
macOS built-in Cisco VPN

I can't connect with macOS built-in Cisco VPN client to Sophos UTM (latest OS on both).

Exporting either "IPsec VPN" or "iOS VPN config" from the User Portal downloads a file (.p12 and .mobileconfig respectively) which, if I double-click it, installs my VPN user's private key (X509 user cert) and a trust certificate (CA) for my Sophos UTM. The only difference is that with the iOS profile, the CA certificate is trusted, and it contains a VPN configuration for macOS.

In both cases, when I try to connect, I get the following error message: "Could not validate the server certificate. Verify your settings and try reconnecting".

My iPhone can connect perfectly with the same exported configuration profile.

 

Reading the log entries for successful and failed connections, they are identical up until the 4th response the Sophos UTM gets from my Mac.

In the successful connection from iOS, the exchange type is not ISAKMP_XCHG_INFO; it is ISAKMP_XCHG_MODE_CFG, see log extract below. Not sure what to do with this info though ;-)

 

Has anyone managed to successfully connect to the Sophos Cisco VPN using the native macOS client? Any input appreciated :-)

 

Kind regards,

Håkan

 

Log extract from a failed vpn connection attempt:

| *received 92 bytes from 1.2.3.4:4500 on eth1
| **parse ISAKMP Message:
| initiator cookie:
| cf a1 5a 57 46 83 54 4c
| responder cookie:
| 2b 26 05 aa 50 1b 33 05
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_INFO
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: d0 76 63 c0
| length: 92
| ICOOKIE: cf a1 5a 57 46 83 54 4c
| RCOOKIE: 2b 26 05 aa 50 1b 33 05
| peer: d5 15 7b b3
| state hash entry 25
| state object not found
packet from 1.2.3.4:4500: Informational Exchange is for an unknown (expired?) SA
| next event EVENT_RETRANSMIT in 10 seconds for #6
|
| *time to handle event
| event after this is EVENT_DPD in 10 seconds
| handling event EVENT_RETRANSMIT for 1.2.3.4 "D_for my_vpn_user to my_sophos_int (Network)-1" #6
| inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #6
| next event EVENT_DPD in 10 seconds for #6
| rejected packet:
|
| control:
| 2c 00 00 00 00 00 00 00 0b 00 00 00 6f 00 00 00
| 02 03 03 00 00 00 00 00 00 00 00 00 02 00 00 00
| d5 15 7b b3 00 00 00 00 00 00 00 00
| name:
| 02 00 11 94 d5 15 7b b3 00 00 00 00 00 00 00 00
ERROR: asynchronous network error report on eth1 for message to 1.2.3.4 port 4500, complainant 1.2.3.4: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
| next event EVENT_DPD in 10 seconds for #6
|
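The log above prints the decoded ISAKMP header of the rejected datagram (cookies, next payload, version, exchange type, flags, message ID, length) and then reports "state object not found". The following is an added example, not code from the thread or from Sophos UTM: it rebuilds a 92-byte datagram from exactly those header values (the 64-byte encrypted body is a constructed zero-filled placeholder, since the log never shows it), parses the header with the RFC 2408 layout, and models the responder's cookie-pair state lookup so the difference the poster noticed between ISAKMP_XCHG_INFO (macOS) and ISAKMP_XCHG_MODE_CFG (iOS) is visible in code. The `triage` function is a simplified illustration of that lookup, not the UTM's actual logic; the exchange-type numbers (Informational = 5, mode-config transaction = 6) and payload type HASH = 8 are the values pluto-style logs name.

```python
"""Decode the ISAKMP (IKEv1) header fields that appear in the pluto-style log
above and model the responder's rejection of an Informational exchange for an
SA it does not know. Added example; not Sophos UTM code."""
import struct
from dataclasses import dataclass

HEADER_LEN = 28              # fixed ISAKMP header size (RFC 2408, section 3.1)
HEADER_FMT = "!8s8sBBBB4sI"  # icookie, rcookie, next payload, version, xchg, flags, msg id, length

ISAKMP_NEXT_HASH = 8         # payload type HASH, as in the log
ISAKMP_FLAG_ENCRYPTION = 0x01

# Exchange types as named in pluto-derived logs: RFC 2408 values plus the
# mode-config transaction exchange (6) used by XAUTH/Cisco-style clients.
ISAKMP_XCHG_INFO = 5
ISAKMP_XCHG_MODE_CFG = 6
EXCHANGE_TYPES = {
    2: "ISAKMP_XCHG_IDPROT",
    4: "ISAKMP_XCHG_AGGR",
    5: "ISAKMP_XCHG_INFO",
    6: "ISAKMP_XCHG_MODE_CFG",
    32: "ISAKMP_XCHG_QUICK",
}


@dataclass(frozen=True)
class IsakmpHeader:
    icookie: bytes
    rcookie: bytes
    next_payload: int
    version: str
    exchange_type: int
    flags: int
    message_id: bytes
    length: int

    @property
    def exchange_name(self) -> str:
        return EXCHANGE_TYPES.get(self.exchange_type, f"UNKNOWN({self.exchange_type})")

    @property
    def encrypted(self) -> bool:
        return bool(self.flags & ISAKMP_FLAG_ENCRYPTION)


def parse_isakmp_header(pkt: bytes) -> IsakmpHeader:
    """Parse the 28-byte header and check the declared length against the datagram."""
    if len(pkt) < HEADER_LEN:
        raise ValueError(f"short packet: {len(pkt)} bytes")
    ic, rc, npl, ver, xchg, flags, mid, length = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    if length != len(pkt):
        raise ValueError(f"length field {length} does not match datagram size {len(pkt)}")
    return IsakmpHeader(ic, rc, npl, f"{ver >> 4}.{ver & 0xF}", xchg, flags, mid, length)


def triage(hdr: IsakmpHeader, live_sas: set[tuple[bytes, bytes]]) -> str:
    """Simplified model of the state lookup seen in the log: the cookie pair selects
    a phase-1 state; with no state the packet is rejected, and for an Informational
    exchange that is reported as an unknown (expired?) SA."""
    if (hdr.icookie, hdr.rcookie) not in live_sas:
        if hdr.exchange_type == ISAKMP_XCHG_INFO:
            return "reject: Informational Exchange is for an unknown (expired?) SA"
        return f"reject: {hdr.exchange_name} with no matching state"
    if hdr.exchange_type == ISAKMP_XCHG_MODE_CFG:
        return "accept: mode-config transaction on an established phase-1 SA"
    return f"accept: {hdr.exchange_name}"


def build_packet(icookie, rcookie, next_payload, exchange_type, flags, message_id, body):
    """Assemble a datagram from header fields plus an opaque body (version byte 0x10 = 1.0)."""
    hdr = struct.pack(HEADER_FMT, icookie, rcookie, next_payload, 0x10,
                      exchange_type, flags, message_id, HEADER_LEN + len(body))
    return hdr + body


# Header values copied from the failed-connection log. The body is a constructed
# placeholder: the log prints only the header and the real body is encrypted.
LOG_ICOOKIE = bytes.fromhex("cfa15a574683544c")
LOG_RCOOKIE = bytes.fromhex("2b2605aa501b3305")
LOG_MESSAGE_ID = bytes.fromhex("d07663c0")
OPAQUE_BODY = bytes(92 - HEADER_LEN)

FAILED_PACKET = build_packet(LOG_ICOOKIE, LOG_RCOOKIE, ISAKMP_NEXT_HASH,
                             ISAKMP_XCHG_INFO, ISAKMP_FLAG_ENCRYPTION, LOG_MESSAGE_ID, OPAQUE_BODY)
# Constructed counterpart: same cookies, but the exchange type the poster saw from iOS.
MODECFG_PACKET = build_packet(LOG_ICOOKIE, LOG_RCOOKIE, ISAKMP_NEXT_HASH,
                              ISAKMP_XCHG_MODE_CFG, ISAKMP_FLAG_ENCRYPTION, LOG_MESSAGE_ID, OPAQUE_BODY)

if __name__ == "__main__":
    for name, pkt in (("macOS", FAILED_PACKET), ("iOS", MODECFG_PACKET)):
        h = parse_isakmp_header(pkt)
        print(f"{name}: {h.exchange_name} len={h.length} enc={h.encrypted} "
              f"cookies={h.icookie.hex()}/{h.rcookie.hex()} "
              f"no-state={triage(h, set())} | with-state={triage(h, {(LOG_ICOOKIE, LOG_RCOOKIE)})}")
```

Running it shows the point of the poster's comparison: an encrypted Informational with a cookie pair the responder no longer holds is dropped regardless of its content, whereas the iOS client's fourth message continues the mode-config transaction on the established phase-1 state. The cookie pair printed in the log (ICOOKIE/RCOOKIE) is what to compare against the SAs the UTM still holds for the Mac when reading the failed trace.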



This thread was automatically locked due to age.
  • Hi Hakan,

    Any help from a community thread here?

    Cheers-

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • There's a recent, buggy version of iOS that has problems.  Does this problem go away if you upgrade the OS?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    There's a recent, buggy version of iOS that has problems.  Does this problem go away if you upgrade the OS?

     

    Hakan Marklund said:

    My iPhone can connect perfectly with the same exported configuration profile.

    Thanks for your input, BAlfson. The problem is only with macOS though. On iOS, VPN works just fine "out-of-the-box" after downloading the configuration profile from the User Portal.