
Diomedes (Original poster)
I, like many users out there, am forced to use a Cisco-distributed VPN client to authenticate with their servers. Does anyone know if Tiger's VPN will allow connections to Cisco VPN appliances?

From what I can tell, the Cisco client doesn't do anything remarkable superficially - it uses IPSec over UDP. My organization uses group authentication, then user authentication.

Does the Cisco VPN client do something behind the scenes which allows it to be the only client to connect to its VPN servers? (And I mean a technical reason, not Cisco-bashing.)

To be honest, I can't complain about their upkeep of the application - it pretty much has parity with the Windows version. However, since you can only get it through Cisco, it is another thing I have to keep on my WAN team about (and I'm an IT manager, fer crying out loud...)

So...I digress. Does anyone know if Tiger will allow connections to Cisco VPN servers?
 
Diomedes said:
...
So...I digress. Does anyone know if Tiger will allow connections to Cisco VPN servers?
In theory it works.

In practice, it depends on which Cisco VPN product you are using and how it is customized. However, I too am also interested in the answer specifically for the VPN3000 product.
 
Just FYI, there is no current Cisco VPN client that works with Tiger... and the Tiger VPN client doesn't have any group authentication options that I could find... so if you upgrade to Tiger you're SOL.
 
ZildjianKX said:
Just FYI, there is no current Cisco VPN client that works with Tiger... and the Tiger VPN client doesn't have any group authentication options that I could find... so if you upgrade to Tiger you're SOL.

You've tested the Cisco VPN client (4.602) on Tiger and confirmed it doesn't work?
 
Diomedes said:
You've tested the Cisco VPN client (4.602) on Tiger and confirmed it doesn't work?

I tested 4.6.00, I didn't realize 4.6.02 came out, sorry. Unless 4.602 specifically addressed the changes Apple made with OS X's API with Tiger, it won't work. If you google there is a lot of discussion about people not switching until there is a working version.

Can anyone find the changelog?
 
ZildjianKX said:
I tested 4.6.00, I didn't realize 4.6.02 came out, sorry. Unless 4.602 specifically addressed the changes Apple made with OS X's API with Tiger, it won't work. If you google there is a lot of discussion about people not switching until there is a working version.

Can anyone find the changelog?

I'll ask my WAN people. They usually send me an FAQ with a new release.

What exactly does Tiger "break" with the Cisco client?
 
Diomedes said:
I'll ask my WAN people. They usually send me an FAQ with a new release.

What exactly does Tiger "break" with the Cisco client?

Well, VPN interacts on a pretty low level with the OS, so any reworking of how it handles the network components or how to interface them would kill it. I'm sure the Cisco programmers are having fun right now.
 
Tiger and Cisco VPN

Peter Sichel, the guy who wrote IPNetMonitor and many other useful Mac networking utilities, was quoted on Macintouch as saying:

Mac OS X Tiger has changed the API for developing Network Kernel Extensions (NKEs), such that previous NKEs will not load on Tiger without being re-written to use the new stable KPIs (Kernel Programming Interfaces). Although the number of applications dependent on NKEs is small, the changes will require significant work from a small number of developers. Applications that involve low level networking like 3rd party VPN clients, network firewalls, or IP gateways could be affected.

so in short, all network applications that approach the OS on a low-level basis that were written for Panther will very likely need to be rewritten for Tiger.
 
Cisco VPN Client definitely does not work.

The latest version of the Cisco VPN client (4.6.02.0023) certainly does not work. I upgraded from the latest 10.3 release to Tiger this afternoon and am no longer able to use it. I receive the following error message at startup:

Error 51: IPC socket allocation failed with error ffffffffffffffch. This is most likely due to the Cisco Systems, Inc. VPN Service not being started. Please start this service and try again.

PowerBook G4 1.25GHz
Version 10.4
 
mcco7614 said:
The latest version of the Cisco VPN client (4.6.02.0023) certainly does not work. I upgraded from the latest 10.3 release to Tiger this afternoon and am no longer able to use it. I receive the following error message at startup:

Error 51: IPC socket allocation failed with error ffffffffffffffch. This is most likely due to the Cisco Systems, Inc. VPN Service not being started. Please start this service and try again.

PowerBook G4 1.25GHz
Version 10.4

I used to get that error occasionally with 4.6. Restarting the VPN client almost always resolved that.

In Cisco's FAQ, I think they state that you need to uninstall the previous version before installing 4.6.0. They don't mention that error specifically, but I have had no problems with it since 4.6.02.
 
