Profile for Cisco IPsec VPN does not set shared secret correctly

Hi,
We have a shared secret configuration for a Cisco IPsec (connecting to an ASA). I can correctly configure a profile for the Cisco IPsec VPN and deliver it to the device. However, the VPN connection fails due to an invalid shared secret. If I then go into the VPN settings on the device itself and manually retype the shared secret, it works fine.
I have noticed this when generating the mobileconfig profile both from Apple's iPhone Configuration Utility and also when using the MobileIron management platform to generate and push profiles.
Has anyone else seen this problem? I'm really confident that I'm typing the shared secret correctly in the iPCU generated profile as I've tried it many times. It also has happened across every flavor of iOS 3.x and 4.x (including the 4.2 betas).
thanks

Hi,
Thanks for the reply but it is a bit of a strange one. What makes you think the shared secret we are using - which you don't know - is more than 32 characters long? I can promise you it isn't. There's a bug in the way mobileconfig files are storing the encrypted shared secret values. I've now seen it on a third party mobile device management platform too.

Similar Messages

  • Cisco IPSEC VPN not working after upgrade to Mavericks

    I have been using the Cisco IPSEC VPN for almost 2 years with no issues. When I upgraded to Mavericks this week it stopped working. When I tell it to connect it prompts for password and attempts to connect for about 30 seconds then comes back with the following message...
    VPN Connection
    The negotiation with the VPN server failed. Verify the server address and try reconnecting.
    The address, group, shared secret, user and password are correct. Any help would be greatly appreciated.

    Hey, I'm not sure if this fixes the Cisco IPSec issue, but I can vouch for it fixing the L2TP issue that occurs after the Mavericks upgrade!
    I’ve got L2TP VPN working in Mavericks 10.9 and Server App 3.0.0 / 3.0.1.
    It really is quite a simple fix.
    Obviously, the standard caveats apply: This is a temporary, unsupported, workaround, and only a suggested idea at that. Again, this workaround is NOT supported by Apple.
    Proceed with this workaround on your own equipment at your own risk. And remember the golden rule: Always backup your data!
    OK so here goes… copy and paste the following into Terminal ONE LINE AT A TIME!
    cd /tmp
    curl -sO http://c5mart.co/mavericks-vpn-fix/racoon.tar.gz
    tar -xzvf racoon.tar.gz
    rm racoon.tar.gz
    sudo chown root:wheel racoon
    sudo chmod 555 racoon
    if [ ! -f /usr/sbin/racoon.mavericks ]; then sudo mv /usr/sbin/racoon /usr/sbin/racoon.mavericks; fi;
    sudo mv racoon /usr/sbin/racoon
    sudo killall racoon
    This works fine for me and I'm running an OSX Server for my entire office.
    …et voilà!

  • I want to mirror an iOS device to my computer for demonstration and training purposes.  I cannot use Airserver as my company VPN does not allow the connection.  Is there a hardware solution instead?

    I want to mirror an iOS device to my computer for demonstration and training purposes.  I cannot use Airserver as my company VPN does not allow the connection.  Is there a hardware solution instead?

    Shoeb, hi.
    Thanks for replying and apologies for my tardiness in responding. I have just completed a re-creation of my web page using CSS/HTML rather than XML/XSLT and now I find that when saving in MHT format the watermark/background image is saved, which is nice, but trying to save it as 'webpage complete' under 'save as' in the browser still does not work. (For those who are new to Firefox, MHT files are not supported by the browser, but using the FF extension UnMHT one can open such files and save web documents as MHT files, meaning no accompanying folder is required to properly view the file.)

