?
Solved

VPN on I-Phone 5

Posted on 2013-01-15
13
Medium Priority
?
423 Views
Last Modified: 2013-06-09
I'm having troubles connecting to our corporate VPN on an I-Phone 5.  Our current setup is a L2TP w/ PSK and certificate for authentication.  The VPN at the office is made up of a RAS server, hosted on Windows 2003 and a certificate server that goes out on a dedicated public IP address that the outside world can see.  The problem with any VPN software on Apple and Android phones, is there is no setup that only looks for a certificate, it always asks for a password for authentication.  There is no password in this case, thats what the certificate is for.  Has anyone run into this or have any ideas?  I've tried multiple VPN clients in the App Store, but maybe I missed one.  Also, I was able to get it to work on a MacBook Pro on the Snow Leopard OS so I would think there would be a way to get this to work.

Thank You!
0
Comment
Question by:SGCAdmin
  • 7
  • 6
13 Comments
 
LVL 66

Expert Comment

by:btan
ID: 38781330
Rightfully you should see it after by "add vpn configuration" option and in this case example in link it is Cisco and can state use user certificate

http://www.personal.psu.edu/dmt155/iphonevpn/

Useful info

http://help.apple.com/iosdeployment-vpn/mac/1.1/?lang=en-us#appc28ee2b9
http://www.fatofthelan.com/technical/using-the-apple-ipadiphone-configuration-utility-for-vpn/
0
 
LVL 1

Author Comment

by:SGCAdmin
ID: 38783232
Hi Breadtan,

Thanks for the info and response.  Unfortunately, the Cisco IPSec config only allows a certificate with no option for PSK.   I am however, looking into a couple of the clients in that second link that I haven't tried, however, its not looking good so far.
0
 
LVL 66

Expert Comment

by:btan
ID: 38785201
Pardon me if I misunderstand but it is either certificate or psk, which doubt it can be both.

https://supportforums.cisco.com/thread/2160186
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 1

Author Comment

by:SGCAdmin
ID: 38787177
We actually do have it working with both and have been using it this way for over 8 years.  This may not be a typical setup, but its that much more secure when you need a certificate and a PSK to connect.  Both Microsoft and Apple both have configuration options in their computer OS's, apparently, just not in their phone OS's.  

I'm still digging for a possible solution, I'd hate to change what's been working for us.
0
 
LVL 66

Expert Comment

by:btan
ID: 38787365
noted i can understand that. You may want to check this interesting discussion. it has a table on the testing done with PSK and Cert via 3G, iwif to internet, wifi to LAN. I am suspecting you are looking out for Cert+Xauth (though i am not sure of the config)

https://discussions.apple.com/thread/4312913?start=30&tstart=0

It did point to IOS 6.0.1 - http://support.apple.com/kb/DL1606
0
 
LVL 1

Author Comment

by:SGCAdmin
ID: 38788908
Thanks for the research.  I can confirm however it doesn't work on both wireless or 3g/4g data so that update wouldnt apply.  I'm losing faith that there is mobile vpn software that looks for both cert and PSK.
0
 
LVL 66

Expert Comment

by:btan
ID: 38790003
Will see if chanced upon any other info but maybe posting to apple forum or even post this to vendor of interest may widen the scope...
0
 
LVL 1

Author Comment

by:SGCAdmin
ID: 38814381
I setup a test RRAS server so I could play with all configuations I could think of w/o affecting users, and I still cannot get this working.  I've also noticed, I cannot get certificate only based authentication working either, only MS-Chap V2 and L2TP PSK by itself works on the phone.  I think the default VPN I-Phone software, Cisco Any Connect for IPSEC, only accepts Cisco certificates and not Microsoft CA certificates.  I cannot find any info for anyone that has setup a Microsoft RRAS and used certificates as authentication on the i-phone or android.
0
 
LVL 66

Expert Comment

by:btan
ID: 38814509
It may be the insult vpn stack but certificate base should be standard of adhering to x509v3..cannot wonder Cisco cert is possible but not Microsoft certificate....unless they are different key algorithm
0
 
LVL 1

Accepted Solution

by:
SGCAdmin earned 0 total points
ID: 38868477
For now, we decided to go with a very complicated PSK and Active Directory authentication instead of using a certificate.  This is all setup on a new RAS server dedicated for just phone VPN.  Kind of disappointing, but at least I am still using Cert and PSK for PC communication.

Thanks!

Also, I'm not sure how to close this, as this was not solved.  I would like to leave the question in the system, in case someone else finds this.
0
 
LVL 1

Author Comment

by:SGCAdmin
ID: 39217311
Can anyone assist in closing this?  Please see my last comment for details why.

Thanks
0
 
LVL 66

Expert Comment

by:btan
ID: 39217776
You can close with points awarded if they had helped or likewise close it without any point awarded. Can request attention if needed further assistance etc. Thanks!
0
 
LVL 1

Author Closing Comment

by:SGCAdmin
ID: 39232717
See above.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will show you step-by-step instructions to build your own NTP CentOS server.  The network diagram shows the best practice to setup the NTP server farm for redundancy.  This article also serves as your NTP server documentation.
In this article I will be showing you how to subnet the easiest way possible for IPv4 (Internet Protocol version 4). This article does not cover IPv6. Keep in mind that subnetting requires lots of practice and time.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

616 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question