Built-in Cisco VPN on Lion still doesn't work - and now neither does the Cisco Client :-(

Question

Until today, I&#x27;ve always used the Cisco client to setup the VPN - mostly because I could never get the built-in Cisco VPN (IPSec) to work in Snow Leopard. But even that stopped working with Lion (I saw some posts elsewhere that suggest that if you boot the O/S into 32-bits it might still work; others who&#x27;ve had the problem in the past also suggest re-installing the client).  But I don&#x27;t want to do either of these things - after all, what good is Apple&#x27;s built-in Cisco support if it doesn&#x27;t work?Here&#x27;s what I did so far: I created a VPN (Cisco IPSec) and put in our vpn&#x27;s server address and my account id.  Under "Authentication Settings..." I entered the shared secret and our Group Name.  I then tried to connect.  It seems to do so as it asks for my account&#x27;s password (presumably the shared secret for the group has already been trasmitted).  But when I give it the password, the VPN quietly disconnects again after a second or so.  No warnings, no error messages - nothing!Can someone here point me to where this network setup tool writes logs that I might look into to get a clue as to what&#x27;s going on?Better yet - if you know what (if anything) I&#x27;m doing wrong, please tell me?  Any help is much appreciated.Dead in the water,Tom

DrVenture · Accepted Answer

Tom,I just tried this on my Lion client. I was able to set up a Cisco IP sec VPN from my Lion client to my Cisco ASA. I used a shared secret and group config, vs a certificate and group config.Open a console and click on all messages (on the left). Then try to connect with your VPN client. Copy and past from the first message from the racoon service that says IPSec connecting to server X.X.X.X to last message after the VPN connection attempt fails. That might give us a better idea of what is going on.

wifiguru · Answer

Use the Console app. and look under All Messages. Might throw some light on this issue.

Templeton Peck · Answer

Download and isntall the latest version of Cisco&#x27;s client.  Works fine for us, just as their AnyConnect client works as well.

