Can't connect to VPN L2TP/IPsec

Hi


Since the first OS X 10.11.4 beta I can't connect to VPN L2TP/IPsec servers any more. It isn't fixed in the second beta.


Can anyone confirm this problem? Does anyone have a workaround?


Daniel

Replies

I can confirm this problem.


These are the errors that show up when there's an L2TP connection attempt:


1/27/16 8:05:52.609 PM Server[285]: Dispatcher: servermgr_dns plugin disconnected

1/27/16 8:06:03.398 PM racoon[751]: packet shorter than isakmp header size (size: 0, minimum expected: 28)

1/27/16 8:06:03.398 PM racoon[751]: packet shorter than isakmp header size (size: 0, minimum expected: 28)

1/27/16 8:06:03.399 PM racoon[751]: Connecting.

1/27/16 8:06:03.399 PM racoon[751]: IPSec Phase 1 started (Initiated by peer).

1/27/16 8:06:03.399 PM racoon[751]: IPSec Phase 1 started (Initiated by peer).

1/27/16 8:06:03.400 PM racoon[751]: IKE Packet: receive success. (Responder, Main-Mode message 1).

1/27/16 8:06:03.403 PM racoon[751]: >>>>> phase change status = Phase 1 started by us

1/27/16 8:06:03.403 PM racoon[751]: >>>>> phase change status = Phase 1 started by us

1/27/16 8:06:03.403 PM racoon[751]: IKE Packet: transmit success. (Responder, Main-Mode message 2).

1/27/16 8:06:03.418 PM racoon[751]: IKE Packet: receive success. (Responder, Main-Mode message 3).

1/27/16 8:06:03.459 PM racoon[751]: failed to get preshared key from system keychain (error -67692).

1/27/16 8:06:03.460 PM racoon[751]: failed to get preshared key from system keychain (error -67692).

1/27/16 8:06:03.460 PM racoon[751]: try to get pskey by the peer's address.

1/27/16 8:06:03.460 PM racoon[751]: try to get pskey by the peer's address.

1/27/16 8:06:03.460 PM racoon[751]: couldn't find the pskey by address 67.161.***.***.

1/27/16 8:06:03.460 PM racoon[751]: couldn't find the pskey by address 67.161.***.***.

1/27/16 8:06:03.460 PM racoon[751]: couldn't find the pskey for 67.161.***.***.

1/27/16 8:06:03.460 PM racoon[751]: couldn't find the pskey for 67.161.***.***.

1/27/16 8:06:03.460 PM racoon[751]: failed to generate SKEYID

1/27/16 8:06:03.460 PM racoon[751]: failed to generate SKEYID

1/27/16 8:06:03.460 PM racoon[751]: IKE Packet: transmit failed. (Responder, Main-Mode Message 4).

1/27/16 8:06:03.460 PM racoon[751]: failed to process packet.

1/27/16 8:06:03.460 PM racoon[751]: failed to process packet.

1/27/16 8:06:03.461 PM racoon[751]: Phase 1 negotiation failed.

1/27/16 8:06:03.461 PM racoon[751]: Phase 1 negotiation failed.

1/27/16 8:06:03.464 PM racoon[751]: packet shorter than isakmp header size (size: 0, minimum expected: 28)

1/27/16 8:06:03.464 PM racoon[751]: packet shorter than isakmp header size (size: 0, minimum expected: 28)

1/27/16 8:06:03.464 PM racoon[751]: Connecting.

I read in your logs something wrong with your preshared key. Have you checked this?


My logs show something else; maybe someone can read them:

28.01.16 07:08:07,776 pppd[1797]: NetworkExtension is the controller

28.01.16 07:08:07,776 pppd[1797]: NetworkExtension is the controller

28.01.16 07:08:07,793 pppd[1797]: publish_entry SCDSet() failed: Success!

28.01.16 07:08:07,793 pppd[1797]: publish_entry SCDSet() failed: Success!

28.01.16 07:08:07,793 pppd[1797]: pppd 2.4.2 (Apple version 809.40.3) started by username, uid 501

28.01.16 07:08:07,794 pppd[1797]: l2tp_get_router_address

28.01.16 07:08:07,795 pppd[1797]: l2tp_get_router_address 10.0.1.1 from dict 1

28.01.16 07:08:08,150 pppd[1797]: L2TP connecting to server 'example.com' (124.34.56.78)...

28.01.16 07:08:08,151 pppd[1797]: IPSec connection started

28.01.16 07:08:08,171 racoon[1798]: accepted connection on vpn control socket.

28.01.16 07:08:08,171 racoon[1798]: accepted connection on vpn control socket.

28.01.16 07:08:08,171 racoon[1798]: Connecting.

28.01.16 07:08:08,171 racoon[1798]: IPSec Phase 1 started (Initiated by me).

28.01.16 07:08:08,171 racoon[1798]: IPSec Phase 1 started (Initiated by me).

28.01.16 07:08:08,172 racoon[1798]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).

28.01.16 07:08:08,172 racoon[1798]: >>>>> phase change status = Phase 1 started by us

28.01.16 07:08:08,172 racoon[1798]: >>>>> phase change status = Phase 1 started by us

28.01.16 07:08:08,198 racoon[1798]: >>>>> phase change status = Phase 1 started by peer

28.01.16 07:08:08,198 racoon[1798]: >>>>> phase change status = Phase 1 started by peer

28.01.16 07:08:08,198 racoon[1798]: IKE Packet: receive success. (Initiator, Main-Mode message 2).

28.01.16 07:08:08,207 racoon[1798]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).

28.01.16 07:08:08,247 racoon[1798]: IKE Packet: receive success. (Initiator, Main-Mode message 4).

28.01.16 07:08:08,270 racoon[1798]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).

28.01.16 07:08:08,294 racoon[1798]: Remote address mismatched. db=124.34.56.78[4500], act=124.34.56.78[500]

28.01.16 07:08:08,294 racoon[1798]: Remote address mismatched. db=124.34.56.78[4500], act=124.34.56.78[500]

28.01.16 07:08:08,294 racoon[1798]: Fatal PAYLOAD-MALFORMED notify messsage, Phase 1 should be deleted.

28.01.16 07:08:08,295 racoon[1798]: Fatal PAYLOAD-MALFORMED notify messsage, Phase 1 should be deleted.

28.01.16 07:08:08,295 racoon[1798]: IKE Packet: receive success. (Information message).

28.01.16 07:08:11,332 racoon[1798]: IKE Packet: transmit success. (Phase 1 Retransmit).

28.01.16 07:08:11,357 racoon[1798]: Remote address mismatched. db=124.34.56.78[4500], act=124.34.56.78[500]

28.01.16 07:08:11,357 racoon[1798]: Remote address mismatched. db=124.34.56.78[4500], act=124.34.56.78[500]

28.01.16 07:08:11,357 racoon[1798]: Fatal PAYLOAD-MALFORMED notify messsage, Phase 1 should be deleted.

28.01.16 07:08:11,357 racoon[1798]: Fatal PAYLOAD-MALFORMED notify messsage, Phase 1 should be deleted.

28.01.16 07:08:11,357 racoon[1798]: IKE Packet: receive success. (Information message).

28.01.16 07:08:14,631 racoon[1798]: IKE Packet: transmit success. (Phase 1 Retransmit).

28.01.16 07:08:14,656 racoon[1798]: Remote address mismatched. db=124.34.56.78[4500], act=124.34.56.78[500]

28.01.16 07:08:14,656 racoon[1798]: Remote address mismatched. db=124.34.56.78[4500], act=124.34.56.78[500]

28.01.16 07:08:14,656 racoon[1798]: Fatal PAYLOAD-MALFORMED notify messsage, Phase 1 should be deleted.

28.01.16 07:08:14,656 racoon[1798]: Fatal PAYLOAD-MALFORMED notify messsage, Phase 1 should be deleted.

28.01.16 07:08:14,656 racoon[1798]: IKE Packet: receive success. (Information message).

28.01.16 07:08:17,923 racoon[1798]: IKE Packet: transmit success. (Phase 1 Retransmit).

28.01.16 07:08:17,949 racoon[1798]: Remote address mismatched. db=124.34.56.78[4500], act=124.34.56.78[500]

28.01.16 07:08:17,949 racoon[1798]: Remote address mismatched. db=124.34.56.78[4500], act=124.34.56.78[500]

28.01.16 07:08:17,949 racoon[1798]: Fatal PAYLOAD-MALFORMED notify messsage, Phase 1 should be deleted.

28.01.16 07:08:17,949 racoon[1798]: Fatal PAYLOAD-MALFORMED notify messsage, Phase 1 should be deleted.

28.01.16 07:08:17,949 racoon[1798]: IKE Packet: receive success. (Information message).

28.01.16 07:08:19,004 racoon[1798]: !!! skipped retransmitting frags: frag_flags 1, r->sendbuf->l 144, max 1280

28.01.16 07:08:19,004 racoon[1798]: !!! skipped retransmitting frags: frag_flags 1, r->sendbuf->l 144, max 1280

28.01.16 07:08:19,005 racoon[1798]: Received retransmitted packet from 124.34.56.78[500].

28.01.16 07:08:19,005 racoon[1798]: Received retransmitted packet from 124.34.56.78[500].

28.01.16 07:08:19,005 racoon[1798]: the packet is retransmitted by 124.34.56.78[500].

28.01.16 07:08:19,005 racoon[1798]: the packet is retransmitted by 124.34.56.78[500].

28.01.16 07:08:19,029 racoon[1798]: Remote address mismatched. db=124.34.56.78[4500], act=124.34.56.78[500]

28.01.16 07:08:19,029 racoon[1798]: Remote address mismatched. db=124.34.56.78[4500], act=124.34.56.78[500]

28.01.16 07:08:19,029 racoon[1798]: Fatal PAYLOAD-MALFORMED notify messsage, Phase 1 should be deleted.

28.01.16 07:08:19,029 racoon[1798]: Fatal PAYLOAD-MALFORMED notify messsage, Phase 1 should be deleted.

28.01.16 07:08:19,029 racoon[1798]: IKE Packet: receive success. (Information message).

28.01.16 07:08:30,871 racoon[1798]: IKE Packet: transmit success. (Phase 1 Retransmit).

28.01.16 07:08:30,896 racoon[1798]: Remote address mismatched. db=124.34.56.78[4500], act=124.34.56.78[500]

28.01.16 07:08:30,896 racoon[1798]: Remote address mismatched. db=124.34.56.78[4500], act=124.34.56.78[500]

28.01.16 07:08:30,896 racoon[1798]: Fatal PAYLOAD-MALFORMED notify messsage, Phase 1 should be deleted.

28.01.16 07:08:30,897 racoon[1798]: Fatal PAYLOAD-MALFORMED notify messsage, Phase 1 should be deleted.

28.01.16 07:08:30,897 racoon[1798]: IKE Packet: receive success. (Information message).

28.01.16 07:08:38,202 pppd[1797]: IPSec connection failed

28.01.16 07:08:38,202 racoon[1798]: IPSec disconnecting from server 124.34.56.78

28.01.16 07:08:38,202 racoon[1798]: IPSec disconnecting from server 124.34.56.78

28.01.16 07:08:38,203 racoon[1798]: glob found no matches for path "/var/run/racoon/.conf"

28.01.16 07:08:38,278 WindowServer[171]: send_datagram_available_ping: pid 464 failed to act on a ping it dequeued before timing out.

28.01.16 07:08:38,972 racoon[1798]: !!! skipped retransmitting frags: frag_flags 1, r->sendbuf->l 144, max 1280

28.01.16 07:08:38,973 racoon[1798]: Received retransmitted packet from 124.34.56.78[500].

28.01.16 07:08:38,973 racoon[1798]: the packet is retransmitted by 124.34.56.78[500].

28.01.16 07:08:38,996 racoon[1798]: Connecting.

28.01.16 07:08:38,996 racoon[1798]: Unknown Informational exchange received.

One thing I did notice that is very odd is that while in the VPN menu in the Servers app, after saving the pre-shared key, if I move to another menu in Servers and then go back to the VPN menu, the pre-shared key field is blank. If I enter the pre-shared key again while the VPN service is enabled, I will be prompted to restart the service. But as soon as I go to another menu, or quit/relaunch the Servers app, the pre-shared key field is blank again.


This does not happen on my other non-beta El Capitan server installed with the Servers app.

OK, I fixed the problem in which I was not able to save the preshared key in Servers. Now I am getting a different error.


In the VPN log:

2016-01-28 22:45:37 PST

Incoming call... Address given to client = 192.168.0.228

Thu Jan 28 22:45:37 2016 : Directory Services Authentication plugin initialized

Thu Jan 28 22:45:37 2016 : Directory Services Authorization plugin initialized

Thu Jan 28 22:45:37 2016 : publish_entry SCDSet() failed: Success!

Thu Jan 28 22:45:37 2016 : publish_entry SCDSet() failed: Success!

Thu Jan 28 22:45:37 2016 : publish_entry SCDSet() failed: Success!

Thu Jan 28 22:45:37 2016 : L2TP incoming call in progress from '67.161.***.***'...

Thu Jan 28 22:45:37 2016 : L2TP received SCCRQ

Thu Jan 28 22:45:37 2016 : L2TP sent SCCRP

Thu Jan 28 22:45:37 2016 : L2TP received SCCCN

Thu Jan 28 22:45:37 2016 : L2TP received ICRQ

Thu Jan 28 22:45:37 2016 : L2TP sent ICRP

Thu Jan 28 22:45:37 2016 : L2TP received ICCN

Thu Jan 28 22:45:37 2016 : L2TP connection established.

Thu Jan 28 22:45:37 2016 : Fatal signal 11

2016-01-28 22:45:37 PST

--> Client with address = 192.168.0.228 has hungup


In the racoon log:


1/28/16 10:45:36.394 PM racoon[266]: IPSec Phase 1 started (Initiated by peer).

1/28/16 10:45:36.394 PM racoon[266]: IPSec Phase 1 started (Initiated by peer).

1/28/16 10:45:36.395 PM racoon[266]: IKE Packet: receive success. (Responder, Main-Mode message 1).

1/28/16 10:45:36.395 PM racoon[266]: >>>>> phase change status = Phase 1 started by us

1/28/16 10:45:36.395 PM racoon[266]: >>>>> phase change status = Phase 1 started by us

1/28/16 10:45:36.395 PM racoon[266]: IKE Packet: transmit success. (Responder, Main-Mode message 2).

1/28/16 10:45:36.409 PM racoon[266]: IKE Packet: receive success. (Responder, Main-Mode message 3).

1/28/16 10:45:36.440 PM racoon[266]: IKE Packet: transmit success. (Responder, Main-Mode message 4).

1/28/16 10:45:36.454 PM racoon[266]: Ignore INITIAL-CONTACT notification, because it is only accepted after Phase 1.

1/28/16 10:45:36.454 PM racoon[266]: Ignore INITIAL-CONTACT notification, because it is only accepted after Phase 1.

1/28/16 10:45:36.455 PM racoon[266]: IKEv1 Phase 1 AUTH: success. (Responder, Main-Mode Message 5).

1/28/16 10:45:36.455 PM racoon[266]: IKE Packet: receive success. (Responder, Main-Mode message 5).

1/28/16 10:45:36.455 PM racoon[266]: IKEv1 Phase 1 Responder: success. (Responder, Main-Mode).

1/28/16 10:45:36.456 PM racoon[266]: IKE Packet: transmit success. (Responder, Main-Mode message 6).

1/28/16 10:45:36.456 PM racoon[266]: IPSec Phase 1 established (Initiated by peer).

1/28/16 10:45:36.456 PM racoon[266]: IPSec Phase 1 established (Initiated by peer).

1/28/16 10:45:37.464 PM racoon[266]: IPSec Phase 2 started (Initiated by peer).

1/28/16 10:45:37.465 PM racoon[266]: IPSec Phase 2 started (Initiated by peer).

1/28/16 10:45:37.465 PM racoon[266]: IKE Packet: receive success. (Responder, Quick-Mode message 1).

1/28/16 10:45:37.465 PM racoon[266]: >>>>> phase change status = Phase 2 started

1/28/16 10:45:37.465 PM racoon[266]: >>>>> phase change status = Phase 2 started

1/28/16 10:45:37.466 PM racoon[266]: IKE Packet: transmit success. (Responder, Quick-Mode message 2).

1/28/16 10:45:37.467 PM racoon[266]: IKE Packet: receive success. (Responder, Quick-Mode message 3).

1/28/16 10:45:37.468 PM racoon[266]: IKEv1 Phase 2 Responder: success. (Responder, Quick-Mode).

1/28/16 10:45:37.468 PM racoon[266]: IPSec Phase 2 established (Initiated by peer).

1/28/16 10:45:37.468 PM racoon[266]: IPSec Phase 2 established (Initiated by peer).

1/28/16 10:45:37.468 PM racoon[266]: >>>>> phase change status = Phase 2 established

1/28/16 10:45:37.468 PM racoon[266]: >>>>> phase change status = Phase 2 established

1/28/16 10:45:37.485 PM racoon[266]: pfkey DELETE received: ESP 192.168.0.15[4500]->67.161.***.***[47809] spi=145147377(0x8a6c5f1)

1/28/16 10:45:37.485 PM racoon[266]: pfkey DELETE received: ESP 192.168.0.15[4500]->67.161.***.***[47809] spi=145147377(0x8a6c5f1)

I am having the same issue (hangups with Signal 11), and the problem popped up after an upgrade to the OS (not server). No fix yet.



-01-31 08:30:23 EST Incoming call... Address given to client = 192.168.1.224

Sun Jan 31 08:30:23 2016 : Directory Services Authentication plugin initialized

Sun Jan 31 08:30:23 2016 : Directory Services Authorization plugin initialized

Sun Jan 31 08:30:23 2016 : publish_entry SCDSet() failed: Success!

Sun Jan 31 08:30:23 2016 : publish_entry SCDSet() failed: Success!

Sun Jan 31 08:30:23 2016 : publish_entry SCDSet() failed: Success!

Sun Jan 31 08:30:23 2016 : L2TP incoming call in progress from '192.168.1.25'...

Sun Jan 31 08:30:23 2016 : L2TP received SCCRQ

Sun Jan 31 08:30:23 2016 : L2TP sent SCCRP

Sun Jan 31 08:30:23 2016 : L2TP received SCCCN

Sun Jan 31 08:30:23 2016 : L2TP received ICRQ

Sun Jan 31 08:30:23 2016 : L2TP sent ICRP

Sun Jan 31 08:30:23 2016 : L2TP received ICCN

Sun Jan 31 08:30:23 2016 : L2TP connection established.

Sun Jan 31 08:30:23 2016 : Fatal signal 11

2016-01-31 08:30:23 EST --> Client with address = 192.168.1.224 has hungup

Same issue here, Fatal signal 11.

I've been trying to figure out what was wrong. I just decided to install Server and have everything else I need running alright, but with this one I keep getting Fatal signal 11. B2MM is disabled as well, and that didn't resolve it. I hadn't used a previous directory service or anything either. I'm going to try it on a non-beta instance I have running and see how that goes.


BTW, ddclient and Google Domains work really well together.

I'm also not able to use L2TP on OS X 10.11.4 (nor on iOS 9.3 b2).

Was able to use L2TP on my Synology NAS before from Mac and iPhone.

On Windows 10 (through VirtualBox) the L2TP connection is working fine.

I am having the same problem as Jonder and as most of you all. I can't connect anymore to my Synology NAS VPN server. And I truly need it.

Did anyone send this via Apple Bug Reporter? They must fix it asap before 11.4 release.

This one has been fixed for me with the latest beta release 10.11.4 Beta (15E39d).

(Unfortunately iOS 9.3 b3 still has the issue)

I'm having the same issue with my VPN, IPVANISH. It just won't connect. Neither will iCloud from system settings. Feedback Assistant just crashes upon opening! I'll be opening threads for those other issues, but thought I'd chime in and say I'm having VPN issues as well.

I have this problem in OS 10.11.4 Beta 15E39d. The connection works fine in iOS 9.3 Beta 13E5200d

So now that this release is out of beta, the issue still persists. Does anyone have any further updates on a fix?
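
The log excerpts posted in this thread stop at three different points: a preshared-key lookup failure, a "Remote address mismatched" port discrepancy during Phase 1, and a "Fatal signal 11" after the L2TP connection is established. As an added example (not part of any post above), this Python function sorts a pasted log into those cases and reports how far the session got. The function name and labels are hypothetical; the patterns are the message strings quoted in the thread.

```python
import re

# Failure signatures copied from the log excerpts quoted in this thread.
FAILURES = {
    "psk_lookup_failed": re.compile(r"failed to get preshared key from system keychain \(error (-?\d+)\)"),
    "port_mismatch": re.compile(r"Remote address mismatched\. db=\S+\[(\d+)\], act=\S+\[(\d+)\]"),
    "fatal_signal": re.compile(r"Fatal signal (\d+)"),
}
# Progress markers, in the order a working L2TP/IPsec session reaches them.
MILESTONES = ["IPSec Phase 1 established", "IPSec Phase 2 established",
              "L2TP connection established"]

def triage(log_text):
    """Return (furthest milestone or None, {failure: (count, captured fields)})."""
    prev, furthest, failures = None, -1, {}
    for raw in log_text.splitlines():
        msg = raw.strip().split("]: ", 1)[-1]  # drop "timestamp process[pid]: "
        if not msg or msg == prev:  # Console shows many racoon messages twice
            continue
        prev = msg
        for idx, marker in enumerate(MILESTONES):
            if marker in msg:
                furthest = max(furthest, idx)
        for name, pattern in FAILURES.items():
            m = pattern.search(msg)
            if m:
                count = failures.get(name, (0, None))[0] + 1
                failures[name] = (count, m.groups())
    return (MILESTONES[furthest] if furthest >= 0 else None), failures

# Abridged excerpts from three of the posts above (addresses as posted).
PSK_LOG = """\
1/27/16 8:06:03.459 PM racoon[751]: failed to get preshared key from system keychain (error -67692).
1/27/16 8:06:03.460 PM racoon[751]: failed to get preshared key from system keychain (error -67692).
"""
PORT_LOG = """\
28.01.16 07:08:08,294 racoon[1798]: Remote address mismatched. db=124.34.56.78[4500], act=124.34.56.78[500]
28.01.16 07:08:08,294 racoon[1798]: Remote address mismatched. db=124.34.56.78[4500], act=124.34.56.78[500]
28.01.16 07:08:08,294 racoon[1798]: Fatal PAYLOAD-MALFORMED notify messsage, Phase 1 should be deleted.
28.01.16 07:08:11,357 racoon[1798]: Remote address mismatched. db=124.34.56.78[4500], act=124.34.56.78[500]
"""
SIGNAL_LOG = """\
1/28/16 10:45:36.456 PM racoon[266]: IPSec Phase 1 established (Initiated by peer).
1/28/16 10:45:37.468 PM racoon[266]: IPSec Phase 2 established (Initiated by peer).
Thu Jan 28 22:45:37 2016 : L2TP connection established.
Thu Jan 28 22:45:37 2016 : Fatal signal 11
"""
for label, log in (("psk", PSK_LOG), ("port", PORT_LOG), ("signal", SIGNAL_LOG)):
    print(label, triage(log))
```

Consecutive repeats of the same message are counted once, so the count for a signature is the number of separate attempts on which it appeared.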