Previous 1 2 3 Next 43 Replies Latest reply: Mar 11, 2013 4:01 PM by ananoxoto Branched to a new discussion.
surfingsmurf Level 1 Level 1 (0 points)

After upgrading to IOS 6 both my iPad and iPhone Cisco VPN no longer work.  Prior to upgrading to IOS 6 Cisco VPN client works fine.  I also have L2TP and PPTP and both clients do work after upgrading to IOS 6. Anyone else confirmed this is an issue?


iPad 2 Wi-Fi + 3G, iOS 6
  • Thats Not Funny Level 1 Level 1 (0 points)

    Same here.  IOS6 broke our IPSec VPN connectivity.   The info that came with the upgrade didn't even mention the VPN client. How about some documentation Apple?

  • TimeForAction Level 1 Level 1 (0 points)

    Hello,

     

    We are experiencing the exact same problem with VPN connections on iOS 6 as pietia336.

     

    VPN starts, first companywebsite through VPN works, but after the first URL safari does not connect to other URL's through the VPN with .local domain names.

     

    After restarting the VPN connection we can again reach 1 URL. Every attemp to connect to a 2nd different URL fails in safari.

     

    We did not have this issue with iOS 5.1.1. Only appeares in iOS 6

     

    Funny thing is that with WiFi it works like a charm. Problem in our situation only occurs when connecting VPN over 3g.

     

    Trying an other App for network research we see that .local domains are being resolved correctly also with multiple domains.

     

    When using Chrome instead of Safari shows the same problems. First URL through VPN works, all following URL's fail.

     

    We tested multiple iPad2 's and all show the same problem. VPN through Cisco ASA.

     

    Hope to see a possible solution qiuck since all our mobile workers are waiting to update before this issue is resolved.

     

    Any sollutions yet?

     

    Best regards,

    Marco

  • TheManOnTheBench Level 1 Level 1 (0 points)

    Hello Sufingsmurf,

     

    I'm having the same problem with my IPSec VPN to a Vyatta server on my iPad after the 6.0 update. On the initial connection, I get a message announcing that the server is unreachable, then it stops. Subsequent attempts just let the connection spinning until I kill the "Settings" app. When I watch the log on the server, It's not getting anything from the iPad. It worked well with 5.x.

     

    Cheers

  • William Kucharski Level 6 Level 6 (14,890 points)

    Has anyone bothered contacting Cisco about it?

  • adamely Level 1 Level 1 (0 points)

    ios 6 has a bad bug in udp packet fragmentation handling.  Large UDP packets will cause IPSec connections to fail.  We're fighting through this as well and the only solution we found was to lower the size of the root and device certificates, far less than ideal.

  • Bgreve Level 1 Level 1 (0 points)

    Same problem here.  Updated to 6.0 on Wednesday, went to use VPN over 3G this morning and no dice.  WiFi is great, but nothing over 3G.  Tried different browsers and also set up connection again and no luck.  Hope that this gets resolved soon.

  • Nick.123 Level 1 Level 1 (0 points)

    Also found VPN broken on iOS6 using Cisco SA540 VPN ipsec

  • atriller Level 1 Level 1 (0 points)

    Same here, we use IPSEC VPN to connect to a Fortigate 200A.

    Connection stalls and gives an error on all iPhones and iPads via 3G or WiFi since they were updated to IOS6.

     

    The debug log on the firewall looks like this (IP addresses sanitized as A.B.C.D for the client and E.F.G.H. for the firewall):

     

    FG200A # ike 0: comes A.B.C.D:59175->E.F.G.H:500,ifindex=3....

