Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
IPAD Connecting to ASA
- Thread starter jafris
- Start date
intelwizrd
IS-IT--Management
I have a number of users with iPhones and iPads connecting to an ASA5520 via an IPSec VPN with Radius User Authentication to our AD domain. We had to create a separate VPN group for the iPhones when we added them and the iPad uses the same group. What do you have so far or what seems to be the problem?
intelwizrd
IS-IT--Management
Here are some links to point you in the right direction. Both are based on v8.0 or later.
- Thread starter
- #4
Thanks intelwizrd,
I have the second cisco link you send and did implemented the Config they showed, but I was immediately droped off by the ASA. When I searched on the error details, they pointed to Check the ISAKMP and crypto map configuration on both peers.
I am using ASA IOS 8.0(4)which is pretty much the one needed.
I wonder if I need to create a cryptomap do I need to assign it to the external interface also, if yes will it effect existing SSL users.
Also Please let me know if the Preshare key relates to the secret in the IPAD VPN configuration
The first link is very help full.
I have the second cisco link you send and did implemented the Config they showed, but I was immediately droped off by the ASA. When I searched on the error details, they pointed to Check the ISAKMP and crypto map configuration on both peers.
I am using ASA IOS 8.0(4)which is pretty much the one needed.
I wonder if I need to create a cryptomap do I need to assign it to the external interface also, if yes will it effect existing SSL users.
Also Please let me know if the Preshare key relates to the secret in the IPAD VPN configuration
The first link is very help full.
intelwizrd
IS-IT--Management
Yes, the preshared key is what you put into the "Secret" field on the IPSec VPN config.
Also, I just noticed that you can configure for AES-256 instead of 3des if you want. Seems to work with latest IOS. I am going to try a few things on my firewall in the morning and will post the relevant config for connecting an iPhone/iPad.
Also, I just noticed that you can configure for AES-256 instead of 3des if you want. Seems to work with latest IOS. I am going to try a few things on my firewall in the morning and will post the relevant config for connecting an iPhone/iPad.
intelwizrd
IS-IT--Management
Here is a config that should work. Note my ASA version number and that all devices are running the latest IOS.
I have it set to authenticate to our domain controllers and use local accounts as a backup in case they go down. With this config (and extra groups not shown) we have iPhones and iPads connecting via IPSec as well as PCs and MACs connecting with the Cisco IPSec client (and anyconnect clients as well). All connections seem to be using AES-256 as far as I can tell. When I first set this up, the iPhone had to use 3DES.
Also, I removed a couple of lines related to the initial config I did for the iPhone with 3DES. I will be testing after removing them from my running config tomorrow morning, this will be end result.
I have it set to authenticate to our domain controllers and use local accounts as a backup in case they go down. With this config (and extra groups not shown) we have iPhones and iPads connecting via IPSec as well as PCs and MACs connecting with the Cisco IPSec client (and anyconnect clients as well). All connections seem to be using AES-256 as far as I can tell. When I first set this up, the iPhone had to use 3DES.
Also, I removed a couple of lines related to the initial config I did for the iPhone with 3DES. I will be testing after removing them from my running config tomorrow morning, this will be end result.
Code:
!
ASA Version 8.2(2)4
!
ip local pool iphonepool 10.10.10.224-10.10.10.239 mask 255.255.255.240
!
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 10.10.7.100
key ******
aaa-server partnerauth (inside) host 10.10.7.101
key ******
!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
!
group-policy iphone internal
group-policy iphone attributes
dns-server value 10.10.7.100 10.10.7.102
vpn-tunnel-protocol IPSec
password-storage enable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
default-domain value lan.local
!
tunnel-group iphone type remote-access
tunnel-group iphone general-attributes
address-pool iphonepool
authentication-server-group partnerauth LOCAL
default-group-policy iphone
tunnel-group iphone ipsec-attributes
pre-shared-key iphonetest
tunnel-group iphone ppp-attributes
authentication ms-chap-v2
!intelwizrd
IS-IT--Management
When I said all devices are running the latest IOS, I meant the Apple IOS.
intelwizrd
IS-IT--Management
I removed the lines this morning to bring my config inline with what I posted yesterday. My VPN clients and devices are both connecting using AES-256.
When you add the VPN configuration to the iPad/iPhone with the above example:
IPSec VPN
Description: RAVPN
Server: (domain name or IP of the outside interface)
Account: (user account name)
Password: can leave blank for now
Use Certificate: OFF
Group Name: iphone
Secret: iphonetest (in my example above)
Proxy: OFF
When the VPN is started, it should prompt for a username (prefilled with what you put in when setting it up) and a password. If it doesn't prompt then something is wrong with the setup and the VPN tunnel is not being set up correctly.
When you add the VPN configuration to the iPad/iPhone with the above example:
IPSec VPN
Description: RAVPN
Server: (domain name or IP of the outside interface)
Account: (user account name)
Password: can leave blank for now
Use Certificate: OFF
Group Name: iphone
Secret: iphonetest (in my example above)
Proxy: OFF
When the VPN is started, it should prompt for a username (prefilled with what you put in when setting it up) and a password. If it doesn't prompt then something is wrong with the setup and the VPN tunnel is not being set up correctly.
- Thread starter
- #9
intelwizrd
IS-IT--Management
I had a custom map for the iPhone when it first came out and I needed a custom config. When you posted your question I did some looking at the established VPN connections and noticed that they were using the same config as our VPN clients so I took it out. I have also changed the order of preference in the crypto map to prefer AES-256.
Hope it works for you.
Hope it works for you.
Hi intelwizrd,
I have a Cisco 1812 with Easy VPN server configures, and everything works fine with Cisco VPN Client on windows, but I cant connect with Iphone/Ipad. It pops up with user credentials, but whatever I type it fails.
Is there anything Im missing ?
Debug crypto isakmp gives me this, when a Iphone tries to connect:
*Oct 13 12:55:42.705: ISAKMP (0): received packet from 109.57.11.247 dport 500 sport 500 Global (N) NEW SA
*Oct 13 12:55:42.705: ISAKMP: Created a peer struct for 109.57.11.247, peer port 500
*Oct 13 12:55:42.705: ISAKMP: New peer created peer = 0x8814ED04 peer_handle = 0x80000026
*Oct 13 12:55:42.705: ISAKMP: Locking peer struct 0x8814ED04, refcount 1 for crypto_isakmp_process_block
*Oct 13 12:55:42.705: ISAKMP: local port 500, remote port 500
*Oct 13 12:55:42.705: ISAKMP
0):insert sa successfully sa = 85B764D4
*Oct 13 12:55:42.705: ISAKMP0): processing SA payload. message ID = 0
*Oct 13 12:55:42.705: ISAKMP0): processing ID payload. message ID = 0
*Oct 13 12:55:42.705: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : Sindby
protocol : 0
port : 0
length : 14
*Oct 13 12:55:42.705: ISAKMP0):: peer matches sdm-ike-profile-1 profile
*Oct 13 12:55:42.705: ISAKMP0):Setting client config settings 86DAF750
*Oct 13 12:55:42.705: ISAKMP0)Re)Setting client xauth list and state
*Oct 13 12:55:42.705: ISAKMP/xauth: initializing AAA request
*Oct 13 12:55:42.705: ISAKMP0): processing vendor id payload
*Oct 13 12:55:42.705: ISAKMP0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct 13 12:55:42.705: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 13 12:55:42.705: ISAKMP0): processing vendor id payload
*Oct 13 12:55:42.705: ISAKMP0): vendor ID seems Unity/DPD but major 198 mismatch
*Oct 13 12:55:42.705: ISAKMP0): processing vendor id payload
*Oct 13 12:55:42.705: ISAKMP0): vendor ID seems Unity/DPD but major 29 mismatch
*Oct 13 12:55:42.705: ISAKMP0): processing vendor id payload
*Oct 13 12:55:42.705: ISAKMP0): vendor ID seems Unity/DPD but major 245 mismatch
*Oct 13 12:55:42.705: ISAKMP (0): vendor ID is NAT-T v7
*Oct 13 12:55:42.705: ISAKMP0): processing vendor id payload
*Oct 13 12:55:42.705: ISAKMP0): vendor ID seems Unity/DPD but major 114 mismatch
*Oct 13 12:55:42.705: ISAKMP0): processing vendor id payload
*Oct 13 12:55:42.705: ISAKMP0): vendor ID seems Unity/DPD but major 227 mismatch
*Oct 13 12:55:42.705: ISAKMP0): processing vendor id payload
*Oct 13 12:55:42.705: ISAKMP0): vendor ID seems Unity/DPD but major 250 mismatch
*Oct 13 12:55:42.705: ISAKMP0): processing vendor id payload
*Oct 13 12:55:42.705: ISAKMP0): vendor ID seems Unity/DPD but major 157 mismatch
*Oct 13 12:55:42.705: ISAKMP0): vendor ID is NAT-T v3
*Oct 13 12:55:42.705: ISAKMP0): processing vendor id payload
*Oct 13 12:55:42.705: ISAKMP0): vendor ID seems Unity/DPD but major 164 mismatch
*Oct 13 12:55:42.705: ISAKMP0): processing vendor id payload
*Oct 13 12:55:42.705: ISAKMP0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 13 12:55:42.705: ISAKMP0): vendor ID is NAT-T v2
*Oct 13 12:55:42.705: ISAKMP0): processing vendor id payload
*Oct 13 12:55:42.705: ISAKMP0): vendor ID seems Unity/DPD but major 242 mismatch
*Oct 13 12:55:42.705: ISAKMP0): vendor ID is XAUTH
*Oct 13 12:55:42.705: ISAKMP0): processing vendor id payload
*Oct 13 12:55:42.705: ISAKMP0): vendor ID is Unity
*Oct 13 12:55:42.705: ISAKMP0): processing vendor id payload
*Oct 13 12:55:42.705: ISAKMP0): vendor ID is DPD
*Oct 13 12:55:42.705: ISAKMP0): Authentication by xauth preshared
*Oct 13 12:55:42.705: ISAKMP0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 13 12:55:42.705: ISAKMP: life type in seconds
*Oct 13 12:55:42.705: ISAKMP: life duration (basic) of 3600
*Oct 13 12:55:42.705: ISAKMP: encryption AES-CBC
*Oct 13 12:55:42.705: ISAKMP: keylength of 256
*Oct 13 12:55:42.705: ISAKMP: auth XAUTHInitPreShared
*Oct 13 12:55:42.705: ISAKMP: hash SHA
*Oct 13 12:55:42.705: ISAKMP: default group 2
*Oct 13 12:55:42.705: ISAKMP0):Encryption algorithm offered does not match policy!
*Oct 13 12:55:42.705: ISAKMP0):atts are not acceptable. Next payload is 3
*Oct 13 12:55:42.705: ISAKMP0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 13 12:55:42.705: ISAKMP: life type in seconds
*Oct 13 12:55:42.705: ISAKMP: life duration (basic) of 3600
*Oct 13 12:55:42.705: ISAKMP: encryption AES-CBC
*Oct 13 12:55:42.705: ISAKMP: keylength of 128
*Oct 13 12:55:42.705: ISAKMP: auth XAUTHInitPreShared
*Oct 13 12:55:42.705: ISAKMP: hash SHA
*Oct 13 12:55:42.705: ISAKMP: default group 2
*Oct 13 12:55:42.705: ISAKMP0):Encryption algorithm offered does not match policy!
