Cisco IPSec Client - shared key size

Hello,
I have got a question concerning the Cisco IPSec Client.
Could you tell me, how large the key may be (max. 64 or 127 characters) ?
Thanks and regards
Patrick

Just to help somebody else facing an issue similar to this one.
Open Advanced menu from the configurated VPN in the Network Preferences and check 'Send all traffic over VPN connection'.
The problem is when you have a VPN that routes all the traffic, if you want specific routes they should be configured and passed on from the router.
I've configured a tested several vpn connections to Cisco ASA without an issue when the routes are configured on it (vpn_net1, vpn_net2 and so on) but when the route isn't specified in the router it should be considered as a default route and this option needed to be checked.

Similar Messages

  • Cisco IPSec Client Setup for Wireless

    I would like to set up Cisco IPSec VPN Client on a wireless Laptop to authenticate to a Cisco Radius Server 3.2. (WLC 4100)with pre-share keys.
    I have setup the basic parameters on the WLC,SSID, VLAN, L3 Security IPSec and default IPSec parameters. The WLC does not seem to send/forward any kind of request to ACS at all and when i connect on the Wireless Client it behaves as a pass through VPN.
    Thank you,

    Try these links:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008014a37c.shtml
    http://www.cisco.com/warp/public/480/acs-peap.html
    http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a008015cfd8.html

  • Static addressing for Cisco IPSEC client

    Hey Guys,
    Is there a way for Cisco client based users to use static addresses instead of receivinga a dhcp address? This will be setup on a Cisco 2801 router. We usually just do dhcp but this customer is requesting static address for each user.
    Thanks
    Jimmy

    A scalable solution would be to configure a RADIUS server and provide the client their IP address via the frame-ip-address attribute. A hack could be to have a group defined on the EasyVPN server which is associated with an IP pool that has only one address available.

  • Can AnyConnect & Cisco IPsec co-exist on client pc?

    Hi- a home user has to connect to one
    business using AnyConnect and to us using Cisco IPsec client.
    When installing AnyConnect, it wiped out the IPSec client. Can they co-exist on his pc and function side by side?
    I'm sure they can't be used simultaneously, but can't both clients be installed for very different connections?
    He's running 32-bit xp.
    Thanks.

    Kathy
    I am surprised that installation of AnyConnect removed the traditional IPSec client. I have not had that experience. I have several PCs running Windows XP SP3 which have both AnyConnect and IPSec clients installed. Either client works just fine (but not both at the same time).
    HTH
    Rick

  • Mapped drives do not open after connecting via Cisco VPN Client

    I have an issue when I initially connect to my remote network, I cannot get to any mapped drive unless I wait a few minutes for the VPN connect to mature. To explain further, I have to wait 2-4 minutes after connecting to the VPN for me to actually connect to those drives.
    The error that pops up is:
    "An error occurred while reconnecting to DriveLetter: to \\Server\sharedDrive\    Microsoft WIndows Network: The network path was not found. This connection has not been restored.
    Now, immediately after  I connect, I am able to successfully ping the server that hosts those folder locations but for some reason I cannot get to the server via UNC/shared drives until I wait a few minutes after connecting. 
    Below is the list of error logs I get when attempting to connect to the mapped drives during those first few minutes of connectivity:
    1      15:26:39.804  10/06/14  Sev=Warning/3 IKE/0xA300005F
    Firewall, Sygate Security Agent, is not running, the client will not send firewall information to concentrator.
    2      15:28:10.614  10/06/14  Sev=Warning/2 IPSEC/0xE3700003
    Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
    3      15:28:10.614  10/06/14  Sev=Warning/2 IPSEC/0xE3700003
    Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
    4      15:28:10.614  10/06/14  Sev=Warning/2 IPSEC/0xE3700003
    Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
    5      15:28:10.614  10/06/14  Sev=Warning/2 IPSEC/0xE3700003
    Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
    6      15:28:10.614  10/06/14  Sev=Warning/2 IPSEC/0xE3700003
    Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
    7      15:28:10.614  10/06/14  Sev=Warning/2 IPSEC/0xE3700003
    Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
    8      15:28:10.614  10/06/14  Sev=Warning/2 IPSEC/0xE3700003
    Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
    9      15:28:10.614  10/06/14  Sev=Warning/2 IPSEC/0xE3700003
    Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
    10     15:28:17.188  10/06/14  Sev=Warning/2 IPSEC/0xE3700003
    Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
    11     15:28:17.188  10/06/14  Sev=Warning/2 IPSEC/0xE3700003
    Function CniInjectSend() failed with an error code of 0xE4510023 (IPSecDrvCB:856)
    12     15:33:50.642  10/06/14  Sev=Warning/2 CVPND/0xA3400015
    Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=192.168.11.120, error 0
    13     15:33:51.656  10/06/14  Sev=Warning/2 CVPND/0xA3400015
    Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
    14     15:35:16.855  10/06/14  Sev=Warning/3 IKE/0xA300005F
    Firewall, Sygate Security Agent, is not running, the client will not send firewall information to concentrator.
    Any ideas on what it could be?

