Netgate Discussion Forum
    Mobile - problems when renegotiating with Mac OS X

      filnko

      Hello there,

      I've got some problems with renegotiation after 2880 seconds of tunnel uptime.

      My Mac always asks for an xauth authentication although the credentials are saved; this happens every 2880 seconds.
      Lifetimes are 7200 for Phase 1 and 3600 for Phase 2.

      I tried many different settings, lifetimes, …

      The following is the output when renegotiating with OS X:

      
      Jul 5 21:58:27	racoon: [Self]: INFO: IPsec-SA established: ESP 212.0.0.215[500]->193.0.0.238[500] spi=104117483(0x634b4eb)
      Jul 5 21:58:27	racoon: [Self]: INFO: IPsec-SA established: ESP 212.0.0.215[500]->193.0.0.238[500] spi=125463337(0x77a6b29)
      Jul 5 21:58:27	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
      Jul 5 21:58:27	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
      Jul 5 21:58:27	racoon: INFO: Update the generated policy : 10.12.99.1/32[0] 10.12.0.0/23[0] proto=any dir=in
      Jul 5 21:58:27	racoon: [Self]: INFO: respond new phase 2 negotiation: 212.0.0.215[4500]<=>193.0.0.238[16071]
      Jul 5 21:58:14	racoon: INFO: login succeeded for user "christoph"
      Jul 5 21:58:14	racoon: user 'christoph' authenticated
      Jul 5 21:58:14	racoon: INFO: Using port 0
      Jul 5 21:58:12	racoon: INFO: Released port 0
      Jul 5 21:58:12	racoon: [Self]: INFO: ISAKMP-SA deleted 212.0.0.215[4500]-193.0.0.238[16071] spi:fb7ff395484dd830:72d17a184e79f316
      Jul 5 21:58:12	racoon: INFO: purged ISAKMP-SA spi=fb7ff395484dd830:72d17a184e79f316:0000c3db.
      Jul 5 21:58:12	racoon: INFO: purging ISAKMP-SA spi=fb7ff395484dd830:72d17a184e79f316:0000c3db.
      Jul 5 21:58:07	racoon: [Self]: INFO: ISAKMP-SA established 212.0.0.215[4500]-193.0.0.238[16071] spi:b567033074ea7d5c:c30a90afb45228b4
      Jul 5 21:58:07	racoon: INFO: Sending Xauth request
      Jul 5 21:58:07	racoon: INFO: NAT detected: PEER
      Jul 5 21:58:07	racoon: INFO: NAT-D payload #1 doesn't match
      Jul 5 21:58:07	racoon: [193.0.0.238] INFO: Hashing 193.0.0.238[16071] with algo #2
      Jul 5 21:58:07	racoon: INFO: NAT-D payload #0 verified
      Jul 5 21:58:07	racoon: [Self]: [212.0.0.215] INFO: Hashing 212.0.0.215[4500] with algo #2
      Jul 5 21:58:07	racoon: INFO: Adding xauth VID payload.
      Jul 5 21:58:07	racoon: [Self]: [212.0.0.215] INFO: Hashing 212.0.0.215[4500] with algo #2
      Jul 5 21:58:07	racoon: [193.0.0.238] INFO: Hashing 193.0.0.238[16071] with algo #2
      Jul 5 21:58:07	racoon: INFO: Adding remote and local NAT-D payloads.
      Jul 5 21:58:07	racoon: [193.0.0.238] INFO: Selected NAT-T version: RFC 3947
      Jul 5 21:58:07	racoon: INFO: received Vendor ID: DPD
      Jul 5 21:58:07	racoon: INFO: received Vendor ID: CISCO-UNITY
      Jul 5 21:58:07	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Jul 5 21:58:07	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      [03-07]
      Jul 5 21:58:07	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
      Jul 5 21:58:07	racoon: INFO: received Vendor ID: RFC 3947
      Jul 5 21:58:07	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Jul 5 21:58:07	racoon: INFO: begin Aggressive mode.
      Jul 5 21:58:07	racoon: [Self]: INFO: respond new phase 1 negotiation: 212.0.0.215[4500]<=>193.0.0.238[16071]
      Jul 5 21:52:05	racoon: INFO: renegotiating phase1 to 193.0.0.238 due to active phase2
      
      

      The tunnel works flawlessly over days when connecting with Windows 8.1 + Shrew:

      
      Jul 5 19:53:30	racoon: [Self]: INFO: IPsec-SA established: ESP 212.0.0.215[500]->62.0.0.106[500] spi=2966502201(0xb0d13b39)
      Jul 5 19:53:30	racoon: [Self]: INFO: IPsec-SA established: ESP 212.0.0.215[500]->62.0.0.106[500] spi=42409046(0x2871c56)
      Jul 5 19:53:30	racoon: WARNING: authtype mismatched: my:hmac-sha384 peer:hmac-sha512
      Jul 5 19:53:30	racoon: WARNING: authtype mismatched: my:hmac-sha256 peer:hmac-sha512
      Jul 5 19:53:30	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-sha512
      Jul 5 19:53:30	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
      Jul 5 19:53:30	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
      Jul 5 19:53:30	racoon: INFO: Update the generated policy : 10.12.99.1/32[0] 10.12.0.0/23[0] proto=any dir=in
      Jul 5 19:53:30	racoon: [Self]: INFO: respond new phase 2 negotiation: 212.0.0.215[4500]<=>62.0.0.106[10252]
      
      

      Can you help me there?
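
An added example, not part of the original post: a Python helper that reads racoon lines in the newest-first order shown above and reports, for each phase 1 negotiation, whether an Xauth request was sent, which user logged in, and how long it took until the next phase 2 negotiation. The function name `phase1_rekeys`, the record fields and the `year` parameter are assumptions made for this example; the sample is a subset of lines copied from the post's log.

```python
import re
from datetime import datetime

# Subset of the racoon lines from the post, newest first as displayed there.
SAMPLE = """\
Jul 5 21:58:27\tracoon: [Self]: INFO: respond new phase 2 negotiation: 212.0.0.215[4500]<=>193.0.0.238[16071]
Jul 5 21:58:14\tracoon: INFO: login succeeded for user "christoph"
Jul 5 21:58:12\tracoon: [Self]: INFO: ISAKMP-SA deleted 212.0.0.215[4500]-193.0.0.238[16071] spi:fb7ff395484dd830:72d17a184e79f316
Jul 5 21:58:07\tracoon: [Self]: INFO: ISAKMP-SA established 212.0.0.215[4500]-193.0.0.238[16071] spi:b567033074ea7d5c:c30a90afb45228b4
Jul 5 21:58:07\tracoon: INFO: Sending Xauth request
Jul 5 21:58:07\tracoon: INFO: begin Aggressive mode.
Jul 5 21:58:07\tracoon: [Self]: INFO: respond new phase 1 negotiation: 212.0.0.215[4500]<=>193.0.0.238[16071]
Jul 5 21:52:05\tracoon: INFO: renegotiating phase1 to 193.0.0.238 due to active phase2
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+racoon: (.*)$")
PHASE1 = re.compile(r"respond new phase 1 negotiation: \S+<=>(\S+)\[\d+\]")
LOGIN = re.compile(r'login succeeded for user "([^"]+)"')

def phase1_rekeys(log_text, year=2000):
    """Return one record per phase 1 negotiation, oldest first.

    Syslog lines carry no year; `year` is an arbitrary assumption and only
    time differences are used.
    """
    records, current = [], None
    # Reversing the newest-first listing restores chronological order,
    # including the order of lines that share the same second.
    for raw in reversed(log_text.strip().splitlines()):
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        p1, login = PHASE1.search(msg), LOGIN.search(msg)
        if p1:
            current = {"peer": p1.group(1), "start": ts, "xauth_request": False,
                       "user": None, "phase2_after_s": None}
            records.append(current)
        elif current is None:
            continue  # lines before the first phase 1 negotiation
        elif "Sending Xauth request" in msg:
            current["xauth_request"] = True
        elif login:
            current["user"] = login.group(1)
        elif "respond new phase 2 negotiation" in msg and current["phase2_after_s"] is None:
            current["phase2_after_s"] = (ts - current["start"]).total_seconds()
    return records

if __name__ == "__main__":
    for rec in phase1_rekeys(SAMPLE):
        print(rec)
```
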
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.