I have an ASA 5510 box with software version 7.2(1) which I am trying to get to work with the built-in VPN client on Mac OS X 10.4.x. I have the ASA set up to the point that client machines using the Cisco client can VPN in properly with everything working, and the Apple client can seemingly connect properly. When connected via the Apple client, however, the network is not accessible. Both the ASA with logging set to the debug level and the Apple VPN log show a good connection. The Apple client receives the addresses of our internal DNS servers properly, and a netstat -rn shows the 10.x destinations (our inside network) being routed over ppp0, the VPN connection. All this looks good, but no traffic flows. If, for example, I try to ping a computer inside the network, I get no response. The ASA log only shows a string of errors like the following:
3 Dec 07 2006 08:58:24 713042 IKE Initiator unable to find policy: Intf inside, Src: 10.9.1.59, Dst: 10.8.1.2
where 10.8.1.2 is the address assigned to the VPN client, and 10.9.1.59 is a computer inside the network that I know responds to pings. I know this error is described as being "probably timing related" and "likely to correct itself", but in this case it seems to be denying me access to the network. As mentioned before, the Cisco client works fine. How can I correct this, other than using the Cisco client? There are a number of reasons why I would rather use the Apple client. Thanks!
If it helps any, when connected the ASA VPN statistics show the protocol for the Apple client as "L2TPOverIPSecOverNatT" and the Encryption as 3DES. For the Cisco client, the protocol is listed as only "IPSecOverNatT". Everything else looks the same. Any ideas? Thanks.
I'm no expert, but based on your IKE message it seems like you need some policy in place that allows the traffic from 10.8.x.x to 10.9.x.x?
I'm attempting something similar, but with an ASA5505. I can get a Mac OS 10.3 client to connect to my ASA, but I can't ping it on the same subnet 192.168.1.x. I'm trying to use ARD (Apple Remote Desktop) to control/observe that logged in client.
PS: I'm using Cisco's VPN client, I realize you're using Apple VPN client.