Support
Community

Hi All,

After various attempts I managed to get Apple Mac's native VPN client to connect to a Netvanta 3120.  Apple are using their own fork of racoon to manage IKE negotiation, but it will not work out of the box by just using the Network Preferences VPN GUI, without creating a separate configuration file for it.  I tried this on an Apple MacBook Pro running OSX El Capitan v.10.11.6.  Other recent OSX versions should work too.

Some of my findings and conclusions:

• The native Apple Mac 'Cisco IPSec' VPN client requires XAUTH.  Attempting to connect without XAUTH is a hit and miss affair for IKE Phase 1.  Even if Phase 1 completes, IPSec Phase 2 always fails.
• The Apple Mac client asks Netvanta for MODE_CONFIG data.  Even if you modify its racoon.conf file by setting 'mode_cfg off;', this client setting appears to have been hard coded by Apple and will still ask for MODE_CONFIG information from the router.
• The Apple Mac's Network Preferences GUI does not provide sufficient settings to allow you to configure a connection with the Netvanta.  You will have to create a separate racoon configuration file with your settings and add an include directive in Apple's default /etc/racoon/racoon.conf file, to make sure the racoon client reads your modified configuration and executes it.
• You will also have to create an ipsec-tools.conf file with the required SA selectors and run this file manually as a script from a terminal, because Apple's racoon client will not pick it up and use it.
• When it connects, racoon by default sets up a full VPN tunnel, with all and any connections from the MackBook directed through the tunnel to Netvanta.  Unless you configure the Netvanta's firewall to forward VPN packets out through its WAN port, you will only be able to connect to PCs within Netvanta's LAN.  In the example configuration below I offer a solution for creating a split VPN tunnel, so connections to the Internet from the MacBook do not go through the VPN tunnel, but via the local router.
• The whole process of setting up the MacBook and getting it to connect is a bit of a chore, so 3rd party VPN clients may be an easier bet, if you do not have the patience to get this going.

STEPS TO GET A VPN CONNECTION GOING BETWEEN APPLE MAC AND NETVANTA

The main steps to get a VPN connection going are as follows:

1. Configure your Netvanta's VPN.
2. Configure Apple Macs' 'Cisco IPSec' VPN client GUI.
3. Run a script to set up Security Policies on the Apple Mac.
4. Connect using the Apple VPN GUI.
5. Ping the Netvanta to confirm connectivity.
6. Set up routes to implement a split VPN tunnel (optional).

NETWORK TOPOLOGY

   MacBook===========Router=======(INTERNET)=======Netvanta-----------LAN_SUBNET

192.168.1.8                RST.UVW.XY.Z                                  ABC.DEF.GH.IJK         10.10.10.0/24

1. NETVANTA CONFIGURATION

The configuration below shows only the VPN and XAUTH specific settings:

!

service password-encryption

!

username "admin" password encrypted "secret_admin_passwd"

username "macbookpro" password encrypted "xauth_macbookpro_passwd"

!



!

ip crypto

!

crypto ike client configuration pool Netvanta_VPN_modconfig

  ip-range            172.16.5.1        172.16.5.254    

  dns-server          10.10.10.1      

!

crypto ike policy 100

  no initiate

  respond main

  local-id address ABC.DEF.GH.IJK

  peer any

  client authentication server list LoginUseLocalUsers

  client configuration pool Netvanta_VPN_modconfig

  attribute 3

    encryption aes-256-cbc

    authentication rsa-sig

    group 5

    lifetime 7080

!

crypto ike remote-id fqdn macbook_VPN ike-policy 100 crypto map VPN 10

!

ip crypto ipsec transform-set esp-aes-256-cbc-esp-sha-hmac esp-aes-256-cbc esp-sha-hmac

  mode tunnel

!

ip crypto map VPN 10 ipsec-ike

  description VPN_IPSec_Access

  match address ip VPN-10-vpn-selectors

  set transform-set esp-aes-256-cbc-esp-sha-hmac

  set security-association lifetime seconds 3600

  set pfs group5

  ike-policy 100

  mobile

!

crypto ca profile "VPN SSL CA"

  ip-address ABC.DEF.GH.IJK

  subject-name "CN=3120_VPN; OU=VPN Gateway; O=VPN; C=US; ST=TN"

  fqdn 3120_VPN

!

crypto ca certificate chain "VPN SSL CA"

[Certificate details follow ... ]

!


!

ip access-list extended VPN-10-vpn-selectors

  permit ip 10.10.10.0 0.0.0.255  172.16.5.0 0.0.0.255   

  deny   ip any  any     log

!


!

ip policy-class Private

  allow list VPN-10-vpn-selectors stateless

[snip ...]

!


!

ip policy-class Public

  allow reverse list VPN-10-vpn-selectors stateless

[snip ...]

NOTE: I created the SSL CA, Netvanta and MacBook client certificates using OpenSSL.  It is important to add to the Netvanta certificate the IP address and/or its FQDN in the subjectAltName field, because Apple Mac reads those to determine the remote peer.  The Apple Mac Client SSL Certificate should also contain its FQDN in the subjectAltName field.

2. CONFIGURE APPLE MAC's VPN CLIENT

2.1 Network Preferences GUI

To configure the Apple Mac client, go to its Network Preferences GUI and create a new service, selecting from the drop down options:

Interface: VPN

VPN Type: Cisco IPSec

Server Address: ABC.DEF.GH.IJK (use your Netvanta's public IP address)

Account Name:   macbookpro     (use your Netvanta's XAUTH details here)

Password:       xauth_macbookpro_passwd

2.2 Authentication Settings

Select your client SSL certificate, after you import it into the "System" keychain, using MacBook's 'Keychain Access' application.  Configure your private key preferences, using the 'Keychain Access' GUI, so that it can accessed by /usr/sbin/racoon.  Also make sure you import the CA Certificate and edit its Trust settings to mark it as trusted.

If for some reason you do not want to use certificates, the proposed set up should also work with PSK, but SSL certificates are arguably more secure and in VPN Main Mode allow you to use FQDN, or USER_FQDN, etc., as the client's peer ID, rather than its public IP address;  which on a laptop is likely to change regularly.

2.3 Racoon Configuration Files

Configure Apple Mac's racoon configuration next.  Open a terminal and type:

sudo mkdir /etc/racoon/remote

to create a new directory for storing your own racoon configuration.  Then type:

sudo cat /var/run/racoon/ABC.DEF.GH.IJK.conf > /etc/racoon/remote/ABC.DEF.GH.IJK.conf

but do not run this syntax yet.  Start the VPN connection for racoon to generate the dynamic content of file /var/run/racoon/ABC.DEF.GH.IJK.conf and while it is trying to connect (you only have a few seconds for this) press the enter key to run the above syntax already entered into the command line, to capture this file's content.  Then go to /etc/racoon/remote/ABC.DEF.GH.IJK.conf and edit it as is appropriate for your connection.  I give a working example below, which I arrived at after some trial and error:

remote ABC.DEF.GH.IJK {

   doi ipsec_doi;

   situation identity_only;

   exchange_mode main;

   verify_identifier on;

   peers_identifier address ABC.DEF.GH.IJK;

   my_identifier fqdn "macbook_VPN";

   certificate_type x509 in_keychain "...Long_string_for_SSL_cert...";

   verify_cert on;

   certificate_verification sec_framework use_peers_identifier;

   #local_address 192.168.1.8;  # [NOTE 1]

   nonce_size 16;

   dpd_delay 20;

   dpd_retry 5;

   dpd_maxfail 5;

   dpd_algorithm dpd_blackhole_detect;

   initial_contact on;

   support_proxy on;

   proposal_check obey;

   xauth_login "macbookpro";

   nat_traversal force;  # [NOTE 2]

   ike_frag on;

   esp_frag 1280;  # [NOTE 3]

   mode_cfg on;


   proposal {

      authentication_method xauth_rsa_client;

      hash_algorithm sha1;

      encryption_algorithm aes 256;

      lifetime time 7080 sec;

      dh_group 5;

   }

}


sainfo anonymous

{

       pfs_group 5;

       lifetime time 3600 sec;

       encryption_algorithm aes 256;

       authentication_algorithm hmac_sha1;

       compression_algorithm deflate ;  # [NOTE 4]

}

NOTES:

1. Comment this out if you connect from different locations at a time.
2. I had to set his as "force" because the MacBook is behind NAT.
3. This seems to be the default fragment size for Apple Mac and can't be changed.  The Apple Mac logs complain that esp_frag is not built in Apple's OS kernel.
4. I suspect that Apple's racoon does not perform compression, but the connection works all the same.

