Frazzler

Q: Mountain Lion VPN problem?

Since upgrading to Mountain Lion (10.8) my VPN that uses L2TP/IPSec with machine authentication with a certificate no longer works. My other VPNs seem OK, I just have a problem using authentication with certificates.

 

Does anyone else have this problem?

 

Here are my logs, connection always seems to fail transmission with Main-Mode Message 5 every time.

 

Jul 26 11:52:34 XXXXXXXXXX-macbook-pro.local racoon[11746]: IPSec Phase1 started (Initiated by me).

Jul 26 11:52:34 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).

Jul 26 11:52:34 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: receive success. (Initiator, Main-Mode message 2).

Jul 26 11:52:34 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).

Jul 26 11:52:34 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: receive success. (Initiator, Main-Mode message 4).

Jul 26 11:52:34 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: transmit failed. (Initiator, Main-Mode Message 5).

Jul 26 11:52:35 XXXXXXXXXX-macbook-pro.local racoon[11746]: IPSec Phase1 started (Initiated by me).

Jul 26 11:52:35 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).

Jul 26 11:52:38 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: transmit success. (Phase1 Retransmit).

Jul 26 11:52:41 --- last message repeated 1 time ---

Jul 26 11:52:41 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: receive success. (Initiator, Main-Mode message 2).

Jul 26 11:52:41 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).

Jul 26 11:52:42 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: receive success. (Initiator, Main-Mode message 4).

Jul 26 11:52:42 XXXXXXXXXX-macbook-pro.local racoon[11746]: IKE Packet: transmit failed. (Initiator, Main-Mode Message 5).

Jul 26 11:53:11 XXXXXXXXXX-macbook-pro.local pppd[11745]: IPSec connection failed

Jul 26 11:53:11 XXXXXXXXXX-macbook-pro.local racoon[11746]: IPSec disconnecting from server 138.XXX.X.X

Macbook Pro 17" (mid 2009), Mac OS X (10.6.1), MacBookPro5,2

Posted on Jul 26, 2012 4:03 AM

  • by Frazzler, Aug 6, 2012 4:18 AM in response to greg.shaw

    And where does your VPN connect to? It sounds like your VPN might be using a DNS service that doesn't recognise the internal URLs. Is the VPN you are using supplied by your University?

  • by Nuno Barreto, Aug 6, 2012 5:42 AM in response to Frazzler

    Sorry, can't really disclose what server it is. It's an IPSec connection that was working with no problem before with Lion. I have tried remaking the whole configuration, without success. It might be a whole different reason, but the fact is Mountain Lion broke my IPSec connection via racoon.

  • by Frazzler, Aug 6, 2012 5:58 AM in response to Nuno Barreto

    My question was directed to Greg Shaw, not you.

  • by Nuno Barreto, Aug 6, 2012 6:09 AM in response to Frazzler

    Sorry.

  • by Nuno Barreto, Aug 7, 2012 2:31 AM in response to Nuno Barreto

    I have found a solution that works for me. I just retrieved the executables racoon and racoonctl for Lion (they are in /usr/sbin/), and replaced the Mountain Lion ones with those. For this version it is clear that Apple has created a custom racoon that makes it mandatory for certificates to be installed in Keychain Access (it was not my case) and to have them given permission to use racoon.

    I didn't test what would happen if I installed the certificates in the Keychain Access because I don't have their password (don't ask, company policy), but I guess it would work.

    Note: This "solution" might make other VPN connections you might have with Keychain Access certificates not work.

  • by thomas hk, Aug 7, 2012 10:26 PM in response to Frazzler

    Hi,

    I do have the same problem with my new MBP Retina display running Mountain Lion.

    The same VPN was working with my old MBP running Mountain Lion as well.

    Cannot figure out how to get it to work again, and without the VPN you are lost in China.

    I would most appreciate any help I can get.

    Thomas

  • by thomas hk, Aug 7, 2012 11:22 PM in response to thomas hk

    I do get this:

    The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.

    How can I change to IPSec?

    Thanks for any help.

    Thomas

  • by thomas hk, Aug 7, 2012 11:34 PM in response to thomas hk

    Sorry all,

    I was just too stupid. I got it to work, thank you.

  • by Frazzler, Aug 8, 2012 1:53 AM in response to thomas hk

    Did you try granting the racoon app rights access to your certificate as outlined earlier in this thread?

  • by yangsta, Aug 8, 2012 5:04 PM in response to Frazzler

    I have tried doing this, but in Keychain Access I only see the two different types of passwords and not a certificate. One is an XAuth Password and the other is a Shared Secret. I try to go to 'my certificates' and it's empty after I have gone through the installer for my school's VPN. The other certificates I have are: Software signing, com.apple.systemdefault, com.apple.kerberos.kdc, and Apple Code Signing Certification Authority. I have tried setting both those password Access Controls to allow by any application, but that didn't work. It starts out with allowing racoon anyway.

  • by harpreed, Aug 12, 2012 6:06 AM in response to Frazzler

    Having the same problem. When I try to connect via VPN (Cisco IPSEC), I get "the negotiation with the VPN server failed. Verify the server address and try reconnecting." When I follow your steps going into Keychain Access and change the access control to the private key, I get "The server certificate's identity is incorrect, contact your local network administrator."

    I used to use a Cisco VPN on Mountain Lion with no issues, and had never used the internal IPSEC VPN...

  • by thetechnician, Sep 16, 2012 9:17 PM in response to Frazzler

    Hi guys,

     

    I've been bashing my head and reading all available forums and am still bashing my head against a brick wall.

     

    We had people using Lion 10.7 with Cisco IPsec VPN and all of our server settings and shared secret worked without a hitch. One person has taken the leap and gone to Mountain Lion and it all went to shreds. I've had a look at the system log and this is what I get from when it tries to connect:

     

     

    9/17/12 1:35:09.064 PM configd[17]: IPSec connecting to server 203.58.241.189

     

    9/17/12 1:35:09.067 PM configd[17]: IPSec Phase1 starting.

    9/17/12 1:35:09.067 PM configd[17]: SCNC: start, triggered by System Preferen, type IPSec, status 0

    9/17/12 1:35:09.077 PM mDNSResponder[52]: Double NAT (external NAT gateway address 192.168.1.70 is also a private RFC 1918 address)

    9/17/12 1:35:09.078 PM racoon[3369]: IPSec connecting to server 203.58.241.189

    9/17/12 1:35:09.078 PM racoon[3369]: Connecting.

    9/17/12 1:35:09.079 PM racoon[3369]: IPSec Phase1 started (Initiated by me).

    9/17/12 1:35:09.082 PM racoon[3369]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).

    9/17/12 1:35:09.121 PM racoon[3369]: IKEv1 Phase1 AUTH: failed. (Initiator, Aggressive-Mode Message 2).

    9/17/12 1:35:09.122 PM configd[17]: IPSec Controller: IKE FAILED. phase 2, assert 0

    9/17/12 1:35:09.122 PM racoon[3369]: IKE Packet: transmit success. (Information message).

    9/17/12 1:35:09.122 PM racoon[3369]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).

    9/17/12 1:35:09.122 PM racoon[3369]: IKE Packet: receive failed. (Initiator, Aggressive-Mode Message 2).

    9/17/12 1:35:09.122 PM configd[17]: IPSec disconnecting from server 203.58.241.189

    9/17/12 1:35:09.122 PM racoon[3369]: IPSec disconnecting from server 203.58.241.189

    9/17/12 1:35:09.125 PM racoon[3369]: IPSec disconnecting from server 203.58.241.189

     

    From this I gather that there is something up with IKE? Or perhaps that it is trying to go with aggressive mode (whereas we have static IPs) could be a problem?

     

    Can anyone help out with this at all?

     

    And also, is there a way to find out what version of the Cisco VPN client comes installed by default in Mac Lion 10.7 and which one comes in Mountain Lion? (Could the default settings have changed somewhere?)
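
Added example (not part of any post in this thread): a Python triage of racoon lines like those posted by Frazzler and thetechnician, reporting for each Phase 1 attempt the last message that succeeded and the exchange step that failed. The sample lines are constructed in the thread's log formats with a placeholder hostname, and the step names are an assumption taken from the IKEv1 message layout (RFC 2409), not from racoon's own documentation.

```python
import re

# Constructed sample in the thread's two log formats (hostname is a placeholder).
SAMPLE = """\
Jul 26 11:52:34 host racoon[11746]: IPSec Phase1 started (Initiated by me).
Jul 26 11:52:34 host racoon[11746]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Jul 26 11:52:34 host racoon[11746]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Jul 26 11:52:34 host racoon[11746]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Jul 26 11:52:34 host racoon[11746]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Jul 26 11:52:34 host racoon[11746]: IKE Packet: transmit failed. (Initiator, Main-Mode Message 5).
9/17/12 1:35:09.079 PM racoon[3369]: IPSec Phase1 started (Initiated by me).
9/17/12 1:35:09.082 PM racoon[3369]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
9/17/12 1:35:09.121 PM racoon[3369]: IKEv1 Phase1 AUTH: failed. (Initiator, Aggressive-Mode Message 2).
"""

EVENT = re.compile(
    r"racoon\[\d+\]: (?P<what>IKE Packet: (?:transmit|receive)|IKEv1 Phase1 AUTH:) "
    r"(?P<result>success|failed)\. "
    r"\((?P<role>Initiator|Responder), (?P<mode>Main|Aggressive)-Mode [Mm]essage (?P<num>\d)\)")

# IKEv1 (RFC 2409) Phase 1 step carried by each message, keyed by (mode, number).
STAGE = {
    ("Main", 1): "SA proposal", ("Main", 2): "SA proposal",
    ("Main", 3): "key exchange", ("Main", 4): "key exchange",
    ("Main", 5): "identity + authentication", ("Main", 6): "identity + authentication",
    ("Aggressive", 1): "SA + key exchange + initiator identity",
    ("Aggressive", 2): "responder identity + authentication",
    ("Aggressive", 3): "initiator authentication",
}

def triage(log_text):
    """Return one dict per Phase 1 attempt: last good message and first failure."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if "IPSec Phase1 started" in line:
            cur = {"mode": None, "last_ok": 0, "failed_at": None, "stage": None}
            attempts.append(cur)
        elif m and cur is not None and cur["failed_at"] is None:
            mode, num = m["mode"], int(m["num"])
            cur["mode"] = mode
            if m["result"] == "success":
                cur["last_ok"] = max(cur["last_ok"], num)
            else:  # record only the first failure of the attempt
                cur["failed_at"], cur["stage"] = num, STAGE.get((mode, num), "unknown")
    return attempts

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A failure at Main-Mode message 5 or Aggressive-Mode message 2 falls in the authentication step, after the proposal and key exchange have completed, so the place to look is the credential (certificate, private key access, shared secret) rather than reachability.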

  • by Bestwick, Sep 28, 2012 9:37 AM in response to greg.shaw

    I have totally the same problem as greg.shaw after migration to Mountain Lion:

    VPN is working fine, but I still cannot access any internal portals or servers, except two (mail server, and MS communicator server).
    DNS are ok, all configs too.

    Do not know what else I can try. Spent all day to find the problem, but still no result.

  • by Bestwick, Sep 29, 2012 9:05 AM in response to Bestwick

    I finally fixed it!

    So, what I did is:

    1. I went to http://support.apple.com/downloads#osxmountainlion and manually downloaded Lion update 10.8.2 (combo)

    2. Installed it

    3. Opened Keychain Access, chose category "all items" and entered my VPN name in search. Found my VPN configuration, opened it. Chose "allow all applications to access the item" in the "Access control" menu from the pop-up, which appeared after double-clicking the VPN configuration.

    4. VPN works and all internal sites work fine as well.

    Now I will try to grant access to racoon only, to avoid the security breach when granting access to all apps.

    Good luck!

    But in fact it is a bit frustrating, I really spent 4 days to get it to work. Apple should do more testing before launching new updates or at least provide better support for bug-fixing.

  • by Bestwick, Sep 29, 2012 9:24 AM in response to Bestwick

    Well, I just did it. I granted access only to racoon and racoonconf to my VPN configuration in Keychain Access and after VPN restart everything worked fine.

    Tip: to find the racoon and racoonconf files in the Keychain browser window, when adding new apps, just type cmd-shift-g, and in the "go to folder" menu, which pops up, enter the path "/usr/sbin". There you will be able to find both racoon and racoonconf.
