no network access via IPSec

IOS RDP Routing


#1 Riemer

Riemer
  • Members
  • 9 posts

Posted 26 November 2015 - 06:53 AM

Hello,

 

We have an SSL VPN 280 and want to use a VPN connection from a mobile device (iPad, iPhone). This works very well: I can establish the VPN connection and see the client in the admin console under IPSEC Server.

 

When I then want to use an RDP app to connect to the enterprise LAN, it doesn't work. I can't ping the destination.

I always see that the network connection uses the IP of the WLAN I am logged in to.

 

The SSL VPN resides in a DMZ.

 

I tried to configure a static route (Network Connector) to the internal LAN, but it doesn't work.

 

What can I do?

Any ideas are welcome.

 

Thank you

Marc



#2 Gavin Chappell

Gavin Chappell
  • Moderators
  • 426 posts
  • Location: Nottingham, UK

Posted 26 November 2015 - 08:05 AM   Best Answer

Ignore Network Connector - this is a more advanced type of VPN which is harder to configure, and not available for use on iOS devices.

 

For IPsec, the device will use your SSL VPN as its router, but it's not always clear which addresses are routed this way. It looks like my iOS 9 iPod Touch is behaving in the same way as a Windows client; you either have a default route (all traffic is sent to the SSL VPN), or a classful (A/B/C) route for whichever network you're on, depending on whether you enabled the "send all traffic" option when creating the configuration.

 

So, for example, if my internal network is 10.1.0.0/24 and I connect to it with L2TP/IPsec, the PPP interface on my iPod comes up as 10.1.0.100/8, and any traffic for anything on that subnet is transported over the VPN even though it's a much bigger subnet than I actually have (the SSL VPN just follows its own routing rules for traffic which is not destined for the subnet it's on).

 

Example 1: if I sent traffic from my iPod (10.1.0.100) to something on a different network inside the same classful subnet (e.g. 10.2.0.100) then this would first go to the SSL VPN (because it's covered by the 10.0.0.0/8 route on the client) and from there it would be sent either to the default gateway of the SSL VPN, or via any specific route which was configured.

 

Example 2: if I sent traffic from my iPod (10.1.0.100) to something on a network inside a different classful subnet (e.g. 192.168.1.100) then this can go two ways:

-- If I have "send all traffic" enabled on the iPod, then the packets would be sent to the SSL VPN as above, and again the VPN would use its own routing tables to work out where to send the packets from there (either to the default gateway, or to a specific gateway configured via a static route).

-- If I have "send all traffic" disabled on the iPod, then these packets will be sent to the default gateway of the iPod because they no longer match the 10.0.0.0/8 route that is configured. From there, they'll be routed/dropped by the gateway as necessary.

 

So the solution to this depends on what addressing you're using on your DMZ/LAN...
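The two-hop routing decision Gavin walks through above, modelled as an added example (this is not code from the original thread or from either poster). It takes his assumptions as given: the client installs either a default route to the VPN ("send all traffic" on) or only a classful route derived from its assigned address ("send all traffic" off), and the appliance then applies its own table. The hop names ("vpn", "wlan-gateway", "internal-lan", "dmz-default-gateway"), the appliance's route table and any static routes passed in are constructed for illustration; the 10.1.0.0/24 LAN and the test addresses are the post's own.

```python
"""Longest-prefix-match model of the client and appliance route tables
described in the post above. Constructed example, not the appliance's
real implementation; hop names and the appliance table are assumptions.
"""
import ipaddress
from typing import List, Sequence, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, next-hop name)


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """Pre-CIDR class A/B/C network containing addr.

    This is the route a classful client installs when it is handed
    10.1.0.100 without a usable netmask: 10.0.0.0/8, not 10.1.0.0/24.
    """
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        prefix = 8      # class A
    elif first_octet < 192:
        prefix = 16     # class B
    elif first_octet < 224:
        prefix = 24     # class C
    else:
        raise ValueError(f"{addr} is not a unicast class A/B/C address")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def client_routes(vpn_addr: str, send_all_traffic: bool) -> List[Route]:
    """Route table the iOS client ends up with for the two settings."""
    routes: List[Route] = [(classful_network(vpn_addr), "vpn")]
    if send_all_traffic:
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "vpn"))
    else:
        # Default route stays on the local WLAN (assumed hop name).
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "wlan-gateway"))
    return routes


def appliance_routes(static_routes: Sequence[Tuple[str, str]] = ()) -> List[Route]:
    """Assumed table on the SSL VPN in the DMZ: its own LAN, a default
    gateway, plus whatever static routes the admin configured."""
    routes: List[Route] = [
        (ipaddress.ip_network("10.1.0.0/24"), "internal-lan"),
        (ipaddress.ip_network("0.0.0.0/0"), "dmz-default-gateway"),
    ]
    routes += [(ipaddress.ip_network(net), hop) for net, hop in static_routes]
    return routes


def next_hop(dst: str, routes: List[Route]) -> str:
    """Longest-prefix match, as any IP stack does it."""
    ip = ipaddress.IPv4Address(dst)
    best = max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def path(dst: str, send_all_traffic: bool,
         static_routes: Sequence[Tuple[str, str]] = (),
         vpn_addr: str = "10.1.0.100") -> List[str]:
    """Hops a packet takes: the client's choice, then, only if the packet
    entered the tunnel, the appliance's choice."""
    hops = [next_hop(dst, client_routes(vpn_addr, send_all_traffic))]
    if hops[0] == "vpn":
        hops.append(next_hop(dst, appliance_routes(static_routes)))
    return hops


def tunnelled_but_not_on_lan(vpn_addr: str, real_lan: str) -> int:
    """Addresses the classful route drags into the tunnel although they
    are not on the LAN the client was actually given an address on."""
    return (classful_network(vpn_addr).num_addresses
            - ipaddress.ip_network(real_lan).num_addresses)


if __name__ == "__main__":
    for dst in ("10.1.0.50", "10.2.0.100", "192.168.1.100"):
        for send_all in (False, True):
            print(f"{dst:15} send_all={send_all!s:5} -> {' -> '.join(path(dst, send_all))}")
    print("static route on appliance:", path("10.2.0.100", False, [("10.2.0.0/24", "lan-router")]))
    print("addresses in the tunnel but not on 10.1.0.0/24:",
          tunnelled_but_not_on_lan("10.1.0.100", "10.1.0.0/24"))
```

Run stand-alone it prints the fate of each of the post's example destinations under both settings. Two things it makes visible that the prose only implies: the classful route puts the whole of 10.0.0.0/8 into the tunnel, so a /24 LAN drags 16,776,960 other addresses with it, and with "send all traffic" off a destination in another class (192.168.1.100) never reaches the appliance at all, however the appliance is configured. Whichever setting is used, what finally reaches the LAN is decided by the appliance's own routing and firewall rules, so check those before debugging the client.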



#3 Riemer

Riemer
  • Members
  • 9 posts

Posted 26 November 2015 - 10:24 AM

Thank you!!!!

 

Now it works.

I deleted the Network connector configuration.

Then I set the VPN connection to "send all traffic".

 

That's it.