Cisco VPN Client & OSX Lion

Jul 26th, 2011

What's the timeline looking like for an update to the Cisco VPN Client for the newest version of OSX?

I am aware of the current workaround, which involves booting into 32-bit mode. Is there a future update in the works that will work without having to boot into 32-bit mode?

hdashnau Tue, 07/26/2011 - 09:39

You could use AnyConnect (support was just added in the latest release of AC) or try the built-in Mac IPsec client instead as well.

hdashnau Tue, 07/26/2011 - 09:41

Here's some more information about AnyConnect + Lion support:

http://www.cisco.com/en/US/partner/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html#wp1369279

Lion Support

AnyConnect 3.0.3050 provides support for Lion OS X 10.7. Without the appropriate JAVA and Web applet, OS X users may experience CSCtq62860 or CSCto09628. You must install JAVA and enable the appropriate Applet plug-in and web start applications using these steps:

Step 1 Open the JAVA Preferences when doing Hostscan or Weblaunch with Safari on OS X 10.7.

Step 2 If JAVA is not already installed, you are prompted to do so.

Step 3 Check the Enable applet plug-in and Web Start applications option.

markr1406 Tue, 08/02/2011 - 20:17

I've been having trouble with DNS resolution if I use the native OSX client (in Snow Leopard) 10.6.8. Specifically I'm having trouble connecting to a Cisco IPSec VPN; the trouble seems to be that the service pushes DNS, which can't be received by the OSX VPN client. Does that make sense? Specifying the DNS manually doesn't work. I can ping everything, but not resolve any names.

hdashnau Tue, 07/26/2011 - 09:42

And here are some instructions about using the Apple built-in client. Using the Apple built-in client will help ensure support as the Mac OS Evolves.

Here's how to use the Apple built-in client instead:

1. Open System Preferences > Network
2. Click the lock button to unlock it and make changes
3. Click the plus sign above the unlocked lock button to add an interface.
4. On the "Interface" drop-down select "VPN"
5. On the "VPN Type:" drop-down select "Cisco IPSec"
6. In the "Service Name:" text box create a memorable interface name such as "Corp IPsec VPN"
7. Click OK and then select this new interface
8. Configure the interface with server address, VPN group and pre-shared key, username and password, etc.

chubirka Tue, 07/26/2011 - 19:56

The above process works on OSX Snow Leopard, but it doesn't seem to work on Lion. It seems to get stuck on Phase 2. I get the following message in my logs: IKE Packet: transmit success. (Phase2 Retransmit). Not sure why we're having problems with Lion, but not Snow Leopard, on our network.

dylan.scholz Tue, 07/26/2011 - 10:26

Hi hdashnau, thank you for the prompt reply. You offered some great alternatives to using the Cisco VPN Client.

Although the alternatives may work, I would like to stick with the Cisco VPN Client. I'm still wondering if there is a future update in the works to reflect the new version of Lion, and if so, when?

hdashnau Tue, 07/26/2011 - 10:33

As far as I know, there is nothing in the works right now and it is highly unlikely that there will be a new Cisco IPSec VPN client developed for Mac. Your best bet would be to pursue the alternative solutions.

saspringer Sun, 07/31/2011 - 08:17

Hi hdashnau,

Regarding your instructions above using the Apple built-in client: I can't tell from the way you wrote it whether it would still be necessary to use the install disc for Mac that I got from my IT department. Could you clarify please? Thanks.

leigh@Hi-Powered.net Tue, 08/02/2011 - 20:54

I have the built-in Lion client connecting fine with a Virtual Tunnel Interface on my Cisco 2821 router, into a VRF. The problem is the built-in client only works with the first route in the access-list in the isakmp client configuration. This might be why some users report DNS issues: if their DNS is outside the route set up by the first line of the ACL in the isakmp client config.

These routes work fine in the PC client and the Mac client for earlier OSes, but not with the built-in Lion client. I am also getting the same issue with the built-in iOS client on iPhone and iPad.

leigh@Hi-Powered.net Tue, 08/02/2011 - 20:57

I should add that the clients (both iPad and Lion) are getting the routes, they just aren't working, almost as if the client end is not encrypting/decrypting for any routes other than the primary.

fabian.dimian Tue, 08/16/2011 - 08:34

Hello Leigh,

I have the exact same problem. The VPN client (integrated) on Mac works pretty well, but only for the first route in the access list of the VPN server router; all routes below the first do not work in any way...

Did you find some way to solve it? With the Cisco VPN Client for Mac, all routes work OK (Snow...), but here in Lion with the integrated Cisco IPsec client only the first one works...

Thanks a lot,

Rens.Boeren@cz.nl_2 Wed, 08/03/2011 - 22:30

The problem with the Mac VPN client is that certificates don't seem to work.
I find it strange that Cisco wouldn't make a new VPN client for the Mac.

Mac is more popular than ever...

eric.bradford Sun, 08/07/2011 - 11:21

We too are having issues with the native VPN client in OS X Lion, and iPhones as well. The Windows Cisco VPN client works perfectly. We have just upgraded our branch routers from 2821 devices to 2921 devices running the latest IOS. There are many networks behind this VPN connection as well as OSPF routing. The Windows machines will connect using the .pcf file and are able to get to each network the ACLs allow behind the tunnel. We then move over to Lion and iPhone 4 hosts using the native client and connect perfectly. However, the native client only works with the first route in the access-list in the isakmp client configuration ACL. This is most likely due to something Apple has modified recently in both Lion and iPhone. Any ideas would be helpful.

taylor.williams Mon, 08/08/2011 - 17:48

I found another post (can't remember the link) but to get the Cisco IPSEC client version 4.9 to work I hold down the 3 and the 2 key during boot and then the Cisco client will work. I am able to get the native Lion VPN to work with an ASA.

eric.bradford Tue, 08/16/2011 - 10:05

In order to resolve our issue, we had to revert back to the old-style crypto map away from the virtual template configuration. This is the official response from Cisco TAC:

"I do want to put it out there first that we do not technically support the Apple built-in client. That has been written by Apple and we have no capabilities to support/provide bug fixes for it. With that being said, here is the technical information on why it is not working for you.

1) When presented with a split tunnel ACL the Apple client will create a proxy pair for each line.

   i.e. VPN IP address of A, split ACL of:

       permit B
       permit C
       permit D

   You would see an IPsec SA from A to B, A to C, and A to D.

2) When presented with a split tunnel ACL the Cisco client will create a single IPsec SA:

   i.e. A to any

   However, the client will only route traffic to B, C, D over the tunnel.

This is fine and has no problems when using a crypto map style setup for EzVPN.

However, when you configure the use of dVTI this becomes difficult. This is because the VTI can only support 1 IPsec SA built to it. As a result, when the Apple client tries to propose the proxy pair for the A to C entry it is rejected.

This leaves you two options here:

1) Switch to a tunnel-all configuration

2) Switch back to the crypto map configuration rather than the virtual-template configuration."
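The TAC explanation above, modelled in code. This is an added example and not Cisco, Apple or forum code; it assumes the behaviour described in the quoted reply (the Apple client proposes one proxy pair per split-ACL line, the Cisco client proposes a single A-to-any pair, a dVTI keeps only one IPsec SA, a crypto map keeps any number) and uses constructed addresses.

```python
"""Toy model of IKE phase-2 proxy-pair negotiation against an IOS EzVPN server.
Constructed for illustration; the rules encode the TAC description in the thread,
not real IOS or OS X client code."""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

def apple_proposals(client_ip, split_acl):
    # One proxy pair (client host <-> ACL subnet) per permit line.
    return [(ip_network(f"{client_ip}/32"), ip_network(n)) for n in split_acl]

def cisco_proposals(client_ip, split_acl):
    # Single SA to "any"; the split ACL only steers the client's local routing.
    return [(ip_network(f"{client_ip}/32"), ANY)]

def negotiate(proposals, server_mode):
    """Proxy pairs the server installs. A dVTI accepts only the first SA,
    so later proposals (A to C, A to D) are rejected; a crypto map keeps all."""
    if server_mode == "dvti":
        return proposals[:1]
    if server_mode == "crypto-map":
        return list(proposals)
    raise ValueError(f"unknown server mode {server_mode!r}")

def reachable(dest, accepted_sas, split_acl):
    """Traffic to dest is protected only if the client's split policy sends it
    into the tunnel AND some installed SA covers that destination."""
    d = ip_address(dest)
    in_policy = any(d in ip_network(n) for n in split_acl)
    covered = any(d in remote for _, remote in accepted_sas)
    return in_policy and covered

# Constructed values: client gets address A; the split ACL permits B, C, D.
CLIENT_IP = "10.255.0.7"
SPLIT_ACL = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]
PROBES = ["10.1.0.10", "10.2.0.10", "10.3.0.10"]   # one host in each of B, C, D

def matrix(split_acl=SPLIT_ACL):
    """Reachability of each probe per (client, server mode) combination."""
    out = {}
    for name, prop in (("apple", apple_proposals), ("cisco", cisco_proposals)):
        for mode in ("dvti", "crypto-map"):
            sas = negotiate(prop(CLIENT_IP, split_acl), mode)
            out[(name, mode)] = [reachable(p, sas, split_acl) for p in PROBES]
    return out

if __name__ == "__main__":
    for combo, result in matrix().items():
        print(combo, result)
```

Running `matrix()` reproduces the symptom in the thread: only the Apple client on a dVTI loses C and D, and switching that same client to a tunnel-all ACL (`matrix(["0.0.0.0/0"])`) restores them, matching TAC's first option.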

fabian.dimian Fri, 08/19/2011 - 16:33

Hi Eric,

Thanks for the info... You are right. I switched back to crypto maps (dynamic in my case...) and then the built-in Cisco IPsec client of OSX Lion works pretty well with all my networks defined in the access list; with virtual templates it always uses the first one...

Thanks a lot,

You helped to me a lot,

Best Regards,

Fabian.

thoulihan@allai... Wed, 09/07/2011 - 14:38

I have been attempting to get the Mac built-in Cisco VPN client to do split tunneling on my ASA IPsec VPN with no luck.

My ASA setup is:

IPSEC profile:

ACL Exclude Network List Below:

In that ACL I have 1 host, e.g. 1.1.1.1 255.255.255.255

When I use the Mac built-in Cisco VPN client, no traffic gets to this host 1.1.1.1; it just gets blackholed somewhere, and traceroute goes nowhere. All other traffic goes through the VPN tunnel fine. Is the client just not listening to the split tunnel ACL?

Any advice would be helpful.

rcarricato Tue, 11/08/2011 - 11:19

I have been successfully using the built-in Mac OS X IPsec client on Lion 10.7.2 for a couple of months now. I have no need for the Cisco IPsec client anymore, nor to boot into stupid 32-bit mode.

Not sure about the issues you guys are having, but I followed this guide and it works perfectly. For most of my customers I only have a .pcf file which, of course, I cannot use to figure out the group name and password... until now...

http://anders.com/guides/native-cisco-vpn-on-mac-os-x/

allenferdinand Wed, 06/27/2012 - 20:36

I know that I'm late to this party, but I'm a sysadmin who has recently upgraded his ASA to 8.4 code. Ever since, I've been working with Cisco to get Mac clients working from inside my network to external ASAs. There is an issue with the Mac client not changing the source port from 4500 to something else and the reply getting dropped. There is a fix for the 32-bit client, but who wants to boot into 32-bit mode every time?

coto.fusionet Thu, 06/28/2012 - 11:32

Hey guys,

I'm on Mac OSX Lion and need to load the .PCF file from a client.

I'm connected right now from a VM running Windows on the Mac, using the IPsec Cisco VPN client.

But I'm trying to use the native IPsec client on Mac (for which I don't have the pre-shared key), so I can't configure it manually...

And I'm trying to find out if there's a way to load a .PCF file into a client on the Mac, to be able to forget the VM and connect without knowing the "pre-shared key".

Thanks anyone ;-)

Federico.

pighairlab Sun, 08/26/2012 - 19:25

There's a significant issue with MacOSX Lion/Mt Lion.

As you all know, the Cisco client does not work with the 64-bit kernel, and from Lion on MacOSX does not support 32-bit kernel booting.

Cisco's recommendation to use IPSec VPN on MacOSX is to use OS built-in client.

The problem is the built-in client DOES NOT support UDP connection.

I have to use UDP connection to connect to company's VPN, but I can't because of that.

It's the same with VPN on iOS devices.

I'm using VPN on my virtual machine with Windows XP and it discourages me a lot from using VPN.

I cannot go to specific internal page from Mac Mail, so I always copy link and paste it in IE's address box.

Cisco should build 64-bit Mac client or provide anything to Apple to support IPSec over UDP.

If there's anyone who could connect VPN over UDP on MacOSX, please let me know how.

elstevo01 Thu, 09/06/2012 - 00:59

Hi all,

I also have the same problem; is there any news from Cisco about a new VPN client version in 64-bit?????

I'm searching now for more than 1 year!!!

Posted July 26, 2011 at 8:58 AM