VPN On Demand over 3G on iOS 7

Hi,


I am using the VPN On Demand functionality with OpenVPN, I've configured it with the iPhone configuration utility to open a connection if the requested domain cannot be resolved (on demand).


It worked as expected until I upgraded to iOS 7. Now the VPN gets opened only if I am connected via WiFi, it does not work anymore over 3G. The VPN settings are not the problem, if I trigger the connection manually (from the iPhone Settings) the connection is established without a problem.


Any thoughts on this? My carrier is o2 Germany, is it possible that their DNS Servers send different status codes that do not trigger the VPN on demand functionality?


Thanks in advance,


Leo

iPhone 5, iOS 7

Posted on Sep 24, 2013 3:26 AM


Sep 25, 2013 7:46 PM in response to leonidas1979

I am having a similar problem. OpenVPN VPN on-demand worked perfectly until we started upgrading our iPhone 5's (multiple iPhone5 not 5S) to iOS 7.


With iOS7 the VPN is no longer activated automatically for the domains that were setup to "always use VPN" (regardless of 3G/LTE/Wifi connection). As with the example above, the VPN connects with no problems if I manually activate it in setting. So, I don't believe it is a connection/configuration problem.


I noticed the iPhone Configuration Utility (v 3.6.2) for Windows has not been updated to support iOS 7 (download page currently says "contains updates to support iOS 6.1").


Could this inability to create iOS 7 specific configuration profiles be the problem??? If so, it seems like a significant oversight for enterprise support.


This is a big problem for us because our company email is only accessible through our company VPN. So the iPhones need to be able to initiate a VPN session whenever they try to connect to "webmail.examplecompany.com" to check for new email or send outgoing ones. At this point, employees with iOS 7 have to manually activate the VPN every time they want to send or receive emails...


Oct 4, 2013 5:47 AM in response to leonidas1979

I dug a little bit around and found this:

http://stackoverflow.com/questions/18948253/setting-up-a-vpn-configuration-profile-on-ios-7


This is the Apple developer reference that explains all the options:

https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW36


I don't have time to try it out now, but it looks promising.


Oct 4, 2013 7:50 AM in response to loehsup

…you can export a profile, select the "unencrypted" option, it will result in a .mobileconfig file, which is an XML structure. You can edit it with a text editor, then attach it to an email (if you're fine with the security implications of that), or make it available from a local web server and point your iPhone to it.


The result is an unsigned profile, it installed fine for me. I just couldn't get it to work up until now…


Oct 4, 2013 9:22 AM in response to leonidas1979

Thanks for telling me that. I kept forgetting to export it and was using the files directly in the folder it saves to. So the first answer on here worked but only on Wifi which is internal. It knew to turn on the VPN and act like it used to in iOS 6. Once I was on a cellular connection, it stopped working. Anyone have any clue what I could be missing?


Dec 20, 2013 6:45 AM in response to leonidas1979

Alright, I've spent some 3-4 hours trying to figure it out and I give up. This feature seems to be non-existent in iOS 7, and the above-mentioned "Developer Reference" is a joke. I believe the VPN Payload settings described are flat out lies, at least with openVPN.


It does not work. The best I could get it to do is to automatically open up a VPN connection when the domain in question is in the network's search domains list. Which is pretty useless.


Also I believe that Apple doesn't care about this feature, as both the iPhone configuration utility and the Apple Configurator generate code that is "deprecated" by the "Developer Reference".


Try to google for the necessary configuration keys:

https://www.google.de/search?q=ActionParameters+DomainAction+ConnectIfNeeded


You'll see that there are (at most) 5 people (including us) that seem to use that feature. And it seems to work nowhere.


Anyway, I'd be delighted if somebody proved me wrong.


Happy holidays…


Apr 3, 2014 6:58 AM in response to leonidas1979

@leonidas1979


I have a VPN server with L2TP and I can connect to my server, but I have now tried for many hours with "on demand" without success. I always get a prompt to enter the VPN password, but afterwards there is no VPN connection. I use my iPhone with iOS 7.1.


Here is my mobileconfig.


----
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadIdentifier</key>
  <string>com.apple.mdm.mavserv.mydomain.me.59786680-1e2b-0131-55d7-30216117b187.alacarte</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadScope</key>
  <string>User</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>59786680-1e2b-0131-55d7-30216117b187</string>
  <key>PayloadOrganization</key>
  <string>MavServer</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>MySettings</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.apple.mdm.mavserv.mydomain.me.59786680-1e2b-0131-55d7-30216117b187.alacarte.vpn.a88bd3f0-1e2b-0131-55d9-30216117b187</string>
      <key>PayloadUUID</key>
      <string>a88bd3f0-1e2b-0131-55d9-30216117b187</string>
      <key>PayloadEnabled</key>
      <true/>
      <key>PayloadDisplayName</key>
      <string>My VPN</string>
      <key>VPNType</key>
      <string>L2TP</string>
      <key>PPP</key>
      <dict>
        <key>OnDemandEnabled</key>
        <integer>1</integer>
        <key>CommRemoteAddress</key>
        <string>mydomain.me</string>
        <key>AuthName</key>
        <string>USER</string>
        <key>OnDemandMode</key>
        <string>Agressive</string>
        <key>OnDemandMatchDomainsAlways</key>
        <array>
          <string>vpn.mydomain.me</string>
        </array>
        <key>OnDemandMatchDomainsNever</key>
        <array/>
        <key>OnDemandMatchDomainsOnRetry</key>
        <array/>
        <key>AuthenticationMethod</key>
        <string>Password</string>
        <key>AuthPassword</key>
        <string>PASSWORD</string>
      </dict>
      <key>IPSec</key>
      <dict>
        <key>AuthenticationMethod</key>
        <string>SharedSecret</string>
        <key>PromptForVPNPIN</key>
        <false/>
        <key>OnDemandEnabled</key>
        <integer>1</integer>
        <key>OnDemandRules</key>
        <array>
          <dict>
            <key>Action</key>
            <string>Connect</string>
            <key>DNSDomainMatch</key>
            <array>
              <string>vpn.mydomain.me</string>
            </array>
          </dict>
        </array>
        <key>SharedSecret</key>
        <data>...</data>
      </dict>
      <key>Proxies</key>
      <dict/>
      <key>UserDefinedName</key>
      <string>MavServer</string>
      <key>IPv4</key>
      <dict>
        <key>OverridePrimary</key>
        <integer>1</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
----


Can someone help me or see what is wrong?


regards

Roger
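An added example, not part of any post in this thread: a small Python audit of an unencrypted .mobileconfig like the one posted above. It lists credentials stored in clear text (readable by anyone who receives the file by email or from a web server) and shows which on-demand keys a VPN payload carries, the older `OnDemandMatchDomains*` keys or `OnDemandRules`. The key names are taken from the posted profile; the function names, finding labels and sample values are assumptions made for this illustration.

```python
import plistlib

SECRET_KEYS = {"AuthPassword", "SharedSecret"}    # credentials stored in the clear
LEGACY_KEYS = {"OnDemandMatchDomainsAlways", "OnDemandMatchDomainsNever",
               "OnDemandMatchDomainsOnRetry"}      # older on-demand keys

def walk(node, path):
    """Yield (path, key, value) for every dictionary entry in a nested plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")

def audit_profile(raw):
    """Return sorted (category, location) findings for the VPN payloads in a profile."""
    try:
        profile = plistlib.loads(raw)
    except plistlib.InvalidFileException:
        return [("not-plain-plist", "profile")]    # e.g. a signed or encrypted export
    findings = set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        name = payload.get("UserDefinedName", "vpn")
        for path, key, value in walk(payload, name):
            if key in SECRET_KEYS and value:
                findings.add(("embedded-secret", f"{path}/{key}"))
            elif key in LEGACY_KEYS:
                findings.add(("legacy-on-demand-key", f"{path}/{key}"))
            elif key == "OnDemandRules":
                for rule in value:
                    findings.add((f"rule-action:{rule.get('Action')}", f"{path}/{key}"))
    return sorted(findings)

# Constructed sample modelled on the posted profile; all values are placeholders.
SAMPLE = plistlib.dumps({"PayloadContent": [{
    "PayloadType": "com.apple.vpn.managed",
    "UserDefinedName": "ExampleVPN",
    "PPP": {"AuthName": "USER", "AuthPassword": "PASSWORD",
            "OnDemandMatchDomainsAlways": ["vpn.example.test"]},
    "IPSec": {"SharedSecret": b"placeholder", "OnDemandRules": [
        {"Action": "Connect", "DNSDomainMatch": ["vpn.example.test"]}]},
}]})

if __name__ == "__main__":
    for category, location in audit_profile(SAMPLE):
        print(f"{category:24} {location}")
```
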


This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
