It seems odd that your machine is attempting to use aggressive-mode in phase 1 of the IPSec connection. From what I can see, the default in 10.8.5 is to use main-mode. I'm wondering if you've modified the file at /etc/racoon/racoon.conf in trying to get this working? Can you post the contents of the file at /etc/racoon/racoon.conf?
Alternately, it may be possible to duplicate the configuration file that the L2TP/IPSec connection in System Preferences is using, and modify it slightly (configure to use main-mode) to see if that helps. Unfortunately, that configuration file is created at connect time, and is copied into /var/run/racoon/fqdn.of.host.conf. This file is also readable only by root (to protect the PSK that's stored inside of it). If you're quick, you can prepare a Terminal command that will copy that config file, initiate the VPN connection from System Preferences or the menu bar, and perform the copy command while the VPN is attempting to connect (you may have 5-10 seconds to perform the copy). Here's the command that you'd run right after initiating the VPN connection:
sudo cp -Rp /var/run/racoon/vpn.aec.com.br ~/Desktop
That file has permissions that disallow users from reading it. Use the command to make it readable:
sudo chmod 777 ~/Desktop/vpn.aec.com.br
NOTE: the file that you've copied onto the Desktop contains your PSK. You should not post this file (unmodified) to this website. If you would like to post this configuration file for troubleshooting, obfuscate the value of shared_secret before posting.
You can configure the VPN connection to use main-mode by modifying the configuration file that you've copied onto your Desktop. Open that file in any text editor, and locate the line that says exchange_mode. You may find that it says something like:
exchange_mode aggressive;
If so, see if you can change it so that it uses main-mode:
exchange_mode main;
Next, disable the built-in launchd script that launches racoon normally:
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.racoon.plist
Then, you can temporarily launch racoon, and instruct it to use the configuration file that you exported:
sudo racoon -f ~/Desktop/vpn.aec.com.br -l /var/log/racoon.log
The racoon process will run in the background using the configuration file that you copied onto the Desktop. The process will also output to /var/log/racoon.log.
Next, you can initiate a VPN connection using racoonctl:
sudo racoonctl vpn-connect vpn.aec.com.br
The VPN menubar item will not update while this process is connecting. However, you should see output in /var/log/system.log and in /var/log/racoon.log that reflects the fact that the IPSec Phase 1 connection is moving along (i.e., Main Mode Message 2, 3, 4, etc.). If you see that the machine is able to establish the IPSec tunnel (look for "IPSec Phase1 established" in system.log), you're likely having problems with the exchange_mode that's configured.
How to undo this configuration
To put things back to the way that they were, you can disconnect (if the connection was successful) and then terminate the racoon process that's running:
sudo racoonctl vpn-disconnect
sudo killall racoon
Then, re-load the launchd config for racoon:
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.racoon.plist
How to make this configuration permanent
If the racoon configuration file that you used in the tests above seems to be allowing phase 1 to complete, you can configure racoon to use that config file in the future:
Copy the config file that is on your Desktop into the folder /etc/racoon:
sudo cp ~/Desktop/vpn.aec.com.br.conf /etc/racoon/vpn.aec.com.br.conf
Make sure to secure the permissions on that file:
sudo chmod 600 /etc/racoon/vpn.aec.com.br.conf
Comment out the last line of the file at /etc/racoon/racoon.conf, and add a line that will load the configuration that you copied to /etc/racoon in the step above:
include "/var/run/racoon/*.conf" ;
Should be changed to:
#include "/var/run/racoon/*.conf" ;
include "/etc/racoon/vpn.aec.com.br.conf" ;
After you've made this change, you can save the file and attempt the VPN connection again from the menu bar.
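As an added illustration (not part of the answer above), the two edits it describes can be scripted: switching the copied racoon config from aggressive to main mode, and producing a copy with the shared_secret value redacted before it is posted anywhere. The sample config, hostname and PSK below are constructed placeholders, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample resembling the per-connection file macOS writes under
# /var/run/racoon at connect time; hostname, PSK and proposal are placeholders.
make_sample_racoon_conf() {
    cat > "$1" <<'EOF'
remote vpn.example.invalid {
    exchange_mode aggressive;
    proposal_check obey;
    shared_secret use "SuperSecretPSK";
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
EOF
}

# Rewrite "exchange_mode aggressive;" as "exchange_mode main;" in place
# (a .bak copy of the original is kept) and print the resulting line so the
# caller can confirm which phase-1 mode the file now requests.
set_main_mode() {
    sed -E -i.bak \
        's/^([[:space:]]*exchange_mode[[:space:]]+)aggressive[[:space:]]*;/\1main;/' "$1"
    grep -E '^[[:space:]]*exchange_mode' "$1"
}

# Print a copy of the config with the quoted PSK after shared_secret replaced
# by a placeholder, so the rest of the file can be shared for troubleshooting.
redact_psk() {
    sed -E \
        's/^([[:space:]]*shared_secret[[:space:]]+(use|keychain)?[[:space:]]*)"[^"]*"/\1"REDACTED"/' "$1"
}

# Usage: make_sample_racoon_conf ./vpn.conf; set_main_mode ./vpn.conf; redact_psk ./vpn.conf
```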
Best Answer
You may be able to share the connection from Windows to Mac, depending upon how it is implemented in Windows. Follow these steps, from this site:
Go to a command prompt and type:
Note the IP Address of the Host Only adapter. Likely something like 10.37.129.2.
Assuming the VPN shows as a connection in Windows Network Connections, setup Internet Connection Sharing on this adapter. When setting up ICS, choose the Host Only adapter as the Private Network Adapter.
Once that’s done, connect to the VPN.
On the host, add a route to your VPN, specifying the IP address of the Host Only Adapter as the gateway. In this example, the subnet trying to be reached on the VPN is 192.168.40.0/24, and the IP address of the Host Only Adapter is 10.37.129.2, so in a Terminal window you would type the following: