
Cisco IPSEC problems with Cisco VPN Tunnel

Hello all,
I've got a working tunnel setup between my Cisco 2600 router and the Cisco VPN client software for Mac/PC. I've added a profile for my iPhone and iPad. The iPad (3.2.1) connects with no problems, but my iPhone 4 (4.1) does not establish a connection. I'm using the same details for both.

Here is the terminal monitor log from my Cisco 2600 router:

1y24w: ISAKMP (0:7): retransmitting phase 1 AG_INIT_EXCH...
1y24w: ISAKMP (0:7): peer does not do paranoid keepalives.

1y24w: ISAKMP (0:7): deleting SA reason "death by retransmission P1" state (R) AG_INIT_EXCH (peer 212.166.128.142) input queue 0
1y24w: ISAKMP (0:7): deleting SA reason "death by retransmission P1" state (R) AG_INIT_EXCH (peer 212.166.128.142) input queue 0
1y24w: ISAKMP: Unlocking IKE struct 0x82ADFC0C for isadb_mark_sa_deleted(), count 0
1y24w: ISAKMP: Deleting peer node by peer_reap for 212.166.128.142: 82ADFC0C
1y24w: ISAKMP (0:7): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
1y24w: ISAKMP (0:7): Old State = IKE_R_AM2  New State = IKE_DEST_SA

1y24w: ISAKMP (0:0): received packet from 212.166.128.118 dport 500 sport 500 Global (N) NEW SA
1y24w: ISAKMP: Created a peer struct for 212.166.128.118, peer port 500
1y24w: ISAKMP: Locking peer struct 0x82ADFC0C, IKE refcount 1 for Responding to new initiation
1y24w: ISAKMP: local port 500, remote port 500
1y24w: ISAKMP: insert sa successfully sa = 82769B08
1y24w: ISAKMP (0:8): processing SA payload. message ID = 0
1y24w: ISAKMP (0:8): processing ID payload. message ID = 0
1y24w: ISAKMP (0:8): ID payload
next-payload : 13
type : 11
group id : FSeguraVPNIPhone
protocol : 0
port : 0
length : 24
1y24w: ISAKMP (0:8): peer matches VPNClientIPhone profile
1y24w: ISAKMP: Looking for a matching key for 212.166.128.118 in default
1y24w: ISAKMP (0:8): Setting client config settings 82CC8330
1y24w: ISAKMP (0:8): (Re)Setting client xauth list and state
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 69 mismatch
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 198 mismatch
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 29 mismatch
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 245 mismatch
1y24w: ISAKMP (0:8): vendor ID is NAT-T v7
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 114 mismatch
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 227 mismatch
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 250 mismatch
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 157 mismatch
1y24w: ISAKMP (0:8): vendor ID is NAT-T v3
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 164 mismatch
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 123 mismatch
1y24w: ISAKMP (0:8): vendor ID is NAT-T v2
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 242 mismatch
1y24w: ISAKMP (0:8): vendor ID is XAUTH
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID is Unity
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID is DPD
1y24w: ISAKMP (0:8) Authentication by xauth preshared
1y24w: ISAKMP (0:8): Checking ISAKMP transform 1 against priority 3 policy
1y24w: ISAKMP: life type in seconds
1y24w: ISAKMP: life duration (basic) of 3600
1y24w: ISAKMP: encryption AES-CBC
1y24w: ISAKMP: keylength of 256
1y24w: ISAKMP: auth XAUTHInitPreShared
1y24w: ISAKMP: hash SHA
1y24w: ISAKMP: default group 2
1y24w: ISAKMP (0:8): Encryption algorithm offered does not match policy!
1y24w: ISAKMP (0:8): atts are not acceptable. Next payload is 3
1y24w: ISAKMP (0:8): Checking ISAKMP transform 2 against priority 3 policy
1y24w: ISAKMP: life type in seconds
1y24w: ISAKMP: life duration (basic) of 3600
1y24w: ISAKMP: encryption AES-CBC
1y24w: ISAKMP: keylength of 128
1y24w: ISAKMP: auth XAUTHInitPreShared
1y24w: ISAKMP: hash SHA
1y24w: ISAKMP: default group 2
1y24w: ISAKMP (0:8): Encryption algorithm offered does not match policy!
1y24w: ISAKMP (0:8): atts are not acceptable. Next payload is 3
1y24w: ISAKMP (0:8): Checking ISAKMP transform 3 against priority 3 policy
1y24w: ISAKMP: life type in seconds
1y24w: ISAKMP: life duration (basic) of 3600
1y24w: ISAKMP: encryption AES-CBC
1y24w: ISAKMP: keylength of 256
1y24w: ISAKMP: auth XAUTHInitPreShared
1y24w: ISAKMP: hash MD5
1y24w: ISAKMP: default group 2
1y24w: ISAKMP (0:8): Encryption algorithm offered does not match policy!
1y24w: ISAKMP (0:8): atts are not acceptable. Next payload is 3
1y24w: ISAKMP (0:8): Checking ISAKMP transform 4 against priority 3 policy
1y24w: ISAKMP: life type in seconds
1y24w: ISAKMP: life duration (basic) of 3600
1y24w: ISAKMP: encryption AES-CBC
1y24w: ISAKMP: keylength of 128
1y24w: ISAKMP: auth XAUTHInitPreShared
1y24w: ISAKMP: hash MD5
1y24w: ISAKMP: default group 2
1y24w: ISAKMP (0:8): Encryption algorithm offered does not match policy!
1y24w: ISAKMP (0:8): atts are not acceptable. Next payload is 3
1y24w: ISAKMP (0:8): Checking ISAKMP transform 5 against priority 3 policy
1y24w: ISAKMP: life type in seconds
1y24w: ISAKMP: life duration (basic) of 3600
1y24w: ISAKMP: encryption 3DES-CBC
1y24w: ISAKMP: auth XAUTHInitPreShared
1y24w: ISAKMP: hash SHA
1y24w: ISAKMP: default group 2
1y24w: ISAKMP (0:8): atts are acceptable. Next payload is 3
1y24w: ISAKMP (0:8): processing KE payload. message ID = 0
1y24w: ISAKMP (0:8): processing NONCE payload. message ID = 0
1y24w: ISAKMP (0:8): vendor ID is NAT-T v7
1y24w: ISAKMP (0:8): vendor ID is NAT-T v3
1y24w: ISAKMP (0:8): vendor ID is NAT-T v2
1y24w: ISAKMP (0:8): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
1y24w: ISAKMP (0:8): Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

1y24w: ISAKMP: got callback 1
1y24w: ISAKMP (0:8): SKEYID state generated
1y24w: ISAKMP (0:8): constructed NAT-T vendor-07 ID
1y24w: ISAKMP (0:8): SA is doing pre-shared key authentication plus XAUTH using id type ID IPV4ADDR
1y24w: ISAKMP (0:8): ID payload
next-payload : 10
type : 1
address : x.x.x.x
protocol : 17
port : 0
length : 12
1y24w: ISAKMP (8): Total payload length: 12
1y24w: ISAKMP (0:8): sending packet to 212.166.128.118 my_port 500 peer_port 500 (R) AG_INIT_EXCH
1y24w: ISAKMP (0:8): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
1y24w: ISAKMP (0:8): Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

1y24w: ISAKMP (0:0): received packet from 212.166.128.117 dport 4500 sport 4500 Global (N) NEW SA
1y24w: ISAKMP (0:8): retransmitting phase 1 AG_INIT_EXCH...
1y24w: ISAKMP (0:8): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
1y24w: ISAKMP (0:8): retransmitting phase 1 AG_INIT_EXCH
1y24w: ISAKMP (0:8): sending packet to 212.166.128.118 my_port 500 peer_port 500 (R) AG_INIT_EXCH
1y24w: ISAKMP (0:0): received packet from 212.166.128.117 dport 4500 sport 4500 Global (N) NEW SA
1y24w: ISAKMP (0:8): retransmitting phase 1 AG_INIT_EXCH...
1y24w: ISAKMP (0:8): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
1y24w: ISAKMP (0:8): retransmitting phase 1 AG_INIT_EXCH
1y24w: ISAKMP (0:8): sending packet to 212.166.128.118 my_port 500 peer_port 500 (R) AG_INIT_EXCH
1y24w: ISAKMP (0:0): received packet from 212.166.128.117 dport 4500 sport 4500 Global (N) NEW SA
1y24w: ISAKMP (0:6): purging SA., sa=8276914C, delme=8276914C
1y24w: %FW-6-SESS_AUDIT_TRAIL: udp session initiator (192.168.11.69:5060) sent 1491 bytes -- responder (192.168.4.21:50000) sent 342 bytes
1y24w: ISAKMP (0:8): retransmitting phase 1 AG_INIT_EXCH...
1y24w: ISAKMP (0:8): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
1y24w: ISAKMP (0:8): retransmitting phase 1 AG_INIT_EXCH
1y24w: ISAKMP (0:8): sending packet to 212.166.128.118 my_port 500 peer_port 500 (R) AG_INIT_EXCH
1y24w: ISAKMP (0:0): received packet from 212.166.128.117 dport 4500 sport 4500 Global (N) NEW SA
1y24w: %CRYPTO-4-IKMP_NO_SA: IKE message from 212.166.128.117 has no SA and is not an initialization offer
1y24w: ISAKMP (0:0): received packet from 212.166.128.117 dport 4500 sport 4500 Global (N) NEW SA
1y24w: ISAKMP (0:5): purging SA., sa=83463A3C, delme=83463A3C
1y24w: ISAKMP (0:8): retransmitting phase 1 AG_INIT_EXCH...
1y24w: ISAKMP (0:8): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
1y24w: ISAKMP (0:8): retransmitting phase 1 AG_INIT_EXCH
1y24w: ISAKMP (0:8): sending packet to 212.166.128.118 my_port 500 peer_port 500 (R) AG_INIT_EXCH
1y24w: ISAKMP (0:8): retransmitting phase 1 AG_INIT_EXCH...
1y24w: ISAKMP (0:8): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
1y24w: ISAKMP (0:8): retransmitting phase 1 AG_INIT_EXCH
1y24w: ISAKMP (0:8): sending packet to 212.166.128.118 my_port 500 peer_port 500 (R) AG_INIT_EXCH
1y24w: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 82.207.44.234 -> x.x.x.x (8/0), 1 packet
1y24w: ISAKMP (0:7): purging SA., sa=8318FF08, delme=8318FF08
1y24w: ISAKMP (0:8): retransmitting phase 1 AG_INIT_EXCH...
1y24w: ISAKMP (0:8): peer does not do paranoid keepalives.

1y24w: ISAKMP (0:8): deleting SA reason "death by retransmission P1" state (R) AG_INIT_EXCH (peer 212.166.128.118) input queue 0
1y24w: ISAKMP (0:8): deleting SA reason "death by retransmission P1" state (R) AG_INIT_EXCH (peer 212.166.128.118) input queue 0
1y24w: ISAKMP: Unlocking IKE struct 0x82ADFC0C for isadb_mark_sa_deleted(), count 0
1y24w: ISAKMP: Deleting peer node by peer_reap for 212.166.128.118: 82ADFC0C
1y24w: ISAKMP (0:8): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
1y24w: ISAKMP (0:8): Old State = IKE_R_AM2  New State = IKE_DEST_SA

1y24w: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 82.207.44.234 -> x.x.x.x (8/0), 1 packet

Mac Pro 2.8ghz Intel Quad Core 4GB RAM, Mac OS X (10.6.5), Roland MT32, Roland SC-55, Roland CM-64

Posted on Dec 9, 2010 12:02 AM

5 replies

Mar 15, 2011 10:22 AM in response to wintersgrass

I am having the exact same issue. From your problem description and your logs, you are also trying to use the Spanish Vodafone 3G network.

I am getting this:

[IKEv1]: Group = iphone, IP = 212.166.128.142, Error: Unable to remove PeerTblEntry
[IKEv1]: Group = iphone, IP = 212.166.128.142, Removing peer from peer table failed, no match!
[IKEv1]: Group = iphone, IP = 212.166.128.142, Error: Unable to remove PeerTblEntry
[IKEv1]: Group = iphone, IP = 212.166.128.142, Removing peer from peer table failed, no match!
[IKEv1]: Group = iphone, IP = 212.166.128.142, Error: Unable to remove PeerTblEntry

I had enabled NAT Traversal in the lame and unsuccessful attempt to see if anything "before" the ASA was getting in the way, to no avail. The VPN works when it wants to. From that error I also guess that something regarding the originating connection is recorded in the firewall and cannot be refreshed, hence "reconnection" is not possible until that entry "times out".

Let me know if you solved this.

Mar 15, 2011 11:49 AM in response to kuantize

Actually, after more thought and testing, I don't think the issue resides with Vodafone at all. Looking closely at the logs, it is not negotiating further than Phase 1, so there may be an ISAKMP mismatch between how the iPhone 4 VPN client is trying to connect and the Cisco IPsec Remote Access tunnel settings.

I can't seem to find the exact specs of the Cisco iPhone4 client in order to make my Remote Access tunnel settings match.

Dec 2, 2011 3:16 PM in response to wintersgrass

I also have this exact same problem; I'm on Vodafone in Australia. Symptoms are as follows:

- VPN from iPhone (iOS 5) via Wi-Fi to Cisco 877 VPN connects successfully

- VPN from iPhone (iOS 5) via Vodafone 3G to Cisco 877 VPN gets the error "Negotiation with the VPN server failed."


The logs look almost exactly the same as wintersgrass's (obviously different IPs etc.).


One thing I have noticed, which I suspect is the problem, is that in the logs you will see the initial connection on port 500 (ISAKMP) is NATed to one IP; however, when the connection on UDP port 4500 comes in, it is NATed to a different IP. You can verify that the IP the phone is getting is being NATed by googling "what is my IP" and then comparing this to what you see in the Cisco logs. The two should be different. This changing-IP behaviour is also different from the logs from the connections via Wi-Fi, so I believe the problem lies with Vodafone, though I am trying to find a workaround.


Note: I have tried 'crypto ipsec nat-transparency spi-matching' on the router but it made no difference.
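As an added example (mine, not code from any poster in this thread or from Cisco), here is a small Python parser for the `debug crypto isakmp` output pasted at the top of the thread. It automates the two things the posts work out by eye: which Phase 1 transform the router accepted under its priority 3 policy (every AES proposal is rejected and the exchange settles on 3DES, which the script flags as weak), and whether the NAT-T packets on UDP 4500 arrive from a different public address than the UDP 500 packet that opened the aggressive-mode exchange while the router keeps retransmitting to the original address on port 500 until Phase 1 dies, which is the symptom the reply above describes. The sample log is a constructed, condensed excerpt of the posted lines; the regexes match only the Cisco IOS wording shown on the page.

```python
"""Pull the Phase 1 diagnosis out of Cisco IOS 'debug crypto isakmp' output."""
import re

# Constructed, condensed excerpt of the debug lines posted in the thread.
SAMPLE_LOG = """\
1y24w: ISAKMP (0:0): received packet from 212.166.128.118 dport 500 sport 500 Global (N) NEW SA
1y24w: ISAKMP (0:8): processing SA payload. message ID = 0
1y24w: ISAKMP (0:8): Checking ISAKMP transform 1 against priority 3 policy
1y24w: ISAKMP:      encryption AES-CBC
1y24w: ISAKMP:      keylength of 256
1y24w: ISAKMP:      auth XAUTHInitPreShared
1y24w: ISAKMP:      hash SHA
1y24w: ISAKMP:      default group 2
1y24w: ISAKMP (0:8): Encryption algorithm offered does not match policy!
1y24w: ISAKMP (0:8): atts are not acceptable. Next payload is 3
1y24w: ISAKMP (0:8): Checking ISAKMP transform 5 against priority 3 policy
1y24w: ISAKMP:      encryption 3DES-CBC
1y24w: ISAKMP:      auth XAUTHInitPreShared
1y24w: ISAKMP:      hash SHA
1y24w: ISAKMP:      default group 2
1y24w: ISAKMP (0:8): atts are acceptable. Next payload is 3
1y24w: ISAKMP (0:8): vendor ID is NAT-T v7
1y24w: ISAKMP (0:8): sending packet to 212.166.128.118 my_port 500 peer_port 500 (R) AG_INIT_EXCH
1y24w: ISAKMP (0:0): received packet from 212.166.128.117 dport 4500 sport 4500 Global (N) NEW SA
1y24w: ISAKMP (0:8): retransmitting phase 1 AG_INIT_EXCH...
1y24w: ISAKMP (0:8): sending packet to 212.166.128.118 my_port 500 peer_port 500 (R) AG_INIT_EXCH
1y24w: %CRYPTO-4-IKMP_NO_SA: IKE message from 212.166.128.117 has no SA and is not an initialization offer
1y24w: ISAKMP (0:8): deleting SA reason "death by retransmission P1" state (R) AG_INIT_EXCH (peer 212.166.128.118) input queue 0
"""

RECV = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+)")
SEND = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+)")
XFORM = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|keylength|auth|default group)(?: of)?\s+(\S+)")
VERDICT = re.compile(r"atts are (not )?acceptable")
NO_SA = re.compile(r"IKMP[_ ]?NO_?SA: IKE message from (\S+) has no SA")
DEATH = re.compile(r'deleting SA reason "death by retransmission P1"')

WEAK_ENCRYPTION = {"DES-CBC", "3DES-CBC"}


def parse_transforms(text):
    """Phase 1 transforms the router evaluated, in order, with the attributes the
    debug printed and the router's verdict on each (True, False or None)."""
    transforms, current = [], None
    for line in text.splitlines():
        m = XFORM.search(line)
        if m:
            current = {"number": int(m.group(1)), "policy": int(m.group(2)), "accepted": None}
            transforms.append(current)
        elif current is not None:
            m = ATTR.search(line)
            if m:
                current[m.group(1)] = m.group(2)
                continue
            m = VERDICT.search(line)
            if m:
                current["accepted"] = m.group(1) is None
                current = None  # the verdict line closes this transform
    return transforms


def peer_addresses(text):
    """(ip, port) pairs the router received from and sent to, in log order."""
    received, sent = [], []
    for line in text.splitlines():
        m = RECV.search(line)
        if m:
            received.append((m.group(1), int(m.group(3))))  # peer IP and its source port
            continue
        m = SEND.search(line)
        if m:
            sent.append((m.group(1), int(m.group(3))))      # peer IP and destination port
    return received, sent


def nat_source_mismatch(text):
    """(ike_peer, natt_peer) when UDP/4500 traffic arrives from a different public
    address than the UDP/500 packet that opened the exchange; None otherwise."""
    received, _ = peer_addresses(text)
    ike = next((p for p in received if p[1] == 500), None)
    natt = next((p for p in received if p[1] == 4500), None)
    if ike and natt and ike[0] != natt[0]:
        return ike, natt
    return None


def diagnose(text):
    """Summarise the failure in one dict; every field is derived from the log text."""
    transforms = parse_transforms(text)
    accepted = next((t for t in transforms if t["accepted"]), None)
    mismatch = nat_source_mismatch(text)
    _, sent = peer_addresses(text)
    lines = text.splitlines()
    return {
        "rejected_transforms": [t["number"] for t in transforms if t["accepted"] is False],
        "accepted_transform": accepted,
        "weak_encryption": bool(accepted and accepted.get("encryption") in WEAK_ENCRYPTION),
        "nat_source_changed": mismatch is not None,
        "ike_peer": mismatch[0] if mismatch else None,
        "natt_peer": mismatch[1] if mismatch else None,
        "router_sent_to": sorted(set(sent)),
        "no_sa_from": sorted({m.group(1) for m in map(NO_SA.search, lines) if m}),
        "phase1_died": any(DEATH.search(line) for line in lines),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full `debug crypto isakmp` capture (`term mon` output saved to a file, then `diagnose(open(path).read())`). A result with `nat_source_changed` true and `router_sent_to` still pointing at the port 500 address is the carrier-NAT pattern from this thread; `weak_encryption` true is a separate finding worth fixing on the router, since the client offered AES-256/SHA first and the priority 3 policy turned it down.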

Dec 2, 2011 5:11 PM in response to wintersgrass

FYI this issue is also discussed here: http://forums.whirlpool.net.au/forum-replies.cfm?t=1627210&p=-1&#bottom


I have tested a fix for this issue. It is an issue with the Vodafone APN you are using. I'm in Australia; you'll need to find the equivalent for your country, but here is my fix.

I created a file called 'vfinternet.au APN change.mobileconfig' in the iPhone Configuration Utility, emailed it to my iPhone, imported it, and now VPN works fine. I've included the config for this file below.

Good luck!

------------------------------------------------------------------------------------

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Top-level Configuration profile wrapping one com.apple.apn.managed payload -->
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadContent</key>
      <array>
        <dict>
          <!-- The APN override itself: carrier defaults domain with a single APN entry -->
          <key>DefaultsData</key>
          <dict>
            <key>apns</key>
            <array>
              <dict>
                <key>apn</key>
                <string>vfinternet.au</string>
                <key>proxyPort</key>
                <integer>0</integer>
              </dict>
            </array>
          </dict>
          <key>DefaultsDomainName</key>
          <string>com.apple.managedCarrier</string>
        </dict>
      </array>
      <key>PayloadDescription</key>
      <string>Provides customization of carrier Access Point Name.</string>
      <key>PayloadDisplayName</key>
      <string>Advanced</string>
      <key>PayloadIdentifier</key>
      <string>vfinternet.au APN change.</string>
      <key>PayloadOrganization</key>
      <string></string>
      <key>PayloadType</key>
      <string>com.apple.apn.managed</string>
      <key>PayloadUUID</key>
      <string>62EFB71A-C901-488D-92B8-AE698CC496FA</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>Profile description.</string>
  <key>PayloadDisplayName</key>
  <string>vfinternet.au APN change</string>
  <key>PayloadIdentifier</key>
  <string>vfinternet.au APN change</string>
  <key>PayloadOrganization</key>
  <string></string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>6F3F1B6C-D47F-492D-A442-F32A39EB5D51</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
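As an added example (mine, not the poster's file and not Apple's tooling), here is a Python script that builds the same kind of APN-override profile with the standard library's `plistlib` and checks a `.mobileconfig` before it is mailed to a phone. The checks are structural and mirror what the posted XML exhibits: a top-level `Configuration` payload, a `com.apple.apn.managed` payload, the `com.apple.managedCarrier` defaults domain, a non-empty `apn`, and well-formed, unique `PayloadUUID` values. The identifier `au.vfinternet.apn-change` is an assumed reverse-DNS-style name; the poster's profile uses free-text identifiers, which iOS accepted.

```python
"""Generate and sanity-check an iOS APN-override .mobileconfig with plistlib."""
import plistlib
import uuid

CARRIER_DOMAIN = "com.apple.managedCarrier"
APN_PAYLOAD_TYPE = "com.apple.apn.managed"


def build_apn_profile(apn, display_name, identifier, organization="", proxy=None, proxy_port=0):
    """Return the profile as a dict with the same nesting as the posted XML:
    Configuration -> com.apple.apn.managed -> DefaultsData -> apns[]."""
    apn_entry = {"apn": apn, "proxyPort": proxy_port}
    if proxy:  # the posted profile sets no proxy; the key is optional
        apn_entry["proxy"] = proxy
    apn_payload = {
        "PayloadType": APN_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".apn",
        "PayloadUUID": str(uuid.uuid4()).upper(),  # fresh UUID per generated profile
        "PayloadDisplayName": "Advanced",
        "PayloadDescription": "Provides customization of carrier Access Point Name.",
        "PayloadOrganization": organization,
        "PayloadContent": [
            {"DefaultsDomainName": CARRIER_DOMAIN, "DefaultsData": {"apns": [apn_entry]}}
        ],
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadDescription": "Sets the cellular data APN to " + apn + ".",
        "PayloadOrganization": organization,
        "PayloadRemovalDisallowed": False,  # the user may remove it from Settings
        "PayloadContent": [apn_payload],
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist format iOS expects in a .mobileconfig file."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML, sort_keys=True)


def apns_in(data):
    """Every APN string a profile would install, in order."""
    profile = plistlib.loads(data)
    found = []
    for payload in profile.get("PayloadContent", []):
        for defaults in payload.get("PayloadContent", []):
            for entry in defaults.get("DefaultsData", {}).get("apns", []):
                found.append(entry.get("apn"))
    return found


def check_profile(data):
    """Return a list of problems found in a .mobileconfig; an empty list means it passed."""
    problems = []
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # plistlib raises InvalidFileException or an XML parse error
        return ["not a valid plist: " + exc.__class__.__name__]
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    uuids = [profile.get("PayloadUUID")]
    for payload in profile.get("PayloadContent", []):
        uuids.append(payload.get("PayloadUUID"))
        if payload.get("PayloadType") != APN_PAYLOAD_TYPE:
            # Anything else (VPN, proxy, certificates) is more than an APN change.
            problems.append("unexpected payload type " + repr(payload.get("PayloadType")))
        for defaults in payload.get("PayloadContent", []):
            if defaults.get("DefaultsDomainName") != CARRIER_DOMAIN:
                problems.append("DefaultsDomainName must be " + CARRIER_DOMAIN)
            for entry in defaults.get("DefaultsData", {}).get("apns", []):
                if not entry.get("apn"):
                    problems.append("empty apn")
    for value in uuids:
        try:
            uuid.UUID(str(value))
        except ValueError:
            problems.append("bad PayloadUUID: " + repr(value))
    if len(set(uuids)) != len(uuids):
        problems.append("PayloadUUID values must be unique")
    return problems


if __name__ == "__main__":
    blob = to_mobileconfig(build_apn_profile("vfinternet.au", "vfinternet.au APN change",
                                             "au.vfinternet.apn-change"))
    print(blob.decode())
    print("problems:", check_profile(blob), "apns:", apns_in(blob))
```

A profile mailed around and installed by hand is unsigned, so the phone shows it as not verified, and a `Configuration` profile can carry far more than an APN (VPN, proxy, certificate payloads). Running `check_profile` on a received file, and rejecting any payload type you did not expect, is the minimum before installing someone else's `.mobileconfig`; signing the profile with your own certificate is the better fix when you distribute one.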
