IPSec (Cisco)

Use the following guidelines to configure IPSec (Cisco) VPN.

Table 1. IPSec (Cisco) settings

Item

Description

Name

Enter a short phrase that identifies this VPN setting.

Description

Provide a description that clarifies the purpose of these settings.

Connection Type

Select IPSec (Cisco).

Server

Enter the IP address, hostname, or URL for the VPN server.

Proxy

Select None, Manual, or Automatic to configure a proxy.

If you select Manual, you must specify the proxy server name and port number.

If you select Automatic, you must specify the proxy server URL.

Proxy Server URL

Automatic Proxy

Enter the URL for the proxy server.

Enter the URL of the location of the proxy auto-configuration file.

Proxy Server

Manual Proxy

Enter the name for the proxy server.

Proxy Server Port

Manual Proxy

Enter the port number for the proxy server.

Type

Manual Proxy

Select Static or Variable for the type of authentication to be used for the proxy server.

Proxy Server User Name

Manual Proxy

If the authentication type is Static, enter the username for the proxy server.

If the authentication type is Variable, the default variable selected is $USERID$.

Proxy Server Password

Manual Proxy

If the authentication type is Static, enter the password for the proxy server. Confirm the password in the field below.

If the authentication type is Variable, the default variable selected is $PASSWORD$.

Proxy Domains (iOS only)

The VPN will only proxy for the domain and domain suffixes specified here (.com and .org are examples of top-level domain suffixes). Domain suffixes can be used to match multiple domains. For example, .com would include all .com domains, and example.com would include all domains ending in example.com, such as pages.example.com and mysite.example.com. Wildcards are not supported.

Click Add+ to add a domain.

User Name

Specify the user name to use. The default value is $EMAIL$. Use this field to specify an alternate format. For example, your standard might be $USERID$.

Why: Some enterprises have a strong preference concerning which identifier is exposed.

User Authentication

Select the authentication method to use: Shared Secret/Group Name or Certificate.

Group Name

Shared Secret/Group Name authentication.

Specify the name of the group to use. If Hybrid Authentication is used, the string must end with “[hybrid]”.

Shared Secret

Shared Secret/Group Name authentication.

The shared secret passcode. This is not the user’s password; the shared secret must be specified to initiate a connection.

Confirm Shared Secret

Shared Secret/Group Name authentication.

Re-enter the shared secret to confirm.

Use Hybrid Authentication

Shared Secret/Group Name authentication.

Select to specify hybrid authentication, i.e., server provides a certificate and the client provides a pre-shared key.

Prompt for Password

Shared Secret/Group Name authentication.

Specify whether the user should be prompted for a password when connecting.

XAuth Enabled

Specifies that IPsec XAuth authentication is enabled. Select this option if your VPN requires two-factor authentication, resulting in a prompt for the password. This option is enabled by default.

Password

Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$. See Supported variables for details.

Identity Certificate

Certificate authentication.

Select the entry you created for supporting VPN, if you are implementing certificate-based authentication.

Include User PIN

Certificate authentication.

Select to prompt the user for a PIN.

VPN on Demand

Certificate authentication.

Select to enable the VPN on Demand section. Click Add New to specify a domain or hostname and the preferred connection option.

Per-app VPN

Select Yes to create a per-app VPN setting.

An additional license may be required for this feature.

You cannot delete a per-app VPN setting that is being used by an app. Remove the per-app VPN setting from the app before you delete the setting.

You can enable per-app VPN for an app when you:

•

add the app in the App Catalog.

•

edit an in-house app or an App Store app in the App Catalog.

See the Apps@Work Guide for information about how to add or edit iOS apps.

NOTE:

This per-app VPN setting is not supported on iOS 8-8.4.1.

On Demand Rules (VPN on Demand, iOS 7 and later)

VPN On Demand rules are applied when the device's primary network interface changes, for example when the device switches to a different Wi-Fi network.

Note the following:

•

A matching rule is not required. The Default Rule is applied if a matching rule is not defined.

•

If you select Evaluate Connection, a matching rule is not required.

•

You can create up to 10 On Demand matching rules.

•

For each matching rule you can create up to 50 Type and Value pairs.

Add New Matching Rule

Click to add a new On Demand matching rule.

Action

Select one of the following actions to apply to the matching rule:

•

Connect—When applied, the VPN connects and establishes the connection unconditionally. Once the VPN is connected, manually disconnecting triggers attempts at reconnection until the VPN connection is re-established.

•

Disconnect—When applied, terminates any existing VPN connection and prohibits a new connection from ever being established.

•

Allow—Ignores the existing VPN connection while allowing a new VPN connection to be triggered. This action does not disconnect any existing connections.

