Config example for ipsec vpn with iPad native vpn client

The iPad native vpn client supports ikev2. I have searched many documents in the internet and most of them are example for site-to-site, very few useful documentation about remote access vpn with ipsec using ikev2 perhaps for remote access ssl vpn is more convenient and popular.

So here’s the sample config. The config use certificate to authenticate the phase 1 and 2 tunnels, eap is not used in this configuration, also over in iPad local id is left blank hence in ASA need to disable peer-id check.

If during connection ASA syslog says something like EAP message is null then you need to turn on the debug to find out what’s wrong. iPad native vpn client does support EAP, and EAP is the default.

In the iPad native vpn client, the remote id is the fqdn of the ASA vpn server you want to connect to. The fqdn is based on the certificate that is enable in the ASA vpn server.

Need to use the default tunnel group provided by Cisco, because the native vpn client does not send group information.

In this example configuration there are site to site vpn within the crypto map, this is to give you an insight on which remote access sequence number you should use for ipsec remote access. The site to site and remote access can both co-exist in the crypto map.

A few debug commands that are useful:
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
debug crypto connection peer 1.1.1.1
where 1.1.1.1 is your peer’s ip address.

ip local pool private_pool 192.168.249.1-192.168.249.254 mask 255.255.255.0

group-policy IPSEC internal
group-policy IPSEC attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ikev2
 ip-comp enable
 pfs enable
 split-tunnel-policy tunnelall
 default-domain value xyz.local
 split-tunnel-all-dns enable
 gateway-fqdn value test.xyz.local
 address-pools value private_pool


tunnel-group DefaultRAGroup general-attributes
 address-pool private_pool
 default-group-policy IPSEC
tunnel-group DefaultRAGroup ipsec-attributes
 peer-id-validate nocheck
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ASDM_TrustPoint1
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-512 sha-256 sha-1

crypto ikev2 policy 1
 encryption aes-256 aes-192 aes
 integrity sha512 sha256 sha
 group 14 5
 prf sha512 sha256 sha
 lifetime seconds 86400

crypto dynamic-map IPSEC_VPN 1 set pfs group14
crypto dynamic-map IPSEC_VPN 1 set ikev2 ipsec-proposal AES256
crypto dynamic-map IPSEC_VPN 1 set reverse-route

crypto map outside_map 5 match address XYZ_VPN1
crypto map outside_map 5 set pfs group14
crypto map outside_map 5 set peer 123.123.123.123
crypto map outside_map 5 set ikev2 ipsec-proposal IKEV2-AES
crypto map outside_map 5 set nat-t-disable
crypto map outside_map 5 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic IPSEC_VPN
crypto map outside_map interface outside


crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
Advertisements
This entry was posted in Firewall, Security, VPN and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s