IPSec VPN not working under iOS 9 Beta

Hello everyone:


I think I have found a pretty serious bug in the iOS 9 Public Beta:


At home I have a router provided by my ISP. Because I want to use my Fortigate firewall, I have to set up my firewall with the WAN in the private network provided to me by the ISP, with my network behind it. I have my ISP router forwarding everything (DMZ) to my firewall. This is, more or less, completely transparent, as I can forward ports and create VPN connections directly on my Fortigate without touching anything else on the ISP router.


My iPad, running iOS 8.4, works just fine using the same exact connection parameters. I can dial in via IPSec and access my home network or the internet via VPN. However, when I connect with my iPhone running the latest iOS 9 public beta, the connection comes up, but I cannot pass any traffic. More specifically, traffic leaves the iPhone, arrives at the firewall, is forwarded to the destination, comes back to the firewall, is re-encrypted and sent back to the iPhone, then nothing.


I think it has something to do with NAT Traversal. With standard IPSec, UDP port 500 is used. If the protocol detects NAT in the middle, it will switch to port 4500. I think the iPhone understands how to build a connection with NAT in the middle, but when the packets arrive, something happens and the iPhone forgets about NAT Traversal, dropping the packets. It's the only thing I can think of.


Is there any way to directly contact Apple with this issue without going through the low-level "have you tried rebooting your phone" guys first?

Replies

Shame on ISP Unitymedia,


Yesterday I tried to get "smart hands" on this from Unitymedia. But they told me that they are not responsible for this outage! Even after explaining that ISP Unitymedia is the only one in Germany where VPN IPsec stopped working after iOS 9, they told me to "go to Apple, because they are responsible for an iOS upgrade which is not working in this way!"


My next step will be to cancel my contract with Unitymedia; they are just stupid, because Unitymedia did a stupid setting of the ECN flag of 0x03!

Unitymedia tells me to do a factory reset on the Fritz!Box. ********!


I cannot leave UM, unless I want to use internet with a maximum of 6 Mbit down at home. UM gets back an IPv4 address and will happily sell it to business customers for more money... Actually I'm back to 8.4.1 with all devices, waiting to see what happens and possibly changing my mobile devices ...

Not fixed in 9.0.2

I don't think that this will be fixed by Apple. The only chance seems to cancel the contract with Unitymedia and go to some other provider (In my case this means a loss of bandwidth from 200MBit down to about 16-20MBit).

You might be right, but I added a bug report anyway, because I hope by doing so, this problem will get the appropriate attention.

A little update: during the week I was able to confirm my suspicions that the problem was caused by the ECN 0x03 flag by setting up a Wi-Fi network with a Linux-based router as the gateway. We then used iptables to rewrite the entire 8-bit ToS field with 00000000, which caused the VPN connection to start working again.

Hi,


I'm a Unitymedia "business" customer and I can say that the same problem also exists for me :-(


Setup:

iOS9 <> Unitymedia ISP <> fritz!Box (used as modem) <> Lancom 1781 router <> local Network

--> VPN to Lancom no longer working.


Sincerely, Thomas

Still not working in 9.1b4. 😠

Unitymedia is not moving a bit towards my interests. So I wrote to them asking whether they would cancel the contract. I am not willing to wait until they have this fixed in the network or until Apple does the fix in iOS.

Thought I might also post to this thread so that things get escalated sooner rather than later. Same issue here: iPhone 6+, iPad 2 mini, both with latest-greatest official iOS 9.0.2. IPSec VPN (to my AVM FritzBox 7490) not working properly. Tunnel is initiated but no traffic is going through.

I have the same problem. Since iOS 9 the VPN does not work anymore.

The VPN connection is established (VPN sign appears) but without any further communication.


What happened? I'm really disappointed.

GeXX - The problem is that Unitymedia has a misconfiguration in their network that's been tagging all outgoing packets with ECN 0x03 for probably more than a decade now, and iOS 9 and OS X 10.11 drop incoming IPSec data payload (ESP) packets if they're marked with ECN 0x03.

Yes, I heard about it. I talked with Unitymedia. It is senseless because they don't know about the problem. Their answer is that I'm the first person to report this. If it works with iOS 8 and iOS 9 doesn't, it's Apple's fault.

However, the problem seems bigger than I thought. Cisco warned us about iOS 9 and VPN too:

http://www.heise.de/mac-and-i/meldung/iOS-9-Bug-sorgt-fuer-VPN-Probleme-2823133.html


I would appreciate having an option to turn off Explicit Congestion Notification or switch back to the previous ECN setting.


Apple, please help!

Nice, but this cannot be a solution for us. I need the function when I'm not at home, for example to have access to my smart-home components. That means we don't have the option of a modified Linux router.

I have exactly the same problem.


I have the 3play with 200Mbit, Unitymedia.

Fritz!Box 6490, Fritz!OS 06.24

iPhone 6 plus, iOS 9.0.2

Do not conflate this issue with the Cisco VPN bug. They are NOT the same. This issue stems from a problem that has existed in the Unitymedia network for maybe a decade, maybe even longer. It was never a problem until now, when Apple decided to implement ECN. The only way you can get it working again (without jailbreaking) is to put an iptables-based router (Linux machine) before your iPhone and reset the entire 8-bit ToS field to 00000000 before the packets reach your iPhone. I can assure you that you're not the only one with this issue, and you're not the only one who has brought it to anybody's attention. Both sides are aware of the issue. I'm certain that this issue will be resolved somehow, but when and by whom I cannot say. Since it's a pretty serious design flaw in the Unitymedia network, I would say that it's more in their interest to resolve the issue as quickly as possible.
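The two posts that describe the workaround (the update about the Linux gateway rewriting the ToS field with iptables, and the reply above) both hinge on the same detail: the ECN bits are the low two bits of the IPv4 ToS byte, and 0x03 (CE, "Congestion Experienced") on an ESP packet is what the thread reports iOS 9 dropping. The following Python is an added example, not code from this thread or from any of the vendors named in it. It builds a constructed IPv4/ESP packet, reports the DSCP and ECN bits, flags the packet class the thread describes as dropped, and performs the same "reset the whole 8-bit ToS field to zero" rewrite (with the header checksum recomputed) that the posters applied with iptables. The addresses, payload and the `would_be_dropped` rule are assumptions taken from the thread's description, not verified against Apple's implementation.

```python
"""Check and clear the ECN bits of IPv4 packets (added example, not thread code)."""
import ipaddress
import struct

IPPROTO_ESP = 50   # IPsec ESP, the data-payload protocol the thread talks about
ECN_CE = 0x03      # ECN bits "11" = Congestion Experienced


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791).

    Run over a header that already carries a correct checksum, the result is 0;
    verify_header() relies on that property.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_packet(src: str, dst: str, proto: int, tos: int, payload: bytes) -> bytes:
    """Build a minimal option-less IPv4 packet with the given ToS byte.

    Addresses and payload are constructed sample data, not captures.
    """
    header = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                  # version 4, IHL 5 (20-byte header)
        tos,                   # 6-bit DSCP + 2-bit ECN
        20 + len(payload),     # total length
        0x1234,                # identification (arbitrary)
        0x4000,                # flags: DF set, fragment offset 0
        64,                    # TTL
        proto,
        0,                     # checksum placeholder, filled in below
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    ))
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + payload


def parse_tos(packet: bytes) -> dict:
    """Split the second header byte into its DSCP (high 6 bits) and ECN (low 2 bits)."""
    tos = packet[1]
    return {"tos": tos, "dscp": tos >> 2, "ecn": tos & 0x03}


def would_be_dropped(packet: bytes) -> bool:
    """Model of the packet class the thread reports iOS 9 discarding:
    an ESP packet whose ECN bits are CE (0x03). Assumption from the thread,
    not a verified description of Apple's stack."""
    return packet[9] == IPPROTO_ESP and parse_tos(packet)["ecn"] == ECN_CE


def clear_tos(packet: bytes) -> bytes:
    """Rewrite the entire 8-bit ToS field to 0 and recompute the header checksum.

    Same effect as the iptables rule the posters used on a Linux gateway in
    front of the iPhone; the payload is left untouched.
    """
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl])
    header[1] = 0x00
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]


def verify_header(packet: bytes) -> bool:
    """True if the IPv4 header checksum is intact."""
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


if __name__ == "__main__":
    # Constructed sample: an ESP packet arriving with ECN CE already set.
    pkt = build_ipv4_packet("203.0.113.10", "198.51.100.20", IPPROTO_ESP, ECN_CE, b"\x00" * 16)
    print("before:", parse_tos(pkt), "dropped:", would_be_dropped(pkt))
    fixed = clear_tos(pkt)
    print("after: ", parse_tos(fixed), "dropped:", would_be_dropped(fixed),
          "checksum ok:", verify_header(fixed))
```

Feeding a capture from the affected path through `parse_tos` on the ESP packets is a quick way to confirm whether the CE marking is present before blaming the VPN endpoint; `clear_tos` shows why the gateway rewrite also has to fix the header checksum, which iptables does for you but a hand-rolled rewrite must not forget.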