iOS VPN Sophos XG

Hi folks,

I don't know exactly since when, to be honest - but yesterday I recognized that my iOS On Demand VPN stopped working. I tried to reconfigure it now with certificate authentication (because - I have wanted to do this for a long time) but still no success.

What I've done -- Configured Sophos Connect as always. Then I downloaded the mobileconfig for iOS via UserPortal and imported it successfully to my iPhone. So here stops the fun :-O

The phone tries to connect and gives me an error that the communication with the VPN server fails. That's the corresponding log on the Sophos XG console (I just obfuscated my IPs and certificate details):

2019-07-24 06:56:14 27[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (848 bytes)
2019-07-24 06:56:14 27[ENC] <2> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
2019-07-24 06:56:14 27[IKE] <2> received NAT-T (RFC 3947) vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2019-07-24 06:56:14 27[IKE] <2> received XAuth vendor ID
2019-07-24 06:56:14 27[IKE] <2> received Cisco Unity vendor ID
2019-07-24 06:56:14 27[IKE] <2> received FRAGMENTATION vendor ID
2019-07-24 06:56:14 27[IKE] <2> received DPD vendor ID
2019-07-24 06:56:14 27[IKE] <2> --this-is-my-mobile-ip-- is initiating a Main Mode IKE_SA
2019-07-24 06:56:14 27[ENC] <2> generating ID_PROT response 0 [ SA V V V V V ]
2019-07-24 06:56:14 27[NET] <2> sending packet: from --this-is-my-official-ip--[500] to --this-is-my-mobile-ip--[500] (180 bytes)
2019-07-24 06:56:14 30[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (380 bytes)
2019-07-24 06:56:14 30[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2019-07-24 06:56:14 30[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2019-07-24 06:56:14 30[NET] <2> sending packet: from --this-is-my-official-ip--[500] to --this-is-my-mobile-ip--[500] (396 bytes)
2019-07-24 06:56:14 28[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (1280 bytes)
2019-07-24 06:56:14 28[ENC] <2> parsed ID_PROT request 0 [ FRAG(1) ]
2019-07-24 06:56:14 28[ENC] <2> received fragment #1, waiting for complete IKE message
2019-07-24 06:56:14 07[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (500 bytes)
2019-07-24 06:56:14 07[ENC] <2> parsed ID_PROT request 0 [ FRAG(2/2) ]
2019-07-24 06:56:14 07[ENC] <2> received fragment #2, reassembling fragmented IKE message
2019-07-24 06:56:14 07[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (1708 bytes)
2019-07-24 06:56:14 07[ENC] <2> parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
2019-07-24 06:56:14 07[IKE] <2> ignoring certificate request without data
2019-07-24 06:56:14 07[IKE] <2> received end entity cert "C=AT, ST=NA, L=NA, O=PRIVATE, OU=OU, CN=remote.example.com, E=void@example.com"
2019-07-24 06:56:14 07[CFG] <2> looking for XAuthInitRSA peer configs matching --this-is-my-official-ip--...--this-is-my-mobile-ip--[C=AT, ST=NA, L=NA, O=PRIVATE, OU=OU, CN=remote.example.com, E=void@example.com]
2019-07-24 06:56:14 07[IKE] <2> no peer config found
2019-07-24 06:56:14 07[ENC] <2> generating INFORMATIONAL_V1 request 274853226 [ HASH N(AUTH_FAILED) ]
2019-07-24 06:56:14 07[NET] <2> sending packet: from --this-is-my-official-ip--[500] to --this-is-my-mobile-ip--[500] (108 bytes)
2019-07-24 06:56:17 12[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:17 14[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:21 16[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:21 15[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:24 19[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:24 17[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:37 08[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:37 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side

Do you have any idea why it stopped working? I'm actually on the latest SFOS 17.5.7 MR-7 version. I also tried to go back to SFOS 17.5.5 MR-5 but still the same issue.

Thx for any advice!

BR
Florian

  • Hi  

    I would request you to verify the configuration using the given articles and ensure the certificates for local and remote are configured and applied in the VPN configuration.

    https://community.sophos.com/kb/en-us/123138

    https://community.sophos.com/kb/en-us/123137

  • In reply to Keyur:

    Hi Keyur,

    Unfortunately both of these entries helped nothing. As I mentioned it STOPPED working - that means it worked before :)

    Thx

  • In reply to florianmulatz:

    Hi  

    I would request you to contact our technical support team and open a support case to investigate the issue further.

  • In reply to Keyur:

    Hi,

    Unfortunately - I only have the Free-Home-Version so I guess there is only Community support available for me :)

    BR

  • In reply to florianmulatz:

    Hi  

    I will perform the same scenario at my end and share the results with you, meanwhile can you please share screenshots of your iOS configuration and XG configuration?

  • In reply to Keyur:

    Hey Keyur,

    Here you go (only obfuscated my real IP and hostname) ->

    As I told you I simply downloaded the configuration profile via UserPortal so nothing to share there.

  • In reply to florianmulatz:

    Hi  

    The configuration seems to be correct, it should work.

    Can you please execute the below command and share the logs.

    "show vpn IPSec-logs" from the console

    Please also share the logs when you connect, using the command: tcpdump 'port 500 or 4500'

    Are you using IPsec in iOS configuration?

  • In reply to Keyur:

    Hey Keyur,

    Here you go:

    console> show vpn IPSec-logs
    2019-07-25 14:22:44 29[NET] <8> received packet: from 80.110.39.23[500] to 84.112.164.56[500] (848 bytes)
    2019-07-25 14:22:44 29[ENC] <8> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
    2019-07-25 14:22:44 29[IKE] <8> received NAT-T (RFC 3947) vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received XAuth vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received Cisco Unity vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received FRAGMENTATION vendor ID
    2019-07-25 14:22:44 29[IKE] <8> received DPD vendor ID
    2019-07-25 14:22:44 29[IKE] <8> 80.110.39.23 is initiating a Main Mode IKE_SA
    2019-07-25 14:22:44 29[ENC] <8> generating ID_PROT response 0 [ SA V V V V V ]
    2019-07-25 14:22:44 29[NET] <8> sending packet: from 84.112.164.56[500] to 80.110.39.23[500] (180 bytes)
    2019-07-25 14:22:44 18[NET] <8> received packet: from 80.110.39.23[500] to 84.112.164.56[500] (380 bytes)
    2019-07-25 14:22:44 18[ENC] <8> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    2019-07-25 14:22:44 18[IKE] <8> remote host is behind NAT
    2019-07-25 14:22:44 18[ENC] <8> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    2019-07-25 14:22:44 18[NET] <8> sending packet: from 84.112.164.56[500] to 80.110.39.23[500] (396 bytes)
    2019-07-25 14:22:44 25[NET] <8> received packet: from 80.110.39.23[4500] to 84.112.164.56[4500] (1280 bytes)
    2019-07-25 14:22:44 25[ENC] <8> parsed ID_PROT request 0 [ FRAG(1) ]
    2019-07-25 14:22:44 25[ENC] <8> received fragment #1, waiting for complete IKE message
    2019-07-25 14:22:44 01[NET] <8> received packet: from 80.110.39.23[4500] to 84.112.164.56[4500] (500 bytes)
    2019-07-25 14:22:44 01[ENC] <8> parsed ID_PROT request 0 [ FRAG(2/2) ]
    2019-07-25 14:22:44 01[ENC] <8> received fragment #2, reassembling fragmented IKE message
    2019-07-25 14:22:44 01[NET] <8> received packet: from 80.110.39.23[4500] to 84.112.164.56[4500] (1708 bytes)
    2019-07-25 14:22:44 01[ENC] <8> parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
    2019-07-25 14:22:44 01[IKE] <8> ignoring certificate request without data
    2019-07-25 14:22:44 01[IKE] <8> received end entity cert "C=AT, ST=NA, L=NA, O=PRIVATE, OU=OU, CN=remote.mulatz.at, E=void@mulatz.at"
    2019-07-25 14:22:44 01[CFG] <8> looking for XAuthInitRSA peer configs matching 84.112.164.56...80.110.39.23[C=AT, ST=NA, L=NA, O=PRIVATE, OU=OU, CN=remote.mulatz.at, E=void@mulatz.at]
    2019-07-25 14:22:44 01[IKE] <8> no peer config found
    2019-07-25 14:22:44 01[ENC] <8> generating INFORMATIONAL_V1 request 3609428277 [ HASH N(AUTH_FAILED) ]
    2019-07-25 14:22:44 01[NET] <8> sending packet: from 84.112.164.56[4500] to 80.110.39.23[4500] (108 bytes)
    2019-07-25 14:22:47 08[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:22:47 31[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:22:50 23[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:22:50 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:22:53 16[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:22:53 28[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:23:07 27[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side
    2019-07-25 14:23:07 29[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (46FE9097) from other side

    console> tcpdump 'port 500 or 4500'
    tcpdump: Starting Packet Dump
    14:25:23.917528 PortB, IN: IP 80.110.39.23.500 > 84.112.164.56.500: isakmp: phase 1 I ident
    14:25:23.918776 PortB, OUT: IP 84.112.164.56.500 > 80.110.39.23.500: isakmp: phase 1 R ident
    14:25:24.028941 PortB, IN: IP 80.110.39.23.500 > 84.112.164.56.500: isakmp: phase 1 I ident
    14:25:24.036437 PortB, OUT: IP 84.112.164.56.500 > 80.110.39.23.500: isakmp: phase 1 R ident
    14:25:24.116105 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I identEmail
    14:25:24.116911 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I identEmail
    14:25:24.117490 PortB, OUT: IP 84.112.164.56.4500 > 80.110.39.23.4500: NONESP-encap: isakmp: phase 2/others R infEmail
    14:25:27.265366 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I identEmail
    14:25:27.266282 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I identEmail
    14:25:30.446517 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I identEmail
    14:25:30.447342 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I identEmail
    14:25:33.550779 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I identEmail
    14:25:33.551074 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I identEmail
    14:25:46.648445 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I identEmail
    14:25:46.649545 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I identEmail
    ^C
    15 packets captured
    15 packets received by filter
    0 packets dropped by kernel

    To your last question - Yes - as I told - I downloaded the .mobileconfig file via the userportal!

    BR Florian

  • In reply to florianmulatz:

    Hi  

    Thank you for sharing the logs. It seems to be a security parameter mismatch. Please allow us some time to analyze the logs and meanwhile, I request you to verify with a preshared key.

  • In reply to Keyur:

    Hey,

    Checked with a preshared key as well - same problem.

    Here you go with the new logs:

    2019-07-26 11:51:41 23[NET] <15> received packet: from 80.110.39.23[500] to 84.112.164.56[500] (848 bytes)
    2019-07-26 11:51:41 23[ENC] <15> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
    2019-07-26 11:51:41 23[IKE] <15> received NAT-T (RFC 3947) vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received XAuth vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received Cisco Unity vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received FRAGMENTATION vendor ID
    2019-07-26 11:51:41 23[IKE] <15> received DPD vendor ID
    2019-07-26 11:51:41 23[IKE] <15> 80.110.39.23 is initiating a Main Mode IKE_SA
    2019-07-26 11:51:41 23[ENC] <15> generating ID_PROT response 0 [ SA V V V V V ]
    2019-07-26 11:51:41 23[NET] <15> sending packet: from 84.112.164.56[500] to 80.110.39.23[500] (180 bytes)
    2019-07-26 11:51:41 18[NET] <15> received packet: from 80.110.39.23[500] to 84.112.164.56[500] (380 bytes)
    2019-07-26 11:51:41 18[ENC] <15> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    2019-07-26 11:51:41 18[IKE] <15> remote host is behind NAT
    2019-07-26 11:51:41 18[ENC] <15> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    2019-07-26 11:51:41 18[NET] <15> sending packet: from 84.112.164.56[500] to 80.110.39.23[500] (396 bytes)
    2019-07-26 11:51:41 27[NET] <15> received packet: from 80.110.39.23[4500] to 84.112.164.56[4500] (108 bytes)
    2019-07-26 11:51:41 27[ENC] <15> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    2019-07-26 11:51:41 27[CFG] <15> looking for XAuthInitPSK peer configs matching 84.112.164.56...80.110.39.23[192.168.250.41]
    2019-07-26 11:51:41 27[IKE] <15> no peer config found
    2019-07-26 11:51:41 27[ENC] <15> generating INFORMATIONAL_V1 request 2390229987 [ HASH N(AUTH_FAILED) ]
    2019-07-26 11:51:41 27[NET] <15> sending packet: from 84.112.164.56[4500] to 80.110.39.23[4500] (108 bytes)
    2019-07-26 11:51:44 15[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B0853EC4) from other side
    2019-07-26 11:51:47 01[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B0853EC4) from other side
    2019-07-26 11:51:50 24[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B0853EC4) from other side
    2019-07-26 11:52:03 11[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B0853EC4) from other side

    console> tcpdump 'port 500 or 4500'
    tcpdump: Starting Packet Dump
    11:51:41.251009 PortB, IN: IP 80.110.39.23.500 > 84.112.164.56.500: isakmp: phase 1 I ident
    11:51:41.252110 PortB, OUT: IP 84.112.164.56.500 > 80.110.39.23.500: isakmp: phase 1 R ident
    11:51:41.368920 PortB, IN: IP 80.110.39.23.500 > 84.112.164.56.500: isakmp: phase 1 I ident
    11:51:41.376492 PortB, OUT: IP 84.112.164.56.500 > 80.110.39.23.500: isakmp: phase 1 R ident
    11:51:41.436425 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I identEmail
    11:51:41.436869 PortB, OUT: IP 84.112.164.56.4500 > 80.110.39.23.4500: NONESP-encap: isakmp: phase 2/others R infEmail
    11:51:44.510096 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I identEmail
    11:51:47.507170 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I identEmail
    11:51:50.513345 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I identEmail
    11:52:03.671482 PortB, IN: IP 80.110.39.23.4500 > 84.112.164.56.4500: NONESP-encap: isakmp: phase 1 I identEmail
    ^C
    10 packets captured
    10 packets received by filter
    0 packets dropped by kernel
    console>

    BR Florian
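The decisive lines in both of Florian's captures are the `[CFG]` lookup ("looking for XAuthInitRSA/XAuthInitPSK peer configs matching ...") followed by "no peer config found" and the `N(AUTH_FAILED)` notification; the invalid-SPI alerts that follow are the phone retransmitting for an SA the firewall has already dropped. The script below is an added example, not part of the thread or of Sophos' tooling: it parses the charon-style lines that `show vpn IPSec-logs` prints, groups them per IKE_SA id, and states which authentication type and peer identity the firewall tried to match. The sample log is constructed (documentation addresses, a made-up SPI, and a second SA with a matching policy for contrast); the policy name "ios_remote_access" is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format the XG console prints (charon-style IKEv1 lines).
# Addresses are documentation ranges (client 192.0.2.x, firewall 198.51.100.1),
# the SPI is made up, and SA <16> shows what a matching policy looks like for contrast.
SAMPLE_LOG = """\
2019-07-26 11:51:41 23[NET] <15> received packet: from 192.0.2.10[500] to 198.51.100.1[500] (848 bytes)
2019-07-26 11:51:41 23[IKE] <15> received FRAGMENTATION vendor ID
2019-07-26 11:51:41 23[IKE] <15> 192.0.2.10 is initiating a Main Mode IKE_SA
2019-07-26 11:51:41 18[IKE] <15> remote host is behind NAT
2019-07-26 11:51:41 27[ENC] <15> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
2019-07-26 11:51:41 27[CFG] <15> looking for XAuthInitPSK peer configs matching 198.51.100.1...192.0.2.10[192.168.250.41]
2019-07-26 11:51:41 27[IKE] <15> no peer config found
2019-07-26 11:51:41 27[ENC] <15> generating INFORMATIONAL_V1 request 2390229987 [ HASH N(AUTH_FAILED) ]
2019-07-26 11:51:44 15[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (0000ABCD) from other side
2019-07-26 11:51:47 01[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (0000ABCD) from other side
2019-07-26 11:52:00 30[IKE] <16> 192.0.2.11 is initiating a Main Mode IKE_SA
2019-07-26 11:52:00 30[ENC] <16> parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
2019-07-26 11:52:00 30[CFG] <16> looking for XAuthInitRSA peer configs matching 198.51.100.1...192.0.2.11[C=XX, O=Example, CN=client.example.invalid]
2019-07-26 11:52:00 30[CFG] <16> selected peer config "ios_remote_access"
"""

# "<timestamp> <thread>[SUBSYSTEM] <ike-sa-id> message"; the SA id is absent on daemon alerts
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] "
                     r"(?:<(?P<sa>\d+)> )?(?P<msg>.*)$")
INITIATING_RE = re.compile(r"^(?P<peer>\S+) is initiating an? (?P<mode>Main|Aggressive) Mode IKE_SA$")
LOOKUP_RE = re.compile(r"^looking for (?P<method>\S+) peer configs matching "
                       r"(?P<local>\S+?)\.\.\.(?P<remote>[^\[]+)\[(?P<identity>.*)\]$")
SELECTED_RE = re.compile(r'^selected peer config "(?P<name>[^"]+)"$')
INVALID_SPI_RE = re.compile(r"received IKE message with invalid SPI \((?P<spi>[0-9A-Fa-f]+)\)")


def new_sa():
    # peer_config: None = lookup not reached, False = "no peer config found", str = selected name
    return {"peer": None, "mode": None, "behind_nat": False, "fragmented": False,
            "auth_method": None, "identity": None, "peer_config": None, "auth_failed": False}


def triage_ike_log(text):
    """Group the lines by IKE_SA id and pull out the facts that decide phase 1."""
    sas, invalid_spi = {}, defaultdict(int)
    for raw in text.splitlines():
        rec = LINE_RE.match(raw.strip())
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["sa"] is None:  # daemon alert without an SA id, e.g. the invalid-SPI storm
            m = INVALID_SPI_RE.search(msg)
            if m:
                invalid_spi[m["spi"].upper()] += 1
            continue
        sa = sas.setdefault(int(rec["sa"]), new_sa())
        if m := INITIATING_RE.match(msg):
            sa["peer"], sa["mode"] = m["peer"], m["mode"]
        elif msg == "remote host is behind NAT":
            sa["behind_nat"] = True
        elif "FRAG(" in msg:
            sa["fragmented"] = True
        elif m := LOOKUP_RE.match(msg):
            sa["auth_method"], sa["identity"] = m["method"], m["identity"]
        elif msg == "no peer config found":
            sa["peer_config"] = False
        elif m := SELECTED_RE.match(msg):
            sa["peer_config"] = m["name"]
        elif "N(AUTH_FAILED)" in msg:
            sa["auth_failed"] = True
    return {"ike_sas": sas, "invalid_spi": dict(invalid_spi)}


def verdict(sa):
    """One-line reading of an IKE_SA record for the person holding the console."""
    if sa["peer_config"] is False:
        return (f"AUTH_FAILED: no IPsec policy on the firewall matches authentication "
                f"{sa['auth_method']} for peer identity [{sa['identity']}]")
    if sa["auth_failed"]:
        return "AUTH_FAILED for another reason; read the lines just before it"
    if sa["peer_config"]:
        return f"peer config {sa['peer_config']!r} selected; phase 1 continues"
    return "phase 1 did not reach the policy lookup in this excerpt"


if __name__ == "__main__":
    result = triage_ike_log(SAMPLE_LOG)
    for sa_id, sa in sorted(result["ike_sas"].items()):
        nat = " (behind NAT)" if sa["behind_nat"] else ""
        print(f"IKE_SA <{sa_id}> from {sa['peer']}{nat}: {verdict(sa)}")
    for spi, n in result["invalid_spi"].items():
        print(f"{n} follow-up messages with invalid SPI {spi}: the peer kept sending for an SA the firewall no longer holds")
```

The point of splitting on the `<N>` SA id is that the firewall interleaves several attempts (the phone retries every few seconds), so reading the raw output top to bottom mixes them. Run over a real `show vpn IPSec-logs` paste, the output tells you whether the policy lookup was reached at all, which authentication type (XAuthInitPSK vs XAuthInitRSA) the firewall expected, and which identity the client presented, which is exactly what has to agree between the iOS profile and the XG remote-access policy.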

  • In reply to florianmulatz:

    Hi  

    I think you are combining 2 different VPN configurations and it may create a problem. There are 2 ways to connect VPN from iOS: using IPsec connect and using SSL VPN.

    If you want to connect IPsec VPN using a certificate, you do not need to download any configuration from the Sophos XG firewall user portal.

    In iOS, please navigate to Settings >> General >> VPN >> Add VPN configuration >> Type >> IPsec >> Tap on Back and it will show Cisco client; please configure the other parameters and try to connect.

    For IPsec VPN, please use the below given article and configure and it will connect for sure. (Use certificate instead of preshared key)

    https://community.sophos.com/kb/en-us/123137

    For certificate configuration, please follow the article - https://community.sophos.com/kb/en-us/123138#Deploying%20digital%20certificates

  • In reply to Keyur:

    Hey,

    First of all - the iPhone screenshots in the first article you gave me are horribly old. iOS has not looked this way for years! The second article does not have anything to do with a roadwarrior VPN - it is a Site-to-Site configuration to connect two branches, for example.

    It looks like you're mixing up things here. Of course I do not download the SSL VPN one but the one in the screenshot - and this configuration file is a so-called ".mobileconfig" file, which is a kind of configuration profile specifically for Apple devices (iPhone as well as Mac OS X)

    And when you open this file in an Editor you can see in the first few lines that it IS a configuration file for an IPSEC Configuration. -->
    <plist version="1.0">
    <dict>
            <key>PayloadContent</key>
            <array>
                    <dict>
                            <key>IPSec</key>
                            <dict>
                                    <key>AuthenticationMethod</key>
                                    <string>SharedSecret</string>
                                    <key>RemoteAddress</key>
                                    <string>84.112.164.56</string>
                                    <key>SharedSecret</key>

    etc …

    Thx for help
    BR Florian
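Florian's excerpt shows the profile's IPSec dictionary with `AuthenticationMethod` set to `SharedSecret`, while his earlier, certificate-based attempt produced an `XAuthInitRSA` lookup on the firewall. The following is an added example, not code from the thread or from Sophos: it reads a `.mobileconfig` with Python's `plistlib`, reports what each VPN payload will make the phone present, and names the charon lookup the firewall should then perform, so the profile and the XG policy can be compared before importing anything. The payload keys (`com.apple.vpn.managed`, `IPSec`, `AuthenticationMethod`, `SharedSecret`, `PayloadCertificateUUID`, `XAuthEnabled`, `com.apple.security.pkcs12`) are Apple's documented configuration-profile keys; the mapping to `XAuthInitPSK`/`XAuthInitRSA` is taken from the two cases in this thread's logs. The sample profile and the UUID are constructed, and the embedded secret is a dummy.

```python
import plistlib

# Constructed sample .mobileconfig, modelled on the excerpt in the thread. All values
# are placeholders: documentation IP, a dummy base64 secret ("dummy-secret"), made-up UUID.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadIdentifier</key><string>example.vpn.ipsec</string>
      <key>PayloadUUID</key><string>0F0F0F0F-0000-4000-8000-000000000001</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>UserDefinedName</key><string>Example IPsec</string>
      <key>VPNType</key><string>IPSec</string>
      <key>IPSec</key>
      <dict>
        <key>AuthenticationMethod</key><string>SharedSecret</string>
        <key>RemoteAddress</key><string>192.0.2.1</string>
        <key>SharedSecret</key><data>ZHVtbXktc2VjcmV0</data>
        <key>XAuthEnabled</key><integer>1</integer>
        <key>XAuthName</key><string>florian</string>
      </dict>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
"""

# Which "looking for ... peer configs" lookup the firewall logs for a given profile setting;
# the two entries are the cases observed in this thread (Cisco IPsec on iOS uses XAuth).
CHARON_LOOKUP = {
    ("SharedSecret", True): "XAuthInitPSK",
    ("Certificate", True): "XAuthInitRSA",
}


def inspect_profile(raw):
    """Summarise every IPsec VPN payload in a .mobileconfig and list consistency findings."""
    profile = plistlib.loads(raw)
    report = {"vpn_payloads": [], "pkcs12_payloads": 0, "findings": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.security.pkcs12":  # a bundled client certificate + key
            report["pkcs12_payloads"] += 1
            continue
        ipsec = payload.get("IPSec")
        if ptype != "com.apple.vpn.managed" or not isinstance(ipsec, dict):
            continue
        method = ipsec.get("AuthenticationMethod")
        xauth = bool(ipsec.get("XAuthEnabled"))
        report["vpn_payloads"].append({
            "name": payload.get("UserDefinedName"),
            "remote_address": ipsec.get("RemoteAddress"),
            "auth_method": method,
            "xauth": xauth,
            "embeds_shared_secret": "SharedSecret" in ipsec,
            "references_certificate": "PayloadCertificateUUID" in ipsec,
            "expected_charon_lookup": CHARON_LOOKUP.get((method, xauth)),
        })
    for e in report["vpn_payloads"]:
        if e["embeds_shared_secret"]:
            report["findings"].append(f"{e['name']}: pre-shared key is embedded in the profile; "
                                      "treat the .mobileconfig file as a secret")
        if e["auth_method"] == "Certificate" and not e["references_certificate"]:
            report["findings"].append(f"{e['name']}: certificate auth but no PayloadCertificateUUID")
        if e["auth_method"] == "Certificate" and report["pkcs12_payloads"] == 0:
            report["findings"].append(f"{e['name']}: certificate auth but no PKCS#12 payload bundled")
    return report


def as_certificate_profile(raw, cert_uuid):
    """Rewrite a PSK profile to certificate auth (the variant the thread's cert attempts use)."""
    profile = plistlib.loads(raw)
    for payload in profile["PayloadContent"]:
        ipsec = payload.get("IPSec")
        if isinstance(ipsec, dict):
            ipsec["AuthenticationMethod"] = "Certificate"
            ipsec.pop("SharedSecret", None)
            ipsec["PayloadCertificateUUID"] = cert_uuid
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for label, raw in (("psk", SAMPLE_PROFILE),
                       ("cert", as_certificate_profile(SAMPLE_PROFILE, "PLACEHOLDER-CERT-UUID"))):
        rep = inspect_profile(raw)
        for e in rep["vpn_payloads"]:
            print(f"[{label}] {e['name']} -> {e['remote_address']}: {e['auth_method']}, "
                  f"firewall should log '{e['expected_charon_lookup']}'")
        for f in rep["findings"]:
            print(f"[{label}] finding: {f}")
```

Read together with the firewall log, the `expected_charon_lookup` value is the cross-check: a profile that says `SharedSecret` must meet an XG policy that authenticates by preshared key, and one that says `Certificate` must meet a certificate policy whose allowed remote ID matches the subject in the bundled PKCS#12, otherwise the firewall answers with exactly the "no peer config found" seen above. The embedded-secret finding is worth keeping even when everything works: the downloaded profile carries the PSK in clear, so it should be distributed and stored with the same care as the key itself.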

  • In reply to florianmulatz:

    Hi,

    Another data point here. I have had a Cisco IPSec connection utilizing a pre-shared key working for some time now. Recently tried to switch this connection to a certificate-based connection in order to set up a VPN on demand profile with Apple Configurator 2. I changed the necessary settings within Sophos XG, navigated to the user portal, and downloaded the provided .mobileconfig file. I immediately opened this file with Apple Configurator 2 and was greeted with an error. The specific error relates to the .p12 included with the .mobileconfig profile. Not a single password seems to work – not the password requested & entered when downloading the .mobileconfig or the password included in password.txt when downloading the certificate manually. Removing the .p12 and replacing it with the manually downloaded version solves the password problem, but I still cannot connect.

    Has anyone had luck using the .mobileconfig with a certificate-based IPSec VPN from an iOS device? Any guidance is greatly appreciated! 

    C

  • In reply to c h:

    Hi  

    I am sorry for the inconvenience caused, please allow me sometime to replicate the issue at our end, we will get back to you with further details.

  • In reply to Keyur:

    Thank you for taking a look at this, Keyur. We look forward to hearing what you uncover.