iOS VPN Sophos XG

Hi folks,

I don't know exactly since when, to be honest, but yesterday I noticed that my iOS On Demand VPN stopped working. I tried to reconfigure it now with certificate authentication (because I had wanted to do this for a long time), but still no success.

What I've done: configured Sophos Connect as always. Then I downloaded the mobileconfig for iOS via the User Portal and imported it successfully on my iPhone. That's where the fun stops :-O

The phone tries to connect and gives me an error that the communication with the VPN server fails. This is the corresponding log from the Sophos XG console (I only obfuscated my IPs and certificate details):

2019-07-24 06:56:14 27[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (848 bytes)
2019-07-24 06:56:14 27[ENC] <2> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
2019-07-24 06:56:14 27[IKE] <2> received NAT-T (RFC 3947) vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2019-07-24 06:56:14 27[IKE] <2> received XAuth vendor ID
2019-07-24 06:56:14 27[IKE] <2> received Cisco Unity vendor ID
2019-07-24 06:56:14 27[IKE] <2> received FRAGMENTATION vendor ID
2019-07-24 06:56:14 27[IKE] <2> received DPD vendor ID
2019-07-24 06:56:14 27[IKE] <2> --this-is-my-mobile-ip-- is initiating a Main Mode IKE_SA
2019-07-24 06:56:14 27[ENC] <2> generating ID_PROT response 0 [ SA V V V V V ]
2019-07-24 06:56:14 27[NET] <2> sending packet: from --this-is-my-official-ip--[500] to --this-is-my-mobile-ip--[500] (180 bytes)
2019-07-24 06:56:14 30[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (380 bytes)
2019-07-24 06:56:14 30[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2019-07-24 06:56:14 30[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2019-07-24 06:56:14 30[NET] <2> sending packet: from --this-is-my-official-ip--[500] to --this-is-my-mobile-ip--[500] (396 bytes)
2019-07-24 06:56:14 28[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (1280 bytes)
2019-07-24 06:56:14 28[ENC] <2> parsed ID_PROT request 0 [ FRAG(1) ]
2019-07-24 06:56:14 28[ENC] <2> received fragment #1, waiting for complete IKE message
2019-07-24 06:56:14 07[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (500 bytes)
2019-07-24 06:56:14 07[ENC] <2> parsed ID_PROT request 0 [ FRAG(2/2) ]
2019-07-24 06:56:14 07[ENC] <2> received fragment #2, reassembling fragmented IKE message
2019-07-24 06:56:14 07[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (1708 bytes)
2019-07-24 06:56:14 07[ENC] <2> parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
2019-07-24 06:56:14 07[IKE] <2> ignoring certificate request without data
2019-07-24 06:56:14 07[IKE] <2> received end entity cert "C=AT, ST=NA, L=NA, O=PRIVATE, OU=OU, CN=remote.example.com, E=void@example.com"
2019-07-24 06:56:14 07[CFG] <2> looking for XAuthInitRSA peer configs matching --this-is-my-official-ip--...--this-is-my-mobile-ip--[C=AT, ST=NA, L=NA, O=PRIVATE, OU=OU, CN=remote.example.com, E=void@example.com]
2019-07-24 06:56:14 07[IKE] <2> no peer config found
2019-07-24 06:56:14 07[ENC] <2> generating INFORMATIONAL_V1 request 274853226 [ HASH N(AUTH_FAILED) ]
2019-07-24 06:56:14 07[NET] <2> sending packet: from --this-is-my-official-ip--[500] to --this-is-my-mobile-ip--[500] (108 bytes)
2019-07-24 06:56:17 12[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:17 14[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:21 16[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:21 15[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:24 19[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:24 17[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:37 08[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:37 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
Do you have any idea why it stopped working? I'm currently on the latest SFOS 17.5.7 MR-7 version. I also tried to go back to SFOS 17.5.5 MR-5, but still the same issue.

Thanks for any advice!

BR
Florian
  • Hi Keyur,

    Unfortunately, neither of these entries helped. As I mentioned, it STOPPED working, which means it worked before :)

    Thanks

  • Hi,

    I would request you to contact our technical support team and open a support case to investigate the issue further.

  • Hi,

    Unfortunately, I only have the free Home version, so I guess there is only community support available for me :)

    BR

  • Hi,

    I will perform the same scenario at my end and share the results with you. Meanwhile, can you please share screenshots of your iOS configuration and XG configuration?

  • Hey Keyur,

    Here you go (I only obfuscated my real IP and hostname) ->

    As I told you, I simply downloaded the configuration profile via the User Portal, so there's nothing to share there.

  • Hi,

    The configuration seems to be correct; it should work.

    Can you please execute the command below and share the logs:

    "show vpn IPSec-logs" from the console

    Please also share the capture taken while you connect, using the command: tcpdump 'port 500 or 4500'

    Are you using IPsec in the iOS configuration?

  • Hey Keyur,

    Here you go:
    console> show vpn IPSec-logs
    2019-07-25 14:22:44 29[NET] <8> received packet: from 80.110.39.23[500] to 84.112.164.56[500] (848 bytes)
    2019-07-25 14:22:44 29[ENC] <8> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
    2019-07-25 14:22:44 29[IKE] <8> received NAT-T (RFC 3947) vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received XAuth vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received Cisco Unity vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received FRAGMENTATION vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received DPD vendor ID
    2019-07-25 14:22:44 29[IKE] <8> 80.110.39.23 is initiating a Main Mode IKE_SA
    2019-07-25 14:22:44 29[ENC] <8> generating ID_PROT response 0 [ SA V V V V V ]
    2019-07-25 14:22:44 29[NET] <8> sending packet: from 84.112.164.56[500] to 80.110.39.23[500] (180 bytes)
    2019-07-25 14:22:44 18[NET] <8> received packet: from 80.110.39.23[500] to 84.112.164.56[500] (380 bytes)
    2019-07-25 14:22:44 18[ENC] <8> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    2019-07-25 14:22:44 18[IKE] <8> remote host is behind NAT
    2019-07-25 14:22:44 18[ENC] <8> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    2019-07-25 14:22:44 18[NET] <8> sending packet: from 84.112.164.56[500] to 80.110.39.23[500] (396 bytes)
    2019-07-25 14:22:44 25[NET] <8> received packet: from 80.110.39.23[4500] to 84.112.164.56[4500] (1280 bytes)
    2019-07-25 14:22:44 25[ENC] <8> parsed ID_PROT request 0 [ FRAG(1) ]
    2019-07-25 14:22:44 25[ENC] <8> received fragment #1, waiting for complete IKE message
    2019-07-25 14:22:44 01[NET] <8> received packet: from 80.110.39.23[4500] to 84.112.164.56[4500] (500 bytes)
    2019-07-25 14:22:44 01[ENC] <8> parsed ID_PROT request 0 [ FRAG(2/2) ]
    2019-07-25 14:22:44 01[ENC] <8> received fragment #2, reassembling fragmented IKE message
    2019-07-25 14:22:44 01[NET] <8> received packet: from 80.110.39.23[4500] to 84.112.164.56[4500] (1708 bytes)
    2019-07-25 14:22:44 01[ENC] <8> parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
    2019-07-25 14:22:44 01[IKE] <8> ignoring certificate request without data
    2019-07-25 14:22:44 01[IKE] <8> received end entity cert "C=AT, ST=NA, L=NA, O=PRIVATE, OU=OU, CN=remote.mulatz.at, E=void@mulatz.at"
    2019-07-25 14:22:44 01[CFG] <8> looking for XAuthInitRSA peer configs matching 84.112.164.56...80.110.39.23[C=AT, ST=NA, L=NA, O=PRIVATE, OU=OU, CN=remote.mulatz.at, E=void@mulatz.at]
    2019-07-25 14:22:44 01[IKE] <8> no peer config found
    2019-07-25 14:22:44 01[ENC] <8> generating INFORMATIONAL_V1 request 3609428277 [ HASH N(AUTH_FAILED) ]
    2019-07-25 14:22:44 01[NET] <8> sending packet: from 84.112.164.56[4500] to 80.110.39.23[4500] (108 bytes)
    2019-07-25 14:22:47 08[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:22:47 31[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:22:50 23[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:22:50 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:22:53 16[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:22:53 28[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:23:07 27[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:23:07 29[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    console> tcpdump 'port 500 or 4500'
    tcpdump: Starting Packet Dump
    14:25:23.917528 PortB, IN: IP 80.110.39.23.500 > 84.112.164.56.500: isakmp: phase 1 I ident
    14:25:23.918776 PortB, OUT: IP 84.112.164.56.500 > 80.110.39.23.500: isakmp: phase 1 R ident
    14:25:24.028941 PortB, IN: IP 80.110.39.23.500 > 84.112.164.56.500: isakmp: phase 1 I ident
    14:25:24.036437 PortB, OUT: IP 84.112.164.56.500 > 80.110.39.23.500: isakmp: phase 1 R ident
    14:25:24.116105 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    14:25:24.116911 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    14:25:24.117490 PortB, OUT: IP 84.112.164.56.4500 > 80.110.39.23.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
    14:25:27.265366 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    14:25:27.266282 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    14:25:30.446517 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    14:25:30.447342 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    14:25:33.550779 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    14:25:33.551074 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    14:25:46.648445 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    14:25:46.649545 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    ^C
    15 packets captured
    15 packets received by filter
    0 packets dropped by kernel

    To your last question: yes, as I said, I downloaded the .mobileconfig file via the User Portal!

    BR Florian

  • Hi,

    Thank you for sharing the logs. It seems to be a security parameter mismatch. Please allow us some time to analyze the logs; meanwhile, I request you to verify with a preshared key.

  • Hey,

    Checked with a preshared key as well, same problem.

    Here you go with the new logs:


    2019-07-26 11:51:41 23[NET] <15> received packet: from 80.110.39.23[500] to 84.112.164.56[500] (848 bytes)
    2019-07-26 11:51:41 23[ENC] <15> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
    2019-07-26 11:51:41 23[IKE] <15> received NAT-T (RFC 3947) vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received XAuth vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received Cisco Unity vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received FRAGMENTATION vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received DPD vendor ID
    2019-07-26 11:51:41 23[IKE] <15> 80.110.39.23 is initiating a Main Mode IKE_SA
    2019-07-26 11:51:41 23[ENC] <15> generating ID_PROT response 0 [ SA V V V V V ]
    2019-07-26 11:51:41 23[NET] <15> sending packet: from 84.112.164.56[500] to 80.110.39.23[500] (180 bytes)
    2019-07-26 11:51:41 18[NET] <15> received packet: from 80.110.39.23[500] to 84.112.164.56[500] (380 bytes)
    2019-07-26 11:51:41 18[ENC] <15> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    2019-07-26 11:51:41 18[IKE] <15> remote host is behind NAT
    2019-07-26 11:51:41 18[ENC] <15> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    2019-07-26 11:51:41 18[NET] <15> sending packet: from 84.112.164.56[500] to 80.110.39.23[500] (396 bytes)
    2019-07-26 11:51:41 27[NET] <15> received packet: from 80.110.39.23[4500] to 84.112.164.56[4500] (108 bytes)
    2019-07-26 11:51:41 27[ENC] <15> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    2019-07-26 11:51:41 27[CFG] <15> looking for XAuthInitPSK peer configs matching 84.112.164.56...80.110.39.23[192.168.250.41]
    2019-07-26 11:51:41 27[IKE] <15> no peer config found
    2019-07-26 11:51:41 27[ENC] <15> generating INFORMATIONAL_V1 request 2390229987 [ HASH N(AUTH_FAILED) ]
    2019-07-26 11:51:41 27[NET] <15> sending packet: from 84.112.164.56[4500] to 80.110.39.23[4500] (108 bytes)
    2019-07-26 11:51:44 15[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B0853EC4) from other side
    2019-07-26 11:51:47 01[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B0853EC4) from other side
    2019-07-26 11:51:50 24[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B0853EC4) from other side
    2019-07-26 11:52:03 11[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B0853EC4) from other side
    console> tcpdump 'port 500 or 4500'
    tcpdump: Starting Packet Dump
    11:51:41.251009 PortB, IN: IP 80.110.39.23.500 > 84.112.164.56.500: isakmp: phase 1 I ident
    11:51:41.252110 PortB, OUT: IP 84.112.164.56.500 > 80.110.39.23.500: isakmp: phase 1 R ident
    11:51:41.368920 PortB, IN: IP 80.110.39.23.500 > 84.112.164.56.500: isakmp: phase 1 I ident
    11:51:41.376492 PortB, OUT: IP 84.112.164.56.500 > 80.110.39.23.500: isakmp: phase 1 R ident
    11:51:41.436425 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    11:51:41.436869 PortB, OUT: IP 84.112.164.56.4500 > 80.110.39.23.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
    11:51:44.510096 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    11:51:47.507170 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    11:51:50.513345 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    11:52:03.671482 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    ^C
    10 packets captured
    10 packets received by filter
    0 packets dropped by kernel
    console>
    BR Florian
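Both failing attempts posted above (certificate on 2019-07-25, preshared key on 2019-07-26) stop at the same point: the XG answers the SA and KE exchanges, sees the phone move to UDP/4500 after NAT detection, receives the ID payload, searches for a peer config for the advertised authentication method (XAuthInitRSA, then XAuthInitPSK) and the peer's identity, reports "no peer config found" and answers with AUTH_FAILED. The "invalid SPI" alerts that follow are the phone retransmitting against an IKE_SA the responder has already dropped. The script below is an added example, not code from the thread or from Sophos; it walks charon-style `show vpn IPSec-logs` output per IKE_SA id and reports where phase 1 stopped. `IkeSaTrace`, `triage` and `summarize` are names chosen here, and `SAMPLE_LOG` is a constructed excerpt that mirrors the posted logs with RFC 5737 documentation addresses and shortened identities in place of the real values.

```python
# Added example, not code from the thread or from Sophos: triage of charon-style IKEv1
# responder log lines as printed by "show vpn IPSec-logs", grouped per IKE_SA id.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "<date> <time> <thread>[<subsystem>] <sa-id> <message>"; the DMN alerts carry no <sa-id>.
LINE_RE = re.compile(r"^\S+ \S+ \d+\[(?P<sub>[A-Z]+)\](?: <(?P<sa>\d+)>)? (?P<msg>.*)$")
PKT_RE = re.compile(r"received packet: from (?P<src>[\d.]+)\[(?P<sport>\d+)\] to (?P<dst>[\d.]+)\[(?P<dport>\d+)\]")
PAYLOAD_RE = re.compile(r"(?:parsed|generating) \S+ (?:request|response) \d+ \[ (?P<pl>[^\]]*) \]")
CFG_RE = re.compile(r"looking for (?P<method>\w+) peer configs matching [\d.]+\.\.\.[\d.]+\[(?P<ident>[^\]]*)\]")
NOTIFY_RE = re.compile(r"N\((?P<notify>[A-Z_]+)\)")
SPI_RE = re.compile(r"invalid SPI \((?P<spi>[0-9A-Fa-f]+)\)")


@dataclass
class IkeSaTrace:
    sa_id: str
    initiator: Optional[str] = None
    responder: Optional[str] = None
    behind_nat: bool = False              # responder's NAT-D verdict
    nat_t_ports: bool = False             # traffic moved from UDP/500 to UDP/4500
    auth_method: Optional[str] = None     # e.g. XAuthInitRSA, XAuthInitPSK
    peer_identity: Optional[str] = None   # ID payload: certificate DN or an IP
    peer_config_found: Optional[bool] = None
    payloads_received: List[str] = field(default_factory=list)
    notifies_sent: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        """Where phase 1 stopped, as seen by the responder."""
        if self.peer_config_found is False:
            return (f"phase 1 aborted: no connection matches auth method {self.auth_method} "
                    f"for peer identity '{self.peer_identity}'; sent {', '.join(self.notifies_sent) or 'nothing'}")
        if "AUTH_FAILED" in self.notifies_sent:
            return "phase 1 aborted: authentication failed after a peer config was selected"
        if "ID" not in self.payloads_received:
            return "phase 1 incomplete: no ID payload received (SA/KE exchange or transport problem)"
        return "phase 1 reached identity lookup with a matching peer config"


def triage(log_text: str) -> dict:
    """Group lines per IKE_SA and count the 'invalid SPI' alerts that follow a rejection."""
    sas: Dict[str, IkeSaTrace] = {}
    spi_alerts: Dict[str, int] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (spi := SPI_RE.search(msg)):  # initiator retransmitting against an SA the responder dropped
            key = spi.group("spi").upper()
            spi_alerts[key] = spi_alerts.get(key, 0) + 1
            continue
        if m.group("sa") is None:
            continue
        sa = sas.setdefault(m.group("sa"), IkeSaTrace(m.group("sa")))
        if (pkt := PKT_RE.search(msg)):
            sa.initiator = sa.initiator or pkt.group("src")
            sa.responder = sa.responder or pkt.group("dst")
            sa.nat_t_ports |= "4500" in (pkt.group("sport"), pkt.group("dport"))
        elif "remote host is behind NAT" in msg:
            sa.behind_nat = True
        elif (pl := PAYLOAD_RE.search(msg)):
            if msg.startswith("parsed"):
                sa.payloads_received.extend(pl.group("pl").split())
            else:
                sa.notifies_sent.extend(n.group("notify") for n in NOTIFY_RE.finditer(pl.group("pl")))
        elif (cfg := CFG_RE.search(msg)):
            sa.auth_method, sa.peer_identity = cfg.group("method"), cfg.group("ident")
        elif "no peer config found" in msg:
            sa.peer_config_found = False
        elif "selected peer config" in msg:  # charon's message when a connection matched
            sa.peer_config_found = True
    return {"sas": sas, "invalid_spi_alerts": spi_alerts}


def summarize(log_text: str) -> Dict[str, str]:
    return {sa_id: sa.verdict() for sa_id, sa in triage(log_text)["sas"].items()}


# Constructed sample mirroring the two posted attempts (RFC 5737 addresses, shortened identities).
SAMPLE_LOG = """\
2019-07-25 14:22:44 29[NET] <8> received packet: from 203.0.113.10[500] to 198.51.100.5[500] (848 bytes)
2019-07-25 14:22:44 18[IKE] <8> remote host is behind NAT
2019-07-25 14:22:44 25[NET] <8> received packet: from 203.0.113.10[4500] to 198.51.100.5[4500] (1280 bytes)
2019-07-25 14:22:44 01[ENC] <8> parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
2019-07-25 14:22:44 01[CFG] <8> looking for XAuthInitRSA peer configs matching 198.51.100.5...203.0.113.10[C=AT, O=PRIVATE, CN=remote.example.com]
2019-07-25 14:22:44 01[IKE] <8> no peer config found
2019-07-25 14:22:44 01[ENC] <8> generating INFORMATIONAL_V1 request 3609428277 [ HASH N(AUTH_FAILED) ]
2019-07-25 14:22:47 08[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
2019-07-26 11:51:41 27[ENC] <15> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
2019-07-26 11:51:41 27[CFG] <15> looking for XAuthInitPSK peer configs matching 198.51.100.5...203.0.113.10[192.168.250.41]
2019-07-26 11:51:41 27[IKE] <15> no peer config found
2019-07-26 11:51:41 27[ENC] <15> generating INFORMATIONAL_V1 request 2390229987 [ HASH N(AUTH_FAILED) ]
"""

if __name__ == "__main__":
    for sa_id, text in summarize(SAMPLE_LOG).items():
        print(f"IKE_SA <{sa_id}>: {text}")
    print("invalid-SPI retransmits:", triage(SAMPLE_LOG)["invalid_spi_alerts"])
```

Paste the real console output into `SAMPLE_LOG` (or read it from a file) to get the same per-SA verdict; the useful distinction it draws is between a responder that never received the ID payload (a transport or proposal problem) and one that did but found no connection for that authentication method and identity, which is what both posted logs show.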

  • Hi,

    I think you are combining 2 different VPN configurations, and that may create a problem. There are 2 ways to connect a VPN from iOS: using IPsec, and using SSL VPN.

    If you want to connect the IPsec VPN using a certificate, you do not need to download any configuration from the Sophos XG Firewall User Portal.

    In iOS, please navigate to Settings >> General >> VPN >> Add VPN Configuration >> Type >> IPsec >> tap Back, and it will show the Cisco client; please configure the other parameters and try to connect.

    For IPsec VPN, please follow the article given below to configure it, and it will connect for sure. (Use a certificate instead of a preshared key.)

    https://community.sophos.com/kb/en-us/123137

    For certificate configuration, please follow the article - https://community.sophos.com/kb/en-us/123138#Deploying%20digital%20certificates