3

I'm trying to get VPN working between various devices and a Cisco ASA 5520 running 7.2(1). When trying to connect with a Mac running OS X 10.5.8, I keep getting this error. On the ASA it says:

Sep 16 13:44:02 [IKEv1 DEBUG]: Group = <redacted>, IP = <redacted>, All SA proposals found unacceptable
Sep 16 13:44:02 [IKEv1]: IP = <redacted>, All IKE SA proposals found unacceptable!

How can I tell what the Mac is asking for that the ASA will not provide?

longneck
  • Either by looking in the settings on the Mac side to see what proposals it's configured to try, or the logs on the Mac. Or see if you can increase the detail in the Cisco logs to get more than the above. You haven't said what software you're using on the Mac side. – TessellatingHeckler Sep 16 '11 at 20:54
  • The client is the VPN built-in to the Mac OS, and it doesn't say what proposals it will try. The Mac log has no detail beyond "IPSec connection failed" during Phase 1, and the max logging from the Cisco ASA is what you see above. – longneck Sep 16 '11 at 21:16
  • Assuming it can work, you could Google for OS X's default settings (I can't find them quickly), or point it at a server you do control and can get better logs from. It's not something I've played with before - is it a generic IPSEC VPN on the Mac, or a built-in Cisco VPN client? – TessellatingHeckler Sep 16 '11 at 22:14

1 Answer

3

I don't think there is a way to see what proposal an incoming device attempted. Even 'debug isakmp 99' on the ASA will not reveal this. However, I believe the default phase 1 settings for Apple devices would be 3DES/SHA-1/DH2, so on your ASA you would need to configure something similar to...

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400  

and you'll need to enable nat-t if you haven't already:

crypto isakmp nat-traversal 3600

This document on the Cisco website covers L2TP over IPsec and has a little section on iPhone and Mac OS X compatibility.

paulos
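The "All IKE SA proposals found unacceptable" message means no configured `crypto isakmp policy` agreed with anything the client offered. As an added example (not part of the original answer and not Cisco code), this Python script compares the policy blocks of a pasted configuration with the 3DES/SHA-1/DH2 pre-shared-key proposal the answer assumes and lists the fields that differ per policy. Policy 20 is a hypothetical addition, only explicitly configured values are compared (ASA defaults are not modelled), and lifetime is parsed but not compared.

```python
import re

# Constructed sample config: policy 10 is the one from the answer; policy 20
# is a hypothetical AES-only policy added to show a non-matching case.
ASA_CONFIG = """\
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 3600
"""

# Phase 1 proposal the answer believes Apple clients send (3DES/SHA-1/DH2, PSK).
CLIENT_PROPOSAL = {"authentication": "pre-share", "encryption": "3des",
                   "hash": "sha", "group": "2"}

FIELDS = ("authentication", "encryption", "hash", "group")

def parse_policies(config):
    """Return {priority: {keyword: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.fullmatch(r"crypto isakmp policy (\d+)", line.strip())
        parts = line.split()
        if header:
            current = policies.setdefault(int(header.group(1)), {})
        elif current is not None and len(parts) == 2 and parts[0] in FIELDS + ("lifetime",):
            current[parts[0]] = parts[1]
        else:
            current = None  # any other command ends the policy block
    return policies

def mismatches(policies, proposal):
    """Per policy, the fields that differ from the proposal ([] means acceptable)."""
    return {prio: [f for f in FIELDS if pol.get(f) != proposal[f]]
            for prio, pol in sorted(policies.items())}

def first_acceptable(policies, proposal):
    """Lowest-numbered policy matching the proposal, or None if all are unacceptable."""
    return next((p for p, diff in mismatches(policies, proposal).items() if not diff), None)

if __name__ == "__main__":
    print(mismatches(parse_policies(ASA_CONFIG), CLIENT_PROPOSAL))
```

An empty list for a policy means the assumed proposal would be accepted by it; if every policy lists differences, the ASA has nothing to offer that client and logs the error from the question.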