Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Cisco VPN 3000 Series Concentrators

IPSec Tunnel Between VPN 3000 Concentrator and Mac OS X with VPN Client 3.7 Configuration Example

Downloads

Document ID: 20224


Contents

Introduction
Prerequisites
      Requirements
      Components Used
      Network Diagram (Optional)
      Conventions
Configure
      Task
      Configure the VPN 3000 Concentrator
      Configuring the Cisco VPN Client 3.7 for the Mac OS X
Verify
Troubleshoot
      Turn on Client Logging
      How to Uninstall the Cisco VPN Client 3.7
      Activating the Root
      VPN Client is Unable to Connect
NetPro Discussion Forums - Featured Conversations
Related Information

Introduction

This document describes how to configure an IP Security (IPSec) tunnel from a PC that runs a Mac OS X operating system (OS) with the Cisco Virtual Private Network (VPN) Client 3.7 to a Cisco VPN 3000 Series Concentrator that allows for secure network access inside the VPN 3000 concentrator.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco VPN 3000 Series Concentrator Version 3.6.3

  • Cisco VPN Client Version 3.7

  • PowerPC G4 that runs Mac OS X 10.2.1 (Darwin Kernel Version 6.1)

Note: This configuration has been verified with Cisco VPN Client version 4.0 on MAC OS X.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Network Diagram (Optional)

This document uses this network setup:

vpn3k_MAC_os_01.gif

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

Task

In this section, you are presented with the information to configure the features described in this document.

Configure the VPN 3000 Concentrator

Complete these steps in order to configure the VPN 3000 Concentrator:

  1. Connect to the VPN Concentrator console port, and verify that the IP addresses are assigned to the private (inside) and public (outside) interfaces.

    Also, verify that a default gateway is assigned so that the Concentrator can forward to the default gateway packets for unrecognized destinations.

    This output provides an example of a VPN 3000 Concentrator configuration:

    Welcome to
Cisco Systems
VPN 3000 Concentrator Series
Command Line Interface
Copyright (C) 1998-2001 Cisco Systems, Inc. 

1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit

Main -> 1

1) Interface Configuration
2) System Management
3) User Management
4) Policy Management
5) Back

Config -> 1


!--- This table shows current IP addresses.


Intf Status IP Address/Subnet Mask MAC Address
---------------------------------------------------------------
Ether1-Pri| UP |192.168.20.1/255.255.255.0 | 00.03.A0.88.00.7DEther2-Pub| 
UP |10.66.79.45/255.255.255.224| 00.03.A0.88.00.7EEther3-Ext|Not Configured| 
0.0.0.0/0.0.0.0 | 
---------------------------------------------------------------
DNS Server(s): DNS Server Not Configured
DNS Domain Name: 
Default Gateway: Default Gateway Not Configured

1) Configure Ethernet #1 (Private)
2) Configure Ethernet #2 (Public)
3) Configure Ethernet #3 (External)
4) Configure Power Supplies
5) Back

Interfaces -> 5 

1) Interface Configuration
2) System Management
3) User Management
4) Policy Management
5) Back

Config -> 2

1) Servers (Authentication, Accounting, etc.)
2) Address Management
3) Tunneling Protocols (PPTP, L2TP, etc.)
4) IP Routing (static routes, OSPF, etc.)
5) Management Protocols (Telnet, TFTP, FTP, etc.)
6) Event Configuration 
7) General Config (system name, time, etc.)
8) Client Update
9) Load Balancing Configuration
10) Back

System -> 4

1) Static Routes
2) Default Gateways
3) OSPF
4) OSPF Areas
5) DHCP
6) Redundancy
7) Reverse Route Injection
8) Back

Routing -> 2

1) Set Default Gateway
2) Set Default Gateway Metric
3) Set Default Gateway Override
4) Set Tunnel Default Gateway
5) Back

Routing -> 1

> Default Gateway

Routing -> 10.66.79.33
1) Set Default Gateway
2) Set Default Gateway Metric
3) Set Default Gateway Override
4) Set Tunnel Default Gateway
5) Back

  2. Assign an available range of IP addresses.

    1. Point your browser to the inside interface of the VPN 3000 Concentrator, and choose Configuration > System > Address Management > Pools > Modify.

    2. Specify a range of IP addresses that does not conflict with any other device on the inside network.

    vpn3k_MAC_os_02.gif

  3. In order to instruct the Concentrator to use the IP pool, choose Configuration > System > Address Management > Assignment, and check the Use Address Pools check box.

    vpn3k_MAC_os_03.gif

  4. In order to configure an IPSec group for the users, choose Configuration > User Management > Groups > Modify, and define a group name and password.

