VPN with iOS Devices (1)

11 06 2013

Think about masked figures walking on the Broadway.
They are using public roads but you cannot identify them and you don’t know what’s going on inside their brain.

That’s the idea of establishing a Virtual Private Network (VPN) where the data stream uses the public internet highways but cannot be read by anyone. Capsule encrypted information in an ordinary overcoat and decrypt it by using a mutually agreed foreign language.

20130405-210600.jpg

This image shows the requirements of a typical configuration for private or small business use.

  • Firewall
  • Mobile device
  • Free Dynamic DNS account
  • Computer in a LAN you want to have connect to

Apple’s OS X for Mac and iOS for iPhone, iPad, and iPod Touch include a native Cisco IPSec VPN client. You can use this client to make a secure IPSec VPN connection to a firewall and the devices behind it. To do this, you must configure VPN on your firewall device to match those on the iOS or Mac OS X device.

Following the KISS principle I want to describe how to connect an iOS device with the LAN using the integrated Cisco client.

KISS
KISS = Keep it simple, stupid
A design principle noted by the U.S. Navy in 1960 that states that most systems work best if they are kept simple. Unnecessary complexity should be avoided.
Variations of this phrase are:
Keep it simple sir, Keep it simple and straightforward, Keep it short and simple, Keep it simple or be stupid

Why VPN …

Using a VPN connection provides security.
The participating devices have to authenticate before a secure connection can be established. All data will be strongly encrypted before transfer over the unsafe internet Autobahn starts.

You may think that there are apps connecting you with your devices at home with nearly zero configuration e.g. TeamViewer. That’s true but these apps don’t allow simultaneous connections of more than one device. Others like VNC Server/Viewer allow concurrent connections but their free versions do not support encryption. Additionally the firewall has to be configured for Port Forwarding.

So the best practice is to use VPN without additional licensing costs and nearly the same expenditure of time for setting up the virtual private network.

The basics …

Refer to the following articles about basic terms and functionalities of networking:

Network (1) Addressing

Network (2) Apple Airport router

Network (3) Port Forwarding

Your Internet Service Provider (ISP) usually assigns varying IPs. This would prevent a suitable usage of VPN. If this would happen with addresses in real life a postman could not deliver your mail. However there is a simple and free solution by using Dynamic DNS services offered by No-Ip.com or other providers.

From a Dynamic DNS provider you will get a hostname, not an IP address. A device from outside your LAN first contacts the DDNS provider to evaluate your actual WAN IP address. Your mobile device can now locate your LAN in the internet and establish a connection.

It’s quit simple to get an account at No-Ip.
Sign in and you get an E-Mail with a confirmation link.
Fill out the form for Dynamic DNS and you get a hostname like ‘user.no-ip.org’.
This constant hostname will replace the varying WAN IP of your home/small business network.
How does No-Ip get your WAN IP? Well, you have to install the free No-Ip Dynamic Update Client on one of your computers inside the LAN. This client updates your changing IP at No-Ip’s servers. Don’t switch this computer off to ensure that No-Ip knows your WAN IP at any time.

The Watchguard Firewall XTM …

Watchguard Inc. is located in Seattle, USA.
The company I work for uses Watchguard products without any problems since many years.

The firewall serves as a gateway for the LAN managed by Windows 2008 servers. Colleagues must have a secure access to these resources.

A running VPN connection …

The following steps illustrate the principles of a VPN client-server interaction in simple terms found on Wikipedia. For IP addresses refer to the above shown graphics.

Assume a remote host with public IP address 1.2.3.4 wishes to connect to a server found inside a company network. The server has internal address 192.168.1.10 and is not reachable publicly. Before the client can reach this server, it needs to go through a VPN server / firewall device that has public IP address 5.6.7.8 and an internal address of 192.168.1.1. All data between the client and the server will need to be kept confidential, hence a secure VPN is used.

01 The VPN client connects to a VPN server via an external network interface.

02 The VPN server assigns an IP address to the VPN client from the VPN server’s subnet. The client gets internal IP address 192.168.1.50, for example, and creates a virtual network interface through which it will send encrypted packets to the other tunnel endpoint (the device at the other end of the tunnel). This interface also gets the address 192.168.1.50.

03 When the VPN client wishes to communicate with the company server, it prepares a packet addressed to 192.168.1.10, encrypts it and encapsulates it in an outer VPN packet, say an IPSec packet. This packet is then sent to the VPN server at IP address 5.6.7.8 over the public Internet. The inner packet is encrypted so that even if someone intercepts the packet over the Internet, they cannot get any information from it. They can see that the remote host is communicating with a server/firewall, but none of the contents of the communication. The inner encrypted packet has source address 192.168.1.50 and destination address 192.168.1.10. The outer packet has source address 1.2.3.4 and destination address 5.6.7.8.

04 When the packet reaches the VPN server from the Internet, the VPN server decapsulates the inner packet, decrypts it, finds the destination address to be 192.168.1.10, and forwards it to the intended server at 192.168.1.10.

05 After some time, the VPN server receives a reply packet from 192.168.1.10, intended for 192.168.1.50. The VPN server consults its routing table, and sees this packet is intended for a remote host that must go through VPN.

06 The VPN server encrypts this reply packet, encapsulates it in a VPN packet and sends it out over the Internet. The inner encrypted packet has source address 192.168.1.10 and destination address 192.168.1.50. The outer VPN packet has source address 5.6.7.8 and destination address 1.2.3.4.

07 The remote host receives the packet. The VPN client decapsulates the inner packet, decrypts it, and passes it to the appropriate software at upper layers.

Overall, it is as if the remote computer and the server are on the same 192.168.1.0/24 network or in other words as if you are sitting in the office. VPN extends a private network across the public internet. Data are shared as if they were an integral part of the private network.

Continue reading about VPN. My next article describes the configuration of the firewall and the iPad/iPhone.

Thanks for visiting http://iNotes4You.com.


Actions

Information




%d bloggers like this: