
Built-in IPsec VPN randomly drops to Cisco VPN server

38742 Views 61 Replies Latest reply: Apr 7, 2014 8:11 AM by racitup
  • Fotos Georgiadis Level 1 Level 1 (10 points)

    Haven't checked it on Mountain Lion yet. Pity Apple hasn't fixed it. Glad some people report that the workaround still works tho! Thanks Ripxmax2000.

  • Fotos Georgiadis Level 1 Level 1 (10 points)

    I filed bug ID# 12449876 in Apple Radar (the bug reporting system) for this issue. Perhaps if a lot of us do the same and refer to this bug ID (12449876) and this thread, Apple might give it some attention and fix it in a nice and clean / native way.

  • dscott8201

    Well,

    After reading this, I am happy that I am not insane. It is VPN device independent. I am using the built-in client on 10.6.8 and connecting to Fortinet devices. iPhones and iPads work fine, iMacs drop around the 45 minute mark. I have a distributed setup, so I am going to try that automated patch and let you know.

    I would seriously like Apple to fix this natively.

  • amsoares

    Fotos,

     

    Any news about this? I have a customer complaining about the same problem. He was using Cisco IPsec but the connection to the protected networks was lost after a few hours of uptime. Then he moved to L2TP/IPsec but now he has the 45 minute problem discussed here. Can you show us what is in the bug you opened?

     

    Thanks.

  • Fotos Georgiadis Level 1 Level 1 (10 points)

    Hey amsoares,

     

    my bug report was marked as a duplicate of #11871577 which is still Open. So Apple certainly knows about it. The question is when / whether they will do anything about it.

     

    Allegedly, internally Apple prioritizes bugs based on the buzz they generate on Radar. So if you want to help out and you are a developer or have a developer Apple ID handy, log in to the bug reporter and create a new bug report, preferably referencing either my bug # or the one above.

     

    My bug report was:

     

    07-Oct-2012 07:16 PM Fotos Georgiadis:

     

    Summary:

    The built-in IPsec VPN drops connection with the message "IPSec Controller: XAuth reauthentication dialog required, so connection aborted". Since the most common Cisco configuration out there is to have an IKE rekey attempt every 45 or so minutes, this makes remote work cumbersome.

     

    Steps to Reproduce:

    1. Create an IPsec VPN connection to a Cisco endpoint (through System Preferences).

    2. The security-association lifetime and policy on the Cisco should be small enough (3 minutes for triggering the problem). The default is 45 to 60 minutes.

    3. Connect to the VPN

    4. Watch as the lifetime of the connection passes by:

        $ sudo racoonctl ss ipsec

    5. When the time ends the connection will be dropped and the message "IPSec Controller: XAuth reauthentication dialog required, so connection aborted" will be printed in the console.

     

    Unfortunately I don't have access to the precise Cisco configuration that will trigger the issue. But as you can also see in the thread mentioned below it's a common occurrence and other people might be able to provide a detailed configuration.

     

    Expected Results:

    The connection should stay up, or at least provide a dialog asking for credentials (again).

     

    Actual Results:

    The connection drops.

     

    Notes:

     

    Much more info (and a workaround) provided on this thread:

    https://discussions.apple.com/message/15977385

     

    Detailed explanation tracing the issue in the source code:

    https://discussions.apple.com/message/15977385#15977385

     

    Workaround:

    https://discussions.apple.com/message/15977385#18164765

     

    Hope you manage to solve your issue. Didn't my suggested workaround work for your client?

  • amsoares Level 1 Level 1 (0 points)

    Fotos,

     

    Thank you very much for your answer. I think the customer tried the workaround you found without success, but I will check that again. In this case, I am the Cisco guy. I opened a case with Cisco and they say the problem is on the Apple side and that they cannot do anything. They have a bug as well, but it's marked as closed:

    +++++++++++++++++++++++++++++
    CSCsh67528 Bug Details

    L2TP/IPsec OSX client disconnection after 45 minutes when NAT-T in used

    Symptom:
    L2TP/IPsec OSX client disconnects after 45 minutes

    Conditions:
    If NAT is in the middle and NAT-T is negotiated.

    Workaround:
    Use latest MacOS Client 10.7.3 and ASA version above
    8.2.5.21, 8.3.2.29 or 8.4.3.

    Further Problem Description:
    The OSX side fails to rekey the Phase 1 as initiated by the ASA
    +++++++++++++++++++++++++++++

    The workaround they mention is not valid either.

     

    Thanks.

  • mckinasole

    I have a script that will fix this. If you're interested, let me know and I'll send it to you.

  • mckinasole Level 1 Level 1 (0 points)

    #!/bin/bash
    # Toggles the racoon.conf lifetime workaround for the built-in Cisco IPsec client.
    # Run as root: it edits files under /etc/racoon and restarts com.apple.racoon.

    EXPECTED_ARGS=1
    E_BADARGS=65

    printHelp ()
    {
         echo
         echo -e "\tPurpose: For fixing and unfixing your vpn connections"
         echo -e "\tUsage: sudo $(basename "$0") [options]\n"
         echo -e "\tOptions"
         echo -e "\tprep\t - fixes racoon.conf. Run only once!!!"
         echo -e "\t\t this adds --> include \"/etc/racoon/remote/*.conf\" to /etc/racoon/racoon.conf \n"
         echo -e "\tunprep\t - unfixes racoon.conf."
         echo -e "\t\t this removes --> include \"/etc/racoon/remote/*.conf\" from /etc/racoon/racoon.conf \n"
         echo -e "\tfix\t - run after you login to the vpn. This will disconnect you!"
         echo -e "\t\t This will change the lifetime to 168 hours in the IP.conf file\n"
         echo -e "\tunfix\t - run after you're done with the vpn."
         echo -e "\t\t Do this if you need to connect to another location or you can't connect to the vpn.\n"
    }

    if [ $# -lt $EXPECTED_ARGS ]
    then
        printHelp
        exit $E_BADARGS
    fi

    #################
    if [ "$1" = prep ]
    then
        # Create the directory the per-connection configs get copied into and back up racoon.conf.
        mkdir -p /etc/racoon/remote
        echo -e "creating directory /etc/racoon/remote \n"
        cp -a /etc/racoon/racoon.conf /etc/racoon/racoon.conf.orig
        echo -e "backing up /etc/racoon/racoon.conf to /etc/racoon/racoon.conf.orig\n"

        echo 'include "/etc/racoon/remote/*.conf" ;' >> /etc/racoon/racoon.conf
        echo -e 'adding this line --> include "/etc/racoon/remote/*.conf" ; <-- to end of /etc/racoon/racoon.conf\n'
    fi

    #################
    if [ "$1" = unprep ]
    then
        rm -rf /etc/racoon/remote
        echo -e "removing directory /etc/racoon/remote \n"

        # BSD sed on OS X needs an (empty) backup suffix right after -i; without it "-e" is
        # taken as the suffix and a stray racoon.conf-e backup is left behind.
        sed -i '' -e '/include "\/etc\/racoon\/remote\/\*\.conf" ;/d' /etc/racoon/racoon.conf
        echo -e 'removing lines --> include "/etc/racoon/remote/*.conf" ; <-- from /etc/racoon/racoon.conf\n'
    fi

    #################
    if [ "$1" = fix ]
    then
        # Move the config racoon generated for the current connection out of /var/run, stop
        # racoon.conf from including the /var/run copy, raise the lifetime, then restart racoon.
        mv /var/run/racoon/*.conf /etc/racoon/remote
        sed -i '' -e 's~include "/var/run/racoon/\*\.conf"~#include "/var/run/racoon/\*\.conf"~' /etc/racoon/racoon.conf
        sed -i '' -e 's/lifetime time 3600 sec/lifetime time 168 hours/' /etc/racoon/remote/*.conf

        launchctl stop com.apple.racoon
        launchctl start com.apple.racoon
    fi

    #################
    if [ "$1" = unfix ]
    then
        # Put the /var/run include back, drop the copied configs and restart racoon.
        sed -i '' -e 's~#include "/var/run/racoon/\*\.conf"~include "/var/run/racoon/\*\.conf"~' /etc/racoon/racoon.conf
        rm -f /etc/racoon/remote/*

        launchctl stop com.apple.racoon
        launchctl start com.apple.racoon
    fi
    #################
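A check for the state the script above is supposed to leave behind, added here as an example; it is not part of mckinasole's script or of Apple's configuration. It reads racoon.conf and the per-connection files copied to /etc/racoon/remote and reports whether the remote include line is present, whether the /var/run include has been commented out, and whether every `lifetime time` directive has actually been raised. The sample files, the `remote` block layout and the function names are constructed assumptions, not Apple's real generated configuration.

```python
"""Verify the racoon.conf lifetime workaround from the thread (added example)."""
import re
from typing import Dict, List

REMOTE_INCLUDE = 'include "/etc/racoon/remote/*.conf"'   # line the "prep" step appends
VARRUN_INCLUDE = 'include "/var/run/racoon/*.conf"'      # line the "fix" step comments out
LIFETIME = re.compile(r"lifetime\s+time\s+(\d+)\s+(sec|min|hour)s?\b", re.IGNORECASE)
UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600}

# Constructed samples of the two files the script touches (assumption: not Apple's real
# generated config). racoon.conf before and after "prep" + "fix", and a per-connection
# config before and after the lifetime rewrite.
RACOON_CONF_BEFORE = """\
# racoon.conf (constructed sample)
path include "/etc/racoon";
include "/var/run/racoon/*.conf";
"""
RACOON_CONF_AFTER = """\
# racoon.conf (constructed sample, after prep + fix)
path include "/etc/racoon";
#include "/var/run/racoon/*.conf";
include "/etc/racoon/remote/*.conf" ;
"""
REMOTE_CONF_BEFORE = """\
remote 203.0.113.5 {
    exchange_mode aggressive;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        lifetime time 3600 sec;
    }
}
"""
REMOTE_CONF_AFTER = REMOTE_CONF_BEFORE.replace("lifetime time 3600 sec", "lifetime time 168 hours")


def active_lines(text: str) -> List[str]:
    """Config lines with '#' comments stripped and blank lines dropped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def include_status(racoon_conf: str) -> Dict[str, bool]:
    """Which of the two include lines are live (uncommented) in racoon.conf."""
    active = active_lines(racoon_conf)
    return {
        "remote_include_active": any(REMOTE_INCLUDE in line for line in active),
        "varrun_include_active": any(VARRUN_INCLUDE in line for line in active),
    }


def lifetimes_in_seconds(conf: str) -> List[int]:
    """Every live 'lifetime time N unit' directive in a config, normalised to seconds."""
    result = []
    for line in active_lines(conf):
        for number, unit in LIFETIME.findall(line):
            result.append(int(number) * UNIT_SECONDS[unit.lower()])
    return result


def verify_workaround(racoon_conf: str, remote_confs: Dict[str, str],
                      min_lifetime_sec: int = 168 * 3600) -> List[str]:
    """Return findings; an empty list means the workaround looks fully applied."""
    findings = []
    status = include_status(racoon_conf)
    if not status["remote_include_active"]:
        findings.append("racoon.conf does not include /etc/racoon/remote/*.conf (prep not run?)")
    if status["varrun_include_active"]:
        findings.append("racoon.conf still includes /var/run/racoon/*.conf (fix not run?)")
    if not remote_confs:
        findings.append("no per-connection config found under /etc/racoon/remote")
    for name, conf in remote_confs.items():
        lifetimes = lifetimes_in_seconds(conf)
        if not lifetimes:
            findings.append(f"{name}: no 'lifetime time' directive found")
        for seconds in lifetimes:
            if seconds < min_lifetime_sec:
                findings.append(f"{name}: lifetime {seconds}s is below {min_lifetime_sec}s")
    return findings


if __name__ == "__main__":
    # Check the live system (needs read access to /etc/racoon).
    import glob, os, sys
    conf = open("/etc/racoon/racoon.conf").read()
    remotes = {os.path.basename(p): open(p).read() for p in glob.glob("/etc/racoon/remote/*.conf")}
    problems = verify_workaround(conf, remotes)
    print("\n".join(problems) if problems else "workaround appears to be in place")
    sys.exit(1 if problems else 0)
```

Running it on the constructed "before" pair yields three findings (missing remote include, live /var/run include, 3600 s lifetime); the "after" pair yields none. The lifetime threshold defaults to the 168 hours the script writes, so a per-connection file the sed did not touch (for example one whose directive is not spelled exactly `lifetime time 3600 sec`) shows up as a finding instead of silently keeping the one-hour value.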

  • Fotos Georgiadis Level 1 Level 1 (10 points)

    Hello again amsoares,

     

    I couldn't change the Cisco configuration (beyond my control), but as I mentioned above you could either change the security association lifetime, as I already have hinted above in a previous reply, using:

     

    crypto ipsec security-association lifetime

     

    or change the default lifetime of the isakmp policy:

     

    crypto isakmp policy

     

    Keep in mind that I haven't tried any of these, they might work, they might not, they have security implications which you should fully understand before changing things, and of course all standard disclaimers apply, etc. etc. Please consult your Cisco documentation or Cisco directly if you change these settings in a production environment.

     

    As Cisco said, the problem lies on Apple's side. You could try the script posted by mckinasole below, who, unfortunately, replied in the wrong question. The script basically does what I described in my solution above, but in an automated / scripted way. I haven't tried the script either, so YMMV.

     

    Good luck!

  • amsoares Level 1 Level 1 (0 points)

    Fotos,

     

    Can you please clarify if the script/workaround is only valid for IPsec connections, and not valid for L2TP/IPsec connections?

    My customer had the 45 min problem after moving from IPsec to L2TP/IPsec. It seems that people posting here that have the same problem are talking about IPsec, not L2TP/IPsec.

     

    Thanks.

  • Fotos Georgiadis Level 1 Level 1 (10 points)

    Hello amsoares,

     

    honestly I have no idea if L2TP / IPsec connections are set up through racoon or a different process. The script and the workaround are for the "Cisco IPsec" option. Haven't tried it with L2TP / IPsec, which might set up the connection in a completely different way. Yes, people here talk about the IPsec option, not the L2TP / IPsec one, AFAIK.

     

    If I were you, I'd get my hands on a Mac and try to debug it from there. It's kinda futile if you can't test things yourself.

     

    Regards

  • mviltan

    I too have logged a bug: 13015443 - duplicate of #11871577 and have had a response. I was told to:

     

    as root edit /etc/racoon/racoon.conf

     

    uncomment the line:

    #log debug;

    and add the line:

    path logfile "/var/log/racoon.log";

     

     

    And send them the log. So I had another machine which I did not apply the fix to and sent them the log after it disconnected. I will let you know when I get an update.

  • amsoares Level 1 Level 1 (0 points)

    Did you get any feedback about this?

     

    Thanks.

  • mviltan Level 1 Level 1 (0 points)

    not yet!

  • mohamedridha

    Hi there

     

    I have made the exact changes, however my connection is still picking up a key life of 3600. This is the output:

     

     

    sudo racoonctl ss ipsec

    192.168.16.76 195.99.192.84

              esp mode=tunnel spi=3835192342(0xe4986416) reqid=0(0x00000000)

              E: aes-cbc  72e6332f fdb28718 74c335f8 beb65d4a 5272d5d4 eb4bae29 89b707b6 d7ab8be9

              A: hmac-sha1  50bfbd0d 0ca4dcc6 1059c768 2ea767a4 314cd7bd

              seq=0x000000bb replay=4 flags=0x00000006 state=mature

              created: Mar  7 12:12:51 2013          current: Mar  7 12:12:57 2013

              diff: 6(s)          hard: 3600(s) soft: 2880(s)

              last: Mar  7 12:12:57 2013          hard: 0(s)          soft: 0(s)

              current: 55744(bytes)          hard: 0(bytes)          soft: 0(bytes)

              allocated: 187          hard: 0          soft: 0

              sadb_seq=1 pid=9712 refcnt=2

    195.99.192.84 192.168.16.76

              esp mode=tunnel spi=208470779(0x0c6d02fb) reqid=0(0x00000000)

              E: aes-cbc  fa3964d5 359abf9c 8b0d20ea acf2fcdc c48bd526 41f4fd7b b5264680 82378a31

              A: hmac-sha1  a7f1edd3 d2f3ca50 d4790813 0fba2513 40b8856c

              seq=0x00000057 replay=4 flags=0x00000006 state=mature

              created: Mar  7 12:12:51 2013          current: Mar  7 12:12:57 2013

              diff: 6(s)          hard: 3600(s) soft: 2880(s)

              last: Mar  7 12:12:56 2013          hard: 0(s)          soft: 0(s)

              current: 15382(bytes)          hard: 0(bytes)          soft: 0(bytes)

              allocated: 87          hard: 0          soft: 0

              sadb_seq=0 pid=9712 refcnt=2

     

     

    I have followed the instructions, not sure why it still is not working?
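One way to read a `racoonctl ss ipsec` dump like the one above without eyeballing every line, added here as an example and not code from anyone in the thread: it splits the dump into one record per security association, pulls out the SPI, algorithms, state and the `diff`/`hard`/`soft` lifetimes, and lists the SAs whose hard lifetime is still the unmodified 3600 s. The sample dump below is constructed in the same layout (documentation-range addresses, zeroed key bytes); the function names are my own. Note that this dump shows the ESP (phase 2) SAs from the kernel; the "XAuth reauthentication dialog required" message concerns the IKE phase 1 rekey, whose SAs `racoonctl ss isakmp` lists instead.

```python
"""Parse `racoonctl ss ipsec` output and report SA lifetimes (added example)."""
import re
from typing import Dict, List

# Constructed sample in the layout racoonctl prints: three SAs, the third with the
# 168-hour lifetime the workaround writes. Addresses and key bytes are placeholders.
SAMPLE_SADUMP = """\
192.0.2.10 198.51.100.1
          esp mode=tunnel spi=3835192342(0xe4986416) reqid=0(0x00000000)
          E: aes-cbc  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
          A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
          seq=0x000000bb replay=4 flags=0x00000006 state=mature
          created: Mar  7 12:12:51 2013          current: Mar  7 12:12:57 2013
          diff: 6(s)          hard: 3600(s) soft: 2880(s)
          last: Mar  7 12:12:57 2013          hard: 0(s)          soft: 0(s)
          current: 55744(bytes)          hard: 0(bytes)          soft: 0(bytes)
          allocated: 187          hard: 0          soft: 0
          sadb_seq=1 pid=9712 refcnt=2
198.51.100.1 192.0.2.10
          esp mode=tunnel spi=208470779(0x0c6d02fb) reqid=0(0x00000000)
          E: aes-cbc  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
          A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
          seq=0x00000057 replay=4 flags=0x00000006 state=mature
          created: Mar  7 11:24:51 2013          current: Mar  7 12:12:57 2013
          diff: 2886(s)          hard: 3600(s) soft: 2880(s)
          last: Mar  7 12:12:56 2013          hard: 0(s)          soft: 0(s)
          current: 15382(bytes)          hard: 0(bytes)          soft: 0(bytes)
          allocated: 87          hard: 0          soft: 0
          sadb_seq=0 pid=9712 refcnt=2
192.0.2.10 203.0.113.7
          esp mode=tunnel spi=1234567(0x0012d687) reqid=0(0x00000000)
          E: aes-cbc  00000000 00000000 00000000 00000000
          A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
          seq=0x00000001 replay=4 flags=0x00000006 state=mature
          created: Mar  7 12:00:00 2013          current: Mar  7 12:12:57 2013
          diff: 777(s)          hard: 604800(s) soft: 483840(s)
          last: Mar  7 12:12:50 2013          hard: 0(s)          soft: 0(s)
          current: 1024(bytes)          hard: 0(bytes)          soft: 0(bytes)
          allocated: 3          hard: 0          soft: 0
          sadb_seq=2 pid=9712 refcnt=2
"""

HEADER = re.compile(r"^(\S+)\s+(\S+)$")        # unindented "src dst" line starts an SA entry
SPI = re.compile(r"\bspi=(\d+)\(")
ENC = re.compile(r"^\s*E:\s*(\S+)")
AUTH = re.compile(r"^\s*A:\s*(\S+)")
STATE = re.compile(r"\bstate=(\w+)")
# Only the "diff:" line carries the time lifetimes; the "last:" line also says hard/soft.
LIFE = re.compile(r"^\s*diff:\s*(\d+)\(s\)\s+hard:\s*(\d+)\(s\)\s+soft:\s*(\d+)\(s\)")


def parse_sadump(text: str) -> List[Dict]:
    """One dict per SA: src, dst, spi, enc, auth, state, diff_sec, hard_sec, soft_sec."""
    entries: List[Dict] = []
    cur = None
    for line in text.splitlines():
        if not line.strip():
            continue
        head = HEADER.match(line)
        if head:
            cur = {"src": head.group(1), "dst": head.group(2)}
            entries.append(cur)
            continue
        if cur is None:          # text before the first SA (e.g. the command line itself)
            continue
        if (m := SPI.search(line)):
            cur["spi"] = int(m.group(1))
        elif (m := ENC.match(line)):
            cur["enc"] = m.group(1)
        elif (m := AUTH.match(line)):
            cur["auth"] = m.group(1)
        elif (m := LIFE.match(line)):
            cur["diff_sec"], cur["hard_sec"], cur["soft_sec"] = (int(g) for g in m.groups())
        if (m := STATE.search(line)):
            cur["state"] = m.group(1)
    return entries


def remaining_seconds(entry: Dict) -> int:
    """Seconds until the hard lifetime expires and the SA is torn down."""
    return entry["hard_sec"] - entry["diff_sec"]


def past_soft_lifetime(entry: Dict) -> bool:
    """True once the soft lifetime has elapsed, i.e. a rekey should already be under way."""
    return entry["diff_sec"] >= entry["soft_sec"]


def sas_with_hard_lifetime(entries: List[Dict], hard_sec: int) -> List[int]:
    """SPIs of SAs whose hard lifetime equals hard_sec (3600 = the unmodified one hour)."""
    return [e["spi"] for e in entries if e.get("hard_sec") == hard_sec]


def report(text: str) -> List[str]:
    """Human-readable one-liner per SA."""
    lines = []
    for e in parse_sadump(text):
        flag = " (past soft lifetime, rekey due)" if past_soft_lifetime(e) else ""
        lines.append(f"{e['src']} -> {e['dst']} spi={e['spi']} {e['enc']}/{e['auth']} "
                     f"state={e['state']} hard={e['hard_sec']}s remaining={remaining_seconds(e)}s{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SADUMP)))
```

Piping the real output in (`sudo racoonctl ss ipsec | python3 thisfile.py` after swapping the sample for `sys.stdin.read()`) gives the same per-SA view; any SPI returned by `sas_with_hard_lifetime(entries, 3600)` after the "fix" step means that SA was negotiated with the original one-hour lifetime and the rewritten config was not the one racoon loaded. Keep in mind that the dump also prints the ESP keys in the `E:` and `A:` lines, so it should not be pasted anywhere public without redacting them.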
