Hi,
I'm trying to connect my new touch HD to the work cisco firewall. I've set it up as LDAP/IPSEC with a preshared key.
When I try to force it to connect, it contacts the ASA and starts the handshake, but I see this in the VPN debug log:
Start of Handshake:
Code:
7 Nov 12 2008 15:36:23 713236 IP = 89.193.232.83, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 564
Point of issue (I think anyway)
Code:
7 Nov 12 2008 15:36:24 713906 IP = 89.193.232.83, computing NAT Discovery hash
4 Nov 12 2008 15:36:24 713903 Group = 89.193.232.83, IP = 89.193.232.83, Can't find a valid tunnel group, aborting...!
7 Nov 12 2008 15:36:24 715065 Group = 89.193.232.83, IP = 89.193.232.83, IKE MM Responder FSM error history (struct &0xd9298110) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY
7 Nov 12 2008 15:36:24 713906 Group = 89.193.232.83, IP = 89.193.232.83, IKE SA MM:d5e02623 terminating: flags 0x01000002, refcnt 0, tuncnt 0
7 Nov 12 2008 15:36:24 713906 Group = 89.193.232.83, IP = 89.193.232.83, sending delete/delete with reason message
Looking at the logs, at no point does it try to authenticate with the username and password, so it's a tunnelling issue.
Any super geeks about to help?
jon- said:
Hi,
I'm trying to connect my new touch HD to the work cisco firewall. I've set it up as LDAP/IPSEC with a preshared key.
When I try to force it to connect, it contacts the ASA and starts the handshake, but I see this in the VPN debug log:
Start of Handshake:
Code:
7 Nov 12 2008 15:36:23 713236 IP = 89.193.232.83, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 564
Point of issue (I think anyway)
Code:
7 Nov 12 2008 15:36:24 713906 IP = 89.193.232.83, computing NAT Discovery hash
4 Nov 12 2008 15:36:24 713903 Group = 89.193.232.83, IP = 89.193.232.83, Can't find a valid tunnel group, aborting...!
7 Nov 12 2008 15:36:24 715065 Group = 89.193.232.83, IP = 89.193.232.83, IKE MM Responder FSM error history (struct &0xd9298110) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY
7 Nov 12 2008 15:36:24 713906 Group = 89.193.232.83, IP = 89.193.232.83, IKE SA MM:d5e02623 terminating: flags 0x01000002, refcnt 0, tuncnt 0
7 Nov 12 2008 15:36:24 713906 Group = 89.193.232.83, IP = 89.193.232.83, sending delete/delete with reason message
Looking at the logs, at no point does it try to authenticate with the username and password, so it's a tunnelling issue.
Any super geeks about to help?
I have a working config from a Cisco PIX 501; however, it can only run PIX OS 6.3(5) and not the newer 7.x or 8.x code the ASAs run, so it's likely there are differences. Plus I am also using Digital Certificates as opposed to pre-shared keys; however, that will only change the ISAKMP policy. I am also using MS IAS as the Radius server.
Code:
access-list l2tp permit udp host X.X.X.X any eq 1701
ip address outside X.X.X.X 255.255.255.252
ip local pool L2TP-IP-Pool-1 10.10.10.1-10.10.10.14 mask 255.255.255.240
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server RADIUS (inside) host 192.168.1.1 cisco-key timeout 5
aaa-server RADIUS (inside) host 192.168.2.1 cisco-key timeout 5
sysopt connection permit-l2tp
crypto ipsec transform-set l2tp esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp mode transport
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto dynamic-map dyna 20 match address l2tp
crypto dynamic-map dyna 20 set transform-set l2tp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 10 ipsec-isakmp dynamic dyna
crypto map mymap client authentication RADIUS
crypto map mymap interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpdn group L2TP-VPN accept dialin l2tp
vpdn group L2TP-VPN ppp authentication mschap
vpdn group L2TP-VPN client configuration address local L2TP-IP-Pool-1
vpdn group L2TP-VPN client configuration dns 192.168.1.50
vpdn group L2TP-VPN client authentication aaa RADIUS
vpdn group L2TP-VPN client accounting RADIUS
vpdn group L2TP-VPN l2tp tunnel hello 60
vpdn enable outside
I have changed the IP addresses I am using, plus I have omitted the PKI Certificate stuff. For PSKs you would need to change the ISAKMP policy.
HTH
Andy
So does this work with WM6.1 native IPSec stack?
There's a similar thread here:
http://forum.xda-developers.com/showthread.php?t=280565&page=2
Someone else stated they figured it out.
stepw said:
So does this work with WM6.1 native IPSec stack?
There's a similar thread here:
http://forum.xda-developers.com/showthread.php?t=280565&page=2
Someone else stated they figured it out.
Yes. I have tested this with Windows XP & 2003 as well as Windows Mobile 6.0 & 6.1. The default policies with Vista prevent this working 'out-of-the-box' due to AES being the minimum encryption the Vista VPN client will negotiate (ISAKMP). You can change this though, but it's a pain to do individually and is best pushed down via a GPO - or use an ASA or PIX 7.x or 8.x that supports AES ISAKMP policies.
Andy
ADB100, how is your Cisco firewall configured? I've gotten past phase 1 now, but it's stalling at phase 2 as I can't get the client to request the correct policy; it keeps falling back to the default, which I can't reconfigure as other policies inherit from it.
Starting to lose my patience, so close yet so far! WinMo 6.1 and Cisco ASA VPN still has big issues and no one on the internet seems to know why.
ADB100 said:
Yes. I have tested this with Windows XP & 2003 as well as Windows Mobile 6.0 & 6.1. The default policies with Vista prevent this working 'out-of-the-box' due to AES being the minimum encryption the Vista VPN client will negotiate (ISAKMP). You can change this though, but it's a pain to do individually and is best pushed down via a GPO - or use an ASA or PIX 7.x or 8.x that supports AES ISAKMP policies.
Andy
I pretty much posted all the VPN stuff in my previous post. I could send you the entire config if you wish (with some bits scrubbed, obviously). I may have an ASA at the end of next week to play around with. I will be installing it at a customer site the following week, so I should have enough time to test the VPN stuff out, if you can wait? (I'm a CCIE.....)
Cheers
Andy
So you did, Andy; sorry I didn't link you to the earlier post. I will continue playing with the ASA today (as you might have guessed, I'm not that up to speed with Cisco) and let you know if I get anything.
FWIW, here is the drop-out from when it was failing at phase 1; I don't have the latest log to hand.
Code:
IP = , Error: Unable to remove PeerTblEntry
IP = , Removing peer from peer table failed, no match!
IP = , sending delete/delete with reason message
IP = , IKE SA MM:bccde876 terminating: flags 0x01000002, refcnt 0, tuncnt 0
IP = , IKE MM Responder FSM error history (struct &0xd888df20) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
IP = , IKE_DECODE RESENDING Message (msgid=1100200) with payloads : HDR + UNKNOWN (218), *** ERROR *** + NONE (0) total length : 128
IP = , IKE_DECODE RESENDING Message (msgid=1100200) with payloads : HDR + UNKNOWN (218), *** ERROR *** + NONE (0) total length : 128
IP = , IKE_DECODE RESENDING Message (msgid=1100200) with payloads : HDR + UNKNOWN (218), *** ERROR *** + NONE (0) total length : 128
IP = , IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
IP = , constructing Fragmentation VID + extended capabilities payload
IP = , constructing NAT-Traversal VID ver 02 payload
IP = , constructing ISAKMP SA payload
IP = , IKE SA Proposal # 1, Transform # 8 acceptable Matches global IKE entry # 3
IP = , processing IKE SA payload
IP = , Received NAT-Traversal ver 02 VID
IP = , processing VID payload
IP = , Received Fragmentation VID
IP = , processing VID payload
IP = , processing VID payload
IP = , Oakley proposal is acceptable
IP = , processing SA payload
IP = , IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 544
IP = , Received encrypted packet with no matching SA, dropping
Ignoring msg to mark SA with dsID 151552 dead because SA deleted
IP = , IKE_DECODE SENDING Message (msgid=bbb6340d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Group = DefaultRAGroup, IP = , constructing qm hash payload
Group = DefaultRAGroup, IP = , constructing IKE delete payload
Group = DefaultRAGroup, IP = , constructing blank hash payload
Group = DefaultRAGroup, IP = , sending delete/delete with reason message
Group = DefaultRAGroup, IP = , IKE SA MM:78a1831c terminating: flags 0x01000002, refcnt 0, tuncnt 0
Group = DefaultRAGroup, IP = , IKE SA MM:78a1831c rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
Group = DefaultRAGroup, IP = , Removing peer from correlator table failed, no match!
Group = DefaultRAGroup, IP = , sending delete/delete with reason message
Group = DefaultRAGroup, IP = , IKE QM Responder FSM error history (struct &0xd876e128) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Group = DefaultRAGroup, IP = , QM FSM error (P2 struct &0xd876e128, mess id 0x713438aa)!
IP = , IKE_DECODE SENDING Message (msgid=c1a6b7b3) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Group = DefaultRAGroup, IP = , constructing qm hash payload
Group = DefaultRAGroup, IP = , constructing ipsec notify payload for msg id 713438aa
Group = DefaultRAGroup, IP = , constructing blank hash payload
Group = DefaultRAGroup, IP = , sending notify message
Group = DefaultRAGroup, IP = , All IPSec SA proposals found unacceptable!
Group = DefaultRAGroup, IP = , processing IPSec SA payload
Group = DefaultRAGroup, IP = , IKE Remote Peer configured for crypto map: outside-new_dyn_map
Group = DefaultRAGroup, IP = , Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Group = DefaultRAGroup, IP = , Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Group = DefaultRAGroup, IP = , Static Crypto Map check, map = outside-new_map, seq = 20, ACL does not match proxy IDs src: dst:213.122.163.115
Group = DefaultRAGroup, IP = , Static Crypto Map check, checking map = outside-new_map, seq = 20...
Group = DefaultRAGroup, IP = , QM IsRekeyed old sa not found by addr
Group = DefaultRAGroup, IP = , processing NAT-Original-Address payload
Group = DefaultRAGroup, IP = , L2TP/IPSec session detected.
Group = DefaultRAGroup, IP = , Received local Proxy Host data in ID Payload: Address 213.122.163.115, Protocol 17, Port 1701
Group = DefaultRAGroup, IP = , ID_IPV4_ADDR ID received
Group = DefaultRAGroup, IP = , processing ID payload
Group = DefaultRAGroup, IP = , Received remote Proxy Host FQDN in ID Payload: Host Name: HTC70 Address , Protocol 17, Port 1701
Group = DefaultRAGroup, IP = , ID_FQDN ID received, len 5
Group = DefaultRAGroup, IP = , processing ID payload
Group = DefaultRAGroup, IP = , processing nonce payload
Group = DefaultRAGroup, IP = , processing SA payload
Group = DefaultRAGroup, IP = , processing hash payload
IP = , IKE_DECODE RECEIVED Message (msgid=713438aa) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NONE (0) total length : 293
IP = , IKE Responder starting QM: msg id = 713438aa
Group = DefaultRAGroup, IP = , Starting P1 rekey timer: 21600 seconds.
IP = , Keep-alives configured on but peer does not support keep-alives (type = None)
IP = , Keep-alive type for this connection: None
Group = DefaultRAGroup, IP = , PHASE 1 COMPLETED
IP = , IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 96
Group = DefaultRAGroup, IP = , constructing dpd vid payload
Group = DefaultRAGroup, IP = , Computing hash for ISAKMP
Group = DefaultRAGroup, IP = , constructing hash payload
Group = DefaultRAGroup, IP = , constructing ID payload
Group = DefaultRAGroup, IP = , Freeing previously allocated memory for authorization-dn-attributes
IP = , Connection landed on tunnel_group DefaultRAGroup
Group = DefaultRAGroup, IP = , Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Group = DefaultRAGroup, IP = , Computing hash for ISAKMP
Group = DefaultRAGroup, IP = , processing hash payload
Group = DefaultRAGroup, IP = , ID_FQDN ID received, len 5
Group = DefaultRAGroup, IP = , processing ID payload
IP = , IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 61
Group = DefaultRAGroup, IP = , P1 Retransmit msg dispatched to MM FSM
Group = DefaultRAGroup, IP = , Duplicate Phase 1 packet detected. Retransmitting last packet.
IP = , IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Group = DefaultRAGroup, IP = , Generating keys for Responder...
IP = , Connection landed on tunnel_group DefaultRAGroup
IP = , computing NAT Discovery hash
IP = , constructing NAT-Discovery payload
IP = , computing NAT Discovery hash
IP = , constructing NAT-Discovery payload
IP = , Send Altiga/Cisco VPN3000/Cisco ASA GW VID
IP = , constructing VID payload
IP = , Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
IP = , Send IOS VID
IP = , constructing xauth V6 VID payload
IP = , constructing Cisco Unity VID payload
IP = , constructing nonce payload
IP = , constructing ke payload
IP = , computing NAT Discovery hash
IP = , processing NAT-Discovery payload
IP = , computing NAT Discovery hash
IP = , processing NAT-Discovery payload
IP = , processing nonce payload
IP = , processing ISA_KE payload
IP = , processing ke payload
IP = , IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 224
IP = , IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
IP = , P1 Retransmit msg dispatched to MM FSM
IP = , Duplicate Phase 1 packet detected. Retransmitting last packet.
IP = , IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
IP = , P1 Retransmit msg dispatched to MM FSM
IP = , Duplicate Phase 1 packet detected. Retransmitting last packet.
IP = , IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
IP = , constructing Fragmentation VID + extended capabilities payload
IP = , constructing NAT-Traversal VID ver 02 payload
IP = , constructing ISAKMP SA payload
IP = , IKE SA Proposal # 1, Transform # 8 acceptable Matches global IKE entry # 3
IP = , processing IKE SA payload
IP = , processing VID payload
IP = , Received NAT-Traversal ver 02 VID
IP = , processing VID payload
IP = , Received Fragmentation VID
IP = , processing VID payload
IP = , processing VID payload
IP = , Oakley proposal is acceptable
IP = , processing SA payload
IP = , IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 564
Thank you for your help thus far Andy.
ETA - I removed the timestamp to get within char limit, the oldest (first) message is at the bottom, newest (last) at top
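To make ASA debug output like the two logs above quicker to read, here is a small triage script. It is an added example, not code from this thread or from Cisco: it parses lines in the `Group = X, IP = Y, message` format, unpicks the responder FSM error history (which the ASA lists newest step first), and pairs each phase 1 or phase 2 failure with the last reason line the ASA logged for that peer. It handles both orderings seen in the thread (chronological, and the newest-first order noted in the post above). The sample lines are constructed from the message formats in this thread, with the documentation address 203.0.113.5 standing in for the real peer.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One ASA ISAKMP debug line: optional syslog prefix (severity, timestamp, message id)
# as in the first log in the thread, optional "Group = X, ", then "IP = Y, <message>".
LINE_RE = re.compile(
    r"^(?:(?P<sev>\d)\s+(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+(?P<id>\d{6})\s+)?"
    r"(?:Group = (?P<group>[^,]*), )?IP = (?P<ip>[^,]*), (?P<msg>.*)$"
)
# Main-mode (phase 1) or quick-mode (phase 2) responder state-machine history.
FSM_RE = re.compile(r"IKE (?P<mode>MM|QM) Responder FSM error history .*?<event>: (?P<hist>.*)$")
# Reason lines the ASA logs shortly before tearing the SA down (all taken from this thread).
REASONS = (
    "Can't find a valid tunnel group",
    "All IPSec SA proposals found unacceptable",
    "Received encrypted packet with no matching SA",
)


@dataclass
class Failure:
    peer: str
    phase: int             # 1 = ISAKMP main mode, 2 = IPsec quick mode
    state: str             # FSM state in which the error was raised
    event: str             # event being processed when it failed
    reason: Optional[str]  # last explanatory message seen for this peer, if any
    group: Optional[str]   # tunnel group the ASA had mapped the peer to


def parse_history(hist: str) -> Tuple[str, str]:
    """History is newest first: 'MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->...'.
    Entry 0 is the terminal error; entry 1 is the state/event that actually failed."""
    steps = [s.split(", ") for s in hist.split("-->")]
    if len(steps) > 1 and len(steps[1]) == 2:
        return steps[1][0].strip(), steps[1][1].strip()
    return "?", "?"


def triage(lines: List[str], newest_first: bool = False) -> List[Failure]:
    """Walk the log chronologically, attaching the most recent reason line to each FSM failure."""
    if newest_first:
        lines = list(reversed(lines))
    failures: List[Failure] = []
    last_reason: Dict[str, str] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # e.g. "Ignoring msg to mark SA ... dead" carries no "IP =" prefix
        peer = m["ip"].strip() or "<unknown>"
        msg = m["msg"]
        # A received message 1 (HDR + SA) starts a fresh main-mode exchange: forget stale reasons.
        if "IKE_DECODE RECEIVED Message (msgid=0)" in msg and "HDR + SA (1)" in msg:
            last_reason.pop(peer, None)
            continue
        if any(r in msg for r in REASONS):
            last_reason[peer] = msg
        f = FSM_RE.search(msg)
        if f:
            state, event = parse_history(f["hist"])
            failures.append(Failure(peer, 1 if f["mode"] == "MM" else 2, state, event,
                                    last_reason.pop(peer, None), m["group"]))
    return failures


# Constructed samples in the thread's format (203.0.113.5 is a documentation address).
SAMPLE_PHASE1 = """\
7 Nov 12 2008 15:36:23 713236 IP = 203.0.113.5, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 564
7 Nov 12 2008 15:36:24 713906 IP = 203.0.113.5, computing NAT Discovery hash
4 Nov 12 2008 15:36:24 713903 Group = 203.0.113.5, IP = 203.0.113.5, Can't find a valid tunnel group, aborting...!
7 Nov 12 2008 15:36:24 715065 Group = 203.0.113.5, IP = 203.0.113.5, IKE MM Responder FSM error history (struct &0x0) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT
7 Nov 12 2008 15:36:24 713906 Group = 203.0.113.5, IP = 203.0.113.5, sending delete/delete with reason message
""".splitlines()

# Newest line first, as in the long log posted above.
SAMPLE_PHASE2_NEWEST_FIRST = """\
Group = DefaultRAGroup, IP = 203.0.113.5, IKE QM Responder FSM error history (struct &0x0) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY
Group = DefaultRAGroup, IP = 203.0.113.5, QM FSM error (P2 struct &0x0, mess id 0x713438aa)!
Group = DefaultRAGroup, IP = 203.0.113.5, All IPSec SA proposals found unacceptable!
Group = DefaultRAGroup, IP = 203.0.113.5, processing IPSec SA payload
Group = DefaultRAGroup, IP = 203.0.113.5, PHASE 1 COMPLETED
IP = 203.0.113.5, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 544
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_PHASE1) + triage(SAMPLE_PHASE2_NEWEST_FIRST, newest_first=True):
        print(f"peer {f.peer} failed in phase {f.phase} at {f.state}/{f.event} "
              f"(group {f.group}): {f.reason}")
```

Run it on a file with `triage(open("asa.log").read().splitlines())`, passing `newest_first=True` when the log was pasted from a viewer that shows the latest line on top. The state/event pair is often enough on its own: `MM_BLD_MSG4/EV_GROUP_LOOKUP` is the tunnel-group lookup failing while the ASA builds main-mode message 4, `MM_WAIT_MSG3/EV_TIMEOUT` is the peer never sending message 3, and `QM_BLD_MSG2/EV_NEGO_SA` is the phase 2 proposal mismatch.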
Update - I've decided to go down the cert route as there's a working config from Andy above; however, the Cisco ASA exports its certificates in a format the WinMo device can't import! Any ideas?
jon- said:
Update - I've decided to go down the cert route as there's a working config from Andy above; however, the Cisco ASA exports its certificates in a format the WinMo device can't import! Any ideas?
OK, I have just got this working in my lab......
I have got a pretty basic config at the moment. I am using a pre-shared key for the ISAKMP phase I negotiation and local users. I have tested it with a Windows XP client and a couple of minutes ago with WM6.1 on my Kaiser. Both worked first time. I used the ASDM GUI to generate this configuration, I just attempted to match up the old PIX 6.3(5) config with the 7.2(4) code that is running on the new PIX.
Code:
ip local pool ip-pool 10.20.20.1-10.20.20.10 mask 255.255.255.240
!
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map inside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.10.10.10
 vpn-tunnel-protocol l2tp-ipsec
!
username cisco password cisco privilege 0
username cisco attributes
 vpn-group-policy DefaultRAGroup
!
tunnel-group DefaultRAGroup general-attributes
 address-pool ip-pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key cisco
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
I will do some more testing and get the authentication passed to an external Radius server as well as using RSA Certificates instead of a PSK.
HTH
Andy
Thanks Andy. Are you using the default policy for the devices? My problem seems to be I can't select a different group/tunnel/policy with WinMo 6.1, so it falls back to the default one, which I can't configure to work with the device.
Yes, it's the default one (DefaultRAGroup); this is pretty much a vanilla PIX (it's not actually a real PIX, it's just an emulated one as well....). If you can let me have some of the bits of your config I can maybe test them here?
Andy
Herein lies my problem (I think): I can't use the default policy, but can't force my phone to another policy.
Andy,
Been playing with the Greenbow VPN client today after giving up on the built-in one. Not having much luck with that either; it seems to be trying to set up a LAN-to-LAN tunnel as well.
Here's the ASA config as requested
Code:
ip local pool Pool1 10.x.x.x-10.x.x.x mask 255.x.x.x
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside-new_dyn_map 20 set pfs
crypto dynamic-map outside-new_dyn_map 20 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_SHA
crypto dynamic-map outside-new_dyn_map 40 set pfs
crypto dynamic-map outside-new_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 62.x.x.x
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside-new_map 20 match address outside-new_cryptomap_20
crypto map outside-new_map 20 set peer 62.x.x.x
crypto map outside-new_map 20 set transform-set ESP-DES-MD5
crypto map outside-new_map 65535 ipsec-isakmp dynamic outside-new_dyn_map
crypto map outside-new_map interface outside-new
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable outside-new
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption des
 hash md5
 group 1
 lifetime 86400
group-policy DfltGrpPolicy attributes
 banner value hispek.com vpn
 vpn-simultaneous-logins 30
 vpn-tunnel-protocol IPSec webvpn
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Internal_Nets
 default-domain value hispek
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
group-policy MobileVPN internal
group-policy MobileVPN attributes
 dns-server value 10.x.x.x 10.x.x.x
 vpn-tunnel-protocol IPSec l2tp-ipsec
username jjbmobile password * encrypted privilege 15
username jjbmobile attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 service-type admin
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key M0b1132
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group 62.x.x.x type ipsec-l2l
tunnel-group 62.x.x.x ipsec-attributes
 pre-shared-key m0squito
tunnel-group MobileVPN type remote-access
tunnel-group MobileVPN general-attributes
 address-pool Pool1
 default-group-policy MobileVPN
tunnel-group MobileVPN ipsec-attributes
 pre-shared-key JonsSillyNewPhone
tunnel-group MobileVPN ppp-attributes
 authentication ms-chap-v2
!
class-map global-class
 match default-inspection-traffic
class-map inside-class
 match access-list inside_mpc
class-map outside-class
 match access-list outside_mpc
!
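Jon's phase 2 log shows the connection landing on DefaultRAGroup and ending in "All IPSec SA proposals found unacceptable", while Andy's lab config shows the pieces an L2TP/IPsec client needs under that default group. The checker below is an added example (not the thread's or Cisco's code, and not an ASDM feature) that reads an ASA configuration, groups indented sub-commands under their parent line, and reports whether the tunnel group the client lands on has an address pool, a pre-shared key, MS-CHAPv2 PPP authentication, a group policy that allows l2tp-ipsec, and an interface-bound crypto map leading to a transport-mode transform set. The two sample configs are constructed from the thread's posts with placeholder keys; the fallback to DfltGrpPolicy when a tunnel group sets no default-group-policy is my assumption, and user-level overrides (username ... attributes) are deliberately not considered.

```python
import re
from typing import Dict, List, Optional


def parse_asa_config(text: str) -> Dict[str, List[str]]:
    """Group a config into {top-level command: [indented sub-commands]}; '!' lines are skipped."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def lint_l2tp_ipsec(text: str, tunnel_group: str = "DefaultRAGroup") -> List[str]:
    """Return findings for the named tunnel group; an empty list means every checked element is present."""
    blocks = parse_asa_config(text)
    findings: List[str] = []
    # (a) transport-mode transform sets, and the dynamic maps that offer at least one of them
    transport_sets, good_dyn_maps, bound_maps = set(), set(), set()
    for cmd in blocks:
        m = re.match(r"crypto ipsec transform-set (\S+) mode transport$", cmd)
        if m:
            transport_sets.add(m.group(1))
        m = re.match(r"crypto map (\S+) interface \S+$", cmd)
        if m:
            bound_maps.add(m.group(1))
    for cmd in blocks:
        m = re.match(r"crypto dynamic-map (\S+) \d+ set transform-set (.+)$", cmd)
        if m and set(m.group(2).split()) & transport_sets:
            good_dyn_maps.add(m.group(1))
    # (b) a crypto map applied to an interface must chain to such a dynamic map
    reachable = False
    for cmd in blocks:
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", cmd)
        if m and m.group(1) in bound_maps and m.group(2) in good_dyn_maps:
            reachable = True
    if not reachable:
        findings.append("no interface-bound crypto map reaches a dynamic map with a transport-mode transform-set")
    # (c) the tunnel group the client lands on and its effective group policy
    general = blocks.get(f"tunnel-group {tunnel_group} general-attributes", [])
    policy = "DfltGrpPolicy"  # assumed fallback when no default-group-policy is configured
    for sub in general:
        m = re.match(r"default-group-policy (\S+)$", sub)
        if m:
            policy = m.group(1)
    if not any(s.startswith("address-pool ") for s in general):
        findings.append(f"tunnel-group {tunnel_group} has no address-pool")
    protos = [s for s in blocks.get(f"group-policy {policy} attributes", [])
              if s.startswith("vpn-tunnel-protocol ")]
    if not protos or "l2tp-ipsec" not in protos[-1].lower():
        findings.append(f"group-policy {policy} (used by tunnel-group {tunnel_group}) does not allow l2tp-ipsec")
    ipsec_attrs = blocks.get(f"tunnel-group {tunnel_group} ipsec-attributes", [])
    if not any(s.startswith("pre-shared-key ") for s in ipsec_attrs):
        findings.append(f"tunnel-group {tunnel_group} has no pre-shared-key")
    if "authentication ms-chap-v2" not in blocks.get(f"tunnel-group {tunnel_group} ppp-attributes", []):
        findings.append(f"tunnel-group {tunnel_group} ppp-attributes lacks 'authentication ms-chap-v2'")
    return findings


# Constructed sample 1: the shape of Andy's working lab config (placeholder PSK).
WORKING = """\
ip local pool ip-pool 10.20.20.1-10.20.20.10 mask 255.255.255.240
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map inside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface outside
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool ip-pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
"""

# Constructed sample 2: the shape of Jon's config, where DefaultRAGroup inherits DfltGrpPolicy.
BROKEN = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside-new_dyn_map 20 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_SHA
crypto map outside-new_map 65535 ipsec-isakmp dynamic outside-new_dyn_map
crypto map outside-new_map interface outside-new
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
"""

if __name__ == "__main__":
    for name, cfg in (("working", WORKING), ("broken", BROKEN)):
        print(name, lint_l2tp_ipsec(cfg) or ["OK"])
```

Feed it `show running-config` output saved to a file (`lint_l2tp_ipsec(open("asa.cfg").read())`) and pass the group name the ASA reports in "Connection landed on tunnel_group ..." as `tunnel_group`. On the second sample it reports exactly the two gaps the thread circles around: the landing group has no address pool of its own, and the policy it inherits does not list l2tp-ipsec.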
Windows Mobile 6.1 with ASA 5510
ADB100 said:
I pretty much posted all the VPN stuff in my previous post. I could send you the entire config if you wish (with some bits scrubbed obviously). I may have an ASA at the end of next week to play around. I will be installing it at a customer site the following week so I should have enough time to test the VPN stuff out, if you can wait? (I'm a CCIE.....)
Cheers
Andy
Hi Andy,
I am a new user to the forum.... I am trying to work out how to connect Windows Mobile 6.1 to an ASA 5510 using IPSec, through the available VPN client, which allows L2TP/IPSec & PPTP.
I have seen your posts and found you got this working without any external VPN client.... Would you be able to share that configuration with me???
Thanks,
nil3879
Too bad Bluefire Security went out-of-business because their WinMo VPN client worked really well with Cisco VPN 3000 series concentrator and PIX 500 series firewalls and I'm sure it would work with Cisco ASA as well. Tested using group password and AD authentication.
I'm having issues sending & receiving MMS messages. The data connection works fine for browsing, and the APN settings are the ones from the O2 website (although I've tried several combinations from Google).
Same problem on both PPP and RMNet on michy's r11 and PPP on hastarin 7.2; can't figure it out. I've spent hours on Google and have searched XDA, and can't get anywhere.
I've even tried using the Google DNS & O2 DNS servers to no avail.
I've included a logcat of what happens when I try to send an MMS in case it helps.
Does anyone have any ideas? I'm stumped.
We have 2 HD2s on O2, happens on both.
MMS works fine in WinMo.
WinMo: O2 Stock 1.72
Radio 2.12 & 2.15
Android: Bangsters 1.4 & 1.5
Kernel: michy's r11 and hastarin #7.2
Code:
I/pppd ( 2973): PAP authentication succeeded
D/MobileDataStateTracker( 304): mms Received state= CONNECTED, old= CONNECTING, reason= apnSwitched, apnTypeList= mms
D/NetworkStateTracker( 304): setDetailed state, old =CONNECTING and new state=CONNECTED
D/ConnectivityService( 304): ConnectivityChange for mobile_mms: CONNECTED/CONNECTED
V/NetworkStateTracker( 304): Setting TCP values: [4093,26280,35040,4096,16384,35040] which comes from [net.tcp.buffersize.edge]
D/NetworkLocationProvider( 304): onDataConnectionStateChanged 1
D/NetworkStateTracker( 304): addPrivateDnsRoutes for Mobile data state: CONNECTED(ppp0) - mPrivateDnsRouteSet = false
D/NetworkStateTracker( 304): adding 193.113.200.200 (-926387775)
D/NetworkStateTracker( 304): adding 193.113.200.201 (-909610559)
D/Tethering( 304): Tethering got CONNECTIVITY_ACTION
D/Tethering( 304): MasterInitialState.processMessage what=3
E/HierarchicalStateMachine( 304): TetherMaster - unhandledMessage: msg.what=3
D/GpsLocationProvider( 304): updateNetworkState available info: NetworkInfo: type: mobile_mms[EDGE], state: CONNECTED/CONNECTED, reason: apnSwitched, extra: mobile.o2.co.uk, roaming: false, failover: false, isAvailable: true
V/NetworkChange( 767): Received network change notification
D/NetworkLocationProvider( 304): updateNetworkState(): Updating network state to 2
D/ConnectivityService( 304): startUsingNetworkFeature for net 0: enableMMS
D/ConnectivityService( 304): getMobileDataEnabled returning true
D/ConnectivityService( 304): special network already active
I/GTalkService( 440): [ServiceAutoStarter] --- connectivity changed
I/GTalkService( 440): [ServiceAutoStarter] --- start GTalk service ---
I/MediaUploader( 731): No need to wake up
E/SendTransaction( 596): java.io.IOException: Cannot establish route for http://mmsc.mms.o2.co.uk: Unknown host
E/SendTransaction( 596): at com.android.mms.transaction.Transaction.ensureRouteToHost(Transaction.java:210)
E/SendTransaction( 596): at com.android.mms.transaction.Transaction.sendPdu(Transaction.java:165)
E/SendTransaction( 596): at com.android.mms.transaction.Transaction.sendPdu(Transaction.java:150)
E/SendTransaction( 596): at com.android.mms.transaction.SendTransaction.run(SendTransaction.java:118)
E/SendTransaction( 596): at java.lang.Thread.run(Thread.java:1096)
E/SendTransaction( 596): Delivery failed.
bump bump. Same problem here for me
contract or payg ?
contract.......................
In your MMS APN settings is the http://mmsc* server information in the SERVER or MMS SERVER slot?
dkl_uk said:
In your MMS APN settings is the http://mmsc* server information in the SERVER or MMS SERVER slot?
Tried in each and both
optiknerv said:
Tried in each and both
Well it definitely shouldn't be in the SERVER slot, that's part of your issue and you will receive errors regarding the lack of connection. It's trying to connect to something it's not supposed to want to connect to.
You have a choice of the following:
Data Bearer:
GPRS
Access Point Node (APN):
wap.o2.co.uk (contract)
payandgo.o2.co.uk (PAYG)
User ID:
o2wap (contract)
payandgo (PAYG)
Password:
password
Authentication
Normal
Gateway
193.113.200.195
MMS Message Server
http://mmsc.mms.o2.co.uk:8002
ENSURE there is a tick only in the MMS box.
I have tried to set up MMS in my network settings and failed, although it can be done. You should end up with two APNs, one is "default,supl" and the other is "mms".
dkl_uk said:
Well it definitely shouldn't be in the SERVER slot, that's part of your issue and you will receive errors regarding the lack of connection. It's trying to connect to something it's not supposed to want to connect to.
You have a choice of the following:
Data Bearer:
GPRS
Access Point Node (APN):
wap.o2.co.uk (contract)
payandgo.o2.co.uk (PAYG)
User ID:
o2wap (contract)
payandgo (PAYG)
Password:
password
Authentication
Normal
Gateway
193.113.200.195
MMS Message Server
http://mmsc.mms.o2.co.uk:8002
ENSURE there is a tick only in the MMS box.
I have tried to set up MMS in my network settings and failed, although it can be done. You should end up with two APNs, one is "default,supl" and the other is "mms".
I don't get a failed connection error. In fact, I note that when I click send it disconnects from the data connection then reconnects (I presume to the MMS settings); it seems to show data upload and download, but after a couple of minutes I get a "failed to send message after multiple attempts" error.
It's just a wild guess, but I had problems with sending MMSes (while being sure that all carrier APN's settings were correct), when MMS Size setting was set to higher values than 300 KB. Although my problems were only with sending MMSes - I could receive them without any problems.
adecostres said:
It's just a wild guess, but I had problems with sending MMSes (while being sure that all carrier APN's settings were correct), when MMS Size setting was set to higher values than 300 KB. Although my problems were only with sending MMSes - I could receive them without any problems.
Seems this was the problem. Cheers.