Things I'd do if I ever have time

Wish list

Please help a man further his career by donating expensive hardware. Cash works too.

iPad and the Cisco VPN

Published: 06/11/2010

Reference trace file:


The iPad is certainly a cool little toy. Not only does it support WPA Enterprise for Wi-Fi connectivity, it also has a built-in Cisco VPN client which does IPsec, L2TP, and PPTP. It unfortunately doesn't have the SSL-based AnyConnect client (which all Cisco shops seem to be moving over to these days), although iPhone OS 4 may potentially include it, but nevertheless an IPsec-capable client isn't a bad thing. But does it actually work? I've occasionally seen consumer devices feature something "enterprise-grade" because it's nifty for marketing while the implementation actually falls flat on its face when you attempt to use it.

We all know what an IPsec transaction looks like. Would it be any different on an iPad? Probably not, but wouldn't it be interesting to just see it happen? That's what we're here for today - have the device associate to an open hotspot and make the VPN connection. For this article, I configured an old Cisco 3005 concentrator with an external address of, created a simple group profile and a user account on the VPN concentrator, and statically configured an IP of on the iPad (because the ancient Netgear access point used as the public hotspot simulation really sucks when it comes to doing simple things like handing out addresses; consumer-grade junk, I tell you...).

The first few moments with our hotspot...

The trace file has been pared down a bit from the original. I've taken the liberty of removing all 802.11 Beacons, Probe Requests, Probe Responses, and a few other control frames, as well as ARP to improve the signal-to-noise ratio for our analysis.

In the first four frames, we see your basic 802.11 association process taking place between the iPad and the access point broadcasting the SSID "232." As you can tell by the parameter information in packet 3, this is a pretty old 802.11b-only Netgear AP. I didn't feel like breaking out the spare Cisco 1230 today. I got lazy.

As I mentioned earlier, I manually pre-configured an IP to the iPad before connecting to the access point. Even after I did this, the iPad apparently likes to send out a DHCP Discover packet after associating. I guess old habits die hard.

The iPad is apparently an IPv6-capable device, as we can see from the various ICMPv6 and multicast DNS queries that get loudly sent out to the network via an IPv6 link-local address, announcing my device's hostname in the process (this is also noted in the first DHCP Discover packet as well). This, along with a few IGMP packets using our real IPv4 address, get sent over the network for the next few seconds while I fumble around the iPad to start the VPN client which I pre-configured for our Cisco gateway.

iPad does IKE

Starting at packet 90, I switch on the slider for the VPN client in the iPad GUI and we see the three-packet phase 1 / Aggressive Mode exchange with the initiator cookie value of E970B24A2B2043F3:

   Show packet content

and responder cookie of 82C0EB9C1ACECA54. The negotiated IKE transform is 3DES / MD5.

   Show packet content

The two hosts do their Diffie-Hellman thing, and by packet 92 all we see is gibberish while they get ready to do XAUTH and proceed to Config Mode for the client's tunnel IP address, internal DNS, tunnel parameter information, inside routes, etc. We can't see it due to it being encrypted, of course, so we'll just have to use our imagination here. By the way, I'm prompted to enter my username / password on the iPad at this point.

Oddly enough, in packet 98 we see the gateway sending the iPad an "UNKNOWN-ISAKMP-VERSION" message, but to an IP address of (although based on the information in the MAC header, it's clearly meant for the iPad's network interface). Config Mode continues on, however.

At packet 104, we finally move into phase 2 / Quick Mode. This is roughly twelve seconds after our first IKE packet, so the Config Mode process was a bit slow, probably due to the ISAKMP version message above. But phase 2 finishes quickly ...

... and then poof! we're in. Looking at the Cisco concentrator's log we see that the reported client operating system is the iPhone OS. It feels a bit strange seeing that since I'm so used to seeing a Windows value. I remained logged in for a while and then terminated the connection, followed by me switching off the virtual Wi-Fi switch. You can see the 802.11 Disassociate frame go out on packet 123.

So yes, it does work...

I have no idea how many iPad users would actually use the Cisco VPN client (aside from students at schools requiring it), but I suspect they're not that common in the grand scheme of things. I once connected to my work's VPN gateway and started some Remote Desktop sessions with a couple of Windows servers (Mocha Remote Desktop Lite 2.3 was free when I downloaded this from the App Store). Otherwise, it would seem to be kind of a novelty since most users won't have an IPsec / L2TP / PPTP gateway running at home.

But it's still cool nonetheless.

Go back to the main articles list.