
Cisco VPN 3000 Series Concentrators

IPSec Tunnel Between VPN 3000 Concentrator and Mac OS X with VPN Client 3.7 Configuration Example

Document ID: 20224

Updated: Mar 24, 2008


Introduction

This document describes how to configure an IP Security (IPSec) tunnel from a PC that runs a Mac OS X operating system (OS) with the Cisco Virtual Private Network (VPN) Client 3.7 to a Cisco VPN 3000 Series Concentrator that allows for secure network access inside the VPN 3000 concentrator.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco VPN 3000 Series Concentrator Version 3.6.3

  • Cisco VPN Client Version 3.7

  • PowerPC G4 that runs Mac OS X 10.2.1 (Darwin Kernel Version 6.1)

Note: This configuration has been verified with Cisco VPN Client version 4.0 on Mac OS X.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Network Diagram (Optional)

This document uses this network setup:

vpn3k_MAC_os_01.gif

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

Task

In this section, you are presented with the information to configure the features described in this document.

Configure the VPN 3000 Concentrator

Complete these steps in order to configure the VPN 3000 Concentrator:

  1. Connect to the VPN Concentrator console port, and verify that the IP addresses are assigned to the private (inside) and public (outside) interfaces.

    Also, verify that a default gateway is assigned so that the Concentrator can forward to the default gateway packets for unrecognized destinations.

    This output provides an example of a VPN 3000 Concentrator configuration:

    Welcome to
    Cisco Systems
    VPN 3000 Concentrator Series
    Command Line Interface
    Copyright (C) 1998-2001 Cisco Systems, Inc. 
    
    1) Configuration
    2) Administration
    3) Monitoring
    4) Save changes to Config file
    5) Help Information
    6) Exit
    
    Main -> 1
    
    1) Interface Configuration
    2) System Management
    3) User Management
    4) Policy Management
    5) Back
    
    Config -> 1
    
    
    !--- This table shows current IP addresses.
    
    
    Intf Status IP Address/Subnet Mask MAC Address
    ---------------------------------------------------------------
    Ether1-Pri| UP            |192.168.20.1/255.255.255.0 | 00.03.A0.88.00.7D
    Ether2-Pub| UP            |10.66.79.45/255.255.255.224| 00.03.A0.88.00.7E
    Ether3-Ext|Not Configured| 0.0.0.0/0.0.0.0           | 
    ---------------------------------------------------------------
    DNS Server(s): DNS Server Not Configured
    DNS Domain Name: 
    Default Gateway: Default Gateway Not Configured
    
    1) Configure Ethernet #1 (Private)
    2) Configure Ethernet #2 (Public)
    3) Configure Ethernet #3 (External)
    4) Configure Power Supplies
    5) Back
    
    Interfaces -> 5 
    
    1) Interface Configuration
    2) System Management
    3) User Management
    4) Policy Management
    5) Back
    
    Config -> 2
    
    1) Servers (Authentication, Accounting, etc.)
    2) Address Management
    3) Tunneling Protocols (PPTP, L2TP, etc.)
    4) IP Routing (static routes, OSPF, etc.)
    5) Management Protocols (Telnet, TFTP, FTP, etc.)
    6) Event Configuration 
    7) General Config (system name, time, etc.)
    8) Client Update
    9) Load Balancing Configuration
    10) Back
    
    System -> 4
    
    1) Static Routes
    2) Default Gateways
    3) OSPF
    4) OSPF Areas
    5) DHCP
    6) Redundancy
    7) Reverse Route Injection
    8) Back
    
    Routing -> 2
    
    1) Set Default Gateway
    2) Set Default Gateway Metric
    3) Set Default Gateway Override
    4) Set Tunnel Default Gateway
    5) Back
    
    Routing -> 1
    
    > Default Gateway
    
    Routing -> 10.66.79.33
    1) Set Default Gateway
    2) Set Default Gateway Metric
    3) Set Default Gateway Override
    4) Set Tunnel Default Gateway
    5) Back
  2. Assign an available range of IP addresses.

    1. Point your browser to the inside interface of the VPN 3000 Concentrator, and choose Configuration > System > Address Management > Pools > Modify.

    2. Specify a range of IP addresses that does not conflict with any other device on the inside network.

    vpn3k_MAC_os_02.gif

  3. In order to instruct the Concentrator to use the IP pool, choose Configuration > System > Address Management > Assignment, and check the Use Address Pools check box.

    vpn3k_MAC_os_03.gif

  4. In order to configure an IPSec group for the users, choose Configuration > User Management > Groups > Modify, and define a group name and password.

    This example uses group name macgroup and password cisco123.

    vpn3k_MAC_os_04.gif

  5. From the General tab, choose the IPSec check box for Tunneling Protocols.

    vpn3k_MAC_os_05.gif

  6. From the IPSec tab, choose Internal from the Authentication drop-down list.

    vpn3k_MAC_os_06.gif

  7. In order to enable split tunneling, choose Configuration > Policy Management > Traffic Management > Network Lists, and configure a network list named MacSplitTunneling.

    The MacSplitTunneling network list identifies the networks that traffic should encrypt. In this example, the network is the internal subnet of the VPN 3000 Concentrator.

    vpn3k_MAC_os_07.gif

  8. In order to enable split tunneling on the group, choose Configuration > User Management > Groups, select macgroup, and then click Modify Group.

    vpn3k_MAC_os_08.gif

    Under the Identity tab, this identity information is displayed:

    vpn3k_MAC_os_09.gif

  9. Click the Client Config tab, and scroll down to Split Tunneling Policy. Ensure that the Only tunnel networks in this list radio button is selected.

    vpn3k_MAC_os_10.gif

  10. Choose the network list you created in step 7 (MacSplitTunneling) from the Split Tunneling Network List drop-down list.

  11. Select Configuration > User Management > Users > Modify in order to add a user to the group you created in step 4.

    In this example, the user macuser with the password macuser123 is added to the macgroup group.

    vpn3k_MAC_os_11.gif
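The concentrator steps above are all done at the console or in the browser, so there is nothing to script on the device itself, but the values you type are easy to get wrong (a default gateway outside the public subnet, an address pool that overlaps the inside interface, a split-tunnel list that misses the inside subnet). The following Python script is an added example, not Cisco code and not part of the original document: it parses the interface table and default-gateway line out of a captured copy of the step 1 CLI screen, then checks a candidate address pool (step 2) and the MacSplitTunneling network list (steps 7 to 10) against what it found. The CLI text is constructed from the lab output shown above (rows put back on one line each), the pool ranges and the function names are my assumptions, and the only real value is the lab's inside subnet 192.168.20.0/24.

```python
"""Sanity checks for the VPN 3000 walkthrough (added example, not Cisco's code)."""
import ipaddress
import re

# Constructed copy of the step 1 CLI screen, before the default gateway is set.
CLI_BEFORE = """\
Intf Status IP Address/Subnet Mask MAC Address
---------------------------------------------------------------
Ether1-Pri| UP            |192.168.20.1/255.255.255.0 | 00.03.A0.88.00.7D
Ether2-Pub| UP            |10.66.79.45/255.255.255.224| 00.03.A0.88.00.7E
Ether3-Ext|Not Configured| 0.0.0.0/0.0.0.0           |
---------------------------------------------------------------
DNS Server(s): DNS Server Not Configured
DNS Domain Name:
Default Gateway: Default Gateway Not Configured
"""
# Same screen after "Routing -> 1" sets the gateway used in the walkthrough.
CLI_AFTER = CLI_BEFORE.replace("Default Gateway: Default Gateway Not Configured",
                               "Default Gateway: 10.66.79.33")
# The network list from step 7: the concentrator's inside subnet (assumed /24).
MAC_SPLIT_TUNNELING = ["192.168.20.0/24"]

# One interface row: name | status | ip/mask | mac
ROW_RE = re.compile(
    r"^(?P<name>Ether\d-\w+)\|\s*(?P<status>[^|]+?)\s*\|\s*(?P<ip>[\d.]+)/(?P<mask>[\d.]+)")


def parse_interfaces(text):
    """Return {name: (status, IPv4Interface or None)} from the interface table."""
    result = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        status, ip, mask = m.group("status"), m.group("ip"), m.group("mask")
        if status == "Not Configured" or ip == "0.0.0.0":
            result[m.group("name")] = (status, None)
        else:
            # ipaddress accepts a dotted netmask after the slash.
            result[m.group("name")] = (status, ipaddress.ip_interface(f"{ip}/{mask}"))
    return result


def parse_default_gateway(text):
    """Return the configured default gateway, or None if the CLI says it is not set."""
    m = re.search(r"^Default Gateway:\s*(.+)$", text, re.M)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1).strip())
    except ValueError:  # "Default Gateway Not Configured"
        return None


def check_step1(text):
    """Step 1: private and public interfaces carry addresses and the default
    gateway is set and sits on the public interface's subnet."""
    ifaces = parse_interfaces(text)
    gw = parse_default_gateway(text)
    problems = []
    for name in ("Ether1-Pri", "Ether2-Pub"):
        status, addr = ifaces.get(name, ("missing", None))
        if addr is None:
            problems.append(f"{name} has no IP address ({status})")
    if gw is None:
        problems.append("default gateway not configured")
    else:
        pub = ifaces.get("Ether2-Pub", (None, None))[1]
        if pub is not None and gw not in pub.network:
            problems.append(f"default gateway {gw} is not on the public subnet {pub.network}")
    return problems


def check_pool(pool_start, pool_end, private_iface):
    """Step 2: the pool must lie inside the inside subnet and must not contain
    the concentrator's own inside address (the one device we know is there)."""
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    net = private_iface.network
    problems = []
    if start > end:
        problems.append("pool start is after pool end")
    if start not in net or end not in net:
        problems.append(f"pool {start}-{end} is not inside {net}")
    if start <= private_iface.ip <= end:
        problems.append(f"pool includes the concentrator's inside address {private_iface.ip}")
    return problems


def tunneled(destination, network_list):
    """Steps 7-10: with 'Only tunnel networks in this list', a destination is
    encrypted only when it falls in one of the listed networks."""
    dst = ipaddress.ip_address(destination)
    return any(dst in ipaddress.ip_network(n) for n in network_list)


if __name__ == "__main__":
    print("before gateway:", check_step1(CLI_BEFORE))
    print("after gateway: ", check_step1(CLI_AFTER))
    priv = parse_interfaces(CLI_AFTER)["Ether1-Pri"][1]
    print("pool .100-.200:", check_pool("192.168.20.100", "192.168.20.200", priv))
    print("pool .1-.50:   ", check_pool("192.168.20.1", "192.168.20.50", priv))
    print("192.168.20.7 tunneled:", tunneled("192.168.20.7", MAC_SPLIT_TUNNELING))
    print("10.0.0.1 tunneled:    ", tunneled("10.0.0.1", MAC_SPLIT_TUNNELING))
```

Paste your own console capture into CLI_BEFORE (one interface per line) to run the same checks against a real unit; the split-tunnel check is the one to revisit whenever the network list changes, since any destination for which tunneled() returns False leaves the Mac in the clear.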

Configuring the Cisco VPN Client 3.7 for the Mac OS X

Complete these steps in order to configure the Cisco VPN Client 3.7 for the Mac:

  1. Click New in order to create a new connection entry.

    vpn3k_MAC_os_12.gif

    A VPN Client Properties dialog box for the new connection appears.

    vpn3k_MAC_os_12a.gif

  2. Enter connection information, and click Save.

  3. Click Connect in order to initiate the connection to the Concentrator.

    vpn3k_MAC_os_13.gif

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

Use this section in order to troubleshoot your configuration.

Turn on Client Logging

In order to turn on logging on the client, complete these steps:

  1. Click the Log tab, and then click Options.

  2. Verify that the logging levels are set as shown in this image:

    vpn3k_MAC_os_14.gif

This image shows logging options per the client.

vpn3k_MAC_os_15.gif

How to Uninstall the Cisco VPN Client 3.7

In order to uninstall the Cisco VPN Client 3.7, locate the directory in which you installed the application, double-click the Uninstall Cisco VPN Client icon, and follow the onscreen instructions.

vpn3k_MAC_os_16.gif

Activating the Root

Complete these steps in order to activate the root:

  1. Choose Applications > Utilities > NetInfo Manager in order to open the NetInfo Manager.

  2. Click the button with the lock, and enter your password for authentication.

  3. From the menu, choose Domain > Security > Authenticate, and then choose Domain > Security > Enable Root User.

  4. At the prompt, enter a password for the user root.

You should now be able to log in as user root with your new password.

Note: You must be logged on as root in order to install the VPN Client. Also, Cisco recommends that you do not remain logged in as root as this enables you to make numerous changes to the SWAT.

VPN Client is Unable to Connect

Problem: VPN Client on Mac OS X is not able to connect to the VPN 3000 Series Concentrator, and the user receives this message:

reason = PEER_DELETE-IKE_DELETE_FIREWALL_MISMATCH

Cause: This message indicates that the required software firewall is not running on the client PC. You can specify that a software firewall must run on the VPN Client PC in the VPN Concentrator Group Settings. However, only the Windows version of the VPN Client supports this firewall function. All other versions (Mac/Linux/Solaris) of the Cisco VPN Client do not support this firewall function.

Resolution: In order to resolve this issue, verify the firewall settings. Uncheck the Firewall Required option on the Group Settings in the VPN 3000 Concentrator, and try again to connect.

vpn3k_MAC_os_17.gif

Related Information