*Oct 13 12:55:42.705: ISAKMP0):atts are not acceptable. Next payload is 3
*Oct 13 12:55:42.705: ISAKMP0):Checking ISAKMP transform 3 against priority 1 policy
*Oct 13 12:55:42.705: ISAKMP: life type in seconds
*Oct 13 12:55:42.705: ISAKMP: life duration (basic) of 3600
*Oct 13 12:55:42.705: ISAKMP: encryption AES-CBC
*Oct 13 12:55:42.705: ISAKMP: keylength of 256
*Oct 13 12:55:42.705: ISAKMP: auth XAUTHInitPreShared
*Oct 13 12:55:42.705: ISAKMP: hash MD5
*Oct 13 12:55:42.705: ISAKMP: default group 2
*Oct 13 12:55:42.709: ISAKMP0):Encryption algorithm offered does not match policy!
*Oct 13 12:55:42.709: ISAKMP0):atts are not acceptable. Next payload is 3
*Oct 13 12:55:42.709: ISAKMP0):Checking ISAKMP transform 4 against priority 1 policy
*Oct 13 12:55:42.709: ISAKMP: life type in seconds
*Oct 13 12:55:42.709: ISAKMP: life duration (basic) of 3600
*Oct 13 12:55:42.709: ISAKMP: encryption AES-CBC
*Oct 13 12:55:42.709: ISAKMP: keylength of 128
*Oct 13 12:55:42.709: ISAKMP: auth XAUTHInitPreShared
*Oct 13 12:55:42.709: ISAKMP: hash MD5
*Oct 13 12:55:42.709: ISAKMP: default group 2
*Oct 13 12:55:42.709: ISAKMP0):Encryption algorithm offered does not match policy!
*Oct 13 12:55:42.709: ISAKMP0):atts are not acceptable. Next payload is 3
*Oct 13 12:55:42.709: ISAKMP0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 13 12:55:42.709: ISAKMP: life type in seconds
*Oct 13 12:55:42.709: ISAKMP: life duration (basic) of 3600
*Oct 13 12:55:42.709: ISAKMP: encryption 3DES-CBC
*Oct 13 12:55:42.709: ISAKMP: auth XAUTHInitPreShared
*Oct 13 12:55:42.709: ISAKMP: hash SHA
*Oct 13 12:55:42.709: ISAKMP: default group 2
*Oct 13 12:55:42.709: ISAKMP0):atts are acceptable. Next payload is 3
*Oct 13 12:55:42.709: ISAKMP0):Acceptable atts:actual life: 86400
*Oct 13 12:55:42.709: ISAKMP0):Acceptable atts:life: 0
*Oct 13 12:55:42.709: ISAKMP0):Basic life_in_seconds:3600
*Oct 13 12:55:42.709: ISAKMP0):Returning Actual lifetime: 3600
*Oct 13 12:55:42.709: ISAKMP0)::Started lifetime timer: 3600.
*Oct 13 12:55:42.709: ISAKMP0): processing KE payload. message ID = 0
*Oct 13 12:55:42.733: ISAKMP0): processing NONCE payload. message ID = 0
*Oct 13 12:55:42.733: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 13 12:55:42.733: ISAKMP (0): vendor ID is NAT-T v7
*Oct 13 12:55:42.733: ISAKMP0): vendor ID is NAT-T v3
*Oct 13 12:55:42.733: ISAKMP0): vendor ID is NAT-T v2
*Oct 13 12:55:42.733: ISAKMP0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Oct 13 12:55:42.733: ISAKMP0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
*Oct 13 12:55:42.733: ISAKMP2026): constructed NAT-T vendor-rfc3947 ID
*Oct 13 12:55:42.733: ISAKMP2026):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
*Oct 13 12:55:42.733: ISAKMP (2026): ID payload
next-payload : 10
type : 1
address : xx.xxx.xx.xx
protocol : 0
port : 0
length : 12
*Oct 13 12:55:42.733: ISAKMP2026):Total payload length: 12
*Oct 13 12:55:42.737: ISAKMP2026): sending packet to 109.57.11.247 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Oct 13 12:55:42.737: ISAKMP2026):Sending an IKE IPv4 Packet.
*Oct 13 12:55:42.737: ISAKMP2026):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
*Oct 13 12:55:42.737: ISAKMP2026):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
*Oct 13 12:55:43.537: ISAKMP (2026): received packet from 109.57.11.247 dport 500 sport 500 Global (R) AG_INIT_EXCH
*Oct 13 12:55:43.537: ISAKMP2026): processing HASH payload. message ID = 0
*Oct 13 12:55:43.537: ISAKMP:received payload type 20
*Oct 13 12:55:43.537: ISAKMP (2026): His hash no match - this node outside NAT
*Oct 13 12:55:43.537: ISAKMP:received payload type 20
*Oct 13 12:55:43.537: ISAKMP (2026): No NAT Found for self or peer
*Oct 13 12:55:43.537: ISAKMP2026): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 0x85B764D4
*Oct 13 12:55:43.537: ISAKMP2026):SA authentication status:
authenticated
*Oct 13 12:55:43.537: ISAKMP2026):SA has been authenticated with 109.57.11.247
*Oct 13 12:55:43.537: ISAKMP2026):SA authentication status:
authenticated
*Oct 13 12:55:43.537: ISAKMP2026): Process initial contact,
bring down existing phase 1 and 2 SA's with local xx.xxx.xx.xx remote 109.57.11.247 remote port 500
*Oct 13 12:55:43.541: ISAKMP2026):returning IP addr to the address pool
*Oct 13 12:55:43.541: ISAKMP: Trying to insert a peer xx.xxx.xx.xx/109.57.11.247/500/, and inserted successfully 8814ED04.
