back-to-my-macNetworkvpn
On Mac OSX 10.11.3 (likely previous), the built-in Cisco IPsec VPN client will refuse to reconnect to the VPN server after a network failure (cable unplugged, wifi lost etc.)
After about 30 seconds of 'Connecting…' in the menu bar, an error pops up about 'Failure to negotiate'. Deleting the service and creating a new one does not fix the issue, but a reboot does.
How do I reconnect to the server without having to reboot?
It turns out that Migration Assistant doesn't copy the VPN shared secret, if any. So if that's what your VPN connection uses, go to System Preferences > Network > (your VPN) > Authentication Settings... and set the correct value for the shared secret. Then Apply and try to connect again.
I guess not all VPN connections of the build-in VPN client in Mac have that option.
The PPTP and L2TP do offer the option: Open your network settings:
Select your VPN connection and click on the advanced button.
A new window will pop up with three check-boxes under the heading "Session options". The last one of these checkboxes is the one you want: "redirect all traffic over VPN".
However, like you said. The advanced button does not pop up with Cisco IPSec.
I found this thread (https://superuser.com/questions/91191/how-to-force-split-tunnel-routing-on-mac-to-a-cisco-vpn) that maybe could be an answer to your problem (if you use it to route the whole ip range):
Any one know how to hack the routing table (on a mac) to defeat the forcing of VPN routing for every thing over a cisco VPN? pretty much what I want to do is have only 10.121.* and 10.122.* addresses over the VPN and everything else straight to the internet.
The following works for me. Run these after connecting to the cisco vpn. (I'm using OS X's built-in cisco client, not the Cisco branded client.)
sudo route -nv add -net 10 -interface utun0
sudo route change default 192.168.0.1
Replace "10" in the first command with the network that's on the other side of the tunnel.
Replace "192.168.0.1" with your local network's gateway.
I put it into a bash script, like this:
$ cat vpn.sh
#!/bin/bash
if [[ $EUID -ne 0 ]]; then
echo "Run this as root"
exit 1
fi
route -nv add -net 10 -interface utun0
route change default 192.168.0.1
I also found an explanation on how to run this automatically when you connect the VPN, but it's late on Friday and I don't feel like trying it :)
https://gist.github.com/675916
Edit:
I have since left the job where I was using the Cisco VPN, so this is from memory.
The "10" in the first command is the network that you want to route over the VPN. "10" is short hand for "10.0.0.0/8". In Tuan Anh Tran's case, it looks like the network is "192.168.5.0/24".
As for which gateway to specify in the second command, it should be your local gateway. When you log into a VPN that prevents split-tunneling, it is enforcing that policy by changing your routing tables so that all packets are routed on the virtual interface. So you want to change your default route back to what it was prior to getting on the VPN.
The easiest way to figure out the gateway is to run netstat -rn before logging into the VPN, and look at the IP address to the right of the "default" destination. For example, here's what it looks like on my box right now:
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 10.0.1.1 UGSc 29 0 en1
10.0.1/24 link#5 UCS 3 0 en1
10.0.1.1 0:1e:52:xx:xx:xx UHLWIi 55 520896 en1 481
10.0.1.51 7c:c5:37:xx:xx:xx UHLWIi 0 1083 en1 350
10.0.1.52 127.0.0.1 UHS 0 0 lo0
My gateway is 10.0.1.1 -- it is to the right of the "default" destination.
Best Answer
The problem is that racoon, Apple's proprietary Cisco VPN client doesn't close itself gracefully on disconnect, this actually makes all Cisco VPNs stop working if one was connected when the network failure occurred.
To fix this, simply stop racoon:
sudo killall racoon(you will be asked for your password)You may now quit Terminal and reconnect the VPN as normal.