tjwolf · Answer

DrVenture,Here&#x27;s the log - from the time I&#x27;m asked for my account password to the time it disconnects:7/20/11 2:50:08.938 PM racoon: IPSec Phase1 established (Initiated by me).7/20/11 2:50:09.088 PM racoon: IPSec Extended Authentication requested.7/20/11 2:50:09.089 PM configd: IPSec requesting Extended Authentication.7/20/11 2:50:30.714 PM configd: IPSec sending Extended Authentication.7/20/11 2:50:30.715 PM racoon: IKE Packet: transmit success. (Mode-Config message).7/20/11 2:50:30.715 PM racoon: IPSec Extended Authentication sent.7/20/11 2:50:31.065 PM racoon: IKEv1 XAUTH: success. (XAUTH Status is OK).7/20/11 2:50:31.065 PM racoon: IPSec Extended Authentication Passed.7/20/11 2:50:31.065 PM racoon: IKE Packet: transmit success. (Mode-Config message).7/20/11 2:50:31.065 PM racoon: IKEv1 Config: retransmited. (Mode-Config retransmit).7/20/11 2:50:31.065 PM racoon: IPSec Network Configuration requested.7/20/11 2:50:32.115 PM racoon: IPSec Network Configuration established.7/20/11 2:50:32.115 PM racoon: IKE Packet: receive success. (MODE-Config).7/20/11 2:50:32.115 PM configd: IPSec Network Configuration started.7/20/11 2:50:32.115 PM configd: IPSec Network Configuration: INTERNAL-IP4-ADDRESS &#x3D; 172.16.110.216.7/20/11 2:50:32.115 PM configd: IPSec Network Configuration: INTERNAL-IP4-MASK &#x3D; 255.255.255.0.7/20/11 2:50:32.115 PM configd: IPSec Network Configuration: SAVE-PASSWORD &#x3D; 1.7/20/11 2:50:32.115 PM configd: IPSec Network Configuration: INTERNAL-IP4-DNS &#x3D; 172.16.120.120.7/20/11 2:50:32.115 PM configd: IPSec Network Configuration: BANNER &#x3D; This system is restricted to authorized users only. Unauthorized users will be traced and prosecuted..7/20/11 2:50:32.115 PM configd: IPSec Network Configuration: SPLIT-INCLUDE.7/20/11 2:50:32.116 PM configd: IPSec Network Configuration: DEF-DOMAIN &#x3D; netforensics.com.7/20/11 2:50:32.117 PM configd: host_gateway: write routing socket failed, command 2, No such process7/20/11 2:50:32.117 PM configd: installed route: (address 146.127.93.0, gateway 172.16.110.216)7/20/11 2:50:32.117 PM configd: installed route: (address 146.127.94.0, gateway 172.16.110.216)7/20/11 2:50:32.117 PM configd: installed route: (address 172.16.93.0, gateway 172.16.110.216)7/20/11 2:50:32.117 PM configd: installed route: (address 172.16.94.0, gateway 172.16.110.216)7/20/11 2:50:32.117 PM configd: installed route: (address 172.16.92.0, gateway 172.16.110.216)7/20/11 2:50:32.118 PM configd: installed route: (address 172.16.90.0, gateway 172.16.110.216)7/20/11 2:50:32.118 PM configd: installed route: (address 172.16.100.0, gateway 172.16.110.216)7/20/11 2:50:32.118 PM configd: installed route: (address 172.16.110.0, gateway 172.16.110.216)7/20/11 2:50:32.118 PM configd: installed route: (address 172.16.120.0, gateway 172.16.110.216)7/20/11 2:50:32.118 PM configd: installed route: (address 172.16.80.0, gateway 172.16.110.216)7/20/11 2:50:32.118 PM configd: installed route: (address 172.16.50.0, gateway 172.16.110.216)7/20/11 2:50:32.121 PM configd: IPSec Phase2 starting.7/20/11 2:50:32.123 PM racoon: IPSec Phase2 started (Initiated by me).7/20/11 2:50:32.123 PM racoon: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).7/20/11 2:50:32.124 PM configd: IPSec Network Configuration established.7/20/11 2:50:32.124 PM configd: IPSec Phase1 established.7/20/11 2:50:32.125 PM configd: event_callback: Address added. previous interface setting (name: en1, address: 192.168.1.23), current interface setting (name: utun0, family: 1001, address: 172.16.110.216, subnet: 255.255.255.0, destination: 172.16.110.216).7/20/11 2:50:32.000 PM kernel: utun_ctl_connect: creating interface utun07/20/11 2:50:32.132 PM configd: network configuration changed.7/20/11 2:50:32.141 PM racoon: IPSec Phase2 started (Initiated by me).7/20/11 2:50:32.141 PM racoon: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).7/20/11 2:50:32.155 PM racoon: IPSec Phase2 started (Initiated by me).7/20/11 2:50:32.155 PM racoon: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).7/20/11 2:50:32.186 PM racoon: IKE Packet: receive success. (Information message).7/20/11 2:50:32.187 PM configd: IPSec Controller: IKE FAILED. phase 5, assert 07/20/11 2:50:32.187 PM configd: IPSec disconnecting from server 173.210.124.797/20/11 2:50:32.188 PM racoon: IPSec disconnecting from server 173.210.124.797/20/11 2:50:32.000 PM kernel: SIOCPROTODETACH_IN6: utun0 error&#x3D;67/20/11 2:50:32.204 PM configd: network configuration changed.7/20/11 2:50:47.160 PM UserEventAgent: ServermgrdRegistration cannot load config data7/20/11 2:50:47.160 PM UserEventAgent: ServermgrdRegistration oldConfig is nil during net changed notification

tjwolf · Answer

Templeton,Where did you download the latest Cisco client from?  You tried it under Lion?  I was under the impression that they stopped active development to concentrate on the non-free AnyConnect client.  Also, I read that the Cisco VPN client was 32-bits and that Lion no longer supported that either.But in any event - if othes have successfully connected via the built-in VPN client, I want to go that route too.  Just gotta get it working.By the way (in case it helps), our VPN hardware is a Cisco 3000 VPN concentrator.

tjwolf · Answer

As an additional point of information.  I did a google search on "kernel: SIOCPROTODETACH_IN6: utun0 error&#x3D;6" and found this old apple forum discussion:https://discussions.apple.com/thread/2132634?start&#x3D;0&amp;tstart&#x3D;0That was in 2009.  There was no answer on that thread.  I hope I fare better ;-)Tom

