VPN CLIENT RUNNING MAC OSX 1.06.2 - KERNEL 64

Unanswered Question
Dec 15th, 2009

I'm in trouble after switched my Macbook Pro SL kernel in 64 bit mode: my VPN Client (vpnclient-darwin-4.9.01.0180-universal-k9) won't work.

The "ERROR 51: Unable to communicate with the VPN subsystem" is well documented everywhere, however if I try to stop and restart the service via terminal "udo SystemStarter restart CiscoVPN" (or other equivalent) I received the following advise:

"(kernel) Kext com.cisco.nke.ipsec not found for unload request.
Failed to unload com.cisco.nke.ipsec - (libkern/kext) not found.
Starting Cisco Systems VPN Driver
/System/Library/Extensions/CiscoVPN.kext failed to load - (libkern/kext) requested architecture/executable not found; check the system/kernel logs for errors or try kextutil(8)."

Doubtful that problem is that the client is not released as x86_64 build for Mac Osx Snow Leopard.

There is a possible solution about this situation (that is not to turn on kernel to 32 bit)?

Thank you in advance.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (1 ratings)
busterswt Tue, 12/15/2009 - 20:10

I still haven't had any luck getting Cisco's client to work in Snow Leopard. Apple does have a built-in Cisco IPSec client, though it only works with xauth as far as I know. I've only used it to connect to ASA's, so I'm not sure if a PIX using xauth will work. If you need help configuring it, let me know.

James

DaustoCob Wed, 12/16/2009 - 13:08

Hi James, thank you for your availability,

when my Mac Osx was working with 32 Bit kernel, the Cisco VPN Client was working fine too.

I did not try yet to switch back the kernel setting for verify if the problem is the 64 bit running mode, however I am sure that the reason can not be other.

I would be happy if Cisco Systems will give me an officially response about VPN Client for Mac Osx 1.06.x 64 Bit Kernel compatibility: would answer many questions that assail Apple users hopeless.

Now I'm forced to use  Apple Cisto IPSec and it works very fine and fast, but Sys Administrators are not happy to reveal shared group key, they prefer distribute PCF files (which Apple/Cisco is not able to import!!).

Bye

billcole Wed, 07/28/2010 - 10:35

DaustoCob wrote:

[...]

Now I'm forced to use  Apple Cisto IPSec and it works very fine and fast, but Sys Administrators are not happy to reveal shared group key, they prefer distribute PCF files (which Apple/Cisco is not able to import!!).

I realize this is an old thread, but this statement implies a false and risky assumption that shared secrets in PCF files are (or even logically can be) safe from discovery. The encryption used to store group and user passwords in PCF files has to be reversible because the client needs to know the secret to use it. The mechanism has been widely known for almost 5 years and there's freely available C source code for a simple decryption program. The group shared secret is much less vulnerable when using Apple's client in Snow Leopard than it is when using Cisco's client with a PCF file, as is the user password if it is allowed to be saved in the PCF.

It is possible to create a network config file for the Snow Leopard VPN client so that users don't have to be given a shared secret to enter manually, but those files share the fundamental risk as a PCF: the encrypted secret can be decrypted. However, unlike PCF's they are only needed for distributing configurations. If you can get users to delete the distributed file once they've imported it, the overall risk of exposing the group shared secret is significantly less than with PCF's. It would be helpful if Apple imported PCF's directly, but given the need to decrypt passwords for that I would not expect them to do so.

Craig Lorentzen Wed, 03/09/2011 - 12:47

Hello All,

The Cisco IPSec cliet for Mac OS X does not support the 64 bit kernel.  The solution is to re-configure your Mac to boot into the 32bit kernel.  The VPN driver only has i386 and PPC extensions, not x86_64 extensions.

This had not been much of a concern until recently when Apple began to release there Macbook Pro systems configured to boot into 64 bit by default

Some information

Default Architecture

http://support.apple.com/kb/HT3770

snip

These Macs use the 64-bit kernel by default in Mac OS X v10.6.

  • Mac Pro (Mid 2010)
  • MacBook Pro (Early 2011)

How to Set the Boot Architecture

http://support.apple.com/kb/ht3773

You can see which kernel you are using in System Profiler:

  1. Choose About This Mac from the Apple menu.
  2. Click More Info.
  3. Select Software in the Contents pane.
  4. Look for "64-bit Kernel and Extensions: Yes (or No)" under the System Software Overview heading.

It is highly recommended to use the Apple built-in client moving forward to ensure continued support as the Mac OS Evolves.

Document write up here:

https://supportforums.cisco.com/docs/DOC-3613

-Craig

Actions

Login or Register to take actions

This Discussion

Posted December 15, 2009 at 9:43 AM
Stats:
Replies:4 Avg. Rating:5
Views:7137 Votes:0
Shares:0

Related Content

Discussions Leaderboard