Cisco IPSec Client - shared key size
Hello,
I have got a question concerning the Cisco IPSec Client.
Could you tell me, how large the key may be (max. 64 or 127 characters) ?
Thanks and regards
Patrick
Just to help somebody else facing an issue similar to this one.
Open Advanced menu from the configurated VPN in the Network Preferences and check 'Send all traffic over VPN connection'.
The problem is when you have a VPN that routes all the traffic, if you want specific routes they should be configured and passed on from the router.
I've configured a tested several vpn connections to Cisco ASA without an issue when the routes are configured on it (vpn_net1, vpn_net2 and so on) but when the route isn't specified in the router it should be considered as a default route and this option needed to be checked.
Similar Messages
-
Cisco IPSec Client Setup for Wireless
I would like to set up Cisco IPSec VPN Client on a wireless Laptop to authenticate to a Cisco Radius Server 3.2. (WLC 4100)with pre-share keys.
I have setup the basic parameters on the WLC,SSID, VLAN, L3 Security IPSec and default IPSec parameters. The WLC does not seem to send/forward any kind of request to ACS at all and when i connect on the Wireless Client it behaves as a pass through VPN.
Thank you,Try these links:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008014a37c.shtml
http://www.cisco.com/warp/public/480/acs-peap.html
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a008015cfd8.html -
Static addressing for Cisco IPSEC client
Hey Guys,
Is there a way for Cisco client based users to use static addresses instead of receivinga a dhcp address? This will be setup on a Cisco 2801 router. We usually just do dhcp but this customer is requesting static address for each user.
Thanks
JimmyA scalable solution would be to configure a RADIUS server and provide the client their IP address via the frame-ip-address attribute. A hack could be to have a group defined on the EasyVPN server which is associated with an IP pool that has only one address available.
-
Can AnyConnect & Cisco IPsec co-exist on client pc?
Hi- a home user has to connect to one
business using AnyConnect and to us using Cisco IPsec client.
When installing AnyConnect, it wiped out the IPSec client. Can they co-exist on his pc and function side by side?
I'm sure they can't be used simultaneously, but can't both clients be installed for very different connections?
He's running 32-bit xp.
Thanks.Kathy
I am surprised that installation of AnyConnect removed the traditional IPSec client. I have not had that experience. I have several PCs running Windows XP SP3 which have both AnyConnect and IPSec clients installed. Either client works just fine (but not both at the same time).
HTH
Rick -
Mapped drives do not open after connecting via Cisco VPN Client
I have an issue when I initially connect to my remote network, I cannot get to any mapped drive unless I wait a few minutes for the VPN connect to mature. To explain further, I have to wait 2-4 minutes after connecting to the VPN for me to actually connect to those drives.
The error that pops up is:
"An error occurred while reconnecting to DriveLetter: to \\Server\sharedDrive\ Microsoft WIndows Network: The network path was not found. This connection has not been restored.
Now, immediately after I connect, I am able to successfully ping the server that hosts those folder locations but for some reason I cannot get to the server via UNC/shared drives until I wait a few minutes after connecting.
Below is the list of error logs I get when attempting to connect to the mapped drives during those first few minutes of connectivity:
1 15:26:39.804 10/06/14 Sev=Warning/3 IKE/0xA300005F
Firewall, Sygate Security Agent, is not running, the client will not send firewall information to concentrator.
2 15:28:10.614 10/06/14 Sev=Warning/2 IPSEC/0xE3700003
Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
3 15:28:10.614 10/06/14 Sev=Warning/2 IPSEC/0xE3700003
Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
4 15:28:10.614 10/06/14 Sev=Warning/2 IPSEC/0xE3700003
Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
5 15:28:10.614 10/06/14 Sev=Warning/2 IPSEC/0xE3700003
Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
6 15:28:10.614 10/06/14 Sev=Warning/2 IPSEC/0xE3700003
Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
7 15:28:10.614 10/06/14 Sev=Warning/2 IPSEC/0xE3700003
Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
8 15:28:10.614 10/06/14 Sev=Warning/2 IPSEC/0xE3700003
Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
9 15:28:10.614 10/06/14 Sev=Warning/2 IPSEC/0xE3700003
Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
10 15:28:17.188 10/06/14 Sev=Warning/2 IPSEC/0xE3700003
Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
11 15:28:17.188 10/06/14 Sev=Warning/2 IPSEC/0xE3700003
Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
12 15:33:50.642 10/06/14 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=192.168.11.120, error 0
13 15:33:51.656 10/06/14 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
14 15:35:16.855 10/06/14 Sev=Warning/3 IKE/0xA300005F
Firewall, Sygate Security Agent, is not running, the client will not send firewall information to concentrator.
