
IOS VPN Configuration for iPhone

keatscon asked:
Does anyone have a sample configuration for an IOS router that will allow an iPhone to connect to it via a VPN tunnel? If so, would you please post it here?


You could configure SSL-based WebVPN. That'd work for anything with a browser and Java.

Generate a self signed cert:

!--- Self-Signed Certificate Information

crypto pki trustpoint OURCERTNAME
 enrollment selfsigned
 serial-number none
 ip-address none
 revocation-check crl
 rsakeypair OURCERTNAME 1024
!
crypto pki certificate chain OURCERTNAME
 certificate self-signed 02
  30820240 308201A9 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
!---------------------

!--- the WebVPN Gateway

webvpn gateway OurName
 ip address x.x.x.x port 443
 http-redirect port 80
 ssl trustpoint OURCERTNAME
 inservice

!--- the WebVPN Context

webvpn context webvpn
 title-color #CCCC66
 secondary-color white
 text-color black
 ssl authenticate verify all


!--- resources available to the client

 port-forward "portforward_list_1"
   local-port 3002 remote-server "172.22.1.20" remote-port 110 description "Pop3 Email"
   local-port 3001 remote-server "172.22.1.30" remote-port 23 description "Telnet"



!--- the group policy

 policy group policy_1
   port-forward "portforward_list_1"
 default-group-policy policy_1
 aaa authentication list sdm_vpn_xauth_ml_1
 gateway OurName domain webvpn
 max-users 2
 inservice


When someone authenticates on the page, Java will build a list of available applications based on what's in the port-forward list.

keatscon (Author) commented:
Thank you elsewhere1, but the iPhone, as far as I know, will not work with this the way we need it to.
We are supposed to make a direct VPN connection between an iPhone and the IOS based device, whether it is an ASA or IOS router using an IPSec tunnel.

elsewhere1 commented:
Oh, I assumed it had to be done on a router. From the ASA it's cake:


ip local pool vpn-pool 10.4.8.0-10.4.10.255 mask 255.255.252.0

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS host x.x.x.x
 timeout 5
 key DEFINEAKEYHERE
aaa-server vpn protocol radius
aaa-server vpn host x.x.x.x
 key THEABOVEKEY
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
group-policy _groupname_ internal
group-policy _groupname_ attributes
 dns-server value x.x.x.x
 vpn-session-timeout 36000
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified

tunnel-group _groupname_ type remote-access
tunnel-group _groupname_ general-attributes
 address-pool vpn-pool
 authentication-server-group RADIUS
 default-group-policy _groupname_
tunnel-group _groupname_ ipsec-attributes
 pre-shared-key YOURKEYAGAIN

iPhone stuff here:
https://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/iPhone/2.0/connectivity/guide/iphone.html
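Before putting an ASA remote-access config like the one above in front of phones, it is worth checking it for settings that are weak or that will break mobile clients. The script below is an added example written for this page (not Cisco's code and not from the thread): it runs a handful of regex checks over a constructed excerpt of the posted config and reports the IKE/IPsec choices (3DES, DH group 2), the disabled NAT traversal, the extra tunnel protocols and the split-tunnel policy that a reviewer would flag.

```python
import re

# Constructed excerpt of the ASA configuration posted in the thread,
# trimmed to the lines the checks below look at.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
group-policy _groupname_ attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
"""

# (regex, finding) pairs; each regex is matched against one stripped config line.
CHECKS = [
    (r"^encryption (des|3des)$", "IKE policy uses DES/3DES; prefer AES"),
    (r"^crypto ipsec transform-set \S+ .*esp-(des|3des)\b", "IPsec transform set uses DES/3DES; prefer AES"),
    (r"^hash md5$", "IKE policy uses MD5 integrity"),
    (r"^group (1|2|5)$", "IKE DH group 1/2/5 is weak; prefer group 14 or higher"),
    (r"^no crypto isakmp nat-traversal$", "NAT-T disabled: clients behind NAT (e.g. phones on cellular) cannot pass ESP"),
    (r"^vpn-tunnel-protocol .*\bwebvpn\b", "group policy also permits webvpn; restrict to the protocols the clients actually use"),
    (r"^split-tunnel-policy tunnelspecified$", "split tunnelling enabled; client traffic to other destinations bypasses the VPN"),
]

def audit_config(config_text):
    """Return (line_number, finding) for each config line that matches a weak-setting check."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        for pattern, message in CHECKS:
            if re.match(pattern, line):
                findings.append((lineno, message))
    return findings

if __name__ == "__main__":
    for lineno, msg in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {msg}")
```

Feed it `show running-config` output instead of the sample to review a real box; the checks only look at the IKE policy, transform set, NAT-T and group-policy lines.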


keatscon (Author) commented:
elsewhere1,

Appreciate your quick responses and the example configurations you have provided, but have you used these configurations in connecting an iPhone to an ASA or IOS Router?
Am looking for a configuration example from someone that has actually configured an ASA or IOS Router to support an iPhone connection.

Have gone to the link you, and many others, have posted and have found no real useful information that tells me how to configure an IOS router to allow iPhones to connect. That is why I am looking for an example configuration from someone that has actually done this so that I can learn from their pain and experience.

elsewhere1 commented:
I've used the configuration for the ASA, I use it now. Not for an iPhone. It's all a matter of the client side settings.
Per Cisco:
Configure your Cisco security appliance exactly as you would to support connections from the Cisco VPN Client (IPSec).

Which is the above configuration. I'm not sure what needs to be done on the phone side of things, but it certainly looks like it's supported. :)