Mountain Lion IPsec VPN randomly drops out (usually around 45 minutes)

Problem:

I’ve had this issue with both Lion (Mac OS X 10.7) and Mountain Lion (Mac OS X 10.8). I decided to use the built-in VPN client to connect to a Cisco VPN using IPsec, but the connection drops out at around 45 minutes every time.

[Side note] – If you are looking to use Apple’s built-in VPN client instead of Cisco’s on Mac OS X, check out the great article on migrating across (linked under Resources below).

Resolution:

To fix this I found the resolution on Apple’s support forums (the thread is linked under Resources below).

Before proceeding remember, the usual disclaimer applies – you are doing this at your own risk, and I take no responsibility if your system dies or turns into a pumpkin. I’ve used this method successfully and have had a VPN connection stay connected for over 9 hours. Also, if you are not comfortable using the terminal, I wouldn’t recommend attempting this.

Also, this is a hack at best: you will need to make further changes if you have more than one VPN profile configured, because we replace the wildcard include with a static config for the one VPN you are connecting to, instead of whatever racoon generates when connecting.

  1. Connect to your VPN as you usually would. This generates the racoon config file we need to use.
  2. The configuration file is generated in /var/run/racoon/ and is named after the IP address you are connecting to, followed by the extension .conf – for this example I’ve used the invalid address 255.255.255.255, so the file is 255.255.255.255.conf. We need to copy it to /etc/racoon so we can modify it. From a terminal run a command such as: sudo cp /var/run/racoon/255.255.255.255.conf /etc/racoon
  3. Using the editor of your choice (such as vim or pico – I’ll use vim), from the terminal run: sudo vim /etc/racoon/racoon.conf
  4. Go to the end of the file (in vim you can do this by pressing shift-g) and comment out the line that reads: include "/var/run/racoon/*.conf" ; To comment out a line, simply add a hash (#) to the beginning of it. The line will then read: #include "/var/run/racoon/*.conf" ; (note that the quotes must be plain double quotes, not the curly quotes a word processor or web page may produce).
  5. While the file is still open, under the line you just commented out, add a new include pointing at the file we copied earlier. Remember to update the path to match the IP address in your filename. The new line will look like this: include "/etc/racoon/255.255.255.255.conf" ;
  6. Save the file.
  7. Now we must edit the file we copied earlier. Again, open it in your favourite text editor, remembering to update the command to use the correct filename: sudo vim /etc/racoon/255.255.255.255.conf
  8. Once open, look for the line that says dpd_delay xx; where xx is a number, in my case 20. We need to change this to 0 (zero). Update the value so the line now reads: dpd_delay 0;
  9. Next, find the line that states proposal_check xxxx; where xxxx is a word, mine was set to obey. We need to change this to claim. Update the word so the line now reads: proposal_check claim;
  10. Next we need to find all lines in the file (there will be multiple) that state lifetime time xxxx sec; where xxxx is a number, mine was 3600. We need to update the value AND the time unit (i.e. from sec to hours). Update EVERY instance of this line so it reads: lifetime time 12 hours;
  11. Save the file.
  12. Disconnect from the VPN session.
  13. Next time you reconnect, racoon will use the updated config file and you should find you no longer get disconnected every 45 or so minutes.
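To make the edits in steps 4, 5 and 8 to 10 repeatable, and to check them before anything under /etc/racoon is touched, here is a small POSIX shell script. It is an added example, not code from the original post or from Apple. It runs entirely on constructed stand-ins for the generated per-peer file and for racoon.conf in a temporary directory, and it assumes the line shapes the post describes (dpd_delay N;, proposal_check word;, lifetime time N sec;); a real generated file contains more lines, which the sed expressions leave untouched.

```shell
#!/bin/sh
# Added example, not from the original post: automate steps 4, 5 and 8-10
# of the procedure on a *copy* of the generated racoon config, so the
# result can be inspected before anything under /etc/racoon is touched.
# Everything here runs in a temp directory on constructed sample files.

# Constructed stand-in for /var/run/racoon/<peer-ip>.conf. A real generated
# file is longer; only the lines the procedure edits are reproduced.
make_sample_conf() {
  cat > "$1" <<'EOF'
remote 255.255.255.255 {
        exchange_mode aggressive;
        dpd_delay 20;
        proposal_check obey;
        proposal {
                lifetime time 3600 sec;
                encryption_algorithm aes 256;
        }
}
sainfo anonymous {
        lifetime time 3600 sec;
}
EOF
}

# Constructed stand-in for the tail of /etc/racoon/racoon.conf.
make_sample_racoon_conf() {
  cat > "$1" <<'EOF'
# (constructed sample) last line of racoon.conf
include "/var/run/racoon/*.conf" ;
EOF
}

# Steps 8-10: dpd_delay -> 0, proposal_check -> claim, and every
# "lifetime time N sec;" -> "lifetime time 12 hours;". Edits the file in
# place via a temp file, because sed -i differs between BSD and GNU sed.
patch_racoon_conf() {
  conf="$1"
  sed -e 's/^\([[:space:]]*\)dpd_delay [0-9][0-9]*;/\1dpd_delay 0;/' \
      -e 's/^\([[:space:]]*\)proposal_check [a-z]*;/\1proposal_check claim;/' \
      -e 's/^\([[:space:]]*\)lifetime time [0-9][0-9]* sec;/\1lifetime time 12 hours;/' \
      "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Steps 4-5: comment out the wildcard include and add a static include
# of the copied per-peer file ($2 is the path racoon should read).
patch_include() {
  rc="$1"
  peer="$2"
  awk -v peer="$peer" '
    /^include "\/var\/run\/racoon\/\*\.conf"/ {
      print "#" $0
      print "include \"" peer "\" ;"
      next
    }
    { print }
  ' "$rc" > "$rc.tmp" && mv "$rc.tmp" "$rc"
}

# Check nothing was missed: prints how many lines still carry a value the
# procedure says to change (the post stresses EVERY lifetime line).
count_unpatched() {
  grep -c -E 'dpd_delay [1-9]|proposal_check obey|lifetime time [0-9]+ sec' "$1" || true
}

# Demo run on the constructed files only.
work=$(mktemp -d)
make_sample_conf "$work/255.255.255.255.conf"
make_sample_racoon_conf "$work/racoon.conf"
patch_racoon_conf "$work/255.255.255.255.conf"
patch_include "$work/racoon.conf" "/etc/racoon/255.255.255.255.conf"
echo "unpatched lines left: $(count_unpatched "$work/255.255.255.255.conf")"
cat "$work/255.255.255.255.conf" "$work/racoon.conf"
```

Run it as-is to see the result on the samples. To apply it for real, back up both files, then call patch_racoon_conf on the copy you made in step 2 and patch_include on /etc/racoon/racoon.conf under sudo, and confirm count_unpatched reports 0 before reconnecting. Be clear about the trade-off the workaround makes: dpd_delay 0 switches racoon’s dead-peer detection off, and a 12-hour lifetime rekeys far less often than the 3600-second value the gateway handed out, so a tunnel whose far end has gone away is noticed later than before.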

Resources:

Original Apple Support Thread

Wincent.com wiki article

Anders.com guide to migrating from the Cisco VPN Client to the built-in Mac OS X client

Apple Radar bug #12449876

Feedback

If you have any feedback, or if this works for you please leave a comment. Comments keep me motivated to publish more solutions to issues I come across.