Re: iOS 5/6 and VPN
- Subject: Re: iOS 5/6 and VPN
- From: Athanasios Douitsis <email@hidden>
- Date: Thu, 18 Oct 2012 23:40:58 +0300
On Thu, Oct 18, 2012 at 8:03 PM, Kevin Brock <email@hidden> wrote:
> On Oct 18, 2012, at 6:03 AM, Athanasios Douitsis <email@hidden> wrote:
>
> Hi,
>
> Sorry for the delayed answer, just saw your message from yesterday. To
> do the same for iOS you have to play with the mobileconfig format,
> which is basically an xml schema documented by apple. It may surprise
> you that not only iOS, but also mountain lion now supports this
> format.
>
> For your reference, look here:
> http://developer.apple.com/library/ios/#featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html
>
> Recently I have completed a project exactly like the one you are
> describing for the National Technical University of Athens.
>
> It sounds like you're using this profile to tell the *existing* iOS secure
> networking software how to connect to your specific servers, rather than to
> enable a new VPN client type on the iOS system. Is that correct?
>
> Kevin
Hi Kevin,

If I understand your question correctly, the answer is yes. There are
actually 3+1 types of connections that the builtin iOS VPN client can
do.

The first is (PPP over) L2TP over IPSec with a preshared key or mutual
certificate authentication. I've tested this setup and it works, but it
uses IPSec transport mode packets back and forth between server and
client. This practically means many firewalls will block this
connection.

The second is PPTP, which is not too interesting for various reasons,
so I won't go too much into it.

The third and fourth are pure IPSec tunnel mode with pre-shared or
client certificate authentication. I am counting a fourth way here,
because there's an obscure mention in Apple documentation that if
there is a '[hybrid]' at the end of the group setting string then the
client goes to Xauth hybrid mode, which means certificate for the
server, username/password for the client authentication. This is the
most interesting mode, because it resembles very much the usual way
https works, where the web server presents a certificate but the
client doesn't. So this solves the man in the middle attack
possibility when you use a pre-shared key.

So as you can see there are quite a lot of types of servers that are
out there that the iOS client can connect to. I set up my own racoon,
but there are some great prebuilt software such as pfSense (based on
FreeBSD), and I know at least one example of successful connection
with OpenSWAN. I have also seen examples on the web with iOS
connecting to Cisco IOS (ironic right?).

Lastly, I have briefly studied the code at opensource.apple.com and at
least for some modes, the iOS client is also based on racoon, with
modifications of course. What's even more interesting is that the Mac
OS X client since at least 10.6 also uses this code (with heavy
ifdef'ing). For example try mdfind -name racoon on your mac.

My best regards,
Athanasios
> On Wed, Oct 17, 2012 at 3:10 PM, Arun R <email@hidden> wrote:
>
> Hello,
>
> I work with a company which offers enterprise-grade VPN solutions (our own).
> On Windows, OSX, etc, we have a simple thin client that automatically
> creates a VPN connection based on a configuration file. We also have a
> dialer GUI which dials the connection, monitors it to see how long it stays
> up, allows the user to disconnect it.
>
> We'd like to do the same with iOS - automated connection setup, and
> automated dialer. I've seen that other VPN apps (like Cisco/Juniper etc) are
> able to do this.
>
> I've looked on the web for an answer, but I don't see one anywhere. The best
> I see is the mobileconfig file which the user has to manually import.
>
> What do we need to do to get this working for us? Thought I'd talk to the
> experts before contacting Apple directly.
>
> Thank you!
> Arun
--
Athanasios Douitsis
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
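A defender-side check that the profile discussion above invites, added here as an example and not code from the thread, from Apple, or from any project named in it: a Python audit that parses a .mobileconfig (an XML plist) and reports which IPSec VPN payloads rely only on a pre-shared key, as opposed to certificate or '[hybrid]' Xauth mode. The payload keys follow Apple's Configuration Profile Reference linked in the thread; mapping the '[hybrid]' suffix to the LocalIdentifier (group name) key is an assumption, and the sample profile is constructed.

```python
import plistlib


def ipsec_mode(ipsec):
    """Classify one IPSec payload dict: 'psk', 'certificate', 'hybrid' or 'unknown'."""
    group = str(ipsec.get("LocalIdentifier", ""))   # group name; '[hybrid]' suffix assumed here
    if group.endswith("[hybrid]"):
        return "hybrid"            # server cert + user/password, the HTTPS-like mode
    method = ipsec.get("AuthenticationMethod")
    if method == "Certificate":
        return "certificate"
    if method == "SharedSecret":
        return "psk"
    return "unknown"


def audit_profile(blob):
    """Return [(payload name, mode, finding)] for every IPSec VPN payload in a profile."""
    profile = plistlib.loads(blob)
    results = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue               # only VPN payloads are of interest
        if payload.get("VPNType") != "IPSec":
            continue               # L2TP/PPTP payloads are out of scope for this check
        mode = ipsec_mode(payload.get("IPSec", {}))
        finding = ("pre-shared key: anyone holding the group secret can pose as the "
                   "gateway (the MITM risk the thread mentions)" if mode == "psk" else "ok")
        results.append((payload.get("UserDefinedName", "?"), mode, finding))
    return results


def _vpn_payload(name, ipsec):
    """Build one VPN payload dict (constructed helper for the sample below)."""
    return {"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
            "UserDefinedName": name, "VPNType": "IPSec", "IPSec": ipsec}


# Constructed sample profile, serialized to the XML plist form a .mobileconfig uses.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadContent": [
        _vpn_payload("Lab PSK", {"RemoteAddress": "vpn.example.invalid",
                                 "AuthenticationMethod": "SharedSecret",
                                 "SharedSecret": b"constructed-psk",
                                 "LocalIdentifier": "users", "XAuthEnabled": 1}),
        _vpn_payload("Lab hybrid", {"RemoteAddress": "vpn.example.invalid",
                                    "AuthenticationMethod": "Certificate",  # assumed for hybrid
                                    "LocalIdentifier": "users[hybrid]", "XAuthEnabled": 1}),
    ]})

if __name__ == "__main__":
    for name, mode, finding in audit_profile(SAMPLE_PROFILE):
        print(f"{name}: {mode} - {finding}")
```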