January 14, 2008

Mac’s Coming to an Enterprise Near You


Post by M. Michael Acosta, Manager, Engineering

Mac users everywhere are eagerly anticipating the upcoming Macworld Expo. As a prelude, this week Macworld.com published their set of predictions for 2008. One prediction in particular resonated with what I’m seeing at some of our customers and within Cisco. Macworld senior editor Dan Frakes wrote:

“A new Mac market: The debut of Leopard, along with a general dissatisfaction with Windows Vista, will open doors for the Mac in the enterprise market. In fact, we’ll see a few major U.S. companies switch to the Mac platform—some gradually, but at least a couple in a major public migration. We’ll also see a resurgence of the Mac platform in higher education.”

Just a few years ago within Cisco, Macs were conspicuous mostly in their absence.  Today, it is not unusual to find an increasing number of Apple logos across from me in meetings. For the first time in quite a while, Macs are again an orderable laptop option for Cisco employees.

Given this, it should come as no surprise that Cisco has invested significantly in supporting the Mac in the enterprise with our products. Cisco Unified Personal Communicator, our next-generation unified communications client, was developed in parallel on both Mac and Windows. It is a fully native Mac application with a user-interface developed specifically for the platform. By the time Steve Jobs takes that stage to introduce the next insanely great Apple product, news of the release of the latest version of Personal Communicator should have hit the wires bringing full localization on both platforms and support for Leopard.

Cisco also offers SSL and IPSec VPN clients for the Mac OS, as well as our MeetingPlace and WebEx web conferencing solutions. And, much to the delight of Cisco’s own Mac users, Apple has also made support for EAP-FAST a native part of OS X.

These successes are valuable to Apple as a way to reinforce the use of Macs in the enterprise, but they also help Cisco by tangibly validating our cross-platform philosophy. Even if a customer has no Macs today, or the Macs are currently only in the “creative” department, it looks like there’s an increasing chance that Mac use will grow in the future. Just the possibility means that Mac support is more likely to be an important part of our customer’s needs. Much more broadly, it is in all our interests to encourage innovative and exciting devices and applications. Healthy competition is great for that.

I look forward to enabling all users to communicate as richly and naturally as face-to-face – regardless of their choice of operating system, device, or platform.

Posted by Cisco PR at 02:40PM PST

15 Comments

Jonathan Jan 24, 2008

That’s great news.

When will Cisco’s VPN client support Leopard OS X 10.5?

Pete Davis Jan 25, 2008

Cisco AnyConnect VPN Client Release 2.1 and the Cisco VPN Client 4.9.01.0100 and greater both provide support for Mac OS X 10.5 / Leopard.

Mark Bodette Feb 6, 2008

Do we have to use Cisco’s VPN Client on our Macs (running Leopard) or can we use/configure Apple’s Network/VPN connection?

Pete Davis Feb 8, 2008

Hi Mark,

The short answer is that both options are possible. While some information on this is available in the ASA Users Guide, Jamey Heary of Cisco posted information on this topic in a blog at Network World in December:

http://www.networkworld.com/community/node/23023

Cisco VPN gateways support the iPhone
Submitted by jheary on Thu, 12/13/2007 - 3:55pm.

So you have your shiny cool new iPhone. You’re addicted to their very cool web browser. Now you want to be able to surf to your internal home or corporate networks using VPN right? The embedded iPhone VPN client works over both Wi-Fi and EDGE network connections. Good news, both the Cisco IOS routers and the ASA appliance support this. In fact, they’ve supported it all along. Here are some of the geeky details and how to set it up.

The iPhone vpn client uses L2TP/IPSEC. This is the same VPN protocol that the MacOS and Windows XP native vpn clients use. For those not familiar with L2TP/IPSEC, just think of it as an alternative to using native IPSEC. The Cisco routers and firewalls (ASA) have included support for L2TP/IPSEC for a number of years now. Apple, in its infinite wisdom, has made the iPhone L2TP/IPSEC vpn client almost identical to the one on its MacOS. As a result, Cisco VPN gateways support it.

However, the iPhone L2TP/IPSEC vpn client does have some limitations. It is not as full featured as the vpn client that is on the MacOS. Here are the officially supported features from Apple that you’ll need to know when configuring your VPN gateway to handle the iPhone.

  * IKE phase 1—3DES encryption with SHA1 hash method. (no md5 support)
  * IPSec phase 2—3DES or AES encryption with MD5 or SHA hash method.
  * PPP Authentication—MSCHAPv2 (officially) but PAP, MS-CHAPv1 also worked in testing.
  * Pre-shared key (no certificate support).

So how do you configure this on a Cisco ASA firewall? Well, here is a sample configuration using the CLI. If you use ASDM (the GUI) then you can run through the wizard and enable the features the iPhone requires. Also, the Cisco ASA config guide has a partial CLI example found here
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046219


ip local pool CLIENT-POOL 10.1.99.128-10.1.99.141 mask 255.255.255.240
crypto ipsec transform-set iPhone esp-3des esp-sha-hmac
crypto ipsec transform-set iPhone mode transport

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set iPhone
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

group-policy iPhone internal
group-policy iPhone attributes
 vpn-tunnel-protocol l2tp-ipsec
 address-pools value CLIENT-POOL

tunnel-group iPhone type remote-access
tunnel-group iPhone general-attributes
 default-group-policy iPhone
 authentication-server-group denlab-RADIUS
tunnel-group iPhone ipsec-attributes
 pre-shared-key test
tunnel-group iPhone ppp-attributes
 authentication ms-chap-v2
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

To those of you familiar with the ASA vpn CLI commands, you’ll notice that this config is nothing special. It is the same config you’ve used to set up any L2TP/IPSEC tunnels in the past. Basically, supporting the iPhone doesn’t change things. You just need to ensure that you are allowing the protocols/options that iPhone supports.

To check to see if the iPhone user is connected you can use the command

show vpn-sessiondb detail remote filter protocol L2TPOverIPSec

or

show vpn-sessiondb detail remote filter protocol L2TPOverIPSecOverNatT

These show commands give you just the L2TP/IPSEC clients that are connected. The second show command shows you any clients that are using nat traversal (meaning they are behind a PAT device somewhere).

For information on how to configure the Apple iPhone side of things see here http://docs.info.apple.com/article.html?artnum=305827 or here http://docs.info.apple.com/article.html?artnum=305723 .

For information on how to configure L2TP/IPSEC on an IOS VPN router see here http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804dfa69.html

Anyone have this setup at your site? Anyone have another iPhone I can have for “testing” purposes?

The opinions and information presented here are my personal views not those of my employer.
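Added example, not part of the quoted Network World post or of any Cisco tooling: a Python audit that checks an ASA configuration against the client constraints listed in the comment above (IKE phase 1, IPsec phase 2, PPP authentication, pre-shared key). The section-prefix list and the `min_psk_len` threshold are assumptions made for this example, and the key must appear unmasked in the text being audited.

```python
# Constructed sample: crypto-relevant lines of the ASA configuration quoted above.
SAMPLE_CONFIG = """\
crypto ipsec transform-set iPhone esp-3des esp-sha-hmac
tunnel-group iPhone ipsec-attributes
 pre-shared-key test
tunnel-group iPhone ppp-attributes
 authentication ms-chap-v2
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
"""
# Assumption: only these prefixes open a section, so flattened (unindented)
# sub-mode lines still attach to the command that precedes them.
TOP_LEVEL = ("crypto ", "tunnel-group ", "group-policy ", "ip ")

def parse_sections(config):
    """Map each top-level command to the sub-mode lines that follow it."""
    sections, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith(TOP_LEVEL):
            current = sections.setdefault(line, [])
        elif line and current is not None:
            current.append(line)
    return sections

def audit(config, min_psk_len=16):  # min_psk_len: hypothetical local policy
    """Return findings; an empty list means every check passed."""
    sec, findings = parse_sections(config), []
    # IKE phase 1: 3DES with SHA1 (no MD5) and pre-shared-key authentication.
    want = {"encryption 3des", "hash sha", "authentication pre-share"}
    if not any(want <= set(v) for k, v in sec.items()
               if k.startswith("crypto isakmp policy ")):
        findings.append("no IKE policy with 3des/sha/pre-share")
    # IPsec phase 2: 3DES or AES encryption with MD5 or SHA HMAC.
    if not any(("esp-3des" in k or "esp-aes" in k) and
               ("esp-md5-hmac" in k or "esp-sha-hmac" in k)
               for k in sec if k.startswith("crypto ipsec transform-set ")):
        findings.append("no transform set with 3des/aes and md5/sha")
    # PPP authentication: MS-CHAPv2 is the officially supported method.
    if not any("authentication ms-chap-v2" in v for k, v in sec.items()
               if k.endswith(" ppp-attributes")):
        findings.append("no tunnel group with ms-chap-v2")
    # Pre-shared key: required (no certificate support); flag short keys.
    keys = [ln.split(None, 1)[1] for k, v in sec.items()
            if k.endswith(" ipsec-attributes")
            for ln in v if ln.startswith("pre-shared-key ")]
    if not keys or min(map(len, keys)) < min_psk_len:
        findings.append("pre-shared key missing or shorter than minimum")
    return findings
```

Run against the sample, `audit` reports only the short placeholder key; swapping `hash sha` for `hash md5` adds the IKE phase 1 finding.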

Pete Davis Feb 11, 2008

Hi Mark,

I should have added that Cisco supports the embedded L2TP/IPsec client on Leopard very similarly to the iPhone. The Cisco ASA documentation should include information on how to set this up via some of the referenced links.

Best Regards,
-Pete

Timothy Cunningham Mar 9, 2008

“By the time Steve Jobs takes that stage to introduce the next insanely great Apple product…”

“Even if a customer has no Macs today, or the Macs are currently only in the ‘creative’ department, it looks like there’s an increasing chance that Mac use will grow in the future.”

I thought your comments came across a little bit insincere, condescending and maybe narrow-minded. While it’s true that there is an “insane” amount of hype surrounding a lot of Mac products, there is no need to patronize someone who makes people excited about his products. And then your jibe about “creative” departments, that seems a little dismissive too as if to say there are us and then there are “those” people. If you have time and an open mind, it might be worth checking out the insanely great thing the other people in the board room and the “creative” department are using. And even if this doesn’t pass moderation, I think it’s good that you’ve read this far.

Dan Oblak - MacBigot.com Aug 26, 2008

Wow, I was just happy to see Cisco being more open (i.e., an article that one doesn’t have to obtain through a VAR) about Mac support—I was really happy to see this and quite surprised to see a knee-jerk comment below the article; I understand where all that pent-up angst comes from (I’ve made my living standing firm between IT departments and professional designers, audio/video technicians, artists, journalists, and other ‘creative types’); but from most vantage points, the platform wars are over—just pick the best tool for the job, and everyone is happy.

The fact that Cisco is reaching across the aisle to MacOS users is a side-effect, I believe, of their willingness to look at Linux on the back end (and look how much great technology has grown out of that since then).

Having been among thousands of ‘MacEvangelists’ over the last couple of decades, I can attest to the emotional attachment people can have to technology that works well. I’m sure that among Cisco’s ranks, there are evangelists with equal fervor who are eager to spread the ‘Truth’. I look forward to becoming immersed.

But as we who take technology so personally interact with other people who may not, and other technologies that were not designed with our favorite toy/tech as its highest priority, we must take a moment to realize our efforts can be hindered by our own bubbling zeal—when all the audience perceives is a minority wallowing in victimhood. Here in the United States, we are experts at that dynamic; so claiming righteous indignation can no longer be blamed on ignorance—but simply bad sportsmanship.

Welcome, Cisco, to the Mac platform—we’re glad to share the market; both ‘churched’ and ‘unchurched’.

Terry Aug 28, 2008

The Network World article may be incorrect. I just finished reading the following Cisco paper which states:

“Cisco ASA 5500 Security Appliances and PIX Firewalls. We highly recommend the latest 8.0.x software release (or greater), but you can also use 7.2.x software.

Neither Cisco IOS VPN routers nor the VPN 3000 Series Concentrators support the iPhone VPN capabilities.”

Link:

http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/iPhone/2.0/connectivity/guide/iphone.html

Xerox Printers Nov 4, 2008

I am also very anxious about this new theme. Like all the other users, this is my biggest dream at this moment. I am sure that in no time we will get what we are expecting so much right now.

Anon Mar 5, 2009

Cisco vpn gateways support the iPhone

Juliana Lazzari Sep 2, 2009

Does Cisco VPN Client 4.9.01 support Snow Leopard? If so how can we download the plug-in?

Phil Burk Oct 19, 2009

I upgraded from Leopard to Snow Leopard on my Macbook and my Cisco VPN client stopped working. It says I need “at least one network interface”, which I clearly have or I could not leave this comment. I tried rebooting. No luck. It says:

Error 51: Unable to communicate with the VPN Subsystem.

I notice in the download section there is only mention of Mac OS 10.1. That is very old. Snow Leopard is 10.6. Does Cisco plan to support Mac?

simone Oct 23, 2009

On this site, http://snowleopard.wikidot.com/, there is a compatibility list.
Is it true that Cisco VPN Client 4.9 0180 works?

Laura Smith Oct 25, 2009

I too am having the same error message since upgrading to Snow Leopard.

“Error 51: Unable to communicate with the VPN Subsystem.”

I have been unable to find anything to determine if there is an update or fix for this issue. Is there an update coming? If so, how soon?

Phil Burk Oct 26, 2009

I had Error 51 on Snow Leopard. I installed Cisco VPN Client 4.9.0100. It works now.  I think there are later versions that should also work.

The key is to reinstall or upgrade the client. The problem on Snow Leopard is fixed during installation.
