PPTP Won't work after 4.3 Upgrade

We had a PPTP VPN connection on our department iPad. I upgraded to 4.3 and now it won't connect to the VPN. Has anyone else had this problem? We know the VPN works, we connected a 4.2 iPhone. VPN device is a Nortel 1700.

iPad 16gb WiFi 1st Gen, iOS 4, iOS 4.3

Posted on Mar 10, 2011 2:03 PM

123 replies

Mar 29, 2011 10:28 PM in response to Steveclv

Sorry, just to be clear in my last post

The home network router is transparent in this problem (which is what my last post was addressing) - if you are referring to the end point VPN router then that is different - in my case I have no idea what equipment has been set up to provide the end point of the VPN tunnel. I imagine that most non-IT people have any idea either.

Mar 30, 2011 2:02 AM in response to Steveclv

Steveclv wrote:
> Asatoran
>
> You are not thinking this through logically
>
> As many posters have pointed out, the iPad/iPhone with iOS 4.2 worked with PPTP VPN connections and have now stopped working on the same networks with 4.3 and 4.3.1.
>
> No-one has changed their routers so this removes them from the equation.


You are showing that you are not understanding anything I said. I did NOT, repeat NOT, repeat NOT say that the problem is NOT iOS4.3. Far from it, I am agreeing that it was something that Apple changed. However, since not everyone is having a problem, the next step is to determine what is common with all the "broken" VPNs (besides using iOS4.3.) As I posted, the last several people that provided detailed info had used DD-WRT as their VPN endpoints. So I had pointed out that there is a POSSIBLE, repeat POSSIBLE focus for investigation.

> Discussing routers and their configuration is meaningless and distracts from the problem which is that Apple have broken PPTP VPN connections in iOS 4.3 - PERIOD.


No, since all that was being posted was "me too" without any new info, how was it going to fix the issue? So gathering more info is required, and as I said above, we have preliminary data pointing toward DD-WRT and Linksys hardware.

> I think livinginamoment explained it and I have a similar experience - within my WiFi network I have working PPTP VPN connections (Mac OSX, Windows 7 and iOS 4.2) and non-working PPTP VPN connections (iPad 4.3, iPad 2 4.3.1, iPhone 4.3)
> They all use the same router.


You're being shortsighted. Yes, you didn't change your router, but what do you have in common with the other people that are having issues? (Again, besides iOS4.3.)

> So to be clear - this problem has nothing whatsoever to do with the Router.

Steveclv wrote:
> Sorry, just to be clear in my last post
>
> The home network router is transparent in this problem (which is what my last post was addressing) - if you are referring to the end point VPN router then that is different - in my case I have no idea what equipment has been set up to provide the end point of the VPN tunnel. I imagine that most non-IT people have any idea either.


You are again thinking shortsightedly. You may not be in control of the VPN endpoint, but others are, the ones that have the VPN endpoint at home and are VPNing to their home. Those people can provide the extra info. I was NOT talking about the NON-VPN-ENDPOINT router, but about the router that IS being used as the VPN endpoint, which is of course of interest. And if you are not an IT person and you don't know what VPN equipment you're using, then I suggest you have your IT department work with Apple to fix the issue, since you wouldn't have access to the technical info needed to troubleshoot the issue. (i.e.: log files of the VPN endpoint.) "Me too" posts are what is "meaningless and distracting" since we already know that there is an issue, but "me too" doesn't do anything toward a resolution. I've already said that troubleshooting VPN issues is often difficult and if, as you infer, are not an IT person and don't know what kind of VPN endpoint and settings you're using, then how do you "know" it's not the router? 😐

Put it this way, I'm trying to point you toward ways to fix YOUR problem. I'm not affected by the issue, and if anything, I would NOT want Apple to put out an update since it could then "break" my VPN. So if I were selfish, I would tell Apple to NOT fix anything and tell you to replace your VPN equipment with a (very expensive) Cisco ASA5000 series box, which uses IPSec, which is much more reliable and secure than PPTP, and as has been posted definitely does work with iOS4.3 & iOS4.3.1. So if I were selfish, I would have said that the "issue" is your equipment since my equipment and setup is working fine, as well as other people's setup, and you don't even know what equipment you're connecting to. 😐

Mar 30, 2011 7:44 AM in response to Asatoran

I could add a scathing reply but that would not add anything to this discussion.

It was not clear that you were referring to the end-point router in your earlier posts and at least that has been clarified.

I have no idea what end-point router is being used because we didn't set it up - we simply purchase a monthly service from a supplier. I suggest that many others are in the same situation.

Whilst the posting of 'me too' messages that seem to cause you some distress may add nothing technical to the discussion, it is indicative that the issues are widespread and whilst you do not believe that Apple staff read these threads, I can assure you that they do. They do not use it for providing support responses or for a dialog with Apple customers - but the information does disseminate back to Cupertino.

We all agree that 4.3 broke something - whether it was the hardening of the security protocols or incompetence due to insufficient testing or both we do not know and only Apple can truly answer and address that. Using one specific brand of end-point router or changing the protocol is not the answer (but may be a quick fix).

Mar 30, 2011 9:50 AM in response to Steveclv

@Steveclv, I'm leaving out other comments since it won't help the issue. I'll just give one more suggestion:

> I have no idea what end-point router is being used because we didn't set it up - we simply purchase a monthly service from a supplier. I suggest that many others are in the same situation.
>
> We all agree that 4.3 broke something - whether it was the hardening of the security protocols or incompetence due to insufficient testing or both we do not know and only Apple can truly answer and address that. Using one specific brand of end-point router or changing the protocol is not the answer (but may be a quick fix).


Why aren't you yelling at your VPN provider? Whenever Apple comes out with a new model, the case manufacturers have to change their designs. When Apple updates OSX, it is not uncommon for software and hardware manufacturers to have to update their software or firmware. So it should not come as a surprise that a change to iOS would mean that some service providers may need to update their configurations, in this case a VPN service provider. Yes, it was not the service provider's fault, but it is in the service provider's best interest to work with Apple and get this resolved. They are looking at the potential loss of revenue from hundreds, thousands or perhaps millions of iOS clients.

Changing hardware, in this case, means changing service providers. That is not a quick fix, but the threat of leaving is powerful...if you were a good or large client.

Considering that most of the computer industry considers PPTP to be very weak security-wise, changing protocols shouldn't be much of an issue to a good quality service provider, since they should already be set up to use a better protocol. It's one thing if an individual had to change hardware to change protocol on their endpoint they owned at home, but a service provider that only supports PPTP does not sound like a service provider that I'd want to rely on.

You are free to sit here and blame Apple all you want, but what will that get you? I agree that Apple may read some of the things on these forums, but this is not the official channel so is arguably the slowest channel for getting your issue resolved. Get your service provider on board.

Mar 30, 2011 11:33 AM in response to JC_MacD

About this issue:
After my long investigation I have some positive result.

1. My iPad sometimes connects "1/15"
2. Connection is established with vpn endpoint (dd-wrt point of view) but immediately after iOS breaks this connection and no errors in the logs

Some logs from vpn when connection is unsuccessful (from iPad2)
Mar 30 19:48:26 pptpd[12423]: CTRL: Client "IP" control connection started
Mar 30 19:48:26 pptpd[12423]: CTRL: Starting call (launching pppd, opening GRE)
Mar 30 19:48:26 pppd[12424]: pppd 2.4.4 started by root, uid 0

connection established


Ending connection


Mar 30 19:48:29 pptpd[12423]: CTRL: EOF or bad error reading ctrl packet length.
Mar 30 19:48:29 pptpd[12423]: CTRL: couldn't read packet header (exit)
Mar 30 19:48:29 pptpd[12423]: CTRL: CTRL read failed
Mar 30 19:48:29 pptpd[12423]: CTRL: Reaping child PPP[12424]
Mar 30 19:48:29 pppd[12424]: Exit.
Mar 30 19:48:29 pptpd[12423]: CTRL: Client "IP" control connection finished


Some logs from vpn when connection is successful (from MBP)
Mar 30 20:00:34 pptpd[12906]: CTRL: Client "IP" control connection started
Mar 30 20:00:34 pptpd[12906]: CTRL: Starting call (launching pppd, opening GRE)
Mar 30 20:00:34 pppd[12907]: pppd 2.4.4 started by root, uid 0

connection established


Ending connection


Mar 30 20:00:56 pptpd[12906]: CTRL: EOF or bad error reading ctrl packet length.
Mar 30 20:00:56 pptpd[12906]: CTRL: couldn't read packet header (exit)
Mar 30 20:00:56 pptpd[12906]: CTRL: CTRL read failed
Mar 30 20:00:56 pptpd[12906]: CTRL: Reaping child PPP[12907]
Mar 30 20:00:56 pppd[12907]: Exit.
Mar 30 20:00:56 pptpd[12906]: CTRL: Client "IP" control connection finished


So there is no difference in the logs between the 2 connections


Anyway from ddwrt point of view no problem with both connections.

Mar 31, 2011 7:57 AM in response to BritViewer

I too am having identical problems.

All work fine remotely as of 10:53 EST on 3/31/2011:
My iOS 4.2.1 iPhone 4
HP EliteBook 8540p running Windows 7 Enterprise
Dell Vostro 1700 running Windows Vista Home
2010 MacBook Pro, fully patched

Does NOT work:
New iPad 2 iOS 4.3
Friend's iPhone 4 running iOS 4.3

The server everything is connected to is a Linksys WRT54g rev 2, DD-WRT v24-sp2 (11/02/09) vpn which has worked fine for months.

The problem is simple. iOS device pre 4.3 works fine, upgrade it and it stops working. If I can't get this iPad 2 working with VPN soon, it is going back to the store. I purchased it so I wouldn't have to take my MacBook Pro everywhere.

Mar 31, 2011 1:56 PM in response to JC_MacD

The saga continues. I spoke to support last Thursday, on Friday I reloaded my iPad per their instructions and it still didn't work. Monday I called the tech back as instructed and left a message because he said he would transfer me to Enterprise support (apparently you can't call Enterprise directly, so I was told). Well it's Thursday and still no call back.

Here is what I found out on my own. My VPN is a Nortel 1700, there is no Apple IPSec client. So we use PPTP. All my 4.2.x clients work, none of my 4.3.x clients work. What is interesting is that the Nortel points to an internal LDAP server to authenticate the user. If I create a local user, on the Nortel box, I can connect to the VPN.
I am the manager of the VPN here. The Nortel logs show the user name, pptp connection and nothing else. It's not practical for me to set all my users up as local users, that's not an option.
So, when a 4.3.x device tries to connect, the user name is passed to the Nortel and I would assume the password is being passed in also because Local users will connect. So in the split second it takes the Nortel to talk to the LDAP the connection times out.
I haven't had a chance to go thru the LDAP logs but I will tomorrow to see if anything shows anything.

Apple support is a joke, they don't take this discussion forum seriously, I told the tech that all kinds of people were having problems and gave him the link, his response was 'you can post anything and people will post me too, just to see their name' Yup, that's customer support for you.

Apr 6, 2011 1:39 PM in response to JC_MacD

Just a quick note. I too am having issues connecting via PPTP VPN to a router loaded with DD-WRT firmware (DD-WRT v24-sp2 (10/10/09) std) on a Motorola WR850Gv2 with an iPhone and iPad running iOS 4.3. I can connect to other PPTP servers with these same devices including my work's PPTP and to a Snow Leopard machine running VPN Activator. So I am not sure that Apple "broke" something; they may have changed something that has affected this combination of equipment, firmware and software. Yes I can still connect to the VPN with other devices like a Mac and an older phone running iOS 4.21. I think we really need to hear from the folks who put together the DD-WRT firmware to get their opinion on this topic. I wish Apple would include OpenVPN support in iOS; it has been done on jailbroken devices already.

Apr 6, 2011 3:07 PM in response to slinge

slinge wrote:
> It's not a DDWRT problem; my 3GS worked before and after updating to 4.3.1 however an iPad 2 will not connect with 4.3 or 4.3.1
>
> I tried with DDWRT build 15962, then updated to 16454 on Asus RT-N16, but no difference.
>
> It's got to be an iOS problem.


While I agree that the issue is with iOS, considering that most (if not all) the people that reported which VPN endpoints they had problems with were DD-WRT, rather than getting tunnel-vision on "it's not DD-WRT", perhaps the question should be "what is it about DD-WRT that iOS doesn't like?"

Also, since your post states that your iPhone 3GS is working with iOS4.3.1 to a DD-WRT VPN, then one could argue that it is NOT iOS. (IOW, if "it's got to be iOS", then shouldn't your 3GS have failed also?)

(My apologies if it sounds like I'm picking on you. It's not my intent. Just when I saw the "It's got to be" that usually raises red flags for me. 🙂 )

Apr 7, 2011 5:23 AM in response to Asatoran

Ok, the problem does appear to specifically affect the PopTopD PPTP server. This would explain the problem with the DDWRT routers, as they utilise this package. This however affects nearly every single Linux based firewall as well. The problem appears to be a bug in iOS 4.3 & 4.3.1 in that the client doesn't wait for LCP to proceed to 'open'.

If anyone has a work around I'd love to try it...

Detailed here:
http://forum.hidemyass.com/showthread.php?tid=2879

Apr 7, 2011 7:28 AM in response to Syrex

After comparing numerous tcpdump outputs and turning up the debug logging the problem is actually quite simple... AND DEFINITELY AN APPLE BUG.

To replicate:
1. Turn on debug logging for pppd when launched by pptpd
echo 'debug' >> /etc/ppp/options.pptpd
2. Set syslog to direct debug information to the system log file
3. tail -f /var/log/messages | grep -v 'racoon\|snmp'

Debug messages:
Windows 7 Laptop:
Apr 7 15:24:57 unix-03 pppd[22806]: Connect: ppp0 <--> /dev/pts/8
Apr 7 15:24:57 unix-03 pppd[22806]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xd861a44a> <pcomp> <accomp>]
Apr 7 15:24:57 unix-03 pppd[22806]: rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x4f8f6313> <pcomp> <accomp> <callback CBCP>]

iOS 4.3+:
Apr 7 15:17:10 unix-03 pppd[22084]: Connect: ppp0 <--> /dev/pts/8
Apr 7 15:17:10 unix-03 pppd[22084]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xe4445c4f> <pcomp> <accomp>]
Apr 7 15:17:28 unix-03 last message repeated 8 times


The iOS 4.3 and 4.3.1 devices simply stop sending traffic back after the PPTP server offers its Configuration Request. Adding either 'nopcomp', 'noaccomp'
or both to /etc/ppp/options.pptpd results in the connections working every time.

In Other Words:
iOS 4.3 and 4.3.1 immediately stop trying to establish a VPN connection
when they are offered both pcomp (protocol field compression negotiation)
and accomp (address/control compression). This is the default behaviour
in PPP and presumably why a lot of Linux based routers are subsequently unable
to establish connections with iOS 4.3+.
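
The comparison made in the post above can be automated. The following is an added example, not part of the original post: it groups pppd debug lines by process ID and flags sessions in which the server sent LCP Configure-Requests but never logged one from the client, which is the iOS 4.3 pattern shown. The log lines are copied from the post; the function names, and the assumption that a syslog "last message repeated" line refers to the preceding pppd packet line, are this example's own.

```python
import re

# Log lines copied from the post above (pppd debug output on the PPTP server):
# PID 22806 is the Windows 7 laptop, PID 22084 the iOS 4.3+ device.
SAMPLE_LOG = """\
Apr 7 15:24:57 unix-03 pppd[22806]: Connect: ppp0 <--> /dev/pts/8
Apr 7 15:24:57 unix-03 pppd[22806]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xd861a44a> <pcomp> <accomp>]
Apr 7 15:24:57 unix-03 pppd[22806]: rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x4f8f6313> <pcomp> <accomp> <callback CBCP>]
Apr 7 15:17:10 unix-03 pppd[22084]: Connect: ppp0 <--> /dev/pts/8
Apr 7 15:17:10 unix-03 pppd[22084]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xe4445c4f> <pcomp> <accomp>]
Apr 7 15:17:28 unix-03 last message repeated 8 times
"""

PPPD = re.compile(r"pppd\[(\d+)\]: (.*)$")
PACKET = re.compile(r"^(sent|rcvd) \[LCP (\w+) id=0x[0-9a-f]+(.*)\]$")
REPEAT = re.compile(r"last message repeated (\d+) times$")

def analyze(log_text):
    """Return {pid: {"sent": n, "rcvd": n, "offered": set of LCP options we sent}}."""
    sessions = {}
    last = None  # (pid, direction) of the latest packet line, for "repeated" lines
    for line in log_text.splitlines():
        m = PPPD.search(line)
        if m:
            pid, msg = m.groups()
            s = sessions.setdefault(pid, {"sent": 0, "rcvd": 0, "offered": set()})
            p = PACKET.match(msg)
            last = None
            if p:
                direction, code, opts = p.groups()
                s[direction] += 1
                last = (pid, direction)
                if direction == "sent" and code == "ConfReq":
                    s["offered"] |= set(re.findall(r"<(\w+)", opts))
            continue
        r = REPEAT.search(line)
        if r and last:
            # Assumption: syslog collapsed retransmissions of the previous packet line.
            sessions[last[0]][last[1]] += int(r.group(1))
    return sessions

def stalled_sessions(sessions):
    """Sessions where the client never answered: (pid, ConfReqs sent, compression offered)."""
    return [(pid, s["sent"], sorted(s["offered"] & {"pcomp", "accomp"}))
            for pid, s in sessions.items() if s["sent"] > 0 and s["rcvd"] == 0]

if __name__ == "__main__":
    for pid, sent, comp in stalled_sessions(analyze(SAMPLE_LOG)):
        print(f"pppd[{pid}]: {sent} LCP packets sent, none received; offered {comp}")
```

Running it again on logs captured after adding 'nopcomp' or 'noaccomp' to /etc/ppp/options.pptpd shows whether the stalled sessions are gone.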

Apr 7, 2011 2:22 PM in response to JC_MacD

I've twigged a really simple way to make it work, tested on iOS 4.3.1 with iPad 2.

Firstly I downloaded the iPhone configuration utility, then I went to the "Configuration Profiles" section, clicked on the VPN bit and entered my PPTP details. I also filled in the General bit as apparently it is mandatory.

With iPad plugged in (and showing in the devices section of the iphone configuration utility) I clicked on it (the iPad), then it shows that I have the option to install the profile I created.

Click install, this brings up a message on ipad, confirm and install. Asks for the password to the VPN, enter it, click next etc, then profile should be installed.

Now when I go to VPN and select the PPTP VPN from the profile I just installed and try to connect... it doesn't connect straight away, says connecting.... but hangs.

Turn Airplane mode on, then off, and try again with the VPN... voila, it connects.

Now, I try turning the VPN on and off, connects every time.

Not quite sure why it works, but it is.

The only reason I can think why it might not work for everyone else is maybe it's a profile from my 3GS (which is working) getting applied to the iPad. Still, it's got to be worth a shot.

Apologies for a messy post, but this seems like a really idiot proof solution (it must be if I can do it!).
