
Troubleshooting Macs on
Virtual Private Networks

Last updated May 4, 2006


Have you found a tip or problem with Macs and VPNs? Let us know.

Introduction

Virtual Private Networks are used to create a secure connection from a computer to another network, often over the Internet. This can be done with client software on the Mac, sometimes in conjunction with server software or gateways. There are several choices of "tunneling protocols" that can be used by the server and client, including Microsoft's PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol), created by an industry group that included Microsoft and Cisco, and the more secure IPsec. There are also VPN products that use proprietary technology. VPNs also use encryption of data and authentication of the client.

See a list of Macintosh VPN hardware and software products on our Network Solutions page.

Reader Reports

Cisco VPN5000

June 20, 2001
Dr. Andrew R. Jones

I am a member of the University of Southern California Space Science Center, but for the last 2 years I have been living in Phoenix AZ. In order to make the academic resources of USC available to external users, a VPN gateway was set up.

I use the Cisco VPN5000 client on the Mac, and the IntraPort client on a portable PC. Both systems seem to work flawlessly, though with a fairly significant network performance penalty.

I have had no need to use other systems, but am very happy on the whole with the system I am using.

June 20, 2001
Ben Levin

So far it works great! I have not yet tested it with Dave to see if I can access shared network drives. At my office we have two Cisco 5001 VPN Concentrators that we've been testing, and they work very well with the Mac, at least as far as IP goes. I've never been able to get AppleTalk working, even though it is supposedly supported (at least on the VPN Concentrator end). However, with OS 9 and X features such as AppleShare IP, AppleTalk is not necessary. Cisco is even working on a VPN client for Mac OS X.

I've been involved with beta testing, and it works just as well as the final Windows clients. I would definitely recommend that anyone looking for VPN solutions for the Mac look into the Cisco products.

June 20, 2001
Rick Bates

Forced to use Cisco VPN 5000 Mac client but have no complaints in general. I mostly use it to access a few specific applications or to get to my office Mac via Timbuktu for which it works fine. Minor (in my case) complaint is that my company is PC-centric and has not set up the AppleTalk tunneling but I don't typically print from home or get files (except off my own Mac).

Cisco VPN and AirPort (use NAT transparency mode)

June 20, 2001
Pedro Gelabert

I just got VPN access into Texas Instruments.

Considering how anti-Mac OS Texas Instruments is, I was surprised to find that a VPN client was made available. I am currently using a Cisco 777 DSL modem connected to an Airport and I am happily surfing the intranet. The client software is a Cisco VPN 5000. To work with the airport, all I needed to enable is the check box: use NAT transparency mode.

Cisco and Timbuktu

June 21, 2001
Claire McKnight

Our company also uses the Cisco VPN5000 client and I use Timbuktu Pro 5.2.4 with Mac OS 9.1 on a 8600/G3 using Remote Access Dialup with a 56K modem. Surprisingly, it works extremely well.

More on the Cisco VPN product line

June 25, 2001
John Lockwood

Cisco currently has three different VPN server solutions, a) using a standard Cisco PIX firewall, b) using the VPN 3000 series, and c) using the VPN 5000 series (which used to be the Compatible Systems Intraport). However Cisco do not have a Mac client for the first two options, and the Mac client for the 5000 series only works with the 5000 series (at least currently).

There is a small chance Cisco might update the 5000 series client to work with their other product ranges. People might be interested to know that Apple has used the Intraport as their internal solution for a long time.

Cisco VPN and VPC

July 31, 2001
Sue Frary

The Cisco 5000 Mac client works flawlessly into my company's PC-centric systems from my Ti powerbook using Airport - I also found the only change in settings is to use NAT.

The Win98 Cisco VPN client also works flawlessly on Virtual PC, also using Airport. And that's fairly amazing.

Cisco VPN 5000 OS X Mac client problem with OS X 10.1

October 5, 2001 -- Sue Frary reports this problem with Mac OS X and the Cisco 5000 virtual private network client:

After installing OS 10.1, I happily unpackaged my new Cisco VPN 5000 OS X client v. 5.1.1 and installed that. Unfortunately my past experiences with bulletproof installation and performance of the 5000 client on OS 9.1 didn't prepare me for an error screen on first launch of the client. Error ID = -1, app could not find something called a Network Kernel Extension VLan. I have no clue. Aqua error window was pretty, though. Back to the drawing board with our friends at Cisco. Had a good network thru Airport, TCP/IP was right. Dunno where the elusive NKE VLan might have got to. Did not try this client version with 10.0. Maybe it does not like 10.1.

A number of other readers also reported this problem. The reason was that Apple rewrote the kernel in Mac OS X 10.1. You can read Apple's technical explanation on our Mac OS X report page.

EDITOR'S NOTE: October 29, 2001 -- Cisco has released Cisco VPN 5000 Client Version 5.1.4, which adds support for Mac OS X 10.1. To download it, you need to register for a Cisco CCO account. Cisco also has Release notes.

Cisco 3000 series

[NOTE: We would like to point out that Nortel offers a Netlock VPN Client for Cisco for Mac OS 8 and 9.]

July 17, 2001
Jim Ahearne

Several months ago Cisco unveiled a cross platform hardware solution to their 3000 VPN series. The new product is called the Cisco VPN 3002 Hardware Client. Before I drop the requests on my IT dept. to get one of these, I would love to know from the field how well it works.

We'd be interested in hearing from you if you've used the Cisco VPN 3000 series with Macs.

Reports on Cisco VPN3000 beta for OS X

December 6, 2001
Jeff Hokit explains why some MacWindows readers have been unable to download the client:

I think that downloading the Cisco Mac VPN software requires a full Cisco web account, not just a guest account. It's a pretty confusing web site. I don't know how you get a full account, I asked an IT technician at my company with a Cisco account to download it for me.

By the way, the new Cisco "Universal" VPN software is working well for me, despite its primitive user interface.

December 6, 2001
Zack Fisher

We got a copy of the VPN3000 for my little iBook at work (the entire school is Dell, I'm the only Mac.) The IS guy got a copy from Cisco's website. We have installed the program (very difficult process - you have to access the hidden files through a root login to get everything where it needs to be - all done through command line, too) - We have successfully connected, but we are still unable to actually access drives, yet. We think it may be because we need to update the actual concentrator (using 3.0, the Mac client is 3.5) to the 3.5 version. It may also have something to do with OS X not correctly reading hostnames (it doesn't recognize the same Go: connect to server: address I use when I am directly connected - perhaps the VPN loses something in the translation - we are looking into hostfile names now, and how we can assign them addresses in OS X).

DNS resolution on Mac OS X

December 12, 2001
Ed Dyer

I know, from just doing this myself, that OS X can be configured to resolve server names from additions in the Net Info manager, but it does not pass on this information to the Classic environment, should Zack be attempting to use Outlook.

A successful DNS resolution is realized when you are able to ping "servername" from the Network utility without putting in the IP. Net Info additions are described here.

I know there is another method to add hosts, but I've stuck with the NetInfo way and it works fine.

If using Outlook or needing to access drives in Classic, updates on Classic Hosts file syntax (from your Outlook/Exchange page in fact-your site rocks!) are here http://www.consultdifferent.com/vpnpdf.html

I don't have any specific experience with the Cisco client, though.

December 27, 2001
Zack Fisher

Regarding my attempts to connect my iBook running OS X 10.1.1 to the PC network at work from home - The IS guy here and I have been in contact with a Cisco rep and he has suggested there is a bug in the current software - He did give us a work around idea. He suggested turning off the hardware checksum on the computer - this is done through the root commands
sysctl -w net.link.ether.inet.apple_hwcksum_rx=0

and

sysctl -w net.link.ether.inet.apple_hwcksum_tx=0

(to turn hardware checksum back on, replace the 0 with a 1)

After we typed in these commands, and restarted the computer, we were able to access drives! However, not ALL of the drives. While we were always able to ping IP addresses, after turning off the hardware checksum we were also able to ping some drive names - but seemingly only random ones. We tried around 10 drives, and 4 were able to be located with a ping command and opened through the go: connect to server: address name.

Using Ed Dyer's tip given in the response to my original post, I assigned the "servernames" IP addresses in Netinfo Manager. This yielded successful connection to any and all drives.

Only semi-problem is that even with the IP address assigned, it takes around 30 seconds to connect because it does not use the assigned IP address from the beginning. It tries to resolve the name first by itself (perhaps 30 seconds waiting for a ping) then uses the assigned address and connects.

Is there a way to change this setting?

Cisco 3002 and Mac

December 10, 2001
Scott Ripley

I am the VPN administrator (among other things) at a major government site, and we have been using the 3002.

Since it's hardware, it'll work with anything. You just need the $1000 or so to buy it.

Bug: Cisco 3000 client 3.5 doesn't work in OS X Classic; upgrade to 3.5.1

Classic mode networking apps can't access the network when the Cisco 3000 VPN client 3.5 for OS X is running over Ethernet. Strangely, the apps do work over a PPP connection. The 3.5.1 upgrade fixes this bug.

Description of problem

June 7, 2002
Warwick Teale

There have been a series of posts on this subject in Microsoft.public.outlook.mac. I have the same problem and it is driving me mad. Classic mode apps like Outlook 2001 can't access the network when running under the Cisco 3000 VPN client 3.5 on OS/X when connected via Ethernet. All native OS X network apps work fine including NSLOOKUP and DNS accesses.

I can access Outlook 2001 under the OS X Cisco VPN client only when I use PPP (dial up modem). This is true for all other Classic mode applications that access the network, whilst running under the VPN. However, it doesn't work when I use Ethernet via ADSL.

I am able to access ALL OS X network applications under the VPN client. I have resolved all the issues with DNS's on OS X including disabling the hardware checksum settings as stipulated by CISCO.

The big problem for me is accessing my corporate email on one of the Exchange servers. I can access the server from OS X (ping, FTP, etc) via explicit IP and DNS (partial DNS as well).

However OS/9 applications such as WHATROUTE, Netscape, IE 5, and Outlook 2001 cannot access any of the network when I use the Ethernet connection in the network panels. Classic mode network apps (under Mac OS X) work fine when the VPN Client 3.5 is disabled.

I have also tried:

  • to play with localhost and the TCP/IP control panel while in Classic mode.
  • starting CLASSIC mode AFTER the VPNCLIENT session is established. A poster on this board said that works.. well it doesn't.
  • using Entourage native via IMAP (can't get connected to EXCHANGE server).

If you've seen this problem, please let us know.

Solution

June 10, 2002 -- Several readers wrote that this is a known bug. Readers also say that version 3.5.1 fixes the problem. Sonya Chang sent us a link to the Cisco release notes:

The lack of network access from Classic with Cisco VPN 3.5 was a known bug and has been fixed in the 3.5.1 release (which has been out since May). The documentation for this release is here. So you know what to look for, note that the docs refer to Classic apps as "legacy."

Version 3.5.1 is available for download from Cisco, though you need to have a partner username and password to get it.

A reader named Steve agrees:

This is a problem that's documented in the release notes for version 3.5 and is fixed in version 3.5.1. I've been using 3.5.1 for a month or two with my company's VPN and it's been working well.

DigiTunnel to access Cisco 3000

One reader reported using the DigiTunnel VPN client on OS X to access a Cisco 3000 VPN. See report below.

Jaguar problems with Cisco VPN 3.6.1

Note: most problems are cleared up in version 3.6.2 (below).

September 16, 2002 -- Cisco Systems has sent an explanation of the MacWindows reader reports (below) of problems with Mac OS X 10.2 and the Cisco VPN Client. Brian Daugherty told us that the problem is caused by some changes to Darwin, and that Cisco will release a version 3.6.2 to fix the problems. He also explained why some users don't see the problem:

I read over your readers experiences with the Cisco 3.6.1 VPN client on 10.2, and wanted to clarify some things.

First there will be a 3.6.2 release within a month which addresses all of the issues raised. There were many changes in the Darwin layer of OS X which affected the 3.6 client (ie broke it). A beta release may be available sooner if it's needed.

Unfortunately the timing of the release of Jaguar and the release of our 3.6 client happened in such a way as to make it nearly impossible to ensure the client's full interoperability with Jaguar.

Meanwhile, to clarify what users have been experiencing. The problems arose mostly from the addition of IPV6 into Darwin. When IPV6 was added it introduced several new interfaces and extra addresses to existing interfaces. These caused the 3.6 client to exceed the maximum number of supported interfaces. This is why turning off IPV6, or using just Ethernet or just wireless works, but using a combination or all of the above does not. This is why the client works for some and not others. Some people are using PPP or wireless and some are not. This increases or decreases the number of interfaces above or below the supported threshold.

Brian Daugherty
Software Engineer
Cisco Systems, Inc.

September 9, 2002 -- Cisco has released its Cisco VPN 3000 Client for OS X version 3.6.1, which now supports Mac OS X 10.2. Matt Richard reports:

I have been running v3.6.1 all morning without issues. Also, Cisco VPN concentrator code 3.6.1 was released, which fixes 6 or 8 security issues with version 3.6. Anyone running 3.6 should upgrade ASAP.

V3.6 doesn't work with Jaguar. Reports are below.

Problem description

August 27, 2002
Stephen Dampier

I installed Jaguar last night on my Power Mac and I can no longer use Cisco VPN. I even reinstalled Cisco VPN and still not working.

August 27, 2002
Rich Long

The Cisco 3000 VPN client (Darwin, 3.6) seems to break under Jaguar. The connection establishes, but no traffic passes.

Suggestions

August 30, 2002
Greg Priglmeier

I have confirmation from Cisco that 3.6 is required with OS 10.2. I'm not sure that they realized the client was broken with Jag because they talk about 3.6 like it was supposed to work.

Unfortunately, I have not been able to get it to run correctly as of today. If you load the software, and boot your OS 10.2 machine in verbose mode (command v after the chime) you will see the Cisco NKE load okay, but then 2 Cisco scripts fail to load properly. I have been told that the next version (3.7) will have a GUI interface and will work with 10.2. The expected release date is November 2002.

August 30, 2002
Remes Chuck

I originally ran 3.5.2 under 10.1.x, so after the 10.2 upgrade I installed the 3.6 client. It connects and passes traffic without a hitch. I've been using it now since Sunday.

August 30, 2002
Jeep Hauser

FYI, I've got the Cisco VPN 5000 client (latest version, 3.5.2), and it works just fine. Anything older did break with Jaguar.

I've used it on my TiBook --> Airport --> G4 Tower (software base station with Jaguar) --> DSL --> VPN Network and it works great.

September 4, 2002
Nojan Moshiri has another suggestion:

As a workaround until a new version is released by Cisco, turning IPV6 off works. Either edit /etc/hostconfig and put IPV6=-NO- and reboot or use

sudo /usr/sbin/ip6config stop-v6 [interface] or for example:

sudo /usr/sbin/ip6config stop-v6 en0

This has worked for several people.

September 4, 2002
An anonymous reader thinks he knows why only some people see the problem:

I found a part of the configuration manual that I thought may shed some light on why some people are working while others are not.
"Note: The VPN Client still supports DES/MD5; however, support for DES/SHA is no longer available. Because of the latter, Release 3.6 VPN Clients cannot connect to any central-site device group that is configured for (or proposing) DES/SHA. The VPN Client must either connect to a different group or the administrator for the central-site device must change the configuration from DES/SHA to DES/MD5 or another supported configuration. The VPN Client Administrator Guide lists all the supported encryption configurations."

Unfortunately since I am pretty darn sure that we will not be updating our concentrators any time soon, this means I won't be working from home unless I wipe and go back to 10.1.

September 4, 2002
Matt Richard

The Cisco VPN 3000/PIX/IOS client version 3.6 is not officially supported by Cisco on Mac OSX 10.2. I was told this by Cisco employees. They were hoping to get a fix release about the same time that 10.2 was released.

3.6 worked fine with all the Jaguar pre-releases that I checked out. Apple must have changed something at the last minute, and it threw the 3.6 client for a loop.

Does anyone know when Trolltech will release a QT toolkit for Jaguar?

Perhaps this support is in QT 3.1? We're all waiting for this, whether we know it or not.

The Cisco VPN 5000 client 5.2.3 for OSX does work on 10.2 for me, when using Airport cards. If I try to use it with a Lucent card and wireless driver 5.1 beta it causes an instant kernel panic when I try to connect.

Cisco does not, and will not support VPN 5000 clients on 10.2. I was told this by Cisco employees. So, your mileage may vary. The 5000 is basically a dead platform - Cisco will probably only release security fixes only from here out, and I don't blame them. They want to move all their developers to the 3000, which in my opinion, is a much better platform.

September 4, 2002
Ed Coye

Some of you that still cannot get version 3.6 of the Cisco VPN client working with Jag may be experiencing a bug if you are using a wireless router. Cisco has just identified a bug in version 3.6 working with OSX 10.2 on wireless. Since the bug was found within the last few days, no fix is known. They are still looking for a solution. However, 3.6 should work with a wired connection.

Confirmation that 3.7 with a GUI interface is in Beta. However, if you get on the beta program now, the wireless bug may not be fixed as of yet. They will require a wired connection to test.

September 4, 2002
Warwick Teale

Well I have had no satisfaction and would ask if someone would be able to help. I can't get access to any work emails via OUTLOOK Exchange using a public network and VPN anymore. Here is a log of the manually started script.

[warwick-Computer:/usr/local/bin] warwick% ./vpnclient connect towork
Cisco Systems VPN Client Version 3.6 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Mac OS X
Running on: Darwin 6.0 Darwin Kernel Version 6.0: Sat Jul 27 13:18:52 PDT 2002; root:xnu/xnu-344.obj~1/RELEASE_PPC Power Macintosh
Could not attach to driver. Is kernel module loaded?
[warwick-Computer:/usr/local/bin] warwick%

I get the message "Could not attach to driver. Is kernel module loaded?" Any ideas? I can confirm the NKE is started.

September 6, 2002
Jeffrey Sheldon

The best way to avoid the problems from VPN client 3.5.2 (or 3.6) and 10.2 is, if possible have the person's company set PPTP setting on on the VPN 3000. As we know Cisco uses IPsec but there is an option for PPTP.

Once I had my network administrator turn this setting on I could bypass the VPN client and use the built-in VPN client in 10.2 Internet Connect.

September 9, 2002
Sue Frary says Jaguar works just fine with the Cisco 5000 client:

The Cisco 5000 client (5.2.3) works fine in Jag - my company uses IPsec and a Radius server, and there are no problems.

Jaguar VPN needs to support IPsec - (the odds of getting most corporations to change how they do VPN in order to support Macs are slim to none.) Then we can ditch the Cisco client which is in the dreaded "end of life" status.

We've heard that IPSec is actually in Jaguar at the Darwin level, and is accessible via the Unix shell (Terminal). However, we've not seen how to access it. If you have, please let us know.

Most readers say version 3.6.1 doesn't fix problem.

September 12, 2002 -- A number of readers wrote to say that the new Cisco VPN Client 3.6.1 still does not work with Mac OS X 10.2. Two readers report that versions 3.6 and the new 3.6.1 do work. However, most readers report that although they can make a connection, no traffic passes over it.

September 12, 2002
Jeff Hokit

A couple of us here have tried the latest (3.6.1) Cisco VPN on Jaguar, but we can't get it to work. Same symptoms as the previous version: it will connect but no data will flow. Our VPN servers have been upgraded to the latest version, so a version mismatch is not the problem.

September 12, 2002
Dave Harrod found a discussion of the issue at the Apple forums:

At this point I've got the 3.6.1 client installed on Mac OS X 10.2 and if I'm using AirPort (to Linksys Cable/DSL router, to cable modem) it appears that I've made a connection successfully, BUT I can't access anything that I should be able to access on the company network, and I lose my Internet connection too. The funny thing is that if I turn airport off, and use Ethernet to the Linksys I can't even make the bogus connection.

I found this on the Apple discussion forums but I didn't feel confident in applying the fix described there.

September 12, 2002
Patrick Ford

I was supplied with the macvpnclient-darwin-3.6.1.Rel-k9.tar.gz client last week and I have the following error when trying to use it. (The kernel is loaded.)
% vpnclient connect sleh
Cisco Systems VPN Client Version 3.6.1 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Mac OS X
Running on: Darwin 6.0 Darwin Kernel Version 6.0: Sat Jul 27 13:18:52 PDT 2002; root:xnu/xnu-344.obj~1/RELEASE_PPC Power Macintosh
Could not attach to driver. Is kernel module loaded?

September 12, 2002
Two readers don't see the problem with 3.6.0 or 3.6.1. David Wolski reports:

I read the item about the new Cisco VPN client - 3.6.1, and felt compelled to say that I installed 3.6 moments after installing 10.2, and was able to access our VPN successfully and completely. Still, I will upgrade to the 3.6.1 client.

Howard Moftich says 3.6 works with OS X 10.2 on Ethernet, but not with one wireless networking card. 3.6.1 fixes this:

v3.6 of the Cisco 3000 VPN client worked fine for me on my Lombard although it did NOT work w/ my Lucent 802.11 card (ie. worked only w/ wired Ethernet) under Jag 10.2. I don't know why folks are saying it doesn't.

I tried v3.6.1 today and this version of the client fixes the 802.11 problem so I'm quite happy I don't have to wait until Nov. for their 3.7 client. Interestingly, they include a boatload of .png files in the .tar.gz. to support the new GUI but the GUI is nowhere to be found.

September 12, 2002
Maurizio Ortolani

Since upgrading to 10.2 I have not been able to tunnel through our Cisco Pix Firewall with the Cisco VPN client (3.5.x or 3.6) -- I can make a connection but once connected I cannot ping anything on the other side of the firewall. I had no such problems under Mac OS 10.1.x

I have tried installing and reinstalling with IPv6 enabled and disabled. No luck. I just tried the newly posted Cisco VPN client 3.6.1, and still I'm not able to ping anything once the connection is made.

Cisco has not been able to tell much beyond the fact that version 3.7 of the VPN client is due out in the middle of November.

I know Cisco VPN client 3.6.x is reported to now work with the Cisco 3000/5000 concentrators, but have any MacWindows readers been able to get the Cisco VPN client to work with a Cisco Pix Firewall? What about enabling PPTP on the Pix and connecting with the built in Jaguar VPN client? Can one enter a group name and password and browse network resources in the Network connection pane?

September 12, 2002
Phil Ershler

I still can't get the Cisco VPN 3.6.1 client to pass any traffic. I've been working with my PB G4/500 Ti that is running 10.2.

September 12, 2002
Michael Crispin

Version 3.6.1 still does not work on a wired on airport connection using OS X 10.2 ... weird.

September 12, 2002
Jens Francke

I just installed the new Cisco 3.6.1 client. For me it is still the same as it was with 3.6: connects fine but no IP traffic/resources are possible. The bad thing is that I don't know how to check the concentrator's system version (not our admin thing :/).

Reader suggestions

September 16, 2002
Anthony Trumbo got some advice from Cisco:

I was also having trouble with the Cisco VPN client 3.6.1 and Jaguar. I contacted Cisco and the problem occurs if you have split tunneling enabled on the VPN concentrator. I disabled split tunneling and the client works fine. This problem should be fixed in the next release scheduled for next month. That client is also supposed to have a GUI.

September 16, 2002
Robert Lasher

I have used both Cisco VPN client 3.6 and 3.6.1 with OS X 10.2 with absolutely no problems. The only issues I had were in initially configuring the user profile.pcf file correctly. The default configurations in the sample user file needed to be altered to work with our VPN server. Additionally, VPNConnect 1.0.4 is a great utility to simplify using the Cisco client.

September 16, 2002
Daniel Sandstrom

We run the Cisco 3000 server at work. After upgrading to Jaguar I got problems, with 3.6 as well with the 3.6.1 version of the client.

Our 3000 concentrator is load balanced, therefore we use one IP address as the load balancing address. I discovered I could not use the load balance address, but I had to use the real IP address of the concentrator. Maybe this problem affects others?

September 16, 2002
Sammie Chan

Concerning Cisco's VPN 3.6.1 client, I only experienced two very minor problems after installation on my 10.2 upgraded eMac. I had to start and stop the VPN service twice (YMMV) before I can connect.

Use: /System/Library/StartupItems/CiscoVPN/CiscoVPN action_cmd ; where

action_cmd = { start, stop, restart }

The second is more of a convenience issue than a problem. 10.2 does not have the PATH shell variable set to include /usr/local/bin so that you have to type

/usr/local/bin/vpnclient connect config_file

to start the VPN session. Appending /usr/local/bin to the setenv PATH line in /etc/csh.login as root solves that issue.

I have full access to all resources at work when connected. (eMac -> Airport -> MaxGate 3200P (NAT router) -> Comcast -> Internet -> cisco3030.) Traffic flows nicely.

I would recommend that folks look at the firmware version in their NAT router or looking at their personal firewall settings. I originally had problems with IPsec using the Netlock VPN client for MacOS 9. Upgrading to the latest firmware solved those connection problems as it added IPsec transparency to the MaxGate (aka UGate) 3200P NAT router.

One last bit of advice is: Get to know your VPN admin. I worked very closely with my VPN admin to ensure all my Mac users are getting their fair share of attention.

June 13, 2003 -- Chip Witt has the same problem

I saw your post on www.macwindows.com/VPN.html regarding the difficulties using Outlook 2001 via the OS X Cisco VPN Client. I have a user working with the 3.7 version that is experiencing the same difficulties.

Cisco VPN Client 3.6.2--fixes most OS X problems

October 4, 2002
Bernard Bernstein reports that yesterday Cisco released its VPN Client 3.6.2 for OS X, which fixes problems introduced with Mac OS 10.2. On September 16 we reported that Cisco Systems told us that the 3.6.2 version was in the works to address the Jaguar problems. Bernstein told us that the new version does indeed fix the problems:

I'm running it now and it seems to have resolved the problems we have been seeing since upgrading to OS X 10.2 (Jaguar).

October 7, 2002
Jonathan Rubin offers a suggestion on using it:

I tried the new Cisco Client 3.6.2, and it works. Just need to type /usr/local/bin/ before the command to connect

October 7, 2002
Howard Moftich:

I've been running v3.6.2 since it came out and have had no problems at all.

The only problem I saw w/ 3.6.1 was that the kernel module somehow became corrupted on sleep so that after wakeup, I'd have to reload it to work. Version 3.6.2 fixes that. Works fine under 10.2.1 w/ Orinoco PCMCIA card for me. Since I only use wireless, I never experienced the lack of resources problems in 3.6.1 that others saw when trying to setup multiple interfaces.

October 7, 2002
Dave Pooser:

The 3.6.2 software client, like all of Cisco's VPN client software, requires a valid service contract for access to the software downloads page.

That said, it is posted and is working fine for me with 10.2.1 and a Cisco 3005 concentrator with the 3.6.1 firmware.

October 7, 2002
Bernard Bernstein sent us the link to the Cisco download page, which requires that you log in with a valid service contract. He also sent us an excerpt of the readme file.

They even have the readme under the secure area, so here's the relevant part of the readme (the rest are just notes from 3.6.1 and below):
Revision: Release 3.6.2
Files: vpnclient-win-is-3.6.2.Rel-k9.exe
vpnclient-win-msi-3.6.2.Rel-k9.exe
vpnclient-darwin-3.6.2.Rel-k9.tar.gz
vpnclient-solaris5.6-3.6.2.Rel-k9.tar.Z
vpnclient-solaris5.8-3.6.2.Rel-k9.tar.Z
Note: No Linux version of 3.6.2 is provided

Contents:

CSCdy29594 Using Multiple Line config in NT only one line gets connected
CSCdy48192 ctcp does not work with Mac OS X 10.2
CSCdy51818 unity client Mac OS x 10.2 fails to split tunnel
CSCdy55145 Client intermittently gets DPD ACK from reversed Conc IP address
CSCdy59183 vpnclient for macosx 10.2 fails with ipv6 enabled

So I'm guessing that the Contents section are the bugs that were fixed because the split tunnel is now working for me on Jaguar.

Bug in Cisco 3000 3.6.2 client.

October 10, 2002 -- A reader who wishes to remain anonymous reports this bug in the new Cisco VPN Client 3.6.2:

Below is a bug from Cisco's database that is a show-stopper for us. Companies that permit split tunneling might not notice the problem.
Symptom:

Unable to browse the web with split tunneling enabled on Mac OS X 10.2.1 [& 10.2] VPN Client 3.6.2. Are able to ping, nslookup traceroute etc., to external addresses.

Conditions:

Mac OS X 10.2.1 with version 3.6.1 or v 3.6.2 Cisco VPN Client installed with Split tunneling enabled + IPsec over UDP enabled. This was only tested with Ethernet not with wireless.

Workaround:

Tunnel everything or run Cisco VPN Client on Mac OS X 10.1.x

Further Problem Description:

Packets are sent out the Mac's Ethernet interface with a source address of the Ethernet NOT the virtual assigned IP address. The website that is targeted receives the SYN and sends back an ACK but there is never an ACK from the Mac.

Cisco goes GUI with VPN Client 3.7 for OS X

October 28, 2002 -- Last Friday, Cisco released version 3.7 of its VPN Client for Mac OS X, new software for use with the Cisco virtual private network hardware systems. The main new feature is a graphical user interface for managing the VPN Client for Mac OS X. The download requires a Cisco account, but anyone can read the release notes and the User Guide. Opinions among readers are generally favorable.

October 28, 2002
Chuck Culley

It has a GUI installer that worked great except for taking about 5-10 minutes to install. It installs a nice app to configure your connection settings and to connect and disconnect. Everything has worked great so far after doing about ten different connect and disconnect tests without a hitch.

October 28, 2002
Michael Perbix

The file is named vpnclient-darwin-3.7.Rel-GUI-k9.zip.

Some things to note. The installer is no longer a shell script, but actually an installer created with Zero-G Install Anywhere. Also Cisco now has its own GUI which is similar to the Windows application.

This now puts this VPN client into the hands of the average person with no need to look at any other 3rd party GUI utilities (although before they were excellent) or the need to know any terminal commands. The installer does need an Admin authentication (as it should).

October 28, 2002
Edwin Adlerman adds that it "fixes the bugs introduced in version 3.6.x."

October 28, 2002
Neil Christie

It fixes a number of issues with Jaguar and includes for the first time a GUI. (A third party GUI called VPNConnect is available for previous versions from.) This GUI makes configuration and usage much easier.

October 30, 2002
Lisa Smith

This version fixes the split tunneling problem from v. 3.6.2, and is the only way I could get Cisco VPN to work with Jaguar. I've been trying unsuccessfully since v. 3.5.1 and OS X 10.1!

Tips for installing and configuring Cisco VPN Client 3.7

November 1, 2002
Anthony Trumbo

Just a quick note on the new Cisco VPN client. If you have installed the test version of Java 1.4.1 the install will just hang. It appears the installer is Java based. All you have to do is switch back to 1.3.1 to perform the install. You can then switch back to 1.4.1. The command to switch is jsettestjdk 1.3.1 (or 1.4.1).

November 1, 2002
Steve Mack

I installed the new Cisco VPN Client 3.7 last night and overall it did very well. I had the old version installed and the installer removed the old one before installing the new one. It also picked up my old settings and everything showed up in the new client.

I did notice a couple of things though. I had my user name in the old pcf file. The GUI for the client does not have an option to put the user name in when building a new connection settings file. The only way to do this would be to edit the .pcf file. The GUI does allow you to put the group name in. It will ask for a user name and password when logging into the VPN.

Also, you can preconfigure the installer to add your .pcf file whenever the software is installed. This can be great when doing large rollouts.

December 4, 2002
Barry Riddle had trouble getting the Cisco virtual private network Mac client from his own company, but found the Mac virtual private network client at a college site that offered online degrees:

I was unable to get the free Cisco VPN client v. 3.7 for Mac OS X from my company's anti-Mac, anti-help desk, but was able to find it and a downloadable manual at the Colorado State web site and at other universities' web sites. Now I'm trying to decipher the PC VPN package that my company provides, so I can translate its configuration information to the Mac client.

December 13, 2002
Michael Alatorre

As a suggestion/shortcut to Barry Riddle for his Mac VPN installations, grab (and save somewhere) the profile text file (it will have the .pcf extension) from a successfully configured PC VPN client. Install it in this OS X directory (which is created by the 3.7 installer):

/etc/CiscoSystemsVPNClient/Profiles/ (you can use the Terminal to do this).

It should contain all the relevant connection information the client will need. Launch the Mac VPN client and it'll be sitting in the profile window. Select it and you're ready to go. This is what we did on our campus for our Mac clients and it worked without a problem. In fact, we even run an AppleScript (after running the 3.7 installer) which will copy it down from a file server to make it easier for getting VPN installs done.

December 16, 2002
Brian Willett

There is an even better way to deploy an organization's .pcf file to Cisco VPN 3.7 clients than described in Michael Alatorre's article.

Instead of copying the .pcf file after the installation an administrator can edit the VPN client installer so that it will automatically put the organization's .pcf file into the VPN client's Profiles folder during each installation:

To distribute custom user profiles to the installer program, place the files inside the installer application in the directory:

CiscoVPN.app/Contents/Resources/

To access the Resources folder, right-click (or Ctrl-click) the VPN client installer icon to access the installer menu (Figure 2-1).

Choose Show Package Contents to open the installer directory.

Click on the Contents folder.

Click on the Resources folder.

Copy the configuration files (.pcf files) into the Resources directory.

Any file with a .pcf extension found in this folder is placed in the Profiles directory when the VPN client is installed.

The instructions above are copied from Cisco's online VPN guide. It also provides instructions for preconfiguring the GUI preferences for VPN client as well.

December 16, 2002
Matt Richard

If you have a large installation of VPN users, and you want to provide them with a preconfigured client, here's how you can do it.

The Cisco installer package is just a directory that you can open, just like an OSX ".app" folder. Open up your installer folder (do "Show Package Contents" from control-click or right-click), and you will see a "Contents" folder. Double-click on that folder, and then double-click on the "Resources" folder.

Place any ".pcf" profiles that you want to have installed with the VPN application. They will automatically be placed in the configuration folder, /etc/CiscoSystemsVPNClient/Profiles/ .

One note - these files have to be plain text files. If they're anything else, like bbedit files, the installer will skip right over them. If you edit them with bbedit, then when saving them click on "options" and set file creator to "generic text file".

If you don't want the "sample.pcf" file to be installed, that's a bit trickier. You have to go inside the second CiscoVPN installer (within that Resources folder) and look for Installer.zip in Contents/Resources/Java. Unzip this file, delete sample.pcf, zip it back up again (use store, no compression) and replace the original Installer.zip file with your new one (same filename).

To distribute the VPN installer, I put everything in a read-only compressed Disk copy .dmg file. This way all the permissions, icons, etc. are preserved, and the whole thing compresses down from 14 MB to 5.6 MB. I've had problems in the past with using various installers from a fileserver, and this trick has always solved it for me.

This is all undocumented by Cisco at this point, and probably not supported by them either. But it all worked for me, and your mileage may vary.
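A pre-flight check for the rollout described in the two posts above, as an added example that is not from Cisco's guide or from either poster: it lints every profile and only then copies the set into the installer's Contents/Resources folder. Host, Username and UserPassword are Cisco profile key names not quoted on this page; the function names, the byte-level text test and the policy of rejecting a shared profile that carries a stored user name or password are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint .pcf profiles, then stage them into the installer bundle.

# pcf_value FILE KEY
# Prints the value of the first KEY= line (key match is case-insensitive).
# Carriage returns are stripped because profiles often come from Windows.
pcf_value() {
    awk -F= -v k="$2" '
        { sub(/\r$/, "") }
        tolower($1) == tolower(k) { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# lint_pcf FILE
# Returns 0 if FILE is acceptable for mass distribution, otherwise prints
# the reason and returns 1.
lint_pcf() {
    f=$1
    case "$f" in
        *.pcf) ;;
        *) echo "$f: not a .pcf file"; return 1 ;;
    esac
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    # Count bytes that are not tab, LF, CR or printable ASCII.
    junk=$(( $(LC_ALL=C tr -d '\11\12\15\40-\176' < "$f" | wc -c) ))
    [ "$junk" -eq 0 ] || { echo "$f: contains non-text bytes"; return 1; }
    grep -qi '^\[main\]' "$f" || { echo "$f: no [main] section"; return 1; }
    [ -n "$(pcf_value "$f" Host)" ] || { echo "$f: Host is empty"; return 1; }
    # Example policy: a shared profile must not carry one person's login.
    for key in Username UserPassword; do
        [ -z "$(pcf_value "$f" "$key")" ] || { echo "$f: $key is set"; return 1; }
    done
    return 0
}

# stage_profiles SRC_DIR INSTALLER_APP
# Copies SRC_DIR/*.pcf into INSTALLER_APP/Contents/Resources, but only if
# every profile passes lint_pcf. Prints the number of profiles staged.
stage_profiles() {
    src=$1
    res="$2/Contents/Resources"
    [ -d "$res" ] || { echo "$res: not an installer bundle" >&2; return 1; }
    count=0
    for p in "$src"/*.pcf; do
        [ -e "$p" ] || continue            # the glob matched nothing
        lint_pcf "$p" >&2 || return 1      # one bad profile stops the rollout
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || { echo "no profiles in $src" >&2; return 1; }
    cp "$src"/*.pcf "$res"/ && echo "$count"
}

# Constructed sample run: one clean profile staged into a scratch bundle.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/src" "$t/CiscoVPN.app/Contents/Resources" || return 1
    printf '[main]\r\nHost=vpn.example.edu\r\nGroupName=staff\r\nUsername=\r\n' \
        > "$t/src/campus.pcf"
    stage_profiles "$t/src" "$t/CiscoVPN.app"
    rc=$?
    rm -rf "$t"
    return "$rc"
}
demo
```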

December 16, 2002
Barry Riddle

I appreciate the tips the readers offered and will try them, but I think I still have a configuration issue that hasn't been addressed. I have unwrapped a VPN package for our Windows machines and obtained the *.pcf configuration text files. The Mac client is able to import these files with no problem. I can even modify them before importing them in order to leave out Windows-specific instructions to dial the ISP. However, the Windows VPN package also includes a folder of security certificates. The Mac VPN client notifies me that it cannot import these unless I enter a password that I don't have. Is there a workaround for this issue like just putting these security certificates in some subdirectory somewhere?

Cisco VPN Client 3.7.2 -- problem with AirPort, and Networks

December 18, 2002 -- Cisco has released VPN Client 3.7.2, a minor update to its IPsec virtual private network client for Mac OS X. (See the release notes here.) The new version does not add features, but does fix a number of bugs, including:

December 28, 2002
Fergus Hammond says there is now a newer version:

The version of 3.7.2 that was posted on 12/16 didn't have a GUI. Cisco posted a new version today (12/26 where you are) that does have a GUI. Haven't tested it yet but hopefully it's fixed the bugs of 3.7.1 (and 3.7 and 3.6 and...). We've been spending lots of time with their development team, trying to get a reliable client. Cross your fingers.

December 28, 2002
Paul Booth had to uninstall 3.7.2 to get it to work with AirPort on OS X 10.2.3

Couple of quick notes re. Cisco's 3.7.2 VPN client for OS X. First off, it's _not_ a GUI client! The download looks exactly like the pre-3.7 packages -- shell script installation, etc. If you uninstall 3.7 prior to installing 3.7.2, you'll need to go back to the cli or use someone else's front end.

Second, I did try installing 3.7.2 on top of the 3.7 client. Appears to work okay, with one caveat (see below). The GUI is unchanged -- still says it's version 3.7 -- but my VPN concentrator shows my client version as 3.7.2 when I connect.

Finally, there appears to be an interaction between 3.7.2 and AirPort network interfaces. After installing 3.7.2 (on an iBook w/10.2.3) and restarting the machine (or resetting the airport card), the airport no longer picks up an IP address from my DHCP servers. "ifconfig -a" shows that the airport card is there and active, but it never gets an IP. This happens whether or not I leave the 3.7 GUI on the machine. Uninstalling 3.7.2 and reinstalling 3.7 fixes the problem. The Ethernet port works fine throughout.

December 28, 2002
Eric Carr says that upgrading to Mac OS X 10.2.3 produced a conflict with Cisco VPN Client 3.7.2 that affected the Mac's IP address.

I experienced the same problem as indicated in a MacSlash post. For some reason, whenever I went to sleep or tried to renew a DHCP address or set a new static IP address, the MTU of the networking interface got set to zero (usually 1500 for Ethernet and 802.11). Anyways, removed VPN Client 3.7.2 and everything is working fine now.

December 31, 2002
Paul Booth

Tried 3.7.2 GUI yesterday. It still causes problems with the AirPort interface. With 3.7.2 installed: airport comes up fine at system start, but will not reacquire an IP address from a DHCP server after the system has been put into standby or if the airport interface is turned off and back on. Doesn't matter if the GUI is running or not. Version 3.7 has no such issue.

January 30, 2003
David Morgenstern
Columnist for Ziff Davis Media's Storage Supersite

Thanks for all the great information at MacWindows on VPNs. I installed Cisco's VPN Client Version 3.7.2 the other day. Despite an occasional moment of concern, the installation went smoothly and the program has a nice tabbed interface.

The client connected fine to the 3000-series concentrator. I'm running OS X 10.2.3 and haven't run into the reported sleep problem -- yet. (An aside: I wonder if folks used to AppleShare assume they will see the concentrator show up as a server in the Go/Connect to server... menu. Or see the network behind the concentrator? The client says it's connected and a check of its Tunnel Details tab shows the client and server addresses, an essential sign. Any ambiguity can be reduced by pinging a server address inside the network.)

One thing, I noticed that my AIM connection in iChat is disconnected after logging into the VPN. No idea.

NOTE: Below, Morgenstern updates his report to say he has seen the sleep problem, and has a workaround.

February 5, 2003
Patrick Ford passes on some observations about AIM and Internet connections:

Regarding AIM connections dropping on the Cisco VPN Client: I have noticed that ports associated with Internet services are affected by the VPN. In my home network on Macs running pre X OSes, if I have the AppleTalk TCP setting set, I lose the connections and I will not be able to access any of those systems until I disconnect the VPN. Turning TCP off permits AppleTalk to continue. After thinking about it, it made sense since all the FTP and HTTP protocols were going through the office network that I was connected to. Somewhere, somehow there may be a list of ports that can be opened or closed in the VPN. If that is the case, the port(s) associated with AIM could be changed.

Workaround for dropped network connections

February 5, 2003
Dr. Paul Fons has a workaround:

It turns out that installing the latest Cisco VPN Client 3.7.2 (GUI) under 10.2.3 (at least) causes a DHCP connection (either AirPort or Ethernet) to break upon waking from sleep. The apparent cause from perusing the logs is that the MTU (Ethernet packet length) has been set to an inappropriately long value.

The problem can be fixed temporarily by using ifconfig "sudo ifconfig en1 up mtu 1500" for an airport connection. This problem only fixes things until waking from sleep again or from a restart. A better solution is to downgrade to 3.7 (or so I am told -- I am in the process of downgrading now). I did not have this problem when I had 3.7 installed before.
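The MTU symptom in the reports above (zero in one report, too long in another) can be checked from `ifconfig -a` output after each wake. The following is an added example, not code from any of the readers: the function names, the 576 to 1500 range and the sample output are assumptions of this example, and the command it prints is the workaround quoted in the report above.

```shell
#!/bin/sh
# Added example: flag en* interfaces whose MTU looks wrong after wake.

# bad_mtu_interfaces
# Reads `ifconfig -a` output on stdin and prints one "iface mtu" line for
# each en* interface whose MTU is outside MTU_MIN..MTU_MAX.
bad_mtu_interfaces() {
    awk -v min="${MTU_MIN:-576}" -v max="${MTU_MAX:-1500}" '
        /^[a-z]+[0-9]+:/ {
            iface = $1
            sub(/:$/, "", iface)
            if (iface !~ /^en[0-9]+$/) next       # skip lo0 and friends
            for (i = 2; i < NF; i++) {
                if ($i == "mtu") {
                    mtu = $(i + 1) + 0
                    if (mtu < min || mtu > max) print iface, mtu
                }
            }
        }'
}

# fix_commands
# Turns that list into the workaround command for each interface.
# It only prints the commands; it does not run them.
fix_commands() {
    while read -r iface rest; do
        printf 'sudo ifconfig %s up mtu 1500\n' "$iface"
    done
}

# Constructed sample of `ifconfig -a` output: en1 has lost its MTU.
sample_ifconfig() {
    cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 0
    ether 00:00:5e:00:53:01
EOF
}

# On a real machine, replace sample_ifconfig with: ifconfig -a
sample_ifconfig | bad_mtu_interfaces | fix_commands
```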

February 5, 2003
David Morgenstern sent an update to his report of last week on the Cisco VPN Client 3.7.2. He now has seen the sleep problem we've previously reported, and has a workaround:

Update: I discovered the previously reported sleep problem: networking isn't restored after waking, requiring a restart to bring things back to normal. This happened even if the Cisco client wasn't launched that day.

In fact, I found that it happened because the client wasn't launched after the restart. If I connect to the VPN and then disconnect, I can then sleep and wake with no problems. But until that's done, networking won't resume after sleep.

TunnelBuilder

TunnelBuilder from Efficient Networks (formerly from NTS) is a PPTP VPN client for Macs that has been around for several years.

November 19, 2001
Nadine Bailey reports that the TunnelBuilder virtual private network client for Mac does not work with Mac OS X Classic:

Just thought I would let you know that TunnelBuilder does not work with OS X, not even through the classic environment. I did try to contact Efficient Networks and ask if there was going to be anything developed to use with OS X and got a "I don't know" response. Too bad since it is a good product.

A How-to PDF

August 24, 2000
Ed Dyer offered to share this information on Virtual Private Networks with MacWindows readers:

I've done some extensive testing of NTS's TunnelBuilder for Mac VPN client, MS Outlook 8.2.2, etc. I've put a quickie page with a PDF (7 pages or so) which goes into great detail on how to setup a system VPN into an Exchange server using PPTP, and get Outlook mail. Hope it is helpful. I'm still testing other VPN clients that don't need to have respectively branded server counterparts.

No MS CHAP v2 support

June 20, 2001
Dave Brown

Unfortunately, TunnelBuilder doesn't support MS CHAP v2 (with no plans to do so in the future). Our LAN requires CHAP v2, so I am out of luck (and the nonrefundable $100).

Setup a breeze

June 20, 2001
Joshua Thomas

We set up three Macs using TunnelBuilder to access our File server and MS Exchange server. It took a little patience but we got it up and running on those three Macs within a few days. So far all three Mac users seem happy with it. Frankly, it was much easier than I had envisioned.

VPN into office from home over satellite

June 20, 2001
Kerry Griggs

With the help of Ed Dyer and some info on his excellent baudesign.com web site, I am doing this e-mail from home (Mac Outlook 2001 beta), connected through a TunnelBuilder VPN connection to my NT-only office network, including my office Exchange server. My home desktop G4 accesses the Internet using Sprint's "broadband direct" service. Basically, I have a little satellite-looking dish mounted to my roof. It accepts some sort of microwave wireless signals (line-of-sight) from a transmitter mounted on the TV towers on top of a mountain behind my house. Co-ax cabling comes from the dish into a hardware router, that is then plugged into my Mac's Ethernet port. Sprint has teamed up with Earthlink to offer this service. As such, Earthlink is my ISP. I'm thinking that this setup is more like a very fast cable connection and less like DSL. It's just wireless to my house. Anyway, to get TunnelBuilder to establish a VPN connection, I had to manually enter in all of the addresses to identify my home Internet set up (no luck so far with DHCP). Fortunately, Sprint provides a fixed address. I simply verified all of the numbers by opening my G4's TCP/IP control panel, and then entered them all into the TunnelBuilder control panel.

Consistent with Ed Dyer's suggestion, I had to enter my user name using the "company.com\username" format. I also had to enter the address of my work's VPN server using the XXX.XXX.XX.XXX numbers. I never had any luck entering the "exchange.company.com" format, even with a TCP/IP hosts file that was set up to resolve this name to the numbers. I still used a host file, however, in the "exchange.company.com A XXX.XXX.XX.XXX" style. I don't know if this was necessary, but I did it as a precaution. I remembered that this was the biggest hurdle I had to overcome to get the Mac Outlook client to resolve the name of our exchange server. No port mapping was required. This was a big relief because I don't know how confident I would have been rising to this level of geek-dom.

In addition to running the Outlook client, I am running the Mac Citrix client, logging onto our NT Citrix server as a Windows NT box. This gives me full access to my entire office network. Eventually, this may allow me to get rid of Virtual PC.

So far, this is working without a hitch. I would be happy to respond to any more specific inquiries concerning my experience.

Using Linksys router with TunnelBuilder thru DSL

June 21, 2001
Chris DeSalvo

I have been seeing a lot of people complaining about the fact that they want to use TunnelBuilder but have to use PPPoE with their DSL connection. Personally, I use a LinkSys router to solve this problem. The router is very cheap ($79), provides NAT, firewall, MAC address cloning, packet filtering, and is a great DHCP server. Most importantly it will handle all of the PPPoE headache.

So, you let the router do the PPPoE work and your Mac can run the TunnelBuilder software with no problems. If you need to use TunnelBuilder on a PPPoE link I can't recommend LinkSys's wired routers enough. It took less than five minutes to configure (handy web interface) and has worked like a champ.

TunnelBuilder works with Aurorean VPN

July 17, 2001
Brian Heath

I thought you might want to know that I was able to get TunnelBuilder from Efficient Networks to work with our Aurorean VPN. It actually was pretty simple to configure. It even works from behind my IPNetRouter IP NAT gateway. The product is basically a PPTP implementation for the Mac and supports both 40 and 128 bit encryption. They have an eval. version for those who might want to try it out.

VPN-1 SecuRemote from Check Point

June 20, 2001
Dani Smart

I am currently working with the beta version (v 1.0) of VPN-1 SecuRemote from Check Point. I have been having some problems with the initial configurations (not nearly as simple as it is on the PC client) but hope to have it running for our 180+ Mac users who need remote access. This beta has been out for some time and I think it would be helpful for Check Point to hear that there are others who could utilize a fully released copy of their VPN software for Mac.

I would love to hear from anyone else who is currently working with this beta.

October 4, 2001
Tim Dubois

I believe that the beta period for Checkpoint's Mac VPN client is over. I tried a couple of months ago to download the Mac beta and was told the beta period had ended. They weren't sure at the time when the final release was going to be or if it was going to be X compatible.

Mac OS X 10.3.9 problem with VPN Checkpoint SecureClient

April 19, 2005 -- Richard Dupuy reports that upgrading to Mac OS X 10.3.9 caused the Checkpoint VPN Client to stop working.

After having upgraded my Mac with OS 10.3.9 my VPN Client from Checkpoint "VPN-1" does not launch anymore. A reinstallation of the software doesn't help. Has anyone an idea or a workaround with a third party solution?

April 21, 2005
Manfred Vorderwülbecke had to reinstall 10.3.8:

I had the same problem and I had to reinstall 10.3.8. On checkpoint.com I didn't find any information.

No Problems before from 10.3.4. up to 10.3.8 with all security-updates etc.

April 21, 2005
Gamal Khaldi in Belgium:

I have the same problem. The only thing so far that helped was to rollback to 10.3.8.

April 21, 2005
Phillip Molaro describes the symptoms:

Having the same issue. When I reboot, Checkpoint says it can't start and the machine needs to be rebooted. Rebooting does nothing. Please let me know if you know of a solution.

April 21, 2005
John Erik Johnsen of Norway:

After updating to Mac OS 10.3.9, SecureClient stopped working. Uninstalling SecureClient and installing newest version does not help.

April 21, 2005
Mark Anthony Fojas:

I hope that Apple and Checkpoint work to resolve this because it IS a showstopper for many places.

A fix:

Over a dozen MacWindows readers have reported that this fix works, uncategorically.

April 21, 2005
Michael White forwarded a fix you can perform in Terminal:

The following is a procedure that can be accomplished completely via the terminal app.

Open Terminal and use the following steps

1. sudo bash (admin password)

2. pico wdog.sh

3. Add the following to file

#!/bin/tcsh
cd /opt/CPsrsc-50/bin
while (1)
./SR_Service
end

4. Press "control" and "x", yes to save and press return

5. mv ~/wdog.sh /opt/CPsrsc-50/bin

6. chmod 755 /opt/CPsrsc-50/bin/wdog.sh

7. chown 0:0 /opt/CPsrsc-50/bin/wdog.sh

8. pico /System/Library/StartupItems/SecureClient/SecureClient

9. Change the following line $SRDIR/bin/SR_Watchdog &> $SRDIR/log/ScBootlog.txt & to

#$SRDIR/bin/SR_Watchdog &> $SRDIR/log/ScBootlog.txt &

10. After that line add

$SRDIR/bin/SR_Service &> $SRDIR/log/ScBootlog.txt &

11. Press "control" and "x", yes to save and press return

12. Exit Terminal

13. Reboot.

Most readers reported unconditional success with the fix.

April 25, 2005
Ward Rosin of Calgary, Alberta, notes one caveat:

Michael White's fix for SC on 10.3.9 works like a champ! Thanks for posting this!

I noticed that if you exit SecureClient after applying the fix then attempt to restart it, it will fail as before (requiring a reboot to get going).

This shouldn't be too much of a big deal for most folks who probably leave it running all the time.

April 25, 2005
Scott Smith notes that Apple's Java fix did not work:

The fix worked very well and thanks. I was about to rollback and feeling nervous about it.

I also applied the Java fix Apple released, but that failed to fix SecureClient.

April 25, 2005
Peter da Silva recommends a slight modification to the fix:

Oh, god, please don't use csh/tcsh for scripting. It's a fine CLI, I use it by preference to Bash, but it's godawful for scripting.

#!/bin/tcsh
cd /opt/CPsrsc-50/bin
while (1)
./SR_Service
end

Try this:

#!/bin/sh
cd /opt/CPsrsc-50/bin
while true
do ./SR_Service
done

I realise that the problems of csh as a scripting language don't show up here, but they are extremely serious. I'd rather program in Visual Basic than trust csh. The basic problem is that csh does not parse the script, it just runs commands. There's some really nasty problems that can show up with complex quoting and "here documents."
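A variant of the restart loop from the posts above, as an added example that is not from any of the posters or from Check Point: before starting the service it checks the ownership and mode that steps 6 and 7 of the posted fix set, and it pauses between restarts and gives up after a fixed number of them, so a service that exits immediately does not spin in a root-owned loop. The function names, the restart cap and the delay are assumptions of this example.

```shell
#!/bin/sh
# Added example: a bounded restart loop for a service started as root.

# owned_and_unwritable FILE UID
# Succeeds only if FILE is a regular file owned by UID that group and
# others cannot write (mode 755 passes; 775 and 777 do not). This is the
# state that "chmod 755" and "chown 0:0" in the posted fix produce.
owned_and_unwritable() {
    [ -f "$1" ] || return 1
    # ls -ln: field 1 is the mode string, field 3 the numeric owner.
    info=$(ls -lnL "$1" | awk 'NR == 1 { print $1 " " $3 }')
    mode=${info% *}
    owner=${info#* }
    [ "$owner" = "$2" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;    # group-writable or world-writable
    esac
    return 0
}

# supervise MAX_STARTS DELAY COMMAND [ARG...]
# Starts COMMAND and starts it again each time it exits, up to MAX_STARTS
# times, waiting DELAY seconds between attempts. Prints the number of
# starts it made.
supervise() {
    max=$1
    delay=$2
    shift 2
    starts=0
    while [ "$starts" -lt "$max" ]; do
        starts=$((starts + 1))
        "$@" || echo "start $starts exited with status $?" >&2
        if [ "$starts" -lt "$max" ]; then
            sleep "$delay"
        fi
    done
    echo "$starts"
}

# How the two fit together with the paths from the posts above.
# This part runs only when the script is called with --run.
if [ "${1:-}" = "--run" ]; then
    svc=/opt/CPsrsc-50/bin/SR_Service
    owned_and_unwritable "$svc" 0 || { echo "refusing to run $svc" >&2; exit 1; }
    cd /opt/CPsrsc-50/bin && supervise 10 5 ./SR_Service
    exit $?
fi

# Constructed demonstration: a command that always fails is started 3 times.
supervise 3 0 false
```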

SonicWALL, VPN in a box

June 21, 2001
Adam Glick

As of the 6.0.0 firmware update for the SOHO, XPRS and PRO firewalls support IPSec VPN via the PGP client. I'm in the middle of testing it out with a client and will send on an update.

June 21, 2001
Ford Pedersen

This information might be valuable to those wishing to set up a VPN with a Mac or _any_ other Operating System on a network to another network.

I have been installing SonicWALL devices for many of my clients. All of their Internet access devices (well, except for one which can be upgraded) include VPN functionality. The nice feature about these devices is that you can create a VPN from device to device over the Internet _without_ having to have a VPN Client on each system. SonicWALL's VPN is IPsec compliant (although they report that some clients do not work well with their devices currently), and are ICSA (International Computer Security Association) certified. The boxes start at $500, on up to gigabit speeds for multiple VPN connections. You can have VPN Clients too, so the options are open.

SonicWALL VPN hints: problems with firmware, management software, gigabit versions.

June 25, 2001
Ford Pedersen reported problems with the SonicWALL virtual private network gateway running firmware 6.0:

The 6.0.0 firmware upgrade (all are free for lifetime with all SonicWALL Internet Security Appliance products) should be upgraded to the 6.0.1.1 revision which fixes some bugs. I had a lot of client problems with 6.0.0 before 6.0.1.1 was placed on the device.

Pedersen also mentioned an admin package for Windows:

For those organizations that require management of numerous SonicWALL devices in geographic distant (or nearby) locations the devices can be managed with a software package called Global Management System (GMS) from SonicWALL. Unfortunately, the software is only available for Windows NT 4.0 SP3 or Windows 2000.

Pedersen also said that SonicWALL has released gigabit versions of its boxes.  

April 26, 2002
Bernard Becker

I have a number of SonicWall's and they work well. The only thing that I find very annoying is the inability to manage them from any OS X Native browsers. The only way I've been able to manage them is by using NetScape 4.72 in Classic. My Packeteer has the same whacky problems with JavaScript and I have to manage it the same way.

(SonicWall GMS is also available for Solaris)

May 2, 2002
Fritz Mills

This is in response to Bernard Becker's comment regarding managing SonicWalls from OS X native browsers. I also have several SonicWalls, and have been very happy with them, and had the same native management problem until Netscape 6.2.1 was released. Netscape 6.2.1 and 6.2.2 both work fine for managing SonicWalls under OS X (well, at least with 10.1.3 and 10.1.4). I don't know if it is important to upgrade to the most recent firmware (which offers a lot of improvements), but the current firmware is 6.3.1.0.

Parenthetically, between 6.3.0.0 and 6.3.1.0, even though it's only a point-point release, a couple of important new capabilities were added, including the ability to manage Ethernet packet size (which can make a huge difference when accessing Yahoo! mail accounts with certain DSL modems), and the ability to use a DHCP server on a remote network to assign addresses on a local network.

Also, since 6.3.0.0, SonicWall offers NAT Traversal, which solves problems with ISPs that insist on providing NAT even with static IP addresses (Ameritech, for instance, will give you a bank of valid, static IP addresses, but they all are translated to 192.168.254.x addresses on your LAN. Ameritech configures your modem remotely, and insists that this translation is the only way it can be done).

On a related note, your VPN page states that "Macs can connect to a SonicWall VPN network without a VPN client or with one." I'm not sure what that means. SonicWall doesn't offer a Mac client.

May 10, 2002
Luis Antezana responds to this last point:

Regarding [the May 2] post about SonicWall VPNs, it is true SonicWall does not offer a Mac client. They do, however, say a Mac could use PGP (PGPfreeware 7.0.3 is the last freeware version I have). I haven't tried it yet, nor do I know what one would do under OS X.

May 6, 2002
Bryan Schappel

I have several SonicWall devices all running VPN. I can manage them from MacOS X using Mozilla 1.0rc1 and the latest version of IE without problems. IE started working perfectly after the latest security patch was installed via Software Update. (IE started working with the 10.1.4 update.)

To use Mozilla you'll need to find the Java plug-in. All SonicWall devices are running the latest firmware.

Using Jaguar's built in IPsec to access SonicWall VPN

October 11, 2002 -- Joel Rennich created a successful Mac OS X virtual private network connection to the SonicWall:

Just a note to let you know that we have successfully connected a Mac running OS X 10.2 to a SonicWall VPN using the built-in IPsec support in OS X. So forget having to wait for SonicWall to release a client. Here's an article. You also might want to take a look at:

http://www.afp548.com/Articles/Jaguar/ipsec-1.html, and

http://www.afp548.com/Articles/Jaguar/ipsec-2.html since they give a little bit more background on IPsec on OS X 10.2.

Supposedly we can use this same basic setup to connect to almost any standards-compliant IPsec VPN solution out there. To that end we plan in the near future to set up an IPsec VPN clearing house to keep track of all working configurations, test new devices and to get some collaboration on a freeware GUI IPsec client. We'll have more on this early next week. Until then we welcome VPN admins who are willing to test out some configurations and programmers with time to e-mail us at.

Of course, we wouldn't mind you e-mailing MacWindows as well.

VaporSec a GUI VPN IPsec client for Jaguar

December 2, 2002 -- VaporSec is a beta release of an open source virtual private network client for Mac OS X 10.2.x that uses the IPsec protocol and has a graphical user interface. Testing is currently between Mac OS X 10.2 machines and a SonicWall firewall. Joel Rennich, one of the developers, offers some help with the beta:

I wrote in a few weeks ago with tips about setting up an IPsec VPN between OS X 10.2 and a SonicWall. Well, we now have a GUI for it, and other IPsec connections. It is currently a beta but will be free and open source for its entire life. We plan on adding more features, such as the ability to recreate the VPN connections when rebooting or changing network locations.

We also welcome anybody who has an IPsec device that would like to help us add more functionality to VaporSec. Let us know if it doesn't work and we'll try to help you.

We also welcome anyone interested in giving us a hand with coding, graphics, help or whatever else might be needed.

Either way let us know at ipsec@afp548.com.

We'd also like to hear from you about your experience with VaporSec. (See the MacWindows VPN Report page for previous reports about Macs and SonicWall.)

PiePants VPN client for Mac OSX

Beta 3 is the most current version of Rob Newberry's PiePants.

Beta 1 comments

March 12, 2002 -- Rob Newberry has posted a first beta (prerelease) version of PiePants, his PPTP virtual private network client for Mac OS X. This first release supports a single encrypted PPTP connection between a Mac OS X Mac and a PPTP server. Newberry says he has tested this version with Mac OS X 10.1.2 and a Windows 2000 PPTP server. This beta release is free.

March 14, 2002
Travis Hamilton

Finally! I can now connect to my company's VPN! I now have CITRIX (via JAVA client), telnet, and intranet web resources; now all I need are some OS X native ORACLE tools. This is through an Asanté router. Mr. Newberry ROCKS!

March 14, 2002
Jason Paikowsky

I tested PiePants from my OS X box to a Linux-based firewall. I seem to make the connection okay, but can't get to the resources behind the firewall.

For other feedback, have a look at Apple's support site; OS X forums; forum on Networking and the Web. I posted a message on PiePants yesterday, and others have tried it. No one reports any good results.

March 15, 2002
Jason Paikowsky tempered his criticism of yesterday:

I may have come off a little harsh in my initial reaction to PiePants. I noticed that the author may be expecting people to VPN to a Win 2000 server. That server is indeed my final "destination" but first I need to authenticate to, and get past, a Linux firewall and that may be the point of the bottleneck.

March 15, 2002 -- We've had more reader reports about Rob Newberry's PiePants beta 1, a prerelease virtual private network client for Mac OS X. Brett Turner liked PiePants in OS X better than with TunnelBuilder for OS 9:

I downloaded and installed the software effortlessly. It works beautifully for me.

In fact I have more functionality with PiePants than using NTS TunnelBuilder under OS 9. With TunnelBuilder it was "all or nothing." With the VPN connection running I could not access any IP addresses other than those served by the other end of the tunnel. With PiePants I have full access to everything. I'm now able to pickup email from my corporate office site as well as the rest of the world all with one "Connect" request to PowerMail.

March 18, 2002
Nathan Marentette

Just wanted to chime in with some positive feedback regarding PiePants (I wish all final release software was as reliable as this beta).

On a lark I downloaded it and installed at home on Mac OS X 10.1.3. Over my 26400 bps dial-up, I had no trouble authenticating to a Windows 2000 server using PPTP.

My only trouble was not using the proper subnet mask for my network (duh me :)). My VPN server and the file server are in different IP ranges, so I needed a subnet mask of 255.255.0.0, rather than the default.

Anyway, as usual any fault was my own, the software performed excellently. I could mount my AppleShare volumes (over IP) and ping hosts inside the network, launch a Citrix session, etc.

Hope this motivates a few more people to try it out, and if you're reading, thanks Rob for writing this. It ought to be included in the base OS.

March 18, 2002
Gianpiero Meazza

I have seen negative reports about PiePants VPN client for Mac OS X and I am a bit surprised, as I have been testing PiePants in the last few days and my experience with it is quite positive. I was able to connect to my company's network resources on both a conventional modem with PPP and on an ADSL link with PPPoE. We are using the Microsoft PPTP Server which comes with Windows 2000. I am running Mac OS X 10.1.3 on a PowerBook G3/500 with 256 MB of RAM.

I had a minor problem only with the DNS settings, that I solved by defining a new location for network settings where the DNS and proxy addresses are those of the target link after VPN connection.

Also, after a suggestion of PiePants' developer, I lowered a bit the MTU parameter of the connection to get a better performance when connecting to the IMAP mail server. This has to be done manually in the terminal: "sudo ifconfig pptp0 mtu <size>". An MTU value just below 1000 worked fine for me instead of the default that is around 1500.

March 18, 2002
Ed Dyer

Having just come back from vacation, this is a wonderful thing to find!

PiePants works just fine to get to my company's three VPN servers, but of course since the Classic Environment can't get to them, we're out of luck for Outlook. Ti/500/OS X 10.1.3 with ISDN 128K.

PiePants beta 2

March 29, 2002
Ed Dyer

PiePants [beta 2] is still able to connect to my company's three VPN servers. However, when I check "use remote DNS" and/or "use remote gateway" I can no longer get DNS resolution and still cannot see remote Windows shares via Sharity or SMB Browse. My Wins server is out of the range of computers to which I'm connected, as per the dialogue in PiePants. Putting in 255.255.255.255 (as with DAVE) does not help.

An extra bonus: as my ISDN router times out after two minutes of no traffic, and my computer uses the remote DNS and route, the router detects no traffic (no packets sent to its IP) and dumps the connection. PiePants does not error out, but persists in thinking it's connected.

I also cannot ping any address, including those to which I'm connected.

DigiTunnel

Gracion Software released DigiTunnel 1.0 on June 17, 2002. DigiTunnel uses the Microsoft Point-to-Point Tunneling Protocol (PPTP) to let Mac OS X connect to VPN servers running on Windows platforms. DigiTunnel creates a 128-bit encrypted connection for IP-based network applications. Classic applications running in OS X can also use the VPN. If you've had any experience with the release version, please let us know.

On April 10, Gracion Software released DigiTunnel 1.0b1, a first public beta release of a new virtual private network client for Mac OS X. The current version is Beta 3, released May 24. DigiTunnel uses PPTP for connecting to Microsoft VPN servers. According to the press release, DigiTunnel will work with Classic applications, and uses MS-CHAPv2 authentication and 128-bit-key MPPE encryption. The press release also provides this note about using DigiTunnel with NAT:

To use DigiTunnel on a Mac behind a NAT router, that router must support PPTP connections. Many do, although currently Airport's built-in NAT does not. DigiTunnel does work over Airport if its NAT feature is turned off. For more information on NAT requirements and routers, see the online DigiTunnel Users Guide.

(In February and March, we reported that DigiTunnel had been announced.)

Reports on DigiTunnel beta versions:

April 11, 2002
Hugh Bryant-Parsons

The install and setup was a breeze, but unfortunately I have hit two problems with my cable Internet connection. Both of which I have not got around yet. (but I guess it's early days.)

1. DNS: I haven't been able to get name resolution working over my cable Internet connection, even after trying Gracion's suggested workaround.

2. My Cable Internet provider (Telstra BigPond) insists on using a heartbeat in their own logon client, which I think gets interfered with when I start a DigiTunnel session. This causes the Internet session to get dropped.

The good news is that it works for me over dial up into my work Win2K based remote access server. DNS seems to work just fine in this setup - now to work out how to access my Outlook Exchange account. (I guess I'll need to use Classic to do that, as there's no Outlook Exchange for OS X)

April 26, 2002
Hugh Bryant-Parsons updates his April 11 report:

Let me share my happy moment - Whoopee! I'm writing this message using:
  • OutLook:Mac 2001 running in the Classic environment under MacOS X
  • through a VPN Tunnel over a cable Internet connection (aka Telstra BigPond Cable)

The trick to get it to work was the mask, I just had to keep changing it till it was right. And you know what, it almost seems faster than at work.

April 12, 2002 -- Paul Collins of Gracion Software reports that the first beta of DigiTunnel has a problem with Thursby's DAVE software:

I'm getting reports that "installing DigiTunnel disables DAVE". The same people report that uninstalling DigiTunnel restores DAVE's functionality. I've put a note on my download page, and you might want to pass this on. DAVE users should hold off on DigiTunnel until I've checked out the issue.

I'm not sure what the problem is. DigiTunnel shouldn't interfere with anything (famous last words) - it adds a configuration to OS X System Configuration, but it's a private type that should be ignored by everything except Sys Config and Internet Connect. And it adds a pane to System Preferences per a public API.

I do intend to fix it as soon as possible: I've been talking with some friendly Thursby people and we're hot on the trail of this issue.

Later, Collins sent us another report of issues with the beta:

Here's a bit of an update--48 hours after the release of DigiTunnel 1.0b1.

Some people are having great results with the DigiTunnel beta, others are finding issues which we are working to address. The more common issues are: Airport's built-in NAT does not support PPTP (we have a web page of workaround options); Our configuration causes Dave for OS X to stop working (a fix is on the way); Servers that have not been upgraded from 40-bit encryption to 128-bit can't currently be connected to. And our configuration instructions need some work.

On the plus side, not only does it work with Windows 2000 and NT 4 RAS servers, users have reported it works with a "Astaro Secure Linux" PPTP server and a "Netopia 9131 router" (apparently a series 9100 router; these do have a PPTP server but compatibility has not been confirmed by Gracion).

April 15, 2002
Laszlo Kardos compares it to PiePants, another VPN client for OS X currently in beta (prerelease status):

I tried DigiTunnel 1.0b1, although getting it working wasn't as intuitive as I had hoped (compared to PiePants). After referring to the User's Guide I was successful at making a connection. I had to use Plumber 0.1 to confirm that I had a connection.

Although I could not get Internet Explorer to recognize our intranet, probably proxy settings related - not an issue for me.

I did however have success with MS Outlook:Mac 2001. It works! Yippee, no more rebooting on OS 9 just to check work e-mail from home.

April 15, 2002
Russ Ball

Using the menu modem icon, DigiTunnel will not connect if I select "pptp:default" then "Connect". Instead it's a two stage process:

1. Select the USB ADSL modem port to my ISP and click "Connect"
2. Select the "pptp:default" and click "Disconnect". Yes, that is "Disconnect".

I am now connected to the company VPN with the Mystery Machine Citrix client (highly recommended), X Windows and telnet all working

April 15, 2002
Jim Lane

I'm able to get a stable encrypted VPN connection to our offices' Netopia R9100 router using DigiTunnel. I've been waiting for this... Now if the DAVE compatibility problem can be fixed soon, life will be great!

Reports on DigiTunnel 1.0

July 8, 2002 -- Sunil Raman tried two virtual private network clients for Mac OS X, the free PiePants beta and Gracion Software's DigiTunnel 1.0, and found that the latter satisfied his needs:

I had to telecommute from Australia to San Francisco...connecting to a Cisco 3000 VPN.

PiePants: Connected 'fine' and received IP address but GRE error appeared in log.

DigiTunnel: No problems with authenticated PPTP. Able to connect to IMAP Exchange server, able to Timbuktu to machines in office.

Importantly, DigiTunnel was able to tunnel on top of an existing PPPoE connection (eg. Home PacBell DSL account).

This was with Mac OS X 10.1.5 on Apple iBook G3 (500 MHZ 192MB RAM).

I have to add though that recently I found that whenever I restart the computer, the 'PPTP' configuration seems to be 'lost' from the Internet Connect dialog box.

I have to run the DigiTunnel installer again and the PPTP configuration is restored, with my previous VPN settings 'remembered.'

Netopia routers and gateways

June 25, 2001 -- Netopia routers and gateways offer IPSec and PPTP virtual private network functionality, though they don't mention Macintosh. For instance, a web page called Netopia IPSec Compatibility describes the IPsec gateway functionality of their products. Another page describes how the Netopia R-series router can act as a PPTP server, and describes how a Windows PPTP client would work with it. We would assume that the TunnelBuilder Mac VPN client could work with the Netopia router set up this way. A reader below confirms it:

June 26, 2001
Michael Peirce

A few months back I successfully used TunnelBuilder to connect to the PPTP client on my Netopia R5300 T1 router on MacOS 9.1 (possible 9.0?). There wasn't anything tricky, I just set up the R5300 to use MS-CHAP Authentication and it worked the first time.

SnapGear VPN boxes

July 12, 2002 -- We've added SnapGear to our list of cross-platform virtual private network products on our Network Solutions page. It offers both PPTP and IPSec VPN and will interoperate with "almost all leading VPN software and appliance vendors."

Reader Steve Mansfield had this to say about SnapGear:

We bought one for testing / demo because it does 2 things that we thought had lots of value. The first is that it is a firewall for Ethernet / routed Internet connection...It also has a PPTP VPN client and server capability. Put simply this means that you can use it to get around the lack of PPTP clients for OS 9 and lower. In fact I'm sending this from Outlook 2001 through the VPN tunnel to our E2K server somewhere else on the Internet.

They can do DHCP, static routes, inbound connections, in fact most of what Linux can do (it's basically embedded Linux).

Miscellaneous Reports

December 4, 2000
Sean M. Sloane wants to establish a VPN connection over DSL (to a Windows 2000 server), but with a Mac client instead of a Windows client, but without AirPort. He also needs to use PPPoE (PPP over Ethernet):

We have just set up a VPN server with Win2K. I would like to be able to connect from home. Fine, just get Tunnel Builder. The catch is that I also use Pacific Bell DSL with EnterNet 300. On NTS's site they say in the FAQs that EnterNet (PPPoE client) and NTS's TunnelBuilder (a VPN client, L2TP protocol) cannot reside or coexist on the same machine. They will, at some point, make TunnelBuilder support PPPoE but don't have a specific date for release.

We were wondering if another PPPoE solution, MacPoET would work, so we checked Wind River's MacPoET FAQ, which says that two VPN products have been tested with MacPoET:

The IntraPort MacOS client that works with Compaq/Compatible System's IntraPort server.

The AltaVista/Compaq MacOS client that worked with AltaVista's/Compaq's AltaVista/Compaq Tunnel product. (Sold to Axent, known as RaptorMobile EC.)

Based on this, it is conceivable that MacPoET may work with NTS's TunnelBuilder, but it hasn't been tested. If you've tested running MacPoET with TunnelBuilder, please let us know what you found.

In the next report below, a reader suggests using a home router.

February 15, 2001
John DeRosa

I read the [above] item at MacWindows and might have a more generic solution than finding a PPPoE/VPN combo client, albeit more costly (but with more features).

First, PPPoE is the devil's work and I wish it would just go away. Be that as it may, there are ways around Sean's dilemma.

The solution is to find a hardware device that will 1) pass his Macintosh VPN authentication and 2) do the PPPoE authentication also. That hardware device is a home router.

My choice is to purchase one of the many hardware firewall/routers on the market today from such companies as NexLand and LinkSys. More seem to appear on the scene every day.

Besides performing the PPPoE authentication, an added benefit is that these routers protect your home LAN from hacker intrusion by the incorporation of firewall technology.

NOTE: Before you go out and spend $200 or so on a hardware router/firewall, contact the manufacturer and make sure that it will work with the VPN client you want to use. Now, all the devices on your LAN can safely utilize your single Internet DSL address without having to individually dance the PPPoE dance.

MacPGP VPN through NetScreen Firewall

You can use the open source MacPGP VPN client through the NetScreen product. Some information about documentation is provided below.

Problem with AirPort

June 21, 2001
Orion Smith reports a problem getting a virtual private network connection through a NetScreen hardware firewall:

I've had no luck getting a tunnel going through a NetScreen Firewall using Mac OS 9.1. Netscreen makes a PC client but I have yet to find out how to use a Mac client (PGP 7) to get into the IPSec.

Netscreen is actually a hardware firewall maker and they include IPSec VPN in their firewall, they sell VPN client software for PCs but not for Macs.

The people at Netscreen suggested using PGP Desktop Security 7.0 as the Mac client and using pre-shared keys. The problem is that PGP seems so over-engineered, with so many options, while Netscreen's client software for PCs is very specific (IPSec, interacts only with the Netscreen firewall etc.). So I don't know where to begin or even if it is possible to use PGP's client with a Netscreen firewall.

March 20, 2002
Thomas Hauber

We have been successful in getting PGP Desktop to connect via IPsec to a Netscreen firewall. Where I discovered a problem was when attempting to do this over an Airport network. That simply would not work. I would either get packet failures or no secure connection from the start. The only solution was to do it from a Mac with a hardwired connection to my home router (Linksys).

The other downside is that this will only work for OS 9. McAfee has dropped all development on PGP Desktop and will not be updating it (translation = no OS X client).

A fix:

March 21, 2002
James Woodyatt

The AirPort base station does not pass IPsec through its NAT transparently. If you're using a Netscreen firewall, and you have enabled its NAT function, then you probably want to turn off the NAT in the AirPort base station.

Configured as a bridge between wired and wireless networks, the AirPort Base Station simply forwards 802.1 packets without having to look at their payloads. An IPsec VPN should go right through without any trouble.

March 29, 2002
However, we've mentioned several times before that in order to use AirPort over a virtual private network with a Cisco 3000, readers recommend using NAT transparency mode. Mark Duling got a similar story from Apple:

I couldn't get a VPN connection to work with an AirPort so I contacted Apple and they said AirPorts do in fact do VPN transparent mode. Sure enough, I found out that the default group setup on our Cisco 3000 didn't have transparent mode enabled. Once I did that the AirPort works fine with VPN transparent settings.

Documentation about using PGP with Netscreen

October 4, 2002 -- Georg Eie reports that Netscreen is providing a Word document that describes how to set up the MacPGP virtual private network client with the Netscreen device. Eie told us that Netscreen sent the Word file to him via e-mail. The document is called "Creating a VPN to Netscreen from a Macintosh with a Dial Up Connection Document Number: VPN-250-005." It starts like this:

This document goes through a cookbook procedure on configuring MacPGP 7.0.3 client VPN to Netscreen. MacPGP is the only known Mac-based client that interoperates with Netscreen. This will go through configuration using IKE and with PKI/certificates.

The document provides screen shots of Mac OS 9 configuration. Eie told us that some of the screen shots may be out of date:

Please note that the menus in the newest Screen OS (which you should upgrade to) are slightly different from the ones in the document.

As client I used 'PGP Desktop 7.1' from 'www.pgpi.org'. Please also note that for the setup in this document you will need to use the commercial client ($60).

He also said that IPsec doesn't work with Mac OS X:

I found out yesterday evening that the IPsec client does not work for MacOS X. I first tested it on 9.1 [where IPsec did work].

Hopefully the 8.0 version of the IPsec client will be available soon, and this is supposed to work on Mac OS X.

VPN Tracker for OS X

VPN Tracker for OS X is an IPsec VPN client for Mac OS X 10.2 and later. The first section below, "Prerelease info" contains reports before version 1 shipped. Below that are reports of the shipping version.

Prerelease info

VPN Tracker adds GUI to IPsec in Jaguar. September 12, 2002 -- VPN Tracker 1.0 Preview Release 2 is a free beta version of a utility that creates a virtual private network connection on Mac OS X 10.2 using the IPsec protocol. (IPsec is built into Mac OS X 10.2, but has no graphical user interface.) This preview release expires on September 19. The company says that the final release (which will not be free) will be available "soon."

If you've tried VPN Tracker and would like to comment on how it works, please let us know.

Report on VPN Tracker: IPsec for OS X. September 16, 2002 -- David Harrod says that he can't get VPN Tracker to work. As we reported on September 12 (above), VPN Tracker adds a graphical user interface to the IPSec features of Mac OS X 10.2. Harrod writes:

I attempted to use VPN Tracker. I was not able to get it working. They don't really include any documentation so I may have been unable to configure it correctly. After trying every combination I could think of I gave up.

If you can verify any of this, please let us know.

VPN Tracker developer responds; 1.0 due this week. September 17, 2002 -- Equinux, developer of VPN Tracker 1.0 Preview Release 2, sent us a note about yesterday's reader report about a problem with this beta software. (VPN Tracker creates a virtual private network connection on Mac OS X 10.2 using the IPsec protocol.) The developer indicated that the finished version may be released this week:

We, the authors of VPN Tracker, have read your report about our product not working and would like to clarify the following:

The currently available version is a preview release and clearly states in the readme file that documentation will be available in the final version, which is due to be released on Thursday or Friday this week. The current version is for people who are experienced enough to get it working by themselves.

Our experience, and that of many other users who wrote us, is that VPN Tracker is working very well. Configuring an IPsec connection is not an easy task, there are many pitfalls and also situations where it won't work at all due to the design of the IPsec protocol (e.g. if you are behind a NAT router).

If you are still in contact with David Harrod, please let him know that we would be happy to solve his problems, if he provides us with details about his configuration.

If you have further questions about our product, please do not hesitate to contact us.

Best regards,
Frederik Seiffert

VPN Tracker 1.0 reports

November 6, 2002
Bernard Becker

It's a bit pricey for what is essentially a GUI for the built-in IPSec and racoon functionality in OS X 10.2, but it seems elegant and it works. I have it working with my SonicWall Pro and can remotely access my network when working from home.

November 18, 2002
Greg Myers

I have used it to successfully connect to printers on the other side of my SonicWall Tele3. Given the high price, I think I'll work at mastering the configuration through Terminal rather than use it beyond the demo period. Other than making that configuration easy, it doesn't seem to do much.

The following pages were the ones I was able to use to successfully configure through the Terminal application:

http://www.afp548.com/Articles/Jaguar/ipsec-1.html

http://www.afp548.com/Articles/Jaguar/ipsec-2.html

http://www.afp548.com/Articles/Jaguar/ipsec-3.html

You have to log in as root to work on the shared secret file.

November 18, 2002
Richard Kunert

This product works fine for me connecting to a VPN on our Netscreen firewall. I think I saved $50 worth of my time using it rather than trying to set up a VPN through the command line interface, I don't think it took much more than 20 minutes to find the right settings and get it running. With a VPN that uses one of the predefined settings it would have been faster.

That said, I think $50 would be about my limit for an application like this. At the upcoming $80 price I probably would have skipped the purchase and done it the hard way.

I've set up a number of VPNs and am pretty familiar with the process. For someone without this experience setting up a VPN using the command line interface could be fairly difficult, especially if you don't have access to the logs of the machine you're trying to connect to so you can see what sort of negotiations are taking place.

VPN Tracker 1.5 beta 2 released.

December 28, 2002 -- During the past two weeks Equinux has released two preview releases of VPN Tracker 1.5, the next version of the IPsec virtual private network client for Mac OS X 10.2 and later. The later version, released earlier this week, is VPN Tracker 1.5 PR2. (The current released version is 1.0.4.) Improvements include:

Firmware for LinkSys box breaks Mac VPN connections.

September 26, 2003
Gabriele de Simone reports that updating the firmware to his LinkSys BEFSR41 created problems with Mac virtual private network connections. Installing older firmware fixed the problem.

I just wanted to give a heads up to fellow owners of the popular LinkSys 4 ports Cable/DSL router (BEFSR41 v1/v2 but I could not verify v3). Yesterday I had the unhealthy urge to upgrade the firmware of the router in a perfectly working configuration. The latest firmware available on the LinkSys website is 1.45.7. After the upgrade, I was unable to connect to my usual VPN (PPTP) server. A PC behind the same router had no problems connecting (naturally the right option has to be on on the router for either platform to work).

Luckily there is still a version 1.44.2z available on the website which dates back to 2002. By reinstalling the older firmware I am now able to create VPN tunnels without problems.

This quirk may only affect earlier models of the BEFSR41, as the latest version of this product (v3) has a different firmware upgrade path.

October 6, 2003
Michael Wilmar found another fix:

I had a similar problem as Gabriele de Simone, only worse. I couldn't connect to the Internet at all after installing the upgrade. However, I was able to fix it by accessing the router itself and reentering my name and password, which for some reason the upgrade had apparently deleted. I then made a connection to the Internet using the router to make sure that was working. Thereafter, everything worked fine, including my VPN connection. I use PPPoE and ADSL.

October 6, 2003
Gary McKnight did not see the problem:

No problems for me using firmware 1.45.7 on an older BEFSR41 with Mac OS 10.2.8. VPN worked just fine.

October 9, 2003
Alex Spring

I recently updated the firmware on my Linksys BEFW11S4 to version 1.45.3. As in the other reports for BEFSR41, I lost VPN ability once I updated the firmware. The PCs on my network have VPN ability. I haven't changed the firmware back to an older version. I'm hoping that there's another solution besides that.

Tiger 10.4.0 breaks most VPN clients

The first release of Tiger is incompatible with most (if not all) third-party virtual private network client software. The main symptom is very slow bandwidth over the connection. This affects clients from Cisco, CheckPoint, Equinux, Apani (formerly Netlock), and Lobotomo Software, and readers are also reporting incompatibilities with the Check Point VPN client.

For more information, see our Tiger Special Reports page.

OpenVPN

March 7, 2006
Wolfgang Peschmann

I found a very stable and great working VPN solution for both Mac and Win platforms. It is the openVPN project. I have it installed on my Windows 2000 Advanced Server and on various Windows 2000 and XP professional client notebooks and finally on my G4 PowerBook running Mac OS X 10.4.5. There is also a GUI available that also works stable. See www.openvpn.net and www.openvpn.se and www.tunnelblick.net for the Mac GUI.

March 9, 2006
An anonymous reader reports a problem:

I have been using Tunnelblick on a PowerBook G4 867MHz for past 6 months. OpenVPN itself works well.

However, Tunnelblick/OpenVPN as a Mac application is not well integrated into the operating system.

The biggest problem for users is that when putting the computer to sleep, then waking it up again, Tunnelblick indicates that it is re-connecting and menu bar user interface indicates a connection, but checking IP address shows that the secure tunnel is NOT actually established. Thus, Tunnelblick consistently fails to provide security upon waking from sleep. That makes the program hard to recommend to novices.

I suspect that only Apple can do an adequate job of integrating OpenVPN onto the Mac in a way that would be guaranteed to be as reliable as the two alternatives already provided (L2TP over IPSec & PPTP).
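The failure described in the report above, where the menu bar shows a connection while traffic is not using the tunnel, can be checked from the routing table instead of the GUI. The following is an added example, not part of the reader reports and not code from Tunnelblick or OpenVPN: it parses `netstat -rn -f inet` output and reports which interface each protected destination would actually leave by. The sample tables, all addresses, and the `tun0`/`en1` interface names are constructed for illustration.

```python
import ipaddress

# Constructed sample: `netstat -rn -f inet` while the tunnel is really up.
TABLE_TUNNEL_UP = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGSc       12       34    en1
10.8/24            10.8.0.5           UGSc        0        0   tun0
10.8.0.5           10.8.0.6           UH          3        0   tun0
127                127.0.0.1          UCS         0        0    lo0
172.16.5/24        10.8.0.5           UGSc        1        7   tun0
192.168.1          link#5             UCS         2        0    en1
192.168.1.1        0:11:22:33:44:55   UHLW       12        0    en1   1180
"""

# Constructed sample: after wake from sleep the tunnel routes are gone.
TABLE_AFTER_WAKE = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGSc       12       34    en1
127                127.0.0.1          UCS         0        0    lo0
192.168.1          link#5             UCS         2        0    en1
"""


def parse_destination(dest):
    """Turn a netstat Destination column into an IPv4 network.

    Assumption: BSD abbreviated form, where '10.8/24' means 10.8.0.0/24 and
    a network printed without '/bits' ('127', '192.168.1') carries its
    classful default mask. A full four-octet address is a host route.
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, bits = dest.partition("/")
    octets = addr.split(".")
    if not all(o.isdigit() for o in octets) or len(octets) > 4:
        raise ValueError("not an IPv4 destination: %r" % dest)
    if bits:
        prefix = int(bits)
    elif len(octets) == 4:
        prefix = 32
    else:
        first = int(octets[0])
        prefix = 8 if first < 128 else 16 if first < 192 else 24
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network("%s/%d" % (padded, prefix), strict=False)


def parse_routes(netstat_output):
    """Return [(network, interface)] from the 'Internet:' section only."""
    routes, netif_col, in_ipv4 = [], None, False
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) == 1 and fields[0].endswith(":"):
            in_ipv4 = fields[0] == "Internet:"   # skips e.g. 'Internet6:'
            netif_col = None
            continue
        if not in_ipv4:
            continue
        if fields[0] == "Destination":
            netif_col = fields.index("Netif")    # column position varies by OS release
            continue
        if netif_col is None or len(fields) <= netif_col:
            continue
        try:
            routes.append((parse_destination(fields[0]), fields[netif_col]))
        except ValueError:
            continue                             # ignore rows we cannot interpret
    return routes


def egress_interface(routes, destination):
    """Longest-prefix match: the interface the kernel would pick."""
    ip = ipaddress.ip_address(destination)
    best = None
    for net, netif in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, netif)
    return best[1] if best else None


def tunnel_status(netstat_output, protected_hosts, tunnel_prefix="tun"):
    """Map each protected host to (interface, True if it uses the tunnel)."""
    routes = parse_routes(netstat_output)
    report = {}
    for host in protected_hosts:
        netif = egress_interface(routes, host)
        report[host] = (netif, bool(netif) and netif.startswith(tunnel_prefix))
    return report


if __name__ == "__main__":
    hosts = ["10.8.0.1", "172.16.5.20", "172.16.9.20"]
    for label, table in (("tunnel up", TABLE_TUNNEL_UP), ("after wake", TABLE_AFTER_WAKE)):
        for host, (netif, ok) in tunnel_status(table, hosts).items():
            print("%-10s %-12s via %-5s %s" % (label, host, netif, "OK" if ok else "NOT TUNNELLED"))
```

In the first table, 172.16.9.20 falls outside the tunnel's 172.16.5/24 route and leaves by the default interface, which is the same kind of reachability gap the earlier PiePants and DigiTunnel reports resolved by changing the subnet mask.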

April 24, 2006
Korbinian Riedhammer reports that Tunnelblick 3.0RC2, an update to the Mac front end to openVPN, fixes the problem mentioned above:

I'm using openVPN with the Tunnelblick GUI on a MacBook Pro. I experienced the same problems as Anonymous on 2006 Mar 09 in combination with DHCP: When returning from stand-by Tunnelblick tried to reconnect before the network/DHCP was set up again which screwed up the whole network settings. The Tunnelblick team released the 3.0RC2 version on 2006 April 12 which seems to fix this issue, it works pretty fine now.

May 5, 2006
Leandro Conde Trombini reports a positive experience with implementing OpenVPN in his office:

When I first arrived at the office where I work, a VPN was only a dream. I tried to use Mac OS X’s IPSec VPN with Microsoft Windows Server 2003, but it was difficult to create a VPN that really shared the entire intranet like a bridge.

So I found the OpenVPN, and with a little work I did it in bridge mode. Now all the employees can access the intranet from any place. I think this is the way that the offices will go.

If you've tried Tunnelblick and openVPN


Serving the cross-platform community since November 15, 1997.
This site created and maintained by

Copyright 2001-2006 John Rizzo. All rights reserved.