Apple iPhone + Cisco PIX

Discussion in 'Cisco' started by amattina, Jan 15, 2008.

  1. amattina

    amattina Guest

    After much searching and testing and debugging, I'm asking IF the
    iPhone can do an L2TP tunnel to a Cisco PIX. I can get IKE done but
    then the PIX decides it wants to do IPSEC for the rest. The phone
    doesn't seem to support IPSEC. I found this out after going through
    the PIX wizard to see if I missed anything obvious. The wizard states
    that "The PIX does not support native L2TP itself. It has to be used
    with IPSec." My debug is below...thoughts would be appreciated! I
    know this works with ASAs and 3000 VPN concentrators as there are
    descriptions of the phone working with those. Thanks!

    ----
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: life type in seconds
    ISAKMP: life duration (basic) of 3600
    ISAKMP: encryption 3DES-CBC
    ISAKMP: auth pre-share
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0:0): vendor ID is NAT-T
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0:0): vendor ID is NAT-T
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): remote peer supports dead peer detection

    ISAKMP (0): SA is doing pre-shared key authentication using id type
    ID_IPV4_ADDR
    ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
    ISAKMP (0:0): Detected port floating
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT match MINE hash
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT does not match HIS hash
    hash received: 59 f7 2b ee da 61 d5 67 5a ef cf ba 0 b5 cf 98 10 93 7e
    99
    his nat hash : 8e 89 75 24 4e 80 32 62 cc 1d fb 6 71 b8 fc f5 e7 31 2c
    46
    ISAKMP (0:0): constructed HIS NAT-D
    ISAKMP (0:0): constructed MINE NAT-D
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    4500 dpt:4500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): SA has been authenticated

    ISAKMP (0): ID payload
    next-payload : 8
    type : 1
    protocol : 17
    port : 0
    length : 8
    ISAKMP (0): Total payload length: 12
    return status is IKMP_NO_ERROR
    VPN Peer: ISAKMP: Peer ip:32.142.139.86/4500 Ref cnt incremented to:2
    Total VPN Peers:2
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    4500 dpt:4500
    ISAKMP (0): processing NOTIFY payload 24578 protocol 1
    spi 0, message ID = 3825114823
    ISAKMP (0): processing notify INITIAL_CONTACT
    ISAKMP (0): deleting SA: src 32.142.139.86, dst 74.41.88.210
    ISADB: reaper checking SA 0xb7d064, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:32.142.139.86/4500 Ref cnt decremented to:1
    Total VPN Peers:2
    ISADB: reaper checking SA 0xad9e04, conn_id = 0
    ISADB: reaper checking SA 0xb7db04, conn_id = 0
    return status is IKMP_NO_ERR_NO_TRANS
    ISADB: reaper checking SA 0xad9e04, conn_id = 0
    ISADB: reaper checking SA 0xb7db04, conn_id = 0
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    4500 dpt:4500
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 3185697016

    ISAKMP : Checking IPSec proposal 1

    ISAKMP: transform 1, ESP_AES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 3600
    ISAKMP: encaps is 61444
    ISAKMP: key length is 128
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 2, ESP_AES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 3600
    ISAKMP: encaps is 61444
    ISAKMP: key length is 128
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 3, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 3600
    ISAKMP: encaps is 61444
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 4, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 3600
    ISAKMP: encaps is 61444
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): SA not acceptable!
    ISAKMP (0): sending NOTIFY message 14 protocol 0
    return status is IKMP_ERR_NO_RETRANS
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    4500 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    4500 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    4500 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    4500 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    crypto_isakmp_process_block:src:32.142.139.86, dest:74.41.88.210 spt:
    4500 dpt:4500
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 2638162007

    ISAKMP : Checking IPSec proposal 1

    ISAKMP: transform 1, ESP_AES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 3600
    ISAKMP: encaps is 61444
    ISAKMP: key length is 128
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 2, ESP_AES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 3600
    ISAKMP: encaps is 61444
    ISAKMP: key length is 128
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 3, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 3600
    ISAKMP: encaps is 61444
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 4, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 3600
    ISAKMP: encaps is 61444
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): SA not acceptable!
    ISAKMP (0): sending NOTIFY message 14 protocol 0
    return status is IKMP_ERR_NO_RETRANS

    ---
     
    amattina, Jan 15, 2008
    #1
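
As an added example (not part of the original post): a small Python parser that tabulates the quick-mode transforms offered in PIX ISAKMP debug output like the above and decodes the numeric encapsulation and notify codes. The function name and the abridged sample are this example's own; the code tables come from RFC 2407, RFC 2408, RFC 3947 and the pre-RFC NAT-T drafts.

```python
import re

# Encapsulation-mode values: RFC 2407 (1, 2), RFC 3947 (3, 4), and the
# private-use numbers used by the pre-RFC NAT-T drafts (61443, 61444).
ENCAPS = {1: "tunnel", 2: "transport", 3: "udp-tunnel", 4: "udp-transport",
          61443: "udp-tunnel (draft)", 61444: "udp-transport (draft)"}
# Notify message types: 14 from RFC 2408, 24578 from RFC 2407.
NOTIFY = {14: "NO-PROPOSAL-CHOSEN", 24578: "INITIAL-CONTACT"}

# Abridged excerpt of the quick-mode section of the debug output posted above.
SAMPLE = """\
ISAKMP: transform 1, ESP_AES
ISAKMP: encaps is 61444
ISAKMP: key length is 128
ISAKMP: authenticator is HMAC-SHA
ISAKMP (0): atts not acceptable. Next payload is 3
ISAKMP: transform 3, ESP_3DES
ISAKMP: encaps is 61444
ISAKMP: authenticator is HMAC-SHA
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
"""

def parse_quick_mode(log):
    """Return (offers, notifies) decoded from PIX ISAKMP debug text."""
    offers, notifies, cur = [], [], None
    for line in log.splitlines():
        line = line.strip()  # forum copies of the log are indented
        if m := re.match(r"ISAKMP: transform (\d+), (\S+)", line):
            cur = {"n": int(m[1]), "cipher": m[2], "keylen": None,
                   "auth": None, "encaps": None, "accepted": None}
            offers.append(cur)
        elif cur and (m := re.match(r"ISAKMP: encaps is (\d+)", line)):
            cur["encaps"] = ENCAPS.get(int(m[1]), "unknown(%s)" % m[1])
        elif cur and (m := re.match(r"ISAKMP: key length is (\d+)", line)):
            cur["keylen"] = int(m[1])
        elif cur and (m := re.match(r"ISAKMP: authenticator is (\S+)", line)):
            cur["auth"] = m[1]
        elif cur and (m := re.match(r"ISAKMP \(\d+\): atts (are|not) acceptable", line)):
            cur["accepted"] = m[1] == "are"  # the responder's verdict on this transform
            cur = None
        elif m := re.search(r"sending NOTIFY message (\d+)", line):
            notifies.append(NOTIFY.get(int(m[1]), m[1]))
    return offers, notifies

if __name__ == "__main__":
    print(parse_quick_mode(SAMPLE))
```
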