09-03-2012 04:03 PM
I am a network hobbyist. I am trying to set up my home router so my family can VPN to the house with our iPhones and iPads. I have tried to figure this out several times on my own and for some reason I cannot get the policies to match.
At this point I am looking to start from scratch as my current config is pretty sloppy from trying many different methods.
Here is my setup
[cable modem] <==> [c1841] <==> [8 port switch]
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 15.1(4)M, RELEASE SOFTWARE (fc1)
So I am using NAT, and I do want to have 3-4 external devices able to connect to the VPN and without a static IP on the roaming end. The 1841 does have a static IP.
I am looking for the method that will work best in this setup.
Thanks.
Bryan
09-03-2012 04:59 PM
Hi Bryan,
You can accomplish what you are looking for by using DYNDNS. You can google for it. It is a paid service but I think that the charges are nominal. Once you have a domain name for your router then you can configure your built-in IPSec VPN client to connect to your 1841 remotely.
Shikhar Sharma
CCIE Security # 29741
Cisco TAC - VPN Team
09-03-2012 05:35 PM
I think you misunderstood me. I have a static IP and a domain name for the router. I use zoneedit instead of dyndns but the same thing.
The iphones will have dynamic IP and no domain name.
The problem is all the documentation I have found on setting up the VPN is related to an ASA and functions the 1841 does not have. I have been able to get them to talk with various configs but never have I been able to get past phase 1.
I am reverting my config back to a bare config with only NAT. I know there are a few different ways to go about setting up IPSec, I just don't know which one will work with the iPhone/iPad.
I have set up a VPN between me and a friend who also has a Cisco router and that was easy; getting the iPhone to work has eluded me, however.
09-03-2012 05:46 PM
Hi Bryan,
Do me a favour. Set up a normal remote access VPN on the 1841. Test it with a normal Windows XP or a Windows 7 machine. Once you get that working and are able to pass traffic, try connecting your iPhone. If it fails, please send me the output of the following:
debug crypto isakmp
debug crypto ipsec
Also let me know the code that you are running on the router.
Shikhar Sharma
CCIE Security # 29741
Cisco TAC - VPN Team
09-09-2012 09:09 PM
I am trying to follow the process for L2TP/IPSec at
www.cisco.com/en/US/docs/security/vpn_modules/6342/configuration/guide/6342vpn4.html
There are a few lines that are confusing me.
crypto isakmp key cisco address 172.1.1.1
set peer 172.1.1.1
It appears that this is setting a static IP for the remote end with a public IP and I do not understand why.
If you can help me to understand this I can continue with the config.
Thanks for all your help so far.
09-20-2012 08:33 AM
OK, I have set my Mac up to connect to the VPN using straight Cisco IPsec in my system prefs.
This is a small section of the debug log from the 1841.
.Sep 20 12:22:13.517 EDT: ISAKMP:(0):Checking ISAKMP transform 5 against priority 4 policy
.Sep 20 12:22:13.517 EDT: ISAKMP: life type in seconds
.Sep 20 12:22:13.517 EDT: ISAKMP: life duration (basic) of 3600
.Sep 20 12:22:13.517 EDT: ISAKMP: encryption 3DES-CBC
.Sep 20 12:22:13.517 EDT: ISAKMP: auth XAUTHInitPreShared
.Sep 20 12:22:13.517 EDT: ISAKMP: hash SHA
.Sep 20 12:22:13.517 EDT: ISAKMP: default group 2
.Sep 20 12:22:13.517 EDT: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
At that point the encryption seems to match but something else is not. I have double and triple checked that the pre-shared key is exact on both ends.
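Added example, not part of the original thread or Cisco's tooling: a small parser that groups the attributes of each offered ISAKMP transform from `debug crypto isakmp` output and lists which ones differ from a local policy. The `ASSUMED_POLICIES` values are hypothetical, since the router's policy configuration is never shown in the thread.

```python
import re

# Debug lines exactly as quoted in the post above.
SAMPLE_LOG = """\
.Sep 20 12:22:13.517 EDT: ISAKMP:(0):Checking ISAKMP transform 5 against priority 4 policy
.Sep 20 12:22:13.517 EDT: ISAKMP: life type in seconds
.Sep 20 12:22:13.517 EDT: ISAKMP: life duration (basic) of 3600
.Sep 20 12:22:13.517 EDT: ISAKMP: encryption 3DES-CBC
.Sep 20 12:22:13.517 EDT: ISAKMP: auth XAUTHInitPreShared
.Sep 20 12:22:13.517 EDT: ISAKMP: hash SHA
.Sep 20 12:22:13.517 EDT: ISAKMP: default group 2
.Sep 20 12:22:13.517 EDT: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
"""

# Hypothetical local policy 4, constructed for illustration: the thread never
# shows the router's "crypto isakmp policy" section.
ASSUMED_POLICIES = {4: {"encryption": "3DES-CBC", "auth": "pre-share",
                        "hash": "SHA", "group": "2", "lifetime": "3600"}}

CHECK = re.compile(r"ISAKMP:\(\d+\):Checking ISAKMP transform (\d+) against priority (\d+) policy")
VERDICT = re.compile(r"ISAKMP:\(\d+\):\s*(.*(?:does not match|acceptable).*)")
ATTR = re.compile(r"ISAKMP:\s+(life duration|encryption|auth|hash|default group)(?: \(\w+\) of)?\s+(\S+)")
NAMES = {"life duration": "lifetime", "default group": "group"}

def parse_offers(log):
    """Group each offered transform's attributes with the router's verdict on it."""
    offers, cur = [], None
    for line in log.splitlines():
        if m := CHECK.search(line):
            cur = {"transform": int(m[1]), "priority": int(m[2]), "offered": {}, "verdict": None}
            offers.append(cur)
        elif cur is None:
            continue
        elif m := VERDICT.search(line):
            cur["verdict"] = m[1].strip()
        elif m := ATTR.search(line):
            cur["offered"][NAMES.get(m[1], m[1])] = m[2]
    return offers

def mismatches(offer, policies):
    """Attributes whose offered value differs from the local policy of that priority."""
    local = policies.get(offer["priority"], {})
    return sorted(k for k, v in offer["offered"].items() if local.get(k) != v)

if __name__ == "__main__":
    for o in parse_offers(SAMPLE_LOG):
        print(o["transform"], o["priority"], mismatches(o, ASSUMED_POLICIES), o["verdict"])
```

With the assumed policy, the only differing attribute is the authentication method, which is what the router's own rejection line names.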