
Mountain Lion (10.8) certificates-based L2TP over IPsec VPN kaput

After upgrading to Mountain Lion, my certificates-based L2TP over IPsec VPN stopped working. However, it works fine using a PSK instead of certificates. OS X 10.7 clients, as well as Windows clients, have no trouble with the certificates. For OS X 10.8, the VPN server is complaining that the payload is faulty. So, since this works fine for OS X 10.7 and Windows clients, I have to conclude that the Mac client is mangling the certificate payload in 10.8.

In the Mac logs, I see the same as the user in this thread: https://discussions.apple.com/thread/4139538?answerId=19058470022#19058470022 . I have also followed the suggested solution in that thread of allowing all applications access to the private key in the Keychain, to no avail; the issue persists and the logs are unchanged.


Any ideas?


Cheers.

MacBook Pro, OS X Mountain Lion

Posted on Jul 30, 2012 11:48 AM

33 replies

Sep 22, 2012 12:33 AM in response to 3g91ld3a

Hi to all...

Problem solved! Because OS X and iOS have the same problem, I dived into the depths of IKE and found the solution.

The problem is that the new IPsec system has problems with handling "big" certificates (search for IKE UDP fragmentation, if you are interested).

So, the solution is quite simple: create a certificate with the absolute MINIMUM of the required data (for example: C=AT, CN=HS, E=hs). I tested only with a 1024-bit public key size, and this works on iOS and OS X as well.

Have fun,

Harald

Sep 24, 2012 6:27 AM in response to christophefrom25

Hi,

This could NOT be solved within the keychain. The certificate has to be issued in a way that its size is so small that it will not be fragmented during IKE negotiation.

If your certificate is issued by an IT administrator, tell him that you need a certificate where the required fields (normally email and common name) are as short as possible, to reduce the size of the certificate.

Harald
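As an added example (not from the thread, Apple, or racoon), the script below uses OpenSSL to issue two self-signed test certificates, one with the minimal subject Harald describes in the two posts above and one with a long corporate-style subject and a 2048-bit key, and reports their DER sizes against an assumed 1500-byte path MTU and an assumed 200-byte allowance for IP, UDP and ISAKMP headers plus the other phase 1 payloads. It shows how much the subject fields and key size contribute before the certificate ever goes into an IKE CERT payload.

```shell
#!/bin/sh
# Added example, not from the thread: measure how subject-field length and key
# size change the DER size of a certificate, to show why a minimal subject keeps
# the IKE CERT payload small. The MTU value and the header allowance below are
# assumptions chosen for illustration, not values taken from racoon or Apple.
set -e

MTU=1500                # assumed path MTU
HEADER_ALLOWANCE=200    # assumed: IP/UDP/ISAKMP headers plus other phase 1 payloads
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Issue a self-signed certificate with the given subject and RSA key size,
# convert it to DER, and print the DER size in bytes.
cert_der_size() {
    subject="$1"; bits="$2"; base="$WORKDIR/$3"
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 1 -subj "$subject" \
        -keyout "$base.key" -out "$base.pem" >/dev/null 2>&1
    openssl x509 -in "$base.pem" -outform DER -out "$base.der"
    wc -c < "$base.der" | tr -d ' '
}

# Succeeds when a certificate of the given DER size plus the assumed header
# allowance still fits in one MTU-sized datagram.
fits_in_mtu() {
    [ "$(( $1 + HEADER_ALLOWANCE ))" -le "$MTU" ]
}

report() {
    label="$1"; size="$2"
    if fits_in_mtu "$size"; then
        echo "$label: $size bytes DER, fits in one datagram"
    else
        echo "$label: $size bytes DER, would need IKE fragmentation"
    fi
}

# Minimal subject as in the thread (C=AT, CN=HS, E=hs) with a 1024-bit key.
minimal=$(cert_der_size "/C=AT/CN=HS/emailAddress=hs" 1024 minimal)
# Constructed long subject with a 2048-bit key, typical of a corporate PKI.
verbose=$(cert_der_size "/C=AT/ST=Vienna/L=Vienna/O=Example Corporation Ltd./OU=Remote Access Users/CN=remote-access-client-0042.vpn.example.com/emailAddress=firstname.lastname@example.com" 2048 verbose)

report "minimal subject, 1024-bit key" "$minimal"
report "long subject, 2048-bit key" "$verbose"
```

A real deployment certificate issued by a CA is larger still (issuer DN, extensions, SAN), so measure your own certificate with the second openssl command rather than relying on the constructed ones.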

Feb 3, 2013 5:28 AM in response to 3g91ld3a

Yes, I am still watching this thread!

For every OS X update released I'm hoping for a fix for this bug, but so far nothing.

Poorly managed, Apple!

What is even more annoying is that it was an Apple update on OS X 10.7 that forced me to rebuild my internal PKI infrastructure from 512- to 2048-bit certificate key size:

http://support.apple.com/kb/HT5281

(After this update, certificates with a key size less than 1024 were rejected.)

Feb 24, 2013 2:02 AM in response to beamzz

Hi, I have the same problem, and debugged it in depth.

I use 2048-bit SSL certs.

iPhone and iPad both work with these certificates, so there must be a difference in the racoon source.

First I enabled debugging in the file /etc/racoon/racoon.conf

(be sure that racoon is not running, or you will get err (61). Reboot to fix)

added:

path logfile "/var/log/racoon.log";
log debug2;

did as root:

touch /var/log/racoon.log
chown root:admin /var/log/racoon.log
chmod 640 /var/log/racoon.log

So the error at the end, after hashing the cert:

2013-02-24 10:48:51: [483] DEBUG: hmac(hmac_sha1)
2013-02-24 10:48:51: [483] DEBUG: HASH (init) computed:
2013-02-24 10:48:51: [483] DEBUG:
4c36a99e e9ddb045 03d54006 92b5c9ff c9732e72
2013-02-24 10:48:51: [483] ERROR: error -25308 errSecInteractionNotAllowed.
2013-02-24 10:48:51: [483] ERROR: failed to sign.
2013-02-24 10:48:51: [483] ERROR: failed to get sign
2013-02-24 10:48:51: [483] ERROR: failed to allocate send buffer
2013-02-24 10:48:51: [483] ERROR: failed to process packet.
2013-02-24 10:48:51: [483] ERROR: phase1 negotiation failed.
2013-02-24 10:48:51: [483] DEBUG: IV freed

The CA cert and the client cert are trusted. (verified in the keystore, showing valid cert)

I also played around with turning dpd off, and ike_frag on.

No change. Seems like the dog bites its own tail.

Any updates on this issue?

Rgds.

Frank
