Using a Cisco IPSec VPN on your iPhone / OS X 10.6
We’re in the process of deploying a new set of servers behind a new firewall. The servers can only be accessed via our IPSec VPN provided through the Cisco hardware firewalls and whilst this works “out of the box” with the provided Cisco client, it’s so horrible (Java) that it’s worth taking some time to configure the firewall so it can be used with the iPhone and OS X 10.6 Cisco VPN clients.
The first time we encountered the issue, it took a lot of time and research from us and our provider, Rackspace, to get the right configuration – the default options won’t let your iPhone / OS X connect.
Changes to the firewall
Minimum requirements:
- You must run the firewall firmware v7 or above to get VPN support for the iPhone client (Cisco docs).
- The entry level Cisco Pix 506 firewall provided by Rackspace as standard cannot be updated to v7. You must use a PIX 515/515E, PIX 525, PIX 535, ASA5510, 5520, 5540 or 5550 (Cisco docs).
The configuration of the firewall itself requires extended authentication (XAUTH) to be enabled for the tunnel group, on top of the group pre-shared key. The tunnel group needs to be tied to a group policy that defines the tunnel protocol and split tunneling settings. In practice this means removing the “isakmp ikev1-user-authentication none” line from the tunnel group's IPSec attributes (XAUTH is on by default; that line is what disables it) and creating one or more users in the local user database. Note that the Apple clients negotiate IKE aggressive mode (see the racoon log further down), in which the hash of the group pre-shared key can be captured off the wire and brute-forced offline, so choose a long random shared secret; the per-user XAUTH password is the second factor.
Here is our configuration (from an ASA5505) with passwords removed:
group-policy iphone internal
group-policy iphone attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 202
username david password PASSWORDHERE encrypted
tunnel-group iphone type remote-access
tunnel-group iphone general-attributes
 address-pool ippool
 default-group-policy iphone
tunnel-group iphone ipsec-attributes
 pre-shared-key SHAREDKEYHERE
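The fragment above assumes the address pool, the split-tunnel access list and the crypto map already exist. The following is an added example (not the configuration from the original post) that shows the “before” state with XAUTH disabled next to a complete working version. The pool range 192.168.100.10-50, the internal network 10.0.0.0/24, the interface name “outside”, the crypto map and transform-set names, and the ISAKMP policy are all assumptions chosen for illustration; the syntax is that of ASA 7.x/8.0-8.2 (release 8.4 renamed the crypto commands to “crypto ikev1 …”).

```cisco
! --- BEFORE: the line that stops the iPhone / OS X clients connecting ---
! With user authentication set to none the ASA never sends an XAUTH request,
! and the Apple client fails phase 1 (the racoon log shows "Phase1 AUTH: failed").
tunnel-group iphone ipsec-attributes
 pre-shared-key SHAREDKEYHERE
 isakmp ikev1-user-authentication none

! --- AFTER: complete remote-access configuration (assumed values, see lead-in) ---
! Addresses handed to VPN clients (assumed range)
ip local pool ippool 192.168.100.10-192.168.100.50 mask 255.255.255.0

! Networks that are sent through the tunnel; everything else stays local (assumed network)
access-list 202 standard permit 10.0.0.0 255.255.255.0

! Phase 1 proposal and NAT traversal (assumed policy; NAT-T helps clients behind home/3G NAT)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

! Phase 2 proposal, attached to a dynamic crypto map because client addresses are unknown
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map dyn-vpn 10 set transform-set ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-vpn
crypto map outside_map interface outside

! Group policy: IPSec only, split tunnelling to the networks in ACL 202
group-policy iphone internal
group-policy iphone attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 202

! Local user database for XAUTH; group-lock stops the account being used with another tunnel group
username david password PASSWORDHERE
username david attributes
 group-lock value iphone

! Tunnel group: name = "Group Name" in the Apple client, pre-shared key = "Shared Secret"
tunnel-group iphone type remote-access
tunnel-group iphone general-attributes
 address-pool ippool
 default-group-policy iphone
tunnel-group iphone ipsec-attributes
 pre-shared-key SHAREDKEYHERE
 isakmp ikev1-user-authentication xauth
```

The last line restores the default, so it will not appear in “show running-config”; the point is simply that the “none” variant must be gone. Because the shared secret is the aggressive-mode group credential, treat it like a password and generate it randomly rather than deriving it from the group name.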
The client
You can connect to the Cisco IPSec VPN through OS X 10.6's built-in client. This is in System Preferences > Network > Add > VPN > Cisco IPSec. You’ll be asked to provide a username, server name and password. You also have to click on the authentication settings and enter the shared secret (the tunnel group's pre-shared key) and group name (the tunnel group name) as configured on your firewall.
Unfortunately there is a bug in OS X which means it will not remember the password. This is very annoying as it means you’ll have to enter the password every single time you connect to the VPN. It’s reported to Apple under bug ID #7573884 and is compounded by another bug which prevents copy/pasting the password, also known by Apple under bug ID #5296712.
If you get errors that look like those below, with phase 1 authentication failing on the second aggressive-mode message, then you probably haven’t configured the firewall as described above. You’ll find these logged in /var/log/system.log on OS X.
Feb 24 18:06:58 Panama racoon[20256]: Connecting.
Feb 24 18:06:59 Panama racoon[20256]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Feb 24 18:06:59 Panama racoon[20256]: IKEv1 Phase1 AUTH: failed. (Initiator, Aggressive-Mode Message 2).
Feb 24 18:06:59 Panama racoon[20256]: IKE Packet: transmit success. (Information message).
Feb 24 18:06:59 Panama racoon[20256]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
Feb 24 18:06:59 Panama racoon[20256]: IKE Packet: receive failed. (Initiator, Aggressive-Mode Message 2).
Feb 24 18:06:59 Panama racoon[20256]: Disconnecting. (Connection tried to negotiate for, 1.054018 seconds).
Feb 24 18:06:59 Panama racoon[20256]: IKE Packets Receive Failure-Rate Statistic. (Failure-Rate = 100.000).
Feb 24 18:06:59 Panama racoon[20256]: IKE Phase1 Authentication Failure-Rate Statistic. (Failure-Rate = 100.000).