    I have a client that is showing a similar issue.. Windows 7 computer using Cisco IPSec client terminating on a Cisco 881 Router.  I can ping the server by IP, Name and even access the drive from the start menu option, but not the mapped drive.  Currently I am looking into this from a offline file issue in windows, but ran across this post and was wondering if you had figured this out?  I am going to try the following and will post back if that resolves it.
    Doing some research I found that Windows 7 and Vista both have what’s called “slow link mode”.  The behavior is that if the latency of the network connection exceeds 80 milliseconds (ms), the system will transition the files to “offline mode”.  The 80 ms value is configurable using a local group policy edit.
    Open Group policy (start -> run -> gpedit.msc)
    Expand “Computer Configuration”
    Expand “Administrative Templates”
    Expand “Network”
    Click on “Offline Files”
    Locate “Configure slow-link mode”
    This policy can either be disabled or set to a higher value for slower connections.
    https://www.conetrix.com/Blog/post/Fixing-Problem-With-Windows-7-Shared-Files-and-Mapped-Drives-Unavailable-Over-VPN.aspx

  • Cisco ASA 5505 IPsec client VPN - Cannot connect to local hosts

    I have created a Cisco IPsec vpn on my ASA using the VPN creation wizard. I am able to successfully connect to the vpn and seemingly join the network, but after I connect I am unable to connect to or ping any of the hosts on the network.
    Checking the ASA I can see that a VPN session is open and my client reports that it is connected. If I attempt to ping the client from the ASA all packets are dropped.
    I suspect it may be an issue with my firewall, but I am not really sure where to begin.
    Here is a copy of my config, any pointers or tips are aprpeciated:
    hostname mcfw
    enable password Pt8fQ27yMZplioYq encrypted
    passwd 2qaO2Gd6IBRkrRFm encrypted
    names
    interface Ethernet0/0
    switchport access vlan 400
    interface Ethernet0/1
    switchport access vlan 400
    interface Ethernet0/2
    switchport access vlan 420
    interface Ethernet0/3
    switchport access vlan 420
    interface Ethernet0/4
    switchport access vlan 450
    interface Ethernet0/5
    switchport access vlan 450
    interface Ethernet0/6
    switchport access vlan 500
    interface Ethernet0/7
    switchport access vlan 500
    interface Vlan400
    nameif outside
    security-level 0
    ip address 58.13.254.10 255.255.255.248
    interface Vlan420
    nameif public
    security-level 20
    ip address 192.168.20.1 255.255.255.0
    interface Vlan450
    nameif dmz
    security-level 50
    ip address 192.168.10.1 255.255.255.0
    interface Vlan500
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    ftp mode passive
    clock timezone JST 9
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network DM_INLINE_NETWORK_1
    network-object host 58.13.254.11
    network-object host 58.13.254.13
    object-group service ssh_2220 tcp
    port-object eq 2220
    object-group service ssh_2251 tcp
    port-object eq 2251
    object-group service ssh_2229 tcp
    port-object eq 2229
    object-group service ssh_2210 tcp
    port-object eq 2210
    object-group service DM_INLINE_TCP_1 tcp
    group-object ssh_2210
    group-object ssh_2220
    object-group service zabbix tcp
    port-object range 10050 10051
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq www
    group-object zabbix
    port-object eq 9000
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service http_8029 tcp
    port-object eq 8029
    object-group network DM_INLINE_NETWORK_2
    network-object host 192.168.20.10
    network-object host 192.168.20.30
    network-object host 192.168.20.60
    object-group service imaps_993 tcp
    description Secure IMAP
    port-object eq 993
    object-group service public_wifi_group
    description Service allowed on the Public Wifi Group. Allows Web and Email.
    service-object tcp-udp eq domain
    service-object tcp-udp eq www
    service-object tcp eq https
    service-object tcp-udp eq 993
    service-object tcp eq imap4
    service-object tcp eq 587
    service-object tcp eq pop3
    service-object tcp eq smtp
    access-list outside_access_in remark http traffic from outside
    access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
    access-list outside_access_in remark ssh from outside to web1
    access-list outside_access_in extended permit tcp any host 58.13.254.11 object-group ssh_2251
    access-list outside_access_in remark ssh from outside to penguin
    access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group ssh_2229
    access-list outside_access_in remark http from outside to penguin
