On-Demand VPN Explained

(This article originally appeared in the blog iOS4Business, by Mathieu Bernier.)

VPN On-Demand is the Holy Grail, for Apple. When you ask an Apple representative for a VPN solution, what you get in return is: VPN On-Demand. So, let’s discover what’s behind that door with a short procedure using iPhone Configuration Utility.

(I won’t cover the configuration of the VPN gateway in this article. You need to make sure that your VPN gateway is properly configured to accept Certificates authenticated connections.)

I. The Concept

The first thing you need to know about VPN On-Demand (VPoD) is : it’s a very simple concept.

1. It allows administrators to define a Hosts Domain realm behind which all hosts must be accessed via a VPN connection.
2. Whenever an application try to access one of the server behind that realm, the iOS device automaticaly starts the VPN tunnel.

That’s VPN "On-Demand".

II. Requirements

In order to make VPN On-Demand work properly, you need :

• A compatible VPN gateway (Cisco, or any Cisco IPSec compatible third-party gateway, F5 SSL, JunOS Pulse etc …)
• An enterprise Certificate Authority
• The Authority CA Certificate
• A personnal certificate delivered by the Certificates Authority

III. Certificates

The first thing you need to do is to import the CA Certificate and your personal Certificate in the iOS configuration profile.
It’s fairly easy to do that.

1. Open the iPhone Configuration Utility on your desktop

   

2. Go to "Certificates"

   

3. Click on "Configure"

   

4. You need to get your personal Certificate and (if you use a company-wide Certificate Authority) the CA Certificate of your authority. First, import your personal certificate. Enter the password of your choice (remember it !) and click OK.
5. Do the same for the CA Certificate. It should not ask you for a password this time.
6. Now you have imported both certificates in your profile.

   

IV. "On-Demand" Configuration

A few settings are required to configure the VPN On-Demand in the profile.

1. Go to VPN

   

2. Enter the VPN gateway and authentication settings values.

   

3. Choose _Certificate_ as the authentication method for the device. Then select your personal certificate you imported earlier.

   

4. Enable _VPN On-Demand_ option and add a new realm in the list

   Screen shot 2011-05-23 at 6.31.06 AM.png

In this example we created a realm "*.intranet.mycompany.com" with an action set to "Always establish". So now, any application trying to access a server behind "intranet.mycompany.com" will automaticaly setup a VPN tunnel to access it.

Upload the profile to your device, and then you are ready.

Simple as it looks like.