  • Mail and SMTP server settings of ASA Certificate Authority for cisco anyconnect VPN

    Dear All,
    I have the following case:
    I am using the ASA as a certificate authority for Cisco AnyConnect VPN users; the authentication happens based on the local database of the ASA.
    I want to issue a new certificate every 72 hours for the users, and I want to send the one-time password via email to each user.
    So what should the settings of the mail and SMTP server be?
    As I understand it, I should put in my SMTP server IP address, then I have to create the local users again under (Remote VPN VPN--Certificate management--Local certificate authority --Manage user Database) along with their email addresses to send the one-time password to them via their emails.
    I sent the email manually; how can I automate sending the OTP to our VPN users via their emails?
    Best regards,

    Thanks Jennifer.
    I did manage to configure LDAP attribute map to the specific group policy.
    Nevertheless, I was thinking whether I can have fixed IP address tied to individual user.
    Using legacy Cisco VPN Client, I can do it using IPSEC(IKEv1) Connection profile, where I set Pre-Shared Key and Client Address Pools. Each Client Address Pools has only 1 fix IP address.
    Example: let say my username is LLH.
    Connection Profile for me is : LLH-Connection-Profile, my profile is protected by preshared key.
    Client Address Pool for me is : LLH-pool, and the IP is 172.16.1.11
    Only I know the preshared key and only I can log in with my Connection Profile.
    Using AnyConnect, I have a problem. Users can use any connection profile because I cannot set a preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.
    Example:
    AnyConnect Connection Profile for me is : LLH-Connection-Profile, without any password
    Client Address Pool for me is : LLH-pool, IP is 172.16.1.11
    Anybody can use LLH-Connection-Profile and log in with another user name, let's say user-abc, which is a valid user in the LDAP server. In that case, the ASA assigns 172.16.1.11 to user-abc and this user-abc can access a server which only allows my IP to access it.
    I hope above description can paint the scenario clearer.
    Thanks in advance for all the help and comment given.

  • Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2

    This setup is to try routing Cisco VPN to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in the incoming AUTH request from Cisco IPSec VPN Client 5.x. Tried playing with pcf files and user names/identity stores; none seems to work.

    Hi Tony,
    to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
    CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
    You may want to try and ask in the AAA forum if there is anything you can do on ACS...
    hth
    Herbert

  • Microsoft Forefront Server Protection for Exchange Registration Service does not start automatically

    Hello,
    I am having an issue when I start my TMG 2010 machine:
    (*TMG 2010 + Forefront protection for Exchange + Exchange Edge server role, acting like a SMTP relay and Antispam filter)
    The service "Microsoft Forefront Server Protection for Exchange Registration Service"
    does not start, it is set to "Manual".
    I tried to find some information about which services should be started and which should not, but I cannot find such information, not even in Technet (my fault probably).
    Thanks in advance.
    Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)

    Hi,
    Have you received any errors in event logs when
    you started the Microsoft Forefront Server Protection for Exchange Registration Service?
    Based on my research,
    Microsoft Forefront Server Protection Controller service is a dependency of the Microsoft Forefront Server Protection Registration service and the Microsoft Forefront
    Server Protection Registration service is a dependency of the Microsoft Exchange Transport service.
    The Microsoft Forefront Server Protection Registration service normally only runs for a brief time (less than a minute) when FPE initializes. It then shuts
    down and does not need to be running for transport scanning to occur.
    You can refer to the link below:
    Services
    Best regards,
    Susie

  • R1: tcAPIException: Duplicate schedule item for a task that does not allow multiples.

    Hi,
    I'm struggling with the following task:
    I have to assure an account exists for a given resource. I do provision it with the .tcUserOperationsIntf.provisionObject().
    I've created a createUser task to create the account.
    The task code checks if there is already matching account.
    If no account exists, it is created in the disabled state, and the object state of the OIM account is set to 'Disabled' by means of task return code mapping.
    If it exists, it is 'linked' to the OIM account.
    The problem is that if the existing account is enabled, I have to change the OIM account state to 'Enabled' as well.
    To implement this (thanks, Kevin Pinski https://forums.oracle.com/thread/2564011 ) I've created an additional task 'Switch Enable' which is triggered by a special task return code. This task always succeeds, and its only side effect is switching the object status to 'Enabled'.
    But I'm getting the 'Duplicate schedule item for a task that does not allow multiples' exception constantly:
    This is the stack trace:
    Thor.API.Exceptions.tcAPIException: Duplicate schedule item for a task that does not allow multiples.
      at com.thortech.xl.ejb.beansimpl.tcUserOperationsBean.provisionObject(tcUserOperationsBean.java:2925)
      at com.thortech.xl.ejb.beansimpl.tcUserOperationsBean.provisionObject(tcUserOperationsBean.java:2666)
      at Thor.API.Operations.tcUserOperationsIntfEJB.provisionObjectx(Unknown Source)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:601)
      at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
      at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
      at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
      ...skipped
      at Thor.API.Operations.tcUserOperationsIntfDelegate.provisionObject(Unknown Source)\
      ... skipped
    What did I do wrong?
    Regards,
    Vladimir

