Tuesday 7 February 2012



VPNs and iPhones

Interesting one today, worth a post.

Been working on a VPN RAS for iOS devices at work, and it appears I have been struggling with DNS for the iPhone devices, but not for PCs connecting via the same VPN. Why, you ask?

Have a read of my findings, could save you some time!!


SOLUTION: split-dns
 
The iPhone doesn't seem to accept the DNS servers that the VPN endpoint tries to assign to it, so the only way to get this to work when split-tunnel is in play is via the split-dns method.
 
To have this feature we need Cisco IOS 12.4; we are running 12.3.x.
 
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htspldns.html#wp1446542
 
Basically, it looks like if your VPN is NOT configured to use split-tunnel, you're all set and everything works out of the box, BUT all traffic will pass through the VPN. Tested this and yes it works, we are now resolving internal names, but it's not practical.
 
As we are using split-tunnelling (encryption domains), split-dns needs to be configured for each of the domains that must resolve through the tunnel.


Upgraded to 12.4 from 12.3 and there she is! split-dns!!!

ISAKMP group policy config commands:
  access-restrict    Restrict clients in this group to an interface
  acl                Specify split tunneling inclusion access-list number
  backup-gateway     Specify backup gateway
  dns                Specify DNS Addresses
  domain             Set default domain name to send to client
  exit               Exit from ISAKMP client group policy configuration mode
  firewall           Enforce group firewall feature
  group-lock         Enforce group lock feature
  include-local-lan  Enable Local LAN Access with no split tunnel
  key                pre-shared key/IKE password
  max-logins         Set maximum simultaneous logins for users in this group
  max-users          Set maximum number of users for this group
  netmask            netmask used by the client for local connectivity
  no                 Negate a command or set its defaults
  pfs                The client should propose PFS
  pool               Set name of address pool
  save-password      Allows remote client to save XAUTH password
  split-dns          DNS name to append for resolution

Enter the command followed by your company's domain(s):
 split-dns mydomain.com
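For context, here is what the finished group policy looks like once split-dns is in place. This is an added example, not the original post's config: the group name VPNGROUP, pool VPNPOOL, ACL 101, the 10.1.0.0/16 internal range, the 10.1.1.10 / 10.1.1.11 DNS servers and example.com are all placeholder values, and the pre-shared key is deliberately a placeholder. The dns and domain lines are what the PC clients pick up; the split-dns line is the extra piece the iPhone needs when an acl (split-tunnel) is configured, and it only tells the client which names to send down the tunnel, so the dns line still has to point at a resolver reachable inside the encryption domain.

```cisco
! Split-tunnel encryption domain: only internal 10.1.0.0/16 goes through the tunnel
access-list 101 permit ip 10.1.0.0 0.0.255.255 any

! Address pool handed to remote clients (placeholder range)
ip local pool VPNPOOL 10.1.200.1 10.1.200.254

crypto isakmp client configuration group VPNGROUP
 key REPLACE_WITH_PRESHARED_KEY
 ! Internal resolvers; must fall inside the ACL 101 range or the client cannot reach them
 dns 10.1.1.10 10.1.1.11
 ! Default search domain sent to the client (honoured by PCs, not by the iPhone with split-tunnel)
 domain example.com
 pool VPNPOOL
 ! Split-tunnel: traffic matching ACL 101 is encrypted, everything else goes out locally
 acl 101
 ! Split-DNS (12.4(11)T and later): names in this domain resolve via the tunnel DNS servers
 split-dns example.com
```

One line per domain: repeat split-dns for every internal domain that needs to resolve through the tunnel, and keep the resolver addresses inside the split-tunnel ACL, otherwise the query leaves via the local interface and fails exactly as before.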

And magic! It's all working.

P.S.
Looks like this bug has been around since 2008 and Apple still hasn't fixed it!!!

ON ANOTHER NOTE, CCNP STUDIES STARTING BACK UP THIS WEEK!