VPN Configuration Profiles iOS4

Just installed iOS4 on my 3GS. I use configuration profiles (created with iPhone Configuration Utility 2.2) to set up my VPN and WIFI settings for two locations I go back and forth between (aka Home & Work). The WIFI profiles seem to be working fine, signing on to the WIFI network at each location just as they're supposed to; however, the VPN profiles don't seem to be working. I recreated the profiles and reinstalled them on the phone but the VPN toggle never shows up and no configurations are listed under "General > Network > VPN". I have reset the network settings and forcefully rebooted the phone to no avail. iOS4 bug?

iPhone 3GS 32GB, iOS 4

Posted on Jun 21, 2010 10:50 PM


Jun 22, 2010 11:19 AM in response to Davethenetworkguy

I gathered a console log using the iPhone Configuration Utility (http://www.apple.com/support/iphone/enterprise/) to update my bug report.

Here is my log:

Tue Jun 22 10:58:34 unknown configd[25] <Debug>: CaptiveNetworkSupport:UIAllowedNotifyCallback:70 uiallowed: false
Tue Jun 22 10:58:35 unknown profiled[550] <Warning>: profiled|Service stopping.
Tue Jun 22 10:58:38 unknown configd[25] <Notice>: IPSec connecting to server vpn.mycompany.com
Tue Jun 22 10:58:38 unknown configd[25] <Notice>: SCNC: start, triggered by Preferences, type IPSec, status 0
Tue Jun 22 10:58:41 unknown configd[25] <Notice>: IPSec Phase1 starting.
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] INFO: *** racoon started: pid=569 started by: 1
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] INFO: @(#) racoon / IPsec-tools
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] INFO: @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 ( http://www.openssl.org/)
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] INFO: Reading configuration from "/etc/racoon/racoon.conf"
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] WARNING: /var/run/racoon/1.1.1.1.conf:14: "support_mip6" it is obsoleted. use "support_proxy".
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] INFO: racoon launched by launchd.
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] INFO: 10.32.193.226[500] used as isakmp port (fd=7)
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] INFO: 10.32.193.226[4500] used as isakmp port (fd=8)
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] INFO: 127.0.0.1[500] used as isakmp port (fd=9)
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] INFO: 127.0.0.1[4500] used as isakmp port (fd=10)
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] INFO: fe80::1%lo0[500] used as isakmp port (fd=11)
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] INFO: fe80::1%lo0[4500] used as isakmp port (fd=12)
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] INFO: ::1[500] used as isakmp port (fd=13)
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] INFO: ::1[4500] used as isakmp port (fd=14)
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] INFO: found launchd socket.
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] NOTIFY: accepted connection on vpn control socket.
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] INFO: accept a request to establish IKE-SA: 1.1.1.1
Tue Jun 22 10:58:41 unknown racoon[569] <Notice>: IPSec connecting to server 1.1.1.1
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] INFO: initiate new phase 1 negotiation: 10.32.193.226[500]<=>1.1.1.1[500]
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] INFO: begin Identity Protection mode.
Tue Jun 22 10:58:41 unknown racoon[569] <Notice>: IPSec Phase1 started (Initiated by me).
Tue Jun 22 10:58:41 unknown sandboxd[570] <Notice>: racoon(569) deny network-outbound /private/var/tmp/launchd/sock
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] ERROR: delete phase1 handle.
Tue Jun 22 10:58:41 unknown kernel[0] <Debug>: launchd[569] Builtin profile: racoon (sandbox)
Tue Jun 22 10:58:45 unknown racoon[569] <Info>: [569] ERROR: delete phase1 handle.
Tue Jun 22 10:58:47 unknown racoon[569] <Info>: [569] ERROR: delete phase1 handle.
Tue Jun 22 10:58:50 unknown racoon[569] <Info>: [569] ERROR: delete phase1 handle.
Tue Jun 22 10:58:51 unknown configd[25] <Notice>: IPSec disconnecting from server 1.1.1.1
Tue Jun 22 10:58:51 unknown racoon[569] <Notice>: IPSec disconnecting from server 1.1.1.1
Tue Jun 22 10:58:51 unknown racoon[569] <Info>: [569] WARNING: in purgephXbydstaddrwop... purging phase1 and related phase2s
Tue Jun 22 10:58:51 unknown racoon[569] <Info>: [569] INFO: ISAKMP-SA expired 10.32.193.226[500]-1.1.1.1[500] spi:010f91bbfec17b66:0000000000000000
Tue Jun 22 10:58:51 unknown racoon[569] <Info>: [569] WARNING: glob found no matches for path "/var/run/racoon/*.conf"
Tue Jun 22 10:58:51 unknown racoon[569] <Info>: [569] INFO: 10.32.193.226[500] used as isakmp port (fd=7)
Tue Jun 22 10:58:51 unknown racoon[569] <Info>: [569] INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Tue Jun 22 10:58:51 unknown racoon[569] <Info>: [569] INFO: fe80::1%lo0[500] used as isakmp port (fd=9)
Tue Jun 22 10:58:51 unknown racoon[569] <Info>: [569] INFO: ::1[500] used as isakmp port (fd=10)
Tue Jun 22 10:58:52 unknown racoon[569] <Info>: [569] INFO: racoon shutdown

[BTW, vpn.mycompany.com and 1.1.1.1 are not the real name and address.]

The server, a Cisco ASA, logs "%ASA-3-713048: Error processing payload: Payload ID: id".

Jun 22, 2010 1:56 AM in response to Patrick Cummings

Same problems here with VPN.
I use a VigorPRO 5510 router at the job and have used an L2TP over IPSec configuration on my iPhone. It worked well all the time on my 3.1.3 install. Now that I've updated to 4.0, it doesn't work anymore.
Recreated the profile of the VPN. Restarted the router at my job.
When I try from my iMac the VPN works well.

The error on my iPhone is: "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator."

Jun 22, 2010 9:00 AM in response to Davethenetworkguy

Same problem.
I recently upgraded to iOS4 on my iPhone 3GS. Prior to the upgrade my VPN connection to a Sonicwall NSA3500 through an L2TP implementation was working great; however, after the upgrade L2TP stopped connecting, with the following messages:
IKE Responder: ESP encryption algorithm does not match
IKE Responder: IPSec proposal does not match (Phase 2)

Cannot get it to connect!

Jun 22, 2010 11:25 AM in response to Patrick Cummings

I have unconfirmed tips that changing the encryption on the VPN server (at least this supposedly works for L2TP connections) to AES-128 resolves the issue. FWIW, I'm using 3DES. Here are my logs from the iPhone Configuration Utility:

FYI, here's what's happening on the iPhone side:

Tue Jun 22 12:11:03 iPhone configd[25] : SCNC: start, triggered by Preferences, type L2TP, status 0
Tue Jun 22 12:11:03 iPhone configd[25] : .934 (+35.687) SCDynamicStore "network" notification
Tue Jun 22 12:11:03 iPhone configd[25] : .996 (+0.061) SCDynamicStore "network" notification
Tue Jun 22 12:11:04 iPhone pppd[1692] : pppd 2.4.2 (Apple version 486) started by mobile, uid 501
Tue Jun 22 12:11:04 iPhone configd[25] : .196 (+0.199) SCDynamicStore "network" notification
Tue Jun 22 12:11:04 iPhone configd[25] : .252 (+0.056) SCDynamicStore "network" notification
Tue Jun 22 12:11:04 iPhone configd[25] : .312 (+0.059) SCDynamicStore "network" notification
Tue Jun 22 12:11:04 iPhone pppd[1692] : L2TP connecting to server 'x.x.x.x' (x.x.x.x)...
Tue Jun 22 12:11:04 iPhone pppd[1692] : IPSec connection started
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] INFO: *** racoon started: pid=1693 started by: 1
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] INFO: @(#) racoon / IPsec-tools
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] INFO: @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 ( http://www.openssl.org/)
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] INFO: Reading configuration from "/etc/racoon/racoon.conf"
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] WARNING: /var/run/racoon/x.x.x.x.conf:9: "support_mip6" it is obsoleted. use "support_proxy".
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] INFO: racoon launched by launchd.
Tue Jun 22 12:11:04 iPhone sandboxd[1694] : racoon(1693) deny network-outbound /private/var/tmp/launchd/sock
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] INFO: 10.16.4.171[500] used as isakmp port (fd=7)
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] INFO: 10.16.4.171[4500] used as isakmp port (fd=8)
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] INFO: 127.0.0.1[500] used as isakmp port (fd=9)
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] INFO: 127.0.0.1[4500] used as isakmp port (fd=10)
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] INFO: fe80::1%lo0[500] used as isakmp port (fd=11)
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] INFO: fe80::1%lo0[4500] used as isakmp port (fd=12)
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] INFO: ::1[500] used as isakmp port (fd=13)
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] INFO: ::1[4500] used as isakmp port (fd=14)
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] INFO: found launchd socket.
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] NOTIFY: accepted connection on vpn control socket.
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] INFO: IPsec-SA request for x.x.x.x queued due to no phase1 found.
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] INFO: initiate new phase 1 negotiation: 10.16.4.171[500]<=>x.x.x.x[500]
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] INFO: begin Identity Protection mode.
Tue Jun 22 12:11:04 iPhone racoon[1693] : IPSec Phase1 started (Initiated by me).
Tue Jun 22 12:11:05 iPhone kernel[0] : launchd[1693] Builtin profile: racoon (sandbox)
Tue Jun 22 12:11:05 iPhone racoon[1693] : [1693] INFO: received Vendor ID: RFC 3947
Tue Jun 22 12:11:05 iPhone racoon[1693] : [1693] INFO: Selected NAT-T version: RFC 3947
Tue Jun 22 12:11:05 iPhone racoon[1693] : [1693] INFO: Hashing x.x.x.x[500] with algo #2
Tue Jun 22 12:11:05 iPhone racoon[1693] : [1693] INFO: Hashing 10.16.4.171[500] with algo #2
Tue Jun 22 12:11:05 iPhone racoon[1693] : [1693] INFO: Adding remote and local NAT-D payloads.
Tue Jun 22 12:11:05 iPhone racoon[1693] : [1693] INFO: NAT-D payload #0 doesn't match
Tue Jun 22 12:11:05 iPhone racoon[1693] : [1693] INFO: NAT-D payload #1 verified
Tue Jun 22 12:11:05 iPhone racoon[1693] : [1693] INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Tue Jun 22 12:11:05 iPhone racoon[1693] : [1693] INFO: received Vendor ID: DPD
Tue Jun 22 12:11:05 iPhone racoon[1693] : [1693] INFO: NAT detected: ME
Tue Jun 22 12:11:06 iPhone racoon[1693] : [1693] INFO: ISAKMP-SA established 10.16.4.171[4500]-x.x.x.x[4500] spi:799785f0ca7b5cb0:9a6b454c3a130ab0
Tue Jun 22 12:11:06 iPhone racoon[1693] : IPSec Phase1 established (Initiated by me).
Tue Jun 22 12:11:06 iPhone racoon[1693] : [1693] INFO: initiate new phase 2 negotiation: 10.16.4.171[4500]<=>x.x.x.x[4500]
Tue Jun 22 12:11:06 iPhone racoon[1693] : IPSec Phase2 started (Initiated by me).
Tue Jun 22 12:11:06 iPhone racoon[1693] : [1693] INFO: NAT detected -> UDP encapsulation (ENC_MODE 2->4).
Tue Jun 22 12:11:06 iPhone racoon[1693] : [1693] ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Tue Jun 22 12:11:06 iPhone racoon[1693] : [1693] ERROR: Message: 'l No proposal is chosen'.
Tue Jun 22 12:11:19 iPhone racoon[1693] : [1693] ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Tue Jun 22 12:11:19 iPhone racoon[1693] : [1693] ERROR: Message: 'l No proposal is chosen'.
Tue Jun 22 12:11:36 iPhone pppd[1692] : IPSec connection failed
Tue Jun 22 12:11:36 iPhone racoon[1693] : [1693] ERROR: x.x.x.x give up to get IPsec-SA due to time up to wait.
Tue Jun 22 12:11:36 iPhone configd[25] : .218 (+31.906) SCDynamicStore "network" notification
Tue Jun 22 12:11:36 iPhone configd[25] : .252 (+0.033) SCDynamicStore "network" notification
Tue Jun 22 12:11:36 iPhone configd[25] : .266 (+0.013) SCDynamicStore "network" notification
Tue Jun 22 12:11:36 iPhone configd[25] : .333 (+0.066) SCDynamicStore "network" notification
Tue Jun 22 12:11:36 iPhone racoon[1693] : [1693] WARNING: glob found no matches for path "/var/run/racoon/*.conf"
Tue Jun 22 12:11:36 iPhone racoon[1693] : [1693] INFO: 10.16.4.171[500] used as isakmp port (fd=7)
Tue Jun 22 12:11:36 iPhone racoon[1693] : [1693] INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Tue Jun 22 12:11:36 iPhone racoon[1693] : [1693] INFO: fe80::1%lo0[500] used as isakmp port (fd=9)
Tue Jun 22 12:11:36 iPhone racoon[1693] : [1693] INFO: ::1[500] used as isakmp port (fd=10)
Tue Jun 22 12:11:36 iPhone configd[25] : .371 (+0.038) SCDynamicStore "network" notification
Tue Jun 22 12:11:36 iPhone configd[25] : .400 (+0.028) SCDynamicStore "network" notification
Tue Jun 22 12:11:36 iPhone pppd[1692] : Exit.

Jun 23, 2010 8:27 AM in response to Patrick Cummings

I was already using AES-128 or better so that was not the issue for me.

I turned on debug logging on my VPN server and dug into this.

*The problem lies in using a configuration profile from iPCU.*

If I load a configuration profile created with iPCU 2.2 it does not work. If I manually enter the same VPN information through the phone itself, the VPN connection works as expected.

This is what I saw when watching the debug logs on the VPN server (Cisco ASA).
I am using a group/pre-shared key for the machine authentication part of the VPN setup. With a group/pre-shared key, the client should request an Aggressive Mode IKE negotiation. Using the config profile from iPCU 2.x on an iOS 4.0 phone, this does not happen; it does a Main Mode, which in Cisco's case it rejects, which is the expected result.

If I use the exact same profile on an iOS 3.1.x phone it does Aggressive and succeeds. If I manually enter the same VPN settings on an iOS 4.0 phone, it uses Aggressive mode and succeeds.

My conclusion is that iOS 4.0 phones do not read the configuration profile correctly.
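Added example, not part of any post in this thread: a small Python triage over racoon console lines like those posted above, separating the two failures the thread reports (phase 1 torn down after a Main Mode attempt, and phase 2 ending in NO-PROPOSAL-CHOSEN). The function name `triage`, the result keys and the "Aggressive" log string are assumptions; the sample lines are excerpts from the two logs in the thread.

```python
import re

# Lines excerpted from the two iPhone console logs posted in this thread.
CISCO_LOG = """\
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] INFO: begin Identity Protection mode.
Tue Jun 22 10:58:41 unknown racoon[569] <Notice>: IPSec Phase1 started (Initiated by me).
Tue Jun 22 10:58:41 unknown racoon[569] <Info>: [569] ERROR: delete phase1 handle.
Tue Jun 22 10:58:45 unknown racoon[569] <Info>: [569] ERROR: delete phase1 handle.
""".splitlines()

L2TP_LOG = """\
Tue Jun 22 12:11:04 iPhone racoon[1693] : [1693] INFO: begin Identity Protection mode.
Tue Jun 22 12:11:06 iPhone racoon[1693] : IPSec Phase1 established (Initiated by me).
Tue Jun 22 12:11:06 iPhone racoon[1693] : IPSec Phase2 started (Initiated by me).
Tue Jun 22 12:11:06 iPhone racoon[1693] : [1693] ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
""".splitlines()

# racoon logs "begin <exchange type> mode."; "Identity Protection" is IKEv1 Main Mode.
# Assumption: an Aggressive Mode attempt logs "Aggressive" here (not shown in the thread).
MODE = re.compile(r"racoon\[\d+\].*begin (Identity Protection|Aggressive) mode")
MODE_NAMES = {"Identity Protection": "main", "Aggressive": "aggressive"}

def triage(lines):
    """Summarise one connection attempt: exchange mode and where it failed."""
    r = {"mode": None, "phase1_up": False, "phase2_started": False,
         "verdict": "no failure seen"}
    p1_deleted = no_proposal = 0
    for line in lines:
        m = MODE.search(line)
        if m:
            r["mode"] = MODE_NAMES[m.group(1)]
        elif "Phase1 established" in line:
            r["phase1_up"] = True
        elif "Phase2 started" in line:
            r["phase2_started"] = True
        elif "ERROR: delete phase1 handle" in line:
            p1_deleted += 1
        elif "NO-PROPOSAL-CHOSEN" in line:
            no_proposal += 1
    if not r["phase1_up"] and p1_deleted:
        # Phase 1 never completed; a Main Mode attempt fits the ASA rejection above.
        r["verdict"] = "phase1 rejected" + (" (main mode sent)" if r["mode"] == "main" else "")
    elif r["phase1_up"] and no_proposal:
        # Phase 1 is fine; the peer refused every offered phase 2 proposal.
        r["verdict"] = "phase2 proposal mismatch"
    return r
```

`triage(CISCO_LOG)` and `triage(L2TP_LOG)` return different verdicts, which is the distinction between the pre-shared-key profile problem and the encryption-proposal problem discussed in the replies.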

Jun 23, 2010 10:11 AM in response to Patrick Cummings

I just received the following response from Apple:

This is a follow up to Bug ID# 8117648. After further investigation it has been determined that this is a known issue, which is currently being investigated by engineering. This issue has been filed in our bug database under the original Bug ID# 8119311. The original bug number being used to track this duplicate issue can be found in the State column, in this format: Duplicate/OrigBug#.

Thank you for submitting this bug report. We truly appreciate your assistance in helping us discover and isolate bugs.

Best Regards,

Patrick Collins
Apple Developer Connection
Worldwide Developer Relations

Jun 26, 2010 5:02 PM in response to Patrick Cummings

On Thursday I called Apple. I was a very frustrated SysAdmin. I have a fleet of iPhones under my watch and honestly I don't like to upgrade things, so I asked all employees to hold back from iOS 4 until I tested the capabilities that we use. To my surprise, iOS 4 completely crippled, for lack of a better word, my VPN config.
A couple of days later and some frustration, I have come to a compromise that allows all of my Windows, Apple and iPhone users to access the VPN, with no issues.

First off, my security appliance is a SonicWall Pro 2040. I set up the VPN and left the first proposal as 3DES; as for the second proposal, I changed that to AES-128. I have tested the config, and made sure that at least 3 different Windows clients (XP, Vista and 7) can connect, and 2 iPhones (3G and 3GS), as well as a MacBook Pro. I am happy with this result.

As a side note, I tried the manual setup to see if it works, I also tried creating a profile through the iPhone Configuration Utility, and it also works like a charm.

This works!!!

Jaime Diaz

Message was edited by: charrod
