Apple iOS IKEv2 VPN to Microsoft RRAS - Authentication issue

sulaimansylvester 1 Reputation point
2021-07-30T18:53:53.883+00:00

We have a fully functioning VPN setup for our Windows 10 devices using IKEv2 to two load-balanced Windows RRAS servers. Both servers work with Windows devices, but only one server works with iPhone devices.

The permutations result in error messages on the iPhone:

User authentication failed

Logs from Server 2016 Event Viewer:

CoId={8AB4D661-0463-0579-09F9-86933397C252}: The following error occurred in the Point to Point Protocol module on port: VPN2-127, UserName: <Unauthenticated User>. Negotiation timed out

I have compared all the settings, but cannot figure out why one server is complaining about authentication. Please help.


10 answers

  1. Sebastian Cerazy 321 Reputation points
    2022-02-04T12:05:30.767+00:00

    What kind of IDIOTIC answer is that?
    If you have nothing to say, better say nothing.

    Server 2019 RRAS AlwaysON VPN, using certificate, working fine with Windows clients, MacOS clients, but NOT iOS
    No matter what I configure with Apple Configurator 2 I always get:

    CoId={5F663023-EC52-FA99-4E03-5F2E41939CC8}: The user ******@domain.com connected from xx.xx.xx.xx but failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.  
      
    CoId={5F663023-EC52-FA99-4E03-5F2E41939CC8}: The following error occurred in the Point to Point Protocol module on port: VPN2-163, UserName: <Unauthenticated User>. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.  
    

    Any help appreciated

    A failed attempt is also documented here:

    https://www.reddit.com/r/networking/comments/ddq1fd/apple_ios_ikev2_vpn_to_microsoft_rras/

    Seb

    1 person found this answer helpful.

  2. Sebastian Cerazy 321 Reputation points
    2022-02-22T18:29:31.14+00:00

    I had a long look again at the certificate that works and INDEED it was not that one.
    So I re-crafted myself another one, with SAN having 2 entries:
    RFC 822 Name (basically email) & UPN

    (done it in fact before reading your last reply)

    Used this in my mobileconfig & ... it connected instantly!

    Thanks for your help. Your input was invaluable!

    Seb

    1 person found this answer helpful.
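
The fix reported in the answer above was a client certificate whose SAN carries both an RFC 822 name and a UPN. As an added example (not part of the thread or anyone's posted code), this PowerShell lists the SAN entries of client-authentication certificates so a working and a failing certificate can be compared; it assumes an English-locale Windows host, and `Get-SanSummary` is a hypothetical helper name.

```powershell
# Added example: report which SAN entry types a certificate carries.
# Assumption: English-locale Windows. The labels "RFC822 Name" and
# "Principal Name" come from the OS formatter and are localized elsewhere.
function Get-SanSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # 2.5.29.17 is the Subject Alternative Name extension.
        $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $lines = @()
        if ($san) {
            # Multi-line format puts one SAN entry per line.
            $lines = $san.Format($true) -split "`r?`n" |
                ForEach-Object { $_.Trim() } | Where-Object { $_ }
        }
        $email = @($lines | Where-Object { $_ -like 'RFC822 Name=*' })
        $upn   = @($lines | Where-Object { $_ -like 'Principal Name=*' })
        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            Rfc822Name = ($email -replace '^RFC822 Name=', '') -join ', '
            Upn        = ($upn -replace '^Principal Name=', '') -join ', '
            HasBoth    = ($email.Count -gt 0 -and $upn.Count -gt 0)
        }
    }
}

# Client Authentication EKU; only certificates usable for VPN logon matter here.
$clientAuth = '1.3.6.1.5.5.7.3.2'
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuth } |
    Get-SanSummary |
    Format-Table -AutoSize
```

A certificate exported to a `.cer` file (for example the public part of the one embedded in the mobileconfig) can be checked the same way by constructing an `X509Certificate2` from the file path and piping it to `Get-SanSummary`.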

  3. Anonymous
    2021-08-02T03:50:47.927+00:00

    Hi,

    Thanks for posting in Q&A platform.

    Please kindly note that the Q&A platform is mainly focused on troubleshooting Windows system related issues. iOS is a third-party product which we're not familiar with, and we do not have such an Apple device to do the test in our environment. If these 2 VPN servers can work with Windows devices and cannot work with Apple devices, I would suggest you contact Apple support first for further troubleshooting. If they can narrow down that the issue is more related to the Windows part and post the exact error message, please feel free to post in our forum.

    Best Regards,
    Sunny


  4. Gary Nebbett 6,216 Reputation points
    2022-02-07T19:25:45.793+00:00

    Hello Seb,

    Despite feeling rather conflicted, regarding your disparaging remark to a well-intentioned posting, I think that it is worth mentioning that the two messages that you posted point quite strongly to the cause of the problem: the acceptable authentication mechanisms configured on the RAS server are not compatible with the authentication mechanism being requested by the macOS clients.

    Can you post some indication of how the server and clients are configured?

    Gary


  5. Sebastian Cerazy 321 Reputation points
    2022-02-18T10:20:54.657+00:00

    Like that:

    https://learn.microsoft.com/en-us/answers/questions/541747/inunte-macos-custom-vpn-configuration.html?childToView=723547#comment-723547

    There is NO "username and password" policy on VPN server, as it is certificate only, and exactly the same is chosen in iOS profile

    Windows & Mac OS (Mojave & above) connect fine to this VPN server, so I do not see why iOS complains, especially that Mac profile is the same (there is only that much one can actually configure)

    The remark you mentioned was honest personal opinion, it is what it is, you as an author will feel different, because you are looking from a different angle
    Unless you mean my post above? -MSFT, I hold them all in low regard