    access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group http_8029
    access-list outside_access_in remark ssh from outside to hub & studio
    access-list outside_access_in extended permit tcp any host 58.13.254.13 object-group DM_INLINE_TCP_1
    access-list outside_access_in remark dns service to hub
    access-list outside_access_in extended permit object-group TCPUDP any host 58.13.254.13 eq domain
    access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any
    access-list dmz_access_in extended permit tcp any host 192.168.10.251 object-group DM_INLINE_TCP_2
    access-list public_access_in remark Web access to DMZ websites (mediastudio/civicrm)
    access-list public_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www
    access-list public_access_in remark General web access. (HTTP, DNS & ICMP and  Email)
    access-list public_access_in extended permit object-group public_wifi_group any any
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.0.80 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
    pager lines 24
    logging enable
    logging timestamp
    logging buffered notifications
    logging trap notifications
    logging asdm debugging
    logging from-address [email protected]
    logging recipient-address [email protected] level warnings
    logging host dmz 192.168.10.90 format emblem
    logging permit-hostdown
    mtu outside 1500
    mtu public 1500
    mtu dmz 1500
    mtu inside 1500
    ip local pool OfficePool 192.168.0.80-192.168.0.90 mask 255.255.255.0
    ip local pool VPN_Pool 192.168.0.91-192.168.0.99 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 60
    global (outside) 1 interface
    global (dmz) 2 interface
    nat (public) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 0.0.0.0 0.0.0.0
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 2229 192.168.0.29 2229 netmask 255.255.255.255
    static (inside,outside) tcp interface 8029 192.168.0.29 www netmask 255.255.255.255
    static (dmz,outside) 58.13.254.13 192.168.10.10 netmask 255.255.255.255 dns
    static (dmz,outside) 58.13.254.11 192.168.10.30 netmask 255.255.255.255 dns
    static (inside,dmz) 192.168.10.0 192.168.0.0 netmask 255.255.255.0 dns
    static (dmz,inside) 192.168.0.251 192.168.10.251 netmask 255.255.255.255
    static (dmz,public) 192.168.20.30 192.168.10.30 netmask 255.255.255.255 dns
    static (dmz,public) 192.168.20.10 192.168.10.10 netmask 255.255.255.255 dns
    access-group outside_access_in in interface outside
    access-group public_access_in in interface public
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 58.13.254.9 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    http 59.159.40.188 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt noproxyarp dmz
    sysopt noproxyarp inside
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map public_map interface public
    crypto isakmp enable outside
    crypto isakmp enable public
    crypto isakmp enable inside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 59.159.40.188 255.255.255.255 outside
    ssh 192.168.0.0 255.255.255.0 inside
    ssh timeout 20
    console timeout 0
    dhcpd dns 61.122.112.97 61.122.112.1
    dhcpd auto_config outside
    dhcpd address 192.168.20.200-192.168.20.254 public
    dhcpd enable public
    dhcpd address 192.168.10.190-192.168.10.195 dmz
    dhcpd enable dmz
    dhcpd address 192.168.0.200-192.168.0.254 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics host number-of-rate 2
    no threat-detection statistics tcp-intercept
    ntp server 130.54.208.201 source public
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 61.122.112.97 61.122.112.1
    vpn-tunnel-protocol l2tp-ipsec
    group-policy CiscoASA internal
    group-policy CiscoASA attributes
    dns-server value 61.122.112.97 61.122.112.1
    vpn-tunnel-protocol IPSec
    username mcit password 4alT9CZ8ayD8O8Xg encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPN_Pool
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group ocmc type remote-access
    tunnel-group ocmc general-attributes
    address-pool OfficePool
    tunnel-group ocmc ipsec-attributes
    pre-shared-key *****
    tunnel-group CiscoASA type remote-access
    tunnel-group CiscoASA general-attributes
    address-pool VPN_Pool
    default-group-policy CiscoASA
    tunnel-group CiscoASA ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    service-policy global_policy global
    smtp-server 192.168.10.10
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:222d6dcb583b5f5abc51a2251026f7f2
    : end
    asdm location 192.168.10.10 255.255.255.255 inside
    asdm location 192.168.0.29 255.255.255.255 inside
    asdm location 58.13.254.10 255.255.255.255 inside
    no asdm history enable

