Issue with iOS VPN Config - could not decrypt Payloads!

Hello,

I have now switched from an XG105 (17.5.15) to an XG106 (18.0.5).

The XG is behind an ISP NAT device with an exposed-host configuration, so ports 4500 and 500 come through; I could verify that using the Connect client on Windows 10.

My mobile config looks like this:

<plist version="1.0">
<dict>
        <key>PayloadContent</key>
        <array>
                <dict>
                        <key>IPSec</key>
                        <dict>
                                <key>AuthenticationMethod</key>
                                <string>SharedSecret</string>
                                <key>RemoteAddress</key>
                                <string>IPAdress</string>
                                <key>SharedSecret</key>
                                <data>!?EASYKEY!$   #also tried with original long string</data>
                                <key>XAuthEnabled</key>
                                <integer>1</integer>
                                <key>XAuthName</key>
                                <string>username</string>
                        </dict>
                        <key>IPv4</key>
                        <dict>
                                <key>OverridePrimary</key>
                                <integer>0</integer>
                        </dict>
                        <key>PayloadDescription</key>
                        <string>Configures VPN settings, including authentication.</string>
                        <key>PayloadDisplayName</key>
                        <string>Sophos IPSEC settings</string>
                        <key>PayloadIdentifier</key>
                        <string>com.sophos.iphone.profile.vpn1</string>
                        <key>PayloadOrganization</key>
                        <string>Sophos</string>
                        <key>PayloadType</key>
                        <string>com.apple.vpn.managed</string>
                        <key>PayloadUUID</key>
                        <string>3D8B5E8B-FARA-3BG1-B451-AA0A9824A0BF</string>
                        <key>PayloadVersion</key>
                        <integer>1</integer>
                        <key>Proxies</key>
                        <dict/>
                        <key>UserDefinedName</key>
                        <string>IPSEC_Name</string>
                        <key>VPNType</key>
                        <string>IPSec</string>
                </dict>
        </array>
        <key>PayloadDescription</key>
        <string>Sophos profile for iPhone.</string>
        <key>PayloadDisplayName</key>
        <string>Sophos profile</string>
        <key>PayloadIdentifier</key>
        <string>com.sophos.iphone.profile</string>
        <key>PayloadOrganization</key>
        <string>Sophos</string>
        <key>PayloadRemovalDisallowed</key>
        <false/>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>C8586117-4FF4-3840-A1D5-52E10AB757BA</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
</dict>
</plist>

IPsec logs (when trying to connect from the mobile iOS device):

2021-04-25 10:47:24 27[NET] <14> received packet: from 80.187.102.14[500] to 192.168.0.16[500] (848 bytes)
2021-04-25 10:47:24 27[ENC] <14> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
2021-04-25 10:47:24 27[IKE] <14> received NAT-T (RFC 3947) vendor ID
2021-04-25 10:47:24 27[IKE] <14> received draft-ietf-ipsec-nat-t-ike vendor ID
2021-04-25 10:47:24 27[IKE] <14> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
2021-04-25 10:47:24 27[IKE] <14> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
2021-04-25 10:47:24 27[IKE] <14> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
2021-04-25 10:47:24 27[IKE] <14> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
2021-04-25 10:47:24 27[IKE] <14> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
2021-04-25 10:47:24 27[IKE] <14> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
2021-04-25 10:47:24 27[IKE] <14> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
2021-04-25 10:47:24 27[IKE] <14> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2021-04-25 10:47:24 27[IKE] <14> received XAuth vendor ID
2021-04-25 10:47:24 27[IKE] <14> received Cisco Unity vendor ID
2021-04-25 10:47:24 27[IKE] <14> received FRAGMENTATION vendor ID
2021-04-25 10:47:24 27[IKE] <14> received DPD vendor ID
2021-04-25 10:47:24 27[IKE] <14> 80.187.102.14 is initiating a Main Mode IKE_SA
2021-04-25 10:47:24 27[ENC] <14> generating ID_PROT response 0 [ SA V V V V V ]
2021-04-25 10:47:24 27[NET] <14> sending packet: from 192.168.0.16[500] to 80.187.102.14[500] (180 bytes)
2021-04-25 10:47:24 07[NET] <14> received packet: from 80.187.102.14[500] to 192.168.0.16[500] (380 bytes)
2021-04-25 10:47:24 07[ENC] <14> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2021-04-25 10:47:24 07[IKE] <14> local host is behind NAT, sending keep alives
2021-04-25 10:47:24 07[IKE] <14> remote host is behind NAT
2021-04-25 10:47:24 07[ENC] <14> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2021-04-25 10:47:24 07[NET] <14> sending packet: from 192.168.0.16[500] to 80.187.102.14[500] (396 bytes)
2021-04-25 10:47:25 12[NET] <14> received packet: from 80.187.102.14[3608] to 192.168.0.16[4500] (108 bytes)
2021-04-25 10:47:25 12[ENC] <14> invalid ID_V1 payload length, decryption failed?
2021-04-25 10:47:25 12[ENC] <14> could not decrypt payloads
2021-04-25 10:47:25 12[IKE] <14> message parsing failed
2021-04-25 10:47:25 12[ENC] <14> generating INFORMATIONAL_V1 request 1878755533[ HASH N(PLD_MAL) ]
2021-04-25 10:47:25 12[NET] <14> sending packet: from 192.168.0.16[500] to 80.187.102.14[500] (92 bytes)
2021-04-25 10:47:25 12[IKE] <14> ID_PROT request with message ID 0 processing failed
2021-04-25 10:47:25 12[DMN] <14> [GARNER-LOGGING] (child_alert) ALERT: parsing IKE message from 80.187.102.14[3608] failed
2021-04-25 10:47:28 28[NET] <14> received packet: from 80.187.102.14[3608] to 192.168.0.16[4500] (108 bytes)
2021-04-25 10:47:28 28[ENC] <14> invalid ID_V1 payload length, decryption failed?
2021-04-25 10:47:28 28[ENC] <14> could not decrypt payloads
2021-04-25 10:47:28 28[IKE] <14> message parsing failed

Hope you have some suggestions. 

Regards
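Editor's note: the profile above has two things a plist validator would flag before the device ever sends a packet. A `<data>` element in an Apple plist must hold base64, so `!?EASYKEY!$` (plus the inline note) is not a valid SharedSecret value, and the PayloadUUID `3D8B5E8B-FARA-3BG1-B451-AA0A9824A0BF` is not hexadecimal. The script below is an added example, not code from the post, from Sophos or from Apple: a small linter that walks a `.mobileconfig` and reports a non-base64 SharedSecret, an invalid PayloadUUID, and a RemoteAddress that is neither an IP address nor a hostname. The sample profile embedded in it is constructed to mirror the post's shape and defects; the hostname `vpn.example.com` and the corrected values in `fixed_profile()` are placeholders.

```python
"""Lint an iOS .mobileconfig IPsec payload for defects that break enrolment
or tunnel setup.  Added example (not Sophos/Apple code).  The plist XML is
parsed with ElementTree rather than plistlib so that malformed <data>
content is reported as a finding instead of raising during parsing."""
import base64
import binascii
import ipaddress
import re
import uuid
import xml.etree.ElementTree as ET

# Constructed sample profile: same shape and the same kinds of defects as the
# one in the post (non-base64 SharedSecret, non-hex PayloadUUID, placeholder
# RemoteAddress).  Not a real, working profile.
SAMPLE_PROFILE = """<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>IPSec</key>
      <dict>
        <key>AuthenticationMethod</key><string>SharedSecret</string>
        <key>RemoteAddress</key><string>IPAdress</string>
        <key>SharedSecret</key><data>!?EASYKEY!$</data>
        <key>XAuthEnabled</key><integer>1</integer>
        <key>XAuthName</key><string>username</string>
      </dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key><string>3D8B5E8B-FARA-3BG1-B451-AA0A9824A0BF</string>
      <key>VPNType</key><string>IPSec</string>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>C8586117-4FF4-3840-A1D5-52E10AB757BA</string>
</dict>
</plist>
"""

# A hostname needs at least one dot and a letters-only top-level label.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")

def _pairs(dict_node):
    """Yield (key, value element) pairs from a plist <dict> element."""
    kids = list(dict_node)
    for i in range(0, len(kids) - 1, 2):
        if kids[i].tag == "key":
            yield (kids[i].text or "").strip(), kids[i + 1]

def _check_ipsec(ipsec_node, findings):
    """Checks for the IPSec sub-dictionary of a com.apple.vpn.managed payload."""
    fields = dict(_pairs(ipsec_node))
    secret = fields.get("SharedSecret")
    if secret is not None:
        if secret.tag != "data":
            findings.append("IPSec: SharedSecret must be a <data> element (base64 of the key)")
        else:
            raw = "".join((secret.text or "").split())  # plist data may wrap lines
            try:
                base64.b64decode(raw, validate=True)
            except binascii.Error:
                findings.append("IPSec: SharedSecret <data> is not valid base64")
    host = fields.get("RemoteAddress")
    if host is not None:
        text = (host.text or "").strip()
        try:
            ipaddress.ip_address(text)
            is_ip = True
        except ValueError:
            is_ip = False
        if not is_ip and not HOSTNAME_RE.match(text):
            findings.append(f"IPSec: RemoteAddress {text!r} is neither an IP address nor a hostname")

def _walk(node, path, findings):
    """Recurse through the plist tree, validating every <dict> we meet."""
    if node.tag != "dict":
        for child in node:
            _walk(child, path, findings)
        return
    for key, value in _pairs(node):
        if key == "PayloadUUID":
            text = (value.text or "").strip()
            try:
                uuid.UUID(text)
            except ValueError:
                findings.append(f"{path}: PayloadUUID {text!r} is not a valid UUID")
        elif key == "IPSec" and value.tag == "dict":
            _check_ipsec(value, findings)
        else:
            _walk(value, f"{path}/{key}", findings)

def lint_profile(xml_text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    _walk(ET.fromstring(xml_text), "plist", findings)
    return findings

def fixed_profile():
    """The same profile with the three defects corrected (constructed values)."""
    secret_b64 = base64.b64encode(b"!?EASYKEY!$").decode()
    return (SAMPLE_PROFILE
            .replace("<data>!?EASYKEY!$</data>", f"<data>{secret_b64}</data>")
            .replace("3D8B5E8B-FARA-3BG1-B451-AA0A9824A0BF", str(uuid.uuid4()).upper())
            .replace("<string>IPAdress</string>", "<string>vpn.example.com</string>"))

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print("FAIL", finding)
    print("fixed profile findings:", lint_profile(fixed_profile()))
```

Run it against a real profile with `lint_profile(open("vpn.mobileconfig").read())`; the shared secret goes into the `<data>` element as the base64 encoding of the raw key bytes, which is what `fixed_profile()` does for the sample.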



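Editor's note on reading the log: in IKEv1 Main Mode (RFC 2409) the first two exchanges (SA proposal, then KE/nonce with NAT-D) are cleartext, and the third (ID/HASH) is the first encrypted message; with pre-shared-key authentication the encryption key is derived from the PSK, so "could not decrypt payloads" exactly at that point is the classic signature of a PSK mismatch between peers. Both sides also detected NAT here, so the third message is at the same time the first one after the float to UDP/4500 (source port 3608 to 4500 in the log), which means a mangled or misforwarded 4500 path looks identical at this stage; the two have to be told apart by checking the PSK on both ends and the NAT device's 4500 forwarding. The triage script below is an added example, not Sophos code: it groups charon log lines by IKE_SA id and reports how far each negotiation got. The embedded sample is constructed: `<14>` is a trimmed copy of the post's exchange, and `<15>` is an invented peer in the 203.0.113.0/24 documentation range whose negotiation completes, for contrast; the connection name `remote-access` in its "established" line is also invented.

```python
"""Triage strongSwan (charon) IKEv1 log lines per IKE_SA and report the
exchange at which each negotiation stopped.  Added example, not Sophos code."""
import re
from collections import defaultdict

# charon line shape: "<date> <time> <thread>[<subsystem>] <<sa-id>> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+\[(?P<sub>[A-Z]+)\] <(?P<sa>\d+)> (?P<msg>.*)$")

# Constructed sample: <14> is trimmed from the post; <15> is an invented peer
# (203.0.113.7, documentation range) whose negotiation completes.
SAMPLE_LOG = """\
2021-04-25 10:47:24 27[NET] <14> received packet: from 80.187.102.14[500] to 192.168.0.16[500] (848 bytes)
2021-04-25 10:47:24 27[ENC] <14> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
2021-04-25 10:47:24 27[IKE] <14> 80.187.102.14 is initiating a Main Mode IKE_SA
2021-04-25 10:47:24 07[NET] <14> received packet: from 80.187.102.14[500] to 192.168.0.16[500] (380 bytes)
2021-04-25 10:47:24 07[ENC] <14> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2021-04-25 10:47:24 07[IKE] <14> local host is behind NAT, sending keep alives
2021-04-25 10:47:24 07[IKE] <14> remote host is behind NAT
2021-04-25 10:47:25 12[NET] <14> received packet: from 80.187.102.14[3608] to 192.168.0.16[4500] (108 bytes)
2021-04-25 10:47:25 12[ENC] <14> invalid ID_V1 payload length, decryption failed?
2021-04-25 10:47:25 12[ENC] <14> could not decrypt payloads
2021-04-25 10:47:25 12[IKE] <14> message parsing failed
2021-04-25 10:47:28 28[NET] <14> received packet: from 80.187.102.14[3608] to 192.168.0.16[4500] (108 bytes)
2021-04-25 10:47:28 28[ENC] <14> could not decrypt payloads
2021-04-25 10:52:01 05[NET] <15> received packet: from 203.0.113.7[500] to 192.168.0.16[500] (848 bytes)
2021-04-25 10:52:01 05[ENC] <15> parsed ID_PROT request 0 [ SA V V V V ]
2021-04-25 10:52:01 09[ENC] <15> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2021-04-25 10:52:02 11[IKE] <15> IKE_SA remote-access[2] established between 192.168.0.16[192.168.0.16]...203.0.113.7[203.0.113.7]
"""

def _new_state():
    return {"peer": None, "sa_exchange": False, "ke_exchange": False,
            "nat_detected": False, "floated_to_4500": False,
            "decrypt_failures": 0, "established": False}

def _verdict(s):
    """Map the furthest Main Mode stage reached to a defender-side hypothesis."""
    if s["established"]:
        return "established"
    if s["ke_exchange"] and s["decrypt_failures"]:
        # First encrypted Main Mode message failed to decrypt; its keys derive from the PSK.
        return "psk_mismatch_suspected"
    if s["sa_exchange"] and not s["ke_exchange"]:
        return "proposal_mismatch_suspected"
    return "incomplete"

def triage(lines):
    """Group log lines by IKE_SA id and return per-SA state plus a verdict."""
    state = defaultdict(_new_state)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s, msg = state[m["sa"]], m["msg"]
        pkt = re.match(r"received packet: from (\S+)\[\d+\] to \S+\[(\d+)\]", msg)
        if pkt:
            s["peer"] = pkt.group(1)
            if pkt.group(2) == "4500":
                s["floated_to_4500"] = True   # NAT-T moved the exchange to UDP/4500
        elif "parsed ID_PROT request 0 [ SA" in msg:
            s["sa_exchange"] = True           # exchange 1: proposal (cleartext)
        elif "parsed ID_PROT request 0 [ KE" in msg:
            s["ke_exchange"] = True           # exchange 2: DH + nonces (cleartext)
        elif "is behind NAT" in msg:
            s["nat_detected"] = True
        elif "could not decrypt payloads" in msg:
            s["decrypt_failures"] += 1        # exchange 3: first encrypted message
        elif "established between" in msg:
            s["established"] = True
    return {sa: dict(s, verdict=_verdict(s)) for sa, s in state.items()}

if __name__ == "__main__":
    for sa, info in triage(SAMPLE_LOG.splitlines()).items():
        print(f"IKE_SA <{sa}> peer={info['peer']} nat={info['nat_detected']} "
              f"port4500={info['floated_to_4500']} decrypt_failures={info['decrypt_failures']} "
              f"-> {info['verdict']}")
```

Feed it the output of `strongswan.log` or the XG's IPsec log with `triage(open(path).read().splitlines())`; a `psk_mismatch_suspected` verdict with `floated_to_4500` set is the pattern in the post, and the next check is the PSK on both ends followed by the NAT device's UDP/4500 forwarding.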