- cOS Core version 11.x or later
- iOS 10.x and later
iPhone iOS - Setting up L2TP tunnel
iPhone iOS - Setting up IPsec tunnel using PSK
The iPhone supports these VPN types, among a few others (source: http://support.apple.com/kb/HT1288):
• L2TP/IPsec with PSK
• IPsec with PSK
Note: Apple stopped supporting PPTP tunnels from iOS version 10.
L2TP/IPsec with PSK
Set up L2TP/IPsec as usual on the Clavister (see the How To here: viewtopic.php?f=8&t=4491).
On the iPhone, open Settings > General > VPN > Add VPN configuration
Click L2TP and fill in the fields matching your Clavister's setup.
Click Save.
Select your L2TP VPN and slide the VPN selector to connect.
Enter your password.
If everything is set up correctly, you should see the VPN icon at the top left of your screen.
IPsec with PSK
The Clavister IPsec tunnel is compatible with the Cisco IPsec VPN client built into the iPhone (iOS).
To set up this scenario, follow these steps:
Objects - Address book
Add these objects:
VPN_ip 192.168.99.1
VPN_pool 192.168.99.10-192.168.99.250
Objects - IKE/IPsec Algorithms
For the IKE algorithm select AES and SHA256; for the IPsec algorithm select AES and SHA1.
Objects – Authentication Objects
Add a Pre-shared Key, type: Passphrase (ASCII)
Objects – VPN Objects – IKE Config Mode Pool
Add a Config Mode Pool:
Select “Use a Static IP Pool”, select the VPN_pool object
Netmask: 255.255.255.0
DNS: Select/enter a DNS server
User Authentication – Local User Databases
Create a Local User Database, "LocalUsers"
Populate it with users
Network – IPsec
Add an IPsec tunnel:
General Tab
Name = iPhone_VPN
Local network = all-nets
Remote Network = all-nets
Local Endpoint = VPN_ip
Source Interface = any
Remote Endpoint = none
Outgoing Routing Table = <main>
Encapsulation mode = Tunnel
IKE Config Mode Pool = Select your Static IP Pool
IKE Algorithms = Select your previously created IKE Algorithm
IKE Lifetime = 28800 s (any value higher than 3900 s works)
IPsec Algorithm = Select your previously created IPsec Algorithm
IPsec Lifetime = 3600 s
IPsec Lifetime = 0 kB
Authentication tab
Select your Pre-shared Key
XAuth tab
Select: Require IKE XAuth user authentication for inbound IPsec tunnels
IKE Settings tab
IKE Main mode (default)
IKE DH Group: add group 14 (2048)
PFS: None. Groups 01 (768-bit), 02 (1024-bit) and 05 (1536-bit) are selected by default.
Security Association: Select “Per Net (Set as default)”
Advanced tab
Enable "Add route dynamically" and disable "Add route statically".
Specify address manually = Select your VPN_ip
Place this tunnel last in your list of IPsec tunnels; watch out for collisions with other roaming tunnels that use a PSK.
Be aware that you cannot combine this with a PSK tunnel for L2TP/IPsec without modifications.
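Why the tunnel has to go last: with IKEv1 main mode the responder must pick the pre-shared key before the peer has sent its identity, so the tunnel can only be selected by the peer's source address. A roaming tunnel (Remote Endpoint = none) accepts any peer address, so it shadows every PSK tunnel listed after it on the same local endpoint. The check below, an added example that is not Clavister's code, models a cOS Core tunnel list and reports shadowed tunnels and a safe ordering. The tunnel records, object names and addresses are constructed for the example.

```python
"""Ordering check for roaming PSK IPsec tunnels (added example, not cOS Core code).

Model: tunnels are tried top to bottom; a roaming PSK tunnel matches any peer
address, so any PSK tunnel after it on the same local endpoint can never be
selected. Tunnel records below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tunnel:
    name: str
    local_endpoint: str             # address book object, e.g. "VPN_ip"
    remote_endpoint: Optional[str]  # None = roaming (Remote Endpoint = none)
    auth: str                       # "PSK" or "Cert"
    psk: Optional[str] = None       # name of the Pre-shared Key object


def is_roaming_psk(t: Tunnel) -> bool:
    return t.remote_endpoint is None and t.auth == "PSK"


def shadowed_tunnels(tunnels: List[Tunnel]) -> List[Tuple[str, str]]:
    """Return (shadowed, shadowed_by) pairs: PSK tunnels listed after a roaming
    PSK tunnel on the same local endpoint, which therefore never get selected."""
    first_roaming: Dict[str, Tunnel] = {}  # local endpoint -> first roaming PSK tunnel
    result = []
    for t in tunnels:
        blocker = first_roaming.get(t.local_endpoint)
        if blocker is not None and t.auth == "PSK":
            result.append((t.name, blocker.name))
        elif blocker is None and is_roaming_psk(t):
            first_roaming[t.local_endpoint] = t
    return result


def recommended_order(tunnels: List[Tunnel]) -> List[str]:
    """Keep static tunnels first (original order) and move roaming PSK tunnels
    to the end. Two roaming PSK tunnels on one local endpoint still collide;
    shadowed_tunnels() keeps reporting that case."""
    static = [t for t in tunnels if not is_roaming_psk(t)]
    roaming = [t for t in tunnels if is_roaming_psk(t)]
    return [t.name for t in static + roaming]


# Constructed tunnel list: the iPhone tunnel was added first, a branch office
# tunnel with a fixed peer address sits after it on the same local endpoint.
EXAMPLE_TUNNELS = [
    Tunnel("iPhone_VPN", "VPN_ip", None, "PSK", "iphone_psk"),
    Tunnel("Branch_Office", "VPN_ip", "203.0.113.7", "PSK", "branch_psk"),
    Tunnel("Cert_Roaming", "VPN_ip", None, "Cert"),
]

if __name__ == "__main__":
    for shadowed, by in shadowed_tunnels(EXAMPLE_TUNNELS):
        print(f"{shadowed} is shadowed by roaming PSK tunnel {by}")
    print("Recommended order:", recommended_order(EXAMPLE_TUNNELS))
```

Running the module prints that Branch_Office is shadowed by iPhone_VPN and recommends the order Branch_Office, Cert_Roaming, iPhone_VPN; the same check passes once the tunnels are reordered that way.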
User Authentication – User Authentication Rules
Add a User Authentication Rule:
General tab
Name: XAuth_VPN
Authentication Agent: XAuth
Authentication Source: Local
Originator IP: all-nets
Authentication Options tab
Local User DB: LocalUsers
Rules – IP Rule Sets – Main
Add IP Rules for the client traffic.
Common rules are Allow rules to reach internal resources and NAT rules to reach Internet resources via the tunnel. They might look like this (Action, Source Interface, Source Network, Destination Interface, Destination Network, Service):
NAT    iPhone_VPN  all-nets  wan  all-nets   all_tcpudpicmp
Allow  iPhone_VPN  all-nets  dmz  server_ip  http
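The rule set is evaluated top to bottom, the first matching rule decides, and traffic that matches no rule is dropped. The following added example (not cOS Core code) models those semantics over the two rules above, so you can see which client traffic is allowed, NATed, or silently dropped. The address book entries, the DMZ server address and the service definitions are constructed for the example.

```python
"""First-match evaluation of the iPhone VPN IP rules (added example, not cOS Core code).

Rules are (action, src_if, src_net, dst_if, dst_net, service) in the same column
order as the rule set listing above. Address book and service objects below are
constructed for this example; server_ip is an assumed DMZ host.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed address book: object name -> network
ADDRESS_BOOK = {
    "all-nets": ipaddress.ip_network("0.0.0.0/0"),
    "server_ip": ipaddress.ip_network("10.20.30.40/32"),  # assumed DMZ server
}

# Constructed service objects: name -> set of (protocol, port); port None = any port
SERVICES = {
    "http": {("tcp", 80)},
    "all_tcpudpicmp": {("tcp", None), ("udp", None), ("icmp", None)},
}

Rule = Tuple[str, str, str, str, str, str]

# The two rules from the page, in order
RULES: List[Rule] = [
    ("NAT",   "iPhone_VPN", "all-nets", "wan", "all-nets",  "all_tcpudpicmp"),
    ("Allow", "iPhone_VPN", "all-nets", "dmz", "server_ip", "http"),
]


def _net_match(obj: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ADDRESS_BOOK[obj]


def _service_match(svc: str, proto: str, port: Optional[int]) -> bool:
    return any(p == proto and (pt is None or pt == port) for p, pt in SERVICES[svc])


def evaluate(rules: List[Rule], src_if: str, src_ip: str, dst_if: str,
             dst_ip: str, proto: str, port: Optional[int] = None) -> str:
    """Return the action of the first matching rule; 'Drop' if nothing matches."""
    for action, r_src_if, r_src_net, r_dst_if, r_dst_net, svc in rules:
        if (r_src_if == src_if and r_dst_if == dst_if
                and _net_match(r_src_net, src_ip) and _net_match(r_dst_net, dst_ip)
                and _service_match(svc, proto, port)):
            return action
    return "Drop"


if __name__ == "__main__":
    client = "192.168.99.10"  # an address from VPN_pool
    print(evaluate(RULES, "iPhone_VPN", client, "dmz", "10.20.30.40", "tcp", 80))   # Allow
    print(evaluate(RULES, "iPhone_VPN", client, "wan", "93.184.216.34", "tcp", 443))  # NAT
    print(evaluate(RULES, "iPhone_VPN", client, "dmz", "10.20.30.40", "tcp", 22))   # Drop
```

The third call shows the point of the default-deny: the client can reach the DMZ server only on http, and any service you have not listed (here ssh) is dropped without a rule saying so.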
On your iPhone
Add a "VPN configuration" in the Settings - VPN menu
Set the type to IPsec.
Fill in a description, Server IP, user name, password and secret (the Pre-shared Key created above). Verify that the connection works.