Hi to all...
Problem solved! Because OSX and iOS have the same problem, I dived deep into IKE and found the following:
the problem is that the new IPsec system has problems handling "big" certificates (search for
IKE UDP fragmentation if you are interested).
So, the solution is quite simple: create a certificate with the absolute MINIMUM of the required data
(for example: C=AT, CN=HS, E=hs). I tested only with a 1024-bit public key size, and this works on
iOS and OSX as well.
This could NOT be solved within the keychain. The certificate has to be issued in a way that its size
is so small that it will not be fragmented during IKE negotiation.
If your certificate is issued by an IT administrator, tell him that you need a certificate where the
required fields (normally email and common name) are as short as possible, to reduce
the size of the certificate.
You can use the "crypto isakmp fragmentation" command on your Cisco VPN router.
It's enough to resolve the problem.
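The two posts above say the same thing from both ends: either keep the certificate small enough that the IKEv1 main-mode message carrying it fits in one UDP datagram, or let the gateway fragment at the IKE layer. The script below is an added example, not code from anyone in this thread. It uses the openssl CLI (assumed to be on PATH) to issue two throwaway self-signed certificates, one with the minimal subject from the post and one with a constructed long subject, measures their DER size, and estimates whether the phase-1 message carrying each would exceed a 1500-byte Ethernet MTU. The working directory, file names and the long subject are made up for the example; the payload-size estimate is a rough approximation of ISAKMP header, ID, CERT and SIG payloads, not a byte-exact model of any implementation.

```shell
#!/bin/sh
# Added example: does a client certificate fit into one unfragmented IKEv1
# main-mode message? Assumes the openssl CLI is installed. Paths and names
# below are hypothetical; the long subject is constructed for the comparison.

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="${TMPDIR:-/tmp}/ike-certsize.$$"
mkdir -p "$WORK"

# make_cert <name> <subject> <rsa_bits>
# Issues a self-signed certificate and prints its DER-encoded size in bytes.
make_cert() {
    name=$1; subj=$2; bits=$3
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 30 -subj "$subj" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/$name.pem" -outform DER -out "$WORK/$name.der" >/dev/null 2>&1 || return 1
    wc -c < "$WORK/$name.der" | tr -d ' '
}

# needs_fragmentation <der_bytes> <rsa_bits> [mtu]
# Rough estimate of the IKEv1 main-mode message 5/6 that carries ID, CERT and SIG:
#   28 bytes ISAKMP header + ~16 bytes ID payload + 5 bytes CERT payload header
#   + DER certificate + 4 bytes SIG payload header + RSA signature (bits/8),
# rounded up to a 16-byte cipher block. IP (20) + UDP (8) headers are subtracted
# from the MTU. Prints "yes" if the datagram would have to be fragmented.
needs_fragmentation() {
    der=$1; bits=$2; mtu=${3:-1500}
    sig=$((bits / 8))
    est=$((28 + 16 + 5 + der + 4 + sig))
    est=$(( (est + 15) / 16 * 16 ))
    if [ "$est" -gt $((mtu - 28)) ]; then echo yes; else echo no; fi
}

SMALL_SUBJ="/C=AT/CN=HS/emailAddress=hs"   # the minimal subject from the post
# Constructed long subject, the kind of thing a corporate CA tends to issue.
LONG_SUBJ="/C=AT/ST=Vienna/L=Vienna/O=Some Long Organisation Name GmbH/OU=Network Operations Department/CN=vpn-client-0001.corp.example.com/emailAddress=firstname.lastname@corp.example.com"

small=$(make_cert small "$SMALL_SUBJ" 1024)
big=$(make_cert big "$LONG_SUBJ" 2048)

printf 'minimal subject, RSA-1024: %s bytes DER, IKE fragmentation needed: %s\n' \
    "$small" "$(needs_fragmentation "$small" 1024)"
printf 'long subject,    RSA-2048: %s bytes DER, IKE fragmentation needed: %s\n' \
    "$big" "$(needs_fragmentation "$big" 2048)"
```

The DER size is what matters, since the subject appears twice in a self-signed certificate (issuer and subject) and once more in the CA-issued case, so every extra OU or long email address is paid for on the wire. If the long-subject certificate lands near the limit, the fix is either the short subject the first post recommends or IKE fragmentation on both peers, as the second post suggests for Cisco gateways.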
Anyone still watching this thread: I posted the following two discussions in the hope of getting the attention of someone internally on the team.
Yes, I am still watching this thread!
With every OSX update released I'm hoping for a fix for this bug, but so far nothing.
Poorly managed, Apple!
What is even more annoying is that it was an Apple update on OSX 10.7 that forced me to rebuild my internal PKI infrastructure from a 512-bit to a 2048-bit certificate key size
(after this update, certificates with a key size of less than 1024 bits were rejected).
Hi, I have the same problem, and debugged it in depth.
I use 2048-bit SSL certs.
iPhone and iPad both work with these certificates, so there must be a difference in the racoon source.
First I enabled debugging in the file /etc/racoon/racoon.conf
(be sure that racoon is not running, or you will get error (61); reboot to fix):
path logfile "/var/log/racoon.log";
Then I did, as root:
chown root:admin /var/log/racoon.log
chmod 640 /var/log/racoon.log
So this is the error at the end, after hashing the cert:
2013-02-24 10:48:51:  DEBUG: hmac(hmac_sha1)
2013-02-24 10:48:51:  DEBUG: HASH (init) computed:
2013-02-24 10:48:51:  DEBUG:
4c36a99e e9ddb045 03d54006 92b5c9ff c9732e72
2013-02-24 10:48:51:  ERROR: error -25308 errSecInteractionNotAllowed.
2013-02-24 10:48:51:  ERROR: failed to sign.
2013-02-24 10:48:51:  ERROR: failed to get sign
2013-02-24 10:48:51:  ERROR: failed to allocate send buffer
2013-02-24 10:48:51:  ERROR: failed to process packet.
2013-02-24 10:48:51:  ERROR: phase1 negotiation failed.
2013-02-24 10:48:51:  DEBUG: IV freed
The CA cert and the client cert are both trusted (verified in the keystore, showing a valid cert).
I also played around with turning dpd off and ike_frag on.
No change. Seems like the dog is biting its own tail.
Any updates on this issue?