VPN Server and accounts for VPN On-Demand (VPoD) for iOS devices

The wish is that VPN accounts could be created that are compatible with “On-Demand (VPoD)” for iOS (iPhone/iPad) devices.

Basicly this requires a Cisco compatible use of certificated-based authentication.

VPN On-demand at Apple:

  1. http://help.apple.com/iosdeployment-ipcu/mac/1.0/#appbec2d1af
  2. Documentation Archive

Are there no other PepLink users wishing to establish an automatic and permanent VPN connection between their iPhone’s and iPad’s and their corporate network?

For my understanding, you would like to have Host-to-Network VPN for client workstation to access the network behind Peplink? Also, you would like to have a iOS VPN client?

I don’t want an iOS VPN client, I want compatibility with the iOS build-in iOS client to setup an automatic always-on VPN connection from the iOS device to the Peplink device. This VPN is not used to access the network behind the Peplink device, but as router to access the internet bypassing the mobile provider their (VoIP) port/packet filtering/blocking.

iOS VPN on demand does involve authentication by certificate.

You specify which domains require a VPN connection by using a configuration profile.

The VPN connection is made whenever the device tries to connect to certain domains. Specific apps don’t need to do anything; as soon as they try to access such a server the VPN connection is initiated.

According to Documentation Archive the protocol should be Cisco IPSec compatible.

Also see this screen shot taken from the Apple iPhone configuration utility:

For a Cisco IPSec Gateway on Linux, you could use Open source package StrongSwan for your iOS VPN on Demand:

Use --enable-cisco-quirks parameter to build StrongSwan to make it compatible with Cisco IPSEC. It is a stable certification based, IPsec Gateway on linux that is compatible with iOS VPN on Demand requirements.

source: apple ios - Linux solution for VPN on-demand for iOS devices - Server Fault

Despite the Cisco reference, the configure option --enable-cisco-quirks is not required as the iOS client is not provided by Cisco but is actually a modified version of Racoon.

source: iOS and macOS :: strongSwan Documentation

Thank you for your information. Regarding this feature, first we need to support host-to-network IPsec (client IPsec VPN) which we do not have it yet. BTW, we will see this would fit in our future firmware or not.