Built-in IPsec VPN randomly drops to Cisco VPN server

In regards to the IKE lifetime the lower of the two peers' lifetimes is used. On my Cisco router I have not changed the default from 24 hours but both the iphone and Mac (Lion) have defaults of 60 mins (3600 seconds).

"A match is made when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values, and when the policy of the remote peer specifies a lifetime less than or equal to the lifetime in the compared policy. If the lifetimes are not identical, the shorter lifetime—from the policy of the remote peer—is used."

The problem occurs on both Mac and Iphone. The problems are:

1. On the mac I have to manually re-enter my username and password at the 45 minute mark

2. On the iphone, at the 45 minute mark which I believe the first re-key attempt, the connection just drops and I have to VPN in again.

While the solution proposed is a good workaround for those on the mac the solution here does not solve either of the above issues and is only a workaround to delay the xauth re-authentication.

Apple please fix!

Fotos Georgiadis, thanks for your help on this, it all seems to be working. Much appreciated.

Fotos Georgiadis <<-- This guy is a genus!! Thanks buddy if you was here in america i would buy you a beer! Running 10.6.8 connecting to a Cisco 3945 configure as Easy VPN Server with XAUTH. Client connected but would drop at 1 hour ISAKMP SA lifetime was set to default 86400 sec but sho crypto isakmp sa lifetime was showing a count down from 1 hours! Goolged like crazy until a ran up on this tread. Saved me about $800 (plane ticket) and time away from my family just to go configure a vmware server that i need to stay connected to for more then an hour while I install software from a virtual disk mount!

Why cant apple just give us these parameters to change in the network gui?!? There is an advanced tab on VPN common on this is pretty important stuff.

Problem still exists in Mouintain Lion 😟. I will try this fix and report back.

This is a terrific help! One question: It'd be great if I could continue including /var/run/racoon/*.conf, so that when I (inevitably) create a new VPN connection and forget to copy over the .conf file, it'll still work. But I can't find a way to detect what's happening when the same remote is defined twice, which would tell me whether the "include *.conf" should come first or second.

Any ideas? I looked at the source but don't have the stomach to parse through lex/yacc...

To make it easier on you all, you can copy and paste the following commands. The only difference is the lifetime I personally set it to 168 hours instead of 24.

sudo mkdir /etc/racoon/remote

sudo sed -i.bak 's/lifetime time 3600 sec/lifetime time 168 hours/' /var/run/racoon/*.conf \ && sudo mv /var/run/racoon/*.conf /etc/racoon/remote

sudo patch /etc/racoon/racoon.conf <<EOF --- /etc/racoon.orig/racoon.conf 2009-06-23 09:09:08.000000000 +0200+++ /etc/racoon/racoon.conf 2009-12-11 13:52:11.000000000 +0100@@ -135,4 +135,5 @@# by including all files matching /var/run/racoon/*.conf# This line should be added at the end of the racoon.conf file# so that settings such as timer values will be appropriately applied.+include "/etc/racoon/remote/*.conf" ;include "/var/run/racoon/*.conf" ;EOF

sudo launchctl stop com.apple.racoon

sudo launchctl start com.apple.racoon

The above fixed my disconnects.. you shouldn't have to edit the proposal_check and other settings in ipaddress.conf file and there is no need to re-do this for different VPN connections. The all catch *.conf will still work with the above fix.

Yup. I was hoping Apple would finally fix this glaring issue in ML. Come on Apple throw a bone to those that use the Mac for something more substantial than playing Angry Birds 24/7. I'm not bitter though (ha).

I tried this in Mountain Lion and at first I couldn't connect to the VPN at all. Turned out the reason was becuase of step 8.

I left proposal check to obey, and made all the other changes, now the solution works great with Mountain Lion.

Thanks a lot Fotos, you're a genius!

Hi Fotos,

I used your instructions but after that my vpn doesnt connect. It gives the below error in logs

10/4/12 5:29:12.147 PM configd[23]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0

10/4/12 5:29:12.241 PM configd[23]: IPSec Phase1 starting.

10/4/12 5:29:12.241 PM configd[23]: IPSec port-mapping update for en1 indicates no NAT. Public Address: a8f4136c, Protocol: None, Private Port: 0, Public Port: 0.

10/4/12 5:29:22.241 PM configd[23]: IPSec disconnecting from server 165.244.164.5

10/4/12 5:29:22.241 PM racoon[41759]: IPSec disconnecting from server 165.244.164.5

10/4/12 5:29:22.246 PM racoon[41759]: IPSec disconnecting from server 165.244.164.5

Once I change the racoon.conf to point to /var/run/racoon/*.conf it starts working again. even if I keep the generated conf file in a different directory even then its not working. The only time it will work is when racoon.conf is pointing to /var/run/racoon/*.conf. Any other path just fails.

Any help is highly appreciated.

Rgds,

Anand

Unfortunately Andyjhs1 I have no idea what is wrong with your configuration. You should provide more info (for example are you on Lion or ML, a tcpump if possible, etc.) and somebody might be able to help you.

Due to the many bugs found in the IPSec Apple configuration I gave up on racoon and decided to start using vpnc. One of the problems I had was that even tho the VPN tunnel worked non-stop, whenever I closed the VPN connection, networking stopped working (pun) and somehow the routes got messed up. The only workaround was to pull the ethernet plug / on-off the WiFi which resets networking and the routes. Totally broke my nerves after a month.

Last month I brewed the latest version of vpnc (0.5.3). The configuration was a breeze and everything is working fine. Also allows me to setup some custom routes that where not being offered by the our Cisco (our admins got lazy!) and there was no way to configure using System Preferences.

Yes, I'd definately love a native Apple-supported working solution but until then vpnc will do.

Well I tried to figure this out too, but eventually it didn't matter for me so I gave up on whether the order is important or the configuration was overwritten. Personally after what I got through (reading IPSEC source code, yuck!) to get a working configuration I won't forget about it! 🙂

Thanks soljaboy1906. Glad to be of some help! Family time's good! 😉

Haven't check it on Mountain Lion, yet. Pity Apple hasn't fixed it. Glad some people report that the workaround still works tho! Thanks Ripxmax2000. 🙂