Cisco VPN 3k Config for iPhone
Tags: Cisco, how to, iphone, Security, vpn
Recently I was asked if I could help set up a VPN connection between an Apple iPhone and a Cisco VPN Concentrator 3000. My first round of googling didn’t look good: there’s a discussion here complaining about how crap VPN support on the iPhone is. Further searching led me to a Cisco document which specifically targets Mac clients; that document is for ASA configuration, but if you look carefully* everything you need is in there.
*No, I didn’t get this working first time; it took me a good couple of hours of googling, but looking back I can see that all the info is there.
The key to getting this working is that the iPhone side is not as configurable as it should be, so if you’re trying to get this to work you need to be talking to the IT administrator to get the concentrator side changed. The first word of warning is that the iPhone client doesn’t support group authentication, so you’re going to be changing the base group. By default most “production” groups inherit settings from the base group, so you will need to make sure that anything you change in the base group doesn’t affect your other L2L or Remote Access tunnels. (You have been warned.)
To get started: for whatever reason the iPhone only supports Cisco’s NAT-T implementation of IPSEC, so if you have a firewall or access-list in front of your concentrator you’re going to need to open up UDP 4500, then enable NAT Transparency. Another word of warning about NAT-T: we found that existing VPNs to Cisco routers started to fail after enabling this, which was a bit odd as NAT-T wasn’t enabled under any of the L2L profiles. Anyway, to fix the issue we enabled NAT-T on the routers (again, make sure UDP 4500 is allowed through any ACLs) and under “conf t” issue:
crypto ipsec nat-transparency udp-encapsulation
So, back to the cVPN3k config...
Configuration -> Tunnel & Security -> NAT Transparency
IPSEC over NAT-T - TICK
So a quick explanation of the above so you get the idea: from the tree on the left, click “Configuration”, then “Tunnel & Security”, then “NAT Transparency”, and tick the box next to NAT-T.
Now you need to setup your PHASE 1 Proposal…
Config -> Tunnel & Sec -> IPSEC -> IKE Proposal
I called mine iphone, and you need to configure the following settings.
- Authentication: Preshared Key (NOT the one with Xauth)
- Hash: SHA-1
- Encryption: 3DES
- Diffie-Hellman: Group 2
After phase one, comes PHASE 2:
Config -> Policy Management -> Traffic Mgmt -> SA
Again, add the following settings; I called mine iphone.
- Authentication: ESP / SHA
- Encryption: 3DES
- Encapsulation: Transport
- IKE Proposal = iphone (or whatever your phase 1 was called)
Then finally we start working with the groups, so as mentioned above you need to work with the base group:
Config -> User Management -> Base Group
And you need to enable the following, the other settings will be optional:
On the Base Group Tab,
- Tunnel Protocol: Tick “L2TP over IPSec”
On the IPSEC Tab,
- Authentication: Internal or NT depending on what you’ve already configured for other Remote Access Profiles.
- IPSEC SA is set to: iphone
- Default Preshared Key: Set this to something really really long (this will be your secret on the iphone)
On the PPTP/L2TP Tab,
- L2TP Authentication Protocols: Tick MSCHAPv1 / MSCHAPv2
- L2TP Encryption: Tick 40 & 128 bit
DONE! Now with a little bit of luck your iphone should connect.
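Once the phone connects, the quickest way to confirm it is really negotiating and carrying data over NAT-T is to look at what arrives on UDP 4500. The classifier below is an added example, not part of the original post or any Cisco tool: it applies the RFC 3948 framing rules (IKE is prefixed with a four-zero-byte Non-ESP marker, UDP-encapsulated ESP starts with its SPI, a keepalive is a single 0xFF byte) to constructed sample datagrams, so a tunnel that shows IKE but never ESP has negotiated without passing any user traffic.

```python
import struct
# IKEv1 exchange types from the ISAKMP header (RFC 2408 / RFC 2409)
EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on UDP/4500 is prefixed with four zero bytes
ISAKMP_HDR_LEN = 28

def classify_nat_t(payload: bytes) -> dict:
    """Classify one UDP/4500 datagram: keepalive (single 0xFF), IKE (Non-ESP marker
    followed by an ISAKMP header) or UDP-encapsulated ESP (first 4 bytes are the SPI)."""
    if payload == b"\xff":
        return {"kind": "keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        if len(payload) < 4 + ISAKMP_HDR_LEN:
            return {"kind": "ike", "truncated": True}
        ispi, _rspi, _next, version, exch, flags, _msg_id, length = struct.unpack(
            "!8s8sBBBBII", payload[4:4 + ISAKMP_HDR_LEN])
        return {
            "kind": "ike",
            "major_version": version >> 4,
            "exchange": EXCHANGE_TYPES.get(exch, f"type {exch}"),
            "encrypted": bool(flags & 0x01),          # E bit: payloads after the header are encrypted
            "initiator_spi": ispi.hex(),
            "length_ok": length == len(payload) - 4,  # header length covers everything but the marker
        }
    if len(payload) >= 8:                             # ESP: SPI (never zero) then sequence number
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": f"{spi:08x}", "seq": seq}
    return {"kind": "unknown"}

def summarize(datagrams) -> dict:
    """Count datagrams by kind. IKE with no ESP means the phone negotiated but passes no traffic."""
    counts = {}
    for d in datagrams:
        kind = classify_nat_t(d)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts

def ike_datagram(exchange, flags=0, msg_id=0, body=b"\x00" * 8) -> bytes:
    """Build a NAT-T framed IKEv1 datagram with a dummy initiator cookie (constructed test data)."""
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, 0x10, exchange, flags, msg_id,
                      ISAKMP_HDR_LEN + len(body))
    return NON_ESP_MARKER + hdr + body

# Constructed sample datagrams, not a real capture: Main Mode, encrypted Quick Mode, keepalive, ESP
SAMPLE_DATAGRAMS = [
    ike_datagram(2),
    ike_datagram(32, flags=0x01, msg_id=0xDEADBEEF),
    b"\xff",
    struct.pack("!II", 0x1A2B3C4D, 1) + b"\x5a" * 20,
]
```

Feed it the UDP payloads from a capture taken in front of the concentrator; a healthy session shows Main Mode, then Quick Mode, then a steady stream of ESP.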
A quick note about comments: all support requests will be deleted. I don’t have access to a concentrator to offer any meaningful advice; you use the above config at your own risk.

12th August, 2008 - 5:49 pm
Doesn’t work. I tried this and several different ways. It is a no go. Folks, there is no support for the 3k series concentrators. If you have an ASA appliance then it will work. You can get it to connect all day, but it doesn’t know what to do with the traffic.
28th August, 2008 - 7:54 pm
Hi “User”
I’ve taken my time on approving your comment as I wanted to contact the people whom I set this up for in the 1st place.
I believe your comment to be 50% correct, there is no support for the concentrator but that doesn’t mean it doesn’t work.
The people whom I set this up for have said that it’s still working fine, it is true that this article is quite old and the instructions relate to iPhone firmware version 1, and apple introduced a proper cisco client with a later firmware.
My message to all who stumble across this article is: concentrators are not supported by Cisco, ASAs are the way to go, so if you can’t get this to work yourself then perhaps this is a good excuse to update.
I would also like to remind readers that I do not have a concentrator or an iPhone and cannot answer any support questions.
Thanks,
Nick
28th August, 2008 - 7:59 pm
Cisco supports the VPN 3000 line of concentrators. It runs their IOS. Also, that said, that line of concentrators does in every way allow it to connect. It just will not pass traffic in any way; it will null it as soon as it sees traffic. It reads the iPhone as a “network blackhole”. That being said, I have tried the IPsec, PPTP and the straight RADIUS style configurations. I have tried this on the 2.0 software that is now the updated 1.0 software on the iPhone and the iPod. The VPN 3000 line is not supported by the iPhone. It is not a problem with the concentrators nor Cisco, but in fact an Apple choice.
28th August, 2008 - 7:59 pm
I can’t edit, but if you call Cisco they will transfer you to a support rep who will set up the 3k line.
28th August, 2008 - 8:10 pm
Your feedback is interesting, and to be honest I don’t really want to get into an argument on whether you think this article is true or not; as I have stated, I don’t have a phone or concentrator to validate either claim I have received.
I tried to speak with Cisco once very early (before I wrote this doc) and got bounced, recently people have told me they simply get told this information so the fact someone helped you config the 3k is brilliant, it just goes to show how some support personnel are more helpful than others… that all being said I believe there is likely to be a lot of truth in your final statement “It is not a problem with the concentrators nor Cisco. But in fact an apple choice.”
Kind Regards,
Nick
28th August, 2008 - 8:17 pm
True, I am not trying to argue, but just going from some real testing with that series. But I think it more or less goes to Cisco: if you have support contracts with them they usually bend over backwards. Regular user calls in, you get the shaft.
One thing I will say: corporations need to start getting together more and working with each other. It’s the consumer that makes them money. Make it easy for us. I mean, come on.
5th September, 2008 - 4:19 am
Well I don’t know why some of you claim it doesn’t work.
I just tried it on a new iPhone 3G with firmware 2.0.2, and it connects just fine over a GPRS connection. Before these changes, the Cisco IPSEC worked but not over GPRS/3G connections, and L2TP didn’t work at all. Now, I can connect with L2TP over GPRS just fine.
Many thanks to the original poster, and keep up the good work!