It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Campus Barracuda Campus
Barracuda CloudGen Firewall
Overview Documentation Training Certification Materials

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see https://campus.barracuda.com/doc/71862301/ for further information on our EoS policy.

How to Configure Apple iOS Devices for Client-to-Site VPN Connections

  • Last updated on

Because certificates longer than 512-bit do not work for iOS VPN clients with iOS version 6.0, it is recommended that you update to the latest version of iOS.

For client-to-site IPsec VPN connections, you can use Apple iOS devices. Follow the steps in this article to configure Apple iOS devices for IPsec VPN connections with the Barracuda NG Firewall.

Client2SiteiOS.png

In this article:

Requirements

To use Apple iOS devices to connect to a client-to-site IPsec VPN, you must have the following:

  • Apple device with iOS 5.1 or above
  • Client-to-Site IPsec VPN with certificate-based authentication
  • XAUTH to add user/password authentication

  • Root, server, and client certificates that meet the requirements set by Apple.
    The following table shows the required X.509 certificates, their settings, and where they must be installed.

    X.509 Certificate TypeInstallation DeviceFile TypeChain of TrustX.509 Extensions and Values
    Root CertificateBarracuda NG Firewall + Apple iOS DevicePEMTrust Anchor
    • Mandatory option for key usage: Certificate sign; CRL sign.
    Server CertificateBarracuda NG FirewallPKCS12End Instance
    • Subject Alternative Name: Only use the DNS tag with a FQDN which resolves to the IP address the VPN Service. Do not use the IP tag. E.g., DNS:vpnserver.yourdomain.com
    • Key Usage - Including the "Digital Signature" flag.
    Client CertificateApple iOS DevicePKCS12End Instance
    • Key Usage - Including the "Digital Signature" flag.

    When creating X.509 certificates:

    • Do not use identical Subject Alternative Names settings. Subject Alternative Names must also not contain the management IP address of the Barracuda NG Firewall.
    • Only use the X.509 extensions that are listed in the table above.

Configure the Apple iOS Device

Before you begin:

You must import the root and the client certificate on the Apple iOS device. You can import the certificate via email or by downloading it from a web server. If you are using a Mobile Device Management (MDM) server, you can also push the certificates to your devices.

To configure an Apple iOS device for IPsec VPN connections with the Barracuda NG Firewall:

  1. On the iOS device, tap Settings > General > VPN > Add VPN Configuration.
  2. On the Add VPN configuration screen, tap the IPsec tab.
  3. Configure the following settings:
    • Server – The Subject Alternative Name used in your certificates.
    • Account and Password – The XAUTH username and password.
    • Use Certificate – Enable it.
    • Certificate – The X.509 client certificate.

Establishing VPN through NAT can be problematic. If you experience connection losses, increase the UDP timeout on the NAT'd device. For example, the iPhone sends keepalive packets every 60 seconds, so you can enter any value over 60 seconds.

Unfortunately, many cell phone providers use NAT to connect mobile devices to the internet. Contact your cell phone provider support for help.

 

Last updated on
Previous Article Next Article