Following your edits save any changes and check the file for syntax errors:

sudo /usr/sbin/racoon -v -C -f /etc/racoon/remote/ABC.DEF.GH.IJK.conf

If it returns you to a prompt there are no errors in the file, otherwise it will complain that there was an error and it couldn't parse the configuration file.  Fix your error and check again the syntax before you move on to the next step.

For this file to be read by racoon you will need to add an include directive in Apple Mac's default configuration file.  Edit /etc/racoon/racoon.conf by commenting out the last line:

#include "/var/run/racoon/*.conf"

and adding:

include "/etc/racoon/remote/ABC.DEF.GH.IJK.conf"

2.4 Set Password for XAUTH

Configure the password for XAUTH.  This you can do from the Network Preferences GUI as mentioned above, but I also added it in /etc/racoon/psk.txt:

# IPv4/v6 addresses

# 10.160.94.3   asecretkeygoeshere

# 172.16.5.133  asecretkeygoeshere

# 3ffe:501:410:ffff:200:86ff:fe05:80fa  asecretkeygoeshere

# 3ffe:501:410:ffff:210:4bff:fea2:8baa  asecretkeygoeshere


macbookpro xauth_macbookpro_passwd


# USER_FQDN

# macuser@localhost     somethingsecret

# FQDN

# kame          hoge

3. SET UP SECURITY POLICIES

You will need to set up Security Policies, but Apple Mac's racoon version does not seem to load them from the default /etc/ipsec-tools.conf file.  So you need to create this file, make it executable and run it yourself from a terminal.  I created and used /etc/ipsec-tools.conf which is the file racoon in Linux is using for the same purpose, but you can name it and save as and where it suits you:

#!/usr/sbin/setkey -f


flush;

spdflush;


# SYNTAX

# spdadd <client_tunnel_subnet> <Netvanta_LAN_subnet> <protocol> -P out ipsec esp/tunnel/<Client_LAN_IP>-<Netvanta_public_IP>/require;


spdadd 172.16.5.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/192.168.1.8-ABC.DEF.GH.IJK/require;


spdadd 10.10.10.0/24 172.16.5.0/24 any -P in ipsec esp/tunnel/ABC.DEF.GH.IJK-192.168.1.8/require;


spdadd 172.16.5.0/24 172.16.5.0/24 any -P out none;

It is best to run this file as a script each time from a terminal before you try to connect, to flush any old security policies out of the kernel.  Make it executable:

sudo chmod -v u+x,g+x /etc/racoon/ipsec-tools.conf

and when you need to connect, first run it to set up security policies:

sudo /etc/racoon/ipsec-tools.conf

Check that security policies have been loaded as intended:

sudo setkey -DP

4. CONNECT USING THE GUI

Then you can run 'tail -f /var/log/system.log' in a terminal on Apple Mac, or use the Console application to see what is happening as you try to connect.  The Apple Mac racoon client will ping Netvanta once Phase 1 is complete to try to set up an IPSec tunnel.  In a few seconds you should be able to see in Apple Mac's log the tunnel being established, after the mode_config settings are received from the Netvanta:

nesessionmanager[531]: IPSec Phase 2 established.

configd[48]: network changed: v4(utun0+:172.16.5.1, en0) DNS* Proxy SMB

5. CONFIRM CONNECTIVITY

You should now be able to ping the Netvanta and receive a response.  Here is where the fun starts.  The connection is quite erratic with a lot of retransmissions.  This is because the Apple Mac seems to be setting new separate routes in its route table and then it tries to negotiate a new IKE connection, for each IP address any applications running on it may require.  The Netvanta will reject these new tunnel requests, because there are no SA selectors that match the various addresses Apple Mac may want to connect to.  All these attempts to connect to the Internet via the Netvanta generate a lot of messages like these on the Netvanta:

CRYPTO_IPSEC AdSendPktWithSecurity : No Matching SPDPolicy found 

CRYPTO_IPSEC AdSendPktWithSecurity : No Matching SPDPolicy found 

CRYPTO_IPSEC AdSendPktWithSecurity : No Matching SPDPolicy found 

[snip ...]

