iPhone VPN and Cisco IOS, Part2

scott — Wed, 05 May 2010 15:58:52 +0000

I previously posted about some luck I had getting IPSEC VPN to work from my iPhone to my IOS router/firewall. That post is now kind of useless because the source blog disappeared about a year ago. So, in order to make this useful again I’m posting my full IOS code (obfuscated for obvious reasons). Change the IP addresses and the group name and password and you should be good to go. This uses the new(ish) method in IOS of zone based firewall. It’s overly complex and really hard to parse for anything remotely complicated but it’s what I’m working with. You’ll notice I used the SDM for most of the config. Yep, I’m lame and I’m not afraid to admit it. All of that zone config typing would have been a pain in the butt! Also, be sure to use a pool that is different from your “inside” subnet. Won’t work otherwise. Also, it should be obvious but this config uses local users so you need to add at least one of those.

Keep in mind this will all change when iPhone OS4 comes out as it’s supposed to support SSL VPN’s. Finally. The IPSEC works perfectly fine for now though. I’ve not tested this on my iPad yet since I haven’t had it out of the house…and it’s not a 3G model. Don’t see why it wouldn’t work though.

And now the code:

aaa authentication login sdm_vpn_xauth_ml_2 local aaa authorization network sdm_vpn_group_ml_2 local


crypto isakmp policy 2

 encr aes 256

 authentication pre-share

 group 2
crypto isakmp client configuration group mygroupname

 key something_goes_here

 dns 192.168.x.x

 pool SDM_POOL_2

 include-local-lan

 netmask 255.255.255.0

crypto isakmp profile sdm-ike-profile-1

   match identity group mygroupname

   client authentication list sdm_vpn_xauth_ml_2

   isakmp authorization list sdm_vpn_group_ml_2

   client configuration address respond

   virtual-template 2
crypto ipsec transform-set aes-transform esp-aes 256 esp-sha-hmac

!

crypto ipsec profile SDM_Profile1

 set transform-set aes-transform

 set isakmp-profile sdm-ike-profile-1
class-map type inspect match-any SDM_AH

 match access-group name SDM_AH

class-map type inspect match-any SDM_ESP

 match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

 match protocol isakmp

 match protocol ipsec-msft

 match class-map SDM_AH

 match class-map SDM_ESP

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
policy-map type inspect sdm-permit

 class type inspect SDM_EASY_VPN_SERVER_PT

  pass

 class class-default
zone security ezvpn-zone
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

 service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

 service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone

 service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination dmz-zone

 service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone

 service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-in-ezvpn1 source dmz-zone destination ezvpn-zone

 service-policy type inspect sdm-permit-ip
interface Virtual-Template2 type tunnel

 ip unnumbered FastEthernet0

 zone-member security ezvpn-zone

 tunnel mode ipsec ipv4

 tunnel protection ipsec profile SDM_Profile1
ip local pool SDM_POOL_2 192.168.y.y 192.168.y.z

ip access-list extended SDM_AH remark SDM_ACL Category=1 permit ahp any any ip access-list extended SDM_ESP remark SDM_ACL Category=1 permit esp any any

The Cruft Of My Brain » iphone ipad vpn cisco ios

iPhone VPN and Cisco IOS, Part2