12-15-2009 09:43 AM
I'm in trouble after switching my MacBook Pro SL kernel to 64-bit mode: my VPN Client (vpnclient-darwin-4.9.01.0180-universal-k9) won't work.
The "ERROR 51: Unable to communicate with the VPN subsystem" is well documented everywhere; however, if I try to stop and restart the service via terminal "sudo SystemStarter restart CiscoVPN" (or other equivalent) I received the following advice:
"(kernel) Kext com.cisco.nke.ipsec not found for unload request.
Failed to unload com.cisco.nke.ipsec - (libkern/kext) not found.
Starting Cisco Systems VPN Driver
/System/Library/Extensions/CiscoVPN.kext failed to load - (libkern/kext) requested architecture/executable not found; check the system/kernel logs for errors or try kextutil(8)."
Doubtful that the problem is that the client is not released as an x86_64 build for Mac OS X Snow Leopard.
Is there a possible solution for this situation (other than switching the kernel to 32 bit)?
Thank you in advance.
12-15-2009 08:10 PM
I still haven't had any luck getting Cisco's client to work in Snow Leopard. Apple does have a built-in Cisco IPSec client, though it only works with xauth as far as I know. I've only used it to connect to ASA's, so I'm not sure if a PIX using xauth will work. If you need help configuring it, let me know.
James
12-16-2009 01:08 PM
Hi James, thank you for your availability,
when my Mac OS X was working with the 32-bit kernel, the Cisco VPN Client was working fine too.
I have not yet tried switching back the kernel setting to verify whether the problem is the 64-bit running mode; however, I am sure that the reason cannot be anything else.
I would be happy if Cisco Systems would give me an official response about VPN Client compatibility with the Mac OS X 1.06.x 64-bit kernel: it would answer many questions that assail hopeless Apple users.
Now I'm forced to use Apple Cisco IPSec and it works very fine and fast, but Sys Administrators are not happy to reveal the shared group key; they prefer to distribute PCF files (which Apple/Cisco is not able to import!!).
Bye
07-28-2010 10:35 AM
DaustoCob wrote:
[...]
Now I'm forced to use Apple Cisco IPSec and it works very fine and fast, but Sys Administrators are not happy to reveal the shared group key; they prefer to distribute PCF files (which Apple/Cisco is not able to import!!).
I realize this is an old thread, but this statement implies a false and risky assumption that shared secrets in PCF files are (or even logically can be) safe from discovery. The encryption used to store group and user passwords in PCF files has to be reversible because the client needs to know the secret to use it. The mechanism has been widely known for almost 5 years and there's freely available C source code for a simple decryption program. The group shared secret is much less vulnerable when using Apple's client in Snow Leopard than it is when using Cisco's client with a PCF file, as is the user password if it is allowed to be saved in the PCF.
It is possible to create a network config file for the Snow Leopard VPN client so that users don't have to be given a shared secret to enter manually, but those files share the same fundamental risk as a PCF: the encrypted secret can be decrypted. However, unlike PCF's they are only needed for distributing configurations. If you can get users to delete the distributed file once they've imported it, the overall risk of exposing the group shared secret is significantly less than with PCF's. It would be helpful if Apple imported PCF's directly, but given the need to decrypt passwords for that I would not expect them to do so.
03-09-2011 12:47 PM
Hello All,
The Cisco IPSec client for Mac OS X does not support the 64-bit kernel. The solution is to re-configure your Mac to boot into the 32-bit kernel. The VPN driver only has i386 and PPC extensions, not x86_64 extensions.
This had not been much of a concern until recently, when Apple began to release their MacBook Pro systems configured to boot into 64 bit by default.
Some information
Default Architecture
http://support.apple.com/kb/HT3770
snip
These Macs use the 64-bit kernel by default in Mac OS X v10.6.
How to Set the Boot Architecture
http://support.apple.com/kb/ht3773
You can see which kernel you are using in System Profiler:
It is highly recommended to use the Apple built-in client moving forward to ensure continued support as the Mac OS evolves.
Document write up here:
https://supportforums.cisco.com/docs/DOC-3613
-Craig
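
The "requested architecture/executable not found" error in this thread comes down to which CPU slices the driver binary carries. The following is an added example, not part of any post above and not Cisco's or Apple's code: it reads a Mach-O header and reports the architectures present, so a kext can be checked against the running kernel before loading. The function names and the sample header bytes are constructed for illustration.

```python
import struct

# CPU type constants as defined in <mach/machine.h>
CPU_ARCH_ABI64 = 0x01000000
CPU_NAMES = {7: "i386", 7 | CPU_ARCH_ABI64: "x86_64",
             18: "ppc", 18 | CPU_ARCH_ABI64: "ppc64"}
FAT_MAGIC = 0xCAFEBABE
THIN_MAGICS = {0xFEEDFACE: ">", 0xFEEDFACF: ">",   # stored big-endian
               0xCEFAEDFE: "<", 0xCFFAEDFE: "<"}   # stored little-endian


def macho_archs(data):
    """Return the architecture names a thin or fat Mach-O binary contains."""
    if len(data) < 8:
        raise ValueError("too short for a Mach-O header")
    magic, second = struct.unpack(">II", data[:8])
    if magic == FAT_MAGIC:
        # fat_header is always big-endian; 'second' is nfat_arch, followed by
        # 20-byte fat_arch records (cputype, cpusubtype, offset, size, align).
        if len(data) < 8 + 20 * second:
            raise ValueError("truncated fat_arch table")
        types = [struct.unpack_from(">i", data, 8 + 20 * i)[0]
                 for i in range(second)]
    elif magic in THIN_MAGICS:
        # Thin file: cputype follows the magic in the file's own byte order.
        types = [struct.unpack_from(THIN_MAGICS[magic] + "i", data, 4)[0]]
    else:
        raise ValueError("not a Mach-O file")
    return [CPU_NAMES.get(t, "unknown(%d)" % t) for t in types]


def kext_loadable(data, kernel_arch):
    """A kext can load only if it has a slice for the running kernel's arch."""
    return kernel_arch in macho_archs(data)


# Constructed sample: a fat header advertising only i386 and ppc slices,
# the layout the thread describes for the driver (header bytes only).
SAMPLE_FAT = (struct.pack(">II", FAT_MAGIC, 2)
              + struct.pack(">iiIII", 7, 3, 4096, 1000, 12)
              + struct.pack(">iiIII", 18, 0, 8192, 1000, 12))

if __name__ == "__main__":
    print(macho_archs(SAMPLE_FAT))              # slices present in the sample
    print(kext_loadable(SAMPLE_FAT, "x86_64"))  # 64-bit kernel cannot load it
```

To check a real driver, pass the bytes of the executable inside the kext bundle to `macho_archs` and compare the result with the kernel architecture reported by `uname -m`.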