UTM: Troubleshooting L2TP connectivity when using iPhone, iPod, iPad (SW8269)

    Resolution:

    Article Applies To:

    SonicWALL Security Appliance Platforms:

    Gen5: NSA E8500, NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400MX, NSA 240
    Gen5 TZ Series: TZ 100, TZ 100 Wireless, TZ 200, TZ 200 W, TZ 210, TZ 210 Wireless
    Firmware/Software Version: SonicOS 5.2.0.1 and higher

    Gen4 PRO Series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040
    Gen4 TZ Series: TZ 190, TZ 190 W, TZ 180, TZ 180 W
    Firmware/Software Version: SonicOS 4.2.0.0 and higher

    Services: L2TP connectivity using iPhone, iPod, iPad



    Important: To successfully establish a VPN tunnel, the L2TP (VPN) client and the remote VPN device must agree on the same set of proposals/transform payloads (these differ from client to client). Refer to the following article for complete details: UTM - VPN: List of IPSec and L2TP client proposals


    Problem Definition:

    • L2TP tunnels between SonicWALL appliances and Apple iPhones, iPods and iPads are dropped by the Apple devices when not in use:

    L2TP tunnels between SonicWALL appliances and Apple iPhones, iPods and iPads are dropped by the Apple devices unless continuously used. This is a power-saving feature and is found on all iOS devices. VPN tunnels disconnect when the iOS device is put to sleep (the screen is off). In addition, WiFi disconnects and MOST data stops passing after the screen is turned off. 3G will still be up and available, as it is used for push notifications/push mail, iCloud/MobileMe synchronization, etc. 3G may also be used to retrieve email on a timer using the fetch feature even when the screen is off. This is not applicable if the iOS device is WiFi only, like the iPod touch and some iPads.

    • iPhone, iPod, iPad L2TP connectivity fails when connecting to SonicWALL UTM appliances:

    Transformations that iPhone, iPod touch and iPad support for L2TP connectivity:

    On iOS version 3.x:

    Authentication: Pre-shared key

    Phase 1 - IKE Transformations:

    • Pre-shared key/3DES/SHA1/Group 2

    Phase 2 - IPSec Transformations:

    • AES128/SHA1
    • AES128/MD5
    • 3DES/SHA1
    • 3DES/MD5

    PFS: No

    On iOS version 4:

    Phase 1 - IKE Transformations:

    • Pre-Shared/AES256/SHA1/Group 2
    • Pre-Shared/AES256/MD5/Group 2
    • Pre-Shared/AES128/SHA1/Group 2
    • Pre-Shared/AES128/MD5/Group 2
    • Pre-Shared/3DES/SHA1/Group

    SonicWALL Default Phase 1 Transformations: Pre-Shared/3DES/SHA1/Group

    Phase 2 - IPSec Transformations:

    • AES256/SHA1
    • AES256/MD5
    • AES128/SHA1
    • AES128/MD5
    • 3DES/SHA1
    • 3DES/MD5

    SonicWALL Default Phase 2 Transformations: 3DES/SHA1/Group 2

     


    Troubleshooting:

    Resolution 1:

    The new Accept Multiple Proposals for Clients checkbox allows multiple VPN or L2TP clients using different security policies to connect to a firewall running SonicOS 5.8.0.5 and above. The option is on the Advanced tab when configuring a GroupVPN policy from the VPN > Settings page in SonicOS.

    The client policy is still strictly checked against the configured proposal on the Proposals tab, as with clients connecting with SonicWALL GVC. This option has no effect on GVC.

    If the Accept Multiple Proposals for Clients option is selected, SonicOS will allow connections from other L2TP clients, such as Apple OS, Windows, or Android clients, whose offered proposal differs from what is configured on the Proposals tab. The proposal is accepted if it meets the following conditions:

    • The offered algorithm matches one of the algorithms available in SonicOS.
    • The offered algorithm is stronger and more secure than the algorithm configured in the SonicOS proposal.

    If this option is NOT selected, SonicOS requires the client to strictly match the configured policy.

    This option allows SonicWALL to support heterogeneous environments of Apple, Windows, and Android clients. With it enabled, SonicOS can work with these clients when their proposal includes a combination of algorithms that SonicOS supports but that are not configured in the policy, so the policy can stay as it is and other clients such as GVC do not fail.
     



    Resolution 2:

    iPhone, iPod and iPad start the transformation negotiation from the highest-security proposal for both Phase 1 and Phase 2. Make sure that the WAN GroupVPN policy's Phase 1 and Phase 2 transformations match transformations that iPhone, iPod and iPad support.

    When negotiations fail due to a mismatch, the firewall logs indicate the reason for the negotiation failure (shown below).

    Consider the following example:

    An L2TP client on an iPad running iOS version 3.x is trying to connect to a SonicWALL UTM device.

    Phase 1 Transformations set on the GroupVPN policy on the SonicWALL: Pre-shared key/3DES/SHA1/Group 2

    Phase 2 Transformations set on the GroupVPN policy on the SonicWALL: AES256/SHA1

    When an L2TP client (iPhone, iPod, iPad) running iOS 3.x tries to connect, Phase 1 succeeds because these transformations are supported by iOS 3.x, but Phase 2 negotiation fails because iOS 3.x does not support AES256 (refer to the supported transformations listed above).

    When an L2TP client (iPhone, iPod, iPad) running iOS 4 tries to connect, both Phase 1 and Phase 2 succeed because these transformations are supported by iOS 4.x (refer to the supported transformations listed above).



    How to Test:

    Error logs on the SonicWALL UTM device when negotiations fail due to a transformations mismatch (tests were done using an iPad running iOS 3.x):

    a) Phase 1 DH Group Mismatch
    b) Phase 1 Encryption Mismatch
    c) Phase 2 Encryption Mismatch
    d) Phase 1 and Phase 2 Successful
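The proposal matching described in Resolution 1 and Resolution 2, and the four outcomes listed under How to Test, as a small Python model added here for illustration. This is not SonicOS code: the iOS 3.x and iOS 4 transform lists and the SonicWALL defaults are taken from the article, while the strength ranking, the choice of DH group 2 for the default Phase 1 policy, the requirement that the DH group still match, and the reading of "Accept Multiple Proposals for Clients" as "supported by SonicOS and at least as strong as the configured algorithm" are assumptions of the model. The client offers are walked strongest first, as the article says the iOS devices negotiate.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Relative strength used to decide whether an offer is "stronger and more
# secure" than the configured algorithm (assumption of this model).
ENC_RANK = {"3DES": 1, "AES128": 2, "AES256": 3}
AUTH_RANK = {"MD5": 1, "SHA1": 2}


@dataclass(frozen=True)
class Transform:
    enc: str                      # encryption algorithm
    auth: str                     # integrity/hash algorithm
    group: Optional[int] = None   # DH group (Phase 1; None for Phase 2 without PFS)


# Client proposals from the article, listed strongest first, which is the
# order the article says the iOS devices negotiate in.
IOS3_PHASE1 = [Transform("3DES", "SHA1", 2)]
IOS3_PHASE2 = [Transform("AES128", "SHA1"), Transform("AES128", "MD5"),
               Transform("3DES", "SHA1"), Transform("3DES", "MD5")]
IOS4_PHASE1 = [Transform("AES256", "SHA1", 2), Transform("AES256", "MD5", 2),
               Transform("AES128", "SHA1", 2), Transform("AES128", "MD5", 2),
               Transform("3DES", "SHA1", 2)]
IOS4_PHASE2 = [Transform("AES256", "SHA1"), Transform("AES256", "MD5"),
               Transform("AES128", "SHA1"), Transform("AES128", "MD5"),
               Transform("3DES", "SHA1"), Transform("3DES", "MD5")]

# SonicWALL defaults from the article (DH group 2 for Phase 1 is an assumption).
SONICWALL_DEFAULT_PHASE1 = Transform("3DES", "SHA1", 2)
SONICWALL_DEFAULT_PHASE2 = Transform("3DES", "SHA1")


def at_least_as_strong(offered: Transform, configured: Transform) -> bool:
    """Offer is supported by SonicOS and no weaker than the configured one.
    The DH group must still match (assumption: the option does not relax it)."""
    return (offered.enc in ENC_RANK and offered.auth in AUTH_RANK
            and ENC_RANK[offered.enc] >= ENC_RANK[configured.enc]
            and AUTH_RANK[offered.auth] >= AUTH_RANK[configured.auth]
            and offered.group == configured.group)


def match_phase(offers: List[Transform], configured: Transform,
                accept_multiple: bool) -> Tuple[Optional[Transform], str]:
    """Walk the client's offers in order and return (chosen offer, reason).

    Strict mode (option off) accepts only an exact match. With
    'Accept Multiple Proposals for Clients' on, the first offer that is
    supported and at least as strong as the configured policy is taken, so a
    stronger client offer wins even when a weaker exact match comes later.
    """
    for t in offers:
        if t == configured:
            return t, "match"
        if accept_multiple and at_least_as_strong(t, configured):
            return t, "accepted stronger proposal"
    # Classify the failure the way the article's log headings do.
    if not any(t.group == configured.group for t in offers):
        return None, "DH group mismatch"
    if not any(t.enc == configured.enc for t in offers):
        return None, "encryption mismatch"
    return None, "authentication mismatch"


def negotiate(client_p1, client_p2, policy_p1, policy_p2, accept_multiple=False):
    """Run Phase 1 then Phase 2 and report the outcome as a dict."""
    p1, why1 = match_phase(client_p1, policy_p1, accept_multiple)
    if p1 is None:
        return {"phase1": None, "phase2": None, "result": "Phase 1 " + why1}
    p2, why2 = match_phase(client_p2, policy_p2, accept_multiple)
    if p2 is None:
        return {"phase1": p1, "phase2": None, "result": "Phase 2 " + why2}
    return {"phase1": p1, "phase2": p2,
            "result": "Phase 1 and Phase 2 successful"}


if __name__ == "__main__":
    # The article's worked example: policy 3DES/SHA1/Group 2 and AES256/SHA1.
    policy_p1 = Transform("3DES", "SHA1", 2)
    policy_p2 = Transform("AES256", "SHA1")
    print("iOS 3.x:", negotiate(IOS3_PHASE1, IOS3_PHASE2, policy_p1, policy_p2)["result"])
    print("iOS 4  :", negotiate(IOS4_PHASE1, IOS4_PHASE2, policy_p1, policy_p2)["result"])
    # Mismatch cases a) and b) from How to Test, against an iOS 3.x client.
    print("a)", negotiate(IOS3_PHASE1, IOS3_PHASE2, Transform("3DES", "SHA1", 5), policy_p2)["result"])
    print("b)", negotiate(IOS3_PHASE1, IOS3_PHASE2, Transform("AES256", "SHA1", 2), policy_p2)["result"])
```

Running the model against the article's example reproduces its outcome: the iOS 3.x client passes Phase 1 and fails Phase 2 with an encryption mismatch, while the iOS 4 client completes both phases. It also shows that the accept-multiple option only ever moves a client up to a stronger proposal; a policy that asks for AES256 in Phase 1 still rejects an iOS 3.x client that can only offer 3DES, so the option is not a way to downgrade the configured policy.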

      


     




Product(s):
SonicWALL NSA Series
4500, 3500, 2400
SonicWALL E-Class NSA Series
E8500, E7500, E6500, E5500
SonicWALL TZ Series
210W, 210, 200W, 200, 100W, 100

Topic(s):
Technical Solutions

Article History:
Created on: 8/12/2010
Last Update on: 9/3/2014