*Oct 13 12:55:43.541: ISAKMP2026):Returning Actual lifetime: 3600
*Oct 13 12:55:43.541: ISAKMP: set new node -1870316501 to CONF_XAUTH
*Oct 13 12:55:43.541: ISAKMP2026):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 2255271000, message ID = -1870316501
*Oct 13 12:55:43.541: ISAKMP2026): sending packet to 109.57.11.247 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 13 12:55:43.541: ISAKMP2026):Sending an IKE IPv4 Packet.
*Oct 13 12:55:43.541: ISAKMP2026)urging node -1870316501
*Oct 13 12:55:43.541: ISAKMP: Sending phase 1 responder lifetime 3600
*Oct 13 12:55:43.541: ISAKMP2026):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Oct 13 12:55:43.541: ISAKMP2026):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
*Oct 13 12:55:43.541: ISAKMP2026):Need XAUTH
*Oct 13 12:55:43.541: ISAKMP: set new node -1846708170 to CONF_XAUTH
*Oct 13 12:55:43.541: ISAKMP/xauth: request attribute XAUTH_TYPE_V2
*Oct 13 12:55:43.541: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Oct 13 12:55:43.541: ISAKMP/xauth: request attribute XAUTH_DOMAIN_V2
*Oct 13 12:55:43.541: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Oct 13 12:55:43.541: ISAKMP2026): initiating peer config to 109.57.11.247. ID = -1846708170
*Oct 13 12:55:43.541: ISAKMP2026): sending packet to 109.57.11.247 my_port 500 peer_port 500 (R) CONF_XAUTH
*Oct 13 12:55:43.541: ISAKMP2026):Sending an IKE IPv4 Packet.
*Oct 13 12:55:43.541: ISAKMP2026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Oct 13 12:55:43.541: ISAKMP2026):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
*Oct 13 12:55:52.237: ISAKMP (2026): received packet from 109.57.11.247 dport 500 sport 500 Global (R) CONF_XAUTH
*Oct 13 12:55:52.237: ISAKMP: set new node -935085502 to CONF_XAUTH
*Oct 13 12:55:52.237: ISAKMP2026): processing HASH payload. message ID = -935085502
*Oct 13 12:55:52.237: ISAKMP2026): processing DELETE payload. message ID = -935085502
*Oct 13 12:55:52.237: ISAKMP2026)eer does not do paranoid keepalives.
*Oct 13 12:55:52.237: ISAKMP2026)eer does not do paranoid keepalives.
*Oct 13 12:55:52.237: ISAKMP2026):deleting SA reason "No reason" state (R) CONF_XAUTH (peer 109.57.11.247)
*Oct 13 12:55:52.237: ISAKMP2026):deleting node -935085502 error FALSE reason "Informational (in) state 1"
*Oct 13 12:55:52.237: ISAKMP: set new node 1554826523 to CONF_XAUTH
*Oct 13 12:55:52.237: ISAKMP2026): sending packet to 109.57.11.247 my_port 500 peer_port 500 (R) CONF_XAUTH
*Oct 13 12:55:52.237: ISAKMP2026):Sending an IKE IPv4 Packet.
*Oct 13 12:55:52.237: ISAKMP2026)urging node 1554826523
*Oct 13 12:55:52.237: ISAKMP2026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 13 12:55:52.237: ISAKMP2026):Old State = IKE_XAUTH_REQ_SENT New State = IKE_DEST_SA
*Oct 13 12:55:52.241: ISAKMP2026):deleting SA reason "No reason" state (R) CONF_XAUTH (peer 109.57.11.247)
*Oct 13 12:55:52.241: ISAKMP0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
*Oct 13 12:55:52.241: ISAKMP: Unlocking peer struct 0x8814ED04 for isadb_mark_sa_deleted(), count 0
*Oct 13 12:55:52.241: ISAKMP: Deleting peer node by peer_reap for 109.57.11.247: 8814ED04
*Oct 13 12:55:52.241: ISAKMP2026):deleting node -1846708170 error FALSE reason "IKE deleted"
*Oct 13 12:55:52.241: ISAKMP2026):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 13 12:55:52.241: ISAKMP2026):Old State = IKE_DEST_SA New State = IKE_DEST_SA
/Jesper
I have a Cisco 1812 with Easy VPN server configures, and everything works fine with Cisco VPN Client on windows, but I cant connect with Iphone/Ipad. It pops up with user credentials, but whatever I type it fails.
Is there anything Im missing ?
