Troubleshooting Cisco Remote Access IPsec/IKEv1 VPN for iOS iPhone

 

Hi, we face an issue configuring Remote access IPsec/IKEv1 VPN for cell phones.

We refer to this document:

https://weberblog.net/cisco-asa-remote-access-vpn-for-android/

We can establish the Remote access IPsec/IKEv1 VPN for Android; on Android we select IPsec Identifier (VPN),

but for iOS iPhone, selecting group name (VPN), we faced the issue in the log below:

 

5 Mar 11 2022 09:29:26 713259 Group = VPN, Username = XJA027, IP = 114.223.63.76, Session is being torn down. Reason: Phase 2 Mismatch
3 Mar 11 2022 09:29:26 713902 Group = VPN, Username = XJA027, IP = 114.223.63.76, Removing peer from correlator table failed, no match!
3 Mar 11 2022 09:29:26 713902 Group = VPN, Username = XJA027, IP = 114.223.63.76, QM FSM error (P2 struct &0x00007f87ac1954a0, mess id 0xbf62f231)!

 

 

Configuration below: ASA 5516, Version 9.8

ip local pool VPN 192.168.200.100-192.168.200.200

nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 no-proxy-arp route-lookup

 

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 65535
authentication pre-share
encryption des
hash md5
group 2

 

group-policy VPN internal
group-policy VPN attributes
dns-server value 223.5.5.5 223.6.6.6
vpn-tunnel-protocol ikev1
default-domain value VPNTECH.LOCAL

 

tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool VPN
authentication-server-group 10.174.74.89
default-group-policy VPN
tunnel-group VPN ipsec-attributes
ikev1 pre-shared-key *****


iOS supports group 2 with AES-256, no certificate authentication.

• Diffie-Hellman Groups: Group 2 is required for pre-shared key and hybrid authentication, group 2 with 3DES and AES-128 for certificate authentication, and group 2 or 5 with AES-256.


https://support.apple.com/en-ie/guide/deployment/depdf31db478/web
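
Added example (not part of the original thread and not Cisco or Apple code): a small Python check over the crypto lines posted in the question. It flags a transform-set whose name does not match its contents, weak DES/MD5 in the IKEv1 policy, and a pre-shared-key policy that does not use DH group 2 as the Apple line quoted above requires. The function names and the constructed sample are assumptions for illustration.

```python
import re

# Constructed sample: the crypto lines from the configuration posted in the thread.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto ikev1 policy 65535
authentication pre-share
encryption des
hash md5
group 2
group-policy VPN internal
"""

POLICY_KEYS = ("authentication", "encryption", "hash", "group")

def parse_ikev1(config):
    """Return ({transform-set name: (esp cipher, esp hash)}, {policy number: settings})."""
    tsets, policies, current = {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        words = line.split()
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)$", line)
        p = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            tsets[m.group(1)] = (m.group(2), m.group(3))
        if p:
            current = policies.setdefault(p.group(1), {})
        elif current is not None and len(words) == 2 and words[0] in POLICY_KEYS:
            current[words[0]] = words[1]
        else:
            current = None  # any other command ends the policy sub-mode
    return tsets, policies

def audit(config):
    """List findings as (phase, object, message) tuples."""
    tsets, policies = parse_ikev1(config)
    out = []
    for name, (enc, mac) in tsets.items():
        if "AES-256" in name.upper() and enc != "esp-aes-256":
            out.append(("phase2", name, f"name implies AES-256 but cipher is {enc}"))
        if "SHA" in name.upper() and "sha" not in mac:
            out.append(("phase2", name, f"name implies SHA but integrity is {mac}"))
    for num, s in policies.items():
        if s.get("encryption") == "des" or s.get("hash") == "md5":
            out.append(("phase1", num, "DES/MD5 are weak; prefer aes-256 with sha"))
        # Apple guide quoted in the reply: group 2 is required for pre-shared key.
        if s.get("authentication") == "pre-share" and s.get("group") != "2":
            out.append(("phase1", num, "pre-shared key needs DH group 2 for iOS"))
    return out
```

Running `audit(SAMPLE_CONFIG)` on the posted lines reports the transform-set name/content mismatch for both cipher and integrity, plus the DES/MD5 Phase 1 policy.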