
Mountain Lion (10.8) certificates-based L2TP over IPsec VPN kaput

After upgrading to Mountain Lion, my certificates-based L2TP over IPsec VPN stopped working. However, it works fine using a PSK instead of certificates. OS X 10.7, as well as Windows clients, have no trouble with the certificates. For OS X 10.8, the VPN server is complaining the payload is faulty. So, since this works fine for OS X 10.7 and Windows clients, I have to conclude that the Mac client is mangling the certificate payload in 10.8.


In the Mac logs, I see the same as the user in this thread: https://discussions.apple.com/thread/4139538?answerId=19058470022#19058470022 . I have also followed the suggested solution in that thread of allowing all applications access to the private key in the Keychain, to no avail: the issue persists and the logs are unchanged.


Any ideas?


Cheers.

MacBook Pro, OS X Mountain Lion

Posted on Jul 30, 2012 11:48 AM

33 replies

Apr 15, 2013 3:01 AM in response to 3g91ld3a

Hi,

Thanks Adam for the hint. But when I enable access for anyone, a new problem occurs. The server cert cannot be verified. The client cert is valid and trusted. The CA has been imported. The server cert too. So, it worked with 10.7.x out of the box. Since 10.8 I have the problem. I will debug the problem in the foreground and will update this thread.


Thx.

Frank

Feb 13, 2014 4:08 PM in response to haraldfromenns

Maybe not simply a problem with Apple's software (10.9.1 Mavericks) but (also) with the router – Cisco noticed something similar (on http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client48/release/notes/48client.html):


CSCdu86399

If you use the VPN Client with a Digital Certificate and your Client sits behind a Cable/DSL router or some other NAT device, you might not be able to connect to your VPN Gateway device (that is, the VPN 3000 Concentrator). The problem is not with the VPN Client or the Gateway; it is with the Cable/DSL router. When the VPN Client uses a Digital Certificate, it sends the Certificate to the VPN Gateway. Most of the time, the packet with the Certificate is too big for a standard Ethernet frame (1500), so it is fragmented. Many Cable/DSL routers do not transmit fragmented packets, so the connection negotiation fails (IKE negotiation).

This problem might not occur if the Digital Certificate you are using is small enough, but this is only in rare cases. This fragmentation problem happens with the D-Link DI-704 and many other Cable/DSL routers on the market. We have been in contact with a few of these vendors to try to resolve the issue.

Testing with the VPN Client Release 3.1 indicates that VPN Client connections using Digital Certificates can be made using the following Cable/DSL routers with the following firmware: …

Compare also https://discussions.apple.com/thread/3202997?start=16&tstart=0 who identifies problems with too long Shared Secrets.


And finally compare also https://discussions.apple.com/thread/2274119?answerId=11230155022#11230155022 finding that the certificate has to be placed in the system keychain, not the login one. (Did not solve it for me.)
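The Cisco release note quoted in the reply above says the IKE message that carries the client certificate is usually larger than one 1500-byte Ethernet frame, so IP fragments it, and a NAT router that only forwards the first fragment breaks the negotiation. The following script is an added illustration of that size arithmetic; it is not code from this thread, from Apple or from Cisco. It sums the on-the-wire headers (IPv4 per RFC 791, UDP per RFC 768, ISAKMP header and payload headers per RFC 2408, NAT-T non-ESP marker per RFC 3948) around an ID, CERT and SIG payload, fragments the result the way a host does, and reports what survives a NAT that drops non-initial fragments. The certificate, signature and identity lengths it uses are constructed assumptions for a typical RSA-2048 certificate and for a much smaller ECDSA one; cipher padding of the encrypted phase-1 message is ignored.

```python
"""Why an ISAKMP main-mode message carrying an X.509 certificate fragments
at a 1500-byte MTU, and what a fragment-dropping NAT does to it.

Added example, not code from the thread, Apple or Cisco. Header sizes are
from RFC 791 (IPv4), RFC 768 (UDP), RFC 2408 (ISAKMP) and RFC 3948 (NAT-T).
The certificate/signature/ID lengths used in main() are constructed
assumptions, not measurements of any real certificate.
"""
from dataclasses import dataclass

IPV4_HEADER = 20
UDP_HEADER = 8
NAT_T_MARKER = 4             # four zero bytes before ISAKMP on UDP/4500 (RFC 3948)
ISAKMP_HEADER = 28           # cookies, next payload, version, exchange, flags, msg id, length
GENERIC_PAYLOAD_HEADER = 4   # next payload, reserved, payload length


def isakmp_cert_message_len(cert_der_len, sig_len, id_len, nat_t=True):
    """Length in bytes of the UDP datagram (UDP header included) for an
    ISAKMP message carrying ID, CERT and SIG payloads (RFC 2409 main mode,
    signature authentication). Cipher padding is ignored."""
    id_payload = GENERIC_PAYLOAD_HEADER + 4 + id_len          # ID type, protocol, port + data
    cert_payload = GENERIC_PAYLOAD_HEADER + 1 + cert_der_len  # certificate-encoding byte + DER
    sig_payload = GENERIC_PAYLOAD_HEADER + sig_len
    body = ISAKMP_HEADER + id_payload + cert_payload + sig_payload
    return UDP_HEADER + (NAT_T_MARKER if nat_t else 0) + body


@dataclass
class Fragment:
    offset: int          # byte offset of this fragment's data in the original datagram
    length: int          # data bytes carried (IPv4 header not included)
    more_fragments: bool # the MF flag


def ip_fragments(ip_payload_len, mtu=1500):
    """Fragment an IPv4 payload the way a sending host does (RFC 791):
    each fragment carries at most mtu - 20 bytes and every fragment but
    the last carries a multiple of 8 bytes, since offsets are in 8-byte units."""
    max_data = ((mtu - IPV4_HEADER) // 8) * 8
    frags = []
    offset = 0
    while ip_payload_len - offset > max_data:
        frags.append(Fragment(offset, max_data, True))
        offset += max_data
    frags.append(Fragment(offset, ip_payload_len - offset, False))
    return frags


def delivered_through_fragment_dropping_nat(ip_payload_len, mtu=1500):
    """Return (bytes_forwarded, bytes_total) for a NAT device that forwards
    only the first fragment (the one carrying the UDP header it can
    translate). Anything short of the total means IKE never reassembles
    the message and the negotiation stalls on the peer."""
    frags = ip_fragments(ip_payload_len, mtu)
    return frags[0].length, ip_payload_len


def main():
    # Constructed sizes: a typical RSA-2048 end-entity cert with a few
    # extensions (~1200 bytes DER, 256-byte signature) versus a small
    # ECDSA P-256 cert (~600 bytes DER, 64-byte signature); 10-byte ID.
    for label, cert_len, sig_len in (("RSA-2048 cert", 1200, 256),
                                     ("ECDSA P-256 cert", 600, 64)):
        datagram = isakmp_cert_message_len(cert_len, sig_len, id_len=10)
        frags = ip_fragments(datagram)
        forwarded, total = delivered_through_fragment_dropping_nat(datagram)
        print(f"{label}: datagram {total} bytes -> {len(frags)} fragment(s); "
              f"NAT dropping non-initial fragments delivers {forwarded}/{total} bytes")


if __name__ == "__main__":
    main()
```

The point the numbers make: the 28-byte ISAKMP header plus ID, CERT and SIG payloads leaves well under 1480 bytes for the certificate itself, so a standard RSA certificate already needs two IP fragments, while a certificate a few hundred bytes smaller fits in one frame and never meets the NAT's fragment handling at all. That matches the release note's remark that the problem can disappear with a small enough certificate.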
