For a long time, I was trying to find a solution to establish a VPN connection between Apple iPhone/iPad devices and ScreenOS SSG devices, but without success. Now, with the latest Apple iOS improvements and support for IKEv2, it is possible.
Attached, I am uploading a document based on my lab tests, so I hope that those of you who are using Apple smartphones will now be able to access your corporate network behind Juniper SSG devices.
Have in mind that you should have Apple iOS 9.x installed, and need someone with an Apple Mac in order to prepare the Apple VPN profile. More details in the attached PDF.
I was actually looking for something like that! I remember trying back in the day, but that was on iOS 7 and 8. Will try it out for sure. Thanks for that, kudos to you!
I updated my PDF document with a test connection that is using IKEv2 with username/password authentication. A FreeRADIUS server is used for external authentication, but similar can be done using any RADIUS system...
Hi there, I'm going to add this to our Security TechWiki as well. Thank you so much!
Great work, keep it up!
Kudos for all the hard work and for sharing it with the community.
First, thank you for your documentation!
How did you get your VPN profile onto your iPhone?
I am not an Apple owner, so some of my friends helped me with the Apple testing. If I remember well, after creating the .mobileconfig file and the necessary certificates, you need to upload (copy) them to your Apple phone. There are several ways of doing that, and in short, it is the same as copying any file to your mobile device. When you have uploaded these files, follow the "Configuring iOS client device" chapter from the PDF document.
The tunnel is now enabled and works fine, but I can only reach local IP addresses; DNS isn't working for the internal network.
In Objects > Users > Local > Edit, if I use the primary and secondary local DNS IP, and also
in VPN > AutoKey > MODECFG Profile, I still can't reach any local host/FQDN.
Any idea how I can find out what's wrong?!
In general, you should check your policy and see if your client is allowed to reach the DNS server through the DNS protocol. I assume that your DNS is located within the corporate network, so check your policy and configure it so that your client is able to access not only the corporate subnet but also the DNS server behind the corporate VPN concentrator...
Finally it works.
Now I'm trying to fix my hopefully last problem.
When I'm connected via VPN and activate one of two policies, I have different problems:
If I use policy 1:
"dial vpn" "allowed any" to "192.168.1.0/24"
OK: it's possible to go to external websites
Not OK: can't ping/reach internal IPs and hostnames
Info: mobile is using the external mobile carrier DNS
If I use policy 2:
"dial vpn" "allowed any" to "192.168.168.1.0/24 and 192.168.1.10 (webserver 1) and 192.168.1.20 (webserver 2)"
OK: it's possible to ping/reach internal IPs, hostnames and the webservers
Not OK: can't go to any external website
Info: mobile is using the internal DNS server (I made an IP pool with the DNS server)
Any suggestion from a Juniper employee??
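The two posts above (the DNS advice and the two-policy comparison) come down to the same question: which client flows does the dial-up VPN policy permit, and is the internal DNS server among them? The following is an added example, not code from the thread or from Juniper, that models that decision for a ScreenOS-style dial-up policy: a destination is carried through the tunnel only if the policy's destination objects cover it, while anything outside the policy either leaves the client directly (split tunnel) or is dropped (full tunnel, where the client sends everything into the VPN). The DNS server address, the internal host and the internet address are constructed sample values; only the 192.168.1.0/24 LAN and the two web servers come from the thread. The script does not model how iOS itself installs routes for a given traffic selector, so it cannot explain why the poster's policy 1 reached no internal hosts; it only shows what the firewall policy will and will not forward.

```python
"""Split-tunnel coverage check for a dial-up VPN policy (added example).

Models which client flows a ScreenOS-style dial-up policy would carry through
the tunnel, given the destination objects the policy permits. Not the thread's
or Juniper's own code; the addresses below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed sample values (only the LAN and web servers come from the thread).
LAN = "192.168.1.0/24"
DNS_SERVER = "192.168.1.1"         # assumption: internal resolver lives on the LAN
FLOWS = {                          # name -> destination the client must reach
    "internal_host": "192.168.1.50",
    "webserver_1": "192.168.1.10",
    "internet": "203.0.113.10",    # TEST-NET-3 documentation address
}


def parse_destinations(dests):
    """Policy destinations: CIDR ('192.168.1.0/24'), a single host, or 'any'."""
    nets = []
    for d in dests:
        if d.lower() == "any":
            nets.append(ip_network("0.0.0.0/0"))
        else:
            nets.append(ip_network(d, strict=False))   # host -> /32
    return nets


def policy_permits(dst, nets):
    """True if any policy destination object covers the address."""
    addr = ip_address(dst)
    return any(addr in n for n in nets)


def evaluate(dests, full_tunnel, flows=FLOWS, dns_server=DNS_SERVER):
    """Return {flow: 'tunnel' | 'direct' | 'blocked'} plus an 'internal_dns' verdict.

    Split tunnel: destinations outside the policy leave the client directly.
    Full tunnel: everything enters the tunnel, so anything the policy does not
    permit is dropped at the firewall (the 'no external websites' symptom).
    """
    nets = parse_destinations(dests)
    result = {}
    for name, dst in flows.items():
        if policy_permits(dst, nets):
            result[name] = "tunnel"
        else:
            result[name] = "blocked" if full_tunnel else "direct"
    # Internal names only resolve if the internal DNS server is itself permitted.
    result["internal_dns"] = "ok" if policy_permits(dns_server, nets) else "unreachable"
    return result


if __name__ == "__main__":
    policy1 = [LAN]
    policy2 = [LAN, "192.168.1.10", "192.168.1.20"]
    policy_any = ["any"]
    for label, dests, full in [
        ("policy 1 / split tunnel", policy1, False),
        ("policy 2 / full tunnel", policy2, True),
        ("any / full tunnel", policy_any, True),
    ]:
        print(f"{label}: {evaluate(dests, full)}")
```

Running it shows the trade-off the poster hit: with the LAN as the only destination and a split tunnel, internet traffic goes direct and internal names need the resolver to be inside the permitted range; with a full tunnel, the policy must also permit the external destinations (or the client needs a proxy inside the LAN, as a later reply does) or every website is blocked at the firewall.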
I have the same behavior with my SSG20:
- When using the LAN (192.168.1.0/24) as destination in the policy, I can't access my LAN but I can access the web.
- When using a single IP or an IP group as destination, I can access my LAN but have no access to the web.
I'm finally using an IP group for the destination and my LAN proxy for web access.
But I'm still having two other problems:
1. The VPN is automatically disconnected after 8 minutes (same behavior on iOS and macOS).
2. I'm not able to use this VPN with the Windows native client.
Does anybody have an idea?