You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Built-in IPsec VPN randomly drops to Cisco VPN server

I'm using the built-in IPsec VPN client on Lion and the VPN connection randomly drops. I've found this in the system.log file corresponding to the time when the connection drops:


Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 started (Initiated by me).

Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).

Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).

Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).

Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).

Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).

Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 established (Initiated by me).

Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: receive success. (Information message).

Aug 20 10:00:34 MBP racoon[38259]: IPSec Extended Authentication requested.

Aug 20 10:00:34 MBP configd[16]: IPSec requesting Extended Authentication.

Aug 20 10:00:34 MBP configd[16]: IPSec Controller: XAuth reauthentication dialog required, so connection aborted

Aug 20 10:00:34 MBP configd[16]: IPSec disconnecting from server xx.xx.xx.xx

Aug 20 10:00:34 MBP racoon[38259]: IPSec disconnecting from server xx.xx.xx.xx

Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Information message).

Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).

Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Information message).

Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).


Is there a hint here as to any configuration I can change on the MBP, or anything I can ask the network admin to change on the Cisco device to resolve this?


Thanks,

Guy

MacBook Pro, Mac OS X (10.7)

Posted on Aug 20, 2011 8:33 AM

Reply
75 replies

Apr 22, 2012 5:40 PM in response to Fotos Georgiadis

In regards to the IKE lifetime the lower of the two peers' lifetimes is used. On my Cisco router I have not changed the default from 24 hours but both the iphone and Mac (Lion) have defaults of 60 mins (3600 seconds).


"A match is made when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values, and when the policy of the remote peer specifies a lifetime less than or equal to the lifetime in the compared policy. If the lifetimes are not identical, the shorter lifetime—from the policy of the remote peer—is used."



The problem occurs on both Mac and Iphone. The problems are:

1. On the mac I have to manually re-enter my username and password at the 45 minute mark

2. On the iphone, at the 45 minute mark which I believe the first re-key attempt, the connection just drops and I have to VPN in again.


While the solution proposed is a good workaround for those on the mac the solution here does not solve either of the above issues and is only a workaround to delay the xauth re-authentication.


Apple please fix!

Jun 30, 2012 7:42 PM in response to GuyHelmer

Fotos Georgiadis <<-- This guy is a genus!! Thanks buddy if you was here in america i would buy you a beer! Running 10.6.8 connecting to a Cisco 3945 configure as Easy VPN Server with XAUTH. Client connected but would drop at 1 hour ISAKMP SA lifetime was set to default 86400 sec but sho crypto isakmp sa lifetime was showing a count down from 1 hours! Goolged like crazy until a ran up on this tread. Saved me about $800 (plane ticket) and time away from my family just to go configure a vmware server that i need to stay connected to for more then an hour while I install software from a virtual disk mount!


Why cant apple just give us these parameters to change in the network gui?!? There is an advanced tab on VPN common on this is pretty important stuff.

Jul 24, 2012 9:29 AM in response to Fotos Georgiadis

This is a terrific help! One question: It'd be great if I could continue including /var/run/racoon/*.conf, so that when I (inevitably) create a new VPN connection and forget to copy over the .conf file, it'll still work. But I can't find a way to detect what's happening when the same remote is defined twice, which would tell me whether the "include *.conf" should come first or second.


Any ideas? I looked at the source but don't have the stomach to parse through lex/yacc...

Jul 27, 2012 7:23 PM in response to GuyHelmer

To make it easier on you all, you can copy and paste the following commands. The only difference is the lifetime I personally set it to 168 hours instead of 24.


sudo mkdir /etc/racoon/remote

sudo sed -i.bak 's/lifetime time 3600 sec/lifetime time 168 hours/' /var/run/racoon/*.conf \ && sudo mv /var/run/racoon/*.conf /etc/racoon/remote

sudo patch /etc/racoon/racoon.conf <<EOF --- /etc/racoon.orig/racoon.conf 2009-06-23 09:09:08.000000000 +0200+++ /etc/racoon/racoon.conf 2009-12-11 13:52:11.000000000 +0100@@ -135,4 +135,5 @@# by including all files matching /var/run/racoon/*.conf# This line should be added at the end of the racoon.conf file# so that settings such as timer values will be appropriately applied.+include "/etc/racoon/remote/*.conf" ;include "/var/run/racoon/*.conf" ;EOF

sudo launchctl stop com.apple.racoon

sudo launchctl start com.apple.racoon

Oct 4, 2012 3:59 PM in response to Fotos Georgiadis

Hi Fotos,

I used your instructions but after that my vpn doesnt connect. It gives the below error in logs


10/4/12 5:29:12.147 PM configd[23]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0

10/4/12 5:29:12.241 PM configd[23]: IPSec Phase1 starting.

10/4/12 5:29:12.241 PM configd[23]: IPSec port-mapping update for en1 indicates no NAT. Public Address: a8f4136c, Protocol: None, Private Port: 0, Public Port: 0.

10/4/12 5:29:22.241 PM configd[23]: IPSec disconnecting from server 165.244.164.5

10/4/12 5:29:22.241 PM racoon[41759]: IPSec disconnecting from server 165.244.164.5

10/4/12 5:29:22.246 PM racoon[41759]: IPSec disconnecting from server 165.244.164.5


Once I change the racoon.conf to point to /var/run/racoon/*.conf it starts working again. even if I keep the generated conf file in a different directory even then its not working. The only time it will work is when racoon.conf is pointing to /var/run/racoon/*.conf. Any other path just fails.


Any help is highly appreciated.

Rgds,

Anand

Oct 7, 2012 9:46 AM in response to Andyjhs1

Unfortunately Andyjhs1 I have no idea what is wrong with your configuration. You should provide more info (for example are you on Lion or ML, a tcpump if possible, etc.) and somebody might be able to help you.


Due to the many bugs found in the IPSec Apple configuration I gave up on racoon and decided to start using vpnc. One of the problems I had was that even tho the VPN tunnel worked non-stop, whenever I closed the VPN connection, networking stopped working (pun) and somehow the routes got messed up. The only workaround was to pull the ethernet plug / on-off the WiFi which resets networking and the routes. Totally broke my nerves after a month.


Last month I brewed the latest version of vpnc (0.5.3). The configuration was a breeze and everything is working fine. Also allows me to setup some custom routes that where not being offered by the our Cisco (our admins got lazy!) and there was no way to configure using System Preferences.


Yes, I'd definately love a native Apple-supported working solution but until then vpnc will do.

Built-in IPsec VPN randomly drops to Cisco VPN server

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.