
OS X VPN client and Cisco ASA Network
Disclaimer: The following is a highly technical hint.

Summary: This hint is for Network Engineers who want their firewalls to accept VPN connections from standard OS X L2TP / IPSec clients (should also work for Windows and Linux clients). If you are not a network engineer, but are having trouble connecting to one of these devices, you can also forward this tip to your company's "firewall person," so that they can fix it.

Problem: A Cisco ASA or PIX firewall can be a VPN server, but a basic VPN configuration will not allow the default OS X L2TP/IPSec client to connect, even though the Cisco client will. It may not be convenient to distribute the Cisco VPN clients, or your users may not wish to use them.


Step 1: First use the Cisco documentation to setup the VPN on the ASA or PIX. Make sure it works as desired with the Cisco client first.

Step 2: DefaultRAGroup
In Panther, and on Windows 2000/XP, the built-in VPN client gives the user no way to name a tunnel group, so put all your VPN rules in DefaultRAGroup instead of a custom named group: any client that does not specify a group lands in DefaultRAGroup. Tiger's client has a Group Name field, so it can pick a named group.

Step 3: 3des, sha, group2
I tried to use AES encryption, but OS X did not seem to accept that type, so use 3DES encryption, SHA hashing, and Diffie-Hellman group 2. Bear in mind that 3DES, SHA-1 and the 1024-bit group 2 are the weakest choices the client would negotiate; pick stronger settings if both ends support them. On an ASA 5520 with 8.0 code, the phase 1 policy looks like the following:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
Step 4: transform set mode should be transport
You have to set the transform set mode to 'transport' to work with OS X (or Windows). It looks like the following on my box:
crypto ipsec transform-set VPNTRANS mode transport
Step 5: mschap passwords
I was not using an authentication server in my setup; instead I created user accounts on the ASA for authentication. If you do this, the password has to be of type mschap or the authentication will fail, because MS-CHAP verifies the password against its NT hash rather than the ASA's default one-way password hash. Note: after you set the password it shows up as nt-encrypted in the config, but it is really mschap. The line you enter for the user should be something like:
username thisuser password thatpassword mschap
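Putting Steps 2 through 5 together, here is a complete server-side configuration for the DefaultRAGroup L2TP/IPsec setup. This is an added example assembled from the steps above, not the hint author's own config; the interface name "outside", the address pool, the DNS server, the policy and map names, the user name and the shared secret are assumed placeholders to be replaced for your network.

```cisco
! Added example, not the original poster's configuration.
! Assumed: outside interface "outside", RFC 5737 test addresses, placeholder secrets.

! Addresses handed out to L2TP clients (assumed range)
ip local pool L2TP-POOL 192.0.2.100-192.0.2.149 mask 255.255.255.0

! Step 5: local user stored as an NT hash so MS-CHAP can verify it
username thisuser password thatpassword mschap

! Group policy for the default remote-access group: allow only L2TP/IPsec
group-policy L2TP-POLICY internal
group-policy L2TP-POLICY attributes
 vpn-tunnel-protocol l2tp-ipsec
 dns-server value 192.0.2.2

! Step 2: the OS X / Windows client cannot name a group, so configure DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-POOL
 default-group-policy L2TP-POLICY
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key thesharedsecret
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 no authentication chap
 authentication ms-chap-v2

! Step 3: phase 1 (ISAKMP) policy matching what the client proposes
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
! NAT traversal (UDP 4500) so clients behind home routers can pass ESP
crypto isakmp nat-traversal 20

! Step 4: phase 2 transform set in transport mode; L2TP rides inside it
crypto ipsec transform-set VPNTRANS esp-3des esp-sha-hmac
crypto ipsec transform-set VPNTRANS mode transport

! Remote clients have unknown addresses, so terminate them on a dynamic crypto map
crypto dynamic-map DYNMAP 10 set transform-set VPNTRANS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE-MAP interface outside
```

After a client connects, `show crypto isakmp sa` should show the phase 1 SA with the client's address, and `show vpn-sessiondb remote` lists the L2TP/IPsec session with the pool address it was given. If phase 1 completes but the client is rejected afterwards, the ppp-attributes or the user's password type are the first things to check.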
Step 6: Client configuration

On OS X: Open Internet Connect, File -> New Connection -> L2TP over IPSec. Click drop-down box by Configuration -> Edit Configurations. Enter Description, Server IP, Account Name, Password, and Shared Secret, Group Name (if you didn't use DefaultRAGroup), then click OK. You can optionally click Connect -> Options -> uncheck "Send all traffic over VPN connection", click OK.

If you leave that last item checked, it will try to send all your internet traffic over the VPN. Unchecked, it only sends traffic destined for the VPN addresses over the VPN and the rest goes out your normal Internet connection.

OS X VPN client and Cisco ASA | 6 comments
OS X VPN client and Cisco ASA
Authored by: macavenger on Aug 29, '07 08:35:41AM

I set this up several months ago on the Cisco ASA 5510 at the company I work for, and it works, with one caveat: if you are connecting from a NATed computer (most home networks) the connection will disconnect after 45 minutes, i.e. when it attempts to re-key. I have been in touch with both Cisco and Apple tech support about this, but have yet to find a solution. Cisco says it is a problem with the Apple client, and Apple says they are aware of it, but don't have a fix and aren't likely to any time soon. It can get annoying if trying to do extended VPN sessions. If anyone knows of a workaround, I would be glad to hear it!

iMac FP 17" 800MHz OS X 10.4.x

OS X VPN client and Cisco ASA
Authored by: sfuller on Aug 29, '07 10:27:50AM

The latest 8.x code for the Cisco ASA hardware has OS X and Linux support for SSL VPN connections. This is a departure from the 7.x code release where only Windows was supported as an SSL VPN platform, and everyone else had to suffice with Web VPN access.

OS X VPN client and Cisco ASA
Authored by: MacMesch on Sep 05, '07 01:30:45AM

The SSL VPN Client even supports IPv6, but you have to buy extra licences for the ASA to use the SSL VPN Client. One other issue is that the tun kernel extension, which is installed with the SSL VPN Client, is not compatible with the tun kernel extension that openvpn or vpnc use.

"safe" IPSec configurations for network admins
Authored by: cuberoot on Aug 29, '07 03:59:28PM

Network admins beware: If you are allowing access to your network using IPSec then you should make sure you understand the risks associated with any configuration you enable.

IKE typically has two well-supported ways of negotiating a phase-1 security association: certificates and preshared keys. The rub is that both ends of the connection must use the same mechanism. I.e. the server can't present a cert while the client presents a PSK. Since the phase-1 SA always happens first and is used to protect the rest of the session, it is important to understand that:

  • In certificate-based IKE phase-1 exchanges, the client can authenticate the server based on the FQDN of the server in the CN of the server's cert before continuing.
  • In PSK-based IKE phase-1 exchanges, the client can only be sure that the other end knows the same PSK (a.k.a. group password) that the client knows.

This means that in the PSK case, anyone with knowledge of the PSK (it can be cracked; ex-employees or other rogue employees have it; anyone who can download your VPN client config or anyone who has had temporary access to a machine with your VPN information configured has it; etc.) and who is capable of intercepting traffic between a VPN user and your VPN concentrator (coffee shop, home or hotel wifi, FakeIKEd, etc.) can steal the user's credentials and make their own connection to your network using them.

AFAIK, there are three well-supported ways to use IPSec to do client-termination "safely":

  • For those with a deployed PKI or those with the resources and inclination to deal with the overhead of deploying one, certificates are probably the way to go. Certificates provide a means for the client to authenticate the server and for the server to authenticate the client.
  • For folks using a Cisco VPN client or another client that uses XAUTH/MODE-CONFIG, you should enforce the use of Hybrid mode IKE (Cisco calls it Mutual Group Authentication) wherein the phase 1 exchange is authenticated as part of the ensuing XAUTH/MODE-CONFIG exchange using a certificate for the server-side only. This is much easier to manage than the above because only the VPN concentrators need a certificate.
  • Those with IPSec clients using L2TP/IPSec such as the Windows and OSX built-in clients should require a certificate-based phase-1 exchange. You do not, however, have to issue certificates to all your users! You can use a single client-side "machine auth" certificate that is shared among all your users for your phase-1 exchange (because that enables the client to authenticate the server during phase 1) and use passwords via PAP or MSCHAP or whatever for the actual "user authentication" in the L2TP exchange.

I don't have the cycles at the moment, but I'd love to see someone document the above three "safe" configurations for both the windows native client (potentially both with and without the CMAK), the OSX native client, the Cisco client, Cisco concentrators, ipsec-tools+l2tpd-base concentrators, openswan, etc.. Does this already exist somewhere? Cheers!

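The third "safe" configuration above, applied to the ASA from the hint: phase 1 is authenticated with certificates (the ASA's own identity certificate, and one shared "machine" certificate installed on every client), while user passwords are still checked by MS-CHAP v2 inside the L2TP session. This is an added example, not from the hint or the comment; the trustpoint name, key label, hostname and the "outside" interface are assumed placeholders, and the rest of the L2TP/IPsec configuration (pool, group policy, transform set, crypto map) stays as in the hint.

```cisco
! Added example of certificate-authenticated IKE phase 1 for L2TP/IPsec on an ASA.
! Not the original poster's configuration; names and hostname are assumed.

! RSA key pair for the ASA's identity certificate
crypto key generate rsa label VPN-KEY modulus 2048

! Trustpoint for the CA that signs both the ASA certificate and the shared
! client machine certificate; certificates are pasted in at the terminal
crypto ca trustpoint VPN-CA
 enrollment terminal
 keypair VPN-KEY
 fqdn vpn.example.com
 subject-name CN=vpn.example.com
 crl configure
! Then, in exec mode: import the CA certificate, generate the CSR,
! have the CA sign it, and import the signed identity certificate:
!   crypto ca authenticate VPN-CA
!   crypto ca enroll VPN-CA
!   crypto ca import VPN-CA certificate

! Phase 1 authenticates with RSA signatures instead of a group PSK
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! The tunnel group presents the ASA certificate and validates the client's
! certificate against VPN-CA; no pre-shared-key is configured here, so
! knowing a leaked group password is no longer enough to stand up a
! look-alike concentrator that the client will talk to
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point VPN-CA

! User authentication is unchanged: MS-CHAP v2 inside L2TP
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 no authentication chap
 authentication ms-chap-v2
```

On the client side the shared machine certificate and the CA certificate go into the keychain, and the L2TP connection is configured to use that certificate for machine authentication rather than a shared secret. The client then verifies the ASA's certificate (and the CN matching the server name it was configured with) before the L2TP and MS-CHAP exchange that carries the user's password, which is the property the PSK configuration cannot give you.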

OS X VPN client and Cisco ASA
Authored by: bailey_ca on Aug 30, '07 08:17:02PM

A bit off-topic:

My employer, no matter how often I bugged them, refused to allow IPSEC access to our Cisco VPN any way other than the official Cisco client because a.) they didn't like the security risks and b.) they didn't want to be forced to support anything other than the official client.

If, like me, you despise how clunky, ugly, and intrusive the Cisco GUI is, I highly recommend Shimo. It's a GUI front-end that replaces Cisco's GUI, resides in your menu bar, and uses the Cisco-supplied command-line tool.

For me, this was just as good as using the built-in OS X client, as my only complaint was I wanted something a bit more integrated. You do still need to install the full Cisco VPN package and delete the Cisco VPN Client afterwards; I'm not sure why, but it took me a while to figure out!


OS X VPN client and Cisco ASA
Authored by: cerniuk on Sep 03, '07 07:30:34AM

For the most part, the larger enterprise red flag has been the inability to enforce policy on the built-in clients, specifically the ability to prohibit split tunneling. We have over 250K users and a fair number of them would like to "share" the corporate VPN with the rest of their home wireless network.
