L2TP VPN broken on MacOS 13/Ventura

Dove in and upgraded two Macs today to beta 1. Unfortunately, it appears L2TP VPN is broken or something changed in the way it works. I can no longer get a connection to any VPN concentrator I used previously. I tested with the Cisco AnyConnect SSL VPN client and can connect to the same concentrators (as they're configured to accept L2TP or SSL clients).

I also tested from my phone running iOS 16 beta and it still works for the L2TP connections.

The ppp.log of the Mac that is not working with L2TP VPN shows this:

Fri Jun 10 19:18:52 2022 : L2TP connecting to server 'IP removed' (IP removed)...
Fri Jun 10 19:18:52 2022 : IPSec connection started
Fri Jun 10 19:18:52 2022 : IPSec phase 1 client started
Fri Jun 10 19:19:02 2022 : IPSec connection failed

Connecting a Mac successfully on 12.4, the log shows:

Fri Jun 10 19:12:33 2022 : L2TP connecting to server 'IP removed' (IP removed)...
Fri Jun 10 19:12:33 2022 : IPSec connection started
Fri Jun 10 19:12:33 2022 : IPSec phase 1 client started
Fri Jun 10 19:12:33 2022 : IPSec phase 1 server replied
Fri Jun 10 19:12:34 2022 : IPSec phase 2 started
Fri Jun 10 19:12:34 2022 : IPSec phase 2 established
Fri Jun 10 19:12:34 2022 : IPSec connection established

(and then a ton more lines of the entire process, ending with the client getting an IP, that I won't bother posting)

VPN wasn't high on my list of apps I was concerned about breaking with the beta. But now that it is broken and I need it for work, I've kinda screwed myself.

Anyway, if anyone knows a way to fix this please let me know.

  • Did anyone find a way to resolve this issue? The thread has gone quiet. I am able to connect perfectly using 10.13.6 but not using 13.3. I have tried all the suggestions above without any luck.


Replies

This is very bad news for longtime SonicWall customers. The L2TP VPN has been one of its core features, which has always worked well for Apple Mac remote access. On most "legacy" and not-so-old appliances, the L2TP connection is simply much faster for most applications (especially CIFS) than the (SSL-VPN) "MobileConnect" app.

SonicWall has done their part in making it possible to maximize the security of the L2TP/IPsec VPN protocol. Apple hasn't exactly followed. Please Apple, don't discontinue the built-in L2TP client.

Guys, try

sudo sysctl net.link.generic.system.hwcksum_tx=0
sudo sysctl net.link.generic.system.hwcksum_rx=0

This works for me.

  • Anyone tried this?

  • It worked for me. Thank you!


I have this same problem with Ventura 13.4.1 (c), but only when Machine Authentication is set to "Certificate". The connection disconnects immediately with "The L2TP-VPN server did not respond." Because it's immediate, clearly it did not time out waiting for a response. I can see in Wireshark and in the remote system's logs that it did respond. But in the Mac's logs I see "IPSec connection failed", as above.

Shared secret authentication (pre-shared key) works fine, so I think this has to do with certificates. Perhaps racoon has a problem accessing the system keychain? Or I failed to add the "correct" certificate to authenticate/authenticate to the peer, or to set its trust correctly?
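The ppp.log excerpts in the original post, and the "immediate" failure described in the certificate post above, differ in which IPSec milestone was the last one logged and in how long the client waited before giving up. The following is an added example, not code from the thread or from Apple; it parses the ppp.log line format shown above and reports the last milestone reached, the seconds between the first IPSec line and the failure, and a triage hint. The milestone strings are taken from the logs quoted in the thread; the hints and the third sample log (a constructed zero-second failure) are assumptions made for the example.

```python
import re
from datetime import datetime

# Log excerpts as quoted in the original post, one event per line.
FAILED_LOG = """\
Fri Jun 10 19:18:52 2022 : L2TP connecting to server 'IP removed' (IP removed)...
Fri Jun 10 19:18:52 2022 : IPSec connection started
Fri Jun 10 19:18:52 2022 : IPSec phase 1 client started
Fri Jun 10 19:19:02 2022 : IPSec connection failed
"""

OK_LOG = """\
Fri Jun 10 19:12:33 2022 : L2TP connecting to server 'IP removed' (IP removed)...
Fri Jun 10 19:12:33 2022 : IPSec connection started
Fri Jun 10 19:12:33 2022 : IPSec phase 1 client started
Fri Jun 10 19:12:33 2022 : IPSec phase 1 server replied
Fri Jun 10 19:12:34 2022 : IPSec phase 2 started
Fri Jun 10 19:12:34 2022 : IPSec phase 2 established
Fri Jun 10 19:12:34 2022 : IPSec connection established
"""

# Constructed sample (not from the thread): failure in the same second, as the
# certificate-authentication post describes.
IMMEDIATE_LOG = """\
Mon Jul  3 10:00:00 2023 : IPSec connection started
Mon Jul  3 10:00:00 2023 : IPSec phase 1 client started
Mon Jul  3 10:00:00 2023 : IPSec connection failed
"""

# "<weekday> <month> <day> <HH:MM:SS> <year> : <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : (?P<msg>.*)$"
)

# IPSec milestones in the order racoon/ppp logs them during a successful setup.
MILESTONES = [
    "IPSec connection started",
    "IPSec phase 1 client started",
    "IPSec phase 1 server replied",
    "IPSec phase 2 started",
    "IPSec phase 2 established",
    "IPSec connection established",
]
FAILURE = "IPSec connection failed"


def parse(log_text):
    """Return [(datetime, message)] for every line matching the ppp.log format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrelated lines
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group("msg")))
    return events


def diagnose(log_text):
    """Summarise how far the IPSec setup got and how long it ran before failing."""
    events = parse(log_text)
    reached, start, failed_at = -1, None, None
    for ts, msg in events:
        if msg in MILESTONES:
            reached = max(reached, MILESTONES.index(msg))
            start = start or ts
        elif msg == FAILURE:
            failed_at = ts
            break
    result = {
        "last_milestone": MILESTONES[reached] if reached >= 0 else None,
        "failed": failed_at is not None,
        "seconds_to_failure": (failed_at - start).total_seconds()
        if failed_at and start else None,
    }
    result["hint"] = _hint(result)
    return result


def _hint(r):
    """Triage hint (assumed heuristics, not a statement from the thread)."""
    if not r["failed"]:
        return ("tunnel established" if r["last_milestone"] == MILESTONES[-1]
                else "no IPSec failure logged; setup incomplete")
    last = r["last_milestone"]
    secs = r["seconds_to_failure"] or 0.0
    if last in (None, MILESTONES[0], MILESTONES[1]):
        if secs < 1:
            return ("failed before any phase 1 reply without waiting: "
                    "local/client-side error (e.g. certificate or keychain), not a timeout")
        return (f"no phase 1 reply processed in {secs:.0f}s: check UDP/500 and "
                "UDP/4500 reachability, NAT-T, and phase 1 proposal match")
    if last in (MILESTONES[2], MILESTONES[3]):
        return ("phase 1 replied but phase 2 did not establish: check authentication "
                "(PSK or certificate trust) and phase 2 proposals on both ends")
    return "failed after establishment: check MTU/fragmentation, keepalive, or rekey"


if __name__ == "__main__":
    for name, log in ("failed", FAILED_LOG), ("ok", OK_LOG), ("immediate", IMMEDIATE_LOG):
        print(name, diagnose(log))
```

Run it on a copy of /var/log/ppp.log (or the excerpt pasted from the VPN status log) and compare the "seconds_to_failure" value: a 10 second wait with no "phase 1 server replied" points at the network path or proposals, while a zero second failure at the same point is consistent with the certificate/keychain problem described above.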

Hey All,

So I'm not sure this will work for everyone, but it did for me. My symptoms were very similar to the OP's. For context, I have set up L2TP with IPsec on my EdgeRouter X. I could successfully connect with my iPad Pro (from a remote cellular network) but could not with my MacBook running Ventura. In macOS I would try to initiate the VPN connection; it would try for a while and then eventually say it could not connect. On the EdgeRouter X side, the log entries get stuck on "***.***.***.*** is initiating a Main Mode IKE_SA".

I tried everything in the thread to no avail. The EdgeRouter X tutorial says it's optional to set the MTU size. I looked up MTU size and decided on 1400. When I used the command "set l2tp remote-access mtu 1400" and then committed the changes, it suddenly started working.

Hopefully that'll help some folks.

The commands suggested by @JiaChao worked for me yesterday, but inexplicably the problem came back after one day, so I shut the Mac down.

So, I continued searching and found a definitive solution by reading the itim dot co article, and figured out that the Mac must have its own options in /etc/ppp. I also found this on the taoofmac site, and I think the problem can be where the first article said (LOCAL IP), so I commented out all uncommented options but noipdefault.

It finally works.

Still present, and somewhat exacerbated, in 13.6: I cannot use ANY VPN on any connection (Wi-Fi, 4G, etc.) for more than 1-2 minutes before the connection hangs. It was totally fine for a couple of months, but the latest Ventura update brought the issue back. Apple hasn't updated my bug report for more than 6 months. I tried every recipe from this topic, to no avail. Anyone found a reliable way to fix it?