IPSec VPN not working under iOS 9 Beta

Hello everyone:


I think I have found a pretty serious bug in the iOS 9 Public Beta:


At home I have a router provided by my ISP. Because I want to use my Fortigate firewall, I have to set up my firewall with the WAN in the private network provided to me by the ISP, with my network behind it. I have my ISP router forwarding everything (DMZ) to my firewall. This is, more or less, completely transparent, as I can forward ports and create VPN connections directly on my Fortigate without touching anything else on the ISP router.


My iPad, running iOS 8.4, works just fine using the same exact connection parameters. I can dial in via IPSec and access my home network or the internet via VPN. However, when I connect with my iPhone running the latest iOS 9 public beta, the connection comes up, but I cannot pass any traffic. More specifically, traffic leaves the iPhone, arrives at the firewall, is forwarded to the destination, comes back to the firewall, is re-encrypted and sent back to the iPhone, then nothing.


I think it has something to do with NAT Traversal. With standard IPSec, UDP port 500 is used. If the protocol detects NAT in the middle, it will switch to port 4500. I think the iPhone understands how to build a connection with NAT in the middle, but when the packets arrive, something happens and the iPhone forgets about NAT Traversal, dropping the packets. It's the only thing I can think of.


Is there any way to directly contact Apple with this issue without going through the low-level "have you tried rebooting your phone" guys first?

Replies

It seems it is the same issue with a Cisco modem and a Fritzbox 7490 in router-only config. So I think there is a problem with IPSec in iOS 9, so that the Unitymedia network cannot handle the packets...

Same problem here. Had no issues with the VPN for 3 years. Since iOS 9 and OS X El Capitan I can still connect to the VPN Server and establish a tunnel but have no route or access to any devices in that network. I can't even ping the virtual IP given to iOS by the firewall from the iOS device.


Setup #1

iOS9 <> Unitymedia ISP <> pfSense Firewall/Router <> Local Network


Setup #2 (other Location, same behaviour)

iOS9 <> Unitymedia ISP <> fritz!Box (Port forward to pfSense for VPN) <> pfSense Firewall/Router (VPN Server) <> Local Network


VPN worked fine and works fine with Windows 7, iOS < 9, Shrew Soft VPN Client for Windows 10, etc.

I was talking with some others and there's only really one commonality between all of us: Unitymedia. I thought it was maybe the FritzBoxes that we had, but, as you mentioned, you even have the problem with your pfSense Firewall. I can connect to an IPSec VPN completely trouble free, as long as the remote peer isn't in the Unitymedia network.


My home setup looks like your Setup #2, except I have a Fortigate instead of a pfSense and it's set up as DMZ, so all ports are forwarded to it. If I connect to the Fritz!Box LAN I can connect to the Fortigate without any issues whatsoever. If I connect to my VPN Connection via the WAN IP from behind my Fortigate, it still works problem free, so the issue doesn't seem to be with the firewalls or routers that we're using. That only leaves the ISP.


I think Apple changed something in the way they handle the payload packets and Unitymedia has some issue on their end that prevents these packets from being routed/processed properly.


Also: it seems like there may be more issues with iOS9 and VPN than just this one (German article):

http://www.heise.de/mac-and-i/meldung/iOS-9-Bug-sorgt-fuer-VPN-Probleme-2823133.html

From german news site heise.de: http://www.heise.de/newsticker/meldung/iOS-9-Bug-sorgt-fuer-VPN-Probleme-2823133.html


Looks like there is a bug in DNS subsystem in combination with VPN.


In addition, Cisco also reported some issues with VPN before the release of iOS 9: https://www.facebook.com/anyconnect/posts/1043581472380492

Not fixed for me in iOS 9.0.1 😮 😠 😢

Did you really expect that? It will not be fixed by any update from Apple. I guess the providers have to cope with that... Apple has been ignoring this problem for months....

No, it is not a problem with the AVM Fritzbox at all! Otherwise I should ask why the AVM Fritzbox was working together with iPhones and iPads with iOS 8 on them.

I have an AVM Fritzbox 6360 with a Unitymedia cable connection. On 2 different iPhones as well as on 2 different iPads the VPN connection was working fine with the Fritzbox! After updating the iPhones and iPads to iOS 9, I was still able to get the VPN tunnel established, but no machine in the network behind the Fritzbox was reachable anymore! After downgrading 1 iPhone 6 from iOS 9 back to iOS 8.4.1 everything is working fine again.


I am using the VPN client of the Fritzbox 6360 and the Cisco VPN IPsec client on the iOS hardware.

It seems there is a problem in the network of Unitymedia. One user told me that Apple implemented the "ECN protocol" in iOS 9, and it cannot be disabled anymore.

https://en.wikipedia.org/wiki/Explicit_Congestion_Notification#ECN_support_in_IP_by_routers

In the article there is a sentence, which makes me angry:

In June 2015, Apple Inc. announced that it will enable ECN signalling by default on its hundreds of millions of deployed products, in a move that Apple believes will help drive the adoption of ECN in other products.[5]


So I have to wait until my provider fixes this? It is not a router problem, because the same router in a different ISP network works well! My provider says they know about the issue, but they can't fix it in a few days.

Ladies and Gentlemen, I do believe I have found the cause of the issue, and it's not necessarily pretty.


I'm willing to bet that all of us who cannot connect to VPN endpoints with iOS 9 devices have one thing in common: The German ISP Unitymedia. Unitymedia, for some reason and, apparently, for many years now, has been tagging all outgoing IP packets with the ECN (Explicit Congestion Notification) Value of 0x03 (Congestion Experienced). It doesn't matter what you send from your Unitymedia connection, it will be tagged with ECN 0x03. Why? Nobody knows. Seems like a Unitymedia problem, right? Not quite.


See, iOS 9 can deal with non-VPN packets that are tagged with ECN 0x03 just fine. I can make web connections and FTP connections from my iPhone to my home machines just fine. The problem lies with Apple's implementation of ECN with regards to the VPN stack. I believe that the ECN 0x03 value in the IP header is causing the VPN stack to disregard the incoming ESP packets, thus rendering a VPN connection to a router or firewall in the Unitymedia network completely useless.


This has been previously documented here:

http://serverfault.com/questions/356490/is-clearing-the-ecn-bits-from-the-ip-tos-header-considered-harmfull

and here (German language):

http://www.unitymediaforum.de/viewtopic.php?p=41203#p41203


In the last link, the author is quoted as saying (translated from German):

"I have no idea where this change occurs. The ToS code 0x3 means "Congestion Experienced," which normally indicates that a router (not my router, but one somewhere on the path to the tunnel endpoint) has experienced congestion, in plain terms a "clog"; this is where ECN (Explicit Congestion Notification) comes into effect. If this flag is set, the ESP packet is discarded. Note that the tunnel setup (IKE phase 1 and 2) works like clockwork; the SAs are established correctly."


Also of interest is this little tidbit I found in the wikipedia article concerning ECN: (https://en.wikipedia.org/wiki/Explicit_Congestion_Notification)


"In June 2015, Apple Inc. announced that it will enable ECN signalling by default on its hundreds of millions of deployed products..."


Bingo. Apple introduced a brand new, never-before-used implementation of ECN with iOS 9 and there's a serious bug in how those ECN values get passed along to the VPN module or how said module deals with them.


Unitymedia, for reasons unbeknownst to probably even their top men (TOP men), sends all packets out of their Network with ECN flag 0x03, thereby causing iOS 9 devices to drop incoming ESP packets and render IPSec VPN connections useless. And who knows what other problems.
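The two technical claims in this thread are checkable on a capture: the ECN codepoint lives in the low two bits of the IPv4 ToS byte (0b11 = Congestion Experienced), and IPsec traffic arrives either as raw ESP (IP protocol 50), as IKE on UDP 500, or, once NAT traversal has kicked in, as ESP wrapped in UDP 4500 (with a four-zero-byte "non-ESP marker" distinguishing IKE on that port). The following is an added example, not code from any poster, from Apple, or from any vendor mentioned here; it parses constructed sample packets (addresses and SPIs are made up), reports the ECN codepoint per packet, flags ESP carrying CE, and shows the middlebox-style workaround of clearing the ECN bits and recomputing the header checksum.

```python
"""Classify IPsec packets from a capture and report their ECN codepoint.

Added example for this thread; not code from any poster or vendor.
Input is raw IPv4 packets as bytes; the SAMPLE below is constructed,
not real traffic.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

ECN_NAMES = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE"}
PROTO_UDP, PROTO_ESP = 17, 50
IKE_PORT, NATT_PORT = 500, 4500


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; 0 means a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, tos: int = 0) -> bytes:
    """Minimal 20-byte-header IPv4 packet; only used to build the constructed sample."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload),
                      0, 0x4000, 64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header with checksum 0 (permitted on IPv4) to keep the sample short."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


@dataclass
class Finding:
    src: str
    dst: str
    kind: str          # "ESP", "NAT-T ESP", "IKE", "IKE (NAT-T)", "NAT-T keepalive", "other"
    ecn: int           # low two bits of the ToS byte
    spi: Optional[int]

    @property
    def ecn_name(self) -> str:
        return ECN_NAMES[self.ecn]

    @property
    def suspicious(self) -> bool:
        # The thread's symptom: tunnel (IKE) fine, ESP payload packets marked CE dropped.
        return self.ecn == 3 and self.kind in ("ESP", "NAT-T ESP")


def classify(pkt: bytes) -> Finding:
    version_ihl, tos, total_len = struct.unpack_from("!BBH", pkt, 0)
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (version_ihl & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    payload = pkt[ihl:total_len]
    kind, spi = "other", None
    if proto == PROTO_ESP:
        kind, spi = "ESP", struct.unpack_from("!I", payload, 0)[0]
    elif proto == PROTO_UDP:
        sport, dport, ulen = struct.unpack_from("!HHH", payload, 0)
        data = payload[8:ulen]
        if IKE_PORT in (sport, dport):
            kind = "IKE"
        elif NATT_PORT in (sport, dport):
            if data == b"\xff":                      # RFC 3948 NAT keepalive
                kind = "NAT-T keepalive"
            elif data[:4] == b"\x00\x00\x00\x00":    # non-ESP marker: IKE on 4500
                kind = "IKE (NAT-T)"
            else:                                    # UDP-encapsulated ESP, SPI first
                kind, spi = "NAT-T ESP", struct.unpack_from("!I", data, 0)[0]
    return Finding(src, dst, kind, tos & 0x03, spi)


def clear_ecn(pkt: bytes) -> bytes:
    """Copy of pkt with ECN bits zeroed and the IPv4 header checksum recomputed."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] &= 0xFC
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def audit(packets: List[bytes]) -> List[Finding]:
    return [classify(p) for p in packets]


# Constructed sample (not real traffic): NAT-T ESP and IKE from a peer that
# tags everything CE (0x03), plus a raw ESP packet from a peer that does not.
SAMPLE = [
    build_ipv4("198.51.100.10", "203.0.113.7", PROTO_UDP,
               build_udp(4500, 4500, struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 24), tos=0x03),
    build_ipv4("198.51.100.10", "203.0.113.7", PROTO_UDP,
               build_udp(500, 500, b"\x11" * 28), tos=0x03),
    build_ipv4("192.0.2.5", "203.0.113.7", PROTO_ESP,
               struct.pack("!II", 0xDEADBEEF, 3) + b"\x00" * 24, tos=0x00),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        flag = "  <-- ESP marked CE" if f.suspicious else ""
        print("%s -> %s  %-16s ECN=%s%s" % (f.src, f.dst, f.kind, f.ecn_name, flag))
```

Run against a real capture, the same parser applied to a pcap's IPv4 frames would show whether the ESP packets from the Unitymedia side really carry CE while the IKE packets of the same session are accepted; `clear_ecn` is the operation a firewall in front of the client would need to perform (ToS rewrite plus checksum fix) if the provider does not stop marking the packets.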

We are having some German discussions about this problem.


It seems that mostly or only Unitymedia (UPC) customers have the problem. VPN IPSec, manually or on demand, opens the tunnel, but no traffic passes and no devices are reachable.


Do all of you have Unitymedia as provider?

Yes, I am a Unitymedia customer with the product "2Play Comfort 120" and I have set up a Fritzbox 6360. Everything worked fine for me with the VPN IPsec client until iOS 9 was rolled out and 2 iPhones and 2 iPads were upgraded. Now, the VPN just gets established, but no network devices are reachable anymore.

On one of the iPhones I already did a downgrade to iOS 8.4.1, which works again now!

Same here

- Fritz 6360 (6.04)

- Windows Shrew works

- Android client works

- iPhone 4s (iOS6) works

- iPad (iOS 8.4.1) works

- iPad (iOS 9.0.1) failed


Other customers using iOS 9/9.0.1 have no problems, but all I know have another provider (Telekom, Kabel Deutschland, other ADSL).

Same problem here too with VPN.

If you connect within the same local network it will work. All the rest, no 😟


Submitted new bug #22876931