Cisco VPN on iPads

I'm trying to get a VPN working on a Cisco 1811. The VPN is basically used for the following scenario: a user will connect to the VPN and, once inside, they will connect to a computer using VNC. This setup works on computers; the problem is when the user tries from an iPad/iPhone. The user is able to connect to the VPN, but they can't ping anything except the router. A computer, however, can ping the router and any other computers on the network (even computers connecting through VPN); they can't ping iPads connecting in through VPN, however. I'm really not sure what the issue is here, whether it is a Cisco issue or an iPad issue. Thanks for any help.

praprama Wed, 09/15/2010 - 17:30

Hey,

The VPN config should be alright given the fact that computers are able to ping anything on the LAN. When connected using an iPad and sending traffic, please paste the output of "show crypto ipsec sa".

Regards,

Prapanch

Here is the output of show crypto ipsec sa. I ran it while the iPad was pinging the router (as that is all that the iPad can ping on the network).

interface: FastEthernet0
    Crypto map tag: SDM_CMAP_3, local addr *External ip address*

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.11.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.11.101.0/255.255.255.0/0/0)
   current_peer *External ip address 2* port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 436, #pkts encrypt: 436, #pkts digest: 436
    #pkts decaps: 688, #pkts decrypt: 688, #pkts verify: 688
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: *External ip address*, remote crypto endpt.: *External ip address 2*
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access4
    Crypto map tag: Virtual-Access4-head-0, local addr *External ip address*

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.11.100.83/255.255.255.255/0/0)
   current_peer 142.179.171.145 port 63955
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: *External ip address*, remote crypto endpt.: 142.179.171.145
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x5CBDB39(97246009)

     inbound esp sas:
      spi: 0xCE7D94EA(3464336618)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 49, flow_id: Motorola SEC 2.0:49, crypto map: Virtual-Access4-head-0
        sa timing: remaining key lifetime (k/sec): (4383705/3567)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x5CBDB39(97246009)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 50, flow_id: Motorola SEC 2.0:50, crypto map: Virtual-Access4-head-0
        sa timing: remaining key lifetime (k/sec): (4383705/3567)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

praprama Sat, 09/18/2010 - 08:10

Hey,

Can you post the same output when trying to ping some other host behind the router? Need to see how the encaps and decaps counters increase. Also, do you see any logs on the router when trying to ping some host on the inside?

Regards,

Prapanch

Here are the results of the iPhone trying to ping a computer on the network:

interface: FastEthernet0
    Crypto map tag: SDM_CMAP_3, local addr *external IP address*

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.11.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.11.101.0/255.255.255.0/0/0)
   current_peer *external IP address 2* port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3788, #pkts encrypt: 3788, #pkts digest: 3788
    #pkts decaps: 5625, #pkts decrypt: 5625, #pkts verify: 5625
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: *external IP address*, remote crypto endpt.: *external IP address 2*
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access5
    Crypto map tag: Virtual-Access5-head-0, local addr *external IP address*

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.11.100.90/255.255.255.255/0/0)
   current_peer 142.179.171.145 port 19060
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: *external IP address*, remote crypto endpt.: 142.179.171.145
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x4A3F6F0(77854448)

     inbound esp sas:
      spi: 0x36816BFC(914451452)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 59, flow_id: Motorola SEC 2.0:59, crypto map: Virtual-Access5-head-0
        sa timing: remaining key lifetime (k/sec): (4553464/3555)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4A3F6F0(77854448)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 60, flow_id: Motorola SEC 2.0:60, crypto map: Virtual-Access5-head-0
        sa timing: remaining key lifetime (k/sec): (4553465/3555)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
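
The counter comparison requested in this thread can be scripted. The following is an added example, not part of any post above: it parses two "show crypto ipsec sa" snapshots and reports, per remote ident, how far the encaps and decaps counters grew and which direction carried packets. The sample text is constructed from the shape of the posted output, and the function names are hypothetical.

```python
import re
# Constructed samples, trimmed to the lines that matter and shaped like the
# "show crypto ipsec sa" output posted in this thread.
FIRST = """\
interface: FastEthernet0
   remote ident (addr/mask/prot/port): (10.11.101.0/255.255.255.0/0/0)
    #pkts encaps: 436, #pkts encrypt: 436, #pkts digest: 436
    #pkts decaps: 688, #pkts decrypt: 688, #pkts verify: 688
"""
SECOND = """\
interface: FastEthernet0
   remote ident (addr/mask/prot/port): (10.11.101.0/255.255.255.0/0/0)
    #pkts encaps: 3788, #pkts encrypt: 3788, #pkts digest: 3788
    #pkts decaps: 5625, #pkts decrypt: 5625, #pkts verify: 5625
interface: Virtual-Access5
   remote ident (addr/mask/prot/port): (10.11.100.90/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
"""
REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sas(text):
    """Map (interface, remote ident) -> {'encaps': n, 'decaps': n}."""
    flows, iface, key = {}, None, None
    for line in text.splitlines():
        if line.startswith("interface:"):
            iface, key = line.split(":", 1)[1].strip(), None
        elif m := REMOTE.search(line):
            key = (iface, m.group(1))
            flows[key] = {"encaps": 0, "decaps": 0}
        elif key:
            flows[key].update((n, int(v)) for n, v in COUNT.findall(line))
    return flows

def growth(before, after):
    """Counter increase per flow; a flow absent from `before` starts at zero."""
    zero = {"encaps": 0, "decaps": 0}
    return {k: {n: v[n] - before.get(k, zero)[n] for n in v} for k, v in after.items()}

def direction(c):
    """Say which direction of the tunnel carried packets."""
    if c["encaps"] and c["decaps"]:
        return "both directions"
    if c["decaps"]:
        return "inbound only"  # client packets decrypted, nothing encrypted back
    return "outbound only" if c["encaps"] else "idle"

if __name__ == "__main__":
    for flow, c in growth(parse_sas(FIRST), parse_sas(SECOND)).items():
        print(flow, c, "->", direction(c))
```

An "inbound only" result for a client's /32 flow means the router decrypted that client's packets but encrypted no replies toward it during the interval.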
