Ipsec connection failed mac os

Question: Q: L2TP/IPSec on macOS 10.12.6 unable to connect — but iOS 10 connects fine to same VPN!

I have set up a home office server (macOS 10.12.6 with latest Server). I configured VPN L2TP/IPSec on the server.

I can successfully connect to the VPN using iOS 10 (latest). Works great.

I used the very same settings on macOS 10.12.6 client, but am unable to connect. It is trying to, but I get:

The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.»

Oh yes, Administrator = me 🙂

Any tips? Thanks.

MacBook Pro, macOS Sierra (10.12), 2.5 GHz i7 quad core w. 16gb RAM

Posted on Aug 18, 2017 8:43 AM

All replies

Loading page content

Page content loaded

Experiencing the same situation. 2 MBPs running 10.12.6 (16G29) can’t connect to VPN, where 2 older MBPs can—running Mavericks and Snow Leopard. I was connecting with my main Sierra machine less than a month ago, but set up other Sierra laptop this morning and getting the same error.

Sep 2, 2017 8:08 AM

So I was on the phone with Apple support. During this conversation we found a work around- kind off.

1. On you client, delete the non working VPN settings

2. Create a new admin account

3. Switch users to newly created admin account

4. Create a new VPN profile/Setting

5. Test it. If it works, switch back to your original user/admin account and test to connect there. DON’t modify it, duplicate it or rename it under your original account, or it won’t work anymore and you have to start over! The new VPN profile should continue to work under your original account.

6. If no longer needed delete the temporary admin account.

Sep 2, 2017 8:16 AM

So I was on the phone with Apple support. During this conversation we found a work around- kind off.

1. On you client, delete the non working VPN settings

2. Create a new admin account

3. Switch users to newly created admin account

4. Create a new VPN profile/Setting

5. Test it. If it works, switch back to your original user/admin account and test to connect there. DON’t modify it, duplicate it or rename it under your original account, or it won’t work anymore and you have to start over! The new VPN profile should continue to work under your original account.

6. If no longer needed delete the temporary admin account.

Tried my luck with both Sierra MBPs—no joy. Thanks for the suggestion.

Источник

IPSec VPN для OS X и iOS. Без боли

VPN (англ. Virtual Private Network — виртуальная частная сеть) — обобщённое название технологий, позволяющих обеспечить одно или несколько сетевых соединений (логическую сеть) поверх другой сети (например, Интернет).
© Wikipedia

VPN используется для удаленного подключения к рабочему месту, для защиты данных, для обхода фильтров и блокировок, для выдачи себя за гражданина другой страны и вообще — штука незаменимая. Практически повсеместно в качестве простого средства для организации пользовательского VPN используется всем известный OpenVPN, который использовал и я. Ровно до тех пор, пока у меня не появился Macbook и OS X в придачу. Из-за того, что подход Apple к конфигурации DNS сильно отличается от подхода других *nix-систем, проброс DNS через VPN нормально не работал.

После некоторых исследований у меня получилось два варианта:
— Использование DNS «мимо» VPN, что сильно небезопасно, но решает проблему.
— Использование нативных для OS X VPN-протоколов: PPTP и семейства IPSec.
Разумеется, я выбрал второе и разумеется — IPSec, а не устаревший PPTP.

Настройка Linux ( в моем случае — Arch Linux )

1. Открыть Настройки → Сеть
2. Нажать (+) и выбрать VPN/Cisco IPSec
3. Заполнить основную информацию ( адрес, имя пользователя и пароль )
4. Выбрать «Настройки аутентификации» и указать группу и PSK ( из файла /etc/racoon/psk.key )
5. Подключиться

OS X и IPSec

IPSec это не один протокол, а набор протоколов и стандартов, каждый из которых имеет кучу вариантов и опций. OS X поддерживает три вида IPSec VPN:
— IPSec/L2TP
— IKEv2
— Cisco VPN

Первый вариант избыточен — какой смысл пробрасывать ethernet-пакеты для пользовательского VPN?
Второй — требует сертификатов и сильно сложной настройки на стороне клиента, что тоже нехорошо.
Остается третий, который называется «Cisco», а на самом деле — XAuth+PSK. Его и будем использовать.

Препарация OS X

После некоторых неудачных попыток настроить VPN на OS X, я полез изучать систему на предмет того, как же именно там работает VPN.
Недолгий поиск дал мне файлик /private/etc/racoon/racoon.conf, в котором была строчка include «/var/run/racoon/*.conf»;.
После этого все стало понятно: при нажатии кнопки OS X генерирует конфиг для racoon и кладет его в /var/run/racoon/, после окончания соединения — удаляет. Осталось только получить конфиг, что я и сделал, запустив скрипт перед соединением.