    Hi Vladimir,
    Please select 'Allow Multiple Instance' checkbox for the process task.
    Thanks,
    Pallavi

  • [svn] 3580: MXMLG-243 - Path does not draw in the correct location when width and height are set

    Revision: 3580
    Author: [email protected]
    Date: 2008-10-10 16:24:50 -0700 (Fri, 10 Oct 2008)
    Log Message:
    MXMLG-243 - Path does not draw in the correct location when width and height are set
    Fixed MatrixUtil.transformBounds to offset the four bound points by the origin
    Bug: MXMLG-243
    QA: Yes
    Doc: No
    Review: Evtim
    Ticket Links:
    http://bugs.adobe.com/jira/browse/MXMLG-243
    Modified Paths:
    flex/sdk/trunk/frameworks/projects/flex4/src/mx/utils/MatrixUtil.as

    Hi,
    For web application problem, please post your thread in
    ASP.NET forum.
    Best Wishes!

  • 9.0.3 Bug- PK-Attribute for EO based on View not set

    Hi,
    for some reasons I have created for each database table a corresponding database view.
    When creating the EO the wizard does not set the Primary Key Attribute according to the PK defined in the underlying Table. Instead the ROWID is defined as PK.
    This leads to a JBO-27122 Exception (ORA-01024: Ungültiger Datentyp im OCI-Aufruf) when opening the VO in BC4J Tester.
    If I manually set the PK Attribute to the correct Column, it works fine (CRUD).
    Found re:re:wwsec_api.add_user_to_list problem but perhaps it is possible for the wizard to identify the underlying table / pk column for a view based on a single table?
    Thanks, Markus

    There's absolutely nothing wrong with building Entity Objects on top of views.
    It's just that you have to set the primary key info by hand.
    If you wanted to be real clever, you could probably "fake" our reverse engineering wizard out by creating private views named ALL_CONSTRAINTS and ALL_CONS_COLUMNS which "wrapped" the system-owned views and UNIONED in rows in the right structure to make it appear that your views have the same primary key constraints as your tables.
    This should work as a workaround.

  • HT1535 The option for "On this IPad" does not appear?

    Despite having a manual set up of content checked, the option for "On this IPad" does not appear? Why is this?

    Hi pmbrady,
    The "On this [device]" tab will only show up if you are in the non-sidebar view of iTunes. In short, if you have the sidebar on the left hand side, you will want to use the disclosure triangle (left of your device name) to view what is on the device.
    iTunes 11: Frequently used features
    http://support.apple.com/kb/HT5649
    Thanks,
    Matt M.

  • Configure cisco ipsec vpn client at asa 5505 version 8.4

    Hi dear. I want to configure the Cisco IPsec VPN client on an ASA 5505. On my ASA the software version is 8.4.
    Please provide me a link or some material to configure the IPsec VPN client on ASA 5505 version 8.4.
    thank you.

    are you looking for vpn client .pcf file or the configuration on ASA (ASDM) ?
    what version of vpn client ?

  • HT202343 Profile Manager 3.2.2 does not support 'use per-connection password'

    Profile Manager 3.2.2 does not support 'use per-connection password' for wireless configuration as stated here.
    https://support.apple.com/en-lu/HT202343
    This feature stops users credentials from being remembered by the device, particularly useful for multi-user devices in an enterprise environment.
    Any help would be much appreciated.
    Thanks in advance

    Yes Clinton I did same, but they were (Huawei customer support) surprised about this problem, They behave like they have no idea about USB 2.0 and  3.0 knowledge. They handsUp that reason I posted my problem in this forum.
    So is there any better solution to use any mediator between these USB version handling, Please let me know.
    Thanks
    Tauheed

