iPhone IPSEC VPN to Cisco 1811 Router (2024)

Hi,

I'm trying to VPN from an iPhone (running Apple IOS 9.2.1) to a Cisco 1811 Router. Here is information about the software/hardware of the router:

show ver - Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(6)T11, RELEASE SOFTWARE (fc2)

show inv - PID: CISCO1811/K9 , VID: V06

The problem is the negotiation fails when trying to connect. I have done a debug of the crypto ipsec/isakmp and it seems the SA is failing on phase 2 with the transport-set negotiation. Here is a snippet of that:

Mar 4 21:53:59.474: ISAKMP:(2389): processing HASH payload. message ID = -1306087172
Mar 4 21:53:59.474: ISAKMP:(2389): processing SA payload. message ID = -1306087172
Mar 4 21:53:59.474: ISAKMP:(2389):Checking IPSec proposal 1
Mar 4 21:53:59.474: ISAKMP: transform 1, ESP_AES
Mar 4 21:53:59.474: ISAKMP: attributes in transform:
Mar 4 21:53:59.474: ISAKMP: SA life type in seconds
Mar 4 21:53:59.474: ISAKMP: SA life duration (basic) of 3600
Mar 4 21:53:59.474: ISAKMP: encaps is 3 (Tunnel-UDP)
Mar 4 21:53:59.474: ISAKMP: key length is 256
Mar 4 21:53:59.474: ISAKMP: authenticator is HMAC-SHA
Mar 4 21:53:59.474: ISAKMP:(2389):atts are acceptable.
Mar 4 21:53:59.474: IPSEC(validate_proposal_request): proposal part #1
Mar 4 21:53:59.474: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= x.x.x.x, remote= x.x.x.x,
local_proxy= x.x.x.x/255.255.255.0/0/0 (type=4),
remote_proxy= x.x.x.x/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Mar 4 21:53:59.474: IPSEC(crypto_ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac }
Mar 4 21:53:59.474: ISAKMP:(2389): IPSec policy invalidated proposal with error 256
Mar 4 21:53:59.474: ISAKMP:(2389): phase 2 SA policy not acceptable! (local xremote x)
Mar 4 21:53:59.474: ISAKMP: set new node 2128819092 to QM_IDLE
Mar 4 21:53:59.474: ISAKMP:(2389):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2212704784, message ID = 2128819092
Mar 4 21:53:59.474: ISAKMP:(2389): sending packet to xmy_port 4500 peer_port 4500 (R) QM_IDLE
Mar 4 21:53:59.474: ISAKMP:(2389):purging node 2128819092
Mar 4 21:53:59.474: ISAKMP:(2389):deleting node -1306087172 error TRUE reason "QM rejected"
Mar 4 21:53:59.474: ISAKMP:(2389):Node -1306087172, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

Here are my transform-sets and crypto maps/policies:

crypto isakmp policy 1
encr aes
authentication pre-share
group 2

crypto ipsec transform-set default-transform esp-aes esp-md5-hmac

crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10
set security-association lifetime seconds 86400
set transform-set default-transform
crypto dynamic-map default-dynamicmap 20
set transform-set TS
crypto map default-cryptomap client authentication list userauthentication
crypto map default-cryptomap isakmp authorization list groupauthorization
crypto map default-cryptomap client configuration address respond
crypto map default-cryptomap 20 ipsec-isakmp dynamic default-dynamicmap

The default-cryptomap is bound to my outside interface.

The remote access VPN works with the Cisco VPN client but for some reason the router does not accept more than one transport proposal from the iPhone. Either way I would think the proposals I configured should match what the iPhone is requesting.

On a side note, I have another site with a Cisco 2821 router with the exact same transform sets and it works fine. When I run a debug on that router the router seems to be accepting many more proposals rather than just quitting after the first proposal fails. Here is a snippet of that debug (you will see many more transport proposals being looked at by the router):

*Mar 5 00:14:58.698: ISAKMP:(1016):Checking IPSec proposal 1
*Mar 5 00:14:58.698: ISAKMP: transform 1, ESP_AES
*Mar 5 00:14:58.698: ISAKMP: attributes in transform:
*Mar 5 00:14:58.698: ISAKMP: SA life type in seconds
*Mar 5 00:14:58.698: ISAKMP: SA life duration (basic) of 3600
*Mar 5 00:14:58.698: ISAKMP: encaps is 3 (Tunnel-UDP)
*Mar 5 00:14:58.698: ISAKMP: key length is 256
*Mar 5 00:14:58.698: ISAKMP: authenticator is HMAC-SHA
*Mar 5 00:14:58.698: ISAKMP:(1016):atts are acceptable.
*Mar 5 00:14:58.698: ISAKMP:(1016):Checking IPSec proposal 1
*Mar 5 00:14:58.698: ISAKMP: transform 2, ESP_AES
*Mar 5 00:14:58.698: ISAKMP: attributes in transform:
*Mar 5 00:14:58.698: ISAKMP: SA life type in seconds
*Mar 5 00:14:58.698: ISAKMP: SA life duration (basic) of 3600
*Mar 5 00:14:58.698: ISAKMP: encaps is 3 (Tunnel-UDP)
*Mar 5 00:14:58.698: ISAKMP: key length is 256
*Mar 5 00:14:58.698: ISAKMP: authenticator is HMAC-MD5
*Mar 5 00:14:58.698: ISAKMP:(1016):atts are acceptable.
*Mar 5 00:14:58.698: ISAKMP:(1016):Checking IPSec proposal 1
*Mar 5 00:14:58.698: ISAKMP: transform 3, ESP_AES
*Mar 5 00:14:58.698: ISAKMP: attributes in transform:
*Mar 5 00:14:58.698: ISAKMP: SA life type in seconds
*Mar 5 00:14:58.698: ISAKMP: SA life duration (basic) of 3600
*Mar 5 00:14:58.698: ISAKMP: encaps is 3 (Tunnel-UDP)
*Mar 5 00:14:58.698: ISAKMP: key length is 128
*Mar 5 00:14:58.698: ISAKMP: authenticator is HMAC-SHA
*Mar 5 00:14:58.698: ISAKMP:(1016):atts are acceptable.
*Mar 5 00:14:58.698: ISAKMP:(1016):Checking IPSec proposal 1
*Mar 5 00:14:58.698: ISAKMP: transform 4, ESP_AES
*Mar 5 00:14:58.698: ISAKMP: attributes in transform:
*Mar 5 00:14:58.698: ISAKMP: SA life type in seconds
*Mar 5 00:14:58.698: ISAKMP: SA life duration (basic) of 3600
*Mar 5 00:14:58.698: ISAKMP: encaps is 3 (Tunnel-UDP)
*Mar 5 00:14:58.698: ISAKMP: key length is 128
*Mar 5 00:14:58.698: ISAKMP: authenticator is HMAC-MD5
*Mar 5 00:14:58.698: ISAKMP:(1016):atts are acceptable.
*Mar 5 00:14:58.698: ISAKMP:(1016):Checking IPSec proposal 1
*Mar 5 00:14:58.698: ISAKMP: transform 5, ESP_3DES
*Mar 5 00:14:58.698: ISAKMP: attributes in transform:
*Mar 5 00:14:58.698: ISAKMP: SA life type in seconds
*Mar 5 00:14:58.698: ISAKMP: SA life duration (basic) of 3600
*Mar 5 00:14:58.698: ISAKMP: encaps is 3 (Tunnel-UDP)
*Mar 5 00:14:58.698: ISAKMP: authenticator is HMAC-SHA
*Mar 5 00:14:58.698: ISAKMP:(1016):atts are acceptable.
*Mar 5 00:14:58.698: ISAKMP:(1016):Checking IPSec proposal 1
*Mar 5 00:14:58.698: ISAKMP: transform 6, ESP_3DES
*Mar 5 00:14:58.698: ISAKMP: attributes in transform:
*Mar 5 00:14:58.698: ISAKMP: SA life type in seconds
*Mar 5 00:14:58.698: ISAKMP: SA life duration (basic) of 3600
*Mar 5 00:14:58.698: ISAKMP: encaps is 3 (Tunnel-UDP)
*Mar 5 00:14:58.698: ISAKMP: authenticator is HMAC-MD5
*Mar 5 00:14:58.698: ISAKMP:(1016):atts are acceptable.
*Mar 5 00:14:58.698: IPSEC(validate_proposal_request): proposal part #1

It then goes on and tries to match all the transport proposals that were offered until it finds a match (which it finally does on the newer router).

Is this a limitation of the older router's OS that it won't accept more than one proposal from the iPhone? Upgrading the IOS is not something that will be easy so hopefully there is a workaround.

Thanks.
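As an added example (not part of the original post or of Cisco IOS), a small Python helper that parses the transform lines from `debug crypto isakmp` output and checks each phase 2 transform the peer offers against the `crypto ipsec transform-set` lines in the router config, which is exactly the comparison the 1811 is making when it prints "transform proposal not supported". The debug lines and the two transform-sets below are constructed from the post's own excerpts; the helper also flags the MD5 and 3DES transforms, which a responder should keep refusing even where a set would match.

```python
import re
# Constructed "debug crypto isakmp" excerpt, modelled on the six phase 2
# transforms the iPhone offers in the post (timestamps stripped).
DEBUG = """\
ISAKMP: transform 1, ESP_AES
ISAKMP: key length is 256
ISAKMP: authenticator is HMAC-SHA
ISAKMP: transform 2, ESP_AES
ISAKMP: key length is 256
ISAKMP: authenticator is HMAC-MD5
ISAKMP: transform 3, ESP_AES
ISAKMP: key length is 128
ISAKMP: authenticator is HMAC-SHA
ISAKMP: transform 4, ESP_AES
ISAKMP: key length is 128
ISAKMP: authenticator is HMAC-MD5
ISAKMP: transform 5, ESP_3DES
ISAKMP: authenticator is HMAC-SHA
ISAKMP: transform 6, ESP_3DES
ISAKMP: authenticator is HMAC-MD5"""
# The two transform-sets from the poster's running configuration.
CONFIG = """\
crypto ipsec transform-set default-transform esp-aes esp-md5-hmac
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac"""
AUTH = {"HMAC-SHA": "esp-sha-hmac", "HMAC-MD5": "esp-md5-hmac"}

def offered_transforms(debug):
    """Rewrite each offered transform in IOS transform-set syntax, keyed by number."""
    out, n = {}, None
    for line in debug.splitlines():
        if m := re.search(r"transform (\d+), ESP_(\w+)", line):
            n = int(m.group(1))
            out[n] = "esp-" + m.group(2).lower()
        elif m := re.search(r"key length is (\d+)", line):
            if m.group(1) != "128":          # bare "esp-aes" already means 128-bit
                out[n] += " " + m.group(1)
        elif m := re.search(r"authenticator is (HMAC-\w+)", line):
            out[n] += " " + AUTH[m.group(1)]
    return out

def match_proposals(debug, config):
    """Map each offered transform to the configured set that accepts it, or None."""
    sets = dict(re.findall(r"crypto ipsec transform-set (\S+) (.+)", config))
    return {n: next((name for name, s in sets.items() if s == spec), None)
            for n, spec in offered_transforms(debug).items()}

def weak_transforms(debug):
    """Offered transforms using MD5 or 3DES: reject these even where a set matches."""
    return sorted(n for n, s in offered_transforms(debug).items()
                  if "md5" in s or "3des" in s)
```

Run against a full debug capture from the 1811, the output shows that transform 1 is the only offer matching `TS` and transform 4 the only one matching `default-transform`, so a responder that stops after the first mismatch has nothing left to agree on unless the first offer happens to be the one it accepts.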

Author: Jamar Nader