Unable to connect to L2TP-VPN Server on iOS 14

After the Beta 4 upgrade and on the final iOS 14 release I am unable to connect to my L2TP VPN server. Any time I try to connect I get "The L2TP-VPN server did not respond" error. My Win10 laptop and Android devices are able to connect. I also have an OpenVPN server and am able to connect to it from iOS. Any suggestions?

iPhone SE

Posted on Sep 15, 2020 8:03 PM

Question marked as Top-ranking reply

Posted on Sep 20, 2020 1:26 PM

I found the following in the developers forum, which really is bad, because my VPN server does not illuminate the proper setting, so I am just screwed. Apple really needed to provide an option for backward compatibility instead of just trashing my setup.


"Apple responded to <a developer> report with the following:


This will need to be resolved by the server administrator.

We have upgraded the proposed ciphers in L2TP IPsec VPN to also propose SHA-256 for the Child SA in IPsec. The issue seems to be that the server is accepting the SHA-256 cipher for the child but maybe dropping the ESP encrypted packets with SHA-256 HMAC. This may be because the server is assuming a SHA-256 HMAC with 96 bits instead of the standard 128 bits. Switching the SHA-256 HMAC output from 96 to 128 bits should fix this issue.

Thank you for your feedback.

I have now disabled the SHA-256 compatible mode (96 bit) on my VPN server and now it works."

9 replies

Sep 18, 2020 5:50 AM in response to rustter

Same for me. Since iOS 14 (iPhone / iPad mini)

I can see this in the VPN log:

2020:09:18-14:46:27 gtw-asgaard pluto[5970]: "L_for admin"[34] 78.80.99.86:57983 #66: received Delete SA(0x0fe64c16) payload: deleting IPSEC State #67
2020:09:18-14:46:27 gtw-asgaard pluto[5970]: "L_for admin"[34] 78.80.99.86:57983 #66: deleting connection "L_for admin"[16] instance with peer 78.80.99.86 {isakmp=#0/ipsec=#0}
2020:09:18-14:46:27 gtw-asgaard pluto[5970]: ERROR: asynchronous network error report on eth0 for message to 78.80.99.86 port 57983, complainant 78.80.99.86: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
2020:09:18-14:46:27 gtw-asgaard pluto[5970]: "L_for admin"[34] 78.80.99.86:57983 #66: received Delete SA payload: deleting ISAKMP State #66
2020:09:18-14:46:27 gtw-asgaard pluto[5970]: "L_for admin"[34] 78.80.99.86:57983: deleting connection "L_for admin"[34] instance with peer 78.80.99.86 {isakmp=#0/ipsec=#0}
2020:09:18-14:46:27 gtw-asgaard pluto[5970]: ERROR: asynchronous network error report on eth0 for message to 78.80.99.86 port 57983, complainant 78.80.99.86: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

Sep 20, 2020 9:03 PM in response to rustter

I tried sha2-truncbug=no in /etc/ipsec.conf; thank you.


Didn't work though. I think that file (in my case) gets dynamically created from another script. This is essentially an OpenSwan via a QPKG by QNAP that is a version QNAP no longer maintains.


I switched to OpenVPN from the L2TP. This works. A little convoluted with profiles and certs, but it avoids using native Apple functionality that provides no options for how I want MY things to work.

Sep 20, 2020 1:21 PM in response to rustter

I have deleted and recreated the VPN settings on my iPhone and iPad - both iOS 14. Nothing helped.


I also recreated the configurations on the VPN Server. No help.


I even tried simplified (no special characters) in the pre-shared key. No help.


I also reset network settings. No help.


The only devices I have that are not able to connect to my VPN are my two iOS 14 devices. Everything else works (Windows, Macs on 10.14.6, offsite appliance, etc.).


All worked until the iOS upgrade to 14. Seems strongly like a bug.

Sep 21, 2020 12:26 AM in response to rustter

So I set up my /etc/ipsec.conf in the following way:

  ike=aes256-sha1,aes128-sha1,aes256-sha1;modp1024
  phase2alg=aes_gcm-null,aes256-sha1,aes128-sha1

Now my iOS 14, Android 7 and Win10 devices are able to connect to my L2TP/IPsec VPN (libreswan-3.32+xl2tpd-1.3.8), but now I have a weaker configuration than before. Because of the use of sha1, the "sha2-truncbug=" parameter is not required.
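The following is an added illustration, not code from this thread or from any *swan project, of the ICV-length mismatch Apple describes in the top-ranking reply and that the sha2-truncbug= setting and the sha1-only workaround above are meant to avoid. It builds a simplified ESP-style packet (SPI, sequence number and a constructed stand-in ciphertext, no IV or padding) with an HMAC-SHA-256 ICV truncated to either the RFC 4868 128 bits or the legacy 96 bits, then verifies it with a receiver that assumes each length; the function names and key are my own constructions.

```python
import hmac
import hashlib
import os

# RFC 4868 requires a 128-bit (16-byte) ICV for HMAC-SHA-256 in ESP.
# Older Linux/*swan stacks truncated it to 96 bits (12 bytes), like HMAC-SHA1.
ICV_STANDARD = 16   # what iOS 14 now sends
ICV_LEGACY = 12     # "SHA-256 compatible mode" / sha2-truncbug=yes on the server


def build_esp(auth_key: bytes, spi: int, seq: int, ciphertext: bytes, icv_len: int) -> bytes:
    """Sender side (constructed, simplified ESP): header || ciphertext || truncated ICV.
    The ICV covers everything that precedes it."""
    authenticated = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + ciphertext
    icv = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:icv_len]
    return authenticated + icv


def verify_esp(auth_key: bytes, packet: bytes, icv_len: int) -> bool:
    """Receiver side. The receiver's assumed ICV length fixes where the ICV
    boundary lies, so a mismatch shifts both the authenticated span and the tag,
    and the packet is dropped even though both ends use the same key and hash."""
    authenticated, icv = packet[:-icv_len], packet[-icv_len:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:icv_len]
    return hmac.compare_digest(expected, icv)


def interop_matrix(auth_key: bytes) -> dict:
    """Every sender/receiver truncation pairing on one constructed payload.
    Returns {(sender_icv_len, receiver_icv_len): accepted?}."""
    ciphertext = b"\xaa" * 40  # constructed stand-in for the encrypted L2TP/PPP payload
    spi = 0x0FE64C16           # SPI value borrowed from the pluto log above
    results = {}
    for send_len in (ICV_STANDARD, ICV_LEGACY):
        pkt = build_esp(auth_key, spi, 1, ciphertext, send_len)
        for recv_len in (ICV_STANDARD, ICV_LEGACY):
            results[(send_len, recv_len)] = verify_esp(auth_key, pkt, recv_len)
    return results


if __name__ == "__main__":
    key = os.urandom(32)  # constructed authentication key
    for (s, r), ok in interop_matrix(key).items():
        state = "accepted" if ok else "DROPPED"
        print(f"sender ICV {s * 8:3d} bits, receiver ICV {r * 8:3d} bits -> {state}")
```

Only the two diagonal pairings verify; a server left in 96-bit mode silently drops every 128-bit packet from iOS 14, which is why the IKE negotiation succeeds but the tunnel never carries traffic.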
