[SOLVED] Native iPhone 4S Cisco VPN client cannot establish tunnel (Windows clients do)

federico_tv
Level 1

Hi,

iPhone 4S, latest iOS 5 (5.1.1) installed.

I'm not able to get the native IPsec VPN connection to work against my company's Cisco 877.

On the other hand, all my notebooks and netbooks with the Cisco VPN Client installed work fine when they connect remotely to the company's 877.

Enabling debug on the 877, it seems the iPhone successfully passes the phase 1 IKE exchange (in fact the iPhone asks me for the phase 2 username/password), but it hangs at phase 2, giving me the error "Negotiation with VPN server failed".

Any idea or known issue on this?

Here is how I configured the VPN part of my 877:

R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# aaa authentication login vpn_xauth_ml_1 local
R1(config)# aaa authentication login sslvpn local
R1(config)# aaa authorization network vpn_group_ml_1 local
R1(config)# aaa session-id common
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# crypto isakmp policy 2
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# exit
R1(config)# crypto isakmp client configuration group CCLIENT-VPN
R1(config-isakmp-group)# key xxxxxxxx
R1(config-isakmp-group)# dns 192.168.0.1
R1(config-isakmp-group)# pool VPN-Pool
R1(config-isakmp-group)# acl 120
R1(config-isakmp-group)# max-users 5
R1(config-isakmp-group)# exit
R1(config)# ip local pool VPN-Pool 192.168.0.20 192.168.0.25
R1(config)# crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
R1(config)# crypto ipsec profile VPN-Profile-1
R1(ipsec-profile)# set transform-set encrypt-method-1
R1(config)# interface Virtual-Template2 type tunnel
R1(config-if)# ip unnumbered FastEthernet0/0
R1(config-if)# tunnel mode ipsec ipv4
R1(config-if)# tunnel protection ipsec profile VPN-Profile-1
R1(config)# crypto isakmp profile vpn-ike-profile-1
R1(conf-isa-prof)# match identity group CCLIENT-VPN
R1(conf-isa-prof)# client authentication list vpn_xauth_ml_1
R1(conf-isa-prof)# isakmp authorization list vpn_group_ml_1
R1(conf-isa-prof)# client configuration address respond
R1(conf-isa-prof)# virtual-template 2

Then I set up access list 120 for the desired traffic (for now "access-list 120 permit ip any any").

I configured my Cisco VPN clients with the group "CCLIENT-VPN" and the corresponding password.

Whenever they connect, they are prompted for the phase 2 username and password and then join the VPN with an IP address released from the local subnet.

With the same parameters entered and confirmed in the iPhone's IPsec VPN section, it doesn't work.

This is the isakmp debug output of the 877 after the iPhone asks me for the username/password (so I suppose phase 1 is complete):

*May 19 14:29:30.731: ISAKMP (0:2081): received packet from 151.38.197.143 dport 500 sport 500 Global (R) CONF_XAUTH  

*May 19 14:29:30.735: ISAKMP:(2081):processing transaction payload from 151.38.197.143. message ID = -1427983983

*May 19 14:29:30.735: ISAKMP: Config payload REPLY

*May 19 14:29:30.735: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2

*May 19 14:29:30.735: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2

*May 19 14:29:30.735: ISAKMP:(2081):deleting node -1427983983 error FALSE reason "Done with xauth request/reply exchange"

*May 19 14:29:30.735: ISAKMP:(2081):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY

*May 19 14:29:30.735: ISAKMP:(2081):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

*May 19 14:29:30.743: ISAKMP: set new node 1322685842 to CONF_XAUTH  

*May 19 14:29:30.747: ISAKMP:(2081): initiating peer config to 151.38.197.143. ID = 1322685842

*May 19 14:29:30.747: ISAKMP:(2081): sending packet to 151.38.197.143 my_port 500 peer_port 500 (R) CONF_XAUTH  

*May 19 14:29:30.747: ISAKMP:(2081):Sending an IKE IPv4 Packet.

*May 19 14:29:30.747: ISAKMP:(2081):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN

*May 19 14:29:30.747: ISAKMP:(2081):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_SET_SENT

*May 19 14:29:31.299: ISAKMP (0:2081): received packet from 151.38.197.143 dport 500 sport 500 Global (R) CONF_XAUTH  

*May 19 14:29:31.299: ISAKMP:(2081):processing transaction payload from 151.38.197.143. message ID = 1322685842

*May 19 14:29:31.299: ISAKMP: Config payload ACK

*May 19 14:29:31.303: ISAKMP:(2081):       XAUTH ACK Processed

*May 19 14:29:31.303: ISAKMP:(2081):deleting node 1322685842 error FALSE reason "Transaction mode done"

*May 19 14:29:31.303: ISAKMP:(2081):Talking to a Unity Client

*May 19 14:29:31.303: ISAKMP:(2081):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK

*May 19 14:29:31.303: ISAKMP:(2081):Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE

*May 19 14:29:31.303: ISAKMP:(2081):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*May 19 14:29:31.303: ISAKMP:(2081):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*May 19 14:29:31.303: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*May 19 14:29:31.315: ISAKMP:(2081):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*May 19 14:29:31.315: ISAKMP:(2081):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*May 19 14:29:31.623: ISAKMP (0:2081): received packet from 151.38.197.143 dport 500 sport 500 Global (R) QM_IDLE     

*May 19 14:29:31.623: ISAKMP: set new node -851463821 to QM_IDLE     

*May 19 14:29:31.623: ISAKMP:(2081):processing transaction payload from 151.38.197.143. message ID = -851463821

*May 19 14:29:31.623: ISAKMP: Config payload REQUEST

*May 19 14:29:31.623: ISAKMP:(2081):checking request:

*May 19 14:29:31.623: ISAKMP:    IP4_ADDRESS

*May 19 14:29:31.623: ISAKMP:    IP4_NETMASK

*May 19 14:29:31.623: ISAKMP:    IP4_DNS

*May 19 14:29:31.623: ISAKMP:    IP4_NBNS

*May 19 14:29:31.623: ISAKMP:    ADDRESS_EXPIRY

*May 19 14:29:31.623: ISAKMP:    APPLICATION_VERSION

*May 19 14:29:31.623: ISAKMP:    MODECFG_BANNER

*May 19 14:29:31.623: ISAKMP:    DEFAULT_DOMAIN

*May 19 14:29:31.623: ISAKMP:    SPLIT_DNS

*May 19 14:29:31.623: ISAKMP:    SPLIT_INCLUDE

*May 19 14:29:31.623: ISAKMP:    INCLUDE_LOCAL_LAN

*May 19 14:29:31.623: ISAKMP:    PFS

*May 19 14:29:31.623: ISAKMP:    MODECFG_SAVEPWD

*May 19 14:29:31.623: ISAKMP:    FW_RECORD

*May 19 14:29:31.623: ISAKMP:    BACKUP_SERVER

*May 19 14:29:31.623: ISAKMP:    MODECFG_BROWSER_PROXY

*May 19 14:29:31.627: ISAKMP/author: Author request for group CCLIENT-VPNsuccessfully sent to AAA

*May 19 14:29:31.627: ISAKMP:(2081):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST

*May 19 14:29:31.627: ISAKMP:(2081):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

*May 19 14:29:31.627: ISAKMP:(2081):attributes sent in message:

*May 19 14:29:31.627:         Address: 0.2.0.0

*May 19 14:29:31.627: ISAKMP:(2081):allocating address 192.168.0.21

*May 19 14:29:31.627: ISAKMP: Sending private address: 192.168.0.21

*May 19 14:29:31.627: ISAKMP: Sending subnet mask: 255.255.255.0

*May 19 14:29:31.631: ISAKMP: Sending IP4_DNS server address: 192.168.0.1

*May 19 14:29:31.631: ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 3576

*May 19 14:29:31.631: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2008 by Cisco Systems, Inc.

Compiled Thu 14-Aug-08 07:43 by prod_rel_team

*May 19 14:29:31.631: ISAKMP: Sending split include name 120 network 0.0.0.0 mask 0.0.0.0 protocol 0, src port 0, dst port 0

*May 19 14:29:31.631: ISAKMP: Sending save password reply value 0

*May 19 14:29:31.631: ISAKMP:(2081): responding to peer config from 151.38.197.143. ID = -851463821

*May 19 14:29:31.631: ISAKMP:(2081): sending packet to 151.38.197.143 my_port 500 peer_port 500 (R) CONF_ADDR   

*May 19 14:29:31.631: ISAKMP:(2081):Sending an IKE IPv4 Packet.

*May 19 14:29:31.631: ISAKMP:(2081):deleting node -851463821 error FALSE reason "No Error"

*May 19 14:29:31.631: ISAKMP:(2081):Talking to a Unity Client

*May 19 14:29:31.631: ISAKMP:(2081):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR

*May 19 14:29:31.631: ISAKMP:(2081):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT  New State = IKE_P1_COMPLETE

*May 19 14:29:31.635: ISAKMP:(2081):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*May 19 14:29:31.635: ISAKMP:(2081):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Here the iPhone stays idle for a few seconds...

*May 19 14:29:48.391: ISAKMP (0:2081): received packet from 151.38.197.143 dport 500 sport 500 Global (R) QM_IDLE     

*May 19 14:29:48.391: ISAKMP: set new node 1834509506 to QM_IDLE     

*May 19 14:29:48.391: ISAKMP:(2081): processing HASH payload. message ID = 1834509506

*May 19 14:29:48.391: ISAKMP:(2081): processing DELETE payload. message ID = 1834509506

*May 19 14:29:48.391: ISAKMP:(2081):peer does not do paranoid keepalives.

*May 19 14:29:48.395: ISAKMP:(2081):peer does not do paranoid keepalives.

*May 19 14:29:48.395: ISAKMP:(2081):deleting SA reason "No reason" state (R) QM_IDLE       (peer 151.38.197.143)

*May 19 14:29:48.395: ISAKMP:(2081):deleting node 1834509506 error FALSE reason "Informational (in) state 1"

*May 19 14:29:48.395: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*May 19 14:29:48.395: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

*May 19 14:29:48.395: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 151.38.197.143

*May 19 14:29:48.395: ISAKMP: set new node -1711408233 to QM_IDLE     

*May 19 14:29:48.395: ISAKMP:(2081): sending packet to 151.38.197.143 my_port 500 peer_port 500 (R) QM_IDLE     

*May 19 14:29:48.395: ISAKMP:(2081):Sending an IKE IPv4 Packet.

*May 19 14:29:48.399: ISAKMP:(2081):purging node -1711408233

*May 19 14:29:48.399: ISAKMP:(2081):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*May 19 14:29:48.399: ISAKMP:(2081):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*May 19 14:29:48.399: ISAKMP:(2081):deleting SA reason "No reason" state (R) QM_IDLE       (peer 151.38.197.143)

*May 19 14:29:48.399: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.

*May 19 14:29:48.399: ISAKMP (0:2081): returning address 192.168.0.21 to pool

*May 19 14:29:48.399: ISAKMP: Unlocking peer struct 0x84084990 for isadb_mark_sa_deleted(), count 0

*May 19 14:29:48.399: ISAKMP: returning address 192.168.0.21 to pool

*May 19 14:29:48.399: ISAKMP: Deleting peer node by peer_reap for 151.38.197.143: 84084990

*May 19 14:29:48.399: ISAKMP: returning address 192.168.0.21 to pool

*May 19 14:29:48.403: ISAKMP:(2081):deleting node -1427983983 error FALSE reason "IKE deleted"

*May 19 14:29:48.403: ISAKMP:(2081):deleting node 1322685842 error FALSE reason "IKE deleted"

*May 19 14:29:48.403: ISAKMP:(2081):deleting node -851463821 error FALSE reason "IKE deleted"

*May 19 14:29:48.403: ISAKMP:(2081):deleting node 1834509506 error FALSE reason "IKE deleted"

*May 19 14:29:48.403: ISAKMP:(2081):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*May 19 14:29:48.403: ISAKMP:(2081):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*May 19 14:29:48.403: IPSEC(key_engine): got a queue event with 1 KMI message(s)

It seems the 877 even gets as far as allocating a local LAN IP address to the iPhone (192.168.0.21), but then something goes wrong...

Any idea/suggestion on this?

Thank you very much

1 Accepted Solution


7 Replies

The problem is your split-tunneling. The built-in iPhone client wants to build a dedicated SA pair per line in your split-tunnel ACL. But that is not possible when you use the new config style for VPNs with the virtual tunnel interfaces.

Two workarounds are possible:

1) Configure the VPNs with crypto maps

2) Don't use split-tunneling.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thank you for the very quick answer.

However, I forgot to say that the same 877 also shares a point-to-point connection with another 877 at my home.

This other 877 gets a dynamic IP on its WAN interface from the ISP, which changes from time to time, so I used GRE over IPsec with NHRP (dynamic multipoint) for the point-to-point tunnel between the two 877s.

The problem is: I had already tried to use crypto maps for the VPN clients, and it worked, but when I applied the crypto map to the outside NAT interface of the company 877, I systematically lost the tunnel between the two 877s.

That's why I chose virtual-template / split tunnelling: the two setups work together without problems.

This is the point-to-point related configuration of the company 877 (yes, in addition to the configuration you have read in the previous post):

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key MyKey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile Myprofile
 set transform-set MySet
interface Tunnel0
 ip address 192.168.200.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp server-only
 ip tcp adjust-mss 1360
 cdp enable
 tunnel source MY_WAN_STATIC_IP_ADDRESS
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile Myprofile

My LAN at home can see the company's LAN and vice versa by routing through Tunnel0.

What can I do now?

What do you mean by "don't use split-tunneling"?

Can I implement a further, separate method for the iPhone VPN that lives together with the other configurations?

Thank you very much.

P.S.

I've read something about an incompatibility between split-tunneling and Apple devices, but it referred to the inability to browse once the Apple device had ALREADY gained VPN access to the remote site.

Do you refer to this issue only, or are you sure I can't get VPN connectivity with my current configuration?

Thanks!

I have tried this:

Removed, for the moment, both site-to-site tunnel configurations

Removed the virtual-tunnel interface method

Tried a classic crypto-map configuration

I have the same issue and almost the same debug output: phase 2 not completed.

Any hint?

Does anybody have an iPhone IPsec client working on a Cisco router (not ASA or PIX)?

Thank you guys

Today, after a lot of tries, I updated my iPhone 4S to the latest iOS 6 operating system.

Now, with the original 877 configuration posted here (split tunneling - virtual template), the VPN tunnel between the iPhone and the 877 WORKS CORRECTLY, like the Windows machines with the VPN client already did.

Did they (at Apple) fix some connection bug? Who knows...

Hope this helps.

Regards.

Hi Federico,

Thanks for letting us know.

Please mark this post as answered so others will be able to learn from it.

Thanks.

Portu.

federico zanini wrote:

I have tried this:

Removed, for the moment, both site-to-site tunnel configurations

Removed the virtual-tunnel interface method

Tried a classic crypto-map configuration

I have the same issue and almost the same debug output: phase 2 not completed.

Any hint?

Does anybody have an iPhone IPsec client working on a Cisco router (not ASA or PIX)?

Thank you guys

Latest news...:

In fact it still refused to work properly after the first impression, even after the iOS (6.1) update.

Same problem: Phase 1 OK, Phase 2 KO.

SOLVED: The problem was related to the access list that governs the VPN clients, applied to the "crypto isakmp client configuration group".

The original, non-working one was:

access-list 120 remark ==[Cisco VPN Users]==
access-list 120 permit ip any any

It was replaced with:

access-list 120 remark ==[Cisco VPN Users]==
access-list 120 permit ip 172.16.217.0 0.0.0.255 any

(where 172.16.217.0 is the VPN client pool, a class C)

Everything is now working perfectly.

Hope this helps someone stuck on this issue.
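The fix above, and the earlier reply explaining that the iPhone client builds one SA pair per line of the split-tunnel ACL, both come down to what the ACL referenced by "acl 120" makes the router advertise as SPLIT_INCLUDE (the debug output in the first post shows "permit ip any any" being sent as network 0.0.0.0 mask 0.0.0.0). The following is an added audit script written for this page, not code from the thread or from Cisco: it parses "access-list" lines out of a saved configuration, converts each permit entry's source (Cisco wildcard notation) into the network the client would receive, and flags an ACL that advertises the default route. The two sample ACLs are constructed from the ones in the post; the assumption that the source side of each permit entry is what gets advertised is taken from the debug line quoted above and is only verified there for the "any any" case.

```python
import ipaddress
import re

# Constructed samples: the ACL the thread reports as non-working, and the
# replacement that fixed it (subnet taken from the post).
BROKEN_ACL = """\
access-list 120 remark ==[Cisco VPN Users]==
access-list 120 permit ip any any
"""

FIXED_ACL = """\
access-list 120 remark ==[Cisco VPN Users]==
access-list 120 permit ip 172.16.217.0 0.0.0.255 any
"""

# Numbered extended ACE: access-list <n> permit|deny <proto> <src> <dst>
# where <src>/<dst> is "any", "host A.B.C.D" or "A.B.C.D WILDCARD".
ACE_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)\s*$"
)


def cisco_network(token: str) -> ipaddress.IPv4Network:
    """Turn an ACE address token into an IPv4Network.

    A Cisco wildcard mask is the bitwise inverse of a subnet mask; only
    contiguous wildcards are handled (non-contiguous ones raise ValueError).
    """
    token = token.strip()
    if token == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.IPv4Network(token.split()[1] + "/32")
    addr, wildcard = token.split()
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def split_include_networks(config: str, acl_number: int) -> list[ipaddress.IPv4Network]:
    """Networks the client would receive as SPLIT_INCLUDE from the given ACL.

    Assumption: the source side of each permit entry is what is advertised,
    matching the "Sending split include ... network 0.0.0.0 mask 0.0.0.0"
    debug line the thread shows for "permit ip any any".
    """
    nets = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or int(m["num"]) != acl_number or m["action"] != "permit":
            continue
        nets.append(cisco_network(m["src"]))
    return nets


def audit_split_tunnel(config: str, acl_number: int) -> list[str]:
    """Return human-readable findings for a split-tunnel ACL; empty list means clean."""
    findings = []
    nets = split_include_networks(config, acl_number)
    if not nets:
        findings.append(f"acl {acl_number}: no permit entries, client receives no split-include networks")
    for net in nets:
        if net.prefixlen == 0:
            findings.append(
                f"acl {acl_number}: entry advertises {net} (the default route) as a split include; "
                "list the protected subnets explicitly instead of 'any'"
            )
    return findings


if __name__ == "__main__":
    for label, acl in (("original", BROKEN_ACL), ("fixed", FIXED_ACL)):
        print(label, [str(n) for n in split_include_networks(acl, 120)])
        for finding in audit_split_tunnel(acl, 120):
            print("  ", finding)
```

Run it against a "show running-config" capture saved to a file and the ACL number named under "crypto isakmp client configuration group"; any finding about 0.0.0.0/0 means the router is telling the client to tunnel everything through a single selector line, which is exactly the case the thread ended up replacing.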