GuyHelmer

Q: Built-in IPsec VPN randomly drops to Cisco VPN server

I'm using the built-in IPsec VPN client on Lion and the VPN connection randomly drops.  I've found this in the system.log file corresponding to the time when the connection drops:

 

Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 started (Initiated by me).

Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).

Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).

Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).

Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).

Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).

Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 established (Initiated by me).

Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: receive success. (Information message).

Aug 20 10:00:34 MBP racoon[38259]: IPSec Extended Authentication requested.

Aug 20 10:00:34 MBP configd[16]: IPSec requesting Extended Authentication.

Aug 20 10:00:34 MBP configd[16]: IPSec Controller: XAuth reauthentication dialog required, so connection aborted

Aug 20 10:00:34 MBP configd[16]: IPSec disconnecting from server xx.xx.xx.xx

Aug 20 10:00:34 MBP racoon[38259]: IPSec disconnecting from server xx.xx.xx.xx

Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Information message).

Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).

Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Information message).

Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).

 

Is there a hint here as to any configuration I can change on the MBP, or anything I can ask the network admin to change on the Cisco device to resolve this?

 

Thanks,

Guy

MacBook Pro, Mac OS X (10.7)

Posted on Aug 20, 2011 8:33 AM


Previous Page 2 of 6 last Next
  • by mviltan, Level 1 (0 points), Apr 19, 2012 7:13 AM in response to GuyHelmer

    Yes, sorry, I should have mentioned that.

     

    The way I understand it is that once connected it should use the settings which are in /etc/racoon/ipaddress.conf, which show up in a file in /var/run/racoon/ipaddress.conf.

     

    /var/run/racoon/ipaddress.conf seems to be defaulting back to the original settings, so it's not picking it up even though in /etc/racoon/racoon.conf I have:

     

    # include "/var/run/racoon/*.conf" ;

    include "/etc/racoon/132.185.143.14.conf" ;

  • by GuyHelmer, Level 1 (1 points), Apr 19, 2012 7:40 AM in response to mviltan

    Yes, /var/run/racoon/ipaddress.conf will be re-written each time the VPN connection is made, which is why you need to copy it to /etc/racoon and change /etc/racoon/racoon.conf to include /etc/racoon/ipaddress.conf instead of /var/run/racoon/*.conf.

  • by rcha101, Level 1 (0 points), Apr 22, 2012 5:40 PM in response to Fotos Georgiadis

    In regard to the IKE lifetime, the lower of the two peers' lifetimes is used. On my Cisco router I have not changed the default from 24 hours, but both the iPhone and Mac (Lion) have defaults of 60 mins (3600 seconds).

     

    "A match is made when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values, and when the policy of the remote peer specifies a lifetime less than or equal to the lifetime in the compared policy. If the lifetimes are not identical, the shorter lifetime—from the policy of the remote peer—is used."

     

     

    The problem occurs on both Mac and iPhone. The problems are:

    1. On the Mac I have to manually re-enter my username and password at the 45-minute mark.

    2. On the iPhone, at the 45-minute mark, which I believe is the first re-key attempt, the connection just drops and I have to VPN in again.

     

    While the solution proposed is a good workaround for those on the Mac, it does not solve either of the above issues and only delays the XAuth re-authentication.

     

    Apple please fix!

  • by mviltan, Level 1 (0 points), Apr 27, 2012 1:40 AM in response to Fotos Georgiadis

    Fotos Georgiadis, thanks for your help on this, it all seems to be working. Much appreciated.

  • by soljaboy1906, Level 1 (0 points), Jun 30, 2012 7:42 PM in response to GuyHelmer

    Fotos Georgiadis <<-- This guy is a genius!! Thanks buddy, if you were here in America I would buy you a beer! Running 10.6.8 connecting to a Cisco 3945 configured as Easy VPN Server with XAUTH. The client connected but would drop at 1 hour. The ISAKMP SA lifetime was set to the default 86400 sec, but "sho crypto isakmp sa" was showing a countdown from 1 hour! Googled like crazy until I ran up on this thread. Saved me about $800 (plane ticket) and time away from my family just to go configure a VMware server that I need to stay connected to for more than an hour while I install software from a virtual disk mount!

     

    Why can't Apple just give us these parameters to change in the network GUI?!? There is an advanced tab on VPN; come on, this is pretty important stuff.

  • by nronchetti, Level 1 (0 points), Jul 4, 2012 7:24 AM in response to GuyHelmer

    Problem still exists in Mountain Lion. I will try this fix and report back.

  • by Jay_Levitt, Level 1 (10 points), Jul 24, 2012 9:29 AM in response to Fotos Georgiadis

    This is a terrific help!  One question: It'd be great if I could continue including /var/run/racoon/*.conf, so that when I (inevitably) create a new VPN connection and forget to copy over the .conf file, it'll still work.  But I can't find a way to detect what's happening when the same remote is defined twice, which would tell me whether the "include *.conf" should come first or second.

     

    Any ideas?  I looked at the source but don't have the stomach to parse through lex/yacc...

  • by mckinasole, Level 1 (0 points), Jul 27, 2012 7:23 PM in response to GuyHelmer

    To make it easier on you all, you can copy and paste the following commands. The only difference is the lifetime: I personally set it to 168 hours instead of 24.

     

    sudo mkdir /etc/racoon/remote

    sudo sed -i.bak 's/lifetime time 3600 sec/lifetime time 168 hours/' /var/run/racoon/*.conf \
      && sudo mv /var/run/racoon/*.conf /etc/racoon/remote

    sudo patch /etc/racoon/racoon.conf <<EOF --- /etc/racoon.orig/racoon.conf     2009-06-23 09:09:08.000000000 +0200 +++ /etc/racoon/racoon.conf     2009-12-11 13:52:11.000000000 +0100 @@ -135,4 +135,5 @@ # by including all files matching /var/run/racoon/*.conf # This line should be added at the end of the racoon.conf file # so that settings such as timer values will be appropriately applied. +include "/etc/racoon/remote/*.conf" ; include "/var/run/racoon/*.conf" ; EOF
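    Review bot: the hunk leaves include "/var/run/racoon/*.conf" ; in place after the new include "/etc/racoon/remote/*.conf" ; line, so racoon still reads the freshly generated file with its lifetime time 3600 sec for the same remote on every connection, and nothing in the patch says which of the two remote definitions racoon applies; either comment the /var/run include out (as mviltan's racoon.conf above does) or verify the effective lifetime on a live connection before relying on the order. The header @@ -135,4 +135,5 @@ and the 2009 file timestamps also come from a different racoon.conf revision, so patch may apply with an offset or reject the hunk on Lion or Mountain Lion; check for a racoon.conf.rej file and confirm the include line actually landed at the end of the file before restarting racoon.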

    sudo launchctl stop com.apple.racoon

    sudo launchctl start com.apple.racoon
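    As an added example (not code from this thread or from Apple's racoon), the script below rehearses mckinasole's copy-and-rewrite procedure against a constructed stand-in for the generated /var/run/racoon/<ip>.conf in a temporary directory rather than the real /etc/racoon, and folds in the phase 1 lifetime rule rcha101 quoted from the Cisco documentation (the shorter of the two peers' lifetimes wins). The sample config, the 203.0.113.10 address, the function names and the directory names are assumptions. The two checks at the end are the ones worth running before restarting racoon for real: no "3600 sec" left in the persisted copy, and the include lines in the intended order.

```shell
#!/bin/sh
# Added example, not from the thread: rehearse the racoon lifetime workaround
# on a constructed copy of a generated remote config, without touching the
# real /var/run/racoon or /etc/racoon. Paths, names and the sample config
# are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the file racoon writes as /var/run/racoon/<server-ip>.conf
# when a connection is made. The 3600 sec lifetimes are the values the thread
# identifies as the trigger for the XAuth re-authentication dialog.
GENERATED="$WORK/203.0.113.10.conf"
cat > "$GENERATED" <<'EOF'
remote 203.0.113.10 {
        exchange_mode aggressive;
        doi ipsec_doi;
        verify_identifier off;
        generate_policy on;
        nonce_size 16;
        lifetime time 3600 sec;
        initial_contact on;
        proposal_check obey;
        nat_traversal on;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                authentication_method xauth_psk_client;
                dh_group 2;
                lifetime time 3600 sec;
        }
}
EOF

# Copy a generated config into a persistent directory and raise every
# "lifetime time 3600 sec" to the requested number of hours, the way the
# sed/mv step in the post does. Prints the path of the new file.
# Usage: persist_remote_conf <generated.conf> <dest-dir> <hours>
persist_remote_conf() {
    src=$1; dest=$2; hours=$3
    mkdir -p "$dest"
    out="$dest/$(basename "$src")"
    sed "s/lifetime time 3600 sec/lifetime time $hours hours/" "$src" > "$out"
    printf '%s\n' "$out"
}

# How many default 3600 sec lifetimes are still in a file (0 = rewrite complete).
count_default_lifetimes() {
    grep -c 'lifetime time 3600 sec' "$1" || true
}

# The include block to append to racoon.conf: persistent copies first, then the
# auto-generated directory, in the order the post's patch uses.
racoon_include_lines() {
    printf 'include "%s/*.conf" ;\n' "$1"
    printf 'include "/var/run/racoon/*.conf" ;\n'
}

# IKE phase 1 negotiation uses the shorter of the two peers' lifetimes
# (Cisco documentation quoted earlier in the thread). Both values in seconds.
effective_ike_lifetime() {
    if [ "$1" -lt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Rehearsal run
PERSISTED=$(persist_remote_conf "$GENERATED" "$WORK/etc-racoon-remote" 168)
echo "persisted copy: $PERSISTED"
echo "default lifetimes in generated file: $(count_default_lifetimes "$GENERATED")"
echo "default lifetimes left in persisted copy: $(count_default_lifetimes "$PERSISTED")"
racoon_include_lines "$WORK/etc-racoon-remote"
echo "phase 1 lifetime with Cisco default 86400 s vs client 3600 s: $(effective_ike_lifetime 86400 3600) s"
```

    The min() check is the reason the Cisco side's 24-hour default never helps on its own: as long as the client offers 3600 seconds, that is the lifetime both peers end up with, so the rewrite has to happen in the client's remote block. Because racoon regenerates /var/run/racoon/<ip>.conf on every connection, the persisted copy is the only place an edited lifetime survives.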

  • by mckinasole, Level 1 (0 points), Jul 27, 2012 9:30 PM in response to mckinasole

    The above fixed my disconnects. You shouldn't have to edit the proposal_check and other settings in the ipaddress.conf file, and there is no need to redo this for different VPN connections. The catch-all *.conf will still work with the above fix.

  • by arthurc, Level 1 (0 points), Aug 1, 2012 3:58 AM in response to nronchetti

    Yup. I was hoping Apple would finally fix this glaring issue in ML. Come on Apple, throw a bone to those that use the Mac for something more substantial than playing Angry Birds 24/7. I'm not bitter though (ha).

  • by Ripmax2000, Level 1 (0 points), Sep 24, 2012 8:11 AM in response to arthurc

    I tried this in Mountain Lion and at first I couldn't connect to the VPN at all. Turned out the reason was because of step 8.

     

    I left proposal check to obey, and made all the other changes, now the solution works great with Mountain Lion.

     

    Thanks a lot Fotos, you're a genius!

  • by Andyjhs1, Level 1 (0 points), Oct 4, 2012 3:59 PM in response to Fotos Georgiadis

    Hi Fotos,

    I used your instructions, but after that my VPN doesn't connect. It gives the below error in the logs:

     

    10/4/12 5:29:12.147 PM configd[23]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0

    10/4/12 5:29:12.241 PM configd[23]: IPSec Phase1 starting.

    10/4/12 5:29:12.241 PM configd[23]: IPSec port-mapping update for en1 indicates no NAT. Public Address: a8f4136c, Protocol: None, Private Port: 0, Public Port: 0.

    10/4/12 5:29:22.241 PM configd[23]: IPSec disconnecting from server 165.244.164.5

    10/4/12 5:29:22.241 PM racoon[41759]: IPSec disconnecting from server 165.244.164.5

    10/4/12 5:29:22.246 PM racoon[41759]: IPSec disconnecting from server 165.244.164.5

     

    Once I change the racoon.conf to point to /var/run/racoon/*.conf it starts working again. Even if I keep the generated conf file in a different directory, it's still not working. The only time it will work is when racoon.conf is pointing to /var/run/racoon/*.conf. Any other path just fails.

     

    Any help is highly appreciated.

    Rgds,

    Anand

  • by Fotos Georgiadis, Level 1 (10 points), Oct 7, 2012 9:46 AM in response to Andyjhs1

    Unfortunately, Andyjhs1, I have no idea what is wrong with your configuration. You should provide more info (for example, are you on Lion or ML, a tcpdump if possible, etc.) and somebody might be able to help you.

     

    Due to the many bugs found in the IPSec Apple configuration I gave up on racoon and decided to start using vpnc. One of the problems I had was that even though the VPN tunnel worked non-stop, whenever I closed the VPN connection, networking stopped working (pun) and somehow the routes got messed up. The only workaround was to pull the ethernet plug / on-off the WiFi, which resets networking and the routes. Totally broke my nerves after a month.

     

    Last month I brewed the latest version of vpnc (0.5.3). The configuration was a breeze and everything is working fine. It also allows me to set up some custom routes that were not being offered by our Cisco (our admins got lazy!) and there was no way to configure them using System Preferences.

     

    Yes, I'd definitely love a native Apple-supported working solution, but until then vpnc will do.

  • by Fotos Georgiadis, Level 1 (10 points), Oct 7, 2012 9:53 AM in response to Jay_Levitt

    Well, I tried to figure this out too, but eventually it didn't matter for me, so I gave up on whether the order is important or the configuration was overwritten. Personally, after what I went through (reading IPsec source code, yuck!) to get a working configuration, I won't forget about it!

  • by Fotos Georgiadis, Level 1 (10 points), Oct 7, 2012 9:56 AM in response to soljaboy1906

    Thanks soljaboy1906. Glad to be of some help! Family time's good!
