For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

chamindak_11539's avatar
chamindak_11539
Icon for Nimbostratus rankNimbostratus
Jul 25, 2014

iOS edge client not kicking off a VPN for on-demand mode.

Hello all, I'm having trouble getting on-demand VPN to work for iphones/ipads. I have setup the VPN profile and when manually connecting to the profile from my iphone all works fine. Instead of a cer...
BIG-IP Access Policy Manager (APM)
deployment
design
security
Alexey_384's avatar
Alexey_384
Historic F5 Account
Jul 26, 2014

Starting from iOS7 the Always Connected mode works as Connect If Needed. So, if host name can be resolved without VPN, then VPN won't be established. Even if host is not available directly, but it's name is resolvable then VPN won't be established. Another reason of the fault is the required interaction. Untrusted server certificate, for example. You can set nonexistent domain and try to navigate Safari to it. If VPN is established, then you domains are resolvable directly and nothing to do. It's expected behaviour. If not, then interaction is assumed and you have to figured out the cause of it.

 

  • chamindak_11539's avatar
    chamindak_11539
    Icon for Nimbostratus rankNimbostratus
    Jul 28, 2014
    Thanks Alexey. As per my understanding, the user puts a "if needed" domain in safari, which cannot be resolved. But as the domain is included in the "if needed" list on a VPN profile in the F5 edge client, the edge client should start establishing the VPN process. However I am not seeing any traffic on the APM log at all. All goes well if I manually enable the VPN. What am I missing?
  • Mike_61719's avatar
    Mike_61719
    Icon for Cirrus rankCirrus
    Jul 28, 2014
    Can you please provide a few sample domains? It would help us provide you with the information needed. Are you noticing any pre-logon checks taking place? Example: If your browser can resolve abc.com, the VPN won't kick in. If your browser cannot resolve abc.com and it's on the list to connect, the VPN will kick in. If your browser cannot resolve abc.com and it's not on the list to connect, the VPN won't kick in. I had some issues before and I think it's a bug with the software, it should always utilize the VPN if it's in the configuration list.
  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus
    Jul 29, 2014
    It's not a software bug. iOS7 onwards apple don't support onDemand VPN. It fall backs to 'if Needed'. http://support.apple.com/kb/TS4550

     

    The new method is to use onDemand rules, but have to use MDM or editing of profiles

     

    https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html//apple_ref/doc/uid/TP40010206-CH1-SW27