    Hi Conor,
    What is your local net ? I see only one default route for outside network. Dont you need a route inside for your local network.
    Regards,
    Umair

  • ASA Iphone, Ipad VPN client pre-shared key (PSK) special characters bug

    I ran into this in a deployment of IPSec clients with apple ipad and iphone native vpn client. Here are details:
    Cisco ASA 8.2.5 OS
    Ipad, running 5.0.1
    Iphone i4S, running OS 5.0.1
    Special characters make your pre-shared key more secure, so i used a password generator app to make one that coincidently included a " (quotation mark). After configuring this PSK on a Ipad, i was unable to connect. I saw nothing in the ASA logs, indicating the Ipad didnt even try to connect.
    The Ipad generated the following error message:
    VPN Connection
    A configuration error occured
    OK Button
    After searching for quite some time, i found this somewhat obscure reference to the bug:
    http://blogs.oreilly.com/iphone/2008/07/strong-passwords-can-hurt.html
    Special thx to this guy!
    So i started to test special characters to see what would work, adding in 1 character at a time. Here is where I stopped:
    pre-shared-key !@#$%^&*()_-+=;:'<>,.
    These characters worked in the PSK. If you are curious, and want to play, have fun. I assume the alphnumerics will work since those are pretty standard.
    As a side note, here are a few more interesting items:
    1) The " (quote mark) does work when you run the real cisco vpn client. This was successful on a Windows 7 laptop with 5.X VPN Client.
    2) The ? (question mark) doesnt work as well, but that is a little easier to figure out because when you configure it on the ASA, context-sensitive help kicks in and knocks you off the config line.
    3) Iphone I4S suffers from the same issue - doesnt like quotes.
    4) Android is probably not affected by this bug, but I tested on an open source TUN driver- enabled adroid - not the bionic.
    Hope that saves someone some time, sometime!
    W

    Thanks for the tip.
    Help stamp out special characters in passwords. Their "strength" is a myth!
    Explained nicely here: http://xkcd.com/936/

  • Inbuilt cisco IPSEC vpn client and KeyLife Timeout setting...