I pray that Apple breaks it and Cisco's engineers can't get it to work. That'll force my University to quit requiring it for wireless internet. Seriously, wireless internet. You can't even connect to campus resources from the wireless VPN. Their internet connection is locked down tighter than the commercial for-pay hotspots. They claim they need to make sure non-students don't use it. Okay, there are a thousand ways to do that short of Cisco VPN.

The real story is that they're trying to make it as hard as possible to use because they like being able to say there's no demand for it.
 
Having looked extensively into the different vpn options of the Cisco 3000 concentrator, I can definitely say it is a pain in the ass to come up with a service that will work with Mac OS, Windows, and Linux that does not require paying for a third party client...

At least not using a protocol that was subject to some sort of vulnerability somewhere in the protocol... Here are some things to consider...

How much do you trust the host OS? If someone compromises a host through their machine firewall while the user is sitting at starbucks, they can then launch attacks through the vpn tunnel... In fact, they might be able to clone the vpn client information by capturing the user passwords... Sounds crazy? Do you know all the software your users try to install on their machines? Can you really trust every bit of free/shareware out there... Do you trust it with your corporate secrets?

How many services can be provided securely to external users without a vpn?

Mail... imap over SSL using kerberos authentication
WWW services... SSL

If you really want security, you don't get it by putting a vpn client on a windows machine... I mean really... a Mac, maybe, a Windows box, fuhgetaboutit... :)

It is a pain in the butt, but an external hardware vpn client is the best way to go...

Consider these products:
http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=639
http://www.linksys.com/products/product.asp?grid=34&scid=30&prid=543
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/ps2031/index.html

What is nice about these products is that they can be centrally managed by the corporate IT staff... You can use certificate based authentication for the "group auth". Doing the user auth is trickier.. depending on what you are using on the backend... You will either need a reversible copy of the user password or a shared hash... or else personal certificates for the user auth.

The hardware devices can also provide some front line protection for the user machines... Some companies even forbid their user machines being connected to the Internet without being behind a company firewall...

So, you sound like a person who is in charge of something... Make a decision.. Do you want real security for the network, or just a good show. If you want real security, you won't use a software vpn client on a Windows machine...
 
There is a beta Cisco VPN client out that does indeed work with Tiger, though I doubt it's being distributed yet. I tested it out last night and had no problems with it at all.

I haven't heard word of when it will be official, but since it's working, I would think it should be out soon.
 
The Cisco VPN 3000 supports IPSec and PPTP simultaneously, so you should be able to use the Tiger PPTP client to connect to a 3000. The Cisco Group & Password concept is proprietary and not interoperable with other implementations, but if you use a generic IPSec client you can configure the Base Group with a pre-shared key and that should be compatible with a generic client. However, those other clients generally do not support xauth, so user authentication is often not possible with those clients. Tiger also supports L2TP over IPSec, but you can't do that and IPSec in the 3000 at the same time, so that's not a realistic option.


BTW, I work specifically on Cisco security products and am a CCIE (#1937), so I can try to provide additional information on this if people are interested.

HTH
 
Well, I've been running Tiger for over a week now, and still have no way to access my wireless network at school. This sucks! Do they need donations to get this out the door?

If anyone knows anything about this product's status or anything, please post it. I'm getting tired of searching google with the same results. Gosh this sucks.
 
SumoHamster said:
There is a beta Cisco VPN client out that does indeed work with Tiger, though I doubt it's being distributed yet. I tested it out last night and had no problems with it at all.

I haven't heard word of when it will be official, but since it's working, I would think it should be out soon.

This is great news.

I hope 10.4.1 fixes the other painful bugs that take a lot of the joy out of Tiger.
 
Cisco Tiger Compatible VPN Client Now Available

BWhaler said:
This is great news.

I hope 10.4.1 fixes the other painful bugs that take a lot of the joy out of Tiger.

Version 4.6.03 is now available, and it is Tiger-ready. Just finished some rounds of testing.
 
Diomedes said:
Version 4.6.03 is now available, and it is Tiger-ready. Just finished some rounds of testing.

It works but only partially.
After connecting to my workplace I tried to connect a network drive with AFP. I could see the server and authenticate myself, but after selecting the drive Tiger crashed. On windows I would call it blue screen on OSX maybe black screen?

So be careful. But the good news is that it almost works. So any day now....

- Ivan
 