Cisco VPN gateways support the iPhone

So you have your shiny cool new iPhone. You're addicted to its very cool web browser. Now you want to be able to reach your internal home or corporate network over VPN, right? The embedded iPhone VPN client works over both Wi-Fi and EDGE network connections. Good news: both Cisco IOS routers and the ASA appliance support it. In fact, they've supported it all along. Here are some of the geeky details and how to set it up. The iPhone VPN client uses L2TP/IPsec. This is the same VPN protocol that the MacOS and Windows XP native VPN clients use. For those not familiar with L2TP/IPsec, think of it as an alternative to a native IPsec client: IPsec in transport mode protects an L2TP tunnel, and PPP inside that tunnel carries the user authentication and the client's address. Cisco routers and firewalls (ASA) have included support for L2TP/IPsec for a number of years now. Apple, in its infinite wisdom, has made the iPhone L2TP/IPsec VPN client almost identical to the one in MacOS. As a result, Cisco VPN gateways support it. However, the iPhone L2TP/IPsec VPN client does have some limitations. It is not as full featured as the VPN client in MacOS. Here are the officially supported features from Apple that you'll need to know when configuring your VPN gateway to handle the iPhone.

  • IKE phase 1: 3DES encryption with SHA-1 hash (no MD5 support).
  • IPsec phase 2: 3DES or AES encryption with MD5 or SHA-1 hash.
  • PPP authentication: MS-CHAPv2 (officially), but PAP and MS-CHAPv1 also worked in testing.
  • Pre-shared key (no certificate support).
So how do you configure this on a Cisco ASA firewall? Here is a sample configuration using the CLI. If you use ASDM (the GUI), you can run through the wizard and enable the features the iPhone requires. The Cisco ASA configuration guide also has a partial CLI example here: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046219

ip local pool CLIENT-POOL 10.1.99.128-10.1.99.141 mask 255.255.255.240
crypto ipsec transform-set iPhone esp-3des esp-sha-hmac
crypto ipsec transform-set iPhone mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set iPhone
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
group-policy iPhone internal
group-policy iPhone attributes
 vpn-tunnel-protocol l2tp-ipsec
 address-pools value CLIENT-POOL
tunnel-group iPhone type remote-access
tunnel-group iPhone general-attributes
 default-group-policy iPhone
 authentication-server-group denlab-RADIUS
tunnel-group iPhone ipsec-attributes
 pre-shared-key test
tunnel-group iPhone ppp-attributes
 authentication ms-chap-v2
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

To those of you familiar with the ASA VPN CLI commands, you'll notice that this config is nothing special. It is the same config you've used to set up any L2TP/IPsec tunnel in the past. Supporting the iPhone doesn't change things; you just need to ensure that you are allowing the protocols and options the iPhone supports. A few things worth checking before you copy it: the transform-set must be in transport mode (L2TP/IPsec clients will not negotiate tunnel mode); "pre-shared-key test" is a placeholder, and since every L2TP/IPsec client shares that one key you should use a long random value; the 3DES/SHA-1/group 2 ISAKMP policy is what the iPhone can offer, so keep it in its own policy rather than loosening a policy your other peers use; and Cisco's own L2TP/IPsec example (linked above) puts the ppp-attributes and pre-shared key on the DefaultRAGroup tunnel group, so if your iPhone sessions show up under DefaultRAGroup rather than the named group, apply the same settings there. To check whether the iPhone user is connected, you can use the command
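Here is an added example, not from the original post and not Cisco's code, that checks an ASA configuration fragment against the iPhone requirements listed above before you push it: a phase 1 policy with pre-share/3DES/SHA, a transport-mode transform-set with 3DES or AES and MD5 or SHA bound to the dynamic map, MS-CHAPv2 under ppp-attributes, l2tp-ipsec allowed by the group policy, NAT-T enabled, and a pre-shared key that is not a placeholder. The sample config is the fragment from this post with ASA's one-space sub-mode indentation restored; the 20-character minimum for the pre-shared key is an assumed local policy, not something Cisco or Apple require.

```python
"""Lint an ASA config fragment against the iPhone L2TP/IPsec client requirements."""
import re
from collections import defaultdict

# Constructed sample input: the ASA fragment from this post, with the one-space
# indentation ASA uses for sub-mode commands restored.
ASA_CONFIG = """\
ip local pool CLIENT-POOL 10.1.99.128-10.1.99.141 mask 255.255.255.240
crypto ipsec transform-set iPhone esp-3des esp-sha-hmac
crypto ipsec transform-set iPhone mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set iPhone
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
group-policy iPhone internal
group-policy iPhone attributes
 vpn-tunnel-protocol l2tp-ipsec
 address-pools value CLIENT-POOL
tunnel-group iPhone type remote-access
tunnel-group iPhone general-attributes
 default-group-policy iPhone
 authentication-server-group denlab-RADIUS
tunnel-group iPhone ipsec-attributes
 pre-shared-key test
tunnel-group iPhone ppp-attributes
 authentication ms-chap-v2
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
"""

IPSEC_ENC = {"esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256"}
IPSEC_HASH = {"esp-md5-hmac", "esp-sha-hmac"}
PPP_TESTED = {"pap", "ms-chap-v1"}  # worked in the post's testing, not officially supported
MIN_PSK_LEN = 20                    # assumption: local policy for a secret shared by all clients


def parse_asa(text):
    """Return (top_level_lines, {top_level_line: [sub_commands]}) for ASA-style config."""
    top, children, parent = [], defaultdict(list), None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and parent is not None:   # sub-mode command
            children[parent].append(raw.strip())
        else:
            parent = raw.strip()
            top.append(parent)
    return top, children


def _blocks(top, children, pattern):
    """Yield (regex match, sub_commands) for every top-level line matching pattern."""
    for line in top:
        m = re.match(pattern, line)
        if m:
            yield m, children[line]


def _sub(cmds, key):
    """Values of every sub-command that starts with key (ASA allows repeats)."""
    return [c.partition(" ")[2] for c in cmds if c.split()[0] == key]


def check_iphone_compat(text):
    """Return a list of (severity, message); 'error' entries block the iPhone."""
    top, children = parse_asa(text)
    out = []
    # IKE phase 1: the iPhone offers only 3DES/SHA-1 with a pre-shared key.
    if not any("pre-share" in _sub(c, "authentication") and "3des" in _sub(c, "encryption")
               and "sha" in _sub(c, "hash")
               for _, c in _blocks(top, children, r"crypto isakmp policy \d+$")):
        out.append(("error", "no crypto isakmp policy with pre-share, 3des and sha"))
    # IPsec phase 2: transform-sets are single top-level lines, so gather them by name.
    tsets = defaultdict(dict)
    for m, _ in _blocks(top, children, r"crypto ipsec transform-set (\S+) (.+)$"):
        name, rest = m.groups()
        if rest.startswith("mode "):
            tsets[name]["mode"] = rest.split()[1]
        else:
            tsets[name]["algs"] = set(rest.split())
    good = {n for n, t in tsets.items() if t.get("algs", set()) & IPSEC_ENC
            and t.get("algs", set()) & IPSEC_HASH and t.get("mode") == "transport"}
    if not good:
        out.append(("error", "no transform-set with 3des/aes + md5/sha in transport mode"))
    bound = {n for m, _ in _blocks(top, children, r"crypto dynamic-map \S+ \d+ set transform-set (.+)$")
             for n in m.group(1).split()}
    if good and not good & bound:
        out.append(("error", "iPhone-capable transform-set is not set on any dynamic-map"))
    # PPP authentication inside the L2TP tunnel.
    auths = {a for _, c in _blocks(top, children, r"tunnel-group \S+ ppp-attributes$")
             for a in _sub(c, "authentication")}
    if "ms-chap-v2" not in auths:
        out.append(("warn" if auths & PPP_TESTED else "error",
                    "ms-chap-v2 not enabled under any tunnel-group ppp-attributes"))
    # The group policy must permit the l2tp-ipsec tunnel protocol.
    protos = {p for _, c in _blocks(top, children, r"group-policy \S+ attributes$")
              for v in _sub(c, "vpn-tunnel-protocol") for p in v.split()}
    if "l2tp-ipsec" not in protos:
        out.append(("error", "no group-policy allows vpn-tunnel-protocol l2tp-ipsec"))
    # Phones on EDGE or home Wi-Fi sit behind NAT/PAT, so NAT-T must be on.
    if not any(line.startswith("crypto isakmp nat-traversal") for line in top):
        out.append(("warn", "crypto isakmp nat-traversal is not enabled"))
    # One pre-shared key is shared by every L2TP/IPsec client; '*****' means masked by show run.
    for m, c in _blocks(top, children, r"tunnel-group (\S+) ipsec-attributes$"):
        for key in _sub(c, "pre-shared-key"):
            if key.strip("*") and len(key) < MIN_PSK_LEN:
                out.append(("warn", f"tunnel-group {m.group(1)}: pre-shared key is only {len(key)} chars"))
    return out


def is_iphone_ready(text):
    """True when the config has no error-level findings."""
    return not any(sev == "error" for sev, _ in check_iphone_compat(text))


if __name__ == "__main__":
    for sev, msg in check_iphone_compat(ASA_CONFIG):
        print(f"[{sev}] {msg}")
```

Run against the fragment above it reports only the short pre-shared key; drop the "mode transport" line or change the ISAKMP hash to MD5 and it reports the phase 2 and phase 1 errors the iPhone would hit during negotiation. To run it on a real box, paste the relevant part of "show running-config" into ASA_CONFIG or read it from a file.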

show vpn-sessiondb detail remote filter protocol L2TPOverIPSec or show vpn-sessiondb detail remote filter protocol L2TPOverIPSecOverNatT

These show commands give you just the L2TP/IPsec clients that are connected. The second one shows only the clients that are using NAT traversal (meaning they are behind a NAT or PAT device somewhere), which is where a phone on EDGE or on home Wi-Fi will normally appear. For information on how to configure the Apple iPhone side of things see here http://docs.info.apple.com/article.html?artnum=305827 or here http://docs.info.apple.com/article.html?artnum=305723 . For information on how to configure L2TP/IPsec on an IOS VPN router see here http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804dfa69.html Anyone have this setup at your site? Anyone have another iPhone I can have for "testing" purposes? The opinions and information presented here are my personal views, not those of my employer.


Copyright © 2007 IDG Communications, Inc.