About the Author


Joe Harris, CCIE No. 6200 (R&S, Security & SP) is a Systems Engineer with Cisco Systems® specializing in Security. In addition to authoring Cisco Network Security Little Black Book, Joe has also been a technical reviewer for several Cisco Press publications and written articles, white papers, and presentations on various security technologies. He also assists various Certification Partners by beta testing their newest CCIE certification workbooks and has been recognized by Cisco as an SE Wall of Fame award winner.


iPhone to ISR

So I was reading over the iPhone VPN to ASA Connectivity Document on CCO and noticed that the last line of the document states the following:

Neither Cisco IOS VPN routers nor the VPN 3000 Series Concentrators support the iPhone VPN capabilities.

Well, that got me thinking... I wonder if it could be done? Connect an iPhone to an ISR router, that is. So I configured it on one of my routers and used a friend's iPhone to connect to the ISR and, lo and behold, it works. I did some asking around, and prior to implementing this you may want to read the following note.

***NOTE - Please note that this is in NO WAY supported by Cisco and is only provided here for informational purposes. If you use this in a production environment you will not receive Technical Assistance/Support from Cisco in any form.***

If you wanna see the config: Click Here

There Are 8 Responses So Far.

  1.

    I’ve tested it on the VPN 3005 Concentrator and it works as well.

  2.

    Joe,
    One of my customers is running iPhones on Cisco IOS in production. I was not aware this is not TAC supported. Thanks for the heads up. Seems odd that TAC would not support this. After all, the VPN client on iPhone is not much different than the standard Cisco VPN client for a PC/Laptop.

    Brad

  3.

    I can confirm that it works with a VPN 3060 Concentrator as well.

  4.

    I can confirm it works with ASA 8.0(3)…

  5.

    dope! That’s what the CCO doc was about - my bad…

  6.

    Modified configuration that works on a 2811 running 12.4(20)T using the Virtual-Template Interface and a split-tunnel. Fa0/0 is the nat outside interface. I had trouble getting reverse-route injection to work but this method is working perfectly.

    See Apple's Enterprise Deployment Guide for more detailed information on iPhone supported features.

    Minimal configuration:

    aaa new-model
    !
    aaa authentication login iphone_vpn_xauth local
    aaa authorization network iphone_vpn_xauth local
    !
    username iPhone secret 5 ****
    !
    crypto isakmp policy 2
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group iPhone
     key *********
     dns 172.16.100.1
     pool POOL_VPN
     acl ACL_iPhoneVPN
    crypto isakmp profile iPhone-isakmp-profile
     match identity group iPhone
     client authentication list iphone_vpn_xauth
     isakmp authorization list iphone_vpn_xauth
     client configuration address respond
     virtual-template 1
    !
    crypto ipsec transform-set iphone-transform esp-3des esp-sha-hmac
    !
    crypto ipsec profile iPhone-vti1
     set transform-set iphone-transform
    !
    interface Virtual-Template1 type tunnel
     ip unnumbered FastEthernet0/0
     ip nat inside
     ip virtual-reassembly
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile iPhone-vti1
    !
    ip local pool POOL_VPN 172.16.100.90 172.16.100.99
    !
    ip access-list extended ACL_iPhoneVPN
     permit ip 172.16.96.0 0.0.15.255 any

    Enjoy!
    Mark
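As an added example (not from the post or from Mark's comment), a small Python audit of a config like the one above: it groups IOS commands into blocks by indentation, fills in the ISAKMP policy defaults IOS applies when a parameter is omitted (no `hash` line means SHA-1), flags the effective algorithms against an assumed review baseline, and checks that the VPN pool sits inside the split-tunnel network. The sample config and the LEGACY baseline are constructed assumptions, not Cisco's.

```python
import ipaddress
# Constructed sample: the crypto-relevant lines of the config above, with IOS's one-space sub-command indentation.
SAMPLE_CONFIG = """\
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec transform-set iphone-transform esp-3des esp-sha-hmac
!
ip local pool POOL_VPN 172.16.100.90 172.16.100.99
!
ip access-list extended ACL_iPhoneVPN
 permit ip 172.16.96.0 0.0.15.255 any
"""
LEGACY = {"des", "3des", "md5", "sha", "group 1", "group 2",  # assumed review baseline, not a Cisco list
          "esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}

def parse_blocks(text):
    """Group an IOS config into (top-level command, [sub-commands]); '!' lines separate blocks."""
    blocks = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("!"):
            if line.startswith(" ") and blocks:
                blocks[-1][1].append(line.strip())
            else:
                blocks.append((line.strip(), []))
    return blocks

def audit(text):
    """Report the effective IKE/IPsec algorithms, legacy hits, and where the pool sits in the split tunnel."""
    policy = {"encr": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}  # IOS defaults
    transform, pools, nets = [], {}, []
    for head, subs in parse_blocks(text):
        w = head.split()
        if w[:3] == ["crypto", "isakmp", "policy"]:
            policy.update(s.split(None, 1) for s in subs if s.split()[0] in policy)
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            transform = w[4:]
        elif w[:3] == ["ip", "local", "pool"]:
            pools[w[3]] = (ipaddress.ip_address(w[4]), ipaddress.ip_address(w[5]))
        elif w[:3] == ["ip", "access-list", "extended"]:
            for p in (s.split() for s in subs if s.startswith("permit ip ")):
                # 'permit ip <addr> <wildcard> any' names a tunnelled network (contiguous wildcards only)
                if p[2][0].isdigit():
                    nets.append(ipaddress.ip_network((p[2], 32 - int(ipaddress.ip_address(p[3])).bit_length()), strict=False))
    used = [policy["encr"], policy["hash"], "group " + policy["group"], *transform]
    lo, hi = next(iter(pools.values()))  # the sample defines a single pool
    return {"policy": policy, "transform_set": transform, "legacy": sorted(a for a in used if a in LEGACY),
            "psk_auth": policy["authentication"] == "pre-share", "split_tunnel": [str(n) for n in nets],
            "pool_inside_split_tunnel": any(lo in n and hi in n for n in nets)}
```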

  7.

    Hi,

    I'm sorry, but I have a question related to iPhone VPN connection to ASA 5540. I need to apply Client Type and Client Version for the iPhone group policy, because I do not need any other clients (but iPhones) get connected to this group in ASA. How can I do that? I tried Client Type:iPhone and Client Ver:*:*, but it did not allow the connection from the iPhone 2.1. Please advise how the restrictions are supposed to be set.

    Thanks,
    Oleg

  8.

    Oleg, you will need to create a client-access-rule from within the group-policy you have setup as follows:

    ASA(config)# group-policy iPhone attributes
    ASA(config-group-policy)# client-access-rule 10 permit type iPhone* version OS:2.0

    You could also just use the * as a wildcard for version if you so choose. An example is located here:

    http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c4.html#wp2118499