Any ideas on what it could be?I have a client that is showing a similar issue.. Windows 7 computer using Cisco IPSec client terminating on a Cisco 881 Router. I can ping the server by IP, Name and even access the drive from the start menu option, but not the mapped drive. Currently I am looking into this from a offline file issue in windows, but ran across this post and was wondering if you had figured this out? I am going to try the following and will post back if that resolves it.
Doing some research I found that Windows 7 and Vista both have what’s called “slow link mode”. The behavior is that if the latency of the network connection exceeds 80 milliseconds (ms), the system will transition the files to “offline mode”. The 80 ms value is configurable using a local group policy edit.
Open Group policy (start -> run -> gpedit.msc)
Expand “Computer Configuration”
Expand “Administrative Templates”
Expand “Network”
Click on “Offline Files”
Locate “Configure slow-link mode”
This policy can either be disabled or set to a higher value for slower connections.
https://www.conetrix.com/Blog/post/Fixing-Problem-With-Windows-7-Shared-Files-and-Mapped-Drives-Unavailable-Over-VPN.aspx -
Cisco ASA 5505 IPsec client VPN - Cannot connect to local hosts
I have created a Cisco IPsec vpn on my ASA using the VPN creation wizard. I am able to successfully connect to the vpn and seemingly join the network, but after I connect I am unable to connect to or ping any of the hosts on the network.
Checking the ASA I can see that a VPN session is open and my client reports that it is connected. If I attempt to ping the client from the ASA all packets are dropped.
I suspect it may be an issue with my firewall, but I am not really sure where to begin.
Here is a copy of my config, any pointers or tips are aprpeciated:
hostname mcfw
enable password Pt8fQ27yMZplioYq encrypted
passwd 2qaO2Gd6IBRkrRFm encrypted
names
interface Ethernet0/0
switchport access vlan 400
interface Ethernet0/1
switchport access vlan 400
interface Ethernet0/2
switchport access vlan 420
interface Ethernet0/3
switchport access vlan 420
interface Ethernet0/4
switchport access vlan 450
interface Ethernet0/5
switchport access vlan 450
interface Ethernet0/6
switchport access vlan 500
interface Ethernet0/7
switchport access vlan 500
interface Vlan400
nameif outside
security-level 0
ip address 58.13.254.10 255.255.255.248
interface Vlan420
nameif public
security-level 20
ip address 192.168.20.1 255.255.255.0
interface Vlan450
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
interface Vlan500
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
ftp mode passive
clock timezone JST 9
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object host 58.13.254.11
network-object host 58.13.254.13
object-group service ssh_2220 tcp
port-object eq 2220
object-group service ssh_2251 tcp
port-object eq 2251
object-group service ssh_2229 tcp
port-object eq 2229
object-group service ssh_2210 tcp
port-object eq 2210
object-group service DM_INLINE_TCP_1 tcp
group-object ssh_2210
group-object ssh_2220
object-group service zabbix tcp
port-object range 10050 10051
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
group-object zabbix
port-object eq 9000
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service http_8029 tcp
port-object eq 8029
object-group network DM_INLINE_NETWORK_2
network-object host 192.168.20.10
network-object host 192.168.20.30
network-object host 192.168.20.60
object-group service imaps_993 tcp
description Secure IMAP
port-object eq 993
object-group service public_wifi_group
description Service allowed on the Public Wifi Group. Allows Web and Email.
