
iPad IPSEC Cisco client - Additional route issue

Hi,


I am unsure if this problem has come about in recent iOS releases, or is just something that's only become apparent now because someone has tried to use it. I've never had any complaints prior to the last month or so.


When connecting to a VPN configuration on a Cisco router (which previously didn't work but has for about a year I guess), the iPad receives additional routes just fine, as it should, but does not seem to work with them.


For example, I have 2 networks:


192.168.200.0/24

10.0.10.0/24


In my ACLs on the router I add both networks, and I have confirmed with an app on my iPad that it gets both routes. They have the exact same flags, MTU, and gateway. I can get to the 192.168.200.0/24 network, but not the 10.0.10.0/24 network, even though my network tools software says the correct route is in use. It's almost as if it is not encrypted.


If I reverse the ACL order, so I have the route to the 10.0.10.0/24 network first, then that network will work, and the 192.168.200.0/24 network will NOT, despite the route tables looking EXACTLY the same as in the first instance.


If I connect via a PC Cisco client, it works fine. All routes work.


I've had reports (that I have yet to confirm as I do not have a Mac) that the built in VPN client in MacOS has the same issue, but the Cisco supplied VPN client has no issue.

It seems like it's an issue with the Apple OS software, but I am open to suggestions. Anyone got any ideas?


Leigh

iPad, iOS 4.3.5

Posted on Aug 2, 2011 5:29 PM

Reply
19 replies
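The observation above (routes installed, traffic still not reaching the second network, "as if it is not encrypted") points at a distinction worth checking explicitly: a route that sends a destination into the tunnel interface is not the same thing as an IPsec phase-2 SA whose traffic selector actually covers that destination. The script below is an added example, not code from the original post or from Apple or Cisco. It parses the split-tunnel ACL in Cisco IOS extended-ACL syntax (wildcard masks), parses a client routing table, and for a set of test destinations reports whether each one is in the ACL, routed via the tunnel, and covered by an installed SA selector. The ACL name SPLIT_TUNNEL, the client address 10.99.0.7, the gateway addresses, the interface name ipsec0 and the SA selector list are all constructed to model the symptom the post describes; on a real deployment the selector list would be taken from the router side (for example `show crypto ipsec sa` on IOS), since the client does not expose it.

```python
import ipaddress

# Constructed sample input modelled on the post. Names and addresses are
# assumptions, not taken from the original thread.
ACL_LINES = """
ip access-list extended SPLIT_TUNNEL
 permit ip 192.168.200.0 0.0.0.255 any
 permit ip 10.0.10.0 0.0.0.255 any
"""

# Constructed client routing table (netstat -rn style: dest, gateway, flags,
# interface). Both split-tunnel routes look identical, as the post reports.
ROUTE_LINES = """
192.168.200.0/24   10.99.0.1    UGSc   ipsec0
10.0.10.0/24       10.99.0.1    UGSc   ipsec0
default            192.168.1.1  UGSc   en0
"""

# Constructed phase-2 SA selectors (local, remote) as actually negotiated.
# Only the first ACL entry has an SA: the behaviour the post describes.
SA_SELECTORS = [("10.99.0.7/32", "192.168.200.0/24")]


def wildcard_to_network(addr, wildcard):
    """Cisco 'addr wildcard' -> ip_network. Wildcard 1-bits are don't-care."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def parse_split_acl(text):
    """Return the protected networks from 'permit ip <src> <wc> any' lines.
    The source field of each entry is the network pushed to the client."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "permit" or parts[1] != "ip":
            continue
        if parts[2] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif parts[2] == "host":
            nets.append(ipaddress.ip_network(f"{parts[3]}/32"))
        else:
            nets.append(wildcard_to_network(parts[2], parts[3]))
    return nets


def parse_routes(text):
    """Return (network, gateway, interface) tuples from the route dump."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append((ipaddress.ip_network(dest, strict=False), parts[1], parts[3]))
    return routes


def lookup_route(routes, dst):
    """Longest-prefix match, as the kernel forwarding lookup does."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, ifname in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    return best


def sa_covers(selectors, src, dst):
    """True if some SA's (local, remote) selector pair matches src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for s, d in selectors)


def diagnose(acl_text, route_text, selectors, client_ip, destinations, tunnel_if="ipsec0"):
    """Classify each destination: the interesting case is a route into the
    tunnel with no SA selector behind it (packets leave unprotected or are
    dropped, depending on the stack), which a route table alone will not show."""
    split_nets = parse_split_acl(acl_text)
    routes = parse_routes(route_text)
    report = {}
    for dst in destinations:
        in_acl = any(ipaddress.ip_address(dst) in n for n in split_nets)
        route = lookup_route(routes, dst)
        via_tunnel = route is not None and route[2] == tunnel_if
        if not in_acl:
            verdict = "not-in-split-tunnel"
        elif not via_tunnel:
            verdict = "route-missing"
        elif not sa_covers(selectors, client_ip, dst):
            verdict = "routed-but-unprotected"
        else:
            verdict = "ok"
        report[dst] = verdict
    return report


if __name__ == "__main__":
    for dst, verdict in diagnose(ACL_LINES, ROUTE_LINES, SA_SELECTORS, "10.99.0.7",
                                 ["192.168.200.10", "10.0.10.10", "8.8.8.8"]).items():
        print(f"{dst:16} {verdict}")
```

The useful output is the "routed-but-unprotected" verdict: it is the state the post's route-table comparison cannot distinguish from a working entry, and the first thing to look for on the router side before assuming the route push itself is at fault.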

Sep 14, 2011 10:50 PM in response to googlebait

It's not a claim, it's a fact. It's the Cisco LIST price for AnyConnect licensing. I went on to mention your AnyConnect Essentials (and the appropriate Cisco LIST prices) later; however, it's NOT AN OPTION because (as you yourself pointed out) there is no AnyConnect Essentials for ISR routers. I would have to purchase an ASA 5510 minimum, costing $6k LIST, plus licenses.


Yes, they have told me they aren't willing to pay for an SSL VPN, because the solution they have now worked (until they ran into this issue with Apple, and only with Apple). I guess their opinion is why should they have to pay to work around Apple's broken software? I said take it up with Apple; they asked me to, as I have the best technical perspective on the case, and here I am.


It was almost going to happen anyway ("begrudgingly") because Cisco didn't have a 64-bit Windows client... but hey, they came to the party. Wow. Sounds like there was enough pressure to make them change their mind, so I dare say it'll be around for some time yet.



I don't care if they don't fix it. I don't care if they drop support completely for IPSEC VPN. If iOS/Lion cannot handle it, admit it, drop it, and move on; it can be the "Adobe Flash" of iOS's (and Lion's) network capabilities. Maybe then my clients will just say well, let's find a device that can, and my problem's solved, or they will say 'let's pay for an ASA rollout'. But if it's in the software, then they should support it so that it works properly. If you're happy to accept less than full working capabilities from all iOS software features, just remember that line if they break your SSL client. 😉 Sure, it might not be an achievable goal, but that's why they have iOS upgrades: to get as close to it as possible. In this particular case, I would think it's not a difficult fix; it works for the first route, just not subsequent routes.


In conclusion, a simple 'no, I don't know how to fix the IPSEC client problem' probably would have sufficed.

Sep 15, 2011 11:30 AM in response to Avatar2000

Your factual evidence misleads in the context of the discussion because the subject was SSL VPN for ASA, because you do not need the premium package for that. It is for posture assessment and other advanced features that have nothing to do with VPN SSL, and no one here or you has expressed any desire for that. No more than $250 USD for an unlimited license for anyconnect essentials and the mobile license is the price for VPN SSL on ASA. I know because I have the receipts. I have no idea what the list price is because nobody pays list price. Our discount is no better than anyone else's.


IPsec is not the best option for clients because it requires specialized client software that really replaces or augments the client system's TCP/IP stack, since IPsec is an L3 protocol. Why you'd insist on continuing to use IPsec on a mobile client at this point, when SSL is the current best standard for this sort of thing since it uses higher-layer protocols as do all the other secure apps, is curious.


The problem with IPsec at L3 on mobile is that to make it work well required two companies working in close collaboration at the development level. The bug you mentioned probably has been reported to both companies and they are finger pointing at each other as to who is responsible and why it may be slow to fix it. I don't want Apple designing my VPN client into the OS because it is a L3 thing and had to be a special project where two large companies work together to design it and fix bugs. The Apple/Cisco collaboration was the best they could do in 2008, but SSL VPN has matured since then and there are better options.


As for your silly claim that I am tolerant of bugs, or that if I don't hold Apple's feet to the fire on IPsec bugs then they'll also not fix SSL VPN, that is absurd. AnyConnect (SSL VPN) provides the separation between the OS and the application so that Cisco treats it more like any other client and so *Cisco fixes the VPN bugs*. AS IT SHOULD BE. Modularity. I don't need Apple to fix my SSL VPN bugs because it's provided by Cisco and it is their core competency and best interest to fix any SSL VPN bugs quickly. They are cranking out updates very fast now because it's their preferred VPN client method. So how is the bug fixing going on my Cisco SSL VPN AnyConnect $250 USD upgrade? Well, let's look at just this year's updates from Cisco on their SSL VPN client AnyConnect.


3.0.3054 Aug 2011

3.0.3050 Jul 2011

3.0.2052 May 2011

3.0.1047 Mar 2011

3.0.0629 Jan 2011


Regular updates, no? Your "all features should be supported 100%" as well as your "just remember that line if they break your SSL client" doesn't in fact make any sense. Better that you remember that bugs get fixed fastest and best when you have modularity, both technically and politically, and a company's self-interest working in your favor. Apple breaking SSL VPN is far less likely to happen with SSL VPN because odds are it would break other stuff too. And even if it doesn't, Cisco and their customers would lean on them for an update after Cisco determines it was Apple's problem. With the built-in IPsec it may take a committee meeting to even find out where the problem lies with some bugs. So the Apple/Cisco built-in iOS IPsec L3 client implementation will never be as good, nor bugs fixed as fast, as the current AnyConnect SSL VPN, as I've been saying all along. Nor do your "100% support" ideas do anything in the real world. I hate bugs, and I know how to avoid them by using the combination of products least likely to have, or at least continue to have, them.


I seriously doubt that your clients are going to drop iOS over VPN support, because the VPN support on Android is abysmal, whether IPsec or SSL unless you root it. Good luck with that.

Sep 15, 2011 5:10 PM in response to googlebait

Wow, pushing your line as the subject of the discussion again? Look at the first post (being mine) for the subject of the discussion, which is basically that the IPSEC client for iOS and Lion is broken. I wanted to confirm this isn't an isolated issue, and at least one person has confirmed that it isn't. I also wanted to see if anyone had a fix for the issue.


You somehow seemingly decided this is a discussion about how great your SSL-VPN deployment is versus an IPSEC deployment, but it does absolutely nothing to solve the problem at hand. You continue to push the discussion essentially off-topic: we can't change to SSL-based VPN for the reasons I have given (multiple times), so unless you have something that contributes to resolving the actual issue, there's no point in you responding. I get it, you're an SSL-VPN fanboy. Move on.

Sep 15, 2011 5:47 PM in response to googlebait

Well, it turns out that Cisco IOS VPN doesn't support mobile clients. On Cisco IOS VPN, there is no mobile license to support iOS, WebOS, Android, etc. So to use the Apple iOS AnyConnect client as of now, you must be terminating your VPN with an ASA. Learn something every day I guess. http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml
