
Built-in IPsec VPN randomly drops to Cisco VPN server

I'm using the built-in IPsec VPN client on Lion and the VPN connection randomly drops. I've found this in the system.log file corresponding to the time when the connection drops:


Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 started (Initiated by me).

Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).

Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).

Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).

Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).

Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).

Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 established (Initiated by me).

Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: receive success. (Information message).

Aug 20 10:00:34 MBP racoon[38259]: IPSec Extended Authentication requested.

Aug 20 10:00:34 MBP configd[16]: IPSec requesting Extended Authentication.

Aug 20 10:00:34 MBP configd[16]: IPSec Controller: XAuth reauthentication dialog required, so connection aborted

Aug 20 10:00:34 MBP configd[16]: IPSec disconnecting from server xx.xx.xx.xx

Aug 20 10:00:34 MBP racoon[38259]: IPSec disconnecting from server xx.xx.xx.xx

Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Information message).

Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).

Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Information message).

Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).


Is there a hint here as to any configuration I can change on the MBP, or anything I can ask the network admin to change on the Cisco device to resolve this?


Thanks,

Guy

MacBook Pro, Mac OS X (10.7)

Posted on Aug 20, 2011 8:33 AM

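The log excerpt above is the whole story of the drop compressed into one second: a fresh Phase 1, an XAuth request, and configd aborting because it needs a re-authentication dialog. As an added example (not Apple's or racoon's code, and not from anyone in this thread), the script below parses the two log shapes that get pasted in this thread (the system.log format above and the Console export format with "DD/MM/YY HH.MM.SS,mmm process:" prefixes that a later reply uses), groups the lines into Phase 1 sessions, and reports why each session ended. The sample lines are taken from the posts, with server addresses masked as the posters wrote them; the second Console session, which ends in a normal disconnect, is constructed for contrast.

```python
"""Spot the XAuth re-authentication abort in racoon/configd log lines.

Added example for this thread, not Apple's or racoon's own code. It parses the
two line shapes pasted in the thread (BSD syslog from system.log and the
Console export "DD/MM/YY HH.MM.SS,mmm process: ..." format), groups the lines
into IKE Phase 1 sessions and says why each one ended.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# "Aug 20 10:00:34 MBP racoon[38259]: message" (system.log, no year field)
_SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<proc>[a-z]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# "02/02/12 10.15.13,838 configd: message" (Console export, day/month/year)
_CONSOLE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}\.\d{2}\.\d{2}),\d{3} (?P<proc>[a-z]+): (?P<msg>.*)$"
)

ABORT_MSG = "XAuth reauthentication dialog required, so connection aborted"


@dataclass
class Event:
    when: datetime
    proc: str
    msg: str


@dataclass
class Session:
    """One IKE Phase 1 lifecycle as seen from the client side."""
    started: datetime
    established: Optional[datetime] = None
    xauth_requested: bool = False
    aborted_for_reauth: bool = False
    server: Optional[str] = None
    ended: Optional[datetime] = None


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a racoon/configd/kernel line in either format, else None."""
    m = _SYSLOG.match(line)
    if m:
        # system.log omits the year; strptime fills in 1900, which is fine for
        # ordering events inside one excerpt.
        return Event(datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["proc"], m["msg"])
    m = _CONSOLE.match(line)
    if m:
        return Event(datetime.strptime(m["ts"], "%d/%m/%y %H.%M.%S"), m["proc"], m["msg"])
    return None


def analyse(lines) -> List[Session]:
    """Group log lines into Phase 1 sessions and record how each one ended."""
    sessions: List[Session] = []
    cur: Optional[Session] = None
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if "IPSec Phase1 started" in ev.msg:
            cur = Session(started=ev.when)
            sessions.append(cur)
            continue
        if cur is None:
            continue
        if "IPSec Phase1 established" in ev.msg:
            cur.established = ev.when
        elif "Extended Authentication requested" in ev.msg:
            cur.xauth_requested = True
        elif ABORT_MSG in ev.msg:
            # configd would not re-prompt for XAuth credentials and tore the tunnel down
            cur.aborted_for_reauth = True
        elif ev.proc == "configd" and "disconnecting from server" in ev.msg:
            cur.server = ev.msg.rsplit(" ", 1)[1]
            cur.ended = ev.when
    return sessions


def verdict(s: Session) -> str:
    """Human-readable reason a session ended."""
    if s.aborted_for_reauth:
        return "aborted: XAuth re-prompt needed, no dialog shown (the thread's failure mode)"
    if s.ended is not None:
        return "disconnected for another reason"
    return "still up"


# Lines from the original post (system.log format, server IP masked as posted).
SYSLOG_SAMPLE = """\
Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 started (Initiated by me).
Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 established (Initiated by me).
Aug 20 10:00:34 MBP racoon[38259]: IPSec Extended Authentication requested.
Aug 20 10:00:34 MBP configd[16]: IPSec Controller: XAuth reauthentication dialog required, so connection aborted
Aug 20 10:00:34 MBP configd[16]: IPSec disconnecting from server xx.xx.xx.xx
Aug 20 10:00:34 MBP racoon[38259]: IPSec disconnecting from server xx.xx.xx.xx
""".splitlines()

# Lines from the Feb 2 reply (Console export format), followed by a constructed
# second session that the user disconnected normally, for contrast.
CONSOLE_SAMPLE = """\
02/02/12 10.15.13,629 racoon: IPSec Phase1 started (Initiated by me).
02/02/12 10.15.13,810 racoon: IPSec Phase1 established (Initiated by me).
02/02/12 10.15.13,838 racoon: IPSec Extended Authentication requested.
02/02/12 10.15.13,838 configd: IPSec Controller: XAuth reauthentication dialog required, so connection aborted
02/02/12 10.15.13,839 configd: IPSec disconnecting from server XX.XX.XX.XX
02/02/12 10.15.13,000 kernel: SIOCPROTODETACH_IN6: utun1 error=6
02/02/12 10.20.00,100 racoon: IPSec Phase1 started (Initiated by me).
02/02/12 10.20.00,500 racoon: IPSec Phase1 established (Initiated by me).
02/02/12 10.40.00,000 configd: IPSec disconnecting from server XX.XX.XX.XX
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("system.log", SYSLOG_SAMPLE), ("Console", CONSOLE_SAMPLE)):
        for s in analyse(sample):
            print(f"{name}: phase1 at {s.started.time()} -> {verdict(s)}")
```

Run against a real system.log, the interesting signal is a session whose Phase 1 starts, gets an XAuth request and is aborted by configd within the same second, with no user action in between; that is the rekey-time re-authentication the rest of the thread digs into, as opposed to a disconnect the user or the peer initiated.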

Feb 1, 2012 3:01 PM in response to GuyHelmer

Looks like I have the same issue. The log message that interests me is the "reauthentication dialog required, so connection aborted." I do not see a dialog pop up asking me to re-authenticate.

Log:

Jan 31 11:06:59 LPTS-2 racoon[408]: IPSec Phase1 started (Initiated by me).

Jan 31 11:06:59 LPTS-2 racoon[408]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).

Jan 31 11:06:59 LPTS-2 racoon[408]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).

Jan 31 11:06:59 LPTS-2 racoon[408]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).

Jan 31 11:06:59 LPTS-2 racoon[408]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).

Jan 31 11:06:59 LPTS-2 racoon[408]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).

Jan 31 11:06:59 LPTS-2 racoon[408]: IPSec Phase1 established (Initiated by me).

Jan 31 11:06:59 LPTS-2 racoon[408]: IPSec Extended Authentication requested.

Jan 31 11:06:59 LPTS-2 configd[14]: IPSec requesting Extended Authentication.

Jan 31 11:06:59 LPTS-2 configd[14]: IPSec Controller: XAuth reauthentication dialog required, so connection aborted

Jan 31 11:06:59 LPTS-2 configd[14]: IPSec disconnecting from server xxx.xxx.xxx.xx

Jan 31 11:06:59 LPTS-2 racoon[408]: IPSec disconnecting from server xxx.xxx.xxx.xx

Jan 31 11:06:59 LPTS-2 racoon[408]: IKE Packet: transmit success. (Information message).

Jan 31 11:06:59 LPTS-2 racoon[408]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).

Jan 31 11:06:59 LPTS-2 racoon[408]: IKE Packet: transmit success. (Information message).

Jan 31 11:06:59 LPTS-2 racoon[408]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).

Jan 31 11:06:59 LPTS-2 racoon[408]: IKE Packet: transmit success. (Information message).

Jan 31 11:06:59 LPTS-2 racoon[408]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).

Feb 2, 2012 1:33 AM in response to GuyHelmer

I am experiencing the exact same problem (BTW I've just updated to OSX 10.7.3):


02/02/12 10.15.13,629 racoon: IPSec Phase1 started (Initiated by me).

02/02/12 10.15.13,635 racoon: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).

02/02/12 10.15.13,810 racoon: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).

02/02/12 10.15.13,810 racoon: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).

02/02/12 10.15.13,810 racoon: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).

02/02/12 10.15.13,810 racoon: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).

02/02/12 10.15.13,810 racoon: IPSec Phase1 established (Initiated by me).

02/02/12 10.15.13,836 racoon: IKE Packet: receive success. (Information message).

02/02/12 10.15.13,838 racoon: IPSec Extended Authentication requested.

02/02/12 10.15.13,838 configd: IPSec requesting Extended Authentication.

02/02/12 10.15.13,838 configd: IPSec Controller: XAuth reauthentication dialog required, so connection aborted

02/02/12 10.15.13,839 configd: IPSec disconnecting from server XX.XX.XX.XX

02/02/12 10.15.13,841 racoon: IPSec disconnecting from server XX.XX.XX.XX

02/02/12 10.15.13,841 racoon: IKE Packet: transmit success. (Information message).

02/02/12 10.15.13,841 racoon: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).

02/02/12 10.15.13,841 racoon: IKE Packet: transmit success. (Information message).

02/02/12 10.15.13,843 racoon: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).

02/02/12 10.15.13,843 racoon: IKE Packet: transmit success. (Information message).

02/02/12 10.15.13,843 racoon: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).

02/02/12 10.15.13,000 kernel: SIOCPROTODETACH_IN6: utun1 error=6

02/02/12 10.15.13,975 configd: network configuration changed.

Feb 27, 2012 11:21 AM in response to GuyHelmer

I'm not an expert on this, but I've been experiencing this for a bit myself and here is what I've found. There is an IKE rekey attempt at 45 min. If I connect to the VPN through the group I created, I end up using IKE Neg Mode Aggressive. Shortly after the 45 min rekey attempt, my session is dropped. Now on my vpn client, if I leave the group name blank, I connect to the VPN default group. The default group uses IKE Neg Mode Main, and with this I have no problem keeping my session up well beyond 45 min.


Check your IKE Neg Mode. Try the default group if you're not already. If you have an ASA, to see the IKE Neg Mode, run this from the CLI:

sho vpn-sessiondb detail ra-ikev1-ipsec


Let me know what you find

Feb 27, 2012 3:58 PM in response to matthew4130

Hi,


I've looked into this a bit further. My ipsec policy allows me to connect via VPN from my mac and my iphone. Previously I noticed it was using aggressive mode in the logs while troubleshooting this. If I disable aggressive-mode globally I cannot login from my iphone. If I remove the group name from the VPN setup on my mac I can no longer connect to the VPN.


I'll look into this more to see if I can have an aggressive-mode policy for my iphone and a main mode policy for my mac, that may be the key to it.

Feb 27, 2012 4:12 PM in response to rcha101

I'm having the same issue. Like rcha101, I cannot remove the group name. I cannot find out how to change the IKE Neg Mode but I assume that is set by the administrator of the VPN rather than by individual users like myself. It appears I'm stuck. Cisco VPN Client doesn't work in 64-bit and the native VPN disconnects after 45 minutes. I guess I will try the 32-bit boot and see what happens. If anyone else has any ideas, I'll continue to follow this thread. Thanks...

Mar 1, 2012 9:18 AM in response to cnicksic

As others suggested, I rebooted in 32-bit and the Cisco VPN Client works. I am using version 4.9.01.0180 of the Cisco client which does not work in 64-bit. I have not been disconnected at all with the Cisco client. As rcha101 suggested, it appears that the Cisco client caches your login info for reauthentication but the Mac OS Lion native VPN client does not. Like everyone else, I would like to use the native client if it could be improved to not disconnect every 45 minutes. Until then, I will continue to run permanently in 32-bit.


Just to summarize for anyone who finds this thread and has the same issue:


  1. I had been using Cisco VPN Client with an older version of Mac OS X.
  2. I bought a new MacBook running Mac OS Lion and the Cisco VPN Client failed with "Error 51: Unable to communicate with the VPN subsystem."
  3. I set up the native VPN client according to the instructions at http://anders.com/guides/native-cisco-vpn-on-mac-os-x.
  4. It connects successfully every time but the connection drops every 45 minutes. According to matthew4130, there is an IKE rekey attempt at 45 minutes because the IKE Neg Mode is set to Aggressive and this fails because the native VPN client does not cache your login information. This seems to make sense.
  5. The default setting on my new MacBook with Lion is to boot in 64-bit. It turns out that Cisco VPN Client only works in 32-bit. I rebooted in 32-bit (hold down 2 and 3 while restarting) and the Cisco VPN Client works perfectly just as previously with my old laptop.


I hope this helps others not suffer through the same pain which I suffered. And a big thanks to rcha101 and matthew4130 for their posts which helped me immensely -- as well as Anders on his site.

Apr 14, 2012 5:31 PM in response to GuyHelmer

I have the same problem with the VPN dropping after ~45 minutes.


matthew4130 is correct. There is an IKE rekey attempt every 45 or so minutes. The default ipsec SA lifetime is an hour (3600 seconds). The lifetime is configured, on Cisco routers, using the command:

crypto ipsec security-association lifetime


Also the default isakmp policy lifetime is a day (86400 seconds) but a lot of administrators lower this for security reasons:

crypto isakmp policy


AFAIK the problem isn't related to aggressive mode or main mode being selected, which both are explained here:

https://supportforums.cisco.com/docs/DOC-8125


Most likely what matthew4130 sees is that when main mode is enabled a different crypto group, with a bigger lifetime, is selected for the security association (lucky you!). IMHO you shouldn't change the lifetime since 1 hour is reasonable to prevent key recovery attacks.


You can also see the SA lifetime of YOUR ipsec connection using this terminal command on your Mac:

$ sudo racoonctl ss ipsec


You should see something like this:

diff: 140(s)  hard: 3600(s)  soft: 2880(s)


Digging deeper into this I decided to check the (open) source code for ppp available by Apple here:

http://www.opensource.apple.com/source/ppp/ppp-560.14.2/


As you can see in ipsec_manager.c function process_racoon_msg() the connection is dropped with the message you are seeing (IPSec Controller: XAuth reauthentication dialog required, so connection aborted) when a REAUTHINFO message is received and the flag XAUTH_MUST_PROMPT is set in the xauth_flags.


Note that this code is enabled only when the OS is not for embedded devices (i.e. iPad, iPhone, etc). The message is discarded on those devices and that's why you won't see the 1 hour limit on the iPad or the iPhone.


Now the fix seems easy; instead of dropping the connection when xauth is requested at least prompt the user for the password again using process_xauth_need_info().


Also if you look at an older version of ipsec_manager.c(412.5) that was the previous behavior; reauthenticating instead of dropping the connection. No idea why Apple changed (actually broke 🙂) this!


BTW when sending the phase2 command to racoon with racoon_send_cmd_start_ph2() there seems to be a hardcoded default lifetime of 3600 seconds...


All we have to do now is get an Apple engineer to see this post and fix the code!


-fotos


PS1. The IPSec source code is a mess. 😟

PS2. I logged in with my Apple ID to post this and now my username is stuck as my full name. Privacy fail? 😟

Apr 18, 2012 8:02 AM in response to Fotos Georgiadis

Fotos, thanks for diving into the code -- you're right, it did change between 10.6 and 10.7. I've changed the ipsec_manager.c to call process_xauth_need_info() instead of dropping the connection.


However, now I can't figure out how to get the code to build. I have XCode 4.3.2, and have tried to build ppp-560.14.2 with "xcodebuild -sdk macosx10.7", but the compiler complains it can't find SystemConfiguration/SCPrivate.h or other include files from SystemConfiguration.


Trying to setup a darwinbuild environment now...

Apr 18, 2012 3:48 PM in response to GuyHelmer

Hey,


unfortunately it seems that you can't build ppp since a lot of (closed source) headers are missing. And even if you could I doubt it'd work correctly with the rest of the OS (with important stuff missing). TBH I haven't tried to build ppp and you might succeed but I don't think it's worth it. That's why I asked for an Apple engineer!


On the other hand I've got great news! 🙂


I managed to keep the VPN connection up past the 45min mark. This is not for the faint at heart and all disclaimers apply. Here's how:


I had two problems with our VPN connection. The first one was the 45 minutes hard limit. But I also had a problem with the DPD (Dead Peer Detection) which would kill all SSH connections whenever it triggered. And this could happen as soon as 3 minutes after connecting or even after 30 minutes. Basically with the VPN connection being flaky I couldn't get anything done over the VPN.


Here is how I solved both problems:


01. Connect to the VPN (so OSX generates the racoon configuration file)

02. Copy the generated configuration file to /etc/racoon:

$ sudo cp /var/run/racoon/1.1.1.1.conf /etc/racoon

03. Edit the racoon configuration file with your favorite editor (vim):

$ sudo vim /etc/racoon/racoon.conf

04. At the bottom of the file comment out the line:

# include "/var/run/racoon/*.conf" ;

05. ... and instead include the copied file (which we will edit):

include "/etc/racoon/1.1.1.1.conf" ;

06. Edit the generated configuration file with your favorite editor (vim):

$ sudo vim /etc/racoon/1.1.1.1.conf

07. Disable dead peer detection:

dpd_delay 0;

08. Change proposal check to claim from obey:

proposal_check claim;

09. Change the proposed lifetime in each proposal (24 hours instead of 3600 seconds):

lifetime time 24 hours;

10. Disconnect and reconnect (this time racoon will use your custom configuration)

11. Use the VPN for at least 45 minutes and hopefully it won't drop! 🙂


The most important thing is to change the proposal_check option. From the racoon.conf manual:

proposal_check level;

claim  If the responder's lifetime length is longer than the initiator's or the responder's key length is shorter than the initiator's, the responder will use the initiator's value. If the responder's lifetime length is shorter than the initiator's, the responder uses its own length AND sends a RESPONDER-LIFETIME notify message to an initiator in the case of lifetime (phase 2 only)


Caveats: if you use multiple VPN connections you have to copy all configuration files to /etc/racoon and add appropriate include lines. If your VPN server changes IP you have to remember to update this file since changing it in System Preferences won't have an effect, etc. Cumbersome but it works! This is definitely not a long term solution and I'd like to see Apple fix this.


Give it a shot ... it might work for you too but YMMV. Please post back whether it works for you or not.


Cheers,

-fotos


PS. Wrote this while being connected on the VPN for 8 straight hours! 😀
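Steps 07 to 09 of the recipe above are three edits to the generated per-server file, and the Apr 19 follow-up shows the failure mode of step 04/05: the edited file is in place but racoon is still reading the /var/run copy. As an added example (not Apple's, racoon's or fotos's code), the script below applies the three edits to a constructed stand-in for the generated /var/run/racoon/1.1.1.1.conf (the real file has more options; the directives touched here are the ones the post names), lists which include lines in racoon.conf are actually live, and diffs the directive values between a before and after copy so you can compare what racoon is running with what you edited. One point worth keeping in view while using it: proposal_check claim is what lets the client's proposed lifetime win over the responder's default, and the 24 hour value the recipe uses is far longer than the 1 hour that fotos called reasonable earlier in this thread, so the convenience comes at the cost of much less frequent rekeying.

```python
"""Apply the racoon.conf edits from steps 07-09 and check which include is live.

Added example for this thread, not Apple's or racoon's own code. GENERATED_CONF
is a constructed stand-in for the /var/run/racoon/<server>.conf that Lion
writes on connect; the real file carries more options, but the directives
edited here (dpd_delay, proposal_check, lifetime time) are the ones named in
the post.
"""
import re

# Constructed stand-in for the generated /var/run/racoon/1.1.1.1.conf
GENERATED_CONF = """\
remote 1.1.1.1 {
        exchange_mode aggressive;
        doi ipsec_doi;
        dpd_delay 20;
        proposal_check obey;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                authentication_method xauth_psk_client;
                dh_group 2;
                lifetime time 3600 sec;
        }
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method xauth_psk_client;
                dh_group 2;
                lifetime time 3600 sec;
        }
}
sainfo address 192.168.1.5/32 any address 0.0.0.0/0 any {
        encryption_algorithm aes 256, aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        lifetime time 3600 sec;
}
"""

# Tail of /etc/racoon/racoon.conf after steps 04-05: the /var/run glob is
# commented out and the copied per-server file is included instead.
RACOON_CONF_TAIL = """\
# Allow third parties the ability to specify remote and sainfo entries
# by including all files matching /var/run/racoon/*.conf
# include "/var/run/racoon/*.conf" ;
include "/etc/racoon/1.1.1.1.conf" ;
"""


def harden_for_long_sessions(conf: str, lifetime: str = "24 hours") -> str:
    """Steps 07-09: DPD off, proposal_check claim, longer lifetime in every proposal/sainfo."""
    conf = re.sub(r"^([ \t]*)dpd_delay[ \t]+\d+;", r"\1dpd_delay 0;", conf, flags=re.M)
    conf = re.sub(r"^([ \t]*)proposal_check[ \t]+\w+;", r"\1proposal_check claim;", conf, flags=re.M)
    conf = re.sub(r"^([ \t]*)lifetime time[ \t]+[^;]+;", rf"\1lifetime time {lifetime};", conf, flags=re.M)
    return conf


def directive_values(conf: str, name: str):
    """All values a directive is set to, in file order (it may repeat per proposal)."""
    return re.findall(rf"^[ \t]*{re.escape(name)}[ \t]+([^;]+);", conf, flags=re.M)


def active_includes(racoon_conf: str):
    """Include paths racoon will actually read; '#'-commented includes are skipped."""
    return re.findall(r'^[ \t]*include[ \t]+"([^"]+)"[ \t]*;', racoon_conf, flags=re.M)


def changed_directives(before: str, after: str,
                       names=("dpd_delay", "proposal_check", "lifetime time")):
    """Map each directive whose values differ to (old values, new values).

    Running this over /var/run/racoon/<server>.conf and /etc/racoon/<server>.conf
    is the comparison the Apr 19 reply was doing by eye."""
    return {n: (directive_values(before, n), directive_values(after, n))
            for n in names if directive_values(before, n) != directive_values(after, n)}


if __name__ == "__main__":
    hardened = harden_for_long_sessions(GENERATED_CONF)
    for name, (old, new) in changed_directives(GENERATED_CONF, hardened).items():
        print(f"{name}: {old} -> {new}")
    print("racoon will load:", active_includes(RACOON_CONF_TAIL))
```

If active_includes() on your real /etc/racoon/racoon.conf still lists the /var/run glob, or lists nothing, racoon is not reading the edited copy at all, which is exactly the symptom the next reply describes.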

Apr 19, 2012 6:21 AM in response to Fotos Georgiadis

Thanks for your help. I've followed your instructions but when I connect and check /var/run/racoon/ipaddress.conf


it has


dpd_delay 20;

proposal_check obey;



In /etc/racoon/ipaddress.conf


dpd_delay 0;

proposal_check claim;



In /etc/racoon/racoon.conf I have this:


# Allow third parties the ability to specify remote and sainfo entries

# by including all files matching /var/run/racoon/*.conf

# This line should be added at the end of the racoon.conf file

# so that settings such as timer values will be appropriately applied.

# include "/var/run/racoon/*.conf" ;

include "/etc/racoon/ipaddress.conf" ;



What am I missing??

Apr 19, 2012 7:13 AM in response to GuyHelmer

Yes, sorry, should have mentioned that.


The way I understand it is that once connected it should use the settings which are in /etc/racoon/ipaddress.conf which shows in a file in /var/run/racoon/ipaddress.conf


/var/run/racoon/ipaddress.conf seems to be defaulting back to the original settings so it's not picking it up even though in /etc/racoon/racoon.conf I have:


# include "/var/run/racoon/*.conf" ;

include "/etc/racoon/132.185.143.14.conf" ;
