Does Security Belong Near Endpoints?
I use multiple VPN clients, depending on which customer I am supporting on which day. I regularly use the Cisco VPN Client, the Cisco AnyConnect VPN Client, and the built-in Native Cisco VPN Support on my Mac (I’m currently running Snow Leopard version 10.6.8). However, a recent customer project led me to install the Shrew Soft VPN Client that they supported so that I could access their network through their Netscreen firewall. (This client is a free IPsec client distributed under an open source license; to get it to work on the Mac I also needed to install the LGPL Qt Framework and a TUN/TAP driver, but that is another story…)
Some time later, I found out that after installing the Shrew Soft Client, neither the Cisco VPN Client nor the built-in Native Cisco VPN Support would work on my Mac. The AnyConnect VPN Client still worked fine. Obviously it was time for some troubleshooting.
As a first step, I rebooted my Mac, but the Cisco VPN Client was still unhappy – it could not initialize the IKE ports. From the VPN Client Log file I saw messages such as:
. . .
314 14:39:38.673 07/10/2012 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (500).
315 14:39:38.674 07/10/2012 Sev=Warning/2 CVPND/0xC340001C
Privilege Separation: unable to bind to port: (500).
316 14:39:38.674 07/10/2012 Sev=Critical/1 CVPND/0xC3400003
Function SocketApiBind() failed with an error code of 0xFFFFFFFF(ike-init-state.cpp:402)
317 14:39:38.674 07/10/2012 Sev=Critical/1 CVPND/0x43400012
Unable to bind to IKE port. This could be because there is another VPN client installed or running. Please disable or uninstall all VPN Clients other than the Cisco VPN Client.
318 14:39:38.674 07/10/2012 Sev=Info/4 CM/0xC3100003
Failure to Initialize IKE ports
. . .
The console messages for the built-in Cisco VPN support were not as detailed, but also indicated an issue:
. . .
[0x0-0x3a03a].com.cisco.VPNClient bind: Address already in use
[0x0-0x3a03a].com.cisco.VPNClient bind: Address already in use
[0x0-0x3a03a].com.cisco.VPNClient bind: dst addr 0.0.0.0 port 500
. . .
(On the Mac, you can find console messages using Console.app via Applications > Utilities > Console.)
OK, I removed the Shrew Soft VPN Client, the LGPL Qt Framework, and the TUN/TAP driver. I still got the same messages. Rebooted. I got the same messages. I removed and reinstalled the Cisco VPN Client software. I got the same messages. Rebooted. I got the same messages.
I did find a partial work-around – if I added “UseLegacyIKEPort=0” at the end of the .pcf files, I could get the Cisco VPN Client to connect. However, I still had issues with the built-in Native Cisco VPN Support.
Releasing Port 500
I decided that I really needed to release whatever was binding port 500 that IKE/ISAKMP was trying to use. Something was not completely cleaned out from my removal of the Shrew Soft VPN Client. I did try asking the IT Support desk for one of my customers (hey, I was having issues with the VPN to them), as well as the official Apple Support number about how to determine what program was binding a port, and how to release it. I got a couple hints from them, but also did a bunch of Google searches. Other folks had run into a similar binding issue, so I tried to put together the pieces.
By the way, port 500 is mapped to ISAKMP by default on the Mac; you can see that in the /etc/services file:
~ cwr$ grep ' 500/' /etc/services
isakmp 500/udp # isakmp
isakmp 500/tcp # isakmp
~ cwr$
What worked for me to find the process using port 500 was the “list open files” command (lsof), and then killing the process with superuser privileges:
~ cwr$ sudo lsof -i
...
iked 46 root 15u IPv4 0x0dac7d38 0t0 UDP *:isakmp
iked 46 root 16u IPv4 0x0dac7c5c 0t0 UDP *:ipsec-msft
...
~ cwr$ sudo kill -1 46
~ cwr$
After I killed the iked process, I was able to run the Cisco VPN Client, and the built-in Native Cisco VPN Support.
Permanently Removing the Binding
If you recall, the problem persisted even when I rebooted the Mac previously, so the iked daemon was being started during the boot process. I needed to find and remove that startup entry as well. I started looking for likely entries in the startup directories and found it pretty quickly:
~ cwr$ cd /Library/StartupItems
StartupItems cwr$ ls
StartupItems cwr$
~ cwr$ cd /Library/LaunchDaemons
LaunchDaemons cwr$ ls
com.adobe.fpsaud.plist
com.barebones.authd.plist
com.barebones.textwrangler.plist
com.cisco.anyconnect.vpnagentd.plist
com.google.keystone.daemon.plist
com.microsoft.office.licensing.helper.plist
com.rim.BBDaemon.plist
com.symantec.MissedTasks.plist
com.symantec.Sched501-1.plist
com.symantec.avscandaemon.plist
com.symantec.deepsight-extractor.plist
com.symantec.diskMountNotify.plist
com.symantec.navapd.plist
com.symantec.navapdaemonsl.plist
com.symantec.sharedsettings.plist
com.symantec.symSchedDaemon.plist
com.symantec.symdaemon.plist
net.shrew.iked.plist
LaunchDaemons cwr$ sudo rm net.shrew.iked.plist
Password:
LaunchDaemons cwr$
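The two steps above (finding the process that holds the IKE port, then finding the launchd job that would start it again at boot) as an added shell example. This is not code from the original post or from Shrew Soft; the lsof output is a constructed sample shaped like the one in the post, and the LaunchDaemons directory is passed as a parameter so the function can be pointed at a scratch directory rather than the real /Library/LaunchDaemons.

```shell
#!/bin/sh
# Added example (not from the original post). Two helpers for the procedure
# described above: find which process holds a given port from `lsof -i`
# output, then find the launchd plist that would start that program at boot.

# Constructed sample of `sudo lsof -i` output, abridged to the shape shown in
# the post. On a real Mac pipe the live command in instead:
#     sudo lsof -i | pids_on_port isakmp
SAMPLE_LSOF='COMMAND       PID USER           FD   TYPE     DEVICE SIZE/OFF NODE NAME
iked           46 root           15u  IPv4 0x0dac7d38      0t0  UDP *:isakmp
iked           46 root           16u  IPv4 0x0dac7c5c      0t0  UDP *:ipsec-msft
mDNSResponder  33 _mdnsresponder  7u  IPv4 0x0dac7b80      0t0  UDP *:mdns'

# pids_on_port NAME-OR-NUMBER
# Reads lsof output on stdin and prints "command pid" for each socket whose
# NAME column ends in ":NAME-OR-NUMBER" (a service name with plain `lsof -i`,
# a numeric port with `lsof -i -nP`). Duplicates (one process holding several
# sockets, as iked does here) are collapsed so each holder is listed once.
pids_on_port() {
    awk -v want="$1" 'NR > 1 && $NF ~ (":" want "$") { print $1, $2 }' | sort -u
}

# plists_for_program DIR PROGRAM
# Lists plist files in a LaunchDaemons/LaunchAgents directory that mention
# PROGRAM, i.e. the job definitions launchd would use to start it at boot.
# Pass /Library/LaunchDaemons on a real system; DIR is a parameter here so the
# function can be exercised against a temporary directory.
plists_for_program() {
    dir="$1"
    prog="$2"
    grep -l -- "$prog" "$dir"/*.plist 2>/dev/null
}

# Demonstration on the constructed sample; prints: iked 46
printf '%s\n' "$SAMPLE_LSOF" | pids_on_port isakmp
```

Killing the process (as the post does) frees the port for the current session only; the plist is what brings it back after a reboot. Deleting the plist works, and macOS also offers `sudo launchctl unload -w /Library/LaunchDaemons/net.shrew.iked.plist`, which stops the job and records it as disabled without removing the file, which is easier to reverse if the Shrew Soft client is needed again later.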
I rebooted my Mac, and success! My three regularly used VPN clients (the Cisco VPN Client, the Cisco AnyConnect VPN Client, and the built-in Native Cisco VPN Support) all worked. If required, I am pretty sure I could re-install the Shrew Soft VPN Client, and manually kill the iked daemon as needed if I wanted to run other VPN clients.
I hope this explanation may help others with Cisco VPN Client issues.