
Network World

Jamey Heary

Cisco VPN gateways support the iPhone

By jheary on Thu, 12/13/07 - 3:55pm.

So you have your shiny cool new iPhone. You’re addicted to its very cool web browser. Now you want to be able to surf to your internal home or corporate networks over a VPN, right? The embedded iPhone VPN client works over both Wi-Fi and EDGE network connections. Good news: both Cisco IOS routers and the ASA appliance support this. In fact, they’ve supported it all along. Here are some of the geeky details and how to set it up.

The iPhone VPN client uses L2TP/IPsec. This is the same VPN protocol that the Mac OS and Windows XP native VPN clients use. For those not familiar with L2TP/IPsec, just think of it as an alternative to a native IPsec tunnel: the PPP session is carried inside an L2TP tunnel, and that tunnel is protected by IPsec in transport mode. The Cisco routers and firewalls (ASA) have included support for L2TP/IPsec for a number of years now. Apple, in its infinite wisdom, has made the iPhone L2TP/IPsec VPN client almost identical to the one on Mac OS. As a result, Cisco VPN gateways support it.

However, the iPhone L2TP/IPsec VPN client does have some limitations. It is not as full featured as the VPN client on Mac OS. Here are the officially supported features from Apple that you’ll need to know when configuring your VPN gateway to handle the iPhone.

  • IKE phase 1—3DES encryption with SHA1 hash method (no MD5 support).
  • IPsec phase 2—3DES or AES encryption with MD5 or SHA hash method.
  • PPP authentication—MS-CHAPv2 (officially), but PAP and MS-CHAPv1 also worked in testing.
  • Pre-shared key only (no certificate support).

So how do you configure this on a Cisco ASA firewall? Well, here is a sample configuration using the CLI. If you use ASDM (the GUI) then you can run through the wizard and enable the features the iPhone requires. Also, the Cisco ASA configuration guide has a partial CLI example here:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046219

! Address pool handed to L2TP/IPsec clients
ip local pool CLIENT-POOL 10.1.99.128-10.1.99.141 mask 255.255.255.240

! IPsec phase 2: 3DES + SHA in transport mode (L2TP/IPsec requires transport mode)
crypto ipsec transform-set iPhone esp-3des esp-sha-hmac
crypto ipsec transform-set iPhone mode transport

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set iPhone
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

! Group policy that permits the L2TP/IPsec tunnel protocol
group-policy iPhone internal
group-policy iPhone attributes
 vpn-tunnel-protocol l2tp-ipsec
 address-pools value CLIENT-POOL

! Tunnel group: pre-shared key for IKE, MS-CHAPv2 for PPP user authentication
tunnel-group iPhone type remote-access
tunnel-group iPhone general-attributes
 default-group-policy iPhone
 authentication-server-group denlab-RADIUS
tunnel-group iPhone ipsec-attributes
 pre-shared-key test
tunnel-group iPhone ppp-attributes
 authentication ms-chap-v2

! IKE phase 1: pre-shared key, 3DES, SHA1; NAT-T for clients behind a PAT device
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

To those of you familiar with the ASA VPN CLI commands, you’ll notice that this config is nothing special. It is the same config you’ve used to set up any L2TP/IPsec tunnel in the past. Basically, supporting the iPhone doesn’t change things. You just need to ensure that you are allowing the protocols and options that the iPhone supports.
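As an added example (not part of the original post and not Cisco code), here is a small Python checker that encodes the feature list above and reads an ASA configuration dump to report where a gateway would turn the iPhone client away. The parser understands only the commands the sample configuration uses; the abridged configuration embedded in it is copied from the post, and the 16-character minimum pre-shared-key length is my own assumption, not something the post states.

```python
"""Check an ASA running-config for the L2TP/IPsec settings the iPhone client needs,
per the post's feature list. Added example, not Cisco code; the parser only knows
the commands the post's sample configuration uses."""
import re
from collections import defaultdict

PHASE1_ENC, PHASE1_HASH = {"3des"}, {"sha"}             # IKE phase 1: no md5 on the iPhone
PHASE2_ENC = {"esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256"}
PHASE2_HASH = {"esp-md5-hmac", "esp-sha-hmac"}
PPP_AUTH = {"ms-chap-v2", "ms-chap-v1", "pap"}          # ms-chap-v2 is the official one
MIN_PSK_LEN = 16                                        # assumption, not from the post
TOP_LEVEL = ("crypto ", "group-policy ", "tunnel-group ", "ip local pool ")

# Abridged copy of the post's configuration: only the lines the checks look at.
ASA_CONFIG_OK = """
crypto ipsec transform-set iPhone esp-3des esp-sha-hmac
crypto ipsec transform-set iPhone mode transport
group-policy iPhone attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group iPhone general-attributes
 default-group-policy iPhone
tunnel-group iPhone ipsec-attributes
 pre-shared-key test
tunnel-group iPhone ppp-attributes
 authentication ms-chap-v2
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
crypto isakmp nat-traversal 20
"""


def parse_asa(config):
    """Collect ISAKMP policies, transform-sets, group-policies and tunnel-groups."""
    isakmp, gp, tg, transform = defaultdict(dict), defaultdict(dict), defaultdict(dict), {}
    nat_t, section = False, None            # section = (kind, name) of the open sub-mode
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            section = ("isakmp", m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            entry = transform.setdefault(m.group(1), {"algs": set(), "mode": "tunnel"})
            if m.group(2).startswith("mode "):
                entry["mode"] = m.group(2).split()[1]
            else:
                entry["algs"].update(m.group(2).split())
            section = None
        elif line.startswith("crypto isakmp nat-traversal"):
            nat_t, section = True, None
        elif m := re.match(r"group-policy (\S+) attributes$", line):
            section = ("gp", m.group(1))
        elif m := re.match(r"tunnel-group (\S+) (general|ipsec|ppp)-attributes$", line):
            section = ("tg-" + m.group(2), m.group(1))
        elif section is None or line.startswith(TOP_LEVEL):
            section = None                      # some other top-level command
        else:                                   # sub-mode line of the open section
            (kind, key), tokens = section, line.split()
            if kind == "isakmp":
                isakmp[key][tokens[0]] = tokens[-1]
            elif kind == "gp":
                gp[key][tokens[0]] = tokens[1:]
            elif kind == "tg-general":
                tg[key][tokens[0]] = tokens[-1]
            elif kind == "tg-ipsec" and tokens[0] == "pre-shared-key":
                tg[key]["psk"] = tokens[1]
            elif kind == "tg-ppp" and tokens[0] == "authentication":
                tg[key].setdefault("ppp_auth", set()).add(tokens[1])
    return {"isakmp": isakmp, "transform": transform, "gp": gp, "tg": tg, "nat_t": nat_t}


def check_iphone_compat(config):
    """Return ERROR/WARN findings; an empty list means the post's feature list is met."""
    cfg, findings = parse_asa(config), []
    if not any(p.get("authentication") == "pre-share" and p.get("encryption") in PHASE1_ENC
               and p.get("hash") in PHASE1_HASH for p in cfg["isakmp"].values()):
        findings.append("ERROR: no ISAKMP policy with pre-share + 3des + sha (the iPhone has no MD5 support)")
    if not any(t["mode"] == "transport" and t["algs"] & PHASE2_ENC and t["algs"] & PHASE2_HASH
               for t in cfg["transform"].values()):
        findings.append("ERROR: no transport-mode transform-set with 3DES/AES + MD5/SHA")
    l2tp_groups = 0
    for name, t in cfg["tg"].items():
        policy = cfg["gp"].get(t.get("default-group-policy", ""), {})
        if "l2tp-ipsec" not in policy.get("vpn-tunnel-protocol", []):
            continue                            # not an L2TP/IPsec group; skip it
        l2tp_groups += 1
        psk = t.get("psk", "")
        if not psk:
            findings.append(f"ERROR: tunnel-group {name}: no pre-shared key (client has no certificate support)")
        elif len(psk) < MIN_PSK_LEN:
            findings.append(f"WARN: tunnel-group {name}: pre-shared key shorter than {MIN_PSK_LEN} characters")
        if not t.get("ppp_auth", set()) & PPP_AUTH:
            findings.append(f"ERROR: tunnel-group {name}: PPP authentication must allow ms-chap-v2")
    if not l2tp_groups:
        findings.append("ERROR: no tunnel-group whose group-policy allows l2tp-ipsec")
    if not cfg["nat_t"]:
        findings.append("WARN: crypto isakmp nat-traversal is off; needed for clients behind a PAT device")
    return findings
```

Feed `check_iphone_compat()` the text of `show running-config` and read the list it returns. On the post's own configuration the only finding is the warning about the short sample pre-shared key; changing `hash sha` to `hash md5` in the ISAKMP policy reproduces the situation the commenter below describes, and the checker reports that no IKE phase 1 policy matches what the iPhone offers.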

To check whether an iPhone user is connected you can use the command
show vpn-sessiondb detail remote filter protocol L2TPOverIPsec
or
show vpn-sessiondb detail remote filter protocol L2TPOverIPsecOverNatT

These show commands give you just the L2TP/IPsec clients that are connected. The second show command shows you any clients that are using NAT traversal (meaning they are behind a PAT device somewhere).

For information on how to configure the Apple iPhone side of things see http://docs.info.apple.com/article.html?artnum=305827 or http://docs.info.apple.com/article.html?artnum=305723 .

For information on how to configure L2TP/IPsec on an IOS VPN router see http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804dfa69.html

Anyone have this setup at your site? Anyone have another iPhone I can have for "testing" purposes.

The opinions and information presented here are my personal views not those of my employer.

Monkey see Monkey do.......


So why are you advocating connecting such an insecure consumer device to a corporate network?

RE: Monkey


What are you expecting, a Cisco security CSE to not push Cisco's sales and marketing agenda? Funny part is that this worked out of the box.........

You two sound like Monkeys


No one advocated anything. The author just stated that it's possible and included exact instructions how. Marketing? huh??
Your Cisco resentment is weighing you down. Let go and be free, silly monkey.

why not fully Cisco VPN capable


While this sounds nice, it looks like it won't work with a lot of corporate Cisco VPN installations.

In our case it looks like we don't use certificates (just PSK as group passwords and RSA SecurID), which is good, but apparently we only support IKE with MD5 so it won't work.

Any updates?

Official release


Hi,
Thanks for the explanations!
I heard that Apple and Cisco are working on an official release of the Cisco VPN client for iPhones. Is this true? If yes... do you know when this is gonna happen?
Thanks guys

client


I haven't heard.

usability


True, but the limitations I list above are imposed by the Apple iPhone client. If Apple opens up their client to be more extensible then this issue will go away. However, you can always add another VPN group to your VPN gateway that allows this method of connection. I'm not advocating it, just that it works.

About Cisco Security Expert

Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.
