you have to configure L2TP and terminate the tunnel on the default base group, which lacks the group name/password, and rely on the shared secret only, we decided this was a security risk. If you are trying to roll out a remote access solution, I would strongly suggest using AnyConnect SSL, because this client uses DTLS and SSL fallback, which is what you want for devices that use slower connection types, i.e. Wi-Fi or 3G. AnyConnect also has persistence when transitioning media types and auto reconnect that is almost seamless to the user. We have rolled out AnyConnect to over 10k users and started the iPad pilot. You can buy the essentials AnyConnect client very cheap. IPSec is not reliable on mobile devices.

Sent from Cisco Technical Support iPad App
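
A configuration check for the two points raised in this thread, NAT-T and reliance on a group shared secret, as an added example that is not part of any post above. It assumes the ASA 8.x syntax shown earlier; the sample input is constructed from that configuration with the key replaced by a placeholder, and the function names and finding wording are this example's own. It also flags 3DES and Diffie-Hellman groups below 2048 bits, which goes beyond what the posts discuss.

```python
import re

# Constructed sample: the config posted in this thread, trimmed, key replaced.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  group 2
crypto isakmp nat-traversal
tunnel-group Basic type remote-access
tunnel-group Basic ipsec-attributes
  pre-shared-key EXAMPLE-PLACEHOLDER
"""

DH_BITS = {"1": 768, "2": 1024, "5": 1536}  # MODP group sizes below 2048 bits

def parse_blocks(config):
    """Map each top-level command to the indented sub-commands beneath it."""
    blocks, parent = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and parent is not None:
            blocks[parent].append(raw.strip())
        else:
            parent = raw.strip()
            blocks.setdefault(parent, [])
    return blocks

def audit(config):
    """Return findings (hypothetical wording) for a remote-access IPsec config."""
    blocks, findings = parse_blocks(config), []
    # NAT-T is on when the command is present, with or without a keepalive value.
    if not any(re.fullmatch(r"crypto isakmp nat-traversal(\s+\d+)?", p) for p in blocks):
        findings.append("NAT-T not enabled: clients behind NAT may fail to connect")
    for parent, subs in blocks.items():
        pol = re.fullmatch(r"crypto isakmp policy (\d+)", parent)
        grp = re.fullmatch(r"tunnel-group (\S+) ipsec-attributes", parent)
        if pol:
            opts = dict(s.split(None, 1) for s in subs if " " in s)
            if opts.get("encryption") in ("des", "3des"):
                findings.append(f"policy {pol.group(1)}: legacy cipher {opts['encryption']}")
            if opts.get("group") in DH_BITS:
                findings.append(f"policy {pol.group(1)}: DH group {opts['group']} "
                                f"is {DH_BITS[opts['group']]}-bit")
        if grp and any(s.startswith("pre-shared-key") for s in subs):
            findings.append(f"tunnel-group {grp.group(1)}: group authenticated by shared secret")
    return findings
```

Call `audit()` on the text of a saved configuration; an empty list means none of these checks fired.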

New Member

Re: iPad VPN

Vabruno,

Unfortunately we have built our network with SA520 and SA540s which do not support Anyconnect.

I tested the iPad IPSec connection with a cheap Fritz!Box (AVM) which was easy to configure and works perfectly. I am wondering why CISCO cannot do this.

Georg
