After upgrading iOS from 13.XX to 14.XX, the L2TP over IPSec connection stops working.
Hi siggi_r,
Thank you for reaching out to the Community!
Are you getting any error message when you try to connect to L2TP? Could you please provide the logs?
Check out the following KBA on how to get VPN logs: How to get VPN Logs using the Sophos Firewall (SF) CLI Console.
Thanks,
Hello Siggi,
Start with #1 in Rulz (last updated 2019-04-17), and after trying that, watch the IPsec Live Log. Any luck?
Cheers - Bob
Hi,
I've heard rumours on the Apple forums that the problem is related to the authentication settings now required by IOS 14 - can someone confirm this?
Suggested answer from the forums...
change the IPsec Policy in "Remote Access -> IPsec -> L2TP-over-IPsec (Policy used for L2TP-over-IPsec)"
-> IPsec encryption algorithm: 3DES
-> IPsec authentication algorithm: SHA2 256
I've tried this on our UTM - seems to work.
I obtained this from Apple regarding this problem
https://support.apple.com/en-us/HT211840
They want me to "truncate the output of the SHA-256 hash to 128 bits" (instead of truncating to less than 128 bits).
First I had no idea what that is referring to and where I could configure (or even check) such a setting.
Now, with the right search terms, I found this: https://support.sophos.com/support/s/article/KB-000036559?language=en_US Following the instructions there makes the settings RFC-compliant, at the cost of perhaps no longer admitting some Android VPN clients.
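The truncation mismatch behind the Apple note, as an added illustration that is not from this thread, from Sophos or from Apple: the same HMAC-SHA-256 integrity check value is computed once with RFC 4868's 128-bit truncation and once with the older 96-bit truncation, and a peer expecting the other length rejects it. The key and payload are constructed sample values, and `trunc_bits` is a hypothetical parameter standing in for the firewall's policy setting.

```python
import hmac
import hashlib

# Constructed sample key and packet bytes; not captured traffic.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                    "101112131415161718191a1b1c1d1e1f")
PAYLOAD = b"constructed ESP header and payload bytes for illustration"

# RFC 4868 defines HMAC-SHA-256-128: the 256-bit MAC is truncated to 128 bits.
# Older implementations truncated to 96 bits, which iOS 14 no longer accepts.
RFC4868_BITS = 128
LEGACY_BITS = 96


def icv(key: bytes, data: bytes, trunc_bits: int) -> bytes:
    """HMAC-SHA-256 integrity check value truncated to trunc_bits."""
    if trunc_bits % 8 or not 0 < trunc_bits <= 256:
        raise ValueError("truncation must be a whole number of bytes, at most 256 bits")
    return hmac.new(key, data, hashlib.sha256).digest()[: trunc_bits // 8]


def verify(key: bytes, data: bytes, received: bytes, trunc_bits: int) -> bool:
    """Receiver-side check: recompute with its own truncation and compare."""
    expected = icv(key, data, trunc_bits)
    # A length mismatch is already a failure; compare_digest avoids timing leaks.
    return len(received) == len(expected) and hmac.compare_digest(expected, received)


def interop(sender_bits: int, receiver_bits: int) -> bool:
    """True only when both peers truncate the ICV to the same length."""
    tag = icv(KEY, PAYLOAD, sender_bits)
    return verify(KEY, PAYLOAD, tag, receiver_bits)


if __name__ == "__main__":
    for s, r in [(RFC4868_BITS, RFC4868_BITS), (LEGACY_BITS, RFC4868_BITS),
                 (RFC4868_BITS, LEGACY_BITS), (LEGACY_BITS, LEGACY_BITS)]:
        print(f"sender {s}-bit, receiver {r}-bit: {'ok' if interop(s, r) else 'rejected'}")
```

The two "rejected" rows are the shape of the failure on the page: the firewall's policy and the iOS 14 client disagree on the truncation length, so every packet fails its integrity check even though the key and hash are correct.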
As I mentioned more recently in another thread, changing the "L2TP over IPsec" Policy will make L2TP work for Apple devices, but will "break" compatibility with other devices. You may want to consider using the SSL VPN capability for Apple devices along with the OpenVPN client app.
Cheers - Bob
I've got the same problem and could fix it with the policy changes you mentioned above.
Unfortunately, when I try to connect, I can only get a successful authentication when I use the first user in the "L2TP over IPSec" list (which is sorted alphabetically). So, when I try to connect using e.g. 'UserB', the authentication fails, because it is trying to authenticate 'UserA', which is the first one in the list. This can also be traced in the IPSec log files.
Additionally, when I click on the 'i' symbol at the 'L2TP-over-IPSec' policy, I can see that there is a distinct use for that policy for the first user in the list. No matter what I tried, I couldn't change that behavior.
Is there a solution for that problem?
Regards