Hi there,
I have a problem using a proxy server trough a vpn connection on the iphone (3GS and 4, iOS 5.0.1).
VPN works fine, but the iphone doesn't use the proxy settings given for the vpn-connection. I tried to set them manually or
via proxy pac, nothing works. There is no problem to use a proxy server via wifi, but for vpn it doesn't work. Can anybody help me please?
iPhone 4, iOS 5.0.1
Hi, I have exactly the same symptom, did you manage to resolve the issue? I have found if I put the PROXY on the WiFi conneciton and then connect the VPN, the proxy is used (but obviously nothing else works).
Have also tried PAC and Manual proxy config on the VPN definition. No success.
Actually. Scratch this request. I appear to have got to the bottom of this. The proxy is only used on a split tunnel for domains you decalre as being serviced by the VPN. This is done on the ASA device with the split-dns command. Just list the domains the tunnel will be used for. I had that change made on the AS and it works as expected.
There's a fair explanation of the parameter in the ASA CLI configuration guide.
One thing to add. Although it's working for me, the first request after the conneciton auto-dials fails. It would appear the DNS is going out on internet proper. However, if I refresh the page it goes via the proxy and all subsequent pages are OK until the tunnel drops and then the same thing happens.
We currently dont have a DNS server allocated and also have a different domain name for the clients than the domain the tunnel is servicing - will see if I can resolve tomorrow, but just for your info at moment.
If you start the tunnel and then access the page - all works 1st time.
GREAT.....it works 🙂
Even at 1st time.
But, isn't it possible to use wildcards in the split-dns value list? I need to set something like "*.something.com"...just "something.com" doesn't work.
Have to look at this....
Hm, looks as if only the first domain in the list is beeing used to be resolved through the tunnel...
I've entered a list separated with spaces, as described in the cisco howto.
Does this work in your setup?
Fortunately I only have one domain name at present :-)
I though the wildcard was implied - so any host in the domain you enter uses the tunnel.
In terms of your conenction, do you supply DNS server to the client as well? At the moment I don't but might add them in to see if that's why the first query fails
Hmpf....my mistake ( should'nt do such configs when telephone is ringing all the time 😉 ).
It works now. I have a list of domains separated with spaces and all are being used through the tunnel. And you're right, I don't need wildcards, just something like "domainname.com".
Oh yes, and I supply DNS server to the client and even the proxy-server.
Do you also give proxy-server? I'm not sure if the client then first is going out to internet for DNS...
But, just try it with setting the DNS server, but don't forget to add its ip address to the split tunneling 😉
not you have me inteersted 🙂
When you say supply the proxy-server - do you mean as part of the tunnel definition on the phone, or as a parameter on the VPN conneciton like split-dns?
I supply it as part of the VPN config on the phone - how do you do it?
I tried both setups and - actually - both are working 🙂
You can manually set the proxy on the iphone, but then it's importat the ASA is configured not to modify client proxy settings.
Now I've configured the ASA to supply the proxy server ip and port (and here again, also add the proxy server ip to split tunneling).
Need the commands?
Just for me to understand:
If you start the tunnel manually, then everything works fine.
But if the tunnel starts via auto-dial the first try is unsuccessful? Maybe it's just something like a timeout problem, if the tunnel does'nt come up fast enough?
How do you configure auto-dial vpn on the iphone? Do you use the anyconnect client?
I can't find this option in the "normal" ipsec client on the phone...
Yes, start manually, all is good. Allow to auto-connect, the very 1st query fails (and I see a DNS entry leaving the phone) and then just hitting refresh in safari, it all works again.
So, if you get the iphone configuration utility, and select certificate as the authenticaiton model for an iPsec VPN, you can see the parameters to connect on demand - they are hidden where the authentication is manual. You can however add them in manually
under the iPsec section (note, typed this in manually, so might not be perfect)
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>onDemandAlways</key>
<array>
<string>domain-name.com</string>
<string>domain-name.com</string>
</array>
Sir, I wanted to confirm with you that if you were able to resolve this issue? My biggest concern is when I put in the manual proxy settings in the ipsec vpn section, the iPhone never uses those credentials The Authentication dialogue pops up asking the user to enter credentials again. Also once the user has entered his credentials which he should not need too, those credentials seemed to be saved somewhere on the phone forever that even if you want to change those, you cant.
Two problems I am looking to resolve.
1. The proxy authentication settings in the ipsec vpn section are not getting used causing the user to enter credentials
2. Once the credentials are put in, the phone keeps on using those proxy credentials on all subsequent requests. If you want to change those credentials there is no straight forward way to change those
Sorry,i have the same problem as you had
but i didn't get the key
let me explain that again:
when i use the wireless of our university,i have to set the proxy to my wifi to use the internet
with this config 192.168.0.1 port:8080 and my account (myusername and mypassword)
it works perfect
but when i want to set vpn(pptp) to my iphone ,it doesn't work
in the vpn part i set a manually proxy,but it dosen't work:(
Hey, thank you for your suggestion 🙂
I'll try this on Monday and tell you if it also worked for me.
wonder if you could share your config with any sensitive stuff removed?
proxy through vpn-connection
