Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 1 subscriber
  • Views 3428 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

L2tp over ipsec with ipad

bobby_digital
Hi All,

I am configuring my IPAD runing IOS 6.1.3 with My Astaro device running 
9.105-9. I am using remote access L2TP OVER IPSEC without the certificate as I am using PFS. 

When I try to connect i'm getting vpn didnt respond from IPAD and Failed login attempt when I check the logs. 

09:28:42 pluto[30709]: packet from 172.22.49.148:500: unsupported exchange type ISAKMP_XCHG_AGGR in message
2013:09:10-09:28:42 pluto[30709]: packet from 172.22.49.148:500: sending notification UNSUPPORTED_EXCHANGE_TYPE to 172.22.49.148:500

Debugs:

2013:09:10-00:33:03 pluto[19153]: packet from 172.22.49.148:500: received Vendor ID payload [RFC 3947]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: received Vendor ID payload [XAUTH]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [Cisco-Unity]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: received Vendor ID payload [Dead Peer Detection]
2013:09:10-00:33:03  pluto[19153]: packet from 172.22.49.148:500: initial Main Mode message received on 98.230.170.140:500 but no connection has been authorized with policy=XAUTHPSK+XAUTHSERVER

I followed the document to the letter and even changed the override host name to match which I am thinking shouldn't matter since i'm not using certificates.



Any help would be greatly appreciated.


This thread was automatically locked due to age.
Parents
  • 0
    I am using PFS

    An IPsec Policy in use elsewhere in VPN configurations has no effect on L2TP - only the selections on the 'Advanced' tab have an effect.

    ISAKMP_XCHG_AGGR

    The UTM doesn't support Aggressive Mode, only Main Mode.  My iPhone is on 6.1.4, and I don't see a place to select Aggressive Mode for an L2TP client - how did you cause that?  Did you login to the User Portal with Safari and download the Remote Access Profile for iOS?

    Here's an example of a successful login from my iPhone:
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: received Vendor ID payload [RFC 3947]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: received Vendor ID payload [Dead Peer Detection]
    2013:09:10-11:51:27 utmsophos pluto[6160]: "L_for astaro"[3] 166.137.144.138:20927 #3: responding to Main Mode from unknown peer 166.137.144.138:20927
    2013:09:10-11:51:27 utmsophos pluto[6160]: "L_for astaro"[3] 166.137.144.138:20927 #3: NAT-Traversal: Result using RFC 3947: peer is NATed
    2013:09:10-11:51:28 utmsophos pluto[6160]: "L_for astaro"[3] 166.137.144.138:20927 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2013:09:10-11:51:28 utmsophos pluto[6160]: "L_for astaro"[3] 166.137.144.138:20927 #3: Peer ID is ID_IPV4_ADDR: '10.7.13.3'
    2013:09:10-11:51:28 utmsophos pluto[6160]: "L_for astaro"[4] 166.137.144.138:20927 #3: deleting connection "L_for astaro"[3] instance with peer 166.137.144.138 {isakmp=#0/ipsec=#0}
    2013:09:10-11:51:28 utmsophos pluto[6160]: "L_for astaro"[4] 166.137.144.138:20927 #3: Dead Peer Detection (RFC 3706) enabled
    2013:09:10-11:51:28 utmsophos pluto[6160]: | NAT-T: new mapping 166.137.144.138:20927/8664)
    2013:09:10-11:51:28 utmsophos pluto[6160]: "L_for astaro"[4] 166.137.144.138:8664 #3: sent MR3, ISAKMP SA established
    2013:09:10-11:51:29 utmsophos pluto[6160]: "L_for astaro"[2] 166.137.144.138:8664 #4: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
    2013:09:10-11:51:29 utmsophos pluto[6160]: "L_for astaro"[2] 166.137.144.138:8664 #4: responding to Quick Mode
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Plugin aua.so loaded.
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: AUA plugin initialized.
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Plugin ippool.so loaded.
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Plugin pppol2tp.so loaded.
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: pppd 2.4.5 started by (unknown), uid 0
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Using interface ppp0
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Connect: ppp0 
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Overriding mtu 1500 to 1380
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Overriding mru 1500 to mtu value 1380
    2013:09:10-11:51:29 utmsophos pluto[6160]: "L_for astaro"[2] 166.137.144.138:8664 #4: IPsec SA established {ESP=>0x0dfa7ca8 


    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0
    I am using PFS

    An IPsec Policy in use elsewhere in VPN configurations has no effect on L2TP - only the selections on the 'Advanced' tab have an effect.

    ISAKMP_XCHG_AGGR

    The UTM doesn't support Aggressive Mode, only Main Mode.  My iPhone is on 6.1.4, and I don't see a place to select Aggressive Mode for an L2TP client - how did you cause that?  Did you login to the User Portal with Safari and download the Remote Access Profile for iOS?

    Here's an example of a successful login from my iPhone:
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: received Vendor ID payload [RFC 3947]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    2013:09:10-11:51:27 utmsophos pluto[6160]: packet from 166.137.144.138:20927: received Vendor ID payload [Dead Peer Detection]
    2013:09:10-11:51:27 utmsophos pluto[6160]: "L_for astaro"[3] 166.137.144.138:20927 #3: responding to Main Mode from unknown peer 166.137.144.138:20927
    2013:09:10-11:51:27 utmsophos pluto[6160]: "L_for astaro"[3] 166.137.144.138:20927 #3: NAT-Traversal: Result using RFC 3947: peer is NATed
    2013:09:10-11:51:28 utmsophos pluto[6160]: "L_for astaro"[3] 166.137.144.138:20927 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2013:09:10-11:51:28 utmsophos pluto[6160]: "L_for astaro"[3] 166.137.144.138:20927 #3: Peer ID is ID_IPV4_ADDR: '10.7.13.3'
    2013:09:10-11:51:28 utmsophos pluto[6160]: "L_for astaro"[4] 166.137.144.138:20927 #3: deleting connection "L_for astaro"[3] instance with peer 166.137.144.138 {isakmp=#0/ipsec=#0}
    2013:09:10-11:51:28 utmsophos pluto[6160]: "L_for astaro"[4] 166.137.144.138:20927 #3: Dead Peer Detection (RFC 3706) enabled
    2013:09:10-11:51:28 utmsophos pluto[6160]: | NAT-T: new mapping 166.137.144.138:20927/8664)
    2013:09:10-11:51:28 utmsophos pluto[6160]: "L_for astaro"[4] 166.137.144.138:8664 #3: sent MR3, ISAKMP SA established
    2013:09:10-11:51:29 utmsophos pluto[6160]: "L_for astaro"[2] 166.137.144.138:8664 #4: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
    2013:09:10-11:51:29 utmsophos pluto[6160]: "L_for astaro"[2] 166.137.144.138:8664 #4: responding to Quick Mode
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Plugin aua.so loaded.
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: AUA plugin initialized.
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Plugin ippool.so loaded.
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Plugin pppol2tp.so loaded.
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: pppd 2.4.5 started by (unknown), uid 0
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Using interface ppp0
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Connect: ppp0 
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Overriding mtu 1500 to 1380
    2013:09:10-11:51:29 utmsophos pppd-l2tp[23916]: Overriding mru 1500 to mtu value 1380
    2013:09:10-11:51:29 utmsophos pluto[6160]: "L_for astaro"[2] 166.137.144.138:8664 #4: IPsec SA established {ESP=>0x0dfa7ca8 


    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML