Built-in IPsec VPN randomly drops to Cisco VPN server

So digging into this a bit more I used:

sudo fs_usage | grep /var/run/racoon

and opened a VPN to find out what creates the racoon .conf files for the VPN with the default 3600 seconds timeout.

This showed it was the configd daemon

14:44:31 lstat64 private/var/run/racoon/W.X.Y.Z.conf 0.000015 configd

14:44:31 stat64 private/var/run/racoon 0.000008 configd

14:44:31 open private/var/run/racoon/W.X.Y.Z.conf 0.000084 configd

14:44:31 open private/var/run/racoon.pid 0.000006 configd

Digging around in the apple source code it appears the line of code that sets the proposal Lifetime might be configurable through configuration:

http://www.opensource.apple.com/source/ppp/ppp-233.0.2/Helpers/vpnd/ipsec_utils. c

proposals = CFDictionaryGetValue(ipsec_dict, kRASPropIPSecProposals);

if (isArray(proposals))

nb = CFArrayGetCount(proposals);

do {

if (nb) {

proposal = CFArrayGetValueAtIndex(proposals, i);

if (!isDictionary(proposal))

FAIL("incorrect phase 1 proposal");

}

WRITE("\n");

WRITE("proposal {\n");

if (configure_proposal(level + 1, file, ipsec_dict, proposal, errstr))

goto fail;

WRITE("}\n");

} while (++i < nb);

-------------------------------------------- snip snip -------------------------------------

static int configure_proposal(int level, FILE *file, CFDictionaryRef ipsec_dict, CFDictionaryRef proposal_dict, char **errstr);

-------------------------------------------- snip snip -------------------------------------

/*
Lifetime is OPTIONAL
*/

{

u_int32_t lval = 3600;

if (proposal_dict) {

GetIntFromDict(proposal_dict, kRASPropIPSecProposalLifetime, &lval, 3600);

}

sprintf(text, "lifetime time %d sec;\n", lval);

WRITE(text);

}

But I couldn't figure out where this function is defined to trace where the configuration file might be:

CFDictionaryGetValue(ipsec_dict, kRASPropIPSecProposals);

Any ideas anyone?

The 45min to 1 hour VPN cut off is a major PITA!

And in case Apple think they're gods, vpnc under Linux works fine .

Cheers,

racitup

Fotos Georgiadis wrote:

I have the same problem with the VPN dropping after ~45 minutes.

matthew4130 is correct. There is an IKE rekey attempt every 45 or so minutes. The default ipsec SA lifetime is an hour (3600 seconds). The lifetime is configured, on Cisco routers, using the command:

crypto ipsec security-association lifetime

Also the default isakmp policy lifetime is a day (86400 seconds) but a lot of administrators lower this for security reasons:

crypto isakmp policy

AFAIK the problem isn't related to aggressive mode or main mode being selected, which both are explained here:

https://supportforums.cisco.com/docs/DOC-8125

Most likely what matthew4130 sees is that when main mode is enabled a different crypto group, with a bigger lifetime, is selected for the security association (lucky you!). IMHO you shouldn't change the lifetime since 1 hour is reasonable to prevent key recovery attacks.

You can also see the SA lifetime of YOUR ipsec connection using this terminal command on your Mac:

$ sudo racoonctl ss ipsec

You should see something like this:

diff: 140(s)

hard: 3600(s)

soft: 2880(s)

Digging deeper into this I decided to check the (open) source code for ppp available by Apple here:

http://www.opensource.apple.com/source/ppp/ppp-560.14.2/

As you can see in ipsec_manager.c function process_racoon_msg() the connection is dropped with the message you are seeing (IPSec Controller: XAuth reauthentication dialog required, so connection aborted) when a REAUTHINFO message is received and the flag XAUTH_MUST_PROMPT is set in the xauth_flags.

Note that this code is enabled only when the OS is not for embedded devices (i.e. iPad, iPhone, etc). The message is discarded on those devices and that's why you won't see the 1 hour limit on the iPad or the iPhone.

Now the fix seems easy; instead of dropping the connection when xauth is requested at least prompt the user for the password again using process_xauth_need_info().

Also if you look at an older version of ipsec_manager.c(412.5) that was the previous behavior; reauthenticating instead of dropping the connection. No idea why Apple changed (actually broke 🙂) this!

BTW when sending the phase2 command to racoon with racoon_send_cmd_start_ph2() there seems to be a hardcoded default lifetime of 3600 seconds...

All we have to do now is get an Apple engineer to see this post and fix the code!

-fotos

PS1. The IPSec source code is a mess. 😟

PS2. I logged in with my Apple ID to post this and now my username is stuck as my full name. Privacy fail? 😟

Does this apply to Mavericks (10.9)?

A while back I had written a simple script to overcome this issue and it still works to this day. I am posting it again for your convenience. However, I just noticed on today's 10.9.3 update that their is a reliability fix for VPN IPsec, I'm curious to see if it actually fixes this.

