How to Setup a L2TP VPN Server on OS X

November 13, 2013 · 45 comments

This is a fast guide on configuring OS X to act as an L2TP VPN server. This can be accomplished with Apple’s Server app, but if you don’t mind running a few Terminal commands and adding a couple of configuration files manually, you can save yourself $20 and go out to eat instead.

This guide also includes a workaround for a known bug in the general release of OS X 10.9 Mavericks in its implementation of racoon that prevents remote clients from being able to connect to your VPN server.

Preamble

Estimated Time Required: 10-15 minutes
Tested on: OS X 10.8 Mountain Lion, OS X 10.9 Mavericks

Set up port forwarding

If your future server is behind a router, you’ll most likely need to set up port forwarding for the following ports:

  • UDP 500 for ISAKMP/IKE
  • UDP 1701 for L2TP
  • UDP 4500 for IPsec NAT Traversal
  • Optional: TCP 1723 for PPTP

Apple has more information on common ports used.

OS X 10.9 and 10.9.1 Mavericks fix

This step is only required on OS X 10.9 and 10.9.1 (Mavericks). Apple has finally fixed this bug in 10.9.2.

In OS X Mavericks, there was a change to the /usr/sbin/racoon program which breaks L2TP access from remote clients when traversing NAT. This is a known bug and I have filed a bug report with Apple. This also breaks Apple’s own Server App since it simply automates what we’re doing manually here. There are two known solutions.

Solution 1: Use a modified variation of the official fix. This modified installer does not check for the existence of Apple’s Server.app. Download the modified package MavericksVPNUpdateServerAppLess.pkg.

Also check out the official Apple KB article on this problem and their fix for users who have Server.app installed on their systems.

Solution 2: Replace /usr/sbin/racoon with a version from Mountain Lion. If you don’t have your own backup available, you can download my backup of racoon from Mountain Lion. Simply unzip, move the executable into /usr/sbin, and reboot your Mac [or kill and restart racoon].

For example:

sudo mv /usr/sbin/racoon ~/Desktop/racoon.bak
sudo mv ~/Downloads/racoon /usr/sbin/racoon
sudo killall racoon

Add a shared secret to your keychain

Run the following command in Terminal after replacing SHARED-SECRET-PHRASE with your own secret phrase. When you log in to your VPN server from a client, both an account password and this secret phrase will be needed.

sudo security add-generic-password -a com.apple.ppp.l2tp -s com.apple.net.racoon -T /usr/sbin/racoon -p "SHARED-SECRET-PHRASE" /Library/Keychains/System.keychain

Configure Apple’s vpnd Service

Download Example configuration files (and racoon binary from Mountain Lion)

Modify the configuration file com.apple.RemoteAccessServers.plist below and save it to the following location. Set ownership to root:wheel and chmod 644.

/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

You need to modify the following lines with your own information:

  • Lines 19-20 under “OfferedServerAddresses”

    These two lines should be changed to the DNS server addresses you want your VPN clients to use. In this example, I’m providing my local router (10.0.1.1) as the primary DNS server and a Google public DNS server (8.8.4.4) as the secondary.

  • Lines 29-30 under “DestAddressRanges”

    These two lines specify the start and end of the IP address range that will be handed out to clients when they log in. In this example, my clients are given an IP address between 10.0.1.250 and 10.0.1.254. Ideally, you should choose a range outside the one your router assigns by DHCP so that you avoid IP address conflicts. For example, my router is configured with a DHCP range of 10.0.1.2 to 10.0.1.249.

This configuration file also contains a PPTP server definition (com.apple.ppp.pptp) in addition to the L2TP one, although only com.apple.ppp.l2tp is listed under “ActiveServers”. If you wish to enable PPTP as well, modify the corresponding lines 84-85 and 94-95 in the same way.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ActiveServers</key>
    <array>
        <string>com.apple.ppp.l2tp</string>
    </array>
    <key>Servers</key>
    <dict>
        <key>com.apple.ppp.l2tp</key>
        <dict>
            <key>DNS</key>
            <dict>
                <key>OfferedSearchDomains</key>
                <array/>
                <key>OfferedServerAddresses</key>
                <array>
                    <string>10.0.1.1</string>
                    <string>8.8.4.4</string>
                </array>
            </dict>
            <key>IPv4</key>
            <dict>
                <key>ConfigMethod</key>
                <string>Manual</string>
                <key>DestAddressRanges</key>
                <array>
                    <string>10.0.1.250</string>
                    <string>10.0.1.254</string>
                </array>
            </dict>
            <key>Interface</key>
            <dict>
                <key>SubType</key>
                <string>L2TP</string>
                <key>Type</key>
                <string>PPP</string>
            </dict>
            <key>L2TP</key>
            <dict>
                <key>IPSecSharedSecret</key>
                <string>com.apple.ppp.l2tp</string>
                <key>IPSecSharedSecretEncryption</key>
                <string>Keychain</string>
                <key>Transport</key>
                <string>IPSec</string>
            </dict>
            <key>PPP</key>
            <dict>
                <key>AuthenticatorACLPlugins</key>
                <array>
                    <string>DSACL</string>
                </array>
                <key>LCPEchoEnabled</key>
                <integer>1</integer>
                <key>LCPEchoFailure</key>
                <integer>5</integer>
                <key>LCPEchoInterval</key>
                <integer>60</integer>
                <key>Logfile</key>
                <string>/var/log/ppp/vpnd.log</string>
                <key>VerboseLogging</key>
                <integer>1</integer>
            </dict>
            <key>Server</key>
            <dict>
                <key>Logfile</key>
                <string>/var/log/ppp/vpnd.log</string>
                <key>MaximumSessions</key>
                <integer>128</integer>
                <key>VerboseLogging</key>
                <integer>1</integer>
            </dict>
        </dict>
        <key>com.apple.ppp.pptp</key>
        <dict>
            <key>DNS</key>
            <dict>
                <key>OfferedSearchDomains</key>
                <array/>
                <key>OfferedServerAddresses</key>
                <array>
                    <string>10.0.1.1</string>
                    <string>8.8.4.4</string>
                </array>
            </dict>
            <key>IPv4</key>
            <dict>
                <key>ConfigMethod</key>
                <string>Manual</string>
                <key>DestAddressRanges</key>
                <array>
                    <string>10.0.1.250</string>
                    <string>10.0.1.254</string>
                </array>
            </dict>
            <key>Interface</key>
            <dict>
                <key>SubType</key>
                <string>PPTP</string>
                <key>Type</key>
                <string>PPP</string>
            </dict>
            <key>PPP</key>
            <dict>
                <key>AuthenticatorACLPlugins</key>
                <array>
                    <string>DSACL</string>
                </array>
                <key>CCPEnabled</key>
                <integer>1</integer>
                <key>CCPProtocols</key>
                <array>
                    <string>MPPE</string>
                </array>
                <key>LCPEchoEnabled</key>
                <integer>1</integer>
                <key>LCPEchoFailure</key>
                <integer>5</integer>
                <key>LCPEchoInterval</key>
                <integer>60</integer>
                <key>Logfile</key>
                <string>/var/log/ppp/vpnd.log</string>
                <key>MPPEKeySize128</key>
                <integer>0</integer>
                <key>MPPEKeySize40</key>
                <integer>1</integer>
                <key>VerboseLogging</key>
                <integer>1</integer>
            </dict>
            <key>Server</key>
            <dict>
                <key>Logfile</key>
                <string>/var/log/ppp/vpnd.log</string>
                <key>MaximumSessions</key>
                <integer>128</integer>
                <key>VerboseLogging</key>
                <integer>1</integer>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
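Before copying the file into /Library/Preferences/SystemConfiguration, it is worth checking it for the mistakes described above. The following script is an added example and not part of the guide: it parses a RemoteAccessServers plist with Python’s plistlib and flags a client address pool that overlaps the router’s DHCP range, DNS addresses that are not valid IPv4, and an L2TP entry whose IPSecSharedSecret does not name the keychain account created with the security command earlier (the guide’s files use com.apple.ppp.l2tp for both). The embedded plist is a trimmed, constructed copy of the guide’s L2TP entry; the DHCP range is passed in as two arguments.

```python
"""Sanity-check a com.apple.RemoteAccessServers.plist before installing it.

Added example, not part of the guide. Flags the mistakes the guide warns
about: client pool overlapping DHCP, bad DNS addresses, keychain mismatch.
"""
import ipaddress
import plistlib

# Constructed sample: a trimmed copy of the guide's L2TP server entry.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ActiveServers</key>
    <array><string>com.apple.ppp.l2tp</string></array>
    <key>Servers</key>
    <dict>
        <key>com.apple.ppp.l2tp</key>
        <dict>
            <key>DNS</key>
            <dict>
                <key>OfferedServerAddresses</key>
                <array><string>10.0.1.1</string><string>8.8.4.4</string></array>
            </dict>
            <key>IPv4</key>
            <dict>
                <key>ConfigMethod</key><string>Manual</string>
                <key>DestAddressRanges</key>
                <array><string>10.0.1.250</string><string>10.0.1.254</string></array>
            </dict>
            <key>Interface</key>
            <dict>
                <key>SubType</key><string>L2TP</string>
                <key>Type</key><string>PPP</string>
            </dict>
            <key>L2TP</key>
            <dict>
                <key>IPSecSharedSecret</key><string>com.apple.ppp.l2tp</string>
                <key>IPSecSharedSecretEncryption</key><string>Keychain</string>
                <key>Transport</key><string>IPSec</string>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""


def _ipv4(text):
    """Return an IPv4Address, or None if the string is not a valid address."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def validate_remote_access_servers(plist_bytes, dhcp_start, dhcp_end,
                                   keychain_account="com.apple.ppp.l2tp"):
    """Return a list of problems; an empty list means the file looks sane."""
    root = plistlib.loads(plist_bytes)
    servers = root.get("Servers", {})
    dhcp_lo, dhcp_hi = ipaddress.IPv4Address(dhcp_start), ipaddress.IPv4Address(dhcp_end)
    problems = []

    for name in root.get("ActiveServers", []):
        cfg = servers.get(name)
        if cfg is None:
            problems.append(f"{name}: in ActiveServers but not defined under Servers")
            continue

        # OfferedServerAddresses are the DNS servers pushed to clients.
        for addr in cfg.get("DNS", {}).get("OfferedServerAddresses", []):
            if _ipv4(addr) is None:
                problems.append(f"{name}: bad DNS server address {addr!r}")

        # DestAddressRanges is the client pool: two ordered addresses, outside DHCP.
        pool = cfg.get("IPv4", {}).get("DestAddressRanges", [])
        lo, hi = (_ipv4(pool[0]), _ipv4(pool[1])) if len(pool) == 2 else (None, None)
        if lo is None or hi is None:
            problems.append(f"{name}: DestAddressRanges must be two IPv4 addresses, got {pool!r}")
        elif lo > hi:
            problems.append(f"{name}: DestAddressRanges start {lo} is after end {hi}")
        elif lo <= dhcp_hi and hi >= dhcp_lo:
            problems.append(f"{name}: client pool {lo}-{hi} overlaps DHCP range {dhcp_lo}-{dhcp_hi}")

        # An L2TP server must name the keychain item added with
        # `security add-generic-password -a <account> ...` (assumed: same account string).
        if cfg.get("Interface", {}).get("SubType") == "L2TP":
            l2tp = cfg.get("L2TP", {})
            if l2tp.get("IPSecSharedSecretEncryption") != "Keychain":
                problems.append(f"{name}: IPSecSharedSecretEncryption is not 'Keychain'")
            if l2tp.get("IPSecSharedSecret") != keychain_account:
                problems.append(f"{name}: IPSecSharedSecret {l2tp.get('IPSecSharedSecret')!r} "
                                f"does not match keychain account {keychain_account!r}")
    return problems


if __name__ == "__main__":
    for line in validate_remote_access_servers(SAMPLE_PLIST, "10.0.1.2", "10.0.1.249") or ["OK"]:
        print(line)
```

Run it against your own file with `validate_remote_access_servers(open(path, "rb").read(), "10.0.1.2", "10.0.1.249")`, substituting your router’s DHCP range; any line it prints is something to fix before loading the launchd job.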

Create a Launchd profile

Take the com.apple.ppp.l2tp.plist launchd configuration file below and save it to the following location. Set ownership to root:wheel and chmod 644.

/Library/LaunchDaemons/com.apple.ppp.l2tp.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.apple.ppp.l2tp</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/sbin/vpnd</string>
            <string>-x</string>
            <string>-i</string>
            <string>com.apple.ppp.l2tp</string>
        </array>
        <key>OnDemand</key>
        <false/>
    </dict>
</plist>

Launchd Loading and Unloading

This command will load the launchd configuration and start the vpnd service. The VPN service will automatically start when you reboot your computer.

sudo launchctl load -w /Library/LaunchDaemons/com.apple.ppp.l2tp.plist

This command will unload the launchd configuration and stop the vpnd service. This will also stop VPN services from starting when you reboot.

sudo launchctl unload -w /Library/LaunchDaemons/com.apple.ppp.l2tp.plist

Troubleshooting

If things just aren’t working, take a look in Console to see what errors vpnd is reporting; the configuration above also writes vpnd’s log to /var/log/ppp/vpnd.log.
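On the client side, racoon is the process to watch in Console, since it has to finish the IKE exchange on UDP 500/4500 before L2TP on UDP 1701 is even attempted. The script below is an added example, not part of the guide: it reads racoon’s Console lines, records the IKEv1 state changes, and counts packets sent, resent and received so you can tell at a glance whether the server ever answered (no answer usually means the port forwarding or firewall from the first section). The sample log is constructed in the format racoon uses; 203.0.113.10 is a documentation address, not a real server.

```python
"""Summarise a client-side racoon (IKEv1) negotiation from Console log lines.

Added example, not part of the guide. Reports how far the IKE exchange got,
which is the first thing to check when a client cannot connect.
"""
import re

# Constructed sample in racoon's Console format; 203.0.113.10 is a documentation address.
SAMPLE_LOG = """\
3/6/14 8:45:23.343 AM pppd[29382]: L2TP connecting to server '203.0.113.10' (203.0.113.10)...
3/6/14 8:45:23.357 AM racoon[220]: IPsec-SA request for 203.0.113.10 queued due to no Phase 1 found.
3/6/14 8:45:23.357 AM racoon[220]: ****** state changed to: IKEv1 ident I start
3/6/14 8:45:23.358 AM racoon[220]: initiate new phase 1 negotiation: 192.168.1.71[500]<=>203.0.113.10[500]
3/6/14 8:45:23.360 AM racoon[220]: ****** state changed to: IKEv1 ident I msg1 sent
3/6/14 8:45:23.360 AM racoon[220]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
3/6/14 8:45:23.839 AM racoon[220]: @@@@@@ data from readmsg:
3/6/14 8:45:33.360 AM racoon[220]: Resend Phase 1 packet 5064890cae451dd7:0000000000000000
"""

# "<date> <time> AM|PM <process>[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ [AP]M) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
STATE_RE = re.compile(r"state changed to: (?P<state>.+)$")
PEER_RE = re.compile(r"phase 1 negotiation: (?P<local>\S+)<=>(?P<peer>\S+)")


def summarise_racoon_log(text):
    """Return counts of what racoon sent and received, plus a one-line verdict."""
    summary = {"peer": None, "states": [], "sent": 0, "resent": 0, "received": 0}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proc") != "racoon":
            continue  # pppd and other processes are not part of the IKE exchange
        msg = m.group("msg")
        state = STATE_RE.search(msg)
        if state:
            summary["states"].append(state.group("state"))
        peer = PEER_RE.search(msg)
        if peer:
            summary["peer"] = peer.group("peer")
        if "IKE Packet: transmit success" in msg:
            summary["sent"] += 1
        elif msg.startswith("Resend Phase 1 packet"):
            summary["resent"] += 1
        elif "data from readmsg" in msg:
            summary["received"] += 1  # logged when a packet arrives from the peer

    last_state = summary["states"][-1] if summary["states"] else "unknown"
    if summary["peer"] is None:
        summary["verdict"] = "no IKE phase 1 negotiation was started"
    elif summary["received"] == 0:
        summary["verdict"] = ("no reply from peer on UDP 500: check the port forwarding "
                              "for UDP 500/4500 and the server firewall")
    else:
        summary["verdict"] = f"peer replied; last state: {last_state}"
    return summary


if __name__ == "__main__":
    for key, value in summarise_racoon_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Paste the racoon lines from Console into a file and call `summarise_racoon_log(open(path).read())`; a growing resent count with received still at zero points at the network path rather than at the shared secret or the account password.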


Michael April 16, 2014 at 4:14 am

I use VPN to connect my iPad to an iMac, 10.9.2. I can connect when my iMac is not in sleep mode. I cannot connect when it is in sleep mode. My work around is to not let the iMac go into sleep. Is there a better solution?

Ferd April 16, 2014 at 11:38 am

Apple’s own routers allegedly keep a “log of devices” and can send wake-up messages to clients. Please google for details – as far as I remember, this should work if the requesting device and the one to be woken up are both on the local network. Not sure if Apple routers will do the same if the requester originates from outside.

Bill H March 31, 2014 at 5:23 pm

Great guide and what should be a simple question. I am connecting from an iPad to my MAC and the L2TP VPN comes active, however I am unable to access any of my local IP addresses and iPad apps that work when on the home network (home automation, etc) are unable to connect to their servers… Is there an obvious step I’ve missed?

Thanks. b

Dave Gustavson March 31, 2014 at 8:04 pm

I think this is essentially what I asked in one of my March 6 comments.
I’m still waiting for an answer (haven’t had any luck with searching online).
What does get routed through the vpn and what does not?
It’s clearly not the same as being remotely connected to your home network, as not all the home network is visible, and also some of the remote network is visible.
If anyone knows of documentation that explains what vpn does and does not do, I’d love to know.

bill April 1, 2014 at 4:33 pm

Dave — In my case, the VPN starts fine, iPad connects fine, and I am able to go from the iPad, to the home network, and out to the Internet. I am not able to access any local servers or applications on the home network (even using the IP addresses and not hostnames). B

Dave Gustavson April 1, 2014 at 8:37 pm

When I was at a hotel, my MacBook Pro could connect to home, but I could not see my home network drives. I could do screen sharing to one of my home machines, though, and access the network drives through that. Seems like one ought to be able to mount them on the remote computer if the vpn really put one on one’s home network.
When I did an arp -al, I saw other devices around the hotel.
So it must be that vpn forwards or not based on protocol or port number or ??

Ferd March 21, 2014 at 6:34 pm

Setting up a VPN based on the instructions provided at the time was a piece of cake and VPN connections from various clients worked fine. Initial tests showed VPN connections were stable for several minutes. It wasn’t until I actually was off site that I discovered that the machine (initially with OS X 10.9.1) which hosts the VPN server lost its wifi connection after about 10 minutes and failed to reconnect. Both server and router logs since the VPN went live are inconclusive. The server machine was operating with a stable wifi connection (sustaining several days easily) before and my network scanners have not shown any new “neighbours” that I haven’t been aware of already since my VPN went live. Wifi on several other machines in the same house has been no issue – neither before nor after the VPN server was set up. A server OS upgrade to 10.9.2 didn’t resolve the wifi issues and the server now drops its wifi consistently after a few minutes of inactivity (to the best of my knowledge it is configured to keep wifi connections alive – energy saving options are off and wifi wakeup is active). When the wifi is on, VPN works fine. I’m somewhat suspicious of my router (obviously I opened the ports noted in the instructions of its firewall to enable VPN connections) and it could be the router’s fault but wanted to know if somebody else has experienced wifi connection issues on server machines with the described VPN solution? Thanks.

aMakUzr March 21, 2014 at 3:55 pm

I’ve put up an article on this topic that I hope will help others:

see Setting Up an iOS 7 On-Demand VPN:
http://www.derman.com/blogs/Setting-Up-iOS-OnDemand-VPN

Dave Gustavson March 6, 2014 at 1:10 pm

Setting the Mac OS X.9 Firewall to let VPN packets through wasn’t obvious to me.
What I tried was just adding the iVPN app to the allowed list of apps, and it seems to be working, but it was not obvious to me that this would have the right effect. In fact, I don’t think this app has to be running anymore for VPN to work–the app just sets things up for the service, it doesn’t run it.
So this note, to help others with the quandary. The Mac Firewall is perhaps trying to be too easy-to-use, so I don’t know what it’s really doing or how to really control it anymore.

Dave Gustavson March 6, 2014 at 12:43 pm

When VPN is working, which transactions get routed through it and which don’t?
In some ways it’s like my remote Mac is just sitting on my own internal network, but in other ways it’s different.
I’m connected to the wifi in my hotel, and have VPN connected to my home network.
In Finder windows, I see my other computers at home (but not the one that’s running the VPN service), but I don’t see my network storage boxes. Why not?
I do see the various access points around the hotel, just like I’d see without VPN connected.
I’m able to connect (screenshare) my home computer that’s serving VPN by using Finder>Go To Server>the home-local IP address, so that much is working as though I’m on the home network.
But the hotel network is using similar IP addresses, 192.168.1.xx, so some are local to the hotel and some are local to home. Confusing. terminal arp -al seems to show only hotel-related devices, so that’s not going on my home network.
So, how can I be sure the VPN is really protecting my communications? It looks more like I have the VPN world added to the local world. What determines which packets get sent through the VPN tunnel, and which don’t? How do I know my email etc isn’t visible to others on the local wifi, when my laptop is clearly using wifi and can see other local nodes?
Where can I learn how this gets sorted out, and how to tell if it’s really protecting me?

Dave Gustavson March 6, 2014 at 12:30 pm

This discussion was very helpful. I took the easy way out and bought iPVN, but had trouble getting L2TP to work because my Airport Extreme wouldn’t forward ports 4500 and 500. Finally deleted the Back to my Mac entries, and then it allowed the forwarding.
I’m amazed that I was able to get all this working from a remote location, using VNC to get it installed on my home Mac, reconnecting successfully after Airport reboots 3 times!
I was motivated by my formerly useful but now apparently unsupported HideMyAss software refusing to connect my email or do screen sharing. I’m going to dump it, as it’s become useless–my motivation isn’t to hide my location but to be secure on shared wifi networks.
But I still have some questions. I’ll post them separately if this works.

Dave Gustavson March 6, 2014 at 1:06 pm

I meant iVPN, not iPVN. Sorry.

Alex March 6, 2014 at 8:48 am

Thanks for the post!

I am running Mac OS 10.9.2 on the server and client. Unfortunately I am unable to connect. Here is the console output on the client side (sorry, it’s pretty looong). Any ideas?

3/6/14 8:45:23.319 AM configd[18]: SCNC: start, triggered by (26239) com.apple.prefe, type L2TP, status 0, trafficClass 0
3/6/14 8:45:23.341 AM pppd[29382]: publish_entry SCDSet() failed: Success!
3/6/14 8:45:23.341 AM pppd[29382]: publish_entry SCDSet() failed: Success!
3/6/14 8:45:23.341 AM pppd[29382]: pppd 2.4.2 (Apple version 727.90.1) started by alex, uid 501
3/6/14 8:45:23.343 AM pppd[29382]: L2TP connecting to server ’78.49.249.253′ (78.49.249.253)…
3/6/14 8:45:23.344 AM racoon[220]: ==== Got usr1 signal – re-parsing configuration.
3/6/14 8:45:23.344 AM racoon[220]: ==== flush negotiating sessions.
3/6/14 8:45:23.344 AM racoon[220]: flushing ph2 handles: ignore_estab_or_assert 1…
3/6/14 8:45:23.344 AM racoon[220]: Flushing Phase 1 handles: ignore_estab_or_assert 1…
3/6/14 8:45:23.344 AM pppd[29382]: IPSec connection started
3/6/14 8:45:23.345 AM racoon[220]: ===== parsing configuration
3/6/14 8:45:23.345 AM racoon[220]: reading configuration file /etc/racoon/racoon.conf
3/6/14 8:45:23.345 AM racoon[220]: lifetime = 60
3/6/14 8:45:23.345 AM racoon[220]: lifebyte = 0
3/6/14 8:45:23.345 AM racoon[220]: encklen=0
3/6/14 8:45:23.345 AM racoon[220]: p:1 t:1
3/6/14 8:45:23.345 AM racoon[220]: 3DES-CBC(5)
3/6/14 8:45:23.346 AM racoon[220]: SHA(2)
3/6/14 8:45:23.346 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:23.346 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:23.346 AM racoon[220]: 0
3/6/14 8:45:23.346 AM racoon[220]: 0
3/6/14 8:45:23.346 AM racoon[220]: hmac(modp1024)
3/6/14 8:45:23.346 AM racoon[220]: filename: /var/run/racoon/*.conf
3/6/14 8:45:23.346 AM racoon[220]: reading configuration file /var/run/racoon/78.49.249.253.conf
3/6/14 8:45:23.347 AM racoon[220]: lifetime = 3600
3/6/14 8:45:23.347 AM racoon[220]: lifebyte = 0
3/6/14 8:45:23.347 AM racoon[220]: encklen=256
3/6/14 8:45:23.347 AM racoon[220]: p:1 t:1
3/6/14 8:45:23.347 AM racoon[220]: AES-CBC(7)
3/6/14 8:45:23.347 AM racoon[220]: SHA(2)
3/6/14 8:45:23.347 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:23.347 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:23.347 AM racoon[220]: 0
3/6/14 8:45:23.347 AM racoon[220]: 0
3/6/14 8:45:23.347 AM racoon[220]: lifetime = 3600
3/6/14 8:45:23.347 AM racoon[220]: lifebyte = 0
3/6/14 8:45:23.347 AM racoon[220]: encklen=256
3/6/14 8:45:23.347 AM racoon[220]: p:1 t:2
3/6/14 8:45:23.348 AM racoon[220]: AES-CBC(7)
3/6/14 8:45:23.348 AM racoon[220]: MD5(1)
3/6/14 8:45:23.348 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:23.348 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:23.348 AM racoon[220]: 0
3/6/14 8:45:23.348 AM racoon[220]: 0
3/6/14 8:45:23.348 AM racoon[220]: lifetime = 3600
3/6/14 8:45:23.348 AM racoon[220]: lifebyte = 0
3/6/14 8:45:23.348 AM racoon[220]: encklen=128
3/6/14 8:45:23.348 AM racoon[220]: p:1 t:3
3/6/14 8:45:23.348 AM racoon[220]: AES-CBC(7)
3/6/14 8:45:23.348 AM racoon[220]: SHA(2)
3/6/14 8:45:23.348 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:23.348 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:23.348 AM racoon[220]: 0
3/6/14 8:45:23.348 AM racoon[220]: 0
3/6/14 8:45:23.348 AM racoon[220]: lifetime = 3600
3/6/14 8:45:23.348 AM racoon[220]: lifebyte = 0
3/6/14 8:45:23.348 AM racoon[220]: encklen=128
3/6/14 8:45:23.348 AM racoon[220]: p:1 t:4
3/6/14 8:45:23.349 AM racoon[220]: AES-CBC(7)
3/6/14 8:45:23.349 AM racoon[220]: MD5(1)
3/6/14 8:45:23.349 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:23.349 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:23.349 AM racoon[220]: 0
3/6/14 8:45:23.349 AM racoon[220]: 0
3/6/14 8:45:23.349 AM racoon[220]: lifetime = 3600
3/6/14 8:45:23.349 AM racoon[220]: lifebyte = 0
3/6/14 8:45:23.349 AM racoon[220]: encklen=0
3/6/14 8:45:23.349 AM racoon[220]: p:1 t:5
3/6/14 8:45:23.349 AM racoon[220]: 3DES-CBC(5)
3/6/14 8:45:23.349 AM racoon[220]: SHA(2)
3/6/14 8:45:23.349 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:23.349 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:23.349 AM racoon[220]: 0
3/6/14 8:45:23.349 AM racoon[220]: 0
3/6/14 8:45:23.349 AM racoon[220]: lifetime = 3600
3/6/14 8:45:23.349 AM racoon[220]: lifebyte = 0
3/6/14 8:45:23.349 AM racoon[220]: encklen=0
3/6/14 8:45:23.349 AM racoon[220]: p:1 t:6
3/6/14 8:45:23.350 AM racoon[220]: 3DES-CBC(5)
3/6/14 8:45:23.350 AM racoon[220]: MD5(1)
3/6/14 8:45:23.350 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:23.350 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:23.350 AM racoon[220]: 0
3/6/14 8:45:23.350 AM racoon[220]: 0
3/6/14 8:45:23.350 AM racoon[220]: reading configuration file /var/run/racoon/fd62:dfc9:18e8:d055:7198:0d04:2560:bdb3.conf
3/6/14 8:45:23.350 AM racoon[220]: lifetime = 900
3/6/14 8:45:23.350 AM racoon[220]: lifebyte = 0
3/6/14 8:45:23.350 AM racoon[220]: encklen=128
3/6/14 8:45:23.350 AM racoon[220]: p:1 t:1
3/6/14 8:45:23.350 AM racoon[220]: AES-CBC(7)
3/6/14 8:45:23.350 AM racoon[220]: SHA256(4)
3/6/14 8:45:23.350 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:23.350 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:23.350 AM racoon[220]: 0
3/6/14 8:45:23.350 AM racoon[220]: 0
3/6/14 8:45:23.351 AM racoon[220]: lifetime = 900
3/6/14 8:45:23.351 AM racoon[220]: lifebyte = 0
3/6/14 8:45:23.351 AM racoon[220]: encklen=128
3/6/14 8:45:23.351 AM racoon[220]: p:1 t:2
3/6/14 8:45:23.351 AM racoon[220]: AES-CBC(7)
3/6/14 8:45:23.351 AM racoon[220]: SHA(2)
3/6/14 8:45:23.351 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:23.351 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:23.351 AM racoon[220]: 0
3/6/14 8:45:23.351 AM racoon[220]: 0
3/6/14 8:45:23.351 AM racoon[220]: hmac(modp1024)
3/6/14 8:45:23.351 AM racoon[220]: reading configuration file /var/run/racoon/fd93:088e:32fb:0a3a:7198:0d04:2560:bdb3.conf
3/6/14 8:45:23.351 AM racoon[220]: lifetime = 900
3/6/14 8:45:23.351 AM racoon[220]: lifebyte = 0
3/6/14 8:45:23.351 AM racoon[220]: encklen=128
3/6/14 8:45:23.351 AM racoon[220]: p:1 t:1
3/6/14 8:45:23.351 AM racoon[220]: AES-CBC(7)
3/6/14 8:45:23.351 AM racoon[220]: SHA256(4)
3/6/14 8:45:23.352 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:23.352 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:23.352 AM racoon[220]: 0
3/6/14 8:45:23.352 AM racoon[220]: 0
3/6/14 8:45:23.352 AM racoon[220]: lifetime = 900
3/6/14 8:45:23.352 AM racoon[220]: lifebyte = 0
3/6/14 8:45:23.352 AM racoon[220]: encklen=128
3/6/14 8:45:23.352 AM racoon[220]: p:1 t:2
3/6/14 8:45:23.352 AM racoon[220]: AES-CBC(7)
3/6/14 8:45:23.352 AM racoon[220]: SHA(2)
3/6/14 8:45:23.352 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:23.352 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:23.352 AM racoon[220]: 0
3/6/14 8:45:23.352 AM racoon[220]: 0
3/6/14 8:45:23.352 AM racoon[220]: hmac(modp1024)
3/6/14 8:45:23.352 AM racoon[220]: reading configuration file /var/run/racoon/fde2:9c67:8a48:4901:7198:0d04:2560:bdb3.conf
3/6/14 8:45:23.352 AM racoon[220]: lifetime = 900
3/6/14 8:45:23.353 AM racoon[220]: lifebyte = 0
3/6/14 8:45:23.353 AM racoon[220]: encklen=128
3/6/14 8:45:23.353 AM racoon[220]: p:1 t:1
3/6/14 8:45:23.353 AM racoon[220]: AES-CBC(7)
3/6/14 8:45:23.353 AM racoon[220]: SHA256(4)
3/6/14 8:45:23.353 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:23.353 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:23.353 AM racoon[220]: 0
3/6/14 8:45:23.353 AM racoon[220]: 0
3/6/14 8:45:23.353 AM racoon[220]: lifetime = 900
3/6/14 8:45:23.353 AM racoon[220]: lifebyte = 0
3/6/14 8:45:23.353 AM racoon[220]: encklen=128
3/6/14 8:45:23.353 AM racoon[220]: p:1 t:2
3/6/14 8:45:23.353 AM racoon[220]: AES-CBC(7)
3/6/14 8:45:23.353 AM racoon[220]: SHA(2)
3/6/14 8:45:23.353 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:23.353 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:23.353 AM racoon[220]: 0
3/6/14 8:45:23.353 AM racoon[220]: 0
3/6/14 8:45:23.353 AM racoon[220]: hmac(modp1024)
3/6/14 8:45:23.354 AM racoon[220]: parse succeeded.
3/6/14 8:45:23.354 AM racoon[220]: accepted connection on vpn control socket.
3/6/14 8:45:23.354 AM racoon[220]: received bind command on vpn control socket.
3/6/14 8:45:23.354 AM racoon[220]: checking listen addrs: 192.168.1.71[500]
3/6/14 8:45:23.354 AM racoon[220]: suitable outbound SP found: 192.168.1.71/32[57574] 78.49.249.253/32[1701] proto=udp dir=out.
3/6/14 8:45:23.354 AM racoon[220]: Suitable inbound SP found: 78.49.249.253/32[1701] 192.168.1.71/32[57574] proto=udp dir=in.
3/6/14 8:45:23.354 AM racoon[220]: configuration found for 78.49.249.253.
3/6/14 8:45:23.354 AM racoon[220]: *** New Phase 2
3/6/14 8:45:23.354 AM racoon[220]: Got new Phase 2 version 16
3/6/14 8:45:23.354 AM racoon[220]: ****** state changed to: IKEv1 quick I start
3/6/14 8:45:23.355 AM racoon[220]: new acquire 192.168.1.71/32[57574] 78.49.249.253/32[1701] proto=udp dir=out
3/6/14 8:45:23.355 AM racoon[220]: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
3/6/14 8:45:23.355 AM racoon[220]: (trns_id=AES encklen=256 authtype=hmac-sha)
3/6/14 8:45:23.355 AM racoon[220]: (trns_id=AES encklen=256 authtype=hmac-md5)
3/6/14 8:45:23.355 AM racoon[220]: (trns_id=AES encklen=128 authtype=hmac-sha)
3/6/14 8:45:23.355 AM racoon[220]: (trns_id=AES encklen=128 authtype=hmac-md5)
3/6/14 8:45:23.355 AM racoon[220]: (trns_id=3DES encklen=0 authtype=hmac-sha)
3/6/14 8:45:23.355 AM racoon[220]: (trns_id=3DES encklen=0 authtype=hmac-md5)
3/6/14 8:45:23.355 AM racoon[220]: start search for IKE-Session. target 78.49.249.253[0].
3/6/14 8:45:23.355 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.355 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.356 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.356 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.356 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.356 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.356 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.356 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.356 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:23.356 AM racoon[220]: still searching. skipping… session to 78.49.249.253[0] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.356 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:23.356 AM racoon[220]: still searching. skipping… session to 78.49.249.253[0] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.356 AM racoon[220]: still search for IKE-Session. this fde2:9c67:8a48:4901:85e9:2f81:fbe7:98f9[500].
3/6/14 8:45:23.357 AM racoon[220]: still searching. skipping… session to fde2:9c67:8a48:4901:85e9:2f81:fbe7:98f9[500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.357 AM racoon[220]: New IKE-Session to 78.49.249.253[0].
3/6/14 8:45:23.357 AM racoon[220]: Connecting.
3/6/14 8:45:23.357 AM racoon[220]: In post_acquire
3/6/14 8:45:23.357 AM racoon[220]: configuration found for 78.49.249.253.
3/6/14 8:45:23.357 AM racoon[220]: ike_session_has_other_negoing_ph2: ph2 sub spid 31, db spid 31
3/6/14 8:45:23.357 AM racoon[220]: IPsec-SA request for 78.49.249.253 queued due to no Phase 1 found.
3/6/14 8:45:23.357 AM racoon[220]: *** New Phase 1
3/6/14 8:45:23.357 AM racoon[220]: ****** state changed to: IKEv1 ident I start
3/6/14 8:45:23.358 AM racoon[220]: ===
3/6/14 8:45:23.358 AM racoon[220]: initiate new phase 1 negotiation: 192.168.1.71[500]<=>78.49.249.253[500]
3/6/14 8:45:23.358 AM racoon[220]: begin Identity Protection mode.
3/6/14 8:45:23.358 AM racoon[220]: IPSec Phase 1 started (Initiated by me).
3/6/14 8:45:23.358 AM racoon[220]: new cookie:
5064890cae451dd7
3/6/14 8:45:23.358 AM racoon[220]: add payload of len 224, next type 13
3/6/14 8:45:23.358 AM racoon[220]: add payload of len 16, next type 13
3/6/14 8:45:23.358 AM racoon[220]: add payload of len 16, next type 13
3/6/14 8:45:23.358 AM racoon[220]: add payload of len 16, next type 13
3/6/14 8:45:23.358 AM racoon[220]: add payload of len 16, next type 13
3/6/14 8:45:23.358 AM racoon[220]: add payload of len 16, next type 13
3/6/14 8:45:23.358 AM racoon[220]: add payload of len 16, next type 13
3/6/14 8:45:23.358 AM racoon[220]: add payload of len 16, next type 13
3/6/14 8:45:23.359 AM racoon[220]: add payload of len 16, next type 13
3/6/14 8:45:23.359 AM racoon[220]: add payload of len 16, next type 13
3/6/14 8:45:23.359 AM racoon[220]: add payload of len 16, next type 13
3/6/14 8:45:23.359 AM racoon[220]: add payload of len 20, next type 13
3/6/14 8:45:23.359 AM racoon[220]: add payload of len 16, next type 0
3/6/14 8:45:23.359 AM racoon[220]: 500 bytes from 192.168.1.71[500] to 78.49.249.253[500]
3/6/14 8:45:23.359 AM racoon[220]: sockname 192.168.1.71[500]
3/6/14 8:45:23.359 AM racoon[220]: send packet from 192.168.1.71[500]
3/6/14 8:45:23.359 AM racoon[220]: send packet to 78.49.249.253[500]
3/6/14 8:45:23.359 AM racoon[220]: @@@@@@ data being sent:
3/6/14 8:45:23.360 AM racoon[220]: 1 times of 500 bytes message will be sent to 78.49.249.253[500]
3/6/14 8:45:23.360 AM racoon[220]: Resend Phase 1 packet 5064890cae451dd7:0000000000000000
3/6/14 8:45:23.360 AM racoon[220]: ****** state changed to: IKEv1 ident I msg1 sent
3/6/14 8:45:23.360 AM racoon[220]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
3/6/14 8:45:23.360 AM racoon[220]: >>>>> phase change status = Phase 1 started by us
3/6/14 8:45:23.360 AM racoon[220]: vpn control writing 20 bytes
3/6/14 8:45:23.839 AM racoon[220]: @@@@@@ data from readmsg:
3/6/14 8:45:23.839 AM racoon[220]: start search for IKE-Session. target 78.49.249.253[500].
3/6/14 8:45:23.839 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:23.839 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.840 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.840 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.840 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.840 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.840 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.840 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.840 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.840 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:23.840 AM racoon[220]: still searching. skipping… session to 78.49.249.253[0] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.840 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:23.840 AM racoon[220]: still searching. skipping… session to 78.49.249.253[0] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.840 AM racoon[220]: still search for IKE-Session. this fde2:9c67:8a48:4901:85e9:2f81:fbe7:98f9[500].
3/6/14 8:45:23.841 AM racoon[220]: still searching. skipping… session to fde2:9c67:8a48:4901:85e9:2f81:fbe7:98f9[500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.841 AM racoon[220]: start search for IKE-Session. target 78.49.249.253[500].
3/6/14 8:45:23.841 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:23.841 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.841 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.841 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.841 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.841 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.841 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.841 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.841 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.841 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:23.842 AM racoon[220]: still searching. skipping… session to 78.49.249.253[0] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.842 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:23.842 AM racoon[220]: still searching. skipping… session to 78.49.249.253[0] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.842 AM racoon[220]: still search for IKE-Session. this fde2:9c67:8a48:4901:85e9:2f81:fbe7:98f9[500].
3/6/14 8:45:23.842 AM racoon[220]: still searching. skipping… session to fde2:9c67:8a48:4901:85e9:2f81:fbe7:98f9[500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.842 AM racoon[220]: Best-match IKE-Session to 78.49.249.253[0].
3/6/14 8:45:23.842 AM racoon[220]: 148 bytes message received from 78.49.249.253[500] to 192.168.1.71[500]
3/6/14 8:45:23.842 AM racoon[220]: start search for IKE-Session. target 78.49.249.253[500].
3/6/14 8:45:23.842 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:23.842 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.842 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.843 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.843 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.843 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.843 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.843 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.843 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.843 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:23.843 AM racoon[220]: still searching. skipping… session to 78.49.249.253[0] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.843 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:23.843 AM racoon[220]: still searching. skipping… session to 78.49.249.253[0] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.843 AM racoon[220]: still search for IKE-Session. this fde2:9c67:8a48:4901:85e9:2f81:fbe7:98f9[500].
3/6/14 8:45:23.843 AM racoon[220]: still searching. skipping… session to fde2:9c67:8a48:4901:85e9:2f81:fbe7:98f9[500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.844 AM racoon[220]: start search for IKE-Session. target 78.49.249.253[500].
3/6/14 8:45:23.844 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:23.844 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.844 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.844 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.844 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.844 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.844 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.844 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:23.844 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.844 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:23.844 AM racoon[220]: still searching. skipping… session to 78.49.249.253[0] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.844 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:23.845 AM racoon[220]: still searching. skipping… session to 78.49.249.253[0] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.845 AM racoon[220]: still search for IKE-Session. this fde2:9c67:8a48:4901:85e9:2f81:fbe7:98f9[500].
3/6/14 8:45:23.845 AM racoon[220]: still searching. skipping… session to fde2:9c67:8a48:4901:85e9:2f81:fbe7:98f9[500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:23.845 AM racoon[220]: Best-match IKE-Session to 78.49.249.253[0].
3/6/14 8:45:23.845 AM racoon[220]: begin.
3/6/14 8:45:23.845 AM racoon[220]: seen nptype=1(sa)
3/6/14 8:45:23.845 AM racoon[220]: seen nptype=13(vid)
3/6/14 8:45:23.845 AM racoon[220]: seen nptype=13(vid)
3/6/14 8:45:23.845 AM racoon[220]: seen nptype=13(vid)
3/6/14 8:45:23.845 AM racoon[220]: succeed.
3/6/14 8:45:23.845 AM racoon[220]: received Vendor ID: RFC 3947
3/6/14 8:45:23.845 AM racoon[220]: received Vendor ID: DPD
3/6/14 8:45:23.845 AM racoon[220]: received broken Microsoft ID: FRAGMENTATION
3/6/14 8:45:23.845 AM racoon[220]: remote supports FRAGMENTATION
3/6/14 8:45:23.845 AM racoon[220]: Selected NAT-T version: RFC 3947
3/6/14 8:45:23.846 AM racoon[220]: begin.
3/6/14 8:45:23.846 AM racoon[220]: seen nptype=2(prop)
3/6/14 8:45:23.846 AM racoon[220]: succeed.
3/6/14 8:45:23.846 AM racoon[220]: proposal #1 len=44
3/6/14 8:45:23.846 AM racoon[220]: begin.
3/6/14 8:45:23.846 AM racoon[220]: seen nptype=3(trns)
3/6/14 8:45:23.846 AM racoon[220]: succeed.
3/6/14 8:45:23.846 AM racoon[220]: transform #1 len=36
3/6/14 8:45:23.846 AM racoon[220]: type=Life Type, flag=0x8000, lorv=seconds
3/6/14 8:45:23.846 AM racoon[220]: type=Life Duration, flag=0x8000, lorv=3600
3/6/14 8:45:23.846 AM racoon[220]: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
3/6/14 8:45:23.846 AM racoon[220]: encryption(aes)
3/6/14 8:45:23.846 AM racoon[220]: type=Key Length, flag=0x8000, lorv=256
3/6/14 8:45:23.847 AM racoon[220]: type=Authentication Method, flag=0x8000, lorv=pre-shared key
3/6/14 8:45:23.847 AM racoon[220]: type=Hash Algorithm, flag=0x8000, lorv=SHA
3/6/14 8:45:23.847 AM racoon[220]: hash(sha1)
3/6/14 8:45:23.847 AM racoon[220]: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
3/6/14 8:45:23.847 AM racoon[220]: hmac(modp1024)
3/6/14 8:45:23.847 AM racoon[220]: pair 1:
3/6/14 8:45:23.847 AM racoon[220]: 0x7fc5f3e2a570: next=0x0 tnext=0x0
3/6/14 8:45:23.847 AM racoon[220]: proposal #1: 1 transform
3/6/14 8:45:23.847 AM racoon[220]: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
3/6/14 8:45:23.847 AM racoon[220]: trns#=1, trns-id=IKE
3/6/14 8:45:23.847 AM racoon[220]: type=Life Type, flag=0x8000, lorv=seconds
3/6/14 8:45:23.847 AM racoon[220]: type=Life Duration, flag=0x8000, lorv=3600
3/6/14 8:45:23.847 AM racoon[220]: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
3/6/14 8:45:23.847 AM racoon[220]: type=Key Length, flag=0x8000, lorv=256
3/6/14 8:45:23.848 AM racoon[220]: type=Authentication Method, flag=0x8000, lorv=pre-shared key
3/6/14 8:45:23.848 AM racoon[220]: type=Hash Algorithm, flag=0x8000, lorv=SHA
3/6/14 8:45:23.848 AM racoon[220]: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
3/6/14 8:45:23.848 AM racoon[220]: Compared: DB:Peer
3/6/14 8:45:23.848 AM racoon[220]: (version = 0:0)
3/6/14 8:45:23.848 AM racoon[220]: (lifetime = 3600:3600)
3/6/14 8:45:23.848 AM racoon[220]: (lifebyte = 0:0)
3/6/14 8:45:23.848 AM racoon[220]: enctype = AES-CBC:AES-CBC
3/6/14 8:45:23.848 AM racoon[220]: (encklen = 256:256)
3/6/14 8:45:23.848 AM racoon[220]: hashtype = SHA:SHA
3/6/14 8:45:23.848 AM racoon[220]: authmethod = pre-shared key:pre-shared key
3/6/14 8:45:23.849 AM racoon[220]: dh_group = 1024-bit MODP group:1024-bit MODP group
3/6/14 8:45:23.849 AM racoon[220]: an acceptable proposal found.
3/6/14 8:45:23.849 AM racoon[220]: hmac(modp1024)
3/6/14 8:45:23.849 AM racoon[220]: agreed on pre-shared key auth.
3/6/14 8:45:23.849 AM racoon[220]: ****** state changed to: IKEv1 ident I msg2 rcvd
3/6/14 8:45:23.849 AM racoon[220]: >>>>> phase change status = Phase 1 started by peer
3/6/14 8:45:23.849 AM racoon[220]: vpn control writing 20 bytes
3/6/14 8:45:23.849 AM racoon[220]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
3/6/14 8:45:23.849 AM racoon[220]: ===
3/6/14 8:45:23.852 AM racoon[220]: compute DH’s private.
3/6/14 8:45:23.852 AM racoon[220]: compute DH’s public.
3/6/14 8:45:23.852 AM racoon[220]: Hashing 78.49.249.253[500] with algo #2
3/6/14 8:45:23.852 AM racoon[220]: hash(sha1)
3/6/14 8:45:23.852 AM racoon[220]: Hashing 192.168.1.71[500] with algo #2
3/6/14 8:45:23.852 AM racoon[220]: hash(sha1)
3/6/14 8:45:23.853 AM racoon[220]: Adding remote and local NAT-D payloads.
3/6/14 8:45:23.853 AM racoon[220]: add payload of len 128, next type 10
3/6/14 8:45:23.853 AM racoon[220]: add payload of len 16, next type 20
3/6/14 8:45:23.853 AM racoon[220]: add payload of len 20, next type 20
3/6/14 8:45:23.853 AM racoon[220]: add payload of len 20, next type 0
3/6/14 8:45:23.853 AM racoon[220]: 228 bytes from 192.168.1.71[500] to 78.49.249.253[500]
3/6/14 8:45:23.853 AM racoon[220]: sockname 192.168.1.71[500]
3/6/14 8:45:23.853 AM racoon[220]: send packet from 192.168.1.71[500]
3/6/14 8:45:23.853 AM racoon[220]: send packet to 78.49.249.253[500]
3/6/14 8:45:23.853 AM racoon[220]: @@@@@@ data being sent:
3/6/14 8:45:23.853 AM racoon[220]: 1 times of 228 bytes message will be sent to 78.49.249.253[500]
3/6/14 8:45:23.853 AM racoon[220]: Resend Phase 1 packet 5064890cae451dd7:b7f2c1d100a14491
3/6/14 8:45:23.853 AM racoon[220]: ****** state changed to: IKEv1 ident I msg3 sent
3/6/14 8:45:23.853 AM racoon[220]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
3/6/14 8:45:24.438 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:24.453 AM racoon[220]: @@@@@@ data from readmsg:
3/6/14 8:45:24.454 AM racoon[220]: start search for IKE-Session. target 78.49.249.253[500].
3/6/14 8:45:24.454 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:24.454 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:24.454 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:24.454 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:24.454 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:24.454 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:24.454 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:24.454 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:24.454 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:24.454 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:24.454 AM racoon[220]: still searching. skipping… session to 78.49.249.253[0] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:24.454 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:24.454 AM racoon[220]: still searching. skipping… session to 78.49.249.253[0] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:24.454 AM racoon[220]: still search for IKE-Session. this fde2:9c67:8a48:4901:85e9:2f81:fbe7:98f9[500].
3/6/14 8:45:24.454 AM racoon[220]: still searching. skipping… session to fde2:9c67:8a48:4901:85e9:2f81:fbe7:98f9[500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:24.454 AM racoon[220]: Best-match IKE-Session to 78.49.249.253[0].
3/6/14 8:45:24.455 AM racoon[220]: 228 bytes message received from 78.49.249.253[500] to 192.168.1.71[500]
3/6/14 8:45:24.455 AM racoon[220]: start search for IKE-Session. target 78.49.249.253[500].
3/6/14 8:45:24.455 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:24.455 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:24.455 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:24.455 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:24.455 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:24.455 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:24.455 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:24.455 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:24.455 AM racoon[220]: still searching. skipping… session to 78.49.249.253[4500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:24.455 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:24.455 AM racoon[220]: still searching. skipping… session to 78.49.249.253[0] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:24.455 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[0].
3/6/14 8:45:24.455 AM racoon[220]: still searching. skipping… session to 78.49.249.253[0] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:24.455 AM racoon[220]: still search for IKE-Session. this fde2:9c67:8a48:4901:85e9:2f81:fbe7:98f9[500].
3/6/14 8:45:24.455 AM racoon[220]: still searching. skipping… session to fde2:9c67:8a48:4901:85e9:2f81:fbe7:98f9[500] is already stopped, active ph1 0 ph2 1.
3/6/14 8:45:24.456 AM racoon[220]: Best-match IKE-Session to 78.49.249.253[0].
3/6/14 8:45:24.456 AM racoon[220]: begin.
3/6/14 8:45:24.456 AM racoon[220]: seen nptype=4(ke)
3/6/14 8:45:24.456 AM racoon[220]: seen nptype=10(nonce)
3/6/14 8:45:24.456 AM racoon[220]: seen nptype=20(nat-d)
3/6/14 8:45:24.456 AM racoon[220]: seen nptype=20(nat-d)
3/6/14 8:45:24.456 AM racoon[220]: succeed.
3/6/14 8:45:24.456 AM racoon[220]: Hashing 192.168.1.71[500] with algo #2
3/6/14 8:45:24.456 AM racoon[220]: hash(sha1)
3/6/14 8:45:24.456 AM racoon[220]: NAT-D payload #0 doesn’t match
3/6/14 8:45:24.456 AM racoon[220]: Hashing 78.49.249.253[500] with algo #2
3/6/14 8:45:24.456 AM racoon[220]: hash(sha1)
3/6/14 8:45:24.456 AM racoon[220]: NAT-D payload #1 doesn’t match
3/6/14 8:45:24.456 AM racoon[220]: NAT detected: ME PEER
3/6/14 8:45:24.456 AM racoon[220]: ****** state changed to: IKEv1 ident I msg4 rcvd
3/6/14 8:45:24.456 AM racoon[220]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
3/6/14 8:45:24.456 AM racoon[220]: ===
3/6/14 8:45:24.459 AM racoon[220]: compute DH’s shared.
3/6/14 8:45:24.459 AM racoon[220]: Getting pre-shared key from keychain.
3/6/14 8:45:24.465 AM racoon[220]: the psk found.
3/6/14 8:45:24.465 AM racoon[220]: psk:
22486f6c 6d657322
3/6/14 8:45:24.465 AM racoon[220]: hmac(hmac_sha1)
3/6/14 8:45:24.465 AM racoon[220]: hmac(hmac_sha1)
3/6/14 8:45:24.465 AM racoon[220]: hmac(hmac_sha1)
3/6/14 8:45:24.466 AM racoon[220]: hmac(hmac_sha1)
3/6/14 8:45:24.466 AM racoon[220]: encryption(aes)
3/6/14 8:45:24.466 AM racoon[220]: hash(sha1)
3/6/14 8:45:24.466 AM racoon[220]: len(SKEYID_e) < len(Ka) (20 < 32), generating long key (Ka = K1 | K2 | …)
3/6/14 8:45:24.466 AM racoon[220]: hmac(hmac_sha1)
3/6/14 8:45:24.466 AM racoon[220]: compute intermediate encryption key K1
3/6/14 8:45:24.466 AM racoon[220]: hmac(hmac_sha1)
3/6/14 8:45:24.466 AM racoon[220]: compute intermediate encryption key K2
3/6/14 8:45:24.466 AM racoon[220]: hash(sha1)
3/6/14 8:45:24.466 AM racoon[220]: encryption(aes)
3/6/14 8:45:24.466 AM racoon[220]: use ID type of IPv4_address

011101f4 c0a80147
3/6/14 8:45:24.467 AM racoon[220]: hmac(hmac_sha1)
3/6/14 8:45:24.467 AM racoon[220]: failed to add initial-contact payload: rekey 0, ini-contact 1, contacted 1.
3/6/14 8:45:24.467 AM racoon[220]: add payload of len 8, next type 8
3/6/14 8:45:24.467 AM racoon[220]: add payload of len 20, next type 0
3/6/14 8:45:24.467 AM racoon[220]: Begin encryption.
3/6/14 8:45:24.467 AM racoon[220]: encryption(aes)
3/6/14 8:45:24.467 AM racoon[220]: pad length = 12
3/6/14 8:45:24.467 AM racoon[220]: About to encrypt 48 bytes
0800000c 011101f4 c0a80147 00000018 1a817ddd 182aa832 3c13c9b4 385e56be
5218eb3f 00000000 00000000 0000000c
3/6/14 8:45:24.467 AM racoon[220]: encryption(aes)
3/6/14 8:45:24.467 AM racoon[220]: Encrypted.
3/6/14 8:45:24.467 AM racoon[220]: Adding NON-ESP marker
3/6/14 8:45:24.468 AM racoon[220]: 80 bytes from 192.168.1.71[4500] to 78.49.249.253[4500]
3/6/14 8:45:24.468 AM racoon[220]: sockname 192.168.1.71[4500]
3/6/14 8:45:24.468 AM racoon[220]: send packet from 192.168.1.71[4500]
3/6/14 8:45:24.468 AM racoon[220]: send packet to 78.49.249.253[4500]
3/6/14 8:45:24.468 AM racoon[220]: @@@@@@ data being sent:
3/6/14 8:45:24.468 AM racoon[220]: 1 times of 80 bytes message will be sent to 78.49.249.253[4500]
3/6/14 8:45:24.468 AM racoon[220]: Resend Phase 1 packet 5064890cae451dd7:b7f2c1d100a14491
3/6/14 8:45:24.468 AM racoon[220]: Adding NON-ESP marker
3/6/14 8:45:24.468 AM racoon[220]: ****** state changed to: IKEv1 ident I msg5 sent
3/6/14 8:45:24.468 AM racoon[220]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
3/6/14 8:45:25.532 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:26.603 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:27.686 AM racoon[220]: Adding NON-ESP marker
3/6/14 8:45:27.686 AM racoon[220]: 80 bytes from 192.168.1.71[4500] to 78.49.249.253[4500]
3/6/14 8:45:27.686 AM racoon[220]: sockname 192.168.1.71[4500]
3/6/14 8:45:27.686 AM racoon[220]: send packet from 192.168.1.71[4500]
3/6/14 8:45:27.686 AM racoon[220]: send packet to 78.49.249.253[4500]
3/6/14 8:45:27.686 AM racoon[220]: @@@@@@ data being sent:
3/6/14 8:45:27.686 AM racoon[220]: 1 times of 80 bytes message will be sent to 78.49.249.253[4500]
3/6/14 8:45:27.686 AM racoon[220]: IKE Packet: transmit success. (Phase 1 Retransmit).
3/6/14 8:45:27.686 AM racoon[220]: Resend Phase 1 packet 5064890cae451dd7:b7f2c1d100a14491
3/6/14 8:45:27.686 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:27.689 AM racoon[220]: @@@@@@ data from readmsg:
3/6/14 8:45:27.689 AM racoon[220]: start search for IKE-Session. target 78.49.249.253[4500].
3/6/14 8:45:27.689 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:27.690 AM racoon[220]: Pre-existing IKE-Session to 78.49.249.253[4500]. case 1.
3/6/14 8:45:27.690 AM racoon[220]: 228 bytes message received from 78.49.249.253[4500] to 192.168.1.71[4500]
3/6/14 8:45:27.690 AM racoon[220]: !!! skipped retransmitting frags: frag_flags 1, r->sendbuf->l 80, max 1280
3/6/14 8:45:27.690 AM racoon[220]: sockname 192.168.1.71[4500]
3/6/14 8:45:27.690 AM racoon[220]: send packet from 192.168.1.71[4500]
3/6/14 8:45:27.690 AM racoon[220]: send packet to 78.49.249.253[4500]
3/6/14 8:45:27.690 AM racoon[220]: @@@@@@ data being sent:
3/6/14 8:45:27.690 AM racoon[220]: 1 times of 80 bytes message will be sent to 78.49.249.253[4500]
3/6/14 8:45:27.690 AM racoon[220]: Received retransmitted packet from 78.49.249.253[4500].
3/6/14 8:45:27.690 AM racoon[220]: the packet is retransmitted by 78.49.249.253[4500].
3/6/14 8:45:28.769 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:29.862 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:30.904 AM racoon[220]: @@@@@@ data from readmsg:
3/6/14 8:45:30.904 AM racoon[220]: start search for IKE-Session. target 78.49.249.253[4500].
3/6/14 8:45:30.904 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:30.904 AM racoon[220]: Pre-existing IKE-Session to 78.49.249.253[4500]. case 1.
3/6/14 8:45:30.904 AM racoon[220]: 228 bytes message received from 78.49.249.253[4500] to 192.168.1.71[4500]
3/6/14 8:45:30.904 AM racoon[220]: !!! skipped retransmitting frags: frag_flags 1, r->sendbuf->l 80, max 1280
3/6/14 8:45:30.905 AM racoon[220]: sockname 192.168.1.71[4500]
3/6/14 8:45:30.905 AM racoon[220]: send packet from 192.168.1.71[4500]
3/6/14 8:45:30.905 AM racoon[220]: send packet to 78.49.249.253[4500]
3/6/14 8:45:30.905 AM racoon[220]: @@@@@@ data being sent:
3/6/14 8:45:30.905 AM racoon[220]: 1 times of 80 bytes message will be sent to 78.49.249.253[4500]
3/6/14 8:45:30.905 AM racoon[220]: Received retransmitted packet from 78.49.249.253[4500].
3/6/14 8:45:30.905 AM racoon[220]: the packet is retransmitted by 78.49.249.253[4500].
3/6/14 8:45:30.958 AM racoon[220]: Adding NON-ESP marker
3/6/14 8:45:30.958 AM racoon[220]: 80 bytes from 192.168.1.71[4500] to 78.49.249.253[4500]
3/6/14 8:45:30.958 AM racoon[220]: sockname 192.168.1.71[4500]
3/6/14 8:45:30.958 AM racoon[220]: send packet from 192.168.1.71[4500]
3/6/14 8:45:30.958 AM racoon[220]: send packet to 78.49.249.253[4500]
3/6/14 8:45:30.958 AM racoon[220]: @@@@@@ data being sent:
3/6/14 8:45:30.959 AM racoon[220]: 1 times of 80 bytes message will be sent to 78.49.249.253[4500]
3/6/14 8:45:30.959 AM racoon[220]: IKE Packet: transmit success. (Phase 1 Retransmit).
3/6/14 8:45:30.959 AM racoon[220]: Resend Phase 1 packet 5064890cae451dd7:b7f2c1d100a14491
3/6/14 8:45:30.959 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:31.959 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:33.051 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:34.149 AM racoon[220]: Adding NON-ESP marker
3/6/14 8:45:34.149 AM racoon[220]: 80 bytes from 192.168.1.71[4500] to 78.49.249.253[4500]
3/6/14 8:45:34.149 AM racoon[220]: sockname 192.168.1.71[4500]
3/6/14 8:45:34.149 AM racoon[220]: send packet from 192.168.1.71[4500]
3/6/14 8:45:34.149 AM racoon[220]: send packet to 78.49.249.253[4500]
3/6/14 8:45:34.150 AM racoon[220]: @@@@@@ data being sent:
3/6/14 8:45:34.150 AM racoon[220]: 1 times of 80 bytes message will be sent to 78.49.249.253[4500]
3/6/14 8:45:34.150 AM racoon[220]: IKE Packet: transmit success. (Phase 1 Retransmit).
3/6/14 8:45:34.150 AM racoon[220]: Resend Phase 1 packet 5064890cae451dd7:b7f2c1d100a14491
3/6/14 8:45:34.150 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:34.191 AM racoon[220]: @@@@@@ data from readmsg:
3/6/14 8:45:34.191 AM racoon[220]: start search for IKE-Session. target 78.49.249.253[4500].
3/6/14 8:45:34.191 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:34.191 AM racoon[220]: Pre-existing IKE-Session to 78.49.249.253[4500]. case 1.
3/6/14 8:45:34.192 AM racoon[220]: 228 bytes message received from 78.49.249.253[4500] to 192.168.1.71[4500]
3/6/14 8:45:34.192 AM racoon[220]: !!! skipped retransmitting frags: frag_flags 1, r->sendbuf->l 80, max 1280
3/6/14 8:45:34.192 AM racoon[220]: sockname 192.168.1.71[4500]
3/6/14 8:45:34.192 AM racoon[220]: send packet from 192.168.1.71[4500]
3/6/14 8:45:34.192 AM racoon[220]: send packet to 78.49.249.253[4500]
3/6/14 8:45:34.192 AM racoon[220]: @@@@@@ data being sent:
3/6/14 8:45:34.192 AM racoon[220]: 1 times of 80 bytes message will be sent to 78.49.249.253[4500]
3/6/14 8:45:34.192 AM racoon[220]: Received retransmitted packet from 78.49.249.253[4500].
3/6/14 8:45:34.192 AM racoon[220]: the packet is retransmitted by 78.49.249.253[4500].
3/6/14 8:45:35.219 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:36.312 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:37.395 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:38.395 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:39.489 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:40.587 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:41.588 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:42.683 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:43.763 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:44.850 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:45.948 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:47.038 AM racoon[220]: Adding NON-ESP marker
3/6/14 8:45:47.038 AM racoon[220]: 80 bytes from 192.168.1.71[4500] to 78.49.249.253[4500]
3/6/14 8:45:47.038 AM racoon[220]: sockname 192.168.1.71[4500]
3/6/14 8:45:47.038 AM racoon[220]: send packet from 192.168.1.71[4500]
3/6/14 8:45:47.038 AM racoon[220]: send packet to 78.49.249.253[4500]
3/6/14 8:45:47.038 AM racoon[220]: @@@@@@ data being sent:

3/6/14 8:45:47.039 AM racoon[220]: 1 times of 80 bytes message will be sent to 78.49.249.253[4500]
3/6/14 8:45:47.039 AM racoon[220]: IKE Packet: transmit success. (Phase 1 Retransmit).
3/6/14 8:45:47.039 AM racoon[220]: Resend Phase 1 packet 5064890cae451dd7:b7f2c1d100a14491
3/6/14 8:45:47.039 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:47.435 AM racoon[220]: @@@@@@ data from readmsg:

3/6/14 8:45:47.435 AM racoon[220]: @@@@@@ data from readmsg:

3/6/14 8:45:47.435 AM racoon[220]: start search for IKE-Session. target 78.49.249.253[4500].
3/6/14 8:45:47.435 AM racoon[220]: still search for IKE-Session. this 78.49.249.253[4500].
3/6/14 8:45:47.436 AM racoon[220]: Pre-existing IKE-Session to 78.49.249.253[4500]. case 1.
3/6/14 8:45:47.436 AM racoon[220]: 228 bytes message received from 78.49.249.253[4500] to 192.168.1.71[4500]
3/6/14 8:45:47.436 AM racoon[220]: !!! skipped retransmitting frags: frag_flags 1, r->sendbuf->l 80, max 1280
3/6/14 8:45:47.436 AM racoon[220]: sockname 192.168.1.71[4500]
3/6/14 8:45:47.436 AM racoon[220]: send packet from 192.168.1.71[4500]
3/6/14 8:45:47.436 AM racoon[220]: send packet to 78.49.249.253[4500]
3/6/14 8:45:47.436 AM racoon[220]: @@@@@@ data being sent:

3/6/14 8:45:47.436 AM racoon[220]: 1 times of 80 bytes message will be sent to 78.49.249.253[4500]
3/6/14 8:45:47.436 AM racoon[220]: Received retransmitted packet from 78.49.249.253[4500].
3/6/14 8:45:47.436 AM racoon[220]: the packet is retransmitted by 78.49.249.253[4500].
3/6/14 8:45:48.127 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:49.213 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:50.293 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:51.293 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:52.293 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:53.393 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:53.849 AM pppd[29382]: IPSec connection failed
3/6/14 8:45:53.850 AM racoon[220]: vpn_control socket closed by peer.
3/6/14 8:45:53.850 AM racoon[220]: received disconnect all command.
3/6/14 8:45:53.850 AM racoon[220]: IPSec disconnecting from server 78.49.249.253
3/6/14 8:45:53.850 AM racoon[220]: already stopped ike_session_stopped_by_controller.
3/6/14 8:45:53.850 AM racoon[220]: already stopped ike_session_stopped_by_controller.
3/6/14 8:45:53.850 AM racoon[220]: already stopped ike_session_stopped_by_controller.
3/6/14 8:45:53.850 AM racoon[220]: already stopped ike_session_stopped_by_controller.
3/6/14 8:45:53.850 AM racoon[220]: already stopped ike_session_stopped_by_controller.
3/6/14 8:45:53.851 AM racoon[220]: already stopped ike_session_stopped_by_controller.
3/6/14 8:45:53.851 AM racoon[220]: in ike_session_purgephXbydstaddrwop… purging Phase 2 structures
3/6/14 8:45:53.851 AM racoon[220]: Phase 2 sa expired 192.168.1.71-78.49.249.253
3/6/14 8:45:53.851 AM racoon[220]: ****** state changed to: Phase 2 expired
3/6/14 8:45:53.851 AM racoon[220]: in ike_session_purgephXbydstaddrwop… purging Phase 1 and related Phase 2 structures
3/6/14 8:45:53.851 AM racoon[220]: IPsec-SA needs to be purged: ESP 192.168.1.71[4500]->78.49.249.253[4500] spi=520093696(0x1f000000)
3/6/14 8:45:53.851 AM racoon[220]: ISAKMP-SA expired 192.168.1.71[4500]-78.49.249.253[4500] spi:5064890cae451dd7:b7f2c1d100a14491
3/6/14 8:45:53.852 AM racoon[220]: ****** state changed to: Phase 1 expired
3/6/14 8:45:53.852 AM racoon[220]: no ph1bind replacement found. NULL ph1.
3/6/14 8:45:53.852 AM racoon[220]: vpncontrol_close_comm.
3/6/14 8:45:53.852 AM racoon[220]: ==== Got usr1 signal – re-parsing configuration.
3/6/14 8:45:53.852 AM racoon[220]: ==== flush negotiating sessions.
3/6/14 8:45:53.852 AM racoon[220]: flushing ph2 handles: ignore_estab_or_assert 1…
3/6/14 8:45:53.852 AM racoon[220]: Flushing Phase 1 handles: ignore_estab_or_assert 1…
3/6/14 8:45:53.852 AM racoon[220]: already stopped ike_session_stopped_by_controller.
3/6/14 8:45:53.853 AM racoon[220]: IV freed
3/6/14 8:45:53.853 AM racoon[220]: ===== parsing configuration
3/6/14 8:45:53.853 AM racoon[220]: reading configuration file /etc/racoon/racoon.conf
3/6/14 8:45:53.853 AM racoon[220]: lifetime = 60
3/6/14 8:45:53.853 AM racoon[220]: lifebyte = 0
3/6/14 8:45:53.853 AM racoon[220]: encklen=0
3/6/14 8:45:53.853 AM racoon[220]: p:1 t:1
3/6/14 8:45:53.853 AM racoon[220]: 3DES-CBC(5)
3/6/14 8:45:53.854 AM racoon[220]: SHA(2)
3/6/14 8:45:53.854 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:53.854 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:53.854 AM racoon[220]: 0
3/6/14 8:45:53.854 AM racoon[220]: 0
3/6/14 8:45:53.854 AM racoon[220]: hmac(modp1024)
3/6/14 8:45:53.854 AM racoon[220]: filename: /var/run/racoon/*.conf
3/6/14 8:45:53.854 AM racoon[220]: reading configuration file /var/run/racoon/fd62:dfc9:18e8:d055:7198:0d04:2560:bdb3.conf
3/6/14 8:45:53.855 AM racoon[220]: lifetime = 900
3/6/14 8:45:53.855 AM racoon[220]: lifebyte = 0
3/6/14 8:45:53.855 AM racoon[220]: encklen=128
3/6/14 8:45:53.855 AM racoon[220]: p:1 t:1
3/6/14 8:45:53.855 AM racoon[220]: AES-CBC(7)
3/6/14 8:45:53.855 AM racoon[220]: SHA256(4)
3/6/14 8:45:53.855 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:53.855 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:53.855 AM racoon[220]: 0
3/6/14 8:45:53.856 AM racoon[220]: 0
3/6/14 8:45:53.856 AM racoon[220]: lifetime = 900
3/6/14 8:45:53.856 AM racoon[220]: lifebyte = 0
3/6/14 8:45:53.856 AM racoon[220]: encklen=128
3/6/14 8:45:53.856 AM racoon[220]: p:1 t:2
3/6/14 8:45:53.856 AM racoon[220]: AES-CBC(7)
3/6/14 8:45:53.856 AM racoon[220]: SHA(2)
3/6/14 8:45:53.856 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:53.856 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:53.856 AM racoon[220]: 0
3/6/14 8:45:53.856 AM racoon[220]: 0
3/6/14 8:45:53.857 AM racoon[220]: hmac(modp1024)
3/6/14 8:45:53.857 AM racoon[220]: reading configuration file /var/run/racoon/fd93:088e:32fb:0a3a:7198:0d04:2560:bdb3.conf
3/6/14 8:45:53.857 AM racoon[220]: lifetime = 900
3/6/14 8:45:53.857 AM racoon[220]: lifebyte = 0
3/6/14 8:45:53.857 AM racoon[220]: encklen=128
3/6/14 8:45:53.857 AM racoon[220]: p:1 t:1
3/6/14 8:45:53.857 AM racoon[220]: AES-CBC(7)
3/6/14 8:45:53.857 AM racoon[220]: SHA256(4)
3/6/14 8:45:53.857 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:53.858 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:53.858 AM racoon[220]: 0
3/6/14 8:45:53.858 AM racoon[220]: 0
3/6/14 8:45:53.858 AM racoon[220]: lifetime = 900
3/6/14 8:45:53.858 AM racoon[220]: lifebyte = 0
3/6/14 8:45:53.858 AM racoon[220]: encklen=128
3/6/14 8:45:53.858 AM racoon[220]: p:1 t:2
3/6/14 8:45:53.858 AM racoon[220]: AES-CBC(7)
3/6/14 8:45:53.858 AM racoon[220]: SHA(2)
3/6/14 8:45:53.858 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:53.858 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:53.859 AM racoon[220]: 0
3/6/14 8:45:53.859 AM racoon[220]: 0
3/6/14 8:45:53.859 AM racoon[220]: hmac(modp1024)
3/6/14 8:45:53.859 AM racoon[220]: reading configuration file /var/run/racoon/fde2:9c67:8a48:4901:7198:0d04:2560:bdb3.conf
3/6/14 8:45:53.859 AM racoon[220]: lifetime = 900
3/6/14 8:45:53.859 AM racoon[220]: lifebyte = 0
3/6/14 8:45:53.859 AM racoon[220]: encklen=128
3/6/14 8:45:53.859 AM racoon[220]: p:1 t:1
3/6/14 8:45:53.859 AM racoon[220]: AES-CBC(7)
3/6/14 8:45:53.859 AM racoon[220]: SHA256(4)
3/6/14 8:45:53.859 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:53.860 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:53.860 AM racoon[220]: 0
3/6/14 8:45:53.860 AM racoon[220]: 0
3/6/14 8:45:53.860 AM racoon[220]: lifetime = 900
3/6/14 8:45:53.860 AM racoon[220]: lifebyte = 0
3/6/14 8:45:53.860 AM racoon[220]: encklen=128
3/6/14 8:45:53.860 AM racoon[220]: p:1 t:2
3/6/14 8:45:53.860 AM racoon[220]: AES-CBC(7)
3/6/14 8:45:53.860 AM racoon[220]: SHA(2)
3/6/14 8:45:53.860 AM racoon[220]: 1024-bit MODP group(2)
3/6/14 8:45:53.860 AM racoon[220]: pre-shared key(1)
3/6/14 8:45:53.861 AM racoon[220]: 0
3/6/14 8:45:53.861 AM racoon[220]: 0
3/6/14 8:45:53.861 AM racoon[220]: hmac(modp1024)
3/6/14 8:45:53.861 AM racoon[220]: parse succeeded.
3/6/14 8:45:53.861 AM racoon[220]: SADB delete message: proto-id 3
3/6/14 8:45:53.861 AM racoon[220]: src: 192.168.1.71[57574]
3/6/14 8:45:53.861 AM racoon[220]: dst: 78.49.249.253[1701]
3/6/14 8:45:53.861 AM racoon[220]: SADB delete message: proto-id 3
3/6/14 8:45:53.862 AM racoon[220]: src: 78.49.249.253[1701]
3/6/14 8:45:53.862 AM racoon[220]: dst: 192.168.1.71[57574]
3/6/14 8:45:53.862 AM racoon[220]: SADB delete message: proto-id 3
3/6/14 8:45:53.862 AM racoon[220]: src: 192.168.1.71[57574]
3/6/14 8:45:53.862 AM racoon[220]: dst: 78.49.249.253[1701]
3/6/14 8:45:53.862 AM racoon[220]: SADB delete message: proto-id 3
3/6/14 8:45:53.862 AM racoon[220]: src: 78.49.249.253[1701]
3/6/14 8:45:53.862 AM racoon[220]: dst: 192.168.1.71[57574]
3/6/14 8:45:53.928 AM UserNotificationCenter[29383]: *** WARNING: Method userSpaceScaleFactor in class NSWindow is deprecated on 10.7 and later. It should not be used in new applications. Use convertRectToBacking: instead.
3/6/14 8:45:54.393 AM racoon[220]: CHKPH1THERE: ph2 handle has advanced too far (status 18432, START 6336, dying -1)… ignoring

Reply
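
As an added example that is not part of the original comment or the guide, a small POSIX shell triage for a racoon debug log in the format pasted above. The `ISAKMP-SA established` success marker is an assumption, since the log above shows only the failing path; the sample lines are a subset copied from that log.

```bash
#!/bin/sh
# Added example, not part of the original thread. Summarises a racoon debug log in the
# format pasted above: how many times racoon polled for a Phase 1 handler that never
# appeared, how many Phase 1 resends it made, and whether the attempt ended with pppd's
# "IPSec connection failed". Usage: racoon_ike_summary [logfile ...]  (stdin if none)

racoon_ike_summary() {
  awk '
    /CHKPH1THERE: no established ph1 handler found/ { nophase1++ }
    /Resend Phase 1 packet/                         { retrans++ }
    # Assumed success marker: the pasted log shows only the failure path.
    /ISAKMP-SA established/                         { established = 1 }
    /ISAKMP-SA expired/                             { expired = 1 }
    /IPSec connection failed/                       { failed = 1 }
    END {
      if (established)            verdict = "phase1-ok"
      else if (failed || expired) verdict = "phase1-never-completed"
      else                        verdict = "in-progress"
      printf "nophase1=%d retransmits=%d established=%d failed=%d verdict=%s\n",
             nophase1, retrans, established, failed, verdict
    }' "$@"
}

# Sample input: a handful of lines taken from the log above (constructed subset).
racoon_ike_sample() {
  cat <<'EOF'
3/6/14 8:45:34.150 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:35.219 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:47.038 AM racoon[220]: 80 bytes from 192.168.1.71[4500] to 78.49.249.253[4500]
3/6/14 8:45:47.039 AM racoon[220]: IKE Packet: transmit success. (Phase 1 Retransmit).
3/6/14 8:45:47.039 AM racoon[220]: Resend Phase 1 packet 5064890cae451dd7:b7f2c1d100a14491
3/6/14 8:45:48.127 AM racoon[220]: CHKPH1THERE: no established ph1 handler found
3/6/14 8:45:53.849 AM pppd[29382]: IPSec connection failed
3/6/14 8:45:53.851 AM racoon[220]: ISAKMP-SA expired 192.168.1.71[4500]-78.49.249.253[4500] spi:5064890cae451dd7:b7f2c1d100a14491
EOF
}

# Stand-alone run. A verdict of phase1-never-completed with a growing nophase1 count
# means the peer never finished IKE Phase 1; the two causes discussed in this thread are
# UDP 500/1701/4500 not reaching the server and the Mavericks racoon bug.
racoon_ike_sample | racoon_ike_summary
```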

Jon Stacey February 26, 2014 at 11:25 pm

Good news everyone: the 10.9.2 release appears to have fixed the racoon bug. That step is no longer required now and did not break my setup like the 10.9 to 10.9.1 jump.

Reply

hai February 27, 2014 at 11:44 am

I do have an issue though with 10.9.2. I have to deactivate and reactivate the VPN activator in order to let the connection into the L2TP VPN server. I don’t understand what I did wrong…

Reply

Jon Stacey February 27, 2014 at 12:24 pm

hai,
Launch activator? What’s that? It’s working for me personally through reboots with the above guide and standard launchd profiles.

Reply

Bob February 26, 2014 at 4:17 pm

I stumbled upon this site while researching ‘the man in the middle’ issue with OS X. It all seems very easy, but was wondering what advantages there are to setting this up on your own computer? Surf the web from my iPhone more securely? Not sure what it gets me. Please explain!

Reply

Jon Stacey February 26, 2014 at 11:23 pm

Bob,
That’s one possible use. It will protect your connection between mobile device and home. You would still be unprotected from your home network out to the final destination, so you would still be susceptible to the MITM attack vector unless you’re running 10.9.2.

I use a VPN when I’m remote to connect to my home network as if I were physically there. It allows me to access the other computers on my network that aren’t directly accessible on the internet.

Reply

Antonio February 13, 2014 at 7:00 pm

The VPN-L2TP did not respond…

That’s what I get from my iPhone when trying to connect VPN

I’m a newbie at this VPN implementation.
Using the command line:
sudo launchctl load -w /Library/LaunchDaemons/com.apple.ppp.l2tp.plist
shows no issues.
Repeating it I get the message: “com.apple.ppp.l2tp: Already loaded”
Ports are forwarded to my Mac VPN server’s static IP and the ports are also enabled at the modem and router.
All the tutorial process was easy to implement with no issues.

Is there something, some step that I missed?

If I use the VPN Server app from greenworld it works fine and actually I’m able to control my home automation system.

Besides the secret phrase, the VPN settings require user and password account info. Is that my account info when I log in with my Mac?

I’ll appreciate very much any help from you

Reply

Jon Stacey February 14, 2014 at 6:28 pm

Antonio,
Did you replace racoon? It sounds like symptoms I was having with the stock version that comes with OS X Mavericks.

If you’ve already done that, check the console for logs to see if there are more clues. If no l2tp or vpnd related logs appear then the connection isn’t getting to your computer.

Reply

Antonio Ferreira February 14, 2014 at 11:36 pm

I did replace racoon by using solution 1.
No issues here.
I also don’t get any error message at the terminal window when I execute the load or unload command.
It simply asks for my password and that’s it.
My network is made up of a Time Capsule in DHCP mode ranging from 10.0.1.100 to 10.0.1.199. My Mac has the fixed IP 10.0.1.50.
At the router/modem (GSM), I set up the port forwarding to 10.0.1.50 and also set up the port permissions for 500, 1701, 4500 (UDP) and 1723 (TCP).
Using the “Activity Monitor” app included in the “Utilities” directory I can see that the vpnd process is running as user root.

Any other clues?

Reply

Ferd February 4, 2014 at 1:13 pm

Thanks, setup is straightforward and VPN works great. Just another question, is there a way to monitor things like bandwidth/amount of traffic that goes through the VPN on the server side – thanks.

Reply

SoZo January 22, 2014 at 5:14 pm

This worked perfectly for me.
Method 1 was the solution to all my L2TP issues on Mavericks (non-server).

Thx heaps for this fix!!
SoZo

Reply

P LA Salle January 11, 2014 at 2:49 pm

Totally new to this VPN lingo so any help I can get is great.
Would like to use a VPN to secure my data and info and because it’s been suggested that my ISP Comcast throttles Netflix, which makes watching movies near impossible.

The info I have is I can buy into a VPN service for approx. 8-9 bucks a month, reasonable, but I’m still worried about sending banking info through a tunnel to a server possibly in Russia etc.

So I was wondering, can I buy Mac OS X Server for 19.95 once and set it up on my computer and then be a client to myself on that same computer? Or any other self-contained and inexpensive solution would be helpful.

Reply

Jon Stacey January 12, 2014 at 7:30 pm

P LA Salle,

Well first off if I were you I would track down the streaming issues with Comcast and prove/disprove that they are throttling specific content. I have not heard of them doing that, but I’m not one of their customers. If it turns out to be true, I would attempt to resolve it with Comcast and failing that switch to another ISP to help enforce net neutrality with my wallet rather than simply mask over the problem with a tunnel. That’s what I would do.

There are definitely paid VPN services out there that you can use, but if that’s not the endpoint and the traffic you’re sending is not encrypted, then somewhere along the line it’s viewable to someone. It might not be by your ISP, but someone else could be watching it since it’s in the clear [example NSA]. This guide is about setting up your own computer as an L2TP VPN server without Apple’s Server application. From a security standpoint unencrypted traffic sent to your home network as the end point would be okay, but if that traffic is forwarded on then from your home back out through your ISP to its final destination, then you’re only protected along the network path between your current location and home, and you are not protected from home out to the final end point.

That’s a fairly inadequate description if you’re new to this so I would suggest reading up a bit on Wikipedia or a book from a more outspoken author ;-)

Setting up your own VPN server on your own home network will not help you get around throttling. You would have to set up a VPN server outside of your network to tunnel through Comcast’s restrictions [assuming that they don't also throttle that type of traffic].

Reply

Marco January 7, 2014 at 2:46 pm

Hi Jon,
I’ve got something wrong: I can connect to the server only after I kill the vpnd process once.

  1. Reboot the server.
  2. Try to connect from a client and the server doesn’t respond.
  3. killall vpnd
  4. Try to connect from a client and it works.

I copied the launchctl config from yours. Please help!

Reply

Jon Stacey January 9, 2014 at 7:13 pm

Hi Marco,

That’s a new one. Does anything show up in the logs after the first reboot that might indicate what the problem is? Might want to check if there’s a second launchd profile – maybe it’s a different instance.

Here’s what my process looks like running:

Jon-Staceys-iMac:~ jon$ ps ax | grep vpn
135 ?? Ss 0:27.88 /usr/sbin/vpnd -x -i com.apple.ppp.l2tp

Reply

Marco January 11, 2014 at 5:01 pm

Hi Jon, thanks for your reply.
Apparently my issue was due to a conflict with “Back to My Mac”. Disabling it solved the problem!

Reply

Leo December 29, 2013 at 8:15 am

Hi Jon,
Thank you very much for the tutorial, I started with a 10.9.1 Mavericks and it worked out of the box. I had an initial issue with the router because I didn’t notice that the three ports to open were UDP and I opened TCP, but after fixing it, it worked fine.
Happy New Year!

Reply

Peter December 23, 2013 at 1:46 pm

Looks like Apple released a fix for this but it only installs on systems that have Server. My non-server 10.9.1 won’t do the install. Presumably this is what is needed for those of us using something like iVPN to get VPN functionality out of a non-server install.

Anyone figured out a workaround to apply this fix to non-server Mavericks, or if it will work at all?

Reply

Jon Stacey December 24, 2013 at 1:12 pm

I have modified Apple’s installation package to bypass the check for the Server.app and have modified the instructions above.

Download the modified package MavericksVPNUpdateServerAppLess.pkg.

Also check the official Apple installer if you do have the Server.app installed: http://support.apple.com/kb/DL1716

Reply

Peter December 19, 2013 at 4:12 pm

I am using iVPN for my Mavericks (non-server) L2TP setup, so I don’t know about all the other settings. I replaced racoon with the version embedded above (and tried my own from a Mountain Lion box). I replaced the binary, changed the permissions to match the original one (root/wheel) and rebooted.

Nothing. I still get CHAP failure … access denied.

Anyone have any ideas?

Reply

Peter December 19, 2013 at 3:47 pm

I am using iVPN to manage my L2TP vpn setup on a non-server Mavericks install. I also have been without L2TP connectivity since Mavericks (although I swear it worked at first …).

Since I am using iVPN, I only replaced the racoon executable and then restarted (i.e. didn’t do other steps above). I still get a CHAP failure access denied when I try to connect via L2TP.

Any suggestions?

Reply

Peter December 19, 2013 at 4:13 pm

Whoops, didn’t mean to post twice.

Reply

Jon Stacey December 18, 2013 at 1:06 pm

Heads up everyone! The 10.9.1 update replaces racoon with the original version. After you update you will need to replace racoon once again.

Reply

dkunesh November 17, 2013 at 4:37 pm

Progress! I got L2TP started but can’t get my iPhone to connect. Here is what Console says:

Server ‘com.apple.ppp.l2tp’ starting…
Loading plugin /System/Library/Extensions/L2TP.ppp
Listening for connections…

Here is what my iPhone says after entering the shared secret and attempting to start VPN:

The L2TP-VPN server did not respond…

I’m connecting to the external IP address of my Time Capsule router. The iPhone side is set up like it used to be when VPN was working on OSX Server for Mountain Lion (keyed in shared secret and password for user account). I’m thinking I’m missing something on the Mac side.

If you’ve got any thoughts that might help, please let me know. Thanks for posting this. I’ll keep experimenting…

Reply

dkunesh November 17, 2013 at 10:01 pm

Got it working! My problem was related to port forwarding. Once I got all ports opened and pointing to the correct private IP for my iMac, I connected from my iPhone with no problems!

Thanks for the write-up!

Reply

dkunesh November 17, 2013 at 2:07 pm

I got to the last step and couldn’t launch.

First, I got “Dubious ownership on file (skipping): /Library/LaunchDaemons/com.apple.ppp.l2tp.plist”. I got around this by changing ownership of the file to root (“sudo chown root /Library/LaunchDaemons/com.apple.ppp.l2tp.plist”) and changing permissions (“sudo chmod 644 /Library/LaunchDaemons/com.apple.ppp.l2tp.plist”)

Now when trying to sudo launchctl load I get “no plist was returned, nothing to load”

Thoughts where I went wrong?

Thanks for posting this! I’ve been without VPN since OSX Server Mavericks was released.

Reply

Jon Stacey November 17, 2013 at 2:33 pm

dkunesh,
It might be a formatting issue with WordPress. I’ve updated the article with a zip file of my configuration files to try.

Download Example configuration files and racoon binary from Mountain Lion

Let me know if that gets you up and running.

Both of my files are owned by root:wheel and chmod 644. I’ve added those notes to the guide as well.

Reply

dkunesh November 17, 2013 at 3:05 pm

Worked like a charm. Thanks!

Reply

Jon Stacey November 17, 2013 at 2:39 pm

You could also try running a syntax check on your current plist files to find where the errors are: plutil -lint com.apple.ppp.l2tp.plist

Courtesy StackExchange: http://apple.stackexchange.com/questions/46368/whats-wrong-with-my-launchctl-config

Reply
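
As an added example, not part of the original thread, here is a POSIX shell pre-flight check that folds together the ownership/permission fix from dkunesh's comment, the root:wheel and 644 note from Jon, and the `plutil -lint` syntax check. The OWNER parameter is an assumption added so the function can be exercised on a file you own; launchd itself wants root.

```bash
#!/bin/sh
# Added example, not from the original post. Pre-flight check for a LaunchDaemon plist
# before `sudo launchctl load`, covering the two failures reported in this thread:
# "Dubious ownership on file" (launchd wants the file owned by root; the guide uses
# root:wheel with mode 644) and "no plist was returned" (a plist that does not parse,
# which `plutil -lint` catches). Usage: check_launchdaemon_plist FILE [OWNER]
# OWNER defaults to root; it is a parameter only so the check can be run on a test file.

check_launchdaemon_plist() {
  f="$1"; owner="${2:-root}"
  if [ ! -f "$f" ]; then
    echo "missing: $f"; return 1
  fi
  # -maxdepth 0 restricts find to the file itself; empty output means "not owned by $owner"
  if [ -z "$(find "$f" -maxdepth 0 -user "$owner" 2>/dev/null)" ]; then
    echo "bad owner (want $owner): $f"; return 2
  fi
  # launchd also rejects files writable by group or others; 644 is what the guide uses
  if [ -z "$(find "$f" -maxdepth 0 -perm 644 2>/dev/null)" ]; then
    echo "bad mode (want 644): $f"; return 3
  fi
  # Syntax check suggested in the thread; plutil exists only on macOS, so skip elsewhere
  if command -v plutil >/dev/null 2>&1; then
    plutil -lint "$f" >/dev/null 2>&1 || { echo "plist does not parse: $f"; return 4; }
  fi
  echo "ok: $f"
  return 0
}

# Stand-alone run against the guide's daemon definition (only meaningful on the server)
check_launchdaemon_plist /Library/LaunchDaemons/com.apple.ppp.l2tp.plist \
  || echo "pre-flight failed; fix the reported item before launchctl load"
```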

shaggy December 9, 2013 at 7:38 pm

Ok newbie question here, first time setting up a vpn server, where do I set up the shared secret password at?

Reply

Jon Stacey December 10, 2013 at 9:52 pm

Shaggy,
That’s the security command under the “Add a shared secret to your keychain” section above ;-)

Reply
