
Can't connect to Cisco VPN Devices

We have configured our Firewall (Cisco PIX 501) to enable VPN connections from outside the LAN.

This works fine with the "+Cisco VPN Client+" Application, which *can successfully connect to our LAN* from outside the network; *but it's NOT possible to do this with Mac OS X's built-in VPN Client:*

We have created a VPN Connection in the Network Preferences (VPN-Type: Cisco IPSec) and _entered everything exactly in the same way as in Cisco's VPN Client_, but the Mac always says that it +can't reach/connect to the VPN Server...+

We have also tried out almost everything in the encryption section of the Firewall, but no success. 😟
+(The ONLY working way is to enable PPTP on the Firewall together with Mac OS X's VPN-PPTP Connection, but this encryption type is not safe enough for our requirements.)+

So - I can't understand why Apple offers a way to connect to Cisco VPN Devices although it's not possible to create a connection to them. 😟

*Any ideas? I'd really be glad for a helping hand!*

Regards,
Chris

Mac Pro 2 x 2.4 GHz, Mac OS X (10.6.6), 3 XServes, Cisco PIX 501

Posted on Jan 9, 2011 9:01 AM

14 replies

Jan 10, 2011 7:27 AM in response to Chris Pastl

No, I don't use the built-in VPN. I was doing so until our corporate folks did something which broke that. Since then I've used the Cisco software which was cobbled together by someone (our IT guy found it for me), and that worked reliably until 10.6.6 was released. Need I add that Macs are not supported by my corporate IT people?

If you're using the built-in VPN, may I suggest having a talk with whatever IT person you deal with. That was enough to get me started. I walked in with my laptop, plugged it into the network, and our technician helped me set it up.

David

Jan 11, 2011 9:04 AM in response to WisDavid

Exact same problem here. Once I upgraded to 10.6.6 vpn no longer works. The log file from the Cisco VPN client:

Cisco Systems VPN Client Version 4.9.01 (0100)
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Mac OS X
Running on: Darwin 10.6.0 Darwin Kernel Version 10.6.0: Wed Nov 10 18:13:17 PST 2010; root:xnu-1504.9.26~3/RELEASE_I386 i386
Config file directory: /etc/opt/cisco-vpnclient

1 10:52:20.526 01/11/2011 Sev=Info/4 CM/0x43100002
Begin connection process

2 10:52:20.526 01/11/2011 Sev=Warning/2 CVPND/0x83400011
Error -28 sending packet. Dst Addr: 0x0A0001FF, Src Addr: 0x0A000107 (DRVIFACE:1158).

3 10:52:20.865 01/11/2011 Sev=Info/4 CM/0x43100004
Establish secure connection using Ethernet

4 10:52:20.865 01/11/2011 Sev=Info/4 CM/0x43100024
Attempt connection with server "134.124.99.1"

5 10:52:20.865 01/11/2011 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (500).

6 10:52:20.865 01/11/2011 Sev=Warning/2 CVPND/0xC340001C
Privilege Separation: unable to bind to port: (500).

7 10:52:21.865 01/11/2011 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (500).

8 10:52:21.865 01/11/2011 Sev=Warning/2 CVPND/0xC340001C
Privilege Separation: unable to bind to port: (500).

9 10:52:22.865 01/11/2011 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (500).

10 10:52:22.866 01/11/2011 Sev=Warning/2 CVPND/0xC340001C
Privilege Separation: unable to bind to port: (500).

11 10:52:23.866 01/11/2011 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (500).

12 10:52:23.866 01/11/2011 Sev=Warning/2 CVPND/0xC340001C
Privilege Separation: unable to bind to port: (500).

13 10:52:23.866 01/11/2011 Sev=Critical/1 CVPND/0xC3400003
Function SocketApiBind() failed with an error code of 0xFFFFFFFF(ike-init-state.cpp:402)

14 10:52:23.866 01/11/2011 Sev=Critical/1 CVPND/0x43400012
Unable to bind to IKE port. This could be because there is another VPN client installed or running. Please disable or uninstall all VPN Clients other than the Cisco VPN Client.

15 10:52:23.866 01/11/2011 Sev=Info/4 CM/0xC3100003
Failure to Initialize IKE ports

16 10:52:23.866 01/11/2011 Sev=Info/5 CM/0x43100025
Initializing CVPNDrv

17 10:52:23.866 01/11/2011 Sev=Info/4 CVPND/0x4340001F
Privilege Separation: restoring MTU on primary interface.

18 10:52:23.867 01/11/2011 Sev=Info/4 IPSEC/0x43700008
IPSec driver successfully started

19 10:52:23.867 01/11/2011 Sev=Info/4 IPSEC/0x43700014
Deleted all keys

20 10:52:23.867 01/11/2011 Sev=Info/4 IPSEC/0x43700014
Deleted all keys

21 10:52:23.867 01/11/2011 Sev=Info/4 IPSEC/0x43700014
Deleted all keys

22 10:52:23.867 01/11/2011 Sev=Info/4 IPSEC/0x4370000A
IPSec driver successfully stopped

Mar 2, 2011 11:16 AM in response to mdwhitis

Presumably if you are running your own Cisco VPN concentrator, you already know what your shared secret is, but if you don't happen to know, the CiscoVPN Client keeps an encrypted copy in a .pcf file found in:

/private/etc/CiscoSystemsVPNClient/Profiles

Cisco's method for encrypting this data has been reverse engineered so recovering the shared secret is fairly trivial. My guide (linked in the previous post) includes a form which converts "enc_GroupPwd" strings from .pcf files to their plain-text variant which when used as the shared secret make the native OS X VPN work in place of the CiscoVPN Client.

Mar 3, 2011 1:30 PM in response to reason001

As an aside, the current version of Cisco VPNClient is 4.9.01.0280 - released in January. Unfortunately, you have to have a Cisco Connection Online account (which usually means a SmartNet Maintenance contract) in order to have access to download it. If you work for an organization, have whoever manages your Cisco equipment log in and download it for you.

I've been able to make the built-in Snow Leopard IPSec VPN client work 99% of the time. However, I have one environment, where end users are VPN'ing into an ASA 5520, where they can connect with the built-in client, but not resolve DNS or pass any traffic. Cisco VPNClient works fine with the exact same info. I opened a TAC case with Cisco; they reviewed the ASA config, and pronounced it correct, yet it does not work.

I originally stumbled on this thread because a user had purchased one of the new Early 2011 MacBook Pros, however she could not get Cisco VPNClient to connect (the kext wouldn't load, complained of wrong architecture). That's when I found the new .0280 version; there was a .0230 version released a while ago which we had been using with no problems under Snow Leopard...

Mar 24, 2011 8:04 PM in response to Chris Pastl

I found a TEMPORARY solution.

The short answer: "hard code" all DNS servers. No Automatic configurations.

I have observed that traffic is still routable over the regular internet connection and to the remote network being accessed via Cisco IPSEC, only DNS is hurt!

To fix this you will have to "hard code" all DNS servers in your network configuration, DHCP and other automatic configurations will be ignored!

On the plus side, all the IP addresses you need will be in your network interface's config as "soft" in a light grey font.
To get to a typical DNS configuration for an interface you will go into System Settings -> Network -> Click on a required interface --> Advanced button and then finally there will be a DNS tab. All you need to do is put that nice and soft IP address in by clicking the "+" button.

If you're in a bit of a BIND, for a public DNS server (On your Airport or Ethernet interfaces) may I recommend Google's DNS server at 8.8.8.8 because it is very easy to remember. This will allow you to speed up your configuration by not having to even think of "192.168.0.1","10.0.0.1" or "234.245.12.333". (Good luck with that last one!)

Possibly Optional:
And as for your VPN interface, you will need to add your super secret domains into the "Search Domains" box by clicking on the "+". I have observed some odd behavior with adding these.

If you have issues with the above, you should set up a resolver configuration.
To do this you will have to do the following:

Open up the terminal, type "sudo bash" and then enter your password.
Make a directory with "mkdir /etc/resolver"
Change the current directory to resolver with "cd /etc/resolver"
Now you will have to create a file for each domain on the VPN you wish to access (yes pain, thankfully I only have a couple to setup). For this example I will use the domain "foo.com", so create the file by typing in "nano foo.com".
Now fill the file with the following (note the almost bogus IP address) :

domain foo.com
nameserver 8.8.8.8 <-- change to your VPN's DNS server

Hit "Control+x" to save and exit.

And then you should be OK.

It isn't ideal, but it is working for me at the moment.

BONUS:
Hopefully your host list isn't long. Edit /etc/hosts:
Company hostnames that exist on the public internet you will want to specify in your hosts file.
i.e.:
mail.your-company-email-hosted-by-google.com
VPN endpoints
Any other site you need outside the VPN

The reason for doing this is once you connect to vpnendpoint.foo.com, you may not be able to resolve it again because of the resolver config or the OS X DNS configuration. So re-connecting to the VPN without rebooting will be impossible, and in one case where I used the raw IP instead of a hostname!

Apple: you're not off the hook, please fix so we don't have to do this crap!

OH, and fix the ** key management issue! I am sick of re-entering my passwords and keys!!
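The per-domain resolver step described above ("nano foo.com" in /etc/resolver, one file per VPN domain), as an added example that is not part of the original post and not Apple's or Cisco's code: a small POSIX shell script that writes those files in the same "domain"/"nameserver" form and refuses malformed addresses such as the "234.245.12.333" the post jokes about. RESOLVER_DIR is an assumed override so the script can be tried in a scratch directory without root; the domain names and addresses in it are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): write macOS resolver(5) entries, one file
# per VPN domain, rejecting bad nameserver addresses before anything is written.
# Usage: sudo sh resolver-entry.sh foo.com 10.0.0.53 [more nameservers...]
# Assumption: RESOLVER_DIR overrides the default /etc/resolver for testing.

# valid_ipv4 ADDR: returns 0 if ADDR is four dotted decimal octets in 0..255.
# Pure parameter expansion, so it needs no awk and does not touch IFS.
valid_ipv4() {
    ip=$1
    n=0
    while [ -n "$ip" ]; do
        octet=${ip%%.*}                      # text before the first dot
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "${#octet}" -le 3 ] || return 1    # avoids overflow on long digit runs
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        [ "$ip" = "$octet" ] && break        # last octet, no dot left
        ip=${ip#*.}
        [ -n "$ip" ] || return 1             # trailing dot ("8.8.8.8.")
    done
    [ "$n" -eq 4 ]
}

# render_resolver_entry DOMAIN NAMESERVER...: print the file body in the form
# the post uses: a "domain" line followed by one "nameserver" line per server.
render_resolver_entry() {
    domain=$1; shift
    printf 'domain %s\n' "$domain"
    for ns in "$@"; do
        printf 'nameserver %s\n' "$ns"
    done
}

# write_resolver_entry DOMAIN NAMESERVER...: validate the inputs, then write
# $RESOLVER_DIR/DOMAIN (default /etc/resolver/DOMAIN). Returns 1 on bad input
# without creating the file.
write_resolver_entry() {
    domain=$1; shift
    dir=${RESOLVER_DIR:-/etc/resolver}
    # only hostname characters, no leading dot, no empty label
    case "$domain" in
        ''|*[!A-Za-z0-9._-]*|.*|*..*) echo "bad domain: $domain" >&2; return 1 ;;
    esac
    [ "$#" -ge 1 ] || { echo "no nameserver given for $domain" >&2; return 1; }
    for ns in "$@"; do
        valid_ipv4 "$ns" || { echo "bad nameserver for $domain: $ns" >&2; return 1; }
    done
    mkdir -p "$dir" || return 1
    render_resolver_entry "$domain" "$@" > "$dir/$domain"
}

# Stand-alone use: arguments are DOMAIN NAMESERVER...; no arguments, no action.
if [ "$#" -gt 0 ]; then
    write_resolver_entry "$@"
fi
```

The check matters because a resolver file with an unusable address silently breaks lookups for that whole domain, which looks exactly like the "DNS is hurt" symptom the post describes; failing loudly before the file exists is cheaper than debugging it afterwards.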

Jul 10, 2012 7:11 PM in response to reason001

I was having a very similar issue with Snow Leopard 10.6.8 - I ran another VPN client, and then could no longer get the Cisco VPN client to run.

In the Cisco VPN Client, I was getting:

314 14:39:38.673 07/10/2012 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (500).

315 14:39:38.674 07/10/2012 Sev=Warning/2 CVPND/0xC340001C
Privilege Separation: unable to bind to port: (500).

316 14:39:38.674 07/10/2012 Sev=Critical/1 CVPND/0xC3400003
Function SocketApiBind() failed with an error code of 0xFFFFFFFF(ike-init-state.cpp:402)

317 14:39:38.674 07/10/2012 Sev=Critical/1 CVPND/0x43400012
Unable to bind to IKE port. This could be because there is another VPN client installed or running. Please disable or uninstall all VPN Clients other than the Cisco VPN Client.

318 14:39:38.674 07/10/2012 Sev=Info/4 CM/0xC3100003
Failure to Initialize IKE ports


What worked for me was to find the process using isakmp, kill it, and then start up the Cisco VPN software and connect to a site.


~ cwr$ sudo lsof -i
...
iked 46 root 15u IPv4 0x0dac7d38 0t0 UDP *:isakmp
iked 46 root 16u IPv4 0x0dac7c5c 0t0 UDP *:ipsec-msft
...

~ cwr$ sudo kill -1 46

I was then able to start up the Cisco VPN client, which was able to bind to port 500 (isakmp)

~ cwr$ sudo lsof -i
....
cvpnd 401 nobody 6u IPv4 0x0dc6bf28 0t0 TCP localhost:29746 (LISTEN)
cvpnd 401 nobody 7u IPv4 0x0ebb6658 0t0 UDP localhost:29746
cvpnd 401 nobody 8u IPv4 0x0ddc1378 0t0 TCP localhost:29746->localhost:55938 (ESTABLISHED)
cvpnd 401 nobody 9u IPv4 0x0dc6b2f8 0t0 TCP localhost:29746->localhost:55941 (ESTABLISHED)
cvpnd 401 nobody 10u IPv4 0x0dcc2378 0t0 TCP localhost:55942->localhost:29748 (ESTABLISHED)
cvpnd 401 nobody 11u IPv4 0x0dac6604 0t0 UDP *:isakmp
cvpnd 401 nobody 13u IPv4 0x0ebb68ec 0t0 UDP *:ipsec-msft
....
~ cwr$
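The "unable to bind to port: (500)" failure in both the Jan 11 log and this post has the same root cause: another daemon already owns the IKE ports, UDP 500 (isakmp) and UDP 4500 (ipsec-msft). As an added example that is not part of the thread and not Cisco's or Apple's code, the shell script below turns the manual `lsof -i` inspection above into a repeatable check that names the holder (command and PID) before anyone decides what to stop. It assumes lsof's default nine-column output; the sample output embedded in it is constructed to match the shape of the lines quoted in the post, not captured from a real host, and "otherclient" is a made-up process name.

```shell
#!/bin/sh
# Added example (not from the thread): identify which process holds the IKE
# ports so a bind failure like "Unable to bind to IKE port" can be diagnosed.
# Usage: sh ike-ports.sh          -> runs against the constructed sample below
#        sudo sh ike-ports.sh --live  -> inspects this host with lsof
# Assumption: lsof's default column layout (COMMAND PID USER FD TYPE DEVICE
# SIZE/OFF NODE NAME); with -nP the NAME column carries numeric ports.

# ike_port_holders: read lsof output on stdin and print "COMMAND PID NAME" for
# every UDP socket bound to the IKE ports, whether lsof printed service names
# (isakmp, ipsec-msft) or raw port numbers (500, 4500).
ike_port_holders() {
    awk '$8 == "UDP" && $9 ~ /:(500|4500|isakmp|ipsec-msft)$/ { print $1, $2, $9 }'
}

# ike_pids: the distinct PIDs behind ike_port_holders, one per line.
ike_pids() {
    ike_port_holders | awk '{ print $2 }' | sort -u
}

# check_ike_ports: live check of this host. Needs root to see other users'
# sockets; -n/-P keep hosts and ports numeric so the match does not depend on
# /etc/services. Returns 0 when the ports are free, 1 (listing the holders)
# when another client already has them.
check_ike_ports() {
    holders=$(lsof -nP -i UDP 2>/dev/null | ike_port_holders)
    if [ -z "$holders" ]; then
        echo "UDP 500/4500 are free"
        return 0
    fi
    echo "UDP 500/4500 already held by:"
    echo "$holders"
    return 1
}

# Constructed sample in the format of the session quoted in the post
# (not real output; "otherclient" is a made-up process name).
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
iked 46 root 15u IPv4 0x0dac7d38 0t0 UDP *:isakmp
iked 46 root 16u IPv4 0x0dac7c5c 0t0 UDP *:ipsec-msft
otherclient 77 root 9u IPv4 0x0dac7e10 0t0 UDP *:4500
mDNSResponder 20 _mdnsresponder 7u IPv4 0x0dac7f00 0t0 UDP *:5353
sshd 88 root 3u IPv4 0x0dac7aa0 0t0 TCP *:22 (LISTEN)'

if [ "${1:-}" = "--live" ]; then
    check_ike_ports
else
    printf '%s\n' "$SAMPLE_LSOF" | ike_port_holders
fi
```

Run against the sample, `ike_port_holders` reports the two iked sockets and the 4500 holder and ignores the TCP and mDNS lines; `ike_pids` reduces that to 46 and 77, which is the list an operator would look at before stopping anything, instead of guessing at a PID from a scrolling `lsof -i` listing.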
