Cisco Support Community
New Member

PAD, iPod and Mac with Cisco IPsec on Cisco C870 router

Hi,

I have an iPad, an iPod and a Mac computer that, when I try to connect to the Cisco IPsec VPN, show this error message:

[image: IMG-20130801-01138.jpg]

With an Android tablet, an Android phone, a Windows PC, etc., the IPsec connection works fine!

Any ideas?

Here is my router configuration:

!
version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname MY_ROUTER-1
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret 5 XXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauth local
aaa authentication login CONSOLE local
aaa authorization exec default local
aaa authorization network groupauth local
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EST recurring
!
crypto pki trustpoint TP-self-signed-1258137879
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1258137879
 revocation-check none
 rsakeypair TP-self-signed-1258137879
!
!
crypto pki certificate chain TP-self-signed-1258137879
 certificate self-signed 01
  30820254 308201BD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31323538 31333738 3739301E 170D3032 30333133 30343037
  33335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642QQW 65727469 66696361 74652D31 32353831
  33373837 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C394 05F6BF1E BB71C7F2 AF1FE0F0 73DABBE4 2B89F21E 88B0F443 0B9F9860
  67211B1C AB0F3F53 D531ED4B 64BE977D 277E9C26 36D7B460 B19AF608 BAEA69DF
  C0FD6E74 FBB91CAC 2AE4FF58 5EAB74A2 4FA847E8 1DE09573 B2A35B25 F2BC64AE
  7340F30B 1563083B 5C8FB608 548E938F 852C7B6F 27EBF34B D0C8083E 8CC09CD7
  B7C70203 010001A3 7C307A30 0F060355 1D130101 FF040530 030101FF 30270603
  551D1104 20301E82 1C676667 5F6D746C 5F727472 5F30312E 67666773 6D746C2E
  71632E63 61301F06 03551D23 04183016 8014C788 9EFA45C5 4BEE67B7 B344DB92
  A5C973FE DDA7301D 0603551D 0E041604 14C7889E FA45C54B EE67B7B3 44DB92A5
  C973FEDD A7300D06 092A8648 86F70D01 01040500 03818100 506DFEC5 14C02EF1
  A6AC5E23 2186277E 15EBD10D A7A1B510 80F39CD1 A00C6B0B 264A5D4D 8379E409
  C9F4554A 63982F36 44DCFD76 07749D16 13BD04B6 64F3A632 500E0CED 6F7602B4
  A20EDA46 C2759267 BD575A17 D6410426 F5ACAE8D B6D813AB B327E96C 9D97FE2D
  8B134003 8E220A95 6B6DC49C E3FB51AA 07AF5775 43F59C03
        quit
dot11 syslog
no ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.1.117
ip dhcp excluded-address 192.168.1.3
ip dhcp excluded-address 192.168.1.102
ip dhcp excluded-address 192.168.1.15
!
ip dhcp pool POOL_VLAN1
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   domain-name MIDOMAIN.local
   dns-server 192.168.1.3 142.169.XXXX.XXX
!
!
ip vrf principal
!
ip domain name MIDOMAIN.LOCAL
ip name-server 142.169.XXX.XXX
ip name-server 204.50.XXX.XXX
login block-for 180 attempts 5 within 30
login quiet-mode access-class 1
!
multilink bundle-name authenticated
!
!
file verify auto
username XXXXX privilege 2 password 7 0FFF73C245E4B0718111640585955
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr aes
 authentication pre-share
!
crypto isakmp policy 4
 hash md5
 authentication pre-share
crypto isakmp key SAMPLE123 address 1.2.3.4 no-xauth
crypto isakmp key WSXexinatest address 208.85.XXX.XXX no-xauth
!
crypto isakmp client configuration group VPNCLIENTGROUP
 key MY_KEY_XXXXXXXXXX
 dns 192.168.1.3
 wins 192.168.1.3
 domain MYDOMAIN.local
 pool POOL_VPN_CLIENT
 acl 121
 pfs
 max-logins 10
 netmask 255.255.255.0
crypto isakmp profile VPNCLIENT
   match identity group VPNCLIENTGROUP
   client authentication list userauth
   isakmp authorization list groupauth
   client configuration address respond
!
!
crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
!
crypto dynamic-map CLIENTMAP 1
 set security-association lifetime seconds 86400
 set transform-set 3DESMD5
 set isakmp-profile VPNCLIENT
 reverse-route
!
!
crypto map HQMAP 10 ipsec-isakmp
 set peer 208.85.113.218
 set transform-set 3DESMD5
 set pfs group2
 match address 112
crypto map HQMAP 65535 ipsec-isakmp dynamic CLIENTMAP
!
archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
!
!
ip ssh version 1
!
!
!
interface FastEthernet0
 duplex half
 speed 10
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 216.XXX.XXX.XXX 255.255.255.0
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map HQMAP
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat enable
!
ip local pool POOL_SVC_ADMIN 192.168.1.73 192.168.1.79
ip local pool POOL_VPN_CLIENT 192.168.1.65 192.168.1.70
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 216.218.0.1
!
!
no ip http server
no ip http secure-server
no ip nat service skinny tcp port 2000
ip nat source list 101 interface FastEthernet4 overload
ip nat source static tcp 192.168.1.220 2000 216.XXX.XXX.XXX 1900 extendable
ip nat source static udp 192.168.1.102 161 216.XXX.XXX.XXX 9161 extendable
ip nat inside source static tcp 192.168.1.3 80 216.XXX.XXX.XXX 80 extendable
!
!
access-list 1 permit 69.70.51.78
access-list 2 permit 69.70.51.78
access-list 101 remark *****NAT OVERLOAD*****
access-list 101 deny   ip 192.168.1.0 0.0.0.255 1.2.3.0 0.0.0.255
access-list 101 deny   tcp host 192.168.1.220 any eq 2000
access-list 101 deny   tcp host 192.168.1.220 eq 2000 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 112 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 121 remark *****SPLIT TUNNEL ENCRYPTED TRAFFIC*****
access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.1.64 0.0.0.7
snmp-server community xxxxxxxxx RO 2
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
 login authentication CONSOLE
 no modem enable
line aux 0
line vty 0 4
 access-class 1 in
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17174982
ntp server 216.xxx.xxx.xxx
ntp server 199.xxx.xxx.xxx
ntp server 72.xxx.xxx.xxx
ntp server 66.xxx.xxx.xxx
!
webvpn gateway gateway1
 ip address 216.XXX.XXX.XXX port 443
 ssl encryption 3des-sha1 aes-sha1
 ssl trustpoint TP-self-signed-1258137879
 inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context admin
 logo file flash:/webvpn/gfgs_logo.PNG
 secondary-color orange
 title-color #669999
 text-color black
 ssl authenticate verify all
!
!
 policy group default
   functions svc-enabled
   timeout idle 3600
   timeout session 1209600
   svc address-pool "POOL_SVC_ADMIN"
   svc default-domain "MYDOMAIN.lOCAL"
   svc keep-client-installed
   svc dns-server primary 192.168.1.3
 default-group-policy default
 gateway gateway1 domain admin
 inservice
!
!
webvpn context test
 ssl authenticate verify all
!
 no inservice
!
end

--------------------------

Thanks...

262 Views, 0 Helpful, 0 Replies
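When a VPN client's IKE proposals are not accepted, what matters is the set of policies the router actually offers, and in IOS that set includes defaults for every attribute a `crypto isakmp policy` omits (DES encryption, SHA hash, RSA-signature authentication, DH group 1, 86400 s lifetime). Policies 3 and 4 in the configuration above therefore end up with group 1, and policy 4 with DES, even though neither word appears in the text; the single transform set offers only 3DES with MD5. The script below is an added example, not part of the original post and not a Cisco tool: it parses the crypto and management sections of the posted configuration (reproduced inline as sample input), renders each ISAKMP policy with its effective values, and flags the settings that current guidance, and many current client implementations, reject, including SSH version 1 and Telnet on the VTY lines. All function and variable names are the example's own.

```python
"""Render effective IKEv1 (ISAKMP) policies and IPsec transform sets from an
IOS running-config excerpt and flag weak algorithms.  Added example, not code
from the original post; the names below are the example's own."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# IOS substitutes these values for any attribute an isakmp policy leaves out.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
# Values that current guidance (and most current clients) no longer accept.
WEAK_ISAKMP = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

# Crypto and management lines reproduced from the posted configuration.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr aes
 authentication pre-share
!
crypto isakmp policy 4
 hash md5
 authentication pre-share
crypto isakmp key SAMPLE123 address 1.2.3.4 no-xauth
!
crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
!
ip ssh version 1
!
line vty 0 4
 access-class 1 in
 transport input telnet ssh
"""


@dataclass
class IsakmpPolicy:
    priority: int
    attrs: Dict[str, str] = field(default_factory=dict)

    def effective(self) -> Dict[str, str]:
        """Configured attributes merged over the IOS defaults."""
        return {**ISAKMP_DEFAULTS, **self.attrs}

    def weak_attrs(self) -> List[str]:
        """Sorted 'attr=value' strings for every effective value that is weak."""
        eff = self.effective()
        return sorted(f"{k}={eff[k]}" for k, bad in WEAK_ISAKMP.items() if eff[k] in bad)


def parse_isakmp_policies(config: str) -> List[IsakmpPolicy]:
    """Collect each 'crypto isakmp policy N' block; any non-attribute line ends it."""
    policies: List[IsakmpPolicy] = []
    current: Optional[IsakmpPolicy] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = IsakmpPolicy(int(m.group(1)))
            policies.append(current)
            continue
        if current is None:
            continue
        words = line.split()
        key = "encr" if words[0] == "encryption" else words[0]
        if key in ISAKMP_DEFAULTS and len(words) >= 2:
            current.attrs[key] = "-".join(words[1:])   # "encr aes 256" -> "aes-256"
        else:
            current = None                              # "!" or another command
    return policies


def parse_transform_sets(config: str) -> Dict[str, List[str]]:
    """Map transform-set name -> list of ESP/AH transforms it offers."""
    sets: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = re.match(r"\s*crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            sets[m.group(1)] = m.group(2).split()
    return sets


def audit(config: str) -> List[str]:
    """One finding string per weak ISAKMP policy, transform set or management setting."""
    findings: List[str] = []
    for p in parse_isakmp_policies(config):
        if p.weak_attrs():
            findings.append(f"isakmp policy {p.priority}: " + ", ".join(p.weak_attrs()))
    for name, algs in parse_transform_sets(config).items():
        bad = [a for a in algs if a in WEAK_ESP]
        if bad:
            findings.append(f"transform-set {name}: " + ", ".join(bad))
    if re.search(r"^\s*ip ssh version 1\s*$", config, re.M):
        findings.append("management: ip ssh version 1 (SSHv1 is insecure)")
    if re.search(r"^\s*transport input .*\btelnet\b", config, re.M):
        findings.append("management: transport input telnet (cleartext logins)")
    return findings


if __name__ == "__main__":
    for p in parse_isakmp_policies(SAMPLE_CONFIG):
        print(f"policy {p.priority}: {p.effective()}")
    for f in audit(SAMPLE_CONFIG):
        print("FINDING", f)
```

Running the script shows policy 3 with `group 1` and policy 4 with `encr des` filled in, which is the kind of detail that a `show crypto isakmp policy` on the router would also reveal and that a bare reading of the configuration hides. Group 2 and 3DES are reported as weak because they are 1024-bit DH and a 64-bit block cipher respectively; a reviewer may well keep them for interoperability with old clients, but should do so knowingly.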