
iOS 13 Beta and VPN issues


9 replies to this topic

#1 Jarvis Meier

Jarvis Meier
  • Members
  • 6 posts

Posted 17 July 2019 - 10:40 AM

Are there any issues with VPN configurations and iOS 13?  I have one device on iOS 12 that is able to establish a VPN connection and browse internal network services and an iOS 13 beta device that can connect but is unable to connect to any internal network services.



#2 Micha Knorpp

Micha Knorpp
  • Members
  • 179 posts
  • LocationGermany, BW

Posted 05 August 2019 - 06:00 AM

You are using the iOS built-in VPN client, right?

While I haven't used this method for some years now, I remember there have been similar issues at least 2 times when there was a new iOS release.

All you could do was wait for the next iOS release.

 

regards

micha


regards,
-micha-

#3 Jarvis Meier

Jarvis Meier
  • Members
  • 6 posts

Posted 09 September 2019 - 11:29 PM

I was on Apple developer forums and another guy had a similar issue with Libreswan IPSec.  The devices would connect but traffic would not get routed.  Here is his fix:  

 

Edit /etc/ipsec.conf on the VPN server. Find sha2-truncbug=yes and replace it with sha2-truncbug=no. Save the file and run service ipsec restart.
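
Why that setting can leave a tunnel that connects but passes no traffic, shown as an added example that is not part of the original post or of Libreswan's code: Libreswan documents `sha2-truncbug=yes` as truncating the ESP HMAC-SHA2-256 integrity value (ICV) to the 96 bits of an early draft instead of the 128 bits in RFC 4868. The packet layout below is a simplified model of ESP, and the key, SPI and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

RFC4868_ICV_LEN = 16   # HMAC-SHA-256-128: ICV truncated to 128 bits
DRAFT_ICV_LEN = 12     # pre-RFC draft behaviour: ICV truncated to 96 bits


def esp_protect(key: bytes, spi: int, seq: int, ciphertext: bytes, icv_len: int) -> bytes:
    """Build a simplified ESP packet: SPI | sequence number | ciphertext | ICV."""
    body = struct.pack("!II", spi, seq) + ciphertext
    icv = hmac.new(key, body, hashlib.sha256).digest()[:icv_len]
    return body + icv


def esp_verify(key: bytes, packet: bytes, icv_len: int) -> bool:
    """Verify as a receiver does: the last icv_len bytes are taken as the ICV."""
    if len(packet) < 8 + icv_len:
        return False
    body, icv = packet[:-icv_len], packet[-icv_len:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:icv_len]
    return hmac.compare_digest(icv, expected)


def interop_matrix(key: bytes, ciphertext: bytes) -> dict:
    """Try every sender/receiver truncation pairing; True means the packet is accepted."""
    lengths = {"draft-96": DRAFT_ICV_LEN, "rfc-128": RFC4868_ICV_LEN}
    return {
        (s_name, r_name): esp_verify(
            key, esp_protect(key, 0x1000, 1, ciphertext, s_len), r_len
        )
        for s_name, s_len in lengths.items()
        for r_name, r_len in lengths.items()
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real tunnel.
    sample_key = bytes(range(32))
    sample_ciphertext = b"\x00" * 48
    matrix = interop_matrix(sample_key, sample_ciphertext)
    for (sender, receiver), accepted in matrix.items():
        print(f"sender={sender:9} receiver={receiver:9} accepted={accepted}")
```

Only the pairings where both ends use the same truncation length are accepted. A mismatch does not stop the tunnel from being negotiated, but every ESP packet fails its integrity check and is dropped, which is the "connected but nothing routes" symptom.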



#4 Ivan Gaio

Ivan Gaio
  • Members
  • 2 posts

Posted 13 September 2019 - 09:15 AM

Hello Jarvis,

 

On one of our clients it helped to set the encryption to AES256 and the hashing to SHA256 in the Group VPN policy. Previously they were on AES and SHA and it didn't work. The client is on Firmware Release 7.2.4.



#5 Jarvis Meier

Jarvis Meier
  • Members
  • 6 posts

Posted 13 September 2019 - 10:00 AM

Hi Ivan,

I tried your suggestion and it didn't work. iOS 13 devices connect to the VPN and get an IP but traffic fails to route.



#6 Ivan Gaio

Ivan Gaio
  • Members
  • 2 posts

Posted 25 September 2019 - 03:23 AM

Hi Jarvis,

 

Today I did a test setup on one of our test FWs (Release 7.2.4) and tried with my phone (iOS 13.1). I used the following settings on the firewall:

 

IKEv1

Phase1: AES/SHA/DH2

Phase2: AES256/SHA256/DH2

XAuth

SharedSecret

 

On the phone I configured a new IPsec connection and entered the server IP, username and password, unchecked "use certificate", entered the group name (XAuth in my case) and the shared secret.

 

The phone connects (using NAT-T) and is able to reach the configured networks through the firewall.



#7 networkadmin

networkadmin
  • Members
  • 2 posts

Posted 14 October 2019 - 02:05 PM

We too have the same problem -> updated iOS and iPhone / iPad no longer can access internal company IP addresses

NG 7.2.3

iOS 13.x

 

iPhone will establish VPN connection - i.e. iPhone says there is a VPN connection and NG says there is a connection

Even the NG page VPN->Client-to-site shows there is a connection

 

However . . . .  nothing is actually transferred from iPhone through the Firewall to the internal network - i.e. no routing

 

We have used the same iPhones / iPads on the same NGs with the same FW rules for about 3 years - no issues until we updated iOS

 

Most likely this is an Apple issue, but wondered if anyone else has found a workaround
 



#8 Manuel Huber

Manuel Huber
  • Members
  • 155 posts

Posted 16 October 2019 - 04:58 AM

Changing settings to AES256/SHA256 made several independent setups work again with iOS 13. In case there are still some iOS 12 devices around, we separated them by using another MSAD group so that users with iOS 12 get different encryption/hash settings than users with iOS 13.

Not a good solution, a more flexible list of allowed parameters would be better, but I'm not sure if that's worth a feature request.



#9 Mario Zulmin

Mario Zulmin
  • Members
  • 1 posts

Posted 17 October 2019 - 04:18 AM

Changing settings to AES256/SHA256 made several independent setups work again with iOS 13. In case there are still some iOS 12 devices around, we separated them by using another MSAD group so that users with iOS 12 get different encryption/hash settings than users with iOS 13.

Not a good solution, a more flexible list of allowed parameters would be better, but I'm not sure if that's worth a feature request.

 

 

IMO a FRQ for this would be great.

Having a list of allowed encryption/hash settings would be a benefit. Especially in the case of mobile device VPNs.



#10 Manuel Huber

Manuel Huber
  • Members
  • 155 posts

Posted 17 October 2019 - 05:50 AM

ok, please vote for it:

https://netsecfeedba...m/ideas/F-I-417