DrVenture · Answer

Looks like your credentials are good (username, password, shared key and group name) because you are gettiung passed phase 1 of the IKE. However, the tunnel is failing in Phase 2 of the IKE exchange. It looks like Lion is starting Phase 2 of the IKE, but the VPN concentrator does not respond to the first request. Then Lion tries again, and it gets a response, but the connection fails at that point.7/20/11 2:50:32.141 PM racoon: IPSec Phase2 started (Initiated by me).7/20/11 2:50:32.141 PM racoon: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).7/20/11 2:50:32.155 PM racoon: IPSec Phase2 started (Initiated by me).7/20/11 2:50:32.155 PM racoon: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).7/20/11 2:50:32.186 PM racoon: IKE Packet: receive success. (Information message).7/20/11 2:50:32.187 PM configd: IPSec Controller: IKE FAILED. phase 5, assert 0Phase 2 of the IKE (taken from Cisco press) is as follows:Step 3—IKE Phase 2The purpose of IKE phase 2 is to negotiate IPSec SAs to set up the IPSectunnel. IKE phase 2 performs the following functions:Negotiates IPSec SA parameters protected by an existing IKE SAEstablishes IPSec security associationsPeriodically renegotiates IPSec SAs to ensure securityOptionally performs an additional Diffie-Hellman exchangeIKE phase 2 has one mode, called quick mode. Quick mode occurs afterIKE has established the secure tunnel in phase 1. It negotiates a shared IPSecpolicy, derives shared secret keying material used for the IPSec securityalgorithms, and establishes IPSec SAs. Quick mode exchanges nonces that providereplay protection. The nonces are used to generate new shared secret keymaterial and prevent replay attacks from generating bogus SAs.Quick mode is also used to renegotiate a new IPSec SA when the IPSec SAlifetime expires. Base quick mode is used to refresh the keying material used tocreate the shared secret key based on the keying material derived from theDiffie-Hellman exchange in phase 1.Perfect Forward SecrecyIf perfect forward secrecy (PFS) is specified in the IPSec policy, anew Diffie-Hellman exchange is performed with each quick mode, providing keyingmaterial that has greater entropy (key material life) and thereby greaterresistance to cryptographic attacks. Each Diffie-Hellman exchange requires largeexponentiations, thereby increasing CPU use and exacting a performance cost.So, I am wondering if your VPN concentrator is setup to pass some SA&#x27;s that Lion does not like. Here is how I would debug this:1. Go to System Prefs - Network and create a new network location. To do this, go the Location and choose Edit Locations. Hit the "+" to add a new network location.2. Hit Apply.3. Add your Cisco IPSec VPN back in with the correct username, shared key and group.4. Try to connect again.if this fails, then you might need to look at the logs from the VPN concentrator. If the concentrator is an ASA, then there are logs the administrator can turn up to get a better idea of what is going on during the IKE exchange.You may want to find out of your VPN concentrator supports Quickmode as well.To get your Lion client back to your default config, just go back to network locations and choose your original location and hit apply.

scooterian · Answer

Your account password is not the same thing as the shared secret password.

tjwolf · Answer

@scooterian,I know they&#x27;re not the same thing.  I don&#x27;t think I said they are.@DrVenture,Thanks for the technical explanation.  As far as the debugging instructions are concerned, I&#x27;m not sure why you&#x27;re describing the steps for creating a VPN again.  That&#x27;s how I got as far as I did.  In any event, I did recreate another Cisco IPSec VPN entry - but with the same result.  I also asked our IT guy to enable L2TP over IPSec just to get another option to try (I don&#x27;t really know what any of these mean :-).  Instead of getting errors when I try to connect using that, it just sits there for awhile and then a dialog tells me it couldn&#x27;t connect (that&#x27;s actually an improvement from a usability perspective - an *actual dialog box* to tell me something didn&#x27;t work...not very informative, but at least  dialog :-)  Anyway, the console log shows this while I try to connect:7/20/11 3:29:43.764 PM configd: SCNC: start, triggered by System Preferen, type L2TP, status 07/20/11 3:29:43.780 PM pppd: pppd 2.4.2 (Apple version 560.12) started by twolf, uid 5017/20/11 3:29:47.379 PM pppd: L2TP connecting to server &#x27;vpn.netforensics.com&#x27; (173.210.124.79)...7/20/11 3:29:47.380 PM pppd: IPSec connection started7/20/11 3:29:47.395 PM racoon: Connecting.7/20/11 3:29:47.395 PM racoon: IPSec Phase1 started (Initiated by me).7/20/11 3:29:47.399 PM racoon: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).7/20/11 3:29:47.807 PM racoon: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).7/20/11 3:29:47.807 PM racoon: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).7/20/11 3:29:47.807 PM racoon: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).7/20/11 3:29:47.807 PM racoon: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).7/20/11 3:29:47.807 PM racoon: IPSec Phase1 established (Initiated by me).7/20/11 3:29:48.808 PM racoon: IPSec Phase2 started (Initiated by me).7/20/11 3:29:48.809 PM racoon: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).7/20/11 3:29:48.860 PM racoon: IKE Packet: transmit success. (Mode-Config message).7/20/11 3:29:49.001 PM racoon: IKE Packet: transmit success. (Mode-Config message).7/20/11 3:29:49.140 PM racoon: IKE Packet: transmit success. (Mode-Config message).7/20/11 3:29:49.295 PM racoon: IKE Packet: receive success. (Information message).7/20/11 3:30:18.809 PM pppd: IPSec connection failedI think I will follow your advice and ask the IT guy to look at his logs while I try to connect.  We don&#x27;t have an ASA - our&#x27;s is a Cisco 3000-series VPN concentrator.As always, thanks for your help.tom

