Built-in IPsec VPN randomly drops to Cisco VPN server

I'm using the built-in IPsec VPN client on Lion and the VPN connection randomly drops. I've found this in the system.log file corresponding to the time when the connection drops:


Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 started (Initiated by me).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 established (Initiated by me).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: receive success. (Information message).
Aug 20 10:00:34 MBP racoon[38259]: IPSec Extended Authentication requested.
Aug 20 10:00:34 MBP configd[16]: IPSec requesting Extended Authentication.
Aug 20 10:00:34 MBP configd[16]: IPSec Controller: XAuth reauthentication dialog required, so connection aborted
Aug 20 10:00:34 MBP configd[16]: IPSec disconnecting from server xx.xx.xx.xx
Aug 20 10:00:34 MBP racoon[38259]: IPSec disconnecting from server xx.xx.xx.xx
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Information message).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Information message).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).


Is there a hint here as to any configuration I can change on the MBP, or anything I can ask the network admin to change on the Cisco device to resolve this?


Thanks,

Guy

MacBook Pro, Mac OS X (10.7)

Posted on Aug 20, 2011 8:33 AM

75 replies
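An added example, not from the original post or from Apple's tooling: the script below parses racoon/configd syslog lines of the kind quoted above and, for each "XAuth reauthentication dialog required, so connection aborted" event, reports how many Phase 1 exchanges the racoon process had completed and the time between the last two. That interval is the server's rekey period, which is the number to take to the network admin. The 09:15:34 lines in the sample are constructed to stand in for the initial connect 45 minutes earlier (reusing message texts that appear in the post); the year 2011 is assumed because syslog timestamps carry none.

```python
#!/usr/bin/env python3
"""Find the "XAuth reauthentication dialog required" drop in racoon/configd
syslog lines and measure the Phase 1 interval that precedes it."""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PHASE1_MSG = "IPSec Phase1 established"
ABORT_MSG = "XAuth reauthentication dialog required, so connection aborted"
LOG_YEAR = 2011  # assumption: syslog lines carry no year; the post is from Aug 2011

# Sample input: the 10:00:34 lines are from the post above; the 09:15:34 lines are
# constructed to represent the initial connect 45 minutes earlier.
SAMPLE_LOG = """\
Aug 20 09:15:34 MBP racoon[38259]: IPSec Phase1 started (Initiated by me).
Aug 20 09:15:34 MBP racoon[38259]: IPSec Phase1 established (Initiated by me).
Aug 20 09:15:34 MBP racoon[38259]: IPSec Extended Authentication requested.
Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 started (Initiated by me).
Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 established (Initiated by me).
Aug 20 10:00:34 MBP racoon[38259]: IPSec Extended Authentication requested.
Aug 20 10:00:34 MBP configd[16]: IPSec requesting Extended Authentication.
Aug 20 10:00:34 MBP configd[16]: IPSec Controller: XAuth reauthentication dialog required, so connection aborted
Aug 20 10:00:34 MBP configd[16]: IPSec disconnecting from server xx.xx.xx.xx
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
"""


def parse_ts(ts):
    """Parse a BSD syslog timestamp (no year) into a datetime."""
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def analyze(log_text):
    """Return one finding per XAuth abort: how many Phase 1 exchanges the racoon
    process had completed and the minutes between the last two (rekey period)."""
    phase1_by_pid = {}      # racoon pid -> Phase 1 establishment times
    last_racoon_pid = None
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when, msg = parse_ts(m["ts"]), m["msg"]
        if m["proc"] == "racoon":
            last_racoon_pid = m["pid"]
            if PHASE1_MSG in msg:
                phase1_by_pid.setdefault(m["pid"], []).append(when)
        elif ABORT_MSG in msg:
            # configd logs the abort; attribute it to the racoon process seen last
            times = phase1_by_pid.get(last_racoon_pid, [])
            interval = None
            if len(times) >= 2:
                interval = (times[-1] - times[-2]).total_seconds() / 60
            findings.append({
                "time": when,
                "racoon_pid": last_racoon_pid,
                "phase1_count": len(times),
                "rekey_interval_min": interval,
                "kind": "rekey-triggered" if interval is not None else "first-connect",
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        line = (f"{f['time']:%b %d %H:%M:%S} racoon[{f['racoon_pid']}]: XAuth abort "
                f"after {f['phase1_count']} Phase 1 exchange(s)")
        if f["rekey_interval_min"] is not None:
            line += f"; rekey interval {f['rekey_interval_min']:.0f} min"
        print(f"{line} [{f['kind']}]")
```

Run it against a real capture with `analyze(open("/var/log/system.log").read())`; an abort classified as rekey-triggered with a stable interval (45 minutes in the sample) is the pattern the bug report further down describes, whereas an abort after a single Phase 1 points at a problem with the first authentication rather than rekeying.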

Oct 16, 2012 1:56 PM in response to GuyHelmer

Well,


After reading this, I am happy that I am not insane. It is VPN device independent. I am using the built-in client on 10.6.8 and connecting to Fortinet devices. iPhones and iPads work fine, iMacs drop around the 45 minute mark. I have a distributed setup, so I am going to try that automated patch and let you know.


I would seriously like Apple to fix this natively.

Jan 15, 2013 5:55 AM in response to amsoares

Hey amsoares,


my bug report was marked as a duplicate of #11871577 which is still Open. So Apple certainly knows about it. The question is when / whether they will do anything about it.


Allegedly, internally Apple prioritizes bugs based on the buzz they generate on the Radar. So if you want to help out and you are a developer or have a developer Apple ID handy, log in to the bug reporter and create a new bug report, preferably referencing either my bug # or the one above.


My bug report was:


07-Oct-2012 07:16 PM Fotos Georgiadis:


Summary:

The built-in IPsec VPN drops connection with the message "IPSec Controller: XAuth reauthentication dialog required, so connection aborted". Since the most common Cisco configuration out there is to have an IKE rekey attempt every 45 or so minutes, this makes remote work cumbersome.


Steps to Reproduce:

1. Create an IPSec VPN connection to a Cisco endpoint (through System Preferences).

2. The security-association lifetime and policy on the Cisco should be small enough (3 minutes for triggering the problem). The default is 45 to 60 minutes.

3. Connect to the VPN

4. Watch as the lifetime of the connection passes by:

$ sudo racoonctl ss ipsec

5. When the time ends the connection will be dropped and the message "IPSec Controller: XAuth reauthentication dialog required, so connection aborted" will be printed in the console.


Unfortunately I don't have access to the precise Cisco configuration that will trigger the issue. But as you can also see in the thread mentioned below it's a common occurrence and other people might be able to provide a detailed configuration.


Expected Results:

The connection should stay up, or at least provide a dialog asking for credentials (again).


Actual Results:

The connection drops.


Notes:


Much more info (and a workaround) provided on this thread:

https://discussions.apple.com/thread/3275811


Detailed explanation tracing the issue in the source code:

https://discussions.apple.com/thread/3275811


Workaround:

https://discussions.apple.com/thread/3275811


Hope you manage to solve your issue. Didn't my suggested workaround work for your client?

Jan 15, 2013 7:45 AM in response to Fotos Georgiadis

Fotos,


Thank you very much for your answer. I think the customer tried the workaround you found without success but I will check that again. In this case, I am the Cisco guy. I opened a case with Cisco and they say the problem is on the Apple side and that they cannot do anything. They have a bug as well but it's marked as closed:

+++++++++++++++++++++++++++++
CSCsh67528 Bug Details

L2TP/IPsec OSX client disconnection after 45 minutes when NAT-T is used

Symptom:
L2TP/IPsec OSX client disconnects after 45 minutes

Conditions:
If NAT is in the middle and NAT-T is negotiated.

Workaround:
Use latest MacOS Client 10.7.3 and ASA version above
8.2.5.21, 8.3.2.29 or 8.4.3.

Further Problem Description:
The OSX side fails to rekey the Phase 1 as initiated by the ASA
+++++++++++++++++++++++++++++

The workaround they mention is not valid either.


Thanks.

Jan 15, 2013 8:56 AM in response to mckinasole

#!/bin/bash
# Workaround helper for the Cisco IPsec "XAuth reauthentication dialog required"
# drop: moves the per-connection racoon config out of /var/run/racoon (where the
# VPN client regenerates it on every connect) into /etc/racoon/remote and raises
# its lifetime. All subcommands write under /etc, so run the script with sudo.

EXPECTED_ARGS=1
E_BADARGS=65

printHelp ()
{
    echo
    echo -e "\tPurpose: For fixing and unfixing your vpn connections"
    echo -e "\tUsage: sudo $(basename "$0") [options]\n"
    echo -e "\tOptions"
    echo -e "\tprep\t - fixes racoon.conf. Run only once!!!"
    echo -e "\t\t this adds --> include \"/etc/racoon/remote/*.conf\" to /etc/racoon/racoon.conf \n"
    echo -e "\tunprep\t - unfixes racoon.conf."
    echo -e "\t\t this removes --> include \"/etc/racoon/remote/*.conf\" from /etc/racoon/racoon.conf \n"
    echo -e "\tfix\t - run after you login to the vpn. This will disconnect you!"
    echo -e "\t\t This will change the lifetime to 168 hours in the IP.conf file\n"
    echo -e "\tunfix\t - run after you're done with the vpn."
    echo -e "\t\t Do this if you need to connect to another location or you can't connect to the vpn.\n"
}

if [ $# -lt $EXPECTED_ARGS ]
then
    printHelp
    exit $E_BADARGS
fi

# Note on sed: BSD sed on OS X requires a backup suffix after -i, so an empty
# one ('') is passed explicitly. A bare "sed -i -e" would take "-e" as the
# suffix and leave "<file>-e" copies behind.

#################
if [ "$1" = prep ]
then
    mkdir -p /etc/racoon/remote
    echo -e "creating directory /etc/racoon/remote \n"
    cp -a /etc/racoon/racoon.conf /etc/racoon/racoon.conf.orig
    echo -e "backing up /etc/racoon/racoon.conf to /etc/racoon/racoon.conf.orig\n"
    echo 'include "/etc/racoon/remote/*.conf" ;' >> /etc/racoon/racoon.conf
    echo -e 'adding this line --> include "/etc/racoon/remote/*.conf" ; <-- to end of /etc/racoon/racoon.conf\n'
fi

#################
if [ "$1" = unprep ]
then
    rm -rf /etc/racoon/remote
    echo -e "removing directory /etc/racoon/remote \n"
    sed -i '' -e '/include "\/etc\/racoon\/remote\/\*\.conf" ;/d' /etc/racoon/racoon.conf
    echo -e 'removing lines --> include "/etc/racoon/remote/*.conf" ; <-- from /etc/racoon/racoon.conf\n'
fi

#################
if [ "$1" = fix ]
then
    # Take over the <server IP>.conf the client wrote at connect time.
    mv /var/run/racoon/*.conf /etc/racoon/remote
    # Stop racoon from also loading the client-managed copies.
    sed -i '' -e 's~include "/var/run/racoon/\*\.conf"~#include "/var/run/racoon/\*\.conf"~' /etc/racoon/racoon.conf
    # Replace the 1 hour default lifetime with 168 hours.
    sed -i '' -e 's/lifetime time 3600 sec/lifetime time 168 hours/' /etc/racoon/remote/*.conf
    launchctl stop com.apple.racoon
    launchctl start com.apple.racoon
fi

#################
if [ "$1" = unfix ]
then
    sed -i '' -e 's~#include "/var/run/racoon/\*\.conf"~include "/var/run/racoon/\*\.conf"~' /etc/racoon/racoon.conf
    rm -f /etc/racoon/remote/*
    launchctl stop com.apple.racoon
    launchctl start com.apple.racoon
fi

#################

Jan 15, 2013 1:58 PM in response to amsoares

Hello again amsoares,


I couldn't change the Cisco configuration (beyond my control), but as I mentioned above you could either change the security association lifetime, as I already have hinted above in a previous reply, using:


crypto ipsec security-association lifetime


or change the default lifetime of the isakmp policy:


crypto isakmp policy


Keep in mind that I haven't tried any of these, they might work, they might not, they have security implications which you should fully understand before changing things, and of course all standard disclaimers apply, etc. etc. Please consult your Cisco documentation or Cisco directly if you change these settings in a production environment.


As Cisco said the problem lies on Apple's side. You could try the script posted by mckinasole below, who, unfortunately, replied in the wrong question. The script basically does what I described in my solution above but in an automated / scripted way. 😉 I haven't tried the script either, so YMMV.


Good luck!

Jan 16, 2013 6:16 AM in response to amsoares

Hello amsoares,


honestly I have no idea if L2TP / IPsec connections are set up through racoon or a different process. The script and the workaround are for the "Cisco IPsec" option. Haven't tried it with L2TP / IPsec, which might set up the connection in a completely different way. Yes, people here talk about the IPsec option not the L2TP / IPSec one, AFAIK.


If I were you, I'd get my hands on a Mac and try to debug it from there. It's kinda futile if you can't test things yourself.


Regards

Feb 8, 2013 3:31 AM in response to GuyHelmer

I too have logged a bug: 13015443 - duplicate of #11871577 and have had a response. I was told to:


as root edit /etc/racoon/racoon.conf


uncomment the line:

#log debug;

and add the line:

path logfile "/var/log/racoon.log";



And send them the log. So I had another machine which I did not apply the fix to and sent them the log after it disconnected. I will let you know when I get an update.

Mar 7, 2013 4:15 AM in response to Fotos Georgiadis

Hi there


I have made the exact changes, however my connection is still picking up a key life of 3600. This is the output:



sudo racoonctl ss ipsec
192.168.16.76 195.99.192.84
	esp mode=tunnel spi=3835192342(0xe4986416) reqid=0(0x00000000)
	E: aes-cbc 72e6332f fdb28718 74c335f8 beb65d4a 5272d5d4 eb4bae29 89b707b6 d7ab8be9
	A: hmac-sha1 50bfbd0d 0ca4dcc6 1059c768 2ea767a4 314cd7bd
	seq=0x000000bb replay=4 flags=0x00000006 state=mature
	created: Mar 7 12:12:51 2013 current: Mar 7 12:12:57 2013
	diff: 6(s) hard: 3600(s) soft: 2880(s)
	last: Mar 7 12:12:57 2013 hard: 0(s) soft: 0(s)
	current: 55744(bytes) hard: 0(bytes) soft: 0(bytes)
	allocated: 187 hard: 0 soft: 0
	sadb_seq=1 pid=9712 refcnt=2
195.99.192.84 192.168.16.76
	esp mode=tunnel spi=208470779(0x0c6d02fb) reqid=0(0x00000000)
	E: aes-cbc fa3964d5 359abf9c 8b0d20ea acf2fcdc c48bd526 41f4fd7b b5264680 82378a31
	A: hmac-sha1 a7f1edd3 d2f3ca50 d4790813 0fba2513 40b8856c
	seq=0x00000057 replay=4 flags=0x00000006 state=mature
	created: Mar 7 12:12:51 2013 current: Mar 7 12:12:57 2013
	diff: 6(s) hard: 3600(s) soft: 2880(s)
	last: Mar 7 12:12:56 2013 hard: 0(s) soft: 0(s)
	current: 15382(bytes) hard: 0(bytes) soft: 0(bytes)
	allocated: 87 hard: 0 soft: 0
	sadb_seq=0 pid=9712 refcnt=2



I have followed the instructions, not sure why it still is not working?
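An added example, not from the thread or from Apple's tooling, serving both step 4 of the bug report above ("watch as the lifetime of the connection passes by" with `racoonctl ss ipsec`) and the output in this last post: it parses the `racoonctl ss ipsec` dump into one record per ESP SA, computes the remaining hard lifetime, and flags SAs whose hard lifetime is not the 168 hours (604800 s) the workaround script writes. The sample input is the output quoted in the post above with the E:/A: key lines left out; the 604800 s expectation assumes the `lifetime time 168 hours` edit from the script, which is the only place that value comes from.

```python
#!/usr/bin/env python3
"""Parse 'sudo racoonctl ss ipsec' output and report per-SA lifetimes, flagging
SAs still on the 3600-second default instead of the 168-hour workaround value."""
import re

PAIR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})$")
SA_RE = re.compile(r"^(esp|ah)\s+mode=(\w+)\s+spi=(\d+)\(0x[0-9a-f]+\)")
LIFE_RE = re.compile(r"^diff:\s*(\d+)\(s\)\s+hard:\s*(\d+)\(s\)\s+soft:\s*(\d+)\(s\)")
STATE_RE = re.compile(r"state=(\w+)")

DEFAULT_HARD_S = 3600        # "lifetime time 3600 sec" as generated by the client
FIXED_HARD_S = 168 * 3600    # "lifetime time 168 hours" written by the workaround script

# Sample input: the racoonctl output quoted in the post above (key lines omitted).
SAMPLE_DUMP = """\
192.168.16.76 195.99.192.84
    esp mode=tunnel spi=3835192342(0xe4986416) reqid=0(0x00000000)
    seq=0x000000bb replay=4 flags=0x00000006 state=mature
    created: Mar 7 12:12:51 2013 current: Mar 7 12:12:57 2013
    diff: 6(s) hard: 3600(s) soft: 2880(s)
    last: Mar 7 12:12:57 2013 hard: 0(s) soft: 0(s)
    current: 55744(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 187 hard: 0 soft: 0
    sadb_seq=1 pid=9712 refcnt=2
195.99.192.84 192.168.16.76
    esp mode=tunnel spi=208470779(0x0c6d02fb) reqid=0(0x00000000)
    seq=0x00000057 replay=4 flags=0x00000006 state=mature
    created: Mar 7 12:12:51 2013 current: Mar 7 12:12:57 2013
    diff: 6(s) hard: 3600(s) soft: 2880(s)
    last: Mar 7 12:12:56 2013 hard: 0(s) soft: 0(s)
    current: 15382(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 87 hard: 0 soft: 0
    sadb_seq=0 pid=9712 refcnt=2
"""


def parse_sa_dump(text):
    """Return a list of dicts, one per SA, keyed by src/dst with spi, state and
    the seconds-based lifetime counters (age, hard, soft, remaining)."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PAIR_RE.match(line)):
            cur = {"src": m[1], "dst": m[2]}      # a new "src dst" header starts an SA
            sas.append(cur)
        elif cur is None:
            continue                               # skip anything before the first header
        elif (m := SA_RE.match(line)):
            cur.update(proto=m[1], mode=m[2], spi=int(m[3]))
        elif (m := LIFE_RE.match(line)):           # only the "diff:" line carries seconds
            age, hard, soft = (int(x) for x in m.groups())
            cur.update(age_s=age, hard_s=hard, soft_s=soft,
                       remaining_s=hard - age if hard else None)
        elif (m := STATE_RE.search(line)):
            cur["state"] = m[1]
    return sas


def check_lifetimes(sas, expected_hard_s=FIXED_HARD_S):
    """Return one message per SA whose hard lifetime differs from the expected value."""
    problems = []
    for sa in sas:
        hard = sa.get("hard_s")
        if hard != expected_hard_s:
            why = "client default still in effect" if hard == DEFAULT_HARD_S else "unexpected"
            problems.append(f"{sa['src']} -> {sa['dst']} spi={sa.get('spi')}: "
                            f"hard lifetime {hard}s ({why}), expected {expected_hard_s}s")
    return problems


if __name__ == "__main__":
    parsed = parse_sa_dump(SAMPLE_DUMP)
    for sa in parsed:
        print(f"{sa['src']} -> {sa['dst']} {sa['proto']} spi={sa['spi']} state={sa['state']} "
              f"age={sa['age_s']}s hard={sa['hard_s']}s remaining={sa['remaining_s']}s")
    for msg in check_lifetimes(parsed):
        print("WARN", msg)
```

Feed it live output with `parse_sa_dump(subprocess.run(["sudo", "racoonctl", "ss", "ipsec"], capture_output=True, text=True).stdout)`. If both directions still report `hard: 3600(s)` after running the script's `fix`, as in the post above, the SA was not negotiated from the edited config. Note that `ss ipsec` lists the Phase 2 (ESP) SAs; the Phase 1 (ISAKMP) SA, whose rekey the Cisco bug text above ties to the disconnect, is shown by `racoonctl show-sa isakmp`.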