Apple iPhone + Cisco PIX

Discussion in 'Cisco' started by amattina@layer8group.com, Jan 15, 2008.

  1. Guest

    After much searching and testing and debugging, I'm asking IF the
    iPhone can do an L2TP tunnel to a Cisco PIX. I can get IKE done but
    then the PIX decides it wants to do IPSEC for the rest. The phone
    doesn't seem to support IPSEC. I found this out after going through
    the PIX wizard to see if I missed anything obvious. The wizard states
    that "The PIX does not support native L2TP itself. It has to be used
    with IPSec." My debug is below...thoughts would be appreciated! I
    know this works with ASAs and 3000 VPN concentrators as there are
    descriptions of the phone working with those. Thanks!

    ----
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: life type in seconds
    ISAKMP: life duration (basic) of 3600
    ISAKMP: encryption 3DES-CBC
    ISAKMP: auth pre-share
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0:0): vendor ID is NAT-T
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0:0): vendor ID is NAT-T
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): remote peer supports dead peer detection

    ISAKMP (0): SA is doing pre-shared key authentication using id type
    ID_IPV4_ADDR
    ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
    ISAKMP (0:0): Detected port floating
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT match MINE hash
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT does not match HIS hash
    hash received: 59 f7 2b ee da 61 d5 67 5a ef cf ba 0 b5 cf 98 10 93 7e
    99
    his nat hash : 8e 89 75 24 4e 80 32 62 cc 1d fb 6 71 b8 fc f5 e7 31 2c
    46
    ISAKMP (0:0): constructed HIS NAT-D
    ISAKMP (0:0): constructed MINE NAT-D
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    4500 dpt:4500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): SA has been authenticated

    ISAKMP (0): ID payload
    next-payload : 8
    type : 1
    protocol : 17
    port : 0
    length : 8
    ISAKMP (0): Total payload length: 12
    return status is IKMP_NO_ERROR
    VPN Peer: ISAKMP: Peer ip:32.142.139.86/4500 Ref cnt incremented to:2
    Total VPN Peers:2
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    4500 dpt:4500
    ISAKMP (0): processing NOTIFY payload 24578 protocol 1
    spi 0, message ID = 3825114823
    ISAKMP (0): processing notify INITIAL_CONTACT
    ISAKMP (0): deleting SA: src 32.142.139.86, dst 74.41.88.210
    ISADB: reaper checking SA 0xb7d064, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:32.142.139.86/4500 Ref cnt decremented to:1
    Total VPN Peers:2
    ISADB: reaper checking SA 0xad9e04, conn_id = 0
    ISADB: reaper checking SA 0xb7db04, conn_id = 0
    return status is IKMP_NO_ERR_NO_TRANS
    ISADB: reaper checking SA 0xad9e04, conn_id = 0
    ISADB: reaper checking SA 0xb7db04, conn_id = 0
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    4500 dpt:4500
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 3185697016

    ISAKMP : Checking IPSec proposal 1

    ISAKMP: transform 1, ESP_AES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 3600
    ISAKMP: encaps is 61444
    ISAKMP: key length is 128
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 2, ESP_AES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 3600
    ISAKMP: encaps is 61444
    ISAKMP: key length is 128
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 3, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 3600
    ISAKMP: encaps is 61444
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 4, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 3600
    ISAKMP: encaps is 61444
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): SA not acceptable!
    ISAKMP (0): sending NOTIFY message 14 protocol 0
    return status is IKMP_ERR_NO_RETRANS
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    4500 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    4500 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    4500 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    4500 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    4500 dpt:4500
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 2638162007

    ISAKMP : Checking IPSec proposal 1

    ISAKMP: transform 1, ESP_AES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 3600
    ISAKMP: encaps is 61444
    ISAKMP: key length is 128
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 2, ESP_AES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 3600
    ISAKMP: encaps is 61444
    ISAKMP: key length is 128
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 3, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 3600
    ISAKMP: encaps is 61444
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 4, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 3600
    ISAKMP: encaps is 61444
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): SA not acceptable!
    ISAKMP (0): sending NOTIFY message 14 protocol 0
    return status is IKMP_ERR_NO_RETRANS

    ---
     
    , Jan 15, 2008
    #1
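
For reading the Phase 2 part of a debug like the one in the post, an added example (not part of the original post and not Cisco code): a small Python parser that lists each offered ESP transform, decodes its encapsulation-mode attribute, and names the NOTIFY type sent back. The function name, value tables and sample text are this example's own; 61443/61444 are the encapsulation-mode numbers used by the pre-RFC NAT-T drafts, and 14 is NO-PROPOSAL-CHOSEN in RFC 2408.

```python
import re

# Encapsulation-mode attribute values: 1/2 from RFC 2407, 3/4 from RFC 3947,
# 61443/61444 are the private-use numbers of the pre-RFC NAT-T drafts.
ENCAPS = {1: "tunnel", 2: "transport", 3: "UDP tunnel", 4: "UDP transport",
          61443: "UDP tunnel (draft NAT-T)", 61444: "UDP transport (draft NAT-T)"}
NOTIFY = {14: "NO-PROPOSAL-CHOSEN"}  # RFC 2408 notify message type

# Constructed sample in the shape of the Quick Mode lines in the post.
SAMPLE = """\
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: encaps is 61444
ISAKMP: key length is 128
ISAKMP: authenticator is HMAC-SHA
ISAKMP (0): atts not acceptable. Next payload is 3
ISAKMP: transform 4, ESP_3DES
ISAKMP: encaps is 61444
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
"""

ATTR = re.compile(r"ISAKMP: (encaps|key length|authenticator) is (\S+)")

def summarize_quick_mode(log):
    """Return (transforms, notifies) parsed from PIX ISAKMP debug text."""
    transforms, notifies, cur = [], [], None
    for raw in log.splitlines():
        line = raw.strip()
        if m := re.match(r"ISAKMP: transform (\d+), (\S+)", line):
            cur = {"id": int(m[1]), "cipher": m[2], "accepted": None}
            transforms.append(cur)
        elif (m := ATTR.match(line)) and cur is not None:
            key, val = m[1], m[2]
            if key == "encaps":
                cur["encaps"] = ENCAPS.get(int(val), "unknown " + val)
            elif key == "key length":
                cur["key_length"] = int(val)
            else:
                cur["auth"] = val
        elif (m := re.match(r"ISAKMP \(\d+\): atts (are|not) acceptable", line)) and cur:
            cur["accepted"] = m[1] == "are"  # verdict closes the current transform
            cur = None
        elif m := re.match(r"ISAKMP \(\d+\): sending NOTIFY message (\d+)", line):
            notifies.append(NOTIFY.get(int(m[1]), m[1]))
    return transforms, notifies
```

Run over the full debug in the post, it returns the same four transforms for each of the two Quick Mode attempts, every one rejected.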