    ike 0: IKEv1 exchange=Identity Protection id=e928f082dd00b69b/0000000000000000 len=668

    ike 0: in E928F082DD00B69B000000000000000001100200000000000000029C0D00016C000000010000000 1000001600101000A0300002401010000800B0001800C0E1080010007800E01008003FDED8002000 2800400050300002402010000800B0001800C0E1080010007800E01008003FDED800200028004000 20300002403010000800B0001800C0E1080010007800E00808003FDED80020002800400020300002 404010000800B0001800C0E1080010007800E01008003FDED8002000180040005030000240501000 0800B0001800C0E1080010007800E01008003FDED80020001800400020300002406010000800B000 1800C0E1080010007800E00808003FDED80020001800400020300002007010000800B0001800C0E1 0800100058003FDED80020002800400020300002008010000800B0001800C0E10800100058003FDE D80020001800400020300002009010000800B0001800C0E10800100018003FDED800200028004000 2000000200A010000800B0001800C0E10800100018003FDED80020001800400020D0000144A131C8 1070358455C5728F20E95452F0D0000144DF37928E9FC4FD1B3262170D515C6620D0000148F8D838 26D246B6FC7A8A6A428C11DE80D000014439B59F8BA676C4C7737AE22EAB8F5820D0000144D1E0E1 36DEAFA34C4F3EA9F02EC72850D00001480D0BB3DEF54565EE84645D4C85CE3EE0D0000149909B64 EED937C6573DE52ACE952FA6B0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464 335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00000C0900268 9DFD6B7120D00001412F5F28C457168A9702D9FE274CC01000D0000184048B7D56EBCE88525E7DE7 F00D6C2D38000000000000014AFCAD71368A1F1C96B8696FC77570100

    ike 0:iPhone: check for IP assignment method ...

    ike 0:iPhone: no IP assignment method defined

    ike 0:iPhone:93: responder: main mode get 1st message...

    ike 0:iPhone:93: VID RFC 3947 4A131C81070358455C5728F20E95452F

    ike 0:iPhone:93: VID unknown (16): 4DF37928E9FC4FD1B3262170D515C662

    ike 0:iPhone:93: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8

    ike 0:iPhone:93: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-08

    ike 0:iPhone:93: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582

    ike 0:iPhone:93: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-07

    ike 0:iPhone:93: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285

    ike 0:iPhone:93: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-06

    ike 0:iPhone:93: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE

    ike 0:iPhone:93: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-05

    ike 0:iPhone:93: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B

    ike 0:iPhone:93: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-04

    ike 0:iPhone:93: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56

    ike 0:iPhone:93: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448

    ike 0:iPhone:93: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F

    ike 0:iPhone:93: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712

    ike 0:iPhone:93: XAUTHv6 negotiated

    ike 0:iPhone:93: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100

    ike 0:iPhone:93: peer supports UNITY

    ike 0:iPhone:93: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000

    ike 0:iPhone:93: VID DPD AFCAD71368A1F1C96B8696FC77570100

    ike 0:iPhone:93: DPD negotiated

    ike 0:iPhone:93: negotiation result

    ike 0:iPhone:93: proposal id = 1:

    ike 0:iPhone:93:   protocol id = ISAKMP:

    ike 0:iPhone:93:      trans_id = KEY_IKE.

    ike 0:iPhone:93:      encapsulation = IKE/none

    ike 0:iPhone:93:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.

    ike 0:iPhone:93:         type=OAKLEY_HASH_ALG, val=SHA.

    ike 0:iPhone:93:         type=AUTH_METHOD, val=RSA_SIG_XAUTH_I.

    ike 0:iPhone:93:         type=OAKLEY_GROUP, val=1024.

    ike 0:iPhone:93: ISKAMP SA lifetime=28800

    ike 0:iPhone:93: selected NAT-T version: RFC 3947

    ike 0:iPhone:93: cookie e928f082dd00b69b/3cd445fe599558a8

    ike 0:iPhone:93: out E928F082DD00B69B3CD445FE599558A80110020000000000000000AC0D000034000000010000000 100000028010100010000002007010000800B0001800C0E10800100058003FDED800200028004000 20D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC7757010 00D00000C09002689DFD6B7120D00001412F5F28C457168A9702D9FE274CC0204000000148299031 757A36082C6A621DE00040278

    ike 0:iPhone:93: sent IKE msg (ident_r1send): E.F.G.H:500->A.B.C.D:59175, len=172, id=e928f082dd00b69b/3cd445fe599558a8

    ike 0: comes A.B.C.D:59175->E.F.G.H:500,ifindex=3....

