L2TP over IPsec with UTM Release 9.700-5 Help

L2TP over IPsec was working great for years, then iOS13 came out and I can't connect anymore.  I've upgraded the UTM to 9.700-5 also.

I made the recommended changes per Apple (2048-bits and SHA-2, etc), but still can't connect via iOS13.

So I started going backwards and trying to connect with Windows 10 and am having an issue there now also.  I'm totally baffled.  I have triple checked the Pre-Shared key and account username and passwords also.  No dice.  Anyone have any recommendations for a 100% preferred working solution to Remote Access using L2TP over IPsec that I can use as a template and re-verify all this?

Here's my last log (from an iOS 13 device)...


2019:10:15-09:08:00 gateway pluto[6332]: loaded PSK secret for 111.222.333.444 %any
2019:10:15-09:08:00 gateway pluto[6332]: loading ca certificates from '/etc/ipsec.d/cacerts'
2019:10:15-09:08:00 gateway pluto[6332]: loaded ca certificate from '/etc/ipsec.d/cacerts/GoDaddyEmailCert Verification CA 2.pem'
2019:10:15-09:08:00 gateway pluto[6332]: loaded ca certificate from '/etc/ipsec.d/cacerts/GoDaddyEmailCert Verification CA 1.pem'
2019:10:15-09:08:00 gateway pluto[6332]: loaded ca certificate from '/etc/ipsec.d/cacerts/GoDaddyEmailCert Verification CA 3.pem'
2019:10:15-09:08:00 gateway pluto[6332]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
2019:10:15-09:08:00 gateway pluto[6332]: loading aa certificates from '/etc/ipsec.d/aacerts'
2019:10:15-09:08:00 gateway pluto[6332]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2019:10:15-09:08:00 gateway pluto[6332]: loading attribute certificates from '/etc/ipsec.d/acerts'
2019:10:15-09:08:00 gateway pluto[6332]: Changing to directory '/etc/ipsec.d/crls'
2019:10:15-09:08:21 gateway pluto[6332]: packet from 99.203.64.222:26867: received Vendor ID payload [RFC 3947]
2019:10:15-09:08:21 gateway pluto[6332]: packet from 99.203.64.222:26867: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
2019:10:15-09:08:21 gateway pluto[6332]: packet from 99.203.64.222:26867: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
2019:10:15-09:08:21 gateway pluto[6332]: packet from 99.203.64.222:26867: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
2019:10:15-09:08:21 gateway pluto[6332]: packet from 99.203.64.222:26867: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
2019:10:15-09:08:21 gateway pluto[6332]: packet from 99.203.64.222:26867: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
2019:10:15-09:08:21 gateway pluto[6332]: packet from 99.203.64.222:26867: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
2019:10:15-09:08:21 gateway pluto[6332]: packet from 99.203.64.222:26867: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2019:10:15-09:08:21 gateway pluto[6332]: packet from 99.203.64.222:26867: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2019:10:15-09:08:21 gateway pluto[6332]: packet from 99.203.64.222:26867: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2019:10:15-09:08:21 gateway pluto[6332]: packet from 99.203.64.222:26867: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2019:10:15-09:08:21 gateway pluto[6332]: packet from 99.203.64.222:26867: received Vendor ID payload [Dead Peer Detection]
2019:10:15-09:08:21 gateway pluto[6332]: "L_for mickey@mouse.com"[9] 99.203.64.222:26867 #17: responding to Main Mode from unknown peer 99.203.64.222:26867
2019:10:15-09:08:21 gateway pluto[6332]: "L_for mickey@mouse.com"[9] 99.203.64.222:26867 #17: NAT-Traversal: Result using RFC 3947: both are NATed
2019:10:15-09:08:21 gateway pluto[6332]: | NAT-T: new mapping 99.203.64.222:26867/34290)
2019:10:15-09:08:21 gateway pluto[6332]: "L_for mickey@mouse.com"[9] 99.203.64.222:34290 #17: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2019:10:15-09:08:21 gateway pluto[6332]: "L_for mickey@mouse.com"[9] 99.203.64.222:34290 #17: Peer ID is ID_IPV4_ADDR: '0.0.0.0'
2019:10:15-09:08:21 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: deleting connection "L_for mickey@mouse.com"[9] instance with peer 99.203.64.222 {isakmp=#0/ipsec=#0}
2019:10:15-09:08:21 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: Dead Peer Detection (RFC 3706) enabled
2019:10:15-09:08:21 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: sent MR3, ISAKMP SA established
2019:10:15-09:08:22 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: peer client ID payload ID_IPV4_ADDR is invalid (0.0.0.0) in Quick I1
2019:10:15-09:08:22 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: sending encrypted notification INVALID_ID_INFORMATION to 99.203.64.222:34290
2019:10:15-09:08:25 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x08dcb02c (perhaps this is a duplicated packet)
2019:10:15-09:08:25 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: sending encrypted notification INVALID_MESSAGE_ID to 99.203.64.222:34290
2019:10:15-09:08:28 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x08dcb02c (perhaps this is a duplicated packet)
2019:10:15-09:08:28 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: sending encrypted notification INVALID_MESSAGE_ID to 99.203.64.222:34290
2019:10:15-09:08:32 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x08dcb02c (perhaps this is a duplicated packet)
2019:10:15-09:08:32 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: sending encrypted notification INVALID_MESSAGE_ID to 99.203.64.222:34290
2019:10:15-09:08:35 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x08dcb02c (perhaps this is a duplicated packet)
2019:10:15-09:08:35 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: sending encrypted notification INVALID_MESSAGE_ID to 99.203.64.222:34290
2019:10:15-09:08:38 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x08dcb02c (perhaps this is a duplicated packet)
2019:10:15-09:08:38 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: sending encrypted notification INVALID_MESSAGE_ID to 99.203.64.222:34290
2019:10:15-09:08:41 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x08dcb02c (perhaps this is a duplicated packet)
2019:10:15-09:08:41 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: sending encrypted notification INVALID_MESSAGE_ID to 99.203.64.222:34290
2019:10:15-09:08:44 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x08dcb02c (perhaps this is a duplicated packet)
2019:10:15-09:08:44 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: sending encrypted notification INVALID_MESSAGE_ID to 99.203.64.222:34290
2019:10:15-09:08:48 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x08dcb02c (perhaps this is a duplicated packet)
2019:10:15-09:08:48 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: sending encrypted notification INVALID_MESSAGE_ID to 99.203.64.222:34290
2019:10:15-09:08:51 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x08dcb02c (perhaps this is a duplicated packet)
2019:10:15-09:08:51 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: sending encrypted notification INVALID_MESSAGE_ID to 99.203.64.222:34290
2019:10:15-09:08:52 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: received Delete SA payload: deleting ISAKMP State #17
2019:10:15-09:08:52 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290: deleting connection "L_for mickey@mouse.com"[10] instance with peer 99.203.64.222 {isakmp=#0/ipsec=#0}
2019:10:15-09:08:52 gateway pluto[6332]: ERROR: asynchronous network error report on eth1 for message to 99.203.64.222 port 34290, complainant 99.203.64.222: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

  • "2019:10:15-09:08:22 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: peer client ID payload ID_IPV4_ADDR is invalid (0.0.0.0) in Quick I1"

    This looks like a problem with the client.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
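As an added example (not code from the post or from Sophos), here is a small Python triage script that reads a pluto log the way Bob did: it groups the lines by ISAKMP state number, records whether Main Mode finished, and maps the first failing message onto an IKEv1 phase. The sample lines are an abbreviated copy of the log posted above, constructed for the example; the phase classification is the example's own reading of pluto's messages, not a Sophos diagnostic.

```python
"""Triage a pluto (IKEv1) log for an L2TP/IPsec client that cannot connect.

Added example; not code from the forum post or from Sophos. The phase
classification below is this example's own reading of pluto's messages.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: an abbreviated copy of the pluto log in the post above.
SAMPLE_LOG = """\
2019:10:15-09:08:21 gateway pluto[6332]: "L_for mickey@mouse.com"[9] 99.203.64.222:26867 #17: responding to Main Mode from unknown peer 99.203.64.222:26867
2019:10:15-09:08:21 gateway pluto[6332]: "L_for mickey@mouse.com"[9] 99.203.64.222:26867 #17: NAT-Traversal: Result using RFC 3947: both are NATed
2019:10:15-09:08:21 gateway pluto[6332]: "L_for mickey@mouse.com"[9] 99.203.64.222:34290 #17: Peer ID is ID_IPV4_ADDR: '0.0.0.0'
2019:10:15-09:08:21 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: sent MR3, ISAKMP SA established
2019:10:15-09:08:22 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: peer client ID payload ID_IPV4_ADDR is invalid (0.0.0.0) in Quick I1
2019:10:15-09:08:22 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: sending encrypted notification INVALID_ID_INFORMATION to 99.203.64.222:34290
2019:10:15-09:08:25 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x08dcb02c (perhaps this is a duplicated packet)
2019:10:15-09:08:25 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: sending encrypted notification INVALID_MESSAGE_ID to 99.203.64.222:34290
2019:10:15-09:08:52 gateway pluto[6332]: "L_for mickey@mouse.com"[10] 99.203.64.222:34290 #17: received Delete SA payload: deleting ISAKMP State #17
"""

# One pluto line: timestamp, host, daemon, then an optional
# "conn"[instance] peer #state: prefix before the free-text message.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+:\d+) #(?P<state>\d+): )?'
    r'(?P<msg>.*)$'
)
NOTIFY_RE = re.compile(r'sending encrypted notification (\w+) to')
PEER_ID_RE = re.compile(r"Peer ID is (\w+): '([^']*)'")


@dataclass
class IsakmpState:
    """What the responder saw for one ISAKMP state number (#17 in the post)."""
    number: str
    peer: str = ""
    peer_id: str = ""                 # Main Mode identity, e.g. ID_IPV4_ADDR=0.0.0.0
    phase1_established: bool = False  # "sent MR3, ISAKMP SA established"
    quick_mode_errors: list = field(default_factory=list)
    notifications: Counter = field(default_factory=Counter)
    deleted: bool = False


def parse_pluto_log(text):
    """Group pluto lines by ISAKMP state and record the handshake milestones."""
    states = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("state") is None:
            continue  # daemon start-up lines, "| NAT-T" debug lines, etc.
        st = states.setdefault(m.group("state"), IsakmpState(number=m.group("state")))
        st.peer = m.group("peer")
        msg = m.group("msg")
        pid = PEER_ID_RE.search(msg)
        if pid:
            st.peer_id = f"{pid.group(1)}={pid.group(2)}"
        if "ISAKMP SA established" in msg:
            st.phase1_established = True
        if "Quick I1" in msg or "Quick Mode I1" in msg:
            st.quick_mode_errors.append(msg)
        note = NOTIFY_RE.search(msg)
        if note:
            st.notifications[note.group(1)] += 1
        if "deleting ISAKMP State" in msg:
            st.deleted = True
    return states


def diagnose(st):
    """Return (phase, explanation) for where the exchange broke."""
    if not st.phase1_established:
        return "phase1", ("Main Mode never completed: check the PSK, the Phase 1 "
                          "proposals (DH group, hash, cipher) and NAT-T.")
    if st.notifications["INVALID_ID_INFORMATION"]:
        return "phase2-id", (
            "Phase 1 completed, so the PSK and proposals were accepted. The "
            f"client then offered an unusable Quick Mode identity (peer ID "
            f"{st.peer_id}); the {st.notifications['INVALID_MESSAGE_ID']} later "
            "INVALID_MESSAGE_ID notifications reuse the same Message ID and look "
            "like retransmits of the rejected message, not the root cause. "
            "Look at the client side.")
    if st.notifications["INVALID_MESSAGE_ID"]:
        return "phase2-retransmit", ("Only Quick Mode messages with a reused "
                                     "Message ID were seen; pluto treats them as duplicates.")
    if st.deleted:
        return "closed", "Peer deleted the ISAKMP SA without a Quick Mode error."
    return "ok", "No failure recorded for this state."


if __name__ == "__main__":
    for st in parse_pluto_log(SAMPLE_LOG).values():
        phase, why = diagnose(st)
        print(f"state #{st.number} from {st.peer}: {phase}\n  {why}")
```

The check worth taking from this: in IKEv1 Main Mode with a pre-shared key, the responder can only verify the initiator's HASH_I and send MR3 if both sides derived the same keys from the PSK, so "sent MR3, ISAKMP SA established" means the key and Phase 1 proposals were already accepted. The rejection in this log arrives in Quick Mode because the client identified itself as 0.0.0.0, which is why re-checking the PSK on the UTM does not change the result.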
  • Agreed - supposedly the 9.700-5 update to UTM should have fixed at least the iOS 13 update.

    I fear that the lack of a response to this question from someone at Sophos means something is broken.  At least I am hoping that is the case.

    Zack
