Cisco VPN with On-Demand setup on Apple Devices finally working!

Hi together,

I just wanted to thank the Sophos Team. This was one feature I was missing terribly since my switch from UTM 9. :-)

The Cisco VPN setup is finally working with Apple iOS Devices with "advanced" on-demand rules. :-)

I'm using this to automatically establish a VPN connection when using public/unencrypted wlans and for accessing my local infrastructure when needed.


Compared to L2TP/IPsec the connection is established really fast, doesn't drain the devices' battery so much and caused no strange hangs on switches between mobile and wlan connections so far.

However I'm using PSK mode right now as the XG's web interface always throws an error when I try to activate the certificate mode.

Has anyone managed to get this working with certificate based auth as well?

Best Regards

DomNik

  • DomNik said:


    Hi DomNik 

    Do you mind sharing how you have got the VPN working with "advanced" on-demand rules? I currently use the Cisco VPN option for iOS, although it would be useful to have it work on demand.

    Thanks

  • Hi DomNik,

    Would also love to hear how you accomplished this feat. Let us know!

    Thanks!

  • Hi together,

    sorry for the delay. Below are my settings - no guarantee that this is the best setup, but it's working. :-)

    1. Setup CISCO VPN in the XG UI:

    CISCO VPN Client: Enable
    Interface: WAN Interface
    Authentication Type: Preshared Key
    Preshared Key: a nice key (I'm using 128 printable chars right now)
    Local ID: empty
    Remote ID: empty
    Allowed User: Your VPN users with CISCO VPN Client enabled + valid IP matching your VPN IP range (see below)

    Name: free text without spaces
    Assign IP from: Your VPN subnet
    DNS Server 1: An internal IP of your XG
    DNS Server 2: empty
    Disconnect when tunnel is idle: disabled
    Idle session time interval: empty


    2. Create a mobileconfig file with "Apple Configurator 2" from the App Store on macOS:

    Fill the basic settings with the tool to get a nice template file - and leave all the other fields empty:

    General

    - Name: some free text

    - Organization: some free text

    VPN

    - Connection Name: some free text

    - Connection Type: IPsec

    - Server: dyndns hostname

    - Device authentication: Shared secret


    3. Modify the mobileconfig with a text editor. This is my example:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "www.apple.com/.../PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>PayloadContent</key>
      <array>
        <dict>
          <key>IPSec</key>
          <dict>
            <key>AuthenticationMethod</key>
            <string>SharedSecret</string>
            <key>LocalIdentifierType</key>
            <string>KeyID</string>
            <key>OnDemandEnabled</key>
            <integer>1</integer>
            <key>OnDemandRules</key>
            <array>
              <!-- rules are evaluated top down; the first matching rule wins -->
              <!-- 1. trusted WLAN SSIDs: no VPN -->
              <dict>
                <key>Action</key>
                <string>Disconnect</string>
                <key>InterfaceTypeMatch</key>
                <string>WiFi</string>
                <key>SSIDMatch</key>
                <array>
                  <string>these are</string>
                  <string>your trusted</string>
                  <string>wlan ssids that don't need VPN</string>
                </array>
              </dict>
              <!-- 2. all other SSIDs: connect -->
              <dict>
                <key>Action</key>
                <string>Connect</string>
                <key>InterfaceTypeMatch</key>
                <string>WiFi</string>
              </dict>
              <!-- 3. connect when internal domains are accessed -->
              <dict>
                <key>Action</key>
                <string>EvaluateConnection</string>
                <key>ActionParameters</key>
                <array>
                  <dict>
                    <key>DomainAction</key>
                    <string>ConnectIfNeeded</string>
                    <key>Domains</key>
                    <array>
                      <string>your internal domains</string>
                    </array>
                  </dict>
                </array>
              </dict>
              <!-- 4. default disconnect on cellular -->
              <dict>
                <key>Action</key>
                <string>Disconnect</string>
                <key>InterfaceTypeMatch</key>
                <string>Cellular</string>
              </dict>
              <!-- 5. default disconnect -->
              <dict>
                <key>Action</key>
                <string>Disconnect</string>
              </dict>
            </array>
            <key>RemoteAddress</key>
            <string>dyndns hostname</string>
            <key>XAuthEnabled</key>
            <integer>1</integer>
          </dict>
          <key>IPv4</key>
          <dict>
            <key>OverridePrimary</key>
            <integer>1</integer>
          </dict>
          <key>PayloadDescription</key>
          <string>generated free text</string>
          <key>PayloadDisplayName</key>
          <string>VPN</string>
          <key>PayloadIdentifier</key>
          <string>generated id</string>
          <key>PayloadType</key>
          <string>com.apple.vpn.managed</string>
          <key>PayloadUUID</key>
          <string>generated uuid</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
          <key>Proxies</key>
          <dict>
            <key>HTTPEnable</key>
            <integer>0</integer>
            <key>HTTPSEnable</key>
            <integer>0</integer>
          </dict>
          <key>UserDefinedName</key>
          <string>some free text</string>
          <key>VPNType</key>
          <string>IPSec</string>
        </dict>
      </array>
      <key>PayloadDisplayName</key>
      <string>some free text</string>
      <key>PayloadIdentifier</key>
      <string>generated id</string>
      <key>PayloadOrganization</key>
      <string>some free text</string>
      <key>PayloadRemovalDisallowed</key>
      <false/>
      <key>PayloadType</key>
      <string>Configuration</string>
      <key>PayloadUUID</key>
      <string>generated uuid</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    </plist>


    4. Send the mobileconfig file to your device with AirDrop, import it, and enter the username, user password and preshared key directly on the device.


    It's important to understand the OnDemandRules logic. The rules are processed top down, in the example case:

    - Disconnect for trusted WLAN SSIDs

    - Connect for all other SSIDs

    - Connect when internal domains should be accessed (no DNS resolution possible from the outside)

    - Default disconnect on Cellular network

    - Default disconnect


    Some nice examples: www.derman.com/.../Example-iOS-VPN-OnDemand-Rules


    I hope the steps are understandable. Questions welcome. ;-)

    Best Regards

    DomNik


    //Update: I had to create a new Sophos ID just to change my mail address. So this is my first post with the new account. :-)
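As an added example (my own code, not DomNik's profile and not anything from Sophos or Apple), the Python below mirrors the OnDemandRules array from the post and simulates the top-down, first-match evaluation the post describes, so a rule order can be checked before the profile is deployed. It also flags rules that sit behind a rule with no match criteria, since such a rule matches every network state (that is what makes the final Disconnect a default); the SSIDs and domain are assumed placeholders.

```python
# Added example, not from the forum post: simulates the top-down
# OnDemandRules evaluation iOS applies, so a rule order can be checked before
# the profile is deployed. The rule list mirrors the post; the SSIDs and the
# domain are placeholders (assumed values).

ON_DEMAND_RULES = [  # same order and keys as the OnDemandRules array above
    {"Action": "Disconnect", "InterfaceTypeMatch": "WiFi",
     "SSIDMatch": ["home-wlan", "office-wlan"]},         # 1. trusted SSIDs
    {"Action": "Connect", "InterfaceTypeMatch": "WiFi"},  # 2. any other Wi-Fi
    {"Action": "EvaluateConnection", "ActionParameters": [  # 3. per-domain
        {"DomainAction": "ConnectIfNeeded", "Domains": ["intra.example.test"]}]},
    {"Action": "Disconnect", "InterfaceTypeMatch": "Cellular"},  # 4. cellular
    {"Action": "Disconnect"},                              # 5. default
]

# All match criteria a rule may carry; a rule with none of them is a catch-all.
MATCH_KEYS = ("InterfaceTypeMatch", "SSIDMatch", "DNSDomainMatch",
              "DNSServerAddressMatch", "URLStringProbe")

def rule_matches(rule, interface, ssid=None):
    """True when every criterion the rule carries fits the network state.
    Only interface type and SSID are modelled here."""
    if rule.get("InterfaceTypeMatch") not in (None, interface):
        return False
    if "SSIDMatch" in rule and ssid not in rule["SSIDMatch"]:
        return False
    return True

def evaluate(rules, interface, ssid=None):
    """Return the first matching rule as index, action and domain list."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, interface, ssid):
            domains = [d for p in rule.get("ActionParameters", [])
                       for d in p.get("Domains", [])]
            return {"index": i, "action": rule["Action"], "domains": domains}
    raise ValueError("no rule matched: end the list with a catch-all rule")

def shadowed_rules(rules):
    """Indices of rules that can never fire: everything after the first
    catch-all (a rule with no match criteria) is unreachable."""
    for i, rule in enumerate(rules):
        if not any(k in rule for k in MATCH_KEYS):
            return list(range(i + 1, len(rules)))
    return []

if __name__ == "__main__":
    for state in (("WiFi", "home-wlan"), ("WiFi", "cafe"), ("Cellular", None)):
        print(state, "->", evaluate(ON_DEMAND_RULES, *state))
    print("shadowed rule indices:", shadowed_rules(ON_DEMAND_RULES))
```

On the post's rule order the check reports rules 4 and 5 as unreachable: the EvaluateConnection rule carries no match criteria, so on cellular it is the rule that fires, bringing the tunnel up only for the listed internal domains.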