I’ve just upgraded my MacBook to Yosemite and the only casualty I’ve found so far is the IPSecuritas IPSec VPN wrapper application.
Whilst it seems to work and establishes all of the SAs successfully via ISAKMP, it doesn’t then move any protected traffic.
Googling around, it seems a few folks have hit this, and the perceived wisdom is to turn off NAT traversal in the tunnel options to get things working on Yosemite. I was sceptical about this, as having to disable NAT-T is too broken a workaround. In any case, even on my tame home network, which shouldn’t need NAT-T, it just allowed me to pass traffic for one of the three tunnels, at random.
Configuring any new IPSec environment always seems to consume half a day, and I like IPSecuritas, so it was worth a bit of effort to get it working. I found this in system.log:
Nov 5 11:49:04 xxxxxxxx com.apple.kextd: ERROR: invalid signature for com.lobotomo.IPSecuritasFilter, will not load
Googling around, it seems Yosemite has become more picky about which kernel extensions it will load and now rejects unsigned ones (probably quite a good idea, but not good for IPSecuritas). You can revert to the previous behaviour by:
sudo nvram boot-args="kext-dev-mode=1"
And then reboot.
Having done this, I can confirm that IPSecuritas now works fine on Yosemite without having to disable NAT-T!
There is a health warning here though. Apple presumably introduced code signing of kernel plugins for good reasons and, whilst many software vendors who ship older unsigned plugins are referencing the above as a short-term fix (google the above command line!), you do this at your own risk. To back it out:
sudo nvram boot-args="kext-dev-mode=0"
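As an added example (not part of the original post, and not IPSecuritas or Apple code), here is a small audit script for the two things this post turns on: which kexts kextd has refused for an invalid signature, and whether the kext-dev-mode=1 boot argument is currently relaxing that check. The log sample is constructed; only the IPSecuritas line is modelled on the message quoted above, and com.example.OldDriver is a made-up bundle id. The live checks against /var/log/system.log and nvram are guarded so the script also runs on a machine that has neither.

```shell
#!/bin/sh
# Added example: audit a Mac for kexts rejected by kextd on signature grounds
# and report whether kext-dev-mode=1 has disabled the signature check.

# Constructed system.log sample. The IPSecuritas line follows the message in
# the post; the other three lines are invented filler for the example.
SAMPLE_LOG='Nov 5 11:49:03 xxxxxxxx kernel[0]: en0: link up
Nov 5 11:49:04 xxxxxxxx com.apple.kextd: ERROR: invalid signature for com.lobotomo.IPSecuritasFilter, will not load
Nov 5 11:49:05 xxxxxxxx com.apple.kextd: ERROR: invalid signature for com.example.OldDriver, will not load
Nov 5 11:49:06 xxxxxxxx racoon[123]: IPsec-SA established'

# Read log text on stdin and print, one per line and de-duplicated, the bundle
# id of every kext that kextd refused to load because of an invalid signature.
rejected_kexts() {
    sed -n 's/.*com\.apple\.kextd: ERROR: invalid signature for \([^,]*\), will not load.*/\1/p' | sort -u
}

# Return 0 if the boot-args string (as printed by `nvram boot-args`, key and
# all) contains the word kext-dev-mode=1, meaning unsigned kexts will load.
# Return 1 for kext-dev-mode=0, for any other value, or for no boot-args.
kext_dev_mode_enabled() {
    for word in $1; do   # unquoted on purpose: split on spaces and tabs
        [ "$word" = "kext-dev-mode=1" ] && return 0
    done
    return 1
}

# Live check, only where a real system.log exists.
if [ -r /var/log/system.log ]; then
    echo "Kexts rejected by kextd in /var/log/system.log:"
    rejected_kexts < /var/log/system.log
fi

echo "Kexts rejected in the constructed sample log:"
printf '%s\n' "$SAMPLE_LOG" | rejected_kexts

# Live check of the boot argument, only on a machine that has nvram.
if command -v nvram >/dev/null 2>&1; then
    if kext_dev_mode_enabled "$(nvram boot-args 2>/dev/null)"; then
        echo "WARNING: kext-dev-mode=1 is set; kext signature checks are relaxed"
    else
        echo "kext-dev-mode=1 is not set; kext signature checks are in force"
    fi
fi
```

Run it as `sh audit-kexts.sh` after a reboot; any bundle id it lists is a kext that will silently stay unloaded until it is signed or until the boot argument above is set, and the WARNING line is the thing to look for when you later want to confirm the change has been backed out. If boot-args held nothing else, `sudo nvram -d boot-args` removes the variable entirely, which has the same effect as setting kext-dev-mode=0.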