This post is intented to be a merge of two of the technologies of my life. In one hand Cisco networking with the old IPSec VPN, and on the other hand OSX, which has been a good friend in my iOS development career.
I was using Cisco anyconnect in the past (let’s say “the new” or “the good” solution), but dealing with updates on the client of the router on each OSX new version is something that can keep more than one out of the anyconnect option.
Here we will address two configuration, firstly we will explain the data needed to configure a Cisco IPSec VPN, and then we will go further explaining the steps needed to configure one, in the first step, we will address Cisco router configuration, and then we will be able to configure it on the MAC.
The IPSec has two steps to start, in first step manages the ISAKMP tunnel, and on the second step is created the IPSec tunnel for the data. The data to know before start is:
- GROUP name
- GROUP password
- Username
- Password
- Local network
- Remote VPN network
All the rest of the configuration can be fine-tuned, but isn’t important to the client (will work if not modified, but Apple does not support all the options on hashing does not support header compression).
Network traffic and NAT configuration
First we will specify clearly which IP addresses will be used localy, which address will be used remotely, and the traffic we will encrypt, for the example, the network will be:
- Local network (*): 192.168.1.0/24
- Remote VPN network (*): 192.168.2.0/24
- VPN Pool name: VPN-POOL
- VPN Pool address: 192.168.2.1-192.168.2.100
(*) Please note it would be a good idea to use another IP addresses, as many local networks are default configured with these adresses, and can make the VPN unusable, any 192.168.x.0/24 keeping x greater than 2 could be a good option.
We will configure the VPN Pool with the VPN remote addresses, the access-list to define traffic to encrypt and will modify the current NAT access-list to avoid NATing of the VPN traffic (**), we will assume the VPN access-list is 101 and the NATed access-list is 100:
ip local pool VPN-POOL 192.168.2.1 192.168.2.100
access-list 100 remark NAT
access-list 100 deny ip 192.168.10 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark VPN Traffic
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
(**) NAT configuration excluded from the example, any using access-list would work
ISAKMP negotiation
The first part of the ISAKMP configuration has nothing to do with the parameters to configure on the OSX, so just copying and pasting this will work, we are free to define more negotiation types here (just with other preference than 20). In the next part we are using MY_IPSEC_VPN_GROUP for the group, and MySharedKeyForTheIPSecVPNGroup as the password, please change with the data collected at the begining of the configuration, here you must change
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 20
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group MY_IPSEC_VPN_GROUP
key MySharedKeyForTheIPSecVPNGroup
pool VPN-POOL
acl 101
crypto isakmp profile VPNClient
description VPN Clients profile
match identity group MY_IPSEC_VPN_GROUP
client authentication list <Put here a local authentication method>
client authorization list <Put here a local authorization method>
client configuration address respond
If local authentication and authorization is used, it would be needed to configure a local user, to prevent local access to the router configuration, it would be needed to not specifing the privilege for the user:
username <VPN user> password <password>
Basic IPSec negotiation
The next step is to provide the basis of the IPSec tunnel, here we will assume 3DES for encryption and SHA for hashing, we have to remember here that the OSX does not provide header compression, so we should never enable it.
crypto ipsec security-association lifetime kilobytes 536870912
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
Crypto map configuration
Here we will need to know the outer interface, for the example it would be Dialer1, but will need to be changed to whatever your outer interface will be. Here we can define more IPSec options, just taking note to have other preference than 31.
crypto dynamic-map DYNMAP 10
description VPN Clients
set transform-set 3DES-SHA
set isakmp-profile VPNClient
crypto map CLIENTMAP local-address Dialer1
crypto map CLIENTMAP 31 ipsec-isakmp dynamic DYNMAP discover
Assigning the crypto map configuration
The last step is configuring the crypto map in the outer interface, as in this example the outer interface is Dialer1, the crypto map will be aplied to that interface, please note the name of the crypto map is matched with the crypto map from the last step:
interface Dialer1
crypto map CLIENTMAP
Now we have the router configured, now we will have to configure the OSX.
- In setting, network, we wil click the + sign at the bottom left of the list of interfaces to add a new interface, we will choose VPN as interface type, and Cisco IPSec as VPN type. We can provide here any familiar name for the VPN.
- In the server address we will provide the outer address of our router, if dynamic, here we will put the name we use with our prevered dynamic DNS provider, a static address is always painless, but dynamic DNS works fine with Cisco routers
- On the name of the account we will put the username configured on the router
- Clicking on authentication configuration, we will provide the secret for the group, and the group name
We are able to click on the Connect button to test our VPN connection.
Hope this could be helpfull for anybody trying to configure an IPSec VPN in the Cisco routers to a MAC OSX client, I would like to know the problems people has configuring this kind of VPN, and if anybody has other preferences for the kind of client.