Mac OS X Lion and Cisco IPSEC VPN pitfalls
The Mac OS X Lion native VPN client, with a Cisco IPSEC EasyVPN server, was NOT working properly for me. The problem I faced was that traffic was NOT passed to the remote LAN when connected to the VPN. Split-tunnel and normal EasyVPN setups did NOT work.
When presented with a split-tunnel ACL, the Apple client creates one proxy pair (traffic selector) per ACL entry.
For example, a client with VPN IP address A and a split ACL of:
- permit B
- permit C
- permit D
would negotiate three IPsec SAs: A to B, A to C, and A to D.
When presented with the same split-tunnel ACL, the Cisco client creates a single IPsec SA:
- A to any
The client then only routes traffic for B, C and D over the tunnel; the split is enforced by the client's routing table, not by the SA.
This is fine and causes no problems with a crypto map style Cisco EasyVPN setup, because a crypto map accepts multiple SAs from the same peer.
However, when you configure the server with a dynamic virtual tunnel interface (dVTI) this becomes a problem: a VTI supports only one IPsec SA. As a result, when the Apple client proposes the proxy pair for the second entry (A to C), the proposal is rejected, and traffic for that network never enters the tunnel.
This leaves two options:
- Switch to a tunnel-all configuration (a single A-to-any SA, which the VTI can handle).
- Switch back to the crypto map configuration rather than the virtual-template configuration.
I chose to take the “old” crypto map style setup. Here’s how I made it work on a Cisco 877 DSL router:
[67-line router configuration listing not preserved in this copy]
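As an added illustration of the crypto map style option (this is not the author's 67-line listing, which did not survive, nor a vendor-supplied configuration), the following IOS EasyVPN server fragment shows the pieces that matter for the problem described above: a split-tunnel ACL pushed to the client, a dynamic crypto map bound to the WAN interface instead of a virtual-template, and a NAT exemption so replies to VPN clients are not translated. All names, addresses and the pool range are assumptions chosen for the example; the group key and user secret are placeholders.

```cisco
! Added example: EasyVPN server, crypto map style (no dVTI).
! Names, prefixes and pool are assumed values, not from the original post.
aaa new-model
aaa authentication login VPN-USERS local
aaa authorization network VPN-GROUPS local
username alice secret <USER-SECRET-PLACEHOLDER>
!
! Phase 1 policy for the Apple "Cisco IPSec" client (PSK, DH group 2)
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! Group pushed to the client: address pool, DNS and the split-tunnel ACL.
! Each permit line below becomes a separate proxy pair on the Apple client.
crypto isakmp client configuration group REMOTE-USERS
 key <GROUP-KEY-PLACEHOLDER>
 dns 192.168.1.1
 pool VPN-POOL
 acl SPLIT-TUNNEL
!
crypto isakmp profile EASYVPN-PROF
 match identity group REMOTE-USERS
 client authentication list VPN-USERS
 isakmp authorization list VPN-GROUPS
 client configuration address respond
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Dynamic crypto map: accepts one SA per proxy pair from the same peer,
! which is what the Apple client needs. reverse-route installs a host
! route for each connected client so the LAN side knows the return path.
crypto dynamic-map DYN-MAP 10
 set transform-set TS
 set isakmp-profile EASYVPN-PROF
 reverse-route
crypto map VPN-MAP 10 ipsec-isakmp dynamic DYN-MAP
!
ip local pool VPN-POOL 192.168.50.1 192.168.50.20
!
! Networks reachable through the tunnel (split tunnel). Two entries here
! would already break a dVTI setup, since it allows only one IPsec SA.
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.1.0 0.0.0.255 any
!
! NAT exemption: LAN-to-client traffic must not be translated on the
! way back, or it leaves via the WAN untunnelled and never reaches A.
ip access-list extended NAT-ACL
 deny   ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-ACL interface Dialer0 overload
!
! Bind the crypto map to the WAN (dialer) interface; no virtual-template.
interface Dialer0
 crypto map VPN-MAP
```

Checks worth doing after a client connects: `show crypto ipsec sa` should list one SA per SPLIT-TUNNEL entry for the Apple client, and `show ip route` should show the reverse-route host entry for the client's pool address. If the SA count is right but LAN hosts still get no replies, the NAT exemption is the usual culprit.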
I have tested this setup with the Mac OS X Lion VPN client and with iPhone iOS 5.0.1. All is working well now. Yeeaay!