
VPN Connectivity for Cell Phone VPN

dan hale
Level 3

Hi All, I have a site that has a UC500, and I am currently using the Cisco VPN client that I set up via EZVPN through the GUI. The VPN client works great, no problems there, when I use the client via a laptop. However, I have an Administrator that is determined to use the built-in VPN feature in his phone to connect to the inside network. From what I can tell, the VPN on the cell phone is capable of doing IPsec; however, I tried setting it up and using it from my phone and his, but it will not connect.

Are there additional ports or access-lists I have to create to let the Cell Phone VPN connect to my UC500? Below are the phones I'm using and partial output of the config.

Thanks for any help,

Dan

Cell Phones

HTC Imagio

HTC Evo 4G

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZVPN_GROUP_1
 key xxxxxxxx
 dns xxxxxxxx
 pool SDM_POOL_1
 acl 109
 save-password
 max-users 10
crypto isakmp profile sdm-ike-profile-1
 match identity group EZVPN_GROUP_1
 client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
 isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
 client configuration address respond
 virtual-template 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1

access-list 109 permit ip 192.168.1.0 0.0.0.255 any
access-list 109 permit ip 10.1.1.0 0.0.0.255 any
access-list 109 permit ip 10.1.10.0 0.0.0.3 any

ip access-list extended in-outside
 remark SDM_ACL Category=17
 permit tcp any host xxx.xxx.xxx.xxx eq 4125 log
 permit tcp any host xxx.xxx.xxx.xxx eq 3389 log
 permit tcp any host xxx.xxx.xxx.xxx eq smtp log
 permit tcp any host xxx.xxx.xxx.xxx eq 443 log
 permit tcp any host xxx.xxx.xxx.xxx eq www log
 permit udp host xxx.xxx.xxx.xxx eq domain any
 permit udp host xxx.xxx.xxx.xxx eq domain any
 permit icmp any host xxx.xxx.xxx.xxx time-exceeded
 permit icmp any host xxx.xxx.xxx.xxx unreachable
 permit tcp xxx.xxx.xxx.xxx 0.0.0.7 host xxx.xxx.xxx.xxx eq 22
 permit udp any host xxx.xxx.xxx.xxx eq isakmp
 permit udp any host xxx.xxx.xxx.xxx eq non500-isakmp

1 Reply

Marcin Latosiewicz
Cisco Employee

Dan,

Mobile phone vendors usually publish requirements for IPsec VPN termination on their support pages.

Since you're mentioning that the problem is with the connection, it's rather the fact that it does not like either the isakmp or ipsec settings.


Debugging on IOS (deb cry isa, deb crypto ipsec) will tell you more.

Marcin
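
The reply above points at a mismatch in ISAKMP or IPsec settings. As an added example (not written by either poster, and not a Cisco tool), this Python script reads the phase 1 policy and transform set from the posted configuration, fills in the IOS defaults for lines the policy omits (here the hash), and lists the fields where a client proposal differs. The two phone proposals are constructed for illustration and are not taken from any vendor's documentation.

```python
import re

# IOS defaults for values omitted from a "crypto isakmp policy" block
# (classic IOS behaviour; confirm on the router with "show crypto isakmp policy").
IKE_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

# Lines copied from the configuration posted in the question.
CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
"""

def ike_policies(config):
    """Return {priority: effective phase 1 settings} with defaults filled in."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        key, _, value = line.partition(" ")
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(IKE_DEFAULTS))
        elif current is not None and key in IKE_DEFAULTS:
            current[key] = value.strip()
        elif line:
            current = None  # any other line ends the policy block
    return policies

def transform_sets(config):
    """Return {transform-set name: set of phase 2 transforms}."""
    pattern = r"^\s*crypto ipsec transform-set (\S+) (.+)$"
    return {n: set(t.split()) for n, t in re.findall(pattern, config, re.M)}

def ike_mismatches(policy, proposal):
    """Map each differing field to (router value, client value)."""
    return {k: (policy[k], proposal.get(k)) for k in policy if policy[k] != proposal.get(k)}

# Hypothetical client proposals, constructed for this example.
PHONE_A = {"encr": "aes 256", "hash": "sha", "authentication": "pre-share", "group": "2"}
PHONE_B = {"encr": "3des", "hash": "sha", "authentication": "pre-share", "group": "2"}

if __name__ == "__main__":
    print(ike_mismatches(ike_policies(CONFIG)[1], PHONE_A))
```

An empty result only means the phase 1 parameters line up; the output of the debugs named in the reply remains the authoritative record of what the phone actually proposed.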