SA 540 & Mac OS X Lion VPN - Nothing Works

Answered Question
Jan 21st, 2012

Very frustrated. I sold this SA 540 a year ago with the full package of security additions and every time I try to enable one, it doesn't work. The latest is client VPN connections using Mac OS X Lion. I have a MacBook Pro OS X Lion my client gave me to work on. He couldn't make it work either by using the built-in Cisco IPsec client or the SSL client. Here are the problems one at a time.

First the SA 540 firmware is the latest as of the date of this posting (2.1.71). The MacBook Pro OS X Lion version is 10.7.2.

The Apple Cisco IPsec client is looking for a group entry, but none is obvious in the SA 540 IPsec VPN setup. I’m sure the SA 540 supports an IPsec client since the user setup gives the option to use Standard IPsec (XAuth) or Cisco QuickVPN. What do I use for the group entry in the Apple Cisco IPsec client? Here are the SA 540 IPsec log entries when I try to connect.

Sat Jan 21 17:43:25 2012 (GMT -0500): [Cisco] [IKE] ERROR: Local configuration for x.xxx.xxx.xx [4500] does not have mode config
Sat Jan 21 17:43:25 2012 (GMT -0500): [Cisco] [IKE] ERROR: Local configuration for xx.xxx.xxx.xx [4500] does not have mode config
Sat Jan 21 17:43:25 2012 (GMT -0500): [Cisco] [IKE] ERROR: Local configuration for xx.xxx.xxx.xx [4500] does not have mode config
Sat Jan 21 17:43:25 2012 (GMT -0500): [Cisco] [IKE] ERROR: Local configuration for xx.xxx.xxx.xx [4500] does not have mode config

Next, I tried the SSL portal. It works fine with Windows XP and Windows 7. It does not work with the MacBook Pro. I keep getting a message, “Check if you have root/administrative privileges on your system.” I found a posting that explains how to enable root/administrative privileges and did so. It didn’t make any difference.

I spent a lot of time reading posts on this Cisco forum and others. It seems many techs are having the same problem and while a few said they solved the problem, I followed their solution when it was offered, but to no avail.

So my question is, “Is this yet another thing that just doesn’t work on the SA 540?” If any type of VPN is possible from the MacBook Pro OS X Lion, then, please, tell me where I can get clear step by step instructions on how to do it. Do I need a third party VPN client? I can’t find a Cisco QuickVPN client for the Mac.
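The four IKE error lines quoted above, run through a small log triage script. This is an added example, not code from this thread or from Cisco: the line and peer regexes, the UTC normalisation and the mapping from the "does not have mode config" message to its meaning are assumptions of mine, and the sample log is constructed (the masked peer address is replaced by the documentation address 203.0.113.45, one line reproduces the dropped bracket seen in the post, and a filler INFO line is added so the filter has something to ignore). The script collapses the repeated lines into one finding with a count, flags that UDP port 4500 means the exchange is running over NAT-T, and attaches the explanation a practitioner wants next to the error: the Apple built-in Cisco IPsec client asks for ISAKMP Mode Config together with XAuth, so the IKE policy that matches the peer on the gateway has to have Mode Config / XAuth user authentication enabled.

```python
import re
from collections import OrderedDict
from datetime import datetime, timedelta, timezone

# Constructed sample input (not a verbatim appliance capture): the IKE errors
# quoted in the question with the peer address replaced by a documentation
# address, one line with the dropped "[" as it appears in the post, and one
# filler INFO line that the triage should ignore.
SAMPLE_LOG = """\
Sat Jan 21 17:43:25 2012 (GMT -0500): [Cisco] [IKE] ERROR: Local configuration for 203.0.113.45 [4500] does not have mode config
Sat Jan 21 17:43:25 2012 (GMT -0500): [Cisco] [IKE] ERROR: Local configuration for 203.0.113.45 4500] does not have mode config
Sat Jan 21 17:43:25 2012 (GMT -0500): [Cisco] [IKE] ERROR: Local configuration for 203.0.113.45 [4500] does not have mode config
Sat Jan 21 17:43:25 2012 (GMT -0500): [Cisco] [IKE] ERROR: Local configuration for 203.0.113.45 [4500] does not have mode config
Sat Jan 21 17:44:10 2012 (GMT -0500): [Cisco] [IKE] INFO: constructed filler line, not an error
"""

# Assumed line shape: "<ctime stamp> (GMT <offset>): [module] [proto] LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"\(GMT (?P<tz>[+-]\d{4})\): "
    r"\[(?P<module>[^\]]+)\] \[(?P<proto>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)
# Peer is logged as "a.b.c.d [port]"; the "[" is optional because one quoted
# line lost it.
PEER_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \[?(?P<port>\d+)\]")

# Substring of the IKE message -> what it means. Only the error from the
# question is mapped here; extend as you meet others.
KNOWN_ERRORS = {
    "does not have mode config": (
        "the peer requested ISAKMP Mode Config (the Apple built-in Cisco IPsec "
        "client and iOS do this together with XAuth), but the IKE policy that "
        "matched this peer has no Mode Config / XAuth user authentication enabled"
    ),
}


def parse_line(line):
    """Return a dict for one SA 500 IPsec log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    local = datetime.strptime(m["stamp"], "%a %b %d %H:%M:%S %Y")
    sign = -1 if m["tz"][0] == "-" else 1
    offset = timedelta(hours=int(m["tz"][1:3]), minutes=int(m["tz"][3:5])) * sign
    rec = {
        # Appliance time plus its printed GMT offset, normalised to UTC so the
        # lines can be lined up with captures taken elsewhere.
        "utc": local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc),
        "module": m["module"],
        "proto": m["proto"],
        "level": m["level"],
        "msg": m["msg"],
        "peer": None,
        "port": None,
    }
    p = PEER_RE.search(m["msg"])
    if p:
        rec["peer"] = p["ip"]
        rec["port"] = int(p["port"])
    return rec


def diagnose(log_text):
    """Group repeated IKE ERROR lines per peer and attach the known explanation."""
    findings = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        hint = next((v for k, v in KNOWN_ERRORS.items() if k in rec["msg"]), None)
        key = (rec["peer"], rec["port"], hint or rec["msg"])
        f = findings.get(key)
        if f is None:
            f = findings[key] = {
                "peer": rec["peer"],
                "port": rec["port"],
                # UDP 4500 is IKE over NAT-T: the client sits behind a NAT.
                # Plain IKE would show port 500.
                "nat_t": rec["port"] == 4500,
                "count": 0,
                "first_utc": rec["utc"],
                "last_utc": rec["utc"],
                "hint": hint,
                "sample": rec["msg"],
            }
        f["count"] += 1
        f["last_utc"] = max(f["last_utc"], rec["utc"])
    return list(findings.values())


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['peer']}:{f['port']} nat_t={f['nat_t']} x{f['count']} "
              f"{f['first_utc']:%Y-%m-%d %H:%M:%SZ} .. {f['last_utc']:%H:%M:%SZ}")
        print("   ", f["sample"])
        print("   ->", f["hint"] or "no known explanation")
```

Run it on the appliance's exported IPsec log instead of SAMPLE_LOG; the point of keying findings on (peer, port, explanation) is that one failed connection attempt produces a burst of identical lines, and a count per peer is what you want to compare before and after changing the IKE policy.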

Correct Answer
doug_counsil@ya... Sat, 01/21/2012 - 19:15

Cisco Tech Support is painfully aware that Mac OSX Lion is not currently working with SSL VPN on the RV220W, SA500 series routers, and probably more.

I have found 2 ways to get VPN to work with our SA540 for our Mac OSX Lion machines. The first is IPSecuritas and the second is by using the built-in VPN client in Mac OSX Lion.

This should get you going with using the built-in VPN client.  NOTE:  The VPN and IKE policy you create here will work for the iPhone/iPad as well! 

Also, I use XAUTH and dead peer detection. When turning on XAUTH choose to use the edge device and user database. Then all you have to do is set up the users in SA540 (XAUTH users not QuickVPN).

https://supportforums.cisco.com/thread/2095921

This should get you going with using IPSecuritas...

https://supportforums.cisco.com/docs/DOC-10279

BTW, you don't have to change "local.com" or "remote.com" when using the wizard.  Feel free to use the defaults. 

txlombardi_2 Sun, 01/22/2012 - 08:19

Thanks, Curtis. I downloaded the IPSecuritas client. It is listed as a release candidate, but I had no problem installing and configuring it. The VPN was up in minutes. I also found this link to similar instructions from your PDF. It looks like these may be newer.

http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/technote/note/SA500_mac_appnote.pdf

txlombardi_2 Tue, 01/31/2012 - 07:46

I think an addendum to this thread is needed. In my last post, I said the VPN is working, which it was. However, DNS is not working. When I tried to change the configuration of the VPN client release candidate, the client crashed. From that point forward nearly everything I attempted to do to get DNS to work crashed the program and required restarting the MacBook Pro. I never could get DNS to work.

I tried to sign up to the software publisher's forum to post the problem, but that didn't work.  I went through the registration process and tried to login, but my login did not work.  Next, I sent an email with the problem to the support address listed on their web site, but to this date have not received a reply.

Moral of the story, don't use the IPSecuritas VPN client until they fix it or at least enable some method of acquiring support from them direct or through a community.

The client removed the IPSecuritas VPN client and he is eyeing the SA 540 as the next thing to remove.

doug_counsil@ya... Tue, 01/31/2012 - 08:24

The built-in IPSec client in Mac OSX Lion allows you to add DNS servers. Click on the following link and go down about 4 or 5 posts where I state "You can easily test my scenario in your lab." Follow my instructions and you should be able to easily get IPSec up and running on a Mac running Lion. The entries for the Mac are similar to the iPhone and iPad. Let me know if you have issues.

https://supportforums.cisco.com/thread/2126526?tstart=0

txlombardi_2 Tue, 01/31/2012 - 09:07

The Mac was a client's computer and I had to return it when I could not get DNS to work with IPSecuritas.

I read all the posts about the resident VPN client and tried many different configurations, but just could not get that one to work either. One post said don't use split tunneling, but that was not an option. The main problem was centered on no available place to enter the group. I tried your method used on the iPad but it did not work either. Maybe I did something wrong.

Anyway, we have moved on to bypass VPN for Mac users.  The plan now is to use port translation from a SA 540 configured external port (9833) for a RDP session to an internal workstation with the standard configured port 3389.  That is not working either, but that's another discussion, which I have already posted.

doug_counsil@ya... Tue, 01/31/2012 - 09:23

We use the built-in version of IPSec on several MacBook Pro laptops everyday. It works flawlessly on each laptop. They are all running Mac OSX Lion. I will create a how-to document later today outlining all the steps. I believe you are getting hung up on the VPN configuration on the Mac which is NOT very intuitive. I will start from the beginning just to make sure though. We should have your client up and running by tomorrow. Hang tight.


doug_counsil@ya... Tue, 01/31/2012 - 18:54

I have attached a document on how I set up all our MacBook Pros to VPN into our SA540. All of our MacBook Pros work flawlessly for hours on end. No one has complained yet. I did enable Dead Peer Detection so users have to keep re-connecting if their laptop goes to sleep. I did that just to keep the number of connected peers to a minimum.

Also, you mentioned that you needed to add DNS servers. When you set up your VPN connection in Network Preferences, there is an Advanced button that allows you to set up DNS servers, as well as Search Domains. This should be exactly what your client is needing based on your posts.

As I mention in the document, you can also use the same exact VPN/IKE Policies you created on the SA540 (for the MacBook Pros) for an iPhone, an iPad, or even the Cisco VPN Client. That should make your client very happy. The only maintenance needed is to add new users when applicable.

Good Luck!

doug_counsil@ya... Tue, 01/31/2012 - 19:44

Another comment based on your previous post. We also use split tunnelling. All I had to do was select Split Tunnel from the Tunnel Mode drop-down box on the Dynamic IP Range tab.

Also, regarding setting up DNS servers in IPSecuritas, this functionality works for me. I don't know why you received errors. We have never had an issue with IPSecuritas. We have IPSecuritas set up on each of our MacBook Pros as a backup just in case someone runs into an issue with the built-in version of IPSec on their Mac.

At any rate, let us know how it goes.

txlombardi_2 Mon, 02/06/2012 - 10:09

Curtis,

Thanks for the VPN how-to document.  I will forward it on to my client.

Posted January 21, 2012 at 3:32 PM