This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

L2TP/ipsec working from windows but NOT from IOS

Hi,

I have this weird issue. HAving the same setup/credentials my windows machine can establish an L2TP/ipsec tunnel, but my iphone cannot. The same behavior regardless the type of network that the 2 clients are connecting from (WIFI / 4G). Any ideas ?

here's a chunk from the log, and the vpn attempt is over a 4g network:

2019:04:07-17:31:44 circlepath pluto[5860]: packet from 109.166.134.186:543: received Vendor ID payload [RFC 3947]
2019:04:07-17:31:44 circlepath pluto[5860]: packet from 109.166.134.186:543: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
2019:04:07-17:31:44 circlepath pluto[5860]: packet from 109.166.134.186:543: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
2019:04:07-17:31:44 circlepath pluto[5860]: packet from 109.166.134.186:543: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
2019:04:07-17:31:44 circlepath pluto[5860]: packet from 109.166.134.186:543: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
2019:04:07-17:31:44 circlepath pluto[5860]: packet from 109.166.134.186:543: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
2019:04:07-17:31:44 circlepath pluto[5860]: packet from 109.166.134.186:543: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
2019:04:07-17:31:44 circlepath pluto[5860]: packet from 109.166.134.186:543: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2019:04:07-17:31:44 circlepath pluto[5860]: packet from 109.166.134.186:543: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2019:04:07-17:31:44 circlepath pluto[5860]: packet from 109.166.134.186:543: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2019:04:07-17:31:44 circlepath pluto[5860]: packet from 109.166.134.186:543: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2019:04:07-17:31:44 circlepath pluto[5860]: packet from 109.166.134.186:543: received Vendor ID payload [Dead Peer Detection]
2019:04:07-17:31:44 circlepath pluto[5860]: "L_for MYUSER"[10] 109.166.134.186:543 #634: responding to Main Mode from unknown peer 109.166.134.186:543
2019:04:07-17:31:44 circlepath pluto[5860]: "L_for MYUSER"[10] 109.166.134.186:543 #634: NAT-Traversal: Result using RFC 3947: peer is NATed
2019:04:07-17:31:44 circlepath pluto[5860]: | NAT-T: new mapping 109.166.134.186:543/9533)
2019:04:07-17:31:44 circlepath pluto[5860]: "L_for MYUSER"[10] 109.166.134.186:9533 #634: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2019:04:07-17:31:44 circlepath pluto[5860]: "L_for MYUSER"[10] 109.166.134.186:9533 #634: Peer ID is ID_IPV4_ADDR: '10.176.202.10'
2019:04:07-17:31:44 circlepath pluto[5860]: "L_for MYUSER"[9] 109.166.134.186:9533 #634: deleting connection "L_for MYUSER"[10] instance with peer 109.166.134.186 {isakmp=#0/ipsec=#0}
2019:04:07-17:31:44 circlepath pluto[5860]: "L_for MYUSER"[9] 109.166.134.186:9533 #634: sent MR3, ISAKMP SA established
2019:04:07-17:31:48 circlepath pluto[5860]: "L_for MYUSER"[9] 109.166.134.186:9533 #634: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2019:04:07-17:31:51 circlepath pluto[5860]: "L_for MYUSER"[9] 109.166.134.186:9533 #634: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2019:04:07-17:31:54 circlepath pluto[5860]: "L_for MYUSER"[9] 109.166.134.186:9533 #634: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
2019:04:07-17:32:07 circlepath pluto[5860]: "L_for MYUSER"[9] 109.166.134.186:9533 #634: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3

Thank you,

This thread was automatically locked due to age.

Parents

0 BAlfson over 5 years ago

Salut Mircevski,

Please add the next 10 lines from the log.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 mircevski over 5 years ago in reply to BAlfson

Hi,

Here you go. There are 3 attempts here: 2 from 4G immediately consecutive, so no lines were excluded ... and 1 attempt from WIFI, a few seconds later. I do not see any different extra 10 lines, that is why I gave 2 consecutive attempts to prove that the next 10 are from new attempts.

