userdoc:tt_ipsec_vpn_apple_ios

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
userdoc:tt_ipsec_vpn_apple_ios [2012/09/14 20:42] abelbeckuserdoc:tt_ipsec_vpn_apple_ios [2013/02/20 04:52] (current) abelbeck
Line 1: Line 1:
-====== IPsec VPN for iOS, OS X & Windows ======+====== IPsec VPN Configuration ======
  
 The popular Apple iOS platform has limited VPN options, one of which is IPsec (Cisco) which uses IPsec + XAuth. \\ The popular Apple iOS platform has limited VPN options, one of which is IPsec (Cisco) which uses IPsec + XAuth. \\
Line 16: Line 16:
 The AstLinux Web Interface is used for configuration, click on **IPsec Configuration**\\ The AstLinux Web Interface is used for configuration, click on **IPsec Configuration**\\
  
-Network tab -> VPN Type: {{:userdoc:ipsec-xauth-ipsecmobile.png?nolink|IPsec Mobile}}+Network tab -> VPN Type:\\ 
 +{{:userdoc:ipsec-xauth-ipsecmobile.png?nolink|IPsec Mobile}}
  
 The following IPsec Mobile Server Configuration (below) must be specified.  The only unique option is the //Server Cert DNS Name:// setting.  This must be the DNS name of the server, such as ''vpn.mydomain.com'' .  Wildcards may be used for iOS devices, such as ''*.mydomain.com'' or ''vpn.*.mydomain.com'' This defines the ''subjectAltName'' object in the CA certificate. The following IPsec Mobile Server Configuration (below) must be specified.  The only unique option is the //Server Cert DNS Name:// setting.  This must be the DNS name of the server, such as ''vpn.mydomain.com'' .  Wildcards may be used for iOS devices, such as ''*.mydomain.com'' or ''vpn.*.mydomain.com'' This defines the ''subjectAltName'' object in the CA certificate.
Line 96: Line 97:
 ===== Apple OS X Client Configuration ===== ===== Apple OS X Client Configuration =====
  
-After the IPsec server is configured and certificates generated, the final step is to install the CA and Peer certificates on your OS X notebook or desktop computer.+After the IPsec server is configured and certificates generated (above), the final step is to install the CA and Peer certificates on your OS X notebook or desktop computer.
  
 From the IPsec Mobile Server Configuration tab, download the credentials for the desired peer, mb13 for this example. From the IPsec Mobile Server Configuration tab, download the credentials for the desired peer, mb13 for this example.
Line 166: Line 167:
 {{:userdoc:ipsec-xauth-credentials2.jpg?nolink|Credentials}} {{:userdoc:ipsec-xauth-credentials2.jpg?nolink|Credentials}}
  
-The Shrew Soft VPN Client (v2.1.7) does not support password protected ''.p12'' packages, so the unencrypted ''mb13.key'', ''mb13.crt'' and ''ca.crt'', must be installed somewhere the Shrew Soft VPN Client can find them.  Be certain to transport the ''mb13.key'' file securely.+The Shrew Soft VPN Client (v2.1.7) does not support saving the password for protected ''.p12'' containers, so the unencrypted ''mb13.key'', ''mb13.crt'' and ''ca.crt'', can be installed somewhere the Shrew Soft VPN Client can find them.  Be certain to transport the ''mb13.key'' file securely.
  
  
Line 172: Line 173:
 **Shrew Soft VPN Client (v2.1.7) example: (Submitted by Tom Mazzotta)** **Shrew Soft VPN Client (v2.1.7) example: (Submitted by Tom Mazzotta)**
  
-The Shrew Soft VPN Client does not access certificates installed into the Windows certificate store, so you need to copy your certificate files to a folder where they can be found. The installer creates the folder\\ +The Shrew Soft VPN Client does not access certificates installed into the Windows certificate store, so you need to copy your certificate files to a folder where they can be found. The installer creates the folder:
-''C:\Documents and Settings\Administrator\My Documents\Shrew Soft VPN\certs''\\ +
-it is suggested to copy the CA cert (ca.crt), unencrypted client cert (mb13.crt), and private key(mb13.key) for the client cert, to that location. Select these files on the "Authentication | Credentials" tab.+
  
-Technically the Shrew Soft VPN Client does support encrypted client certificates, but you need to enter the client p/w every time (a real pain), so it makes more sense to use the unencrypted key with this product.+  C:\Documents and Settings\Administrator\My Documents\Shrew Soft VPN\certs
  
-To enable split tunneling, add the networks found on the LAN side of your Astlinux box to the list on the "Policy" tab (192.168.102.0/24 in this example).+It is suggested to copy the CA cert (''ca.crt''), client cert (''mb13.crt''), and unencrypted client private key (''mb13.key'') for the client cert, to that location. Select these files using the "Authentication | Credentials" tab. 
 + 
 +Technically, the Shrew Soft VPN Client supports encrypted client certificate ''.p12'' containers, but you need to enter the container password every time (a real pain), so it makes more sense to use the unencrypted key with this product. 
 + 
 +To enable split tunneling, add the networks found on the LAN side of your Astlinux box to the list on the "Policy" tab (''192.168.102.0/24'' in this example).
  
 {{:userdoc:ipsec-xauth-shrew-soft-config1.jpg?nolink|Shrew Soft Configuration}} {{:userdoc:ipsec-xauth-shrew-soft-config1.jpg?nolink|Shrew Soft Configuration}}
  • userdoc/tt_ipsec_vpn_apple_ios.1347655352.txt.gz
  • Last modified: 2012/09/14 20:42
  • by abelbeck