Mac OSX Cisco IPSEC Client Configuration

Updated #1 (20140415): The Cisco VPN configuration instructions are available in the Apple Enterprise Deployment Guide

How do you configure a IPSEC VPN server with Apple Mac OSX client compatibility?

There are various HOWTOs on the net that tell you how to configure various VPN appliances and IPSEC software (Racoon, StrongSwan, OpenSwan etc.) to work with Apple Mac OSX and iOS devices. While you can continue to refer to these HOWTOs, what if you could have access to the actual configuration that a Mac OSX device uses to connect as an IPSEC client?

Having access to the actual client config on Mac OSX lets you configure the server side to match and aids debugging. Additionally, you gain the flexibility to disable weaker encryption algorithms on the server side without breaking compatibility with the Apple device.

Apple devices use the racoon(8) IPSEC key management daemon. The configuration is generated at runtime and placed under the /var/run/racoon/ folder when the VPN connection is initiated. The trick is to create a dummy IPSEC connection entry, connect to the endpoint and copy the config file out quickly, before the connection attempt times out, as below:

  1. Create a new Cisco IPSEC connection from the System Preferences -> Network configuration screen.
  2. Next fill in the VPN settings for Server Address, Account Name and Password.
  3. Under Authentication Settings for the connection, add the Shared Secret and Group information.
  4. Apply the settings and Connect; the connection attempt will time out in a few seconds.
  5. While waiting for the connection to time out, from a Terminal window copy the config file to the /tmp/ folder using the command below:
    # Has to be run before the connection timeout occurs
    # TIP: if your server address is 1.2.3.4, then the config file
    # would be /var/run/racoon/1.2.3.4.conf
    $ sudo cp /var/run/racoon/1.2.3.4.conf /tmp/

The config file is now available under the /tmp/ folder. Here is what mine looks like on Mac OSX Mavericks 10.9.2. Based on this client config, it is trivial to configure the phase 1 and phase 2 settings on an IPSEC VPN server to support Mac clients.

remote x.x.x.x {
   doi ipsec_doi;
   situation identity_only;
   exchange_mode aggressive;
   my_identifier keyid_use "xxxxxx";
   verify_identifier off;
   shared_secret keychain "xxxxxxx";
   nonce_size 16;
   dpd_delay 20;
   dpd_retry 5;
   dpd_maxfail 5;
   dpd_algorithm dpd_blackhole_detect;
   initial_contact on;
   support_proxy on;
   proposal_check obey;
   xauth_login "xxxxxx";
   mode_cfg on;
   
   proposal {
      authentication_method xauth_psk_client;
      hash_algorithm sha1;
      encryption_algorithm aes 256;
      lifetime time 3600 sec;
      dh_group 2;
   }
   
   proposal {
      authentication_method xauth_psk_client;
      hash_algorithm sha1;
      encryption_algorithm aes;
      lifetime time 3600 sec;
      dh_group 2;
   }
   
   proposal {
      authentication_method xauth_psk_client;
      hash_algorithm md5;
      encryption_algorithm aes 256;
      lifetime time 3600 sec;
      dh_group 2;
   }
   
   proposal {
      authentication_method xauth_psk_client;
      hash_algorithm md5;
      encryption_algorithm aes;
      lifetime time 3600 sec;
      dh_group 2;
   }
   
   proposal {
      authentication_method xauth_psk_client;
      hash_algorithm sha1;
      encryption_algorithm 3des;
      lifetime time 3600 sec;
      dh_group 2;
   }
   
   proposal {
      authentication_method xauth_psk_client;
      hash_algorithm md5;
      encryption_algorithm 3des;
      lifetime time 3600 sec;
      dh_group 2;
   }
   
   proposal {
      authentication_method xauth_psk_client;
      hash_algorithm sha1;
      encryption_algorithm des;
      lifetime time 3600 sec;
      dh_group 2;
   }
   
   proposal {
      authentication_method xauth_psk_client;
      hash_algorithm md5;
      encryption_algorithm des;
      lifetime time 3600 sec;
      dh_group 2;
   }
}
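To act on the earlier point about disabling weaker algorithms on the server without breaking Mac clients, here is an added Python example (not part of the original post) that parses racoon `proposal { ... }` blocks like the ones above, flags the proposals a server should refuse, and picks the strongest one the client still offers. The sample config is constructed (an abridged copy of four of the eight proposals shown), and an AES proposal with no key length is treated as 128-bit, which is an assumption.

```python
import re

# Constructed sample, abridged from the client config shown above (four of the
# eight proposals; placeholders kept). Not a capture from a real client.
SAMPLE = """remote x.x.x.x {
   exchange_mode aggressive;
   proposal { authentication_method xauth_psk_client; hash_algorithm sha1;
              encryption_algorithm aes 256; lifetime time 3600 sec; dh_group 2; }
   proposal { authentication_method xauth_psk_client; hash_algorithm md5;
              encryption_algorithm aes; lifetime time 3600 sec; dh_group 2; }
   proposal { authentication_method xauth_psk_client; hash_algorithm sha1;
              encryption_algorithm 3des; lifetime time 3600 sec; dh_group 2; }
   proposal { authentication_method xauth_psk_client; hash_algorithm md5;
              encryption_algorithm des; lifetime time 3600 sec; dh_group 2; }
}
"""

PROPOSAL_RE = re.compile(r"proposal\s*\{(.*?)\}", re.S)   # proposals are not nested
SETTING_RE = re.compile(r"(\w+)\s+([^;{}]+);")            # "key value;" pairs

# Effective key strength in bits; anything not listed counts as 0 (weak).
# "aes" with no length is assumed to mean 128-bit here (assumption).
ENC_BITS = {"aes": 128, "3des": 112, "des": 56}
HASH_OK = {"sha1"}   # md5 is the only other hash this client offers

def parse_proposals(text):
    """One dict per phase-1 'proposal { ... }' block, in the client's order of preference."""
    props = []
    for m in PROPOSAL_RE.finditer(text):
        props.append({k: v.strip() for k, v in SETTING_RE.findall(m.group(1))})
    return props

def strength(p):
    """(encryption bits, hash acceptable) so proposals can be compared and ranked."""
    enc = p.get("encryption_algorithm", "").split()
    bits = ENC_BITS.get(enc[0], 0) if enc else 0
    if enc and enc[0] == "aes" and len(enc) > 1:
        bits = int(enc[1])            # explicit key length, e.g. "aes 256"
    return bits, p.get("hash_algorithm") in HASH_OK

def weak_proposals(text, min_bits=128):
    """Proposals the server should refuse: key shorter than min_bits or a hash outside HASH_OK."""
    return [p for p in parse_proposals(text)
            if strength(p)[0] < min_bits or not strength(p)[1]]

def server_phase1(text, min_bits=128):
    """Strongest client-offered proposal that clears the bar: the one to keep enabled server-side."""
    weak = weak_proposals(text, min_bits)
    ok = [p for p in parse_proposals(text) if p not in weak]
    return max(ok, key=strength, default=None)
```

Run `server_phase1(open("/tmp/1.2.3.4.conf").read())` against the copied file to see which single proposal your server needs to accept for this client.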

Shanker Balan

Shanker Balan is a devops and infrastructure freelancer with over 14 years of industry experience in large scale Internet systems. He is available for both short term and long term projects on contract. Please use the Contact Form for any enquiry.
