Mountain Lion IPsec VPN randomly drops out (usually around 45 minutes)


I’ve had this issue with both Lion (Mac OS X 10.7) and Mountain Lion (Mac OS X 10.8). I decided to use the built-in VPN client to connect to a Cisco VPN using IPsec, however the connection fails at around 45 minutes every time.

[Side note] – If you are looking to use Apple’s inbuilt VPN client as opposed to Cisco’s on Mac OS X, check out this great article on migrating across


To fix this I found the resolution on Apple’s forums here

Before proceeding remember, the usual disclaimer applies – you are doing this at your own risk, I take no responsibility if your system dies or turns into a pumpkin. I’ve used this method successfully and have had a VPN connection stay connected for over 9 hours. Also, if you are not comfortable using the terminal, I wouldn’t recommend attempting this.

Also, this is a hack at best: you will need to make further changes if you have more than one VPN profile configured, as we change the included config to be static for the VPN you are connecting to, as opposed to whatever is generated when connecting.

  1. Connect to your VPN as you usually would, this generates the racoon config file we need to use.
  2. The configuration file is generated in /var/run/racoon/ and will be a file named after the IP address you are connecting to, followed by the extension .conf – for this example I’ve used the invalid address of – we need to copy this to /etc/racoon so we can modify it. From a terminal run a command such as: sudo cp /var/run/racoon/ /etc/racoon
  3. Using the editor of your choice (such as vim or pico – I’ll use vim) from the terminal run: sudo vim /etc/racoon/racoon.conf
  4. Go to the end of the file (in Vim you can do this by pressing shift-g) and remark out the line that reads: include "/var/run/racoon/*.conf" ; To remark out a line, simply add a hash (#) to the beginning of it. The line will then read: #include "/var/run/racoon/*.conf" ;
  5. While the file is still open, under the line you just remarked out, configure a new include using the file we copied earlier. Remember to update the path to the correct config file, depending on the IP address you have in the filename. The new line will look like this: include "/etc/racoon/" ;
  6. Save the file
  7. Now we must edit the file we copied earlier, again, in your favourite text editor edit the file, remember to update the command to use the correct filename: sudo vim /etc/racoon/
  8. Once open, look for the line that says dpd_delay xx; xx will be a value, in my case this was 20. We need to change this to 0 (Zero). Update the value so the line now reads: dpd_delay 0;
  9. Next, find the line that states proposal_check xxxx; xxxx will be a word, mine was set to obey. We need to change this to claim. Update the word so the line now reads: proposal_check claim;
  10. Next we need to find all lines in the file (there will be multiple) that state lifetime time xxxx sec; xxxx is a value, mine was 3600. We need to update the value AND the time unit (i.e., from sec to hours). Update EVERY instance of this line so it reads: lifetime time 12 hours;
  11. Save the file
  12. Disconnect from the VPN session.
  13. Next time you reconnect racoon will use the updated config file and you should find you won’t get disconnected every 45 or so minutes.
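Steps 8 to 10 above are a mechanical find-and-replace, so here is an added shell script (not part of the original post) that applies those three edits to a copy of the generated config and reports whether every old value was replaced. The address in the sample config is a constructed placeholder; the script only rewrites text on stdin and does not touch /etc/racoon itself.

```shell
#!/bin/sh
# Added example: apply the racoon edits from steps 8-10 as a text transformation.
# Reads a racoon per-connection config on stdin and writes the patched one on stdout.
set -eu

# dpd_delay N;         -> dpd_delay 0;          (step 8)
# proposal_check WORD; -> proposal_check claim;  (step 9)
# lifetime time N sec; -> lifetime time 12 hours; (step 10, every occurrence)
# Leading whitespace (\1) is preserved so the file keeps its indentation.
patch_racoon_conf() {
    sed -E \
        -e 's/^([[:space:]]*)dpd_delay[[:space:]]+[0-9]+[[:space:]]*;/\1dpd_delay 0;/' \
        -e 's/^([[:space:]]*)proposal_check[[:space:]]+[a-z]+[[:space:]]*;/\1proposal_check claim;/' \
        -e 's/^([[:space:]]*)lifetime[[:space:]]+time[[:space:]]+[0-9]+[[:space:]]+sec[[:space:]]*;/\1lifetime time 12 hours;/'
}

# Constructed sample resembling /var/run/racoon/<ip>.conf: placeholder address,
# the values the post mentions (obey, 20, 3600) and two lifetime lines.
SAMPLE_CONF='remote 192.0.2.1 {
        proposal_check obey;
        dpd_delay 20;
        proposal {
                lifetime time 3600 sec;
        }
}
sainfo address 10.0.0.2/32 any address 0.0.0.0/0 any {
        lifetime time 3600 sec;
}'

# Number of lines in the patched output that still carry an old value; 0 means all edits applied.
count_unpatched() {
    printf '%s\n' "$1" | patch_racoon_conf | grep -c -E 'dpd_delay 20|proposal_check obey|3600 sec' || true
}

# Number of lifetime lines now set to 12 hours (expected: one per original lifetime line).
count_lifetimes() {
    printf '%s\n' "$1" | patch_racoon_conf | grep -c 'lifetime time 12 hours;' || true
}

# Run with --demo to print the patched sample; otherwise the functions are just defined.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CONF" | patch_racoon_conf
fi
```

To use it on a real copy, feed the file from step 2 through patch_racoon_conf and write the result back (e.g. to a new file you then move into place with sudo), then check the output with count_unpatched before reconnecting.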


Original Apple Support Thread

Wiki article guide to migrating from Cisco VPN Client to the inbuilt Mac OS X client

Apple Radar bug #12449876


If you have any feedback, or if this works for you please leave a comment. Comments keep me motivated to publish more solutions to issues I come across.


  1. Joseph

    I keep getting the following error: “A configuration error occurred. Verify your settings and try reconnecting.”

  2. Matthew Dresden

    This solution didn’t seem to quite work in 10.8

    The /var/run/racoon/ directory has a sticky bit set on it that is not set on the /etc/racoon directory.

    For whatever reason just copying the file to the /etc/racoon folder and not even making changes to it and then changing the include in the racoon.conf file to the new path results in a conf file parse error.

    The resolution was to cp the to the /etc/racoon folder, make your changes, then save. Then chmod the file to 400, then make a symbolic link in the /var/run/racoon folder that points to the /etc/racoon/blah.conf file you made.

    Then start the VPN connect and since its permissions are 400 it can’t be overwritten, but will accept your changes.

    Also, btw, I have read changing the dpd_delay setting is not necessary or preferred.

    Good luck! Wish Apple would fix the client as this is a crappy hack and for each additional Cisco IPsec VPN client you would have to do a lot of editing, as you would have to create multiple symbolic links and then change the name of all the sym links you don’t want to use so they are not included by the racoon conf each time. For myself I will write a script to launch the VPN client that automates this process, but in the meantime it works but not well.

