patch 9.408-4: IPsec VPN fails with AD user

Question

Hi community,

after applying patch 9.408-4 yesterday the IPsec VPN isn't working anymore if the user is a backend (AD) user. It works fine with local users. Looks to me like a (fixed) bug earlier this year.
Anything known about a "re-invention" of this bug?

Logfile shows:

2016:11:11-10:52:14 sophos pluto[6859]: | processing XAUTH_TYPE attribute
2016:11:11-10:52:14 sophos pluto[6859]: | processing XAUTH_USER_NAME attribute
2016:11:11-10:52:14 sophos pluto[6859]: | processing XAUTH_USER_PASSWORD attribute
2016:11:11-10:52:14 sophos pluto[6859]: | peer xauth user name is '<my user here>'
2016:11:11-10:52:16 sophos pluto[6859]: "<geht Euch nichts an> #3: extended authentication failed
2016:11:11-10:52:16 sophos pluto[6859]: "<geht Euch nichts an> #3: sending XAUTH status
2016:11:11-10:52:16 sophos pluto[6859]: | building XAUTH_STATUS attribute

Thanks in advance.

Mathias Löwe

This thread was automatically locked due to age.

BAlfson · Answer

Hi, Mathias, and welcome to the UTM Community! 
 First, what happens if you restore the backup made just prior to the Up2Date? If that doesn't resolve the issue, does a reboot of the UTM? If that, too, doesn't fix things, try deleting the IPsec Remote Access Rule and replacing it with a new, identical one. Any luck? 
 Cheers - Bob

Mathias Löwe · Answer

Hi Bob, thanks for the answers. After restoring the pre-update backup and a reboot it now works again. Maybe it was a temporary problem with the 2FA via Sophos authenticator (i forgot to mention this)?! I was pretty sure this is a bug since it looked exactly the same as in spring: VPN (with 2FA) was only possible with locally authenticated users but not with those from AD while login to user portal (using 2FA) and Webadmin with AD user was always possible. Ciao, Mathias