    Hi Guys
    I am having issues with the in built cisco vpn client on the mac, I am currrently using Mac OSx 10.7.4
    I have a Fortigate 200B device and have setup the IPSec VPN settings to have a keylife of 86400 seconds.
    However the expereince I am having with the mac clients is that after about 50 minutes the users are being asked to re-authencate to the VPN...
    When checkin the debug logs I can see that the peer (mac client) is setting the phase 2 tunnel key lifetime to 3600 seconds which is 1 Hour...
    Usually in IPSec a re-negeotiation process takes place about 10 minutes or so before the key expires..
    My question is where are the VPN settings kept in the Mac... I know it uses Racoon for the IPSec exchange of key and so I would like to tweak the VPN profiles so that the mac sets the lifetime of the key to 86400 instead of 3600 by default...
    Also want to be able to set logging to debug mode for the Racoon application on mac clients.
    Your help is much appreciated
    Kind Regards
    Mohamed

    Hi Tony,
    to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
    CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
    You may want to try and ask in the AAA forum if there is anything you can do on ACS...
    hth
    Herbert

  • Cisco IPSec and XAuthPassword profile key

    I am creating the config profile for iPhone, while using iPhone Configuration Utility I can not enter password for IPSec VPN as the application does not have UI for that.
    I had found, though, that manually writing "XAuthPassword" key into the config profile does the trick, iPhone do recognize that entry and sets the password automatically on applying profile.
    So, the questions are:
    1) Is this config key officially supported on iOS for IPSec VPN? If yes, then starting with which version?
    2) Because iPhone Configuration Utility does not allow me to create signed profiles containing XAuthPassword key, can I manually sign the configuration profile I had edited?
    Thank you in advance

    Hi,
    in « iOS Configuration Profile Reference »:
    IPSec Dictionary Keys
    XAuthEnable – Integer:1 if XAUTH is ON, 0 if it is OFF. Used for Cisco IPSec.
    It turn off XAuth and do not ask for User/Password.
    You can try this option by editing configuration profile like this:
    <key>XAuthEnabled</key>
    <integer>0</integer>
    <key>AuthenticationMethod</key>
    <string>Certificate</string>
    but I can`t resolve the problem, I seems it is a ios (4.3.1) bug, because my vpn-server works fine with other vpn-clients, like Cisco VPN Client, with certificate authentication and without xauth.
    Best regards!

  • Mavericks VPN dropouts with native VPN client and Cisco IPSec

    Since update to Maverics I am experiencing VPN dropouts with native VPN client and Cisco IPSec
    I am connecting via a WIFI router to a remote VPN server
    The conenction is good for a while but eventually it drops out.
    I had Zero issues in mountain lion and only have issues since the update to 10.9
    I had similar issues in teh past with an unrelaibel wifi router but i am using a Verizon Fios router and it has worked impecably until mavericks
    My thoughts are:
    1 -issue with mavericks  ( maybe the app sleep funciton affecting eithe VPN or WIFI daemons)
    2- Issue with  cisco router compaitibility or timing with Cisco IPSEC
    3- Issue with WIFI itself on mavericks - some sort of WIFI software bug
    Any thousuggestions?

    Since update to Maverics I am experiencing VPN dropouts with native VPN client and Cisco IPSec
    I am connecting via a WIFI router to a remote VPN server
    The conenction is good for a while but eventually it drops out.
    I had Zero issues in mountain lion and only have issues since the update to 10.9
    I had similar issues in teh past with an unrelaibel wifi router but i am using a Verizon Fios router and it has worked impecably until mavericks
    My thoughts are:
    1 -issue with mavericks  ( maybe the app sleep funciton affecting eithe VPN or WIFI daemons)
    2- Issue with  cisco router compaitibility or timing with Cisco IPSEC
    3- Issue with WIFI itself on mavericks - some sort of WIFI software bug
    Any thousuggestions?

  • Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2

    This setup is to try routing Cisco VPN to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in incoming AUTH request from Cisco IPSec VPN Client 5.x. Tried playing with pcf files and user names/identity stores, none seems working

    Hi Tony,
    to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
    CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
    You may want to try and ask in the AAA forum if there is anything you can do on ACS...
    hth
    Herbert

  • Profile for Cisco IPsec VPN does not set shared secret correctly

    Hi,
    We have a shared secret configuration for a Cisco IPsec (connecting to an ASA). I can correctly configure a profile for the Cisco IPsec VPN and deliver it to the device. However, the VPN connection fails due to an invalid shared secret. If I then go into the VPN settings on the device itself and manually retype the shared secret, it works fine.
    I have noticed this when generating the mobileconfig profile both from Apple's iPhone Configuration Utility and also when using the MobileIron management platform to generate and push profiles.
    Has anyone else seen this problem? I'm really confident that I'm typing the shared secret correctly in the iPCU generated profile as I've tried it many times. It also has happened across every flavor of iOS 3.x and 4.x (including the 4.2 betas).
    thanks

    Hi,
    Thanks for the reply but it is a bit of a strange one. What makes you think the shared secret we are using - which you don't know - is more than 32 characters long. I can promise you it isn't. There's a bug in the way mobileconfig files are storing the encrypted shared secret values. I've now seen it on a third party mobile device management platform too.

  • Configurate cisco ipsec vpn client at asa 5505 version 8.4

    Hi dear. I want to configurate cisco ipsec vpn client at asa 5505. At my asa the software version is 8.4.
    please provide me a link or some material to config ipsec vpn client at asa 5505 version 8.4
    thank you.

    are you looking for vpn client .pcf file or the configuration on ASA (ASDM) ?
    what version of vpn client ?

  • Using Cisco VPN client certificate for built in IPSec?

    Hi,
    Does anybody know if it is possible to "convert" a certificate exported from Cisco VPN client and import it into the Keychain for using it with built-in IPSec in Snow Leopard?
    Thanks,
    Oli

    I too am having trouble importing the Cisco certificate. It would be nice for some clear documentation. We've been successful converting the x.509 cer to KPCS#7 using openssl which will import into the keychain. However, the VPN (Cisco IPSec) sill doesn't see it.

  • Need HELPS! ASA 5505 8.4 Cisco VPN Client cannot ping any internal host

    Hi:
    Need your great help for my new ASA 5505 (8.4)
    I just set a new ASA 5505 with 8.4. However, I cannot ping any host after VPN in with Cisco VPN client. Please see below posted configuration file, thanks for any suggestion.
    ASA Version 8.4(3)
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.29.8.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 177.164.222.140 255.255.255.248
    ftp mode passive
    clock timezone GMT 0
    dns server-group DefaultDNS
    domain-name ABCtech.com
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 172.29.8.0 255.255.255.0
    object service RDP
    service tcp source eq 3389
    object network orange
    host 172.29.8.151
    object network WAN_173_164_222_138
    host 177.164.222.138
    object service SMTP
    service tcp source eq smtp
    object service PPTP
    service tcp source eq pptp
    object service JT_WWW
    service tcp source eq www
    object service JT_HTTPS
    service tcp source eq https
    object network obj_lex
    subnet 172.29.88.0 255.255.255.0
    description Lexington office network
    object network obj_HQ
    subnet 172.29.8.0 255.255.255.0
    object network guava
    host 172.29.8.3
    object service L2TP
    service udp source eq 1701
    access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
    access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended deny tcp any any eq 135
    access-list inside_access_in extended deny tcp any eq 135 any
    access-list inside_access_in extended deny udp any eq 135 any
    access-list inside_access_in extended deny udp any any eq 135
    access-list inside_access_in extended deny tcp any any eq 1591
    access-list inside_access_in extended deny tcp any eq 1591 any
    access-list inside_access_in extended deny udp any eq 1591 any
    access-list inside_access_in extended deny udp any any eq 1591
    access-list inside_access_in extended deny tcp any any eq 1214
    access-list inside_access_in extended deny tcp any eq 1214 any
    access-list inside_access_in extended deny udp any any eq 1214
    access-list inside_access_in extended deny udp any eq 1214 any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any any eq www
    access-list inside_access_in extended permit tcp any eq www any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 33
    89
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq sm
    tp
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pp
    tp
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ww
    w
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ht
    tps
    access-list outside_access_in extended permit gre any host 177.164.222.138
    access-list outside_access_in extended permit udp any host 177.164.222.138 eq 17
    01
    access-list outside_access_in extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list inside_access_out extended permit ip any any
    access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29
    .88.0 255.255.255.0
    access-list inside_in extended permit icmp any any
    access-list inside_in extended permit ip any any
    access-list inside_in extended permit udp any any eq isakmp
    access-list inside_in extended permit udp any eq isakmp any
    access-list inside_in extended permit udp any any
    access-list inside_in extended permit tcp any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static orange interface service RDP RDP
    nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_
    lex route-lookup
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_W
    WW
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT
    _HTTPS
    nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
    nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
    nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
    nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group inside_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
    route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server Guava protocol nt
    aaa-server Guava (inside) host 172.29.8.3
    timeout 15
    nt-auth-domain-controller guava
    user-identity default-domain LOCAL
    http server enable
    http 172.29.8.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 173.190.123.138
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5
    ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ES
    P-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 172.29.8.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside vpnclient-wins-override
    dhcprelay server 172.29.8.3 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    group-policy ABCtech_VPN internal
    group-policy ABCtech_VPN attributes
    dns-server value 172.29.8.3
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_Tunnel_User
    default-domain value ABCtech.local
    group-policy GroupPolicy_10.8.8.1 internal
    group-policy GroupPolicy_10.8.8.1 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username who password eicyrfJBrqOaxQvS encrypted
    tunnel-group 10.8.8.1 type ipsec-l2l
    tunnel-group 10.8.8.1 general-attributes
    default-group-policy GroupPolicy_10.8.8.1
    tunnel-group 10.8.8.1 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 remote-authentication certificate
    ikev2 local-authentication pre-shared-key *****
    tunnel-group ABCtech type remote-access
    tunnel-group ABCtech general-attributes
    address-pool ABC_HQVPN_DHCP
    authentication-server-group Guava
    default-group-policy ABCtech_VPN
    tunnel-group ABCtech ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 173.190.123.138 type ipsec-l2l
    tunnel-group 173.190.123.138 general-attributes
    default-group-policy GroupPolicy_10.8.8.1
    tunnel-group 173.190.123.138 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 remote-authentication certificate
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect pptp
      inspect ftp
      inspect netbios
    smtp-server 172.29.8.3
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:6a26676668b742900360f924b4bc80de
    : end

    Hello Wayne,
    Can you use a different subnet range than the internal interface, this could cause you a LOT of issues and hours on troubleshooting, so use a dedicated different Ip address range...
    I can see that the local Pool range is included into the inside interface Ip address subnet range, change that and the related config ( NAT,etc, ) and let us know what happens,
    Regards,
    Julio
    Security Trainer

Maybe you are looking for

  • Rotating images in Address Book??

    I am rather confused at the determination of Address Book to store contact photo's on one side?? I have rotated images right round 360 degress but no matter what way up they are once I drag them on to the image frame, address book automatically rotat

  • [Solved] Application launchers on desktop in Gnome 3.2?

    So, I'm testing out gnome 3.2 again and I'm trying to create launchers on my desktop, but there doesn't appear to be an option for it in Gnome 3.2 when I right click my desktop. I have Nautilus drawing the desktop so did Gnome completely do away with

  • Help with itunes/ipod

    My iTunes is not working properly. It is not showing that my iPod is connected. My iPod continues to show the Do not disconnect display. How do I eject it if it does not show up on itunes? If I have accidently disconnected it while it was showing the

  • Default Functional Area in Sales Order Line Items

    Hi, Is there any user exit that can be used to default Functional Area in Sales Order Line Items. I tried mv45afzz but not working. Any idea and do let me know the field or structure effected. Thanks.

  • HT1420 Forgot authorization information answers, can not add iPad as a new. Device help!

    Hi I can not remember the answers to my challenge questions to add my iPad. To I store....  Can not find how to reset them . Can someone help?