You can check that ISAKMP SAs and IPSec SAs have been established on the Netvanta:

Netvanta-3120# show crypto ike sa

Using 1 SAs out of 20

Peak concurrent SAs: 13

IKE Security Associations:

Peer IP Address: RST.UVW.XY.Z

  Mode-config Address: 172.16.5.1

  Local IP Address: ABC.DEF.GH.IJK

  Remote ID: macbook_VPN

  XAUTH Username: macbookpro

  Lifetime: 6754

  Status: UP (SA_MATURE)

  IKE Policy: 100

  NAT-traversal: V2

  Detected NAT / Behind NAT: Yes / Yes

  Dead Peer Detection: Yes

Netvanta-3120# show ip crypto ipsec sa

2 current IPv4 IPsec SAs on default VRF

2 current IPv4 + IPv6 IPsec SAs on all VRFs (4 peak of 40 max)

IPsec Security Associations:

Peer IP Address: ABC.DEF.GH.IJK

  Mode-config Address: 172.16.5.1

  Remote ID: macbook_VPN

  Crypto Map: VPN 10

  Direction: Inbound

  Encapsulation: ESP

  SPI: 0xD6E6196E (3605404014)

  RX Bytes: 51027

  Selectors: Src:172.16.5.0/255.255.255.0  Port:ANY  Proto:ALL IP

             Dst:10.10.10.0/255.255.255.0  Port:ANY  Proto:ALL IP

  Hard Lifetime: 3280

  Soft Lifetime: 0

  Out-of-Sequence Errors: 0

Peer IP Address: RST.UVW.XY.Z

  Mode-config Address: 172.16.5.1

  Remote ID: macbook_VPN

  Crypto Map: VPN 10

  Direction: Outbound

  Encapsulation: ESP

  SPI: 0x0DF3B1F0 (234074608)

  TX Bytes: 10802

  Selectors: Src:10.10.10.0/255.255.255.0  Port:ANY  Proto:ALL IP

             Dst:172.16.5.0/255.255.255.0  Port:ANY  Proto:ALL IP

  Hard Lifetime: 3280

  Soft Lifetime: 3230

  Egress MTU: 1419 bytes

6. SET UP A SPLIT VPN

Repeated Phase 1 negotiations for each Apple Mac Internet connection will create multiple IKE SAs, which will be thereafter deleted, since they won't match any selector on the Netvanta.  I am not sure why Apple Mac's racoon tries to create new VPN associations for each separate outgoing connection, instead of using the first VPN tunnel which has been already established.  Linux does not have such a problem, so it may be a bug with Apple's fork of racoon.  The solution I came up with is to set up a split tunnel manually (the El Capitan GUI does not seem to offer this option).  As soon as the VPN tunnel is established and you can ping the Netvanta, run from a terminal:

sudo route -nv add -net 10.10.10.0/24 -interface utun0

sudo route change default 192.168.1.254

The first line above ensures any communication with the LAN behind the Netvanta always connects via the Apple Mac VPN tunnel, while the second line allows all other traffic to be routed directly via the local router out to the Internet.  Adjust these to match your Netvanta's LAN subnet and your local router's IP address accordingly.

Once this split routing is set up the continuous renegotiations of new IKE SAs stop and the tunnel remains connected as expected.  I have not tried reconfiguring the Netvanta firewall to forward packets received from the Apple Mac to the Internet, to see what effect this may have on the continuous tunnel negotiations.

Can you see anything in the above I should revisit, or configure differently?  Any suggestions for improving it?