Snow Leopard and built-in CISCO VPN access

Hello,

FYI:

I just installed Mac OS X 10.6 and it seems faster than Leopard, in all I'm very happy with it.
I was also happy to hear that CISCO VPN was built-in...

I've tried that, however it seems that only "IPSec over TCP" Transport is allowed, making our connection to the external office impossible.
We need "IPSec over UDP (NAT/PAT)" which is only available with the CISCO VPN Client.

After reinstalling "CISCO VPN Client 4.9.01.0180" (since Snow Leopard Installer turns off the CISCO client) login to our external office worked again...uffff..

Hopefully this will be fixed in the next Snow Leopard Update....

Or maybe someone knows if there's a CISCO VPN Settings to change to "IPSec over UDP (NAT/PAT)" file on Snow Leopard?

Thanks,

gilcel

iMac 24", Mac OS X (10.6), 2.16GHz / 4GB RAM

Posted on Aug 28, 2009 10:12 AM

54 replies

Aug 31, 2009 6:59 AM in response to Jack Harris Jr.

Snow Leopard VPN Connectivity
Go to System Preferences:
Click on Network:
Click the "+" control button on the bottom left-hand corner of your screen to create a new service.
Select the interface: "VPN"
Select the VPN Type: "Cisco IPSEC"
Name your Service Name: "My VPN Connection"
Type in your Server Address: IP Address or FQDN
Type in your Account Name: "vpn-userid"
Type in your Password: "vpnpassword"
Note, if you fill in the password you will be prompted for it when logging in.
Click on Authentication Settings,
Type in your Shared Secret: "group-shared-secret"
Type in your Group Name: "VPN-Group-Name"
Click Okay.
Optional: Click Advanced for VPN DNS Settings
Click the "+" on the DNS Servers Pane to add a DNS Server IP Address.
Click the "+" on the Search Domain Pane to add a Search Domain for your connection.
These optional DNS and Search Domain entries will enable connections by name rather than use IP addresses.
Click Apply.
Click Connect or click the VPN connection icon in the Apple menu bar to start a connection to the newly created VPN Location.

Aug 31, 2009 10:15 AM in response to Jack Harris Jr.

Chiming in here, I have a separate discussion thread that I just posted, which may be relevant to the problems people are experiencing with the built-in Cisco VPN:

[ http://discussions.apple.com/thread.jspa?threadID=2136622 ]

Hello Everyone,

We're having a problem with the Cisco VPN connection capability in Snow Leopard.

The transaction complains that our shared secret is incorrect. What I believe is happening is that certain assumptions are made about the IKE proposals and encryption etc. There doesn't appear to be a place to tailor these in the connection profile. There may be at the system level (which I'm unaware of).

Has anyone else experienced this problem?

I believe the same problem applies to the iPhone's Cisco VPN connector.

Furthermore, Cisco is not providing Snow-Leopard IPSec home-to-network clients any longer; they are promoting the AnyConnect SSL VPN instead, for which they have a BETA build available specifically for Snow Leopard.

So this reduces our options (yes, I'm working on VPNTracker).

Thank you.

Aug 31, 2009 10:18 AM in response to Alex Rodriguez - Miami

Alex,

I don't think that will solve the problem, for connection profiles that have specific IKE proposals and encryption algorithms, etc. Though I can't confirm it yet, I think the Apple version of Cisco VPN makes certain assumptions -- in my case, Phase 1 fails with the shared-secret hash not being correct.

I'm still trying to figure it out.

Aug 31, 2009 12:41 PM in response to Jack Harris Jr.

"While the Cisco VPN supports IPSEC over UDP and TCP, the default connection is over UDP. The Snow Leopard must be using IPSEC over UDP as my connections are all IPSEC over UDP."

Then what would explain so many IPSec over UDP users not being able to connect using the Snow Leopard client? You're saying that you can connect using IPSec over UDP?

Aug 31, 2009 12:59 PM in response to Robert Williams5

Hi, was able to configure the native Apple Cisco but like everyone else it keeps on asking for the password over and over again.
When you look at the dialogue box it asks you for a username, password and domain.
Not sure if this is pertinent but maybe the password has to include a domain too but not sure what format it wants, i.e. password/domain, passworddomain, password\domain or it may not need it in the first place.
Does anyone have a guess??

Aug 31, 2009 1:59 PM in response to gilcelli

I'm not sure if we are all having the same problem ... I am able to connect using the native snow leopard Cisco settings, however once I'm connected I cannot actually mount any of my network drives or browse any intranet websites.

I took a look in my PCF file (from within the cisco client) it indicates IPSec over UDP (NAT/PAT) so I assume that I am having the same problem as everyone else... on the other hand it appears a lot of people are saying that they cannot connect at all.

Any thoughts?

Aug 31, 2009 2:14 PM in response to Jason Chisler

Folks, what Apple is doing is just encapsulating in straight IPsec which isn't TCP or UDP. It is actually a separate IP protocol type 51.

The default connection type in the Cisco VPN client is actually straight IPsec. You can choose IPsec over UDP and also IPsec over TCP. If you are having problems getting the Cisco VPN client working with SL, just try a reinstall and it should work. Make sure that you are also running the latest release.

Bottom line, if you need any sort of IPsec encapsulation UDP or TCP then you are going to need to stay with the Cisco client. This would hold true if you are traversing any NAT devices.
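
Added example (not part of any poster's message and not Apple or Cisco code): a small Python reader for the Cisco VPN Client .pcf profile mentioned in the thread, reporting which transport the profile requests so it can be compared with what a given client offers. It assumes the profile keys EnableNat, TunnelingMode (0 = UDP, 1 = TCP) and TCPTunnelingPort; the sample profile, host and group name are constructed.

```python
import configparser

# Constructed sample profile; host and group name are placeholders.
SAMPLE_PCF = """\
[main]
Description=Constructed example
Host=vpn.example.com
AuthType=1
GroupName=VPN-Group-Name
EnableNat=1
TunnelingMode=0
TCPTunnelingPort=10000
"""


def load_pcf(text):
    """Parse .pcf text and return the [main] keys, lower-cased."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    if not parser.has_section("main"):
        raise ValueError("no [main] section; not a Cisco VPN Client profile")
    # A leading '!' marks a key as read-only for the user; strip it.
    return {k.lstrip("!"): v.strip() for k, v in parser.items("main")}


def transport(profile):
    """Return 'native', 'udp', 'tcp:<port>' or 'unspecified'."""
    nat = profile.get("enablenat")
    if nat is None:
        return "unspecified"  # key absent: the client default applies
    if nat != "1":
        return "native"       # plain IPsec, no UDP/TCP wrapper
    if profile.get("tunnelingmode", "0") == "1":
        return "tcp:" + profile.get("tcptunnelingport", "10000")
    return "udp"              # IPsec over UDP (NAT/PAT)


if __name__ == "__main__":
    prof = load_pcf(SAMPLE_PCF)
    print(prof.get("host"), prof.get("groupname"), transport(prof))
```

To check a real profile, pass the file's contents to `load_pcf` in place of `SAMPLE_PCF`.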