    ike 0: IKEv1 exchange=Identity Protection id=e928f082dd00b69b/3cd445fe599558a8 len=228

    ike 0: in E928F082DD00B69B3CD445FE599558A80410020000000000000000E40A000084DFA74545324372A 126F278B45D691EEC46604F92C062A5C37534C33EA2F7CCEB72133FA629A0C5D4748BB48B70AC436 E77E81B8DC6DDE79186CAA3EA775F37E9F18592312BF7100CF511835E77EDAE5BB9CD3A5A8A951AD 45E960737A89977F653D4D0FC0CF5BEC241BA451096CC5C2BB8DA11EDED36F54AC18E82F40C15683 F14000014DFFD8B297DAD3DEB89F3BD6989D4171B140000183B4C323EFD2126405F21D5A023F00AA 18A9EAA290000001844410154D4B1AB7254E635F5B92CA194E9AA0561

    ike 0:iPhone:93: responder:main mode get 2nd message...

    ike 0:iPhone:93: NAT detected: PEER

    ike 0:iPhone:93: out E928F082DD00B69B3CD445FE599558A80410020000000000000000E40A000084F069E03BFC55029 950321FD419FCFDC32C8D439E6F7576F2C73EB1CD6757DBEF779147BBB3E31C45AB765B5AEEC3CBA ABCB2A3323A9AF77D1F4D6D0481B2D2EDD88FE66D38FF8684D0DA7F822C57D9244C8B0DB57123E08 38DD97300509363E15222D12BFAC10C30727FA2D823F7DFE9733A37DA99E2EAFF1436AFCBB72561E 114000014DE8448636DB0FCB6FB8D042750357CCB1400001874055D9A2FF4B45ECA8279DA5413E4F 3A63C8AA7000000183B4C323EFD2126405F21D5A023F00AA18A9EAA29

    ike 0:iPhone:93: sent IKE msg (ident_r2send): E.F.G.H:500->A.B.C.D:59175, len=228, id=e928f082dd00b69b/3cd445fe599558a8

    ike 0:iPhone:93: ISAKMP SA e928f082dd00b69b/3cd445fe599558a8 key 24:5D043168282B4491639AD658C0060B34606858D54B1A0806

    ike 0: comes A.B.C.D:50509->E.F.G.H:4500,ifindex=3....

    ike 0: IKEv1 exchange=Identity Protection id=e928f082dd00b69b/3cd445fe599558a8 len=1280

