I previously posted about some luck I had getting IPSEC VPN to work from my iPhone to my IOS router/firewall. That post is now kind of useless because the source blog disappeared about a year ago. So, in order to make this useful again I’m posting my full IOS code (obfuscated for obvious reasons). Change the IP addresses and the group name and password and you should be good to go. This uses the new(ish) method in IOS of zone based firewall. It’s overly complex and really hard to parse for anything remotely complicated but it’s what I’m working with. You’ll notice I used the SDM for most of the config. Yep, I’m lame and I’m not afraid to admit it. All of that zone config typing would have been a pain in the butt! Also, be sure to use a pool that is different from your “inside” subnet. Won’t work otherwise. Also, it should be obvious but this config uses local users so you need to add at least one of those.

Keep in mind this will all change when iPhone OS4 comes out as it’s supposed to support SSL VPN’s. Finally. The IPSEC works perfectly fine for now though. I’ve not tested this on my iPad yet since I haven’t had it out of the house…and it’s not a 3G model. Don’t see why it wouldn’t work though.

And now the code:

aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization network sdm_vpn_group_ml_2 local

crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2

crypto isakmp client configuration group mygroupname
key something_goes_here
dns 192.168.x.x
pool SDM_POOL_2
include-local-lan
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group mygroupname
client authentication list sdm_vpn_xauth_ml_2
isakmp authorization list sdm_vpn_group_ml_2
client configuration address respond
virtual-template 2

crypto ipsec transform-set aes-transform esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set aes-transform
set isakmp-profile sdm-ike-profile-1

class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC

policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default

zone security ezvpn-zone

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination dmz-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn1 source dmz-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip

interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1

ip local pool SDM_POOL_2 192.168.y.y 192.168.y.z

ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any