5 Replies Latest reply: Sep 11, 2014 2:41 PM by Allan Marcus @ LANL
RedRadioFlyer Level 1

Hi Everyone,

I am going to be sending some engineers to Asia and want to force ALL of their iPhone traffic to use our VPN. I understand this will probably have a negative effect on the iPhone's battery life, but I would rather they have no connection if the alternative is unencrypted traffic coming from their devices.

From what I have read, I think I see two potential ways of accomplishing this, but I have questions about each method.

1. Use L2TP and select "send all traffic". I'm concerned about the connection timing out or getting dropped as their phones switch from wifi to cellular data. Does anyone know if the "send all traffic" button causes the phone to keep the VPN connection alive or reinitiate the VPN as needed for 'all traffic'?

2. Use IPsec with VPN On Demand and set a rule to always use VPN for * address (via the iPhone Configuration Utility). Does anyone know if this will force all traffic to use the VPN, or does it only apply to some connections (i.e. web browsing and email)?

Last but not least, after the iPhones are configured is there an easy way to test/confirm that they are using the VPN for 100% of their outgoing communications?

Thanks in advance!


iPhone 5, iOS 6.0.2
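
For the last question in the post above (confirming that 100% of outgoing traffic uses the VPN), one approach is to capture the phone's traffic on a Wi-Fi gateway you control and flag every flow that is not IPsec to the VPN server. This is an added example, not part of the thread; the flow-record format, the addresses and the choice to tolerate DHCP are assumptions.

```python
from collections import Counter, namedtuple

# One record per outbound flow seen by the capture point (hypothetical format).
Flow = namedtuple("Flow", "ts src dst proto dport")

# On the wire, IPsec (and L2TP carried inside IPsec) shows up only as
# IKE (UDP 500), NAT-T encapsulated ESP (UDP 4500) or ESP (IP protocol 50).
TUNNEL = {("udp", 500), ("udp", 4500), ("esp", None)}
# Assumption: DHCP to the local network is tolerated, since no tunnel can
# exist before the phone has an address. DNS is NOT tolerated here.
BOOTSTRAP = {("udp", 67)}

def classify(flow, vpn_gateway):
    """Label one flow as 'tunnel', 'bootstrap' or 'leak'."""
    key = (flow.proto, flow.dport)
    if flow.dst == vpn_gateway and key in TUNNEL:
        return "tunnel"
    if key in BOOTSTRAP:
        return "bootstrap"
    return "leak"  # anything else left the phone outside the VPN

def audit(flows, phone_ip, vpn_gateway):
    """Return (counts per label, list of leaking flows) for one phone."""
    counts, leaks = Counter(), []
    for f in flows:
        if f.src != phone_ip:  # only traffic sent by the phone is audited
            continue
        verdict = classify(f, vpn_gateway)
        counts[verdict] += 1
        if verdict == "leak":
            leaks.append(f)
    return dict(counts), leaks

# Constructed sample: tunnel comes up, phone sleeps at t=60, mail check leaks.
PHONE, GATEWAY = "192.168.1.50", "203.0.113.10"
SAMPLE = [
    Flow(0, PHONE, "192.168.1.1", "udp", 67),
    Flow(1, PHONE, GATEWAY, "udp", 500),
    Flow(2, PHONE, GATEWAY, "udp", 4500),
    Flow(3, PHONE, GATEWAY, "udp", 4500),
    Flow(60, PHONE, "192.168.1.1", "udp", 53),
    Flow(61, PHONE, "198.51.100.25", "tcp", 993),
    Flow(62, PHONE, "198.51.100.80", "tcp", 443),
    Flow(90, PHONE, GATEWAY, "udp", 4500),
    Flow(91, GATEWAY, PHONE, "udp", 4500),  # inbound, ignored
]

if __name__ == "__main__":
    counts, leaks = audit(SAMPLE, PHONE, GATEWAY)
    print(counts)
    for f in leaks:
        print("LEAK t=%s %s/%s -> %s" % (f.ts, f.proto, f.dport, f.dst))
```

A capture taken on Wi-Fi only covers traffic sent over that network, so the test passes only when the leak list stays empty across sleep, wake and network changes.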
  • Nello Lucchesi Level 1

    The "Send All Traffic" option is also available for PPTP.

  • RedRadioFlyer Level 1

    Hey Nello,

    I know PPTP is easy to set up, but it is so fundamentally insecure that even Microsoft (its creator) has stated that all data sent via PPTP should be considered unencrypted.

    I tried the PPTP "Send all Traffic" option to see how it will work with L2TP (PPTP is much easier to set up), but as I feared it only sends all traffic after the VPN has been manually turned on. Once the iPhone goes to 'standby' mode it drops the VPN. All background activity (i.e. checking e-mail) occurs as normal traffic. In addition, every time someone starts using their iPhone they have to manually re-enable the VPN. So, "Send all Traffic" doesn't really do what it says because a lot of the iPhone traffic continues to travel outside the VPN.

    I am in the process of setting up a dedicated IPSec VPN, and I will post my results when I try to use the 'on-demand' function.

    Hopefully, IPSec will work better. However, an IPSec VPN is very hard to set up... the average user cannot set up an IPSec VPN and a Certificate Authority (certificate-authentication is required to use VPN on-demand) at home in their spare time.

    Apple really should do something about this. I was very impressed with the hardware encryption they included on all iPhones from the 3GS onwards. I just wish they would apply the same security mentality to their VPN offerings. I would happily pay a couple hundred bucks for an 'Apple style' all in one device that would be easy to set up/use, and be highly secure. It would be a great solution, and an easy way to hook new small businesses into the 'Apple ecosystem'. Come on Apple strategic planning team... this should be a no-brainer!!!

  • Bill Kearney Level 1

    Is there REALLY no way to force ALL traffic through a VPN?  As in, block any traffic unless a VPN is active?

  • MarkWagner Level 1

    Does Apple really not have an answer for this? I'm guessing their non-response is their response, meaning no it does not reliably force traffic through the VPN connection.

  • Allan Marcus @ LANL Level 2

    Apple's non-response here means nothing. This is not an Apple Inc support forum. This is a user "community" support forum. Apple doesn't respond here.