3 Replies Latest reply: Apr 17, 2010 6:46 PM by Hendricius
Adam Aulick Level 1 (30 points)
I am trying to set up a VPN connection using Snow Leopard's Cisco IPsec VPN type.

I have successfully entered my VPN server address, account name, password, group name, and imported a machine certificate.

When I attempt to connect, I get an error, "A configuration error occurred. Verify your settings and try reconnecting."

system.log shows a message, "racoon: failed to parse configuration file." which makes me think maybe there is a bug here.

Has anyone seen this and fixed it?

Has anyone got the Oracle IPSec VPN client working at all?

Mac OS X (10.6.2)
  • pckizer Level 1 (0 points)
    I get the same thing, but only if I enter a "Group Name". Without a group name, I get timeouts during Phase 1 that I'm still trying to diagnose, but with a group name I get the same generic error message you do.

    If I capture the generated config file and try and manually invoke racoon with it, I get the further information from racoon as such:

    2010-04-02 15:39:29: [5778] INFO: *** racoon started: pid=5778 started by: 627
    2010-04-02 15:39:29: [5778] INFO: @(#) racoon / IPsec-tools
    2010-04-02 15:39:29: [5778] INFO: @(#)This product linked OpenSSL 0.9.8l 5 Nov 2009 (http://www.openssl.org/)
    2010-04-02 15:39:29: [5778] INFO: Reading configuration from "/etc/racoon/racoon.conf"
    2010-04-02 15:39:29: [5778] WARNING: /var/run/racoon/{VPN-IP-hidden}.conf:17: "support_mip6" it is obsoleted. use "support_proxy".
    2010-04-02 15:39:29: [5778] ERROR: /var/run/racoon/{VPN-IP-hidden}.conf:101: "}" DH group must be equal in all proposals when aggressive mode is used.
    2010-04-02 15:39:29: [5778] ERROR: fatal parse failure (1 errors)
    racoon: failed to parse configuration file.
    Apr 2 15:39:29 Thoth racoon[5778]: Configuration Parse Error. (cfparse: yyparse erred, filename /etc/racoon/racoon.conf). (failure: fatal parse failure)

    Looks like it's time to open a bug report with Apple directly. (Which I'm about to do.)

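The racoon error pckizer quotes ("DH group must be equal in all proposals when aggressive mode is used") can be checked for before racoon ever parses the file. The following is an added example, not code from this thread or from IPsec-tools: it walks the `remote` blocks of a racoon.conf fragment and reports any aggressive-mode block whose phase-1 proposals disagree on `dh_group`. The sample configuration is constructed for illustration.

```python
import re

# Constructed racoon.conf fragment: an aggressive-mode remote block whose two
# proposals use different DH groups, which racoon rejects at parse time.
SAMPLE_CONF = """\
remote anonymous {
    exchange_mode aggressive;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method xauth_rsa_client;
        dh_group 2;
    }
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method xauth_rsa_client;
        dh_group 5;
    }
}
"""

def _block_body(text: str, start: int) -> str:
    """Return the text between the '{' at index `start` and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in configuration")

def check_aggressive_dh_groups(conf: str) -> list:
    """Report remote blocks that use aggressive mode but whose phase-1
    proposals do not all share a single dh_group value."""
    problems = []
    for m in re.finditer(r"remote\s+(\S+)\s*\{", conf):
        name = m.group(1)
        body = _block_body(conf, m.end() - 1)
        mode = re.search(r"exchange_mode\s+([^;]+);", body)
        if not mode or "aggressive" not in mode.group(1):
            continue  # main/base mode: mixed DH groups are allowed
        groups = []
        for p in re.finditer(r"proposal\s*\{", body):
            g = re.search(r"dh_group\s+(\w+);", _block_body(body, p.end() - 1))
            groups.append(g.group(1) if g else None)
        if len(set(groups)) > 1:
            problems.append(f"remote {name}: aggressive mode with dh_group values {groups}")
    return problems

if __name__ == "__main__":
    for problem in check_aggressive_dh_groups(SAMPLE_CONF):
        print(problem)
```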
  • Hendricius Level 1 (0 points)
    Hi Adam

    I'm facing the same issue. I can use the Sun VPN (IPsec) fine but can't connect using the Oracle VPN (IPsec hybrid). The iMac uses racoon (the open source IPsec-tools); I googled it and racoon does seem to support IPsec hybrid mode.

    For the Oracle VPN I added [hybrid] after the group name (long path of discovery). So I changed the group name to


    This does not make it work, but it makes the error change to "could not validate the server certificate. Verify ..." Wow! Does that mean I'm on the right path?

    Where is the racoon conf file?

    Where do I drop the certificate (the certificate you can get from the Linux VPN client on mydesktop)?
    I tried dropping it in my keychain but had no success. I think I need to drop it in /etc/cert (see /etc/racoon/racoon.conf) but I haven't got the foggiest idea what to name the file.
  • Hendricius Level 1 (0 points)

    I think it will never work unless Apple updates the racoon software?

    I started crafting an oracle.conf to get past the System Preferences tool and
    dropped an oracle.vpn in /var/run/racoon.

    racoonctl rc
    racoonctl vc <fqdn of vpn server>

    I don't get past phase 1 because there is a known bug in the NAT-T process.
    The part of the log file that gave me a clue

    2010-04-17 14:52:31: [11632] DEBUG: agreed on Hybrid RSA client auth.

    Sweet that means we're in ... but hold on

    2010-04-17 14:52:31: [11632] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
    2010-04-17 14:52:31: [11632] INFO: NAT-D payload #-1 doesn't match
    2010-04-17 14:52:31: [11632] INFO: NAT-D payload #0 doesn't match
    2010-04-17 14:52:31: [11632] INFO: NAT detected: ME PEER

    Wow - bing that - it is a bug that was known since 2005 !!!!!!!

    I did

    strings /usr/sbin/racoon | grep ipsec

    and it will show that ipsec-tools is version 93.6, which seems ancient.
    I can't say how disappointed I am.