Galen Gruman
Executive Editor for Global Content

iOS 9 breaks VPNs, prevents server access for many

Sep 21, 2015
3 mins
Apple, Cisco Systems, Mobile Security

Cisco AnyConnect and other VPNs may or may not work for your servers, as Apple breaks split-tunnel compatibility

Apple’s iOS 9 has several features meant to increase its strong enterprise-grade security. But it also breaks a key security method: VPN connections to some corporate servers. As a result, users won’t be able to access some servers over some VPN connections — but they’ll be able to access other servers with no problem.

The bug appeared in iOS 9’s beta. It was not fixed in the final version of iOS 9, and it is not fixed in the current beta of iOS 9.1.

Here’s what Cisco has reported about the bug:

We have noticed a couple of OS regressions between iOS 8.4.1 and iOS 9 that have been reported to Apple. Most notable is that when doing split tunneling, the Tunnel All DNS option no longer functions as expected. This was reported to Apple under Radar # 22558059. This is not resolved in the iOS 9 release.

As a result, depending on your network setup, DNS resolution won’t succeed for some servers. Thus, some of your corporate servers will no longer be available to users who successfully sign in via the VPN, but other servers will remain available. The availability is not random — if a server isn’t available due to this bug, it stays unavailable.

The bug does not affect connections to servers from within corporate networks, so users will be able to access your internal servers as expected. It’s only when using the VPN that the access is no longer certain.

The bug affects all VPN connections, not only those made from the widely used Cisco AnyConnect client. There are reports from people using other providers’ VPNs or even iOS’s built-in VPN that their VPN connections — all IPSec in the reports I’ve seen — have similar problems.

The last safe iOS version in terms of proper VPN operation is iOS 8.4.1. But iPads, iPhones, and iPod Touches updated to iOS 9 cannot easily be rolled back to prior iOS releases, leaving many users stranded when it comes to reliable VPN access.

To roll back to iOS 8.4.1, you must have backed up your iOS device in iTunes — not iCloud — before you installed iOS 9, then Option-click or Alt-click the Restore Backup button in iTunes’s Summary Settings window for your iOS device to select the iOS 8.4 .ipsw backup file, which is stored in a subfolder of your iTunes folder. These iOS backups are purged periodically, so your .ipsw file may no longer be available. Although the .ipsw files are often posted at websites, those downloads may be jailbroken versions containing malware.

This bug does not affect the Mac’s OS X operating system, including the golden master version of OS X 10.11 El Capitan or the OS X 11.1 beta now in the hands of developers. (El Capitan is due for final release by October.)