Currently Being ModeratedApr 6, 2013 12:37 AM (in response to 3g91ld3a)
It seems that things have been fixed since OX 10.8.3
For me, everything started to work again after this update, at last !
Currently Being ModeratedApr 15, 2013 3:01 AM (in response to 3g91ld3a)
thanks Adam for the hint. But when i enable access for anyone, a new problem occur. The server cert cannot be verified. The client cert is valid a trusted. The CA has been imported. The server cert too. So, it worked with 10.7.x out of the box. Since 10.8 i have the problem. I will debug the problem in forgeground and will update this thread.
Currently Being ModeratedJul 30, 2013 11:13 AM (in response to Frankenburger)
You'll need to ensure the server certificate contains a subjectAltName field with a DNS name entry that matches the VPN gateway's hostname. This solved the problem for me.
Currently Being ModeratedFeb 13, 2014 4:08 PM (in response to haraldfromenns)
May be not simply a problem with Apple's software (10.9.1 Mavericks) but (also) with the router – Cisco noticed something similar (on http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client4 8/release/notes/48client.html):
If you use the VPN Client with a Digital Certificate and your Client sits behind a Cable/DSL router or some other NAT device, you might not be able to connect to your VPN Gateway device (that is, the VPN 3000 Concentrator). The problem is not with the VPN Client or the Gateway; it is with the Cable/DSL router. When the VPN Client uses a Digital Certificate, it sends the Certificate to the VPN Gateway. Most of the time, the packet with the Certificate is too big for a standard Ethernet frame (1500), so it is fragmented. Many Cable/DSL routers do not transmit fragmented packets, so the connection negotiation fails (IKE negotiation).
This problem might not occur if the Digital Certificate you are using is small enough, but this is only in rare cases. This fragmentation problem happens with the D-Link DI-704 and many other Cable/DSL routers on the market. We have been in contact with a few of these vendors to try to resolve the issue.
Testing with the VPN Client Release 3.1 indicates that VPN Client connections using Digital Certificates can be made using the following Cable/DSL routers with the following firmware: …
Compare also https://discussions.apple.com/thread/3202997?start=16&tstart=0 who identifies problems with too long Shared Secrets.
And finally compare also https://discussions.apple.com/message/11230155#11230155 finding that the certificate has to be placed in the system keychain, not the login one. (Did not solve it for me.)