#!/bin/bash

EXPECTED_ARGS=1

E_BADARGS=65

printHelp ()

{

echo

echo -e "\tPurpose: For fixing and unfixing your vpn connections"

echo -e "\tUsage: sudo `basename $0` [options]\n"

echo -e "\tOptions"

echo -e "\tprep\t - fixes racoon.conf. Run only once!!!"

echo -e "\t\t this adds --> include "/etc/racoon/remote/*.conf" to /etc/racoon/racoon.conf \n"

echo -e "\tunprep\t - unfixes racoon.conf."

echo -e "\t\t this removes --> include "/etc/racoon/remote/*.conf" from /etc/racoon/racoon.conf \n"

echo -e "\tfix\t - run after you login to the vpn. This will disconnect you!"

echo -e "\t\t This will change the lifetime to 168 hours in the IP.conf file\n"

echo -e "\tunfix\t - run after your done with the vpn."

echo -e "\t\t Do this if you need to connect to an other location or you can't connect to the vpn.\n"

}

if [ $# -lt $EXPECTED_ARGS ]

then

printHelp

exit $E_BADARGS

fi

#################

if [ $1 = prep ]

then

mkdir -p /etc/racoon/remote

echo -e "creating directory /etc/racoon/remote \n"

cp -a /etc/racoon/racoon.conf /etc/racoon/racoon.conf.orig

echo -e "backing up /etc/racoon/racoon.conf to /etc/racoon/racoon.conf.orig\n"

echo 'include "/etc/racoon/remote/*.conf" ;' >> /etc/racoon/racoon.conf

echo -e 'adding this line --> include "/etc/racoon/remote/*.conf" ;" <-- to end of /etc/racoon/racoon.conf\n'

fi

#################

if [ $1 = unprep ]

then

rm -rf /etc/racoon/remote

echo -e "removing directory /etc/racoon/remote \n"

sed -i -e '/include "\/etc\/racoon\/remote\/\*\.conf" ;/d' /etc/racoon/racoon.conf

echo -e 'removing lines --> include "/etc/racoon/remote/*.conf" ;" <-- from /etc/racoon/racoon.conf\n'

fi

#################

if [ $1 = fix ]

then

mv /var/run/racoon/*.conf /etc/racoon/remote

sed -i -e 's~include "/var/run/racoon/\*\.conf"~#include "/var/run/racoon/\*\.conf"~' /etc/racoon/racoon.conf

sed -i -e 's/lifetime time 3600 sec/lifetime time 168 hours/' /etc/racoon/remote/*.conf

launchctl stop com.apple.racoon

launchctl start com.apple.racoon

fi

#################

if [ $1 = unfix ]

then

sed -i -e 's~#include "/var/run/racoon/\*\.conf"~include "/var/run/racoon/\*\.conf"~' /etc/racoon/racoon.conf

rm -f /etc/racoon/remote/*

launchctl stop com.apple.racoon

launchctl start com.apple.racoon

fi

#################

I posted here a long time ago mainly because the old Cisco VPN Client did not work with 64 bit and I was trying to get the native VPN to work as a 64 bit solution. While we could argue that the native solution would be ideal if it worked, it's worth noting that the newer Cisco AnyConnect Secure Mobility Client works well with 64 bit on 10.7, 10.8, and 10.9. I've been using it for quite a while now. I have version 3.1.03103. It's not available for free download from Cisco but you should be able to get it from your IT organization (assuming you need VPN for work). Sometimes they will complain a bit that you need the Mac version ;-)

Is it fixed in 10.9.3?

10.9.3 made no difference for me.

I invoke ALL, who has this problem - get feedback to http://www.apple.com/feedback/macosx.html

The problem is still here from 2011 year.

I tried build ipsec(racoon) for patching from apple opensource for 10.9.0-10.9.2. These sources can't build (syntax error + missing some functions in opensource) as downloaded.

I think, only right way - many feedbacks. After that, Apple (maybe) can plan to fix the bug at the 1-st priority (or in reasonable time).

I've also been long suffering from this problem. The recent updates with Mavericks and one to the VPN client haven't helped. The main problem seems to be that these is no way to change the SA proposal setting in the client.

Anyway, The script/workaround mckinasole posted works for me with some caveats as I run multiple vpn connections and need to set up new ones regularly.

I added some functionality and put the script up on github. https://github.com/thomasrutkowski/vpnfix

Thank you! This script works great for me.

I don't know anything about applescript. When I try to compile the code, I get a syntax error "expected expression, but found end of line" after the bracket after printHelp (). What should I know about this script to run it without a syntax error? Thanks much for your help.

Save it as a "file.sh" then run it with "sudo sh file.sh prep" then "sudo sh file.sh fix"

Used the script a few posts up on 10.9.5 to fix Cisco IPSEC VPN's, worked fine! Thanks

Why isn't Apple fixing this...

In the newest version OSX 10.11.2 (El Capitan) the problem still exists. I am managing about 30 windows servers behind a cisco vpn so I have to use the VPN every day, all day. I have installed a windows desktop using virtualbox now to be able to maintain the VPN connection.

The script helps, but only for one occasion. After a reboot, or getting out of hibernation, I cannot use the VPN anymore. It says it has encoutered an unexpected error. The only way to fix this is to change back the include setting in the racoon.conf file to the /var/run/racoon location. After that, it works instantaneous, but for only 45 minutes of connection time. It is driving me nuts...

Hey Patsound,

I had a similar issue, with the script only working the first time. Try this

Backup the .conf file in /etc/racoon/remote/

Then open it to edit and look for line 8:

local_address xxx.xxx.xxx;

Remove or comment out this line.

I have read this article with interest as I'm in the same position as most here, in that I need to use VPN for more than one hour at a time.

I must say that I'm absolutely put off and disgusted by the way this is being handled by the firm responsible.

===

Having said that, does anyone know why this seems to malfunction mostly when using Cisco routers but seems to be working properly with many other router types?

Kind regards

Hans