Debug crypto isakmp gives me this, when a Iphone tries to connect:
*Oct 13 12:55:42.705: ISAKMP (0): received packet from 109.57.11.247 dport 500 sport 500 Global (N) NEW SA
*Oct 13 12:55:42.705: ISAKMP: Created a peer struct for 109.57.11.247, peer port 500
*Oct 13 12:55:42.705: ISAKMP: New peer created peer = 0x8814ED04 peer_handle = 0x80000026
*Oct 13 12:55:42.705: ISAKMP: Locking peer struct 0x8814ED04, refcount 1 for crypto_isakmp_process_block
*Oct 13 12:55:42.705: ISAKMP: local port 500, remote port 500
*Oct 13 12:55:42.705: ISAKMP
0):insert sa successfully sa = 85B764D4*Oct 13 12:55:42.705: ISAKMP
0): processing SA payload. message ID = 0*Oct 13 12:55:42.705: ISAKMP
0): processing ID payload. message ID = 0*Oct 13 12:55:42.705: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : Sindby
protocol : 0
port : 0
length : 14
*Oct 13 12:55:42.705: ISAKMP
0):: peer matches sdm-ike-profile-1 profile*Oct 13 12:55:42.705: ISAKMP
0):Setting client config settings 86DAF750*Oct 13 12:55:42.705: ISAKMP
0)Re)Setting client xauth list and state*Oct 13 12:55:42.705: ISAKMP/xauth: initializing AAA request
*Oct 13 12:55:42.705: ISAKMP
0): processing vendor id payload*Oct 13 12:55:42.705: ISAKMP
0): vendor ID seems Unity/DPD but major 69 mismatch*Oct 13 12:55:42.705: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 13 12:55:42.705: ISAKMP
0): processing vendor id payload*Oct 13 12:55:42.705: ISAKMP
0): vendor ID seems Unity/DPD but major 198 mismatch*Oct 13 12:55:42.705: ISAKMP
0): processing vendor id payload*Oct 13 12:55:42.705: ISAKMP
0): vendor ID seems Unity/DPD but major 29 mismatch*Oct 13 12:55:42.705: ISAKMP
0): processing vendor id payload*Oct 13 12:55:42.705: ISAKMP
0): vendor ID seems Unity/DPD but major 245 mismatch*Oct 13 12:55:42.705: ISAKMP (0): vendor ID is NAT-T v7
*Oct 13 12:55:42.705: ISAKMP
0): processing vendor id payload*Oct 13 12:55:42.705: ISAKMP
0): vendor ID seems Unity/DPD but major 114 mismatch*Oct 13 12:55:42.705: ISAKMP
0): processing vendor id payload*Oct 13 12:55:42.705: ISAKMP
0): vendor ID seems Unity/DPD but major 227 mismatch*Oct 13 12:55:42.705: ISAKMP
0): processing vendor id payload*Oct 13 12:55:42.705: ISAKMP
0): vendor ID seems Unity/DPD but major 250 mismatch*Oct 13 12:55:42.705: ISAKMP
0): processing vendor id payload*Oct 13 12:55:42.705: ISAKMP
0): vendor ID seems Unity/DPD but major 157 mismatch*Oct 13 12:55:42.705: ISAKMP
0): vendor ID is NAT-T v3*Oct 13 12:55:42.705: ISAKMP
0): processing vendor id payload*Oct 13 12:55:42.705: ISAKMP
0): vendor ID seems Unity/DPD but major 164 mismatch*Oct 13 12:55:42.705: ISAKMP
0): processing vendor id payload*Oct 13 12:55:42.705: ISAKMP
0): vendor ID seems Unity/DPD but major 123 mismatch*Oct 13 12:55:42.705: ISAKMP
0): vendor ID is NAT-T v2*Oct 13 12:55:42.705: ISAKMP
0): processing vendor id payload*Oct 13 12:55:42.705: ISAKMP
0): vendor ID seems Unity/DPD but major 242 mismatch*Oct 13 12:55:42.705: ISAKMP
0): vendor ID is XAUTH*Oct 13 12:55:42.705: ISAKMP
0): processing vendor id payload*Oct 13 12:55:42.705: ISAKMP
0): vendor ID is Unity*Oct 13 12:55:42.705: ISAKMP
0): processing vendor id payload*Oct 13 12:55:42.705: ISAKMP
0): vendor ID is DPD*Oct 13 12:55:42.705: ISAKMP
0): Authentication by xauth preshared*Oct 13 12:55:42.705: ISAKMP
0):Checking ISAKMP transform 1 against priority 1 policy*Oct 13 12:55:42.705: ISAKMP: life type in seconds
*Oct 13 12:55:42.705: ISAKMP: life duration (basic) of 3600
*Oct 13 12:55:42.705: ISAKMP: encryption AES-CBC
*Oct 13 12:55:42.705: ISAKMP: keylength of 256
*Oct 13 12:55:42.705: ISAKMP: auth XAUTHInitPreShared
*Oct 13 12:55:42.705: ISAKMP: hash SHA
*Oct 13 12:55:42.705: ISAKMP: default group 2
*Oct 13 12:55:42.705: ISAKMP
0):Encryption algorithm offered does not match policy!*Oct 13 12:55:42.705: ISAKMP
0):atts are not acceptable. Next payload is 3*Oct 13 12:55:42.705: ISAKMP
0):Checking ISAKMP transform 2 against priority 1 policy*Oct 13 12:55:42.705: ISAKMP: life type in seconds
*Oct 13 12:55:42.705: ISAKMP: life duration (basic) of 3600
*Oct 13 12:55:42.705: ISAKMP: encryption AES-CBC
*Oct 13 12:55:42.705: ISAKMP: keylength of 128
*Oct 13 12:55:42.705: ISAKMP: auth XAUTHInitPreShared
*Oct 13 12:55:42.705: ISAKMP: hash SHA
*Oct 13 12:55:42.705: ISAKMP: default group 2
*Oct 13 12:55:42.705: ISAKMP
0):Encryption algorithm offered does not match policy!*Oct 13 12:55:42.705: ISAKMP
