Network World
Saturday, November 22, 2008
Jamey Heary: Cisco Security Expert

Cisco Subnet

Cisco VPN gateways support the iPhone

So you have your shiny cool new iPhone. You’re addicted to its very cool web browser. Now you want to be able to reach your internal home or corporate networks over a VPN, right? The embedded iPhone VPN client works over both Wi-Fi and EDGE network connections. Good news: both Cisco IOS routers and the ASA appliance support this. In fact, they’ve supported it all along. Here are some of the geeky details and how to set it up.

The iPhone VPN client uses L2TP/IPSEC. This is the same VPN protocol that the MacOS and Windows XP native VPN clients use. For those not familiar with L2TP/IPSEC, just think of it as an alternative to using native IPSEC. The Cisco routers and firewalls (ASA) have included support for L2TP/IPSEC for a number of years now. Apple, in its infinite wisdom, has made the iPhone L2TP/IPSEC VPN client almost identical to the one on MacOS. As a result, Cisco VPN gateways support it.

However, the iPhone L2TP/IPSEC VPN client does have some limitations. It is not as full-featured as the VPN client on MacOS. Here are the officially supported features from Apple that you’ll need to know when configuring your VPN gateway to handle the iPhone.

  • IKE phase 1—3DES encryption with the SHA1 hash method (no MD5 support).
  • IPSec phase 2—3DES or AES encryption with the MD5 or SHA hash method.
  • PPP authentication—MS-CHAPv2 (officially), but PAP and MS-CHAPv1 also worked in testing.
  • Pre-shared key only (no certificate support).

So how do you configure this on a Cisco ASA firewall? Well, here is a sample configuration using the CLI. If you use ASDM (the GUI), you can run through the wizard and enable the features the iPhone requires. Also, the Cisco ASA config guide has a partial CLI example found here:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046219


ip local pool CLIENT-POOL 10.1.99.128-10.1.99.141 mask 255.255.255.240
!
! Phase 2: L2TP/IPSEC needs a transport-mode transform set
crypto ipsec transform-set iPhone esp-3des esp-sha-hmac
crypto ipsec transform-set iPhone mode transport
!
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set iPhone
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
!
group-policy iPhone internal
group-policy iPhone attributes
 vpn-tunnel-protocol l2tp-ipsec
 address-pools value CLIENT-POOL
!
tunnel-group iPhone type remote-access
tunnel-group iPhone general-attributes
 default-group-policy iPhone
 authentication-server-group denlab-RADIUS
tunnel-group iPhone ipsec-attributes
 pre-shared-key test
tunnel-group iPhone ppp-attributes
 authentication ms-chap-v2
!
! Phase 1: pre-shared key, 3DES and SHA are the only combination the iPhone client offers
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

To those of you familiar with the ASA VPN CLI commands, you’ll notice that this config is nothing special. It is the same config you’ve used to set up any L2TP/IPSEC tunnel in the past. Basically, supporting the iPhone doesn’t change things. You just need to ensure that you are allowing the protocols and options that the iPhone supports.
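As an added example (written for this page, not code from the post or from Cisco), the following Python script reads an ASA configuration excerpt and reports which of the iPhone constraints listed above it fails: an IKE phase 1 policy with pre-share, 3DES and SHA; a transport-mode transform set with 3DES or AES and MD5 or SHA; a tunnel group whose group policy allows l2tp-ipsec, has a pre-shared key and authenticates PPP with MS-CHAPv2; and NAT traversal. The embedded sample is the post's own config with the address-pool, crypto-map and other lines the check does not read dropped. The 16-character minimum pre-shared-key length is a threshold assumed for this example, not an ASA or Apple requirement, and the `hash md5` variant run at the end is a constructed stand-in for a gateway that only offers MD5 in phase 1.

```python
import re

# Constraints from the post's list of what the iPhone client supports: IKE phase 1 = 3DES + SHA1 +
# pre-shared key; phase 2 = 3DES/AES with MD5/SHA in transport mode; PPP = MS-CHAPv2; NAT-T on.
IKE_OK = {"authentication": "pre-share", "encryption": "3des", "hash": "sha"}
ESP_ENC = ("esp-3des", "esp-aes")  # prefix match also covers esp-aes-192 / esp-aes-256
ESP_HASH = {"esp-md5-hmac", "esp-sha-hmac"}
_OPENER = re.compile(r"^(?:crypto isakmp policy (?P<pol>\d+)|group-policy (?P<gp>\S+) attributes"
                     r"|tunnel-group (?P<tg>\S+) (?P<sub>general|ipsec|ppp)-attributes)$")
_TOP = ("ip ", "crypto ", "group-policy ", "tunnel-group ")  # other top-level commands end a sub-mode


def parse_asa(cfg):
    """Collect isakmp policies, transform sets, group policies, tunnel groups and the NAT-T flag.
    Sub-mode lines are assigned by context, so indentation (absent in the post) is optional."""
    m = {"isakmp": {}, "tsets": {}, "gpol": {}, "tgrp": {}, "natt": False}
    ctx = None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if not line or line[0] in "!:":
            continue
        if op := _OPENER.match(line):
            ctx = (("isakmp", op["pol"]) if op["pol"] else ("gpol", op["gp"]) if op["gp"]
                   else ("tgrp", op["tg"], op["sub"]))
            m[ctx[0]].setdefault(ctx[1], {})
        elif line.startswith(_TOP):
            ctx = None
            if ts := re.match(r"^crypto ipsec transform-set (\S+) (.+)$", line):
                t = m["tsets"].setdefault(ts[1], {"transforms": [], "mode": "tunnel"})
                w = ts[2].split()
                t.update({"mode": w[1]} if w[0] == "mode" else {"transforms": w})
            elif line.startswith("crypto isakmp nat-traversal"):
                m["natt"] = True
        elif ctx:
            key, *args = line.split()
            if ctx[0] == "isakmp":
                m["isakmp"][ctx[1]][key] = " ".join(args)
            elif ctx[0] == "gpol":
                m["gpol"][ctx[1]][key] = args
            elif ctx[2] == "ppp" and key == "authentication":
                m["tgrp"][ctx[1]].setdefault("ppp_auth", set()).update(args)
            elif ctx[2] == "ipsec" and key == "pre-shared-key":
                m["tgrp"][ctx[1]]["psk"] = args[0]
            elif ctx[2] == "general" and key == "default-group-policy":
                m["tgrp"][ctx[1]]["gpol"] = args[0]
    return m


def check_iphone(cfg, min_psk_len=16):
    """Return [(severity, message)] against the post's constraints; empty means all are met.
    min_psk_len is a threshold chosen for this example, not an ASA or Apple rule."""
    m, out = parse_asa(cfg), []
    if not any(all(p.get(k) == v for k, v in IKE_OK.items()) for p in m["isakmp"].values()):
        out.append(("error", "no isakmp policy with authentication pre-share, encryption 3des, hash sha"))
    if not any(t["mode"] == "transport" and any(x.startswith(ESP_ENC) for x in t["transforms"])
               and any(x in ESP_HASH for x in t["transforms"]) for t in m["tsets"].values()):
        out.append(("error", "no transport-mode transform-set with 3DES/AES and MD5/SHA"))
    l2tp = 0
    for name, tg in m["tgrp"].items():
        if "l2tp-ipsec" not in m["gpol"].get(tg.get("gpol", ""), {}).get("vpn-tunnel-protocol", []):
            continue
        l2tp += 1
        if "psk" not in tg:
            out.append(("error", f"tunnel-group {name}: no pre-shared key (the iPhone cannot use certificates)"))
        elif len(tg["psk"]) < min_psk_len:
            out.append(("warn", f"tunnel-group {name}: pre-shared key shorter than {min_psk_len} characters"))
        if "ms-chap-v2" not in tg.get("ppp_auth", ()):
            out.append(("error", f"tunnel-group {name}: ppp-attributes lacks authentication ms-chap-v2"))
    if not l2tp:
        out.append(("error", "no tunnel-group whose default group-policy allows l2tp-ipsec"))
    if not m["natt"]:
        out.append(("warn", "crypto isakmp nat-traversal is off; clients behind a PAT device cannot use NAT-T"))
    return out


# The post's ASA sample, minus lines the check does not read; the PSK "test" is the post's own value.
ASA_CFG = """\
crypto ipsec transform-set iPhone esp-3des esp-sha-hmac
crypto ipsec transform-set iPhone mode transport
group-policy iPhone internal
group-policy iPhone attributes
vpn-tunnel-protocol l2tp-ipsec
tunnel-group iPhone type remote-access
tunnel-group iPhone general-attributes
default-group-policy iPhone
tunnel-group iPhone ipsec-attributes
pre-shared-key test
tunnel-group iPhone ppp-attributes
authentication ms-chap-v2
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
crypto isakmp nat-traversal 20
"""

if __name__ == "__main__":
    print(check_iphone(ASA_CFG))
    print(check_iphone(ASA_CFG.replace("hash sha", "hash md5")))  # constructed MD5-only variant
```

Run as-is, the script reports a single warning for the post's sample (the pre-shared key "test" is shorter than the assumed minimum) and a phase 1 error for the MD5-only variant, which is the situation the "why not fully Cisco VPN capable" commenter describes; the author's reply in that thread, adding a separate VPN group for the iPhone rather than loosening the existing one, is the change that would make the check pass without touching the policies other clients rely on.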

To check whether an iPhone user is connected, you can use the command
show vpn-sessiondb detail remote filter protocol L2TPOverIPSec or
show vpn-sessiondb detail remote filter protocol L2TPOverIPSecOverNATT

These show commands give you just the L2TP/IPSEC clients that are connected. The second show command shows you any clients that are using NAT traversal (meaning they are behind a PAT device somewhere).

For information on how to configure the Apple iPhone side of things see here http://docs.info.apple.com/article.html?artnum=305827 or here http://docs.info.apple.com/article.html?artnum=305723.

For information on how to configure L2TP/IPSEC on an IOS VPN router see here http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804dfa69.html

Anyone have this setup at your site? Anyone have another iPhone I can have for "testing" purposes?

The opinions and information presented here are my personal views not those of my employer.

Monkey see Monkey do.......

So why are you advocating connecting such an insecure consumer device to a corporate network?

RE: Monkey

What are you expecting a Cisco security CSE to not push Cisco's sales and marketing agenda? Funny part is that this worked out of the box.........

You two sound like Monkeys

No one advocated anything. The author just stated that it's possible and included exact instructions how. Marketing? huh??
Your Cisco resentment is weighing you down. Let go and be free, silly monkey.

why not fully Cisco VPN capable

While this sounds nice, it looks like it won't work with a lot of corporate Cisco VPN installations.

In our case it looks like we don't use certificates (just PSK as group passwords and RSA SecurID), which is good, but apparently we only support IKE with MD5, so it won't work.

Any updates?

Official release

Hi
Thanks for the explanations!
I heard that Apple and Cisco are working on an official release of the Cisco VPN client for iPhones. Is this true? If yes, do you know when this is going to happen?
Thanks guys

client

I haven't heard.

usability

True, but the limitations I list above are imposed by the Apple iPhone client. If Apple opens up their client to be more extensible then this issue will go away. However, you can always add another VPN group to your VPN gateway that allows this method of connection. I'm not advocating it, just that it works.

About Jamey Heary

Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.

The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.