We had a lot of problems with the iPad's VPN and the imbedded AT&T 3G card, until we found out that the trick is to enable NAT-T on the Cisco firewall. We've tried this with both a 3005 VPN Concentrator and an ASA5510, it works great. FYI, you only need to do this with AT&T's 3G, Verizon and most of the other WiFi connections that we tried work fine without NAT-T. You don't need to do anything with the iPad client except plug in the standard info (default username, group name, and group password (they call it "shared secret"). It works with XAUTH Radius authentication like SecurID or PhoneFactor, too.
I know this might not be the answer you want to hear but I have tested both the IPSec and the ssl any connect client on both iPad and iPhone and had them both working. The bit issue with IPSec was that because you have to configure l2tp and terminate the tunnel on the default base group which lacks the group name/password and rely on the shared secret only we decided this was a security risk. If you are trying to rollout a remote access solution I would strongly suggest using Anyconnect ssl because this client uses DTLS and SSL fallback which is what you want for devices that use slower connection types I.e wifi or 3G. The Anyconnect also has persistence when transitioning media types and auto reconnect almost seamless to the user. We have rolled out Anyconnect to over 10k users and started the iPad pilot. You can buy the essentials Anyconnect client very cheap. IPSec is not reliable on mobile devices
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...