
Built-in IPsec VPN randomly drops to Cisco VPN server

38764 Views 61 Replies Latest reply: Apr 7, 2014 8:11 AM by racitup
GuyHelmer Level 1 (0 points)
Aug 20, 2011 8:33 AM

I'm using the built-in IPsec VPN client on Lion and the VPN connection randomly drops.  I've found this in the system.log file corresponding to the time when the connection drops:

 

Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 started (Initiated by me).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 established (Initiated by me).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: receive success. (Information message).
Aug 20 10:00:34 MBP racoon[38259]: IPSec Extended Authentication requested.
Aug 20 10:00:34 MBP configd[16]: IPSec requesting Extended Authentication.
Aug 20 10:00:34 MBP configd[16]: IPSec Controller: XAuth reauthentication dialog required, so connection aborted
Aug 20 10:00:34 MBP configd[16]: IPSec disconnecting from server xx.xx.xx.xx
Aug 20 10:00:34 MBP racoon[38259]: IPSec disconnecting from server xx.xx.xx.xx
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Information message).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Information message).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).

 

Is there a hint here as to any configuration I can change on the MBP, or anything I can ask the network admin to change on the Cisco device to resolve this?

 

Thanks,

Guy

MacBook Pro, Mac OS X (10.7)
  • TomSchober

    Looks like I have the same issue.  The log message that interests me is the "reauthentication dialog required, so connection aborted."  I do not see a dialog pop up asking me to re-authenticate.


    Log:

    Jan 31 11:06:59 LPTS-2 racoon[408]: IPSec Phase1 started (Initiated by me).
    Jan 31 11:06:59 LPTS-2 racoon[408]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
    Jan 31 11:06:59 LPTS-2 racoon[408]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
    Jan 31 11:06:59 LPTS-2 racoon[408]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
    Jan 31 11:06:59 LPTS-2 racoon[408]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
    Jan 31 11:06:59 LPTS-2 racoon[408]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
    Jan 31 11:06:59 LPTS-2 racoon[408]: IPSec Phase1 established (Initiated by me).
    Jan 31 11:06:59 LPTS-2 racoon[408]: IPSec Extended Authentication requested.
    Jan 31 11:06:59 LPTS-2 configd[14]: IPSec requesting Extended Authentication.
    Jan 31 11:06:59 LPTS-2 configd[14]: IPSec Controller: XAuth reauthentication dialog required, so connection aborted
    Jan 31 11:06:59 LPTS-2 configd[14]: IPSec disconnecting from server xxx.xxx.xxx.xx
    Jan 31 11:06:59 LPTS-2 racoon[408]: IPSec disconnecting from server xxx.xxx.xxx.xx
    Jan 31 11:06:59 LPTS-2 racoon[408]: IKE Packet: transmit success. (Information message).
    Jan 31 11:06:59 LPTS-2 racoon[408]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
    Jan 31 11:06:59 LPTS-2 racoon[408]: IKE Packet: transmit success. (Information message).
    Jan 31 11:06:59 LPTS-2 racoon[408]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
    Jan 31 11:06:59 LPTS-2 racoon[408]: IKE Packet: transmit success. (Information message).
    Jan 31 11:06:59 LPTS-2 racoon[408]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).

  • neslein Level 1 (0 points)

    I am experiencing the exact same problem (BTW I've just updated to OSX 10.7.3):

     

    02/02/12 10.15.13,629 racoon: IPSec Phase1 started (Initiated by me).
    02/02/12 10.15.13,635 racoon: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
    02/02/12 10.15.13,810 racoon: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
    02/02/12 10.15.13,810 racoon: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
    02/02/12 10.15.13,810 racoon: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
    02/02/12 10.15.13,810 racoon: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
    02/02/12 10.15.13,810 racoon: IPSec Phase1 established (Initiated by me).
    02/02/12 10.15.13,836 racoon: IKE Packet: receive success. (Information message).
    02/02/12 10.15.13,838 racoon: IPSec Extended Authentication requested.
    02/02/12 10.15.13,838 configd: IPSec requesting Extended Authentication.
    02/02/12 10.15.13,838 configd: IPSec Controller: XAuth reauthentication dialog required, so connection aborted
    02/02/12 10.15.13,839 configd: IPSec disconnecting from server XX.XX.XX.XX
    02/02/12 10.15.13,841 racoon: IPSec disconnecting from server XX.XX.XX.XX
    02/02/12 10.15.13,841 racoon: IKE Packet: transmit success. (Information message).
    02/02/12 10.15.13,841 racoon: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
    02/02/12 10.15.13,841 racoon: IKE Packet: transmit success. (Information message).
    02/02/12 10.15.13,843 racoon: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
    02/02/12 10.15.13,843 racoon: IKE Packet: transmit success. (Information message).
    02/02/12 10.15.13,843 racoon: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
    02/02/12 10.15.13,000 kernel: SIOCPROTODETACH_IN6: utun1 error=6
    02/02/12 10.15.13,975 configd: network configuration changed.

    iMac, Mac OS X (10.7.2)
  • mviltan

    I've had the same problem since moving to Lion. It disconnects every 45-55 mins.

     

    Really annoying!

  • rcha101 Level 1 (0 points)

    I also have this problem. It would be nice if Lion would cache the login details and use them for re-auth. They are cached in Lion for the initial connection which is nice but the fact that you have to enter it again after 45 or so minutes is annoying.

     

    Can we please have a fix?!

  • matthew4130

    I'm not an expert on this, but I've been experiencing this for a bit myself and here is what I've found. There is an IKE rekey attempt at 45 min. If I connect to the VPN through the group I created, I end up using IKE Neg Mode Aggressive. Shortly after the 45 min rekey attempt, my session is dropped. Now on my vpn client, if I leave the group name blank, I connect to the VPN default group. The default group uses IKE Neg Mode Main, and with this I have no problem keeping my session up well beyond 45 min.

     

    Check your IKE Neg Mode. Try the default group if you're not already. If you have an ASA, to see the IKE Neg Mode, from the CLI run

    sho vpn-sessiondb detail ra-ikev1-ipsec

     

    Let me know what you find

  • rcha101 Level 1 (0 points)

    Hi,

     

    I've looked into this a bit further. My ipsec policy allows me to connect via VPN from my mac and my iphone. Previously I noticed it was using aggressive mode in the logs while troubleshooting this. If I disable aggressive-mode globally I cannot login from my iphone. If I remove the group name from the VPN setup on my mac I can no longer connect to the VPN.

     

    I'll look into this more to see if I can have an aggressive-mode policy for my iphone and a main mode policy for my mac, that may be the key to it.

  • cnicksic

    I'm having the same issue.  Like rcha101, I cannot remove the group name.  I cannot find out how to change the IKE Neg Mode but I assume that is set by the administrator of the VPN rather than by individual users like myself.  It appears I'm stuck.  Cisco VPN Client doesn't work in 64-bit and the native VPN disconnects after 45 minutes.  I guess I will try the 32-bit boot and see what happens.  If anyone else has any ideas, I'll continue to follow this thread.  Thanks...

  • cnicksic Level 1 (0 points)

    As others suggested, I rebooted in 32-bit and the Cisco VPN Client works.  I am using version 4.9.01.0180 of the Cisco client which does not work in 64-bit.  I have not been disconnected at all with the Cisco client.  As rcha101 suggested, it appears that the Cisco client caches your login info for reauthentication but the Mac OS Lion native VPN client does not.  Like everyone else, I would like to use the native client if it could be improved to not disconnect every 45 minutes.  Until then, I will continue to run permanently in 32-bit.

     

    Just to summarize for anyone who finds this thread and has the same issue:

     

    1. I had been using Cisco VPN Client with an older version of Mac OS X.
    2. I bought a new MacBook running Mac OS Lion and the Cisco VPN Client failed with "Error 51: Unable to communicate with the VPN subsystem."
    3. I setup the native VPN client according to the instructions at http://anders.com/guides/native-cisco-vpn-on-mac-os-x.
    4. It connects successfully every time but the connection drops every 45 minutes.  According to matthew4130, there is an IKE rekey attempt at 45 minutes because the IKE Neg Mode is set to Aggressive and this fails because the native VPN client does not cache your login information.  This seems to make sense.
    5. The default setting on my new MacBook with Lion is to boot in 64-bit.  It turns out that Cisco VPN Client only works in 32-bit.  I rebooted in 32-bit (hold down 2 and 3 while restarting) and the Cisco VPN Client works perfectly just as previously with my old laptop.

     

    I hope this helps others not suffer through the same pain which I suffered.  And a big thanks to rcha101 and matthew4130 for their posts which helped me immensely -- as well as Anders on his site.

  • Fotos Georgiadis

    I have the same problem with the VPN dropping after ~45 minutes.

     

    matthew4130 is correct. There is an IKE rekey attempt every 45 or so minutes. The default ipsec SA lifetime is an hour (3600 seconds). The lifetime is configured, on Cisco routers, using the command:

    crypto ipsec security-association lifetime

     

    Also the default isakmp policy lifetime is a day (86400 seconds) but a lot of administrators lower this for security reasons:

    crypto isakmp policy

     

    AFAIK the problem isn't related to aggressive mode or main mode being selected, both of which are explained here:

    https://supportforums.cisco.com/docs/DOC-8125

     

    Most likely what matthew4130 sees is that when main mode is enabled a different crypto group, with a bigger lifetime, is selected for the security association (lucky you!). IMHO you shouldn't change the lifetime since 1 hour is reasonable to prevent key recovery attacks.

     

    You can also see the SA lifetime of YOUR ipsec connection using this terminal command on your Mac:

    $ sudo racoonctl ss ipsec

     

    You should see something like this:

    diff: 140(s)hard: 3600(s)soft: 2880(s)

     

    Digging deeper into this I decided to check the (open) source code for ppp available by Apple here:

    http://www.opensource.apple.com/source/ppp/ppp-560.14.2/

     

    As you can see in ipsec_manager.c function process_racoon_msg() the connection is dropped with the message you are seeing (IPSec Controller: XAuth reauthentication dialog required, so connection aborted) when a REAUTHINFO message is received and the flag XAUTH_MUST_PROMPT is set in the xauth_flags.

     

    Note that this code is enabled only when the OS is not for embedded devices (i.e. iPad, iPhone, etc). The message is discarded on those devices and that's why you won't see the 1 hour limit on the iPad or the iPhone.

     

    Now the fix seems easy; instead of dropping the connection when xauth is requested at least prompt the user for the password again using process_xauth_need_info().

     

    Also if you look at an older version of ipsec_manager.c (412.5) that was the previous behavior; reauthenticating instead of dropping the connection. No idea why Apple changed (actually broke) this!

     

    BTW when sending the phase2 command to racoon with racoon_send_cmd_start_ph2() there seems to be a hardcoded default lifetime of 3600 seconds...

     

    All we have to do now is get an Apple engineer to see this post and fix the code!

     

    -fotos

     

    PS1. The IPSec source code is a mess.

    PS2. I logged in with my Apple ID to post this and now my username is stuck as my full name. Privacy fail?
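The post above ties the drop to a rekey that lands roughly 45 minutes after the tunnel comes up, with configd aborting instead of prompting for XAuth. As an added example (not code from the thread or from Apple's ppp/racoon source), the following Python script reads syslog-style lines like the ones posted in this thread, notes when Phase 1 first came up, and reports each "XAuth reauthentication dialog required" abort with the IKE exchange mode seen and the tunnel age at that moment. The sample log is constructed (host, pid and the redacted peer IP are placeholders); the "Main-Mode" label and the 2400-3600 s rekey window are assumptions taken from racoon's "Aggressive-Mode" wording and the hard/soft SA lifetimes quoted above.

```python
"""Spot the "XAuth reauthentication dialog required" drop in Lion racoon/configd logs."""
import re
from datetime import datetime

# Syslog line as written by racoon/configd: "Aug 20 10:00:34 HOST proc[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>\w+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
ABORT_MSG = "XAuth reauthentication dialog required, so connection aborted"
# Assumption: racoon labels the exchange "Aggressive-Mode" or "Main-Mode" in its IKE Packet lines.
MODE_RE = re.compile(r"(Aggressive|Main)-Mode")
# Heuristic window (assumption): a drop this long after Phase 1 came up sits between the
# 2880 s soft and 3600 s hard SA lifetimes quoted in the thread, i.e. a rekey-time drop.
REKEY_WINDOW_S = (2400, 3600)

# Constructed sample: a first connection at 09:15 followed, 45 minutes later, by the
# rekey sequence quoted in the thread (host, pid and redacted peer IP are placeholders).
SAMPLE_LOG = """\
Aug 20 09:15:12 MBP racoon[38259]: IPSec Phase1 started (Initiated by me).
Aug 20 09:15:12 MBP racoon[38259]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Aug 20 09:15:12 MBP racoon[38259]: IPSec Phase1 established (Initiated by me).
Aug 20 09:15:12 MBP racoon[38259]: IPSec Extended Authentication requested.
Aug 20 09:15:12 MBP configd[16]: IPSec requesting Extended Authentication.
Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 started (Initiated by me).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 established (Initiated by me).
Aug 20 10:00:34 MBP racoon[38259]: IPSec Extended Authentication requested.
Aug 20 10:00:34 MBP configd[16]: IPSec requesting Extended Authentication.
Aug 20 10:00:34 MBP configd[16]: IPSec Controller: XAuth reauthentication dialog required, so connection aborted
Aug 20 10:00:34 MBP configd[16]: IPSec disconnecting from server xx.xx.xx.xx
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
"""


def parse_ts(text):
    """Parse the syslog timestamp; the year is irrelevant for same-day differences."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def analyze(log_text):
    """Return one record per XAuth abort: when it happened, exchange mode, tunnel age."""
    established_at = None  # first Phase 1 establishment of the current tunnel
    mode = None
    drops = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        seen = MODE_RE.search(msg)
        if seen:
            mode = seen.group(1)
        # Later "Phase1 established" lines are rekeys of the same tunnel, so keep the first one.
        if "IPSec Phase1 established" in msg and established_at is None:
            established_at = ts
        if ABORT_MSG in msg:
            age = int((ts - established_at).total_seconds()) if established_at else None
            drops.append({
                "at": m["ts"],
                "process": m["proc"],
                "mode": mode,
                "tunnel_age_s": age,
                "rekey_time_drop": age is not None and REKEY_WINDOW_S[0] <= age <= REKEY_WINDOW_S[1],
            })
            established_at = None  # tunnel is gone; the next Phase 1 is a fresh connection
    return drops


if __name__ == "__main__":
    for d in analyze(SAMPLE_LOG):
        print(f"{d['at']}: {d['process']} aborted after {d['tunnel_age_s']} s "
              f"({d['mode']} mode, rekey-time drop: {d['rekey_time_drop']})")
```

Run it against `grep racoon /var/log/system.log` output instead of the sample to see whether your own drops cluster in the rekey window; a drop outside it points at something other than the lifetime (DPD, for instance, as the later post in this thread describes).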

  • Fotos Georgiadis Level 1 (10 points)

    Hey,

     

    unfortunately it seems that you can't build ppp since a lot of (closed source) headers are missing. And even if you could I doubt it'd work correctly with the rest of the OS (with important stuff missing). TBH I haven't tried to build ppp and you might succeed but I don't think it's worth it. That's why I asked for an Apple engineer!

     

    On the other hand I've got great news!

     

    I managed to keep the VPN connection up past the 45min mark. This is not for the faint at heart and all disclaimers apply. Here's how:

     

    I had two problems with our VPN connection. The first one was the 45-minute hard limit. But I also had a problem with the DPD (Dead Peer Detection) which would kill all SSH connections whenever it triggered. And this could happen as soon as 3 minutes after connecting or even after 30 minutes. Basically with the VPN connection being flaky I couldn't get anything done over the VPN.

     

    Here is how I solved both problems:

     

    01. Connect to the VPN (so OSX generates the racoon configuration file)
    02. Copy the generated configuration file to /etc/racoon:
        $ sudo cp /var/run/racoon/1.1.1.1.conf /etc/racoon
    03. Edit the racoon configuration file with your favorite editor (vim):
        $ sudo vim /etc/racoon/racoon.conf
    04. At the bottom of the file comment out the line:
        # include "/var/run/racoon/*.conf" ;
    05. ... and instead include the copied file (which we will edit):
        include "/etc/racoon/1.1.1.1.conf" ;
    06. Edit the generated configuration file with your favorite editor (vim):
        $ sudo vim /etc/racoon/1.1.1.1.conf
    07. Disable dead peer detection:
        dpd_delay 0;
    08. Change proposal check to claim from obey:
        proposal_check claim;
    09. Change the proposed lifetime in each proposal (24 hours instead of 3600 seconds):
        lifetime time 24 hours;
    10. Disconnect and reconnect (this time racoon will use your custom configuration)
    11. Use the VPN for at least 45 minutes and hopefully it won't drop!

     

    The most important thing is to change the proposal_check option. From the racoon.conf manual:

    proposal_check level;

        claim    If the responder's lifetime length is longer than the initiator's or the
                 responder's key length is shorter than the initiator's, the responder will
                 use the initiator's value. If the responder's lifetime length is shorter than the
                 initiator's, the responder uses its own length AND sends a RESPONDER-LIFETIME
                 notify message to an initiator in the case of lifetime (phase 2 only)

     

    Caveats: if you use multiple VPN connections you have to copy all configuration files to /etc/racoon and add appropriate include lines. If your VPN server changes IP you have to remember to update this file since changing it in System Preferences won't have an effect, etc. Cumbersome but it works! This is definitely not a long term solution and I'd like to see Apple fix this.

     

    Give it a shot ... it might work for you too but YMMV. Please post back whether it works for you or not.

     

    Cheers,

    -fotos

     

    PS. Wrote this while being connected on the VPN for 8 straight hours!
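The eleven steps above amount to two text edits: three settings in the copied peer file and one include line in racoon.conf. As an added example (not code from the thread, nor from Apple's ppp or racoon), the following Python script performs those edits on strings and prints the result as a unified diff, so the changes can be reviewed before anything under /etc/racoon is touched. The peer file is a constructed stand-in: the IP 1.1.1.1 and the algorithm lines are placeholders and only the dpd_delay, proposal_check and lifetime lines matter; the racoon.conf tail is the one quoted in this thread. The diff also makes the trade-off explicit: dpd_delay 0 turns dead peer detection off, and a 24-hour lifetime stretches the one hour the earlier post calls reasonable, so the patched file should be kept only as long as the workaround is needed.

```python
"""Rewrite a generated racoon peer file and racoon.conf as described in the steps above."""
import difflib
import re

# Constructed stand-in for /var/run/racoon/1.1.1.1.conf (peer IP and algorithms are placeholders).
SAMPLE_PEER_CONF = """\
remote 1.1.1.1 {
    exchange_mode aggressive;
    dpd_delay 20;
    proposal_check obey;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method xauth_psk_client;
        dh_group 2;
        lifetime time 3600 sec;
    }
}
sainfo address 0.0.0.0/0 any address 1.1.1.1/32 any {
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    lifetime time 3600 sec;
}
"""

# Tail of /etc/racoon/racoon.conf as quoted in this thread.
SAMPLE_RACOON_CONF = """\
# Allow third parties the ability to specify remote and sainfo entries
# by including all files matching /var/run/racoon/*.conf
include "/var/run/racoon/*.conf" ;
"""

# Steps 07 to 09: each pattern keeps the original indentation via the first group.
PEER_REWRITES = [
    (re.compile(r"^(\s*)dpd_delay\s+\d+\s*;", re.M), r"\g<1>dpd_delay 0;"),
    (re.compile(r"^(\s*)proposal_check\s+\w+\s*;", re.M), r"\g<1>proposal_check claim;"),
    (re.compile(r"^(\s*)lifetime\s+time\s+\d+\s+\w+\s*;", re.M), r"\g<1>lifetime time 24 hours;"),
]


def patch_peer_conf(text):
    """Return the peer configuration with DPD off, proposal_check claim and 24 h lifetimes."""
    for pattern, replacement in PEER_REWRITES:
        text = pattern.sub(replacement, text)
    return text


def rewrite_include(racoon_conf, peer_ip):
    """Steps 04 and 05: comment out the wildcard include and include the copied peer file."""
    wildcard = re.compile(r'^include\s+"/var/run/racoon/\*\.conf"\s*;[ \t]*$', re.M)
    if not wildcard.search(racoon_conf):
        raise ValueError("wildcard include not found; racoon.conf differs from the thread's layout")
    return wildcard.sub(
        lambda m: f'# {m.group(0)}\ninclude "/etc/racoon/{peer_ip}.conf" ;', racoon_conf
    )


def unified_diff(before, after, name):
    """Unified diff of the generated text against the patched text, for review."""
    return "".join(difflib.unified_diff(
        before.splitlines(True), after.splitlines(True),
        f"{name} (generated)", f"{name} (patched)"))


if __name__ == "__main__":
    print(unified_diff(SAMPLE_PEER_CONF, patch_peer_conf(SAMPLE_PEER_CONF), "1.1.1.1.conf"))
    print(unified_diff(SAMPLE_RACOON_CONF, rewrite_include(SAMPLE_RACOON_CONF, "1.1.1.1"),
                       "racoon.conf"))
```

Feeding the real files in (read from /var/run/racoon and /etc/racoon, written back only after the diff looks right) keeps step 10 reproducible, and rewrite_include refuses to run twice on the same racoon.conf so the wildcard line is never commented out a second time.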

  • mviltan Level 1 (0 points)

    Thanks for your help. I've followed your instructions but when I connect and check /var/run/racoon/ipaddress.conf

     

    it has

     

    dpd_delay 20;

    proposal_check obey;

     

     

    In /etc/racoon/ipaddress.conf

     

    dpd_delay 0;

    proposal_check claim;

     

     

    In /etc/racoon/racoon.conf I have this:

     

    # Allow third parties the ability to specify remote and sainfo entries

    # by including all files matching /var/run/racoon/*.conf

    # This line should be added at the end of the racoon.conf file

    # so that settings such as timer values will be appropriately applied.

    # include "/var/run/racoon/*.conf" ;

    include "/etc/racoon/ipaddress.conf" ;

     

     

    What am I missing??
