Can't authenticate IPsec VPN iOS client using AD group. AD users work fine.

As above. I'm using AD authentication with STAS. I have SSL-VPN and L2TP VPN working just fine to authenticate AD groups. But the Cisco IPsec VPN just won't work.

If I put individual AD users in the User and Groups list, it works just fine. But if I try with an AD group, or with a local group whose membership is synchronized with an AD group, I get the following in the IPsec VPN log:

2016:04:20-15:19:22 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: we have a cert and are sending it
2016:04:20-15:19:22 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: Dead Peer Detection (RFC 3706) enabled
2016:04:20-15:19:22 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: sent MR3, ISAKMP SA established
2016:04:20-15:19:22 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: sending XAUTH request
2016:04:20-15:19:36 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: parsing XAUTH reply
2016:04:20-15:19:36 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: extended authentication failed
2016:04:20-15:19:36 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: sending XAUTH status
2016:04:20-15:19:36 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: parsing XAUTH ack
2016:04:20-15:19:36 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930: deleting connection "D_for VPN Users to LAN (Network)-1"[10] instance with peer 166.176.187.113 {isakmp=#0/ipsec=#0}
2016:04:20-15:19:36 home pluto[6724]: packet from 166.176.187.113:53930: Informational Exchange is for an unknown (expired?) SA

What's up with this?
Matthew


  • Is XAUTH selected in the UTM but not in the iOS client?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This is for the Cisco IPsec VPN client for UTM 9.4. There are no XAUTH settings that I can see, and none available in the iOS profile you download from the user portal.

    -----------------------
    SG210/UTM 9.407-3

  • Which iOS client are you using?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • iOS 7.1 on iPhone 5s.

    -----------------------
    SG210/UTM 9.407-3

  • Ahh, now I see what we're discussing. I've been using the SSL VPN (OpenVPN client on iOS) for so long that I'd forgotten that there was a built-in client. In fact, when I tried to use my iPhone to connect to our UTM just now, I got the same lines in the log. Interestingly, my user is a Local user and not authed by our AD. Can you open a ticket with Support?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I've got a case open with support right now over the VPN client not getting pushed any routes to internal servers (after the 9.4 upgrade). Possibly this is related, so I've mentioned it to them, as you suggest.

    -----------------------
    SG210/UTM 9.407-3

  • Just a little follow-up to my own post.

    This issue doesn't seem related to the problem of routes not being pushed out.

    When I authenticate against one or more AD-synced user accounts, everything works fine, consistently. However, when I try to use an AD group, it's hit-or-miss. It seems that it's a cache issue. When the user has been cached as a member of the group, it works:

    2016:05:05-13:26:35 home aua[3684]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="166.176.186.55" host="" user="my.username" caller="REF_IpsRoaForActivDirec" engine="Cached"

    Otherwise:

    2016:05:05-13:22:38 home aua[10978]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="166.176.186.55" host="" user="matthew.arciniega" caller="REF_IpsRoaForActivDirec" reason="DENIED"

    In the IPsec log:

    2016:05:05-13:31:29 home pluto[6874]: packet from 166.176.186.55:61909: Informational Exchange is for an unknown (expired?) SA

    I've tried pre-caching the group in question. It works, but only for a few minutes.

    I need to go back to Sophos support on this, but I've been put off because of the length of time it takes them to pick up the issue and then escalate it. Other setup tasks are taking precedence for me.

    -----------------------
    SG210/UTM 9.407-3
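The two log sources quoted in this thread (the `pluto` IKE daemon lines in the first post and the `aua` authentication lines in the last one) are what an administrator has to correlate to see the cache pattern Matthew describes: a user passes only while the group lookup is served from the cache (`engine="Cached"`) and is denied once it expires. The script below is an added example, not code from the thread or from Sophos; it parses both line formats, builds a per-user tally of cached successes versus denials, and flags users whose only successes came from the cache. The `aua` message ids 3004/3005 and the `engine`/`reason` keys are taken from the lines on this page; the last sample line (a later denial for `my.username`) is constructed to show the "works for a few minutes" symptom.

```python
"""Correlate Sophos UTM 'aua' and 'pluto' log lines to spot cache-only XAUTH successes.

Added example for this thread; regexes assume the line layout shown in the posts.
"""
import re
from datetime import datetime

TS_FMT = "%Y:%m:%d-%H:%M:%S"
# "<ts> <host> <process>[<pid>]: <message>" -- layout of every line quoted in the thread
HEAD = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# aua messages are key="value" pairs
KV = re.compile(r'(\w+)="([^"]*)"')

# Sample input: lines copied from the thread plus one CONSTRUCTED denial
# (13:40:02, my.username) illustrating the cache entry expiring a few minutes later.
SAMPLE_LOG = """\
2016:04:20-15:19:36 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: extended authentication failed
2016:05:05-13:22:38 home aua[10978]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="166.176.186.55" host="" user="matthew.arciniega" caller="REF_IpsRoaForActivDirec" reason="DENIED"
2016:05:05-13:26:35 home aua[3684]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="166.176.186.55" host="" user="my.username" caller="REF_IpsRoaForActivDirec" engine="Cached"
2016:05:05-13:31:29 home pluto[6874]: packet from 166.176.186.55:61909: Informational Exchange is for an unknown (expired?) SA
2016:05:05-13:40:02 home aua[3684]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="166.176.186.55" host="" user="my.username" caller="REF_IpsRoaForActivDirec" reason="DENIED"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the UTM layout."""
    m = HEAD.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "host": m["host"],
        "proc": m["proc"],
        "pid": int(m["pid"]),
        "msg": m["msg"],
    }
    if rec["proc"] == "aua":
        # Flatten the key="value" pairs into the record (id, user, engine, reason, ...)
        rec.update(dict(KV.findall(m["msg"])))
    return rec


def auth_events(lines):
    """All aua authentication records, with 'ok' derived from message id 3004/3005."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proc"] == "aua" and rec.get("sub") == "auth":
            rec["ok"] = rec.get("id") == "3004"
            events.append(rec)
    return events


def xauth_failures(lines):
    """pluto records reporting a failed XAUTH exchange (the IKE side of an aua denial)."""
    return [
        r for r in (parse_line(l) for l in lines)
        if r and r["proc"] == "pluto" and "extended authentication failed" in r["msg"]
    ]


def per_user_summary(lines):
    """Tally successes, cached successes and denials per user, keeping denial reasons."""
    summary = {}
    for rec in auth_events(lines):
        entry = summary.setdefault(rec.get("user", "?"),
                                   {"ok": 0, "cached_ok": 0, "denied": 0, "reasons": []})
        if rec["ok"]:
            entry["ok"] += 1
            if rec.get("engine") == "Cached":
                entry["cached_ok"] += 1
        else:
            entry["denied"] += 1
            entry["reasons"].append(rec.get("reason", "?"))
    return summary


def cache_only_users(lines):
    """Users who were denied at least once and whose every success came from the cache."""
    return sorted(
        user for user, e in per_user_summary(lines).items()
        if e["ok"] and e["ok"] == e["cached_ok"] and e["denied"]
    )


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("XAUTH failures in pluto log:", len(xauth_failures(lines)))
    for user, e in per_user_summary(lines).items():
        print(f"{user}: ok={e['ok']} cached_ok={e['cached_ok']} denied={e['denied']} reasons={e['reasons']}")
    print("users passing only via cache:", cache_only_users(lines))
```

Run against a real `/var/log/aua.log` and `ipsec.log` export, the `cache_only_users` list is the set to check first: a user who only ever authenticates with `engine="Cached"` and is otherwise `DENIED` points at the group lookup failing whenever the cache entry has expired, which is the behaviour described in the last post.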