Mac OS X and Cisco VPN

VPN on Mac OS X (10.4 - Tiger, 10.5 - Leopard, 10.6 - Snow Leopard)

General:
10.4 - Tiger PPC: Cisco IPsec Client, Cisco AnyConnect Client Version 2.5.x
10.5 - Leopard PPC: Cisco IPsec Client, Cisco AnyConnect Client Version 2.5.x
10.5 - Leopard Intel: Cisco IPsec Client, Cisco AnyConnect Client Version 3.x
10.6 - Snow Leopard Intel: integrated IPsec Client, Cisco IPsec Client, Cisco AnyConnect Client Version 3.x
10.7 - Lion Intel: integrated IPsec Client, Cisco AnyConnect Client Version 3.x

Download

What about the built-in VPN client?
Up to and including 10.5: the client integrated in the Internet Connect program currently does not work on our VPN servers. The client supports the PPTP and L2TP protocols over IPsec, but not IPsec with the XAUTH extension that we use.
For 10.6 and higher Mac OS X has an integrated Cisco IPsec client. Instructions and configuration profile on the download page:

Problems after upgrading to 10.6 (Snow Leopard):
After the system update to 10.6, a previously installed Cisco IPsec VPN client does not work, and the error message (Error 51) appears. The client works again after deinstallation and then reinstallation of Version 4. You can find the new version of the IPsec client at the following link:

Error message: "A configuration error occurred. Verify your settings and try reconnecting"
This error message appears in systems that have not been restarted for a long time. This indicates that the "Racoon" process is hanging. Restarting the process in the Activity Monitor eliminates the problem without a need to restart the system. Optionally, you can also input the following in a terminal window:


I've made an L2TP/IPSec tunnel using System Preferences->Network->VPN on a 10.6.8 client. When a NAT isn't involved, this tunnel works. If I'm interpreting Wireshark correctly, it appears that the Mac negotiates that it _could_ use NAT-T with the other end. But when push comes to shove, it doesn't actually use NAT-T protocols. The Mac side emits ESP/IP packets (which aren't NAT-friendly), when it really should be encapsulating ESP in port 4500/UDP. Doh!

Digging a little deeper, racoon appears to be the daemon that should do the NAT-T dance. The (no-longer-ships-with-Snow Leopard) man page for racoon.conf, at: indicates that nat_traversal is NOT the default, but there's an option "nat_traversal = force" that looks like it'd be the right option to put in racoon.conf. The problem is that it's difficult to put the directive in the right racoon.conf. There's an /etc/racoon/racoon.conf, but what the GUI does is generate a dynamic racoon.conf in /var/run/racoon/ which /etc/racoon/racoon.conf is configured to source.

1) Is there a sane way to tweak what gets written to the dynamic racoon.conf? Some plist to edit, perhaps?
2) Is this any better with Lion? Why on earth isn't NAT-T the default?
3) Anyone know if OpenVPN, SSTP, etc. will be VPN options in the future? (For assorted reasons, I need to avoid 3rd party VPN products, even though they'd almost certainly be less of a pain than IPSec.) It's not considered secure enough by the folks who run the VPN server end of things.

I managed to figure out what part of the GUI plumbing is responsible for the /var/run/racoon/ configuration. It comes from the /System/Library/Extensions/L2TP.ppp/Contents/MacOS/L2TP executable. It does NOT come from /usr/sbin/vpnd (though they share enough code for things to be confusing). There's no obvious configuration file that lets me get at the options it sets. But, in a stroke of luck, one of the racoon.conf options baked into the executable is a) long and b) unnecessary. The "situation identity_only" directive is pointless if I believe the man page. So, I mv'ed the original L2TP executable aside and used a hex editor to replace "situation identity_only" with "nat_traversal force" (using appropriate excess padding so everything stays the same size).

Good news: I can get the "nat_traversal force" directive in the dynamic racoon.conf. I didn't break anything by hacking the L2TP binary.
Bad news: Forcing NAT-T with that directive doesn't appear to work. Even with that directive in place, racoon still tries to do ESP/IP even when it shouldn't/can't.

Another thing I explored was replacing the old racoon with a more modern racoon, but modern racoon doesn't support the keychain integration AFAICT.
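The distinction the question draws from Wireshark, native ESP (IP protocol 50) versus the UDP/4500 encapsulation that RFC 3948 defines for NAT-T, can be checked mechanically from raw IPv4 packets. The classifier below is an added example, not code from the thread or from Apple's racoon; the packet builders, sample packets and function names are my own constructions.

```python
import struct

ESP_PROTO, UDP_PROTO = 50, 17
IKE_PORT, NAT_T_PORT = 500, 4500

def build_ipv4(proto, payload, src="10.0.0.2", dst="203.0.113.1"):
    """Constructed test data: minimal IPv4 header (no options) around payload."""
    ip2b = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip2b(src), ip2b(dst))
    return hdr + payload

def build_udp(sport, dport, data):
    """Constructed test data: UDP header (checksum left zero) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt):
    """Name the IPsec/IKE transport a raw IPv4 packet is using."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    body = pkt[ihl:]
    if proto == ESP_PROTO:
        return "esp-ip"          # native ESP: no ports, so most NATs cannot forward it
    if proto != UDP_PROTO or len(body) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", body[:4])
    data = body[8:]
    if IKE_PORT in (sport, dport):
        return "ike"             # phase 1/2 negotiation before NAT-T is switched on
    if NAT_T_PORT not in (sport, dport):
        return "other"
    # RFC 3948 demultiplexing on UDP/4500: a 1-byte 0xFF keepalive, IKE behind a
    # 4-byte zero "non-ESP marker", otherwise ESP (its SPI is never zero).
    if len(data) == 1 and data[0] == 0xFF:
        return "nat-t-keepalive"
    if len(data) >= 4 and data[:4] == b"\x00" * 4:
        return "ike-nat-t"
    return "esp-udp" if len(data) >= 8 else "other"

def nat_friendly(pkt):
    """True when the packet can cross a NAT, i.e. it is not native ESP/IP."""
    return classify(pkt) in ("ike", "ike-nat-t", "esp-udp", "nat-t-keepalive")

# Constructed samples: the two ESP forms the thread contrasts, plus IKE and keepalive.
ESP_BODY = b"\x12\x34\x56\x78" + b"\x00\x00\x00\x01" + b"\xaa" * 16  # SPI, seq, data
SAMPLES = {
    "raw_esp":   build_ipv4(ESP_PROTO, ESP_BODY),
    "esp_udp":   build_ipv4(UDP_PROTO, build_udp(4500, 4500, ESP_BODY)),
    "ike":       build_ipv4(UDP_PROTO, build_udp(500, 500, b"\x01" * 28)),
    "ike_natt":  build_ipv4(UDP_PROTO, build_udp(4500, 4500, b"\x00" * 4 + b"\x01" * 28)),
    "keepalive": build_ipv4(UDP_PROTO, build_udp(4500, 4500, b"\xff")),
}
```

Fed with packets from a capture of the tunnel, a client that is working through a NAT should show "ike-nat-t" and "esp-udp" after phase 1; a stream of "esp-ip" is the symptom described above.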