
Cisco AnyConnect Secure Mobility Client

VPN Clients For Mac OS X FAQ

Document ID: 116080

Updated: May 17, 2013

Contributed by Cisco TAC Engineers.


Introduction

This document answers frequently asked questions about Cisco's VPN Client solutions available on Mac OS X.

Tip: Cisco recommends that you migrate to the AnyConnect VPN Client for both Secure Sockets Layer (SSL) and IPsec. The built-in IPsec client on Mac OS is an Apple product, so any questions, upgrades, bug fixes and other client-side issues need to be addressed by Apple. The Cisco Remote Access VPN Client is end-of-sale (EOS), so no fixes will be made to that client either.

General Questions

Q. What options do I have in order to provide remote access to Mac users?

A.

There are three VPN Client solutions that can be implemented, dependent upon the Mac OS Version.

VPN Client                               Technology/Protocol   Mac OS X 10.5 (Leopard)   Mac OS X 10.6 (Snow Leopard)   Mac OS X 10.7 (Lion)   Mac OS X 10.8 (Mountain Lion)
Mac Built-in VPN Client                  IPsec                 -                         X                              X                      X
Cisco Remote Access IPsec Client         IPsec                 X                         X                              -                      -
Cisco AnyConnect Secure Mobility Client  SSL, IKEv2/IPsec      X*                        X                              X**                    X***

(X = supported, - = not supported)

*Mac OS X 10.5 (Leopard) is no longer supported in AnyConnect Release 3.1. Also, PowerPC support was dropped in Release 3.0 and later.
**Mac OS X 10.7 (Lion) is supported in AnyConnect Releases 2.5.3051 and 3.0.3054 and later.
***Mac OS X 10.8 (Mountain Lion) is supported in AnyConnect Releases 3.0.08057 and 3.1 and later.

Q. How do I uninstall Cisco VPN Client on Mac OS X?

A.

In order to uninstall the Cisco VPN Client, complete these steps:

  1. Enter these commands to clean out the old Cisco VPN kernel extension and reboot the system.
    sudo -s
    rm -rf /System/Library/StartupItems/CiscoVPN
    rm -rf /Library/StartupItems/CiscoVPN
    rm -rf /System/Library/Extensions/CiscoVPN.kext
    rm -rf /Library/Extensions/CiscoVPN.kext
    rm -rf /Library/Receipts/vpnclient-kext.pkg
    rm -rf /Library/Receipts/vpnclient-startup.pkg
    reboot
  2. If you installed the Cisco VPN for Mac version 4.9.01.0180 package, enter these commands to delete the misplaced files. The deletion of these files will not affect your system, since applications do not use these misplaced files in their current location.
    sudo -s
    rm -rf /Cisco\ VPN\ Client.mpkg
    rm -rf /com.nexUmoja.Shimo.plist
    rm -rf /Profiles
    rm -rf /Shimo.app
    exit
  3. Enter these commands if you no longer need the old Cisco VPN Client or Shimo.
    sudo -s
    rm -rf /Library/Application\ Support/Shimo
    rm -rf /Library/Frameworks/cisco-vpnclient.framework
    rm -rf /Library/Extensions/tun.kext
    rm -rf /Library/Extensions/tap.kext
    rm -rf /private/opt/cisco-vpnclient
    rm -rf /Applications/VPNClient.app
    rm -rf /Applications/Shimo.app
    rm -rf /private/etc/opt/cisco-vpnclient
    rm -rf /Library/Receipts/vpnclient-api.pkg
    rm -rf /Library/Receipts/vpnclient-bin.pkg
    rm -rf /Library/Receipts/vpnclient-gui.pkg
    rm -rf /Library/Receipts/vpnclient-profiles.pkg
    rm -rf ~/Library/Preferences/com.nexUmoja.Shimo.plist
    rm -rf ~/Library/Application\ Support/Shimo
    rm -rf ~/Library/Preferences/com.cisco.VPNClient.plist
    rm -rf ~/Library/Application\ Support/SyncServices/Local/TFSM/com.nexumoja.Shimo.Profiles
    rm -rf ~/Library/Logs/Shimo*
    rm -rf ~/Library/Application\ Support/Shimo
    rm -rf ~/Library/Application\ Support/Growl/Tickets/Shimo.growlTicket
    exit

Q. What are the feature differences between the Cisco Remote Access VPN Client and AnyConnect VPN Client?

A.

This is beyond the scope of this document, but fundamentally SSL VPN has more features than the Cisco Remote Access Software VPN Client as it is a newer technology and new features are being rolled into each new release of AnyConnect. The latest AnyConnect Mobility Client, Version 3.0, includes the same feature-rich support for both SSL VPN and IKEv2.

IPsec VPN Questions

Q. If I want to use IPsec, should I use the built-in Mac VPN Client or the Cisco Remote Access VPN Client?

A. Although it is possible to use either VPN Client, the advantages of each are explained here.

Note: Cisco recommends that you use AnyConnect, which allows you to take advantage of Next Generation Encryption (NGE) ciphers and advancements in the IKEv2 protocol.

Mac VPN Client

  • + The Apple built-in client ensures support as the Mac OS evolves.
  • + The client is integrated into Mac OS X 10.6 and later.
  • + Faster to configure as it does not require installation of another application.
  • - Not built into Mac OS X 10.5.

Cisco Remote Access VPN Client

   

Q. How do I configure the Mac built-in VPN Client?

A.

In Mac OS X 10.6 and later:

  1. Choose System Preferences > Network.
  2. Click the lock button to unlock it and make changes.
  3. Click the plus sign above the unlocked lock button to add an interface.
  4. From the Interface drop-down list, choose VPN.
  5. From the VPN Type drop-down list, choose Cisco IPSec.
  6. In the Service Name text box, type an easy to remember interface name such as 'Corp IPsec VPN'.
  7. Click OK and then select this new interface.
  8. Click on the new VPN interface to configure the interface.
    • Server Address: the VPN headend's outside interface IP address (WAN/publicly routable IP address)
    • Account Name: username
    • Account Password: the user's password
  9. Click Authentication Settings.
    • Under Machine Authentication, click the radio button for your respective authentication mechanism (pre-shared-key or certificate authentication).
    • If a pre-shared key that matches the pre-shared-key defined on the VPN headend is used, type the key into the Shared Secret dialog box.
    • Enter the Group Name that matches the one defined in the EZVPN configuration on the VPN headend device (ASA 'tunnel-group', IOS 'crypto ipsec client ezvpn group').

Q. I tried to use the built-in Mac Client on Lion, but I receive a phase 2 mismatch. What should I do?

A.

If your Microsoft Windows clients work, or your older Macs that use the Cisco Remote Access VPN Client work, and only the Lion machines cannot connect, then it is likely a phase 2 mismatch. You see this error message if you enable 'debug crypto ipsec' on the ASA. It essentially means that the configured transform sets do not offer an encryption algorithm the Mac built-in client accepts. On Lion, the client uses 3DES or AES; it does not support DES. In order to work around this issue, either switch the transform set to use 3DES entirely or add multiple transform sets as shown here:

crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-SHA ESP-AES-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

This issue is usually caused by running an ASA software release earlier than Release 8.4. Later ASA software comes with all of these transform sets defined by default, so no additional configuration is required to make it work.
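As an added example (not part of the original Cisco document), the check below parses ASA 'crypto ipsec transform-set' and 'crypto dynamic-map ... set transform-set' lines and reports which encryption families a dynamic map actually offers, whether a Lion built-in client (3DES or AES only) can complete phase 2, and whether the map references a transform set that is never defined. The sample configuration is constructed for this example and assumes one command per line; the undefined ESP-AES-256-SHA reference is deliberate.

```python
import re

# Constructed sample config: three transform sets plus a dynamic map that
# also references a set that was never defined (ESP-AES-256-SHA).
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-3DES-SHA ESP-AES-SHA ESP-AES-256-SHA
"""

# ESP encryption keyword -> cipher family. Mac OS X Lion negotiates 3DES or AES only.
ENC_FAMILY = {"esp-des": "DES", "esp-3des": "3DES", "esp-aes": "AES",
              "esp-aes-192": "AES", "esp-aes-256": "AES", "esp-null": "NULL"}
LION_OK = {"3DES", "AES"}

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$", re.M)
DM_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set transform-set (.+)$", re.M)


def parse_transform_sets(config):
    """Map each transform-set name to its encryption family ("NONE" if auth-only)."""
    sets = {}
    for name, transforms in TS_RE.findall(config):
        # Authentication transforms end in -hmac; whatever remains is the cipher.
        enc = [t for t in transforms.split() if not t.endswith("-hmac")]
        sets[name] = ENC_FAMILY.get(enc[0], "UNKNOWN") if enc else "NONE"
    return sets


def check_phase2(config):
    """Per dynamic map: offered cipher families, undefined references, Lion verdict."""
    sets = parse_transform_sets(config)
    report = {}
    for dm_name, seq, names in DM_RE.findall(config):
        offered, undefined = set(), []
        for n in names.split():
            (offered.add(sets[n]) if n in sets else undefined.append(n))
        report[f"{dm_name} {seq}"] = {
            "offered": sorted(offered),
            "undefined": undefined,            # will not apply on the ASA
            "lion_ok": bool(offered & LION_OK),
            "des_only": offered == {"DES"},    # weak, and rejected by Lion
        }
    return report


if __name__ == "__main__":
    for key, result in check_phase2(SAMPLE_CONFIG).items():
        print(key, result)
```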

Q. Are there any compatibility issues with the Cisco Remote Access VPN Client?

A.

Refer to the Software Release Notes first for compatibility guidelines. Note the Error 51 compatibility issue between the Cisco Remote Access VPN Client and 64-bit Mac kernel mentioned later in this document.

Q. Where can I download the Cisco Remote Access VPN Client?

A.

  1. Open the Cisco Support Page.
  2. Click Download Software.
  3. Choose Products > Security > Virtual Private Networks (VPN) > Cisco VPN Clients > Cisco VPN Client.
  4. Choose Cisco VPN Client v4.x.
  5. Choose Mac OS.

Note: The VPN Client v5.x was only released for Windows PCs. The latest Mac release is v4.9.

Q. I tried to use Cisco VPN Client, but received Error 51. What should I do?

A.

Refer to Cisco IPsec VPN Client on MAC OS X generates the error "Error 51: Unable to communicate with the VPN subsystem".

Q. Does the built-in Mac VPN Client support ESP-NULL transforms?

A.

No, the built-in client does not support this transform set.

SSL VPN Questions

Q. Are there compatibility issues with the AnyConnect Client?

A.

Refer to the Software Release Notes for compatibility guidelines. The ASA VPN Compatibility Reference is another great reference. AnyConnect is compatible with any ASA Version 8.0 or later and Cisco IOS Release 12.4(15)T or later.

Note: As of August 2011, AnyConnect Releases 3.0.3054 and 2.5.3054 are compatible with Mac OS X 10.7 Lion. If you encounter an issue, reference Cisco bug IDs CSCtl43150, CSCtq62860, CSCtr64798, and CSCto09628 (registered customers only) for workarounds/fixes.

Q. Where can I download the Cisco AnyConnect VPN Client?

A. 

  1. Open the Cisco Support Page.
  2. Click Download Software.
  3. Choose Products > Security > Virtual Private Networks (VPN) > Cisco VPN Clients.
    • For version 3.0, choose Cisco AnyConnect Secure Mobility Client.
    • For versions 2.5 and earlier, choose Cisco AnyConnect VPN Client.
  4. Select the necessary package to upload to your ASA. Look for 'mac' and '.pkg' in the filename and choose the '.dmg' file for the software to install directly on the Mac.

Note: New Macs all have Intel processors, but older Mac computers have a PowerPC processor. There is a separate AnyConnect package for each hardware architecture, so pay close attention to the name of the package that you download.

Q. I can connect with AnyConnect in Windows, but not Mac. Why not?

A.

A separate AnyConnect software package must be loaded onto the ASA for each client operating system that you support. There are several common errors that users run into when they browse to the webvpn portal from an unsupported OS and try to launch AnyConnect. These include:

  • AnyConnect package unavailable on the Peer. Contact your system administrator.
  • AnyConnect package unavailable or corrupted. Contact your system administrator.

Note: If you see the message 'The installer was not able to start the Cisco VPN Client.', there is probably a compatibility issue. More specifically, the latest AnyConnect versions (for example, 2.5 and 3.0) are not compatible with earlier ASA versions such as 8.0.3. Refer to the ASA VPN Compatibility Reference for more information.
