Solved: Re: iPhone Trusted Network Detection

tom.nguyen · ‎11-19-2010

I'm trying to get TND working on iPhones runing the 2.4.30.32 anyconnect client. In our scenario, the user is able to establish a VPN tunnel via 3G fine. When he enables wifi and connects to our internal (tusted) network, his 3G VPN tunnel doesn't get terminated. I'm not sure if I have to make changes to my policy file or if it's even supported on the iPhones. Attached is a copy of my policy file.

Herbert Baerten · ‎11-22-2010

Hi Tom,

well, TND will work like I described, but I guess not the way you were expecting it to work.

I.e.

1. User enables 3G => TND automatically brings up the VPN

2. User brings his phone into the office and connects via wifi. => TND detects 1 trusted and 1 untrusted interface, and so does nothing (tunnel remains up)

3. The existing VPN tunnel that's connected via 3G never get's torn down. => correct, until the user manually disconnects the 3G connection (then TND will detect that there is only a trusted network left, and so it tears down the tunnel).

In other words, TND means "If there is at least one untrusted network connection then bring up the vpn".

TND does not mean "If there is both a trusted and untrusted network connection, bring down the untrusted one".

Or to summarize, TND only controls the up/down state of the VPN tunnel, it does not control the up/down status of the interfaces/network connections.

I hope this clarifies, if not let me know.

regards

Herbert

View solution in original post

Herbert Baerten · ‎11-21-2010

Hi Tom,

if I understand correctly, when the iPhone is connected to both (untrusted) 3G and (trusted) Wifi, you would want Anyconnect to tear down the 3G connection?

Unfortunately that is not how TND works, Anyconnect only has control over the tunnel, not over the 'physical' interfaces so it will never bring down a network interface (in this case the 3G).

TND will cause a tunnel to be established automatically (without user intervention) when an untrusted network connection is detected, that is all.

So in your situation: as long as the 3G connection is up there is an untrusted connection, so the tunnel will remain up. When you end the 3G connection, the tunnel will be torn down. Since there is only a trusted network left, no new tunnel will be established. As soon as you bring up the 3G again (even if the trusted wifi is also still active) TND will kick in and establish a new tunnel.

hth

Herbert

tom.nguyen · ‎11-22-2010

Thanks for the reply Herbert. Here's the scenario:

1. VPN get's established via 3G

2. User brings his phone into the office and connects via wifi.

3. The existing VPN tunnel that's connected via 3G never get's torn down.

Should TND work in this case?

Herbert Baerten · ‎11-22-2010

Hi Tom,

well, TND will work like I described, but I guess not the way you were expecting it to work.

I.e.

1. User enables 3G => TND automatically brings up the VPN

2. User brings his phone into the office and connects via wifi. => TND detects 1 trusted and 1 untrusted interface, and so does nothing (tunnel remains up)

3. The existing VPN tunnel that's connected via 3G never get's torn down. => correct, until the user manually disconnects the 3G connection (then TND will detect that there is only a trusted network left, and so it tears down the tunnel).

In other words, TND means "If there is at least one untrusted network connection then bring up the vpn".

TND does not mean "If there is both a trusted and untrusted network connection, bring down the untrusted one".

Or to summarize, TND only controls the up/down state of the VPN tunnel, it does not control the up/down status of the interfaces/network connections.

I hope this clarifies, if not let me know.

regards

Herbert

tom.nguyen · ‎11-22-2010

Got it. It makes sense now. Thanks for you help with this.