DrVenture · Answer

Your IT guys should be able to get almost the same log types off of your 3000. The funny thing is the error with LT2P looks very simular. Phase 1 completes, the Phase 2 bombs out. Notice agan, how the Lion client transmits a couple of times with no answer from the 3000. Then when the 3000 replies, pppd reports the connection failed. So I would take this to mean any of the following:1. The Lion client is transmitting a SA that the 3000 does not like. Or the 3000 is sending a SA that the client does not like.2. The Lion client&#x27;s pppd is timing out because the 3000 is not responding quickly enough.

tjwolf · Answer

Hi again.I captured the log from the Cisco concentrator (see below).  It looks like (to a layman like me) that the Mac &amp; Cisco are negotiating some encryption protocol and then has some troubles with IKEDECODE and then shows the following problem near the end:2989 07/21/2011 11:31:07.220 SEV&#x3D;6 IKE/130 RPT&#x3D;11002 172.16.110.252Group [NF_SE_IPSec] User [twolf]Received unsupported transaction mode attribute: 52991 07/21/2011 11:31:07.220 SEV&#x3D;5 IKE/184 RPT&#x3D;9995 172.16.110.252If you have any idea as to what to try next, please do.  Any info is much appreciated.Tom2851 07/21/2011 11:31:02.550 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12318 172.16.110.252Transform # 1 Decode for Proposal # 1:  Transform #   : 1  Transform ID  :                IKE (1)  Length        :       362853 07/21/2011 11:31:02.550 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12319 172.16.110.252Phase 1 SA Attribute Decode for Transform # 1:  Life Time     :     3600 seconds  Encryption Alg:                AES (7)  Key Length    :  256 Bits (256)  Auth Method   :              XAUTH with Preshared Key (Initiator authenticated) (65001)  Hash Alg      :     SHA (2)  DH Group      :   Oakley Group 2 (2)2859 07/21/2011 11:31:02.550 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12320 172.16.110.252Transform # 2 Decode for Proposal # 1:  Transform #   : 2  Transform ID  :                IKE (1)  Length        :       362861 07/21/2011 11:31:02.550 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12321 172.16.110.252Phase 1 SA Attribute Decode for Transform # 2:  Life Time     :     3600 seconds  Encryption Alg:                AES (7)  Key Length    :  128 Bits (128)  Auth Method   :              XAUTH with Preshared Key (Initiator authenticated) (65001)  Hash Alg      :     SHA (2)  DH Group      :   Oakley Group 2 (2)2867 07/21/2011 11:31:02.550 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12322 172.16.110.252Transform # 3 Decode for Proposal # 1:  Transform #   : 3  Transform ID  :                IKE (1)  Length        :       362869 07/21/2011 11:31:02.550 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12323 172.16.110.252Phase 1 SA Attribute Decode for Transform # 3:  Life Time     :     3600 seconds  Encryption Alg:                AES (7)  Key Length    :  256 Bits (256)  Auth Method   :              XAUTH with Preshared Key (Initiator authenticated) (65001)  Hash Alg      :     MD5 (1)  DH Group      :   Oakley Group 2 (2)2875 07/21/2011 11:31:02.550 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12324 172.16.110.252Transform # 4 Decode for Proposal # 1:  Transform #   : 4  Transform ID  :                IKE (1)  Length        :       362877 07/21/2011 11:31:02.550 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12325 172.16.110.252Phase 1 SA Attribute Decode for Transform # 4:  Life Time     :     3600 seconds  Encryption Alg:                AES (7)  Key Length    :  128 Bits (128)  Auth Method   :              XAUTH with Preshared Key (Initiator authenticated) (65001)  Hash Alg      :     MD5 (1)  DH Group      :   Oakley Group 2 (2)2883 07/21/2011 11:31:02.550 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12326 172.16.110.252Transform # 5 Decode for Proposal # 1:  Transform #   : 5  Transform ID  :                IKE (1)  Length        :       322885 07/21/2011 11:31:02.550 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12327 172.16.110.252Phase 1 SA Attribute Decode for Transform # 5:  Life Time     :     3600 seconds  Encryption Alg:                Triple-DES (5)  Auth Method   :              XAUTH with Preshared Key (Initiator authenticated) (65001)  Hash Alg      :     SHA (2)  DH Group      :   Oakley Group 2 (2)2890 07/21/2011 11:31:02.550 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12328 172.16.110.252Transform # 6 Decode for Proposal # 1:  Transform #   : 6  Transform ID  :                IKE (1)  Length        :       322892 07/21/2011 11:31:02.550 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12329 172.16.110.252Phase 1 SA Attribute Decode for Transform # 6:  Life Time     :     3600 seconds  Encryption Alg:                Triple-DES (5)  Auth Method   :              XAUTH with Preshared Key (Initiator authenticated) (65001)  Hash Alg      :     MD5 (1)  DH Group      :   Oakley Group 2 (2)2897 07/21/2011 11:31:02.550 