03-01-2017 04:59 AM - edited 03-08-2017 02:19 AM
What is needed for connecting Apple iOS 8-10 / Android by L2TP? (MSR1003)
From Windows it is working, but from an iPad I get this error:
*Mar 8 09:09:04:200 2017 TM-RT0001 IKE/7/EVENT: Phase1 process started. Begin a new phase 1 negotiation as responder. Responder created an SA for peer 31.163.97.50, local port 500, remote port 500. Set IKE SA state to IKE_P1_STATE_INIT. Received ISAKMP Security Association Payload. Received ISAKMP Vendor ID Payload. ...... Received ISAKMP Vendor ID Payload. Process vendor ID payload. Process SA payload. Check ISAKMP transform 1. ... Check ISAKMP transform 2. ... .... Check ISAKMP transform 13. Lifetime type is 1. Life duration is 3600. Encryption algorithm is 3DES-CBC. Authentication method is Pre-shared key. HASH algorithm is HMAC-SHA1. DH group is 2. Found pre-shared key that matches address 31.3.97.50 in keychain keychain1. Attributes is acceptable. Constructed SA payload Construct NAT-T rfc3947 vendor ID payload. Construct XAUTH Cisco Unity 1.0 vendor ID payload. Construct XAUTH draft6 vendor ID payload. IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND2. Sending packet to 31.3.97.50 remote port 500, local port 500. ... Received 2 NAT-D payload. Peer is behind NAT. Construct KE payload. ... IKE SA state changed from IKE_P1_STATE_SEND2 to IKE_P1_STATE_SEND4. Sending packet to 31.3.97.50 remote port 500, local port 500. I-Cookie: a4d8facd902d8444 R-Cookie: 35e4ae3e30d5abfc next payload: KE version: ISAKMP Version 1.0 exchange mode: Main flags: message ID: 0 length: 248 Sending an IPv4 packet. Sent data to socket successfully. Received packet from 31.3.97.50 source port 4500 destination port 4500. I-Cookie: a4d8facd902d8444 R-Cookie: 35e4ae3e30d5abfc next payload: ID version: ISAKMP Version 1.0 exchange mode: Main flags: ENCRYPT message ID: 0 length: 100
*Mar 8 09:09:04:415 2017 TM-RT0001 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar 8 09:09:04:415 2017 TM-RT0001 IKE/7/EVENT: Phase1 process started. Decrypt the packet. ... The profile profile1 is matched. Found keychain keychain1 in profile profile1 successfully. ... Construct authentication by pre-shared-key. Encrypt the packet. IKE SA state changed from IKE_P1_STATE_SEND4 to IKE_P1_STATE_ESTABLISHED. Sending packet to 31.3.97.50 remote port 4500, local port 4500. I-Cookie: a4d8facd902d8444 R-Cookie: 35e4ae3e30d5abfc next payload: ID version: ISAKMP Version 1.0 exchange mode: Main flags: ENCRYPT message ID: 0 length: 68 Sending an IPv4 packet. Sent data to socket successfully. Add tunnel, alloc new tunnel with ID [2]. Received packet from 31.3.97.50 source port 4500 destination port 4500. I-Cookie: a4d8facd902d8444 R-Cookie: 35e4ae3e30d5abfc next payload: HASH version: ISAKMP Version 1.0 exchange mode: Quick flags: ENCRYPT message ID: 978a8126 length: 308
*Mar 8 09:09:05:096 2017 TM-RT0001 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar 8 09:09:05:096 2017 TM-RT0001 IKE/7/EVENT: Phase2 process started. Set IPsec SA state to IKE_P2_STATE_INIT. Decrypt the packet. Received ISAKMP Hash Payload. Received ISAKMP Security Association Payload. Received ISAKMP Nonce Payload. Received ISAKMP Identification Payload (IPsec DOI). Received ISAKMP Identification Payload (IPsec DOI). Received ISAKMP NAT-OA Payload. Received ISAKMP NAT-OA Payload. Process HASH payload. Validated HASH(1) successfully. Process IPsec ID payload. Process IPsec ID payload. Set inside vrf to Nego flow info. IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSP. Process IPsec SA payload. Check IPsec proposal 1. Parse transform 1. Lifetime type is in seconds. Life duration is 3600. Encapsulation mode is Transport-UDP. Key length is 256 bytes. Authentication algorithm is HMAC-SHA1. Transform ID is AES-CBC. The proposal is unacceptable. Failed to negotiate IPsec SA.
My config:
#
ip pool magazin 10.10.10.2 10.10.11.250
ip pool magazin gateway 10.10.10.1
#
interface Virtual-Template0
 ppp authentication-mode pap ms-chap chap ms-chap-v2 domain dp
 ppp ipcp dns 10.5.3.130
 remote address pool magazin
 ip address 10.10.10.1 255.255.254.0
 ospf cost 10
#
interface GigabitEthernet0/0
 port link-mode route
 speed 100
 ip address XX.XX.XX.XX 255.255.255.224
 packet-filter name WanInterfaceIn inbound
 nat outbound name internetACL
 ipsec apply policy map2
#
acl advanced name WanInterfaceIn
 rule 760 permit udp destination-port eq 1701
 rule 765 permit udp destination-port eq 500
 rule 770 permit udp destination-port eq 4500
#
ipsec transform-set tran1
 encapsulation-mode transport
 esp encryption-algorithm aes-cbc-128 3des-cbc aes-cbc-256
 esp authentication-algorithm sha1 sha256
#
ipsec policy-template poltempl2 1
 transform-set tran1
 ike-profile profile1
 reverse-route dynamic
 reverse-route preference 100
 reverse-route tag 1000
#
ipsec policy map2 10 isakmp template poltempl2
#
l2tp-group 1 mode lns
 allow l2tp virtual-template 0
 undo tunnel authentication
#
l2tp enable
#
ike profile profile1
 keychain keychain1
 match remote identity address 0.0.0.0 0.0.0.0
#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
#
ike keychain keychain1
 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$po0mSO/41uuJ7CKQ=
03-08-2017 02:17 AM
Re: What is needed for connecting Apple iOS 8-10 / Android by L2TP? (MSR1003)
Added my config...
10-13-2017 06:01 AM
Re: What is needed for connecting Apple iOS 8-10 / Android by L2TP? (MSR1003)
Hit the same problem as you. Spent around a week trying to figure out what's wrong. The situation is that iOS phones (as well as a MacBook Air with OS X) are sending only one proposal in phase 2 (and it seems to be slightly different from what they send in P1, but that's OK):
AES256+SHA1
The thing is that they check it only against the first transform! And more interestingly, in a multiple-encryption transform set like the one you're using, it checks it against only the FIRST entry in the row.
So, to fix it, you have to simply and quite stupidly change the sequence:
ipsec transform-set tran1
 encapsulation-mode transport
 esp encryption-algorithm aes-cbc-256 3des-cbc aes-cbc-128
Sounds really stupid, but with this change I am now connecting iPhones and iMacs with no problems.
Also please consider that these devices want a lifetime of 3600 in both phases, so consider checking this as well.
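As an added troubleshooting aid (not code from the thread or from HPE), the Python below pulls the peer's phase-2 attributes out of the router's debug text quoted above and models the matching behaviour the reply describes, so the posted and the reordered transform set can be compared offline. The mapping of "Transform ID is AES-CBC" plus "Key length is 256" to the Comware name aes-cbc-256 is an assumption made here.

```python
import re

# Constructed excerpt of the phase-2 debug output quoted in the thread.
# "Key length is 256 bytes" is the router's own wording; the value is in bits.
DEBUG_EXCERPT = (
    "Check IPsec proposal 1. Parse transform 1. Lifetime type is in seconds. "
    "Life duration is 3600. Encapsulation mode is Transport-UDP. "
    "Key length is 256 bytes. Authentication algorithm is HMAC-SHA1. "
    "Transform ID is AES-CBC. The proposal is unacceptable."
)

# esp encryption-algorithm lists as posted (fails) and as reordered in the reply (works).
TRANSFORM_SET_POSTED = ["aes-cbc-128", "3des-cbc", "aes-cbc-256"]
TRANSFORM_SET_FIXED = ["aes-cbc-256", "3des-cbc", "aes-cbc-128"]


def parse_phase2_transform(debug_text):
    """Extract the single transform the peer proposed from one 'Parse transform' block.

    Returns the encryption algorithm in Comware naming (assumed mapping), the
    authentication algorithm as logged, and the lifetime in seconds.
    """
    def grab(pattern):
        m = re.search(pattern, debug_text)
        return m.group(1) if m else None

    transform_id = grab(r"Transform ID is ([\w-]+)")
    key_len = grab(r"Key length is (\d+)")
    auth = grab(r"Authentication algorithm is ([\w-]+)")
    life = grab(r"Life duration is (\d+)")
    if transform_id == "AES-CBC" and key_len:
        enc = "aes-cbc-%s" % key_len          # assumed: AES-CBC + key length -> aes-cbc-<bits>
    elif transform_id == "3DES-CBC":
        enc = "3des-cbc"
    else:
        enc = (transform_id or "").lower()
    return {"enc": enc, "auth": auth, "lifetime": int(life) if life else None}


def first_entry_matches(encryption_list, proposal):
    """Behaviour described in the reply: only the FIRST configured encryption
    entry is compared with the peer's single proposal."""
    return encryption_list[0] == proposal["enc"]


def full_list_matches(encryption_list, proposal):
    """What a full comparison would accept: any configured entry."""
    return proposal["enc"] in encryption_list
```

Running parse_phase2_transform on the excerpt and feeding the result to first_entry_matches shows the posted order rejected and the reordered set accepted, even though full_list_matches accepts both.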