Solved

Possible to connect to an IPv4 VPN server on T-Mobile with iOS?

  • 27 July 2018
  • 6 replies
  • 4006 views

I've got an iPhone 7 Plus, running the latest version of iOS (11.4.1).

Our VPN at work is provided by a Cisco Meraki device, which is IPv4 only. The VPN uses L2TP over IPSEC. It's configured and works fine on my phone if I'm connected via WiFi to an IPv4 network, but it won't connect when I'm on the T-Mobile LTE network, which is IPv6 only.

The question is: is this a fundamental limitation of IPv6 only, or is this a problem with T-Mobile's network? When I try to ping an IPv4-only address (either the address of our VPN server, or Google's public DNS at 8.8.8.8) while connected to the T-Mobile IPv6 only network, it works — T-Mobile seems to map the IPv4 address, presumably using NAT64, into its IPv6 network.

This RFC suggests that IPSEC won't work over NAT64 translation, but it was written back in 2014 — maybe someone has improved NAT64 since then? A newer (2016) RFC7915 says that while IPSEC AH won't work, IPSEC ESP over UDP can and should. Can anyone confirm that T-Mobile's NAT64 implementation can handle IPSEC ESP over UDP?

In any case, the problem at user-level is that T-Mobile's network can't support access to my company's VPN, which works over other internet connections. Will T-Mobile attempt to fix this?
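The NAT64 mapping the question describes can be checked from the client side: RFC 7050 discovers a network's NAT64 prefix by looking up ipv4only.arpa, and RFC 6052 defines how an IPv4 address is embedded in that prefix. The Python below is an added example, not part of the original thread. The VPN address 203.0.113.10 is a constructed placeholder, and the script shows only the address mapping, not whether IPsec passes through the translator.

```python
import ipaddress
import socket

# RFC 7050: ipv4only.arpa always resolves to these two IPv4 addresses.
WKA = {ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171")}
PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)  # the only lengths RFC 6052 allows


def _v4_octets(plen):
    """Byte positions that carry the IPv4 address; octet 8 is reserved and skipped."""
    return [i for i in range(plen // 8, 16) if i != 8][:4]


def embed(prefix, v4):
    """IPv6 address a NAT64 with this prefix uses to represent an IPv4 host."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in PREFIX_LENGTHS:
        raise ValueError("not an RFC 6052 prefix length: /%d" % net.prefixlen)
    raw = bytearray(net.network_address.packed)
    for pos, octet in zip(_v4_octets(net.prefixlen), ipaddress.IPv4Address(v4).packed):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))


def extract(v6, plen):
    """Inverse of embed(): recover the IPv4 address for a given prefix length."""
    raw = ipaddress.IPv6Address(v6).packed
    return ipaddress.IPv4Address(bytes(raw[i] for i in _v4_octets(plen)))


def find_prefix(aaaa_records):
    """Return the NAT64 prefix implied by AAAA answers for ipv4only.arpa, or None."""
    for rec in aaaa_records:
        for plen in PREFIX_LENGTHS:
            if extract(rec, plen) in WKA:
                return ipaddress.IPv6Network((rec, plen), strict=False)
    return None


def query_ipv4only_arpa():
    """Live lookup; an empty list means no AAAA was synthesized (no DNS64 seen)."""
    try:
        infos = socket.getaddrinfo("ipv4only.arpa", None, socket.AF_INET6)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    prefix = find_prefix(query_ipv4only_arpa())
    vpn = "203.0.113.10"  # constructed placeholder for the IPv4-only VPN server
    print("no NAT64 prefix found" if prefix is None else f"{vpn} -> {embed(prefix, vpn)}")
```

Run on the cellular connection, this prints the IPv6 address that traffic to the IPv4 VPN endpoint is actually sent to, which is the address to look for in a packet capture.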

Best answer by smplyunprdctble 27 July 2018, 16:36

6 replies

On Android, I can set my APN to be either IPv4, IPv6, or IPv4/IPv6.

I'd imagine the same option is available on iPhones.  I just don't know where.

I did some further research, and it's an Apple limitation.

They apparently won't let you connect to anything besides IPv6.

So, you'll have to take this up with Apple.

Apple to iOS devs: IPv6-only cell service is coming soon, get your apps ready | Ars Technica

I also have a Verizon iPhone and it connects to VPN just fine over Verizon. In fact, when I connect my iPad to my iPhone via hotspot, the iPad can also VPN. As soon as the iPad is back on T-Mobile LTE, it can no longer VPN. It's a myth that this is an Apple limitation.

@traxem has the correct answer. Confirmed with co-worker on AT&T who's running iOS. VPN works fine on AT&T's network, and apparently Verizon's as well. Does not work for me on T-Mobile.

While researching issues connecting to a PPTP VPN from my phone through the TMO network, I came across this post. While I am running Android, I figured the solution I found may help with iOS. Basically, the issue seems to be that the default APN is IPv6 on TMO while the VPN I am connecting to is IPv4. I found instructions for setting up an IPv4 APN on my phone, after which the VPN connects. The instruction link is here: https://www.myopenrouter.com/article/vpn-connections-not-working-t-mobile-heres-how-fix . I believe that the MMSC URL in the instructions got fat-fingered at the end; I entered .../wapenc (which is the default APN URL on the existing APN) at the end instead of "wapeinc". Otherwise, I followed the instructions as-is and it worked for me.

On my Mac OS X I run a DNS script that adds the IPv4 resolving by re-adding my company's DNS entries. Somehow with the switch the VPN's our IPv4 DNS entry gets removed.

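# Find the first Setup: key in the dynamic store that holds a DNS configuration
DNS_SETUP=$(echo list | scutil | grep DNS$ | grep Setup | head -1 | awk '{ print $4 }')

# Write the scutil commands to a file; the shell expands $DNS_SETUP here
cat > ~/.dns.setup <<EOF
# https://apple.stackexchange.com/questions/324584/how-to-change-nameserver-in-resolv-conf-in-recovery-mode
list
get $DNS_SETUP
# adding the company's DNS settings ("*" tells scutil the value is an array)
d.add ServerAddresses * 192.x.y.z 192.y.x.z etc
set $DNS_SETUP
EOF
# Feed the commands to scutil as root so the change is applied
cat ~/.dns.setup | sudo scutil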
