Apple recently released Mac OS X 10.11.4, the latest update for OS X El Capitan. I’m generally an early adopter. If I’m not running a beta release (which I must admit, I’m not doing nearly as much of anymore), I am certainly the first in line to update OS X or iOS to the latest release as soon as it’s reached GA status.
If you’re like me, the latest OS X update, 10.11.4, broke some VPN profiles, specifically certain Cisco IPsec profiles. When I first discovered the VPN client wouldn’t connect to a Cisco IPsec profile that was working just fine before the update, I first thought it may be a problem on the remote end, or even perhaps with my ISP. I tried a secondary VPN profile that’s L2TP over IPsec and had no issues. I then tried a third profile using Cisco IPsec, with no luck. After successfully connecting to a fourth VPN profile (also L2TP over IPsec), I was beginning to think the issue had nothing at all to do with the original VPN endpoint I was attempting to connect to or my ISP. A quick test of the same VPN profiles on a second Mac that had been updated to 10.11.4 yielded the same results, even when connected to a second ISP, confirming my theory.
What next? Google to the rescue, of course!
A quick search for “OSX 10.11.4 IPsec” yielded a thread in Apple’s Support Communities that was opened just yesterday with multiple users having similar issues. Yes, I was on to something – my Google Foo was strong!
After reading through a handful of “me too’s”, I found a reply that suggested increasing the DH Group to 14 on the VPN appliance would fix the issue. Of course I was remote – the reason I was trying to connect to VPN in the first place, so I couldn’t test this theory until later when I actually made it onsite. I can confirm that in my case, changing the DH Group to 14 solved my problem. It appears that starting with OS X 10.11.4, Apple requires a minimum of a 2048 bit modulus (DH Group 14) to connect to IPSec VPNs. These two “broken” VPN profiles were using 1024 bit modulus.
How to modify an existing IPsec Tunnel on a FortiGate firewall using FortiOS 5.4
If you have an IPSec VPN Tunnel configured on a FortiGate firewall, and you used the default “Dialup – Cisco IPsec Client” template, it’s likely that your DH Group is set to 2. I couldn’t find a way to modify the DH Group for an existing IPSec tunnel in the FortiOS 5.4 GUI, but here are the CLI commands to make the change:
FW01 # config vpn ipsec phase1-interface
FW01 (phase1-interface) # edit YOUR_VPN_TUNNEL
FW01 (YOUR_VPN_TUNNEL) # set dhgrp 14
FW01 (YOUR_VPN_TUNNEL) # end
That’s it! One thing I love about the FortiOS CLI is that it’s incredibly powerful, yet very easy to navigate – much easier to navigate than Cisco IOS in my opinion. I was able to apply this to a handful of FortiGate firewalls that I manage for SquarePlanIT customers who were using Cisco IPsec VPN tunnels and weren’t already using a 2048 bit modulus. Speaking of managed firewalls – if you’re looking for a managed IT solutions provider, or even just have some project work to knock out, get in touch! I’d love to tell you about all that we have to offer.
Learn more about Diffie-Hellman groups
To learn more about the Diffie-Hellman key exchange, here’s an excellent Wikipedia article. For a brief overview of the different DH Groups that can be configured, check out here’s a Cisco Support Community article.