    This example uses group name macgroup and password cisco123.

    vpn3k_MAC_os_04.gif

  5. From the General tab, choose the IPSec check box for Tunneling Protocols.

    vpn3k_MAC_os_05.gif

  6. From the IPSec tab, choose Internal from the Authentication drop-down list.

    vpn3k_MAC_os_06.gif

  7. In order to enable split tunneling, choose Configuration > Policy Management > Traffic Management > Network Lists, and configure a network list named MacSplitTunneling.

    The MacSplitTunneling network list identifies the networks that traffic should encrypt. In this example, the network is the internal subnet of the VPN 3000 Concentrator.

    vpn3k_MAC_os_07.gif

  8. In order to enable split tunneling on the group, choose Configuration > User Management > Groups, select macgroup, and then click Modify Group.

    vpn3k_MAC_os_08.gif

    Under the Identity tab, this identity information is displayed:

    vpn3k_MAC_os_09.gif

  9. Click the Client Config tab, and scroll down to Split Tunneling Policy. Ensure that the Only tunnel networks in this list radio button is selected.

    vpn3k_MAC_os_10.gif

  10. Choose the network list you created in step 7 (MacSplitTunneling) from the Split Tunneling Network List drop-down list.

  11. Select Configuration > User Management > Users > Modify in order to add a user to the group you created in step 4.

    In this example, the user is macuser and the password is macuser123 is added to the macgroup group.

    vpn3k_MAC_os_11.gif

Configuring the Cisco VPN Client 3.7 for the Mac OS X

Complete these steps in order to configure the Cisco VPN Client 3.7 for the Mac:

  1. Click New in order to create a new connection entry.

    vpn3k_MAC_os_12.gif

    A VPN Client Properties dialog box for the new connection appears.

    vpn3k_MAC_os_12a.gif

  2. Enter connection information, and click Save.

  3. Click Connect in order to initiate the connection to the Concentrator.

    vpn3k_MAC_os_13.gif

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

Use this section in order to troubleshoot your configuration.

Turn on Client Logging

In order to turn on logging on the client, complete these steps:

  1. Click the Log tab, and then click Options.

  2. Verify that the logging levels are set as shown in this image:

    vpn3k_MAC_os_14.gif

This image shows logging options per the client.

vpn3k_MAC_os_15.gif

How to Uninstall the Cisco VPN Client 3.7

In order to uninstall the Cisco VPN Client 3.7, locate the directory in which you installed the application, double-click the Uninstall Cisco VPN Client icon, and follow the onscreen instructions.

vpn3k_MAC_os_16.gif

Activating the Root

Complete these steps in order to activate the root:

  1. Choose Applications > Utilities > NetInfo Manage in order to open the NetInfo Manager.

  2. Click the button with the lock, and enter your password for authentication.

  3. From the menu, choose Domain > Security > Authenticate, and then choose Domain > Security > Enable Root User.

  4. At the prompt, enter a password for the user root.

You should now be able to log in as user root with your new password.

Note: You must be logged on as root in order to install the VPN Client. Also, Cisco recommends that you do not remain logged in as root as this enables you to make numerous changes to the SWAT.

VPN Client is Unable to Connect

Problem: VPN Client on the MAC OS is not able to connect to the VPN 3000 Series Concentrator, and the user receives this message:

reason = PEER_DELETE-IKE_DELETE_FIREWALL_MISMATCH

Cause: This message indicates that the required software firewall is not running on the client PC. You can specify that a software firewall must run on the VPN Client PC in the VPN Concentrator Group Settings. However, only the Windows version of the VPN Client supports this firewall function. All other versions (Mac/Linux/Solaris) of the Cisco VPN Client do not support this firewall function.

Resolution: In order to resolve this issue, verify the firewall settings. Uncheck the Firewall Required option on the Group Settings in the VPN 3000 Concentrator, and try again to connect.

vpn3k_MAC_os_17.gif

NetPro Discussion Forums - Featured Conversations

Networking Professionals Connection is a forum for networking professionals to share questions, suggestions, and information about networking solutions, products, and technologies. The featured links are some of the most recent conversations available in this technology.
NetPro Discussion Forums - Featured Conversations for VPN
Service Providers: VPN Service Architectures
Service Providers: Network Management
Virtual Private Networks: Security
Virtual Private Networks: General

Related Information

Updated: Mar 24, 2008Document ID: 20224