Cisco VPN Client & OSX Lion

dylan.scholz
Level 1

What's the timeline looking like for an update to the Cisco VPN Client for the newest version of OSX?

I am aware of the current workaround, which involves booting into 32bit mode.  Is there a future update in the works that will work without having to boot into 32bit mode?


I found another post (can't remember the link) but to get the Cisco IPSEC client version 4.9 to work I hold down the 3 and the 2 key during boot and then the Cisco client will work. I am able to get the native Lion vpn to work with an ASA.

In order to resolve our issue, we had to revert back to the old style crypto map away from the virtual template configuration.  This is the official response from Cisco TACs.

"I do want to put it out there first that we do not technically support the apple built-in client.  That has been written by Apple and we have no capabilities to support/provide bug fixes for.  With that being said here is the technical information on why it is not working for you.

1)  When presented with a split tunnel ACL the Apple client will create a proxy pair for each line.

    i.e.  VPN IP address of A

          split ACL of:

              permit B
              permit C
              permit D

    You would see an ipsec sa from A to B, A to C, and A to D.

2)  When presented with a split tunnel ACL the Cisco client will create a single ipsec sa:

    i.e. A to any

    However the client will only route traffic to B, C, D over the tunnel.

This is fine and has no problems when using a crypto map style setup for ezvpn.

However when you configure the use of dVTI this becomes difficult.  This is because the VTI can only support 1 ipsec sa built to it.  As a result when the Apple client tries to propose the proxy pair for the A to C entry it is rejected.

This leaves you two options here:

1)  Switch to a tunnel-all configuration

2)  Switch back to the crypto map configuration rather than the virtual-template configuration."
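
The two server-side styles contrasted in the TAC response, as an added IOS configuration sketch that is not from the original posts or from Cisco. All names, addresses, ACL and list numbers and the key are constructed placeholders; an ISAKMP policy and interface addressing are assumed to exist already, and only one of the two styles would be applied.

```cisco
! Constructed example: every name, address and the key below is a placeholder.
aaa new-model
aaa authentication login VPN-AUTHEN local
aaa authorization network VPN-AUTHOR local
!
! Split-tunnel ACL with three lines (B, C and D in the TAC explanation).
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.30.0 0.0.0.255 any
ip local pool VPN-POOL 10.99.0.1 10.99.0.50
!
crypto isakmp client configuration group EXAMPLE-GROUP
 key GROUP-KEY-PLACEHOLDER
 pool VPN-POOL
 acl 101
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! --- Style 1: dynamic crypto map (the setup the TAC response says works).
! A client that proposes one proxy pair per ACL line (A-B, A-C, A-D)
! can have each pair built as its own IPsec SA.
crypto dynamic-map DYNMAP 10
 set transform-set TS
 reverse-route
crypto map CMAP client authentication list VPN-AUTHEN
crypto map CMAP isakmp authorization list VPN-AUTHOR
crypto map CMAP client configuration address respond
crypto map CMAP 10 ipsec-isakmp dynamic DYNMAP
interface GigabitEthernet0/0
 crypto map CMAP
!
! --- Style 2: dVTI (virtual-template). Per the TAC response the VTI
! supports a single IPsec SA, so the second proxy pair from a
! per-line client is rejected. Removing "acl 101" from the group
! gives the tunnel-all alternative the response lists.
crypto isakmp profile VPN-PROFILE
 match identity group EXAMPLE-GROUP
 client authentication list VPN-AUTHEN
 isakmp authorization list VPN-AUTHOR
 client configuration address respond
 virtual-template 1
crypto ipsec profile VTI-PROF
 set transform-set TS
 set isakmp-profile VPN-PROFILE
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
```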

Hi Eric,

Thanks for the info... You are right, I switched back to crypto maps (dynamic in my case...) and then the built-in Cisco IPSec client of OSX Lion works pretty well with all my networks defined in the access list; with virtual templates it always uses the first one...

Thanks a lot,

You helped me a lot,

Best Regards,

Fabian.

I have been attempting to get the Mac built-in Cisco VPN client to do split tunneling on my ASA IPSEC VPN with no luck.

My ASA setup is:

IPSEC profile:

ACL Exclude Network List Below:

In that ACL I have 1 host:  ex.   1.1.1.1    255.255.255.255

When I use the Mac built-in Cisco VPN client, no traffic gets to this host 1.1.1.1, it just gets blackholed somewhere, traceroute goes nowhere.  All other traffic goes through the VPN tunnel fine.  Is the client just not listening to the split tunnel ACL?

Any advice would be helpful.

rcarricato
Level 6

I have been successfully using the built-in Mac OS X IPSec client on Lion 10.7.2 for a couple of months now. I have no need for the Cisco IPSec client anymore or to boot into stupid 32-bit mode.

Not sure what issues you guys are having but I followed this guide and it works perfectly. Most of my customers I only have a .pcf file for, which of course, I cannot use to figure out the groupname and password....until now...

http://anders.com/guides/native-cisco-vpn-on-mac-os-x/

chungwaCisco
Level 1

You can also try the latest Shimo3 beta: http://dev.chungwasoft.com/Shimo/

It has support for IPSecVPN and also AnyConnect in both 32 and 64 bit.

allenferdinand
Level 1

I know that I'm late to this party, but I'm a sys admin that has recently upgraded his ASA to 8.4 code.  Ever since, I've been working with Cisco to get Mac clients working from inside my network to external ASAs.  There is an issue with the Mac client not changing the source port from 4500 to something else and the reply getting dropped.  There is a fix for the 32 bit client, but who wants to boot into 32 bit mode every time?

Hey guys,

I'm with this Mac OSX Lion and need to upload the .PCF file from a client.

I'm connected right now from a VM running Windows on the Mac, since I'm using the IPsec Cisco VPN client.

But, I'm trying to use the native IPsec client on Mac (for which I don't have the pre-shared key), so I can't configure it manually...

And I'm trying to find out if there's a way to upload a .PCF file to a client on the Mac to be able to forget the VM and connect without knowing the "pre-shared key".

Thanks anyone ;-)

Federico.

I use this tool to decode the preshared key from the .pcf files. Works like a charm.

http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode

pighairlab
Level 1

There's a significant issue with MacOSX Lion/Mt Lion.

As you all know, the Cisco client does not work with a 64 bit kernel, and from Lion MacOSX does not support 32 bit kernel booting.

Cisco's recommendation to use IPSec VPN on MacOSX is to use the OS built-in client.

The problem is the built-in client DOES NOT support UDP connection.

I have to use UDP connection to connect to company's VPN, but I can't because of that.

It's same with VPN on iOS devices.

I'm using VPN on my virtual machine with Windows XP and it discourages a lot to use VPN.

I cannot go to specific internal page from Mac Mail, so I always copy link and paste it in IE's address box.

Cisco should build 64-bit Mac client or provide anything to Apple to support IPSec over UDP.

If there's anyone who could connect VPN over UDP on MacOSX, please let me know how to.

Hi all,

I also have the same problem; is there any news from Cisco about a new VPNCLIENT version in 64 bit?????

I'm searching now for more than 1 year!!!

Have you tried Shimo ( http://www.chungwasoft.com/shimo/ ) ?
