Your rating: None (4 votes)

iOS 4.2 includes built-in clients for several VPN protocols.

In addition, it is integrated with app-based SSL-VPN clients from several manufacturers. This integration isn't exposed through the UI, however. Instead, it must be configured using either the iPhone Configuration Utility or Mobile Device Management tools.

See each page below for specifics.

Each of these may be configured with an On-Demand VPN that responds to DNS requests to pre-configured domains.

On-Demand VPN Explained

Your rating: None (4 votes)

(This article originally appeared in the blog iOS4Business, by Mathieu Bernier.)

VPN On-Demand is the Holy Grail, for Apple. When you ask an Apple representative for a VPN solution, what you get in return is: VPN On-Demand. So, let’s discover what’s behind that door with a short procedure using iPhone Configuration Utility.

(I won’t cover the configuration of the VPN gateway in this article. You need to make sure that your VPN gateway is properly configured to accept Certificates authenticated connections.)

I. The Concept

The first thing you need to know about VPN On-Demand (VPoD) is : it’s a very simple concept.

  1. It allows administrators to define a Hosts Domain realm behind which all hosts must be accessed via a VPN connection.
  2. Whenever an application try to access one of the server behind that realm, the iOS device automaticaly starts the VPN tunnel.

That’s VPN "On-Demand".

II. Requirements

In order to make VPN On-Demand work properly, you need :

III. Certificates

The first thing you need to do is to import the CA Certificate and your personal Certificate in the iOS configuration profile.
It’s fairly easy to do that.

  1. Open the iPhone Configuration Utility on your desktop

  2. Go to "Certificates"

  3. Click on "Configure"

  4. You need to get your personal Certificate and (if you use a company-wide Certificate Authority) the CA Certificate of your authority. First, import your personal certificate. Enter the password of your choice (remember it !) and click OK.
  5. Do the same for the CA Certificate. It should not ask you for a password this time.
  6. Now you have imported both certificates in your profile.

IV. "On-Demand" Configuration

A few settings are required to configure the VPN On-Demand in the profile.

  1. Go to VPN

  2. Enter the VPN gateway and authentication settings values.

  3. Choose _Certificate_ as the authentication method for the device. Then select your personal certificate you imported earlier.

  4. Enable _VPN On-Demand_ option and add a new realm in the list

    Screen shot 2011-05-23 at 6.31.06 AM.png

In this example we created a realm "*.intranet.mycompany.com" with an action set to "Always establish". So now, any application trying to access a server behind "intranet.mycompany.com" will automaticaly setup a VPN tunnel to access it.

Upload the profile to your device, and then you are ready.

Simple as it looks like.

Cisco VPN

Your rating: None (2 votes)

There is information on configuring Cisco devices for iOS VPN in the Apple document VPN Server Configuration for iOS


Your rating: None (2 votes)

The iPhone Configuration Utility 3.2 included support for F5 SSL VPNs. Like other SSL VPNs (Juniper or Cisco AnyConnect), an iTunes Store App is required, in this case the BIG-IP Edge Client.

The iPCU can be configured with the default settings for the BIG-IP Edge Client. In addition, VPN On-Demand can be configured to automatically connect the SSL VPN client when certain domains are requested. For more information see the developer documentation on iPCU.

Related F5 KB Articles

Juniper VPN

Your rating: None (2 votes)


Your rating: None (2 votes)


SonicWALL is a manufacturer of firewalls, VPN concentrators, SSLVPN devices, and the like. The following was created on my NSA 3500 running SonicOS Enhanced

The built-in SonicWALL GroupVPN policy may be set up to allow connections from iOS devices. Unlike Cisco VPN and Juniper VPN devices, however, these cannot be configured to use certificate authentication, and cannot be configured for on-demand VPN access. However, for customers with existing SonicWALL infrastructure, this can be useful information.

To configure, we need to do the following steps:

  1. Set up the L2TP server
  2. Create a group with VPN access
  3. Assign users to this group
  4. Modify the built-in GroupVPN policy for iOS


Under VPN > L2TP Server, enable the L2TP Server.

Then configure it with your DNS settings, and a new subnet for the address pool. Note that the SonicWALL will take care of routing this subnet to the VPN users. You should make sure this range does NOT overlap with any subnet currently in use on your network.


In Users > Local Groups, create a new group for the VPN users.

The "VPN Access" tab is where you define local networks that GroupVPN clients may reach. By default these are blank. You must assign something here for VPN clients to reach something. "Firewalled Subnets" is a good choice, but you can be more specific if you like.


In Users > Local Users, create one or more Local Users that will connect. If your SonicWALL is connected to a directory system you may duplicate usernames here in order to assign group memberships. Note that your authentication server must support CHAP authentication, and some don't.

Assign these users to the group you created above.


In the VPN menu, choose "Settings". Enable and edit the "WAN GroupVPN" policy.

Create a relatively secure Shared Secret for your users. As the name implies, all devices will use the same secret as a preliminary password.

In the "Proposals" tab, configure the VPN with the following settings. This is required by the relatively non-configurable iOS VPN client.

In the "Advanced" tab, tick "Require authentication of VPN clients by XAUTH."

Finally, in the "Client" tab, set up your settings as follows:

iOS Configuration

Create a VPN configuration like the following:

The Remote Access Choice: VPN or APN?

Your rating: None (5 votes)

(This article originally appeared in the blog iOS4Business, by Mathieu Bernier.)

When you’re working on an iPhone/iPad deployment project you will always come to the point where your customer or yourself asks, "How can I secure remote access to my company?"

The first answer that comes to mind is "Configure a VPN tunnel." But an underestimated way to secure the access to your internal assets is through the use of Access Point Names, or APNs.

What is an APN?

APNs are gateways typically hosted by your mobile phone carrier, allowing your mobile to browse Internet using the mobile network. In general, APNs are shared between users and you don’t even know that your phone uses this gateway to access Internet. But if you’re a big company and you prefer to have your own private APN hosted by your carrier, you can rent one for all your devices.


The big advantage is that when you use a private APN, the VPN tunnel is configured between the APN gateway and your VPN gateway. That takes away the battery problem you can encounter with traditionnal VPN deployments.

That’s the basic configuration offered by your provider. Usualy you can deploy more secured and scalable architecture, with redundancy, MPLS links if you have one etc… These APNs are usualy RADIUS compatible so you can, on your side, restrict access to your network only to devices registered in your fleet.


There are three main disadvantages using APN :

  1. First, the price. The rent is starting around 900 euros/month in France for a no-failover, simple configuration.
  2. You need to rent an APN in each country where you want to deploy your fleet.
  3. All your 3G data traffic is going to be redirected on your own network, in and out, so you need to make sure that your infrastructure can support this traffic growth.


APNs can be set using the iPhone Configuration Utility or using most Mobile Device Management software.