11-27-2013 12:07 PM
hi,
i have one of the most basic configurations on a PIX 525 with remote access enabled. i am able to connect from a desktop machine running the cisco vpn client but for some reason i cant get my iphone or ipad to connect to my vpn. i get the error message stating 'the server did not respond'.
i am running ios 8.0.4 and i have a 3DES license which is required from what i understand.
im starting to think that this really is in the configuration. could it be the transform set specification?
can some one shed some light on this subject?
below is close to the current configuration, but its not exact, some things in it were corrected, so ignore them. it is the best i have, since i am away for the holiday. it should give insight into any areas that might be part of the problem.
thcvpn01(config)# show config
: Saved
: Written by enable_15 at 07:33:33.113 UTC Fri Nov 8 2013
!
PIX Version 8.0(4)
!
hostname thcvpn01
domain-name somewhere.net
enable password* encrypted
passwd * encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.222.220
domain-name somewhere.net
same-security-traffic permit intra-interface
object-group icmp-type ICMPObject
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group ICMPObje
ct
access-list inside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.2
55.255.0
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ThcIPPool 10.1.2.1-10.1.2.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (outside) 101 10.1.2.0 255.255.255.0 outside
nat (inside) 0 access-list inside-nat0
nat (inside) 101 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 288
00
crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4
608000
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 10.1.1.50-10.1.1.254 inside
dhcpd dns 208.67.222.222 208.67.222.220 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy THCVpnGroup internal
group-policy THCVpnGroup attributes
dns-server value 208.67.222.222 208.67.222.220
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
username [username] password [password] encrypted
tunnel-group THCVpnGroup type remote-access
tunnel-group THCVpnGroup general-attributes
address-pool ThcIPPool
default-group-policy THCVpnGroup
tunnel-group THCVpnGroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d57ad5e7f32936cf000c4be69d4385cb
thcvpn01(config)#
thcvpn01(config)#
thcvpn01(config)#
jeff
12-11-2013 10:57 AM
try to change
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
to
crypto ipsec transform-set THCTransformSet ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-SHA ESP-3DES-MD5
Thanks,
-Sinan
12-14-2013 09:38 AM
hi,
i just saw your post now. the options you specified do not exist.
the closest thing is "crypto ipsec transform-set THCTransformSet esp-aes-192" or 256
it also only takes 2 parameters so i tried esp-aes256 esp-md5-hmac and that doesn't work.
kevin
02-10-2014 06:31 PM
hi,
as a primary note, the people at apple's genius bar are not genious. they do not know that the following, so if you found your way here. awesome.
the correct answer is that the iphone and ipad only supports aes. you have to modify the crypto map to use aes as well as modify the isakmp service to use aes. i believe it supports all aes options, aes, aes 192 and aes 256.
in all of the frustration, do not, as i did, forget that your username is case sensitive.
jeff
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide