I configured EasyVPN on UC560, using CCA. I had to use CCA because Cisco Small Business Pro support informed me that the entire configuration had to be done in CCA in order for Cisco to support the system. Because I am installing this for my client, I do not want to be involved in the support in the future. My hope is for my client's network administrator to use Cisco Small Business Pro support to take care of any support issues should they arise in the future.
To comply with the Cisco Small Business Pro requirements, I had to factory-default the UC560 and start the configuration from scratch. At this point, the UC560 is in production as a router/firewall/EasyVPN server (I have not yet configured the voice portion of it). I exported the .pcf file using CCA, and then imported the .pcf file into a Cisco VPN client (for Windows). Everything seems to be working OK there. However, when I tried to manually configure a Mac (Mac OS X Lion) to connect to the UC560 via IPsec VPN, Mac OS connects, but I can only communicate with the subnet listed in the first ACE of the ACL called from within "crypto isakmp client configuration group EZVPN_GROUP_1".
That ACL has four ACEs in it:
10 permit ip 192.168.101.0 0.0.0.255 any
20 permit ip 10.1.1.0 0.0.0.255 any
30 permit ip 192.168.10.0 0.0.0.255 any
40 permit ip 10.1.10.0 0.0.0.3 any
From a Mac located on the Internet, I can only communicate with hosts on 192.168.101.0/24. From the same Mac, when I launch a VM with Windows and connect to the UC560 using the Cisco VPN Client software, I can communicate with hosts on any of the four networks listed above.
I have configured a Remote Access VPN many times on Cisco routers, using CLI. I use an EasyVPN-like configuration except for I use a route-map and a dynamic route-map instead of virtual templates. I have no problem connecting to an EasyVPN server configured this way and communicating with any networks specified in the ACL called from within the "crypto isakmp client configuration group".
When I issue the "netstat -r" command in both Mac OS and in Windows, the routing tables look almost identical in that every network in the above ACL is installed into the routing table and the next hop for these networks points to the OS's interface connected to the Internet. Just to answer your question, I tried it with the Mac OS firewall off, and it doesn't work anyway.
It appears that Mac OS (10.7.2 Lion) is having a compatibility problem when the EasyVPN server is configured with virtual-templates whereas at the same time, Windows' Cisco VPN client is not having these issues.
I also found something from another thread, someone who contacted the Cisco TAC got their official response which was to switch the config to use crypto maps or to tunnel-all:
"I do want to put it out there first that we do not technically support the Apple built-in client. That has been written by Apple and we have no capabilities to support/provide bug fixes for it. With that being said, here is the technical information on why it is not working for you.
1) When presented with a split tunnel ACL the Apple client will create a proxy pair for each line.
i.e. VPN IP address of A
split ACL of:
You would see an ipsec sa from A to B, A to C, and A to D.
2) When presented with a split tunnel ACL the Cisco client will create a single ipsec sa:
i.e. A to any
However the client will only route traffic to B, C, D over the tunnel.
This is fine and has no problems when using a crypto map style setup for ezvpn.
However, when you configure the use of dVTI this becomes difficult. This is because the VTI can only support 1 ipsec sa built to it. As a result, when the Apple client tries to propose the proxy pair for the A to C entry it is rejected.
This leaves you two options here:
1) Switch to a tunnel-all configuration
2) Switch back to the crypto map configuration rather than the virtual-template configuration."
Hope this helps. As I said, this never happened to me; this is just info I got on the web.
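To make the two options from the TAC reply concrete, here is an added example of what each looks like in IOS CLI. This is not the poster's configuration, not Cisco's, and not something produced by CCA; the interface name, pool range, AAA list names, transform set and profile/map names are hypothetical, and only the four split-tunnel ACEs are taken from the question. Note the caveat from the original post: the UC560 is supported only when configured through CCA, so any CLI change along these lines should be checked against that support requirement before it is put on a production box.

```cisco
! ---- Option 2: crypto-map based EasyVPN server (no virtual-template) ----
! A dynamic crypto map on the outside interface accepts one IPsec SA per
! proxy pair, so a client that proposes one SA per split-tunnel ACE
! (the Apple built-in client, per the TAC reply) gets all four SAs built.
aaa new-model
aaa authentication login EZVPN_XAUTH local        ! hypothetical list name
aaa authorization network EZVPN_GROUP local       ! hypothetical list name
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
ip local pool EZVPN_POOL 192.168.200.1 192.168.200.50   ! hypothetical pool
!
! Split-tunnel ACL: the four ACEs from the question (wildcard 0.0.0.3 = /30)
ip access-list extended EZVPN_SPLIT
 permit ip 192.168.101.0 0.0.0.255 any
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 10.1.10.0 0.0.0.3 any
!
crypto isakmp client configuration group EZVPN_GROUP_1
 key <group-preshared-key>
 pool EZVPN_POOL
 acl EZVPN_SPLIT
!
! No "virtual-template" line in the profile: the dynamic map below is used instead.
crypto isakmp profile EZVPN_PROFILE
 match identity group EZVPN_GROUP_1
 client authentication list EZVPN_XAUTH
 isakmp authorization list EZVPN_GROUP
 client configuration address respond
!
crypto ipsec transform-set EZVPN_TS esp-aes esp-sha-hmac
!
crypto dynamic-map EZVPN_DYN 10
 set transform-set EZVPN_TS
 set isakmp-profile EZVPN_PROFILE
 reverse-route                  ! inject a route for each connected client
!
crypto map EZVPN_CMAP 10 ipsec-isakmp dynamic EZVPN_DYN
!
interface FastEthernet0/0       ! hypothetical outside interface
 description Outside / Internet
 crypto map EZVPN_CMAP
!
! ---- Option 1 instead: keep dVTI, switch to tunnel-all ----
! Removing the split ACL from the group means every client proposes a
! single "A to any" SA, which is the one SA a virtual-template tunnel can hold.
crypto isakmp client configuration group EZVPN_GROUP_1
 no acl EZVPN_SPLIT
```

Pick one option or the other, not both: with Option 2 the `virtual-template` reference is removed from the ISAKMP profile, while Option 1 leaves the existing virtual-template configuration in place and only drops the `acl` line. After either change, `show crypto ipsec sa` on the router should show one SA per ACE for the Mac client under Option 2, or a single SA for every client under Option 1.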