OS X 10.7, can't log into any L2TP VPN server

3

I was running 10.6.8 and couldn't log in to any L2TP VPN server (tried 2 completely different ones) using the built-in VPN client. Upgraded to 10.7.2, the same issue. It doesn't seem that the machine is even trying to connect to the VPN server (at least Little Snitch doesn't show anything).

What I can see in /var/log/ppp.log is:

timestamp : L2TP connecting to server 'vpn.example.com' (xxx.xxx.xxx.xxx)...

timestamp : L2TP: cannot connect racoon control socket: No such file or directory

where xxx... is the IP address of the VPN server.

In /var/log/system.log:

timestamp: computername configd[14]: SCNC: start, triggered by SystemUIServer, type L2TP, status 0
timestamp: computer pppd[454]: pppd 2.4.2 (Apple version 560.13) started by username, uid 502

and then the 2 lines from ppp.log

What is not causing it:

the router - I can connect to the same VPN servers from another Mac and iPhone that are behind the same router

the OS X firewall (I think) - the same issue persists with the firewall off

Little Snitch - the same issue persists with LS off and when on, it doesn't even show any attempt for outgoing connection (and the other Mac has LS too, which shows attempt to connect to port 1701)

What it could be -- there was Cisco Anyconnect client on the machine, which was uninstalled. It is possible that somehow it messed up IPSec.

Any idea what may be going on?

Alternatively -- are there any other L2TP/IPSec clients for OS X?

lupincho

Posted 2012-01-16T21:21:06.713

Reputation: 1 630

I've used this product in the past. Follow its instructions for OS X and replace the server part with the one you're using. If that doesn't work, it could very possibly be Cisco Anyconnect. Also, you should have your own cert, or skip that step. http://www.giganews.com/vyprvpn/setup/mac/l2tp.html

– skub – 2012-01-16T22:01:47.853

The issue is not the settings, these work on another machine and iPhone. There isn't a certificate, just username, password and secret. – lupincho – 2012-01-16T22:09:32.797

Answers

5

Turns out that something (possibly CiscoAnyconnect) has unloaded racoon on startup. To fix (with Anyconnect uninstalled) do the following:

launchctl load -w /System/Library/LaunchDaemons/com.apple.racoon.plist

You may also start racoon manually by:

sudo /usr/sbin/racoon

lupincho

Posted 2012-01-16T21:21:06.713

Reputation: 1 630
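The log lines in the question are enough to tell this failure apart from an ordinary stalled L2TP attempt. The script below is an added example, not from the original answer or from Apple: it classifies a ppp.log-style file, maps the "racoon control socket" error to the launchctl fix given above, and only touches launchd when launchctl actually exists (on other systems it reports "unknown"). The sample log lines are constructed in the format the question shows, and the plist path is the one from the answer.

```sh
#!/bin/sh
# Added example (not from the original post): triage /var/log/ppp.log for the
# "cannot connect racoon control socket" failure and apply the fix from the answer.

RACOON_PLIST=/System/Library/LaunchDaemons/com.apple.racoon.plist  # path from the answer

# diagnose_ppp_log FILE
# Prints one of: racoon-down, connecting, no-l2tp-activity.
# racoon-down wins over connecting because the socket error follows the
# connecting line in the failing log shown in the question.
diagnose_ppp_log() {
  if grep -q 'cannot connect racoon control socket' "$1"; then
    echo racoon-down
  elif grep -q 'L2TP connecting to server' "$1"; then
    echo connecting
  else
    echo no-l2tp-activity
  fi
}

# racoon_job_loaded
# yes/no when launchd can be queried (macOS), "unknown" elsewhere.
racoon_job_loaded() {
  command -v launchctl >/dev/null 2>&1 || { echo unknown; return 0; }
  if launchctl list 2>/dev/null | grep -q 'com\.apple\.racoon'; then
    echo yes
  else
    echo no
  fi
}

# suggested_fix DIAGNOSIS
# Maps the diagnosis to the command from the accepted answer (sudo is assumed
# to be needed to load a system LaunchDaemon).
suggested_fix() {
  case "$1" in
    racoon-down) echo "sudo launchctl load -w $RACOON_PLIST" ;;
    *) echo "no racoon fix applicable" ;;
  esac
}

# apply_fix DIAGNOSIS
# Runs the launchctl fix only for racoon-down and only where launchctl exists;
# set DRY_RUN=1 to print instead of executing.
apply_fix() {
  [ "$1" = racoon-down ] || { echo "nothing to do"; return 0; }
  if [ "${DRY_RUN:-0}" = 1 ] || ! command -v launchctl >/dev/null 2>&1; then
    echo "would run: $(suggested_fix "$1")"
    return 0
  fi
  sudo launchctl load -w "$RACOON_PLIST"
}

# Constructed sample logs in the format the question shows (not real captures).
SAMPLE_FAIL=$(mktemp)
SAMPLE_STALL=$(mktemp)
trap 'rm -f "$SAMPLE_FAIL" "$SAMPLE_STALL"' EXIT
cat >"$SAMPLE_FAIL" <<'EOF'
Mon Jan 16 21:00:01 2012 : L2TP connecting to server 'vpn.example.com' (192.0.2.10)...
Mon Jan 16 21:00:01 2012 : L2TP: cannot connect racoon control socket: No such file or directory
EOF
cat >"$SAMPLE_STALL" <<'EOF'
Mon Jan 16 21:05:01 2012 : L2TP connecting to server 'vpn.example.com' (192.0.2.10)...
EOF

# Stand-alone run: diagnose the failing sample and show what the fix would be.
DIAG=$(diagnose_ppp_log "$SAMPLE_FAIL")
echo "diagnosis: $DIAG (racoon job loaded: $(racoon_job_loaded))"
DRY_RUN=1 apply_fix "$DIAG"
```

Run it against the real log with diagnose_ppp_log /var/log/ppp.log; a racoon-down result with racoon_job_loaded printing no matches the situation in the answer, while connecting with no error line points somewhere other than racoon (firewall, routing, or the server itself).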

0

Unless this is also your post, I suspect that Cisco AnyConnect messed things up.

EDIT: Oh, that is your post. I still suspect the Cisco software, but I think it's because Cisco is probably holding the port needed for L2TP.

Have you tried:

sudo /System/Library/StartupItems/CiscoVPN/CiscoVPN restart

skub

Posted 2012-01-16T21:21:06.713

Reputation: 2 716

The issue is that this happens with CiscoAnyconnect uninstalled too. I installed it again and there isn't any entry for CiscoVPN in /System/Library/StartupItems, it is empty in fact. There is com.cisco.anyconnect.gui.plist in /Library/LaunchAgents which points to /Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app. – lupincho – 2012-01-17T08:14:24.590

Also, with AnyConnect uninstalled, I didn't see any entries for it or the L2TP ports in netstat or lsof. – lupincho – 2012-01-17T08:22:51.083

With AnyConnect installed, there is "/opt/cisco/anyconnect/bin/vpnagentd -execv_instance" running but I don't see it taking any ports or sockets. – lupincho – 2012-01-17T09:04:45.693

Stopping vpnagentd didn't help, but again -- the same problem happens when Anyconnect is uninstalled. At this point my guess is that Anyconnect has modified something and even after uninstall or stopping it, the issue persists. – lupincho – 2012-01-17T10:09:26.447