I previously posted about some luck I had getting IPSEC VPN to work from my iPhone to my IOS router/firewall. That post is now kind of useless because the source blog disappeared about a year ago. So, in order to make this useful again I’m posting my full IOS code (obfuscated for obvious reasons). Change the IP addresses and the group name and password and you should be good to go. This uses the new(ish) method in IOS of zone based firewall. It’s overly complex and really hard to parse for anything remotely complicated but it’s what I’m working with. You’ll notice I used the SDM for most of the config. Yep, I’m lame and I’m not afraid to admit it. All of that zone config typing would have been a pain in the butt! Also, be sure to use a pool that is different from your “inside” subnet. Won’t work otherwise. Also, it should be obvious but this config uses local users so you need to add at least one of those.
Keep in mind this will all change when iPhone OS4 comes out as it’s supposed to support SSL VPN’s. Finally. The IPSEC works perfectly fine for now though. I’ve not tested this on my iPad yet since I haven’t had it out of the house…and it’s not a 3G model. Don’t see why it wouldn’t work though.
And now the code:
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization network sdm_vpn_group_ml_2 local
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
crypto isakmp client configuration group mygroupname
key something_goes_here
dns 192.168.x.x
pool SDM_POOL_2
include-local-lan
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group mygroupname
client authentication list sdm_vpn_xauth_ml_2
isakmp authorization list sdm_vpn_group_ml_2
client configuration address respond
virtual-template 2
crypto ipsec transform-set aes-transform esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set aes-transform
set isakmp-profile sdm-ike-profile-1
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
zone security ezvpn-zone
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination dmz-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn1 source dmz-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
ip local pool SDM_POOL_2 192.168.y.y 192.168.y.z
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
I gave this a shot, but I got some errors saying my destination security zone out-zone and in-zone were not defined.
I think I defined them (still need to apply to interfaces):
zone security in-zone
zone security out-zone
zone security dmz-zone
but then I get error:
Firewall service-policy attachment failed, policy sdm-permit-ip does not exist.
What does your sdm-permit-ip policy look like?
Ignore that Bit just used same template and it worked like a charm, i think you still need to define your nat exemption list though..
Let me know if you need more info..
Hi all,
One thing that I have found to be a big problem is the DNS. It seems that unless you use the split-dns entry on your isakmp config IOS 4+ won’t even attempt to resolve your DNS properly. I haven’t tested this, but I bet it might fix the DNS problems with the built-in IPSec VPN in MacOS.
Also, FYI… never use a ‘.local’ dns suffix if you need IOS support. IOS uses ‘.local’ for bonjour stuff and it just won’t work. There is an apple KB article (TS3389) on this.
Thanks!
crypto isakmp client configuration group BlahBlah
domain mylocaldomain.private
split-dns mylocaldomain.private