
Mountain Lion (10.8) certificates-based L2TP over IPsec VPN kaput

16357 Views 33 Replies Latest reply: Feb 13, 2014 4:08 PM by tqxw RSS
3g91ld3a Level 1 Level 1 (0 points)
Jul 30, 2012 11:48 AM

After upgrading to Mountain Lion, my certificates-based L2TP over IPsec VPN stopped working. However, it works fine using a PSK instead of certificates. OS X 10.7, as well as Windows clients, have no trouble with the certificates. For OS X 10.8, the VPN server is complaining that the payload is faulty. So, since this works fine for OS X 10.7 and Windows clients, I have to conclude that the Mac client is mangling the certificate payload in 10.8.

In the Mac logs, I see the same as the user in this thread: https://discussions.apple.com/message/19058470#19058470 . I have also followed the suggested solution in that thread of allowing all applications access to the private key in the Keychain, to no avail: the issue persists and the logs are unchanged.

Any ideas?

Cheers.

MacBook Pro, OS X Mountain Lion
  • haraldfromenns Level 1 Level 1 (5 points)

    Hi,

    Have the same issue. IPsec stopped working after the f+++ Mountain Lion update.

    I did a lot of debug and research - no solution yet.

    Any news from your side?

  • beamzz Level 1 Level 1 (0 points)

    Hi,

    I also have the exact same problem!!

    I am surprised that there is no official comment yet from Apple..

  • haraldfromenns Level 1 Level 1 (5 points)

    Hi,

    Interesting detail: if I connect from the LAN side to our VPN system, the IPsec connection goes up!

    When I come from the WAN side, the connection never goes to the established state.

    The error message on the server side is:

    >>next payload type of ISAKMP Message has an unknown value: 132

    @APPLE: you really messed something up here - please fix!
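For anyone trying to make sense of that server-side message, here is an added example (my own code, not from this thread and not racoon's or strongSwan's) that walks the payload chain of an ISAKMP message the way a responder does before it can complain about a payload type it does not recognise. The layout follows RFC 2408 (28-byte header, then payloads each carrying a next-payload byte and a length) with the NAT-T payload numbers from RFC 3947; the sample message, and the payload of type 132 inside it, are constructed to reproduce the log line, so the parser says nothing about what the 10.8 client actually sends.

```python
import struct

# ISAKMP payload type numbers from RFC 2408 section 3.1, plus the NAT-T payloads
# assigned in RFC 3947. Anything else is reserved (14-127) or private use (128-255).
ISAKMP_PAYLOAD_NAMES = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
    8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
    20: "NAT-D", 21: "NAT-OA",
}

ISAKMP_HEADER_LEN = 28   # two 8-byte cookies, four single bytes, message ID, length
GENERIC_HEADER_LEN = 4   # next payload, reserved, payload length


def describe_payload_type(ptype):
    """Name a payload type the way a responder would classify it."""
    if ptype in ISAKMP_PAYLOAD_NAMES:
        return ISAKMP_PAYLOAD_NAMES[ptype]
    if 14 <= ptype <= 127:
        return "reserved (14-127)"
    return "private use (128-255)"


def walk_payloads(msg):
    """Follow the next-payload chain of one ISAKMP message.

    Returns a list of dicts (offset, type, name, length), one per payload, in
    order. Raises ValueError on a truncated or inconsistent message instead of
    reading past the buffer, which is how a responder must treat untrusted input.
    """
    if len(msg) < ISAKMP_HEADER_LEN:
        raise ValueError("message shorter than the 28-byte ISAKMP header")
    (_icookie, _rcookie, next_payload, _version, _exchange, _flags,
     _msg_id, length) = struct.unpack("!8s8sBBBBII", msg[:ISAKMP_HEADER_LEN])
    if length != len(msg):
        raise ValueError("header length %d does not match %d bytes received"
                         % (length, len(msg)))
    chain = []
    offset = ISAKMP_HEADER_LEN
    ptype = next_payload
    while ptype != 0:
        if offset + GENERIC_HEADER_LEN > len(msg):
            raise ValueError("payload chain runs past end of message at %d" % offset)
        nxt, _reserved, plen = struct.unpack("!BBH", msg[offset:offset + GENERIC_HEADER_LEN])
        if plen < GENERIC_HEADER_LEN or offset + plen > len(msg):
            raise ValueError("payload at offset %d has bad length %d" % (offset, plen))
        chain.append({"offset": offset, "type": ptype,
                      "name": describe_payload_type(ptype), "length": plen})
        offset += plen
        ptype = nxt
    return chain


def unknown_payload_types(msg):
    """Payload type values in msg that are not in the known table."""
    return [p["type"] for p in walk_payloads(msg) if p["type"] not in ISAKMP_PAYLOAD_NAMES]


def is_well_formed(msg):
    """True if the whole payload chain can be walked without running off the end."""
    try:
        walk_payloads(msg)
        return True
    except ValueError:
        return False


def build_message(payloads, exchange_type=2):
    """Assemble a Main Mode (exchange type 2) message from (type, body) pairs."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, GENERIC_HEADER_LEN + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x10,
                         exchange_type, 0, 0, ISAKMP_HEADER_LEN + len(body))
    return header + body


# Constructed sample: an SA payload followed by a payload of type 132, the value
# the thread's server logs complain about. The bodies are filler, not real data.
SAMPLE_MESSAGE = build_message([(1, b"\x00" * 8), (132, b"\xaa" * 4)])

if __name__ == "__main__":
    for p in walk_payloads(SAMPLE_MESSAGE):
        print("offset %(offset)2d  type %(type)3d  %(name)-22s len %(length)d" % p)
    for t in unknown_payload_types(SAMPLE_MESSAGE):
        print("next payload type of ISAKMP Message has an unknown value: %d" % t)
```

The value 132 falls in the 128-255 range that RFC 2408 sets aside for private use, so a responder that only knows the standard table has no choice but to reject it; a packet capture of the first Main Mode message from the 10.8 client, fed to walk_payloads, would show which payload carries it.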

  • christophefrom25 Level 1 Level 1 (0 points)

    Hi,

    I have exactly the same problem. Could you tell me more about using PSK instead of certificates? How do you do this? Is there something to change on the server side?

    Thanks a lot for your answers.

  • ct181 Level 1 Level 1 (0 points)

    I've been able to solve this problem by copying the following three files from my last OSX 10.7 backup into the 10.8 installation:

    1. /usr/sbin/racoon
    2. /System/Library/LaunchDaemons/com.apple.racoon.plist
    3. /System/Library/Sandbox/Profiles/racoon.sb

    The first file is the IPsec client binary, the second tells how to launch the client, and the third specifies what the client is allowed to do on your system.

  • christophefrom25 Level 1 Level 1 (0 points)

    Thanks for the idea, but it doesn't work for me.

    I restored those 3 files from a Lion backup and rebooted the machine. Then the problem is worse, since launchd can't even launch racoon: "racoon[431]: Configuration Parse Error. (cfparse: yyparse erred, filename /etc/racoon/racoon.conf). (failure: fatal parse failure)"

    I also tried to restore racoon.conf and racoonctl from Lion, but with no success either ...

  • ct181 Level 1 Level 1 (0 points)

    I ran into the same problem today while trying to fix a colleague's VPN. It turned out that he had iCloud enabled, which apparently generates a config file /var/run/racoon/<some-ipv6-address>.cfg that the old racoon doesn't understand (because it is not IPv6-ready, presumably). If you move the file out of the /var/run/racoon directory, the old client should start.

    We also deactivated IPv6 on the Terminal via

         networksetup -setv6off Ethernet

    ("Ethernet" is the network device you are using for the VPN; see networksetup -listallnetworkservices for a list). However, I am not sure if that changes anything, since we did it before moving the config file away.

    And he still does have some weird problem with the server certificate not being accepted, though. On another colleague's MacBook it worked with copying the three files, and deleting and re-importing the CA certificate into the system keychain.

    Hope that helps...

  • ct181 Level 1 Level 1 (0 points)

    PS: The foo:bar:foo:foo.conf file is created by the "Back to My Mac" feature – if you don't use this, you could disable it in the iCloud System Preference Pane and the conf file will be automatically removed.

  • christophefrom25 Level 1 Level 1 (0 points)

    Yes, it helps a lot! It (almost) works, thanks to your advice.

    As you said, the problem to make the Lion version of racoon work again on Mountain Lion is the presence of those files in /var/run/racoon. (the last line of /etc/racoon/racoon.conf is 'include /var/run/racoon/*.conf')

    In my case, I didn't find any .cfg file, but two .conf files. If I delete them, all is OK, but they appear again after reboot.

    The first one is the one you're talking about - the "Back To My Mac" feature. I disabled it, and it's gone.

    But I can't find out what the other one is. I tried the -setv6off thing on both Wi-Fi and VPN interface, but it doesn't work. I have to remove the file manually until I find the solution.

    But thanks a lot for your help!
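Since the failure here comes from an include line silently pulling in whatever the system drops into /var/run/racoon, an added example (mine, not from the thread or from racoon) that reads a racoon.conf, finds its include directives and lists exactly which files each pattern would pull in, following nested includes. It builds its own throwaway directory tree with two placeholder generated files standing in for the ones christophefrom25 describes; the file names and the "run" directory are constructed for the demo, not the real paths.

```python
import glob
import os
import re
import tempfile

# Matches racoon's include directive with or without quotes and the trailing
# semicolon, e.g.   include "/var/run/racoon/*.conf";
INCLUDE_RE = re.compile(r'^\s*include\s+"?([^"\s;]+)"?\s*;?\s*$')


def include_patterns(conf_text):
    """Return the path patterns named by include directives, in file order."""
    patterns = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]      # drop trailing comments
        m = INCLUDE_RE.match(line)
        if m:
            patterns.append(m.group(1))
    return patterns


def resolve_includes(conf_path, _seen=None):
    """List every file the include lines in conf_path would pull in.

    Returns a list of (pattern, [matching files]) so a pattern that matches
    nothing still shows up, and recurses into matched files that contain
    include directives themselves. _seen guards against include loops.
    """
    seen = _seen if _seen is not None else set()
    conf_path = os.path.abspath(conf_path)
    if conf_path in seen:
        return []
    seen.add(conf_path)
    with open(conf_path) as fh:
        text = fh.read()
    result = []
    for pattern in include_patterns(text):
        if not os.path.isabs(pattern):   # relative includes resolve next to the conf
            pattern = os.path.join(os.path.dirname(conf_path), pattern)
        matches = sorted(glob.glob(pattern))
        result.append((pattern, matches))
        for path in matches:
            result.extend(resolve_includes(path, seen))
    return result


def build_demo_tree():
    """Constructed stand-in for /etc/racoon and /var/run/racoon (example only)."""
    root = tempfile.mkdtemp(prefix="racoon-demo-")
    run_dir = os.path.join(root, "run")
    os.mkdir(run_dir)
    # Placeholder names: the first mimics an address-derived generated file,
    # the second the unexplained one from the thread. Both are invented here.
    for name in ("fe80--1.conf", "other.conf"):
        with open(os.path.join(run_dir, name), "w") as fh:
            fh.write("# placeholder generated file\n")
    conf_path = os.path.join(root, "racoon.conf")
    with open(conf_path, "w") as fh:
        fh.write('path certificate "/etc/certs";   # unrelated directive\n')
        fh.write('include "%s/*.conf";\n' % run_dir)
    return conf_path, run_dir


if __name__ == "__main__":
    conf, _run = build_demo_tree()
    for pattern, files in resolve_includes(conf):
        print(pattern)
        for f in files:
            print("   ->", f)
```

Run against the real /etc/racoon/racoon.conf it shows every file that gets parsed, which is the quickest way to learn where a second, unexplained .conf is coming from before deciding what to disable.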

  • Jakob Tewes Level 1 Level 1 (0 points)

    We also tried to use cert-based L2TP VPN via strongSwan on 10.8.1 and also got no luck.

    We have the Apple-specific certificate-usage proposal (ipsec), as well as the DNS name of the system built into the certificates, but it won't work (even without NAT/PAT).

    The only thing we're not publishing is CRLs - could that be part of the solution maybe?

    Anyone got CRLs published (via HTTP or otherwise)?

    Thanks,

    Jakob

  • cpohle Level 1 Level 1 (0 points)

    Hi, I just updated my iPhone to iOS 6, and guess what - now the IPsec VPN does not connect anymore. On the other end of the tunnel, I have a strongSwan router, showing this

    > next payload type of ISAKMP Message has an unknown value: 132

    error message several times before it quits with a

    > max number of retransmissions (2) reached STATE_MAIN_R2.

    Thanks for any hint!

    Regards,

    Carsten

  • Yukiru Level 1 Level 1 (0 points)

    @cpohle

    Yes, same here, tried it today too. iOS 5 works, iOS 6 doesn't. Apple keeps on screwing our infrastructure.

    If any engineer from Apple looks at this post, please change it back, so it will work again.

    And exactly the same problem as in OS X 10.8. VPN stops connecting after phase 1.