service-object tcp-udp eq domain
service-object tcp-udp eq www
service-object tcp eq https
service-object tcp-udp eq 993
service-object tcp eq imap4
service-object tcp eq 587
service-object tcp eq pop3
service-object tcp eq smtp
access-list outside_access_in remark http traffic from outside
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in remark ssh from outside to web1
access-list outside_access_in extended permit tcp any host 58.13.254.11 object-group ssh_2251
access-list outside_access_in remark ssh from outside to penguin
access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group ssh_2229
access-list outside_access_in remark http from outside to penguin
access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group http_8029
access-list outside_access_in remark ssh from outside to hub & studio
access-list outside_access_in extended permit tcp any host 58.13.254.13 object-group DM_INLINE_TCP_1
access-list outside_access_in remark dns service to hub
access-list outside_access_in extended permit object-group TCPUDP any host 58.13.254.13 eq domain
access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp any host 192.168.10.251 object-group DM_INLINE_TCP_2
access-list public_access_in remark Web access to DMZ websites (mediastudio/civicrm)
access-list public_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www
access-list public_access_in remark General web access. (HTTP, DNS & ICMP and Email)
access-list public_access_in extended permit object-group public_wifi_group any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.80 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
pager lines 24
logging enable
logging timestamp
logging buffered notifications
logging trap notifications
logging asdm debugging
logging from-address [email protected]
logging recipient-address [email protected] level warnings
logging host dmz 192.168.10.90 format emblem
logging permit-hostdown
mtu outside 1500
mtu public 1500
mtu dmz 1500
mtu inside 1500
ip local pool OfficePool 192.168.0.80-192.168.0.90 mask 255.255.255.0
ip local pool VPN_Pool 192.168.0.91-192.168.0.99 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 60
global (outside) 1 interface
global (dmz) 2 interface
nat (public) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2229 192.168.0.29 2229 netmask 255.255.255.255
static (inside,outside) tcp interface 8029 192.168.0.29 www netmask 255.255.255.255
static (dmz,outside) 58.13.254.13 192.168.10.10 netmask 255.255.255.255 dns
static (dmz,outside) 58.13.254.11 192.168.10.30 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.10.0 192.168.0.0 netmask 255.255.255.0 dns
static (dmz,inside) 192.168.0.251 192.168.10.251 netmask 255.255.255.255
static (dmz,public) 192.168.20.30 192.168.10.30 netmask 255.255.255.255 dns
static (dmz,public) 192.168.20.10 192.168.10.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group public_access_in in interface public
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 58.13.254.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
http 59.159.40.188 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp dmz
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map public_map interface public
crypto isakmp enable outside
crypto isakmp enable public
crypto isakmp enable inside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 59.159.40.188 255.255.255.255 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
dhcpd dns 61.122.112.97 61.122.112.1
dhcpd auto_config outside
dhcpd address 192.168.20.200-192.168.20.254 public
dhcpd enable public
dhcpd address 192.168.10.190-192.168.10.195 dmz
dhcpd enable dmz
dhcpd address 192.168.0.200-192.168.0.254 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics host number-of-rate 2
no threat-detection statistics tcp-intercept
ntp server 130.54.208.201 source public
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 61.122.112.97 61.122.112.1
vpn-tunnel-protocol l2tp-ipsec
group-policy CiscoASA internal
group-policy CiscoASA attributes
dns-server value 61.122.112.97 61.122.112.1
vpn-tunnel-protocol IPSec
username mcit password 4alT9CZ8ayD8O8Xg encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_Pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group ocmc type remote-access
tunnel-group ocmc general-attributes
address-pool OfficePool
tunnel-group ocmc ipsec-attributes
pre-shared-key *****
tunnel-group CiscoASA type remote-access
tunnel-group CiscoASA general-attributes
address-pool VPN_Pool
default-group-policy CiscoASA
tunnel-group CiscoASA ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
smtp-server 192.168.10.10
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:222d6dcb583b5f5abc51a2251026f7f2
: end
asdm location 192.168.10.10 255.255.255.255 inside
asdm location 192.168.0.29 255.255.255.255 inside
asdm location 58.13.254.10 255.255.255.255 inside
no asdm history enableHi Conor,
What is your local net ? I see only one default route for outside network. Dont you need a route inside for your local network.
Regards,
Umair -
ASA Iphone, Ipad VPN client pre-shared key (PSK) special characters bug
I ran into this in a deployment of IPSec clients with apple ipad and iphone native vpn client. Here are details:
Cisco ASA 8.2.5 OS
Ipad, running 5.0.1
Iphone i4S, running OS 5.0.1
Special characters make your pre-shared key more secure, so i used a password generator app to make one that coincidently included a " (quotation mark). After configuring this PSK on a Ipad, i was unable to connect. I saw nothing in the ASA logs, indicating the Ipad didnt even try to connect.
