Hi,
I have a Windows Server 2008 server set up for remote access. I need to connect an iPhone/iOS to it using L2TP/IPsec VPN with pre-shared keys.
I have configured the server to accept VPN connections using L2TP/IPsec with pre-shared keys and verified that Windows clients can connect successfully using this method of VPN. I have opened up all the appropriate firewall ports.
However, no matter what I try I can't get an iPhone/iPad to connect. Here is a trace from my ikeext.etl file when an iPhone is trying to connect:
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 0|xxx.xxx.xxx.xxx|
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 0|xxx.xxx.xxx.xxx|Received packet
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 0|xxx.xxx.xxx.xxx|Local Address: yyy.yyy.yyy.yyy.4500 Protocol 0
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 0|xxx.xxx.xxx.xxx|Peer Address: xxx.xxx.xxx.xxx.4500 Protocol 0
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|iCookie d2af42d1e6df971f rCookie 472381cd5568e485
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|Exchange type: IKE Quick Mode Length 308 NextPayload HASH Flags 1 Messid 0x011ce124
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|mmSa: 0x00000000033A0670
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|Create QMSA: qmSA 0000000013287010 messId 11ce124
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|Processing QM. MM 00000000033A0670 QM 0000000013287010
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|Process Payload HASH, SA 00000000033A0670 QM 0000000013287010
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|Process Payload ID, SA 00000000033A0670 QM 0000000013287010
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|Process Payload ID, SA 00000000033A0670 QM 0000000013287010
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|Process Payload SA, SA 00000000033A0670 QM 0000000013287010
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|QM propNum 1, transformNum 0, peerSpi 159457670
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|QM transNum 1
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|PROTO: ESP Algo 12
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_LIFE_TYPE: 1
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_LIFE_DUR: 3600
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_ENCAPSULATION_MODE: 4
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_KEY_LENGTH: 256
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|Adjusting QM cipher type to AES_256
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_HMAC_ALG: 2
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|QM propNum 1, transformNum 1, peerSpi 159457670
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|QM transNum 2
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|PROTO: ESP Algo 12
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_LIFE_TYPE: 1
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_LIFE_DUR: 3600
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_ENCAPSULATION_MODE: 4
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_KEY_LENGTH: 256
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|Adjusting QM cipher type to AES_256
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_HMAC_ALG: 1
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|QM propNum 1, transformNum 2, peerSpi 159457670
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|QM transNum 3
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|PROTO: ESP Algo 12
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_LIFE_TYPE: 1
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_LIFE_DUR: 3600
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_ENCAPSULATION_MODE: 4
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_KEY_LENGTH: 128
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_HMAC_ALG: 2
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|QM propNum 1, transformNum 3, peerSpi 159457670
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|QM transNum 4
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|PROTO: ESP Algo 12
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_LIFE_TYPE: 1
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_LIFE_DUR: 3600
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_ENCAPSULATION_MODE: 4
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_KEY_LENGTH: 128
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_HMAC_ALG: 1
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|QM propNum 1, transformNum 4, peerSpi 159457670
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|QM transNum 5
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|PROTO: ESP Algo 3
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_LIFE_TYPE: 1
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_LIFE_DUR: 3600
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_ENCAPSULATION_MODE: 4
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_HMAC_ALG: 2
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|QM propNum 1, transformNum 5, peerSpi 159457670
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|QM transNum 6
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|PROTO: ESP Algo 3
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_LIFE_TYPE: 1
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_LIFE_DUR: 3600
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_ENCAPSULATION_MODE: 4
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_HMAC_ALG: 1
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|Looking up QM policy for IKE
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|QM localAddr: yyy.yyy.yyy.yyy.1701 Protocol 17
[1]01D0.0D60::01/09/1601-02:07:43.072 [ikeext] 4|xxx.xxx.xxx.xxx|QM peerAddr: xxx.xxx.xxx.xxx.52917 Protocol 17
*****FormatMessage & Cipher
Auth transform:
Type: SHA1
Config: HMAC-SHA1-96
Crypto module: <unspecified>
Cipher transform:
Type: 3DES
Config: CBC-3DES
Crypto module: <unspecified>
-- 7 --
Lifetime:
Seconds: 3600
Kilobytes: 250000
Packets: 2147483647
PFS group: None
SA transforms: 1
-- 0 --
Type: ESP-Auth
Type: SHA1
Config: HMAC-SHA1-96
Crypto module: <unspecified>
-- 8 --
Lifetime:
Seconds: 3600
Kilobytes: 250000
Packets: 2147483647
PFS group: None
SA transforms: 1
-- 0 --
Type: AH
Type: SHA1
Config: HMAC-SHA1-96
Crypto module: <unspecified>
Flags: 0x00000000
Normal idle timeout (seconds): 300
Idle timeout in case of failover (seconds): 60
of [1]01D0.0D60::01/09/1601-02:07:43.074 [ikeext] 4|xxx.xxx.xxx.xxx|Accepted proposal. Prop: 1 trans: 1
[1]01D0.0D60::01/09/1601-02:07:43.074 [ikeext] 4|xxx.xxx.xxx.xxx|FwpmFilterEnum0 returned no matching filters
[1]01D0.0D60::01/09/1601-02:07:43.074 [user] |xxx.xxx.xxx.xxx|IkeMatchFwpmFilter failed with Windows error 13825(ERROR_IPSEC_IKE_NO_POLICY)
[1]01D0.0D60::01/09/1601-02:07:43.074 [user] |xxx.xxx.xxx.xxx|IkeMatchFwpmFilter failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
[1]01D0.0D60::01/09/1601-02:07:43.074 [user] |xxx.xxx.xxx.xxx|IkeGetFwpTransFilterID failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
[1]01D0.0D60::01/09/1601-02:07:43.074 [user] |xxx.xxx.xxx.xxx|IkeQMSelectorToIpsecTraffic failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
[1]01D0.0D60::01/09/1601-02:07:43.074 [user] |xxx.xxx.xxx.xxx|IkeQMSelectorToGetSpi failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
[1]01D0.0D60::01/09/1601-02:07:43.074 [user] |xxx.xxx.xxx.xxx|IkeGetSpi failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
[1]01D0.0D60::01/09/1601-02:07:43.074 [user] |xxx.xxx.xxx.xxx|IkeProcessQMPolicyValidation failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
[1]01D0.0D60::01/09/1601-02:07:43.074 [user] |xxx.xxx.xxx.xxx|IkePostPayloadProcessQMSA failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
[1]01D0.0D60::01/09/1601-02:07:43.074 [user] |xxx.xxx.xxx.xxx|IkeHandlePayloadQMSA failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
[1]01D0.0D60::01/09/1601-02:07:43.074 [user] |xxx.xxx.xxx.xxx|IkeProcessPayloadQM failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
[1]01D0.0D60::01/09/1601-02:07:43.074 [user] |xxx.xxx.xxx.xxx|IkeProcessOakPayloadGroup failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
[1]01D0.0D60::01/09/1601-02:07:43.074 [user] |xxx.xxx.xxx.xxx|IkeProcessOakPacket failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
[1]01D0.0D60::01/09/1601-02:07:43.074 [ikeext] 4|xxx.xxx.xxx.xxx|QM done. Cleaning up qmSa 0000000013287010. Error 13825(ERROR_IPSEC_IKE_NO_POLICY)
[1]01D0.0D60::01/09/1601-02:07:43.074 [ikeext] 4|xxx.xxx.xxx.xxx|IKE diagnostic event:
Event Header:
Timestamp: 1601-01-01T00:00:00.000Z
Flags: 0x0000011f
IP protocol field set
Local address field set
Remote address field set
Local port field set
Remote port field set
IP version field set
IP version: IPv4
IP protocol: 17
Local address: yyy.yyy.yyy.yyy
Remote address: xxx.xxx.xxx.xxx
Local Port: 1701
Remote Port: 52917
Application ID:
User SID: <invalid>
Failure type: IKE/Authip Quick Mode Failure
Type specific info:
Failure error code:0x00003601
No policy configured Failure point: Local
Keying module type: Ike
QM State: State corresponding to first roundtrip
QM SA role: Responder
Mode: Transport Mode
QM Filter ID: 0x0000000000011093
[1]01D0.0D60::01/09/1601-02:07:43.074 [ikeext] 4|xxx.xxx.xxx.xxx|SendNotify: mmSa 00000000033A0670 cookie d142afd2 state 6 messId 11ce124
[1]01D0.0D60::01/09/1601-02:07:43.074 [ikeext] 4|xxx.xxx.xxx.xxx|Construct IKEHeader
[1]01D0.0D60::01/09/1601-02:07:43.074 [ikeext] 4|xxx.xxx.xxx.xxx|Construct HASH
[1]01D0.0D60::01/09/1601-02:07:43.074 [ikeext] 4|xxx.xxx.xxx.xxx|Construct NOTIFY
[1]01D0.0D60::01/09/1601-02:07:43.074 [ikeext] 4|xxx.xxx.xxx.xxx|
[1]01D0.0D60::01/09/1601-02:07:43.074 [ikeext] 4|xxx.xxx.xxx.xxx|Sending Packet
[1]01D0.0D60::01/09/1601-02:07:43.074 [ikeext] 4|xxx.xxx.xxx.xxx|iCookie d2af42d1e6df971f rCookie 472381cd5568e485
[1]01D0.0D60::01/09/1601-02:07:43.074 [ikeext] 4|xxx.xxx.xxx.xxx|Exchange type: IKE Informational Mode Length 76 NextPayload HASH Flags 1 Messid 0xa7d312b7
[1]01D0.0D60::01/09/1601-02:07:43.074 [ikeext] 4|xxx.xxx.xxx.xxx|Local Address: yyy.yyy.yyy.yyy.4500 Protocol 0
[1]01D0.0D60::01/09/1601-02:07:43.074 [ikeext] 4|xxx.xxx.xxx.xxx|Peer Address: xxx.xxx.xxx.xxx.4500 Protocol 0
[1]01D0.0D60::01/09/1601-02:07:43.074 [ikeext] 4|xxx.xxx.xxx.xxx|IF-Index: 10
[1]01D0.0D60::01/09/1601-02:07:43.075 [ikeext] 4|xxx.xxx.xxx.xxx|Deleting QM. MM: 00000000033A0670 QM: 0000000013287010
[1]01D0.0D60::01/09/1601-02:07:43.075 [user] |xxx.xxx.xxx.xxx|IkeHandleOakQMPacket failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
[1]01D0.0D60::01/09/1601-02:07:43.075 [user] |xxx.xxx.xxx.xxx|IkeHandleQMPacketDispatch failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
[1]01D0.0D60::01/09/1601-02:07:43.075 [user] |xxx.xxx.xxx.xxx|IkeProcessPacket failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
What I don't understand is that it accepts a proposal but on the very next line it says there are no matching filters.
Can anyone give any advice on troubleshooting this problem? There seems to be no reason why this setup should work for Windows clients but not for an iPhone.
Thanks
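
Added example, not part of the original post: a small Python summarizer for a trace in the layout shown above, which reports the offered transforms, the Quick Mode selector, the accepted proposal and the failure chain as separate results. The sample lines are constructed from the format in the post, and the function and key names (`summarize`, `offers`, `no_filter`) are this example's own.

```python
import re

# Constructed sample in the ikeext trace layout from the post (addresses masked the same way).
P = "[1]01D0.0D60::01/09/1601-02:07:43.072 "
SAMPLE = "\n".join([
    P + "[ikeext] 4|xxx.xxx.xxx.xxx|QM transNum 1",
    P + "[ikeext] 4|xxx.xxx.xxx.xxx|PROTO: ESP Algo 12",
    P + "[ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_KEY_LENGTH: 256",
    P + "[ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_HMAC_ALG: 2",
    P + "[ikeext] 4|xxx.xxx.xxx.xxx|QM transNum 2",
    P + "[ikeext] 4|xxx.xxx.xxx.xxx|PROTO: ESP Algo 3",
    P + "[ikeext] 4|xxx.xxx.xxx.xxx|IPSEC_HMAC_ALG: 1",
    P + "[ikeext] 4|xxx.xxx.xxx.xxx|QM localAddr: yyy.yyy.yyy.yyy.1701 Protocol 17",
    "Lifetime:",  # continuation line without a trace header
    "of " + P + "[ikeext] 4|xxx.xxx.xxx.xxx|Accepted proposal. Prop: 1 trans: 1",
    P + "[ikeext] 4|xxx.xxx.xxx.xxx|FwpmFilterEnum0 returned no matching filters",
    P + "[user] |xxx.xxx.xxx.xxx|IkeMatchFwpmFilter failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)",
    P + "[user] |xxx.xxx.xxx.xxx|IkeGetSpi failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)",
])

HEADER = re.compile(r"\[\d+\][0-9A-Fa-f.]+::\S+ \[\w+\] \d*\|[^|]*\|(.*)$")
FIELD = re.compile(r"(PROTO: ESP Algo|IPSEC_KEY_LENGTH:|IPSEC_HMAC_ALG:) (\d+)$")
SELECTOR = re.compile(r"QM (local|peer)Addr: (\S+)\.(\d+) Protocol (\d+)$")
FAILED = re.compile(r"(\w+) failed with HRESULT 0x([0-9A-Fa-f]{8})\((\w+)\)")

def summarize(trace):
    """Split one Quick Mode exchange into offer, selector, acceptance and failure chain."""
    s = {"offers": [], "selector": {}, "accepted": None, "no_filter": False, "failures": []}
    for raw in trace.splitlines():
        m = HEADER.search(raw)  # search, not match: tolerates stray text before the header
        if not m:
            continue            # policy dump / event body lines carry no header
        msg = m.group(1).strip()
        if msg.startswith("QM transNum "):
            s["offers"].append({"transNum": int(msg.split()[-1])})
        elif (f := FIELD.match(msg)) and s["offers"]:
            s["offers"][-1][f.group(1).rstrip(":")] = int(f.group(2))
        elif (a := SELECTOR.match(msg)):
            s["selector"][a.group(1)] = (a.group(2), int(a.group(3)), int(a.group(4)))
        elif (p := re.match(r"Accepted proposal\. Prop: (\d+) trans: (\d+)", msg)):
            s["accepted"] = (int(p.group(1)), int(p.group(2)))
        elif "returned no matching filters" in msg:
            s["no_filter"] = True
        elif (e := FAILED.search(msg)):
            # Low 16 bits of a FACILITY_WIN32 HRESULT are the Win32 error code.
            s["failures"].append((e.group(1), int(e.group(2), 16) & 0xFFFF, e.group(3)))
    return s
```

The first entry of `failures` names the innermost function that reported the error, and the selector entry shows which address, port and IP protocol the filter lookup was made for.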