OSX Mountain Lion and IPSec Rules

berto-fett (Level 1)

Hi there,

I currently have a Cisco 881 router running EasyVPN server.

I recently created some IPSec rules that allow traffic to specific IPs for a specific security group:

access-list 105 permit ip host 10.1.0.5 any
access-list 105 permit ip host 10.1.0.15 any
access-list 105 permit ip host 10.1.0.16 any
access-list 105 permit ip host 10.1.0.32 any

This works as expected with our Windows users; however, our Mac users (using the native VPN client) can only reach the FIRST IP in the string of access statements. When I was troubleshooting this, I moved .32 to be the first statement, and I could only reach it and none of the others.

All of the routes look right locally:

netstat -r:

default            192.168.1.1        UGSc          148        0     en0
default            utun0              UCSI            1        0   utun0
10.1.0.5/32        10.3.0.133         UGSc            1       11   utun0
10.1.0.15/32       10.3.0.133         UGSc            1        2   utun0
10.1.0.16/32       10.3.0.133         UGSc            0        0   utun0
10.1.0.32/32       10.3.0.133         UGSc            1        0   utun0
10.1.0.50/32       10.3.0.133         UGSc            0        0   utun0
10.1.0.51/32       10.3.0.133         UGSc            0        0   utun0
10.1.0.60/32       10.3.0.133         UGSc            0        0   utun0
10.3.0.133         10.3.0.133         UH             10        0   utun0
10.3.0.255         utun0              UHW3Ii          0        6   utun0   2279

route get 10.1.0.5:

   route to: 10.1.0.5
destination: 10.1.0.5
    gateway: 10.3.0.133
  interface: utun0
      flags: <UP,GATEWAY,HOST,DONE,WASCLONED,IFSCOPE,IFREF>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1280         0

route get 10.1.0.15:

   route to: 10.1.0.15
destination: 10.1.0.15
    gateway: 10.3.0.133
  interface: utun0
      flags: <UP,GATEWAY,HOST,DONE,WASCLONED,IFSCOPE,IFREF>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1280         0

ping 10.1.0.5:

PING 10.1.0.5 (10.1.0.5): 56 data bytes
64 bytes from 10.1.0.5: icmp_seq=0 ttl=61 time=66.426 ms

ping 10.1.0.15:

PING 10.1.0.15 (10.1.0.15): 56 data bytes
Request timeout for icmp_seq 0

And yes, host 10.1.0.15 is up.

Any help on this would be greatly appreciated!

Thanks!
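As an added example (not part of the original post, and not a Cisco tool), the following Python script cross-checks the split-tunnel ACL against the client's routing table: it parses the `access-list 105` lines and the `netstat -r` output quoted above and reports, for every ACL destination, whether a covering route via the tunnel interface exists. The sample inputs are constructed from the values in the post. The wildcard-mask branch (`permit ip NET WILDCARD any`) goes beyond the post, which only uses `host` entries, and is an assumption about how such entries would be pushed.

```python
"""Cross-check a Cisco split-tunnel ACL against a macOS client's routes.

Added example, not from the original post.  Sample inputs below are
constructed from the post; the wildcard-mask handling is an assumption,
since the post only shows 'host' entries.
"""
import ipaddress
import re

# Constructed from the post: the split-tunnel ACL on the Cisco 881.
ACL_105 = """\
access-list 105 permit ip host 10.1.0.5 any
access-list 105 permit ip host 10.1.0.15 any
access-list 105 permit ip host 10.1.0.16 any
access-list 105 permit ip host 10.1.0.32 any
"""

# Constructed from the post: 'netstat -r' on the Mountain Lion client.
NETSTAT_R = """\
default                192.168.1.1       UGSc          148        0     en0
default                utun0             UCSI            1        0   utun0
10.1.0.5/32            10.3.0.133        UGSc            1       11   utun0
10.1.0.15/32           10.3.0.133        UGSc            1        2   utun0
10.1.0.16/32           10.3.0.133        UGSc            0        0   utun0
10.1.0.32/32           10.3.0.133        UGSc            1        0   utun0
10.3.0.133             10.3.0.133        UH             10        0   utun0
"""

# 'permit ip host A any' or 'permit ip NET WILDCARD any'; the source side
# of the ACE is what EasyVPN pushes as a split-tunnel destination.
ACL_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+permit\s+ip\s+"
    r"(?:host\s+(?P<host>\S+)|(?P<net>\S+)\s+(?P<wild>\S+))\s+any\s*$")


def wildcard_to_network(net, wild):
    """Cisco wildcard mask -> IPv4Network (assumption: inverted netmask)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def parse_split_tunnel_acl(text, acl_number=None):
    """Return the destination networks a 'permit ip <src> any' ACL describes."""
    nets = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # comments, 'deny' lines, other ACL syntax
        if acl_number is not None and m["num"] != str(acl_number):
            continue
        if m["host"]:
            nets.append(ipaddress.ip_network(f"{m['host']}/32"))
        else:
            nets.append(wildcard_to_network(m["net"], m["wild"]))
    return nets


def parse_macos_routes(text):
    """Parse 'netstat -r' lines into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "default":
            continue  # skip headers, short lines, and default routes
        dest, gw, iface = parts[0], parts[1], parts[5]
        try:
            net = ipaddress.ip_network(dest if "/" in dest else f"{dest}/32")
        except ValueError:
            continue  # link-level or non-IPv4 entries
        routes.append((net, gw, iface))
    return routes


def check_split_tunnel(acl_text, netstat_text, tunnel_iface="utun0"):
    """Map each ACL destination -> True if a route via the tunnel covers it."""
    routes = parse_macos_routes(netstat_text)
    report = {}
    for net in parse_split_tunnel_acl(acl_text):
        covered = any(iface == tunnel_iface and net.subnet_of(rnet)
                      for rnet, _, iface in routes)
        report[str(net)] = covered
    return report


if __name__ == "__main__":
    for dest, ok in check_split_tunnel(ACL_105, NETSTAT_R).items():
        print(f"{dest:<16} route via utun0: {'yes' if ok else 'MISSING'}")
```

Run against the post's own output, every ACL host comes back with a covering /32 route via utun0, which matches the poster's observation that the routes look right. That narrows the problem to what happens after routing, i.e. whether the client actually has an IPsec policy and child SA for each of those destinations rather than only the first; a practitioner would compare the per-client SAs on the router (`show crypto ipsec sa` on IOS) for a Windows client and a Mac client connected with the same group.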

2 Replies

fb_webuser (Level 6)

By using the native VPN client on Mac users to access the host IPs which are configured in the access-list on your VPN server, you're using split tunneling. My suggestion is to try to hardcode a static route on the hosts you want to access via Mac users using the VPN client. Maybe it will work. o_0

---

Posted by WebUser Antonio Isip Jr from Cisco Support Community App

That might work; however, the end users who bounce between the office and remote would have issues if these routes were permanent. And this would be equally troublesome for remote users who aren't savvy enough to make these kinds of modifications.

The solution that hopefully exists will be one that will make the native client behave exactly as the Windows clients using Cisco's application.