Cisco IPSec and XAuthPassword profile key
I am creating the config profile for iPhone, but while using iPhone Configuration Utility I cannot enter a password for the IPSec VPN, as the application has no UI for that.
I have found, though, that manually writing the "XAuthPassword" key into the config profile does the trick: the iPhone does recognize that entry and sets the password automatically when the profile is applied.
So, the questions are:
1) Is this config key officially supported on iOS for IPSec VPN? If yes, then starting with which version?
2) Because iPhone Configuration Utility does not allow me to create signed profiles containing the XAuthPassword key, can I manually sign the configuration profile I have edited?
Thank you in advance
Hi,
in « iOS Configuration Profile Reference »:
IPSec Dictionary Keys
XAuthEnabled – Integer: 1 if XAUTH is ON, 0 if it is OFF. Used for Cisco IPSec.
It turns off XAuth and does not ask for user/password.
You can try this option by editing configuration profile like this:
<key>XAuthEnabled</key>
<integer>0</integer>
<key>AuthenticationMethod</key>
<string>Certificate</string>
but I can't resolve the problem; it seems to be an iOS (4.3.1) bug, because my VPN server works fine with other VPN clients, like Cisco VPN Client, with certificate authentication and without XAuth.
Best regards!
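The two posts above edit the IPSec dictionary of a .mobileconfig by hand. The following is an added example (not code from the thread or from Apple) that builds such a profile with Python's plistlib and then audits it for what it actually carries: an unencrypted profile is plain XML, so a SharedSecret is only base64-encoded and an XAuthPassword is a literal string readable by anyone holding the file. Key names follow the iOS Configuration Profile Reference (PayloadType com.apple.vpn.managed, VPNType IPSec, the IPSec dictionary keys); the server name, group, identifiers and secret are constructed sample values.

```python
"""Build and audit an iOS Cisco IPSec VPN configuration profile (.mobileconfig).

Added example, not code from the original thread. Key names follow the
iOS Configuration Profile Reference; hostnames, identifiers and the secret
below are constructed sample values.
"""
import plistlib
import uuid

EXAMPLE_SERVER = "vpn.example.com"                        # constructed sample value
EXAMPLE_GROUP = "ios-users"                               # constructed group name
EXAMPLE_SHARED_SECRET = b"correct horse battery staple"   # constructed sample value


def build_ipsec_profile(server, group, shared_secret, xauth_name=None,
                        xauth_enabled=1, xauth_password=None):
    """Return the profile as plist-encoded bytes.

    XAuthEnabled=1 makes the device prompt for the user password. The thread
    reports that an XAuthPassword key is honoured if present, so it is
    accepted here but only when explicitly supplied.
    """
    ipsec = {
        "AuthenticationMethod": "SharedSecret",
        "RemoteAddress": server,
        "LocalIdentifier": group,
        "SharedSecret": shared_secret,   # bytes are written as <data> (base64)
        "XAuthEnabled": xauth_enabled,
    }
    if xauth_name:
        ipsec["XAuthName"] = xauth_name
    if xauth_password is not None:
        ipsec["XAuthPassword"] = xauth_password
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ipsec",       # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Cisco IPSec VPN",
        "UserDefinedName": "Office VPN",
        "VPNType": "IPSec",
        "IPSec": ipsec,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.vpn",     # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Office VPN profile",
        "PayloadContent": [vpn_payload],
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes):
    """Return findings about credentials embedded in the VPN payloads.

    Nothing here is encrypted: SharedSecret is base64 inside <data>, and
    XAuthPassword is a cleartext string, so file access equals credential access.
    """
    findings = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        ipsec = payload.get("IPSec", {})
        name = payload.get("PayloadDisplayName", payload.get("PayloadUUID"))
        if "XAuthPassword" in ipsec:
            findings.append(f"{name}: XAuthPassword stored in cleartext")
        secret = ipsec.get("SharedSecret")
        if isinstance(secret, bytes):
            findings.append(f"{name}: SharedSecret present ({len(secret)} bytes, "
                            "base64-encoded <data>, not encrypted)")
        if ipsec.get("XAuthEnabled") == 0 and ipsec.get("AuthenticationMethod") != "Certificate":
            findings.append(f"{name}: XAuth disabled with shared-secret authentication only; "
                            "the group secret alone authenticates the user")
    return findings


def embedded_shared_secret(profile_bytes):
    """Decode the SharedSecret the device will receive (checks the round trip)."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("VPNType") == "IPSec":
            return payload["IPSec"].get("SharedSecret")
    return None


if __name__ == "__main__":
    blob = build_ipsec_profile(EXAMPLE_SERVER, EXAMPLE_GROUP, EXAMPLE_SHARED_SECRET,
                               xauth_name="alice")
    print(blob.decode())
    for finding in audit_profile(blob):
        print("finding:", finding)
```

The round-trip helper is the quick check to run when a delivered profile is rejected for a wrong shared secret: decode what is actually in the file rather than trusting what was typed into the tool. Signing (question 2 above) does not change any of this; a signed profile proves origin and integrity but leaves the payload readable.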
Similar Messages
-
Hi,
Is there any way to push a configuration.xml created locally via the NAM configuration profile tool to all dot1x clients when they connect to Cisco Catalyst switches and do AAA with ISE-->AD?
Cisco ASA can do it for VPN client (push them xml profile), any similar things with ISE possible?
thanks
You have the ability to push a file with ISE; however, after you modify the configuration.xml file you then have to select "repair device", which you cannot do easily. You can try to have ISE deploy a script where the client downloads the file from an FTP server and then the script repairs the network adapter.
That will however require some knowledge on scripting.
Thanks,
Sent from Cisco Technical Support iPad App -
Profile for Cisco IPsec VPN does not set shared secret correctly
Hi,
We have a shared secret configuration for a Cisco IPsec (connecting to an ASA). I can correctly configure a profile for the Cisco IPsec VPN and deliver it to the device. However, the VPN connection fails due to an invalid shared secret. If I then go into the VPN settings on the device itself and manually retype the shared secret, it works fine.
I have noticed this when generating the mobileconfig profile both from Apple's iPhone Configuration Utility and also when using the MobileIron management platform to generate and push profiles.
Has anyone else seen this problem? I'm really confident that I'm typing the shared secret correctly in the iPCU generated profile as I've tried it many times. It also has happened across every flavor of iOS 3.x and 4.x (including the 4.2 betas).
thanks
Hi,
Thanks for the reply but it is a bit of a strange one. What makes you think the shared secret we are using - which you don't know - is more than 32 characters long. I can promise you it isn't. There's a bug in the way mobileconfig files are storing the encrypted shared secret values. I've now seen it on a third party mobile device management platform too. -
Cisco IPSec Client - shared key size
Hello,
I have got a question concerning the Cisco IPSec Client.
Could you tell me how large the key may be (max. 64 or 127 characters)?
Thanks and regards
Patrick
Just to help somebody else facing an issue similar to this one.
Open the Advanced menu from the configured VPN in the Network Preferences and check 'Send all traffic over VPN connection'.
The problem is when you have a VPN that routes all the traffic, if you want specific routes they should be configured and passed on from the router.
I've configured and tested several VPN connections to Cisco ASA without an issue when the routes are configured on it (vpn_net1, vpn_net2 and so on), but when the route isn't specified in the router it should be considered as a default route and this option needs to be checked. -
Mavericks VPN dropouts with native VPN client and Cisco IPSec
Since the update to Mavericks I am experiencing VPN dropouts with the native VPN client and Cisco IPSec.
I am connecting via a WiFi router to a remote VPN server.
The connection is good for a while but eventually it drops out.
I had zero issues in Mountain Lion and only have issues since the update to 10.9.
I had similar issues in the past with an unreliable WiFi router, but I am using a Verizon FiOS router and it has worked impeccably until Mavericks.
My thoughts are:
1 - issue with Mavericks (maybe the app sleep function affecting either VPN or WiFi daemons)
2 - issue with Cisco router compatibility or timing with Cisco IPSEC
3 - issue with WiFi itself on Mavericks - some sort of WiFi software bug
Any thoughts or suggestions? -
Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2
This setup is to try routing Cisco VPN to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in the incoming AUTH request from Cisco IPSec VPN Client 5.x. Tried playing with pcf files and user names/identity stores; none seems to work.
Hi Tony,
to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
CSCsw31922 Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
You may want to try and ask in the AAA forum if there is anything you can do on ACS...
hth
Herbert -
GRE IPSec between Cisco 2811 and FortiGate 110C
Hello,
Does anybody know if it is possible to configure a GRE IPSec tunnel between a Cisco 2811 router and a FortiGate 110C firewall? I know that FortiGate supports IPSec and GRE tunnels, but maybe somebody has succeeded in establishing an IPSec GRE tunnel between those devices? Could you also give a link to the appropriate documentation if it is possible?
Hi,
You can configure the GRE tunnel on the 2811.
I'm aware that you can configure sort of a GRE tunnel on the Fortinet as well, but I have not seen a GRE tunnel between a Cisco and other vendor.
I've only seen GRE tunnels between Cisco devices (however, I have not tried it, so I cannot assure you that it will not work :-()
Federico. -
Could someone please direct me to where to find literature on Cisco IPSec shared keys versus IPSec internally generated certificate-based keys? If there isn't any literature comparing these two, then the pros and cons of each would be good enough; thank you.
you may want to check out these links
http://www.cisco.com/en/US/tech/tk583/tk372/tech_brief09186a00801e05dc.html
especially this one:
http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_maintenance_guide_chapter09186a008007da1f.html#14092
check out the case studies:
http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_maintenance_guide_chapter09186a008007da0d.html -
Hi,
Cisco IPsec works fine for me, but only in native mode, using the ESP protocol. Since it's a Cisco implementation I guess it supports NAT-T. Does anyone know:
a) should it work automatically?
b) should I configure NAT-T (UDP or TCP) somewhere else?
So: native mode is okay, but since I go through a NAT device, IPSec NAT-T is my goal.
Thanks,
Aa
Go to Configuration > System > Tunneling Protocols > IPSec > IKE proposals. Once there, select the active proposal used by the group and check if you are using XAUTH. To change the config, click the Modify button and choose "Preshared Keys (XAUTH)" under Authentication mode.
-
Cisco IPSec Client Setup for Wireless
I would like to set up Cisco IPSec VPN Client on a wireless Laptop to authenticate to a Cisco Radius Server 3.2. (WLC 4100)with pre-share keys.
I have set up the basic parameters on the WLC: SSID, VLAN, L3 Security IPSec and default IPSec parameters. The WLC does not seem to send/forward any kind of request to ACS at all, and when I connect on the wireless client it behaves as a pass-through VPN.
Thank you,
Try these links:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008014a37c.shtml
http://www.cisco.com/warp/public/480/acs-peap.html
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a008015cfd8.html -
Cisco IPSEC VPN not working after upgrade to Mavericks
I have been using the Cisco IPSEC VPN for almost 2 years with no issues. When I upgraded to Mavericks this week it stopped working. When i tell it to connect it prompts for password and attempts to connect for about 30 seconds then comes back with the following message...
VPN Connection
The negotiation with the VPN server failed. Verify the server address and try reconnecting.
The address, group, shared secret, user and password are correct. Any help would be greatly appreciated.
Hey, I'm not sure if this fixes the Cisco IPSec issue, but I can vouch for it fixing the L2TP issue that occurs after the Mavericks upgrade!
I’ve got L2TP VPN working in Mavericks 10.9 and Server App 3.0.0 / 3.0.1.
It really is quite a simple fix.
Obviously, the standard caveats apply: This is a temporary, unsupported, workaround, and only a suggested idea at that. Again, this workaround is NOT supported by Apple.
Proceed with this workaround on your own equipment at your own risk. And remember the golden rule: Always backup your data!
OK so here goes… copy and paste the following into Terminal ONE LINE AT A TIME!
cd /tmp
curl -sO http://c5mart.co/mavericks-vpn-fix/racoon.tar.gz
tar -xzvf racoon.tar.gz
rm racoon.tar.gz
sudo chown root:wheel racoon
sudo chmod 555 racoon
if [ ! -f /usr/sbin/racoon.mavericks ]; then sudo mv /usr/sbin/racoon /usr/sbin/racoon.mavericks; fi;
sudo mv racoon /usr/sbin/racoon
sudo killall racoon
This works fine for me and I'm running an OS X Server for my entire office.
…et voilà! -
Silent Profile key ( # ) is not working anymore
Hello,
I am using a Nokia 6300. Recently I did a phone software update (to version 5.00), backed all my data up, had afterwards some trouble to get the saved data back on the handset, but it finally worked. Though I still have one small issue. Before the update, when I pressed and held the # key, the phone switched from General to Silent Profile, and back to General if I pressed the key again. This nice feature is now somehow disabled.
Does anybody have the same problem, and would there be someone nice enough to help me out on this one?
Thanks in advance
Which keyboard format did you set in the language?
Regards,
Jin Li
May this year, be the year of 'DO'!
I am a volunteer, and not a paid staff of Lenovo or Microsoft -
Cisco wireless and Apple Mac woes
Hello all,
I've been working with Cisco wireless and WLCs for a couple of years now, but the recent onslaught of Apple Macs is giving me heartburn. I've seen this at numerous sites now and need to throw it to the community for guidance.
Basically we have had a number of instances where the Macs just fall off the wifi. Sometimes it's when they wake from sleep and other times when roaming between AP's (1131s with same SSID's). Our standard install is WPA2 and per ap local authentication. PC's work fine and never an issue.
We have completed a survey with a spectrum analyser and no RF interference is present, nor errors on the radio interface.
Questions:
- Is there a preferred Cisco config/setup for Mac's to work reliably? I've heard loads of rumors but nothing concrete and nor can I find anything specific.
- Should I be setting up WDS in case there is an authenticating issue.
- For those who are Mac gurus and happen to be reading. What Mac options we should look at?
This has all come to a head because the clients IT company who recommended the Macs (different from us doing the network infrastructure) are insisting that the problem is Cisco incompatibility and that we should rip out the Cisco kit and install airports (what tha!!!).
Thanks in advance for any pointers.
For those who like a config here it is .... Vanilla stuff really
Building configuration...
Current configuration : 2236 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP4
no logging console
enable secret xxxxxxxxxxxxxxxxx
no aaa new-model
dot11 syslog
dot11 ssid Home
vlan 1
authentication open
authentication key-management wpa
guest-mode
mbssid guest-mode
wpa-psk ascii xxxxxxxxxxxx
dot11 ssid avnet
vlan 2
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii xxxxxxxxxxxxxxxx
username abcd password 1234
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 1 mode ciphers tkip
encryption vlan 2 mode ciphers tkip
ssid Home
mbssid
speed basic-1.0 basic-2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2412
station-role root
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
hold-queue 80 in
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface FastEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
interface BVI1
ip address 192.168.10.54 255.255.255.0
no ip route-cache
ip default-gateway 192.168.10.1
no ip http server
no ip http secure-server
bridge 1 route ip
line con 0
line vty 0 4
login local
end
Yeah!! Even I have come across multiple issues with Mac and Cisco. These are the settings which I normally apply on the Cisco gear, and most of the time this solved the issue:
On the IOS AP disable Aironet extensions and set the power local cck and ofdm to max:
no dot11 extension aironet
power local cck max
power local ofdm max
end
On the WLC, disable Aironet IE..
lemme know if this answered your question..
Regards
Surendra
====
Please don't forget to rate the posts which answered your question and mark it as answered or was helpful -
Mavericks 10.9.5 VPN Cisco IPSec stopped working. Please help.
My machine with (what might be) relevant software:
Macbook Pro mid 2012
Mavericks 10.9.5
Server 3.2.1
Xcode 6.0.1
I use VPN to connect to Cisco IPSec.
This used to work fine. Two days ago I noticed it stopped working.
Over the few days before I installed Server and used some services, but switched them off after using.
I used the DNS service and automated xcode build, but all switched off.
When trying to connect to Cisco IPSec VPN I now get some kind of timeout, with the following in my log:
02/10/2014 09:42:44.768 configd[24]: IPSec connecting to server 64.13.171.130
02/10/2014 09:42:44.771 configd[24]: network changed.
02/10/2014 09:42:44.772 configd[24]: IPSec Phase1 starting.
02/10/2014 09:42:44.773 configd[24]: SCNC: start, triggered by (402) SystemUIServer, type IPSec, status 0, trafficClass 0
02/10/2014 09:42:45.221 racoon[59453]: accepted connection on vpn control socket.
02/10/2014 09:42:45.221 racoon[59453]: IPSec connecting to server 64.13.171.130
02/10/2014 09:42:45.222 racoon[59453]: Connecting.
02/10/2014 09:42:45.222 racoon[59453]: IPSec Phase 1 started (Initiated by me).
02/10/2014 09:42:45.226 racoon[59453]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
02/10/2014 09:42:45.227 racoon[59453]: >>>>> phase change status = Phase 1 started by us
02/10/2014 09:42:45.230 configd[24]: network changed.
02/10/2014 09:42:45.415 racoon[59453]: port 62465 expected, but 0
02/10/2014 09:42:45.465 racoon[59453]: IKEv1 Phase 1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
02/10/2014 09:42:45.466 racoon[59453]: >>>>> phase change status = Phase 1 started by peer
02/10/2014 09:42:45.466 racoon[59453]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
02/10/2014 09:42:45.466 racoon[59453]: IKEv1 Phase 1 Initiator: success. (Initiator, Aggressive-Mode).
02/10/2014 09:42:45.466 racoon[59453]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
02/10/2014 09:42:45.466 racoon[59453]: IPSec Phase 1 established (Initiated by me).
02/10/2014 09:42:45.469 configd[24]: network changed.
02/10/2014 09:42:45.655 racoon[59453]: IPSec Extended Authentication requested.
02/10/2014 09:42:45.655 configd[24]: IPSec requesting Extended Authentication.
02/10/2014 09:42:45.661 configd[24]: network changed.
02/10/2014 09:42:49.984 xpcproxy[59462]: assertion failed: 13F34: xpcproxy + 3438 [D559FC96-E6B1-363A-B850-C7AC9734F210]: 0x2
02/10/2014 09:43:36.000 kernel[0]: IOHIDSystem: postEvent LLEventQueue overflow.
02/10/2014 09:44:45.759 racoon[59453]: IKE Packet: receive success. (Information message).
02/10/2014 09:44:45.759 configd[24]: IPSec Controller: IKE FAILED. phase 4, assert 0
02/10/2014 09:44:45.760 configd[24]: IPSec disconnecting from server 64.13.171.130
02/10/2014 09:44:45.761 racoon[59453]: IPSec disconnecting from server 64.13.171.130
02/10/2014 09:44:45.761 racoon[59453]: failed to send vpn_control message: Broken pipe
02/10/2014 09:44:45.763 racoon[59453]: IPSec disconnecting from server 64.13.171.130
02/10/2014 09:44:45.766 configd[24]: network changed.
02/10/2014 09:44:45.774 configd[24]: network changed.
Any suggestions on what I could possibly have broken and how to fix it? I need this VPN connection for work.
A guess, but could this be an issue with changed permissions somehow? Something seems to stop the password popup from showing. And then authentication fails.
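The log above already contains the answer to "which step failed": Phase 1 (group name and shared secret) establishes, racoon requests Extended Authentication, and two minutes later IKE fails with nothing about the user credential in between. The following is an added example (not from the post) that parses such racoon/configd lines into that timeline so the failing step can be read off directly. The sample lines are an abridged copy of the log quoted in the post; the event patterns and diagnosis rules are the editor's own heuristics, and the timestamps are assumed to be day/month/year (only their differences matter here).

```python
"""Summarise an IKEv1/XAuth negotiation from macOS racoon and configd log lines.

Added example, not code from the original post. The sample lines are an
abridged copy of the log quoted in the post; the event patterns and the
diagnosis rules are the editor's own heuristics.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
02/10/2014 09:42:44.768 configd[24]: IPSec connecting to server 64.13.171.130
02/10/2014 09:42:44.772 configd[24]: IPSec Phase1 starting.
02/10/2014 09:42:45.222 racoon[59453]: IPSec Phase 1 started (Initiated by me).
02/10/2014 09:42:45.466 racoon[59453]: IPSec Phase 1 established (Initiated by me).
02/10/2014 09:42:45.655 racoon[59453]: IPSec Extended Authentication requested.
02/10/2014 09:42:45.655 configd[24]: IPSec requesting Extended Authentication.
02/10/2014 09:44:45.759 configd[24]: IPSec Controller: IKE FAILED. phase 4, assert 0
02/10/2014 09:44:45.760 configd[24]: IPSec disconnecting from server 64.13.171.130
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Event kinds in the order a successful Cisco IPSec (IKEv1 aggressive mode +
# XAuth) connection logs them, with the message fragment that marks each one.
EVENT_PATTERNS = [
    ("connecting", re.compile(r"IPSec connecting to server (\S+)")),
    ("phase1_started", re.compile(r"IPSec Phase ?1 (?:starting|started)")),
    ("phase1_established", re.compile(r"IPSec Phase 1 established")),
    ("xauth_requested", re.compile(r"Extended Authentication requested")),
    ("ike_failed", re.compile(r"IKE FAILED")),
    ("disconnecting", re.compile(r"IPSec disconnecting from server")),
]


def parse_events(text):
    """Return [(timestamp, process, kind, regex match)] for recognised lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%m/%Y %H:%M:%S.%f")  # dd/mm assumed
        for kind, pattern in EVENT_PATTERNS:
            hit = pattern.search(m.group("msg"))
            if hit:
                events.append((ts, m.group("proc"), kind, hit))
                break
    return events


def summarize(text):
    """Condense the negotiation into a dict with a one-line diagnosis."""
    summary = {
        "server": None,
        "phase1_established": False,
        "xauth_requested": False,
        "failed": False,
        "seconds_xauth_to_failure": None,
        "diagnosis": "no failure recorded",
    }
    xauth_ts = None
    for ts, _proc, kind, hit in parse_events(text):
        if kind == "connecting":
            summary["server"] = hit.group(1)
        elif kind == "phase1_established":
            summary["phase1_established"] = True
        elif kind == "xauth_requested":
            summary["xauth_requested"] = True
            xauth_ts = xauth_ts or ts
        elif kind == "ike_failed":
            summary["failed"] = True
            if xauth_ts is not None:
                summary["seconds_xauth_to_failure"] = (ts - xauth_ts).total_seconds()

    if summary["failed"] and not summary["phase1_established"]:
        summary["diagnosis"] = ("Phase 1 never established: server address, group name "
                                "or shared secret rejected, or no reply from the server")
    elif summary["failed"] and summary["xauth_requested"]:
        summary["diagnosis"] = ("Phase 1 (group/shared secret) succeeded; the failure came "
                                "after the XAuth request with no credential exchange logged, "
                                "so the user-password step never completed on the client")
    elif summary["failed"]:
        summary["diagnosis"] = "Phase 1 established but IKE failed before XAuth"
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log from the post, the summary reports the server, a completed Phase 1, an XAuth request, and a gap of about 120 seconds before the failure, which is the pattern the reply's "password popup never showed" guess predicts; a wrong shared secret or group would instead fail before Phase 1 establishes.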
-
Project Actual Cost Line Items (CJI3) - Need Investment Profile Key also
Hi All,
We are trying to execute the report "Project Actual Cost Line Items" through Transaction Code CJI3.
We need the Investment Profile Key also in the output report of CJI3.
Is there any standard SAP report to get the Investment Profile Key as well, along with the normal CJI3 output?
Please let me know in case you find any such Standard SAP report.
Thanks in advance for your help.
Regards,
Srinivas
Hello Sreekanth
Thanks for your input. Yes it is working now after posting cost under same CE as what I have maintained in Base of costing sheet on required WBS..
I was under the impression that the cost lying in the cost center can be pulled out independently on the WBS through the costing sheet, based upon the percentage mentioned in overhead. However, I am observing now that the cost posted on the WBS is taken as the base amount to calculate overhead.
In my case, Eur 100 cost is posted under primary cost element 652100 on WBS and Eur 2000 cost is posted on Cost center under same Cost element Actually I am required to pull out some percentage of cost Eur2000 on cost center to WBS. However,
currently it is taking Rs 100 (posted on WBS) as the baseline cost, calculating overhead over it and posting it to the WBS again under the overhead cost element.
Can we handle this through costing sheet or for that Assessment distribution is must? May I expect the answer.
Best Regards
Adwait