43 Replies. Latest reply: Mar 11, 2013 4:01 PM by ananoxoto
  • threatspike Level 1 (0 points)

    It seems that your analysis backs up what was previously discussed - specifically that the encrypted flag is incorrectly set on each of the fragment packets, hence the 0x01 value that appears in the ISAKMP header.  I agree that if VPN servers don't understand the Cisco Fragmentation protocol then they will obviously fail, but even if they do then they may be thrown by the fact that the packet is advertised as having an encrypted payload when this is not the case.  The Cisco Fragmentation protocol breaks up an encrypted payload into chunks and then sends each chunk wrapped in a non-encrypted ISAKMP packet.


    If your device negotiates AES as the cipher for the phase 1 security association then the VPN server will attempt to decrypt 1252 bytes (taken from your first screenshot) using a cipher which works on block sizes of 128 bits (16 bytes). Since 1252 isn't divisible by 16, the decryption routine would likely throw an exception which seems to match your log extract. If the issue is simply that the Cisco fragmentation payload is not supported then this seems like a strange error message to be getting?
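
To make the two points above concrete (a fragment packet that advertises the E flag, and an "encrypted" body whose length is not a multiple of the AES block size), here is an added example that is not code from the thread, from Apple, Cisco or strongSwan. It parses the 28-byte ISAKMP header from RFC 2408 and decides what a responder should do before it touches the cipher. The fragmentation payload type value 132 is an assumption taken from how IKEv1 stacks such as strongSwan identify the Cisco-proprietary fragment payload; the packets are constructed test data, sized to the 1252 bytes quoted above.

```python
"""Added example (not from the thread): parse an IKEv1/ISAKMP header and flag
the inconsistency the posters describe, where a Cisco-style fragment packet
carries the Encryption flag although its payload is not ciphertext."""
import struct

ISAKMP_HDR_LEN = 28             # fixed ISAKMP header size (RFC 2408)
ISAKMP_FLAG_ENCRYPTION = 0x01   # the "E" bit seen as 0x01 in the thread's captures
# Assumed value: the Cisco-proprietary IKEv1 fragmentation payload type
# (strongSwan and other stacks identify it as payload type 132).
PAYLOAD_FRAGMENT_V1 = 132
AES_BLOCK_BYTES = 16            # AES works on 128-bit blocks


def parse_isakmp_header(pkt: bytes) -> dict:
    """Decode the 28-byte ISAKMP header; raise ValueError on a short or
    self-inconsistent packet."""
    if len(pkt) < ISAKMP_HDR_LEN:
        raise ValueError("packet shorter than ISAKMP header")
    i_spi, r_spi, next_payload, version, exch_type, flags, msg_id, length = \
        struct.unpack("!8s8sBBBBII", pkt[:ISAKMP_HDR_LEN])
    if length != len(pkt):
        raise ValueError("ISAKMP length field does not match packet size")
    return {
        "initiator_spi": i_spi, "responder_spi": r_spi,
        "next_payload": next_payload,
        "major_version": version >> 4, "minor_version": version & 0x0F,
        "exchange_type": exch_type, "flags": flags,
        "message_id": msg_id, "length": length,
    }


def classify_packet(pkt: bytes, block_bytes: int = AES_BLOCK_BYTES) -> dict:
    """Decide how a responder should treat the packet before touching the cipher."""
    hdr = parse_isakmp_header(pkt)
    body_len = hdr["length"] - ISAKMP_HDR_LEN
    enc_flag = bool(hdr["flags"] & ISAKMP_FLAG_ENCRYPTION)
    is_fragment = hdr["next_payload"] == PAYLOAD_FRAGMENT_V1
    aligned = body_len % block_bytes == 0

    if is_fragment:
        # A fragment payload is plaintext carrying a slice of ciphertext; the
        # E flag must be ignored here, otherwise the responder hands an
        # arbitrary-length slice to the block cipher and decryption fails.
        verdict = "fragment: ignore encryption flag, reassemble first"
    elif enc_flag and not aligned:
        verdict = "encrypted body not a multiple of the cipher block size: reject"
    elif enc_flag:
        verdict = "encrypted: decrypt whole body"
    else:
        verdict = "plaintext"
    return {
        "encryption_flag": enc_flag, "fragment_payload": is_fragment,
        "body_len": body_len, "block_aligned": aligned, "verdict": verdict,
    }


def build_packet(next_payload: int, flags: int, body: bytes) -> bytes:
    """Construct a sample ISAKMP packet (constructed test data, not a capture).
    Version 0x10 is IKEv1, exchange type 2 is Identity Protection (main mode)."""
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, next_payload,
                      0x10, 2, flags, 0, ISAKMP_HDR_LEN + len(body))
    return hdr + body


# Constructed sample: a Cisco-style fragment with a 1252-byte body and the E
# flag set, the shape the thread describes (1252 is not a multiple of 16).
SAMPLE_BAD_FRAGMENT = build_packet(PAYLOAD_FRAGMENT_V1, ISAKMP_FLAG_ENCRYPTION,
                                   b"\x00" * 1252)
# Same body as a non-fragment packet (next payload 8 = Hash): a responder that
# honours the E flag tries to decrypt it and trips over the block size.
SAMPLE_MISALIGNED = build_packet(8, ISAKMP_FLAG_ENCRYPTION, b"\x00" * 1252)

if __name__ == "__main__":
    for name, pkt in (("fragment", SAMPLE_BAD_FRAGMENT),
                      ("misaligned", SAMPLE_MISALIGNED)):
        print(name, classify_packet(pkt)["verdict"])
```

The ordering in `classify_packet` is the whole point: the next-payload type is checked before the E flag, which is exactly the behaviour a responder needs if it wants to accept these fragments without feeding a 1252-byte slice to AES.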

  • ddwrtchris Level 1 (0 points)

    Hi,

    Seems that Cisco thinks that if they send something encrypted in chunks, they need to set the encryption flag in the header.

    So if an IPsec implementation supports IKE fragmentation, it has to ignore an encryption flag on these packets; I agree on that.

    Maybe Cisco will someday document this and tell what drove them to do it that way.

    I also wonder why Apple is just using this stuff, allows this change to their client, and is not testing against other common VPN servers besides Cisco.

    Even Microsoft tested their IPsec client heavily against strongSwan.

  • William Kucharski Level 6 (14,985 points)

    ddwrtchris - Excellent analysis.


    Have you filed a bug with Apple for this yet?

  • ddwrtchris Level 1 (0 points)

    Hi,

    I will; I just signed up for the Developer Account, and now I am trying to push this info into the Apple bug-report scheme ;-)

  • ddwrtchris Level 1 (0 points)

    Hi,

    We have just uploaded a patch for strongSwan 5.0.1, that iOS 6 + 6.0.1, here:

    http://wiki.strongswan.org/issues/264

  • ThomasWendler Level 1 (0 points)

    Hi,

    Does anyone know when this will be fixed (iOS 6.0.2)?

    This is really annoying!

    Best regards

    Thomas

  • ddwrtchris Level 1 (0 points)

    Hi,

    I wrote here that it is fixed in a beta that is available right now. That is NOT 6.0.2 ;-)

    But the Apple robot deleted my post.

    If I write the version number again, the Apple robot might delete my post again, and (according to the click agreement I did...) I might go to jail.

    It's Friday night, I just came back from sports and a beer (I am German), so please take the last sentence as I mean it.

    Ciao Chris

  • ddwrtchris Level 1 (0 points)

    Hi,

    Just checked 6.0.2 on an iPad mini, bug not fixed. So you have to wait for 6.x where x is 1.

    Ciao Chris

  • amt257 Level 1 (0 points)

    Here are the current network conditions of what works and what doesn't on iOS 5.x and 6.0.x:

    [image: ios asa failures.JPG]

  • arkipad Level 1 (0 points)

    It looks like there was a change made to how VPN works after upgrading to iOS 6.0 or higher. The only way VPN works over cellular data is to leave the Wi-Fi turned on (but not connected to a Wi-Fi NW). On iOS 5 devices VPN works over cellular data whether the Wi-Fi is on or off. Please note that we are using the IPSec VPN.

  • arkipad Level 1 (0 points)

    .

  • nero1203 Level 1 (0 points)

    Can I type Chinese characters here?

    On 6.0.1, the IPSEC VPN reports: VPN server protocol failed.

    This BUG has caused me a lot of trouble!

  • threatspike Level 1 (0 points)

    Hi,

    We launched our new cloud networking service today (https://www.threatspike.com), so to follow up on my previous comments, if any of you guys are still having trouble with VPN access over 3G/Wifi then come give it a try and let us know if it works for you. It's free to sign up (5GB allowance) and we would appreciate your help with testing it plus any feedback you can offer!

    Thanks,

    Adam

  • ananoxoto Level 1 (0 points)

    Hi all!

    Does anybody know if these problems have been solved in iOS 6.1.2?

    If not, has Apple said anything about when they plan to solve them?

    Thanks