0):atts are not acceptable. Next payload is 3*Oct 13 12:55:42.705: ISAKMP
0):Checking ISAKMP transform 3 against priority 1 policy*Oct 13 12:55:42.705: ISAKMP: life type in seconds
*Oct 13 12:55:42.705: ISAKMP: life duration (basic) of 3600
*Oct 13 12:55:42.705: ISAKMP: encryption AES-CBC
*Oct 13 12:55:42.705: ISAKMP: keylength of 256
*Oct 13 12:55:42.705: ISAKMP: auth XAUTHInitPreShared
*Oct 13 12:55:42.705: ISAKMP: hash MD5
*Oct 13 12:55:42.705: ISAKMP: default group 2
*Oct 13 12:55:42.709: ISAKMP
0):Encryption algorithm offered does not match policy!*Oct 13 12:55:42.709: ISAKMP
0):atts are not acceptable. Next payload is 3*Oct 13 12:55:42.709: ISAKMP
0):Checking ISAKMP transform 4 against priority 1 policy*Oct 13 12:55:42.709: ISAKMP: life type in seconds
*Oct 13 12:55:42.709: ISAKMP: life duration (basic) of 3600
*Oct 13 12:55:42.709: ISAKMP: encryption AES-CBC
*Oct 13 12:55:42.709: ISAKMP: keylength of 128
*Oct 13 12:55:42.709: ISAKMP: auth XAUTHInitPreShared
*Oct 13 12:55:42.709: ISAKMP: hash MD5
*Oct 13 12:55:42.709: ISAKMP: default group 2
*Oct 13 12:55:42.709: ISAKMP
0):Encryption algorithm offered does not match policy!*Oct 13 12:55:42.709: ISAKMP
0):atts are not acceptable. Next payload is 3*Oct 13 12:55:42.709: ISAKMP
0):Checking ISAKMP transform 5 against priority 1 policy*Oct 13 12:55:42.709: ISAKMP: life type in seconds
*Oct 13 12:55:42.709: ISAKMP: life duration (basic) of 3600
*Oct 13 12:55:42.709: ISAKMP: encryption 3DES-CBC
*Oct 13 12:55:42.709: ISAKMP: auth XAUTHInitPreShared
*Oct 13 12:55:42.709: ISAKMP: hash SHA
*Oct 13 12:55:42.709: ISAKMP: default group 2
*Oct 13 12:55:42.709: ISAKMP
0):atts are acceptable. Next payload is 3*Oct 13 12:55:42.709: ISAKMP
0):Acceptable atts:actual life: 86400*Oct 13 12:55:42.709: ISAKMP
0):Acceptable atts:life: 0*Oct 13 12:55:42.709: ISAKMP
0):Basic life_in_seconds:3600*Oct 13 12:55:42.709: ISAKMP
0):Returning Actual lifetime: 3600*Oct 13 12:55:42.709: ISAKMP
0)::Started lifetime timer: 3600.*Oct 13 12:55:42.709: ISAKMP
0): processing KE payload. message ID = 0*Oct 13 12:55:42.733: ISAKMP
0): processing NONCE payload. message ID = 0*Oct 13 12:55:42.733: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 13 12:55:42.733: ISAKMP (0): vendor ID is NAT-T v7
*Oct 13 12:55:42.733: ISAKMP
0): vendor ID is NAT-T v3*Oct 13 12:55:42.733: ISAKMP
0): vendor ID is NAT-T v2*Oct 13 12:55:42.733: ISAKMP
0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH*Oct 13 12:55:42.733: ISAKMP
0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT*Oct 13 12:55:42.733: ISAKMP
2026): constructed NAT-T vendor-rfc3947 ID*Oct 13 12:55:42.733: ISAKMP
2026):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR*Oct 13 12:55:42.733: ISAKMP (2026): ID payload
next-payload : 10
type : 1
address : xx.xxx.xx.xx
protocol : 0
port : 0
length : 12
*Oct 13 12:55:42.733: ISAKMP
2026):Total payload length: 12*Oct 13 12:55:42.737: ISAKMP
2026): sending packet to 109.57.11.247 my_port 500 peer_port 500 (R) AG_INIT_EXCH*Oct 13 12:55:42.737: ISAKMP
2026):Sending an IKE IPv4 Packet.*Oct 13 12:55:42.737: ISAKMP
2026):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY*Oct 13 12:55:42.737: ISAKMP
2026):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2*Oct 13 12:55:43.537: ISAKMP (2026): received packet from 109.57.11.247 dport 500 sport 500 Global (R) AG_INIT_EXCH
*Oct 13 12:55:43.537: ISAKMP
2026): processing HASH payload. message ID = 0*Oct 13 12:55:43.537: ISAKMP:received payload type 20
*Oct 13 12:55:43.537: ISAKMP (2026): His hash no match - this node outside NAT
*Oct 13 12:55:43.537: ISAKMP:received payload type 20
*Oct 13 12:55:43.537: ISAKMP (2026): No NAT Found for self or peer
*Oct 13 12:55:43.537: ISAKMP
2026): processing NOTIFY INITIAL_CONTACT protocol 1spi 0, message ID = 0, sa = 0x85B764D4
*Oct 13 12:55:43.537: ISAKMP
2026):SA authentication status:authenticated
*Oct 13 12:55:43.537: ISAKMP
2026):SA has been authenticated with 109.57.11.247*Oct 13 12:55:43.537: ISAKMP
2026):SA authentication status:authenticated
*Oct 13 12:55:43.537: ISAKMP
2026): Process initial contact,bring down existing phase 1 and 2 SA's with local xx.xxx.xx.xx remote 109.57.11.247 remote port 500
*Oct 13 12:55:43.541: ISAKMP
2026):returning IP addr to the address pool*Oct 13 12:55:43.541: ISAKMP: Trying to insert a peer xx.xxx.xx.xx/109.57.11.247/500/, and inserted successfully 8814ED04.
