Comments on: iPhone VPN and Cisco IOS, Part2 http://www.thecruftofmybrain.com/2010/05/05/iphone-vpn-and-cisco-ios-part2/ Purging my mental dust bunnies Wed, 25 Jan 2012 13:59:50 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Peter B http://www.thecruftofmybrain.com/2010/05/05/iphone-vpn-and-cisco-ios-part2/comment-page-1/#comment-37676 Peter B Wed, 25 Jan 2012 13:59:50 +0000 http://www.thecruftofmybrain.com/?p=495#comment-37676 Hi all, One thing that I have found to be a big problem is the DNS. It seems that unless you use the split-dns entry on your isakmp config IOS 4+ won't even attempt to resolve your DNS properly. I haven't tested this, but I bet it might fix the DNS problems with the built-in IPSec VPN in MacOS. Also, FYI... never use a '.local' dns suffix if you need IOS support. IOS uses '.local' for bonjour stuff and it just won't work. There is an apple KB article (TS3389) on this. Thanks! crypto isakmp client configuration group BlahBlah domain mylocaldomain.private split-dns mylocaldomain.private Hi all,
One thing that I have found to be a big problem is the DNS. It seems that unless you use the split-dns entry on your isakmp config IOS 4+ won’t even attempt to resolve your DNS properly. I haven’t tested this, but I bet it might fix the DNS problems with the built-in IPSec VPN in MacOS.

Also, FYI… never use a ‘.local’ dns suffix if you need IOS support. IOS uses ‘.local’ for bonjour stuff and it just won’t work. There is an apple KB article (TS3389) on this.
Thanks!

crypto isakmp client configuration group BlahBlah
domain mylocaldomain.private
split-dns mylocaldomain.private

]]> By: Solomon http://www.thecruftofmybrain.com/2010/05/05/iphone-vpn-and-cisco-ios-part2/comment-page-1/#comment-21215 Solomon Tue, 19 Oct 2010 05:45:50 +0000 http://www.thecruftofmybrain.com/?p=495#comment-21215 Ignore that Bit just used same template and it worked like a charm, i think you still need to define your nat exemption list though.. Let me know if you need more info.. Ignore that Bit just used same template and it worked like a charm, i think you still need to define your nat exemption list though..
Let me know if you need more info..

]]> By: Dan http://www.thecruftofmybrain.com/2010/05/05/iphone-vpn-and-cisco-ios-part2/comment-page-1/#comment-17490 Dan Thu, 27 May 2010 04:49:22 +0000 http://www.thecruftofmybrain.com/?p=495#comment-17490 I gave this a shot, but I got some errors saying my destination security zone out-zone and in-zone were not defined. I think I defined them (still need to apply to interfaces): zone security in-zone zone security out-zone zone security dmz-zone but then I get error: Firewall service-policy attachment failed, policy sdm-permit-ip does not exist. What does your sdm-permit-ip policy look like? I gave this a shot, but I got some errors saying my destination security zone out-zone and in-zone were not defined.

I think I defined them (still need to apply to interfaces):
zone security in-zone
zone security out-zone
zone security dmz-zone

but then I get error:
Firewall service-policy attachment failed, policy sdm-permit-ip does not exist.

What does your sdm-permit-ip policy look like?

]]>