iOS VPN Sophos XG

Hi folks,

I don't know exactly since when, to be honest, but yesterday I recognized that my iOS On Demand VPN stopped working. I tried to reconfigure it now with certificate authentication (because I had wanted to do this for a long time), but still no success.

What I've done: configured Sophos Connect as always. Then I downloaded the mobileconfig for iOS via the User Portal and imported it successfully to my iPhone. So here the fun stops :-O

The phone tries to connect and gives me an error that the communication with the VPN server fails. That's the corresponding log on the Sophos XG console (I just obfuscated my IPs and certificate details):

2019-07-24 06:56:14 27[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (848 bytes)
2019-07-24 06:56:14 27[ENC] <2> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
2019-07-24 06:56:14 27[IKE] <2> received NAT-T (RFC 3947) vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
2019-07-24 06:56:14 27[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2019-07-24 06:56:14 27[IKE] <2> received XAuth vendor ID
2019-07-24 06:56:14 27[IKE] <2> received Cisco Unity vendor ID
2019-07-24 06:56:14 27[IKE] <2> received FRAGMENTATION vendor ID
2019-07-24 06:56:14 27[IKE] <2> received DPD vendor ID
2019-07-24 06:56:14 27[IKE] <2> --this-is-my-mobile-ip-- is initiating a Main Mode IKE_SA
2019-07-24 06:56:14 27[ENC] <2> generating ID_PROT response 0 [ SA V V V V V ]
2019-07-24 06:56:14 27[NET] <2> sending packet: from --this-is-my-official-ip--[500] to --this-is-my-mobile-ip--[500] (180 bytes)
2019-07-24 06:56:14 30[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (380 bytes)
2019-07-24 06:56:14 30[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2019-07-24 06:56:14 30[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2019-07-24 06:56:14 30[NET] <2> sending packet: from --this-is-my-official-ip--[500] to --this-is-my-mobile-ip--[500] (396 bytes)
2019-07-24 06:56:14 28[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (1280 bytes)
2019-07-24 06:56:14 28[ENC] <2> parsed ID_PROT request 0 [ FRAG(1) ]
2019-07-24 06:56:14 28[ENC] <2> received fragment #1, waiting for complete IKE message
2019-07-24 06:56:14 07[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (500 bytes)
2019-07-24 06:56:14 07[ENC] <2> parsed ID_PROT request 0 [ FRAG(2/2) ]
2019-07-24 06:56:14 07[ENC] <2> received fragment #2, reassembling fragmented IKE message
2019-07-24 06:56:14 07[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (1708 bytes)
2019-07-24 06:56:14 07[ENC] <2> parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
2019-07-24 06:56:14 07[IKE] <2> ignoring certificate request without data
2019-07-24 06:56:14 07[IKE] <2> received end entity cert "C=AT, ST=NA, L=NA, O=PRIVATE, OU=OU, CN=remote.example.com, E=void@example.com"
2019-07-24 06:56:14 07[CFG] <2> looking for XAuthInitRSA peer configs matching --this-is-my-official-ip--...--this-is-my-mobile-ip--[C=AT, ST=NA, L=NA, O=PRIVATE, OU=OU, CN=remote.example.com, E=void@example.com]
2019-07-24 06:56:14 07[IKE] <2> no peer config found
2019-07-24 06:56:14 07[ENC] <2> generating INFORMATIONAL_V1 request 274853226 [ HASH N(AUTH_FAILED) ]
2019-07-24 06:56:14 07[NET] <2> sending packet: from --this-is-my-official-ip--[500] to --this-is-my-mobile-ip--[500] (108 bytes)
2019-07-24 06:56:17 12[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:17 14[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:21 16[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:21 15[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:24 19[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:24 17[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:37 08[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
2019-07-24 06:56:37 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
Do you have any idea why it stopped working? I'm actually on the latest SFOS 17.5.7 MR-7 version. I also tried to go back to SFOS 17.5.5 MR-5, but still the same issue.

Thx for any advice!

BR
Florian
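As an added example (not part of Florian's post, and not Sophos or strongSwan code): a small Python parser that reads charon-style IKEv1 console lines like the ones above and reports the stage at which the Main Mode exchange stopped. The embedded sample log is a condensed, constructed copy of the post's own lines with the same placeholders; the "selected peer config" success message is assumed from strongSwan's charon and does not occur in this log.

```python
"""Summarise a charon-style IKEv1 log as shown on a Sophos XG console.

Added example, not code from the forum post or from Sophos/strongSwan.
It walks the log and names the stage where the exchange stopped, so that
"no peer config found" after the client's certificate is not mistaken for
a transport or firmware problem.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a condensed copy of the post's log with its placeholders.
SAMPLE_LOG = """\
2019-07-24 06:56:14 27[NET] <2> received packet: from --this-is-my-mobile-ip--[500] to --this-is-my-official-ip--[500] (848 bytes)
2019-07-24 06:56:14 27[IKE] <2> received NAT-T (RFC 3947) vendor ID
2019-07-24 06:56:14 27[IKE] <2> received XAuth vendor ID
2019-07-24 06:56:14 27[IKE] <2> received FRAGMENTATION vendor ID
2019-07-24 06:56:14 27[IKE] <2> --this-is-my-mobile-ip-- is initiating a Main Mode IKE_SA
2019-07-24 06:56:14 07[ENC] <2> parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
2019-07-24 06:56:14 07[IKE] <2> ignoring certificate request without data
2019-07-24 06:56:14 07[IKE] <2> received end entity cert "C=AT, ST=NA, L=NA, O=PRIVATE, OU=OU, CN=remote.example.com, E=void@example.com"
2019-07-24 06:56:14 07[CFG] <2> looking for XAuthInitRSA peer configs matching --this-is-my-official-ip--...--this-is-my-mobile-ip--[C=AT, ST=NA, L=NA, O=PRIVATE, OU=OU, CN=remote.example.com, E=void@example.com]
2019-07-24 06:56:14 07[IKE] <2> no peer config found
2019-07-24 06:56:14 07[ENC] <2> generating INFORMATIONAL_V1 request 274853226 [ HASH N(AUTH_FAILED) ]
2019-07-24 06:56:17 12[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4F2A0240) from other side
"""

# timestamp, worker thread, subsystem, optional IKE_SA number, message text
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] "
    r"(?:<(?P<sa>\d+)> )?(?P<msg>.*)$"
)


@dataclass
class IkeSummary:
    initiator: str | None = None
    vendor_ids: list[str] = field(default_factory=list)
    auth_method: str | None = None        # e.g. XAuthInitRSA
    peer_identity: str | None = None      # subject DN of the end-entity cert
    peer_config_found: bool | None = None # None = lookup result not seen
    notifies_sent: list[str] = field(default_factory=list)
    invalid_spi_alerts: int = 0


def parse_line(line: str) -> dict | None:
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text: str) -> IkeSummary:
    """Extract the facts that decide where Phase 1 stopped."""
    s = IkeSummary()
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if not rec:
            continue
        msg = rec["msg"]
        if m := re.match(r"received (.+) vendor ID$", msg):
            s.vendor_ids.append(m.group(1))
        elif m := re.match(r"(\S+) is initiating a Main Mode IKE_SA", msg):
            s.initiator = m.group(1)
        elif m := re.match(r'received end entity cert "(.+)"$', msg):
            s.peer_identity = m.group(1)
        elif m := re.match(r"looking for (\S+) peer configs matching", msg):
            s.auth_method = m.group(1)
        elif msg == "no peer config found":
            s.peer_config_found = False
        elif msg.startswith("selected peer config"):  # assumed charon success text
            s.peer_config_found = True
        elif m := re.search(r"generating INFORMATIONAL_V1 request \d+ \[ (.+) \]", msg):
            s.notifies_sent.extend(re.findall(r"N\(([A-Z_]+)\)", m.group(1)))
        elif "invalid SPI" in msg:
            # follow-up packets for an SA the firewall already discarded
            s.invalid_spi_alerts += 1
    return s


def diagnose(s: IkeSummary) -> str:
    """Name the stage at which the exchange stopped, using only what the log says."""
    if s.initiator is None:
        return "no Main Mode IKE_SA was initiated in this log"
    if s.peer_config_found is False:
        return (f"authentication stage: no {s.auth_method} peer config matched "
                f"identity '{s.peer_identity}'; firewall replied with "
                f"{', '.join(s.notifies_sent) or 'no notify'}")
    if s.peer_config_found is True:
        return "authentication stage passed: a peer config was selected"
    if s.peer_identity is None:
        return "exchange stopped before the client's certificate arrived"
    return "peer config lookup started but its result is not in the log"


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(diagnose(summary))
    print(f"{summary.invalid_spi_alerts} invalid-SPI alert(s) after the failure")
```

Run against the post's log, the summary shows the transport and crypto exchange completing (fragments reassembled, certificate received) and the firewall itself answering AUTH_FAILED because no XAuthInitRSA connection matched the presented identity; the later invalid-SPI alerts are consequences of that, not a separate fault.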