Внутри я нашел именно ту информацию, которой мне не хватало для настройки сервера: IPSec proposals. Это списки поддерживаемых клиентом ( и сервером ) режимов аутентификации, шифрования и подписи, при несовпадении которых соединение не может быть установлено.
Итоговый proposal для OS X 10.11 и iOS 9.3 получился таким:
encryption_algorithm aes 256;
hash_algorithm sha256;
authentication_method xauth_psk_server;
dh_group 14;

Выбор VDS и настройка VPN

Для VPN-сервера я выбрал VDS от OVH, поскольку они дают полноценную виртуализацию с возможностью ставить любое ядро с любыми модулями. Это очень важно, поскольку ipsec работает на уровне ядра, а не пользователя, как OpenVPN.
Режим «Cisco VPN» (XAuth + PSK) предполагает двухэтапную аутентификацию:
— Используя имя группы и PSK для нее ( этап 1 )
— Используя имя пользователя и пароль ( этап 2 )

Настройка racoon

racoon — демон, который занимается управлением ключами ( IKE ). Именно он дает ядру разрешение на провешивание туннеля после того, как аутентифицирует клиента и согласует все детали протокола ( aka proposal ). racoon входит в стандартный пакет ipsec-tools и есть практически в любом дистрибутиве Linux «из коробки».

Используя случайные 64 бита группы и 512 бит ключа, я получаю достаточно вариантов, чтоб сделать перебор бессмысленным.

Настройка Linux

— Необходимо разрешить маршрутизацию: sysctl net.ipv4.ip_forward=1
— Необходимо разрешить протокол ESP и входящие соединения на порты 500/udp и 4500/udp: iptables -t filter -I INPUT -p esp -j ACCEPT; iptables -t filter -I INPUT -p udp —dport 500 -j ACCEPT; iptables -t filter -I INPUT -p udp —dport 4500 -j ACCEPT
— Необходимо включить NAT для нашей сети: iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j MASQUERADE
— Необходимо создать группу и создать/добавить туда пользователей: groupadd vpn и useradd -G vpn vpn_user
— Необходимо запустить racoon: racoon -vF

Настройка OS X

Настройки → Сеть

Выбрать (+) → VPN → Cisco IPSec → придумать название

Выбрать соединение → ввести адрес сервера, имя пользователя и пароль

Выбрать «Настройки аутентификации» → ввести имя группы и ключ ( именно в таком порядке )

Настройка iOS

Настройки → Основные → VPN → Добавить конфигурацию VPN.

Заполнить форму по аналогии, подключиться.

Источник

Ipsec connection failed mac os

Thu Mar 19, 2009 11:54 pm

I cannot for the life of me get L2TP w/ IPSec working. I’ve read all the wiki docs and almost all of the forum threads by those with similar issues and still cannot get it working.

I am trying to setup VPN access to connect from my MacBook Pro laptop to RB500, running latest ROS 3.22 (so NOT router to router like most of the docs describe). MacBook is running OS X 10.5 which supports L2TP/IPSec out of the box.

Enabled L2TP Server:

(NOTE: I did not create a new L2TP Server «interface», just enabled the server with the «enabled=yes» — not sure the difference)

Added PPP secret:

Not too sure if the IP values are correct. My network is 192.168.1.0 and I want the connecting VPN client to use an internal address.

Added IPSec peer:

I then configure Mac for L2TP/IPSec, enter public IP, user, pass, secret. When I connect, I see traffic on the UDP ports in MT. Mac first attempts to connect to port 1701, then a second request to port 500, then after about 10 seconds I get a vague «connection failed, check settings».

Another question is how can I see debug-level info about this connection in ROS? I’d probably be able to figure it out if I could get this info. I added a logging rule for topics «l2tp, ipsec, ppp» with action «memory» but I don’t see output in the log window.

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

Sat Mar 21, 2009 8:47 pm

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

Mon Apr 06, 2009 6:11 pm

Hello! Does anybody have any updates on this problem?

Mac OS X client says
23:33:53 ipsec the length in the isakmp header is too big.

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

Thu Oct 22, 2009 1:35 pm

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

Sun Dec 06, 2009 7:47 pm

It is working fine on RouterOS 4.0beta2.

Added IPSec peer as:

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

Wed Oct 13, 2010 1:19 pm

I’m also having trouble with ROS v4.1 and Mac OS X 10.6.

It appears that the IPSec part is working, but not the L2TP/PPP side. According to my OSX logs.

13/10/2010 11:01:04 pppd[2113] IPSec connection established
13/10/2010 11:01:24 pppd[2113] L2TP cannot connect to the server

Has anyone got any tips?

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

Sat Jun 06, 2015 6:07 am

Searching and finding this old thread, I also cannot get a Mac OSX 10.10.3 to connect through a new RB951G-2HnD to a MacPro 10.9.5 Server v3.0.3 running L2TP VPN.

