VPN on Demand is a clever Apple feature that lets a VPN connection be initiated without going into Settings or even leaving the application you want to use. It is only available with certificate-based VPNs, which are traditionally the hardest type to set up. Luckily, iSimplyConnect includes everything you need to use this feature, even if you only have one or two iOS devices.
VPN on Demand is keyed on the domain name you are trying to access. Using the iSimplyConnect web console, you can set a list of 'VPN Domains' and specify how each should be handled. The iSimplyConnect App takes care of distributing these to your devices.
There are two states that you can configure for each VPN on Demand domain that you specify: 'Always' and 'Establish if Needed'.
Always: Initiates a VPN connection for any address that matches the specified domain.
Establish if needed: Initiates a VPN connection for addresses that match the specified domain only after a DNS lookup for that address has failed.
The first does exactly what you might think: any request for a resource in that domain brings the VPN up. The examples below show that matching is a suffix match on the hostname, so the leading period matters. A VPN on Demand domain of ".asavie.com" matches "support.asavie.com" and "partners.asavie.com" but does not match "getasavie.com". Specify "asavie.com" instead (notice there is no period at the start) and "getasavie.com" matches too, because the rule is now a plain suffix. Always is the right choice when every access to a given domain must go via the VPN; most commonly this applies to business apps such as SalesForce.com that you need to reach via your office network.
Establish if needed is cleverer still. In this mode the iOS device first attempts a DNS lookup for the chosen resource; if resolution succeeds the VPN is not dialled, and only a failed lookup brings it up. This setting is for resources that are sometimes local to the device and sometimes remote, e.g. your SharePoint or intranet server: on campus or office Wi-Fi the name resolves and the VPN is left alone; elsewhere the lookup fails and the VPN comes up. Two things follow from this. The name must not resolve from outside the office (if it has a public DNS record the VPN will never dial for it), and the decision is made using whichever DNS server the current network hands the device.
It's worth noting that LDAP connections won't initiate a VPN connection: if the VPN hasn't already been established by another application, such as Safari, the LDAP lookup fails. Similarly, the ActiveSync push-mail client won't invoke the VPN, whether or not the ActiveSync server is listed as a VPN domain. Lastly, some older applications don't use iOS's VPN-aware APIs, so you may find the occasional app that ignores your VPN on Demand settings.
While the VPN is established, all traffic is routed via the secure link, including traffic to domains that are not listed (i.e. the iOS VPN does not implement split tunnelling). For this reason, if your VPN host network doesn't allow internet access, you may find that internet access from the device is unavailable whilst the VPN is up.
Finally, at the time of writing (iOS 5.1), it appears that domains ending in '.local' DO NOT cause the VPN to auto-dial. '.local' is the domain reserved for Bonjour (multicast DNS) name resolution, so give internal servers that should auto-dial a name under a different domain.
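The matching and dialling behaviour described above (leading-period versus bare-domain matching, Always versus Establish if needed, and the '.local' exception) can be checked against a candidate VPN Domains list before it is pushed to devices. The following is an added example written for this page; it is not iSimplyConnect or Apple code. The rule list, the hostnames and the two "networks" are constructed, the DNS resolver is a stand-in dictionary rather than a real lookup, and giving Always precedence when both kinds of rule match a host is an assumption the page does not state.

```python
"""Model of the VPN on Demand domain matching described on this page.

Added example, not iSimplyConnect or Apple code. It encodes the page's rules:
matching is a suffix match on the hostname, so a leading period restricts a
rule to hosts under that domain; 'Always' dials on any match; 'Establish if
needed' dials only after the DNS lookup fails; and names ending in '.local'
never dial (the iOS 5.1 behaviour noted on the page). Giving 'Always'
precedence when both kinds of rule match is an assumption.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterable, List, Optional, Set


class Mode(Enum):
    ALWAYS = "Always"
    IF_NEEDED = "Establish if needed"


@dataclass(frozen=True)
class VpnDomain:
    domain: str  # e.g. ".asavie.com" (hosts under it) or "asavie.com" (any suffix)
    mode: Mode


def _norm(host: str) -> str:
    """Lower-case and drop a trailing dot so 'Intranet.Example.com.' compares cleanly."""
    return host.strip().lower().rstrip(".")


def domain_matches(rule_domain: str, host: str) -> bool:
    """Plain suffix match on the hostname, as the page describes it.

    ".asavie.com" matches "support.asavie.com" but not "getasavie.com";
    "asavie.com" (no leading period) matches "getasavie.com" as well.
    """
    return _norm(host).endswith(_norm(rule_domain))


def should_dial(rules: Iterable[VpnDomain], host: str,
                dns_resolves: Callable[[str], bool]) -> Optional[Mode]:
    """Return the mode that triggers a dial for `host`, or None if no dial.

    `dns_resolves` stands in for the device's lookup on the current network;
    it is only consulted when an 'Establish if needed' rule matches.
    """
    h = _norm(host)
    if h == "local" or h.endswith(".local"):
        return None  # .local names never auto-dial (page, iOS 5.1)
    matched: List[VpnDomain] = [r for r in rules if domain_matches(r.domain, h)]
    if any(r.mode is Mode.ALWAYS for r in matched):
        return Mode.ALWAYS  # assumption: Always outranks Establish if needed
    if any(r.mode is Mode.IF_NEEDED for r in matched) and not dns_resolves(h):
        return Mode.IF_NEEDED
    return None


def make_resolver(resolvable: Set[str]) -> Callable[[str], bool]:
    """Constructed stand-in for DNS: True if the name resolves on this network.
    No real lookups are made."""
    names = {_norm(n) for n in resolvable}
    return lambda host: _norm(host) in names


# Constructed sample 'VPN Domains' list, as it might be entered in the console.
RULES = [
    VpnDomain(".asavie.com", Mode.ALWAYS),              # any host under asavie.com
    VpnDomain("intranet.example.com", Mode.IF_NEEDED),  # only when not resolvable locally
    VpnDomain(".local", Mode.ALWAYS),                   # looks valid, but is ignored by iOS 5.1
]

# Two constructed networks: on campus the intranet name resolves, off campus it does not.
ON_CAMPUS = make_resolver({"intranet.example.com", "www.example.com"})
OFF_CAMPUS = make_resolver({"www.example.com"})


def evaluate(rules: Iterable[VpnDomain], hosts: Iterable[str],
             dns_resolves: Callable[[str], bool]) -> Dict[str, Optional[str]]:
    """Map each host to the mode name that dials the VPN, or None."""
    rule_list = list(rules)
    out: Dict[str, Optional[str]] = {}
    for h in hosts:
        m = should_dial(rule_list, h, dns_resolves)
        out[h] = m.value if m else None
    return out


if __name__ == "__main__":
    hosts = ["support.asavie.com", "getasavie.com", "intranet.example.com",
             "www.example.com", "fileserver.local"]
    for label, net in (("on campus", ON_CAMPUS), ("off campus", OFF_CAMPUS)):
        print(f"--- {label} ---")
        for host, mode in evaluate(RULES, hosts, net).items():
            print(f"{host:24s} -> {mode or 'no dial'}")
```

Running it shows "support.asavie.com" dialling on both networks, "intranet.example.com" dialling only off campus, "getasavie.com" never dialling (the leading period excludes it), and "fileserver.local" never dialling despite the ".local" Always rule. Swap in your own list and hostnames to see which rules fire before rolling them out.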