The Ipad generated the following error message:
VPN Connection
A configuration error occured
OK Button
After searching for quite some time, i found this somewhat obscure reference to the bug:
http://blogs.oreilly.com/iphone/2008/07/strong-passwords-can-hurt.html
Special thx to this guy!
So i started to test special characters to see what would work, adding in 1 character at a time. Here is where I stopped:
pre-shared-key !@#$%^&*()_-+=;:'<>,.
These characters worked in the PSK. If you are curious, and want to play, have fun. I assume the alphnumerics will work since those are pretty standard.
As a side note, here are a few more interesting items:
1) The " (quote mark) does work when you run the real cisco vpn client. This was successful on a Windows 7 laptop with 5.X VPN Client.
2) The ? (question mark) doesnt work as well, but that is a little easier to figure out because when you configure it on the ASA, context-sensitive help kicks in and knocks you off the config line.
3) Iphone I4S suffers from the same issue - doesnt like quotes.
4) Android is probably not affected by this bug, but I tested on an open source TUN driver- enabled adroid - not the bionic.
Hope that saves someone some time, sometime!
WThanks for the tip.
Help stamp out special characters in passwords. Their "strength" is a myth!
Explained nicely here: http://xkcd.com/936/ -
Inbuilt cisco IPSEC vpn client and KeyLife Timeout setting...
Hi Guys
I am having issues with the in built cisco vpn client on the mac, I am currrently using Mac OSx 10.7.4
I have a Fortigate 200B device and have setup the IPSec VPN settings to have a keylife of 86400 seconds.
However the expereince I am having with the mac clients is that after about 50 minutes the users are being asked to re-authencate to the VPN...
When checkin the debug logs I can see that the peer (mac client) is setting the phase 2 tunnel key lifetime to 3600 seconds which is 1 Hour...
Usually in IPSec a re-negeotiation process takes place about 10 minutes or so before the key expires..
My question is where are the VPN settings kept in the Mac... I know it uses Racoon for the IPSec exchange of key and so I would like to tweak the VPN profiles so that the mac sets the lifetime of the key to 86400 instead of 3600 by default...
Also want to be able to set logging to debug mode for the Racoon application on mac clients.
Your help is much appreciated
Kind Regards
MohamedHi Tony,
to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
CSCsw31922 Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
You may want to try and ask in the AAA forum if there is anything you can do on ACS...
hth
Herbert -
Cisco IPSec and XAuthPassword profile key
I am creating the config profile for iPhone, while using iPhone Configuration Utility I can not enter password for IPSec VPN as the application does not have UI for that.
I had found, though, that manually writing "XAuthPassword" key into the config profile does the trick, iPhone do recognize that entry and sets the password automatically on applying profile.
So, the questions are:
1) Is this config key officially supported on iOS for IPSec VPN? If yes, then starting with which version?
2) Because iPhone Configuration Utility does not allow me to create signed profiles containing XAuthPassword key, can I manually sign the configuration profile I had edited?
Thank you in advanceHi,
in « iOS Configuration Profile Reference »:
IPSec Dictionary Keys
XAuthEnable – Integer:1 if XAUTH is ON, 0 if it is OFF. Used for Cisco IPSec.
It turn off XAuth and do not ask for User/Password.
You can try this option by editing configuration profile like this:
<key>XAuthEnabled</key>
<integer>0</integer>
<key>AuthenticationMethod</key>
<string>Certificate</string>
but I can`t resolve the problem, I seems it is a ios (4.3.1) bug, because my vpn-server works fine with other vpn-clients, like Cisco VPN Client, with certificate authentication and without xauth.
Best regards! -
Mavericks VPN dropouts with native VPN client and Cisco IPSec
Since update to Maverics I am experiencing VPN dropouts with native VPN client and Cisco IPSec
I am connecting via a WIFI router to a remote VPN server
The conenction is good for a while but eventually it drops out.
