IPSec VPN does not work for iOS devices after upgrade to 9.411-3

After upgrading to 9.411-3, iOS devices cannot connect via IPSec. If the configuration on the iOS device is deleted and configured again via remote access it works, but we don't like to bother our users with reinstalling the VPN configuration... Is there a way out here?

 

Regards

Jesper Hanno



  • Hi Jesper,

    Try uploading the previous backup on the UTM. 

    Any help with that?

    Thanks

  • Thanks for the quick reply, we don't have this option, since we have made several changes since...

     

    Any other options?

     

    Regards

    Jesper Hanno

  • Hi, Jesper, and welcome to the UTM Community!

    Sachin's suggestion is the correct one.  Go to the 'Management' section, and you will see that you can review the changes made since the Up2Date.  That will allow you to easily repeat the changes if needed.

    Before you restore the backup made just prior to the Up2Date, make another configuration backup.  If the restore "trick" doesn't solve your problem, just restore the newest backup.

    Cheers - Bob

  • @Sachin's @BAlfson

    What is this restore backup thing?

    This is stupid. I have never restored a backup after an upgrade and it was never needed or useful. (In 15 years of Astaro/Sophos UTM)

    You only need the backup when HW is completely down or upgrade or rebuild.

     

    May

  • Thanks Bob, 

     

    Are there any other options? Are there changes in the latest update to IPSec VPN that could justify this behaviour? We would prefer to know what's going on if that's an option...

    I tried to look at the syslog files, and on a device that is having the problem we have

    Facility: authpriv
    Priority: warning
    Tag: 2017:02:15-16:15:46 remote pluto[6267]
    Message: "D_REF_IpsRoaForActivDirec_AaaUsexxxxxxx"[41] x.x.x.x:9853 #68: no suitable connection for peer 'C=xx, L=xxx, O=xxxxxx, CN=xxxxx, E=xxxxxxx@xxxxx.xx'

    Regards

    Jesper Hanno

  • Extra lines from the log:

    "D_REF_IpsRoaForActivDirec_AaaUsexxxxxxx"[41] x.x.x.x:9853 #68: no suitable connection for peer 'C=xx, L=xxxxxx, O=xxxxxx, CN=xxxxxx, E=xxxxxx@xxxxxx.xx'
    "D_REF_IpsRoaForActivDirec_AaaUsexxxxxxx"[41] x.x.x.x:9853 #68: sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:9853
    packet from x.x.x.x:9853: ISAKMP version of ISAKMP Message has an unknown value: 80
    packet from x.x.x.x:9853: sending notification INVALID_MAJOR_VERSION to x.x.x.x:9853
    packet from x.x.x.x:9853: ISAKMP version of ISAKMP Message has an unknown value: 80
    packet from x.x.x.x:9853: sending notification INVALID_MAJOR_VERSION to x.x.x.x:9853

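
To see how many clients are affected and which certificate identities are being refused, the pluto messages quoted above can be grouped per peer address. This is an added example, not part of the original thread; the sample log lines are constructed in the same message format, with made-up addresses, connection name and certificate DNs.

```python
import re
from collections import Counter

# Constructed sample in the message format quoted in the thread; the
# addresses, connection name and certificate DNs are made up.
SAMPLE_LOG = """\
"D_REF_Example"[41] 192.0.2.10:9853 #68: no suitable connection for peer 'C=dk, O=Example, CN=alice'
"D_REF_Example"[41] 192.0.2.10:9853 #68: sending encrypted notification INVALID_ID_INFORMATION to 192.0.2.10:9853
packet from 192.0.2.10:9853: ISAKMP version of ISAKMP Message has an unknown value: 80
packet from 192.0.2.10:9853: sending notification INVALID_MAJOR_VERSION to 192.0.2.10:9853
"D_REF_Example"[42] 198.51.100.7:4500 #69: no suitable connection for peer 'C=dk, O=Example, CN=bob'
"""

IP = r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3})"  # IPv4 only; masked x.x.x.x lines will not match
# Connection-scoped message: "name"[instance] ip:port #state: text
CONN_RE = re.compile(r'"[^"]+"\[\d+\] ' + IP + r":\d+ #\d+: (?P<msg>.*)")
# Packet-scoped message, logged without a connection name
PKT_RE = re.compile(r"packet from " + IP + r":\d+: (?P<msg>.*)")
NO_CONN_RE = re.compile(r"no suitable connection for peer '([^']*)'")
NOTIFY_RE = re.compile(r"sending (?:encrypted )?notification ([A-Z_]+) to")
BAD_VER_RE = re.compile(r"ISAKMP version of ISAKMP Message has an unknown value: (\d+)")

def triage(log_text):
    """Summarise pluto rejections per peer IP: IDs refused, notifications sent, bad version values."""
    peers = {}
    for line in log_text.splitlines():
        # search() rather than match() so a syslog timestamp/host prefix is tolerated
        m = CONN_RE.search(line) or PKT_RE.search(line)
        if not m:
            continue  # not a pluto message in either of the two formats
        entry = peers.setdefault(m.group("peer"), {
            "rejected_ids": set(), "notifications": Counter(), "bad_versions": set()})
        msg = m.group("msg")
        if (hit := NO_CONN_RE.search(msg)):
            entry["rejected_ids"].add(hit.group(1))
        elif (hit := NOTIFY_RE.search(msg)):
            entry["notifications"][hit.group(1)] += 1
        elif (hit := BAD_VER_RE.search(msg)):
            entry["bad_versions"].add(hit.group(1))
    return peers

if __name__ == "__main__":
    for peer, info in triage(SAMPLE_LOG).items():
        print(peer, sorted(info["rejected_ids"]), dict(info["notifications"]), sorted(info["bad_versions"]))
```
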
  • Delete the IPsec Connection and the Remote Gateway it uses, Jesper, and then create them both anew.  Any luck with that?

    If the restore "trick" doesn't help and this doesn't either, Support may tell you to re-image from ISO.  You should get a case open with them ASAP.

    It sounds like this device is mission-critical enough that you should be running a Hot-Standby.

    Cheers - Bob
