
Cisco VPN Client & OSX Lion

dylan.scholz
Level 1

What's the timeline looking like for an update to the Cisco VPN Client for the newest version of OSX?

I am aware of the current workaround, which involves booting into 32bit mode.  Is there a future update in the works that will work without having to boot into 32bit mode?


hdashnau
Cisco Employee

You could use AnyConnect (support was just added in the latest release of AC) or try the built in MAC IPSec client instead as well.

Here's some more information about AnyConnect + Lion support

http://www.cisco.com/en/US/partner/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html#wp1369279

Lion Support

AnyConnect 3.0.3050 provides support for Lion OS X 10.7. Without the appropriate JAVA and Web applet, OS X users may experience CSCtq62860 or CSCto09628. You must install JAVA and enable the appropriate Applet plug-in and web start applications using these steps:


Step 1 Open the JAVA Preferences when doing Hostscan or Weblaunch with Safari on OS X 10.7.

Step 2 If JAVA is not already installed, you are prompted to do so.

Step 3 Check the Enable applet plug-in and Web Start applications option.

I've been having trouble with DNS resolution if I use the native OSX client (in Snow Leopard) 10.6.8. Specifically I'm having trouble connecting to a Cisco IPSec VPN, the trouble seems to be that the service pushes DNS, which can't be received by the OSX VPN client. Does that make sense? Specifying the DNS manually doesn't work. I can ping everything, but not resolve any names.

And here are some instructions about using the Apple built-in client. Using the Apple built-in client will help ensure support as the Mac OS evolves.

    Here's how to use the Apple built-in client instead:

        1. Open System Preferences > Network

        2. Click the lock button to unlock it and make changes

        3. Click the plus sign above the unlocked lock button to add an interface.

        4. On the "Interface" drop-down select "VPN"

        5. On the "VPN Type:" drop-down select "Cisco IPSec"

        6. In the "Service Name:" text box create a memorable interface name such as "Corp IPsec VPN"

        7. Click OK and then select this new interface

        8. Configure the interface with server address, vpn group and pre-shared key, username and password, etc.

The above process works on OSX Snow Leopard, but it doesn't seem to work on Lion. Seems to get stuck on Phase2. I get the following message in my logs: IKE Packet:  transmit success. (Phase2 Retransmit). Not sure why we're having problems with Lion, but not Snow Leopard on our network.

Hi hdashnau, thank you for the prompt reply. You offered some great alternatives to using the Cisco VPN Client.

Although the alternatives may work, I would like to stick with the Cisco VPN Client.  I'm still wondering if there is a future update in the works to reflect the new version of Lion, and if so when?

As far as I know, there is nothing in the works right now and it is highly unlikely that there will be a new Cisco IPSec VPN client developed for MAC.  Your best bet would be to pursue the alternative solutions.

Hi hdashnau,

Regarding your instrux above using the Apple built-in client: I can't tell from the way you wrote it whether it would still be necessary to use the install disc for Mac that I got from my IT department.  Could you clarify please?  Thanks.

leigh
Level 1

I have the built in lion client connecting fine with a Virtual Tunnel Interface on my Cisco 2821 router, into a vrf. The problem is the built in client only works with the first route in the access-list in the isakmp client configuration. This might be why some users report DNS issues - if their DNS is outside the route set up by the first line of the acl in the isakmp client config.

These routes work fine in the PC client and the MAC client for earlier OS's but not with the built in Lion client. I am also getting the same issue with the built in iOS client in iphone and ipad.

I should add that the clients (both iPad and Lion) are getting the routes, they just aren't working, almost as if the client end is not encrypting/decrypting for any routes other than the primary.
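A way to test the DNS explanation suggested in the post above: check whether the resolver address handed to clients falls inside the first entry of the split-tunnel ACL, a later entry, or none. This is an added example, not code from the thread; the ACL number, networks and resolver addresses are constructed, and the ACL is assumed to use the IOS extended `permit ip <network> <wildcard> any` form.

```python
import ipaddress

# Constructed sample split-tunnel ACL (not taken from the thread).
SAMPLE_ACL = """\
access-list 150 permit ip 10.10.0.0 0.0.255.255 any
access-list 150 permit ip 172.16.20.0 0.0.0.255 any
access-list 150 permit ip host 192.168.50.5 any
"""

def wildcard_to_prefix(wildcard):
    """Convert an IOS wildcard mask (0.0.255.255) to a prefix length (16)."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):  # a contiguous wildcard is always 2**n - 1
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return 32 - bits.bit_length()

def parse_split_acl(text):
    """Return the permitted source networks in ACL order."""
    nets = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
            continue  # skip remarks, denies and unrelated lines
        if tok[4] == "host":
            nets.append(ipaddress.ip_network(f"{tok[5]}/32"))
        else:
            prefix = wildcard_to_prefix(tok[5])
            nets.append(ipaddress.ip_network(f"{tok[4]}/{prefix}"))
    return nets

def resolver_coverage(acl_text, resolver):
    """Classify a resolver as 'first-entry', 'later-entry' or 'not-tunnelled'."""
    addr = ipaddress.ip_address(resolver)
    for idx, net in enumerate(parse_split_acl(acl_text)):
        if addr in net:
            return ("first-entry" if idx == 0 else "later-entry"), net
    return "not-tunnelled", None

if __name__ == "__main__":
    for dns in ("10.10.1.53", "172.16.20.10", "192.168.50.5", "8.8.8.8"):
        status, net = resolver_coverage(SAMPLE_ACL, dns)
        print(f"{dns:15} {status:14} {net}")
```

A resolver reported as `later-entry` is the case the post describes: the route is delivered to the client, but name resolution fails if only the first entry carries traffic.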

Hello Leigh,

I have the exact problem, VPN Client (Integrated) on Mac works pretty well but only for the first route in the access list of the VPN server router, all routes below the first do not work in any way...

Did you find some way to solve it? With the Cisco VPN Client for Mac, all routes work ok (Snow...) but here in Lion with integrated Cisco iPSec only first one works...

Thanks a lot,

Rens Boeren
Level 1

The problem with the Mac vpn client is that certificates don't seem to work.
I find it strange that Cisco wouldn't make a new VPN client for the Mac.

Mac is being more popular than ever...

RE: "I find it strange that Cisco wouldn't make a new VPN client for the Mac"

The traditional Cisco IPSec Client has been announced as end of life:

     EOL/EOS for the Cisco VPN Client

     http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5699/ps2308/end_of_life_c51-680819.html

There is support built into the Cisco AnyConnect VPN product.

eric.bradford
Level 1

We too are having issues with the Native VPN client in OS X Lion, and iPhones as well.  The Windows Cisco VPN client works perfectly.  We have just upgraded our branch routers from 2821 devices to 2921 devices running latest IOS.  There are many networks behind this VPN connection as well as OSPF routing.  The Windows machines will connect using the .pcf file and are able to get to each network the ACLs allow behind the tunnel.  We then move over to Lion and iPhone4 hosts using the native client and connect perfectly. However, the native client only works with the first route in the access-list in the isakmp client configuration ACL.  This is most likely due to something Apple has modified recently in both Lion and iPhone.  Any ideas would be helpful.