I had Zero issues in mountain lion and only have issues since the update to 10.9
I had similar issues in teh past with an unrelaibel wifi router but i am using a Verizon Fios router and it has worked impecably until mavericks
My thoughts are:
1 -issue with mavericks ( maybe the app sleep funciton affecting eithe VPN or WIFI daemons)
2- Issue with cisco router compaitibility or timing with Cisco IPSEC
3- Issue with WIFI itself on mavericks - some sort of WIFI software bug
Any thousuggestions?Since update to Maverics I am experiencing VPN dropouts with native VPN client and Cisco IPSec
I am connecting via a WIFI router to a remote VPN server
The conenction is good for a while but eventually it drops out.
I had Zero issues in mountain lion and only have issues since the update to 10.9
I had similar issues in teh past with an unrelaibel wifi router but i am using a Verizon Fios router and it has worked impecably until mavericks
My thoughts are:
1 -issue with mavericks ( maybe the app sleep funciton affecting eithe VPN or WIFI daemons)
2- Issue with cisco router compaitibility or timing with Cisco IPSEC
3- Issue with WIFI itself on mavericks - some sort of WIFI software bug
Any thousuggestions? -
Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2
This setup is to try routing Cisco VPN to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in incoming AUTH request from Cisco IPSec VPN Client 5.x. Tried playing with pcf files and user names/identity stores, none seems working
Hi Tony,
to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
CSCsw31922 Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
You may want to try and ask in the AAA forum if there is anything you can do on ACS...
hth
Herbert -
Profile for Cisco IPsec VPN does not set shared secret correctly
Hi,
We have a shared secret configuration for a Cisco IPsec (connecting to an ASA). I can correctly configure a profile for the Cisco IPsec VPN and deliver it to the device. However, the VPN connection fails due to an invalid shared secret. If I then go into the VPN settings on the device itself and manually retype the shared secret, it works fine.
I have noticed this when generating the mobileconfig profile both from Apple's iPhone Configuration Utility and also when using the MobileIron management platform to generate and push profiles.
Has anyone else seen this problem? I'm really confident that I'm typing the shared secret correctly in the iPCU generated profile as I've tried it many times. It also has happened across every flavor of iOS 3.x and 4.x (including the 4.2 betas).
thanksHi,
Thanks for the reply but it is a bit of a strange one. What makes you think the shared secret we are using - which you don't know - is more than 32 characters long. I can promise you it isn't. There's a bug in the way mobileconfig files are storing the encrypted shared secret values. I've now seen it on a third party mobile device management platform too. -
Configurate cisco ipsec vpn client at asa 5505 version 8.4
Hi dear. I want to configurate cisco ipsec vpn client at asa 5505. At my asa the software version is 8.4.
please provide me a link or some material to config ipsec vpn client at asa 5505 version 8.4
thank you.are you looking for vpn client .pcf file or the configuration on ASA (ASDM) ?
what version of vpn client ? -
Using Cisco VPN client certificate for built in IPSec?
Hi,
Does anybody know if it is possible to "convert" a certificate exported from Cisco VPN client and import it into the Keychain for using it with built-in IPSec in Snow Leopard?
Thanks,
OliI too am having trouble importing the Cisco certificate. It would be nice for some clear documentation. We've been successful converting the x.509 cer to KPCS#7 using openssl which will import into the keychain. However, the VPN (Cisco IPSec) sill doesn't see it.
-
Need HELPS! ASA 5505 8.4 Cisco VPN Client cannot ping any internal host
Hi:
Need your great help for my new ASA 5505 (8.4)
I just set a new ASA 5505 with 8.4. However, I cannot ping any host after VPN in with Cisco VPN client. Please see below posted configuration file, thanks for any suggestion.
