Does anyone here know how to create a static route on an iPad? I’ve tried to find the answer using Google, but I can’t seem to get a straight answer and straight forward description on how to make one (or even if you can…it goes back and forth). So, since my Google-Fu seems week today I figured I’d ask here.
What I want to do is to build a static route in the system. Not a default route, but a static route.
Ah…well, I don’t have to feel so bad that I couldn’t find it since it seems no one else could. I guess just let this one die, unless someone knows and wishes to share.
What do you mean by a static route? If you mean a static ip address I’m not sure that can be done since whatever router you are connecting to will probably be configured as a dhcp server , and that means that it’s basically in control of assiging ip addresses to all the devices connected to it. I only have an iPad wifi, so the 3G connection side of things might be different, but my evo shift gets it’s ip address from sprint, which makes sense since the roaming nature of mobile devices necessarily require the servers at the cell towers to handle the connectivity of all devices within range. I think ultimately you will have better luck if you tell us what it is you’re trying to do, since there might be other solutions.
I don’t have an iPad handy (my wife refuses to let me play with hers…), but on my iPhone, I can go to Settings->Network->MYNETWORK and then configure it to use static IP, which I can assign.
If you think it would help for me to tell you what I’m trying to do that’s fine. Basically we’ve been having issues with our iPads using VPN to get into our system. They connect fine to the VPN gateway, but they can’t route out. An engineer suggested that the reason is that we have a routed network, and that the VPN address’s being handed out are on a DMZ subnet. Now, the DHCP address given out to VPN clients includes a default gateway to the firewall…which knows about the rest of the network. But this doesn’t seem to be working. So, the engineer suggested that adding a static route to the layer 3 device might solve the problem. Thus, I’m trying to find out how or even if you can add a static route to an iPad (you can add one to a Windows, Mac or Linux box fairly easily).
Let me give an example. Let’s say that my network uses 10.x.x.x network addressing. And let’s say that I want to create a static route that says basically that if you want to get to 10.x.x.x you need to go through a specific IP address to get there. That’s basically what I’m trying to do with the iPad…create a static route that tells the iPad that if it wants to get to the 10.x.x.x network it needs to send it’s traffic to a certain IP address…otherwise, simply use the default gateway for unknown IP addresses. According to the engineer I talked to about this, the iPad is using the physical default gateway of the NIC…not the virtual default gateway given to VPN clients. That means it’s actually sending packets to unknown IP addresses out the physical cards default gateway…and there is no way they will be able to route to one of our internal VLANs. So, specifically telling the iPad that if it wants to get to any 10 network address it needs to go to an address on the DMZ VLAN should solve the problem. At least according to this engineer I talked to.
First, I’ve seen nothing that would lead me to think there is any programming. Maybe if you download the developer’s kit and look at that?
Secondly, why would Apple allwo that? It’s not meant to be as flexible as a computer (note the inability to read file shares) and giving someone a way to programmatically force certain routes would be unsafe. (Presumably if you can route some addresses, you can route ALL addresses, thus routing all traffic to a controlling website that would then allow you to play “man in the middle”, for example, with banking or other web browsing.)
I suspect you’re stuck with “use the DHCP settings”, so if you want to program routes, set up a separate wifi, separate SSID, just for iPad and program the non-standard routes into that router…
Don’t know. Based on the lack of replies here and in the other board I asked this though I’m guessing not. Unfortunately neither DHCP nor separate WiFi networks helps, since the issue is with VPN and VLAN routing.
For many VPN clients, you cannot access both the general internet and the remote business LAN; which makes sense, since if you connect to the remote LAN you also need to use their DNS; which means you cannot use a local DNS (if you local LAN has any complexity to it). So you have a limit to what you can do with 2 separate LAN connections at once.
How about getting a shell like zsh or bash on to the iPad (may require jailbreaking/Cydia) and then configuring the routing table manually as you would on any *nix device?
They don’t have the firewall set up to allow firewall to firewall nailed up VPN. It’s all client based. And even if it did, you’d have to be able to configure each WiFi site you were at to have it nail up the VPN tunnel, which isn’t practical.
Depends on the type of VPN client. I think Nortel has a split tunnel feature, allowing you to access either the tunnel or your own internet depending on where you are trying to go. The problem I’m trying to solve here is that the iPad apparently (according to this engineer I was talking too) doesn’t use the virtual gateway given out by the DHCP server for the VPN connection, and that’s why it can’t route out to other VLANs on the network…only the DMZ VLAN that it’s brought in on. Our CISCO clients using IPSEC don’t seem to have a problem, but that is because (again according to this engineer) it has a value added feature that lets it use both the ‘real’ gateway and the virtual gateway from the VPN…so, since the firewall knows about all the VLANS. I don’t have a machine that doesn’t work (I’m thinking of building a L2TP VPN set on the firewall and then trying this with Microsofts built in VPN to see if it won’t work…and if it doesn’t then see if building a static route into it solves the problem).
I didn’t know it had a zsh or bash shell. Yeah, that might work. I’ll have to see if I can figure out how to access it. I have a jailbroken iPad at home (it’s my personal one). It would be of limited use though, since most of the users have assigned iPads and they aren’t jail broken…but I could at least find out if this is the problem and if the solution works. Thanks!