Regards,

From 4G
Attempt 1
2019:04:10-00:52:24 circlepath pluto[5860]: packet from 37.251.223.32:543: received Vendor ID payload [RFC 3947]
2019:04:10-00:52:24 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
2019:04:10-00:52:24 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
2019:04:10-00:52:24 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
2019:04:10-00:52:24 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
2019:04:10-00:52:24 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
2019:04:10-00:52:24 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
2019:04:10-00:52:24 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2019:04:10-00:52:24 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2019:04:10-00:52:24 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2019:04:10-00:52:24 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2019:04:10-00:52:24 circlepath pluto[5860]: packet from 37.251.223.32:543: received Vendor ID payload [Dead Peer Detection]
2019:04:10-00:52:24 circlepath pluto[5860]: "L_for mircevski"[13] 37.251.223.32:543 #867: responding to Main Mode from unknown peer 37.251.223.32:543
2019:04:10-00:52:24 circlepath pluto[5860]: "L_for mircevski"[13] 37.251.223.32:543 #867: NAT-Traversal: Result using RFC 3947: peer is NATed
2019:04:10-00:52:24 circlepath pluto[5860]: | NAT-T: new mapping 37.251.223.32:543/9533)
2019:04:10-00:52:24 circlepath pluto[5860]: "L_for mircevski"[13] 37.251.223.32:9533 #867: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2019:04:10-00:52:24 circlepath pluto[5860]: "L_for mircevski"[13] 37.251.223.32:9533 #867: Peer ID is ID_IPV4_ADDR: '10.5.245.175'
2019:04:10-00:52:24 circlepath pluto[5860]: "L_for mircevski"[14] 37.251.223.32:9533 #867: deleting connection "L_for mircevski"[13] instance with peer 37.251.223.32 {isakmp=#0/ipsec=#0}
2019:04:10-00:52:24 circlepath pluto[5860]: "L_for mircevski"[14] 37.251.223.32:9533 #867: sent MR3, ISAKMP SA established
2019:04:10-00:52:27 circlepath pluto[5860]: "L_for mircevski"[14] 37.251.223.32:9533 #867: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2019:04:10-00:52:31 circlepath pluto[5860]: "L_for mircevski"[14] 37.251.223.32:9533 #867: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2019:04:10-00:52:33 circlepath pluto[5860]: "L_for mircevski"[14] 37.251.223.32:9533 #867: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
2019:04:10-00:52:46 circlepath pluto[5860]: "L_for mircevski"[14] 37.251.223.32:9533 #867: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
Attempt 2
2019:04:10-00:53:12 circlepath pluto[5860]: packet from 37.251.223.32:543: received Vendor ID payload [RFC 3947]
2019:04:10-00:53:12 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
2019:04:10-00:53:12 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
2019:04:10-00:53:12 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
2019:04:10-00:53:12 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
2019:04:10-00:53:12 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
2019:04:10-00:53:12 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
2019:04:10-00:53:12 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2019:04:10-00:53:12 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2019:04:10-00:53:12 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2019:04:10-00:53:12 circlepath pluto[5860]: packet from 37.251.223.32:543: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2019:04:10-00:53:12 circlepath pluto[5860]: packet from 37.251.223.32:543: received Vendor ID payload [Dead Peer Detection]
2019:04:10-00:53:12 circlepath pluto[5860]: "L_for mircevski"[15] 37.251.223.32:543 #868: responding to Main Mode from unknown peer 37.251.223.32:543
2019:04:10-00:53:12 circlepath pluto[5860]: "L_for mircevski"[15] 37.251.223.32:543 #868: NAT-Traversal: Result using RFC 3947: peer is NATed
2019:04:10-00:53:12 circlepath pluto[5860]: | NAT-T: new mapping 37.251.223.32:543/9533)
2019:04:10-00:53:12 circlepath pluto[5860]: "L_for mircevski"[15] 37.251.223.32:9533 #868: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2019:04:10-00:53:12 circlepath pluto[5860]: "L_for mircevski"[15] 37.251.223.32:9533 #868: Peer ID is ID_IPV4_ADDR: '10.5.245.175'
2019:04:10-00:53:12 circlepath pluto[5860]: "L_for mircevski"[14] 37.251.223.32:9533 #868: deleting connection "L_for mircevski"[15] instance with peer 37.251.223.32 {isakmp=#0/ipsec=#0}
2019:04:10-00:53:12 circlepath pluto[5860]: "L_for mircevski"[14] 37.251.223.32:9533 #868: sent MR3, ISAKMP SA established
2019:04:10-00:53:15 circlepath pluto[5860]: "L_for mircevski"[14] 37.251.223.32:9533 #868: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2019:04:10-00:53:18 circlepath pluto[5860]: "L_for mircevski"[14] 37.251.223.32:9533 #868: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2019:04:10-00:53:22 circlepath pluto[5860]: "L_for mircevski"[14] 37.251.223.32:9533 #868: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
2019:04:10-00:53:34 circlepath pluto[5860]: "L_for mircevski"[14] 37.251.223.32:9533 #868: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
FROM WIFI
2019:04:10-00:56:44 circlepath pluto[5860]: packet from 109.128.214.27:500: received Vendor ID payload [RFC 3947]
2019:04:10-00:56:44 circlepath pluto[5860]: packet from 109.128.214.27:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
2019:04:10-00:56:44 circlepath pluto[5860]: packet from 109.128.214.27:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
2019:04:10-00:56:44 circlepath pluto[5860]: packet from 109.128.214.27:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
2019:04:10-00:56:44 circlepath pluto[5860]: packet from 109.128.214.27:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
2019:04:10-00:56:44 circlepath pluto[5860]: packet from 109.128.214.27:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
2019:04:10-00:56:44 circlepath pluto[5860]: packet from 109.128.214.27:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
2019:04:10-00:56:44 circlepath pluto[5860]: packet from 109.128.214.27:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2019:04:10-00:56:44 circlepath pluto[5860]: packet from 109.128.214.27:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2019:04:10-00:56:44 circlepath pluto[5860]: packet from 109.128.214.27:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2019:04:10-00:56:44 circlepath pluto[5860]: packet from 109.128.214.27:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2019:04:10-00:56:44 circlepath pluto[5860]: packet from 109.128.214.27:500: received Vendor ID payload [Dead Peer Detection]
2019:04:10-00:56:44 circlepath pluto[5860]: "L_for mircevski"[16] 109.128.214.27 #869: responding to Main Mode from unknown peer 109.128.214.27
2019:04:10-00:56:44 circlepath pluto[5860]: "L_for mircevski"[16] 109.128.214.27 #869: NAT-Traversal: Result using RFC 3947: peer is NATed
2019:04:10-00:56:45 circlepath pluto[5860]: | NAT-T: new mapping 109.128.214.27:500/4500)
2019:04:10-00:56:45 circlepath pluto[5860]: "L_for mircevski"[16] 109.128.214.27:4500 #869: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2019:04:10-00:56:45 circlepath pluto[5860]: "L_for mircevski"[16] 109.128.214.27:4500 #869: Peer ID is ID_IPV4_ADDR: '192.168.1.45'
2019:04:10-00:56:45 circlepath pluto[5860]: "L_for mircevski"[17] 109.128.214.27:4500 #869: deleting connection "L_for mircevski"[16] instance with peer 109.128.214.27 {isakmp=#0/ipsec=#0}
2019:04:10-00:56:45 circlepath pluto[5860]: "L_for mircevski"[17] 109.128.214.27:4500 #869: sent MR3, ISAKMP SA established
2019:04:10-00:56:48 circlepath pluto[5860]: "L_for mircevski"[17] 109.128.214.27:4500 #869: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2019:04:10-00:56:51 circlepath pluto[5860]: "L_for mircevski"[17] 109.128.214.27:4500 #869: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2019:04:10-00:56:54 circlepath pluto[5860]: "L_for mircevski"[17] 109.128.214.27:4500 #869: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
2019:04:10-00:57:06 circlepath pluto[5860]: "L_for mircevski"[17] 109.128.214.27:4500 #869: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 5 years ago in reply to mircevski

