WAN Routing

what need for connecting apple IOS 8-10 /android by L2TP? (MSR1003)

alex20
Occasional Advisor


from Windows - working..

but from iPad I get this error:

*Mar  8 09:09:04:200 2017 TM-RT0001 IKE/7/EVENT: Phase1 process started.
Begin a new phase 1 negotiation as responder.
Responder created an SA for peer 31.163.97.50, local port 500, remote port 500.
Set IKE SA state to IKE_P1_STATE_INIT.
Received ISAKMP Security Association Payload.
Received ISAKMP Vendor ID Payload.
......
Received ISAKMP Vendor ID Payload.
Process vendor ID payload.
Process SA payload.
Check ISAKMP transform 1.
...
Check ISAKMP transform 2.
...
....
Check ISAKMP transform 13.
  Lifetime type is 1.
  Life duration is 3600.
  Encryption algorithm is 3DES-CBC.
  Authentication method is Pre-shared key.
  HASH algorithm is HMAC-SHA1.
  DH group is 2.
Found pre-shared key that matches address 31.3.97.50 in keychain keychain1.
Attributes is acceptable.
Constructed SA payload
Construct NAT-T rfc3947 vendor ID payload.
Construct XAUTH Cisco Unity 1.0 vendor ID payload.
Construct XAUTH draft6 vendor ID payload.
IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND2.
Sending packet to 31.3.97.50 remote port 500, local port 500.
...
Received 2 NAT-D payload.
Peer is behind NAT.
Construct KE payload.
...
IKE SA state changed from IKE_P1_STATE_SEND2 to IKE_P1_STATE_SEND4.
Sending packet to 31.3.97.50 remote port 500, local port 500.

  I-Cookie: a4d8facd902d8444
  R-Cookie: 35e4ae3e30d5abfc
  next payload: KE
  version: ISAKMP Version 1.0
  exchange mode: Main
  flags:
  message ID: 0
  length: 248
Sending an IPv4 packet.
Sent data to socket successfully.
Received packet from 31.3.97.50 source port 4500 destination port 4500.

  I-Cookie: a4d8facd902d8444
  R-Cookie: 35e4ae3e30d5abfc
  next payload: ID
  version: ISAKMP Version 1.0
  exchange mode: Main
  flags: ENCRYPT
  message ID: 0
  length: 100

*Mar  8 09:09:04:415 2017 TM-RT0001 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar  8 09:09:04:415 2017 TM-RT0001 IKE/7/EVENT: Phase1 process started.
Decrypt the packet.
...
The profile profile1 is matched.
Found keychain keychain1 in profile profile1 successfully.
...
Construct authentication by pre-shared-key.
Encrypt the packet.
IKE SA state changed from IKE_P1_STATE_SEND4 to IKE_P1_STATE_ESTABLISHED.
Sending packet to 31.3.97.50 remote port 4500, local port 4500.
  I-Cookie: a4d8facd902d8444
  R-Cookie: 35e4ae3e30d5abfc
  next payload: ID
  version: ISAKMP Version 1.0
  exchange mode: Main
  flags: ENCRYPT
  message ID: 0
  length: 68
Sending an IPv4 packet.
Sent data to socket successfully.
Add tunnel, alloc new tunnel with ID [2].
Received packet from 31.3.97.50 source port 4500 destination port 4500.

  I-Cookie: a4d8facd902d8444
  R-Cookie: 35e4ae3e30d5abfc
  next payload: HASH
  version: ISAKMP Version 1.0
  exchange mode: Quick
  flags: ENCRYPT
  message ID: 978a8126
  length: 308
*Mar  8 09:09:05:096 2017 TM-RT0001 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar  8 09:09:05:096 2017 TM-RT0001 IKE/7/EVENT: Phase2 process started.
Set IPsec SA state to IKE_P2_STATE_INIT.
Decrypt the packet.
Received ISAKMP Hash Payload.
Received ISAKMP Security Association Payload.
Received ISAKMP Nonce Payload.
Received ISAKMP Identification Payload (IPsec DOI).
Received ISAKMP Identification Payload (IPsec DOI).
Received ISAKMP NAT-OA Payload.
Received ISAKMP NAT-OA Payload.
Process HASH payload.
Validated HASH(1) successfully.
Process IPsec ID payload.
Process IPsec ID payload.
Set inside vrf to Nego flow info.
IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSP.
Process IPsec SA payload.
Check IPsec proposal 1.
Parse transform 1.
  Lifetime type is in seconds.
  Life duration is 3600.
  Encapsulation mode is Transport-UDP.
  Key length is 256 bytes.
  Authentication algorithm is HMAC-SHA1.
  Transform ID is AES-CBC.
The proposal is unacceptable.
Failed to negotiate IPsec SA.

my config:

#
 ip pool magazin 10.10.10.2 10.10.11.250
 ip pool magazin gateway 10.10.10.1
#
interface Virtual-Template0
 ppp authentication-mode pap ms-chap chap ms-chap-v2 domain dp
 ppp ipcp dns 10.5.3.130
 remote address pool magazin
 ip address 10.10.10.1 255.255.254.0
 ospf cost 10
#
interface GigabitEthernet0/0
 port link-mode route
 speed 100
 ip address XX.XX.XX.XX 255.255.255.224
 packet-filter name WanInterfaceIn inbound
 nat outbound name internetACL
 ipsec apply policy map2
#
acl advanced name WanInterfaceIn
 rule 760 permit udp destination-port eq 1701
 rule 765 permit udp destination-port eq 500
 rule 770 permit udp destination-port eq 4500
#
ipsec transform-set tran1
 encapsulation-mode transport
 esp encryption-algorithm aes-cbc-128 3des-cbc aes-cbc-256
 esp authentication-algorithm sha1 sha256
#
ipsec policy-template poltempl2 1
 transform-set tran1
 ike-profile profile1
 reverse-route dynamic
 reverse-route preference 100
 reverse-route tag 1000
#
ipsec policy map2 10 isakmp template poltempl2
#
l2tp-group 1 mode lns
 allow l2tp virtual-template 0
 undo tunnel authentication
#
 l2tp enable
#
ike profile profile1
 keychain keychain1
 match remote identity address 0.0.0.0 0.0.0.0
#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
#
ike keychain keychain1
 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$po0mSO/41uuJ7CKQ=

alex20
Occasional Advisor

Re: what need for connecting apple IOS 8-10 /android by L2TP? (MSR1003)

add my config...

Gellemar
Occasional Visitor

Re: what need for connecting apple IOS 8-10 /android by L2TP? (MSR1003)

Hit the same problem as you. Spent around a week trying to figure out what's wrong. The situation is that iOS phones (as well as a MacBook Air with OS X) are sending only one proposal on phase 2 (and it seems to be slightly different from what they send on P1, but that's OK):

AES256+SHA1

Thing is, they're checking it only against the first transform! And more interesting, in a multiple-encryption transform like the one you're using, it checks it only against the FIRST entry in the row.

So, to fix it - you have to simply and quite stupidly change the sequence:

ipsec transform-set tran1
 encapsulation-mode transport
 esp encryption-algorithm aes-cbc-256 3des-cbc aes-cbc-128


Sounds really stupid, but with this change I am now connecting iPhones and iMacs with no problems.

Also please consider that these devices on both phases do want a lifetime of 3600, so consider checking this as well.
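The check the reply describes, written out as an added example (this is not code from the thread, from HPE or from Comware): it parses a transform-set stanza like the one in the original config, extracts the peer's single phase-2 proposal from the "Parse transform" lines of the debug output, and reports whether the proposal would be accepted. The "first entry only" matching rule is an assumption modelled on the behaviour the reply observed on the MSR, applied here to both the encryption and the authentication list; a full-list match is computed alongside it so the two results can be compared. The sample strings are constructed from the thread's own config and log.

```python
"""Model of the phase-2 transform matching problem discussed in the thread.

Added example: parses a Comware-style 'ipsec transform-set' stanza and the
IKE phase-2 debug attributes, then checks the peer proposal against the
transform-set under two rules. 'first_entry_only' is an ASSUMPTION that
models the behaviour the reply reports (only the first algorithm in each
list is compared); it is not taken from vendor documentation.
"""
import re

# Constructed sample: the transform-set from the original post ...
ORIGINAL_TRANSFORM_SET = """\
ipsec transform-set tran1
 encapsulation-mode transport
 esp encryption-algorithm aes-cbc-128 3des-cbc aes-cbc-256
 esp authentication-algorithm sha1 sha256
"""

# ... and the reordered one from the reply.
REORDERED_TRANSFORM_SET = """\
ipsec transform-set tran1
 encapsulation-mode transport
 esp encryption-algorithm aes-cbc-256 3des-cbc aes-cbc-128
 esp authentication-algorithm sha1 sha256
"""

# Constructed sample: the phase-2 proposal lines from the debug output.
PHASE2_DEBUG = """\
Check IPsec proposal 1.
Parse transform 1.
  Lifetime type is in seconds.
  Life duration is 3600.
  Encapsulation mode is Transport-UDP.
  Key length is 256 bytes.
  Authentication algorithm is HMAC-SHA1.
  Transform ID is AES-CBC.
"""


def parse_transform_set(text):
    """Return the transform-set name, mode and algorithm lists (in config order)."""
    ts = {"name": None, "mode": None, "encryption": [], "authentication": []}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:2] == ["ipsec", "transform-set"]:
            ts["name"] = tokens[2]
        elif tokens[0] == "encapsulation-mode":
            ts["mode"] = tokens[1]
        elif tokens[:2] == ["esp", "encryption-algorithm"]:
            ts["encryption"] = tokens[2:]
        elif tokens[:2] == ["esp", "authentication-algorithm"]:
            ts["authentication"] = tokens[2:]
    return ts


def parse_peer_proposal(debug_text):
    """Extract the peer's phase-2 transform from '<attribute> is <value>.' lines
    and normalise it to the transform-set's naming (AES-CBC + 256 -> aes-cbc-256)."""
    attrs = {}
    for line in debug_text.splitlines():
        m = re.match(r"\s*(.+?) is (.+?)\.$", line)
        if m:
            attrs[m.group(1).strip()] = m.group(2).strip()
    transform_id = attrs.get("Transform ID", "").lower()
    # The AES key length attribute is the key size in bits (the debug line's
    # unit label says "bytes", but AES-CBC with 256 means a 256-bit key).
    key_len = re.search(r"\d+", attrs.get("Key length", "0")).group(0)
    enc = f"aes-cbc-{key_len}" if transform_id == "aes-cbc" else transform_id
    auth_names = {"HMAC-SHA1": "sha1", "HMAC-SHA256": "sha256"}
    auth_raw = attrs.get("Authentication algorithm", "")
    auth = auth_names.get(auth_raw, auth_raw.lower())
    mode_raw = attrs.get("Encapsulation mode", "").lower()
    mode = "transport" if mode_raw.startswith("transport") else "tunnel"
    return {"encryption": enc, "authentication": auth, "mode": mode,
            "lifetime": int(attrs.get("Life duration", "0"))}


def proposal_accepted(ts, peer, first_entry_only=True):
    """True if the peer proposal matches the transform-set.

    first_entry_only=True: only the first algorithm in each list counts
    (assumed model of the behaviour reported in the thread).
    first_entry_only=False: any listed algorithm counts (full-list match).
    """
    if ts["mode"] != peer["mode"]:
        return False
    encs = ts["encryption"][:1] if first_entry_only else ts["encryption"]
    auths = ts["authentication"][:1] if first_entry_only else ts["authentication"]
    return peer["encryption"] in encs and peer["authentication"] in auths


def reorder_for_peer(ts, peer):
    """Return the encryption list with the peer's algorithm moved to the front,
    i.e. the kind of reordering the reply applied to make the match succeed."""
    enc = list(ts["encryption"])
    if peer["encryption"] in enc:
        enc.remove(peer["encryption"])
        enc.insert(0, peer["encryption"])
    return enc


if __name__ == "__main__":
    peer = parse_peer_proposal(PHASE2_DEBUG)
    print("peer proposal:", peer)
    for label, cfg in (("original", ORIGINAL_TRANSFORM_SET),
                       ("reordered", REORDERED_TRANSFORM_SET)):
        ts = parse_transform_set(cfg)
        print(f"{label}: first-entry-only={proposal_accepted(ts, peer, True)}"
              f" full-list={proposal_accepted(ts, peer, False)}")
    print("suggested order:", reorder_for_peer(parse_transform_set(ORIGINAL_TRANSFORM_SET), peer))
```

Running the script shows the original ordering failing under the first-entry-only rule while passing a full-list match, which is exactly the gap between what the config looks like it allows and what the debug output reports; the reordered set passes both.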