*Oct 13 12:55:43.541: ISAKMP
2026):Returning Actual lifetime: 3600*Oct 13 12:55:43.541: ISAKMP: set new node -1870316501 to CONF_XAUTH
*Oct 13 12:55:43.541: ISAKMP
2026):Sending NOTIFY RESPONDER_LIFETIME protocol 1spi 2255271000, message ID = -1870316501
*Oct 13 12:55:43.541: ISAKMP
2026): sending packet to 109.57.11.247 my_port 500 peer_port 500 (R) QM_IDLE*Oct 13 12:55:43.541: ISAKMP
2026):Sending an IKE IPv4 Packet.*Oct 13 12:55:43.541: ISAKMP
2026)urging node -1870316501*Oct 13 12:55:43.541: ISAKMP: Sending phase 1 responder lifetime 3600
*Oct 13 12:55:43.541: ISAKMP
2026):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH*Oct 13 12:55:43.541: ISAKMP
2026):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE*Oct 13 12:55:43.541: ISAKMP
2026):Need XAUTH*Oct 13 12:55:43.541: ISAKMP: set new node -1846708170 to CONF_XAUTH
*Oct 13 12:55:43.541: ISAKMP/xauth: request attribute XAUTH_TYPE_V2
*Oct 13 12:55:43.541: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Oct 13 12:55:43.541: ISAKMP/xauth: request attribute XAUTH_DOMAIN_V2
*Oct 13 12:55:43.541: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Oct 13 12:55:43.541: ISAKMP
2026): initiating peer config to 109.57.11.247. ID = -1846708170*Oct 13 12:55:43.541: ISAKMP
2026): sending packet to 109.57.11.247 my_port 500 peer_port 500 (R) CONF_XAUTH*Oct 13 12:55:43.541: ISAKMP
2026):Sending an IKE IPv4 Packet.*Oct 13 12:55:43.541: ISAKMP
2026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE*Oct 13 12:55:43.541: ISAKMP
2026):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT*Oct 13 12:55:52.237: ISAKMP (2026): received packet from 109.57.11.247 dport 500 sport 500 Global (R) CONF_XAUTH
*Oct 13 12:55:52.237: ISAKMP: set new node -935085502 to CONF_XAUTH
*Oct 13 12:55:52.237: ISAKMP
2026): processing HASH payload. message ID = -935085502*Oct 13 12:55:52.237: ISAKMP
2026): processing DELETE payload. message ID = -935085502*Oct 13 12:55:52.237: ISAKMP
2026)eer does not do paranoid keepalives.*Oct 13 12:55:52.237: ISAKMP
2026)eer does not do paranoid keepalives.*Oct 13 12:55:52.237: ISAKMP
2026):deleting SA reason "No reason" state (R) CONF_XAUTH (peer 109.57.11.247)*Oct 13 12:55:52.237: ISAKMP
2026):deleting node -935085502 error FALSE reason "Informational (in) state 1"*Oct 13 12:55:52.237: ISAKMP: set new node 1554826523 to CONF_XAUTH
*Oct 13 12:55:52.237: ISAKMP
2026): sending packet to 109.57.11.247 my_port 500 peer_port 500 (R) CONF_XAUTH*Oct 13 12:55:52.237: ISAKMP
2026):Sending an IKE IPv4 Packet.*Oct 13 12:55:52.237: ISAKMP
2026)urging node 1554826523*Oct 13 12:55:52.237: ISAKMP
2026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL*Oct 13 12:55:52.237: ISAKMP
2026):Old State = IKE_XAUTH_REQ_SENT New State = IKE_DEST_SA*Oct 13 12:55:52.241: ISAKMP
2026):deleting SA reason "No reason" state (R) CONF_XAUTH (peer 109.57.11.247)*Oct 13 12:55:52.241: ISAKMP
0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.*Oct 13 12:55:52.241: ISAKMP: Unlocking peer struct 0x8814ED04 for isadb_mark_sa_deleted(), count 0
*Oct 13 12:55:52.241: ISAKMP: Deleting peer node by peer_reap for 109.57.11.247: 8814ED04
*Oct 13 12:55:52.241: ISAKMP
2026):deleting node -1846708170 error FALSE reason "IKE deleted"*Oct 13 12:55:52.241: ISAKMP
2026):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH*Oct 13 12:55:52.241: ISAKMP
2026):Old State = IKE_DEST_SA New State = IKE_DEST_SA/Jesper
intelwizrd
IS-IT--Management
Can you post the relevant portion of your sanitized config?
intelwizrd
IS-IT--Management
You can copy the output of 'show run' to a text editor like notepad and replace public IP's or other sensitive information before posting here.
If you are using a terminal client like putty you can tell it save the output to a text file so you don't have to copy and paste.
If you are using a terminal client like putty you can tell it save the output to a text file so you don't have to copy and paste.
Here is my running configuration.... Hope you can see the error.
Building configuration...
Current configuration : 9682 bytes
!
! Last configuration change at 14:47:30 UTC Wed Oct 13 2010 by sbyadmin
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
server 90.0.0.245 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 passwd-expiry group sdm-vpn-server-group-1
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-250973313
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-250973313
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-250973313
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32353039 37333331 33301E17 0D313031 30313230 39343333
395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3235 30393733
33313330 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BCF94FB0 772B0E92 B703CE70 556D5D22 A57823E5 DD4CD4C4 12D639DE 5E97DB2D
81FBB304 9FA677A6 CAD84F96 9733081B F8F8FAAE 000B02FB AEF7C7B1 73AFA44B
7D27E112 8991F03B 3D4FD484 34E2EA9F BD426F73 48778F2A AD35AAD6 EC00805D
249B8702 D545AEEA 40670DFD 3E6BEC29 EE48A0C6 CB7694FD 722D1A62 3A499CC5
02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
11040A30 08820652 6F757465 72301F06 03551D23 04183016 801462CB F6BD12F6
080C8A89 F9FBBDCE 9751528A FFFD301D 0603551D 0E041604 1462CBF6 BD12F608
0C8A89F9 FBBDCE97 51528AFF FD300D06 092A8648 86F70D01 01040500 03818100
ACA87977 55225FC6 9147E57E 8B5A8CA8 46348CAF 801D11C6 9DA57C69 14FA5076
6844F0CC 4CBEB541 136A483A 69F7B7F0 E45374E8 14DC2E80 CC04F840 3531B884
F08A492D 8C3902C0 725EE93D AC83A29F 799AAE0F 5795484B B3D02F84 911DB135
21B0B9D4 5C189766 C30DA111 6B9B4E46 E999DA5B 202A6900 07A93D8D 41C7FD21
quit
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
ip inspect log drop-pkt
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type inspect global
log dropped-packets enable
!
