12

According to Apple’s support article on VPN for iOS, only Cisco IPSec, Juniper Junos Pulse, and Cisco AnyConnect support the VPN on-demand feature. Are there any open-source implementations (‘free’ as in beer is more important here) of these that I could deploy on a Linux-based system with no special hardware?

Update: I already have a PPTP solution. I am specifically interested in the on-demand features of the other two.

Shane Madden
Daniel
  • Have you tried running an ipsec gateway on Linux? Might be compatible with the Cisco IPSEC option. Never tried it, though; I use PPTP. – Steve Dispensa Aug 25 '11 at 15:12

3 Answers

10

Cisco IPSec, Juniper Junos Pulse, and Cisco AnyConnect can be configured for VPN on-demand for certain destination hosts/networks as they are part of the route and can realize the need to establish a VPN connection first in order to connect to those hosts/networks.

So in the case of your Linux-based PPTP VPN server, as far as that server is not your default routing gateway, VPN on Demand is meaningless. In this configuration your server should be a Cisco IPSEC compatible gateway on Linux and your iOS devices' default routing gateway too.

In the case of an Apple iOS device, VPN on Demand allows the iOS device to establish transparent and secure connectivity to a remote enterprise network with no more manual configuration on the user side.

This VPN on Demand feature cannot be manually configured on the iOS device, requires certificate-based authentication, and is currently supported on Cisco IPSec, Juniper Junos Pulse, and Cisco AnyConnect.

In order to activate and configure it on iOS devices, you must create a configuration profile and then provision the device.

Another form of VPN on Demand is available on Mac OSX devices where Safari decides to establish a VPN connection to connect to certain domains/networks (e.g. vpn.mycompany.com) that you have already listed as VPN on Demand and configured its connection settings profile (password/certificate).

More Info:

iOS VPN on Demand:

http://www.0x8847.net/2010/07/iphone-os-vpn-on-demand/

http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf

OSX VPN on Demand: http://docs.info.apple.com/article.html?path=Mac/10.6/en/15575.html

For a Cisco IPSec gateway on Linux, I recommend you use the open-source package StrongSwan for your iOS VPN on Demand.

http://www.strongswan.org/

Use the --enable-cisco-quirks parameter when building StrongSwan to make it compatible with Cisco IPSEC. It is a stable, certification-based IPsec gateway on Linux that is compatible with iOS VPN on Demand requirements.

Check the following link to set up iOS on StrongSwan:

http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)

Authentication uses XAUTH and certificates (authby=xauthrsasig). The described setup has been tested and confirmed working on an iPad 2 with iOS 4.3.1, but is expected to work on all other iOS devices (iPhone, iPad, iPod Touch) running an up-to-date iOS version.

Reza Hashemi
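The configuration profile that the answer above says is required, built with Python's plistlib as an added example (not code from the answer, from strongSwan or from Apple). Key names follow Apple's configuration profile format for the Cisco IPSec payload as an assumption to verify against the current reference; the gateway name, domains, identifiers and PKCS#12 bytes are constructed placeholders.

```python
import plistlib
import uuid


def build_ondemand_profile(gateway, match_domains, p12_bytes, org="com.example"):
    """Return .mobileconfig bytes: client identity + Cisco IPSec VPN on Demand."""
    # On-demand needs certificate-based authentication, so refuse to emit
    # a profile that has no client identity to reference.
    if not p12_bytes:
        raise ValueError("VPN on Demand needs a client certificate (PKCS#12)")
    if not match_domains:
        raise ValueError("at least one on-demand domain is required")

    cert_uuid = str(uuid.uuid4()).upper()
    cert_payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": org + ".vpn.identity",   # constructed identifier
        "PayloadUUID": cert_uuid,
        "PayloadDisplayName": "VPN client identity",
        "PayloadContent": p12_bytes,                  # written as <data>
    }
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": org + ".vpn.ondemand",   # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "UserDefinedName": "Office VPN",
        "VPNType": "IPSec",
        "IPSec": {
            "RemoteAddress": gateway,
            "AuthenticationMethod": "Certificate",
            # Ties the tunnel to the identity payload defined above.
            "PayloadCertificateUUID": cert_uuid,
            "XAuthEnabled": 1,   # matches authby=xauthrsasig on the gateway
            "OnDemandEnabled": 1,
            "OnDemandMatchDomainsAlways": list(match_domains),
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org + ".vpn.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "VPN on Demand",
        "PayloadContent": [cert_payload, vpn_payload],
    }
    return plistlib.dumps(profile)
```

The returned bytes are what would be saved as a `.mobileconfig` file and provisioned to the device; the PKCS#12 identity must be issued by a CA the gateway trusts.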
3

As already mentioned in @Reza's answer, you basically just need a profile to make this work. One thing Reza didn't mention, though, is the actual question I think you were asking. To make this work on Linux you need some sort of IPSec support. There are several tools available that can do this; how to configure several of them is available here:

http://www.ipsec-howto.org/t1.html

I've used Openswan for this myself:

http://www.openswan.org/

Once you get the VPN configuration profile working and set up the realm correctly, the iOS device will establish the IPSec tunnel on demand and free beers will be had by all (you're buying!)

polynomial
  • I need IPsec with "certificate based authentication." This is not a listed feature for either of these tools. – Daniel Aug 29 '11 at 00:56
  • I don't think it's listed for Openswan because it is the default. Here is how you can configure it to use certificate authentication: http://www.natecarlson.com/2007/07/30/configuring-an-ipsec-tunnel-between-openswan-and-windows-2000-xp/ You can replace XP with iOS in this example. – polynomial Aug 29 '11 at 01:43
2

We use the PPTP Linux package on CentOS, and it works very well for OSX, Windows, and iOS. I know it has its limitations with regards to security, but for most people it is more than adequate.

SpacemanSpiff