Snow Leopard and built-in CISCO VPN access

No Cisco development being done for a 64bit IPSec client - Mac, Windows, or otherwise. AnyConnect (SSL) is the direction Cisco is going. Better licensing model.

This is true, but the most recent client (4.9.01.0180) works fine with the 32bit kernel. You just have to re-install after upgrading to 10.6. Anyone with Cisco hardware providing IPSec VPNs has access to CCO and can download the client, so there should be no need to download it from any other sources.

tsarna wrote:
Thanks so much, Cisco. By making it difficult to obtain the software legitimately, you force people into obtaining copies from unknown sources that might contain malware.

It's not difficult at all; ask your IT department for a copy. They have the support contracts with Cisco and can login and download the client directly from Cisco.

Encryption regulations are why Cisco can't make the client available for random download.

Built in Client not working here too 😟
I can connect to the network, get an IP Adress and DNS-Server, but i cannot reach any machine in that network. No ssh, no nslookup…
In my .pcf it says:

EnableNat=1
TunnelingMode=1
TcpTunnelingPort=10000

Is that the problem?

Greetings
Sven

The SL Cisco IPsec client only support straight IPsec not tunneled in UDP or TCP. Tunneling in UDP or TCP is required to support IPsec over any NAT device. Since you are asking for tunneling and NAT it won't work.

Just use the Cisco client. It works fine with SL.

I just tested the SL Cisco VPN client and connected to the VPN 3000 series concentrator at work and verified that it DOES support the standards-track "NAT Traversal" feature that uses UDP to encapsulate the ESP (IP protocol 50) traffic if either or both endpoints of the VPN connection are behind a NAT device. This is the newer flavor of encapsulation that has replaced the older versions of TCP and UDP encapsulations and is the preferred encapsulation technique.

In case anyone's interested, I used the same VPN group that I use with the Cisco VPN client, so the SL client appears to be reasonably compatible (assuming you don't use Cisco's older versions of TCP and UDP encapsulation). Anyone trying to configure a Cisco device at the head end to support the SL client should just pretend they're setting it up for a Cisco IPSec client, but make sure you specify "NAT-T" instead of the older TCP or UDP versions that default to port 10000 (NAT-T defaults to UDP port 4500).

HTH

Dana
CCIE #1937

I too ran into problems -- I found a beta release of Cisco AnyConnect which supports Snow Leopard.

http://unf.net/snowleopard/anyconnect-macosx-i386-2.4.0154-k9-BETA.zip

and the release notes:

http://unf.net/snowleopard/anyconnect2.4.0154rnBeta.pdf

Hope this helps!

Andy

I too have lost my Cisco VPN connection ability.

Even after trying to re-install Cisco AnyConnect (4.9.01.0180) I just keep getting the "Failed to initialize VPN API, aborting." message.

Just when I got my company to think they could look at moving more people to Macs. Doh!

I was really hoping that the built in Snow Leopard Cisco VPN support would take care of all this.

Bughuntr,

In speaking with Cisco, they mentioned that Snow Leopard support is in a new beta of AnyConnect:

anyconnect-macosx-i386-2.4.0154-k9-BETA

If you have access to their downloads, grab it and it should work for you.


Best,

Forrest

Hey Sven,

My .pcf configuration file has the same settings are yours:
EnableNat=1
TunnelingMode=1
TcpTunnelingPort=10000

Mine is from Rice University. Are you from Rice? I'm trying to avoid the Cisco VPN client due to two kernel panics this week that I traced to the Cisco IPsec.kext. I have gotten the default SL VPN client to connect and authenticate but half the time it works and half the time I have the same problem as you (nothing is accessible or pingable). I'm having trouble figuring out what might have gone wrong because everything looks okay aside from my network not responding. Did you get anywhere with this?

This is the sort of gaff that ruins our attempts to convince our companies that mac is a viable platform, and the sort of "hey user ... it's your problem" behavior I'd expect from Microsoft ... not from Apple.

A re-install of Cisco VPN Client MAC 4.9 reproduced the 051 issue. However installing vpnclient-darwin-4.9.01.0100-universal-k9 yielded a Cisco vpn that works on SL.

Hi J-a-x,

sorry for answering so late - I didn't find the time. Till now I have no solution. I'm still using the cisco client.

Greetings
Sven

P.S.: No, I'm not from Rice. Actually I'm living in Switzerland. 🙂

Cisco's web pages are confusing but it shouldn't take you long to find where to download the VPN client. If you're purchased a license, you can download it with your Cisco CCO account. Nobody should have to get a (legitimate) copy from anywhere else.

I "fixed" the VPN issue I was having. My built in VPN would also connect but not "ping" other servers within the domain. I manually added the search domains/servers to the VPN connection (Network->VPN Connection->Advanced->DNS tab. When that didn't work, I also added them to my airport connection and voila, it worked... seems as if Apple is not forcing a routing through he VPN connection... my case I also tried the Cisco 2.4 osx client beta and the old client, neither worked for me despite uninstall/install.

Create two locations (Home/Office) so that you can keep the Airport settings intact.

Hope this helps someone.

Message was edited by: foertter