This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Mac OSX update 10.11.4 breaks the Cisco IPSec Client

Apple recently released OSX 10.11.4 which updated their IPSec built-in VPN to be compatible and support the Cisco AnyConnect client. However, it also apparently has broken the ability to connect a Mac OSX 10.11.4 client using the Apple built-in Cisco IPSec client to Sophos XG. We have not been able to find any setup configuration that works now as neither the Shared Secret config or a Cert/DSN config seems to work. I have read others are using the "L2TP over IPSec" on the Mac to connect to Sophos XG. Any recommendations?

This thread was automatically locked due to age.

0 sachingurung over 8 years ago

Hi Gary,

Greetings.

Please provide me logs when you try to connect to Sophos XG to investigate this further.

Thanks

Sachin Gurung

Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 GaryChancellor over 8 years ago in reply to sachingurung

Do you want logs from XG or from my client? FYI I have a case opened #5832816 and have provided several logs. What I may have found is that Apple has updated the DH to group 14 and does not connect with the other earlier DH group levels. There is no place to set the DH level in XG.
Cancel
Vote Up 0 Vote Down

Cancel
0 GaryChancellor over 8 years ago in reply to GaryChancellor

One other thing, I have also filed a bug with Apple but I have not heard back on that yet.
Cancel
Vote Up 0 Vote Down

Cancel
0 KennethHolmqvist over 8 years ago

You should try install the iOS IPSec profile from the captive portal.. That works for me.

Sophos UTM 9.3 Certified Engineer
Sophos UTM 9.3 Certified Architect
Sophos XG v.15 Certified Engineer
Sophos XG v.17 Certified Engineer
Sophos XG v.17 Certified Architect
Cancel
Vote Up 0 Vote Down

Cancel
0 GaryChancellor over 8 years ago in reply to KennethHolmqvist

Thanks for the suggestion. I will see if that works. Apple has confirmed my report as a duplicate bug. No info on when if ever it will get fixed. In talking with Apple support, they acknowledge they changed their IPSec, but little info on how to fix or work around it.
Cancel
Vote Up 0 Vote Down

Cancel
0 GaryChancellor over 8 years ago

For those that may be interested, here is the Apple note on the changes to IPSec in Mac OSX/iOS

https://support.apple.com/en-us/HT206154

From reading this and other user posts, Apple (at Cisco request?) has dropped support for DH group 2 Aggressive mode and XG is not responding with DH group 5 or 14 and no options to set it to accept the newer standards.

Regards,

Gary
Cancel
Vote Up 0 Vote Down

Cancel