OS X Lion (10.7) VPN changes?

I haven't read anything about changes to the VPN client going from OS X 10.6.8 to 10.7, but ever since I upgraded to Lion my MacBook Pro will not establish a VPN connection on the first try. I didn't make any changes to settings on my end or settings on the server end. When I try to connect it'll tell me to verify the address and try again. I click "OK" and then I try again and it connects almost instantly (the way it used to).


Anyone know of any changes to the VPN client or experiencing the same issues?


Thanks,

Jeff

MacBook Pro 17, Mac OS X (10.7)

Posted on Jul 22, 2011 8:18 AM

37 replies

Aug 15, 2011 10:06 AM in response to James Brochtrup

Just as another security measure. There are wireless access points throughout the building, which a computer can "connect" to, but the computer won't be able to do anything on the network until an encrypted VPN session is authenticated/established first.


I have asked IT to review the Cisco iOS settings between the "internal" and "external" path to see what the differences may be (session timeouts, iOS versions, etc, etc).

Aug 16, 2011 8:31 AM in response to jtweezy

So I tried rebooting Lion into 32-bit mode, but the built-in Cisco IPSec client still would not connect to our internal network. Whether it connects or not seems to be Cisco hardware/firmware dependent.


If I try to connect IPSec (shared secret / group name) over our Cisco Aironet 1200 series wireless access points, I get prompted for username/password credentials just fine, but the connection times out.


If I connect to the same network over a Cisco (LinkSys) WRT610N Dual-N Band router, the connection works just fine.


I have asked IT if they can get ahold of the Cisco "Anyware" client (or just the latest Cisco VPN client for Mac) to see if that makes any difference. For now I will just use the LAN or those Linksys access points.




Try rebooting manually, holding the 3 and 2 keys, then verify or deny your kernel:

Apple --> About this Mac --> More info --> Overview --> System Report


System Software Overview:


64-bit Kernel and Extensions:

No if it is booted into 32-bit,

Yes if it is booted 64-bit



System Software Overview:


System Version: Mac OS X 10.7 (11A511)

Kernel Version: Darwin 11.0.0

Boot Volume: Macintosh HD

Boot Mode: Normal

Computer Name: Keaton Adams’s MacBook Pro

User Name: Keaton Adams (keaton)

Secure Virtual Memory: Enabled

64-bit Kernel and Extensions: No

Time since boot: 2 minutes

Aug 16, 2011 12:22 PM in response to qamber

The group name is the name of the group and the shared secret is the password for that group.


In our setup, we have a group VPN logon and then it needs my individual credentials.


So, under account name I have josh.lastname and then my password. I then click Authentication Settings and put my group name, we'll say mine is users, and then in the shared secret I put the password.

Oct 23, 2011 8:14 AM in response to jtweezy

A few of us in a dev group (including myself) upgraded to Lion and we could no longer connect to our Cisco VPN network using the built-in OS X client, while other Snow Leopard users were able to connect just fine. We were hoping that 10.7.2 would fix the issue, but that patch didn't make a difference. One of our engineers finally figured out a VPN configuration that allows us to connect to our Cisco VPN network the first time, every time a connection attempt is made.



1. Create a new VPN network connection of type L2TP over IPSec and give it a name:


2. Enter the same server name / IP address you currently use to connect to your Cisco network, along with your domain ID:


3. Click on Authentication Settings. Enter your Cisco VPN shared secret password. Some of us had success with the group name field being populated (if you have one), while some of us had to leave the group name field blank even if we had been using a value before. Click OK to save the changes:


4. Click on the Advanced button. Under the Options tab, click "Send all traffic over VPN connection" to enable it. Click OK to save the change:


5. Apply all changes and then try to connect. If it does not work, restart your Mac and try again. At this point you should be able to connect to the Cisco VPN network like you did before when running OSX prior to the Lion upgrade.

It worked for everyone on our team who had been dealing with the issue for the past several weeks after upgrading to Lion, and now the rest of the Dev team is working to upgrade over the next week or so.

Hope this helps. Good luck.

Oct 23, 2011 8:29 AM in response to cbdoc

Hopefully it is that simple for most users. We put in a concentrated effort to see if just upgrading to 10.7.2 would help, but in our Cisco environment it did not. It is most likely a combination of Cisco hardware / software configurations - versions that determines exactly what fix will work for an individual Mac trying to use the built-in Cisco VPN client under Lion.

Oct 29, 2011 10:39 PM in response to KAdamsInCo

I have the same issue but I get the error: Could not find the PPP kernel extension.


My system software overview is as follows:

System Version: Mac OS X 10.7.2 (11C74)

Kernel Version: Darwin 11.2.0

Boot Volume: Macintosh HD

Boot Mode: Normal

Computer Name: ---------

User Name: -----------

Secure Virtual Memory: Enabled

64-bit Kernel and Extensions: Yes

Time since boot: 1:09



If I change the Kernel and extensions: to NO, would it work?


I'm using Airport wireless.

Nov 24, 2011 11:54 AM in response to jtweezy

I'm on Lion 10.7.2 and still having the same problem reported above - two tries are necessary to log in to the VPN. Since I didn't have this problem on Snow Leopard using the same server and same client-side parameters, isn't this a Mac OS regression?


Here's an extract of system.log which may help in diagnosing the problem (with host name changed to vpn.xxxxxx.com for protection and server address changed to 65.xxx.xx.x). The log entry with timestamp Nov 24 19:47:13 is where I manually disconnected and then re-tried:


Nov 24 19:47:12 Glyn-Normingtons-MacBook-Pro configd[16]: IPSec connecting to server vpn.xxxxxx.com

Nov 24 19:47:12 Glyn-Normingtons-MacBook-Pro configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0

Nov 24 19:47:12 Glyn-Normingtons-MacBook-Pro configd[16]: IPSec Phase1 starting.

Nov 24 19:47:12 Glyn-Normingtons-MacBook-Pro racoon[1393]: IPSec connecting to server 65.xxx.xx.x

Nov 24 19:47:12 Glyn-Normingtons-MacBook-Pro racoon[1393]: IPSec Phase1 started (Initiated by me).

Nov 24 19:47:12 Glyn-Normingtons-MacBook-Pro racoon[1393]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).

Nov 24 19:47:13 Glyn-Normingtons-MacBook-Pro racoon[1393]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).

Nov 24 19:47:13 Glyn-Normingtons-MacBook-Pro racoon[1393]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).

Nov 24 19:47:13 Glyn-Normingtons-MacBook-Pro racoon[1393]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).

Nov 24 19:47:13 Glyn-Normingtons-MacBook-Pro racoon[1393]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).

Nov 24 19:47:13 Glyn-Normingtons-MacBook-Pro racoon[1393]: IPSec Phase1 established (Initiated by me).

Nov 24 19:47:13 Glyn-Normingtons-MacBook-Pro racoon[1393]: IPSec Extended Authentication requested.

Nov 24 19:47:32 Glyn-Normingtons-MacBook-Pro configd[16]: SCNC: stop, type IPSec

Nov 24 19:47:32 Glyn-Normingtons-MacBook-Pro configd[16]: IPSec disconnecting from server 65.xxx.xx.x

Nov 24 19:47:32 Glyn-Normingtons-MacBook-Pro racoon[1393]: IKE Packet: transmit failed. (Information message).

Nov 24 19:47:32 Glyn-Normingtons-MacBook-Pro racoon[1393]: IKEv1 Information-Notice: transmit failed. (Delete ISAKMP-SA).

Nov 24 19:47:32 Glyn-Normingtons-MacBook-Pro racoon[1393]: IPSec disconnecting from server 65.xxx.xx.x

Nov 24 19:47:37 Glyn-Normingtons-MacBook-Pro configd[16]: IPSec connecting to server vpn.******.com

Nov 24 19:47:37 Glyn-Normingtons-MacBook-Pro configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0

Nov 24 19:47:37 Glyn-Normingtons-MacBook-Pro configd[16]: IPSec Phase1 starting.

Nov 24 19:47:37 Glyn-Normingtons-MacBook-Pro racoon[1393]: IPSec connecting to server 65.xxx.xx.x

Nov 24 19:47:37 Glyn-Normingtons-MacBook-Pro racoon[1393]: Connecting.

Nov 24 19:47:37 Glyn-Normingtons-MacBook-Pro racoon[1393]: IPSec Phase1 started (Initiated by me).

Nov 24 19:47:37 Glyn-Normingtons-MacBook-Pro racoon[1393]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).

Nov 24 19:47:38 Glyn-Normingtons-MacBook-Pro racoon[1393]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).

Nov 24 19:47:38 Glyn-Normingtons-MacBook-Pro racoon[1393]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).

Nov 24 19:47:38 Glyn-Normingtons-MacBook-Pro racoon[1393]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).

Nov 24 19:47:38 Glyn-Normingtons-MacBook-Pro racoon[1393]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).

Nov 24 19:47:38 Glyn-Normingtons-MacBook-Pro racoon[1393]: IPSec Phase1 established (Initiated by me).

Nov 24 19:47:38 Glyn-Normingtons-MacBook-Pro racoon[1393]: IPSec Extended Authentication requested.

Nov 24 19:47:38 Glyn-Normingtons-MacBook-Pro configd[16]: IPSec requesting Extended Authentication.

Nov 24 19:47:47 Glyn-Normingtons-MacBook-Pro configd[16]: IPSec sending Extended Authentication.

Nov 24 19:47:47 Glyn-Normingtons-MacBook-Pro racoon[1393]: IKE Packet: transmit success. (Mode-Config message).
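
An added example, not part of the post above: a small Python parser that splits a system.log excerpt like this one into connection attempts and reports the first milestone each attempt never logged. The message prefixes are taken from the log lines above; the stage labels, function names and the shortened sample log (placeholder host name) are constructed for illustration.

```python
import re

# Constructed sample modeled on the post's system.log excerpt; "mac" is a placeholder host.
SAMPLE_LOG = """\
Nov 24 19:47:12 mac configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
Nov 24 19:47:13 mac racoon[1393]: IPSec Phase1 established (Initiated by me).
Nov 24 19:47:13 mac racoon[1393]: IPSec Extended Authentication requested.
Nov 24 19:47:32 mac configd[16]: SCNC: stop, type IPSec
Nov 24 19:47:37 mac configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
Nov 24 19:47:38 mac racoon[1393]: IPSec Phase1 established (Initiated by me).
Nov 24 19:47:38 mac racoon[1393]: IPSec Extended Authentication requested.
Nov 24 19:47:38 mac configd[16]: IPSec requesting Extended Authentication.
Nov 24 19:47:47 mac configd[16]: IPSec sending Extended Authentication.
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ (\w+)\[\d+\]: (.*)$")

# Ordered milestones: (process, message prefix, label). Labels are hypothetical names.
STAGES = [
    ("racoon", "IPSec Phase1 established", "phase1"),
    ("racoon", "IPSec Extended Authentication requested", "xauth_requested"),
    ("configd", "IPSec requesting Extended Authentication", "xauth_prompted"),
    ("configd", "IPSec sending Extended Authentication", "xauth_sent"),
]

def attempts(log_text):
    """Split a log into connection attempts and record which stages each reached."""
    found, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, proc, msg = m.groups()
        if proc == "configd" and msg.startswith("SCNC: start"):
            current = {"start": stamp, "stages": []}
            found.append(current)
        elif current is not None:
            for p, prefix, label in STAGES:
                if proc == p and msg.startswith(prefix):
                    current["stages"].append(label)
    return found

def stalled_at(attempt):
    """Return the first stage an attempt never reached, or None if it reached all."""
    return next((s[2] for s in STAGES if s[2] not in attempt["stages"]), None)

if __name__ == "__main__":
    for a in attempts(SAMPLE_LOG):
        print(a["start"], "first missing stage:", stalled_at(a))
```

On the sample, the first attempt stops after racoon logs the Extended Authentication request and never shows the configd "requesting Extended Authentication" line, while the second attempt reaches every stage.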

Nov 29, 2011 8:37 AM in response to jtweezy

I'm also getting the issue where you have to connect twice to get a successful connection. I'm on OSX 10.7.2 connecting to a Cisco ASA 5510 using IPSEC. The ASA 5510 is on version 8.4(2)8. Here's the thing.. I was on ASA version 8.2.5 and Lion connected perfectly. It wasn't until I upgraded the ASA to 8.4(2)8 that I started having the issue where I had to connect twice to get it to work. So the issue seems to be some sort of incompatibility between OSX Lion and the ASA firmware version (somewhere between 8.2.5 and 8.4(2)8). If I use the latest AnyConnect client on the same Lion computer, it works fine. My iPhone (iOS5) also connects to the VPN just fine. My Windows machine using AnyConnect also works fine. I've checked all the VPN settings on the ASA and I don't see anything that looks suspect.

Since Lion was able to connect successfully every time to the previous version of the ASA software, I'm going to try opening a ticket with Cisco and see if they know anything. I'll post my findings here. If anyone has found a solution or workaround to this, please share!

Thanks,

Jeremy