The Mac client logged:
Fri Jun 5 22:17:52 2015 : publish_entry SCDSet() failed: Success!
Fri Jun 5 22:17:52 2015 : publish_entry SCDSet() failed: Success!
Fri Jun 5 22:17:52 2015 : l2tp_get_router_address
Fri Jun 5 22:17:52 2015 : l2tp_get_router_address 192.168.1.1 from dict 1
Fri Jun 5 22:17:52 2015 : L2TP connecting to server ‘65.35.xxx.xxx’ (65.35.xxx.xxx).
Fri Jun 5 22:17:52 2015 : IPSec connection started
Fri Jun 5 22:17:52 2015 : IPSec phase 1 client started
Fri Jun 5 22:17:52 2015 : IPSec phase 1 server replied
Fri Jun 5 22:18:22 2015 : IPSec connection failed

The VPN has previously worked reliably with the same client through a WRT54G router running dd-WRT firmware, which had port forwarding on external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.

Being new to RouterOS v6.27, I wonder if anyone can please give me some pointers. I am using WebFig and CLI but could set up Winbox if necessary.

Источник

Ipsec connection failed mac os

Бесплатный чек-лист
по настройке RouterOS
на 28 пунктов

Не работает подключение L2TP + IPsec с MacOS

Дома: [CCR1009-7G-1C-1S+] [CRS112-8P-4S-IN] [wAP ac] [RB260GS]
Не дома: [RB4011iGS+] [CRS326-24G-2S+RM] [wAP 60ad] [cAP ac].
. [hEX] [hAP ac²] [hAP ac lite] [hAP mini] [RB260GS]

Дома: [CCR1009-7G-1C-1S+] [CRS112-8P-4S-IN] [wAP ac] [RB260GS]
Не дома: [RB4011iGS+] [CRS326-24G-2S+RM] [wAP 60ad] [cAP ac].
. [hEX] [hAP ac²] [hAP ac lite] [hAP mini] [RB260GS]

Дома: [CCR1009-7G-1C-1S+] [CRS112-8P-4S-IN] [wAP ac] [RB260GS]
Не дома: [RB4011iGS+] [CRS326-24G-2S+RM] [wAP 60ad] [cAP ac].
. [hEX] [hAP ac²] [hAP ac lite] [hAP mini] [RB260GS]

Чуть попозже попробую именно big sur и именно с 6.48.x.
Но вообще вы сами не пробовали на 6.47 long-term пересесть — там ситуация такая же?

Дома: [CCR1009-7G-1C-1S+] [CRS112-8P-4S-IN] [wAP ac] [RB260GS]
Не дома: [RB4011iGS+] [CRS326-24G-2S+RM] [wAP 60ad] [cAP ac].
. [hEX] [hAP ac²] [hAP ac lite] [hAP mini] [RB260GS]

Значит пока попробовал подключиться с Big Sur к уже работающим серверам (пробовал 6.46.7 long-term и 6.47.8 stable).
Все ок с (почти) стандартными настройками, только аутентификацию он в отличие от более старых осей использует sha256.

Сейчас попробую куда-нибудь накатить 6.48.2 для теста.

Upd.: к 6.48.2 подключился так же без проблем, причем с вообще дефолтными настройками (так что, например, sha1 не помеха).

Так что вопрос — как вы настраиваете клиента?

Дома: [CCR1009-7G-1C-1S+] [CRS112-8P-4S-IN] [wAP ac] [RB260GS]
Не дома: [RB4011iGS+] [CRS326-24G-2S+RM] [wAP 60ad] [cAP ac].
. [hEX] [hAP ac²] [hAP ac lite] [hAP mini] [RB260GS]

Источник

Question: Q: L2TP/IPsec VPN doesn’t work after upgrade to Catalina.

Is this a bug or a planned «feature» ?

It is not possible to work with VPN’s after upgrade to Catalina.

MacBook Pro with Touch Bar

Posted on Oct 9, 2019 7:55 AM

All replies

Loading page content

Page content loaded

I am having the same issue using VPN for Azure over IKEv2.; just throws a generic error. The topic is trending for Cisco and Fortinet VPN gateways on Reddit. Apple support had us reinstall Catalina, to no avail.

Oct 9, 2019 11:22 AM

After doing some tinkering, we discovered that (at least for IKEv2) if you choose ‘None’ under Authentication Settings in your VPN settings and then select the «certificate» radio button and choose your certificate, it works. No explanation as to why, but it works.

Oct 9, 2019 1:38 PM

Clarifying my use case: after updating to Catalina my L2TP/IPsec connection connects as usual but tunnel connectivity disappears anywhere from 40 to 180 seconds (100% reproducible).

Method of checking:

Result: replies as usual until 40 to 180 seconds, then «time out»

VPN Log: tail -f /var/log/ppp.log

—No entries during successful pings—

—No entries 10 seconds after first ping timeout, then—

: no echo-reply, despite successful ppp_auxiliary_probe!

