
rwilliams

Original poster
After some testing on Snow Leopard, it appears that its built-in Cisco VPN client only connects using IPSec over TCP, which is very problematic for those of us using IPSec over UDP connections. Has anyone tried this out, and does anyone have any idea of how UDP support might be enabled? If not, perhaps Apple will release an update at some point that addresses this issue. Thanks.
 
Snow Leopard VPN (Cisco IPsec) - Ericom

I'm certainly not qualified to answer the specific question about UDP, but I am also having problems with VPN (Cisco IPsec). After installing Snow Leopard (SL), I was not able to use my old Cisco connection. So, I went to my Network and created a new VPN (Cisco IPsec). Note, the settings are not the same as used for my previous Cisco VPN. I had to use the same settings our Network Administrator created for my iPhone to connect to our AS/400. The connection seems ok, but I will lose the link to the AS/400 after some period of time. On Leopard 10.5 with Cisco installed as an app, I could stay connected all day. The VPN connection remains and all I have to do is re-open my emulator software and re-connect to the AS/400. On Saturday, I connected with Boot Camp using the Cisco app and I stayed connected to the AS/400 all day even though afk for long periods. I called Ericom (one of the emulators I use -- Mocha is another) and they gave me a link to their AS/400 that was thru the internet -- no VPN required. It lasted only about 30 minutes before disconnecting and my VPN to work was fine. That implies the VPN may not be the cause, but some hiccup in the "top level" SL software? Maybe something with my internet service provider -- but, what a coincidence it happened just after SL was installed. I'm doing some more experiments to see if I notice a difference between Ericom's PowerTerm or MochaSoft. Any suggestions would be appreciated.
 
The latest VPN client from Cisco works fine with IPsec over UDP

I just installed Snow Leopard and I couldn't get the built-in VPN to connect, but after installing the latest client from Cisco, I am able to connect using the Cisco client.
 
Was the Cisco Client you installed the free one? Or the one they require customers to buy, like they require for Vista-64? Also, if the free client -- where did you find it? I had to use an old download that I had saved. Currently using the built-in version. Thanks.
 
I can't even get it to work, which is very annoying. I know I have the settings correct, but when I put in my password, it just disconnects.

This is what I get in my logs:
Code:
Sep 11 22:49:44 nebuchadnezzar racoon[9644]: Connecting.
Sep 11 22:49:44 nebuchadnezzar racoon[9644]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Sep 11 22:49:44 nebuchadnezzar racoon[9644]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Sep 11 22:49:44 nebuchadnezzar racoon[9644]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Sep 11 22:49:45 nebuchadnezzar racoon[9644]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Sep 11 22:49:45 nebuchadnezzar racoon[9644]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
Sep 11 22:49:45 nebuchadnezzar racoon[9644]: IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).
Sep 11 22:49:45 nebuchadnezzar racoon[9644]: IKE Packet: receive success. (Initiator, Main-Mode message 6).
Sep 11 22:49:45 nebuchadnezzar racoon[9644]: IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).
Sep 11 22:49:45 nebuchadnezzar racoon[9644]: IKE Packet: transmit success. (Information message).
Sep 11 22:49:45 nebuchadnezzar racoon[9644]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
Sep 11 22:49:46 nebuchadnezzar configd[18]: IPSec Controller: Ignoring unsupported Xauth Domain
Sep 11 22:49:51 nebuchadnezzar racoon[9644]: IKE Packet: transmit success. (Mode-Config message).
Sep 11 22:49:51 nebuchadnezzar configd[18]: IPSec Controller: Received unsupported Xauth Vendor attribute (value 3)
Sep 11 22:49:51 nebuchadnezzar configd[18]: SCNCController: Disconnecting. (Connection tried to negotiate for, 0 seconds).
Sep 11 22:49:51 nebuchadnezzar racoon[9644]: IKE Packet: transmit success. (Information message).
Sep 11 22:49:51 nebuchadnezzar racoon[9644]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
Sep 11 22:49:52 nebuchadnezzar racoon[9644]: Disconnecting. (Connection tried to negotiate for, 7.491457 seconds).

I can connect using UDP or TCP to my company, so that does not matter. I just don't get it.
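Editor's added example, not part of any poster's message: a small Python parser that walks racoon/configd syslog lines like the ones posted above and reports which stage had been reached when the session was torn down. The embedded sample is an excerpt copied from that log; the function names and report keys are illustrative assumptions.

```python
import re

# Excerpt of the log lines posted above (copied verbatim, not the full log).
LOG = """\
Sep 11 22:49:45 nebuchadnezzar racoon[9644]: IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).
Sep 11 22:49:45 nebuchadnezzar racoon[9644]: IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).
Sep 11 22:49:46 nebuchadnezzar configd[18]: IPSec Controller: Ignoring unsupported Xauth Domain
Sep 11 22:49:51 nebuchadnezzar racoon[9644]: IKE Packet: transmit success. (Mode-Config message).
Sep 11 22:49:51 nebuchadnezzar configd[18]: IPSec Controller: Received unsupported Xauth Vendor attribute (value 3)
Sep 11 22:49:51 nebuchadnezzar configd[18]: SCNCController: Disconnecting. (Connection tried to negotiate for, 0 seconds).
Sep 11 22:49:52 nebuchadnezzar racoon[9644]: Disconnecting. (Connection tried to negotiate for, 7.491457 seconds).
"""

# syslog layout: "<Mon> <day> <time> <host> <process>[<pid>]: <message>"
LINE = re.compile(r"^\w{3}\s+\d+\s+([\d:]{8})\s+\S+\s+(\w+)\[\d+\]:\s+(.*)$")

def parse(text):
    """Return (time, process, message) tuples; non-matching lines are skipped."""
    return [m.groups() for m in map(LINE.match, text.splitlines()) if m]

def diagnose(events):
    """Report how far the negotiation got before the first disconnect."""
    report = {"phase1_ok": False, "xauth_warnings": [],
              "teardown_stage": None, "seconds": None}
    for _time, proc, msg in events:
        if proc == "racoon" and msg.startswith("IKEv1 Phase1 Initiator: success"):
            report["phase1_ok"] = True
        elif proc == "configd" and "unsupported Xauth" in msg:
            # Keep only the text after the "IPSec Controller: " prefix.
            report["xauth_warnings"].append(msg.split(": ", 1)[1])
        elif "Disconnecting." in msg:
            if report["teardown_stage"] is None:
                if not report["phase1_ok"]:
                    report["teardown_stage"] = "phase1"
                elif report["xauth_warnings"]:
                    report["teardown_stage"] = "xauth/mode-config"
                else:
                    report["teardown_stage"] = "after-phase1"
            took = re.search(r"negotiate for, ([\d.]+) seconds", msg)
            if took and proc == "racoon":
                report["seconds"] = float(took.group(1))
    return report

if __name__ == "__main__":
    print(diagnose(parse(LOG)))
```

On this excerpt the report shows Phase 1 completing and the teardown arriving after two Xauth warnings from configd, which narrows where to compare client and gateway settings without asserting a root cause.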
 
Me either. This VPN client is a massive FAIL. The discussions section of Apple's support site is filled with people having problems with this. Which is why it was quite disappointing that they didn't address VPN in 10.6.1.
 
Losing connection after five minutes

I also have problems with the Cisco IPsec connection in SL. I get connected and it works fine for about five minutes, and then it won't work anymore. To reconnect I have to turn off AirPort, and then connect with IPsec. Do any of you have a solution to this?
 
I have used the built-in client using TCP connecting to an ASA 5520 with 8.0.4 software running on it. I can use either the Cisco client or the built-in client without error. What is everyone else using on the backend? Are you inputting the Group ID and password (case sensitive)?

Regarding the poster talking about a "paid" client, there is no such thing (at least I have not heard of it). If you have support, you can download the client for any OS they support.

EDIT: Correction, the connection using the built-in client is using IPSec over UDP. Using netstat, when the client connects, I see the UDP sockets open, but no TCP sockets. I don't even see a setting to change it in the built-in client.
 
LeSigh

Same issues here. The main problem for me is I prefer to run my Mac in 64-bit mode. The Crisco client only runs in 32-bit mode. The real problem for me is the lack of GUI-based error reporting and the fact that the system.log errors are not very helpful in finding the solution. I believe my issue is older Cisco infrastructure that I am connecting to, but I cannot confirm this.

Sure wish Apple would put some time into this and/or Cisco would release a 64-bit version of their client.
 
Still an issue

Well, we're now into the era of Lion and this still seems like an issue. The Lion installer managed to screw up my boot support for my other systems, so I also cannot boot into Linux & Windows where I have this working fine. My sister also uses the same Cisco VPN rig I'm trying to connect to and she used the Cisco VPN client on OSX - which led to a kernel panic after an OSX upgrade - so I'd rather use the built-in client... Which I can't get to work. I'm pretty sure my company only allows UDP access - though maybe I can get it changed, it's not like our admin even knows what UDP is.

Still, seems like this is a problem for many, maybe we should all get on submitting feature requests to Apple over it?
 
I have the same issue with Lion: it connects for 35-45 mins, then disconnects. Really annoying!
 