Cisco IPSec and XAuthPassword profile key

I am creating a config profile for iPhone. While using iPhone Configuration Utility, I cannot enter a password for the IPSec VPN, as the application does not have UI for that.
I have found, though, that manually writing the "XAuthPassword" key into the config profile does the trick: the iPhone does recognize that entry and sets the password automatically when the profile is applied.
So, the questions are:
1) Is this config key officially supported on iOS for IPSec VPN? If yes, then starting with which version?
2) Because iPhone Configuration Utility does not allow me to create signed profiles containing the XAuthPassword key, can I manually sign the configuration profile I have edited?
Thank you in advance

Hi,
in « iOS Configuration Profile Reference »:
IPSec Dictionary Keys
XAuthEnable – Integer:1 if XAUTH is ON, 0 if it is OFF. Used for Cisco IPSec.
It turns off XAuth and does not ask for User/Password.
You can try this option by editing configuration profile like this:
<key>XAuthEnabled</key>
<integer>0</integer>
<key>AuthenticationMethod</key>
<string>Certificate</string>
but I can't resolve the problem. It seems it is an iOS (4.3.1) bug, because my VPN server works fine with other VPN clients, like Cisco VPN Client, with certificate authentication and without XAuth.
Best regards!
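
One way to check what a hand-edited profile carries before it is signed or distributed, as an added example that is not from the original posts: it parses a .mobileconfig with Python's plistlib and reports, for each Cisco IPSec payload, the AuthenticationMethod, the XAuthEnabled value and any credential keys stored in readable form. The payload layout (PayloadContent, com.apple.vpn.managed, VPNType, IPSec, SharedSecret) is taken from Apple's Configuration Profile Reference rather than from this thread; the host name, user name and secrets are constructed sample values, and the signed-profile handling assumes the plist sits unbroken inside the CMS envelope.

```python
import plistlib

# IPSec dictionary keys that hold credentials in readable form.
# XAuthPassword is the key named in the question; SharedSecret (the group
# pre-shared key) comes from Apple's reference, not from this thread.
SECRET_KEYS = ("XAuthPassword", "SharedSecret")


def load_profile(raw: bytes) -> dict:
    """Parse a .mobileconfig, signed or unsigned.

    A signed profile is a CMS (DER) envelope around the same XML plist, so
    the plist is cut out of the blob; signing does not encrypt it.
    Assumes the plist is stored contiguously inside the envelope.
    """
    start = raw.find(b"<?xml")
    end = raw.rfind(b"</plist>")
    if start == -1 or end < start:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def audit_vpn_payloads(raw: bytes) -> list:
    """Return one finding per Cisco IPSec VPN payload in the profile."""
    findings = []
    for payload in load_profile(raw).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        if payload.get("VPNType") != "IPSec":
            continue
        ipsec = payload.get("IPSec", {})
        findings.append({
            "name": payload.get("UserDefinedName", "(unnamed)"),
            "auth_method": ipsec.get("AuthenticationMethod"),
            "xauth_enabled": ipsec.get("XAuthEnabled"),  # None = key absent
            "embedded_secrets": [k for k in SECRET_KEYS if ipsec.get(k)],
        })
    return findings


def sample_profile(ipsec: dict) -> bytes:
    """Build a constructed profile around the given IPSec dictionary."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn-profile",  # constructed
        "PayloadContent": [{
            "PayloadType": "com.apple.vpn.managed",
            "UserDefinedName": "Office VPN",
            "VPNType": "IPSec",
            "IPSec": ipsec,
        }],
    })


if __name__ == "__main__":
    # Constructed sample: hand-edited profile with a stored XAuth password.
    edited = sample_profile({
        "RemoteAddress": "vpn.example.com",
        "AuthenticationMethod": "SharedSecret",
        "SharedSecret": b"constructed-group-secret",
        "XAuthEnabled": 1,
        "XAuthName": "alice",
        "XAuthPassword": "constructed-password",
    })
    for finding in audit_vpn_payloads(edited):
        print(finding)
```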

Similar Messages

  • Cisco ISE and NAM profile

    Hi,
    Is there any way to push a configuration.xml created locally via the NAM configuration profile tool to all dot1x clients when they connect to Cisco Catalyst Switches and do AAA with ISE-->AD?
    Cisco ASA can do it for VPN clients (push them an xml profile). Is anything similar possible with ISE?
    thanks

    You have the ability to push a file with ISE, however after you modify the configuration.xml file you then have to select repair device, which you can not do that easily. You can try to have ISE deploy a script where the client downloads the file from an ftp server and then the script repairs the network adapter.
    That will however require some knowledge on scripting.
    Thanks,
    Sent from Cisco Technical Support iPad App

  • Profile for Cisco IPsec VPN does not set shared secret correctly

    Hi,
    We have a shared secret configuration for a Cisco IPsec (connecting to an ASA). I can correctly configure a profile for the Cisco IPsec VPN and deliver it to the device. However, the VPN connection fails due to an invalid shared secret. If I then go into the VPN settings on the device itself and manually retype the shared secret, it works fine.
    I have noticed this when generating the mobileconfig profile both from Apple's iPhone Configuration Utility and also when using the MobileIron management platform to generate and push profiles.
    Has anyone else seen this problem? I'm really confident that I'm typing the shared secret correctly in the iPCU generated profile as I've tried it many times. It also has happened across every flavor of iOS 3.x and 4.x (including the 4.2 betas).
    thanks

    Hi,
    Thanks for the reply but it is a bit of a strange one. What makes you think the shared secret we are using - which you don't know - is more than 32 characters long? I can promise you it isn't. There's a bug in the way mobileconfig files are storing the encrypted shared secret values. I've now seen it on a third party mobile device management platform too.

  • Cisco IPSec Client - shared key size

    Hello,
    I have got a question concerning the Cisco IPSec Client.
    Could you tell me, how large the key may be (max. 64 or 127 characters) ?
    Thanks and regards
    Patrick

    Just to help somebody else facing an issue similar to this one.
    Open the Advanced menu from the configured VPN in the Network Preferences and check 'Send all traffic over VPN connection'.
    The problem is when you have a VPN that routes all the traffic; if you want specific routes they should be configured and passed on from the router.
    I've configured and tested several VPN connections to Cisco ASA without an issue when the routes are configured on it (vpn_net1, vpn_net2 and so on), but when the route isn't specified in the router it should be considered as a default route and this option needs to be checked.

  • Mavericks VPN dropouts with native VPN client and Cisco IPSec

    Since the update to Mavericks I am experiencing VPN dropouts with the native VPN client and Cisco IPSec.
    I am connecting via a WiFi router to a remote VPN server.
    The connection is good for a while but eventually it drops out.
    I had zero issues in Mountain Lion and only have issues since the update to 10.9.
    I had similar issues in the past with an unreliable WiFi router, but I am using a Verizon Fios router and it has worked impeccably until Mavericks.
    My thoughts are:
    1 - Issue with Mavericks (maybe the app sleep function affecting either VPN or WiFi daemons)
    2 - Issue with Cisco router compatibility or timing with Cisco IPSec
    3 - Issue with WiFi itself on Mavericks - some sort of WiFi software bug
    Any suggestions?

  • Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2

    This setup is to try routing Cisco VPN to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in the incoming AUTH request from Cisco IPSec VPN Client 5.x. I tried playing with pcf files and user names/identity stores; none seems to work.

    Hi Tony,
    to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
    CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
    You may want to try and ask in the AAA forum if there is anything you can do on ACS...
    hth
    Herbert

  • GRE IPSec between Cisco 2811 and FortiGate 110C

    Hello,
    Does anybody know if it is possible to configure GRE IPSec tunnel between Cisco 2811 router and FortiGate 110C firewall? I know that FortiGate supports IPSec and GRE tunnels, but maybe somebody succeeded in establishing an IPSec GRE between those routers? Could you also give a link to the appropriate documentation if it is possible?

    Hi,
    You can configure the GRE tunnel on the 2811.
    I'm aware that you can configure sort of a GRE tunnel on the Fortinet as well, but I have not seen a GRE tunnel between a Cisco and other vendor.
    I've only seen GRE tunnels between Cisco devices (however I have not tried it to assure you that it will not work :-()
    Federico.

  • CISCO IPSec

    Could someone please direct me to where I can find literature on Cisco IPSec shared keys versus IPSec internally generated certificate based? If there isn't any literature on the comparison of these two, then the pros and cons of each would be good enough; thank you.

    you may want to check out these links
    http://www.cisco.com/en/US/tech/tk583/tk372/tech_brief09186a00801e05dc.html
    especially this one:
    http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_maintenance_guide_chapter09186a008007da1f.html#14092
    check out the case studies:
    http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_maintenance_guide_chapter09186a008007da0d.html

  • Cisco IPSec NAT transparency

    Hi,
    Cisco IPsec works fine for me, but only in native mode: using ESP protocol. Since it's a Cisco implementation I guess it supports NAT-T. Does anyone know:
    a) it should work automatically
    b) should I configure NAT-T (UDP or TCP) somewhere else?
    So: native mode is okay, but since I go through a NAT device, IPSec NAT-T is my goal.
    Thanks,
    Aa

    Go to Configuration > System > Tunneling Protocols > IPSec > IKE proposals. Once there, select the Active proposal used by Group and check if you are using XAUTH. To change the config, click the modify button and choose "Preshared Keys (XAUTH)" under Authentication mode.

  • Cisco IPSec Client Setup for Wireless

    I would like to set up Cisco IPSec VPN Client on a wireless Laptop to authenticate to a Cisco Radius Server 3.2. (WLC 4100)with pre-share keys.
    I have set up the basic parameters on the WLC: SSID, VLAN, L3 Security IPSec and default IPSec parameters. The WLC does not seem to send/forward any kind of request to ACS at all, and when I connect on the wireless client it behaves as a pass-through VPN.
    Thank you,

    Try these links:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008014a37c.shtml
    http://www.cisco.com/warp/public/480/acs-peap.html
    http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a008015cfd8.html

  • Cisco IPSEC VPN not working after upgrade to Mavericks

    I have been using the Cisco IPSEC VPN for almost 2 years with no issues. When I upgraded to Mavericks this week it stopped working. When I tell it to connect it prompts for a password and attempts to connect for about 30 seconds, then comes back with the following message...
    VPN Connection
    The negotiation with the VPN server failed. Verify the server address and try reconnecting.
    The address, group, shared secret, user and password are correct. Any help would be greatly appreciated.

    Hey, I'm not sure if this fixes the Cisco IPSec issue, but I can vouch for it fixing the L2TP issue that occurs after the Mavericks upgrade!
    I’ve got L2TP VPN working in Mavericks 10.9 and Server App 3.0.0 / 3.0.1.
    It really is quite a simple fix.
    Obviously, the standard caveats apply: This is a temporary, unsupported, workaround, and only a suggested idea at that. Again, this workaround is NOT supported by Apple.
    Proceed with this workaround on your own equipment at your own risk. And remember the golden rule: Always backup your data!
    OK so here goes… copy and paste the following into Terminal ONE LINE AT A TIME!
    cd /tmp
    curl -sO http://c5mart.co/mavericks-vpn-fix/racoon.tar.gz
    tar -xzvf racoon.tar.gz
    rm racoon.tar.gz
    sudo chown root:wheel racoon
    sudo chmod 555 racoon
    if [ ! -f /usr/sbin/racoon.mavericks ]; then sudo mv /usr/sbin/racoon /usr/sbin/racoon.mavericks; fi;
    sudo mv racoon /usr/sbin/racoon
    sudo killall racoon
    This works fine for me and I'm running a OSX Server for my entire office.
    …et voilà!

  • Silent Profile key ( # ) is not working anymore

    Hello,
    I am using a Nokia 6300. Recently I did a phone software update (to version 5.00), backed all my data up, had afterwards some trouble to get the saved data back on the handset, but it finally worked. Though I still have one small issue. Before the update, when I pressed and held the # key, the phone switched from General to Silent Profile, and back to General if I pressed the key again. This nice feature is now somehow disabled.
    Does anybody have the same problem, and would there be someone nice enough to help me out on this one?
    Thanks in advance

    which keyboard format did you set in the language?
    Regards,
    Jin Li
    May this year, be the year of 'DO'!
    I am a volunteer, and not a paid staff of Lenovo or Microsoft

  • Cisco wireless and Apple Mac woes

    Hello all,
    I've been working with Cisco wireless and WLCs for a couple of years now but the recent onslaught of Apple Macs is giving me heartburn.  I've seen this at numerous sites now and need to throw it to the community for guidance.
    Basically we have had a number of instances where the Macs just fall off the wifi.  Sometimes it's when they wake from sleep and other times when roaming between APs (1131s with same SSIDs).  Our standard install is WPA2 and per-AP local authentication.  PCs work fine and never an issue.
    We have completed a survey with a spectrum analyser and no RF interference is present nor errors on the radio interface.
    Questions:
    - Is there a preferred Cisco config/setup for Mac's to work reliably?  I've heard loads of rumors but nothing concrete and nor can I find anything specific.
    - Should I be setting up WDS in case there is an authenticating issue.
    - For those who are Mac gurus and happen to be reading. What Mac options we should look at?
    This has all come to a head because the client's IT company who recommended the Macs (different from us doing the network infrastructure) are insisting that the problem is Cisco incompatibility and that we should rip out the Cisco kit and install airports (what tha!!!).
    Thanks in advance for any pointers.
    For those who like a config here it is .... Vanilla stuff really
    Building configuration...
    Current configuration : 2236 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname AP4
    no logging console
    enable secret xxxxxxxxxxxxxxxxx
    no aaa new-model
    dot11 syslog
    dot11 ssid Home
       vlan 1
       authentication open
       authentication key-management wpa
       guest-mode
       mbssid guest-mode
       wpa-psk ascii xxxxxxxxxxxx
    dot11 ssid avnet
       vlan 2
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii xxxxxxxxxxxxxxxx
    username abcd password 1234
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 1 mode ciphers tkip
    encryption vlan 2 mode ciphers tkip
    ssid Home
    mbssid
    speed  basic-1.0 basic-2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
    channel 2412
    station-role root
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.2
    encapsulation dot1Q 2
    no ip route-cache
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    bridge-group 2 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    hold-queue 80 in
    interface FastEthernet0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface FastEthernet0.2
    encapsulation dot1Q 2
    no ip route-cache
    bridge-group 2
    no bridge-group 2 source-learning
    bridge-group 2 spanning-disabled
    interface BVI1
    ip address 192.168.10.54 255.255.255.0
    no ip route-cache
    ip default-gateway 192.168.10.1
    no ip http server
    no ip http secure-server
    bridge 1 route ip
    line con 0
    line vty 0 4
    login local
    end

    Yeah!! Even I have come across multiple issues with MAC and Cisco. Below are the settings which I normally apply on the Cisco gear, and most of the time this solved the issue.
    On the IOS AP, disable Aironet Extensions and set the power local cck and ofdm to max:
    no dot11 extension aironet
    power local cck max
    power local ofdm max
    end
    On the WLC, disable Aironet IE..
    lemme know if this answered your question..
    Regards
    Surendra
    ====
    Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull

  • Mavericks 10.9.5 VPN Cisco IPSec stopped working. Please help.

    My machine with (what might be) relevant software:
    Macbook Pro mid 2012
    Mavericks 10.9.5
    Server 3.2.1
    Xcode 6.0.1
    I use VPN to connect to Cisco IPSec.
    This used to work fine. Two days ago I noticed it stopped working.
    Over the few days before I installed Server and used some services, but switched them off after using.
    I used the DNS service and automated xcode build, but all switched off.
    When trying to connect to Cisco IPSec VPN I now get some kind of timeout, with the following in my log:
    02/10/2014 09:42:44.768 configd[24]: IPSec connecting to server 64.13.171.130
    02/10/2014 09:42:44.771 configd[24]: network changed.
    02/10/2014 09:42:44.772 configd[24]: IPSec Phase1 starting.
    02/10/2014 09:42:44.773 configd[24]: SCNC: start, triggered by (402) SystemUIServer, type IPSec, status 0, trafficClass 0
    02/10/2014 09:42:45.221 racoon[59453]: accepted connection on vpn control socket.
    02/10/2014 09:42:45.221 racoon[59453]: IPSec connecting to server 64.13.171.130
    02/10/2014 09:42:45.222 racoon[59453]: Connecting.
    02/10/2014 09:42:45.222 racoon[59453]: IPSec Phase 1 started (Initiated by me).
    02/10/2014 09:42:45.226 racoon[59453]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
    02/10/2014 09:42:45.227 racoon[59453]: >>>>> phase change status = Phase 1 started by us
    02/10/2014 09:42:45.230 configd[24]: network changed.
    02/10/2014 09:42:45.415 racoon[59453]: port 62465 expected, but 0
    02/10/2014 09:42:45.465 racoon[59453]: IKEv1 Phase 1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
    02/10/2014 09:42:45.466 racoon[59453]: >>>>> phase change status = Phase 1 started by peer
    02/10/2014 09:42:45.466 racoon[59453]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
    02/10/2014 09:42:45.466 racoon[59453]: IKEv1 Phase 1 Initiator: success. (Initiator, Aggressive-Mode).
    02/10/2014 09:42:45.466 racoon[59453]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
    02/10/2014 09:42:45.466 racoon[59453]: IPSec Phase 1 established (Initiated by me).
    02/10/2014 09:42:45.469 configd[24]: network changed.
    02/10/2014 09:42:45.655 racoon[59453]: IPSec Extended Authentication requested.
    02/10/2014 09:42:45.655 configd[24]: IPSec requesting Extended Authentication.
    02/10/2014 09:42:45.661 configd[24]: network changed.
    02/10/2014 09:42:49.984 xpcproxy[59462]: assertion failed: 13F34: xpcproxy + 3438 [D559FC96-E6B1-363A-B850-C7AC9734F210]: 0x2
    02/10/2014 09:43:36.000 kernel[0]: IOHIDSystem: postEvent LLEventQueue overflow.
    02/10/2014 09:44:45.759 racoon[59453]: IKE Packet: receive success. (Information message).
    02/10/2014 09:44:45.759 configd[24]: IPSec Controller: IKE FAILED. phase 4, assert 0
    02/10/2014 09:44:45.760 configd[24]: IPSec disconnecting from server 64.13.171.130
    02/10/2014 09:44:45.761 racoon[59453]: IPSec disconnecting from server 64.13.171.130
    02/10/2014 09:44:45.761 racoon[59453]: failed to send vpn_control message: Broken pipe
    02/10/2014 09:44:45.763 racoon[59453]: IPSec disconnecting from server 64.13.171.130
    02/10/2014 09:44:45.766 configd[24]: network changed.
    02/10/2014 09:44:45.774 configd[24]: network changed.
    Any suggestions on what I could possibly have broken and how to fix it? I need this VPN connection for work.

    A guess, but could this be an issue with changed permissions somehow? Something seems to stop the password popup to show. And then authentication fails.

  • Project Actual Cost Line Items (CJI3) - Need Investment Profile Key also

    Hi All,
    We are trying to execute the report "Project Actual Cost Line Items" through Transaction Code CJI3.
    We need the Investment Profile Key also in the output report of CJI3.
    Is there any standard SAP report to get the Investment Profile Key as well, along with the normal CJI3 output?
    Please let me know in case you find any such Standard SAP report.
    Thanks in advance for your help.
    Regards,
    Srinivas

    Hello Sreekanth
    Thanks for your input. Yes it is working now after posting cost under same CE as what I have maintained in Base of costing sheet on required WBS..
    I was under the impression that the cost lying in the cost center can be pulled out independently on the WBS through the costing sheet, based upon the percentage mentioned in overhead. However, I am observing now that the cost posted on the WBS is taken as the base amount to calculate overhead.
    In my case, Eur 100 cost is posted under primary cost element 652100 on the WBS and Eur 2000 cost is posted on the cost center under the same cost element. Actually I am required to pull out some percentage of the cost Eur 2000 on the cost center to the WBS. However, currently it is taking Rs 100 (posted on WBS) as the baseline cost and calculating overhead over it and posting it to the WBS again under the overhead cost element.
    Can we handle this through costing sheet or for that Assessment distribution is must?  May I expect the answer.
    Best Regards
    Adwait
