iPhone cisco IPsec VPN split dns entries?

Hello,

I'm trying to connect to my corporate network, which uses separate internal DNS servers for resolution (for obvious reasons), and it appears that the iPhone is incapable of using these. The only workaround I currently have is to statically set these entries. Is there any way to make it so that the VPN client will allow the VPN's DNS entries to pass through?

Thanks!
-Rob

Macbook Pro, Mac OS X (10.5.4)

Posted on Jul 11, 2008 1:44 PM


Sep 19, 2008 2:08 PM in response to theskunk

Here is a sample (sanitized) config from my Cisco ASA VPN group policy.

group-policy vpnpolicy internal
group-policy vpnpolicy attributes
 : WINS/DNS servers pushed to the client (replace with your internal servers)
 wins-server value ipaddress1 ipaddress2
 dns-server value ipaddress1 ipaddress2
 vpn-tunnel-protocol IPSec svc webvpn
 : split tunnel: only the networks listed in the AdminSplit ACL go through the tunnel
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AdminSplit
 : suffix the client appends to unqualified names
 default-domain value yourdomain.local
 : domains whose queries are sent to the tunnel DNS servers; everything else uses the local resolver
 split-dns value yourdomain.local yourdomain.com
 address-pools value dhcppool1

Hope it helps everyone.

Sep 20, 2008 2:56 PM in response to tmhunt2

"Several" years ago, we had a PIX and were using the Cisco client. When we upgraded everyone to Windows XP, we simply began to use the Windows L2TP over IPsec client. I don't know what the IT folks did to facilitate that in the PIX, but the impression I have is that our initial PIX configuration accepted the Windows VPN client.

Have you tried using L2TP on the iPhone? The advantage of the L2TP client is that there's a simple switch to select split-tunnel.

Sep 23, 2008 8:50 AM in response to theskunk

I just got done setting mine up with our network. Thankfully, I build the VPNs. 🙂

I'm using a Cisco 3640 running IOS 12.4(21). 3DES Crypto image.

Not much to configure on the iPhone side, as we all know. The key really lies on the terminating device.

Basically, if your VPN is NOT configured to use split-tunnel, you're all set. All your traffic will pass through the VPN, and you'll be good.

If your VPN IS configured to use split-tunnel, then it needs to be configured for split-dns on each of the domains that need to resolve through the tunnel.

The iPhone doesn't seem to accept the DNS servers that the VPN endpoint tries to assign to it, so the only way to get this to work if split-tunnel is in play is via the split-dns method.
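As an added example (not code from this thread, from Apple or from Cisco), here is a small Python model of the client-side decision described in this post and encoded by the ASA group-policy attributes shown earlier: with tunnelall every query goes to the pushed DNS servers; with a split tunnel only names under a split-dns domain do, and everything else (including internal names, if split-dns is empty) goes to the local resolver and fails. The default-domain handling for unqualified names and the label-boundary suffix match are the two details that usually go wrong. The server addresses, domain names and policies are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class VpnDnsPolicy:
    """Client-side view of the DNS-related group-policy attributes (constructed model)."""
    tunnel_dns: List[str]                 # dns-server value ...  (pushed by the headend)
    local_dns: List[str]                  # resolvers learned from Wi-Fi/cellular, not from the VPN
    split_tunnel: bool                    # True: split-tunnel-policy tunnelspecified; False: tunnelall
    split_dns: List[str] = field(default_factory=list)   # split-dns value ...
    default_domain: str = ""              # default-domain value ...


def qualify(name: str, default_domain: str) -> str:
    """Append default-domain to a single-label name, as the client's stub resolver does."""
    name = name.strip().rstrip(".").lower()
    if default_domain and "." not in name:
        return f"{name}.{default_domain.strip('.').lower()}"
    return name


def matches_split_domain(fqdn: str, domain: str) -> bool:
    """Suffix match on label boundaries only.

    'evil-yourdomain.com' must NOT match a split-dns entry of 'yourdomain.com';
    a bare endswith() check would send that query down the tunnel.
    """
    fqdn = fqdn.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return fqdn == domain or fqdn.endswith("." + domain)


def choose_resolvers(qname: str, policy: VpnDnsPolicy) -> Tuple[str, List[str]]:
    """Return (reason, resolver list) for one query name under the policy."""
    fqdn = qualify(qname, policy.default_domain)
    if not policy.split_tunnel:
        return "tunnelall: every query goes to the tunnel DNS", list(policy.tunnel_dns)
    for domain in policy.split_dns:
        if matches_split_domain(fqdn, domain):
            return f"split-dns match on {domain}", list(policy.tunnel_dns)
    return "no split-dns match: local resolver (internal names fail here)", list(policy.local_dns)


def resolver_for(qname: str, policy: VpnDnsPolicy) -> List[str]:
    """Convenience wrapper returning only the resolver list."""
    return choose_resolvers(qname, policy)[1]


# Constructed sample values: documentation addresses, not real servers.
TUNNEL_DNS = ["198.51.100.53", "198.51.100.54"]
LOCAL_DNS = ["192.0.2.1"]

FULL_TUNNEL = VpnDnsPolicy(TUNNEL_DNS, LOCAL_DNS, split_tunnel=False)
SPLIT_NO_SPLIT_DNS = VpnDnsPolicy(TUNNEL_DNS, LOCAL_DNS, split_tunnel=True,
                                  default_domain="yourdomain.local")
SPLIT_WITH_SPLIT_DNS = VpnDnsPolicy(TUNNEL_DNS, LOCAL_DNS, split_tunnel=True,
                                    split_dns=["yourdomain.local", "yourdomain.com"],
                                    default_domain="yourdomain.local")


if __name__ == "__main__":
    queries = ["intranet", "mail.yourdomain.com", "www.example.org", "evil-yourdomain.com"]
    for label, policy in [("tunnelall", FULL_TUNNEL),
                          ("split tunnel, no split-dns", SPLIT_NO_SPLIT_DNS),
                          ("split tunnel + split-dns", SPLIT_WITH_SPLIT_DNS)]:
        print(f"== {label}")
        for q in queries:
            reason, servers = choose_resolvers(q, policy)
            print(f"  {q:22} -> {servers}  ({reason})")
```

Running it shows the three situations from the post side by side: under SPLIT_NO_SPLIT_DNS the bare name "intranet" is qualified to intranet.yourdomain.local and still handed to the local resolver, which is exactly the case where statically configuring entries was the only workaround.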