How does the engineer know this? Putting aside setting the static route for now, can you even view the routing table?
In my experience, it’s the job of the VPN client to set the static routes once it connects to the VPN gateway. (AFAICT, they typically require static routes to do things such as the split tunneling you mentioned.) So it seems to me that there is something wrong with the client. What VPN is it, anyway?
Know what? What the problem is, or what the possible solution is? She had no idea if you could do it with an iPad…she was merely saying how they had solved this in other cases with other operating systems.
It’s the VPN client built into the iPad. AFAICT you can’t get a 3rd party VPN app for the thing…I looked. My guess is if I could use CISCO’s VPN or ShrewSofts VPN client this would all work fine.
Know that the problem is the routing table. Hence my question of whether you can even view it (I don’t know anything about ipads). Maybe the VPN client itself has some kind of status that shows some of this info?
Ok, what’s the server then? I assume the combination of this VPN and the ipad client is known to work elsewhere?
The VPN client is integrated into the Mac iPad. I haven’t seen anywhere to get any information aside from the IP address assigned. I can only go by what’s happening, which is that it connects fine to the firewall, the tunnel is built an working (the firewall shows me that it’s connected and even what it is), but that the iPad can’t route outside of the DMZ VLAN. It can ping the firewalls DMZ address but that’s it.
How did she know it’s a problem with the routing table? Well, she said they had run up against this with routed networks and VPNs coming into DMZs before and this was the fix they used. Basically, to recap, her suggestion was to build a static route that would send any traffic going to the internally routed network through a known IP address (such as the firewall). My question to her was why isn’t the default gateway handling this (the default gateway given out by the firewall is the firewalls DMZ address btw…and that works fine for our CISCO and other IPSEC clients). Her answer to this was that some systems don’t use the virtual gateway given out as part of the VLAN, and instead use the physical gateway from the card…while some VPN client software has a feature that allows them to use both, which gets around the problem (if the virtual default gateway could be used it would solve the problem, since the firewall certainly knows where all the internal routed networks are).
It seemed counter intuitive to me, but empirically I can say that it’s definitely not working for the iPads accessing the customers VPN…while every other client (including the one I have on my Ubuntu laptop) works with no problems. I also know that the iPads are being used to allow VPN in other places.
What server? The firewall is a CISCO ASA. I’ve heard that people are using their iPads to connect to other systems via VPN. I don’t know if they are connecting to a routed network using a DMZ subnet however.
Well, I don’t have a ton of time to dig around but have you looked into this documentation to see about compatibility of the respective devices? Including O/S or firmware versions, etc., and any special configuration you might need? I believe this is specifically for the ASA 5500: Supported VPN Platforms, Cisco Secure Firewall ASA Series - Cisco
In there is also a link to another document that seems to have more technical details about connectivity with Apple devices.
In terms of troubleshooting, I am taking kind of the opposite approach from you and your engineer here; you have a specific problem and are trying to figure it out, but from what you’ve said so far, the static routing is only a guess on the part of the engineer and she has not run any kind of diagnostics or sniffing of the ipad’s attempt to access the VPN resources to determine that this is actually the problem. Nor do you seem to be sure that anyone else has successfully connected the exact pieces you are trying to connect (i.e., cisco asa 5500 [?] with ipad built-in vpn client … also note that in my digging, I saw mention of some other vpn client available in the itunes store but did not look into it in detail). So my opinion in this case is that you need to start at the beginning – first make sure it should work, and then check documentation on what Cisco says you need to do to make it work. Only then, try to narrow it down to some specific problem such as routing tables.
Just my opinion, tho. Maybe you guys really are thisclose and all you need is some way to set that route …
I’m not seeing it as a compatibility issue between the iPad and the ASA…after all, it does connect, authenticate and build the tunnel. Once attached, devices in the DMZ given to the VPN clients are able to be pinged.
You are right…this solution is just a ‘guess’, in that while the engineer I talked to has seen similar problems in the past with other devices in similar network configurations, she had no personal knowledge of the iPad. And while I actually have an iPad, I’ve never tried to do anything like this before, and thus far have been unable to figure out how or where you’d do it.
I have gone over CISCOs documentation and done searches about problems like this, but haven’t found anything specific…probably because it’s not specifically a CISCO issue, more an issue with routing on this particular type of network layout, assuming this engineer is correct. If you didn’t have a routed network behind your firewall, and weren’t using a non-routed DMZ then this issue probably wouldn’t crop up.
Once I get settled in from my latest trip I’ll probably try to build that L2TP VPN on the customers firewall and then try and use a Microsoft XP box to VPN in and see if I get the same results (the engineer said that was where they had most commonly seen this in the past). If I can get it to do something similar then I’ll try to see if putting in a static route fixes the problem…and if so, then at least I’ll be able to show why it’s happening. If the iPad can’t be made to use a similar method to fix the problem, and if I can’t find any other work around (which I’m also looking for) then the customer will be able to make an informed decision…perhaps they will by Zooms instead or something like that. Or continue to use RDP connections for their iPads.