Blog |Follow Nick on Twitter| About
 

Recently I was asked if I could help setup a VPN connection between an Apple iPhone and a Cisco VPN Concentrator 3000, my 1st round of googling didn't look good, there's a discussion here complaining about how crap vpn support on the iphone is; further searching lead me to a Cisco document which specifically targets mac clients, this document is for ASA configuration, but if you look carefully* everything you need is in there.

*No, I didn't get this working 1st time, it took me a good couple of hours of googling, but looking back I can see that all the info is there.

The key to getting this working is that the iphone side is not as configurable as it should be, so if you're trying to get this to work you need to be talking to the IT administrator to get the concentrator side changed. The 1st word of warning is that the iphone client doesn't support group authentication, so you're going to be changing the base group, now by default most "production" groups will inherit settings from the base group, so you will need to make sure that if you change anything in the base group that it doesn't effect your other L2L or Remote Access tunnels. (You have been warned.)

To get started, for whatever reason the iphone only supports cisco's NAT-T implementation of IPSEC, so if you have a firewall or access-list in front of your concentrator you're going to need to open up UDP 4500, then enable NAT Transparency. Another word of warning about NAT-T, we found that existing VPNS to Cisco Routers started to fail after enabling this, which was a bit odd as NAT-T wasn't enabled under any of the L2L profiles, anyway, to fix the issue we enabled NAT-T on the routers (again make sure UDP 4500 is allowed though any ACLs) and under "conf t" issue:

crypto ipsec nat-transparency udp-encapsulation

So, back to the cVPN3k config......

Configuration -> Tunnel & Security -> NAT Transparency IPSEC over NAT-T - TICK

So a quick explanation of the above so you get the idea; from the tree on the left, click "Configuration" then "Tunnel & Security" then "NAT Transparency" and tick the box next to NAT-T.

Now you need to setup your PHASE 1 Proposal...

Config -> Tunnel & Sec -> IPSEC -> IKE Proposal

I called mine iphone, and you need to configure the following settings.

  • Authentication: Preshared Key (NOT the one with Xauth)
  • Hash: SHA-1
  • Encryption: 3DES
  • DiffeHelmen: Group 2

After phase one, comes PHASE 2:

Config -> Policy Manage -> Traffic Mgnt -> SA

Again, add the following settings and I called mine: iphone

  • Authentication: ESP / SHA
  • Encryption: 3DES
  • Enacapsulation: Transport
  • IKE Proposal = iphone (or whatever your phase 1 was called)

Then finally we start working with the groups, so as mentioned above you need to work with the base group:

Config -> User Management -> Base Group

And you need to enable the following, the other settings will be optional:

On the Base Group Tab,

  • Tunnel Protocol: Tick "L2TP over IPSec"

On the IPSEC Tab,

  • Authentication: Internal or NT depending on what you've already configured for other Remote Access Profiles.
  • IPSEC SA is set to: iphone
  • Default Preshared Key: Set this to something really really long (this will be your secret on the iphone)

On the PPTP/L2TP Tab,

  • L2TP Authentication Protocols: Tick MSCHAPv1 / MSCHAPv2
  • L2TP Encryption: Tick 40 & 128 B

DONE! Now with a little bit of luck your iphone should connect.

A Quick note about comments: All support requested will be deleted, I don't have access to a concentrator to offer any meaningful advise, you use the above config at your own risk.

rgds,

Nick

 
Nick Bettison ©