Setting up a Cisco secure IPsec tunnel on an iPad



Add VPN Configuration

IPSec (the Cisco IPsec client type, which is IKEv1 with XAuth, so the headend needs a matching IKEv1 group):
Description: CompanyVPN
Account: Your domain username
Password: Your domain password
Group Name: IPsec group name (the group configured on the VPN headend)
Secret: IPsec pre-shared key for that group

Slide VPN to On and you should be connected.

NAT rule change after the ASA 8.3 upgrade breaks VPN

Normal NAT statement (8.2 and earlier, NAT exemption via an access list; the access list named in the nat 0 command must be the one you defined):
access-list nonat extended permit ip
nat (inside) 0 access-list nonat
New NAT statement (8.3 and later, identity twice NAT):
object network vpnpool
 subnet 10.10.10.0 255.255.255.0
 ! the pool range above is an assumed example; use your own VPN address pool
nat (inside,outside) source static any any destination static vpnpool vpnpool
This is an identity NAT: for anything coming from the inside interface and going to the range designated by the vpnpool object, the source address is translated to itself and the destination address is likewise kept the same, so the VPN traffic is exempted from the dynamic NAT that would otherwise rewrite it on the way out. It replaces the nat 0 exemption from 8.2 and earlier.
It seems like a strange way of going about this, but this is all I have come across so far. If anyone has a better way, please leave a comment.

What is IPv6

IPv6 is the successor to IPv4.  IPv4 and IPv6 are the internet protocols that all networks use to communicate.  IPv4 is still dominant on the internet today.  The reason for IPv6 is simple: the world is running out of IPv4 addresses, so IPv6 was created in 1998 to provide more public IP addresses.  IPv4 gives you about 4 billion addresses.  To put this in perspective, a single IPv6 subnet alone holds 2 to the 64th power addresses, the square of the entire IPv4 internet.  IPv6 as a whole has 2 to the 128th power, about 340 trillion trillion trillion, unique addresses.
IPv6 uses 128-bit addresses where IPv4 uses only 32-bit addresses.  This greatly increases the number of IPs available and removes the address-conservation reason for NAT (network address translation).  NAT is what lets many inside hosts share one external IP: the firewall rewrites addresses and ports, and port forwarding maps different ports on that one external IP to different hosts inside your network.  With IPv6 every host can have its own global address, but NAT was never a substitute for a stateful firewall, so you still need one.
IPv6 hosts can autoconfigure themselves when they are connected to an IPv6 network using Stateless Address Autoconfiguration (SLAAC).  They accomplish this through ICMPv6 router discovery messages.  When you first plug into an IPv6 network your host sends a Router Solicitation to the link-local all-routers multicast address (ff02::2), which is basically a request for its configuration.  Routers then reply with a Router Advertisement containing the network-layer settings (prefix, default router and flags).  Because any node on the link can send a Router Advertisement, a rogue RA can hijack the default route of every host on the segment; RA Guard on the switch is the usual mitigation.  If you don't wish to use SLAAC there are two other options: DHCPv6, or statically configuring your address.
The security model in IPv6 has also changed.  IPsec was an optional add-on in IPv4; the IPv6 node requirements originally made IPsec support mandatory (RFC 4294), though this was relaxed to a SHOULD in RFC 6434, and in any case mandatory to implement never meant mandatory to use: IPv6 traffic is not authenticated or encrypted unless IPsec is actually configured.
In addition to the other changes, Mobile IPv6 (MIPv6) avoids the triangular routing problem of Mobile IPv4, and its extension NEMO (Network Mobility) lets an entire subnet move without any renumbering, provided your routers support it.  However, since neither MIPv6 nor NEMO is widely deployed, this is not common in practice.
IPv6 addresses are written as hexadecimal groups separated by colons, with one run of zero groups compressed to ::, for example 112:ec9:97b4::9b3f:481:8445.  An address is typically broken down into two logical parts: 64 bits for the subnet prefix and 64 bits for the host part (the interface identifier).  Broadcast addresses no longer exist in IPv6; you now have three types of addresses: unicast, anycast and multicast.  A unicast address identifies a single interface.  An anycast address is assigned to a group of hosts, typically located in different physical locations, so that traffic flows to the closest one.  Multicast has not changed: it delivers a packet to a group of hosts, and it takes over the jobs broadcast used to do (the all-nodes address is ff02::1).
As far as DNS goes, you may be familiar with A records, which map a name to an IPv4 address.  With IPv6 you have the AAAA record, which maps a name to an IPv6 address.
Dual IP stack implementations are in place in most modern operating systems.  This is a transitional way of running IPv4 and IPv6 concurrently, so programmers can write applications that accept connections on either the IPv4 or the IPv6 interface.  Something else you will run into are IPv4-mapped IPv6 addresses (sometimes called hybrid dual-stack addresses).  These are special addresses in which the first 80 bits are set to 0, the next 16 are set to 1, and the last 32 bits are your IPv4 address; they are written as ::ffff: followed by the dotted-decimal IPv4 address, so they look like an IPv4 address with the ::ffff: prefix.  A dual-stack socket uses them to represent an IPv4 peer on an IPv6 socket, so any access control that compares peer addresses against an IPv4 allow-list or deny-list must handle the mapped form too.
Tunneling is a popular method of encapsulating IPv6 packets in IPv4 packets, using IPv4 as the link layer for IPv6. Direct encapsulation is indicated by IP protocol 41. If protocol 41 is blocked by a router or NAT device, the IPv6 data can instead be encapsulated in UDP packets (Teredo is the common example). Automatic tunneling is a process in which the routing infrastructure determines the tunnel endpoints. 6to4 is the recommended automatic tunneling method and uses protocol 41 encapsulation: the local IPv4 address is embedded in the site's IPv6 prefix (2002:V4ADDR::/48), and packets for native IPv6 destinations are sent to a 6to4 relay reached through the IPv4 anycast address 192.88.99.1. 6to4 was widely deployed and was probably the most common method of encapsulation, though it has since been deprecated (RFC 7526) because of unreliable relays. Configured tunneling is another method of encapsulation, in which you explicitly configure the endpoints of your tunnels, either through the OS or manually by the administrator. There is also automated tunneling, where a tunnel broker sets up a configured tunnel for you; it is a compromise between automatic and configured tunneling and gives the best of both worlds. For larger networks configured tunneling is recommended because it is easier to troubleshoot than automatic tunneling. All of these tunnels carry IPv6 traffic past IPv4 perimeter filters that may not inspect it, so either block protocol 41 and the UDP tunnel ports explicitly or terminate the tunnels on a device you control.
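As an added example (not code from the original post), the following Python uses only the standard library's ipaddress module to demonstrate the address structure described above: the 64-bit subnet/64-bit interface-ID split, the 80-zero/16-one/32-bit layout of an IPv4-mapped address, the 2002::/16 6to4 prefix derived from a site's IPv4 address, and a classification into unicast, link-local, multicast, mapped and 6to4 forms. It also shows the allow-list pitfall from the dual-stack paragraph: a check that canonicalises ::ffff:a.b.c.d to its IPv4 form before comparing. All addresses and the allow-list are constructed sample inputs.

```python
import ipaddress
from typing import Optional, Set, Tuple


def expand(addr: str) -> str:
    """Uncompress an IPv6 address to all eight 16-bit groups."""
    return ipaddress.IPv6Address(addr).exploded


def split_64(addr: str) -> Tuple[str, str]:
    """Split an address into its /64 subnet prefix and its 64-bit interface identifier (hex)."""
    n = int(ipaddress.IPv6Address(addr))
    iid_mask = (1 << 64) - 1
    prefix = ipaddress.IPv6Network((n & ~iid_mask, 64))  # low 64 bits cleared
    return str(prefix), f"{n & iid_mask:016x}"


def is_ipv4_mapped(addr: str) -> bool:
    """Check the bit layout directly: 80 zero bits, 16 one bits, then 32 bits of IPv4."""
    n = int(ipaddress.IPv6Address(addr))
    return (n >> 32) == 0xFFFF


def embedded_ipv4(addr: str) -> Optional[str]:
    """Return the IPv4 address carried in a mapped (::ffff:a.b.c.d) or 6to4 (2002::/16) address."""
    a = ipaddress.IPv6Address(addr)
    if a.ipv4_mapped is not None:
        return str(a.ipv4_mapped)
    if a.sixtofour is not None:
        return str(a.sixtofour)
    return None


def sixtofour_prefix(ipv4: str) -> str:
    """Derive a site's 6to4 /48 from its public IPv4 address: 2002:V4HI:V4LO::/48."""
    n = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Network(((0x2002 << 112) | (n << 80), 48)))


def classify(addr: str) -> str:
    """Name the address kind; mapped and 6to4 are checked first since they are also unicast."""
    a = ipaddress.IPv6Address(addr)
    if a.ipv4_mapped is not None:
        return "ipv4-mapped"
    if a.sixtofour is not None:
        return "6to4"
    if a.is_multicast:          # ff00::/8
        return "multicast"
    if a.is_link_local:         # fe80::/10
        return "link-local unicast"
    return "unicast"


def allowed(peer: str, allow: Set[str]) -> bool:
    """Allow-list check that folds an IPv4-mapped peer back to its IPv4 form,
    so ::ffff:a.b.c.d seen on a dual-stack socket matches an IPv4 entry."""
    a = ipaddress.ip_address(peer)
    if isinstance(a, ipaddress.IPv6Address) and a.ipv4_mapped is not None:
        a = a.ipv4_mapped
    return str(a) in allow


if __name__ == "__main__":
    # constructed sample addresses
    samples = ["112:ec9:97b4::9b3f:481:8445", "::ffff:192.0.2.128",
               "2002:c000:201::1", "ff02::2", "fe80::1"]
    for s in samples:
        print(f"{s:30} {classify(s):18} {expand(s)}  embedded={embedded_ipv4(s)}")
    print("6to4 prefix for 192.0.2.1:", sixtofour_prefix("192.0.2.1"))
    print("mapped peer allowed:", allowed("::ffff:192.0.2.128", {"192.0.2.128"}))
```

The classify() order matters: an IPv4-mapped or 6to4 address is also a unicast address, so the embedded-IPv4 checks run before the generic ones, and allowed() is the shape of check that prevents the mapped-address bypass mentioned above.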
If you have a host that is IPv6-only, keep in mind that it can only reach IPv4-only services through a dual-stack application-layer proxy (for example a web proxy), and that proxy must support both IPv4 and IPv6.

Problem trying to start the IPsec service

If you are trying to start your IPsec service after a Windows auto update rebooted your server and it did not come back up, simply try restarting the system again and see if IPsec loads.  I spent a lot of time troubleshooting the following error:
Could not start the IPSEC Services service on Local Computer. Error 10048: Only one usage of each socket address (protocol/network address/port) is normally permitted.
Error 10048 is WSAEADDRINUSE: the service could not bind a socket it needs (IKE uses UDP 500 and 4500) because another process, or a stale instance of the service, still held it, which is why a clean reboot clears it.  Then I decided to simply reboot, and this resolved the problem.  Had that not worked, I did find an article that explained how to reinstall the IPsec policy; I didn't run these commands, so use caution, but this was the best I could find.
  REG DELETE HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /F
  REG ADD HKLM\System\CurrentControlSet\Services\IPSEC /V Start /T REG_DWORD /F /D 1
  regsvr32 -s polstore.dll
The first command deletes the local IPsec policy store, the second sets the IPSEC service's start type to 1 (System start), and the third re-registers polstore.dll, which recreates the policy store.  Run them from an elevated command prompt and reboot afterwards.