
iPhone cisco IPsec VPN split dns entries?

Hello,

I'm trying to connect to my corporate network, which uses separate internal DNS servers for resolution (for obvious reasons), and it appears that the iPhone is incapable of using these. The only workaround I currently have is to statically set these entries. Is there any way to make it so that the VPN client will allow the VPN's DNS entries to pass through?

Thanks!
-Rob

Macbook Pro, Mac OS X (10.5.4)

Posted on Jul 11, 2008 1:44 PM

21 replies

Jul 11, 2008 6:44 PM in response to theskunk

I seem to be having the same issue. I can successfully connect to my company's VPN, but I am unable to get to the 'internal' web page. The Cisco VPN settings don't seem to get too detailed, so I'm at a loss on how to resolve this issue.
Also, do you know why the "Use Certificate" option is grayed out? And what does this option do anyways?

Thanks!
-Matt

Jul 11, 2008 9:50 PM in response to Matt D.

Me too...

I was able to finally access my company's exchange server by finding out the ip address of it and putting it in the "server" field of the email setup.

I also tried to manually set the DNS server address in the network setup, but that didn't work. I would be fine with this solution since I don't expect my company to change DNS servers too often! Anyone have any ideas why this doesn't work? (I tried delimiting the addresses with spaces and commas.)

Jul 12, 2008 7:42 AM in response to svento

Rob, sounds like an issue with the corporate VPN design, not the client. Seems like DHCP should just update those entries... Not really sure if these comments are all the same issue... you might try this:
after successfully connecting your client, browse somewhere like whatsmyipaddress and verify your web traffic is not going out the corporate pipe. Traffic gets tunneled down network lists that limit access once you connect to the VPN concentrator/ASA; not too sure about other VPN appliances/services. Can you verify that another IPSEC client can access the resources from your home network or your handset at a hotspot?

Data Roaming On
2.0 (5A347)
Modem Firmware 04.05.04_G

Jul 12, 2008 7:21 PM in response to Matt D.

I realize this isn't the problem you're having, but I am curious why the "use certificate" option is greyed out on my phone as well. I actually do need to use a certificate for my setup, but I can't figure out a way of actually selecting that option. I see nothing in any of Apple's documentation about this.

Anybody?

Jul 13, 2008 9:55 AM in response to (((i)))

I believe the problem is with "Split DNS" or "Split Networking" in the Cisco VPN Concentrator. The iPhone documentation says it supports these features, but I'm not sure it really does.

I don't have direct access to our VPN concentrator, but if one of you out there does, please experiment with the various combinations of turning split DNS on or off to see if you eventually get DNS resolution from your internal DNS servers...

Jul 13, 2008 7:17 PM in response to (((i)))

I'm having what appears to be the same issue. I can connect and access all corp. resources from the same location/network with my full Cisco VPN client, but not with the iPhone. From the iPhone, I get connected, get the banner, and everything is OK according to the phone - I have an internal address on the VPN, etc. - but all attempts to access corp. resources fail.

A quick check on whatismyip shows that I'm still accessing internet resources from my home network, not the corporate one. According to the Enterprise Deployment Doc:

OverridePrimary Boolean. Specifies whether to send all traffic through the VPN
interface. If true, all network traffic is sent over VPN.

I checked the config I'm using, and if I understand correctly, all traffic is supposed to go over my VPN tunnel in this config - correct? So, obviously not working as designed, or the config is being overridden somewhere.

Anyone else think something may not be functioning quite right?

Jul 14, 2008 4:58 AM in response to theskunk

I'm having the same issue - Rob, you mention a workaround using static DNS entries - do you mean using the static settings on a WiFi connection? Otherwise I can't see where you would create static DNS entries.

I don't really want to use the VPN when I'm on WiFi. Mostly when I use WiFi I'll be at home with a real computer, I want VPN over 3G and I can't get my work's DNS servers over 3G at the moment after connecting to the VPN.

Jul 14, 2008 11:13 AM in response to theskunk

Well, I think I found my particular problem. According to Cisco's documentation:

"Which Cisco platforms work with the Cisco VPN Client on the iPhone?

Cisco ASA 5500 Security Appliances and PIX Firewalls. We highly recommend the latest 8.0.x software release (or greater), but you can also use 7.2.x software.

Neither Cisco IOS VPN routers nor the VPN 3000 Series Concentrators support the iPhone VPN capabilities."

I know that I'm using a 3000 Series. Anyone else?

Jul 21, 2008 2:26 PM in response to G5 waiting for a core 2 duo..

I had the same problem with my iPhone (both first generation and 3G). When I contacted our IT Network Security folks, they provided a different profile (i.e. with a different Group Name and Shared Secret) such that the DNS resolution goes through "NO Split Tunnel". However, the problem with this profile is you cannot access the internet unless you set the proxy settings properly. If your office does not have a proxy to go out onto the internet, then you may be totally alright. So, the "No Split Tunnel" seems to be the solution.

I am not aware of the Cisco VPN concentrator versions or anything though.

Hope this helps.

Thanks,
Thiru

Jul 23, 2008 8:43 AM in response to theskunk

I'm using Split DNS with success and have been since day one. I am using the same group settings as my Windows VPN client.

On the server side I am running a PIX 515E with PIX 7.2. I have both split tunneling configured for my private network and split DNS configured for my domain name. DNS lookups for my domain go to my internal servers via the tunnel; all others go to ATT's servers. Interesting traffic is encapsulated and tunneled properly; all other traffic goes via the active air interface (Wifi/3G).

My suggestions are to check that your corporate endpoint is PIX 7+ or ASA, and in your group policy: that split tunneling is configured and that tunnel configuration provides access to the internal DNS server, that internal DNS servers are configured, and that split DNS contains the domain name you are interested in.

Perhaps I am lucky but it has been working for me.

Jul 28, 2008 11:53 AM in response to theskunk

I have my iPhone Cisco VPN Client connected to our 3030 Concentrator in the office and have managed to get local DNS resolution working.

You need to disable split tunneling and split DNS on the concentrator Group profile and also enter the initial domain against which the client will perform resolution.

I have found no way of getting it working with split tunnelling and split DNS enabled, so all traffic is routed over the IPsec tunnel whilst connected.

Not a big problem for me as I am only VPN'd to our network when wishing to use internal applications rather than public internet browsing.

Aug 1, 2008 10:34 AM in response to theskunk

I am in the same boat. I can connect to our ASA and can hit internal websites via 10. IP address but never by URLs.

Appears that the DNS server values that should be pushed to the iPhone from the ASA and iPhone VPN never occur. I tested this on a VPN client using the same VPN group on my MacBook Pro, and split tunnel and DNS resolution of internal websites worked.

Finally I forced an internal 10. DNS server address on my WiFi connection on the iPhone, and then when connecting via WiFi with the VPN active, DNS resolution worked. So the values for DNS servers are either not being sent or received via the ASA and iPhone VPN client.

Opened a case with Cisco TAC but waiting on a response.

Mike

Sep 19, 2008 2:05 PM in response to mdavis01

Here is a sample (sanitized) config from my Cisco ASA VPN group policy.

group-policy vpnpolicy internal
group-policy vpnpolicy attributes
 wins-server value ipaddress1 ipaddress2
 dns-server value ipaddress1 ipaddress2
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AdminSplit
 default-domain value yourdomain.local
 split-dns value yourdomain.local yourdomain.com
 address-pools value dhcppool1

Hope it helps everyone.
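As an added example (not posted by anyone in this thread), a small Python checker for the group-policy checklist given a few replies up, run against a config block shaped like the sanitized one above: it parses the `group-policy ... attributes` section and flags the conditions the thread identified (no internal dns-server, `tunnelspecified` without a network list, the domain missing from split-dns, no default-domain). The sample config, policy name and addresses are constructed; attribute lines are assumed indented as the ASA prints them.

```python
# Constructed sample, modelled on the sanitized ASA group-policy in the thread.
SAMPLE_CONFIG = """\
group-policy vpnpolicy internal
group-policy vpnpolicy attributes
 dns-server value 10.0.0.10 10.0.0.11
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AdminSplit
 default-domain value yourdomain.local
 split-dns value yourdomain.local yourdomain.com
"""

def parse_group_policy(text, name):
    """Return {attribute: [values]} for the attributes block of group-policy `name`."""
    attrs = {}
    in_block = False
    for raw in text.splitlines():
        if raw.strip() == f"group-policy {name} attributes":
            in_block = True
            continue
        if in_block and not raw.startswith(" "):
            in_block = False          # next top-level command ends the block
        if in_block:
            parts = raw.split()
            # "key value a b" -> key: [a, b]; "key x y" -> key: [x, y]
            if len(parts) >= 3 and parts[1] == "value":
                attrs[parts[0]] = parts[2:]
            elif len(parts) >= 2:
                attrs[parts[0]] = parts[1:]
    return attrs

def check_split_dns(attrs, domain):
    """Apply the thread's checklist; returns a list of findings (empty = looks right)."""
    findings = []
    if not attrs.get("dns-server"):
        findings.append("no internal dns-server configured in group policy")
    if not attrs.get("default-domain"):
        findings.append("no default-domain set for unqualified lookups")
    policy = attrs.get("split-tunnel-policy", ["tunnelall"])[0]  # ASA default is tunnelall
    if policy == "tunnelspecified":
        # With split tunneling, the domain must be listed in split-dns and the
        # ACL named here must also cover the DNS servers (not checked: ACL not parsed).
        if not attrs.get("split-tunnel-network-list"):
            findings.append("split-tunnel-policy tunnelspecified but no network list")
        if domain.lower() not in [d.lower() for d in attrs.get("split-dns", [])]:
            findings.append(f"split-dns does not include {domain}")
    return findings
```

With `tunnelall` (the "No Split Tunnel" workaround mentioned earlier) every lookup already goes through the tunnel, so the split-dns checks are skipped.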
