iPhone 3GS VPN (in)compatibility with Cisco ASA 550x

forrie
I've searched through the archives here and didn't quite see this addressed.

Several of us here at work have Macs, including iPhones. I've been tasked with attempting to get our iPhone 3GSs working with VPN to our Cisco ASA 5540, ASA version 8.0(4).

It continues to tell me my secret/password is incorrect. As I look through the config on the iPhone, there are very few parameters to tune. My first suspicion was that the IKE proposals weren't compatible. For example, we don't have 3des/md5, but we do have 3des/sha.

I began logging in tonight while watching the syslog via ASDM. The only logs I see say:

Denied ICMP type=3 from xx.xx.xx.xx on interface Outside
Group = Our_Group, IP = xx.xx.xx.xx, Error: Unable to remove PeerTblEntry
Group = Our_Group, IP = xx.xx.xx.xx, Removing peer from peer table failed, no match!

I Googled around, but still can't make much sense of this.  I also noted there is an extensive babble of this issue on discussions.apple.com - many different viewpoints and experiences.

Does anyone here know how to get this working correctly, or what the problems are?

Thanks.

Commented:
Forrie,

You say you have had a look on the net could you confirm that these did not work for you either?

http://www.networkworld.com/community/node/30484

http://www.macosxhints.com/article.php?story=20070827135109248

Cyclops3590, Sr Software Engineer

Commented:
Do you have nat-traversal configured on the ASA: 'isakmp nat-traversal 20'?

As of OS version 3.0 (iPod or iPhone), NAT-T has been required to get IPSec VPN working

Author

Commented:
To the first comment, alas no I did not scour the entire Internet, though I did my best (I'm new to Macs, so don't always know "where" to look), but thank you for the links - I am going to give this a try.

Second comment: I checked our config and we have "crypto isakmp nat-traversal 10".

Thanks.

Author

Commented:
For the networkworld link, it asks to implement:

crypto ipsec transform-set VPNTRANS mode transport

We already have several other transform-set's defined:

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

I may try to do all of this on my spare ASA 5505 once I set it up at home for SOHO use, to ensure none of this will interfere with our production fw.

crypto isakmp nat-traversal 10 is what we have configured and iPhones work fine.

Just allow every type of transform set to begin with.

Author

Commented:
We already have:

crypto isakmp nat-traversal 10

in our configuration.

Author

Commented:
In the above URLs posted earlier, I've set up a test account for my iPhone on the ASA 5540. I selected mschap as the authentication means, but the configuration says:

username iphone password [omitted] nt-encrypted privilege 0
username iphone attributes
   vpn-group-policy Our_Group_Name
   service-type remote-access

We do not have a transform set in our configuration.  I'm concerned what the following (again from the above URL) may do to our configuration:

crypto ipsec transform-set VPNTRANS mode transport

Thus far, I continue to get the error from the iPhone that says (for the VPN) that the shared secret is wrong.  I'm pretty sure it's correct, having entered it 3 times and carefully.

Thanks.

Author

Commented:
The logs on the ASA are showing this error now when the iPhone attempts to start the VPN:

313001 xx.xx.xx.xx  Denied ICMP type=3, code=3 from xx.xx.xx.xx on interface Outside

It's almost as if the connection is failing based on this alone, I don't see other log entries during the live syslog view on the ASA.
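The two kinds of log line quoted in this thread (the denied ICMP type 3 / code 3 and the "Unable to remove PeerTblEntry" / "peer table" errors) are easy to pull out of a live syslog feed and group by peer. The following is an added example, not code from the original thread or from Cisco: it parses lines in the format the poster pasted from ASDM, groups them by the client IP, and attaches the troubleshooting hints that came up in this discussion (type 3 / code 3 is port unreachable; ISAKMP must be enabled on the interface; NAT-T must be configured; the pre-shared key and phase 1 proposal must match). The sample lines are constructed in the thread's format with documentation-range addresses, and the "Built inbound ICMP connection" line is the poster's description rendered as a constructed line.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format the thread quotes from the ASA syslog
# view; 192.0.2.10 / 203.0.113.5 are placeholder addresses.
SAMPLE_LINES = [
    "Built inbound ICMP connection for faddr 192.0.2.10/0 gaddr 203.0.113.5/0 laddr 203.0.113.5/0",
    "313001 192.0.2.10  Denied ICMP type=3, code=3 from 192.0.2.10 on interface Outside",
    "Denied ICMP type=3 from 192.0.2.10 on interface Outside",
    "Group = Our_Group, IP = 192.0.2.10, Error: Unable to remove PeerTblEntry",
    "Group = Our_Group, IP = 192.0.2.10, Removing peer from peer table failed, no match!",
]

# ICMP type 3 is "destination unreachable"; these are its common codes (RFC 792).
ICMP_UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable"}

# "code=" is optional because the first post quotes the line without it.
ICMP_DENY_RE = re.compile(
    r"Denied ICMP type=(?P<type>\d+)(?:, code=(?P<code>\d+))?"
    r" from (?P<src>\S+) on interface (?P<iface>\S+)"
)
IKE_PEER_RE = re.compile(r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), (?P<msg>.+)$")


def describe_icmp(typ, code):
    """Human-readable name for an ICMP type/code pair (only type 3 is detailed)."""
    if typ == 3:
        name = "destination unreachable"
        if code in ICMP_UNREACH_CODES:
            name += " / " + ICMP_UNREACH_CODES[code]
        return name
    return f"type {typ}"


def parse_line(line):
    """Return a dict describing a tracked event, or None for any other line."""
    m = ICMP_DENY_RE.search(line)
    if m:
        typ = int(m.group("type"))
        code = int(m.group("code")) if m.group("code") is not None else None
        return {"kind": "icmp_denied", "peer": m.group("src"), "iface": m.group("iface"),
                "type": typ, "code": code, "desc": describe_icmp(typ, code)}
    m = IKE_PEER_RE.search(line)
    if m:
        return {"kind": "ike_peer_error", "peer": m.group("ip").strip(),
                "group": m.group("group").strip(), "desc": m.group("msg").strip()}
    return None


def hints_for(info):
    """Troubleshooting hints drawn from the points raised in this thread."""
    hints = []
    if any(e["type"] == 3 and e["code"] == 3 for e in info["icmp_denied"]):
        hints.append("peer sent ICMP port unreachable: confirm ISAKMP is enabled on the "
                     "interface and that UDP/500 and UDP/4500 (NAT-T) reach the ASA")
    if any("PeerTblEntry" in d or "peer table" in d for d in info["ike_peer_errors"]):
        hints.append("IKE peer-table errors during teardown: phase 1 did not complete; "
                     "check the pre-shared key and that a phase 1 proposal matches")
    return hints


def summarize(lines):
    """Group tracked events by peer IP and attach hints for each peer."""
    per_peer = defaultdict(lambda: {"icmp_denied": [], "ike_peer_errors": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # e.g. the "Built inbound ICMP connection" line
        if ev["kind"] == "icmp_denied":
            per_peer[ev["peer"]]["icmp_denied"].append(ev)
        else:
            per_peer[ev["peer"]]["ike_peer_errors"].append(ev["desc"])
    for info in per_peer.values():
        info["hints"] = hints_for(info)
    return dict(per_peer)


if __name__ == "__main__":
    for peer, info in summarize(SAMPLE_LINES).items():
        print(peer, len(info["icmp_denied"]), "ICMP denials,",
              len(info["ike_peer_errors"]), "IKE peer errors")
        for h in info["hints"]:
            print("  -", h)
```

Feed it the lines from a live syslog view (or a saved log) and it reports, per client address, how many ICMP denials and IKE peer-table errors were seen and which of the thread's checks apply.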
Cyclops3590, Sr Software Engineer

Commented:
type 3, code 3 is port unreachable.  did you enable isakmp on the outside interface?

Author

Commented:
All our users connect via VPN on the Outside interface.   There are no problems, I can connect just fine from home.

But yes, we have this enabled:

crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto isakmp enable Outside
crypto isakmp enable management
crypto isakmp policy 60
crypto isakmp policy 80
crypto isakmp policy 100
crypto isakmp policy 120
crypto isakmp nat-traversal 10
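The crypto lines posted in this thread are enough to run the checks the experts asked about by hand: is ISAKMP enabled on the outside interface, is NAT traversal configured, is at least one ISAKMP policy defined, and does a transform set exist for the cipher/hash pair the client is expected to propose (the poster's 3des/sha concern). This is an added example, not the poster's or Cisco's code; the config text below is constructed from the transform-set and isakmp lines quoted in this thread and is not a complete ASA configuration, and the set of checks is an assumption about what a remote-access client needs, taken from the questions raised here.

```python
import re

TRANSFORM_RE = re.compile(
    r"^crypto ipsec transform-set (?P<name>\S+) (?P<cipher>esp-\S+) (?P<hash>esp-\S+-hmac)$"
)
TRANSPORT_RE = re.compile(r"^crypto ipsec transform-set (?P<name>\S+) mode transport$")
ISAKMP_ENABLE_RE = re.compile(r"^crypto isakmp enable (?P<iface>\S+)$")
NAT_T_RE = re.compile(r"^crypto isakmp nat-traversal(?:\s+(?P<keepalive>\d+))?$")
POLICY_RE = re.compile(r"^crypto isakmp policy (?P<prio>\d+)$")

# Constructed from the lines quoted in this thread (not a full ASA config).
THREAD_CONFIG = """\
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto isakmp enable Outside
crypto isakmp enable management
crypto isakmp policy 60
crypto isakmp policy 80
crypto isakmp policy 100
crypto isakmp policy 120
crypto isakmp nat-traversal 10
"""


def parse_crypto(config_text):
    """Collect the crypto/isakmp facts this check needs from ASA config text."""
    state = {"transform_sets": {}, "transport_mode": set(), "isakmp_interfaces": set(),
             "isakmp_policies": [], "nat_t": False, "nat_t_keepalive": None}
    for raw in config_text.splitlines():
        line = raw.strip()
        if (m := TRANSFORM_RE.match(line)):
            state["transform_sets"][m["name"]] = (m["cipher"], m["hash"])
        elif (m := TRANSPORT_RE.match(line)):
            state["transport_mode"].add(m["name"])
        elif (m := ISAKMP_ENABLE_RE.match(line)):
            state["isakmp_interfaces"].add(m["iface"])
        elif (m := POLICY_RE.match(line)):
            state["isakmp_policies"].append(int(m["prio"]))
        elif (m := NAT_T_RE.match(line)):
            state["nat_t"] = True
            # keepalive interval is optional on the command line
            state["nat_t_keepalive"] = int(m["keepalive"]) if m["keepalive"] else None
    return state


def check_remote_access(config_text, outside_iface="Outside",
                        required_pair=("esp-3des", "esp-sha-hmac")):
    """Return the findings a remote-access IPsec client would trip over."""
    state = parse_crypto(config_text)
    findings = []
    if outside_iface not in state["isakmp_interfaces"]:
        findings.append(f"crypto isakmp enable {outside_iface} is missing")
    if not state["nat_t"]:
        findings.append("crypto isakmp nat-traversal is missing (clients behind NAT need NAT-T)")
    if not state["isakmp_policies"]:
        findings.append("no crypto isakmp policy defined")
    pairs = set(state["transform_sets"].values())
    if required_pair not in pairs:
        findings.append(f"no transform set offers {required_pair[0]}/{required_pair[1]}")
    return {"findings": findings, "state": state, "pairs": sorted(pairs)}


if __name__ == "__main__":
    result = check_remote_access(THREAD_CONFIG)
    print("transform pairs:", result["pairs"])
    print("findings:", result["findings"] or "none")
```

Run against the thread's own lines it reports no findings, which matches the poster's eventual conclusion that nothing in the ASA config needed to change; run against a config with the nat-traversal line removed, or with a different outside interface name, it names the missing piece.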

Cyclops3590, Sr Software Engineer

Commented:
do you use the same credentials on the iphone that you do at home?

Author

Commented:
Yes, I do. I've tested both my personal account and a "test" account I set up today.

Cyclops3590, Sr Software Engineer

Commented:
and the client on your home desktop is configured to use nat as well right?  also, is the iphone connecting from wireless or cell network?

Author

Commented:
I use NAT here at home, yes. I've tried connecting over both cell and wireless.

Cyclops3590, Sr Software Engineer

Commented:
Well, I'm running out of ideas... have you tried blowing away the VPN profile on the iPhone and re-adding it back in?

This may sound silly, but are you selecting IPsec in the iPhone when configuring VPN settings? I can't see how this isn't working, as it literally works out of the box normally. If you can remote access using a laptop then you can with an iPhone etc.

Author

Commented:
I've already deleted and re-established the VPN profile.

Yes, I'm using IPSEC from the iPhone, and I would agree it should "just work" -- my initial suspicion was that the IKE proposals, which I cannot optionally tune on the iPhone that I know of, were not correct.

The error I keep getting from the iPhone 3GS is that the shared secret is incorrect -- so this suggests a hash issue.   I've configured a profile with "mschap" which shows up as nt-encrypted in the config, and I'm still getting the same error.

Author

Commented:
There was an active thread on discussions.apple.com about this.  However, if you post anything critical of Apple in *any* way, they "moderate" your post.  That includes being critical of options or even suggesting that the configuration is less than optimal.

Author

Commented:
Despite many attempts, I have not been able to get this working.

I've also tried to use the iPhone Configuration Utility, provided by Apple.  No luck.

The common error I'm seeing on the ASA is essentially a "built inbound ICMP connection" for the IP the phone has, then a "Denied icmp type=3, code=3".

This makes no sense to me, since I'm able to use a VPN IPSec client on a PC or a Mac.

I have not implemented:

crypto ipsec transform-set VPNTRANS mode transport

Simply because I am concerned this will affect other operational connections (which is a problem).

So, failing any further suggestions, I will close this question out.

Cyclops3590, Sr Software Engineer

Commented:
Can you post the relevant crypto/isakmp/etc. commands? I've been trying to help on another question involving the same type of issue and just realized you never posted your config here. The only reason I ask is that I'm curious what phase 1/2 transforms you are using. Also, has this ever worked?

Author

Commented:
I can post the config if you tell me which portion you need.   It's never worked for us...

As I stated in my last question, someone said that we need VPNTRANS support enabled -- it's not clear to me what this is, or how it will affect established VPN user connections -- I can't risk taking them off the air.

Thanks.

Commented:
Forrie,

Just following up where are you with this?

Author

Commented:
I got the iPhone VPN working yesterday -- before I asked this question, Snow Leopard wasn't really in full swing.

I found that one of the problems I had was the decoder I used for our encrypted password was older - it was providing an incorrect string.   Once I solved that, the VPN was working -- so it's really difficult to determine where the problems were prior to some of the OS updates.

In any case, I am now able to use VPN on the iPhone and with the native IPSec client that is available in Snow Leopard.

I must also note that I did not need to add anything to the Cisco ASA config, ultimately.

So, who gets fair credit here for answers... I want to be sure.


Thanks.

Commented:
Hi Forrie,

Thanks for getting back. No one should get any points, as none of our recommended solutions worked for you, so I would accept your own answer, i.e. the post directly above this.

Commented:
As a side note, the reason why I had to use the decoder to decode our encrypted password is that the consultant we used apparently didn't give it to us, or gave the incorrect one from another configuration that was being tested.   Ironic, but true.
