
EasyVPN connectivity to UC560

telecastle
Level 1

I configured EasyVPN on UC560, using CCA. I had to use CCA because Cisco Small Business Pro support informed me that the entire configuration had to be done in CCA in order for Cisco to support the system. Because I am installing this for my client, I do not want to be involved in the support in the future. My hope is for my client's network administrator to use Cisco Small Business Pro support to take care of any support issues should they arise in the future. 

To comply with the Cisco Small Business Pro requirements, I had to factory-default the UC560 and start the configuration from scratch. At this point, UC560 is in production as a router/firewall/EasyVPN server (I have not yet configured the voice portion of it). I exported the .pcf file, using CCA, and then imported the .pcf file into a Cisco VPN client (for Windows). Everything seems to be working OK there. However, when I tried to manually configure a Mac (Mac OS X Lion) to connect to the UC560 via IPSec VPN, Mac OS connects, but I can only communicate with the subnet listed in the ACE configured first in the ACL called from within "crypto isakmp client configuration group EZVPN_GROUP_1".

That ACL has four ACEs in it:

    10 permit ip 192.168.101.0 0.0.0.255 any
    20 permit ip 10.1.1.0 0.0.0.255 any
    30 permit ip 192.168.10.0 0.0.0.255 any
    40 permit ip 10.1.10.0 0.0.0.3 any

From a Mac located on the Internet, I can only communicate with hosts on 192.168.101.0/24. From the same Mac, when I launch a VM with Windows and connect to UC560 using the Cisco VPN Client software, I can communicate with hosts on any of the four networks listed above.

I have configured a Remote Access VPN many times on Cisco routers, using CLI. I use an EasyVPN-like configuration except for I use a route-map and a dynamic route-map instead of virtual templates. I have no problem connecting to an EasyVPN server configured this way and communicating with any networks specified in the ACL called from within the "crypto isakmp client configuration group".

When I issue the "netstat -r" command in both Mac OS and in Windows, the routing tables look almost identical in that every network in the above ACL is installed into the routing table and the next hop for these networks points to the OS's interface connected to the Internet. Just to answer your question, I tried it with the Mac OS firewall off, and it doesn't work anyway.

It appears that Mac OS (10.7.2 Lion) is having a compatibility problem when the EasyVPN server is configured with virtual-templates, whereas at the same time the Windows Cisco VPN client is not having these issues.

Has anyone encountered this problem before?

1 Reply

eric.ahernandez
Level 1

Hi telecastle,

I haven't had this problem yet because in all my UC500 VPN deployments everyone had Windows PCs, but I found this link that maybe can help you.

http://anders.com/guides/native-cisco-vpn-on-mac-os-x/

I also found something from another thread, someone who contacted the Cisco TAC got their official response, which was to switch the config to use crypto maps or to tunnel-all:

"I do want to put it out there first that we do not technically support the Apple built-in client. That has been written by Apple and we have no capabilities to support/provide bug fixes for. With that being said, here is the technical information on why it is not working for you.

1) When presented with a split tunnel ACL, the Apple client will create a proxy pair for each line.

    i.e. VPN IP address of A
    split ACL of:
        permit B
        permit C
        permit D

    You would see an IPsec SA from A to B, A to C, and A to D.

2) When presented with a split tunnel ACL, the Cisco client will create a single IPsec SA:

    i.e. A to any

    However, the client will only route traffic to B, C, D over the tunnel.

This is fine and has no problems when using a crypto map style setup for ezvpn.

However, when you configure the use of dVTI this becomes difficult. This is because the VTI can only support 1 IPsec SA built to it. As a result, when the Apple client tries to propose the proxy pair for the A to C entry it is rejected.

This leaves you two options here:

1) Switch to a tunnel-all configuration

2) Switch back to the crypto map configuration rather than the virtual-template configuration."

Hope this helps. As I said, this has never happened to me; this is just info I got on the web.
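As an added illustration (not code from the thread or from Cisco), the Python below models the TAC explanation: it parses the question's split-tunnel ACL from Cisco wildcard-mask form, derives the proxy identities each client type would propose, and reports which subnets remain reachable on a dVTI server that accepts a single IPsec SA versus a crypto-map server. The client address and the "dvti"/"cryptomap" and "apple"/"cisco" labels are constructed assumptions for the model.

```python
# Added example (not from the thread): model why the Apple client reaches only
# the first ACE's subnet behind a dVTI EasyVPN server, while the Cisco client
# or a crypto-map server works for all four.
import ipaddress

# Constructed copy of the four ACEs from the question (Cisco wildcard-mask form).
SPLIT_ACL = """
10 permit ip 192.168.101.0 0.0.0.255 any
20 permit ip 10.1.1.0 0.0.0.255 any
30 permit ip 192.168.10.0 0.0.0.255 any
40 permit ip 10.1.10.0 0.0.0.3 any
"""


def ace_to_network(line):
    """Convert one 'seq permit ip <net> <wildcard> any' ACE to an IPv4Network."""
    fields = line.split()
    if len(fields) != 6 or fields[1:3] != ["permit", "ip"] or fields[5] != "any":
        raise ValueError(f"unsupported ACE: {line!r}")
    net, wildcard = fields[3], fields[4]
    # A Cisco wildcard mask is the bitwise inverse of the subnet mask.
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{net}/{mask}")


def parse_split_acl(text):
    return [ace_to_network(line) for line in text.strip().splitlines()]


def proposed_proxy_pairs(client, client_ip, networks):
    """Proxy identities (local, remote) each client type proposes for the ACL."""
    local = ipaddress.IPv4Network(f"{client_ip}/32")
    if client == "apple":   # one proxy pair per ACE, as the TAC reply describes
        return [(local, n) for n in networks]
    if client == "cisco":   # a single A-to-any SA; routing is done on the client
        return [(local, ipaddress.IPv4Network("0.0.0.0/0"))]
    raise ValueError(f"unknown client type: {client}")


def reachable_networks(server, client, client_ip, networks):
    """Networks the client can reach after the server accepts or rejects its SAs."""
    # A dVTI virtual-access interface takes one SA; a crypto map takes one per pair.
    max_sas = 1 if server == "dvti" else len(networks)
    accepted = proposed_proxy_pairs(client, client_ip, networks)[:max_sas]
    return [n for n in networks if any(n.subnet_of(remote) for _, remote in accepted)]
```

Feeding a tunnel-all ACE (`permit ip 0.0.0.0 255.255.255.255 any`) through the same parser shows option 1 from the TAC reply: the Apple client then proposes a single pair that the dVTI accepts.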