    ike 0: in E928F082DD00B69B3CD445FE599558A8841002010000000000000500000004E400010100E928F08 2DD00B69B3CD445FE599558A80510020100000000000007543B3479EC0FD2895BCD0564942BF4927 B75E11676E4D4408D44D18AE6391BEB0BBF22F78080316DFB0BD272B20AAC710F6B6CADA58A8A04C A07BBBBBBE0D79921B2D6DB0125180DC8A93B63EFC74940DE5D59AF6FD2E5F5FB416F426EC8C9D93 B9FC77C2E23E75887A6FBF3E8A859690E33C898E3DFBB0112CA334E698FEEEAD7E9B1BF3F13D1652 8DEE23AB6A0A539C1DCAA13A5547275E4AF2D5E0DA9649604CB91AAD982C9E16EEA1CECCD2E3CD52 6776AB1D1DA4B5A3959C8B76D097C07A8EA905933E4922BE3359B80574D1CCF1442B5762A702B913 27BA64CA52A85F4D40FF11BF6C8335A48BD5977D1982FC7EDA8E4A7A83DCB96048F8EAE5AABFB781 82F312D1E1869E5951D9B2CCD7BBECE079DE1A54BEA3735E301B0653DD5D9B9B04497F02C9C579B1 89AC8010C6A3827EC584A4108DE6A78524631812BD5F4A7C1B1D7F62B97AAD38E482F797C00852DD 5C8BEF5696651EF882A7469807E3B73EA3B8C697F4CBCD016292233B26B0AE50A01DDE4C82C21E9D 3ABAA1767A22EC8359B7D01365C2E4BCF426E4FB65183DEC0EE5B1A957BFAF196C0D56AE965B9767 766E669A9C02A460C604B1FC2F0E4192B8C5F7A4BA471DBCDA0321A55EE795B4B86078810C53FC99 EB472F2AF1EFDFF72C6CC1A4576101327DB3502357FDFCA78018615E424A1023A227139A6F2ED9DA F7437AEC5B42B7FA691AE8452602AA5ED2FA5AE114EFCC047FD22893A3796873EAB6711E21B03545 1B79C42ECC91515F8AA10611B50F8516B384BE99257E399908EAC33579ECFA77F971286470D99E0E 2DB75EEA1B58D3DA6BAC92B15079CC5103C76864D4F541BF95D6A2598C5212F82D6353D38E9C163F A6C4B4603F39576771538ED7712EEF0E595DFE161C073AB540B2E176D802E3E8DABDA8695B511C6F 7EFEB9AC349FA14ADF210C463EFB01CFB41C745222AA3384B171FD1288B720665FDC4B4CFFB60EEC 25610993F3153283153547D120A371A06DED8641B1E1993FF7F7D9046C43CF1BBB49CA2F31D60AB3 13E5E2147DF62CEE9BDF867355750F02E0705811BCC175CF6305C936CFDB517A9997EEF54C9D664B 84DD10DEC10325465C87703E79CDFE1A6ECDB9BBC44374A158ED9C2CB6DD9D75D85C2D93FA23F450 7D14DF4CA9A7C94F77A4FC279DF6708EB24A697640A121D04A054C71D8908B19FD637EC2E821DA8E C13D75E92C5D29033F806A7C7431F499ECBBDDA9F8A720C648849799DB0494BAB9F4A947B73839D3 072EFE6F5EDFF72B0060BB82FF78005F550674B29CE23550D277430C17BD3C34CD3758B25321754D A2BB81D0DF8BA98520398A8F9A9B2B8049E411425F438F6B552D474FDC8CFB11CFA305117A6AF794 CCAC6A81F3512B71C7842AE2348A3A73990BEDA20F2EF421BE59031378DA04ED63669508E45D19A4 37E6EC8008D9EAC518CA6A811D0CB5FD5698E3B8AD9C104221B089EFE995715821DF46691EC791A7 BAF846A3A87086B3386E18DE3B08C3BFB605458B978236C6F216EF86D8F9E396F89831FAC6034F96 990A25D0D353B3E5F02A97122078274C2E25A1BF36E9D680BB9584D47CCBBC194D3AD2096EA9EA38 1FE90B275C496B7C6995ED59EC79BFC13A3E42B52CC3E58CCC62F2EBAF148004AE5DFB267E9A0E36 901038DFB009A38422887EF6367A8C48C154B96991264BE308588E8AF2E71E0C7741F968915446AE A

    ike 0:iPhone:93: responder: main mode get 3rd message...

    ike 0:iPhone:93: decryption error

     

    Since there was no change in the firewall config and it worked before, I think it is an IOS bug. Maybe some UDP fragmentation problem as it seems to be stuck in the initial dialog.

  • rwaters001 Level 1 Level 1 (0 points)

    TL;DR currently iOS 6 PSK VPN works for us, iOS 6 client-side cert VPN doesn't

     

    Also: atriller - try using a smaller PSK (for testing)

     

    We had working VPN configs before we upgraded some of our iphones to iOS 6 and, at first, nothing seemed to work but trying different configs has proven that some do.  We're using an HA active-standby pair of Fortinet 1240B Fortigates.  Strangely, we were seeing inconsistent results across direct-3G, wifi->Internet, wifi-mobile-hotspot->3G and wifi->internal-network.  We initially used client-side certificates and xauth so we could leverage VPN on-demand; all iOS 6 iphones would not establish a VPN but iOS 5.x iphones would (though we've been having VPNs dropping after a seemingly random number of minutes in the range of 2 to 16 but that's a separate issue; specifically, an "unknown SPI" fortigate/iphone problem).  After switching to a PSK + xauth VPN our iOS 6 phones wouldn't connect unless we avoided 3G and external networks; i.e. wifi->internal-network, which kept all the traffic inside our corporate network, was the only type of connectivity that worked.

