Tiger's VPN Capabilities

Discussion in 'Mac Apps and Mac App Store' started by Diomedes, Apr 20, 2005.

  1. Diomedes macrumors 6502

    Joined:
    Oct 5, 2004
    Location:
    San Francisco
    #1
    I, like many users out there, am forced to use a Cisco-distributed VPN client to authenticate with their servers. Does anyone know if Tiger's VPN will allow connections to Cisco VPN appliances?

    From what I can tell, the Cisco client doesn't do anything remarkable superficially - it uses IPSec over UDP. My organization uses group authentication, then user authentication.

    Does the Cisco VPN client do something behind the scenes which allows it to be the only client to connect to its VPN servers? (And I mean a technical reason, not Cisco-bashing.)

    To be honest, I can't complain about their upkeep of the application - it pretty much has parity with the Windows version. However, since you can only get it through Cisco, it is another thing I have to keep on my WAN team about (and I'm an IT manager, fer crying out loud...)

    So...I digress. Does anyone know if Tiger will allow connections to Cisco VPN servers?
     
  2. Bear macrumors G3

    Joined:
    Jul 23, 2002
    Location:
    Sol III - Terra
    #2
    In theory it works.

    In practice, it depends on which Cisco VPN product you are using and how it is customized. However, I too am also interested in the answer specifically for the VPN3000 product.
     
  3. ZildjianKX macrumors 68000

    Joined:
    May 18, 2003
    #3
    Just FYI, there is no current Cisco VPN client that works with Tiger... and the Tiger VPN client doesn't have any group authentication options that I could find... so if you upgrade to Tiger you're SOL.
     
  4. Westside guy macrumors 601

    Joined:
    Oct 15, 2003
    Location:
    The soggy side of the Pacific NW
    #4
    Anyone know if NAT traversal is implemented in Tiger?
     
  5. Diomedes thread starter macrumors 6502

    Joined:
    Oct 5, 2004
    Location:
    San Francisco
    #5
    You've tested the Cisco VPN client (4.602) on Tiger and confirmed it doesn't work?
     
  6. ZildjianKX macrumors 68000

    Joined:
    May 18, 2003
    #6
    I tested 4.6.00, I didn't realize 4.6.02 came out, sorry. Unless 4.602 specifically addressed the changes Apple made with OS X's API with Tiger, it won't work. If you google there is a lot of discussion about people not switching until there is a working version.

    Can anyone find the changelog?
     
  7. Diomedes thread starter macrumors 6502

    Joined:
    Oct 5, 2004
    Location:
    San Francisco
    #7
    I'll ask my WAN people. They usually send me an FAQ with a new release.

    What exactly does Tiger "break" with the Cisco client?
     
  8. ZildjianKX macrumors 68000

    Joined:
    May 18, 2003
    #8
    Well, VPN interacts on a pretty low level with the OS, so any reworking of how it handles the network components or how to interface them would kill it. I'm sure the Cisco programmers are having fun right now.
     
  9. Earl Urly macrumors regular

    Joined:
    Jul 11, 2004
    #9
    Tiger and Cisco VPN

    Peter Sichel, the guy who wrote IPNetMonitor and many other useful Mac networking utilities, was quoted on Macintouch as saying:

    Mac OS X Tiger has changed the API for developing Network Kernel Extensions (NKEs), such that previous NKEs will not load on Tiger without being re-written to use the new stable KPIs (Kernel Programming Interfaces). Although the number of applications dependent on NKEs is small, the changes will require significant work from a small number of developers. Applications that involve low level networking like 3rd party VPN clients, network firewalls, or IP gateways could be affected.

    So in short, all network applications that approach the OS on a low-level basis that were written for Panther will very likely need to be rewritten for Tiger.
     
  10. mcco7614 macrumors newbie

    Joined:
    Apr 26, 2005
    #10
    Cisco VPN Client definitely does not work.

    The latest version of the Cisco VPN client (4.6.02.0023) certainly does not work. I upgraded from the latest 10.3 release to Tiger this afternoon and am no longer able to use it. I receive the following error message at startup:

    Error 51: IPC socket allocation failed with error ffffffffffffffch. This is most likely due to the Cisco Systems, Inc. VPN Service not being started. Please start this service and try again.

    PowerBook G4 1.25GHz
    Version 10.4
     
  11. Diomedes thread starter macrumors 6502

    Joined:
    Oct 5, 2004
    Location:
    San Francisco
    #11
    I used to get that error occasionally with 4.6. Restarting the VPN client almost always resolved that.

    In Cisco's FAQ, I think they state that you need to uninstall the previous version before installing 4.6.0. They don't mention that error specifically, but I have had no problems with it since 4.6.02.
     
  12. AllieNeko macrumors 6502a

    Joined:
    Sep 25, 2003
    #12
    I pray that Apple breaks it and Cisco's engineers can't get it to work. That'll force my University to quit requiring it for wireless internet. Seriously, wireless internet. You can't even connect to campus resources from the wireless VPN. Their internet connection is tighter locked down than the commercial for-pay hotspots. They claim they need to make sure non-students don't use it. Okay, there are a thousand ways to do that short of Cisco VPN.

    The real story is that they're trying to make it as hard as possible to use because they like being able to say there's no demand for it.
     