ASA Version 8.4(3)
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.29.8.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 177.164.222.140 255.255.255.248
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name ABCtech.com
same-security-traffic permit inter-interface
object network obj_any
subnet 172.29.8.0 255.255.255.0
object service RDP
service tcp source eq 3389
object network orange
host 172.29.8.151
object network WAN_173_164_222_138
host 177.164.222.138
object service SMTP
service tcp source eq smtp
object service PPTP
service tcp source eq pptp
object service JT_WWW
service tcp source eq www
object service JT_HTTPS
service tcp source eq https
object network obj_lex
subnet 172.29.88.0 255.255.255.0
description Lexington office network
object network obj_HQ
subnet 172.29.8.0 255.255.255.0
object network guava
host 172.29.8.3
object service L2TP
service udp source eq 1701
access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended deny tcp any any eq 135
access-list inside_access_in extended deny tcp any eq 135 any
access-list inside_access_in extended deny udp any eq 135 any
access-list inside_access_in extended deny udp any any eq 135
access-list inside_access_in extended deny tcp any any eq 1591
access-list inside_access_in extended deny tcp any eq 1591 any
access-list inside_access_in extended deny udp any eq 1591 any
access-list inside_access_in extended deny udp any any eq 1591
access-list inside_access_in extended deny tcp any any eq 1214
access-list inside_access_in extended deny tcp any eq 1214 any
access-list inside_access_in extended deny udp any any eq 1214
access-list inside_access_in extended deny udp any eq 1214 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any eq www any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 33
89
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq sm
tp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pp
tp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ww
w
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ht
tps
access-list outside_access_in extended permit gre any host 177.164.222.138
access-list outside_access_in extended permit udp any host 177.164.222.138 eq 17
01
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit ip any any
access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29
.88.0 255.255.255.0
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-list inside_in extended permit udp any any eq isakmp
access-list inside_in extended permit udp any eq isakmp any
access-list inside_in extended permit udp any any
access-list inside_in extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static orange interface service RDP RDP
nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_
lex route-lookup
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_W
WW
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT
_HTTPS
nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Guava protocol nt
aaa-server Guava (inside) host 172.29.8.3
timeout 15
nt-auth-domain-controller guava
user-identity default-domain LOCAL
http server enable
http 172.29.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 173.190.123.138
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5
ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ES
P-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 172.29.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
dhcprelay server 172.29.8.3 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy ABCtech_VPN internal
group-policy ABCtech_VPN attributes
dns-server value 172.29.8.3
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Tunnel_User
default-domain value ABCtech.local
group-policy GroupPolicy_10.8.8.1 internal
group-policy GroupPolicy_10.8.8.1 attributes
vpn-tunnel-protocol ikev1 ikev2
username who password eicyrfJBrqOaxQvS encrypted
tunnel-group 10.8.8.1 type ipsec-l2l
tunnel-group 10.8.8.1 general-attributes
default-group-policy GroupPolicy_10.8.8.1
tunnel-group 10.8.8.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
tunnel-group ABCtech type remote-access
tunnel-group ABCtech general-attributes
address-pool ABC_HQVPN_DHCP
authentication-server-group Guava
default-group-policy ABCtech_VPN
tunnel-group ABCtech ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 173.190.123.138 type ipsec-l2l
tunnel-group 173.190.123.138 general-attributes
default-group-policy GroupPolicy_10.8.8.1
tunnel-group 173.190.123.138 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect pptp
inspect ftp
inspect netbios
smtp-server 172.29.8.3
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6a26676668b742900360f924b4bc80de
: endHello Wayne,
Can you use a different subnet range than the internal interface, this could cause you a LOT of issues and hours on troubleshooting, so use a dedicated different Ip address range...
I can see that the local Pool range is included into the inside interface Ip address subnet range, change that and the related config ( NAT,etc, ) and let us know what happens,
Regards,
Julio
Security Trainer
Maybe you are looking for
-
Rotating images in Address Book??
I am rather confused at the determination of Address Book to store contact photo's on one side?? I have rotated images right round 360 degress but no matter what way up they are once I drag them on to the image frame, address book automatically rotat
-
[Solved] Application launchers on desktop in Gnome 3.2?
So, I'm testing out gnome 3.2 again and I'm trying to create launchers on my desktop, but there doesn't appear to be an option for it in Gnome 3.2 when I right click my desktop. I have Nautilus drawing the desktop so did Gnome completely do away with
-
My iTunes is not working properly. It is not showing that my iPod is connected. My iPod continues to show the Do not disconnect display. How do I eject it if it does not show up on itunes? If I have accidently disconnected it while it was showing the
-
Default Functional Area in Sales Order Line Items
Hi, Is there any user exit that can be used to default Functional Area in Sales Order Line Items. I tried mv45afzz but not working. Any idea and do let me know the field or structure effected. Thanks.
-
Hi I can not remember the answers to my challenge questions to add my iPad. To I store.... Can not find how to reset them . Can someone help?