This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cisco VPN not working

Hi,

I just answered to this post: https://community.sophos.com/products/unified-threat-management/f/vpn-site-to-site-and-remote-access/78503/utm9-9-404-5-cisco-vpn-to-macos-10-11

But as I looked deeper, I saw, that the problem is maybe another one, so I now open another post.

We cannot connect with the VPN client of macOS anymore (problem exists since macOS 10.11). I don't know if the macOS update was the problem, but we didn't change the config of the Sophos UTM9.

What we do: We synchronize our users with an Active Directory and the SSL VPN software from the User Portal works. As well we activated Cisco VPN, but we cannot connect from macOS:  "unexpected error".

The UTM9 log says:

ERROR: asynchronous network error report on eth1 for message to ................ port 61168, complainant ................: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

ERROR: asynchronous network error report on eth1 for message to ................ port 61168, complainant ................: No route to host [errno 113, origin ICMP type 3 code 13 (not authenticated)]

...

"D_for Administrator to Internal (Network)-1"[2] ................:61170 #20: max number of retransmissions (2) reached STATE_MAIN_R2
"D_for Administrator to Internal (Network)-1"[2] ................:61170: deleting connection "D_for Administrator to Internal (Network)-1"[2] instance with peer ................ {isakmp=#0/ipsec=#0}

 

I also tried with a local only user.

 

Any ideas?



This thread was automatically locked due to age.
Parents Reply
  • Hi, and welcome to the UTM Community!

    You didn't say what version of UTM.  There was recently an OpenSSL vulnerability that was addressed by removing a cipher from the suite of those used by the UTM.  If you're on 9.407 but haven't updated the MAC OS, then my guess is that's your problem.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • It's an UTM 9 with the newest firmware: 9.407-3. As well I'm using the newest macOS Sierra (10.12).

    But: The prolem exists maybe since 9.405 and as well with macOS 10.11.

  • Here is the settings i use with MacOS Sierra and UTM 9.407

    I use IPSec instead of the Cisco IPsec VPN

    Sophos UTM 9.3 Certified Engineer
    Sophos UTM 9.3 Certified Architect
    Sophos XG v.15 Certified Engineer
    Sophos XG v.17 Certified Engineer
    Sophos XG v.17 Certified Architect

  • Thanks for your answer. How are your IPSec settings? And how did you configure macOS?

  • I use the IPSec with a preshared-key and the policy mentioned above. in Remote Access > IPSec

     

    on the mac i create a vpn adapter and then choose Cisco IPSec. Here is my macOS configuration.

    Sophos UTM 9.3 Certified Engineer
    Sophos UTM 9.3 Certified Architect
    Sophos XG v.15 Certified Engineer
    Sophos XG v.17 Certified Engineer
    Sophos XG v.17 Certified Architect

  • If you use the Cisco Client in the Mac, you will want to configure the Cisco VPN Client server in 'Remote Access' in WebAdmin.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Could you please also post a screenshot of you IPSec settings? And what kind of VPN-ID do you use?

    I'm getting the error:

     

    cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===xxx.xxx.xxx.xxx ...........

    sending encrypted notification INVALID_ID_INFORMATION to xxx.xxx.xx.xx

    Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf41870f2 (perhaps this is a duplicated packet)

     

     

    ---------

    @Bob: I tried that, but this doesn't work for me :(

  • Guys, I don't do Macs, but I do have an iPhone and I expect the process is identical for you.

    1. Configure 'Cisco VPN Client' in WebAdmin.  Configure the 'iOS devices' tab, noting that the cert you choose must have the same VPN ID as the FQDN used to reach it.
    2. Configure the User Portal so that you can reach it.
    3. Browse to the User Portal from your Mac.
    4. On the 'Remote Access' tab, enter a password in the 'iOS device VPN Configuration' and press [Install].
    5. You will be prompted several times by iOS to accept the install.
    6. Connect to your new VPN option.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA