Q: Built-in IPsec VPN randomly drops to Cisco VPN server
I'm using the built-in IPsec VPN client on Lion and the VPN connection randomly drops. I've found this in the system.log file corresponding to the time when the connection drops:
Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 started (Initiated by me).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 established (Initiated by me).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: receive success. (Information message).
Aug 20 10:00:34 MBP racoon[38259]: IPSec Extended Authentication requested.
Aug 20 10:00:34 MBP configd[16]: IPSec requesting Extended Authentication.
Aug 20 10:00:34 MBP configd[16]: IPSec Controller: XAuth reauthentication dialog required, so connection aborted
Aug 20 10:00:34 MBP configd[16]: IPSec disconnecting from server xx.xx.xx.xx
Aug 20 10:00:34 MBP racoon[38259]: IPSec disconnecting from server xx.xx.xx.xx
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Information message).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Information message).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
Is there a hint here as to any configuration I can change on the MBP, or anything I can ask the network admin to change on the Cisco device to resolve this?
Thanks,
Guy
MacBook Pro, Mac OS X (10.7)
Posted on Aug 20, 2011 8:33 AM
Hey,
unfortunately it seems that you can't build ppp since a lot of (closed source) headers are missing. And even if you could I doubt it'd work correctly with the rest of the OS (with important stuff missing). TBH I haven't tried to build ppp and you might succeed but I don't think it's worth it. That's why I asked for an Apple engineer!
On the other hand I've got great news!
I managed to keep the VPN connection up past the 45 min mark. This is not for the faint of heart and all disclaimers apply. Here's how:
I had two problems with our VPN connection. The first one was the 45-minute hard limit. But I also had a problem with the DPD (Dead Peer Detection), which would kill all SSH connections whenever it triggered. And this could happen as soon as 3 minutes after connecting or even after 30 minutes. Basically, with the VPN connection being flaky I couldn't get anything done over the VPN.
Here is how I solved both problems:
01. Connect to the VPN (so OSX generates the racoon configuration file)
02. Copy the generated configuration file to /etc/racoon:
$ sudo cp /var/run/racoon/1.1.1.1.conf /etc/racoon
03. Edit the racoon configuration file with your favorite editor (vim):
$ sudo vim /etc/racoon/racoon.conf
04. At the bottom of the file comment out the line:
# include "/var/run/racoon/*.conf" ;
05. ... and instead include the copied file (which we will edit):
include "/etc/racoon/1.1.1.1.conf" ;
06. Edit the generated configuration file with your favorite editor (vim):
$ sudo vim /etc/racoon/1.1.1.1.conf
07. Disable dead peer detection:
dpd_delay 0;
08. Change proposal check to claim from obey:
proposal_check claim;
09. Change the proposed lifetime in each proposal (24 hours instead of 3600 seconds):
lifetime time 24 hours;
10. Disconnect and reconnect (this time racoon will use your custom configuration)
11. Use the VPN for at least 45 minutes and hopefully it won't drop!
The most important thing is to change the proposal_check option. From the racoon.conf manual:
proposal_check level;
claim    If the responder's lifetime length is longer than the initiator's or the responder's key length is shorter than the initiator's, the responder will use the initiator's value. If the responder's lifetime length is shorter than the initiator's, the responder uses its own length AND sends a RESPONDER-LIFETIME notify message to an initiator in the case of lifetime (phase 2 only).
Caveats: if you use multiple VPN connections you have to copy all configuration files to /etc/racoon and add appropriate include lines. If your VPN server changes IP you have to remember to update this file since changing it in System Preferences won't have an effect, etc. Cumbersome but it works! This is definitely not a long term solution and I'd like to see Apple fix this.
Give it a shot ... it might work for you too but YMMV. Please post back whether it works for you or not.
Cheers,
-fotos
PS. Wrote this while being connected on the VPN for 8 straight hours!
Posted on Apr 18, 2012 3:48 PM
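The file edits in steps 2 to 9 above as an added shell helper, written for this page and not part of the original post, Apple's ppp/racoon, or the racoon project. The sed patterns, the SERVER_IP.conf naming, and the count_directive check are my assumptions about the layout of the generated file; paths are parameters so it can be tried on a scratch copy before touching /etc/racoon as root.

```shell
#!/bin/sh
# Added helper, not from the original post: applies the post's racoon edits
# to a copy of the generated per-server config. File paths are parameters so
# it can be tried on a scratch copy first; real use targets /etc/racoon as root.
set -eu

# patch_vpn_conf SRC DEST
# Copies SRC to DEST, rewriting the three directives from steps 7 to 9:
#   dpd_delay -> 0, proposal_check -> claim, every 'lifetime time' -> 24 hours
# Only lines that already carry the directive change; nothing is appended.
patch_vpn_conf() {
    src=$1; dest=$2
    sed -e 's/^\([[:space:]]*\)dpd_delay[[:space:]]\{1,\}[0-9]\{1,\}[[:space:]]*;/\1dpd_delay 0;/' \
        -e 's/^\([[:space:]]*\)proposal_check[[:space:]]\{1,\}[a-z]\{1,\}[[:space:]]*;/\1proposal_check claim;/' \
        -e 's/^\([[:space:]]*\)lifetime[[:space:]]\{1,\}time[[:space:]]\{1,\}[0-9]\{1,\}[[:space:]]\{1,\}[a-z]\{1,\}[[:space:]]*;/\1lifetime time 24 hours;/' \
        "$src" > "$dest"
}

# patch_include RACOON_CONF INCLUDE_PATH
# Steps 4 and 5: comment out the wildcard include of /var/run/racoon and
# append an include for the edited copy instead.
patch_include() {
    conf=$1; inc=$2
    sed -e 's|^[[:space:]]*include "/var/run/racoon/\*\.conf"[[:space:]]*;|# &|' "$conf" > "$conf.tmp"
    printf 'include "%s" ;\n' "$inc" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# count_directive FILE DIRECTIVE VALUE: prints how many lines read
# "DIRECTIVE VALUE;" so the result can be checked before reconnecting.
count_directive() {
    grep -c "^[[:space:]]*$2[[:space:]]\{1,\}$3[[:space:]]*;" "$1" || true
}

# Usage: sh patch_racoon.sh SERVER_IP  (as root, after connecting once so that
# OS X has written /var/run/racoon/SERVER_IP.conf). No arguments: define only.
if [ "$#" -eq 1 ]; then
    ip=$1
    patch_vpn_conf "/var/run/racoon/$ip.conf" "/etc/racoon/$ip.conf"
    patch_include /etc/racoon/racoon.conf "/etc/racoon/$ip.conf"
    echo "dpd_delay 0 lines: $(count_directive "/etc/racoon/$ip.conf" dpd_delay 0)"
fi
```

Run it once per VPN server, matching the post's caveat that every connection needs its own copied file and include line.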