This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cisco VPN not working with Apple iOS 6

Hi there!

Since installing the new iOS update for the iPhone (version 6) the Cisco VPN client is not working anymore. I get the following logs in the UTM (Release 9.002-12):

2012:09:21-11:45:45 utm-1 pluto[26458]: packet from 89.204.137.123:42730: received Vendor ID payload [RFC 3947]
2012:09:21-11:45:45 utm-1 pluto[26458]: packet from 89.204.137.123:42730: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
2012:09:21-11:45:45 utm-1 pluto[26458]: packet from 89.204.137.123:42730: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
2012:09:21-11:45:45 utm-1 pluto[26458]: packet from 89.204.137.123:42730: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
2012:09:21-11:45:45 utm-1 pluto[26458]: packet from 89.204.137.123:42730: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
2012:09:21-11:45:45 utm-1 pluto[26458]: packet from 89.204.137.123:42730: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
2012:09:21-11:45:45 utm-1 pluto[26458]: packet from 89.204.137.123:42730: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
2012:09:21-11:45:45 utm-1 pluto[26458]: packet from 89.204.137.123:42730: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2012:09:21-11:45:45 utm-1 pluto[26458]: packet from 89.204.137.123:42730: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2012:09:21-11:45:45 utm-1 pluto[26458]: packet from 89.204.137.123:42730: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2012:09:21-11:45:45 utm-1 pluto[26458]: packet from 89.204.137.123:42730: received Vendor ID payload [XAUTH]
2012:09:21-11:45:45 utm-1 pluto[26458]: packet from 89.204.137.123:42730: ignoring Vendor ID payload [Cisco-Unity]
2012:09:21-11:45:45 utm-1 pluto[26458]: packet from 89.204.137.123:42730: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2012:09:21-11:45:45 utm-1 pluto[26458]: packet from 89.204.137.123:42730: received Vendor ID payload [Dead Peer Detection]
2012:09:21-11:45:45 utm-1 pluto[26458]: "D_for Anselment to Internal (Network)"[4] 89.204.137.123:42730 #9: responding to Main Mode from unknown peer 89.204.137.123:42730
2012:09:21-11:45:46 utm-1 pluto[26458]: "D_for Anselment to Internal (Network)"[4] 89.204.137.123:42730 #9: NAT-Traversal: Result using RFC 3947: peer is NATed
2012:09:21-11:45:47 utm-1 pluto[26458]: packet from 89.204.137.123:52568: next payload type of ISAKMP Message has an unknown value: 132
2012:09:21-11:45:47 utm-1 pluto[26458]: packet from 89.204.137.123:52568: sending notification PAYLOAD_MALFORMED to 89.204.137.123:52568
2012:09:21-11:45:47 utm-1 pluto[26458]: packet from 89.204.137.123:52568: next payload type of ISAKMP Message has an unknown value: 132
2012:09:21-11:45:47 utm-1 pluto[26458]: packet from 89.204.137.123:52568: sending notification PAYLOAD_MALFORMED to 89.204.137.123:52568
2012:09:21-11:45:50 utm-1 pluto[26458]: packet from 89.204.137.123:52568: next payload type of ISAKMP Message has an unknown value: 132
2012:09:21-11:45:50 utm-1 pluto[26458]: packet from 89.204.137.123:52568: sending notification PAYLOAD_MALFORMED to 89.204.137.123:52568
2012:09:21-11:45:50 utm-1 pluto[26458]: packet from 89.204.137.123:52568: next payload type of ISAKMP Message has an unknown value: 132
2012:09:21-11:45:50 utm-1 pluto[26458]: packet from 89.204.137.123:52568: sending notification PAYLOAD_MALFORMED to 89.204.137.123:52568
2012:09:21-11:45:53 utm-1 pluto[26458]: packet from 89.204.137.123:52568: next payload type of ISAKMP Message has an unknown value: 132
2012:09:21-11:45:53 utm-1 pluto[26458]: packet from 89.204.137.123:52568: sending notification PAYLOAD_MALFORMED to 89.204.137.123:52568
2012:09:21-11:45:53 utm-1 pluto[26458]: packet from 89.204.137.123:52568: next payload type of ISAKMP Message has an unknown value: 132
2012:09:21-11:45:53 utm-1 pluto[26458]: packet from 89.204.137.123:52568: sending notification PAYLOAD_MALFORMED to 89.204.137.123:52568
2012:09:21-11:45:56 utm-1 pluto[26458]: packet from 89.204.137.123:52568: next payload type of ISAKMP Message has an unknown value: 132
2012:09:21-11:45:56 utm-1 pluto[26458]: packet from 89.204.137.123:52568: sending notification PAYLOAD_MALFORMED to 89.204.137.123:52568
2012:09:21-11:45:56 utm-1 pluto[26458]: packet from 89.204.137.123:52568: next payload type of ISAKMP Message has an unknown value: 132
2012:09:21-11:45:56 utm-1 pluto[26458]: packet from 89.204.137.123:52568: sending notification PAYLOAD_MALFORMED to 89.204.137.123:52568
2012:09:21-11:45:57 utm-1 pluto[26458]: packet from 89.204.137.123:52568: next payload type of ISAKMP Message has an unknown value: 132
2012:09:21-11:45:57 utm-1 pluto[26458]: packet from 89.204.137.123:52568: sending notification PAYLOAD_MALFORMED to 89.204.137.123:52568
2012:09:21-11:45:57 utm-1 pluto[26458]: "D_for Anselment to Internal (Network)"[4] 89.204.137.123:42730 #8: max number of retransmissions (2) reached STATE_MAIN_R2
2012:09:21-11:45:57 utm-1 pluto[26458]: packet from 89.204.137.123:52568: next payload type of ISAKMP Message has an unknown value: 132
2012:09:21-11:45:57 utm-1 pluto[26458]: packet from 89.204.137.123:52568: sending notification PAYLOAD_MALFORMED to 89.204.137.123:52568

