
iPhone and IOS Routers

March 8th, 2009 Posted in IT

I recently decided to tackle setting up my Cisco 2600 router to accept connections from the Cisco VPN client, mainly because I wanted to accomplish two things:

a) Connect back to my home network without the hassle of NAT. PPTP just didn't cut it.

b) Use my SIP phone anywhere, including the SIP client on my iPhone 3G.

So, because the only IPsec VPN client on the iPhone is the Cisco one, I decided to work out this setup.

So to start off I started reading this:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml

This page explained how to keep my router talking to my friend's site-to-site VPN peer while also accepting the Cisco VPN client. After adapting it to my existing config I got it working. I tested the Cisco VPN client on my Mac and it worked like a charm.

So I should just be able to copy the settings from my Mac to my iPhone and everything should go well, right? Nope.

When I started a connection from the iPhone, all I could get out of it was a "Starting…" prompt and nothing more. So I googled it to find out why this was happening.

I found that plenty of people had the same frustrations getting this to work, and I came across this page:

http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/iPhone/2.0/connectivity/guide/iphone.html

It states that:

“Which Cisco platforms work with the Cisco VPN Client on the iPhone?

Cisco ASA 5500 Security Appliances and PIX Firewalls. We highly recommend the latest 8.0.x software release (or greater), but you can also use 7.2.x software.

Neither Cisco IOS VPN routers nor the VPN 3000 Series Concentrators support the iPhone VPN capabilities.”

Miffed by that comment, I ignored it and kept googling for a solution even though Cisco said it wouldn't work. Most people pointed out that the document was written for iPhone firmware 2.0 and not 2.1 and later, which is where compatibility with Cisco IOS was enabled.

I finally came across this page, which was getting positive results, though it was still pretty vague on what to do:

http://6200networks.com/2008/08/05/iphone-to-isr/

I tried his config settings and was getting close: Phase 1 was now authenticating, but Phase 2 was not. A comment from Scott said to set the transform-set to AES and that would fix it, but that still didn't give me enough detail. So I turned on debugging on the router.

Sifting through the debug output (debug crypto isakmp together with debug crypto ipsec), I finally found what was wrong:

—-

003566: *Feb 28 20:41:08.563 MST: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
003567: *Feb 28 20:41:08.567 MST: ISAKMP (0:2): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*** So it says here Phase 1 completed fine. Cool, that's what I wanted to see.

003568: *Feb 28 20:41:08.659 MST: ISAKMP (0:2): received packet from 1.2.3.4 dport 4500 sport 13972 Global (R) QM_IDLE
003569: *Feb 28 20:41:08.659 MST: ISAKMP: set new node -278205403 to QM_IDLE
003570: *Feb 28 20:41:08.663 MST: ISAKMP (0:2): processing HASH payload. message ID = -278205403
003571: *Feb 28 20:41:08.663 MST: ISAKMP (0:2): processing SA payload. message ID = -278205403
003572: *Feb 28 20:41:08.663 MST: ISAKMP (0:2): Checking IPSec proposal 1
003573: *Feb 28 20:41:08.663 MST: ISAKMP: transform 1, ESP_AES
003574: *Feb 28 20:41:08.663 MST: ISAKMP:   attributes in transform:
003575: *Feb 28 20:41:08.663 MST: ISAKMP:      SA life type in seconds
003576: *Feb 28 20:41:08.663 MST: ISAKMP:      SA life duration (basic) of 3600
003577: *Feb 28 20:41:08.663 MST: ISAKMP:      encaps is 3 (Tunnel-UDP)
003578: *Feb 28 20:41:08.663 MST: ISAKMP:      key length is 256
003579: *Feb 28 20:41:08.663 MST: ISAKMP:      authenticator is HMAC-SHA
003580: *Feb 28 20:41:08.663 MST: ISAKMP (0:2): atts are acceptable.
003581: *Feb 28 20:41:08.667 MST: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 1.2.3.4, remote= 5.6.7.8,
local_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.0.0.19/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x400
003582: *Feb 28 20:41:08.667 MST: IPSEC(kei_proxy): head = vpn, map->ivrf = , kei->ivrf =
003583: *Feb 28 20:41:08.667 MST: IPSEC(kei_proxy): head = vpn, map->ivrf = , kei->ivrf =
003584: *Feb 28 20:41:08.667 MST: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac }
003585: *Feb 28 20:41:08.667 MST: ISAKMP (0:2): IPSec policy invalidated proposal
003586: *Feb 28 20:41:08.667 MST: ISAKMP (0:2): phase 2 SA policy not acceptable! (local 1.2.3.4 remote 5.6.7.8)

*** Phase 2 fails! But a few lines higher it already shows exactly what the iPhone client proposed:

003573: *Feb 28 20:41:08.663 MST: ISAKMP: transform 1, ESP_AES
003574: *Feb 28 20:41:08.663 MST: ISAKMP:   attributes in transform:
003575: *Feb 28 20:41:08.663 MST: ISAKMP:      SA life type in seconds
003576: *Feb 28 20:41:08.663 MST: ISAKMP:      SA life duration (basic) of 3600
003577: *Feb 28 20:41:08.663 MST: ISAKMP:      encaps is 3 (Tunnel-UDP)
003578: *Feb 28 20:41:08.663 MST: ISAKMP:      key length is 256
003579: *Feb 28 20:41:08.663 MST: ISAKMP:      authenticator is HMAC-SHA

So according to this, the iPhone wants in phase 2:

esp-aes 256-bit
hmac-sha
tunnel mode (with UDP encapsulation, i.e. NAT-T on port 4500, which is why the packet arrived on dport 4500)
lifetime 3600 seconds

With this new information I changed my transform-set and behold, a connected iPhone!
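The following script is added here as an example and is not part of the original post or Cisco's tooling. It automates what the debugging above did by hand: it pulls the transform attributes the peer proposed out of the ISAKMP debug lines, compares them with the crypto ipsec transform-set entries in a router config, and emits the transform-set line that would match. The debug lines are the ones quoted above; the "before" transform-set (a 3DES-only set named esp-3des-sha) is an assumption, since the post does not show the transform-set that was failing.

```python
import re

# Constructed sample: an excerpt of "debug crypto isakmp" / "debug crypto ipsec" output,
# copied from the lines quoted in the post (1.2.3.4 is the post's placeholder address).
DEBUG_LOG = """\
003568: *Feb 28 20:41:08.659 MST: ISAKMP (0:2): received packet from 1.2.3.4 dport 4500 sport 13972 Global (R) QM_IDLE
003573: *Feb 28 20:41:08.663 MST: ISAKMP: transform 1, ESP_AES
003575: *Feb 28 20:41:08.663 MST: ISAKMP:      SA life type in seconds
003576: *Feb 28 20:41:08.663 MST: ISAKMP:      SA life duration (basic) of 3600
003577: *Feb 28 20:41:08.663 MST: ISAKMP:      encaps is 3 (Tunnel-UDP)
003578: *Feb 28 20:41:08.663 MST: ISAKMP:      key length is 256
003579: *Feb 28 20:41:08.663 MST: ISAKMP:      authenticator is HMAC-SHA
003584: *Feb 28 20:41:08.667 MST: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac }
003585: *Feb 28 20:41:08.667 MST: ISAKMP (0:2): IPSec policy invalidated proposal
"""

# Constructed configs. The post does not show the transform-set that failed; a 3DES-only
# set is assumed here as the "before" state. The "after" line is the one from the post.
CONFIG_BEFORE = "crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac\n"
CONFIG_AFTER = "crypto ipsec transform-set esp-aes-sha esp-aes 256 esp-sha-hmac\n"

# Names the ISAKMP debug prints, mapped onto the keywords IOS uses in a transform-set.
ENCRYPTION = {"ESP_AES": "esp-aes", "ESP_3DES": "esp-3des", "ESP_DES": "esp-des"}
AUTHENTICATOR = {"HMAC-SHA": "esp-sha-hmac", "HMAC-MD5": "esp-md5-hmac"}


def canonical(words):
    """Normalise transform-set keywords so that 'esp-aes' (IOS default: 128-bit) and
    'esp-aes 128' compare equal and keyword order is irrelevant."""
    out, i = [], 0
    while i < len(words):
        if words[i] == "esp-aes":
            if i + 1 < len(words) and words[i + 1].isdigit():
                out.append(f"esp-aes {words[i + 1]}")
                i += 2
            else:
                out.append("esp-aes 128")
                i += 1
        else:
            out.append(words[i])
            i += 1
    return tuple(sorted(out))


def parse_proposals(log):
    """Extract each phase-2 transform the peer proposed as IOS transform-set keywords,
    plus the SA lifetime and encapsulation mode that must also be acceptable."""
    proposals, cur = [], None
    for line in log.splitlines():
        if m := re.search(r"ISAKMP: transform (\d+), (\S+)", line):
            cur = {"transform": int(m.group(1)), "keysize": None, "lifetime": None,
                   "encaps": None, "words": [ENCRYPTION.get(m.group(2), m.group(2).lower())]}
            proposals.append(cur)
        elif cur is None:
            continue
        elif m := re.search(r"key length is (\d+)", line):
            cur["keysize"] = int(m.group(1))
        elif m := re.search(r"authenticator is (\S+)", line):
            cur["words"].append(AUTHENTICATOR.get(m.group(1), m.group(1).lower()))
        elif m := re.search(r"SA life duration \(basic\) of (\d+)", line):
            cur["lifetime"] = int(m.group(1))
        elif m := re.search(r"encaps is \d+ \((.+?)\)", line):
            cur["encaps"] = m.group(1)
    for p in proposals:
        # The AES key length arrives as a separate attribute; IOS writes it after 'esp-aes'.
        if p["words"][0] == "esp-aes" and p["keysize"]:
            p["words"].insert(1, str(p["keysize"]))
    return proposals


def diagnose(log, config, new_set_name="esp-aes-sha"):
    """Report whether phase 2 was rejected, whether NAT-T is in use (UDP 4500), which
    configured transform-sets match the peer's proposals, and a line that would match."""
    proposals = parse_proposals(log)
    sets = {name: kw.split() for name, kw in
            re.findall(r"crypto ipsec transform-set (\S+) (.+)", config)}
    matching = sorted(name for name, kw in sets.items()
                      if any(canonical(kw) == canonical(p["words"]) for p in proposals))
    suggested = [] if matching else [
        f"crypto ipsec transform-set {new_set_name} {' '.join(p['words'])}" for p in proposals]
    return {"phase2_rejected": "transform proposal not supported" in log,
            "nat_t": " dport 4500 " in log, "proposals": proposals,
            "matching_sets": matching, "suggested": suggested}


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        result = diagnose(DEBUG_LOG, cfg)
        print(label, "matching:", result["matching_sets"] or "none", result["suggested"])
```

Run against the "before" config it reports no matching transform-set and suggests the esp-aes 256 esp-sha-hmac line; against the "after" config it reports esp-aes-sha as the match. The lifetime and encapsulation are returned alongside so you can also check them against set security-association lifetime and NAT-T on the router.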

Below is my config for connecting the iPhone to an IOS router (a 2651). I use AAA for authentication:

—–

version 12.3
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no service dhcp
!
hostname C2651
!
! *** Set up AAA (local user database)
aaa new-model
aaa authentication login local_auth local
aaa session-id common
!
!
clock timezone MST -7
clock summer-time MDT recurring
ip cef
!
! *** Enter a username and password here
! *** (a "password 7" string is reversibly encoded; "username vpnuser secret ..." stores a hash instead)
username vpnuser password 7 ********************
!
!
! *** This policy is for phase 1 for the vpn client
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
!
! *** This part sets up the group password (Group Name: VPNCLIENT/Secret: secretkey)
! *** make sure you enter your dns/wins/domain name also

crypto isakmp client configuration group VPNCLIENT
key secretkey
dns 10.2.2.5
wins 10.2.2.5
domain domain.local
pool VPNCLIENT_ADDRESSES
acl 101
! *** acl 101 is the split-tunnel list: only traffic to the networks it permits is sent through the tunnel
!
! *** We setup a isakmp (phase 1) profile for the vpnclient
! *** Tell it to use local_auth aaa to get the username/password

crypto isakmp profile vpn-isakmp-profile
match identity group VPNCLIENT
client authentication list local_auth
isakmp authorization list local_auth
client configuration address initiate
client configuration address respond
!
! *** THIS is the part where we specify PHASE 2.
! *** We set the transform to esp-aes 256bit with sha-hmac

crypto ipsec transform-set esp-aes-sha esp-aes 256 esp-sha-hmac
!
! *** We then build a dynamic map that uses that transform-set and the isakmp profile
crypto dynamic-map VPNCLIENT_MAP 1
set transform-set esp-aes-sha
set security-association lifetime seconds 3600
set isakmp-profile vpn-isakmp-profile
reverse-route
! *** the lifetime line may not show up in the running config, because 3600 seconds is already the default
!
! *** We then associate it to the vpn map.

crypto map vpn 4 ipsec-isakmp dynamic VPNCLIENT_MAP
!
! *** Internal NIC
interface FastEthernet0/0
ip address 10.2.2.1 255.255.255.0
no ip proxy-arp
ip nat inside
duplex auto
speed auto
!
! *** External NIC
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
crypto map vpn
! *** We connect the vpn map to the external NIC
!
! *** We define the address pool handed out to VPN clients

ip local pool VPNCLIENT_ADDRESSES 10.0.0.1 10.0.0.254
!
! *** acl 101 defines the protected network: traffic between the internal 10.2.2.0/24 and the client pool 10.0.0.0/24 goes through the tunnel
access-list 101 remark CVPN ACL
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.0.0.0 0.0.0.255

—–

On the iPhone side:
Description: <your choosing>
Server: IP or hostname of the router
Account: vpnuser
Password: password
Use Certificate: off
Group Name: VPNCLIENT
Secret: secretkey

I hope this makes sense. To recap:

This config sets up:

Cisco VPN Client with AAA authentication.
Tested with CVPN Mac OS X v4.9.01 (0100)  and iPhone v2.2

Phase 1: 3DES/SHA Group 2 Lifetime 3600 Seconds
Phase 2: AES256/SHA Lifetime 3600 Seconds Tunnel Mode

Internal: 10.2.2.0/24      VPN IPs: 10.0.0.0/24   WAN: DHCP

One caveat: the Cisco VPN client's group authentication is IKE aggressive mode with a pre-shared group key, so pick a long group secret and treat the per-user AAA password as the real protection for the account.

So I hope this post helps anyone trying to get their IOS router working with the iPhone.

If you are still having problems or have any comments, please don’t hesitate to comment.

Thanks go to Aaron, Scott and 6200networks for their research on this setup.

Mike

3 Responses to “iPhone and IOS Routers”

By Raphaël on Sep 15, 2009

Thank you for this very detailed setup and troubleshooting guide… it was well worth the reading.

R.

By Bill Taney on May 4, 2010

I am trying your very detailed and excellent instructions on a Cisco router running 12.4(25c) Advanced IP Services and an iPad and I believe I have gone line by line but keep getting this error message:

May 4 16:23:40.382 CST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 166.137.143.134

Any suggestions would be hugely appreciated.
Thanks
Bill

By mike on May 11, 2010

I haven’t tried this setup with the new iPad. I will try it with mine when I have some time. Um.. The iPad is not behind any routers that might not support IPsec VPNs?

Mike
