gsimp

Q: Importing Cisco VPN Certificate into Snow Leopard's Cisco IPSec VPN

I'm trying to import the certificate that we use for the Cisco VPN client into the Keychain so that Snow Leopard's Cisco IPSec VPN can use it. The certificate is X.509 Base64. I can import it into my Keychain OK, but when I try to select it under Machine Authentication, I get the message "No machine certificates found". I converted the certificate to PKCS#7, which I can also import into the Keychain, but I still get the message "No machine certificates found". What is the minimum certificate I can use for Snow Leopard's Cisco IPSec VPN? Where in the keychain should I be placing these? Currently, it is in login under Certificates.

MacBook, Mac OS X (10.6.2)

Posted on Dec 23, 2009 11:07 AM

  • by F430,

    F430 Jan 5, 2010 2:03 PM in response to gsimp
    Level 1 (25 points)
    Did you find an answer to your question yet? I'm facing the same issue.
  • by Adam Aulick,

    Adam Aulick Jan 8, 2010 9:20 PM in response to F430
    Level 1 (34 points)
    Me, too. There needs to be documentation for this but I can't find any.
  • by Adam Aulick,

    Adam Aulick Jan 8, 2010 9:31 PM in response to Adam Aulick
    Level 1 (34 points)
    I fixed it for myself -- the certificate needed to be in the System keychain for the VPN setup to find it.

    I am using a PKCS#12 cert, I'm not sure if the certification type matters.

    Unfortunately I still can't connect due to "A configuration error occurred"
  • by F430,

    F430 Jan 22, 2010 2:14 PM in response to Adam Aulick
    Level 1 (25 points)
    I too was able to import a PK12 certificate into the System part of the keychain so that VPN could see the certificate. However, I am getting negotiating errors with the VPN server. When I tried to do the same with the Cisco VPN client, it used a root certificate and everything was okay.

    However, I don't know how to convert my .cer root certificate to the PK12 standard to use as a machine certificate. I have read about some command line ability to do this in Terminal, but it is not easily understood by the lay person.

    So now I'm forced to go back to the Cisco client until I figure this all out.
  • by carlinw,

    carlinw Feb 21, 2010 7:26 AM in response to F430
    Level 1 (0 points)
    1) Has anybody figured this out?

    2) If you haven't been able to get it to work with a certificate how about shared secret mode?

    3) If that hasn't worked, where did you find the Cisco VPN client?

    Thanks,
    cw
  • by kohj,

    kohj Mar 15, 2010 11:36 PM in response to gsimp
    Level 1 (0 points)
    VPN trouble in my environment

    CA Server
    - OpenSSL CA server : fail
    - Windows Server 2003 CA Server : success...and no problem

    Cisco ASA VPN Group Setting
    - Custom Group : fail
    - DefaultGroup : success

    Snow Leopard Certificate : DN OU=none
    The certificate OU should be the VPN group name (and the CN should be the VPN user name), but the Snow Leopard Keychain cannot create a CSR with an OU setting.
  • by direwolf8,

    direwolf8 Mar 16, 2010 11:40 AM in response to carlinw
    Level 4 (1,280 points)
    "If that hasn't worked, where did you find the Cisco VPN client?"

    The Cisco VPN client can be downloaded from Cisco, but you need CCO access to get it (and theoretically need to be licensed to use it).
  • by bturton,

    bturton Apr 16, 2010 1:26 PM in response to gsimp
    Level 1 (10 points)
    I am also having issues with this... The VPN system is actually causing a kernel panic on my computer, with increasing regularity. I have talked to both Geniuses and IT people, the latter of which were useless. The Genius told me that this has become an increasing problem between the Cisco VPN and Snow Leopard, but that Cisco won't update for Snow Leopard.
    Sorry if this is irrelevant to your question/post, but I can't find anywhere else to post my problems with the VPN System...
  • by wilsonics,

    wilsonics Apr 28, 2010 7:17 PM in response to direwolf8
    Level 1 (0 points)
    Not true, I found out tonight

    http://tools.cisco.com/support/downloads/pub/Redirect.x?mdfid=270636499

    You must download the 4.x version for Mac OS X. It is, however, buggy... but it works. (Ugly as sin)
  • by Bradford Schwie,

    Bradford Schwie May 26, 2010 5:25 AM in response to gsimp
    Level 1 (149 points)
    To get Snow Leopard's built in VPN client to import your personal certificate, I had to import the certificate into Keychain.app as a .pkcs12 file into the "System" keychain. If you already imported it into the "User" keychain, delete it and try again. It never worked for me when it was in the User keychain.

    Although the built in VPN client now acknowledges my personal certificate and I am able to finish configuring the client, I am still unable to connect to the VPN server. The server address and my certificate are properly configured, but when I click connect, I'm greeted with the following error message:

    "VPN Connection

    The negotiation with the VPN server failed. Verify the server address and try reconnecting."

    To be sure I had the correct server address, I resolved the name server address and typed in the numerical IP address. Same message… Help! When I use the same settings in the Cisco VPN Client, I connect without a hitch.
  • by tofergregg,

    tofergregg Jul 7, 2010 3:40 PM in response to Bradford Schwie
    Level 1 (0 points)
    I have the same problem with authentication using a certificate. "The negotiation with the VPN server failed. Verify the server address and try reconnecting."

    The VPN on my iPhone works perfectly, though, so I think it is just a Snow Leopard issue.
  • by aschafu,

    aschafu Jul 22, 2010 5:50 AM in response to gsimp
    Level 1 (0 points)
    I also have the same problem. The Linux and Windows machines in our group have no problem connecting, but I can't get my Mac into our VPN. The network setup always complains "No machine certificates found", even though it is in the keychain. -- I'd really like to see this problem solved!
  • by Bradford Schwie,

    Bradford Schwie Jul 22, 2010 7:37 AM in response to aschafu
    Level 1 (149 points)
    I think this has something to do with the root certificate not validating. Try going to Keychain.app, right click on your personal certificate, and choose "Evaluate <name of certificate>"...

    When you do this, Certificate Assistant will fire up. Choose "Generic (certificate chain validation only)". If your issue is like mine, you'll see under "Evaluation Status:" that "No root cert found".

    I've filed a bug report with Apple and they are saying the same thing, that the root certificate needs to be found. The root certificate is in my Keychain, so I'm not sure why I'm getting this message.

    Since the root certificate is not found, my (and possibly your) certificate is not valid for the Cisco VPN client to authenticate.
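One way to do what F430 (building a PKCS#12 from a .cer) and Bradford Schwie (chain evaluation) describe, as an added example that is not from this thread: assemble the client certificate, its private key and the CA chain into a PKCS#12 with openssl, and check the chain the way Keychain's "Evaluate" does. The CA, the user "jdoe", the group "vpngroup" and the password "changeit" are constructed for the demo; in practice you use your organisation's real root .cer and the key you generated.

```shell
#!/bin/sh
# Added example (not from the thread): build a PKCS#12 machine certificate
# with its CA chain and check the chain the way Keychain's "Evaluate" does.
# Everything here is constructed: the CA, the user "jdoe", the group
# "vpngroup" and the bundle password "changeit".
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Constructed stand-in for the organisation's root CA. In practice you hold
# only its public .cer (no private key), so this step is for the demo only.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
        -keyout ca.key -out ca.pem -subj "/CN=Example VPN CA" >/dev/null 2>&1
}

# Key + CSR with OU = VPN group name and CN = user name (the subject layout
# kohj describes, which Keychain Access will not produce), signed by the CA.
make_client_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj "/CN=$1/OU=$2" >/dev/null 2>&1
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 1 -sha256 -out client.pem >/dev/null 2>&1
}

# A PKCS#12 is client cert + private key + CA chain. A bare root .cer has no
# private key, so it cannot become a machine certificate on its own.
make_p12() {
    openssl pkcs12 -export -in client.pem -inkey client.key -certfile ca.pem \
        -name "vpn-machine-cert" -out client.p12 -passout pass:changeit
}

# Chain check: exit 0 when the issuing root is found, non-zero otherwise
# (the openssl equivalent of Certificate Assistant's "No root cert found").
verify_chain() {
    openssl verify -CAfile "$1" client.pem >/dev/null 2>&1
}

# Subject of the end-entity cert inside the bundle, to confirm OU/CN survived.
p12_subject() {
    openssl pkcs12 -in client.p12 -passin pass:changeit -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject
}

make_test_ca
make_client_cert jdoe vpngroup
make_p12
# On macOS the bundle belongs in the System keychain, not login (see above):
#   sudo security import client.p12 -k /Library/Keychains/System.keychain -P changeit
```

Run `verify_chain ca.pem` against the real root .cer before importing: if it fails here, Keychain's Evaluate will report "No root cert found" as well.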
  • by hblnk,

    hblnk Oct 10, 2010 4:05 AM in response to gsimp
    Level 1 (0 points)
    Same problem here. The Cisco certificate imports fine, but the VPN configuration dialogue cannot find it, regardless of where you locate it - System or Login.

    The router's log has a rather discouraging message:
    "Dynamic VPN Client in Main Mode is only supported for Microsoft VPN Client, please use Aggressive mode instead."
    "[Tunnel Negotiation Info]<<<Responder Received Aggressive Mode 1st packet."
    "Initial Aggressive Mode message from xxx.xxx.xxx.xxx but no (wildcard) connection has been configured."

    Thanks in advance for an update.