The built-in Cisco VPN client introduced in Mac OS X 10.6 Snow Leopard has the habit of disconnecting itself when re-keying should be performed but fails after about 48 minutes up to one hour. This timeout issue has been fixed in Mac OS X 10.6.4.
In versions of Mac OS X 10.6.0 up to 10.6.3, the problem can be worked around by increasing the re-keying period to e.g. 1 week.
Note
The update to Snow Leopard 10.6.4 fixes the issue of the VPN disconnecting after 48 minutes many people have observed in 10.6.0–10.6.3. Therefore, there is no need to change the configuration of racoon anymore.
In order to revert your configuration to the stock one, remove the last line from /etc/racoon.conf, so that the last line is again
include “/var/run/racoon/*.conf” ;
Please let me know in the comments if you still observe disconnections with 10.6.4.
Note that this workaround severely decreases the security of your VPN connection as attackers now have up to 1 week to attack the phase 1 key.
I have no clue where Apple stores the configuration template for racoon, but I have found the following workaround.
-
Create directory “/etc/racoon/remote/” as root.
-
Open a VPN connection to your Cisco VPN concentrator and copy the config file from
/var/run/racoon/<IP address>.confto/etc/racoon/remote, replacing all lines lifetime time 3600 sec; by lifetime time 168 hours;
This is achieved by the following sed command:
1 2 | |
- To make
racoonread our converted file, insert a line include “/etc/racoon/remote/.conf” ; right before the last line of/etc/racoon.conf, so that the last two lines are now include “/etc/racoon/remote/.conf” ; include “/var/run/racoon/*.conf” ;
This is achieved by executing the following patch command:
1 2 3 4 5 6 7 8 9 10 | |
- Restart racoon:
1 2 | |
That’s it. If this did not do the trick, try restarting your machine.
To summarize, here are all the commands to be executed:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | |