
iOS VPN Sophos XG

Hi folks,

I don't know exactly since when, to be honest, but yesterday I noticed that my iOS On Demand VPN stopped working. I tried to reconfigure it now with certificate authentication (because I had wanted to do this for a long time), but still no success.

What I've done: configured Sophos Connect as always. Then I downloaded the mobileconfig for iOS via the UserPortal and imported it successfully on my iPhone. And that's where the fun stops :-O

The phone tries to connect and gives me an error that the communication with the VPN server fails. That's the corresponding log from the Sophos XG console (I just obfuscated my IPs and certificate details):


2019-07-24 06:56:14 27[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (848 bytes)
2019-07-24 06:56:14 27[ENC] <2> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
2019-07-24 06:56:14 27[IKE] <2> received NAT-T (RFC 3947) vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2019-07-24 06:56:14 27[IKE] <2> received XAuth vendor ID
2019-07-24 06:56:14 27[IKE] <2> received Cisco Unity vendor ID
2019-07-24 06:56:14 27[IKE] <2> received FRAGMENTATION vendor ID
2019-07-24 06:56:14 27[IKE] <2> received DPD vendor ID
2019-07-24 06:56:14 27[IKE] <2> --this-is-my-mobile-ip-- is initiating a Main Mode IKE_SA
2019-07-24 06:56:14 27[ENC] <2> generating ID_PROT response 0 [ SA V V V V V ]
2019-07-24 06:56:14 27[NET] <2> sending packet: from --this-is-my-official-ip--[500] to --this-is-my-mobile-ip--[500] (180 bytes)
2019-07-24 06:56:14 30[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (380 bytes)
2019-07-24 06:56:14 30[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2019-07-24 06:56:14 30[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2019-07-24 06:56:14 30[NET] <2> sending packet: from --this-is-my-official-ip--[500] to --this-is-my-mobile-ip--[500] (396 bytes)
2019-07-24 06:56:14 28[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (1280 bytes)
2019-07-24 06:56:14 28[ENC] <2> parsed ID_PROT request 0 [ FRAG(1) ]
2019-07-24 06:56:14 28[ENC] <2> received fragment #1, waiting for complete IKE message
2019-07-24 06:56:14 07[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (500 bytes)
2019-07-24 06:56:14 07[ENC] <2> parsed ID_PROT request 0 [ FRAG(2/2) ]
2019-07-24 06:56:14 07[ENC] <2> received fragment #2, reassembling fragmented IKE message
2019-07-24 06:56:14 07[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (1708 bytes)
2019-07-24 06:56:14 07[ENC] <2> parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
2019-07-24 06:56:14 07[IKE] <2> ignoring certificate request without data
2019-07-24 06:56:14 07[IKE] <2> received end entity cert "C=AT, ST=NA, L=NA, O=PRIVATE, OU=OU, CN=remote.example.com, E=void@example.com"
2019-07-24 06:56:14 07[CFG] <2> looking for XAuthInitRSA peer configs matching --this-is-my-official-ip--...--this-is-my-mobile-ip--[C=AT, ST=NA, L=NA, O=PRIVATE, OU=OU, CN=remote.example.com, E=void@example.com]
2019-07-24 06:56:14 07[IKE] <2> no peer config found
2019-07-24 06:56:14 07[ENC] <2> generating INFORMATIONAL_V1 request 274853226 [ HASH N(AUTH_FAILED) ]
2019-07-24 06:56:14 07[NET] <2> sending packet: from --this-is-my-official-ip--[500] to --this-is-my-mobile-ip--[500] (108 bytes)
2019-07-24 06:56:17 12[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:17 14[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:21 16[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:21 15[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:24 19[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:24 17[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:37 08[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:37 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
Do you have any idea why it stopped working? I'm currently on the latest SFOS 17.5.7 MR-7 version. I also tried to go back to SFOS 17.5.5 MR-5, but still the same issue.

Thx for any advice!

BR
Florian

  • Hi

    I would request you to verify the configuration using the articles below and ensure that the certificates for local and remote are configured and applied in the VPN configuration.

    https://community.sophos.com/kb/en-us/123138

    https://community.sophos.com/kb/en-us/123137

  • Hi Keyur,


    Unfortunately, neither of these entries helped at all. As I mentioned, it STOPPED working - that means it worked before :)


    Thx

  • Hi

    I would request you to contact our technical support team and open a support case to investigate the issue further.

  • Hi,

    Unfortunately, I only have the free Home version, so I guess only community support is available to me :)

    BR

  • Hi

    I will perform the same scenario at my end and share the results with you. Meanwhile, can you please share screenshots of your iOS configuration and XG configuration?

  • Hey Keyur,

    Here you go (I only obfuscated my real IP and hostname):


    As I told you, I simply downloaded the configuration profile via the UserPortal, so there is nothing to share there.

  • Hi

    The configuration seems to be correct; it should work.

    Can you please execute the command below and share the logs?

    "show vpn IPSec-logs" from the console

    Please also share the logs when you connect, using the command: tcpdump 'port 500 or 4500'

    Are you using IPsec in iOS configuration?

  • Hey Keyur,

    Here you go:
    console> show vpn IPSec-logs
    2019-07-25 14:22:44 29[NET] <8> received packet: from 80.110.39.23[500] to 84.112.164.56[500] (848 bytes)
    2019-07-25 14:22:44 29[ENC] <8> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
    2019-07-25 14:22:44 29[IKE] <8> received NAT-T (RFC 3947) vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received XAuth vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received Cisco Unity vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received FRAGMENTATION vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received DPD vendor ID
    2019-07-25 14:22:44 29[IKE] <8> 80.110.39.23 is initiating a Main Mode IKE_SA
    2019-07-25 14:22:44 29[ENC] <8> generating ID_PROT response 0 [ SA V V V V V ]
    2019-07-25 14:22:44 29[NET] <8> sending packet: from 84.112.164.56[500] to 80.110.39.23[500] (180 bytes)
    2019-07-25 14:22:44 18[NET] <8> received packet: from 80.110.39.23[500] to 84.112.164.56[500] (380 bytes)
    2019-07-25 14:22:44 18[ENC] <8> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    2019-07-25 14:22:44 18[IKE] <8> remote host is behind NAT
    2019-07-25 14:22:44 18[ENC] <8> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    2019-07-25 14:22:44 18[NET] <8> sending packet: from 84.112.164.56[500] to 80.110.39.23[500] (396 bytes)
    2019-07-25 14:22:44 25[NET] <8> received packet: from 80.110.39.23[4500] to 84.112.164.56[4500] (1280 bytes)
    2019-07-25 14:22:44 25[ENC] <8> parsed ID_PROT request 0 [ FRAG(1) ]
    2019-07-25 14:22:44 25[ENC] <8> received fragment #1, waiting for complete IKE message
    2019-07-25 14:22:44 01[NET] <8> received packet: from 80.110.39.23[4500] to 84.112.164.56[4500] (500 bytes)
    2019-07-25 14:22:44 01[ENC] <8> parsed ID_PROT request 0 [ FRAG(2/2) ]
    2019-07-25 14:22:44 01[ENC] <8> received fragment #2, reassembling fragmented IKE message
    2019-07-25 14:22:44 01[NET] <8> received packet: from 80.110.39.23[4500] to 84.112.164.56[4500] (1708 bytes)
    2019-07-25 14:22:44 01[ENC] <8> parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
    2019-07-25 14:22:44 01[IKE] <8> ignoring certificate request without data
    2019-07-25 14:22:44 01[IKE] <8> received end entity cert "C=AT, ST=NA, L=NA, O=PRIVATE, OU=OU, CN=remote.mulatz.at, E=void@mulatz.at"
    2019-07-25 14:22:44 01[CFG] <8> looking for XAuthInitRSA peer configs matching 84.112.164.56...80.110.39.23[C=AT, ST=NA, L=NA, O=PRIVATE, OU=OU, CN=remote.mulatz.at, E=void@mulatz.at]
    2019-07-25 14:22:44 01[IKE] <8> no peer config found
    2019-07-25 14:22:44 01[ENC] <8> generating INFORMATIONAL_V1 request 3609428277 [ HASH N(AUTH_FAILED) ]
    2019-07-25 14:22:44 01[NET] <8> sending packet: from 84.112.164.56[4500] to 80.110.39.23[4500] (108 bytes)
    2019-07-25 14:22:47 08[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:22:47 31[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:22:50 23[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:22:50 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:22:53 16[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:22:53 28[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:23:07 27[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:23:07 29[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    console> tcpdump 'port 500 or 4500'
    tcpdump: Starting Packet Dump
    14:25:23.917528 PortB, IN: IP 80.110.39.23.500 > 84.112.164.56.500: isakmp: phase 1 I ident
    14:25:23.918776 PortB, OUT: IP 84.112.164.56.500 > 80.110.39.23.500: isakmp: phase 1 R ident
    14:25:24.028941 PortB, IN: IP 80.110.39.23.500 > 84.112.164.56.500: isakmp: phase 1 I ident
    14:25:24.036437 PortB, OUT: IP 84.112.164.56.500 > 80.110.39.23.500: isakmp: phase 1 R ident
    14:25:24.116105 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    14:25:24.116911 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    14:25:24.117490 PortB, OUT: IP 84.112.164.56.4500 > 80.110.39.23.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
    14:25:27.265366 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    14:25:27.266282 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    14:25:30.446517 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    14:25:30.447342 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    14:25:33.550779 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    14:25:33.551074 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    14:25:46.648445 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    14:25:46.649545 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    ^C
    15 packets captured
    15 packets received by filter
    0 packets dropped by kernel
    To your last question: yes, as I said, I downloaded the .mobileconfig file via the UserPortal!

    BR Florian

  • Hi

    Thank you for sharing the logs. It seems to be a security parameter mismatch. Please allow us some time to analyze the logs; meanwhile, I request you to verify with a preshared key.

  • Hey,

    Checked with a preshared key as well - same problem.

    Here you go with the new logs:
    2019-07-26 11:51:41 23[NET] <15> received packet: from 80.110.39.23[500] to 84.112.164.56[500] (848 bytes)
    2019-07-26 11:51:41 23[ENC] <15> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
    2019-07-26 11:51:41 23[IKE] <15> received NAT-T (RFC 3947) vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received XAuth vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received Cisco Unity vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received FRAGMENTATION vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received DPD vendor ID
    2019-07-26 11:51:41 23[IKE] <15> 80.110.39.23 is initiating a Main Mode IKE_SA
    2019-07-26 11:51:41 23[ENC] <15> generating ID_PROT response 0 [ SA V V V V V ]
    2019-07-26 11:51:41 23[NET] <15> sending packet: from 84.112.164.56[500] to 80.110.39.23[500] (180 bytes)
    2019-07-26 11:51:41 18[NET] <15> received packet: from 80.110.39.23[500] to 84.112.164.56[500] (380 bytes)
    2019-07-26 11:51:41 18[ENC] <15> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    2019-07-26 11:51:41 18[IKE] <15> remote host is behind NAT
    2019-07-26 11:51:41 18[ENC] <15> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    2019-07-26 11:51:41 18[NET] <15> sending packet: from 84.112.164.56[500] to 80.110.39.23[500] (396 bytes)
    2019-07-26 11:51:41 27[NET] <15> received packet: from 80.110.39.23[4500] to 84.112.164.56[4500] (108 bytes)
    2019-07-26 11:51:41 27[ENC] <15> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    2019-07-26 11:51:41 27[CFG] <15> looking for XAuthInitPSK peer configs matching 84.112.164.56...80.110.39.23[192.168.250.41]
    2019-07-26 11:51:41 27[IKE] <15> no peer config found
    2019-07-26 11:51:41 27[ENC] <15> generating INFORMATIONAL_V1 request 2390229987 [ HASH N(AUTH_FAILED) ]
    2019-07-26 11:51:41 27[NET] <15> sending packet: from 84.112.164.56[4500] to 80.110.39.23[4500] (108 bytes)
    2019-07-26 11:51:44 15[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B0853EC4) from other side
    2019-07-26 11:51:47 01[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B0853EC4) from other side
    2019-07-26 11:51:50 24[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B0853EC4) from other side
    2019-07-26 11:52:03 11[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B0853EC4) from other side
    console> tcpdump 'port 500 or 4500'
    tcpdump: Starting Packet Dump
    11:51:41.251009 PortB, IN: IP 80.110.39.23.500 > 84.112.164.56.500: isakmp: phase 1 I ident
    11:51:41.252110 PortB, OUT: IP 84.112.164.56.500 > 80.110.39.23.500: isakmp: phase 1 R ident
    11:51:41.368920 PortB, IN: IP 80.110.39.23.500 > 84.112.164.56.500: isakmp: phase 1 I ident
    11:51:41.376492 PortB, OUT: IP 84.112.164.56.500 > 80.110.39.23.500: isakmp: phase 1 R ident
    11:51:41.436425 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    11:51:41.436869 PortB, OUT: IP 84.112.164.56.4500 > 80.110.39.23.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
    11:51:44.510096 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    11:51:47.507170 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    11:51:50.513345 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    11:52:03.671482 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    ^C
    10 packets captured
    10 packets received by filter
    0 packets dropped by kernel
    console>
    BR Florian
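Both `show vpn IPSec-logs` excerpts in this thread (the certificate attempt and the preshared-key attempt) fail at the same step: the responder looks up a peer config for the presented identity, finds none, and answers with AUTH_FAILED. The following is an added example, not code from the thread or from Sophos, that groups strongSwan-style log lines by IKE_SA number and extracts exactly that: the lookup's auth method (XAuthInitRSA or XAuthInitPSK), the identity the peer presented, and any notify the responder generated. The sample lines are constructed in the same format with RFC 5737 addresses rather than the poster's.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
# Line shape of the "show vpn IPSec-logs" output: DATE TIME THREAD[GROUP] <IKE_SA_ID> message
LINE_RE = re.compile(r"^\S+ \S+ \d+\[[A-Z]+\] <(?P<sa>\d+)> (?P<msg>.*)$")
LOOKUP_RE = re.compile(r"looking for (?P<method>\S+) peer configs matching "
                       r"(?P<local>.+?)\.\.\.(?P<remote>[^\[]+)\[(?P<identity>.*)\]$")
NOTIFY_RE = re.compile(r"N\(([A-Z_]+)\)")

@dataclass
class IkeSaSummary:
    initiator: str | None = None      # peer address from "... is initiating a Main Mode IKE_SA"
    auth_method: str | None = None    # e.g. XAuthInitRSA or XAuthInitPSK
    peer_identity: str | None = None  # IDi the peer presented (certificate DN or IP)
    peer_config_found: bool | None = None
    sent_notifies: list[str] = field(default_factory=list)  # notifies the responder generated

    def outcome(self) -> str:
        if self.peer_config_found is False:
            return (f"auth failed: no {self.auth_method} peer config matches "
                    f"identity {self.peer_identity!r}")
        return "AUTH_FAILED sent" if "AUTH_FAILED" in self.sent_notifies else "no auth failure logged"

def summarise(lines: list[str]) -> dict[int, IkeSaSummary]:
    out: dict[int, IkeSaSummary] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. [DMN] ALERT lines carry no <IKE_SA_ID>
        sa = out.setdefault(int(m["sa"]), IkeSaSummary())
        msg = m["msg"]
        if msg.endswith("is initiating a Main Mode IKE_SA"):
            sa.initiator = msg.split()[0]
        elif (lk := LOOKUP_RE.search(msg)):
            sa.auth_method, sa.peer_identity = lk["method"], lk["identity"]
        elif msg == "no peer config found":
            sa.peer_config_found = False
        elif msg.startswith("generating"):
            sa.sent_notifies += NOTIFY_RE.findall(msg)
    return out

# Constructed sample in the thread's log format (RFC 5737 addresses, not the poster's).
SAMPLE = """\
2019-07-25 14:22:44 29[IKE] <8> 203.0.113.7 is initiating a Main Mode IKE_SA
2019-07-25 14:22:44 01[CFG] <8> looking for XAuthInitRSA peer configs matching 192.0.2.1...203.0.113.7[C=AT, O=PRIVATE, CN=remote.example.com]
2019-07-25 14:22:44 01[IKE] <8> no peer config found
2019-07-25 14:22:44 01[ENC] <8> generating INFORMATIONAL_V1 request 3609428277 [ HASH N(AUTH_FAILED) ]
2019-07-25 14:22:47 08[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
2019-07-26 11:51:41 27[CFG] <15> looking for XAuthInitPSK peer configs matching 192.0.2.1...203.0.113.7[192.168.250.41]
2019-07-26 11:51:41 27[IKE] <15> no peer config found
""".splitlines()
if __name__ == "__main__":
    for sa_id, sa in summarise(SAMPLE).items():
        print(f"IKE_SA <{sa_id}> from {sa.initiator}: {sa.outcome()}")
```

The repeated "invalid SPI" ALERT lines are deliberately skipped: they carry no IKE_SA id and are only the phone retrying after the responder already rejected the authentication.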