Cisco Support Community

OS X + VPN = frustrated

Hello.

This is my last chance to overcome VPN on OS X. I have written a lot of messages on different boards this month, but the problem still exists. Actually, the problem concerns getting routes when the VPN is connected. I have PPTP and easyVPN on my 3825 (c3825-adventerprisek9-mz.124-24.T.bin). With PPTP I used DHCP (options 121 and 249); with easyVPN I used split tunneling. So. The problem with PPTP is that OS X ignores the routing information. Here is the virtual-template interface:

interface Virtual-Template1
 ip unnumbered Loopback1
 ip tcp header-compression
 peer default ip address dhcp-pool XX-VPN-POOL
 compress mppc
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2
 ppp chap refuse

I found out that "ip unnumbered Loopback1" is the cause of the problem. If I replace "ip unnumbered" with "ip address ....", OS X can receive the routing information, but a huge delay occurs, about 7000 ms and even more.

Then I decided to configure an easyVPN server, and the same problem with routes happened. Imagine you have an ACL:

access-list 101 permit ip 172.16.16.0 0.0.1.255 172.16.6.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.255.255 172.16.6.0 0.0.0.255

As you can see, the OS X Cisco IPsec client must accept 2 routes, but only the first (access-list 101 permit ip 172.16.16.0 0.0.1.255 172.16.6.0 0.0.0.255) works.

If I change the ACL like this:

access-list 101 permit ip 10.0.0.0 0.0.255.255 172.16.6.0 0.0.0.255
access-list 101 permit ip 172.16.16.0 0.0.1.255 172.16.6.0 0.0.0.255

then only access-list 101 permit ip 10.0.0.0 0.0.255.255 172.16.6.0 0.0.0.255 will work.

Although both routes exist in the routing table.
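Both halves of the post come down to the same question: which networks is the router actually telling the client to route through the tunnel, and does the client's routing table match? The Python below is an added example, not part of the post or any Cisco tool. It takes the two split-tunnel ACL lines from the post (embedded as constructed sample input), converts the Cisco wildcard masks into prefixes, encodes those prefixes in the RFC 3442 classless static route format that DHCP option 121 carries (option 249 uses the same payload layout), decodes the payload back, and finally reports which expected networks are missing from a client's installed routes. The gateway 172.16.6.1 and the "installed routes" list are assumptions for the demonstration; on a real client you would feed in the networks shown by netstat -rn.

```python
import ipaddress

# Constructed sample: the split-tunnel ACL from the post (source side of each
# entry is the network behind the server that the client should reach via the tunnel).
ACL_LINES = [
    "access-list 101 permit ip 172.16.16.0 0.0.1.255 172.16.6.0 0.0.0.255",
    "access-list 101 permit ip 10.0.0.0 0.0.255.255 172.16.6.0 0.0.0.255",
]


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert a Cisco wildcard (inverse) mask such as 0.0.1.255 to a prefix length.
    Only contiguous masks are accepted; a discontiguous wildcard has no single prefix."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = (~w) & 0xFFFFFFFF
    ones = bin(mask).count("1")
    if mask != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ones


def acl_to_split_tunnel_routes(lines):
    """Parse 'access-list N permit ip SRC SRC_WC DST DST_WC' lines and return the
    source networks as IPv4Network objects, i.e. the routes the client must install."""
    routes = []
    for line in lines:
        parts = line.split()
        if len(parts) != 8 or parts[2] != "permit" or parts[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src, src_wc = parts[4], parts[5]
        # strict=True rejects entries whose host bits are set (a misconfigured ACL)
        routes.append(ipaddress.IPv4Network(f"{src}/{wildcard_to_prefixlen(src_wc)}", strict=True))
    return routes


def encode_option121(routes, gateway: str) -> bytes:
    """Encode routes as RFC 3442 classless static routes (DHCP option 121 payload).
    Each entry is: prefix length, the significant network octets only, 4-byte gateway."""
    gw = ipaddress.IPv4Address(gateway).packed
    out = bytearray()
    for net in routes:
        plen = net.prefixlen
        significant = net.network_address.packed[: (plen + 7) // 8]
        out.append(plen)
        out += significant
        out += gw
    return bytes(out)


def decode_option121(payload: bytes):
    """Decode an option 121 payload into (IPv4Network, IPv4Address gateway) pairs,
    raising on a truncated payload instead of silently returning a partial list."""
    routes = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        n = (plen + 7) // 8
        if plen > 32 or i + n + 4 > len(payload):
            raise ValueError("malformed or truncated option 121 payload")
        net_int = int.from_bytes(payload[i:i + n] + b"\x00" * (4 - n), "big")
        i += n
        gw = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        routes.append((ipaddress.IPv4Network((net_int, plen)), gw))
    return routes


def missing_routes(expected, installed):
    """Return the expected split-tunnel networks absent from the client's routing
    table ('installed' is a list of network strings, e.g. parsed from netstat -rn)."""
    have = {ipaddress.IPv4Network(s) for s in installed}
    return [net for net in expected if net not in have]


if __name__ == "__main__":
    expected = acl_to_split_tunnel_routes(ACL_LINES)
    payload = encode_option121(expected, "172.16.6.1")  # assumed gateway
    print("expected routes:", [str(n) for n in expected])
    print("option 121 payload:", payload.hex())
    print("decoded:", [(str(n), str(g)) for n, g in decode_option121(payload)])
    # Constructed client table reproducing the symptom in the post: only the first entry arrived.
    print("missing on client:", [str(n) for n in missing_routes(expected, ["172.16.16.0/23"])])
```

The encoder keeps only the significant octets of each network, which is why a /23 route costs 8 bytes and a /16 route costs 7; a client that mis-reads this variable-length layout will typically install the first route correctly and garble or drop the rest, so comparing the decoded list against the client's table is a quick way to tell a server-side ACL problem from a client-side parsing problem.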
