Setting up iPhone VPN (L2TP, IPsec) (11.x)

Tomas
Posts: 34
Joined: 15 Sep 2008, 15:57
Location: Clavister HQ - Örnsköldsvik

Post by Tomas » 29 Nov 2010, 13:51

This How-to applies to:
• cOS Core version 11.x or later
• iOS 10.x and later

Topics covered in this document:
• iPhone iOS - Setting up L2TP tunnel
• iPhone iOS - Setting up IPsec tunnel using PSK

The iPhone supports these types of VPN and a few others (Source: http://support.apple.com/kb/HT1288):
• L2TP/IPsec with PSK
• IPsec with PSK
Note: Apple stopped supporting PPTP tunnels from iOS version 10.

L2TP/IPsec with PSK
Set up L2TP/IPsec as usual on the Clavister (see the How To here: viewtopic.php?f=8&t=4491).

On the iPhone, open Settings > General > VPN > Add VPN configuration

Click L2TP and fill in the fields matching your Clavister's setup.
Click Save.
Select your L2TP VPN and slide the VPN selector to connect.
Enter your password.
If everything is set up correctly, you should get the VPN icon on the top left of your screen.
IPsec with PSK
IPsec is compatible with the Cisco VPN client in the iPhone (iOS).

To set up this scenario, please follow these steps:

Objects - Address book
Add these objects:
VPN_ip 192.168.99.1
VPN_pool 192.168.99.10-192.168.99.250

Objects - IKE/IPsec Algorithms
For the IKE algorithm, select AES and SHA256; for the IPsec algorithm, select SHA1 and AES.

Objects – Authentication Objects
Add a Pre-shared Key, type: Passphrase (ASCII)

Objects – VPN Objects – IKE Config Mode Pool
Add a Config Mode Pool:
Select “Use a Static IP Pool”, select the VPN_pool object
Netmask: 255.255.255.0
DNS: Select/enter a DNS server


User Authentication – Local User Databases
Create a Local User Database, “LocalUsers”
Populate it with users


Network – IPsec
Add an IPsec tunnel:

General Tab
Name = iPhone_VPN
Local network = all-nets
Remote Network = all-nets
Local Endpoint = VPN_ip
Source Interface = any
Remote Endpoint = none
Outgoing Routing Table = <main>
Encapsulation mode = Tunnel
IKE Config Mode Pool = Select your Static IP Pool
IKE Algorithms = Select your previously created IKE Algorithm
IKE Lifetime = 28800 s (any value higher than 3900)
IPsec Algorithm = Select your previously created IPsec Algorithm
IPsec Lifetime = 3600 s
IPsec Lifetime = 0 kB

Authentication tab
Select your Pre-shared Key

XAuth tab
Select: Require IKE XAuth user authentication for inbound IPsec tunnels

IKE Settings tab
IKE Main mode (default)
IKE DH Group: add group 14 (2048)
PFS None, 01(768-bit), 02(1024) and 05(1536) (all these are set as default)
Security Association: Select “Per Net (Set as default)”

Advanced tab
Enable “Add route dynamically” and disable “Add route statically”.
Specify address manually = Select your VPN_ip
Place this tunnel last in your list of IPsec tunnels (watch out for collisions with other roaming tunnels using PSK!).
Be aware that you can’t combine this with a PSK tunnel for L2TP/IPsec, without modifications.

User Authentication – User Authentication Rules
Add a User Authentication Rule:

General tab
Name: XAuth_VPN
Authentication Agent: XAuth
Authentication Source: Local
Originator IP: all-nets

Authentication Options tab
Local User DB: LocalUsers

Rules – IP Rule Sets – Main
Add IP Rules for the client traffic.
Common rules are Allow rules to reach internal resources and NAT rules to reach Internet resources via the tunnel. They might look like this:

NAT iPhone_VPN all-nets wan all-nets all_tcpudpicmp
Allow iPhone_VPN all-nets dmz server_ip http

On your iPhone
Add a "VPN configuration" in the Settings - VPN menu
Set the type to IPsec.
Fill in a description, Server IP, user name, password and secret (the Pre-shared Key created above).
Verify that the connection works.
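
An added example, not part of the original post or Clavister's own tooling: a small Python check of the address plan and IKE lifetime used in the IPsec steps above, to run before entering the values in the gateway. The function name and the checks are this example's assumptions (that VPN_ip must not be leased from VPN_pool and that the pool should fit inside the Config Mode netmask); only the 3900 s rule comes from the post.

```python
import ipaddress

def check_vpn_plan(vpn_ip, vpn_pool, netmask, ike_lifetime_s):
    """Return (problems, pool_size) for an IKE Config Mode address plan.

    Hypothetical helper: parameter names mirror the objects in the post.
    """
    problems = []
    gateway = ipaddress.IPv4Address(vpn_ip)
    first_s, sep, last_s = vpn_pool.partition("-")
    if not sep:
        raise ValueError("pool must be written as first-last")
    first = ipaddress.IPv4Address(first_s.strip())
    last = ipaddress.IPv4Address(last_s.strip())
    if first > last:
        return ["pool start is above pool end"], 0
    # Network the clients are told they are on: pool start + pushed netmask.
    net = ipaddress.IPv4Network(f"{first}/{netmask}", strict=False)
    if last not in net:
        problems.append(f"pool end {last} is outside {net}")
    # Assumption: the gateway's own tunnel address must never be leased out.
    if first <= gateway <= last:
        problems.append(f"{gateway} (VPN_ip) lies inside the pool")
    # Network and broadcast addresses are unusable as client addresses.
    for special in (net.network_address, net.broadcast_address):
        if first <= special <= last:
            problems.append(f"pool contains reserved address {special}")
    # From the post: the IKE lifetime must be higher than 3900 seconds.
    if ike_lifetime_s <= 3900:
        problems.append(f"IKE lifetime {ike_lifetime_s} s is not above 3900 s")
    return problems, int(last) - int(first) + 1

if __name__ == "__main__":
    # Values taken from the post.
    print(check_vpn_plan("192.168.99.1", "192.168.99.10-192.168.99.250",
                         "255.255.255.0", 28800))
    # Constructed bad plan: pool spills past the /24 and includes VPN_ip.
    print(check_vpn_plan("192.168.99.10", "192.168.99.10-192.168.100.5",
                         "255.255.255.0", 3600))
```

The pool size it returns is the number of clients that can hold an address at the same time.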


Re: Setting up iPhone VPN (PPTP, L2TP, IPsec)

Post by Tomas » 22 May 2012, 12:15

Updated: A detailed description for iPhone VPN has been added

mape
Posts: 41
Joined: 24 Oct 2016, 08:23

Re: Setting up iPhone VPN (L2TP, IPsec) (11.x)

Post by mape » 27 Oct 2016, 16:27

Updated 2016-10-25
Now updated to work with newer versions of cOS Core and iOS.