: No response to 3 echo-requests

: Serial link appears to be disconnected.

VNP Hardware: D-link VPN DSR-N250

Windows Virtual machine (running on same Catalina mac) connects to the VPN and hold connection indefinitely.

Oct 10, 2019 6:28 PM

No L2TP VPN working neither with setup in networking connections nor with the Shimo VPN client.

Shimo support reported me that, due to security features in Catalina, no L2TP can work any more.

So this doesn’t seem a bug but an intentional choice

Oct 18, 2019 1:38 PM

This wouldn’t seem logical for the following two reasons:

1) Apple wouldn’t keep the L2TP configuration option if it was no longer supported,

2) In my scenario (above) the connection «does» get established only to be lost in a minute or two.

So we are hoping that Apple just wasn’t aware that the functionality is broken in such a peculiar way.

Oct 18, 2019 1:49 PM

Hope you’re right.

This is the exact response by Shimo support «Unfortunately it’s no longer possible to provide PPTP and L2TP support on macOS Catalina due to Apples security restrictions«.

Shimo doesn’t work any more.

Also Apple VPN on L2TP does’t work always returning an error «the server L2TP-VPN did not respond. «

I agree that it’s somehow strange to still have configuration available but this is my situation at the moment. 🙁

Oct 18, 2019 2:03 PM

I add another information.

Examining the log of Vpn Connections (vim /var/log/ppp.log) i’ve found the following error. «L2TP: cannot connect racoon control socket: Connection refused».

Oct 18, 2019 2:32 PM

Sitting with the same problem. Waiting on feedback from my Router provider «Draytek» on what next,

anyone else make progress ?

Oct 19, 2019 4:33 AM

Getting the same problem after an upgrade to Catalina. PPP log shows the error: «L2TP: cannot connect racoon control socket: Connection refused» which I believe is the same as Plicciardello. Tried both native and Shimo clients. Connection to the same VPN server from a different mac running Mojave works fine.

Oct 22, 2019 9:12 AM

your’re experiencing exactly the same problem than me

Oct 22, 2019 1:23 PM

Try to run in terminal:

Oct 28, 2019 2:38 PM

I’ve tried to launch the command and VPN still doesn’t work but the returned error has changed

From «L2TP: cannot connect racoon control socket: Connection refused» we’ve evolved to

Tue Oct 29 00:02:35 2019 : IPSec connection started

Tue Oct 29 00:02:35 2019 : IPSec phase 1 client started

Tue Oct 29 00:02:35 2019 : IPSec phase 1 server replied

Tue Oct 29 00:03:05 2019 : IPSec connection failed

So something has changed. Now is the IPSec connection that fails

Any other ideas?

Oct 28, 2019 4:08 PM

At in I’d hope apple can provide VPN via SSL URGENTLY, as it seems they removed pretty much everything else that is available via VPN providers.

I understand they want to tighten things up, but removing a capability with not replacement in the market is irresponsible.

Oct 28, 2019 10:32 PM

I’m trying to do a native vpnd installation on Catalina 10.15.1. It had worked perfectly on Mojave. I seem to be getting farther than other people so here’s what I found.

First, my error in the vpnd.log is:

Fri Nov 1 16:00:55 2019 : L2TP incoming call in progress from ‘192.168.0.1’.

Fri Nov 1 16:00:56 2019 : L2TP incoming call in progress from ‘192.168.0.1’.

Fri Nov 1 16:00:58 2019 : L2TP incoming call in progress from ‘192.168.0.1’.

Fri Nov 1 16:01:06 2019 : L2TP incoming call in progress from ‘192.168.0.1’.

Fri Nov 1 16:01:10 2019 : L2TP incoming call in progress from ‘192.168.0.1’.

Fri Nov 1 16:01:14 2019 : L2TP incoming call in progress from ‘192.168.0.1’.

2019-11-01 16:01:15 EDT —> Client with address = 192.168.0.173 has hungup

2019-11-01 16:01:16 EDT —> Client with address = 192.168.0.174 has hungup

2019-11-01 16:01:18 EDT —> Client with address = 192.168.0.175 has hungup

2019-11-01 16:01:26 EDT —> Client with address = 192.168.0.176 has hungup

2019-11-01 16:01:30 EDT —> Client with address = 192.168.0.177 has hungup

2019-11-01 16:01:34 EDT —> Client with address = 192.168.0.178 has hungup

This has information about VPN changes.

The major change I found was that the LaunchDaemon was changed to vpn.ppp.l2tp.plist

I get as far as my log (above) showing that I’m hitting the vpnd service (and I don’t know why 6 times) and then hanging up. I know my username/password/shared secret are correct because if I change one of them, I don’t appear in the log.

Hope this helps someone else to maybe find an answer.

Источник