cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2031
Views
0
Helpful
8
Replies

IPAD 3 cannot VPN Calling on the Experts again.

Thomas Grassi
Level 1
Level 1

                   Cisco 851 router Apple Ipad 3 using IPSEC setp get this message The VPN server did not respond

I have tried Anyconnect that gives me Cannot verify server identity anyconnect can't verify the identity of ios-self-signed-certificate-1164042433 would you like to continue anyway? hit continue and it just goes off.

I was asking if If get an ASA 5505 to replace my 851 it would work in my environment.

I have 15 computers accessing the web thru the 851

I host a web site on one of my servers.

I have a static ip address.

I also host exchange server and have remote web access to my exchange as well as remote outlook users.

I can VPN thru the 851 using the cisco client on Windows 7 and vista and even xp

Would like to use the native windows client and get my iphones and ipads working.

Can the ASA5505 support the above?

Was also looking at the cisco 1841 how about that one?

Thanks

Tom

Thomas R Grassi Jr
8 Replies 8

DuncanM2008
Level 1
Level 1

Hi Tom,

The only thing useful I can add from experience is that Apple devices (iPAD & iPhone) + Cisco VPN client (native) forces the use of AES encryption (AES128 if i remember correctly).

So I would investigate the transform sets currently in use for dial-in clients.

Possibly post the transform set config currently in place?


HTH

Dunc.

Duncan

is this what you mean?

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 1

set transform-set ESP-3DES-SHA

reverse-route

! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set ESP-3DES-SHA
reverse-route
!

I can post my entire config also let me know

Thanks

Tom

Thomas R Grassi Jr

If you do decide to go with the ASA, dont forget that you'll need an extra license to support Anyconnect on mobile devices.  I believe it's L-ASA-M-5505

branfarm

not sure what you mean I did not need i did not need anything extra fr my cisco 851

what it is exactly?

Thomas R Grassi Jr

Sorry -- I'm not trying to cloud the issue here. I'm sure you'll be able to get this working on your existing setup. I just know from experience that if you do decide to go with the ASA, you'll need an addiitional license to allow mobile devices to connect using Anyconnect, on top of the Anyconnect count license.

Duncan

does this help

MyRouter#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 2
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys
).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
MyRouter#show crypto ipsec transform-set
Transform set ESP-3DES-SHA: { esp-3des esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Thomas R Grassi Jr

Hi Tom,

Sorry for the delay different timezome (UK GMT), here's an example of the settings I have in use for a device that terminates iPAD & iPhone VPN clients (cisco native);

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto ipsec transform-set ClientTransform esp-aes 256 esp-sha-hmac

crypto dynamic-map ClientDMAP 1

set transform-set ClientTransform

Hopefully this might be of some use in assisting you on the way to a complete configuration, if there's anything else you want to know just holla.

HTH

Dunc.

Duncan

Should I just add the code you posted to my config?

Only question I have crypto dynamic-map ClientDMAP 1 where do I point that to

This is my other part I thnk I need one more for the above

crypto map dynmap client authentication list tgcsradius

crypto map dynmap isakmp authorization list tgcsvpn

crypto map dynmap client configuration address respond

crypto map dynmap 1 ipsec-isakmp dynamic dynmap

crypto map dynmap client authentication list tgcsradius

crypto map dynmap isakmp authorization list tgcsvpn

crypto map dynmap client configuration address respond

crypto map dynmap 1 ipsec-isakmp dynamic dynmap

Tom

Thomas R Grassi Jr
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco