
10.11.4 update broke native Cisco IPSec VPN

Every Mac in my company that upgraded to 10.11.4 is now suffering the same issue with lack of VPN capability:


"The VPN server did not respond. Verify the server address and try reconnecting."


nslookup shows the headend is resolvable by the machine but it will not respond to the VPN request. Everything worked fine yesterday; the only change in the environment was the update from last night.


In searching the dev forum I see there was a bug specifically around this issue that had been "resolved". That may not be the complete case.

MacBook Pro with Retina display, OS X El Capitan (10.11.4)

Posted on Mar 22, 2016 2:47 PM

15 replies

Mar 23, 2016 1:22 AM in response to NHump99

Exactly the same here - found this in /var/log/system that describes the issue (IPs redacted)



Mar 23 08:14:43 Dragunov nesessionmanager[417]: NESMLegacySession[89684807-78F0-4703-AFCC-9BC59DD46665]: Received a start command from SystemUIServer[288]

Mar 23 08:14:43 Dragunov nesessionmanager[417]: NESMLegacySession[89684807-78F0-4703-AFCC-9BC59DD46665]: status changed to connecting

Mar 23 08:14:43 Dragunov nesessionmanager[417]: IPSec connecting to server X.X.X.X

Mar 23 08:14:43 Dragunov nesessionmanager[417]: IPSec Phase1 starting.

Mar 23 08:14:43 Dragunov racoon[236]: accepted connection on vpn control socket.

Mar 23 08:14:43 --- last message repeated 1 time ---

Mar 23 08:14:43 Dragunov racoon[236]: IPSec connecting to server X.X.X.X

Mar 23 08:14:43 --- last message repeated 1 time ---

Mar 23 08:14:43 Dragunov racoon[236]: Connecting.

Mar 23 08:14:43 Dragunov racoon[236]: IPSec Phase 1 started (Initiated by me).

Mar 23 08:14:43 --- last message repeated 1 time ---

Mar 23 08:14:43 Dragunov racoon[236]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).

Mar 23 08:14:43 Dragunov racoon[236]: >>>>> phase change status = Phase 1 started by us

Mar 23 08:14:43 --- last message repeated 1 time ---

Mar 23 08:14:43 Dragunov racoon[236]: none message must be encrypted, status 0x1461, side 0

Mar 23 08:14:46 --- last message repeated 1 time ---

Mar 23 08:14:46 Dragunov racoon[236]: IKE Packet: transmit success. (Phase 1 Retransmit).

Mar 23 08:14:46 Dragunov racoon[236]: none message must be encrypted, status 0x1461, side 0

Mar 23 08:14:49 --- last message repeated 1 time ---

Mar 23 08:14:49 Dragunov racoon[236]: IKE Packet: transmit success. (Phase 1 Retransmit).

Mar 23 08:14:49 Dragunov racoon[236]: none message must be encrypted, status 0x1461, side 0

Mar 23 08:14:52 --- last message repeated 1 time ---

Mar 23 08:14:52 Dragunov racoon[236]: IKE Packet: transmit success. (Phase 1 Retransmit).

Mar 23 08:14:52 Dragunov racoon[236]: none message must be encrypted, status 0x1461, side 0

Mar 23 08:14:53 --- last message repeated 1 time ---

Mar 23 08:14:53 Dragunov nesessionmanager[417]: NESMLegacySession[:89684807-78F0-4703-AFCC-9BC59DD46665]: status changed to disconnecting

Mar 23 08:14:53 Dragunov nesessionmanager[417]: IPSec disconnecting from server X.X.X.X

Mar 23 08:14:53 Dragunov racoon[236]: IPSec disconnecting from server X.X.X.X

Mar 23 08:14:53 --- last message repeated 3 times ---

Mar 23 08:14:53 Dragunov nesessionmanager[417]: NESMLegacySession[89684807-78F0-4703-AFCC-9BC59DD46665]: status changed to disconnected, last stop reason None

In addition, I updated the iOS install on my iPhone 6 - and the exact same VPN with the exact config still works on my iPhone - so it's just OS X 10.11.4 affected.
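A triage sketch for the log excerpt in the post above, as an added example that is not part of the original thread: it groups racoon/nesessionmanager lines into connection attempts and flags attempts where IKE Phase 1 packets were sent and retransmitted but nothing came back. The sample log is constructed from the lines quoted above; the `receive success` wording for a peer reply and the function name are assumptions.

```python
import re

# Constructed sample modelled on the lines quoted in the post above.
# The "receive success" line in the second attempt is an assumed wording.
SAMPLE_LOG = """\
Mar 23 08:14:43 Dragunov nesessionmanager[417]: IPSec Phase1 starting.
Mar 23 08:14:43 Dragunov racoon[236]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Mar 23 08:14:43 --- last message repeated 1 time ---
Mar 23 08:14:46 Dragunov racoon[236]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 23 08:14:49 Dragunov racoon[236]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 23 08:14:52 Dragunov racoon[236]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 23 08:14:53 Dragunov nesessionmanager[417]: IPSec disconnecting from server X.X.X.X
Mar 23 08:20:01 Dragunov nesessionmanager[417]: IPSec Phase1 starting.
Mar 23 08:20:01 Dragunov racoon[236]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Mar 23 08:20:01 Dragunov racoon[236]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
"""

# syslog prefix: month, day, time, host, process[pid]: message
LINE_RE = re.compile(r"^\w{3}\s+\d+ (\d\d:\d\d:\d\d) \S+ (\w+)\[\d+\]: (.*)$")

def summarize_attempts(text):
    """Return one dict per VPN attempt with packet counts and a verdict."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and "--- last message repeated ---" markers
        ts, proc, msg = m.groups()
        if proc == "nesessionmanager" and "Phase1 starting" in msg:
            cur = {"start": ts, "end": None, "sent": 0, "retransmits": 0, "received": 0}
            attempts.append(cur)
        elif cur is None:
            continue  # line outside any attempt
        elif proc == "racoon" and msg.startswith("IKE Packet: transmit success"):
            cur["retransmits" if "Retransmit" in msg else "sent"] += 1
        elif proc == "racoon" and msg.startswith("IKE Packet: receive"):
            cur["received"] += 1
        elif proc == "nesessionmanager" and "IPSec disconnecting" in msg:
            cur["end"], cur = ts, None
    for a in attempts:
        silent = a["received"] == 0 and a["sent"] + a["retransmits"] > 0
        a["verdict"] = "no-ike-reply" if silent else "peer-responded"
    return attempts

if __name__ == "__main__":
    for attempt in summarize_attempts(SAMPLE_LOG):
        print(attempt)
```

A `no-ike-reply` verdict places the failure before any authentication exchange, so the headend's own log for the same timestamps is the next place to look.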

Apr 21, 2016 7:06 AM in response to javaHelena

The common theme seems to be the Cisco Diffie-Hellman group policies and the versions numbered 1,3,5. Apparently these should be avoided due to inadequate security (by way of Cisco forum suggestion), and if you've done that you may get more Cisco-oriented responses on their forums as to the issue.

https://supportforums.cisco.com/

From the strictly Mac OS X standpoint I would suggest what not to run on your system. This includes all 3rd party Mac utilities for optimization or network, and any Mac anti-virus solution, as these are known to cause problems. I'd also shut off any firewall to test, and include the Mac OS X built-in VPN as part of that test (provided your VPN server is set up to receive it), and if nothing else works make sure any device on your local network is not running anything to prevent tunneling. The manufacturer of the device may have a procedure to reset the devices to their defaults; make sure you note your current settings before resetting, as you can screenshot on a Mac using this procedure:

How to take a screenshot on your Mac - Apple Support

Outside of that uninstall and reinstall the client in the current account or a new administrative account to test.

Past that, this appears to be a Cisco issue at this time, at least as far as Apple would see it in their EULA (see section O.)
