
iOS -> L2TP

Hello,

Since I switched my Vodafone line to 1GB Business with a static IP, this no longer works. I have been at it for weeks now but cannot find a solution. Maybe someone can help:

1) Static IP on an external interface

2) Policy for L2TP IPsec adjusted

3) The L2TP settings on the UTM are actually self-explanatory.

4) The log looks as follows:

2021:07:30-12:52:58 gateway pluto[16731]: packet from 109.42.113.215:49163: received Vendor ID payload [RFC 3947]
2021:07:30-12:52:58 gateway pluto[16731]: packet from 109.42.113.215:49163: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
2021:07:30-12:52:58 gateway pluto[16731]: packet from 109.42.113.215:49163: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
2021:07:30-12:52:58 gateway pluto[16731]: packet from 109.42.113.215:49163: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
2021:07:30-12:52:58 gateway pluto[16731]: packet from 109.42.113.215:49163: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
2021:07:30-12:52:58 gateway pluto[16731]: packet from 109.42.113.215:49163: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
2021:07:30-12:52:58 gateway pluto[16731]: packet from 109.42.113.215:49163: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
2021:07:30-12:52:58 gateway pluto[16731]: packet from 109.42.113.215:49163: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2021:07:30-12:52:58 gateway pluto[16731]: packet from 109.42.113.215:49163: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2021:07:30-12:52:58 gateway pluto[16731]: packet from 109.42.113.215:49163: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2021:07:30-12:52:58 gateway pluto[16731]: packet from 109.42.113.215:49163: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2021:07:30-12:52:58 gateway pluto[16731]: packet from 109.42.113.215:49163: received Vendor ID payload [Dead Peer Detection]
2021:07:30-12:52:58 gateway pluto[16731]: "L_for @.de"[6] 109.42.113.215:49163 #376: responding to Main Mode from unknown peer 109.42.113.215:49163
2021:07:30-12:52:58 gateway pluto[16731]: "L_for@.de"[6] 109.42.113.215:49163 #376: NAT-Traversal: Result using RFC 3947: peer is NATed
2021:07:30-12:52:58 gateway pluto[16731]: | NAT-T: new mapping 109.42.113.215:49163/55370)
2021:07:30-12:52:58 gateway pluto[16731]: "L_for@.de"[6] 109.42.113.215:55370 #376: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2021:07:30-12:52:58 gateway pluto[16731]: "L_for@.de"[6] 109.42.113.215:55370 #376: Peer ID is ID_IPV4_ADDR: '100.69.193.7'
2021:07:30-12:52:58 gateway pluto[16731]: "L_for@.de"[7] 109.42.113.215:55370 #376: deleting connection "L_for .....  [6] instance with peer 109.42.113.215 {isakmp=#0/ipsec=#0}
2021:07:30-12:52:58 gateway pluto[16731]: "L_for@.de"[7] 109.42.113.215:55370 #376: sent MR3, ISAKMP SA established
2021:07:30-12:53:01 gateway pluto[16731]: "L_for@.de"[7] 109.42.113.215:55370 #376: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2021:07:30-12:53:04 gateway pluto[16731]: "L_for@.de"[7] 109.42.113.215:55370 #376: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2021:07:30-12:53:07 gateway pluto[16731]: "L_for@.de"[7] 109.42.113.215:55370 #376: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3

Note:

NAT Traversal (NAT-T) is of course active. I don't understand it.
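
Added example, not part of the original post and not Sophos code: a small Python triage of pluto log lines in the format posted above. It groups lines by IKE state number (the #376 field) and flags states where the gateway logged "sent MR3, ISAKMP SA established" and then kept receiving duplicate packets. The sample lines, the address 203.0.113.7, the connection name and the verdict labels are constructed for illustration.

```python
import re

# Constructed sample in the pluto log format of the post above; the address,
# connection name and the second state (#377) are made up for the example.
SAMPLE = '''\
2021:07:30-12:52:58 gateway pluto[16731]: "L_for_demo"[6] 203.0.113.7:49163 #376: responding to Main Mode from unknown peer 203.0.113.7:49163
2021:07:30-12:52:58 gateway pluto[16731]: "L_for_demo"[6] 203.0.113.7:49163 #376: NAT-Traversal: Result using RFC 3947: peer is NATed
2021:07:30-12:52:58 gateway pluto[16731]: "L_for_demo"[7] 203.0.113.7:55370 #376: sent MR3, ISAKMP SA established
2021:07:30-12:53:01 gateway pluto[16731]: "L_for_demo"[7] 203.0.113.7:55370 #376: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2021:07:30-12:53:04 gateway pluto[16731]: "L_for_demo"[7] 203.0.113.7:55370 #376: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2021:07:30-12:53:07 gateway pluto[16731]: "L_for_demo"[7] 203.0.113.7:55370 #376: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
2021:07:30-12:55:10 gateway pluto[16731]: "L_for_demo"[8] 203.0.113.7:55401 #377: sent MR3, ISAKMP SA established
'''

LINE = re.compile(
    r'pluto\[\d+\]: "[^"]*"\[\d+\] (?P<ip>[\d.]+):(?P<port>\d+) #(?P<sa>\d+): (?P<msg>.*)$')

def triage(log_text):
    """Return {state number: summary} for every IKE state in a pluto log."""
    states = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # vendor-ID and "|" debug lines carry no state number
        s = states.setdefault(int(m["sa"]), {
            "peer": m["ip"], "ports": [], "natted": False,
            "established": False, "duplicates": 0, "exhausted": False})
        if int(m["port"]) not in s["ports"]:
            s["ports"].append(int(m["port"]))  # port changes on the NAT-T remap
        msg = m["msg"]
        s["natted"] |= "peer is NATed" in msg
        s["established"] |= "ISAKMP SA established" in msg
        if "duplicate packet" in msg and s["established"]:
            # The peer re-sent its last Main Mode packet after the gateway's MR3.
            s["duplicates"] += 1
            s["exhausted"] |= "exhausted retransmission" in msg
    for s in states.values():
        if not s["established"]:
            s["verdict"] = "phase1_incomplete"
        elif s["duplicates"]:
            s["verdict"] = "stalled_at_MAIN_R3"
        else:
            s["verdict"] = "phase1_ok"
    return states

if __name__ == "__main__":
    for sa, summary in triage(SAMPLE).items():
        print(f"#{sa}", summary)
```
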



  • Hello,

    (Sorry, my German-speaking brain isn't creating thoughts at the moment.)

    Your IPsec Policy looks good for newer iOS.

    It seems strange that the client would establish a new ISAKMP SA after already being in Main mode. Is this happening with more than one iOS device?

    Did Amodin's suggestion to re-do the PSK help?

    Best regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA