GuyHelmer

Q: Built-in IPsec VPN randomly drops to Cisco VPN server

I'm using the built-in IPsec VPN client on Lion and the VPN connection randomly drops.  I've found this in the system.log file corresponding to the time when the connection drops:

 

Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 started (Initiated by me).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 established (Initiated by me).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: receive success. (Information message).
Aug 20 10:00:34 MBP racoon[38259]: IPSec Extended Authentication requested.
Aug 20 10:00:34 MBP configd[16]: IPSec requesting Extended Authentication.
Aug 20 10:00:34 MBP configd[16]: IPSec Controller: XAuth reauthentication dialog required, so connection aborted
Aug 20 10:00:34 MBP configd[16]: IPSec disconnecting from server xx.xx.xx.xx
Aug 20 10:00:34 MBP racoon[38259]: IPSec disconnecting from server xx.xx.xx.xx
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Information message).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
Aug 20 10:00:34 MBP racoon[38259]: IKE Packet: transmit success. (Information message).
Aug 20 10:00:34 MBP racoon[38259]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).

 

Is there a hint here as to any configuration I can change on the MBP, or anything I can ask the network admin to change on the Cisco device to resolve this?

 

Thanks,

Guy

MacBook Pro, Mac OS X (10.7)

Posted on Aug 20, 2011 8:33 AM

Page 5 of 6
  • AlexDerksen, Mar 31, 2014 7:16 AM, in response to GuyHelmer

    The same problem here.

    On Cisco IPSec VPN the connection drops after an hour!

    Do something Apple!!!

  • racitup, Apr 7, 2014 8:11 AM, in response to Fotos Georgiadis

    So digging into this a bit more I used:

    sudo fs_usage | grep /var/run/racoon

    and opened a VPN to find out what creates the racoon .conf files for the VPN with the default 3600 seconds timeout.

    This showed it was the configd daemon:

    14:44:31  lstat64    private/var/run/racoon/W.X.Y.Z.conf           0.000015   configd
    14:44:31  stat64     private/var/run/racoon                        0.000008   configd
    14:44:31  open       private/var/run/racoon/W.X.Y.Z.conf           0.000084   configd
    14:44:31  open       private/var/run/racoon.pid                    0.000006   configd

    Digging around in the Apple source code it appears the line of code that sets the proposal lifetime might be configurable through configuration:

    http://www.opensource.apple.com/source/ppp/ppp-233.0.2/Helpers/vpnd/ipsec_utils.c

    proposals = CFDictionaryGetValue(ipsec_dict, kRASPropIPSecProposals);
    if (isArray(proposals))
        nb = CFArrayGetCount(proposals);

    do {
        if (nb) {
            proposal = CFArrayGetValueAtIndex(proposals, i);
            if (!isDictionary(proposal))
                FAIL("incorrect phase 1 proposal");
        }

        WRITE("\n");
        WRITE("proposal {\n");

        if (configure_proposal(level + 1, file, ipsec_dict, proposal, errstr))
            goto fail;

        WRITE("}\n");

    } while (++i < nb);

    -------------------------------------------- snip snip -------------------------------------
    static int configure_proposal(int level, FILE *file, CFDictionaryRef ipsec_dict, CFDictionaryRef proposal_dict, char **errstr);
    -------------------------------------------- snip snip -------------------------------------

    /*
    Lifetime is OPTIONAL
    */
    {
        u_int32_t lval = 3600;
        if (proposal_dict) {
            GetIntFromDict(proposal_dict, kRASPropIPSecProposalLifetime, &lval, 3600);
        }
        sprintf(text, "lifetime time %d sec;\n", lval);
        WRITE(text);
    }

    But I couldn't figure out where this function is defined to trace where the configuration file might be:

    CFDictionaryGetValue(ipsec_dict, kRASPropIPSecProposals);

    Any ideas anyone?

    The 45min to 1 hour VPN cut off is a major PITA!
    And in case Apple think they're gods, vpnc under Linux works fine.

    Cheers,
    racitup

    Fotos Georgiadis wrote:

    I have the same problem with the VPN dropping after ~45 minutes.

    matthew4130 is correct. There is an IKE rekey attempt every 45 or so minutes. The default ipsec SA lifetime is an hour (3600 seconds). The lifetime is configured, on Cisco routers, using the command:

    crypto ipsec security-association lifetime

    Also the default isakmp policy lifetime is a day (86400 seconds) but a lot of administrators lower this for security reasons:

    crypto isakmp policy

    AFAIK the problem isn't related to aggressive mode or main mode being selected, which both are explained here:
    https://supportforums.cisco.com/docs/DOC-8125

    Most likely what matthew4130 sees is that when main mode is enabled a different crypto group, with a bigger lifetime, is selected for the security association (lucky you!). IMHO you shouldn't change the lifetime since 1 hour is reasonable to prevent key recovery attacks.

    You can also see the SA lifetime of YOUR ipsec connection using this terminal command on your Mac:

    $ sudo racoonctl ss ipsec

    You should see something like this:

    diff: 140(s) hard: 3600(s) soft: 2880(s)

    Digging deeper into this I decided to check the (open) source code for ppp available by Apple here:
    http://www.opensource.apple.com/source/ppp/ppp-560.14.2/

    As you can see in ipsec_manager.c function process_racoon_msg() the connection is dropped with the message you are seeing (IPSec Controller: XAuth reauthentication dialog required, so connection aborted) when a REAUTHINFO message is received and the flag XAUTH_MUST_PROMPT is set in the xauth_flags.

    Note that this code is enabled only when the OS is not for embedded devices (i.e. iPad, iPhone, etc). The message is discarded on those devices and that's why you won't see the 1 hour limit on the iPad or the iPhone.

    Now the fix seems easy; instead of dropping the connection when xauth is requested at least prompt the user for the password again using process_xauth_need_info().

    Also if you look at an older version of ipsec_manager.c (412.5) that was the previous behavior; reauthenticating instead of dropping the connection. No idea why Apple changed (actually broke) this!

    BTW when sending the phase2 command to racoon with racoon_send_cmd_start_ph2() there seems to be a hardcoded default lifetime of 3600 seconds...

    All we have to do now is get an Apple engineer to see this post and fix the code!

    -fotos

    PS1. The IPSec source code is a mess.

    PS2. I logged in with my Apple ID to post this and now my username is stuck as my full name. Privacy fail?
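An added example, not code from any poster in this thread, that turns two observations above into a check you can run on your own machine: the original question's system.log excerpt (Phase 1 established, then the configd "XAuth reauthentication dialog required" abort) and the racoonctl output Fotos quotes (hard 3600 s, soft 2880 s). It measures how many seconds after "IPSec Phase1 established" the abort appears and reports whether that delay falls in the rekey window, i.e. between the soft and the hard lifetime. The sample log lines are constructed from the message formats shown in the question with made-up timestamps; the 80% soft-to-hard ratio is taken from the 3600/2880 pair quoted above and is assumed to hold for other hard lifetimes.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): measure how long
# after "IPSec Phase1 established" the configd "XAuth reauthentication dialog
# required" abort shows up in system.log, and say whether that delay lands in
# racoon's rekey window. Assumptions: syslog-style lines
# "Mon DD HH:MM:SS host prog[pid]: message" as in the original question, and a
# soft lifetime of 80% of the hard lifetime (3600 -> 2880 s as quoted above).

# Constructed sample log. The message texts are the ones shown in the question;
# the timestamps are made up so that the abort comes 2880 s after Phase 1.
SAMPLE_LOG='Aug 20 10:00:34 MBP racoon[38259]: IPSec Phase1 established (Initiated by me).
Aug 20 10:00:34 MBP racoon[38259]: IPSec Extended Authentication requested.
Aug 20 10:00:34 MBP configd[16]: IPSec requesting Extended Authentication.
Aug 20 10:48:34 MBP racoon[38259]: IPSec Extended Authentication requested.
Aug 20 10:48:34 MBP configd[16]: IPSec requesting Extended Authentication.
Aug 20 10:48:34 MBP configd[16]: IPSec Controller: XAuth reauthentication dialog required, so connection aborted
Aug 20 10:48:34 MBP configd[16]: IPSec disconnecting from server xx.xx.xx.xx'

# Soft (rekey) lifetime derived from a hard lifetime: 80%, matching the
# "hard: 3600(s) soft: 2880(s)" racoonctl output quoted in the thread.
soft_lifetime() {
    echo $(( $1 * 80 / 100 ))
}

# Seconds between the last "Phase1 established" line and the first XAuth abort
# that follows it. Prints nothing when the log has no such pair.
xauth_abort_delay() {
    awk '
        function secs(t,  a) { split(t, a, ":"); return a[1] * 3600 + a[2] * 60 + a[3] }
        /IPSec Phase1 established/ { up = secs($3) }
        /XAuth reauthentication dialog required/ && up != "" {
            d = secs($3) - up
            if (d < 0) d += 86400   # the pair straddled midnight
            print d
            exit
        }
    ' "$1"
}

# "rekey-triggered" when the delay sits between the soft and hard lifetimes
# (the window in which racoon starts a new Phase 1 and asks for XAuth again),
# "other" for anything else (network loss, server-side idle timeout, ...).
classify_delay() {
    delay=$1
    hard=${2:-3600}
    soft=$(soft_lifetime "$hard")
    if [ "$delay" -ge "$soft" ] && [ "$delay" -le "$hard" ]; then
        echo "rekey-triggered"
    else
        echo "other"
    fi
}

# With no argument, run against the constructed sample; pass
# /var/log/system.log (readable with sudo on OS X) to test a real drop.
main() {
    log=${1:-}
    if [ -z "$log" ]; then
        log=$(mktemp) || exit 1
        printf '%s\n' "$SAMPLE_LOG" > "$log"
        trap 'rm -f "$log"' EXIT
    fi
    delay=$(xauth_abort_delay "$log")
    if [ -z "$delay" ]; then
        echo "no Phase1-established / XAuth-abort pair found in $log"
        exit 1
    fi
    echo "XAuth abort came ${delay}s after Phase 1; soft lifetime for a 3600 s hard lifetime is $(soft_lifetime 3600)s: $(classify_delay "$delay" 3600)"
}
main "$@"
```

If your own log reports "other" the 1-hour rekey is not what is dropping you, and raising the lifetime as the later script does will not help; look at the server side (idle timeouts, NAT keepalives) instead.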

  • ProDon, Apr 28, 2014 6:55 AM, in response to mckinasole

    Does this apply to Mavericks (10.9)?

  • mckinasole, May 15, 2014 3:47 PM, in response to GuyHelmer

    A while back I had written a simple script to overcome this issue and it still works to this day. I am posting it again for your convenience. However, I just noticed on today's 10.9.3 update that there is a reliability fix for VPN IPsec; I'm curious to see if it actually fixes this.

     

    #!/bin/bash
    # Workaround for the 1-hour racoon lifetime on OS X Cisco IPsec VPNs.
    # configd writes /var/run/racoon/<server>.conf with "lifetime time 3600 sec;"
    # on every connect; this script moves that file to /etc/racoon/remote,
    # raises the lifetime there, and points racoon.conf at the copy.

    EXPECTED_ARGS=1
    E_BADARGS=65
    RACOON_CONF=/etc/racoon/racoon.conf
    REMOTE_DIR=/etc/racoon/remote
    INCLUDE_LINE='include "/etc/racoon/remote/*.conf" ;'

    printHelp ()
    {
        echo
        echo -e "\tPurpose: For fixing and unfixing your vpn connections"
        echo -e "\tUsage: sudo $(basename "$0") [options]\n"
        echo -e "\tOptions"
        echo -e "\tprep\t - fixes racoon.conf. Run only once!!!"
        echo -e "\t\t this adds --> include \"/etc/racoon/remote/*.conf\" to /etc/racoon/racoon.conf \n"
        echo -e "\tunprep\t - unfixes racoon.conf."
        echo -e "\t\t this removes --> include \"/etc/racoon/remote/*.conf\" from /etc/racoon/racoon.conf \n"
        echo -e "\tfix\t - run after you login to the vpn. This will disconnect you!"
        echo -e "\t\t This will change the lifetime to 168 hours in the IP.conf file\n"
        echo -e "\tunfix\t - run after you're done with the vpn."
        echo -e "\t\t Do this if you need to connect to another location or you can't connect to the vpn.\n"
    }

    restartRacoon ()
    {
        launchctl stop com.apple.racoon
        launchctl start com.apple.racoon
    }

    if [ $# -lt $EXPECTED_ARGS ]
    then
        printHelp
        exit $E_BADARGS
    fi

    # Every mode edits files under /etc, so insist on root up front.
    if [ "$(id -u)" -ne 0 ]
    then
        echo "This script must be run with sudo."
        exit 1
    fi

    #################
    if [ "$1" = prep ]
    then
        mkdir -p "$REMOTE_DIR"
        echo -e "creating directory $REMOTE_DIR \n"
        cp -a "$RACOON_CONF" "$RACOON_CONF.orig"
        echo -e "backing up $RACOON_CONF to $RACOON_CONF.orig\n"

        # Append the include only once, even if prep is run again by mistake.
        if grep -qF "$INCLUDE_LINE" "$RACOON_CONF"
        then
            echo "include line already present in $RACOON_CONF, nothing to do"
        else
            echo "$INCLUDE_LINE" >> "$RACOON_CONF"
            echo -e "adding this line --> $INCLUDE_LINE <-- to end of $RACOON_CONF\n"
        fi
    fi

    #################
    if [ "$1" = unprep ]
    then
        rm -rf "$REMOTE_DIR"
        echo -e "removing directory $REMOTE_DIR \n"
        # OS X (BSD) sed needs an explicit, possibly empty, backup suffix after -i;
        # plain "sed -i -e" takes "-e" as the suffix and leaves racoon.conf-e behind.
        sed -i '' -e '/include "\/etc\/racoon\/remote\/\*\.conf" ;/d' "$RACOON_CONF"
        echo -e "removing lines --> $INCLUDE_LINE <-- from $RACOON_CONF\n"
    fi

    #################
    if [ "$1" = fix ]
    then
        # configd only writes the per-server file while a tunnel is up, so the
        # VPN must be connected when this runs.
        if ! ls /var/run/racoon/*.conf >/dev/null 2>&1
        then
            echo "no /var/run/racoon/*.conf found; connect to the VPN first"
            exit 1
        fi
        mv /var/run/racoon/*.conf "$REMOTE_DIR"
        sed -i '' -e 's~include "/var/run/racoon/\*\.conf"~#include "/var/run/racoon/\*\.conf"~' "$RACOON_CONF"
        sed -i '' -e 's/lifetime time 3600 sec/lifetime time 168 hours/' "$REMOTE_DIR"/*.conf
        restartRacoon
    fi

    #################
    if [ "$1" = unfix ]
    then
        sed -i '' -e 's~#include "/var/run/racoon/\*\.conf"~include "/var/run/racoon/\*\.conf"~' "$RACOON_CONF"
        rm -f "$REMOTE_DIR"/*
        restartRacoon
    fi

    #################
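An added example, not code from mckinasole or anyone else in the thread, that shows the "fix" step above done with the checks a practitioner would want before handing an edited config to racoon: it rewrites the lifetime in a per-server conf without relying on sed -i (whose argument BSD and GNU sed disagree about), refuses lifetime values racoon would not parse, insists the expected old value is really present, keeps a backup, and renames the new file into place atomically. The sample conf is constructed: only the "proposal { lifetime time 3600 sec; }" shape comes from the ipsec_utils.c excerpt earlier in the thread, while the remote, exchange_mode and local_address lines are assumed; the old value is assumed to contain no sed metacharacters.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): a guarded version of
# the script's "fix" step. It rewrites "lifetime time ...;" lines in a copy of a
# per-server racoon conf, refuses values racoon would not parse, insists the
# expected old value is actually present, and keeps a backup. Assumptions: the
# per-server file looks like the constructed sample below (only the
# "proposal { lifetime time 3600 sec; }" shape comes from the ipsec_utils.c
# excerpt in the thread; remote/exchange_mode/local_address lines are assumed),
# and the old value contains no sed metacharacters.

# Constructed sample: two Phase 1 proposals, both with the 3600 s default.
SAMPLE_CONF='remote xx.xx.xx.xx {
    exchange_mode aggressive;
    local_address 192.0.2.10;
    proposal {
        lifetime time 3600 sec;
    }
    proposal {
        lifetime time 3600 sec;
    }
}'

# Only "<n> sec|min|hour[s]" is accepted. A value racoon cannot parse would stop
# the daemon from loading its config at all, which is worse than the 1-hour drop.
valid_lifetime() {
    printf '%s' "$1" | grep -Eq '^[1-9][0-9]* (sec|min|hour)s?$'
}

# Print every lifetime value present in FILE, one per line.
lifetime_values() {
    sed -n 's/^[[:space:]]*lifetime time \(.*\);[[:space:]]*$/\1/p' "$1"
}

# raise_lifetime FILE OLD NEW: replace every "lifetime time OLD;" with NEW.
# Prints the number of lines changed; on any problem returns non-zero and leaves
# FILE untouched. FILE.orig keeps the previous contents.
raise_lifetime() {
    file=$1; old=$2; new=$3
    valid_lifetime "$new" || { echo "refusing lifetime '$new'" >&2; return 2; }
    n=$(grep -c "lifetime time $old;" "$file" || true)
    [ "$n" -gt 0 ] || { echo "no 'lifetime time $old;' line in $file" >&2; return 3; }
    # Write a sibling temp file and rename it over the original instead of
    # "sed -i": BSD and GNU sed disagree about -i's argument, and the rename is
    # atomic so racoon never sees a half-written file. The new file keeps
    # mktemp's 0600 mode, which is fine for a root-only daemon config.
    tmp=$(mktemp "$file.XXXXXX") || return 4
    if ! sed "s/lifetime time $old;/lifetime time $new;/" "$file" > "$tmp"; then
        rm -f "$tmp"; return 5
    fi
    cp -p "$file" "$file.orig" && mv "$tmp" "$file" || { rm -f "$tmp"; return 6; }
    echo "$n"
}

# Demo on the constructed sample; on a real Mac FILE would be the copy the
# script moved into /etc/racoon/remote/.
main() {
    conf=$(mktemp) || exit 1
    printf '%s\n' "$SAMPLE_CONF" > "$conf"
    changed=$(raise_lifetime "$conf" "3600 sec" "168 hours") || exit 1
    echo "changed $changed lifetime line(s); values now:"
    lifetime_values "$conf"
    rm -f "$conf" "$conf.orig"
}
main
```

Note that every proposal block gets the new value, not just the first: racoon offers each proposal in turn, so a single leftover 3600 s proposal would still be enough to reproduce the drop if the Cisco side happens to pick it.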

  • cnicksic, May 15, 2014 4:39 PM, in response to GuyHelmer

    I posted here a long time ago mainly because the old Cisco VPN Client did not work with 64 bit and I was trying to get the native VPN to work as a 64 bit solution.  While we could argue that the native solution would be ideal if it worked, it's worth noting that the newer Cisco AnyConnect Secure Mobility Client works well with 64 bit on 10.7, 10.8, and 10.9.  I've been using it for quite a while now.  I have version 3.1.03103.  It's not available for free download from Cisco but you should be able to get it from your IT organization (assuming you need VPN for work). Sometimes they will complain a bit that you need the Mac version ;-)

  • Lohmeyer, May 16, 2014 12:37 AM, in response to GuyHelmer

    Is it fixed in 10.9.3?

  • skinnyoldcoot, May 16, 2014 9:12 AM, in response to Lohmeyer

    10.9.3 made no difference for me.

  • ToxeH35, Jun 16, 2014 2:03 PM, in response to skinnyoldcoot

    I call on everyone who has this problem to send feedback to http://www.apple.com/feedback/macosx.html

    The problem has been here since 2011.

    I tried to build ipsec (racoon) from Apple's open source for 10.9.0-10.9.2 in order to patch it. The sources as downloaded don't build (syntax error plus some functions missing from the open source).

    I think the only right way is many feedback reports. After that, Apple (maybe) can plan to fix the bug at first priority (or in a reasonable time).

  • ThomasRutkowski, Jun 26, 2014 9:03 AM, in response to mckinasole

    I've also been long suffering from this problem. The recent updates with Mavericks and one to the VPN client haven't helped. The main problem seems to be that there is no way to change the SA proposal setting in the client.

     

    Anyway, The script/workaround mckinasole posted works for me with some caveats as I run multiple vpn connections and need to set up new ones regularly.

    I added some functionality and put the script up on github. https://github.com/thomasrutkowski/vpnfix

  • o0O0o, Jul 6, 2014 2:44 PM, in response to mckinasole

    Thank you! This script works great for me.

  • opus45, Aug 19, 2014 3:38 PM, in response to mckinasole

    I don't know anything about applescript.  When I try to compile the code, I get a syntax error "expected expression, but found end of line" after the bracket after printHelp ().  What should I know about this script to run it without a syntax error?  Thanks much for your help.

  • dreanmer, Aug 25, 2014 6:41 AM, in response to opus45

    Save it as a "file.sh" then run it with "sudo sh file.sh prep" then "sudo sh file.sh fix"

  • Konstigt, Nov 12, 2014 7:31 AM, in response to GuyHelmer

    Used the script a few posts up on 10.9.5 to fix Cisco IPSEC VPN's, worked fine! Thanks

     

    Why isn't Apple fixing this...

  • Patsound, Dec 28, 2015 12:40 AM, in response to mckinasole

    In the newest version OSX 10.11.2 (El Capitan) the problem still exists. I am managing about 30 windows servers behind a cisco vpn so I have to use the VPN every day, all day. I have installed a windows desktop using virtualbox now to be able to maintain the VPN connection.

     

    The script helps, but only for one occasion. After a reboot, or getting out of hibernation, I cannot use the VPN anymore. It says it has encountered an unexpected error. The only way to fix this is to change back the include setting in the racoon.conf file to the /var/run/racoon location. After that, it works instantaneously, but for only 45 minutes of connection time. It is driving me nuts...

  • FJS_NY, Feb 16, 2016 12:03 PM, in response to Patsound

    Hey Patsound,

     

    I had a similar issue, with the script only working the first time. Try this

     

    Backup the .conf file in /etc/racoon/remote/

    Then open it to edit and look for line 8:

       local_address xxx.xxx.xxx;

    Remove or comment out this line.