     

    This week, it's different! (which, admittedly, sounds fishy)  I haven't changed anything fortigate-side.  I was reading this forum and atriller inspired me to compare our 'diag debug app ike -1' output to his.  Now, under our PSK + xauth config I consistently get a VPN established.  What continues to /not/ work is the client-side certificate + xauth config.  The diag debug output below shows the client-side certificate VPN not negotiating.

     

    Based on people I've spoken with and everything I've read and tried so far, with regards to all the problems listed above including the "unknown SPI" problem, it seems packets are either getting dropped, truncated or unable to be reassembled from fragments.  I may try putting the iphone VPN stuff on a different interface with a smaller MTU to see if that takes care of things.  I was told by Fortinet tech support that changing the MTU will correctly affect the VPN to send smaller UDP encapsulated ESP packets, etc.

     

    Also, something worth noting is before iOS 6, the built-in cisco IPSec client couldn't handle IKE fragmentation.  You can see this new option as available in the debug output below.

     

     

    broken iOS 6 w/ client-side certificates

    --------------------------------------------

    ike 0: comes A.B.C.D:11889->E.F.G.H:500,ifindex=29....

    ike 0: IKEv1 exchange=Identity Protection id=3b219d64a5665690/0000000000000000 len=668

    ike 0: in 3B219D64A5665(long string)

    ike 0:p1_fc_test: check for IP assignment method ...

    ike 0:p1_fc_test: no IP assignment method defined

    ike 0:p1_fc_test:50682: responder: main mode get 1st message...

    ike 0:p1_fc_test:50682: VID RFC 3947 4A131C81070358455C5728F20E95452F

    ike 0:p1_fc_test:50682: VID unknown (16): 4DF37928E9FC4FD1B3262170D515C662

    ike 0:p1_fc_test:50682: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8

    ike 0:p1_fc_test:50682: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-08

    ike 0:p1_fc_test:50682: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582

    ike 0:p1_fc_test:50682: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-07

    ike 0:p1_fc_test:50682: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285

    ike 0:p1_fc_test:50682: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-06

    ike 0:p1_fc_test:50682: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE

    ike 0:p1_fc_test:50682: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-05

    ike 0:p1_fc_test:50682: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B

    ike 0:p1_fc_test:50682: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-04

    ike 0:p1_fc_test:50682: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56

    ike 0:p1_fc_test:50682: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448

    ike 0:p1_fc_test:50682: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F

    ike 0:p1_fc_test:50682: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712

    ike 0:p1_fc_test:50682: XAUTHv6 negotiated

    ike 0:p1_fc_test:50682: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100

    ike 0:p1_fc_test:50682: peer supports UNITY

    ike 0:p1_fc_test:50682: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000

    ike 0:p1_fc_test:50682: VID DPD AFCAD71368A1F1C96B8696FC77570100

    ike 0:p1_ios_test2: check for IP assignment method ...

    ike 0:p1_ios_test2: no IP assignment method defined

    ike 0:p1_ios_test2:50682: negotiation result

    ike 0:p1_ios_test2:50682: proposal id = 1:

    ike 0:p1_ios_test2:50682:   protocol id = ISAKMP:

    ike 0:p1_ios_test2:50682:      trans_id = KEY_IKE.

    ike 0:p1_ios_test2:50682:      encapsulation = IKE/none

    ike 0:p1_ios_test2:50682:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.

    ike 0:p1_ios_test2:50682:         type=OAKLEY_HASH_ALG, val=MD5.

    ike 0:p1_ios_test2:50682:         type=AUTH_METHOD, val=RSA_SIG_XAUTH_I.

    ike 0:p1_ios_test2:50682:         type=OAKLEY_GROUP, val=1536.

