Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
752
Views
0
Helpful
4
Replies

Cisco VPN on iPads

jsandau
Level 1
Level 1

‎09-15-2010 02:02 PM

I'm trying to get a VPN working on a cisco 1811. The VPN is basically used for the following senerio: A user will connect to the VPN and once inside they will connect to a computer using VNC. This set up works on computers, the problem is when they user tries from an iPad/iPhone. The user is able to connect to the VPN, but they can't ping anything except the router. A computer, however, can ping the router and any other computers on the network (even computers connecting through VPN) they can't ping Ipads connecting in through VPN however. I'm really not sure what the issue here is if it is a Cisco issueor an iPad issue. THnaks for any help.

Labels:
0 Helpful
4 Replies 4

praprama
Cisco Employee
Cisco Employee

‎09-15-2010 05:30 PM

Hey,

The VPN config should be alright given the fact that computers are able to ping anything on the LAN. When connected using an IPad and sending traffic, please paste the output of "show crypto ipsec sa".

Regards,

Prapanch

0 Helpful

jsandau
Level 1
Level 1
In response to praprama

‎09-17-2010 12:48 PM

Here is the output of show crypto ipsec sa: I ran it while the ipad was pinging the router (as that is all that the ipad can ping on the network.)

interface: FastEthernet0
    Crypto map tag: SDM_CMAP_3, local addr *External ip address*

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.11.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.11.101.0/255.255.255.0/0/0)
   current_peer *External ip address 2* port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 436, #pkts encrypt: 436, #pkts digest: 436
    #pkts decaps: 688, #pkts decrypt: 688, #pkts verify: 688
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: *External ip address*, remote crypto endpt.: *External ip address 2*
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access4
    Crypto map tag: Virtual-Access4-head-0, local addr *External ip address*

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.11.100.83/255.255.255.255/0/0)
   current_peer 142.179.171.145 port 63955
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: *External ip address*, remote crypto endpt.: 142.179.171.145
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x5CBDB39(97246009)

     inbound esp sas:
      spi: 0xCE7D94EA(3464336618)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 49, flow_id: Motorola SEC 2.0:49, crypto map: Virtual-Access4-h
ead-0
        sa timing: remaining key lifetime (k/sec): (4383705/3567)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x5CBDB39(97246009)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 50, flow_id: Motorola SEC 2.0:50, crypto map: Virtual-Access4-h
ead-0
        sa timing: remaining key lifetime (k/sec): (4383705/3567)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

0 Helpful

praprama
Cisco Employee
Cisco Employee
In response to jsandau

‎09-18-2010 08:10 AM

Hey,

can you post the same output when trying to ping some other host behind the router? Need to see how the encaps and decaps counter increase? Also, do you see any logs on the router when trying ping some host on the insde?

Regards,

Prapanch

0 Helpful

jsandau
Level 1
Level 1
In response to praprama

‎09-20-2010 10:25 AM

Here is the results of the iPhone trying to ping a computer on the network:

interface: FastEthernet0
    Crypto map tag: SDM_CMAP_3, local addr *external IP address*

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.11.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.11.101.0/255.255.255.0/0/0)
   current_peer *external IP address 2* port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3788, #pkts encrypt: 3788, #pkts digest: 3788
    #pkts decaps: 5625, #pkts decrypt: 5625, #pkts verify: 5625
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: *external IP address*, remote crypto endpt.: *external IP address 2*
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access5
    Crypto map tag: Virtual-Access5-head-0, local addr *external IP address*

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.11.100.90/255.255.255.255/0/0)
   current_peer 142.179.171.145 port 19060
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: *external IP address*, remote crypto endpt.: 142.179.171.145
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x4A3F6F0(77854448)

     inbound esp sas:
      spi: 0x36816BFC(914451452)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 59, flow_id: Motorola SEC 2.0:59, crypto map: Virtual-Access5-h
ead-0
        sa timing: remaining key lifetime (k/sec): (4553464/3555)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4A3F6F0(77854448)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 60, flow_id: Motorola SEC 2.0:60, crypto map: Virtual-Access5-h
ead-0
        sa timing: remaining key lifetime (k/sec): (4553465/3555)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents