Hi,
I'm trying to VPN from an iPhone (running Apple iOS 9.2.1) to a Cisco 1811 Router. Here is information about the software/hardware of the router:
show ver - Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(6)T11, RELEASE SOFTWARE (fc2)
show inv - PID: CISCO1811/K9 , VID: V06
The problem is the negotiation fails when trying to connect. I have done a debug of the crypto ipsec/isakmp and it seems the SA is failing on phase 2 with the transport-set negotiation. Here is a snippet of that:
Mar 4 21:53:59.474: ISAKMP:(2389): processing HASH payload. message ID = -1306087172
Mar 4 21:53:59.474: ISAKMP:(2389): processing SA payload. message ID = -1306087172
Mar 4 21:53:59.474: ISAKMP:(2389):Checking IPSec proposal 1
Mar 4 21:53:59.474: ISAKMP: transform 1, ESP_AES
Mar 4 21:53:59.474: ISAKMP: attributes in transform:
Mar 4 21:53:59.474: ISAKMP: SA life type in seconds
Mar 4 21:53:59.474: ISAKMP: SA life duration (basic) of 3600
Mar 4 21:53:59.474: ISAKMP: encaps is 3 (Tunnel-UDP)
Mar 4 21:53:59.474: ISAKMP: key length is 256
Mar 4 21:53:59.474: ISAKMP: authenticator is HMAC-SHA
Mar 4 21:53:59.474: ISAKMP:(2389):atts are acceptable.
Mar 4 21:53:59.474: IPSEC(validate_proposal_request): proposal part #1
Mar 4 21:53:59.474: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= x.x.x.x, remote= x.x.x.x,
local_proxy= x.x.x.x/255.255.255.0/0/0 (type=4),
remote_proxy= x.x.x.x/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Mar 4 21:53:59.474: IPSEC(crypto_ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac }
Mar 4 21:53:59.474: ISAKMP:(2389): IPSec policy invalidated proposal with error 256
Mar 4 21:53:59.474: ISAKMP:(2389): phase 2 SA policy not acceptable! (local xremote x)
Mar 4 21:53:59.474: ISAKMP: set new node 2128819092 to QM_IDLE
Mar 4 21:53:59.474: ISAKMP:(2389):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2212704784, message ID = 2128819092
Mar 4 21:53:59.474: ISAKMP:(2389): sending packet to xmy_port 4500 peer_port 4500 (R) QM_IDLE
Mar 4 21:53:59.474: ISAKMP:(2389):purging node 2128819092
Mar 4 21:53:59.474: ISAKMP:(2389):deleting node -1306087172 error TRUE reason "QM rejected"
Mar 4 21:53:59.474: ISAKMP:(2389):Node -1306087172, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Here are my transform-sets and crypto maps/policies:
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto ipsec transform-set default-transform esp-aes esp-md5-hmac
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10
set security-association lifetime seconds 86400
set transform-set default-transform
crypto dynamic-map default-dynamicmap 20
set transform-set TS
crypto map default-cryptomap client authentication list userauthentication
crypto map default-cryptomap isakmp authorization list groupauthorization
crypto map default-cryptomap client configuration address respond
crypto map default-cryptomap 20 ipsec-isakmp dynamic default-dynamicmap
The default-cryptomap is bound to my outside interface.
The remote access VPN works with the Cisco VPN client but for some reason the router does not accept more than one transport proposal from the iPhone. Either way I would think the proposals I configured should match what the iPhone is requesting.
On a side note, I have another site with a Cisco 2821 router with the exact same transform sets and it works fine. When I run a debug on that router the router seems to be accepting many more proposals rather than just quitting after the first proposal fails. Here is a snippet of that debug (you will see many more transport proposals being looked at by the router):
*Mar 5 00:14:58.698: ISAKMP:(1016):Checking IPSec proposal 1
*Mar 5 00:14:58.698: ISAKMP: transform 1, ESP_AES
*Mar 5 00:14:58.698: ISAKMP: attributes in transform:
*Mar 5 00:14:58.698: ISAKMP: SA life type in seconds
*Mar 5 00:14:58.698: ISAKMP: SA life duration (basic) of 3600
*Mar 5 00:14:58.698: ISAKMP: encaps is 3 (Tunnel-UDP)
*Mar 5 00:14:58.698: ISAKMP: key length is 256
*Mar 5 00:14:58.698: ISAKMP: authenticator is HMAC-SHA
*Mar 5 00:14:58.698: ISAKMP:(1016):atts are acceptable.
*Mar 5 00:14:58.698: ISAKMP:(1016):Checking IPSec proposal 1
*Mar 5 00:14:58.698: ISAKMP: transform 2, ESP_AES
*Mar 5 00:14:58.698: ISAKMP: attributes in transform:
*Mar 5 00:14:58.698: ISAKMP: SA life type in seconds
*Mar 5 00:14:58.698: ISAKMP: SA life duration (basic) of 3600
*Mar 5 00:14:58.698: ISAKMP: encaps is 3 (Tunnel-UDP)
*Mar 5 00:14:58.698: ISAKMP: key length is 256
*Mar 5 00:14:58.698: ISAKMP: authenticator is HMAC-MD5
*Mar 5 00:14:58.698: ISAKMP:(1016):atts are acceptable.
*Mar 5 00:14:58.698: ISAKMP:(1016):Checking IPSec proposal 1
*Mar 5 00:14:58.698: ISAKMP: transform 3, ESP_AES
*Mar 5 00:14:58.698: ISAKMP: attributes in transform:
*Mar 5 00:14:58.698: ISAKMP: SA life type in seconds
*Mar 5 00:14:58.698: ISAKMP: SA life duration (basic) of 3600
*Mar 5 00:14:58.698: ISAKMP: encaps is 3 (Tunnel-UDP)
*Mar 5 00:14:58.698: ISAKMP: key length is 128
*Mar 5 00:14:58.698: ISAKMP: authenticator is HMAC-SHA
*Mar 5 00:14:58.698: ISAKMP:(1016):atts are acceptable.
*Mar 5 00:14:58.698: ISAKMP:(1016):Checking IPSec proposal 1
*Mar 5 00:14:58.698: ISAKMP: transform 4, ESP_AES
*Mar 5 00:14:58.698: ISAKMP: attributes in transform:
*Mar 5 00:14:58.698: ISAKMP: SA life type in seconds
*Mar 5 00:14:58.698: ISAKMP: SA life duration (basic) of 3600
*Mar 5 00:14:58.698: ISAKMP: encaps is 3 (Tunnel-UDP)
*Mar 5 00:14:58.698: ISAKMP: key length is 128
*Mar 5 00:14:58.698: ISAKMP: authenticator is HMAC-MD5
*Mar 5 00:14:58.698: ISAKMP:(1016):atts are acceptable.
*Mar 5 00:14:58.698: ISAKMP:(1016):Checking IPSec proposal 1
*Mar 5 00:14:58.698: ISAKMP: transform 5, ESP_3DES
*Mar 5 00:14:58.698: ISAKMP: attributes in transform:
*Mar 5 00:14:58.698: ISAKMP: SA life type in seconds
*Mar 5 00:14:58.698: ISAKMP: SA life duration (basic) of 3600
*Mar 5 00:14:58.698: ISAKMP: encaps is 3 (Tunnel-UDP)
*Mar 5 00:14:58.698: ISAKMP: authenticator is HMAC-SHA
*Mar 5 00:14:58.698: ISAKMP:(1016):atts are acceptable.
*Mar 5 00:14:58.698: ISAKMP:(1016):Checking IPSec proposal 1
*Mar 5 00:14:58.698: ISAKMP: transform 6, ESP_3DES
*Mar 5 00:14:58.698: ISAKMP: attributes in transform:
*Mar 5 00:14:58.698: ISAKMP: SA life type in seconds
*Mar 5 00:14:58.698: ISAKMP: SA life duration (basic) of 3600
*Mar 5 00:14:58.698: ISAKMP: encaps is 3 (Tunnel-UDP)
*Mar 5 00:14:58.698: ISAKMP: authenticator is HMAC-MD5
*Mar 5 00:14:58.698: ISAKMP:(1016):atts are acceptable.
*Mar 5 00:14:58.698: IPSEC(validate_proposal_request): proposal part #1
It then goes on and tries to match all the transport proposals that were offered until it finds a match (which it finally does on the newer router).
Is this a limitation of the older router's OS that it won't accept more than one proposal from the iPhone? Upgrading the IOS is not something that will be easy so hopefully there is a workaround.
Thanks.
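To see which of the transforms the iPhone offers the configured transform-sets could accept, here is a small Python cross-check (added here as an example, not from the post or from Cisco) that parses the "transform N, ESP_…", "key length" and "authenticator" lines of a debug crypto isakmp excerpt together with the "crypto ipsec transform-set" lines of the config. The sample lines are constructed from the excerpts above; the mapping of debug names to transform-set keywords and the 128-bit meaning of a bare esp-aes are assumptions about IOS naming.

```python
import re

# Constructed sample lines, shortened from the debug output and transform-set config quoted in the post.
DEBUG = """\
Mar 4 21:53:59.474: ISAKMP:(2389):Checking IPSec proposal 1
Mar 4 21:53:59.474: ISAKMP: transform 1, ESP_AES
Mar 4 21:53:59.474: ISAKMP: key length is 256
Mar 4 21:53:59.474: ISAKMP: authenticator is HMAC-SHA
Mar 4 21:53:59.474: ISAKMP:(2389):atts are acceptable.
Mar 4 21:53:59.474: ISAKMP: transform 2, ESP_AES
Mar 4 21:53:59.474: ISAKMP: key length is 128
Mar 4 21:53:59.474: ISAKMP: authenticator is HMAC-MD5
Mar 4 21:53:59.474: ISAKMP: transform 5, ESP_3DES
Mar 4 21:53:59.474: ISAKMP: authenticator is HMAC-MD5
"""
CONFIG = """\
crypto ipsec transform-set default-transform esp-aes esp-md5-hmac
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
"""
# Debug-output names -> the keywords used on the transform-set line (assumed IOS naming).
ENC = {"ESP_AES": "esp-aes", "ESP_3DES": "esp-3des"}
AUTH = {"HMAC-SHA": "esp-sha-hmac", "HMAC-MD5": "esp-md5-hmac"}

def parse_debug(text):
    """Collect each offered ESP transform as {num, enc, keylen, auth}, in the order offered."""
    offers, cur = [], None
    for line in text.splitlines():
        if m := re.search(r"transform (\d+), (\S+)", line):
            cur = {"num": int(m.group(1)), "enc": ENC.get(m.group(2), m.group(2).lower()),
                   "keylen": None, "auth": None}
            offers.append(cur)
        elif cur and (m := re.search(r"key length is (\d+)", line)):
            cur["keylen"] = int(m.group(1))
        elif cur and (m := re.search(r"authenticator is (\S+)", line)):
            cur["auth"] = AUTH.get(m.group(1), m.group(1))
    return offers

def parse_transform_sets(text):
    """Map transform-set name -> (enc, keylen, auth); a bare esp-aes is taken as 128-bit, 3DES has no length."""
    sets = {}
    for line in text.splitlines():
        if m := re.match(r"crypto ipsec transform-set (\S+) (esp-\S+)(?: (\d+))? (esp-\S+-hmac)", line):
            name, enc, keylen, auth = m.groups()
            sets[name] = (enc, int(keylen) if keylen else (128 if enc == "esp-aes" else None), auth)
    return sets

def match_offers(offers, sets):
    """For each offered transform, name the first transform-set that accepts it (None if no set does)."""
    return {o["num"]: next((n for n, t in sets.items() if t == (o["enc"], o["keylen"], o["auth"])), None)
            for o in offers}
```

A transform that matches here but is still rejected by the IPSEC layer, as with the "not supported for identity" message in the 1811 debug, points at something other than the transform-set contents, such as the identity check that message names.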