yes sorry should of mentioned that.
The way I understand it is that once connected it should use the setting which are in /etc/racoon/ipaddress.conf which shows in a file in /var/run/racoon/ipaddress.conf
/var/run/racoon/ipaddress.conf seems to be defaulting back to the orignal settings so it's not picking it up even though in /etc/racoon/racoon.conf I have:
# include "/var/run/racoon/*.conf" ;
include "/etc/racoon/126.96.36.199.conf" ;
In regards to the IKE lifetime the lower of the two peers' lifetimes is used. On my Cisco router I have not changed the default from 24 hours but both the iphone and Mac (Lion) have defaults of 60 mins (3600 seconds).
"A match is made when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values, and when the policy of the remote peer specifies a lifetime less than or equal to the lifetime in the compared policy. If the lifetimes are not identical, the shorter lifetime—from the policy of the remote peer—is used."
The problem occurs on both Mac and Iphone. The problems are:
1. On the mac I have to manually re-enter my username and password at the 45 minute mark
2. On the iphone, at the 45 minute mark which I believe the first re-key attempt, the connection just drops and I have to VPN in again.
While the solution proposed is a good workaround for those on the mac the solution here does not solve either of the above issues and is only a workaround to delay the xauth re-authentication.
Apple please fix!
Fotos Georgiadis <<-- This guy is a genus!! Thanks buddy if you was here in america i would buy you a beer! Running 10.6.8 connecting to a Cisco 3945 configure as Easy VPN Server with XAUTH. Client connected but would drop at 1 hour ISAKMP SA lifetime was set to default 86400 sec but sho crypto isakmp sa lifetime was showing a count down from 1 hours! Goolged like crazy until a ran up on this tread. Saved me about $800 (plane ticket) and time away from my family just to go configure a vmware server that i need to stay connected to for more then an hour while I install software from a virtual disk mount!
Why cant apple just give us these parameters to change in the network gui?!? There is an advanced tab on VPN common on this is pretty important stuff.
This is a terrific help! One question: It'd be great if I could continue including /var/run/racoon/*.conf, so that when I (inevitably) create a new VPN connection and forget to copy over the .conf file, it'll still work. But I can't find a way to detect what's happening when the same remote is defined twice, which would tell me whether the "include *.conf" should come first or second.
Any ideas? I looked at the source but don't have the stomach to parse through lex/yacc...
To make it easier on you all, you can copy and paste the following commands. The only difference is the lifetime I personally set it to 168 hours instead of 24.
sudo mkdir /etc/racoon/remote
sudo sed -i.bak 's/lifetime time 3600 sec/lifetime time 168 hours/' /var/run/racoon/*.conf \ && sudo mv /var/run/racoon/*.conf /etc/racoon/remote
sudo patch /etc/racoon/racoon.conf <<EOF --- /etc/racoon.orig/racoon.conf 2009-06-23 09:09:08.000000000 +0200 +++ /etc/racoon/racoon.conf 2009-12-11 13:52:11.000000000 +0100 @@ -135,4 +135,5 @@ # by including all files matching /var/run/racoon/*.conf # This line should be added at the end of the racoon.conf file # so that settings such as timer values will be appropriately applied. +include "/etc/racoon/remote/*.conf" ; include "/var/run/racoon/*.conf" ; EOF
sudo launchctl stop com.apple.racoon
sudo launchctl start com.apple.racoon
I used your instructions but after that my vpn doesnt connect. It gives the below error in logs
10/4/12 5:29:12.147 PM configd: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
10/4/12 5:29:12.241 PM configd: IPSec Phase1 starting.
10/4/12 5:29:12.241 PM configd: IPSec port-mapping update for en1 indicates no NAT. Public Address: a8f4136c, Protocol: None, Private Port: 0, Public Port: 0.
10/4/12 5:29:22.241 PM configd: IPSec disconnecting from server 188.8.131.52
10/4/12 5:29:22.241 PM racoon: IPSec disconnecting from server 184.108.40.206
10/4/12 5:29:22.246 PM racoon: IPSec disconnecting from server 220.127.116.11
Once I change the racoon.conf to point to /var/run/racoon/*.conf it starts working again. even if I keep the generated conf file in a different directory even then its not working. The only time it will work is when racoon.conf is pointing to /var/run/racoon/*.conf. Any other path just fails.
Any help is highly appreciated.
Unfortunately Andyjhs1 I have no idea what is wrong with your configuration. You should provide more info (for example are you on Lion or ML, a tcpump if possible, etc.) and somebody might be able to help you.
Due to the many bugs found in the IPSec Apple configuration I gave up on racoon and decided to start using vpnc. One of the problems I had was that even tho the VPN tunnel worked non-stop, whenever I closed the VPN connection, networking stopped working (pun) and somehow the routes got messed up. The only workaround was to pull the ethernet plug / on-off the WiFi which resets networking and the routes. Totally broke my nerves after a month.
Last month I brewed the latest version of vpnc (0.5.3). The configuration was a breeze and everything is working fine. Also allows me to setup some custom routes that where not being offered by the our Cisco (our admins got lazy!) and there was no way to configure using System Preferences.
Yes, I'd definately love a native Apple-supported working solution but until then vpnc will do.