No more annoying password popups for Cisco VPN on OSX Lion (and Mountain Lion)!

I am currently working on a development project for our office in München. Accessing their internal servers requires a VPN connection (I’m working from Stockholm). I’m using the very handy built-in Cisco IPsec VPN client in OSX and have had an annoying problem which, until today, I had not been able to solve. I am documenting these configuration changes so I remember what I did, and hopefully they can also help others out there!

The problem

After being connected via VPN for about 48-54 minutes (the interval seems to vary), OSX throws up a “please enter password” dialog (I can’t remember the exact wording…). After entering the password, the VPN connection stays active for another 48-54 minutes, at which point another password dialog pops up. Lather, rinse, repeat. Not much fun during a standard work day, especially when my application-in-progress likes to crap out as soon as it loses connectivity to those remote servers (and requires lengthy restarts).

The solution (I thought)

After much googling I found this solution, for which I had high hopes (despite the comments from fellow OSX Lion users who couldn’t get it to work). In short, that post shows how to grant /usr/libexec/configd access to your keychain in order to squelch the password dialog. Unfortunately, that solution didn’t work for me either 🙁

The working solution (finally!)

After a week or so of still getting that annoying password dialog, I managed to google the correct sequence of terms and finally found a working solution! Over at the Apple forums, a very clever Mr Geordiadis posts a working solution to the problem. His solution is to modify the racoon configuration files for the VPN connection, tweaking a few settings and increasing the negotiated ISAKMP SA lifetime from 3600 seconds to 24 hours (perfectly fine for my intended use). That lifetime is what drives the prompt: when the security association expires and is renegotiated, the XAuth user authentication runs again and needs the password, and the dialog coming back a little short of every hour fits the one-hour lifetime being the trigger. I’ve been connected now for over 8 hours today and haven’t had a password dialog yet! So excellent! Confirmed that it works on Mountain Lion (10.8) as well.

I hope this information helps you as it helped me!

Steps:

  • Connect to the VPN once, so the client generates its racoon configuration file under /var/run/racoon/
  • Create a location for the VPN configuration files

    $ sudo mkdir /etc/racoon/vpn
    
  • Copy the auto-generated configuration file into the new configuration folder (the file is named after the VPN server’s IP address; 1.1.1.1 is a placeholder here):

    $ sudo cp /var/run/racoon/1.1.1.1.conf /etc/racoon/vpn/
    
  • Edit the racoon.conf file:

    $ sudo emacs /etc/racoon/racoon.conf
    
  • Comment out the include line at the end of the file and include the new configuration folder:

    #include "/var/run/racoon/*.conf" ;
    include "/etc/racoon/vpn/*.conf" ;
    
  • Edit the VPN configuration file:

    $ sudo emacs /etc/racoon/vpn/1.1.1.1.conf
    
    • Disable dead peer detection (with no DPD keep-alives, racoon will not notice a gateway that silently goes away until traffic stops flowing):

      dpd_delay 0;
      
    • Change proposal check from obey to claim:

      proposal_check claim;
      
    • Change the proposed lifetime in each proposal block (there is normally more than one) to 24 hours instead of 3600 seconds. This is the ISAKMP SA lifetime, so the same session keys stay in use for 24 hours before the next rekey and password prompt, and a gateway may reject a lifetime longer than it allows:

      lifetime time 24 hours;
      
  • Disconnect VPN and reconnect.
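
The steps above collected into one script. This is an added example, not the post’s (or Mr Geordiadis’s) code: the function names, the `--apply` flag and the sample configuration it ships with are this example’s own, and the sample values are made up. It only rewrites lines that already exist in the generated file, and it refuses to install a copy that does not end up with all three settings.

```shell
#!/bin/sh
# Added example, not from the original post: a small helper that carries out
# the manual steps on a copy of the generated racoon config. Function names,
# the --apply flag and the sample config below are this example's own.
# Only --apply writes under /etc/racoon, exactly as the manual steps do.
set -u

# Rewrite a per-connection config (as generated in /var/run/racoon) so that
# dead peer detection is off, proposal_check is claim, and every proposal's
# lifetime is 24 hours. SRC and DST must be different files.
patch_vpn_conf() {
    src=$1; dst=$2
    sed -e 's/^\([[:space:]]*\)dpd_delay[[:space:]].*;/\1dpd_delay 0;/' \
        -e 's/^\([[:space:]]*\)proposal_check[[:space:]].*;/\1proposal_check claim;/' \
        -e 's/^\([[:space:]]*\)lifetime[[:space:]]\{1,\}time[[:space:]].*;/\1lifetime time 24 hours;/' \
        "$src" > "$dst"
}

# Return 0 only when the file really carries the three settings the post asks
# for. sed does not add lines that were absent from the generated file, so
# this catches a config that the rewrite silently left unchanged.
check_vpn_conf() {
    f=$1
    grep -q '^[[:space:]]*dpd_delay 0;' "$f" &&
    grep -q '^[[:space:]]*proposal_check claim;' "$f" &&
    grep -q 'lifetime time' "$f" &&
    ! grep 'lifetime time' "$f" | grep -qv 'lifetime time 24 hours;'
}

# Comment out racoon.conf's include of /var/run/racoon/*.conf and include
# DIR/*.conf instead. Lines that are already comments are left alone, so
# running this twice does not stack up include lines.
redirect_include() {
    conf=$1; dir=$2; tmp="$conf.tmp.$$"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "#"*) printf '%s\n' "$line" ;;
            *include*'"/var/run/racoon/*.conf"'*)
                printf '#%s\n' "$line"
                printf 'include "%s/*.conf" ;\n' "$dir" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Constructed sample of what the generated file looks like. The values are
# made up for the demonstration; the real file is written by the VPN client.
make_sample_conf() {
    cat > "$1" <<'EOF'
remote 1.1.1.1 {
    exchange_mode main;
    dpd_delay 20;
    proposal_check obey;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method xauth_psk_client;
        dh_group 2;
        lifetime time 3600 sec;
    }
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method xauth_psk_client;
        dh_group 2;
        lifetime time 3600 sec;
    }
}
EOF
}

# Real run: sudo sh racoon-24h.sh --apply <vpn-server-ip>
# (the generated file only exists once the VPN has been connected)
if [ "${1-}" = "--apply" ]; then
    ip=${2:?usage: $0 --apply VPN_SERVER_IP}
    [ "$(id -u)" -eq 0 ] || { echo "run this with sudo" >&2; exit 1; }
    src="/var/run/racoon/$ip.conf"
    [ -f "$src" ] || { echo "$src not found: connect to the VPN once first" >&2; exit 1; }
    mkdir -p /etc/racoon/vpn
    patch_vpn_conf "$src" "/etc/racoon/vpn/$ip.conf"
    check_vpn_conf "/etc/racoon/vpn/$ip.conf" ||
        { echo "patched file lacks the expected settings; edit it by hand" >&2; exit 1; }
    redirect_include /etc/racoon/racoon.conf /etc/racoon/vpn
    echo "done: disconnect and reconnect the VPN"
fi
```

Run it as `sudo sh racoon-24h.sh --apply <your-vpn-server-ip>` after connecting once, then disconnect and reconnect. Two things worth knowing before doing this: `lifetime time` is the ISAKMP SA lifetime, so the same session keys stay in use for 24 hours instead of one, and the gateway may enforce a shorter lifetime of its own and refuse the proposal; `dpd_delay 0` switches dead peer detection off, so a gateway that silently disappears is only noticed when traffic stops flowing. The copied file is named after the gateway’s IP address, so it has to be regenerated whenever that address changes.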

Updated 2012-08-07: added the detailed steps
Updated 2012-08-07: tested on OSX Mountain Lion (10.8)

19 comments
  1. Hi David,

    I accidentally deleted the /etc/racoon/racoon.conf file. Could you please send it to me?

    Thanks in advance,
    Américo

    1. Hi! I’ve emailed it to you. Good luck! Also, I recommend enabling TimeMachine 😉

  2. Hi. Love this solution. It’s the only thing that I found to work. One caveat is that the file in /etc/racoon/vpn/ needs to be updated when the IP address of the VPN server changes. I have my VPN behind a dynamic IP address and use DynDNS to keep it updated. When the IP does change, the configuration file is no longer valid and will not let me connect to the VPN. Once I repeat these steps, my computer connects up to my VPN again. Thanks again for the solution.

    1. I can’t take credit for the solution, and yes the filename changes if the server IP changes which can be a bit annoying… but glad it works for you!
      ./david

  3. I would like to note that this implementation still works in Mac OS X 10.9 (Mavericks) as well. Just in case anyone was wondering. When I upgraded from Mountain Lion to Mavericks, I had to reconfigure VPN with the steps above.

    1. Great, thanks for the feedback! I haven’t upgraded to Mavericks yet (I usually wait for the first point-release, just in case).

  4. I have Mac OS X 10.9 (Mavericks) and I haven’t been able to make it work yet, it’s still asking me for the password. I know that racoon.conf is pointing at my “./vpn/*.conf” file because when I do tests in that file and the setting is not valid, the vpn UI gives me an error. Any idea of what could be the problem?

    1. Hi!
      Hmm, since I don’t have Mavericks yet and am not currently using a Cisco VPN connection I won’t be able to provide much useful diagnostic information. Make sure the correct changes are made in your new vpn conf file (see above in the post)? Maybe the racoon conf options have changed? Try this at the command line:

      $ man racoon.conf

      and read up on the options. Maybe there’s some new info there?
      Good luck!

  5. Hello!

    Could anyone of you terminal professionals please make an executable script out of these steps, which make the whole process easier?

    1. That would be a great idea! Any takers? My current project doesn’t require a VPN connection so I’m currently not using this solution…

  6. Hi David. Wanted to know if there is any solution for OS X Mavericks?
    Thank you.

    1. I’ve received mixed reports as to whether this works on Mavericks… unfortunately (or fortunately?) I (a) don’t need a VPN connection for my current project and (b) haven’t upgraded to Mavericks yet, so I can’t personally verify this one way or another.

  7. I have Yosemite 10.10.4 and the Cisco client times out as described above. I followed the instructions and the Timeout went to 2 hours.

    Has anyone else solved this on Yosemite?

    Thanks!!

  8. Does not work for me. When I change the times, the server starts refusing the connection. The only solution seems to be vpnc or an applescript hack and plaintext storage of the password.

    1. Sorry to hear that. This advice is quite old (OSX Lion and Mountain Lion); both OSX and the Cisco VPN client have been updated since then. I currently do not have any projects using Cisco VPNs, so I am not up to date with the issue.

      1. This bug is still present on Mac OS 10.12 (Sierra) and you can watch the thread from https://discussions.apple.com/thread/3275811?tstart=0 — If you also encounter it, don’t forget to add a comment there, eventually sending a bug report to Apple too, that’s the only way to fix this bug.

        1. Great, thanks for that information!

  9. Hi,
    Any clue how to do something a bit different and by this I mean:
    Making sure the VPN Client does not ask for the password for a username anymore but rather saves it in the keychain? (the instructions available on the net are for Snow Leopard but no longer seem to apply to El Capitan)

    1. Sounds interesting, but I’m not sure how to do that. As I mentioned in a previous comment, I am no longer using the Cisco VPN client on my current project, so I have not kept up to date on this issue. Sorry! Perhaps someone out there reading this will help you!
