Cisco VPN - Connected but unable to access sites

I have upgraded my iPhone to the version 2.0 software. I was able to create a configuration for the iPhone (using the configuration utility) and push it to my phone. When I attempt to connect to VPN, I am successful, but I am not able to access any of the internal web sites in my network.

I am able to successfully connect to the VPN and access sites using the Cisco VPN client on my MacBook and have copied the settings from the PCF file to my iPhone configuration.

I've also checked the console log in the configuration utility, but don't see any error message related to this issue.

Any assistance would be greatly appreciated.

MacBook, Mac OS X (10.5.2)

Posted on Jul 13, 2008 7:46 AM

10 replies

Jul 14, 2008 10:19 AM in response to nickhatch

We have exactly the same problem. We use Cisco VPN to access. I am able to access the Exchange server when I connect to a wireless router that is inside the private network. At the same time, when I use 3G and connect to the VPN server (the connection works fine; according to the VPN logs I complete Phase 1 properly), I am unable to access resources behind the VPN (including Exchange). We tried to troubleshoot this with the IT guys and it looks like it gives an error connected to some "attribute 5". This error shows up in the VPN logs during authentication.

I checked online - there are a lot of discussions about people being able to connect to the VPN, but not able to go through the VPN itself to private resources.

Jul 17, 2008 9:30 PM in response to digitalsynthesis

Cisco ASA and iPhone IPSEC using pre-shared key: I get "connected" but cannot access anything. ISAKMP phase 1 completes fine, but phase 2 never does, so I am puzzled why it says "connected!" - I tweaked the ipsec transform sets and the dynamic mapping, switched from tunnel-mode to transport mode, enabled NAT-T, since IPSEC-over-TCP is not supported, but still no luck. The regular Cisco IPSEC-VPN client works fine. I checked with Cisco and they said they got the following to work (I'm in the process of tweaking my setup to match this one, but still no luck) - let me know if you get it to work:

crypto ipsec transform-set AES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA mode transport
crypto ipsec transform-set IPSEC_AES256 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyno 10 set transform-set AES-SHA IPSEC_AES256
crypto dynamic-map dyno 10 set security-association lifetime seconds 28800
crypto dynamic-map dyno 10 set security-association lifetime kilobytes 4608000
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
...

Jul 18, 2008 8:12 AM in response to nickhatch

When I do connect to my Cisco 1801, I repeatedly get the following log messages:

01:14:40: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 91.41.160.32, remote= 80.187.106.1,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.113.9/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0

01:14:40: IPSEC(crypto_ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-sha-hmac }


The AES-thing really confuses me because I intentionally use 3des because the iPhone is told to use 3des?!

Jul 18, 2008 10:42 AM in response to Lace666

IT IS WORKING FOR ME!!

I use a Cisco 1801 Router

crypto isakmp policy 1
encr aes
authentication pre-share
group 2

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac

crypto isakmp client configuration group Group1
key MOSTSECRETKEY
dns XXX.XXX.XXX.XXX
domain pierburg
pool SDM POOL1
save-password
max-logins 1
banner ^C It works ^C
!

crypto dynamic-map SDM DYNMAP1 1
set transform-set ESP-AES-256-SHA
reverse-route
!

interface Dialer1
crypto map SDM CMAP1


The iPhone is using AES.
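
The symptom in this thread (phase 1 completes, phase 2 is rejected with "transform proposal not supported") can be checked mechanically by comparing the transform the peer proposes in the debug log with the transform-sets a crypto map actually references. The script below is an added example, not code from any poster or from Cisco; the sample log, addresses, and the set and map names in it are constructed for illustration.

```python
import re

def normalise(tokens):
    """Fold IOS 'esp-aes 256' and ASA 'esp-aes-256' into one spelling."""
    out = []
    for tok in tokens:
        if tok.isdigit() and out:
            out[-1] += "-" + tok
        else:
            out.append(tok.lower())
    return frozenset(out)

def transform_sets(config):
    """Map transform-set name -> transforms; 'mode ...' lines are skipped."""
    sets = {}
    for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", config):
        if not m.group(2).startswith("mode "):
            sets[m.group(1)] = normalise(m.group(2).split())
    return sets

def proposals(log):
    """Transforms the peer offered, read from 'transform= ... (Tunnel-UDP)'."""
    return [normalise(m.group(1).split())
            for m in re.finditer(r"transform=\s*([^(,\n]+)", log)]

def matching_sets(log, config):
    """Per proposal: transform-sets that a crypto map references and that match."""
    defined = transform_sets(config)
    mapped = [n for line in re.findall(r"\bset transform-set (.+)", config)
              for n in line.split() if n in defined]
    return [[n for n in mapped if defined[n] == p] for p in proposals(log)]

# Constructed sample input (documentation addresses, hypothetical set/map names).
SAMPLE_LOG = """\
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.0.2.1, remote= 198.51.100.7,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel-UDP),
"""
CONFIG_BEFORE = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
crypto dynamic-map DYNMAP 1
 set transform-set ESP-3DES-SHA
"""
CONFIG_AFTER = CONFIG_BEFORE.replace(" set transform-set ESP-3DES-SHA",
                                     " set transform-set ESP-AES-256-SHA")

if __name__ == "__main__":
    print("before:", matching_sets(SAMPLE_LOG, CONFIG_BEFORE))
    print("after: ", matching_sets(SAMPLE_LOG, CONFIG_AFTER))
```

An empty list for a proposal means no referenced transform-set accepts it, even if a matching set is defined elsewhere in the configuration but never attached to the map.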
