Cisco IPSec setup
Use this section to configure your Cisco VPN server for use with iOS and iPadOS, both of which support Cisco ASA 5500 Security Appliances and PIX firewalls. iOS and iPadOS also support Cisco IOS VPN routers with IOS version 12.4(15)T or later. VPN 3000 Series Concentrators don’t support iOS or iPadOS VPN capabilities.
iOS and iPadOS support the following authentication methods:
Preshared key IPSec authentication with user authentication via xauth.
Client and server certificates for IPSec authentication, with optional user authentication via xauth.
Hybrid authentication, where the server provides a certificate and the client provides a preshared key for IPSec authentication. User authentication is required and provided via xauth, which includes these authentication methods:
User name with password
The Cisco Unity protocol uses authentication groups to group users based on a common set of parameters. You should create an authentication group for iOS and iPadOS users. For preshared key and hybrid authentication, the group name must be configured on the device with the group’s shared secret (preshared key) as the group password.
When using certificate authentication, there’s no shared secret. A user’s group is determined from fields in the certificate. The Cisco server settings can be used to map fields in a certificate to user groups.
RSA-Sig must be the highest priority on the ISAKMP priority list.
IPSec settings and descriptions
You can specify these settings to define how IPSec is implemented:
Mode: Tunnel mode.
IKE exchange modes: Aggressive mode for preshared key and hybrid authentication, or Main mode for certificate authentication.
Encryption algorithms: 3DES, AES-128, or AES256.
Authentication algorithms: HMAC-MD5 or HMAC-SHA1.
Diffie-Hellman Groups: Group 2 is required for preshared key and hybrid authentication, group 2 with 3DES and AES-128 for certificate authentication, and group 2 or 5 with AES-256.
Perfect Forward Secrecy (PFS): For IKE phase 2, if PFS is used, the Diffie-Hellman Group must be the same as was used for IKE phase 1.
Mode configuration: Must be enabled.
Dead peer detection: Recommended.
Standard NAT traversal: Supported and can be enabled (IPSec over TCP isn’t supported).
Load balancing: Supported and can be enabled.
Rekeying of phase 1: Not currently supported. It’s recommend that rekeying times on the server be set to one hour.
ASA address mask: Make sure all device address pool masks are either not set, or set to 255.255.255.255. For example:
asa(config-webvpn)# ip local pool vpn_users 10.0.0.1-10.0.0.254 mask 255.255.255.255.
If you use the recommended address mask, some routes assumed by the VPN configuration might be ignored. To avoid this, make sure your routing table contains all necessary routes, and make sure the subnet addresses are accessible before deployment.
Application version: The client software version is sent to the server, letting the server accept or reject connections based on the device’s software version.
Banner: The banner (if configured on the server) is displayed on the device, and the user must accept it or disconnect.
Split tunnel: Supported.
Split DNS: Supported.
Default domain: Supported.