Document ID: 20224
This document describes how to configure an IP Security (IPSec) tunnel from a PC that runs a Mac OS X operating system (OS) with the Cisco Virtual Private Network (VPN) Client 3.7 to a Cisco VPN 3000 Series Concentrator that allows for secure network access inside the VPN 3000 concentrator.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
Cisco VPN 3000 Series Concentrator Version 3.6.3
Cisco VPN Client Version 3.7
PowerPC G4 that runs Mac OS X 10.2.1 (Darwin Kernel Version 6.1)
Note: This configuration has been verified with Cisco VPN Client version 4.0 on Mac OS X.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
This document uses this network setup:
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
In this section, you are presented with the information to configure the features described in this document.
Complete these steps in order to configure the VPN 3000 Concentrator:
1. Connect to the VPN Concentrator console port, and verify that IP addresses are assigned to the private (inside) and public (outside) interfaces.
Also, verify that a default gateway is assigned so that the Concentrator can forward packets for unrecognized destinations to the default gateway.
This output provides an example of a VPN 3000 Concentrator configuration:

Welcome to
Cisco Systems
VPN 3000 Concentrator Series
Command Line Interface
Copyright (C) 1998-2001 Cisco Systems, Inc.

1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit

Main -> 1

1) Interface Configuration
2) System Management
3) User Management
4) Policy Management
5) Back

Config -> 1

!--- This table shows current IP addresses.

Intf       Status        IP Address/Subnet Mask       MAC Address
---------------------------------------------------------------
Ether1-Pri|     UP      |192.168.20.1/255.255.255.0 | 00.03.A0.88.00.7D
Ether2-Pub|     UP      |10.66.79.45/255.255.255.224| 00.03.A0.88.00.7E
Ether3-Ext|Not Configured| 0.0.0.0/0.0.0.0          |
---------------------------------------------------------------
DNS Server(s): DNS Server Not Configured
DNS Domain Name:
Default Gateway: Default Gateway Not Configured

1) Configure Ethernet #1 (Private)
2) Configure Ethernet #2 (Public)
3) Configure Ethernet #3 (External)
4) Configure Power Supplies
5) Back

Interfaces -> 5

1) Interface Configuration
2) System Management
3) User Management
4) Policy Management
5) Back

Config -> 2

1) Servers (Authentication, Accounting, etc.)
2) Address Management
3) Tunneling Protocols (PPTP, L2TP, etc.)
4) IP Routing (static routes, OSPF, etc.)
5) Management Protocols (Telnet, TFTP, FTP, etc.)
6) Event Configuration
7) General Config (system name, time, etc.)
8) Client Update
9) Load Balancing Configuration
10) Back

System -> 4

1) Static Routes
2) Default Gateways
3) OSPF
4) OSPF Areas
5) DHCP
6) Redundancy
7) Reverse Route Injection
8) Back

Routing -> 2

1) Set Default Gateway
2) Set Default Gateway Metric
3) Set Default Gateway Override
4) Set Tunnel Default Gateway
5) Back

Routing -> 1

> Default Gateway

Routing -> 10.66.79.33

1) Set Default Gateway
2) Set Default Gateway Metric
3) Set Default Gateway Override
4) Set Tunnel Default Gateway
5) Back
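The following is an added example, not part of the Cisco document: a small parser for the interface table and Default Gateway line that the CLI prints, which encodes the two checks this step asks for (private and public interfaces UP with an address, and a default gateway set) and adds one more a practitioner would want, that the gateway actually lies on the public interface's subnet. The sample text is constructed from the values in the CLI output above; the exact column widths are an assumption about the concentrator's output format.

```python
import ipaddress
import re

# Constructed sample, modelled on the interface table printed under
# Configuration > Interface Configuration; addresses are the page's own,
# column spacing is assumed.
SAMPLE_BEFORE = """\
Intf       Status        IP Address/Subnet Mask       MAC Address
---------------------------------------------------------------
Ether1-Pri|     UP      |192.168.20.1/255.255.255.0 | 00.03.A0.88.00.7D
Ether2-Pub|     UP      |10.66.79.45/255.255.255.224| 00.03.A0.88.00.7E
Ether3-Ext|Not Configured| 0.0.0.0/0.0.0.0          |
---------------------------------------------------------------
DNS Server(s): DNS Server Not Configured
DNS Domain Name:
Default Gateway: Default Gateway Not Configured
"""

# Same table after the default gateway from the CLI walk-through has been set.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "Default Gateway: Default Gateway Not Configured",
    "Default Gateway: 10.66.79.33",
)

# name | status | address/netmask | ...   (MAC column is ignored)
ROW_RE = re.compile(r"^(Ether\d-\w+)\s*\|\s*([^|]+?)\s*\|\s*([\d.]+)/([\d.]+)\s*\|")
GW_RE = re.compile(r"^Default Gateway:\s*(.*)$", re.M)


def parse_interface_table(text):
    """Return {name: {"status": str, "address": IPv4Interface or None}}."""
    interfaces = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        name, status, ip, mask = m.groups()
        # Only an UP interface carries a meaningful address; ipaddress accepts
        # the dotted netmask form the concentrator prints.
        addr = ipaddress.IPv4Interface(f"{ip}/{mask}") if status == "UP" else None
        interfaces[name] = {"status": status, "address": addr}
    return interfaces


def parse_default_gateway(text):
    """Return the default gateway as IPv4Address, or None if not configured."""
    m = GW_RE.search(text)
    if not m or "Not Configured" in m.group(1):
        return None
    return ipaddress.IPv4Address(m.group(1).strip())


def check_concentrator_config(text):
    """Return a list of findings; an empty list means the step-1 prerequisites hold."""
    findings = []
    ifaces = parse_interface_table(text)
    for name in ("Ether1-Pri", "Ether2-Pub"):
        entry = ifaces.get(name)
        if entry is None or entry["status"] != "UP" or entry["address"] is None:
            findings.append(f"{name}: not UP / no address")
        elif entry["address"].ip == ipaddress.IPv4Address("0.0.0.0"):
            findings.append(f"{name}: address is 0.0.0.0")
    gw = parse_default_gateway(text)
    pub = ifaces.get("Ether2-Pub", {}).get("address")
    if gw is None:
        findings.append("default gateway not configured")
    elif pub is not None and gw not in pub.network:
        # A gateway off the public subnet is unreachable, so remote clients
        # can never get return traffic.
        findings.append(f"default gateway {gw} is not on the public subnet {pub.network}")
    return findings


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, check_concentrator_config(sample) or "OK")
```

Run against the text before the gateway is set it reports the missing gateway; against the text after it reports nothing, because 10.66.79.33 falls inside the public interface's 10.66.79.32/27.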
2. Assign an available range of IP addresses.
Point your browser to the inside interface of the VPN 3000 Concentrator, and choose Configuration > System > Address Management > Pools > Modify.
Specify a range of IP addresses that does not conflict with any other device on the inside network.
3. In order to instruct the Concentrator to use the IP pool, choose Configuration > System > Address Management > Assignment, and check the Use Address Pools check box.
4. In order to configure an IPSec group for the users, choose Configuration > User Management > Groups > Modify, and define a group name and password.
This example uses group name macgroup and password cisco123.
5. From the General tab, check the IPSec check box under Tunneling Protocols.
6. From the IPSec tab, choose Internal from the Authentication drop-down list.
7. In order to enable split tunneling, choose Configuration > Policy Management > Traffic Management > Network Lists, and configure a network list named MacSplitTunneling.
The MacSplitTunneling network list identifies the networks whose traffic should be encrypted (sent through the tunnel). In this example, the network is the internal subnet of the VPN 3000 Concentrator.
8. In order to enable split tunneling on the group, choose Configuration > User Management > Groups, select macgroup, and then click Modify Group.
Under the Identity tab, this identity information is displayed:
9. Click the Client Config tab, and scroll down to Split Tunneling Policy. Ensure that the Only tunnel networks in this list radio button is selected.
10. Choose the network list you created in step 7 (MacSplitTunneling) from the Split Tunneling Network List drop-down list.
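An added example, not from the Cisco document, of what the Only tunnel networks in this list policy means for each packet the client sends, together with a sanity check on the network list itself (does it cover the concentrator's inside subnet, and does any entry silently turn it into tunnel-everything). The inside subnet comes from the CLI output in step 1; the second list entry, 192.168.21.0/24, and the names of the two other policy choices are assumptions made for the example.

```python
import ipaddress

# Constructed stand-in for the MacSplitTunneling network list: the concentrator's
# inside subnet (from the page) plus an assumed second internal subnet.
MAC_SPLIT_TUNNELING = ["192.168.20.0/24", "192.168.21.0/24"]

# Split Tunneling Policy choices; only the middle one is named on the page,
# the other two are assumed labels for the remaining radio buttons.
TUNNEL_EVERYTHING = "Tunnel everything"
ONLY_TUNNEL_LISTED = "Only tunnel networks in this list"
LISTED_BYPASS_TUNNEL = "Allow networks in list to bypass the tunnel"


def route_for(destination, network_list, policy=ONLY_TUNNEL_LISTED):
    """Return 'tunnel' or 'clear' for a client packet addressed to destination."""
    dst = ipaddress.ip_address(destination)
    nets = [ipaddress.ip_network(n) for n in network_list]
    listed = any(dst in n for n in nets)
    if policy == TUNNEL_EVERYTHING:
        return "tunnel"
    if policy == ONLY_TUNNEL_LISTED:
        # Listed destinations are encrypted to the concentrator; everything
        # else leaves the Mac unencrypted via its normal default route.
        return "tunnel" if listed else "clear"
    if policy == LISTED_BYPASS_TUNNEL:
        # The inverse: the list names what is allowed to skip the tunnel.
        return "clear" if listed else "tunnel"
    raise ValueError(f"unknown split tunneling policy: {policy!r}")


def audit_network_list(network_list, inside_interface="192.168.20.1/255.255.255.0"):
    """Return warnings about a network list meant for ONLY_TUNNEL_LISTED."""
    inside = ipaddress.ip_interface(inside_interface).network
    nets = [ipaddress.ip_network(n) for n in network_list]
    warnings = []
    if not any(inside.subnet_of(n) for n in nets):
        warnings.append(f"inside subnet {inside} is not covered by the list")
    for n in nets:
        if n.prefixlen == 0:
            warnings.append(f"{n} tunnels everything; the list is pointless")
    return warnings


if __name__ == "__main__":
    for dst in ("192.168.20.10", "192.168.21.5", "10.66.79.33"):
        print(dst, route_for(dst, MAC_SPLIT_TUNNELING))
    print(audit_network_list(MAC_SPLIT_TUNNELING) or "list OK")
```

With the page's policy, a packet to a host on 192.168.20.0/24 is tunnelled while one to the concentrator's own public-side network goes in the clear; the audit flags a list that forgets the inside subnet, which is the usual reason users connect successfully but cannot reach internal hosts.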
11. Choose Configuration > User Management > Users > Modify in order to add a user to the group you created in step 4.
In this example, the user macuser with password macuser123 is added to the macgroup group.
Complete these steps in order to configure the Cisco VPN Client 3.7 for the Mac:
1. Click New in order to create a new connection entry.
A VPN Client Properties dialog box for the new connection appears.
2. Enter the connection information, and click Save.
3. Click Connect in order to initiate the connection to the Concentrator.
There is currently no verification procedure available for this configuration.
Use this section in order to troubleshoot your configuration.
In order to turn on logging on the client, complete these steps:
1. Click the Log tab, and then click Options.
2. Verify that the logging levels are set as shown in this image:
This image shows the client logging options.
In order to uninstall the Cisco VPN Client 3.7, locate the directory in which you installed the application, double-click the Uninstall Cisco VPN Client icon, and follow the onscreen instructions.
Complete these steps in order to activate the root user:
1. Choose Applications > Utilities > NetInfo Manager in order to open the NetInfo Manager.
2. Click the lock button, and enter your password for authentication.
3. From the menu, choose Domain > Security > Authenticate, and then choose Domain > Security > Enable Root User.
4. At the prompt, enter a password for the root user.
You should now be able to log in as user root with your new password.
Note: You must be logged on as root in order to install the VPN Client. Also, Cisco recommends that you do not remain logged in as root, as this enables you to make numerous changes to the system.
Problem: The VPN Client on Mac OS is not able to connect to the VPN 3000 Series Concentrator, and the user receives this message:
reason = PEER_DELETE-IKE_DELETE_FIREWALL_MISMATCH
Cause: This message indicates that the required software firewall is not running on the client PC. You can specify that a software firewall must run on the VPN Client PC in the VPN Concentrator Group Settings. However, only the Windows version of the VPN Client supports this firewall function. All other versions (Mac/Linux/Solaris) of the Cisco VPN Client do not support this firewall function.
Resolution: In order to resolve this issue, verify the firewall settings. Uncheck the Firewall Required option on the Group Settings in the VPN 3000 Concentrator, and try again to connect.
- Cisco VPN 3000 Series Concentrators
- IPSec Negotiation/IKE Protocols
- Security and VPN - Support
- Technical Support & Documentation - Cisco Systems
Updated: Mar 24, 2008 | Document ID: 20224