I don't see anything that might indicate a problem with the UTM. What version(s) of iOS? What is 192.168.1.45? 10.5.245.175? Where are they relative to 109.128.214.27?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 dswartz over 5 years ago in reply to BAlfson

This is definitely odd. I have an L2TP VPN on my 9.5 gateway, and have 4 family members using it - all using relatively new iphones. One of them, the iOS is a couple of years old - everyone else recent updates. No apparent issues...
Cancel
Vote Up 0 Vote Down

Cancel
0 mircevski over 5 years ago in reply to dswartz

Hi and sorry for answering late,

The 192.168.1.45 is the local ip on the IOS phone while being on wifi. The wifi public ip address is 109.128.214.27.

The 10.5.245.175 is the ip addres local to the phone while being on 4G and the 37.251.223.32 is the public ip address.

One more detail, though ... this WORKED on the iphone until I've created a couple of site-to-site ipsec VPN tunnels. After that point only the windows machine continued to work with the same credentials, but the iphone not anymore.

Regards,
Cancel
Vote Up 0 Vote Down

Cancel
+1 mircevski over 4 years ago in reply to dswartz

Problem SOLVED. Solution was in the “Remote Access”-> IPSEC (not L2TP) -> Advanced -> “Preshared Key Settings” ... I had VPN ID Type set to hostname and in the below field I had my UTM’s hostname ... changed this to “IP Address” and left the field below empty and it worked. Now, why did it work ? Hmmm I don’t know. I would be quite curious why
Cancel
Vote Up 0 Vote Down

Cancel

Reply

+1 mircevski over 4 years ago in reply to dswartz

Problem SOLVED. Solution was in the “Remote Access”-> IPSEC (not L2TP) -> Advanced -> “Preshared Key Settings” ... I had VPN ID Type set to hostname and in the below field I had my UTM’s hostname ... changed this to “IP Address” and left the field below empty and it worked. Now, why did it work ? Hmmm I don’t know. I would be quite curious why
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data