SSL VPN and iPhone OS 4.0

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL VPN and iPhone OS 4.0

L4 Transporter

I was looking at the new specs for the 4.0 code of the iPhone OS, and saw that they were opening up the SSL VPN function to Juniper and Cisco.

Any chance Palo Alto is working on a NetConnect app for the iPhone?

http://www.apple.com/iphone/business/preview-iphone-os/

58 REPLIES 58

Dosn't work for me.

Tunnel Gateway Adapter must be the loopback device? Can't I use directly the external device? Also in the Cetificate can't I not use directly the official IP on the external interface?

Hi

You can use your external address. I've attached a screenshot of the common components for the PA/IOS VPN.

Rod

For troubleshooting I tried the global protect portal.

on a inside interface it is working on a external interface it is not working.

I see the deny in the monitor, but when i create a access rules i don't see the allow on that interface.

I added a second ip to the interface and used this for the global protect portal. The Ceritificate Page in the browser is popping up now, but then it keep in the waiting state. No login page to the portal.

Why is it not working with the primary ip in the interface?? I don't have any nat on that port on this ip.

Tested in on a other firewall and it works there....

Somehow I can't use the external interface on the pa2050 for ipsec / SSLVPN. Are there any reason why this is the case?

Also how should we proceed if port 443 is allready occupied with a nat rule?

Check this document.

Anyone tried connecting an Android device yet?

@toddnva:

I have been looking for an Android client that does not require rooting the device. At this point in time I have not found one. If you are aware of one I will happily test in my lab and make sure the results are made available to our entire community.

-Benjamin

Android OS 4 (ice cream thingy) will have support for IPSEC VPNs. Lets hope the developers get their act together and have an IPSEC client created for it's release which should be sometime in November. Until this happens I don't know of any other way of getting a legitimate droid device VPN'ing through the PA.

Rod

When PAN first told me about supporting iOS, they said it should also work with Android, but wouldn't initially be officially supported.  I guess not...  Hopefully ICS will support it.

Is there a Windows client that supports this as well?

@toddinva:

Windows support for SSL VPN on PAN-OS has existed for some time. 4.1 PAN-OS converts NetConnect to GlobalProtect on the Windows client side.

-Benjamin

I realize that.  I was just thinking that there have been instances where the NetConnect client didn't work right and using another client might be beneficial.  I haven't used the GlobalProtect client yet, so I don't know how well that one works.

Guys the supplicant native to Phones and IPSec in general use XAUTH, certificate authentication.  We developed a solution in house that does just that, profiles for VPN and Wifi and connecting them to the PAN agent.  Works on Android, Blackberry, IOS and Symbian etc. If your phone has VPN settings the XAUTH is usually the way to go.  That way when they upgrade you don't need your VPN client to upgrade as well.

Same for Wifi.  The key thing here is client auth certificates replace credentials such as Windows etc. General use of a single p12 per client and OSCP or a CRL makes PAN able to use the same cert for Wifi, VPN and SSL Decryption (even wired if you want to go 802.1X).

  • 28877 Views
  • 58 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!