Unable to connect IOS devices

eszokolay
Posts: 2
Joined: Sun Jan 24, 2016 9:10 pm

Unable to connect IOS devices

Post by eszokolay » Sun Jan 24, 2016 9:18 pm

I have everything working fine for PCs and Macs, but iOS devices can't connect. They never get a response from the server according to the error. Are there any specific firewall rules I need? Any help would be appreciated.

eastavin
Posts: 42
Joined: Tue Jan 19, 2016 7:13 pm

Re: Unable to connect IOS devices

Post by eastavin » Tue Jan 26, 2016 10:25 pm

eszokolay wrote:
> iOS devices can't connect. They never get a response from the server according to the error.

My suggestion is to learn to use the server log file to verify if any communication is happening.

I borrowed an iPad from a friend and tried this for you. If you choose IPSEC in the VPN setup you can't connect according to the error message... yet the log file on my server shows that a communication took place without connecting. Reminds me of Microsoft Windows error messages that obfuscate what really happened. This is a good sign as it shows you made it through the internet and the firewall:
2016-01-26 16:52:14.728 IPsec Client 3 (192.168.1.116:500 -> 192.168.1.100:500): A new IPsec client is created.
2016-01-26 16:52:14.728 IPsec Client 3 (192.168.1.116:500 -> 192.168.1.100:500): There are no acceptable transform proposals from the client for establishing an IKE SA.
2016-01-26 16:52:25.009 IPsec Client 3 (192.168.1.116:500 -> 192.168.1.100:500): This IPsec Client is deleted.

Now when I choose L2TP instead and put in the same username parameters I successfully log in (username, password and IPsec preshared key).

17:00:25.109 IPsec Client 6 (192.168.1.126:500 -> 192.168.1.103:500): A new IPsec client is created.
2016-01-26 17:00:25.140 IPsec IKE Session (IKE SA) 3 (Client: 6) (192.168.1.126:500 -> 192.168.1.103:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xxxx, Responder Cookie: xxxx, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2016-01-26 17:00:25.328 IPsec Client 6 (192.168.1.126:4500 -> 192.168.1.103:4500): The port number information of this client is updated.
2016-01-26 17:00:25.328 IPsec Client 6 (192.168.1.126:4500 -> 192.168.1.103:4500):
2016-01-26 17:00:25.328 IPsec IKE Session (IKE SA) 3 (Client: 6) (192.168.1.126:4500 -> 192.168.1.103:4500): This IKE SA is established between the server and the client.
2016-01-26 17:00:26.203 IPsec IKE Session (IKE SA) 3 (Client: 6) (192.168.1.126:4500 -> 192.168.1.103:4500): The client initiates a QuickMode negotiation.
2016-01-26 17:00:26.203 IPsec ESP Session (IPsec SA) 4 (Client: 6) (192.168.1.126:4500 -> 192.168.1.103:4500): A new IPsec SA (Direction: Client -> Server) is created. SPI: 0xBB891AF1, DH Group: (null), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2016-01-26 17:00:26.203 IPsec ESP Session (IPsec SA) 4 (Client: 6) (192.168.1.126:4500 -> 192.168.1.103:4500): A new IPsec SA (Direction: Server -> Client) is created. SPI: 0x3135378, DH Group: (null), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2016-01-26 17:00:26.218 IPsec ESP Session (IPsec SA) 4 (Client: 6) (192.168.1.126:4500 -> 192.168.1.103:4500): This IPsec SA is established between the server and the client.
2016-01-26 17:00:26.218 IPsec Client 6 (192.168.1.126:4500 -> 192.168.1.103:4500): The L2TP Server Module is started.
2016-01-26 17:00:26.312 L2TP PPP Session [192.168.1.126:1701]: A new PPP session (Upper protocol: L2TP) is started. IP Address of PPP Client: 192.168.1.126 (Hostname: "xxxxx-iPad"), Port Number of PPP Client: 1701, IP Address of PPP Server: 192.168.1.103, Port Number of PPP Server: 1701, Client Software Name: "L2TP VPN Client", IPv4 TCP MSS (Max Segment Size): 1314 bytes
2016-01-26 17:00:26.531 On the TCP Listener (Port 0), a Client (IP address 192.168.1.126, Host name "192.168.1.126", Port number 1701) has connected.
2016-01-26 17:00:26.531 For the client (IP address: 192.168.1.126, host name: "192.168.1.126", port number: 1701), connection "CID-34-D7BE11798A" has been created.
2016-01-26 17:00:26.531 SSL communication for connection "CID-xxxxx" has been started. The encryption algorithm name is "(null)".
2016-01-26 17:00:26.609 [HUB "xxxx"] The connection "CID-xxxxxxx" (IP address: 192.168.1.126, Host name: 192.168.1.126, Port number: 1701, Client name: "L2TP VPN Client", Version: 4.19, Build: 9599) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "xxxxxx".
2016-01-26 17:00:26.609 [HUB "xxx"] Connection "CID-xxxxxxx": Successfully authenticated as user "xxxxxxxxx".
2016-01-26 17:00:26.624 [HUB "VPN"] Connection "CID-xxx": The new session "SID-xxxxx-[L2TP]-10" has been created. (IP address: 192.168.1.126, Port number: 1701, Physical underlying protocol: "Legacy VPN - L2TP")
2016-01-26 17:00:26.640 [HUB "xxxx"] Session "SID-xx[L2TP]-10": The parameter has been set. Max number of TCP connections: 1, Use of encryption: Yes, Use of compression: No, Use of Half duplex communication: No, Timeout: 30 seconds.
2016-01-26 17:00:26.640 [HUB "xxxx"] Session "SID-xxxxx-[L2TP]-10": VPN Client details: (Client product name: "L2TP VPN Client", Client version: 419, Client build number: 9599, Server product name: "SoftEther VPN Server (32 bit)", Server version: 419, Server build number: 9599, Client OS name: "L2TP VPN Client", Client OS version: "-", Client product ID: "-", Client host name: "xx-iPad", Client IP address: "192.168.1.126", Client port number: 1701, Server host name: "192.168.1.103", Server IP address: "192.168.1.103", Server port number: 1701, Proxy host name: "", Proxy IP address: "0.0.0.0", Proxy port number: 0, Virtual Hub name: "VPN", Client unique ID: "xxx")
2016-01-26 17:00:26.687 L2TP PPP Session [192.168.1.126:1701]: Trying to request an IP address from the DHCP server.
2016-01-26 17:00:29.234 [HUB "x"] Session "SID-LOCALBRIDGE-1": The DHCP server of host "xxxxx" (192.168.1.1) on this session allocated, for host "SID-x-[L2TP]-10" on another session "xx", the new IP address 192.168.1.134.
2016-01-26 17:00:29.234 L2TP PPP Session [192.168.1.126:1701]: An IP address is assigned. IP Address of Client: 192.168.1.134, Subnet Mask: 255.255.255.0, Default Gateway: 192.168.1.1, Domain Name: "x", DNS Server 1: 192.168.1.1, DNS Server 2: 0.0.0.0, WINS Server 1: 0.0.0.0, WINS Server 2: 0.0.0.0, IP Address of DHCP Server: 192.168.1.1, Lease Lifetime: 86400 seconds
2016-01-26 17:00:29.234 L2TP PPP Session [192.168.1.126:1701]: The IP address and other network information parameters are set successfully. IP Address of Client: 192.168.1.134, Subnet Mask: 255.255.255.0, Default Gateway: 192.168.1.1, DNS Server 1: 192.168.1.1, DNS Server 2: 0.0.0.0, WINS Server 1: 0.0.0.0, WINS Server 2: 0.0.0.0

So it worked very well. Hope this helps you. Be careful with your passwords and preshared keys.

Now if you want - I understand there is an OpenVPN module in the Apple store if you want to connect on UDP 1194. The server can provide you a sample config for the client for this port only. If you try it, let us know how it went.
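The log-reading approach from the post above, as an added example (not part of the thread and not SoftEther code): a short Python script that reports, for each IPsec client, the furthest negotiation stage the server logged and any rejection reason. The sample lines are abridged from the log quoted above, client 9 is constructed, and the function and stage names are assumptions.

```python
import re

# Sample lines abridged from the server log quoted in the post above; client 9
# is constructed to show a negotiation that stalls after the IKE SA is created.
SAMPLE_LOG = """\
2016-01-26 16:52:14.728 IPsec Client 3 (192.168.1.116:500 -> 192.168.1.100:500): A new IPsec client is created.
2016-01-26 16:52:14.728 IPsec Client 3 (192.168.1.116:500 -> 192.168.1.100:500): There are no acceptable transform proposals from the client for establishing an IKE SA.
2016-01-26 17:00:25.109 IPsec Client 6 (192.168.1.126:500 -> 192.168.1.103:500): A new IPsec client is created.
2016-01-26 17:00:25.140 IPsec IKE Session (IKE SA) 3 (Client: 6) (192.168.1.126:500 -> 192.168.1.103:500): A new IKE SA (Main Mode) is created. DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits
2016-01-26 17:00:25.328 IPsec IKE Session (IKE SA) 3 (Client: 6) (192.168.1.126:4500 -> 192.168.1.103:4500): This IKE SA is established between the server and the client.
2016-01-26 17:00:26.218 IPsec ESP Session (IPsec SA) 4 (Client: 6) (192.168.1.126:4500 -> 192.168.1.103:4500): This IPsec SA is established between the server and the client.
2016-01-26 17:00:26.218 IPsec Client 6 (192.168.1.126:4500 -> 192.168.1.103:4500): The L2TP Server Module is started.
2016-01-26 17:05:01.000 IPsec Client 9 (192.168.1.140:500 -> 192.168.1.103:500): A new IPsec client is created.
2016-01-26 17:05:01.030 IPsec IKE Session (IKE SA) 5 (Client: 9) (192.168.1.140:500 -> 192.168.1.103:500): A new IKE SA (Main Mode) is created. DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits
"""

# Milestones in the order a working L2TP/IPsec login reaches them in the log.
STAGES = [
    ("client created", "A new IPsec client is created"),
    ("IKE SA created", "A new IKE SA"),
    ("IKE SA established", "This IKE SA is established"),
    ("IPsec SA established", "This IPsec SA is established"),
    ("L2TP started", "The L2TP Server Module is started"),
]
NO_PROPOSAL = "There are no acceptable transform proposals"
CLIENT_RE = re.compile(r"IPsec Client (\d+) \(|\(Client: (\d+)\)")
PARAM_RE = re.compile(r"(DH Group|Hash Algorithm|Cipher Algorithm|Cipher Key Size): ([^,]+)")

def summarize(log_text):
    """Return {client_id: {"rank", "stage", "reason", "ike"}} per IPsec client."""
    clients = {}
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue  # not an IPsec client/session line
        cid = int(m.group(1) or m.group(2))
        info = clients.setdefault(cid, {"rank": -1, "stage": "unknown", "reason": None, "ike": {}})
        for rank, (name, marker) in enumerate(STAGES):
            if marker in line and rank > info["rank"]:
                info["rank"], info["stage"] = rank, name
        if NO_PROPOSAL in line:
            info["reason"] = "no acceptable IKE transform proposal"
        if "A new IKE SA" in line:  # record the negotiated IKE parameters
            info["ike"] = {k: v.strip() for k, v in PARAM_RE.findall(line)}
    return clients

if __name__ == "__main__":
    for cid, info in sorted(summarize(SAMPLE_LOG).items()):
        print(cid, info["stage"], info["reason"], info["ike"])
```

A client that stops at "client created" with a rejection reason points at a proposal mismatch on the client side, while one that stops at "IKE SA created" got past the firewall and proposal matching but never completed the IKE exchange.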

eszokolay
Posts: 2
Joined: Sun Jan 24, 2016 9:10 pm

Re: Unable to connect IOS devices

Post by eszokolay » Wed Jan 27, 2016 11:09 pm

Thanks for the reply. I tried enabling more log settings and testing the connection and it looks like I do get to the server and almost connect. But unlike your example, I don't get an error; I get the standard connection lines starting with "A new IPsec client is created" and then I just get a line with "This IKE SA is deleted", followed by a line with "This IPsec Client is deleted".

Any ideas?

eastavin
Posts: 42
Joined: Tue Jan 19, 2016 7:13 pm

Re: Unable to connect IOS devices

Post by eastavin » Thu Jan 28, 2016 1:28 am

eszokolay wrote:
> Thanks for the reply. ..
> Any ideas?

Well, not yet. Which iOS device? Which OS version? Which VPN feature are you attempting to set up? I mean, when you get to the part where you have to select, do you choose L2TP or IPSEC or something else? Are there any known Apple bug reports for your device/OS/version?

Have you run a test using only your VPN server's internal IP as the target of your client? Use the internal address (looks like 192.168.1.100 or whatever your LAN is using) instead of the WAN IP or DDNS. This way you won't have any firewall issues. If it connects, you know the challenge is in the firewall or ISP.

Lastly, have you tried the OpenVPN client? It only needs one port to connect, UDP 1194. Fewer variables to fiddle with. It too can be tested using your internal IP for your server as the target for the client.

PS. One last thought. Does your router have Filter WAN NAT Redirection? If so, it should not be checked if you are testing with your WAN IP in the client while on your LAN.