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12330 172.16.110.252Transform # 7 Decode for Proposal # 1:  Transform #   : 7  Transform ID  :                IKE (1)  Length        :       322899 07/21/2011 11:31:02.550 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12331 172.16.110.252Phase 1 SA Attribute Decode for Transform # 7:  Life Time     :     3600 seconds  Encryption Alg:                DES-CBC (1)  Auth Method   :              XAUTH with Preshared Key (Initiator authenticated) (65001)  Hash Alg      :     SHA (2)  DH Group      :   Oakley Group 2 (2)2904 07/21/2011 11:31:02.550 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12332 172.16.110.252Transform # 8 Decode for Proposal # 1:  Transform #   : 8  Transform ID  :                IKE (1)  Length        :       322906 07/21/2011 11:31:02.550 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12333 172.16.110.252Phase 1 SA Attribute Decode for Transform # 8:  Life Time     :     3600 seconds  Encryption Alg:                DES-CBC (1)  Auth Method   :              XAUTH with Preshared Key (Initiator authenticated) (65001)  Hash Alg      :     MD5 (1)  DH Group      :   Oakley Group 2 (2)2911 07/21/2011 11:31:02.660 SEV&#x3D;12 IKEDECODE/0 RPT&#x3D;12334IKE Decode of received SA attributes follows:0000: 800B0001 800C0E10 80010007 800E0100     ................0010: 8003FDE9 80020002 80040002              ............2914 07/21/2011 11:31:02.660 SEV&#x3D;12 IKEDECODE/0 RPT&#x3D;12335IKE Decode of received SA attributes follows:0000: 800B0001 800C0E10 80010007 800E0080     ................0010: 8003FDE9 80020002 80040002              ............2917 07/21/2011 11:31:02.660 SEV&#x3D;12 IKEDECODE/0 RPT&#x3D;12336IKE Decode of received SA attributes follows:0000: 800B0001 800C0E10 80010007 800E0100     ................0010: 8003FDE9 80020001 80040002              ............2920 07/21/2011 11:31:02.660 SEV&#x3D;12 IKEDECODE/0 RPT&#x3D;12337IKE Decode of received SA attributes follows:0000: 800B0001 800C0E10 80010007 800E0080     ................0010: 8003FDE9 80020001 80040002              ............2923 07/21/2011 11:31:02.660 SEV&#x3D;12 IKEDECODE/0 RPT&#x3D;12338IKE Decode of received SA attributes follows:0000: 800B0001 800C0E10 80010005 8003FDE9     ................0010: 80020002 80040002                       ........2926 07/21/2011 11:31:02.660 SEV&#x3D;12 IKEDECODE/0 RPT&#x3D;12339IKE Decode of received SA attributes follows:0000: 800B0001 800C0E10 80010005 8003FDE9     ................0010: 80020001 80040002                       ........2929 07/21/2011 11:31:02.910 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12340 172.16.110.252ISAKMP HEADER :            ( Version 1.0 )  Initiator Cookie(8):        0D DE A3 55 D2 30 3A 92  Responder Cookie(8): C2 D8 6D 76 A8 2B DE 37  Next Payload  :                HASH (8)  Exchange Type :             Oakley Aggressive Mode  Flags         :          1   (ENCRYPT )  Message ID    :                 0  Length        :       842935 07/21/2011 11:31:02.910 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12341 172.16.110.252Notify Payload Decode :  DOI           :          IPSEC (1)  Protocol      :      ISAKMP (1)  Message       :   Initial contact (24578)  Spi           :            0D DE A3 55 D2 30 3A 92 C2 D8 6D 76 A8 2B DE 37  Length        :       282967 07/21/2011 11:31:06.900 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12346 172.16.110.252ISAKMP HEADER :            ( Version 1.0 )  Initiator Cookie(8):        0D DE A3 55 D2 30 3A 92  Responder Cookie(8): C2 D8 6D 76 A8 2B DE 37  Next Payload  :                HASH (8)  Exchange Type :             Oakley Transactional  Flags         :          1   (ENCRYPT )  Message ID    :                 3964d242  Length        :       842974 07/21/2011 11:31:07.210 SEV&#x3D;4 IKE/52 RPT&#x3D;11077 172.16.110.252Group [NF_SE_IPSec] User [twolf]User (twolf) authenticated.2975 07/21/2011 11:31:07.220 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12347 172.16.110.252ISAKMP HEADER :            ( Version 1.0 )  Initiator Cookie(8):        0D DE A3 55 D2 30 3A 92  Responder Cookie(8): C2 D8 6D 76 A8 2B DE 37  Next Payload  :                HASH (8)  Exchange Type :             Oakley Transactional  Flags         :          1   (ENCRYPT )  Message ID    :                 5495234e  Length        :       682982 07/21/2011 11:31:07.220 SEV&#x3D;8 IKEDECODE/0 RPT&#x3D;12348 172.16.110.252ISAKMP HEADER :            ( Version 1.0 )  Initiator Cookie(8):        0D DE A3 55 D2 30 3A 92  Responder Cookie(8): C2 D8 6D 76 A8 2B DE 37  Next Payload  :                HASH (8)  Exchange Type :             Oakley Transactional  Flags         :          1   (ENCRYPT )  Message ID    :                 ebe3575e  Length        :       1642989 07/21/2011 11:31:07.220 SEV&#x3D;6 IKE/130 RPT&#x3D;11002 172.16.110.252Group [NF_SE_IPSec] User [twolf]Received unsupported transaction mode attribute: 52991 07/21/2011 11:31:07.220 SEV&#x3D;5 IKE/184 RPT&#x3D;9995 172.16.110.252

MJhaber · Answer

This is due to Lion booting into a 64 bit kernel verses older releases starting in 32 bit mode. There is no patch but a simple workaround involves booting into 32 mode and running the VPN client normally. This method will work on 10.7 until Cisco actually creates a 64 bit extension for mac os x. Details for booting into 32 bit mode are here: http://9to5mac.com/2011/03/20/new-macbook-pros-default-boot-in-64-bit-mode/Cheers, -mjh

tjwolf · Answer

@MJhaber,Thanks for trying to help, but I mention this in my initial post:     "I saw some posts elsewhere that suggest that if you boot the O/S into 32-bits it might still work; others      who&#x27;ve had the problem in the past also suggest re-installing the client"I don&#x27;t want to have to boot into 32-bit mode just to VPN into my workplace when I work from home.  That&#x27;s just too ********.  I&#x27;d rather force my work bosses to spring for the "for-pay" VPN client from Cisco (connect anywhere) - presumably that will work with Lion.  But before I do that, I want to eliminate the possibility of getting Mac&#x27;s VPN client working with our Cisco VPN hardware.

eduhightrance · Answer

Hi, yesterday installed Lion (10.7) and when tried to open Cisco VPN Client, cudnt and gave meError 51 Unable to communicate with the VPN subsystem. Please make sure you have at least one network interface that its currently active and has an IP adress and start this application again.It was fine using Cisco Client in Snow Leopar until yesterday that downloaded Lion.Do u have any idea if tis beacuse of the 64bit ?ThanksHightranceImac 27/2.66GHZ/Lion 10.7

anluis · Answer

@eduhightranceAfter a few hour I was able to connect to VPN using the built in software in Lion.  Cisco VPN client wont work on Lion because its 64 bit.  To have the VPN settings including the shared secret that the VPN server looks for you need to google in the web how to decrypt this info.  If you follow the instructions on Geek Ninja under the subject How to connect to a cisco VPN using MAC OS X 10.6 it would work. You would need your .pcf file used on Cisco VPN Client to get this information.  Follow all the steps and you would be very happy and stop regretting upgrading to Lion like I was until 30 minutes ago.Happy VPNAngel