    ike 0:p1_ios_test2:50682: ISKAMP SA lifetime=72000

    ike 0:p1_ios_test2:50682: selected NAT-T version: RFC 3947

    ike 0:p1_ios_test2:50682: cookie 3b219d64a5665690/3886dbcb9cae0cfb

    ike 0:p1_ios_test2:50682: out 3B219D64(long string)

    ike 0:p1_ios_test2:50682: sent IKE msg (ident_r1send): E.F.G.H:500->A.B.C.D:11889, len=176, id=3b219d64a5665690/3886dbcb9cae0cfb

    ike 0: comes A.B.C.D:11889->E.F.G.H:500,ifindex=29....

    ike 0: IKEv1 exchange=Identity Protection id=3b219d64a5665690/3886dbcb9cae0cfb len=284

    ike 0: in 3B219D64A56(long string)

    ike 0:p1_ios_test2:50682: responder:main mode get 2nd message...

    ike 0:p1_ios_test2:50682: NAT detected: PEER

    ike 0:p1_ios_test2:50682: out 3B219D64A5665690(long string)

    ike 0:p1_ios_test2:50682: sent IKE msg (ident_r2send): E.F.G.H:500->A.B.C.D:11889, len=284, id=3b219d64a5665690/3886dbcb9cae0cfb

    ike 0:p1_ios_test2:50682: ISAKMP SA 3b219d64a5665690/3886dbcb9cae0cfb key 32:515D7BCF14E353655570F75A5EC323C6EE0FC9649EF0846649C4E9B20A9B046F

    ike 0: comes A.B.C.D:11883->E.F.G.H:4500,ifindex=29....

    ike 0: IKEv1 exchange=Identity Protection id=3b219d64a5665690/3886dbcb9cae0cfb len=1280

    ike 0: in 3B219D64A56656903886DB(long string)

    ike 0:p1_ios_test2:50682: responder: main mode get 3rd message...

    ike 0:p1_ios_test2:50682: decryption error

    ike 0: comes A.B.C.D:11883->E.F.G.H:4500,ifindex=29....

    ike 0: IKEv1 exchange=Identity Protection id=3b219d64a5665690/3886dbcb9cae0cfb len=644

    ike 0: in 3B219D64A56656903886DB(long string)

    ike 0:p1_ios_test2:50682: responder: main mode get 3rd message...

    ike 0:p1_ios_test2:50682: decryption error

    ike 0: comes A.B.C.D:11883->E.F.G.H:4500,ifindex=29....

    ike 0: IKEv1 exchange=Identity Protection id=3b219d64a5665690/3886dbcb9cae0cfb len=1280

    ike 0: in 3B219D64A56656903886DB(long string)

    ike 0:p1_ios_test2:50682: responder: main mode get 3rd message...

    ike 0:p1_ios_test2:50682: decryption error

  • Karl Kroeker Level 1 Level 1 (25 points)

    It's going on 5 days now.  Has there been any progress or are we SOL?

     

    I am not as technical as the previous posts. VPN says it is connected, but when I go to my remote desktop app, I get the "failed to establish TCP connection" error.

  • atriller Level 1 Level 1 (0 points)

    I confirmed that VPN with PSK instead of Client certificates still works for us too. Maybe shorter certificates would work, but I will not check this now.

    I will try and see if I can make a bug report.

  • William Kucharski Level 6 Level 6 (14,890 points)

    How about this is a third party app breaking so you need to take it up with Cisco?

  • atriller Level 1 Level 1 (0 points)

    It is not an app but the built-in VPN client which is accessible via the IOS settings menu. The IPSEC-part of it is provided by Cisco but it is not shipped separately from the OS. As can be read above, even Cisco ASA firewalls no longer work as before with IOS6.

  • atriller Level 1 Level 1 (0 points)

    Further testing showed that PSK based VPN works only via 3G, not over WiFi. I can connect via WiFi but no application data gets through. I guess it has something to do with different MRU settings of the interfaces which leads to packet fragmentation and this seems to be mishandled.

Previous 1 2 3 Next