Important note
The built-in Cisco VPN client introduced in Mac OS X 10.6 Snow Leopard has the habit of disconnecting itself when re-keying should be performed but fails after about 48 minutes up to one hour. This timeout issue has been fixed in Mac OS X 10.6.4.
In versions of Mac OS X 10.6.0 up to 10.6.3, the problem can be worked around by increasing the re-keying period to e.g. 1 week.
Tip
The update to Snow Leopard 10.6.4 fixes the issue of the VPN disconnecting after 48 minutes many people have observed in 10.6.0–10.6.3. Therefore, there is no need to change the configuration of racoon anymore.
In order to revert your configuration to the stock one, remove the last line from /etc/racoon.conf, so that the last line is again
1include "/var/run/racoon/*.conf" ;
Note that this workaround severely decreases the security of your VPN connection as attackers now have up to 1 week to attack the phase 1 key.
I have no clue where Apple stores the configuration template for racoon, but I have found the following workaround.
- Create directory “/etc/racoon/remote” as root:
1sudo mkdir /etc/racoon/remote
Open a VPN connection to your Cisco VPN concentrator. This should result in the creation of a config file located at
/var/run/racoon/10.1.1.1.conf, where10.1.1.1is the IP address of the VPN concentrator.Move this dynamically created file to
/etc/racoon/remotebefore we change its contents:
1sudo mv /var/run/racoon/*.conf /etc/racoon/remote
- Now we edit the file, replacing all lines
1lifetime time 3600 sec;
by
1lifetime time 168 hours;
This is achieved by the following sed command:
1sudo sed -i.bak 's/lifetime time 3600 sec/lifetime time 168 hours/' /etc/racoon/remote/*.conf
- To make
racoonread our converted file, insert a line
1include "/etc/racoon/remote/*.conf" ;
right before the last line of /etc/racoon.conf. The last two lines should now be
1include "/etc/racoon/remote/*.conf" ;
2include "/var/run/racoon/*.conf" ;
This is achieved by executing the following patch command:
1sudo patch /etc/racoon/racoon.conf <<EOF
2--- /etc/racoon.orig/racoon.conf 2009-06-23 09:09:08.000000000 +0200
3+++ /etc/racoon/racoon.conf 2009-12-11 13:52:11.000000000 +0100
4@@ -135,4 +135,5 @@
5 # by including all files matching /var/run/racoon/*.conf
6 # This line should be added at the end of the racoon.conf file
7 # so that settings such as timer values will be appropriately applied.
8+include "/etc/racoon/remote/*.conf" ;
9 include "/var/run/racoon/*.conf" ;
10EOF
- Restart racoon:
1sudo launchctl stop com.apple.racoon
2sudo launchctl start com.apple.racoon
That’s it. If this did not do the trick, try restarting your machine.
To summarize, here are all the commands to be executed:
1sudo mkdir /etc/racoon/remote
2sudo mv /var/run/racoon/*.conf /etc/racoon/remote
3sudo sed -i.bak 's/lifetime time 3600 sec/lifetime time 168 hours/' /etc/racoon/remote/*.conf
4sudo patch /etc/racoon/racoon.conf <<EOF
5--- /etc/racoon.orig/racoon.conf 2009-06-23 09:09:08.000000000 +0200
6+++ /etc/racoon/racoon.conf 2009-12-11 13:52:11.000000000 +0100
7@@ -135,4 +135,5 @@
8 # by including all files matching /var/run/racoon/*.conf
9 # This line should be added at the end of the racoon.conf file
10 # so that settings such as timer values will be appropriately applied.
11+include "/etc/racoon/remote/*.conf" ;
12 include "/var/run/racoon/*.conf" ;
13EOF
14sudo launchctl stop com.apple.racoon
15sudo launchctl start com.apple.racoon