Importing Cisco VPN Certificate into Snow Leopard's Cisco IPSec VPN

I'm trying to import the certificate that we use for the Cisco VPN client into the Keychain so that Snow Leopard's Cisco IPSec VPN can use it. The certificate is x509 Base64. I can import it into my Keychain OK, but when I try to select it under Machine Authentication, I get the message "No machine certificates found". I converted the certificate to PKCS#7, which I can also import into the Keychain, but I still get the message "No machine certificates found". What is the minimum certificate I can use for Snow Leopard's Cisco IPSec VPN? Where in the keychain should I be placing these? Currently, it is in login under Certificates.

MacBook, Mac OS X (10.6.2)

Posted on Dec 23, 2009 11:07 AM

Jan 22, 2010 2:14 PM in response to Adam Aulick

I too was able to import a PK12 certificate into the System part of the keychain so that VPN could see the certificate. However, I am getting negotiating errors with the VPN server. When I tried to do the same with the Cisco VPN client, it used a root certificate and everything was okay.

However, I don't know how to convert my .cer root certificate to the PK12 standard to use as a machine certificate. I have read about some command line ability to do this in Terminal, but the commands are not easily understood by the lay person.

So now I'm forced to go back to the Cisco client until I figure this all out.

Mar 15, 2010 11:36 PM in response to gsimp

VPN trouble in my environment

CA Server
- OpenSSL CA server : fail
- Windows Server 2003 CA Server : success...and no problem

Cisco ASA VPN Group Setting
- Custom Group : fail
- DefaultGroup : success

Snow Leopard certificate: DN OU=none
Though the certificate OU will be the VPN group name (and the CN will be the VPN user name).
But Snow Leopard's Keychain cannot create a CSR with an OU setting.

Apr 16, 2010 1:26 PM in response to gsimp

I am also having issues with this... The VPN system is actually causing a kernel panic on my computer, with increasing regularity. I have talked to both Geniuses and IT people, the latter of which was useless. The Genius told me that this has become an increasing problem between the Cisco VPN and Snow Leopard but that Cisco won't update for Snow Leopard.
Sorry if this is irrelevant to your question/post, but I can't find anywhere else to post my problems with the VPN System...

May 26, 2010 5:25 AM in response to gsimp

To get Snow Leopard's built in VPN client to import your personal certificate, I had to import the certificate into Keychain.app as a .pkcs12 file into the "System" keychain. If you already imported it into the "User" keychain, delete it and try again. It never worked for me when it was in the User keychain.

Although the built in VPN client now acknowledges my personal certificate and I am able to finish configuring the client, I am still unable to connect to the VPN server. The server address and my certificate are properly configured, but when I click connect, I'm greeted with the following error message:

"VPN Connection

The negotiation with the VPN server failed. Verify the server address and try reconnecting."

To be sure I had the correct server address, I resolved the name server address and typed in the numerical IP address. Same message… Help! When I use the same settings in the Cisco VPN Client, I connect without a hitch.

Jul 22, 2010 7:37 AM in response to aschafu

I think this has something to do with the root certificate not validating. Try going to Keychain.app, right click on your personal certificate, and choose "Evaluate [name of certificate]"….

When you do this, Certificate Assistant will fire up. Choose "Generic (certificate chain validation only)". If your issue is like mine, you'll see under "Evaluation Status:" that "No root cert found".

I've filed a bug report with Apple and they are saying the same thing, that the root certificate needs to be found. The root certificate is in my Keychain, so I'm not sure why I'm getting this message.

Since the root certificate is not found, my (and possibly your) certificate is not valid for the Cisco VPN client to authenticate.
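
An added example, not part of any post in this thread: the replies above mention a CSR whose OU is the VPN group name, a PKCS#12 file for the System keychain, and a chain evaluation against the root. The script below builds all three with the OpenSSL command line against a throwaway test CA and shows that the PKCS#12 bundle contains a private key while a PKCS#7 file contains none. It assumes `openssl` is installed; every name, subject, file name and the passphrase are constructed test values.

```bash
#!/usr/bin/env bash
# Added example. Every name, subject and passphrase below is a constructed test value.
set -eu
PASS=example-pass   # constructed passphrase protecting the test bundle

# Throwaway root CA, then a client key + CSR whose subject carries OU (the VPN
# group name) and CN (the VPN user name), signed by that CA.
make_identity() {   # usage: make_identity DIR GROUP USER
  d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=placeholder' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ssl.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ssl.cnf" \
    -extensions v3_ca -subj "/O=Example Test/CN=Example Test Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ssl.cnf" \
    -subj "/O=Example Test/OU=$2/CN=$3" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/client.pem" 2>/dev/null
  # PKCS#12: certificate + private key + issuing CA in one protected file.
  openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.pem" \
    -certfile "$d/ca.pem" -name "$3" -passout "pass:$PASS" -out "$d/client.p12"
  # PKCS#7: certificates only, built here for comparison.
  openssl crl2pkcs7 -nocrl -certfile "$d/client.pem" -out "$d/client.p7b"
}

cert_ou() {         # print the OU of a PEM certificate
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*OU=\([^,]*\).*/\1/p'
}
verify_chain() {    # succeeds only if the client cert chains to the test root
  openssl verify -CAfile "$1/ca.pem" "$1/client.pem" >/dev/null 2>&1
}
p12_key_count() {   # number of private keys inside the PKCS#12 bundle
  openssl pkcs12 -in "$1/client.p12" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY' || true
}
p7b_key_count() {   # number of private keys inside the PKCS#7 file
  openssl pkcs7 -in "$1/client.p7b" -print_certs | grep -c 'BEGIN.*PRIVATE KEY' || true
}

work=$(mktemp -d)
make_identity "$work" vpn-group alice
echo "OU=$(cert_ou "$work/client.pem") p12_keys=$(p12_key_count "$work") p7b_keys=$(p7b_key_count "$work")"
verify_chain "$work" && echo "chain: OK"
# On the Mac (not run here), the bundle would go into the System keychain:
#   sudo security import client.p12 -k /Library/Keychains/System.keychain
```
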

Oct 10, 2010 4:05 AM in response to gsimp

Same problem here. The Cisco certificate imports fine, but the VPN configuration dialogue cannot find it, regardless of where you locate it - System or Login.

The router's log has a rather discouraging message:
"Dynamic VPN Client in Main Mode is only supported for Microsoft VPN Client, please use Aggressive mode instead."
"[Tunnel Negotiation Info]<<<Responder Received Aggressive Mode 1st packet."
"Initial Aggressive Mode message from xxx.xxx.xxx.xxx but no (wildcard) connection has been configured."

Thanks in advance for an update.