userdoc:tt_ipsec_vpn_apple_ios [2012/09/14 15:30] abelbeck |
userdoc:tt_ipsec_vpn_apple_ios [2013/02/19 22:52] abelbeck |
====== IPsec VPN for iOS, OS X & Windows ====== | ====== IPsec VPN Configuration ====== |
| |
The popular Apple iOS platform has limited VPN options, one of which is IPsec (Cisco) which uses IPsec + XAuth. \\ | The popular Apple iOS platform has limited VPN options, one of which is IPsec (Cisco) which uses IPsec + XAuth. \\ |
The AstLinux Web Interface is used for configuration, click on **IPsec Configuration**\\ | The AstLinux Web Interface is used for configuration, click on **IPsec Configuration**\\ |
| |
Network tab -> VPN Type: {{:userdoc:ipsec-xauth-ipsecmobile.png?nolink|IPsec Mobile}} | Network tab -> VPN Type:\\ |
| {{:userdoc:ipsec-xauth-ipsecmobile.png?nolink|IPsec Mobile}} |
| |
The following IPsec Mobile Server Configuration (below) must be specified. The only unique option is the //Server Cert DNS Name:// setting. This must be the DNS name of the server, such as ''vpn.mydomain.com'' . Wildcards may be used for iOS devices, such as ''*.mydomain.com'' or ''vpn.*.mydomain.com''. This defines the ''subjectAltName'' object in the CA certificate. | The following IPsec Mobile Server Configuration (below) must be specified. The only unique option is the //Server Cert DNS Name:// setting. This must be the DNS name of the server, such as ''vpn.mydomain.com'' . Wildcards may be used for iOS devices, such as ''*.mydomain.com'' or ''vpn.*.mydomain.com''. This defines the ''subjectAltName'' object in the CA certificate. |
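Review bot: the last sentence of this row is inconsistent with the setting it describes: the option is named //Server Cert DNS Name:// yet the text says it "defines the ''subjectAltName'' object in the CA certificate"; please confirm which certificate actually carries the ''subjectAltName'' and make the sentence match, since the wildcard examples are given as names the iOS client accepts and a reader needs to know which certificate file to inspect when a name mismatch is reported. The space before the period after ''vpn.mydomain.com'' should also be dropped.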
===== Apple OS X Client Configuration ===== | ===== Apple OS X Client Configuration ===== |
| |
After the IPsec server is configured and certificates generated, the final step is to install the CA and Peer certificates on your OS X notebook or desktop computer. | After the IPsec server is configured and certificates generated (above), the final step is to install the CA and Peer certificates on your OS X notebook or desktop computer. |
| |
From the IPsec Mobile Server Configuration tab, download the credentials for the desired peer, mb13 for this example. | From the IPsec Mobile Server Configuration tab, download the credentials for the desired peer, mb13 for this example. |
{{:userdoc:ipsec-xauth-credentials2.jpg?nolink|Credentials}} | {{:userdoc:ipsec-xauth-credentials2.jpg?nolink|Credentials}} |
| |
The Shrew Soft VPN Client (v2.1.7) does not support .p12 packages, so the unencrypted mb13.key, mb13.crt and ca.crt, must be installed somewhere the Shrew Soft VPN Client can find them. Be certain to transport the ".key" file securely. | The Shrew Soft VPN Client (v2.1.7) does not support saving the password for protected ''.p12'' containers, so the unencrypted ''mb13.key'', ''mb13.crt'' and ''ca.crt'', can be installed somewhere the Shrew Soft VPN Client can find them. Be certain to transport the ''mb13.key'' file securely. |
| |
| |
| |
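Review bot: the revised Shrew Soft sentence now says the unencrypted ''mb13.key'', ''mb13.crt'' and ''ca.crt'' "can be installed" rather than "must be installed", which reads as optional, while the Windows section that follows relies on exactly those files being on disk; keep "must" or say plainly that the client needs the three files in a folder it can read. There is also a stray comma before "can be installed". The transport warning carried over from the previous revision is worth keeping and extending to storage, e.g. "Be certain to transport the ''mb13.key'' file securely and to restrict who can read it once installed", because an unencrypted private key on disk is protected only by the folder permissions.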
Shrew Soft VPN Client (v2.1.7) example (Submitted by Tom Mazzotta): | **Shrew Soft VPN Client (v2.1.7) example: (Submitted by Tom Mazzotta)** |
| |
* The Shrew Soft VPN Client does not access certificates installed into the Windows certificate store, so you need to copy your certificate files to a folder where they can be found. The installer creates the folder C:\Documents and Settings\Administrator\My Documents\Shrew Soft VPN\certs, it is suggested to copy the CA cert (ca.crt), unencrypted client cert (mb13.crt), and private key(mb13.key) for the client cert, to that location. Select these files on the "Authentication | Credentials" tab. | The Shrew Soft VPN Client does not access certificates installed into the Windows certificate store, so you need to copy your certificate files to a folder where they can be found. The installer creates the folder: |
| |
* Technically the Shrew Soft VPN Client does support encrypted client certificates, but you need to enter the client p/w every time (a real pain), so it makes more sense to use the unencrypted key with this product. | C:\Documents and Settings\Administrator\My Documents\Shrew Soft VPN\certs |
| |
* To enable split tunneling, add the networks found on the LAN side of your Astlinux box to the list on the "Policy" tab (192.168.102.0/24 in this example). | It is suggested to copy the CA cert (''ca.crt''), client cert (''mb13.crt''), and unencrypted client private key (''mb13.key'') for the client cert, to that location. Select these files using the "Authentication | Credentials" tab. |
| |
| Technically, the Shrew Soft VPN Client supports encrypted client certificate ''.p12'' containers, but you need to enter the container password every time (a real pain), so it makes more sense to use the unencrypted key with this product. |
| |
| To enable split tunneling, add the networks found on the LAN side of your Astlinux box to the list on the "Policy" tab (''192.168.102.0/24'' in this example). |
| |
{{:userdoc:ipsec-xauth-shrew-soft-config1.jpg?nolink|Shrew Soft Configuration}} | {{:userdoc:ipsec-xauth-shrew-soft-config1.jpg?nolink|Shrew Soft Configuration}} |
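Review bot: in the Windows section the folder path C:\Documents and Settings\Administrator\My Documents\Shrew Soft VPN\certs is now on its own line but is the only file-system value in this region not wrapped in ''...'' monospace, unlike ''ca.crt'', ''mb13.crt'' and ''mb13.key''; wrap it the same way for consistency. Moving the word "unencrypted" from the client cert to the private key ("client cert (''mb13.crt''), and unencrypted client private key (''mb13.key'')") is the right correction, and the later paragraph should say the same thing: "encrypted client certificate ''.p12'' containers" would be clearer as "password-protected ''.p12'' containers holding the client certificate and key", since it is the key, not the certificate, that the password protects. Also "Astlinux" in the split-tunneling paragraph differs from "AstLinux" used earlier on the page.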