This post is intented to be a merge of two of the technologies of my life. In one hand Cisco networking with the old IPSec VPN, and on the other hand OSX, which has been a good friend in my iOS development career.<\/p>\n
I was using Cisco anyconnect in the past (let’s say “the new” or “the good” solution), but dealing with updates on the client of the router on each OSX new version is something that can keep more than one out of the anyconnect option.<\/p>\n
Here we will address two configuration, firstly we will explain the data needed to configure a Cisco IPSec VPN, and then we will go further explaining the steps needed to configure one, in the first step, we will address Cisco router configuration, and then we will be able to configure it on the MAC.<\/p>\n
The IPSec has two steps to start, in first step manages the ISAKMP tunnel, and on the second step is created the IPSec tunnel for the data. The data to know before start is:<\/p>\n
All the rest of the configuration can be fine-tuned, but isn’t important to the client (will work if not modified, but Apple does not support all the options on hashing does not support header compression).<\/p>\n
First we will specify clearly which IP addresses will be used localy, which address will be used remotely, and the traffic we will encrypt, for the example, the network will be:<\/p>\n
(*) Please note it would be a good idea to use another IP addresses, as many local networks are default configured with these adresses, and can make the VPN unusable, any 192.168.x.0\/24 keeping x greater than 2 could be a good option.<\/p>\n
We will configure the VPN Pool with the VPN remote addresses, the access-list to define traffic to encrypt and will modify the current NAT access-list to avoid NATing of the VPN traffic (**), we will assume the VPN access-list is 101 and the NATed access-list is 100: The first part of the ISAKMP configuration has nothing to do with the parameters to configure on the OSX, so just copying and pasting this will work, we are free to define more negotiation types here (just with other preference than 20). In the next part we are using MY_IPSEC_VPN_GROUP for the group, and MySharedKeyForTheIPSecVPNGroup as the password, please change with the data collected at the begining of the configuration, here you must change If local authentication and authorization is used, it would be needed to configure a local user, to prevent local access to the router configuration, it would be needed to not specifing the privilege for the user: The next step is to provide the basis of the IPSec tunnel, here we will assume 3DES for encryption and SHA for hashing, we have to remember here that the OSX does not provide header compression, so we should never enable it. Here we will need to know the outer interface, for the example it would be Dialer1, but will need to be changed to whatever your outer interface will be. Here we can define more IPSec options, just taking note to have other preference than 31. The last step is configuring the crypto map in the outer interface, as in this example the outer interface is Dialer1, the crypto map will be aplied to that interface, please note the name of the crypto map is matched with the crypto map from the last step: Now we have the router configured, now we will have to configure the OSX.<\/p>\n We are able to click on the Connect button to test our VPN connection.<\/p>\n Hope this could be helpfull for anybody trying to configure an IPSec VPN in the Cisco routers to a MAC OSX client, I would like to know the problems people has configuring this kind of VPN, and if anybody has other preferences for the kind of client.<\/p>\n","protected":false},"excerpt":{"rendered":" This post is intented to be a merge of two of the technologies of my life. In one hand Cisco networking with the old IPSec VPN, and on the other hand OSX, which has been a good friend in my iOS development career. I was using Cisco anyconnect in the past (let’s say “the new” […]<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17,18,5,19],"tags":[],"_links":{"self":[{"href":"http:\/\/iosnow.net\/index.php?rest_route=\/wp\/v2\/posts\/50"}],"collection":[{"href":"http:\/\/iosnow.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/iosnow.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/iosnow.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/iosnow.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=50"}],"version-history":[{"count":6,"href":"http:\/\/iosnow.net\/index.php?rest_route=\/wp\/v2\/posts\/50\/revisions"}],"predecessor-version":[{"id":56,"href":"http:\/\/iosnow.net\/index.php?rest_route=\/wp\/v2\/posts\/50\/revisions\/56"}],"wp:attachment":[{"href":"http:\/\/iosnow.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=50"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/iosnow.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=50"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/iosnow.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=50"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n
\nip local pool VPN-POOL 192.168.2.1 192.168.2.100
\naccess-list 100 remark NAT
\naccess-list 100 deny ip 192.168.10 0.0.0.255 192.168.2.0 0.0.0.255
\naccess-list 100 permit ip 192.168.1.0 0.0.0.255 any
\naccess-list 101 remark VPN Traffic
\naccess-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
\n<\/code>
\n(**) NAT configuration excluded from the example, any using access-list would work<\/p>\nISAKMP negotiation<\/h2>\n
\n
\ncrypto isakmp policy 20
\n encr 3des
\n authentication pre-share
\n group 2
\ncrypto isakmp keepalive 20
\ncrypto isakmp xauth timeout 60
\n!
\ncrypto isakmp client configuration group MY_IPSEC_VPN_GROUP
\n key MySharedKeyForTheIPSecVPNGroup
\n pool VPN-POOL
\n acl 101
\ncrypto isakmp profile VPNClient
\n description VPN Clients profile
\n match identity group MY_IPSEC_VPN_GROUP
\n client authentication list <Put here a local authentication method>
\n client authorization list <Put here a local authorization method>
\n client configuration address respond
\n<\/code><\/p>\n
\nusername <VPN user> password <password><\/code><\/p>\nBasic IPSec negotiation<\/h2>\n
\n
\ncrypto ipsec security-association lifetime kilobytes 536870912
\ncrypto ipsec security-association lifetime seconds 86400
\ncrypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
\n<\/code><\/p>\nCrypto map configuration<\/h2>\n
\n
\ncrypto dynamic-map DYNMAP 10
\n description VPN Clients
\n set transform-set 3DES-SHA
\n set isakmp-profile VPNClient
\ncrypto map CLIENTMAP local-address Dialer1
\ncrypto map CLIENTMAP 31 ipsec-isakmp dynamic DYNMAP discover
\n<\/code><\/p>\nAssigning the crypto map configuration<\/h2>\n
\n
\ninterface Dialer1
\n crypto map CLIENTMAP
\n<\/code><\/p>\n\n