  13. peterjhill macrumors 65816

    Joined:
    Apr 25, 2002
    Location:
    Seattle, WA
    #13
    Having looked extensively into the different vpn options of the Cisco 3000 concentrator, I can definitely say it is a pain in the ass to come up with a service that will work with Mac OS, Windows, and Linux that does not require paying for a third party client...

    At least not using a protocol that was subject to some sort of vulnerability somewhere in the protocol... Here are some things to consider...

    How much do you trust the host OS? If someone compromises a host through their machine firewall while the user is sitting at starbucks, they can then launch attacks through the vpn tunnel... In fact, they might be able to clone the vpn client information by capturing the user passwords... Sounds crazy? Do you know all the software your users try to install on their machines? Can you really trust every bit of free/shareware out there... Do you trust it with your corporate secrets?

    How many services can be provided securely to external users without a vpn?

    Mail... imap over SSL using kerberos authentication
    WWW services... SSL

    If you really want security, you don't get it by putting a vpn client on a windows machine... I mean really... a Mac, maybe, a Windows box, fuhgetaboutit... :)

    It is a pain in the butt, but an external hardware vpn client is the best way to go...

    Consider these products:
    http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=639
    http://www.linksys.com/products/product.asp?grid=34&scid=30&prid=543
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/ps2031/index.html

    What is nice about these products is that they can be centrally managed by the corporate IT staff... You can use certificate based authentication for the "group auth". Doing the user auth is trickier... depending on what you are using on the backend... You will either need a reversible copy of the user password or a shared hash... or else personal certificates for the user auth.

    The hardware devices can also provide some front line protection for the user machines... Some companies even forbid their user machines being connected to the Internet without being behind a company firewall...

    So, you sound like a person who is in charge of something... Make a decision.. Do you want real security for the network, or just a good show. If you want real security, you won't use a software vpn client on a Windows machine...
     
  14. wHo_tHe macrumors regular

    Joined:
    Jan 2, 2002
    Location:
    :: sfbay.ca :: All bay, all day.
    #14
    FYI, Tiger also breaks Nortel/Apani Contivity VPN Client 3.0.2, presumably for the reasons already mentioned.
     
  15. Diomedes thread starter macrumors 6502

    Joined:
    Oct 5, 2004
    Location:
    San Francisco
    #15
    Final word...

    One of my WAN engineers got this for me.
     

    Attached Files:

  16. soloer macrumors 6502a

    Joined:
    Sep 27, 2004
    Location:
    Omaha
    #16
    There is a beta Cisco VPN client out that does indeed work with Tiger, though I doubt it's being distributed yet. I tested it out last night and had no problems with it at all.

    I haven't heard word of when it will be official, but since it's working, I would think it should be out soon.
     
  17. djdawson macrumors member

    Joined:
    Apr 28, 2005
    Location:
    Minnesota
    #17
    The Cisco VPN 3000 supports IPSec and PPTP simultaneously, so you should be able to use the Tiger PPTP client to connect to a 3000. The Cisco Group & Password concept is proprietary and not interoperable with other implementations, but if you use a generic IPSec client you can configure the Base Group with a pre-shared key and that should be compatible with a generic client. However, those other clients generally do not support xauth, so user authentication is often not possible with those clients. Tiger also supports L2TP over IPSec, but you can't do that and IPSec in the 3000 at the same time, so that's not a realistic option.


    BTW, I work specifically on Cisco security products and am a CCIE (#1937), so I can try to provide additional information on this if people are interested.

    HTH
     
  18. aarong macrumors newbie

    Joined:
    Jul 22, 2003
    Location:
    Denver, CO
    #18
    cisco vpn beta

    what is the version number of the beta?
     
  19. soloer macrumors 6502a

    Joined:
    Sep 27, 2004
    Location:
    Omaha
    #19
    Version 4.6 (interim_bwotring)
     
  20. Converted2Truth macrumors 6502a

    Joined:
    Feb 6, 2004
    Location:
    Hell@HighAltitude
    #20
    Well, I've been running Tiger for over a week now, and still have no way to access my wireless network at school. This sucks! Do they need donations to get this out the door?

    If anyone knows anything about this product's status or anything, please post it. I'm getting tired of searching Google with the same results. Gosh this sucks.
     
  21. BWhaler macrumors 68020

    Joined:
    Jan 8, 2003
    #21
    This is great news.

    I hope 10.4.1 fixes the other painful bugs that take a lot of the joy out of Tiger.
     
  22. Diomedes thread starter macrumors 6502

    Joined:
    Oct 5, 2004
    Location:
    San Francisco
    #22
    Cisco Tiger Compatible VPN Client Now Available

    Version 4.6.03 is now available, and it is Tiger-ready. Just finished some rounds of testing.
     
  23. subotic macrumors newbie

    Joined:
    May 17, 2005
    #23
    It works but only partially.
    After connecting to my workplace I tried to connect a network drive with AFP. I could see the server and authenticate myself, but after selecting the drive Tiger crashed. On Windows I would call it a blue screen; on OS X maybe a black screen?

    So be careful. But the good news is that it almost works. So any day now....

    - Ivan
     
  24. asterizk macrumors member

    Joined:
    Oct 24, 2003
    Location:
    Sarasota, Florida
    #24
    According to this post, it only works on single processor Tiger systems. Anyone heard any word of a dual-proc (G4) compatible version coming?
     
  25. kilara999 macrumors newbie

    Joined:
    May 11, 2006
    #25
