5 Replies Latest reply: Dec 2, 2011 5:11 PM by rcha101
wintersgrass Level 1 (0 points)
Hello all,
I've got a working tunnel setup between my Cisco 2600 Router and Cisco VPN client software for MAC/PC. I've added a profile for my iphone and ipad. The ipad (3.2.1) connects with no problems but my iphone 4 (4.1) does not establish a connection. I'm using the same details for both.

Here is the terminal monitor log from my cisco 2600 router:

1y24w: ISAKMP (0:7): retransmitting phase 1 AGINITEXCH...
1y24w: ISAKMP (0:7): peer does not do paranoid keepalives.

1y24w: ISAKMP (0:7): deleting SA reason "death by retransmission P1" state (R) AGINITEXCH (peer 212.166.128.142) input queue 0
1y24w: ISAKMP (0:7): deleting SA reason "death by retransmission P1" state (R) AGINITEXCH (peer 212.166.128.142) input queue 0
1y24w: ISAKMP: Unlocking IKE struct 0x82ADFC0C for isadbmark_sadeleted(), count 0
1y24w: ISAKMP: Deleting peer node by peer_reap for 212.166.128.142: 82ADFC0C
1y24w: ISAKMP (0:7): Input = IKEMESGINTERNAL, IKEPHASE1DEL
1y24w: ISAKMP (0:7): Old State = IKERAM2 New State = IKEDESTSA

1y24w: ISAKMP (0:0): received packet from 212.166.128.118 dport 500 sport 500 Global (N) NEW SA
1y24w: ISAKMP: Created a peer struct for 212.166.128.118, peer port 500
1y24w: ISAKMP: Locking peer struct 0x82ADFC0C, IKE refcount 1 for Responding to new initiation
1y24w: ISAKMP: local port 500, remote port 500
1y24w: ISAKMP: insert sa successfully sa = 82769B08
1y24w: ISAKMP (0:8): processing SA payload. message ID = 0
1y24w: ISAKMP (0:8): processing ID payload. message ID = 0
1y24w: ISAKMP (0:8): ID payload
next-payload : 13
type : 11
group id : FSeguraVPNIPhone
protocol : 0
port : 0
length : 24
1y24w: ISAKMP (0:8): peer matches VPNClientIPhone profile
1y24w: ISAKMP: Looking for a matching key for 212.166.128.118 in default
1y24w: ISAKMP (0:8): Setting client config settings 82CC8330
1y24w: ISAKMP (0:8): (Re)Setting client xauth list and state
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 69 mismatch
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 198 mismatch
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 29 mismatch
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 245 mismatch
1y24w: ISAKMP (0:8): vendor ID is NAT-T v7
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 114 mismatch
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 227 mismatch
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 250 mismatch
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 157 mismatch
1y24w: ISAKMP (0:8): vendor ID is NAT-T v3
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 164 mismatch
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 123 mismatch
1y24w: ISAKMP (0:8): vendor ID is NAT-T v2
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID seems Unity/DPD but major 242 mismatch
1y24w: ISAKMP (0:8): vendor ID is XAUTH
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID is Unity
1y24w: ISAKMP (0:8): processing vendor id payload
1y24w: ISAKMP (0:8): vendor ID is DPD
1y24w: ISAKMP (0:8) Authentication by xauth preshared
1y24w: ISAKMP (0:8): Checking ISAKMP transform 1 against priority 3 policy
1y24w: ISAKMP: life type in seconds
1y24w: ISAKMP: life duration (basic) of 3600
1y24w: ISAKMP: encryption AES-CBC
1y24w: ISAKMP: keylength of 256
1y24w: ISAKMP: auth XAUTHInitPreShared
1y24w: ISAKMP: hash SHA
1y24w: ISAKMP: default group 2
1y24w: ISAKMP (0:8): Encryption algorithm offered does not match policy!
1y24w: ISAKMP (0:8): atts are not acceptable. Next payload is 3
1y24w: ISAKMP (0:8): Checking ISAKMP transform 2 against priority 3 policy
1y24w: ISAKMP: life type in seconds
1y24w: ISAKMP: life duration (basic) of 3600
1y24w: ISAKMP: encryption AES-CBC
1y24w: ISAKMP: keylength of 128
1y24w: ISAKMP: auth XAUTHInitPreShared
1y24w: ISAKMP: hash SHA
1y24w: ISAKMP: default group 2
1y24w: ISAKMP (0:8): Encryption algorithm offered does not match policy!
1y24w: ISAKMP (0:8): atts are not acceptable. Next payload is 3
1y24w: ISAKMP (0:8): Checking ISAKMP transform 3 against priority 3 policy
1y24w: ISAKMP: life type in seconds
1y24w: ISAKMP: life duration (basic) of 3600
1y24w: ISAKMP: encryption AES-CBC
1y24w: ISAKMP: keylength of 256
1y24w: ISAKMP: auth XAUTHInitPreShared
1y24w: ISAKMP: hash MD5
1y24w: ISAKMP: default group 2
1y24w: ISAKMP (0:8): Encryption algorithm offered does not match policy!
1y24w: ISAKMP (0:8): atts are not acceptable. Next payload is 3
1y24w: ISAKMP (0:8): Checking ISAKMP transform 4 against priority 3 policy
1y24w: ISAKMP: life type in seconds
1y24w: ISAKMP: life duration (basic) of 3600
1y24w: ISAKMP: encryption AES-CBC
1y24w: ISAKMP: keylength of 128
1y24w: ISAKMP: auth XAUTHInitPreShared
1y24w: ISAKMP: hash MD5
1y24w: ISAKMP: default group 2
1y24w: ISAKMP (0:8): Encryption algorithm offered does not match policy!
1y24w: ISAKMP (0:8): atts are not acceptable. Next payload is 3
1y24w: ISAKMP (0:8): Checking ISAKMP transform 5 against priority 3 policy
1y24w: ISAKMP: life type in seconds
1y24w: ISAKMP: life duration (basic) of 3600
1y24w: ISAKMP: encryption 3DES-CBC
1y24w: ISAKMP: auth XAUTHInitPreShared
1y24w: ISAKMP: hash SHA
1y24w: ISAKMP: default group 2
1y24w: ISAKMP (0:8): atts are acceptable. Next payload is 3
1y24w: ISAKMP (0:8): processing KE payload. message ID = 0
1y24w: ISAKMP (0:8): processing NONCE payload. message ID = 0
1y24w: ISAKMP (0:8): vendor ID is NAT-T v7
1y24w: ISAKMP (0:8): vendor ID is NAT-T v3
1y24w: ISAKMP (0:8): vendor ID is NAT-T v2
1y24w: ISAKMP (0:8): Input = IKEMESG_FROMPEER, IKEAMEXCH
1y24w: ISAKMP (0:8): Old State = IKE_READY New State = IKER_AM_AAAAWAIT

1y24w: ISAKMP: got callback 1
1y24w: ISAKMP (0:8): SKEYID state generated
1y24w: ISAKMP (0:8): constructed NAT-T vendor-07 ID
1y24w: ISAKMP (0:8): SA is doing pre-shared key authentication plus XAUTH using id type IDIPV4ADDR
1y24w: ISAKMP (0:8): ID payload
next-payload : 10
type : 1
address : x.x.x.x
protocol : 17
port : 0
length : 12
1y24w: ISAKMP (8): Total payload length: 12
1y24w: ISAKMP (0:8): sending packet to 212.166.128.118 my_port 500 peer_port 500 (R) AGINITEXCH
1y24w: ISAKMP (0:8): Input = IKEMESG_FROMAAA, PRESHAREDKEYREPLY
1y24w: ISAKMP (0:8): Old State = IKER_AM_AAAAWAIT New State = IKERAM2

1y24w: ISAKMP (0:0): received packet from 212.166.128.117 dport 4500 sport 4500 Global (N) NEW SA
1y24w: ISAKMP (0:8): retransmitting phase 1 AGINITEXCH...
1y24w: ISAKMP (0:8): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
1y24w: ISAKMP (0:8): retransmitting phase 1 AGINITEXCH
1y24w: ISAKMP (0:8): sending packet to 212.166.128.118 my_port 500 peer_port 500 (R) AGINITEXCH
1y24w: ISAKMP (0:0): received packet from 212.166.128.117 dport 4500 sport 4500 Global (N) NEW SA
1y24w: ISAKMP (0:8): retransmitting phase 1 AGINITEXCH...
1y24w: ISAKMP (0:8): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
1y24w: ISAKMP (0:8): retransmitting phase 1 AGINITEXCH
1y24w: ISAKMP (0:8): sending packet to 212.166.128.118 my_port 500 peer_port 500 (R) AGINITEXCH
1y24w: ISAKMP (0:0): received packet from 212.166.128.117 dport 4500 sport 4500 Global (N) NEW SA
1y24w: ISAKMP (0:6): purging SA., sa=8276914C, delme=8276914C
1y24w: %FW-6-SESSAUDITTRAIL: udp session initiator (192.168.11.69:5060) sent 1491 bytes -- responder (192.168.4.21:50000) sent 342 bytes
1y24w: ISAKMP (0:8): retransmitting phase 1 AGINITEXCH...
1y24w: ISAKMP (0:8): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
1y24w: ISAKMP (0:8): retransmitting phase 1 AGINITEXCH
1y24w: ISAKMP (0:8): sending packet to 212.166.128.118 my_port 500 peer_port 500 (R) AGINITEXCH
1y24w: ISAKMP (0:0): received packet from 212.166.128.117 dport 4500 sport 4500 Global (N) NEW SA
1y24w: %CRYPTO-4-IKMPNOSA: IKE message from 212.166.128.117 has no SA and is not an initialization offer
1y24w: ISAKMP (0:0): received packet from 212.166.128.117 dport 4500 sport 4500 Global (N) NEW SA
1y24w: ISAKMP (0:5): purging SA., sa=83463A3C, delme=83463A3C
1y24w: ISAKMP (0:8): retransmitting phase 1 AGINITEXCH...
1y24w: ISAKMP (0:8): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
1y24w: ISAKMP (0:8): retransmitting phase 1 AGINITEXCH
1y24w: ISAKMP (0:8): sending packet to 212.166.128.118 my_port 500 peer_port 500 (R) AGINITEXCH
1y24w: ISAKMP (0:8): retransmitting phase 1 AGINITEXCH...
1y24w: ISAKMP (0:8): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
1y24w: ISAKMP (0:8): retransmitting phase 1 AGINITEXCH
1y24w: ISAKMP (0:8): sending packet to 212.166.128.118 my_port 500 peer_port 500 (R) AGINITEXCH
1y24w: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 82.207.44.234 -> x.x.x.x (8/0), 1 packet
1y24w: ISAKMP (0:7): purging SA., sa=8318FF08, delme=8318FF08
1y24w: ISAKMP (0:8): retransmitting phase 1 AGINITEXCH...
1y24w: ISAKMP (0:8): peer does not do paranoid keepalives.

1y24w: ISAKMP (0:8): deleting SA reason "death by retransmission P1" state (R) AGINITEXCH (peer 212.166.128.118) input queue 0
1y24w: ISAKMP (0:8): deleting SA reason "death by retransmission P1" state (R) AGINITEXCH (peer 212.166.128.118) input queue 0
1y24w: ISAKMP: Unlocking IKE struct 0x82ADFC0C for isadbmark_sadeleted(), count 0
1y24w: ISAKMP: Deleting peer node by peer_reap for 212.166.128.118: 82ADFC0C
1y24w: ISAKMP (0:8): Input = IKEMESGINTERNAL, IKEPHASE1DEL
1y24w: ISAKMP (0:8): Old State = IKERAM2 New State = IKEDESTSA

1y24w: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 82.207.44.234 -> x.x.x.x (8/0), 1 packet

Mac Pro 2.8ghz Intel Quad Core 4GB RAM, Mac OS X (10.6.5), Roland MT32, Roland SC-55, Roland CM-64
  • kuantize Level 1 (10 points)
    I am having the exact same issue. From your problem description and your logs, you are also trying to use the Spanish Vodafone 3G network.

    I am getting this:

    [IKEv1]: Group = iphone, IP = 212.166.128.142, Error: Unable to remove PeerTblEntry
    [IKEv1]: Group = iphone, IP = 212.166.128.142, Removing peer from peer table failed, no match!
    [IKEv1]: Group = iphone, IP = 212.166.128.142, Error: Unable to remove PeerTblEntry
    [IKEv1]: Group = iphone, IP = 212.166.128.142, Removing peer from peer table failed, no match!
    [IKEv1]: Group = iphone, IP = 212.166.128.142, Error: Unable to remove PeerTblEntry

    I had enabled NAT Traversal in a lame and unsuccessful attempt to see if anything "before" the ASA was getting in the way, to no avail. The VPN works when it wants to. From that error I also guess that something regarding the originating connection is recorded in the firewall and cannot be refreshed, hence "reconnection" is not possible until that entry "times out".

    Let me know if you solved this.
  • kuantize Level 1 (10 points)
    Actually, after more thought and testing, I don't think the issue resides with Vodafone at all. Looking closely at the logs, it is not negotiating further than phase 1, so there may be an ISAKMP mismatch between how the iPhone 4 VPN client is trying to connect and the Cisco IPsec Remote Access tunnel.

    I can't seem to find the exact specs of the Cisco iPhone 4 client in order to make my Remote Access tunnel settings match.
  • mgorb Level 1 (0 points)
    I also had some trouble setting up IPsec from iPhone to Cisco, but finally it worked.

    This guide appeared to be very useful: http://manuals.info.apple.com/enUS/Enterprise_DeploymentGuide.pdf.

    Also, you may check logs on the iPhone side with the iPhone Configuration Utility.
  • rcha101 Level 1 (0 points)

    I also have this exact same problem, I'm on Vodafone in Australia. Symptoms are as follows:

    - VPN from iPhone (iOS 5) via WiFi to Cisco 877 VPN connects successfully

    - VPN from iPhone (iOS 5) via Vodafone 3G to Cisco 877 VPN gets error "Negotiation with the VPN server failed."

    The logs look almost exactly the same as wintersgrass's (obviously different IPs etc).

    One thing I have noticed, which I suspect is the problem, is that in the logs you will see the initial connection on port 500 (ISAKMP) is NATed to one IP; however, when the connection on UDP port 4500 comes in, it is NATed to a different IP. You can verify that the IP the phone is getting is being NATed by googling "what is my IP" and then comparing this to what you see in the Cisco logs. The two should be different. This changing IP behaviour is also different to the logs from the connections via WiFi, so I believe the problem lies with Vodafone, though I am trying to find a workaround.


    Note: I have tried 'crypto ipsec nat-transparency spi-matching' on the router but it made no difference.
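    A small detector for the symptom rcha101 describes above (the UDP 500 and UDP 4500 legs of one IKE negotiation arriving from different NATed source addresses), written as an added example for this thread, not code from any of the posters or from Cisco; the sample log is constructed from the debug excerpt quoted earlier in the thread, and the function name is my own.

```python
import re

# Constructed sample log: lines modelled on the router debug output quoted in
# this thread (same addresses), trimmed to the events the detector needs.
SAMPLE_LOG = """\
1y24w: ISAKMP (0:0): received packet from 212.166.128.118 dport 500 sport 500 Global (N) NEW SA
1y24w: ISAKMP (0:8): processing SA payload. message ID = 0
1y24w: ISAKMP (0:8): sending packet to 212.166.128.118 my_port 500 peer_port 500 (R) AGINITEXCH
1y24w: ISAKMP (0:0): received packet from 212.166.128.117 dport 4500 sport 4500 Global (N) NEW SA
1y24w: ISAKMP (0:8): retransmitting phase 1 AGINITEXCH...
1y24w: %CRYPTO-4-IKMPNOSA: IKE message from 212.166.128.117 has no SA and is not an initialization offer
1y24w: ISAKMP (0:8): deleting SA reason "death by retransmission P1" state (R) AGINITEXCH (peer 212.166.128.118) input queue 0
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
RECV = re.compile(r"received packet from " + IP + r" dport (\d+) sport (\d+)")
SEND = re.compile(r"sending packet to " + IP + r" my_port \d+ peer_port (\d+) \(R\) AGINITEXCH")
DELETE = re.compile(r'deleting SA reason "death by retransmission P1".*\(peer ' + IP + r"\)")


def find_nat_port_mismatch(log_text):
    """Flag UDP 4500 (NAT-T) packets that arrive from an address other than the
    peer the router is still waiting on for its aggressive-mode reply on UDP 500.
    Returns one finding dict per offending packet (hypothetical helper name)."""
    pending = []   # peers with a phase-1 (AGINITEXCH) reply outstanding on UDP 500
    findings = []
    for line in log_text.splitlines():
        m = SEND.search(line)
        if m and m.group(2) == "500":
            if m.group(1) not in pending:
                pending.append(m.group(1))
            continue
        m = DELETE.search(line)
        if m:                      # router gave up on this peer: stop tracking it
            if m.group(1) in pending:
                pending.remove(m.group(1))
            continue
        m = RECV.search(line)
        if m and m.group(2) == "4500" and pending and m.group(1) not in pending:
            findings.append({"nat_t_src": m.group(1),
                             "phase1_pending_on_udp500": sorted(pending)})
    return findings


if __name__ == "__main__":
    for f in find_nat_port_mismatch(SAMPLE_LOG):
        print("NAT-T packet from %s while phase 1 is pending with %s"
              % (f["nat_t_src"], ", ".join(f["phase1_pending_on_udp500"])))
```

    On a WiFi connection, where both legs come from the same address, the function returns an empty list; a non-empty result is the carrier-NAT signature rcha101 points at.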

  • rcha101 Level 1 (0 points)

    FYI this issue is also discussed here: http://forums.whirlpool.net.au/forum-replies.cfm?t=1627210&p=-1&#bottom


    I have tested a fix for this issue. It is an issue with the Vodafone APN you are using. I'm in Australia; you'll need to find the equivalent for your country, but here is my fix.

    I created a file called 'vfinternet.au APN change.mobileconfig' in the iPhone Configuration Utility, emailed it to my iPhone and imported it and now VPN works fine. I've included the config for this file below.

    Good luck!

    --------------------------------------------------------------------------------

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>PayloadContent</key>
    <array>
    <dict>
    <key>PayloadContent</key>
    <array>
    <dict>
    <key>DefaultsData</key>
    <dict>
    <key>apns</key>
    <array>
    <dict>
    <key>apn</key>
    <string>vfinternet.au</string>
    <key>proxyPort</key>
    <integer>0</integer>
    </dict>
    </array>
    </dict>
    <key>DefaultsDomainName</key>
    <string>com.apple.managedCarrier</string>
    </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Provides customization of carrier Access Point Name.</string>
    <key>PayloadDisplayName</key>
    <string>Advanced</string>
    <key>PayloadIdentifier</key>
    <string>vfinternet.au APN change.</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadType</key>
    <string>com.apple.apn.managed</string>
    <key>PayloadUUID</key>
    <string>62EFB71A-C901-488D-92B8-AE698CC496FA</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Profile description.</string>
    <key>PayloadDisplayName</key>
    <string>vfinternet.au APN change</string>
    <key>PayloadIdentifier</key>
    <string>vfinternet.au APN change</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>6F3F1B6C-D47F-492D-A442-F32A39EB5D51</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    </dict>
    </plist>