Builtin Cisco VPN not connecting - solution (albeit a very crappy one)

So I've been trying for a day to get Snow Leopard to connect to the Cisco VPN concentrator at work (dunno which model).

Today I was able to get a bit more detail by editing /etc/syslog.conf to enable debug logging to system.log and editing /etc/racoon/racoon.conf to uncomment the debug log line (racoon is the Cisco client).

This is the error that surfaced:
ERROR: failed to get subjectAltName

With racoon's debug2 logging on I was able to see the problem when the server's cert was displayed: the Subject Alternative Name field is blank. Now there's no way for me to get this fixed on the server side - I work for a 250,000 person organization and a change like that would take me being an executive and months of bureaucracy to get through. So here's what I did in case anyone else needs this and doesn't mind extreme kludgery:

First I needed to capture the configuration file that was generated at connect time:
sudo su -
while true; do cp /var/run/racoon/*.conf /tmp/; done
Hit connect just after typing this a few times, then ctrl-c in the terminal to stop it.

You should hopefully have a file named /tmp/<ip>.conf where ip is the resolved ip address of your vpn server. Copy this file to /etc/racoon/ and edit it.

Change "verify_cert on" to "verify_cert off" and comment out the next line ("certificate_verification") with a #.
Finally, edit /etc/racoon/racoon.conf. At the end, comment out the line 'include "/var/run/racoon/*.conf" ;' and add the line 'include "/etc/racoon/<yourfile>" ;'.

This solution totally blows 'cause any configuration change requires a repeat of the procedure and also prevents you from having multiple VPNs configured without doing this for each of them. Suggestions welcome.

Macbook Pro 5.1, Mac OS X (10.6)

Posted on Sep 1, 2009 2:06 PM
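
Added example, not part of the original post: a shell check that lists where the edits described above (verify_cert off, the commented-out certificate_verification line, the disabled include of /var/run/racoon/*.conf) are present, so a machine carrying the workaround can be found and reverted once the server certificate is fixed. The sample files, the address 192.0.2.10 and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): flag racoon config files that
# carry the edits described in the post.

# audit_racoon_conf FILE -> one "file:line: finding" line per edit found
audit_racoon_conf() {
    awk -v file="$1" '
        # certificate_verification line commented out with a #
        /^[ \t]*#[ \t]*certificate_verification/ {
            printf "%s:%d: certificate_verification commented out\n", file, NR
            next
        }
        # include of the generated config commented out in racoon.conf
        /^[ \t]*#[ \t]*include[ \t]+"\/var\/run\/racoon\// {
            printf "%s:%d: include of generated config commented out\n", file, NR
            next
        }
        /^[ \t]*#/ { next }                    # any other comment line
        /^[ \t]*remote[ \t]/ { peer = $2 }     # remember the current peer
        /^[ \t]*verify_cert[ \t]+off/ {
            printf "%s:%d: verify_cert off for peer %s\n", file, NR, peer
        }
    ' "$1"
}

# write_sample DIR: constructed files modelled on the steps in the post
write_sample() {
    cat > "$1/192.0.2.10.conf" <<'EOF'
remote 192.0.2.10 {
    verify_cert off;
    #certificate_verification sec_framework use_peers_identifier;
}
EOF
    cat > "$1/racoon.conf" <<'EOF'
#include "/var/run/racoon/*.conf" ;
include "/etc/racoon/192.0.2.10.conf" ;
EOF
}

# count_findings DIR -> number of findings across DIR/*.conf
count_findings() {
    for f in "$1"/*.conf; do audit_racoon_conf "$f"; done | wc -l | tr -d ' '
}

dir=$(mktemp -d)
write_sample "$dir"
for f in "$dir"/*.conf; do audit_racoon_conf "$f"; done
rm -rf "$dir"
```

On a real system the function would be pointed at the files under /etc/racoon/ instead of the sample directory.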
