
IPAD 3 cannot VPN Calling on the Experts again.

Unanswered Question
Aug 3rd, 2012

Cisco 851 router, Apple iPad 3 using IPSEC setup, get this message: The VPN server did not respond

I have tried Anyconnect; that gives me "Cannot verify server identity. Anyconnect can't verify the identity of ios-self-signed-certificate-1164042433. Would you like to continue anyway?" I hit continue and it just goes off.


I was asking if, if I get an ASA 5505 to replace my 851, it would work in my environment.


I have 15 computers accessing the web thru the 851

I host a web site on one of my servers.

I have a static ip address.

I also host exchange server and have remote web access to my exchange as well as remote outlook users.

I can VPN thru the 851 using the cisco client on Windows 7 and vista and even xp

Would like to use the native windows client and get my iphones and ipads working.


Can the ASA5505 support the above?


Was also looking at the cisco 1841 how about that one?


Thanks


Tom

DuncanM2008 Fri, 08/03/2012 - 16:27

Hi Tom,


The only thing useful I can add from experience is that Apple devices (iPAD & iPhone) + Cisco VPN client (native) forces the use of AES encryption (AES128 if I remember correctly).


So I would investigate the transform sets currently in use for dial-in clients.


Possibly post the transform set config currently in place?


HTH

Dunc.

Thomas Grassi Fri, 08/03/2012 - 16:36

Duncan


is this what you mean?


crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set ESP-3DES-SHA
 reverse-route
!


I can post my entire config also, let me know.


Thanks


Tom

branfarm1 Fri, 08/03/2012 - 17:41

If you do decide to go with the ASA, don't forget that you'll need an extra license to support Anyconnect on mobile devices. I believe it's L-ASA-M-5505

Thomas Grassi Fri, 08/03/2012 - 18:06

branfarm


Not sure what you mean. I did not need anything extra for my Cisco 851.


What is it exactly?

branfarm1 Fri, 08/03/2012 - 18:11

Sorry -- I'm not trying to cloud the issue here. I'm sure you'll be able to get this working on your existing setup. I just know from experience that if you do decide to go with the ASA, you'll need an additional license to allow mobile devices to connect using Anyconnect, on top of the Anyconnect count license.

Thomas Grassi Fri, 08/03/2012 - 18:03

Duncan


does this help


MyRouter#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 2
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
MyRouter#show crypto ipsec transform-set
Transform set ESP-3DES-SHA: { esp-3des esp-sha-hmac  }
   will negotiate = { Tunnel,  },
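
An added example, not from any poster in the thread: a short Python check that reads the two `show` outputs quoted above and reports whether AES is offered in phase 1 (IKE policy) and in phase 2 (transform set), taking the AES observation in DuncanM2008's reply as the assumption being tested. The sample text is constructed by trimming the quoted output, and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the command output quoted in the post above.
SAMPLE = """\
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
Protection suite of priority 2
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        Diffie-Hellman group:   #1 (768 bit)
Transform set ESP-3DES-SHA: { esp-3des esp-sha-hmac  }
"""

def classify(desc):  # map the IOS cipher description to a short name
    for prefix, name in (("AES", "aes"), ("Three key triple DES", "3des"), ("DES", "des")):
        if desc.startswith(prefix):
            return name
    return "unknown"

def parse_ike_suites(text):
    """Return one dict per suite found in 'show crypto isakmp policy' output."""
    suites = []
    for line in (raw.strip() for raw in text.splitlines()):
        if re.match(r"(Default p|P)rotection suite", line):
            suites.append({"name": line, "cipher": "unknown", "dh": None})
        elif suites and line.startswith("encryption algorithm:"):
            suites[-1]["cipher"] = classify(line.split(":", 1)[1].strip())
        elif suites and line.startswith("Diffie-Hellman group:"):
            suites[-1]["dh"] = int(re.search(r"#(\d+)", line).group(1))
    return suites

def parse_transform_sets(text):
    """Return {name: [transforms]} from 'show crypto ipsec transform-set' output."""
    return {m[1]: m[2].split() for m in re.finditer(r"Transform set (\S+): \{([^}]*)\}", text)}

def audit(text):
    """Report missing AES support per phase, then any DES or DH group 1 suite."""
    suites, sets, findings = parse_ike_suites(text), parse_transform_sets(text), []
    if not any(s["cipher"] == "aes" for s in suites):
        findings.append("phase1: no IKE policy offers AES")
    if not any("aes" in t for ts in sets.values() for t in ts):
        findings.append("phase2: no transform set offers AES")
    findings += [f"weak: {s['name']} uses {s['cipher']}, DH group {s['dh']}"
                 for s in suites if s["cipher"] == "des" or s["dh"] == 1]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the sample it reports that AES is available in the IKE policies but absent from the only transform set, and it flags the default suite for DES and DH group 1.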

DuncanM2008 Sat, 08/04/2012 - 02:07

Hi Tom,


Sorry for the delay, different time zone (UK GMT). Here's an example of the settings I have in use for a device that terminates iPAD & iPhone VPN clients (Cisco native):


crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

crypto ipsec transform-set ClientTransform esp-aes 256 esp-sha-hmac

crypto dynamic-map ClientDMAP 1
 set transform-set ClientTransform


Hopefully this might be of some use in assisting you on the way to a complete configuration, if there's anything else you want to know just holla.


HTH

Dunc.

Thomas Grassi Sat, 08/04/2012 - 18:59

Duncan


Should I just add the code you posted to my config?


Only question I have: crypto dynamic-map ClientDMAP 1, where do I point that to?


This is my other part. I think I need one more for the above:


crypto map dynmap client authentication list tgcsradius
crypto map dynmap isakmp authorization list tgcsvpn
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap



Tom
