
Built-in IPsec VPN randomly drops to Cisco VPN server

I'm using the built-in IPsec VPN client on Lion and the VPN connection randomly drops. I've found this in the system.log file corresponding to the time when the connection drops:


Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 started (Initiated by me).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 established (Initiated by me).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: receive success. (Information message).
Aug 20 10:00:34 MBP racoon[38259]: IPSec Extended Authentication requested.
Aug 20 10:00:34 MBP configd[16]: IPSec requesting Extended Authentication.
Aug 20 10:00:34 MBP configd[16]: IPSec Controller: XAuth reauthentication dialog required, so connection aborted
Aug 20 10:00:34 MBP configd[16]: IPSec disconnecting from server xx.xx.xx.xx
Aug 20 10:00:34 MBP racoon[38259]: IPSec disconnecting from server xx.xx.xx.xx
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Information message).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Information message).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).


Is there a hint here as to any configuration I can change on the MBP, or anything I can ask the network admin to change on the Cisco device to resolve this?


Thanks,

Guy

MacBook Pro, Mac OS X (10.7)

Posted on Aug 20, 2011 8:33 AM

75 replies

Apr 7, 2014 8:11 AM in response to Fotos Georgiadis

So digging into this a bit more I used:

sudo fs_usage | grep /var/run/racoon

and opened a VPN to find out what creates the racoon .conf files for the VPN with the default 3600 seconds timeout.

This showed it was the configd daemon:

14:44:31 lstat64 private/var/run/racoon/W.X.Y.Z.conf 0.000015 configd
14:44:31 stat64 private/var/run/racoon 0.000008 configd
14:44:31 open private/var/run/racoon/W.X.Y.Z.conf 0.000084 configd
14:44:31 open private/var/run/racoon.pid 0.000006 configd


Digging around in the apple source code it appears the line of code that sets the proposal Lifetime might be configurable through configuration:

http://www.opensource.apple.com/source/ppp/ppp-233.0.2/Helpers/vpnd/ipsec_utils.c


proposals = CFDictionaryGetValue(ipsec_dict, kRASPropIPSecProposals);
if (isArray(proposals))
    nb = CFArrayGetCount(proposals);

do {
    if (nb) {
        proposal = CFArrayGetValueAtIndex(proposals, i);
        if (!isDictionary(proposal))
            FAIL("incorrect phase 1 proposal");
    }

    WRITE("\n");
    WRITE("proposal {\n");

    if (configure_proposal(level + 1, file, ipsec_dict, proposal, errstr))
        goto fail;

    WRITE("}\n");

} while (++i < nb);

-------------------------------------------- snip snip -------------------------------------

static int configure_proposal(int level, FILE *file, CFDictionaryRef ipsec_dict, CFDictionaryRef proposal_dict, char **errstr);

-------------------------------------------- snip snip -------------------------------------

/*
    Lifetime is OPTIONAL
*/
{
    u_int32_t lval = 3600;
    if (proposal_dict) {
        GetIntFromDict(proposal_dict, kRASPropIPSecProposalLifetime, &lval, 3600);
    }
    sprintf(text, "lifetime time %d sec;\n", lval);
    WRITE(text);
}


But I couldn't figure out where this function is defined to trace where the configuration file might be:

CFDictionaryGetValue(ipsec_dict, kRASPropIPSecProposals);


Any ideas anyone?


The 45 min to 1 hour VPN cut-off is a major PITA!

And in case Apple think they're gods, vpnc under Linux works fine.


Cheers,

racitup


Fotos Georgiadis wrote:


I have the same problem with the VPN dropping after ~45 minutes.


matthew4130 is correct. There is an IKE rekey attempt every 45 or so minutes. The default ipsec SA lifetime is an hour (3600 seconds). The lifetime is configured, on Cisco routers, using the command:

crypto ipsec security-association lifetime


Also the default isakmp policy lifetime is a day (86400 seconds) but a lot of administrators lower this for security reasons:

crypto isakmp policy


AFAIK the problem isn't related to aggressive mode or main mode being selected, both of which are explained here:

https://supportforums.cisco.com/docs/DOC-8125


Most likely what matthew4130 sees is that when main mode is enabled a different crypto group, with a bigger lifetime, is selected for the security association (lucky you!). IMHO you shouldn't change the lifetime since 1 hour is reasonable to prevent key recovery attacks.


You can also see the SA lifetime of YOUR ipsec connection using this terminal command on your Mac:

$ sudo racoonctl ss ipsec


You should see something like this:

diff: 140(s) hard: 3600(s) soft: 2880(s)


Digging deeper into this I decided to check the (open) source code for ppp available by Apple here:

http://www.opensource.apple.com/source/ppp/ppp-560.14.2/


As you can see in ipsec_manager.c function process_racoon_msg() the connection is dropped with the message you are seeing (IPSec Controller: XAuth reauthentication dialog required, so connection aborted) when a REAUTHINFO message is received and the flag XAUTH_MUST_PROMPT is set in the xauth_flags.


Note that this code is enabled only when the OS is not for embedded devices (i.e. iPad, iPhone, etc). The message is discarded on those devices and that's why you won't see the 1 hour limit on the iPad or the iPhone.


Now the fix seems easy: instead of dropping the connection when XAuth is requested, at least prompt the user for the password again using process_xauth_need_info().


Also, if you look at an older version of ipsec_manager.c (412.5), that was the previous behavior: reauthenticating instead of dropping the connection. No idea why Apple changed (actually broke 🙂) this!


BTW when sending the phase2 command to racoon with racoon_send_cmd_start_ph2() there seems to be a hardcoded default lifetime of 3600 seconds...


All we have to do now is get an Apple engineer to see this post and fix the code!


-fotos


PS1. The IPSec source code is a mess. 😟

PS2. I logged in with my Apple ID to post this and now my username is stuck as my full name. Privacy fail? 😟
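Two checks for what the thread describes, as an added example that is not from the thread or from Apple's code: it recognises the racoon/configd message sequence from the question in system.log lines, and turns the numbers from fotos's `racoonctl ss ipsec` output into seconds left before the soft (rekey) and hard lifetimes expire. The sample log lines and the regexes are mine (constructed); only the message texts are those quoted in the thread.

```python
import re

# Constructed sample, shaped like the system.log excerpt quoted in the question.
SAMPLE_LOG = """\
Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 established (Initiated by me).
Aug 20 10:00:34 MBP racoon[38259]: IPSec Extended Authentication requested.
Aug 20 10:00:34 MBP configd[16]: IPSec requesting Extended Authentication.
Aug 20 10:00:34 MBP configd[16]: IPSec Controller: XAuth reauthentication dialog required, so connection aborted
Aug 20 10:00:34 MBP configd[16]: IPSec disconnecting from server xx.xx.xx.xx
"""

# syslog prefix: "Mon DD HH:MM:SS host process[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
                     r"(?P<proc>[A-Za-z_]+)\[\d+\]: (?P<msg>.*)$")
# "racoonctl ss ipsec" lifetime line, e.g. "diff: 140(s) hard: 3600(s) soft: 2880(s)"
SS_RE = re.compile(r"diff:\s*(\d+)\(s\)\s+hard:\s*(\d+)\(s\)\s+soft:\s*(\d+)\(s\)")


def parse_syslog(text):
    """Return (timestamp, process, message) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["proc"], m["msg"]))
    return events


def classify_drop(events):
    """'xauth-reauth-abort' when configd aborted after racoon asked for XAuth
    (the thread's symptom), 'other-disconnect' for any other drop, None if no drop."""
    xauth_requested = aborted = disconnected = False
    for _ts, proc, msg in events:
        if proc == "racoon" and msg.startswith("IPSec Extended Authentication requested"):
            xauth_requested = True
        elif proc == "configd" and "XAuth reauthentication dialog required" in msg:
            aborted = xauth_requested  # only meaningful after the XAuth request
        elif "IPSec disconnecting from server" in msg:
            disconnected = True
    if disconnected and aborted:
        return "xauth-reauth-abort"
    return "other-disconnect" if disconnected else None


def sa_time_left(ss_line):
    """From a racoonctl ss ipsec line return (seconds to soft/rekey, seconds to hard)."""
    m = SS_RE.search(ss_line)
    if not m:
        raise ValueError("not a racoonctl lifetime line: %r" % ss_line)
    diff, hard, soft = map(int, m.groups())  # diff = seconds since SA establishment
    return soft - diff, hard - diff
```

With fotos's numbers the soft lifetime is 80% of the hard one, which is why the rekey (and the abort) lands around the 45-48 minute mark rather than at the full hour.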

May 15, 2014 3:47 PM in response to GuyHelmer

A while back I had written a simple script to overcome this issue and it still works to this day. I am posting it again for your convenience. However, I just noticed on today's 10.9.3 update that there is a reliability fix for VPN IPsec; I'm curious to see if it actually fixes this.


#!/bin/bash

EXPECTED_ARGS=1
E_BADARGS=65

printHelp ()
{
    echo
    echo -e "\tPurpose: For fixing and unfixing your vpn connections"
    echo -e "\tUsage: sudo $(basename "$0") [options]\n"
    echo -e "\tOptions"
    echo -e "\tprep\t - fixes racoon.conf. Run only once!!!"
    echo -e "\t\t this adds --> include \"/etc/racoon/remote/*.conf\" to /etc/racoon/racoon.conf \n"
    echo -e "\tunprep\t - unfixes racoon.conf."
    echo -e "\t\t this removes --> include \"/etc/racoon/remote/*.conf\" from /etc/racoon/racoon.conf \n"
    echo -e "\tfix\t - run after you login to the vpn. This will disconnect you!"
    echo -e "\t\t This will change the lifetime to 168 hours in the IP.conf file\n"
    echo -e "\tunfix\t - run after you're done with the vpn."
    echo -e "\t\t Do this if you need to connect to another location or you can't connect to the vpn.\n"
}

if [ $# -lt $EXPECTED_ARGS ]
then
    printHelp
    exit $E_BADARGS
fi

#################
if [ "$1" = prep ]
then
    mkdir -p /etc/racoon/remote
    echo -e "creating directory /etc/racoon/remote \n"
    cp -a /etc/racoon/racoon.conf /etc/racoon/racoon.conf.orig
    echo -e "backing up /etc/racoon/racoon.conf to /etc/racoon/racoon.conf.orig\n"

    echo 'include "/etc/racoon/remote/*.conf" ;' >> /etc/racoon/racoon.conf
    echo -e 'adding this line --> include "/etc/racoon/remote/*.conf" ; <-- to end of /etc/racoon/racoon.conf\n'
fi

#################
if [ "$1" = unprep ]
then
    rm -rf /etc/racoon/remote
    echo -e "removing directory /etc/racoon/remote \n"

    # BSD sed on OS X needs an explicit (here empty) backup suffix after -i,
    # otherwise "-e" is taken as the suffix and a stray *-e backup file is left behind
    sed -i '' -e '/include "\/etc\/racoon\/remote\/\*\.conf" ;/d' /etc/racoon/racoon.conf
    echo -e 'removing lines --> include "/etc/racoon/remote/*.conf" ; <-- from /etc/racoon/racoon.conf\n'
fi

#################
if [ "$1" = fix ]
then
    # move the per-server config configd generated into the directory racoon now includes
    mv /var/run/racoon/*.conf /etc/racoon/remote

    # stop racoon from also reading the original (3600 sec) copies
    sed -i '' -e 's~include "/var/run/racoon/\*\.conf"~#include "/var/run/racoon/\*\.conf"~' /etc/racoon/racoon.conf

    sed -i '' -e 's/lifetime time 3600 sec/lifetime time 168 hours/' /etc/racoon/remote/*.conf

    launchctl stop com.apple.racoon
    launchctl start com.apple.racoon
fi

#################
if [ "$1" = unfix ]
then
    sed -i '' -e 's~#include "/var/run/racoon/\*\.conf"~include "/var/run/racoon/\*\.conf"~' /etc/racoon/racoon.conf
    rm -f /etc/racoon/remote/*

    launchctl stop com.apple.racoon
    launchctl start com.apple.racoon
fi

#################

May 15, 2014 4:39 PM in response to GuyHelmer

I posted here a long time ago mainly because the old Cisco VPN Client did not work with 64 bit and I was trying to get the native VPN to work as a 64 bit solution. While we could argue that the native solution would be ideal if it worked, it's worth noting that the newer Cisco AnyConnect Secure Mobility Client works well with 64 bit on 10.7, 10.8, and 10.9. I've been using it for quite a while now. I have version 3.1.03103. It's not available for free download from Cisco but you should be able to get it from your IT organization (assuming you need VPN for work). Sometimes they will complain a bit that you need the Mac version ;-)

Jun 16, 2014 2:03 PM in response to skinnyoldcoot

I call on ALL who have this problem: send feedback to http://www.apple.com/feedback/macosx.html

The problem has been here since 2011.

I tried to build ipsec (racoon) from the Apple open source for 10.9.0-10.9.2 in order to patch it. These sources can't be built as downloaded (syntax errors + some functions missing from the open source).


I think the only right way is many feedbacks. After that, Apple (maybe) can plan to fix the bug at 1st priority (or in a reasonable time).

Jun 26, 2014 9:03 AM in response to mckinasole

I've also been long suffering from this problem. The recent updates with Mavericks and one to the VPN client haven't helped. The main problem seems to be that there is no way to change the SA proposal setting in the client.


Anyway, the script/workaround mckinasole posted works for me with some caveats, as I run multiple VPN connections and need to set up new ones regularly.

I added some functionality and put the script up on github. https://github.com/thomasrutkowski/vpnfix

Dec 28, 2015 12:40 AM in response to mckinasole

In the newest version OSX 10.11.2 (El Capitan) the problem still exists. I am managing about 30 windows servers behind a cisco vpn so I have to use the VPN every day, all day. I have installed a windows desktop using virtualbox now to be able to maintain the VPN connection.


The script helps, but only for one occasion. After a reboot, or coming out of hibernation, I cannot use the VPN anymore. It says it has encountered an unexpected error. The only way to fix this is to change the include setting in the racoon.conf file back to the /var/run/racoon location. After that, it works instantaneously, but for only 45 minutes of connection time. It is driving me nuts...

May 13, 2016 5:31 AM in response to FJS_NY

I have read this article with interest as I'm in the same position as most here, in that I need to use VPN for more than one hour at a time.

I must say that I'm absolutely put off and disgusted by the way this is being handled by the firm responsible.

===


Having said that, does anyone know why this seems to malfunction mostly when using Cisco routers but seems to be working properly with many other router types?


Kind regards

Hans