I think only a new update will resolve this.

This thread was automatically locked due to age.

0 BAlfson over 12 years ago

What happens if you delete the profile from your phone and then re-install via Safari?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 GuyFawkes over 12 years ago in reply to BAlfson

What happens if you delete the profile from your phone and then re-install via Safari?

Cheers - Bob

I tried your suggestion, but with the same result.
Unfortunately re-installing doesn't solve this problem :-(

In my opinion, this problem exists since installing 9002-12 (before everything was allright with the VPN).
After that installation I had tested it once, it didn't work, so I thought that it was a temporary problem or a wrong configuration.

Now I read, that more users have this problem...

nice greetings
Cancel
Vote Up 0 Vote Down

Cancel
0 Scott_Klassen over 12 years ago

The general concensus on the Apple forums seems to be that the Cisco VPN client in IOS6 is broken, not just with Astaros. Apparently there's a bug with UDP packet fragmentation handling.
Cancel
Vote Up 0 Vote Down

Cancel
0 daCaPo over 12 years ago

Maybe this is of interest: If i disable NAT, the connection gets established.

See also https://community.sophos.com/products/unified-threat-management/astaroorg/f/58/t/54701 for another thread on the same issue.
Cancel
Vote Up 0 Vote Down

Cancel
0 ChristopherRuh over 12 years ago in reply to daCaPo

My Cisco VPN client worked fine on iOS 5 (Running 9.0002-12 before it was Up2Date released) and still works after the iOS 6 upgrade on my iPhone 4 and iPad 2. No reinstallation of the VPN profile was required. This is through 3G with a public IP or WiFi behind a NAT router.

NAT Traversal != NAT. NAT Traversal is used to make IPSec survive one side of the tunnel being NATed. Like if your iPad was behind a WiFi SOHO router at Starbucks. Traditional IPSec could only be used between two devices that had Publicly routable IP addresses. It wasn't until the implementation of NAT-T that one side NATed connectivity was possible through standard IPSec.
Cancel
Vote Up 0 Vote Down

Cancel
0 utmfan over 12 years ago

I can confirm my IPSec (Cisco) working on iOS 5.1(iPhone 4S), NOT working on iOS 6 (iPhone 4). Tested via 3G (same network provider on both devices).

Can someone with a working iOS6 solution provide details on their NAT customisations? I currently have no NAT rules at all.
Cancel
Vote Up 0 Vote Down

Cancel
0 daCaPo over 12 years ago in reply to utmfan

Hi,

there is still no solution to this problem, but an explanation and workaround available (at least it is working for me). See https://discussions.apple.com/message/19684739#19684739 for details.
Cancel
Vote Up 0 Vote Down

Cancel
0 FrankLin_01 over 12 years ago in reply to daCaPo
Hi,

I can confirm that the workaround solves the problem for me and our customers.

Here is the way I go:

Create a new X509 certificate in UTM certificate management
keep the values as short as possible
---
example:
Name             : XY
Key Size         : 1024
VPN-ID-Type      : Distinguished Name
Country          : Germany
State            : {empty}
City             : {empty}
Organization     : {empty}
Org.-Unit        : {empty}
Common Name      : XY
E-Mail           : {empty}

---
Assign the new certificate to the user
remove the users current VPN profile from his iOS 6 device
import the new VPN profile from user portal

The VPN connection should now work again.

Cheers
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 12 years ago
In many cases, creating a cert with empty fields will cause problems.  I would suggest the following example:

Name             : Local X509
Key Size         : 1024
VPN-ID-Type      : Distinguished Name
Country          : US
State            : OK
City             : OKC
Organization     : MediaSoft
Org.-Unit        : HQ
Common Name      : MediaSoft
E-Mail           : admin@mediasoftusa.com

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Spoony over 12 years ago

THANK YOU VERY VERY MUCH for this simple solution!
Cancel
Vote Up 0 Vote Down

Cancel