•

Ignore—When applied, disregards the existing VPN connection, without actually disconnecting it. However, this action prohibits a new connection from ever being established in future.

•

Evaluate Connection—When applied, evaluates the list of action parameters for each connection attempt. List all the rules (Domain, Required DNS server, and Required URL probe) in the action parameter grid and configure the domain action (Connect if needed, Never connect) for each. Each grid may include up to 50 entries, and up to 10 action parameter grids may be added.

Add New

Click to add a new Type Value pair.

Click to delete either an On Demand rule, or a matching rule.

Matching Rules:

For each matching rule to which the action is applied enter the type and value pair.

Type

Select from one of the following key types:

•

DNS Domain

•

Interface Type

•

DNS Server Address

•

SSID

•

URL String Probe

Value

For each key selected, enter a value.

•

DNS Domain—Enter a list of domain names to match against the domain being accessed. Wildcard '*' prefix is supported, e.g. *.example.com would match anything.example.com.

•

Interface Type—Enter either Wifi or Cellular.

•

DNS Server Address—Enter a list of DNS servers to match against. All DNS servers have to match the device’s current DNS servers or this match will fail. Wildcard '*' is supported, e.g. 1.2.3.* would match any DNS servers with 1.2.3. prefix.

•

SSID—Enter a list of SSIDs to match against the current network. If the network is not a Wi-Fi network or if its SSID does not appear in the list, the match will fail.

•

URL String Probe—Enter a URL to a trusted HTTPS server. This is used to probe for reachability. Redirection is not supported.

Description

Enter additional information about this matching rule.

Domain Action

Only appears if the Action is Evaluate Connection.

Select one of the following Actions for the domain:

•

Connect if needed—The specified domains trigger a VPN connection attempt if domain name resolution fails. For example: The DNS server indicates that it cannot resolve the domain, or responds with a redirection to a different server, or fails to respond (timeout).

•

Never connect—The specified domains do not trigger a VPN connection attempt.

Action Parameters:

Only appears if the Action is Evaluate Connection. Define the Evaluation Type and Value pair.

Evaluation Type

Select the Evaluation type as one of the following:

•

Domain (Required)

•

Required DNS Server (only available with Connect if needed)

•

Required URL Probe (only available with Connect if needed)

Value

Enter the value for the evaluation type selected.

•

Domain—Enter a list of domains for which this evaluation applies. Wildcard prefixes are supported, for example, *.example.com.

NOTE:

Invalid wildcard entries (such as *.example.*com) can be saved in the UI, but will not work. Be sure to enter only valid wildcard entries.

•

Required DNS Server—Enter a list of IP addresses of DNS servers to use for resolving the domains. These servers do not need to be part of the device’s current network configuration. If these DNS servers are not reachable, a VPN connection is automatically triggered. Either configure an internal DNS server or trusted external DNS server.

•

Required URL Probe—Enter an HTTP or HTTPS (preferred) URL. The device probes this URL using a GET request. The probe is successful if the DNS resolution for this server is successful. A VPN connection is triggered if the probe fails.

Description

Enter additional information about this Evaluation Type and Value pair.

Default Rule:

The default rule (action) is applied to a connection that does not match any of the matching rules.

If none of the rules above match or if there is no rule defined, choose VPN connection to:

Select the action for the Default Rule.

Safari Domains

Applicable to: Safari Domains (iOS 7 and later; macOS 10.11 and later)

NOTE:

You must update your VPN software to a version that supports Per-app VPN.

If the server ends with one of these domain names, a VPN connection is started automatically.

Add+ - Click to add a domain.
Safari Domain - Enter a domain name. Only alphanumeric characters and periods (.) are supported.
Description - Enter a description for the domain.

Calendar Domains

Applicable to: Calendar Domains (iOS 13 and later; macOS 10.15 and later)

If the server ends with one of these domain names, a VPN connection is started automatically.

Add+ - Click to add a domain.
Calendar Domain - Enter a domain name. Only alphanumeric characters and periods (.) are supported.
Description - Enter a description for the domain.

Contact Domains

Applicable to: Contact Domains (iOS 13 and later; macOS 10.15 and later)

If the server ends with one of these domain names, a VPN connection is started automatically.

Add+ - Click to add a domain.
Contact Domain - Enter a domain name. Only alphanumeric characters and periods (.) are supported.
Description - Enter a description for the domain.

Mail Domains

Applicable to: Mail Domains (iOS 13 and later; macOS 10.15 and later)

If the server ends with one of these domain names, a VPN connection is started automatically.

Add+ - Click to add a domain.
Mail Domain - Enter a domain name. Only alphanumeric characters and periods (.) are supported.
Description - Enter a description for the domain.