  • [SOLVED]intel_backlight service does not set backlight at boot

    Hi everyone,
    I have a Dell Inspiron 3542 laptop. The problem is that even though the backlight.service saves and loads the backlight value, it does not set it. For example:
    xbacklight -get
    outputs the saved backlight value, but on screen it appears around 1-5% and only when I change it, it goes back to normal. According to the [email protected] manpage: "if udev property ID_BACKLIGHT_CLAMP is not set to false value, the brightness is clamped to a value of at least 1 or 5% of maximum brightness, whichever is greater. This restriction will be removed when the kernel allows user space to reliably set a brightness value which does not turn off the display."
    My question is: how can I set the udev property?
    Thank you for any suggestions.
    Last edited by Liberis (2015-05-11 00:49:08)

    I have to admit that the problem and the question were not well stated. I wanted to override backlight clamping because I thought that was the problem.
    I'll try to post the solution as clearly as I can (my English knowledge is not the best).
    The laptop I'm using has hybrid graphics (nvidia and intel). I'm using the open source drivers with the i915 and nouveau modules, and I'm using an lvm2 dm-crypt setup.
    I tried the following:
    Recompiling systemd trying to revert this patch: https://github.com/systemd/systemd/comm … ca6c595c76
    Setting the -no-clamp option (could not make it right, I think) in [email protected] with (could not make it work; I think I did not do it correctly)
    as stated at http://lists.freedesktop.org/archives/s … 27138.html
    systemctl edit [email protected]
    [Service]
    ExecStart=
    ExecStop=
    ExecStart=/usr/lib/systemd/systemd-backlight -no-clamp load %i
    ExecStop=/usr/lib/systemd/systemd-backlight -no-clamp save %i
    I could not find a way to set ID_BACKLIGHT_CLAMP in udev properties; I did not quite understand what it was asking, to be honest.
    Solution
    EDIT:1 Adding ENV{ID_BACKLIGHT_CLAMP}="0" in the backlight section in /usr/lib/udev/rules.d/99-systemd.rules also solves the issue, as the man page says.
    Do not judge; these might have been completely wrong moves, but with little to no knowledge only trial and error could help.
    I could also set the saved backlight at boot by blacklisting the i915 module and leaving nouveau.
    The strange thing is that i915 is still being loaded while using PRIME
    glxinfo | grep "OpenGL renderer"
    OpenGL renderer string: Mesa DRI Intel(R) Haswell Mobile
    and the lsmod output
    lsmod | grep i915
    i915 1024000 4
    intel_gtt 20480 1 i915
    drm_kms_helper 102400 2 i915,nouveau
    drm 282624 8 ttm,i915,drm_kms_helper,nouveau
    i2c_algo_bit 16384 2 i915,nouveau
    video 24576 2 i915,nouveau
    button 16384 2 i915,nouveau
    i2c_core 53248 10 drm,i915,i2c_i801,i2c_hid,i2c_designware_platform,drm_kms_helper,i2c_algo_bit,v4l2_common,nouveau,videodev
    also journalctl -xe output
    -- Unit systemd-backlight@backlight:intel_backlight.service has begun starting up.
    May 11 02:43:20 archlinux kernel: ACPI: Video Device [GFX0] (multi-head: yes rom: no post: no)
    May 11 02:43:20 archlinux kernel: input: Video Bus as /devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/LNXVIDEO:01/input/input11
    May 11 02:43:20 archlinux kernel: snd_hda_intel 0000:00:03.0: bound 0000:00:02.0 (ops i915_audio_component_bind_ops [i915])
    May 11 02:43:20 archlinux kernel: [drm] Initialized i915 1.6.0 20150130 for 0000:00:02.0 on minor 1
    May 11 02:43:20 archlinux kernel: [drm:hsw_unclaimed_reg_detect.isra.10 [i915]] *ERROR* Unclaimed register detected. Please use the i915.mmio_debug=1 to debug this proble
    May 11 02:43:20 archlinux kernel: input: HDA Digital PCBeep as /devices/pci0000:00/0000:00:1b.0/sound/card1/hdaudioC1D0/input9
    May 11 02:43:20 archlinux kernel: input: HDA Intel PCH Headphone Mic as /devices/pci0000:00/0000:00:1b.0/sound/card1/input12
    May 11 02:43:20 archlinux kernel: Console: switching to colour frame buffer device 170x48
    May 11 02:43:20 archlinux kernel: i915 0000:00:02.0: fb0: inteldrmfb frame buffer device
    May 11 02:43:20 archlinux kernel: i915 0000:00:02.0: registered panic notifier
    May 11 02:43:20 archlinux systemd[1]: Found device ST1000LM024_HN-M101MBB sda1.
    -- Subject: Unit dev-disk-by\x2duuid-7D28\x2d5BEB.device has finished start-up
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    -- The start-up result is done.
    May 11 02:43:20 archlinux systemd[1]: Started Load/Save Screen Backlight Brightness of backlight:intel_backlight.
    -- Subject: Unit systemd-backlight@backlight:intel_backlight.service has finished start-up
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    -- Unit systemd-backlight@backlight:intel_backlight.service has finished starting up.
    EDIT:2 Avoided the blacklisting by setting nouveau early KMS to boot earlier in mkinitcpio.conf, and the result is the same.
    I think nouveau has to be loaded before i915, otherwise the intel_backlight service is not working even though
    systemctl status systemd-backlight@intel_backlight.service
    shows no errors.
    I have to say that I have not quite understood why this is working like this, but I would love it if anyone can explain it.
    I can provide more info if needed.
    Last edited by Liberis (2015-05-12 00:51:38)

  • [SOLVED] slim does not set a default session

    Hi everybody
    I think slim does not set the default session (first entry in sessions in /etc/slim.conf):
    My /etc/slim.conf:
    login_cmd exec /bin/bash -login ~/.xinitrc %session
    sessions openbox
    So the default session (and %session) should be openbox.
    My ~/.xinitrc:
    DEFAULT_SESSION=openbox
    # urxvt -e screen &
    # Restore the wallpaper after a short delay, in the background
    (sleep 1; eval `cat ~/.fehbg`) &
    conky &
    xbindkeys &
    volwheel &
    pidgin &
    case $1 in
    awesome|fluxbox|icewm|i3|dwm|wmii|fvwm|twm|wmfs)
        exec ck-launch-session $1
        ;;
    openbox)
        /usr/bin/tint2 &
        exec ck-launch-session openbox-session
        ;;
    *)
        # No (or unknown) session passed in: fall back to the default
        exec ck-launch-session $DEFAULT_SESSION
        ;;
    esac
    So. When my sessions option is only "openbox" and .xinitrc is started with $1 = "openbox", it should execute tint2. But it doesn't.
    Workaround 1:
    When I set openbox directly in login_cmd, it works and tint2 is executed.
    login_cmd exec /bin/bash -login ~/.xinitrc openbox
    Workaround 2:
    In slim, when I hit F1 to change the session and the word "openbox" appears on the screen, it also works fine.
    That means, that slim does not set the default session correctly. Or am I wrong?
    I think this is since the last update.
    Thanks for your feedback.
    mindfuckup
    Last edited by mindfuckup (2013-02-12 19:24:39)

    Slim never set the default session, but there always was a comment in the default config suggesting that it would. This was well known and everybody simply set their own default (I'll get back to this in a second). Instead of simply modifying this comment, Arch included a patch to change Slim's behavior, but this led to new unexpected behavior so it was removed (recently).
    You could also have found this in the wiki, which also provides a solution. Another way to fix your .xinitrc is to replace $1 in the case statement by ${1:-openbox}.
    Edit: I just noticed you actually had the DEFAULT_SESSION as used in the wiki example. I think the solution in the wiki is a bit strange, and your .xinitrc (where tint2 should only be started for openbox) is an example where the alternative I suggested is simpler. Yet another way is to use the *) case for the default session (so you would not include openbox as a separate case and just start tint2 and openbox unless the $1 is set to awesome).
    Last edited by Raynman (2013-02-12 17:52:33)

  • HT4061 I cannot access my I Pad it is asking for a passcode, I  did not set one, so a code has been created and i need to have it reset

    I cannot access my Ipad. It is asking for a passcode, I did not set one.  How do I reset this so that I can log onto my Ipad?

    Hey dmplinton518,
    You'll want to follow the directions in here:
    iOS: Forgotten passcode or device disabled after entering wrong passcode
    http://support.apple.com/kb/HT1212
    Sincerely,
    Delgadoh
