Cisco Pix 525 VPN - iPhone/iPad won't connect

jeff slansky
Level 1

Hi,

I have one of the most basic configurations on a PIX 525 with remote access enabled. I am able to connect from a desktop machine running the Cisco VPN client, but for some reason I can't get my iPhone or iPad to connect to my VPN. I get the error message stating 'the server did not respond'.

I am running iOS 8.0.4 and I have a 3DES license, which is required from what I understand.

I'm starting to think that this really is in the configuration. Could it be the transform set specification?

Can someone shed some light on this subject?

Below is close to the current configuration, but it's not exact; some things in it were corrected, so ignore them. It is the best I have, since I am away for the holiday. It should give insight into any areas that might be part of the problem.

thcvpn01(config)# show config
: Saved
: Written by enable_15 at 07:33:33.113 UTC Fri Nov 8 2013
!
PIX Version 8.0(4)
!
hostname thcvpn01
domain-name somewhere.net
enable password * encrypted
passwd * encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.222.220
 domain-name somewhere.net
same-security-traffic permit intra-interface
object-group icmp-type ICMPObject
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group ICMPObject
access-list inside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ThcIPPool 10.1.2.1-10.1.2.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (outside) 101 10.1.2.0 255.255.255.0 outside
nat (inside) 0 access-list inside-nat0
nat (inside) 101 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 28800
crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 10.1.1.50-10.1.1.254 inside
dhcpd dns 208.67.222.222 208.67.222.220 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy THCVpnGroup internal
group-policy THCVpnGroup attributes
 dns-server value 208.67.222.222 208.67.222.220
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
username [username] password [password] encrypted
tunnel-group THCVpnGroup type remote-access
tunnel-group THCVpnGroup general-attributes
 address-pool ThcIPPool
 default-group-policy THCVpnGroup
tunnel-group THCVpnGroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d57ad5e7f32936cf000c4be69d4385cb
thcvpn01(config)#

jeff

3 Replies

usasigcis
Level 1

Try to change

crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac

to

crypto ipsec transform-set THCTransformSet ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-SHA ESP-3DES-MD5

Thanks,

-Sinan

Hi,

I just saw your post now. The options you specified do not exist.

The closest thing is "crypto ipsec transform-set THCTransformSet esp-aes-192" or 256.

It also only takes 2 parameters, so I tried esp-aes256 esp-md5-hmac and that doesn't work.

Kevin

Hi,

As a primary note, the people at Apple's Genius Bar are not geniuses. They do not know the following, so if you found your way here, awesome.

The correct answer is that the iPhone and iPad only support AES. You have to modify the crypto map to use AES as well as modify the ISAKMP service to use AES. I believe it supports all AES options: AES, AES 192 and AES 256.

In all of the frustration, do not, as I did, forget that your username is case sensitive.

Jeff
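The conclusion of the thread written out in PIX 8.0(4) syntax, as an added example that is not part of the original posts: an AES-256/SHA transform set and an AES-256 ISAKMP policy are added next to the posted 3DES entries, so the desktop Cisco VPN client keeps its existing proposals while the iPhone/iPad get one they accept. THCTransformSet, THCDynamicMap and policy 1 are taken from the posted config; THCAesSet and policy number 5 are assumed names chosen here.

```cisco
! Added example, not from the thread. Assumes the posted PIX 8.0(4) config.
!
! Phase 2: a transform set using AES. A PIX 8.0 transform set takes exactly
! one cipher and one integrity algorithm; the cipher keyword is spelled
! esp-aes-256 (also esp-aes and esp-aes-192). THCAesSet is an assumed name.
crypto ipsec transform-set THCAesSet esp-aes-256 esp-sha-hmac
!
! Offer the AES set first and keep the existing 3DES set (THCTransformSet)
! for the desktop client. The peer picks whichever set matches its proposal.
crypto dynamic-map THCDynamicMap 1 set transform-set THCAesSet THCTransformSet
!
! Phase 1: an ISAKMP policy with AES so the device's IKE proposal matches.
! Lower policy numbers are evaluated first; the posted 3DES policies
! (1 and 65535) stay in place. Policy number 5 is an assumed choice.
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 43200
!
! After a connection attempt from the device, confirm both phases came up:
!   show crypto isakmp sa    - an IKE SA for the device's public address
!   show crypto ipsec sa     - an IPsec SA listing the AES transform
```

Because the username the device sends is matched case-sensitively against the `username` entry, a failure at this point with both SAs otherwise negotiating correctly points at the credentials rather than at the crypto settings.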