ipsec vpn to linux server

marlene42

iPF Noob
Joined
Jun 24, 2011
Messages
4
Reaction score
0
Location
Germany
I need to set up an IPsec connection to my linux home server.
Does anyone know how
1. to configure the iPad 2 for IPsec with Linux vpn server?
2. to configure the Linux vpn server for iPad?
Thanks in advance, Marlene
 

Lagranger

iPF Noob
Joined
Jun 22, 2010
Messages
24
Reaction score
2
Location
Boca Raton
At present no one seems to have found a truly workable solution for this, but here are some pointers that may help. (btw, I'd be more than willing to admit I'm wrong about this, but I've been casually researching the same topic without success since the iPad 1 was released. If you do manage to find a solution anyway, please post your findings here!)

Anyway, here's my iPad VPN research so far:

- At this point IPsec VPN support in iOS seems to mean one thing: Cisco. The builtin VPN support works great if you are connecting to Cisco hardware -- the connection is solid and I've even been able to run VOIP apps over it. So if you're willing to spring for Cisco hardware, this is probably the best supported IPsec VPN for iOS at the moment.

- However, since you're running a Linux server I'm guessing you might likewise be looking for an open-source solution. Unfortunately no one seems to be able to get the builtin iOS VPN support to work with any of the open-source IPsec implementations (e.g. racoon or isakmpd).

- If you're willing to consider an SSL-based VPN for your server, the most popular one for Linux/BSD is OpenVPN...

- Except again, no one has been able to get iOS to interoperate with OpenVPN *without jailbreaking the device* (something many users wish to avoid). As an aside, Cisco just released an iPad client that works with their AnyConnect SSL-based VPN. You may begin to see the pattern here.

- If you're willing to put up with an older, less secure type of VPN, others have gotten PPTP to work just fine. In fact, if you're adventurous you can install the DD-WRT custom firmware on a supported home router and use it as a PPTP endpoint between your server and iPad.

- Hopefully iOS 5 will bring improvements in VPN connectivity options. But then again, some of us have been hoping for this over several past releases.

Hope this info helps.
 

thewitt

iPF Novice
Joined
Jun 5, 2011
Messages
1,627
Reaction score
73
Great summary.

IPSec for iOS is currently a Cisco implementation.

There is nothing wrong with using PPTP over encrypted wireless. The only real complaint about PPTP is that it can be configured to send the username and password in plain text over a wired network. If you secure and encrypt your wifi signal, your PPTP connection will be adequately secured for most corporate networks - though your paranoid IT guys may still disagree.

If you do get an overzealous IT security guy in your face, challenge him to intercept your communication and hack your password... It's highly likely he has read somewhere this can be done but has no clue how to do so, and that it's more challenging than the article he read on a blog somewhere.

I've heard rumors of more broad VPN support coming, including SSL VPN but nothing concrete.

-t
 

Lagranger

Hehe, thanks, thewitt.

I hate to admit it, I *am* one of those paranoid I.T. guys (just for a small organization that doesn't deploy VPNs (nor iPads, sadly)) who also happens to love Wireshark and be somewhat of a crypto geek.

However, I do take your point re: PPTP's relative security being adequate in most instances and probably fine for a home server setup such as the OP's.

I personally suspect that PPTP gets a bad rep because it reminds people of WEP (in that they are both older protocols and both use RC-4 for their default encryption). Of course, in the case of WEP, it was outright bad design and poor implementation that led to its downfall, not necessarily the crypto algorithm used.

Much better (wider) VPN support in iOS 5 would be great although I'm not holding my breath. I'd much rather be pleasantly surprised this fall rather than disappointed yet again. :)

[My apologies in advance if the following is not an option the OP is interested in. Hopefully the info might be of use to others who happen across here]

Anyhow, I don't intend to hijack this thread but perhaps I could suggest to the OP that SSH tunneling may be of use if you're not specifically looking to deploy a true VPN and are extra-concerned about security (e.g. connecting via open public wifi, etc)?

OpenSSH is shipped as part of nearly every Unix-like OS nowadays, is simple to configure for TCP forwarding (usually enabled by default on most distros) and is easily understood from a security standpoint. It requires no specific support from the iOS network stack since everything is done in the application layer.

Currently there are two iOS apps I'm aware of that support arbitrary SSH tunnels: iSSH and Remoter (actually a VNC app but allows creating tunnels). The idea is you first log in to your Linux box via SSH using one of these apps to create a tunnel. Then launch your second app and point it to localhost and a predefined port to use the encrypted tunnel. Currently no iOS SSH client I've seen supports OpenSSH's SOCKS proxying feature, so you're limited to creating statically defined tunnels, but it's still quite usable.

Of course, there are a number of limitations with this approach that prevent it from ever replacing a true VPN setup, the biggest of which are: A current iOS limitation that requires you to 'refresh' the SSH tunnel every 10 min, the fact that you can only use TCP connections through it (eliminating many streaming and VOIP apps), and that it takes a pretty good understanding of how SSH works when setting things up on the iPad side.
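
Added example, not part of Lagranger's post: a server-side `sshd_config` fragment for the static tunnel setup described above, with the permissive setting beside a restricted form. The account name `ipadtunnel`, the host `server.example` and the forward target `127.0.0.1:5900` (a local VNC service) are assumptions made for illustration.

```conf
# /etc/ssh/sshd_config (fragment). Constructed example: the account name and
# the forward target are assumptions, not values from this thread.

# Permissive form: TCP forwarding enabled for every account, to any
# destination the server can reach.
#   AllowTcpForwarding yes

# Restricted form: a dedicated tunnel-only account that may open exactly one
# static forward and nothing else. Match blocks belong at the end of the file.
Match User ipadtunnel
    # Key-based login only; no password guessing against this account.
    PasswordAuthentication no
    PubkeyAuthentication yes
    # Allow client-to-server (local) forwards only, and only to the one
    # service the tunnel exists for.
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:5900
    # Switch off the other forwarding channels.
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    GatewayPorts no

# Desktop equivalent of the static tunnel the iPad app creates
# (the second app then connects to localhost:5900 on the client):
#   ssh -N -L 5900:127.0.0.1:5900 ipadtunnel@server.example
```

Check the file with `sshd -t` before reloading the daemon. `AllowTcpForwarding local` needs a reasonably recent OpenSSH; on older servers, `AllowTcpForwarding yes` combined with `PermitOpen` still limits the destination.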
 

marlene42

ipsec vpn to linux server - no working example found so far

Thank you, Lagranger and thewitt, for your replies!

Yes, Lagranger, great summary, even if it doesn't give me too much hope to find an open source solution.

Some facts I've collected so far:


  1. I had very good success with OpenVPN for many purposes, and I'd love to use it. But Jailbreak isn't an option here, so OpenVPN isn't either. It cannot just be ported to iPad and offered in App Store, because Apple's restrictive terms and conditions don't allow GPL Software.
  2. PPTP is considered to be several orders of magnitude less secure than IPSec - this is a no-go.
  3. iPad offers two more options: L2TP over IPSec and IPSec only. Therefore I thought of getting IPSec to work first.
  4. Yes, OpenSSH is great, and I use it every day. Sometimes I use ssh tunnels on ssh tunnels on ssh tunnels to achieve a temporary goal, and if the underlying networks are not too flaky, it works great and reliably. But we need a true VPN for some applications. One example is Citrix: the Citrix client connects to a Citrix server and may get redirected to another Citrix server. The Citrix servers don't know about any ssh tunnels I might have set up, so it just says: "connect to the other server, which is located at 192.168.47.11". We gave up ssh tunnels for VPN use at this point.
  5. I thought of authenticating with certificates (PKI is already established for OpenVPN use); I tried to import the private CA certificate and a test certificate, and iPad accepted them just like that. Missing a USB connector I had to learn that email works for that :)
  6. Of course, a small Cisco box might be an option, if that works for non-IPSec-experts better than Linux.

Thanks again, Marlene
 

thewitt

Just remember the IPSec implementation is Cisco. No other IPSec router will work as Cisco is non-standard.

-t
 

marlene42

iPad ipsec vpn to linux - only Cisco IPSec router will work as it's non-standard?

Hi thewitt,

UUUHHH, that sounds discouraging!

Do you know for sure? Do you know about those Cisco specific IPSec parameters which disqualify OpenSwan, StrongSwan and isakmpd (are there more?) at a time?

I found an Apple document, which shows some details how to configure a Cisco VPN concentrator. But alas, my (non-existing, slowly growing) IPSec skills don't let me understand it fully yet:

manuals.info.apple.com / de_DE / Einsatz_in_Unternehmen.pdf

Sorry for that "link", but I'm not allowed to post a link yet.


Thanks again for any further help! Marlene
 

thewitt

It is a Cisco client. Go to the IPSec tab in the VPN setup screen and you'll see the Cisco logo ...

-t
 
