IPSEC Verbindung nicht mehr möglich

[ismon]

Hallo zusammen,

seit einiger Zeit kann ich mich mit meinem Macbook (OS 10.10, aktuell) nicht mehr per VPN/IPSEC Verbinden.
Der VPN Server (Fritzbox) funktioniert. Form Iphone ist eine Verbindung mit gleichen Daten problemlos möglich.

Auf dem Mac erscheint beim Verbinden immer eine Fehlermeldung:
"Ein Konfigurationsfehler ist aufgetreten. Überprüfen Sie die Einstellungen und versuchen Sie erneut eine Verbindung herzustellen."

Wie geht die Daten sind 100% Korrekt.

Das steht im Log:

23.05.15 22:48:59,875 nesessionmanager[891]: NESMLegacySession[home vpn:1EEC3E93-795B-4FCB-AB23-AA6B9465F210]: Received a start command from SystemUIServer[317]
23.05.15 22:48:59,876 nesessionmanager[891]: NESMLegacySession[home vpn:1EEC3E93-795B-4FCB-AB23-AA6B9465F210]: status changed to connecting
23.05.15 22:48:59,878 nesessionmanager[891]: IPSec connecting to server 84.175.96.7
23.05.15 22:48:59,880 nesessionmanager[891]: IPSec Phase1 starting.
23.05.15 22:48:59,898 racoon[1479]: Configuration Parse Error. (cfparse: yyparse erred, filename /etc/racoon/racoon.conf). (failure: fatal parse failure)
23.05.15 22:48:59,899 com.apple.xpc.launchd[1]: (com.apple.racoon[1479]) Service exited with abnormal code: 1
23.05.15 22:48:59,899 com.apple.xpc.launchd[1]: (com.apple.racoon) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
23.05.15 22:49:09,880 nesessionmanager[891]: NESMLegacySession[home vpn:1EEC3E93-795B-4FCB-AB23-AA6B9465F210]: status changed to disconnecting
23.05.15 22:49:09,881 nesessionmanager[891]: IPSec disconnecting from server 84.175.96.7
23.05.15 22:49:09,882 nesessionmanager[891]: NESMLegacySession[home vpn:1EEC3E93-795B-4FCB-AB23-AA6B9465F210]: status changed to disconnected, last stop reason 0
23.05.15 22:49:09,924 racoon[1482]: IPSec disconnecting from server 84.175.96.7
23.05.15 22:49:09,925 racoon[1482]: IPSec disconnecting from server 84.175.96.7
23.05.15 22:49:10,008 UserNotificationCenter[1481]: *** WARNING: Method userSpaceScaleFactor in class NSWindow is deprecated on 10.7 and later. It should not be used in new applications. Use convertRectToBacking: instead. 
23.05.15 22:49:16,923 SystemUIServer[317]: Attempt to use XPC with a MachService that has HideUntilCheckIn set. This will result in unpredictable behavior: com.apple.backupd.status.xpc

Hat jemand eine Idee?

gruß
ismon

 

[pmau]

Die Datei /etc/racoon/racoon.conf ist kaputt gegangen und kann nicht mehr interpretiert werden.
Dort stehen die VPN Server Settings drin. Vielleicht findest Du ja was, dass kaputt aussieht.

Warum steht jetzt was falsches drin? Keine Ahnung.
Das kann man nur sehen wenn man reinschaut.

Vielleicht ein Sonderzeichen. Ein Leerzeichen vor einer IP Adresse oder irgendetwas was kaum auffällt.

 

[ismon]

Danke für den Hinweis.
Kann sich die Datei mal jemand anschauen?

Spoiler

# $KAME: racoon.conf.in,v 1.17 2001/08/14 12:10:22 sakane Exp $

# "path" must be placed before it is used.
# You can overwrite what you defined, but it should not be used due to confusion.
path include "/etc/racoon" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/etc/cert" ;

# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some parameter of padding. You should not touch these.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
#isakmp ::1 [7000];
#isakmp 202.249.11.124 [500];
#admin [7002]; # administrative's port by kmpstat.
#strict_address; # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 10; # maximum trying count to send.
interval 3 sec; # interval to resend (retransmit)
persend 1; # the number of packets per a send.

# timer for waiting to complete each phase.
phase1 30 sec;
phase2 30 sec;

# Auto exit delay timer - for use when controlled by VPN socket
auto_exit_delay 3 sec;
}

#
# anonymous entry is defined in /etc/racoon/remote/anonymous.conf
#
#remote anonymous
#{
# #exchange_mode main,aggressive;
# exchange_mode aggressive,main;
# doi ipsec_doi;
# situation identity_only;
#
# #my_identifier address;
# my_identifier user_fqdn "macuser@localhost";
# peers_identifier user_fqdn "macuser@localhost";
# #certificate_type x509 "mycert" "mypriv";
#
# nonce_size 16;
# lifetime time 1 min; # sec,min,hour
# initial_contact on;
# support_mip6 on;
# proposal_check obey; # obey, strict or claim
#
# proposal {
# encryption_algorithm 3des;
# hash_algorithm sha1;
# authentication_method pre_shared_key ;
# dh_group 2 ;
# }
#}

remote ::1 [8000]
{
#exchange_mode main,aggressive;
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;

my_identifier user_fqdn "macuser@localhost";
peers_identifier user_fqdn "macuser@localhost";
#certificate_type x509 "mycert" "mypriv";

nonce_size 16;
lifetime time 1 min; # sec,min,hour

proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}

#
# anonymous entry is defined in /etc/racoon/remote/anonymous.conf
#
#sainfo anonymous
#{
# pfs_group 1;
# lifetime time 30 sec;
# encryption_algorithm aes, 3des ;
# authentication_algorithm hmac_sha1;
# compression_algorithm deflate ;
#}

# sainfo address 203.178.141.209 any address 203.178.141.218 any
# {
# pfs_group 1;
# lifetime time 30 sec;
# encryption_algorithm des ;
# authentication_algorithm hmac_md5;
# compression_algorithm deflate ;
# }

sainfo address ::1 icmp6 address ::1 icmp6
{
pfs_group 1;
lifetime time 60 sec;
encryption_algorithm 3des, aes ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}

# Allow third parties the ability to specify remote and sainfo entries
# by including all files matching /var/run/racoon/*.conf
# This line should be added at the end of the racoon.conf file
# so that settings such as timer values will be appropriately applied.
include "/var/run/racoon/*.conf" ;

Gibt es eine Möglichkeit die Datei zurück zu setzten?

 

[pmau]

Du kannst natürlich die VPN Einstellungen entfernen.
Aber schau auch mal hier

include "/var/run/racoon/*.conf" ;

 

[ismon]

Unter /var/run/racoon/ liegt nichts.

 

[tocotronaut]

Habe ein ähnliches Problem unter 10.10.4 beta.

Die VPN Verbindung wird aufgebaut, aber es werden keine Daten übertragen.
Die Fehlermeldung im Logbuch der Fritzbox deutet auf einen IKE Fehler hin.

Frage: Apple oder AVM Informieren?