Nov 29, 2012 5:31 PM (in response to ddwrtchris)
It seems that your analysis backs up what was previously discussed - specifically that the encrypted flag is incorrectly set on each of the fragment packets, hence the 0x01 value that appears in the ISAKMP header. I agree that if VPN servers don't understand the Cisco Fragmentation protocol then they will obviously fail, but even if they do then they may be thrown by the fact that the packet is advertised as having an encrypted payload when this is not the case. The Cisco Fragmentation protocol breaks up an encrypted payload into chunks and then sends each chunk wrapped in a non-encrypted ISAKMP packet.
If your device negotiates AES as the cipher for the phase 1 security association then the VPN server will attempt to decrypt 1252 bytes (taken from your first screenshot) using a cipher which works on block sizes of 128 bits (16 bytes). Since 1252 isn't divisible by 16, the decryption routine would likely throw an exception which seems to match your log extract. If the issue is simply that the Cisco fragmentation payload is not supported then this seems like a strange error message to be getting?
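The check described in the post above, written out as an added example (not code from the thread or from any VPN project). It reads the ISAKMP header, notes the encryption flag, and shows why a 1252-byte body cannot go straight into a 16-byte block cipher. Assumptions: payload type 132 for the Cisco fragmentation payload and bit 0x01 as its last-fragment flag are not stated in the thread; `inspect`, `build_sample` and the packet bytes are constructed for illustration.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 fixed header, 28 bytes
FRAG_HDR = struct.Struct("!BxHHBB")        # payload header + fragment id, number, flags
FLAG_ENCRYPTED = 0x01                      # the 0x01 flag value discussed in the thread
NP_CISCO_FRAGMENT = 132                    # assumption: Cisco fragmentation payload type
AES_BLOCK = 16                             # AES block size in bytes

def inspect(packet, block_size=AES_BLOCK):
    """Decide how a receiver should treat one IKEv1 datagram."""
    if len(packet) < ISAKMP_HDR.size:
        raise ValueError("shorter than an ISAKMP header")
    _, _, next_payload, _, _, flags, _, length = ISAKMP_HDR.unpack_from(packet)
    if length != len(packet):
        raise ValueError("length field does not match datagram size")
    body_len = length - ISAKMP_HDR.size
    info = {"encrypted_flag": bool(flags & FLAG_ENCRYPTED),
            "body_len": body_len, "remainder": body_len % block_size}
    if next_payload == NP_CISCO_FRAGMENT and body_len >= FRAG_HDR.size:
        # The wrapper is cleartext whatever the flag says: collect and
        # reassemble the fragments, then decrypt the reassembled message.
        _, _, frag_id, frag_no, frag_flags = FRAG_HDR.unpack_from(packet, ISAKMP_HDR.size)
        info["fragment"] = (frag_id, frag_no, bool(frag_flags & 0x01))
        info["verdict"] = "reassemble-first"
    elif info["encrypted_flag"] and info["remainder"]:
        # A block cipher cannot decrypt a body that is not a whole number of blocks.
        info["verdict"] = "reject-bad-length"
    elif info["encrypted_flag"]:
        info["verdict"] = "decrypt"
    else:
        info["verdict"] = "parse-cleartext"
    return info

def build_sample(next_payload, flags, body):
    """Constructed test datagram: dummy cookies, version 1.0, message id 0."""
    return ISAKMP_HDR.pack(b"I" * 8, b"R" * 8, next_payload, 0x10, 4, flags, 0,
                           ISAKMP_HDR.size + len(body)) + body

# Constructed 1252-byte body: fragment id 1, fragment number 1, not the last fragment.
FRAGMENT_BODY = FRAG_HDR.pack(0, 1252, 1, 1, 0) + bytes(1252 - FRAG_HDR.size)

if __name__ == "__main__":
    print(inspect(build_sample(NP_CISCO_FRAGMENT, FLAG_ENCRYPTED, FRAGMENT_BODY)))
    print(inspect(build_sample(5, FLAG_ENCRYPTED, bytes(1252))))
```

A receiver that looks only at the encryption flag takes the second path for the first packet as well, which is the decryption failure the post describes.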
Nov 30, 2012 1:08 AM (in response to threatspike)
Seems that Cisco thinks that if they send something encrypted in chunks, they need to set the encryption flag in the header.
So if an IPsec implementation supports IKE fragmentation it has to ignore an encryption flag on these packages, I agree on that.
Maybe Cisco sometime documents this, and tells what has driven them to do it that way.
I also wonder why Apple is just using this stuff, allows this change to their client, and is not testing against common VPN servers other than Cisco.
Even Microsoft tested their ipsec client heavily against strongswan.
Nov 30, 2012 1:45 AM (in response to ddwrtchris)
ddwrtchris - Excellent analysis.
Have you filed a bug with Apple for this yet?
Nov 30, 2012 5:20 AM (in response to surfingsmurf)
I will, just signed up for the Developer Account, and now I try to push this info into the Apple bug-report-scheme ;-)
Dec 13, 2012 1:34 AM (in response to ddwrtchris)
we have just uploaded a patch for strongswan 5.0.1, that ios 6 + 6.0.1 here:
Dec 14, 2012 5:52 AM (in response to surfingsmurf)
anyone knows when this will be fixed (iOS 6.0.2)?
This is really annoying!
Dec 14, 2012 3:42 PM (in response to surfingsmurf)
I wrote here that it is fixed in a beta that is right now available. That is NOT 6.0.2 ;-)
But the Apple robot deleted my post.
If I write the version number again, the Apple robot might delete my post again, and (according to my click agreement I did...) I might go to jail.
It's Friday night, I just came back from sports and a beer (I am German), so please take the last sentence as I mean it.
Dec 18, 2012 2:35 PM (in response to surfingsmurf)
just checked 6.0.2 on an ipad mini, bug not fixed. So you have to wait for 6.x where x is 1.
Dec 18, 2012 3:03 PM (in response to ddwrtchris)
Jan 2, 2013 3:38 PM (in response to amt257)
It looks like there was a change made to how VPN works after upgrading to iOS 6.0 or higher. The only way VPN works over cellular data is to leave the Wi-Fi turned on (but not connected to a Wi-Fi NW). On iOS 5 devices VPN works over cellular data whether the Wi-Fi is on or off. Please note that we are using the IPSec VPN.
Jan 10, 2013 10:18 PM (in response to surfingsmurf)
On 6.0.1, IPSEC VPN shows the message: VPN server protocol failed.
Jan 16, 2013 6:14 PM (in response to surfingsmurf)
We launched our new cloud networking service today (https://www.threatspike.com) so to follow up on my previous comments, if any of you guys are still having trouble with VPN access over 3G/Wifi then come give it a try and let us know if it works for you. It's free to sign up (5GB allowance) and we would appreciate your help with testing it plus any feedback you can offer!
Mar 11, 2013 4:01 PM (in response to threatspike)
Does anybody know if these problems have been solved in iOS 6.1.2?
If not, has Apple said anything about when they plan to solve them?