Introduction
This document answers frequently asked questions about Cisco's VPN Client solutions available on Mac OS X.
General Questions
Q. What options do I have in order to provide remote access to Mac users?
A.
There are three VPN Client solutions that can be implemented, dependent upon the Mac OS Version.
| VPN Client | Technology/Protocol | Mac OS X 10.5 | Mac OS X 10.6 | Mac OS X 10.7 | Mac OS X 10.8 |
|---|---|---|---|---|---|
| Mac Built-in VPN Client | IPsec | X | X | X | |
| Cisco Remote Access IPsec Client | IPsec | X | X | | |
| Cisco AnyConnect Secure Mobility Client | SSL, IKEv2/IPsec | X* | X | X** | X*** |
*Mac OS X 10.5 (Leopard) is no longer supported in AnyConnect Release 3.1. Also, PowerPC support was dropped in Release 3.0 and later.
**Mac OS X 10.7 (Lion) is supported in AnyConnect Releases 2.5.3051 and 3.0.3054 and later.
***Mac OS X 10.8 (Mountain Lion) is supported in AnyConnect Releases 3.0.08057 and 3.1 and later.
Q. How do I uninstall Cisco VPN Client on Mac OS X?
A.
In order to uninstall the Cisco VPN Client, complete these steps:
- Enter these commands to clean out the old Cisco VPN kernel extension and reboot the system.
sudo -s
rm -rf /System/Library/StartupItems/CiscoVPN
rm -rf /Library/StartupItems/CiscoVPN
rm -rf /System/Library/Extensions/CiscoVPN.kext
rm -rf /Library/Extensions/CiscoVPN.kext
rm -rf /Library/Receipts/vpnclient-kext.pkg
rm -rf /Library/Receipts/vpnclient-startup.pkg
reboot
- If you installed the Cisco VPN for Mac version 4.9.01.0180 package, enter these commands to delete the misplaced files. The deletion of these files will not affect your system, since applications do not use these misplaced files in their current location.
sudo -s
rm -rf /Cisco\ VPN\ Client.mpkg
rm -rf /com.nexUmoja.Shimo.plist
rm -rf /Profiles
rm -rf /Shimo.app
exit
- Enter these commands if you no longer need the old Cisco VPN Client or Shimo.
sudo -s
rm -rf /Library/Application\ Support/Shimo
rm -rf /Library/Frameworks/cisco-vpnclient.framework
rm -rf /Library/Extensions/tun.kext
rm -rf /Library/Extensions/tap.kext
rm -rf /private/opt/cisco-vpnclient
rm -rf /Applications/VPNClient.app
rm -rf /Applications/Shimo.app
rm -rf /private/etc/opt/cisco-vpnclient
rm -rf /Library/Receipts/vpnclient-api.pkg
rm -rf /Library/Receipts/vpnclient-bin.pkg
rm -rf /Library/Receipts/vpnclient-gui.pkg
rm -rf /Library/Receipts/vpnclient-profiles.pkg
rm -rf ~/Library/Preferences/com.nexUmoja.Shimo.plist
rm -rf ~/Library/Application\ Support/Shimo
rm -rf ~/Library/Preferences/com.cisco.VPNClient.plist
rm -rf ~/Library/Application\ Support/SyncServices/Local/TFSM/com.nexumoja.Shimo.Profiles
rm -rf ~/Library/Logs/Shimo*
rm -rf ~/Library/Application\ Support/Growl/Tickets/Shimo.growlTicket
exit
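The steps above delete a long list of paths blindly. As an added example (not part of the Cisco document), the script below first audits a system for whatever is left of the legacy client and Shimo, using the same path list, and deletes only when explicitly asked. The ROOT and HOME_DIR parameters are an assumption of this script so that it can be pointed at a mounted volume or a test directory; with no arguments it only reports.

```shell
#!/bin/sh
# Added example, not Cisco's code: audit leftovers of the legacy Cisco IPsec VPN
# Client and Shimo on Mac OS X, using the path list from the uninstall steps above.
# Report-only by default; deletion only with --remove (run under sudo for that).
# ROOT and HOME_DIR are parameters (assumed here) so the audit can target a mounted
# volume or a test directory; the defaults are "/" and "$HOME".

# System-wide paths, relative to ROOT (from the uninstall steps above).
SYSTEM_PATHS='System/Library/StartupItems/CiscoVPN
Library/StartupItems/CiscoVPN
System/Library/Extensions/CiscoVPN.kext
Library/Extensions/CiscoVPN.kext
Library/Receipts/vpnclient-kext.pkg
Library/Receipts/vpnclient-startup.pkg
Library/Application Support/Shimo
Library/Frameworks/cisco-vpnclient.framework
Library/Extensions/tun.kext
Library/Extensions/tap.kext
private/opt/cisco-vpnclient
Applications/VPNClient.app
Applications/Shimo.app
private/etc/opt/cisco-vpnclient
Library/Receipts/vpnclient-api.pkg
Library/Receipts/vpnclient-bin.pkg
Library/Receipts/vpnclient-gui.pkg
Library/Receipts/vpnclient-profiles.pkg'

# Per-user paths, relative to HOME_DIR.
USER_PATHS='Library/Preferences/com.nexUmoja.Shimo.plist
Library/Application Support/Shimo
Library/Preferences/com.cisco.VPNClient.plist
Library/Application Support/SyncServices/Local/TFSM/com.nexumoja.Shimo.Profiles
Library/Application Support/Growl/Tickets/Shimo.growlTicket'

# find_legacy_vpn_leftovers ROOT HOME_DIR
# Prints every listed path that still exists, one per line. Exit status is always 0.
find_legacy_vpn_leftovers() {
    root=${1%/}
    home=${2%/}
    printf '%s\n' "$SYSTEM_PATHS" | while IFS= read -r rel; do
        if [ -e "$root/$rel" ]; then printf '%s\n' "$root/$rel"; fi
    done
    printf '%s\n' "$USER_PATHS" | while IFS= read -r rel; do
        if [ -e "$home/$rel" ]; then printf '%s\n' "$home/$rel"; fi
    done
    # ~/Library/Logs/Shimo* is a glob in the original steps; expand it here.
    for log in "$home"/Library/Logs/Shimo*; do
        if [ -e "$log" ]; then printf '%s\n' "$log"; fi
    done
    return 0
}

# remove_legacy_vpn_leftovers ROOT HOME_DIR
# Deletes what find_legacy_vpn_leftovers reports and prints the number removed.
# A temp file is used instead of a pipe so the counter survives (no subshell).
remove_legacy_vpn_leftovers() {
    list="${TMPDIR:-/tmp}/legacy_vpn_$$.lst"
    count=0
    find_legacy_vpn_leftovers "$1" "$2" > "$list"
    while IFS= read -r path; do
        rm -rf "$path"
        count=$((count + 1))
    done < "$list"
    rm -f "$list"
    echo "$count"
}

# Usage: sh audit_legacy_vpn.sh            (report only)
#        sudo sh audit_legacy_vpn.sh --remove
case "${1:-}" in
    --remove) remove_legacy_vpn_leftovers / "$HOME" ;;
    *)        find_legacy_vpn_leftovers / "$HOME" ;;
esac
```

Run the report first, confirm the list is what you expect, then run it again with --remove; re-running the report afterwards should print nothing.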
Q. What are the feature differences between the Cisco Remote Access VPN Client and AnyConnect VPN Client?
A.
This is beyond the scope of this document, but fundamentally SSL VPN has more features than the Cisco Remote Access Software VPN Client, because it is a newer technology and new features are rolled into each new release of AnyConnect. The latest AnyConnect Secure Mobility Client, Version 3.0, includes the same feature-rich support for both SSL VPN and IKEv2.
IPsec VPN Questions
Q. If I want to use IPsec, should I use the built-in Mac VPN Client or the Cisco Remote Access VPN Client?
A. Either VPN Client can be used. The advantages of each are explained here:
Mac VPN Client
- + The Apple built-in client ensures support as the Mac OS evolves.
- + The client is integrated into Mac OS X 10.6 and later.
- + Faster to configure as it does not require installation of another application.
- - Not built into Mac OS X 10.5.
Cisco Remote Access VPN Client
- + Supported in Mac OS X 10.5 and 10.6.
- - Requires installation of another software application on your Mac.
- - In early 2011, Macs began to ship with Mac OS X 10.6 running a 64-bit kernel. The 64-bit kernel is not supported by the Cisco Remote Access VPN Client and results in Error 51 after installation. Refer to Cisco IPsec VPN Client on MAC OS X generates the error "Error 51: Unable to communicate with the VPN subsystem".
You can also use AnyConnect, which allows you to take advantage of Next Generation Encryption (NGE) ciphers and advancements in the IKEv2 protocol.
Q. How do I configure the Mac built-in VPN Client?
A.
In Mac OS X 10.6 and later:
- Choose System Preferences > Network.
- Click the lock button to unlock it and make changes.
- Click the plus sign above the unlocked lock button to add an interface.
- From the Interface drop-down list, choose VPN.
- From the VPN Type drop-down list, choose Cisco IPSec.
- In the Service Name text box, type an easy-to-remember interface name such as 'Corp IPsec VPN'.
- Click OK and then select this new interface.
- Click the new VPN interface to configure it:
- Server Address: the VPN headend's outside interface IP address (WAN/publicly routable IP address)
- Account Name: the username
- Account Password: the user's password
- Click Authentication Settings.
- Under Machine Authentication, click the radio button for your authentication mechanism (pre-shared key or certificate authentication).
- If you use a pre-shared key, type the key that matches the pre-shared key defined on the VPN headend into the Shared Secret dialog box.
- Enter the Group Name that matches the one defined in the EZVPN configuration on the VPN headend device (ASA 'tunnel-group', IOS 'crypto ipsec client ezvpn group').
Q. I tried to use the built-in Mac Client on Lion, but I receive a phase 2 mismatch. What should I do?
A.
If your Microsoft Windows clients work, or your older Macs that use the Cisco Remote Access VPN Client work, and only the Lion machines cannot connect, the cause is most likely a phase 2 mismatch. The mismatch is visible in the output of 'debug crypto ipsec' on the ASA. It means that the configured transform sets probably do not include an encryption algorithm the Mac built-in client offers: on Lion, the client uses 3DES or AES and does not support DES. In order to work around this issue, either switch the transform set to use 3DES completely or add multiple transform sets as shown here:
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
This issue is usually caused by running an ASA software release earlier than Release 8.4. Later ASA software comes with all of these transform sets defined by default, so no additional configuration is required to make it work.
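Before touching the ASA configuration, it helps to know which transform sets the dynamic map actually offers and whether any of them is one the Lion client can negotiate. The script below is an added example, not Cisco's code: it parses transform-set definitions and the 'set transform-set' statement from 'show running-config crypto' output and classifies each referenced set as OK (esp-3des or esp-aes), UNSUPPORTED (esp-des, and esp-null, which the built-in client does not support either) or UNDEFINED (referenced but never defined). The sample configuration embedded in it is constructed for a hypothetical lab ASA.

```shell
#!/bin/sh
# Added example, not from the Cisco document: check ASA transform sets against what
# Lion's built-in client negotiates (3DES or AES; DES and ESP-NULL are not supported).
# Feed the output of "show running-config crypto" on stdin.

# Constructed sample for a hypothetical lab ASA: one set is DES-only, one is
# ESP-NULL, one is 3DES, and one is referenced but never defined.
SAMPLE_CONFIG='crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-NULL-SHA ESP-3DES-SHA ESP-AES-256-SHA'

# check_phase2_sets < config
# For every transform set named in a "set transform-set" statement, prints
# "<name> OK" (esp-3des or esp-aes*), "<name> UNSUPPORTED" (esp-des, esp-null or
# no recognised ESP algorithm) or "<name> UNDEFINED" (referenced but not defined).
check_phase2_sets() {
    awk '
        # Definition line: remember the ESP encryption transform of each named set.
        $1 == "crypto" && $2 == "ipsec" && $3 == "transform-set" {
            enc = "none"
            for (i = 5; i <= NF; i++) if ($i ~ /^esp-(des|3des|aes|null)/) enc = $i
            def[$4] = enc
            next
        }
        # Reference line: every word after "set transform-set" is a set name.
        /set transform-set/ {
            for (i = 2; i <= NF; i++)
                if ($(i-1) == "set" && $i == "transform-set")
                    for (j = i + 1; j <= NF; j++) ref[++n] = $j
        }
        END {
            for (k = 1; k <= n; k++) {
                s = ref[k]
                if (!(s in def))                     print s, "UNDEFINED"
                else if (def[s] ~ /^esp-(3des|aes)/) print s, "OK"
                else                                 print s, "UNSUPPORTED"
            }
        }'
}

# has_lion_compatible_set < config
# Exit status 0 when at least one referenced transform set uses 3DES or AES,
# i.e. the Lion client has something it can agree on in phase 2.
has_lion_compatible_set() {
    check_phase2_sets | grep -q ' OK$'
}

# Stand-alone run: classify the constructed sample.
printf '%s\n' "$SAMPLE_CONFIG" | check_phase2_sets
```

To check a real box, paste the 'show running-config crypto' output into a file and run 'check_phase2_sets < asa-crypto.txt'; if 'has_lion_compatible_set' fails, add a 3DES or AES transform set to the dynamic map as described above.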
Q. Are there any compatibility issues with the Cisco Remote Access VPN Client?
A.
Refer to the Software Release Notes first for compatibility guidelines. Note the Error 51 compatibility issue between the Cisco Remote Access VPN Client and the 64-bit Mac kernel discussed in this document.
Q. Where can I download the Cisco Remote Access VPN Client?
A.
- Open the Cisco Support Page.
- Click Download Software.
- Choose Products > Security > Virtual Private Networks (VPN) > Cisco VPN Clients > Cisco VPN Client.
- Choose Cisco VPN Client v4.x.
- Choose Mac OS.
Q. I tried to use Cisco VPN Client, but received Error 51. What should I do?
A.
Q. Does the built-in Mac VPN Client support ESP-NULL transforms?
A.
No, the built-in client does not support this transform set.
SSL VPN Questions
Q. Are there compatibility issues with the AnyConnect Client?
A.
Refer to the Software Release Notes for compatibility guidelines. The ASA VPN Compatibility Reference is another great reference. AnyConnect is compatible with any ASA Version 8.0 or later and Cisco IOS Release 12.4(15)T or later.
Q. Where can I download the Cisco AnyConnect VPN Client?
A.
- Open the Cisco Support Page.
- Click Download Software.
- Choose Products > Security > Virtual Private Networks (VPN) > Cisco VPN Clients.
- For version 3.0, choose Cisco AnyConnect Secure Mobility Client.
- For versions 2.5 and earlier, choose Cisco AnyConnect VPN Client.
- Select the necessary package. To upload the client to your ASA, choose the file with 'mac' and '.pkg' in its name; to install the software directly on the Mac, choose the '.dmg' file.
Q. I can connect with AnyConnect in Windows, but not Mac. Why not?
A.
A separate AnyConnect software package must be loaded onto the ASA for each client operating system that you support. There are several common errors that users run into when they browse to the webvpn portal from an OS for which no package has been loaded and try to launch AnyConnect. These include:
- AnyConnect package unavailable on the Peer. Contact your system administrator.
- AnyConnect package unavailable or corrupted. Contact your system administrator.
Related Information
- ASA and AnyConnect Configuration Examples and TechNotes
- AnyConnect VPN Client FAQ
- ASA VPN Compatibility Reference
- Cisco IPSec VPN Client on MAC OS X generates the error "Error 51: Unable to communicate with the VPN subsystem"
- Technical Support & Documentation - Cisco Systems
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.