!
license udi pid CISCO1812/K9 sn FCZ10232108
username sbyadmin privilege 15 secret 5 $1$P677$Rjnz/Wk8MeD8letZDL08d/
!
!
!
class-map type inspect match-all sdm-nat-smtp-1
match access-group 101
match protocol smtp
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
inspect
class class-default
drop
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Sindby
key SecretCode
dns 90.0.0.240 8.8.8.8
wins 90.0.0.240
domain sbynet
pool SDM_POOL_2
max-users 15
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group Sindby
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA10 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA11 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA12 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA13 esp-3des esp-sha-hmac
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA14 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA15 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA15
set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
description $FW_OUTSIDE$
ip address xx.xxx.xxx.xx 255.255.255.248
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $FW_INSIDE$
ip address 90.0.0.190 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
ip local pool SDM_POOL_1 90.0.0.25 90.0.0.29
ip local pool SDM_POOL_2 90.0.0.75 90.0.0.90
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.1.200 25 interface FastEthernet0 25
ip nat inside source list 1 interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
!
logging esm config
access-list 1 permit 90.0.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip xx.xxx.xxx.xx 0.0.0.7 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.1.200
!
!
!
!
!
!
radius-server host 90.0.0.245 auth-port 1645 acct-port 1646 timeout 45 key SecretCode
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
!
end
Router#
Building configuration...
Current configuration : 9682 bytes
!
! Last configuration change at 14:47:30 UTC Wed Oct 13 2010 by sbyadmin
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
server 90.0.0.245 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 passwd-expiry group sdm-vpn-server-group-1
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-250973313
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-250973313
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-250973313
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32353039 37333331 33301E17 0D313031 30313230 39343333
395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3235 30393733
33313330 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BCF94FB0 772B0E92 B703CE70 556D5D22 A57823E5 DD4CD4C4 12D639DE 5E97DB2D
81FBB304 9FA677A6 CAD84F96 9733081B F8F8FAAE 000B02FB AEF7C7B1 73AFA44B
7D27E112 8991F03B 3D4FD484 34E2EA9F BD426F73 48778F2A AD35AAD6 EC00805D
249B8702 D545AEEA 40670DFD 3E6BEC29 EE48A0C6 CB7694FD 722D1A62 3A499CC5
02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
11040A30 08820652 6F757465 72301F06 03551D23 04183016 801462CB F6BD12F6
080C8A89 F9FBBDCE 9751528A FFFD301D 0603551D 0E041604 1462CBF6 BD12F608
0C8A89F9 FBBDCE97 51528AFF FD300D06 092A8648 86F70D01 01040500 03818100
ACA87977 55225FC6 9147E57E 8B5A8CA8 46348CAF 801D11C6 9DA57C69 14FA5076
6844F0CC 4CBEB541 136A483A 69F7B7F0 E45374E8 14DC2E80 CC04F840 3531B884
F08A492D 8C3902C0 725EE93D AC83A29F 799AAE0F 5795484B B3D02F84 911DB135
21B0B9D4 5C189766 C30DA111 6B9B4E46 E999DA5B 202A6900 07A93D8D 41C7FD21
quit
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
ip inspect log drop-pkt
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type inspect global
log dropped-packets enable
!
!
license udi pid CISCO1812/K9 sn FCZ10232108
username sbyadmin privilege 15 secret 5 $1$P677$Rjnz/Wk8MeD8letZDL08d/
!
!
!
class-map type inspect match-all sdm-nat-smtp-1
match access-group 101
match protocol smtp
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
inspect
class class-default
drop
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Sindby
key SecretCode
dns 90.0.0.240 8.8.8.8
wins 90.0.0.240
domain sbynet
pool SDM_POOL_2
max-users 15
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group Sindby
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA10 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA11 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA12 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA13 esp-3des esp-sha-hmac
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA14 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA15 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA15
set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
description $FW_OUTSIDE$
ip address xx.xxx.xxx.xx 255.255.255.248
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $FW_INSIDE$
ip address 90.0.0.190 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
ip local pool SDM_POOL_1 90.0.0.25 90.0.0.29
ip local pool SDM_POOL_2 90.0.0.75 90.0.0.90
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.1.200 25 interface FastEthernet0 25
ip nat inside source list 1 interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
!
logging esm config
access-list 1 permit 90.0.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip xx.xxx.xxx.xx 0.0.0.7 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.1.200
!
!
!
!
!
!
radius-server host 90.0.0.245 auth-port 1645 acct-port 1646 timeout 45 key SecretCode
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
!
end
Router#
intelwizrd
IS-IT--Management
Sindby,
For the whatever reason I can't see the problem. It looks like the iPhone/iPad isn't sending back the auth info or it isn't able to set up a VPN tunnel correctly. Unfortunately, without logging on the iPhone side I don't know which way to go.
Here is a link to an apple forum where someone with a Cisco 1812 got their iPhone to connect. IT is a post by gvde and is the second to last. It looks almost identical to yours so you should be close to what you need.
For the whatever reason I can't see the problem. It looks like the iPhone/iPad isn't sending back the auth info or it isn't able to set up a VPN tunnel correctly. Unfortunately, without logging on the iPhone side I don't know which way to go.
Here is a link to an apple forum where someone with a Cisco 1812 got their iPhone to connect. IT is a post by gvde and is the second to last. It looks almost identical to yours so you should be close to what you need.
- Status
Similar threads
- Locked
- Question