
iPad & iPhone VPN to Cisco Router


dunninth

IS-IT--Management
Jan 26, 2009
I have Cisco 1811 router. I have a VPN set up for both a local Windows client and also Webconnect. It has been running smoothly for some time.

Now I need to be able to support Apple iPads & iPhones. My first attempts were unsuccessful. The iPad would connect and be authenticated (verified on my server) but would disconnect saying that negotiation with the router failed.

Is there anything on the router that I need to change/add?

Below is my config. Items in brackets are replaced for security and public IPs are x'd out.

Thanks - Tom
--------------------------------------------------------------

Using 7125 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1800
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 [password]
!
aaa new-model
!
!
aaa authentication login vpnclient group radius local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 group radius local
aaa authorization network authorize_vpn_list local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
ip domain name Reillyww.com
ip name-server 64.115.0.9
ip name-server 64.115.0.10
!
!
crypto pki trustpoint TP-self-signed-649839349
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-649839349
revocation-check none
rsakeypair TP-self-signed-649839349
!
!
crypto pki certificate chain TP-self-signed-649839349
certificate self-signed 01 nvram:IOS-Self-Sig#3904.cer
username [admin1] privilege 15 secret 5 [password]
username [admin2] privilege 15 secret 5 [password]
username [user1] secret 5 [password]
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 20 3
!
crypto isakmp client configuration group rww_vpn_group
key [MyKey]
dns 192.168.5.12
domain [MyCompany.com]
pool VPN_pool
acl 100
firewall are-u-there
include-local-lan
max-logins 9
crypto isakmp profile sdm-ike-profile-1
match identity group [vpn_group_name]
client authentication list vpnclient
isakmp authorization list authorize_vpn_list
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set rww_transform_set esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map VPN_dynamic_map 10
set transform-set rww_transform_set
!
!
crypto map VPN_static_map client authentication list vpnclient
crypto map VPN_static_map isakmp authorization list authorize_vpn_list
crypto map VPN_static_map client configuration address respond
crypto map VPN_static_map 1000 ipsec-isakmp dynamic VPN_dynamic_map
!
!
!
!
interface FastEthernet0
description $ETH-LAN$
ip address 64.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
ip address 192.168.2.1 255.255.255.0 secondary
ip address 192.168.5.1 255.255.255.0
ip helper-address 192.168.2.1
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip local pool VPN_pool 192.168.5.20 192.168.5.30
ip route 0.0.0.0 0.0.0.0 64.x.x.x
ip route 192.168.2.0 255.255.255.0 Vlan1
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 60000
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool NAS_Pool 192.168.5.249 192.168.5.249 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.5.251 80 64.x.x.x 80 extendable
ip nat inside source static tcp 192.168.5.251 143 64.x.x.x 143 extendable
ip nat inside source static tcp 192.168.5.251 443 64.x.x.x 443 extendable
ip nat inside source static 192.168.5.251 64.x.x.x
ip nat inside source static tcp 192.168.5.9 21 64.x.x.x 21 extendable
ip nat inside source static tcp 192.168.5.251 80 64.x.x.x 80 extendable
ip nat inside source static tcp 192.168.5.251 110 64.x.x.x 110 extendable
ip nat inside source static tcp 192.168.5.251 143 64.x.x.x 143 extendable
ip nat inside source static tcp 192.168.5.251 443 64.x.x.x 443 extendable
ip nat inside source static tcp 192.168.5.251 587 64.x.x.x 587 extendable
ip nat inside source static tcp 192.168.5.251 993 64.x.x.x 993 extendable
ip nat inside source static tcp 192.168.5.172 50000 64.x.x.x 50000 extendable
ip nat inside source static tcp 192.168.5.252 50001 64.x.x.x 50001 extendable
ip nat inside source static tcp 192.168.5.241 80 64.x.x.x 50002 extendable
ip nat inside source static tcp 192.168.5.240 80 64.x.x.x 50003 extendable
ip nat inside source static tcp 192.168.5.5 51020 64.x.x.x 51020 extendable

!
ip access-list extended NAS_Dest_List
permit tcp any any range 33000 45000
ip access-list extended sdm_vlan1_out
remark SDM_ACL Category=1
permit ip any any
ip access-list extended splitremote
remark SDM_ACL Category=16
permit ip 192.168.5.0 0.0.0.255 any
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
!
!
!
!
radius-server host 192.168.5.12 auth-port 1645 acct-port 1646 key CiscoRadius
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to
-----------------------------------------------------------------------
^C
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
!
webvpn gateway gateway_1
ip address 64.x.x.x port 443
http-redirect port 80
ssl trustpoint TP-self-signed-649839349
inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
!
webvpn context [companySSL]
title-color #CCCC66
secondary-color white
text-color black
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "VPN_pool"
svc default-domain "[MyCompany.com]"
svc keep-client-installed
svc dns-server primary 192.168.5.12
default-group-policy policy_1
aaa authentication list sdm_vpn_xauth_ml_2
gateway gateway_1
max-users 100
inservice
!
end
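Added here as an editor's example, not the poster's code or a Cisco tool: a small Python script that parses an unindented IOS config paste like the one above and flags the IKE policy, transform-set and vty settings a reviewer would question before troubleshooting a client. The sample config is constructed from the posted lines; for a policy that omits `encr` or `group` the script assumes the IOS defaults of DES and group 1.

```python
import re
# Constructed sample: the IKE, IPsec and vty lines from the config posted
# above, pasted without indentation just as the forum shows them.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
encr aes
group 2
!
crypto ipsec transform-set rww_transform_set esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
line vty 0 4
transport input telnet ssh
"""
# Headers whose sub-commands matter here; a "!" line closes any open block.
HEADER = re.compile(r"^(crypto isakmp policy \d+|line vty \d+ \d+)$")
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}

def parse_blocks(text):
    # Group lines into (header, [sub-commands]); top-level lines get header "".
    blocks, header, body = [], "", []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "!" or HEADER.match(line):
            blocks.append((header, body))
            header, body = ("" if line == "!" else line), []
        else:
            body.append(line)
    blocks.append((header, body))
    return [b for b in blocks if b[1]]

def audit(text):
    # Return (where, finding) pairs for settings a reviewer would question.
    out = []
    for header, body in parse_blocks(text):
        if header.startswith("crypto isakmp policy"):
            opts = dict(l.split(None, 1) for l in body if " " in l)
            group, encr = opts.get("group", "1"), opts.get("encr", "des")  # IOS defaults
            if group in ("1", "2"):
                out.append((header, "DH group %s; prefer group 14 or stronger" % group))
            if encr in ("des", "3des"):
                out.append((header, "encryption %s; prefer aes" % encr))
        elif header.startswith("line vty"):
            if any(l.startswith("transport input") and "telnet" in l.split() for l in body):
                out.append((header, "telnet accepted; restrict transport input to ssh"))
        else:
            for l in body:
                if l.startswith("crypto ipsec transform-set"):
                    if weak := WEAK_ESP & set(l.split()[4:]):
                        out.append((l.split()[3], "weak transform: " + ", ".join(sorted(weak))))
    return out
```

Run `audit(SAMPLE_CONFIG)` to see the three findings; the same function works on a full `show running-config` paste because unrelated blocks are simply ignored.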