Apple recently released Mac OS X 10.11.4, the latest update for OS X El Capitan. I’m generally an early adopter. If I’m not running a beta release (which I must admit, I’m not doing nearly as much of anymore), I am certainly the first in line to update OS X or iOS to the latest release as soon as it’s reached GA status.
If you’re like me, the latest OS X update, 10.11.4, broke some VPN profiles, specifically certain Cisco IPsec profiles. When I discovered the VPN client wouldn’t connect to a Cisco IPsec profile that had been working just fine before the update, my first thought was that the problem might be on the remote end, or perhaps with my ISP. I tried a secondary VPN profile that uses L2TP over IPsec and had no issues. I then tried a third profile using Cisco IPsec, with no luck. After successfully connecting to a fourth VPN profile (also L2TP over IPsec), I was beginning to think the issue had nothing at all to do with the original VPN endpoint I was attempting to connect to, or with my ISP. A quick test of the same VPN profiles on a second Mac that had been updated to 10.11.4 yielded the same results, even when connected through a second ISP, confirming my theory.

What next? Google to the rescue, of course!
A quick search for “OSX 10.11.4 IPsec” yielded a thread in Apple’s Support Communities that was opened just yesterday with multiple users having similar issues. Yes, I was on to something – my Google Foo was strong!
After reading through a handful of “me too’s”, I found a reply that suggested increasing the DH Group to 14 on the VPN appliance would fix the issue. Of course I was remote – the reason I was trying to connect to the VPN in the first place – so I couldn’t test this theory until later, when I actually made it onsite. I can confirm that in my case, changing the DH Group to 14 solved my problem. It appears that starting with OS X 10.11.4, Apple requires a minimum of a 2048-bit modulus (DH Group 14) to connect to IPSec VPNs. The two “broken” VPN profiles were using a 1024-bit modulus (DH Group 2).
How to modify an existing IPsec Tunnel on a FortiGate firewall using FortiOS 5.4
If you have an IPSec VPN Tunnel configured on a FortiGate firewall, and you used the default “Dialup – Cisco IPsec Client” template, it’s likely that your DH Group is set to 2. I couldn’t find a way to modify the DH Group for an existing IPSec tunnel in the FortiOS 5.4 GUI, but here are the CLI commands to make the change:

FW01 # config vpn ipsec phase1-interface
FW01 (phase1-interface) # edit YOUR_VPN_TUNNEL
FW01 (YOUR_VPN_TUNNEL) # set dhgrp 14
FW01 (YOUR_VPN_TUNNEL) # end
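The following audit script is an added example, not code from this post or from Fortinet. It assumes a text dump in the shape the FortiOS CLI prints for config vpn ipsec phase1-interface, flags every tunnel that offers a DH group below the 2048-bit floor described above, and renders the same set dhgrp 14 fix for each. It goes a little beyond the single tunnel in the post: it handles tunnels that list several groups and tunnels whose dhgrp line is absent because the template default (group 2) applies. The tunnel names in the sample dump are constructed.

```python
import re

# Modulus size in bits of the MODP Diffie-Hellman groups (RFC 2409 / RFC 3526);
# groups not listed here (e.g. the ECP groups 19-21) are treated as unknown and skipped.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096, 17: 6144, 18: 8192}
MIN_BITS = 2048  # the smallest modulus OS X 10.11.4 will negotiate, per the post above

def parse_phase1(config_text):
    """Map tunnel name -> DH groups from a FortiOS 'config vpn ipsec phase1-interface' dump."""
    tunnels, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m_edit = re.match(r'^edit\s+"?(.+?)"?$', line)
        m_dh = re.match(r'^set dhgrp((?:\s+\d+)+)$', line)  # FortiOS allows several groups
        if m_edit:
            current = m_edit.group(1)
            tunnels[current] = None  # None: no explicit dhgrp line, the default applies
        elif m_dh and current is not None:
            tunnels[current] = [int(g) for g in m_dh.group(1).split()]
        elif line == "next":
            current = None
    return tunnels

def weak_tunnels(tunnels, min_bits=MIN_BITS, default_groups=(2,)):
    """Return [(name, weakest_group, bits)] for tunnels offering a group below min_bits.
    default_groups is assumed when dhgrp is not shown; the Cisco dialup template uses group 2."""
    findings = []
    for name, groups in tunnels.items():
        offered = list(default_groups) if groups is None else groups
        known = [(DH_GROUP_BITS[g], g) for g in offered if g in DH_GROUP_BITS]
        bits, group = min(known, default=(None, None))
        if bits is not None and bits < min_bits:
            findings.append((name, group, bits))
    return findings

def fix_commands(findings, target_group=14):
    """Render the FortiOS CLI that moves each flagged tunnel to target_group (the post's fix)."""
    lines = ["config vpn ipsec phase1-interface"]
    for name, _, _ in findings:
        lines += [f'    edit "{name}"', f"        set dhgrp {target_group}", "    next"]
    return "\n".join(lines + ["end"])

# Constructed sample dump (tunnel names and settings made up for this example).
SAMPLE_CONFIG = ('config vpn ipsec phase1-interface\n'
                 '    edit "Dialup_Cisco"\n        set dhgrp 2\n    next\n'
                 '    edit "SiteToSite_HQ"\n        set dhgrp 14 5\n    next\n'
                 '    edit "Dialup_Legacy"\n        set type dynamic\n    next\nend\n')
```

Run weak_tunnels(parse_phase1(text)) against a real dump and feed the result to fix_commands to get a paste-ready change set; a dump taken with show rather than show full-configuration omits default values, which is why the default-group assumption matters.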
That’s it! One thing I love about the FortiOS CLI is that it’s incredibly powerful, yet very easy to navigate – much easier to navigate than Cisco IOS, in my opinion. I was able to apply this to a handful of FortiGate firewalls that I manage for SquarePlanIT customers who were using Cisco IPsec VPN tunnels and weren’t already using a 2048-bit modulus. Speaking of managed firewalls – if you’re looking for a managed IT solutions provider, or even just have some project work to knock out, get in touch! I’d love to tell you about all that we have to offer.
Learn more about Diffie-Hellman groups
To learn more about the Diffie-Hellman key exchange, here’s an excellent Wikipedia article. For a brief overview of the different DH Groups that can be configured, check out this Cisco Support Community article.
TheJackMan wrote:
I set up my built-in MAC VPN (Cisco IPSec) client, but it does not appear the client is getting my split tunnel details. It routes all traffic over the VPN in the split tunnel list, and any traffic that is not configured to go down the VPN tunnel appears to just get dropped; it just does not pass that traffic out the local internet connection. On the MAC built-in VPN (L2TP) configuration, in advanced options, you see a check box for 'Send all traffic over VPN connection', but that option is not available in the MAC built-in VPN (Cisco IPSec). Would this check box be similar to the Cisco client's 'allow local lan access'? That particular feature allows for split tunneling in the Cisco client. Is there a way for the built-in VPN (Cisco IPSec) client to get the split tunnel rules? Thanks
I have not set up the Cisco VPN server end, but I have used a Cisco system from the client end. I can therefore tell you that often the IT department will have set policies in the Cisco VPN server to force all traffic to go via their system, whether you as a user would prefer it or not. This allows them to monitor and filter all the traffic.
Apple's own VPN server can be configured in a similar way, although I chose to allow non-work traffic to go via the user's own connection.
Sep 1, 2011 2:58 AM
