What's the timeline looking like for an update to the Cisco VPN Client for the newest version of OSX?
I am aware of the current workaround, which involves booting into 32-bit mode. Is there a future update in the works that will work without having to boot into 32-bit mode?
Here's some more information about AnyConnect + Lion support:
AnyConnect 3.0.3050 provides support for Lion OS X 10.7. Without the appropriate JAVA and Web applet, OS X users may experience CSCtq62860 or CSCto09628. You must install JAVA and enable the appropriate Applet plug-in and web start applications using these steps:
Step 1 Open the JAVA Preferences when doing Hostscan or Weblaunch with Safari on OS X 10.7.
Step 2 If JAVA is not already installed, you are prompted to do so.
Step 3 Check the Enable applet plug-in and Web Start applications option.
I've been having trouble with DNS resolution if I use the native OSX client (in Snow Leopard) 10.6.8. Specifically I'm having trouble connecting to a Cisco IPSec VPN; the trouble seems to be that the service pushes DNS, which can't be received by the OSX VPN client. Does that make sense? Specifying the DNS manually doesn't work. I can ping everything, but not resolve any names.
And here are some instructions about using the Apple built-in client. Using the Apple built-in client will help ensure support as the Mac OS evolves.
Here's how to use the Apple built-in client instead:
1. Open System Preferences > Network
2. Click the lock button to unlock it and make changes
3. Click the plus sign above the unlocked lock button to add an interface.
4. On the "Interface" drop-down select "VPN"
5. On the "VPN Type:" drop-down select "Cisco IPSec"
6. In the "Service Name:" text box create a memorable interface name such as "Corp IPsec VPN"
7. Click OK and then select this new interface
8. Configure the interface with server address, vpn group and pre-shared key, username and password, etc.
The above process works on OSX Snow Leopard, but it doesn't seem to work on Lion. Seems to get stuck on Phase2. I get the following message in my logs: IKE Packet: transmit success. (Phase2 Retransmit). Not sure why we're having problems with Lion, but not Snow Leopard on our network.
Hi hdashnau, thank you for the prompt reply. You offered some great alternatives to using the Cisco VPN Client.
Although the alternatives may work, I would like to stick with the Cisco VPN Client. I'm still wondering if there is a future update in the works to reflect the new version of Lion, and if so when?
As far as I know, there is nothing in the works right now and it is highly unlikely that there will be a new Cisco IPSec VPN client developed for Mac. Your best bet would be to pursue the alternative solutions.
Regarding your instructions above using the Apple built-in client: I can't tell from the way you wrote it whether it would still be necessary to use the install disc for Mac that I got from my IT department. Could you clarify please? Thanks.
I have the built in lion client connecting fine with a Virtual Tunnel Interface on my Cisco 2821 router, into a vrf. The problem is the built in client only works with the first route in the access-list in the isakmp client configuration. This might be why some users report DNS issues - if their DNS is outside the route set up by the first line of the acl in the isakmp client config.
These routes work fine in the PC client and the Mac client for earlier OSes but not with the built-in Lion client. I am also getting the same issue with the built-in iOS client on iPhone and iPad.
I should add that the clients (both iPad and Lion) are getting the routes, they just aren't working, almost as if the client end is not encrypting/decrypting for any routes other than the primary.
I have the exact problem: the VPN Client (Integrated) on Mac works pretty well but only for the first route in the access list of the VPN server router; all routes below the first do not work in any way...
Did you find some way to solve it? With the Cisco VPN Client for Mac, all routes work ok (Snow...) but here in Lion with integrated Cisco iPSec only first one works...
Thanks a lot,
The problem with the Mac VPN client is that certificates don't seem to work.
I find it strange that Cisco wouldn't make a new VPN client for the Mac.
Mac is more popular than ever...
RE: "I find it strange that Cisco wouldn't make a new VPN client for the Mac"
The traditional Cisco IPSec Client has been announced as end of life:
EOL/EOS for the Cisco VPN Client
There is support built into the Cisco AnyConnect VPN product.
We too are having issues with the Native VPN client in OS X Lion, and iPhones as well. The Windows Cisco VPN client works perfectly. We have just upgraded our branch routers from 2821 devices to 2921 devices running the latest IOS. There are many networks behind this VPN connection as well as OSPF routing. The Windows machines will connect using the .pcf file and are able to get to each network the ACLs allow behind the tunnel. We then move over to Lion and iPhone4 hosts using the native client and connect perfectly. However, the native client only works with the first route in the access-list in the isakmp client configuration ACL. This is most likely due to something Apple has modified recently in both Lion and iPhone. Any ideas would be helpful.
I found another post (can't remember the link), but to get the Cisco IPSEC client version 4.9 to work I hold down the 3 and the 2 key during boot and then the Cisco client will work. I am able to get the native Lion VPN to work with an ASA.
In order to resolve our issue, we had to revert back to the old-style crypto map, away from the virtual template configuration. This is the official response from Cisco TAC:
"I do want to put it out there first that we do not technically support the apple built-in client. That has been written by Apple and we have no capabilities to support/provide bug fixes for. With that being said here is the technical information on why it is not working for you.
1) When presented with a split tunnel ACL the Apple client will create a proxy pair for each line.
i.e. VPN IP address of A
split ACL of:
You would see an ipsec sa from A to B, A to C, and A to D.
2) When presented with a split tunnel ACL the Cisco client will create a single ipsec sa:
i.e. A to any
However the client will only route traffic to B, C, D over the tunnel.
This is fine and has no problems when using a crypto map style setup for ezvpn.
However when you configure the use of dVTI this becomes difficult. This is because the VTI can only support 1 ipsec sa built to it. As a result, when the apple client tries to propose the proxy pair for the A to C entry it is rejected.
This leaves you two options here:
1) Switch to a tunnel-all configuration
2) Switch back to the crypto map configuration rather than the virtual-template configuration."
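The TAC explanation above can be checked with a small model of the negotiation. This is an added example, not code from the thread or from Cisco: it assumes a constructed split-tunnel ACL and a placeholder client address, and it shows why the Apple client reaches only the first ACL entry behind a dVTI while a crypto map or a tunnel-all ACL does not have the problem.

```python
"""Model of split-tunnel SA negotiation for the Apple built-in client vs the
Cisco client, against a dVTI (virtual-template) or crypto-map headend.
Constructed example; addresses are placeholders, not from any real network."""
from ipaddress import ip_address, ip_network

# Constructed split-tunnel ACL: ordered list of permitted networks (B, C, D)
SPLIT_ACL = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"]
TUNNEL_ALL_ACL = ["0.0.0.0/0"]        # option 1 from the TAC reply


def negotiate(client, vpn_ip, mode, split_acl):
    """Return the (local, remote) proxy pairs the headend accepts.

    client: "apple" proposes one proxy pair per ACL line (A->B, A->C, A->D);
            "cisco" proposes a single A->any SA.
    mode:   "dvti" accepts only one IPsec SA per tunnel interface;
            "crypto_map" accepts as many as are proposed.
    """
    if client == "apple":
        proposals = [(vpn_ip, net) for net in split_acl]
    elif client == "cisco":
        proposals = [(vpn_ip, "0.0.0.0/0")]
    else:
        raise ValueError(f"unknown client kind: {client}")

    accepted = []
    for pair in proposals:
        if mode == "dvti" and accepted:
            continue            # the VTI already has its single SA: rejected
        accepted.append(pair)
    return accepted


def reachable(client, vpn_ip, mode, split_acl, dest):
    """Is traffic from the client to dest encrypted over an accepted SA?"""
    accepted = negotiate(client, vpn_ip, mode, split_acl)
    d = ip_address(dest)
    # Both clients only route split-ACL networks into the tunnel at all
    routed = any(d in ip_network(net) for net in split_acl)
    covered = any(d in ip_network(remote) for _, remote in accepted)
    return routed and covered


if __name__ == "__main__":
    for mode in ("dvti", "crypto_map"):
        for client in ("apple", "cisco"):
            ok = [n for n in SPLIT_ACL
                  if reachable(client, "192.0.2.10", mode, SPLIT_ACL, n[:-3])]
            print(f"{client:5} / {mode:10}: reachable {ok}")
```

Running it shows the symptom reported throughout the thread: with "apple" and "dvti" only the first ACL network is reachable, while every other combination reaches all three.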
I have been attempting to get the Mac built-in Cisco VPN client to do split tunneling on my ASA IPSEC VPN with no luck.
My ASA setup is:
ACL Exclude Network List Below:
In that ACL I have 1 host: ex. 18.104.22.168 255.255.255.255
When I use the Mac built-in Cisco VPN client, no traffic gets to this host 22.214.171.124; it just gets blackholed somewhere, and traceroute goes nowhere. All other traffic goes through the VPN tunnel fine. Is the client just not listening to the split tunnel ACL?
Any advice would be helpful.
I have been successfully using the built-in Mac OS X IPSec client on Lion 10.7.2 for a couple of months now. I have no need for the Cisco IPSec client anymore, nor to boot into stupid 32-bit mode.
Not sure if the issues you guys are having but I followed this guide and it works perfectly. Most of my customers I only have a .pcf file for, which of course, I cannot use to figure out the groupname and password....until now...
You can also try the latest Shimo3 beta: http://dev.chungwasoft.com/Shimo/
It has support for IPSec VPN and also AnyConnect in both 32- and 64-bit.
I know that I'm late to this party, but I'm a sys admin that has recently upgraded his ASA to 8.4 code. Ever since, I've been working with Cisco to get Mac clients working from inside my network to external ASAs. There is an issue with the Mac client not changing the source port from 4500 to something else and the reply getting dropped. There is a fix for the 32-bit client, but who wants to boot into 32-bit mode every time?
I'm on Mac OSX Lion and need to upload the .PCF file from a client.
I'm connected right now from a VM running Windows on the Mac, using the IPsec Cisco VPN client.
But I'm trying to use the native IPsec client on Mac (for which I don't have the pre-shared key), so I can't configure it manually...
And I'm trying to find out if there's a way to upload a .PCF file to a client on the Mac, to be able to forget the VM and connect without knowing the "pre-shared key".
Thanks anyone ;-)
I use this tool to decode the preshared key from the .pcf files. Works like a charm.
There's a significant issue with MacOSX Lion/Mt Lion.
As you all know, the Cisco client does not work with the 64-bit kernel, and from Lion MacOSX does not support 32-bit kernel booting.
Cisco's recommendation to use IPSec VPN on MacOSX is to use OS built-in client.
The problem is the built-in client DOES NOT support UDP connections.
I have to use a UDP connection to connect to the company's VPN, but I can't because of that.
It's same with VPN on iOS devices.
I'm using the VPN on my virtual machine with Windows XP and it is very discouraging to use the VPN that way.
I cannot go to a specific internal page from Mac Mail, so I always copy the link and paste it in IE's address box.
Cisco should build a 64-bit Mac client or provide something to Apple to support IPSec over UDP.
If there's anyone who could connect to a VPN over UDP on MacOSX, please let me know how.
I also have the same problem; is there any news from Cisco about a new VPN Client version in 64-bit?
I've been searching now for more than 1 year!