L2TP over IPsec with iPad

Hi All,

I am configuring my iPad running iOS 6.1.3 with my Astaro device running 9.105-9. I am using remote access L2TP over IPsec without the certificate, as I am using PFS.

When I try to connect I'm getting "VPN didn't respond" on the iPad and "Failed login attempt" when I check the logs.

09:28:42 pluto[30709]: packet from 172.22.49.148:500: unsupported exchange type ISAKMP_XCHG_AGGR in message
2013:09:10-09:28:42 pluto[30709]: packet from 172.22.49.148:500: sending notification UNSUPPORTED_EXCHANGE_TYPE to 172.22.49.148:500

Debugs:

2013:09:10-00:33:03 pluto[19153]: packet from 172.22.49.148:500: received Vendor ID payload [RFC 3947]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: received Vendor ID payload [XAUTH]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [Cisco-Unity]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: received Vendor ID payload [Dead Peer Detection]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: initial Main Mode message received on 98.230.170.140:500 but no connection has been authorized with policy=XAUTHPSK+XAUTHSERVER

I followed the document to the letter and even changed the override hostname to match, which I am thinking shouldn't matter since I'm not using certificates.

Any help would be greatly appreciated.

  • I am using PFS

    An IPsec Policy in use elsewhere in VPN configurations has no effect on L2TP - only the selections on the 'Advanced' tab have an effect.

    ISAKMP_XCHG_AGGR

    The UTM doesn't support Aggressive Mode, only Main Mode.  My iPhone is on 6.1.4, and I don't see a place to select Aggressive Mode for an L2TP client - how did you cause that?  Did you login to the User Portal with Safari and download the Remote Access Profile for iOS?

    Here's an example of a successful login from my iPhone:
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: received Vendor ID payload [RFC 3947]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: received Vendor ID payload [Dead Peer Detection]
    2013:09:10-11:51:27 utmsophos pluto[6160]: "L_for astaro"[3] 166.137.144.138:20927 #3: responding to Main Mode from unknown peer 166.137.144.138:20927
    2013:09:10-11:51:27 utmsophos pluto[6160]: "L_for astaro"[3] 166.137.144.138:20927 #3: NAT-Traversal: Result using RFC 3947: peer is NATed
    2013:09:10-11:51:28 utmsophos pluto[6160]: "L_for astaro"[3] 166.137.144.138:20927 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2013:09:10-11:51:28 utmsophos pluto[6160]: "L_for astaro"[3] 166.137.144.138:20927 #3: Peer ID is ID_IPV4_ADDR: '10.7.13.3'
    2013:09:10-11:51:28 utmsophos pluto[6160]: "L_for astaro"[4] 166.137.144.138:20927 #3: deleting connection "L_for astaro"[3] instance with peer 166.137.144.138 {isakmp=#0/ipsec=#0}
    2013:09:10-11:51:28 utmsophos pluto[6160]: "L_for astaro"[4] 166.137.144.138:20927 #3: Dead Peer Detection (RFC 3706) enabled
    2013:09:10-11:51:28 utmsophos pluto[6160]: | NAT-T: new mapping 166.137.144.138:20927/8664)
    2013:09:10-11:51:28 utmsophos pluto[6160]: "L_for astaro"[4] 166.137.144.138:8664 #3: sent MR3, ISAKMP SA established
    2013:09:10-11:51:29 utmsophos pluto[6160]: "L_for astaro"[2] 166.137.144.138:8664 #4: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
    2013:09:10-11:51:29 utmsophos pluto[6160]: "L_for astaro"[2] 166.137.144.138:8664 #4: responding to Quick Mode
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Plugin aua.so loaded.
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: AUA plugin initialized.
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Plugin ippool.so loaded.
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Plugin pppol2tp.so loaded.
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: pppd 2.4.5 started by (unknown), uid 0
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Using interface ppp0
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Connect: ppp0 
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Overriding mtu 1500 to 1380
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Overriding mru 1500 to mtu value 1380
    2013:09:10-11:51:29 utmsophos pluto[6160]: "L_for astaro"[2] 166.137.144.138:8664 #4: IPsec SA established {ESP=>0x0dfa7ca8 


    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
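    As an added example (not Bob's or the OP's code, and nothing shipped by Sophos): a small Python script that reads pluto lines in the format quoted above and tells a peer that tried Aggressive Mode, or that hit "no connection has been authorized", apart from one that got through Main Mode and both IPsec phases. The sample log lines are constructed for the example, with made-up timestamps and documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the pluto log format quoted in this thread (made-up addresses).
SAMPLE_LOG = """\
2013:09:10-09:28:42 pluto[30709]: packet from 192.0.2.10:500: unsupported exchange type ISAKMP_XCHG_AGGR in message
2013:09:10-09:28:42 pluto[30709]: packet from 192.0.2.10:500: sending notification UNSUPPORTED_EXCHANGE_TYPE to 192.0.2.10:500
2013:09:10-09:30:03 pluto[30709]: packet from 192.0.2.10:500: initial Main Mode message received on 203.0.113.5:500 but no connection has been authorized with policy=XAUTHPSK+XAUTHSERVER
2013:09:10-11:51:27 utm pluto[6160]: "L_for astaro"[3] 198.51.100.7:20927 #3: responding to Main Mode from unknown peer 198.51.100.7:20927
2013:09:10-11:51:28 utm pluto[6160]: "L_for astaro"[4] 198.51.100.7:8664 #3: sent MR3, ISAKMP SA established
2013:09:10-11:51:29 utm pluto[6160]: "L_for astaro"[2] 198.51.100.7:8664 #4: IPsec SA established {ESP=>0x0dfa7ca8
"""

# Peer address follows "packet from " before a connection is matched, or the instance index "[n] " afterwards.
PEER_RE = re.compile(r"(?:packet from |\[\d+\] )(\d+\.\d+\.\d+\.\d+):\d+")

# Message fragments mapped to the diagnosis a UTM admin wants; the first matching fragment wins.
PATTERNS = [
    ("unsupported exchange type ISAKMP_XCHG_AGGR", "client_used_aggressive_mode"),
    ("no connection has been authorized with policy=", "no_matching_policy"),
    ("responding to Main Mode", "main_mode_ok"),
    ("ISAKMP SA established", "phase1_established"),
    ("IPsec SA established", "phase2_established"),
]

def classify_line(line):
    """Return (peer_ip, tag) for a recognised pluto line, otherwise None."""
    m = PEER_RE.search(line)
    if not m:
        return None
    for fragment, tag in PATTERNS:
        if fragment in line:
            return m.group(1), tag
    return None

def summarize(log_text):
    """Collect distinct diagnoses per peer, in the order they were seen."""
    per_peer = defaultdict(list)
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit and hit[1] not in per_peer[hit[0]]:
            per_peer[hit[0]].append(hit[1])
    return dict(per_peer)

def outcome(tags):
    """Reduce a peer's tags to one verdict: success only once Phase 2 (IPsec SA) is up."""
    if "phase2_established" in tags:
        return "established"
    failures = [t for t in tags if t in ("client_used_aggressive_mode", "no_matching_policy")]
    return "failed: " + ", ".join(failures) if failures else "incomplete"
```

    Run summarize() over a copy of the IPsec live log and the peers that never get past Main Mode stand out immediately from the ones that only fail later in pppd authentication.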
  • I did not download the remote access profile. I just set it up under Remote Access > L2TP over IPsec...

    Should I use the profile?
  • Try it, it's cool and quick.  The other neat thing with iOS is to first get the OpenVPN app from the iTunes store and configure SSL VPN Remote Access in the UTM.  Then the Profile also populates the OpenVPN configuration in the iPhone.  It's now my preferred method because certificates are more secure than PSKs and the SSL VPN method works with Active Directory authentication.

    Cheers - Bob
  • Thank you for your help. I used the import settings via the portal to OpenVPN on the iPad.

    Worked like a charm.

    Thanks again!!!!!