IPSecuritas on OS X Yosemite

I’ve just upgraded my MacBook to Yosemite, and the only casualty I’ve found so far is the IPSecuritas IPSec VPN wrapper application.

Whilst it seems to work and establishes all of the SAs successfully via ISAKMP, it doesn’t then move any protected traffic.

Googling around, it seems a few folks have hit this, and the received wisdom is to turn off NAT traversal in the tunnel options to get things working on Yosemite. I was sceptical about this, as having to disable NAT-T is too broken to count as a fix. In any case, even on my tame home network, which shouldn’t need NAT-T, it only allowed me to pass traffic for one of the three tunnels, and which one was random.

Configuring any new IPSec environment always seems to consume half a day, and I like IPSecuritas, so it was worth a bit of effort to get it working. I found this in system.log:

Nov  5 11:49:04 xxxxxxxx com.apple.kextd[22]: ERROR: invalid signature for com.lobotomo.IPSecuritasFilter, will not load

Googling around, it seems Yosemite has become more picky about which kernel extensions it will load and now rejects unsigned ones (probably quite a good idea, but not good for IPSecuritas). You can revert to the previous behaviour with:

sudo nvram boot-args="kext-dev-mode=1"

And then reboot.

Having done this, I can confirm that IPSecuritas now works fine on Yosemite without having to disable NAT-T!

There is a health warning here, though. Apple presumably introduced code signing of kernel extensions for good reasons and, whilst many software vendors who ship older unsigned extensions are referencing the above as a short-term fix (google the above command line!), you do this at your own risk. To back it out:

sudo nvram boot-args="kext-dev-mode=0"
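As an added example (not part of the original post), the following shell snippet automates the two checks described above: it pulls the bundle identifiers of every kext that kextd refused for an invalid signature out of a system.log excerpt, and it reports whether a boot-args string has signature enforcement relaxed with kext-dev-mode=1, so you can see at a glance that the machine is running with the protection switched off. The log lines are constructed, the hostname is a placeholder, and on a real Yosemite box the boot-args value would come from `nvram boot-args`, which is not invoked here so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the original post or from IPSecuritas.
# Sample system.log excerpt (constructed; "examplehost" is a placeholder).
SAMPLE_LOG='Nov  5 11:48:59 examplehost com.apple.kextd[22]: loaded kext com.example.SignedDriver
Nov  5 11:49:04 examplehost com.apple.kextd[22]: ERROR: invalid signature for com.lobotomo.IPSecuritasFilter, will not load
Nov  5 11:49:10 examplehost com.apple.kextd[22]: ERROR: invalid signature for com.example.OldFilter, will not load'

# Print the bundle identifier of every kext kextd refused to load because its
# signature was invalid. $1 is the log text.
rejected_kexts() {
    printf '%s\n' "$1" | sed -n 's/.*com\.apple\.kextd\[[0-9]*]: ERROR: invalid signature for \([^,]*\), will not load.*/\1/p'
}

# Return 0 if the boot-args string relaxes kext signing (kext-dev-mode=1),
# 1 otherwise. $1 is the value of the nvram boot-args variable.
kext_dev_mode_enabled() {
    case " $1 " in
        *" kext-dev-mode=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable summary of both checks. $1 is log text, $2 is boot-args.
report() {
    kexts=$(rejected_kexts "$1")
    if [ -n "$kexts" ]; then
        echo "kexts rejected for invalid signature:"
        printf '  %s\n' $kexts
    else
        echo "no kext signature rejections found"
    fi
    if kext_dev_mode_enabled "$2"; then
        echo "boot-args relax kext signing (kext-dev-mode=1): unsigned kexts will load"
    else
        echo "boot-args enforce kext signing"
    fi
}

# Run against the constructed sample with signing relaxed, as after the fix above.
report "$SAMPLE_LOG" "kext-dev-mode=1"
```

On a live machine you would replace the constructed sample with `grep kextd /var/log/system.log` and the second argument with the output of `nvram boot-args`; the point of the second check is that kext-dev-mode=1 is global, so it lets every unsigned kext load, not just the IPSecuritas filter.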

13 comments

  1. Oliver Thomsen

    Hi, did you post your findings on the IPSecuritas support forum? Maybe Lobotomo can just sign their kernel extensions and release a new RC for IPSecuritas?
    Regards, Oliver

    1. rob Post author

      I have to say that I haven’t posted this there. The forum site gives a bunch of page errors for me, and the last post is over a month ago. I was a bit nervous about creating a forum account just to post this, but maybe I should.

    2. rob Post author

      OK, it is worse than that: registration doesn’t work for me on the Lobotomo forum site. It prompts for a captcha-type confirmation, but displays no input box for the text and no captcha image. If you have a way of getting Lobotomo’s attention, maybe highlight this to them.

  2. Emory

    Rob…just wanted to thank you for posting this solution. I too can confirm that IPSecuritas now works fine on Yosemite without having to disable NAT-T!

  3. Richard Roth

    Thank you very much for documenting this. This was the only explanation I found regarding this issue, and following your instructions got my connection working again.

  4. Ike

    I had a number of problems, but I couldn’t be sure if it was due to Yosemite or to Comcast upgrading my router while I was on vacation. Having said that, I was able to get everything back up and running. After I did that, I found that I did not need the kernel extension. However, I *am* running with NAT-T disabled.

    1. rob Post author

      As far as I can tell, you need the kernel ext if you are using NAT-T or have more than one SA up at the same time. Note that without NAT-T you will be able to negotiate an SA, but won’t actually be able to pass protected traffic in a lot of environments. Most Internet connections will allow UDP (NAT-T) packets outbound with corresponding replies, as these are used for many things, not just VPN. A smaller subset of routers/connections will be configured to pass IP protocol 50/51 on a routable IP, as used by classic (non-NAT-T) IPsec. Your mileage may therefore vary, but I know that I’m reliant on NAT-T for most connectivity.
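The distinction drawn in the reply above, between NAT-T carrying ESP inside UDP and classic IPsec sending IP protocol 50/51 directly, can be checked from a packet capture. The following is an added example, not code from the post or from IPSecuritas: it classifies tcpdump-style summary lines into IKE, UDP-encapsulated ESP (NAT-T), raw ESP and AH, so you can tell which mode a tunnel is actually using on a given network. The capture lines are constructed, and the exact "UDP-encap: ESP(" and "isakmp:" wording is assumed to match tcpdump’s output format.

```shell
#!/bin/sh
# Added example, not from the original post. Sample tcpdump-style lines
# (constructed; addresses are documentation ranges, SPIs are made up).
SAMPLE_CAPTURE='12:00:01.000001 IP 192.0.2.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident
12:00:01.200001 IP 192.0.2.10.4500 > 198.51.100.5.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
12:00:02.000001 IP 192.0.2.10.4500 > 198.51.100.5.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
12:00:02.500001 IP 192.0.2.10 > 198.51.100.5: ESP(spi=0x0a1b2c3e,seq=0x1), length 116'

# Count lines in $1 matching fixed pattern $2; always succeeds so callers
# can run under set -e even when the count is zero.
count_matching() {
    printf '%s\n' "$1" | grep -c -- "$2" || true
}

# Summarise a capture as "ike=N natt_esp=N raw_esp=N ah=N".
# IKE runs over UDP/500 (and UDP/4500 with a NON-ESP marker under NAT-T);
# NAT-T wraps ESP in UDP/4500; classic IPsec sends ESP (proto 50) or AH (51).
ipsec_summary() {
    ike=$(count_matching "$1" 'isakmp:')
    natt=$(count_matching "$1" 'UDP-encap: ESP(')
    raw_esp=$(printf '%s\n' "$1" | grep -v 'UDP-encap' | grep -c ': ESP(' || true)
    ah=$(count_matching "$1" ': AH(')
    echo "ike=$ike natt_esp=$natt raw_esp=$raw_esp ah=$ah"
}

# Verdict on what the network must carry for protected traffic to flow.
ipsec_verdict() {
    natt=$(count_matching "$1" 'UDP-encap: ESP(')
    raw=$(printf '%s\n' "$1" | grep -v 'UDP-encap' | grep -c -e ': ESP(' -e ': AH(' || true)
    if [ "$natt" -gt 0 ] && [ "$raw" -eq 0 ]; then
        echo "natt-only"          # only UDP needs to pass; survives most NAT/home routers
    elif [ "$raw" -gt 0 ] && [ "$natt" -eq 0 ]; then
        echo "raw-ipsec-only"     # needs IP protocol 50/51 routed end to end
    elif [ "$raw" -gt 0 ]; then
        echo "mixed"              # both seen, e.g. different tunnels in different modes
    else
        echo "no-protected-traffic"  # SAs may be up, but nothing is being carried
    fi
}

ipsec_summary "$SAMPLE_CAPTURE"
ipsec_verdict "$SAMPLE_CAPTURE"
```

A "no-protected-traffic" verdict with IKE lines present is exactly the symptom described in the post: the SAs negotiate, but nothing moves afterwards.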

  5. inassi

    I have my IPSecuritas/NetGear SRX3205/Yosemite VPN working without disabling NAT traversal now, from all 3 locations I’ve tested. (Previously it worked from some sites, but after further testing, not ALL sites). You have to use the kext-dev-mode fix suggested above. You MAY need also to start it up on login, but I have not done an A/B comparison. I also upgraded my NetGear to the latest firmware version, which I was worried about, but it did not hurt.

  6. Andrew Pease

    Thank you for this tip! Brilliant. I am lost on the road without being able to get back into my lab network and didn’t want to give up on IPSecuritas. It is a shame about their forum, but the software used to host it, phpBB, is very attractive for hackers (I know, I tried to use it once on another site).

    Cheers!

  7. inassi

    I had been having a lot of problems with IPSecuritas (4.0rc and 4.5), but finally I believe I’ve solved it. I need to do some more testing, but I haven’t seen a failure in several days, from several different locations. What I had been seeing were intermittent failures, and I could not track it down to a specific set of conditions.

    The solution for me turned out to be relatively simple.

    I had my IPSEC VPN home router sitting in the DMZ behind my Xfinity (Comcast) cable modem. I changed the configuration in the cable modem: I turned off the DMZ and put it in bridge mode. I lost the cable modem’s WiFi capability in this, which was a little painful, but now I have both my cable modem and my IPSEC router using separate IP addresses, both on the Xfinity WAN. Now IPSecuritas 4.5 works fine connecting to my IPSEC router. Further, the connection time is quite fast. I wish I didn’t have to give up my WiFi, but I can accept the tradeoff.
