Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

MAC OS X VPN client / Certificates / Cisco ASA series

I spent a lot of time surfing the web for the solution, but alas, so I finally concluded that this might be an interesting topic to discover.

I write the whole story here, but I would be glad if someone could help with it even partly by answering one or several questions at the end of my explaination.

Here's the task:

1. I need to establish VPN connection from MAC OS X (preferrably built in IPSec client or something you would recommend instead) to remote Cisco ASA 5500.

2. What I have: two certificates, one for VPN connection cyphering, one for remote desktop login. Both of them stored on eToken. Host name, login name and pass.

The problem is in setting up the connection:

On the cisco official website there is a remark about supported vpn clients and there mac os x built in IPSec client seems to be suitable. Moreover, for ASA 5500 it's suitable both in "l2tp over ipsec" and "Cisco IPSec" modes.

Assume we want to establish "Cisco IPSec" (settings>network>add connection).

I have host address, account name and password, and I'm sure it's correct because I checked it in Win7.

sThe most interesting thing is in "Authentication settings": here, I supposed to choose a certificate, but my Keychain reports, that there are no suitable certificates in my Keychain.

And the reason for that might be in "type" of certificates. All the certificates I have are identified by OS X as a user certificates so it cannot be used to authorize the machine (am I right?)

Okay, if we try the l2tp over IPSec there is the same problem: I can even choose a user cerificate from eToken, but I still have no machine cert.

This is how it usually looks like in Windows:

1. Run Cisco VPN Client

2. Set up Host address, than just choose certificate (which is allowed to be choosed somehow )

3. Tap connect, enter pin for eToken and you are connected

So, the questions are

1. What's so different about IPSec realization in unix and windows? While in Win7 one simply have no choice, in other systems there a lot of decisions and most of them have some feature, which is not working (eToken, auth with certs and etc.)...

2. Should I try the AnyConnect client in case there is Cisco ASA on the other side? Will it work?

3. As one might conclude, I have the problem with identifying which instrument (like certain certificate) used where: so if someone shortly explain the steps of establishing vpn with Cisco ASA series or provide a link with documentation.

System: OS X Lion 10.7.4, eToken SafeNet Authentication Client 8.0.

CreatePlease login to create content