
A client has a Sonicwall Pro 2040 running SonicOS 3.0, and they'd like to be able to use the L2TP VPN client from their iPads to connect to internal services (Citrix, etc). I've enabled the L2TP VPN server on the Sonicwall, made sure to set AES-128 for phase 2, and set up the configuration on a test iPad with the appropriate username, password, and pre-shared key. When I attempt to connect, I get some rather cryptic error messages in the log on the Sonicwall:

2   03/29/2011 12:25:09.096 IKE Responder: IPSec proposal does not match (Phase 2)  [My outbound IP address redacted] (admin)   [WAN IP address redacted]   10.10.130.7/32 -> [WAN IP address redacted]/32   
3   03/29/2011 12:25:09.096 IKE Responder: Received Quick Mode Request (Phase 2)    [My outbound IP address redacted], 61364 (admin)    [WAN IP address redacted], 500       
4   03/29/2011 12:25:07.048 IKE Responder: IPSec proposal does not match (Phase 2)  [My outbound IP address redacted] (admin)   [WAN IP address redacted]   10.10.130.7/32 -> [WAN IP address redacted]/32   
5   03/29/2011 12:25:07.048 IKE Responder: Received Quick Mode Request (Phase 2)    [My outbound IP address redacted], 61364 (admin)    [WAN IP address redacted], 500

The console log on the iPad looks like this:

Mar 29 13:31:24 Daves-iPad racoon[519] <Info>: [519] INFO: ISAKMP-SA established 10.10.130.7[500]-[WAN IP address redacted][500] spi:5d705eb6c760d709:458fcdf80ee8acde
Mar 29 13:31:24 Daves-iPad racoon[519] <Notice>: IPSec Phase1 established (Initiated by me).
Mar 29 13:31:24 Daves-iPad kernel[0] <Debug>: launchd[519] Builtin profile: racoon (sandbox)
Mar 29 13:31:25 Daves-iPad racoon[519] <Info>: [519] INFO: initiate new phase 2 negotiation: 10.10.130.7[500]<=>[WAN IP address redacted][500]
Mar 29 13:31:25 Daves-iPad racoon[519] <Notice>: IPSec Phase2 started (Initiated by me).
Mar 29 13:31:25 Daves-iPad racoon[519] <Info>: [519] ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Mar 29 13:31:25 Daves-iPad racoon[519] <Info>: [519] ERROR: Message: '@ No proposal is chosen'.
Mar 29 13:31:46 Daves-iPad racoon[519] <Info>: [519] ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Mar 29 13:31:46 Daves-iPad racoon[519] <Info>: [519] ERROR: Message: '@ No proposal is chosen'.
Mar 29 13:31:55 Daves-iPad pppd[518] <Notice>: IPSec connection failed

Does this offer any clues as to what's going wrong?

db2

2 Answers

First of all, I would strongly advise you (or your client) to upgrade to a more recent version of SonicOS, or rather SonicOS Enhanced.

Regarding your problem: reading the error message, it appears that the Phase 2 proposals on the SonicWall and the iPad do not match. I would have a look at the protocol and authentication used, and make sure that the iPad is configured accordingly.

Two links that can be useful:

Nils Magne Lunde
  • The stuff I've been reading says it should use Group 2, 3DES, SHA1 for IKE Phase 1, and ESP, AES-128, SHA1 for IPSEC Phase 2. That's what I've got set on the Sonicwall, and the error log doesn't indicate an encryption mismatch, like it's supposed to if that's the case. Very perplexing. – db2 Mar 29 '11 at 18:44
  • I have added two links that you might want to check out if not already done so. – Nils Magne Lunde Mar 29 '11 at 18:58
  • Cool, thanks. That looks pretty close to the current settings, though the Sonicwall interface screenshots look totally different from the one I'm working with. Does the "10.10.130.7/32 -> [WAN IP address redacted]/32" note that appears in the error log signify anything meaningful? I'm not a Sonicwall expert, so I'm not sure what it's trying to tell me with that bit. – db2 Mar 29 '11 at 19:09
  • Not quite sure about that bit... I've seen similar error messages when connecting to a SonicWall from another SonicWall, but never when using the GroupVPN profile. You are using the GroupVPN profile on the SonicWall? – Nils Magne Lunde Mar 29 '11 at 19:20
  • As far as I know, I am. I enabled the L2TP server, and while it doesn't give me a choice of which VPN profile is used for L2TP, it's accepting the pre-shared key that's configured for the GroupVPN profile. I've also made sure "Access from L2TP VPN client" is enabled for the local user. – db2 Mar 29 '11 at 19:27
  • I don't have too many other tips. I can see that some people resolved similar issues by changing the encryption, which you have already tried. I'm guessing it could be an iOS problem. You could of course update the firmware on the SW, but I don't know if it will make a difference. – Nils Magne Lunde Mar 29 '11 at 19:54
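The two logs in the question already establish more than "proposals do not match": racoon reports the ISAKMP SA (Phase 1) as established, the NO-PROPOSAL-CHOSEN notify arrives only after Phase 2 is started, and the SonicWall line shows the traffic selector the client proposed (10.10.130.7/32, a private address, although the IKE packet arrived from the client's public outbound address). The following script is an added example, not code from the question or either answer: it parses lines of the two formats quoted above and reports which phase failed, what the responder logged as the reason, and what the rejected selector was. The sample log text is constructed from the redacted lines, with the documentation addresses 203.0.113.10 (iPad's outbound address) and 198.51.100.1 (firewall WAN address) standing in for the redacted ones. The distinction between the generic "IPSec proposal does not match" message and the per-algorithm "ESP encryption algorithm does not match" message follows the comment thread; the hint that a Quick Mode proposal also carries encapsulation mode, hash, PFS and selectors is general IKEv1 behaviour, not something the page states.

```python
import ipaddress
import re

# Constructed sample input modelled on the redacted lines in the question.
# 203.0.113.10 stands in for the iPad's outbound (post-NAT) address and
# 198.51.100.1 for the firewall's WAN address; both are documentation ranges.
SONICWALL_LOG = """\
2   03/29/2011 12:25:09.096 IKE Responder: IPSec proposal does not match (Phase 2)  203.0.113.10 (admin)   198.51.100.1   10.10.130.7/32 -> 198.51.100.1/32
3   03/29/2011 12:25:09.096 IKE Responder: Received Quick Mode Request (Phase 2)    203.0.113.10, 61364 (admin)    198.51.100.1, 500
"""
RACOON_LOG = """\
Mar 29 13:31:24 Daves-iPad racoon[519] <Info>: [519] INFO: ISAKMP-SA established 10.10.130.7[500]-198.51.100.1[500] spi:5d705eb6c760d709:458fcdf80ee8acde
Mar 29 13:31:24 Daves-iPad racoon[519] <Notice>: IPSec Phase1 established (Initiated by me).
Mar 29 13:31:25 Daves-iPad racoon[519] <Info>: [519] INFO: initiate new phase 2 negotiation: 10.10.130.7[500]<=>198.51.100.1[500]
Mar 29 13:31:25 Daves-iPad racoon[519] <Notice>: IPSec Phase2 started (Initiated by me).
Mar 29 13:31:25 Daves-iPad racoon[519] <Info>: [519] ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Mar 29 13:31:55 Daves-iPad pppd[518] <Notice>: IPSec connection failed
"""

# SonicOS 3.x log row: optional row number, date, time, "IKE Responder: ... (Phase N)", peer address
SW_EVENT = re.compile(
    r"^\s*(?:\d+\s+)?(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>[\d:.]+) "
    r"(?P<msg>IKE Responder: .*?\(Phase (?P<phase>\d)\))\s+(?P<peer>\d+(?:\.\d+){3})"
)
SELECTOR = re.compile(r"(\d+(?:\.\d+){3}/\d+) -> (\d+(?:\.\d+){3}/\d+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_sonicwall(text):
    """One dict per IKE Responder line: message, phase, source peer, proposed selectors."""
    events = []
    for line in text.splitlines():
        m = SW_EVENT.match(line)
        if not m:
            continue
        sel = SELECTOR.search(line)
        events.append({
            "msg": m.group("msg"),
            "phase": int(m.group("phase")),
            "peer": m.group("peer"),                    # address the IKE packet came from
            "selector": sel.groups() if sel else None,  # Phase 2 traffic selectors (src -> dst)
        })
    return events


def parse_racoon(text):
    """Track how far the iOS client (racoon) got before the NO-PROPOSAL-CHOSEN notify."""
    state = {"phase1_established": False, "phase2_started": False,
             "no_proposal_chosen_in": None, "connection_failed": False}
    for line in text.splitlines():
        if "ISAKMP-SA established" in line:
            state["phase1_established"] = True
        elif "initiate new phase 2 negotiation" in line:
            state["phase2_started"] = True
        elif "NO-PROPOSAL-CHOSEN" in line and state["no_proposal_chosen_in"] is None:
            # racoon tears down Phase 1 either way; record which phase triggered the notify
            state["no_proposal_chosen_in"] = 2 if state["phase2_started"] else 1
        elif "IPSec connection failed" in line:
            state["connection_failed"] = True
    return state


def diagnose(sonicwall_text, racoon_text):
    client = parse_racoon(racoon_text)
    result = {"phase1_established": client["phase1_established"],
              "failed_phase": client["no_proposal_chosen_in"],
              "responder_reason": None, "selector": None, "client_behind_nat": None, "hints": []}
    for ev in parse_sonicwall(sonicwall_text):
        if "ESP encryption algorithm does not match" in ev["msg"]:
            result["responder_reason"] = "esp_cipher_mismatch"
        elif "IPSec proposal does not match" in ev["msg"]:
            result["responder_reason"] = result["responder_reason"] or "generic_proposal_mismatch"
        if ev["selector"] and result["selector"] is None:
            result["selector"] = ev["selector"]
            src = ipaddress.ip_network(ev["selector"][0]).network_address
            peer = ipaddress.ip_address(ev["peer"])
            # client names itself by a private /32 but its packet arrived from another
            # address: it sits behind NAT, so NAT traversal (UDP 4500) is in play
            result["client_behind_nat"] = src != peer and any(src in n for n in RFC1918)
    if result["phase1_established"] and result["failed_phase"] == 2:
        result["hints"].append("Phase 1 completed: pre-shared key and Phase 1 algorithms are accepted.")
    if result["responder_reason"] == "generic_proposal_mismatch":
        result["hints"].append("Responder rejected the Quick Mode proposal without naming a cipher: "
                               "compare encapsulation mode (transport for L2TP), ESP/AH, hash, PFS and selectors.")
    if result["client_behind_nat"]:
        result["hints"].append("Client is behind NAT: confirm NAT traversal is enabled on both sides.")
    return result


if __name__ == "__main__":
    for key, value in diagnose(SONICWALL_LOG, RACOON_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample text it reports Phase 1 established, failure in Phase 2, the generic mismatch message, the 10.10.130.7/32 -> 198.51.100.1/32 selector, and a NAT'd client; swap in your own redacted lines to check that the responder never logged the per-algorithm message, which is the observation the comments below turn on.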

Although SonicWALL does say that your configuration should work, you might try bumping up to AES-256 to see if you have any better luck. Also make sure PFS is unchecked.

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=8260

pk.
  • Yup, I've made sure PFS isn't checked. No joy changing to AES-256. Apparently I should be seeing "IKE Responder: ESP encryption algorithm does not match" if the proposal doesn't match what the iPad can do, but that error never shows up. In fact, not even if I set phase 2 to use 3DES, which should definitely cause that error with an iOS 4 client. Seems like it's not even getting that far in the process. – db2 Mar 29 '11 at 19:30
  • There seem to be a lot of overall gripes regarding iOS4 and VPNs. I'm guessing the issue is on that end rather than the SonicWALL device. I hope you figure it out. – pk. Mar 29 '11 at 19:38