Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 10 replies
  • Answers 2 answers
  • Subscribers 4 subscribers
  • Views 40721 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cisco VPN not working

LupUrus

Hi,

I just answered to this post: https://community.sophos.com/products/unified-threat-management/f/vpn-site-to-site-and-remote-access/78503/utm9-9-404-5-cisco-vpn-to-macos-10-11

But as I looked deeper, I saw, that the problem is maybe another one, so I now open another post.

We cannot connect with the VPN client of macOS anymore (problem exists since macOS 10.11). I don't know if the macOS update was the problem, but we didn't change the config of the Sophos UTM9.

What we do: We synchronize our users with an Active Directory and the SSL VPN software from the User Portal works. As well we activated Cisco VPN, but we cannot connect from macOS:  "unexpected error".

The UTM9 log says:

ERROR: asynchronous network error report on eth1 for message to ................ port 61168, complainant ................: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

ERROR: asynchronous network error report on eth1 for message to ................ port 61168, complainant ................: No route to host [errno 113, origin ICMP type 3 code 13 (not authenticated)]

...

"D_for Administrator to Internal (Network)-1"[2] ................:61170 #20: max number of retransmissions (2) reached STATE_MAIN_R2
"D_for Administrator to Internal (Network)-1"[2] ................:61170: deleting connection "D_for Administrator to Internal (Network)-1"[2] instance with peer ................ {isakmp=#0/ipsec=#0}

 

I also tried with a local only user.

 

Any ideas?



This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    Are you able to connect through a Windows system? MAC updates from 10.11.4 add support to encryption algorithm AES 256, refer this https://support.apple.com/en-us/HT206154 .

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    Hi, thanks for the answer. This change is not supported by the UTM9? I have the latest firmware.

    I can't try it from windows because I don't have an Cisco VPN Client (it's not free). Windows 10 itself doesn't support Cisco VPN.

  • 0 in reply to LupUrus

    Hi, and welcome to the UTM Community!

    You didn't say what version of UTM.  There was recently an OpenSSL vulnerability that was addressed by removing a cipher from the suite of those used by the UTM.  If you're on 9.407 but haven't updated the MAC OS, then my guess is that's your problem.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    It's an UTM 9 with the newest firmware: 9.407-3. As well I'm using the newest macOS Sierra (10.12).

    But: The prolem exists maybe since 9.405 and as well with macOS 10.11.

  • 0 in reply to LupUrus

    Here is the settings i use with MacOS Sierra and UTM 9.407

    I use IPSec instead of the Cisco IPsec VPN

    Sophos UTM 9.3 Certified Engineer
    Sophos UTM 9.3 Certified Architect
    Sophos XG v.15 Certified Engineer
    Sophos XG v.17 Certified Engineer
    Sophos XG v.17 Certified Architect

  • 0 in reply to KennethHolmqvist

    Thanks for your answer. How are your IPSec settings? And how did you configure macOS?

  • 0 in reply to LupUrus

    I use the IPSec with a preshared-key and the policy mentioned above. in Remote Access > IPSec

     

    on the mac i create a vpn adapter and then choose Cisco IPSec. Here is my macOS configuration.

    Sophos UTM 9.3 Certified Engineer
    Sophos UTM 9.3 Certified Architect
    Sophos XG v.15 Certified Engineer
    Sophos XG v.17 Certified Engineer
    Sophos XG v.17 Certified Architect

  • 0 in reply to KennethHolmqvist

    If you use the Cisco Client in the Mac, you will want to configure the Cisco VPN Client server in 'Remote Access' in WebAdmin.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to KennethHolmqvist

    Could you please also post a screenshot of you IPSec settings? And what kind of VPN-ID do you use?

    I'm getting the error:

     

    cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===xxx.xxx.xxx.xxx ...........

    sending encrypted notification INVALID_ID_INFORMATION to xxx.xxx.xx.xx

    Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf41870f2 (perhaps this is a duplicated packet)

     

     

    ---------

    @Bob: I tried that, but this doesn't work for me :(

  • 0 in reply to LupUrus

    Guys, I don't do Macs, but I do have an iPhone and I expect the process is identical for you.

    1. Configure 'Cisco VPN Client' in WebAdmin.  Configure the 'iOS devices' tab, noting that the cert you choose must have the same VPN ID as the FQDN used to reach it.
    2. Configure the User Portal so that you can reach it.
    3. Browse to the User Portal from your Mac.
    4. On the 'Remote Access' tab, enter a password in the 'iOS device VPN Configuration' and press [Install].
    5. You will be prompted several times by iOS to accept the install.
    6. Connect to your new VPN option.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0 in reply to LupUrus

    Guys, I don't do Macs, but I do have an iPhone and I expect the process is identical for you.

    1. Configure 'Cisco VPN Client' in WebAdmin.  Configure the 'iOS devices' tab, noting that the cert you choose must have the same VPN ID as the FQDN used to reach it.
    2. Configure the User Portal so that you can reach it.
    3. Browse to the User Portal from your Mac.
    4. On the 'Remote Access' tab, enter a password in the 'iOS device VPN Configuration' and press [Install].
    5. You will be prompted several times by iOS to accept the install.
    6. Connect to your new VPN option.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML