
Unable to connect through L2TP/IPSec via macOS and iOS

Hi, everyone.

I'm having a bit of an issue... I cannot connect to my company's VPN with my iOS devices and macOS system. We use L2TP/IPSec. 

I told Apple, and received this response:

Hello. We have upgraded the proposed ciphers in L2TP IPsec VPN to also propose SHA-256 for the Child SA in IPsec. The issue seems to be that the server is accepting SHA-256 cipher for the child but maybe dropping the ESP encrypted packets with SHA-256 HMAC. This may be because the server is performing a SHA-256 HMAC with 96 bits output instead of the standard expected 128 bits. Switching the SHA-256 HMAC output from 96 to 128 bits on the server should fix this issue. Thanks, --Dan

How do I go about changing this in UTM 9? I am the systems administrator, but I have never had to deal with this before.

I appreciate your assistance.

Ted
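To make the failure mode in the Apple reply concrete, here is an added example (not from the thread or from Sophos) that models the ESP integrity check with HMAC-SHA-256 truncated to 96 bits versus the 128-bit truncation RFC 4868 specifies for ESP: a packet authenticated with one ICV length never verifies on a peer expecting the other, so it is dropped silently. The key and packet bytes are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample ESP body: SPI + sequence number + encrypted payload (not real traffic).
ESP_BODY = bytes.fromhex("0000abcd00000001") + b"\x11" * 40
AUTH_KEY = b"\x5a" * 32  # constructed 256-bit integrity key


def esp_icv(auth_key: bytes, data: bytes, icv_bits: int) -> bytes:
    """HMAC-SHA-256 over SPI + sequence + payload, truncated to icv_bits.
    RFC 4868 fixes the ESP ICV at 128 bits (HMAC-SHA-256-128); the older
    96-bit truncation is what a "SHA2 256 (96 bit)" policy setting produces."""
    return hmac.new(auth_key, data, hashlib.sha256).digest()[: icv_bits // 8]


def build_esp_packet(auth_key: bytes, body: bytes, icv_bits: int) -> bytes:
    """Sender side: append the ICV to the ESP body."""
    return body + esp_icv(auth_key, body, icv_bits)


def verify_esp_packet(auth_key: bytes, packet: bytes, expected_icv_bits: int) -> bool:
    """Receiver side: split off the last expected_icv_bits/8 bytes as the ICV and
    recompute. If the sender used a different truncation, the split lands in the
    wrong place, the comparison fails and the packet is dropped without any reply."""
    icv_len = expected_icv_bits // 8
    if len(packet) <= icv_len:
        return False
    body, icv = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(icv, esp_icv(auth_key, body, expected_icv_bits))


def demo() -> dict:
    """Both directions of the mismatch described in the thread, plus the matched cases."""
    pkt_96 = build_esp_packet(AUTH_KEY, ESP_BODY, 96)    # server configured for 96-bit ICV
    pkt_128 = build_esp_packet(AUTH_KEY, ESP_BODY, 128)  # Apple client using 128-bit ICV
    return {
        "client(128) -> server(96)": verify_esp_packet(AUTH_KEY, pkt_128, 96),   # dropped
        "server(96) -> client(128)": verify_esp_packet(AUTH_KEY, pkt_96, 128),   # dropped
        "both 128": verify_esp_packet(AUTH_KEY, pkt_128, 128),                  # accepted
        "both 96": verify_esp_packet(AUTH_KEY, pkt_96, 96),                     # accepted
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'dropped'}")
```

The two "dropped" cases are why the IKE negotiation succeeds while data packets never get through: the ICV length is not negotiated separately, so both ends must agree on the 128-bit output.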



  • Hello Ted,

    Thank you for contacting the Sophos Community!

    What is the output of the L2TP log, and do you have any log on the client?

    You can try by following these steps:

    1. Login to the UTM's webadmin
    2. Navigate to Remote Access > IPsec > Policies
    3. Edit the L2TP-over-IPsec policy
    4. Go down to IPsec authentication algorithm and change it from SHA2 256 (96 bit) to SHA2 256
    5. Click Save


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Update 2021-05-26: I'm not sure where to find it, but I believe someone solved the issue of creating an L2TP-over-IPsec Policy that works for iOS and Windows.

    Ted, note that there is only one L2TP-over-IPsec Policy, so other non-Apple devices will no longer be able to connect after you make the change suggested by Emmanuel. You might want to consider using the OpenVPN apps for iOS to let Apple devices connect via the SSL VPN.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you for the warning, Bob. I was about to make the change and will do what you suggested.