Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Salamihawk
New Contributor

Fortigate IPSec VPN and iOS9

Hello all,

 

out of curiosity I joined the public beta and installed the iOS9 beta on my iPhone. I had an existing IPSec VPN connection that I created a while ago using FortiOS 4 on a 40C. The upgrade from 4 to 5 (and now 5.2.1) was problem-free, and the IPSec tunnel works as-is on my iPad, but my iPhone running the iOS9 beta doesn't seem to be able to use the VPN connection properly.

 

I even created a new tunnel using the VPN Wizard for iOS devices, and the same behavior is observed: The iPhone connects just fine, but when sending traffic, I see the traffic coming in through the tunnel, leaving the egress interface (in this case, the LAN), being answered and the packets coming back through the Fortigate out through the VPN tunnel interface to the iPhone, but the iPhone doesn't seem to respond at all. Seems as though iOS 9 can only send via IPSec, but not receive...

 

I've already opened a ticket with Apple, but I wanted to come here and see if anyone else had the same issue.

1 Solution
mas1971
New Contributor III

Hi,

 

i would you like to know, that the ECN issue with Unitymedia has been fixed!

  "The problem is that Unitymedia has been incorrectly tagging all outgoing packets from their cable modem connections with ECN (Explicit Congestion Notification) 0x03. That means if you send a packet from your home connection, it will eventually be tagged with ECN 0x03 (CE, Congestion Experienced)."

 

On my first call to Unitymedia Hotline, they told me about that they are looking to fix this. On my last Call / last week, they told me, that issue has been fixed.

Best wishes out of Germany

View solution in original post

Best wishes out of Germany
6 REPLIES 6
mas1971
New Contributor III

yes, ive got the same issue.

The VPN Tunnel was working fine with privios IOS Version, but know the tunnel is only connecting, but no traffic. (Timeout error in Fortios Logfile) IOS 9.02 Fortios 5.2.6 688 on Fortigate 60D

Best wishes out of Germany
Best wishes out of Germany
mas1971
New Contributor III

OK. Its an bug in Apple IOS 9

http://news.softpedia.com/news/ios-9-breaks-some-vpn-configurations-492315.shtml

 

 

Its still on IOS 9.1 beta.

Best wishes out of Germany
Best wishes out of Germany
Salamihawk

mas1971 wrote:

OK. Its an bug in Apple IOS 9

http://news.softpedia.com/news/ios-9-breaks-some-vpn-configurations-492315.shtml

 

 

Its still on IOS 9.1 beta.

Yes/no. It's specific to iOS 9, yes, but it's also not entirely the fault of iOS 9. I'm willing to bet that you have Unitymedia as your ISP.

 

The problem is that Unitymedia has been incorrectly tagging all outgoing packets from their cable modem connections with ECN (Explicit Congestion Notification) 0x03. That means if you send a packet from your home connection, it will eventually be tagged with ECN 0x03 (CE, Congestion Experienced). 

 

With iOS 9 and OSX El Capitan, Apple is implementing ECN per default. That means that iOS and OSX versions prior didn't bother to consider the ECN flag. Since it explicitly states in the ECN RFC (https://tools.ietf.org/html/rfc3168#section-9.1.1) that an encapsulating protocol must drop packets that are tagged with ECN 0x03 if the encapsulated protocol doesn't signal support for ECN, Apple technically appears to be doing the right thing, so the real problem is Unitymedia and their blanket tagging of all outgoing packets. Seems like a QoS misconfiguration to me.

 

mas1971
New Contributor III

Oh, thats an interesting thing!

We have got Unitymedia Bussines (200/25) on our main line at office. The second (Backup) Line is Vodafone DSL.

At home ive got Vodofone and mobile net is vodafone, too.

So i will add a second VPN Tunnel in Fortigate Router routing over the second line, testing this.

 

Im realy wondering about the thing, that packets in the VPN Tunnel can be tagged.

But the Problem is with CISCO UTMs and IOS9, too.

 

I can say: Yes, the VPN ipsec Tunnel is connecting, and in FTG log i can see packets are comming in, but without answer. So it looks like the DNS Problem, as told in the link.

 

Thanks a lot!

Best wishes out of Germany
Best wishes out of Germany
mas1971
New Contributor III

Yes, you are right!

 

Switching over to Vodafone Backup Line the VPN Tunnel connects and every thing is working fine with IOS 9.02.

So lets bother against unitymedia.

 

Thank you very much, you made my day!

Best wishes out of Germany
Best wishes out of Germany
mas1971
New Contributor III

Hi,

 

i would you like to know, that the ECN issue with Unitymedia has been fixed!

  "The problem is that Unitymedia has been incorrectly tagging all outgoing packets from their cable modem connections with ECN (Explicit Congestion Notification) 0x03. That means if you send a packet from your home connection, it will eventually be tagged with ECN 0x03 (CE, Congestion Experienced)."

 

On my first call to Unitymedia Hotline, they told me about that they are looking to fix this. On my last Call / last week, they told me, that issue has been fixed.

Best wishes out of Germany
Best wishes out of Germany
Labels
Top Kudoed Authors