
Mountain Lion VPN problem?

Since upgrading to Mountain Lion (10.8) my VPN that uses L2TP/IPSec with machine authentication with a certificate no longer works. My other VPNs seem OK, I just have a problem using authentication with certificates.


Does anyone else have this problem?


Here are my logs; the connection always seems to fail transmission with Main-Mode Message 5 every time.


Jul 26 11:52:34 XXXXXXXXXX-macbook-pro.local racoon[11746]: IPSec Phase1 started (Initiated by me).
Jul 26 11:52:34 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Jul 26 11:52:34 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Jul 26 11:52:34 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Jul 26 11:52:34 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Jul 26 11:52:34 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: transmit failed. (Initiator, Main-Mode Message 5).
Jul 26 11:52:35 XXXXXXXXXX-macbook-pro.local racoon[11746]: IPSec Phase1 started (Initiated by me).
Jul 26 11:52:35 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Jul 26 11:52:38 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: transmit success. (Phase1 Retransmit).
Jul 26 11:52:41 --- last message repeated 1 time ---
Jul 26 11:52:41 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Jul 26 11:52:41 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Jul 26 11:52:42 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Jul 26 11:52:42 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: transmit failed. (Initiator, Main-Mode Message 5).
Jul 26 11:53:11 XXXXXXXXXX-macbook-pro.local pppd[11745]: IPSec connection failed
Jul 26 11:53:11 XXXXXXXXXX-macbook-pro.local racoon[11746]: IPSec disconnecting from server 138.XXX.X.X

Macbook Pro 17" (mid 2009), Mac OS X (10.6.1), MacBookPro5,2

Posted on Jul 26, 2012 4:03 AM

Question marked as Best reply

Posted on Jul 26, 2012 10:51 AM

I have the same problem after upgrading from Lion to Mountain Lion. What I did was open Keychain Access and set the VPN certificate (the private key part) to allow all applications to access it.

39 replies

Aug 7, 2012 2:31 AM in response to Nuno Barreto

I have found a solution that works for me. I just retrieved the executables racoon and racoonctl from Lion (they are in /usr/sbin/) and replaced the Mountain Lion ones with those. For this version it is clear that Apple has created a custom racoon that makes it mandatory for certificates to be installed in Keychain Access (which was not my case) and to have them given permission to be used by racoon.


I didn't test what would happen if I installed the certificates in Keychain Access because I don't have their password (don't ask, company policy), but I guess it would work.


Note: This "solution" might make other VPN connections you might have with Keychain Access certificates not work.

Aug 8, 2012 5:04 PM in response to Frazzler

I have tried doing this, but in Keychain Access I only see the two different types of passwords and not a certificate. One is an XAuth Password and the other is a Shared Secret. I try to go to 'My Certificates' and it's empty after I have gone through the installer for my school's VPN. The other certificates I have are: Software Signing, com.apple.systemdefault, com.apple.kerberos.kdc, and Apple Code Signing Certification Authority. I have tried setting both of those passwords' Access Control to allow any application, but that didn't work. It starts out allowing racoon anyway.

Aug 12, 2012 6:06 AM in response to Frazzler

Having the same problem. When I try to connect via VPN (Cisco IPSec), I get "The negotiation with the VPN server failed. Verify the server address and try reconnecting." When I follow your steps, going into Keychain Access and changing the access control on the private key, I get "The server certificate's identity is incorrect, contact your local network administrator."


I used to use a Cisco VPN on Mountain Lion with no issues, and had never used the internal IPSec VPN...

Sep 16, 2012 9:17 PM in response to Frazzler

Hi guys,


I've been bashing my head and reading all available forums and am still bashing my head against a brick wall.


We had people using Lion 10.7 with Cisco IPsec VPN, and all of our server settings and shared secret worked without a hitch. One person has taken the leap and gone to Mountain Lion and it all went to shreds. I've had a look at the system log and this is what I get when it tries to connect:



9/17/12 1:35:09.064 PM configd[17]: IPSec connecting to server 203.58.241.189
9/17/12 1:35:09.067 PM configd[17]: IPSec Phase1 starting.
9/17/12 1:35:09.067 PM configd[17]: SCNC: start, triggered by System Preferen, type IPSec, status 0
9/17/12 1:35:09.077 PM mDNSResponder[52]: Double NAT (external NAT gateway address 192.168.1.70 is also a private RFC 1918 address)
9/17/12 1:35:09.078 PM racoon[3369]: IPSec connecting to server 203.58.241.189
9/17/12 1:35:09.078 PM racoon[3369]: Connecting.
9/17/12 1:35:09.079 PM racoon[3369]: IPSec Phase1 started (Initiated by me).
9/17/12 1:35:09.082 PM racoon[3369]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
9/17/12 1:35:09.121 PM racoon[3369]: IKEv1 Phase1 AUTH: failed. (Initiator, Aggressive-Mode Message 2).
9/17/12 1:35:09.122 PM configd[17]: IPSec Controller: IKE FAILED. phase 2, assert 0
9/17/12 1:35:09.122 PM racoon[3369]: IKE Packet: transmit success. (Information message).
9/17/12 1:35:09.122 PM racoon[3369]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
9/17/12 1:35:09.122 PM racoon[3369]: IKE Packet: receive failed. (Initiator, Aggressive-Mode Message 2).
9/17/12 1:35:09.122 PM configd[17]: IPSec disconnecting from server 203.58.241.189
9/17/12 1:35:09.122 PM racoon[3369]: IPSec disconnecting from server 203.58.241.189
9/17/12 1:35:09.125 PM racoon[3369]: IPSec disconnecting from server 203.58.241.189


From this I gather that there is something up with IKE? Or perhaps that it is trying to go with aggressive mode (whereas we have static IPs) could be the problem?


Can anyone help out with this at all?


And also, is there a way to find out what version of the Cisco VPN client comes installed by default in Lion 10.7 and which one comes in Mountain Lion? (Could the default settings have changed somewhere?)
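Both racoon excerpts in this thread (the Main-Mode log in the opening post and the Aggressive-Mode log above) stop at a specific IKEv1 Phase 1 message, and knowing which message failed narrows the cause considerably: Main-Mode messages 1-4 are the cleartext SA and Diffie-Hellman exchange, while message 5 is the first encrypted message in which the initiator sends its identity and its authentication payload (certificate/signature or PSK hash); in Aggressive Mode, message 2 carries the responder's authentication payload. The following script is an added example and not part of this thread or of Apple's racoon: it walks a log in order, reports the last message that succeeded and the one that failed, and maps that to the handshake stage and a diagnostic hint. The sample log text is constructed from the quoted lines with placeholder hostnames and PIDs; the `analyze_phase1`, `stage` and `hint` functions are this example's own.

```python
import re

# Constructed sample logs, modelled on the two racoon excerpts quoted in this thread
# (syslog-style from the opening post, Console-style from the Aggressive-Mode post).
# Hostnames and PIDs are placeholders, not values from any real machine.
MAIN_MODE_LOG = """\
Jul 26 11:52:34 host racoon[11746]: IPSec Phase1 started (Initiated by me).
Jul 26 11:52:34 host racoon[11746]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Jul 26 11:52:34 host racoon[11746]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Jul 26 11:52:34 host racoon[11746]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Jul 26 11:52:34 host racoon[11746]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Jul 26 11:52:34 host racoon[11746]: IKE Packet: transmit failed. (Initiator, Main-Mode Message 5).
Jul 26 11:53:11 host pppd[11745]: IPSec connection failed
"""

AGGRESSIVE_MODE_LOG = """\
9/17/12 1:35:09.079 PM racoon[3369]: IPSec Phase1 started (Initiated by me).
9/17/12 1:35:09.082 PM racoon[3369]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
9/17/12 1:35:09.121 PM racoon[3369]: IKEv1 Phase1 AUTH: failed. (Initiator, Aggressive-Mode Message 2).
9/17/12 1:35:09.122 PM configd[17]: IPSec Controller: IKE FAILED. phase 2, assert 0
9/17/12 1:35:09.122 PM racoon[3369]: IKE Packet: receive failed. (Initiator, Aggressive-Mode Message 2).
"""

# racoon logs "message N" for successes and "Message N" for failures; accept both.
PACKET_RE = re.compile(
    r"racoon\[\d+\]: IKE Packet: (?P<dir>transmit|receive) (?P<result>success|failed)\. "
    r"\((?P<role>Initiator|Responder), (?P<mode>Main|Aggressive)-Mode [Mm]essage (?P<num>\d+)\)"
)
AUTH_FAIL_RE = re.compile(
    r"racoon\[\d+\]: IKEv1 Phase1 AUTH: failed\. "
    r"\((?P<role>Initiator|Responder), (?P<mode>Main|Aggressive)-Mode [Mm]essage (?P<num>\d+)\)"
)


def stage(mode: str, num: int) -> str:
    """Which part of the IKEv1 Phase 1 handshake a given message carries."""
    if mode == "Main":
        if num <= 2:
            return "SA proposal negotiation (cleartext)"
        if num <= 4:
            return "Diffie-Hellman key exchange and nonces (cleartext)"
        return "identity and authentication payloads (first encrypted messages)"
    # Aggressive Mode compresses the exchange into three messages.
    return {1: "initiator SA/KE/nonce/ID",
            2: "responder SA/KE/nonce/ID plus its authentication payload",
            3: "initiator authentication payload"}.get(num, "unknown")


def hint(mode: str, num: int, kind: str) -> str:
    """Defender-side reading of the failure point. The Main-Mode 5 case is the one
    this thread resolves: racoon was denied access to the VPN identity's private key."""
    if mode == "Main" and num == 5 and kind == "transmit":
        return ("racoon could not build/send its own authentication payload; on 10.8 "
                "check that racoon is allowed to use the VPN certificate's private key "
                "in Keychain Access")
    if kind == "auth":
        return ("the peer's authentication payload did not verify; check the shared "
                "secret, group/identity settings and that the server certificate "
                "matches the configured server identity")
    if kind == "receive":
        return "no valid reply from the peer at this step; check connectivity/NAT and server logs"
    return "local send failure; check racoon's local configuration and the system log"


def _report(mode: str, num: int, kind: str, last_ok) -> dict:
    return {"mode": mode, "failed_message": num, "kind": kind,
            "last_successful_message": last_ok,
            "stage": stage(mode, num), "hint": hint(mode, num, kind)}


def analyze_phase1(log_text: str) -> dict:
    """Walk a racoon log in order and report where IKE Phase 1 stopped."""
    mode, last_ok = None, None
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            mode, num = m["mode"], int(m["num"])
            if m["result"] == "success":
                last_ok = num
                continue
            return _report(mode, num, m["dir"], last_ok)   # kind = transmit/receive
        a = AUTH_FAIL_RE.search(line)
        if a:
            return _report(a["mode"], int(a["num"]), "auth", last_ok)
    return {"mode": mode, "failed_message": None, "kind": None,
            "last_successful_message": last_ok, "stage": None,
            "hint": "no Phase 1 failure seen in this log"}


if __name__ == "__main__":
    for name, text in (("main mode", MAIN_MODE_LOG), ("aggressive mode", AGGRESSIVE_MODE_LOG)):
        r = analyze_phase1(text)
        print(f"{name}: failed at {r['mode']}-Mode message {r['failed_message']} "
              f"({r['kind']}), last OK {r['last_successful_message']}: {r['stage']}; {r['hint']}")
```

Run it against a copy of your own system log (`analyze_phase1(open('/var/log/system.log').read())`); because it stops at the first failure, paste only the lines from one connection attempt. The point of the stage mapping is that a Main-Mode failure at message 5 after messages 1-4 succeeded is not a reachability or proposal problem, which is consistent with the Keychain private-key permission fix described in this thread.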

Sep 28, 2012 9:37 AM in response to greg.shaw

I have totally the same problem as greg.shaw after migration to Mountain Lion:


VPN is working fine, but I still cannot access any internal portals or servers, except two (mail server and MS Communicator server).

DNS is OK, all configs too.


Don't know what else I can try. Spent all day trying to find the problem, but still no result 😟

Sep 29, 2012 9:05 AM in response to Bestwick

I finally fixed it!


So, what I did is:

1. I went to http://support.apple.com/downloads#osxmountainlion and manually downloaded Lion update 10.8.2 (combo)

2. Installed it

3. Opened Keychain Access, chose the category "All Items" and entered my VPN name in the search. Found my VPN configuration and opened it. Chose "Allow all applications to access this item" in the "Access Control" menu of the pop-up that appeared after double-clicking on the VPN configuration.

4. VPN works and all internal sites work fine as well.


Now I will try to grant access to racoon only to avoid the security breach, when granting access to all apps.


Good luck!


But in fact it is a bit frustrating, I really spent 4 days to get it to work. Apple should do more testing before launching new updates or at least provide better support for bug-fixing.

Sep 29, 2012 9:24 AM in response to Bestwick

Well, I just did it. I granted access only to racoon and racoonconf to my VPN configuration in Keychain Access, and after a VPN restart everything worked fine.

Tip: to find the racoon and racoonconf files in the Keychain browser window when adding new apps, just type Cmd-Shift-G and, in the "Go to Folder" menu which pops up, enter the path "/usr/sbin". There you will be able to find both racoon and racoonconf.

Oct 15, 2012 2:29 AM in response to Bestwick

I am having the same problem with VPN after upgrading from Snow Leopard server to Mountain Lion Server but I have no idea about certificates. I don't seem to have one for the VPN and following the steps above only brings up:


com.apple.racoon
com.apple.net.racoon


In both of these Access Control is already set to 'Allow all applications to access this item'.


I would be grateful for any guidance. Mountain Lion Server is definitely not a server for the rest of us!
