The Cisco VPN Client for Mac OS X is a software application that runs on any Macintosh computer using operating system Version 10.1.0 or later. The VPN client on a remote PC, communicating with a Cisco VPN device on an enterprise network or with a service provider, creates a secure connection over the Internet. This connection allows you to access a private network as if you were an on-site user, creating a virtual private network (VPN).
The following VPN devices can terminate VPN connections from VPN clients:
Cisco IOS software devices that support Easy VPN server functionality
Cisco VPN 3000 Series Concentrators
Cisco PIX Firewall Series, Version 6.2 or later
With the graphical user interface for the VPN Client for Mac OS X, you can establish a VPN connection to a private network, manage connection entries, certificates, events logging, and view tunnel routing data.
You can also manage the VPN client for Mac OS X using the command-line interface (CLI). If you are running Darwin software, or if you prefer to manage the VPN client from the CLI, refer to the Cisco VPN Client Administration Guide.
The VPN client works with a Cisco VPN device to create a secure connection, called a tunnel, between your computer and a private network. It uses Internet Key Exchange (IKE) and Internet Protocol Security (IPSec) tunneling protocols to establish and manage the secure connection.
The steps used to establish a VPN connection can include:
The VPN client supports the program features listed in Table 1-2.
Table 1-2 Supported Program Features

Program Feature | Description
--- | ---
Servers supported | Cisco IOS software devices that support Easy VPN server functionality; Cisco VPN 3000 Series Concentrators; Cisco PIX Firewall Series, Version 6.2 or later
Interface supported | Graphical user interface; command-line interface
Local LAN access | The ability to access resources on a local LAN while connected through a secure gateway to a central-site VPN server (if the central site grants permission).
Automatic VPN client configuration option | The ability to import a configuration file.
Event logging | The VPN client log collects events for viewing and analysis.
NAT Transparency (NAT-T) | Enables the VPN client and the VPN device to automatically detect when to use IPSec over User Datagram Protocol (UDP) to work properly in Port Address Translation (PAT) environments.
Update of centrally controlled backup server list | The VPN client learns the backup VPN server list when a connection is established. This feature is configured on the VPN device and pushed to the VPN client. The backup servers for each connection entry are listed on the Backup Servers tab.
Set MTU size | The VPN client automatically sets a size that is optimal for your environment. However, you can also set the maximum transmission unit (MTU) size manually. For information on adjusting the MTU size, see the Cisco VPN Client Administrator Guide.
Support for Dynamic Domain Name System (Dynamic DNS host name population) | The VPN client sends its host name to the VPN device when the connection is established. If this occurs, the VPN device can send the host name in a Dynamic Host Configuration Protocol (DHCP) request. This causes the DNS server to update its database to include the new host name and VPN client address.
IPSec Features
The VPN client supports the IPSec features listed in Table 1-3.
Table 1-3 Supported IPSec Features

IPSec Feature | Description
--- | ---
Tunnel protocol | IPSec
Transparent tunneling | IPSec over UDP for NAT and PAT; IPSec over Transmission Control Protocol (TCP) for NAT and PAT
Key management protocol | Internet Key Exchange (IKE)
IKE keepalives | A mechanism for monitoring the continued presence of a peer and for reporting the VPN client's continued presence to the peer. The VPN client notifies you when the peer is no longer present. Also used to keep NAT ports alive.
Split tunneling | The ability to simultaneously direct some packets over the Internet in clear text and others encrypted through an IPSec tunnel. The VPN device supplies a list of networks to the VPN client for tunneled traffic. You enable split tunneling on the VPN client and configure the network list on the VPN device.
Support for split DNS | The ability to direct DNS packets in clear text over the Internet to domains served through an external DNS (serving your ISP) or through an IPSec tunnel to domains served by the corporate DNS. The VPN server supplies a list of domains to the VPN client for tunneling packets to destinations in the private network. For example, a query for a packet destined for corporate.com travels through the tunnel to the DNS that serves the private network, while a query for a packet destined for myfavoritesearch.com is handled by the ISP's DNS. This feature is configured on the VPN server (VPN concentrator) and enabled on the VPN client by default. To use split DNS, you must also have split tunneling configured.
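As an added illustration (not code from the Cisco VPN Client or from this guide), the following Python models the two decisions that split tunneling and split DNS make on the client: whether a packet's destination falls in the pushed network list, and whether a DNS query name falls under a pushed domain. The network and domain lists are constructed sample values standing in for what the VPN device pushes, and the rule that every DNS query goes through the tunnel when split tunneling is off is an assumption drawn from the note that split DNS requires split tunneling.

```python
import ipaddress

# Constructed sample policy, standing in for the lists the VPN device
# pushes to the client (example values, not from the page).
SPLIT_TUNNEL_NETWORKS = ["10.0.0.0/8", "192.168.100.0/24"]
SPLIT_DNS_DOMAINS = ["corporate.com", "lab.corporate.com"]


def uses_tunnel(dst_ip, networks):
    """Split tunneling: a packet is encrypted into the IPSec tunnel only if
    its destination lies inside one of the pushed networks; everything else
    leaves in clear text over the Internet."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def _normalize(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.rstrip(".").lower()


def dns_via_tunnel(query_name, domains, split_tunneling_enabled):
    """Split DNS: send a query to the corporate DNS through the tunnel only
    if the name is one of the pushed domains or a subdomain of one.
    Assumption: with split tunneling disabled all traffic, DNS included,
    goes through the tunnel, so the domain list is not consulted."""
    if not split_tunneling_enabled:
        return True
    q = _normalize(query_name)
    for d in domains:
        d = _normalize(d)
        # Match on label boundaries so "notcorporate.com" does not match
        # "corporate.com"; a bare suffix check would leak that query's
        # routing decision the wrong way.
        if q == d or q.endswith("." + d):
            return True
    return False


def route_packet(dst_ip, networks):
    """Human-readable decision for a data packet."""
    return "tunnel" if uses_tunnel(dst_ip, networks) else "clear"
```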
VPN Client IPSec Attributes
The VPN client supports the IPSec attributes listed in Table 1-4.
Table 1-4 IPSec Attributes

IPSec Attribute | Description
--- | ---
Main Mode and Aggressive Mode | Ways to negotiate phase one of establishing ISAKMP Security Associations (SAs).
Authentication algorithms | HMAC (Hashed Message Authentication Coding) with MD5 (Message Digest 5) hash function; HMAC with SHA-1 (Secure Hash Algorithm) hash function
Authentication modes | Preshared keys; X.509 digital certificates
Diffie-Hellman groups | 1; 2
Encryption algorithms | 56-bit DES (Data Encryption Standard); 168-bit Triple-DES; AES 128-bit and 256-bit
Extended Authentication (XAUTH) | The capability of authenticating a user within IKE. This authentication is in addition to the normal IKE phase 1 authentication, where the IPSec devices authenticate each other. The extended authentication exchange within IKE does not replace the existing IKE authentication.
Mode configuration | ISAKMP configuration method
Tunnel encapsulation modes | IPSec over UDP (NAT/PAT); IPSec over TCP (NAT/PAT)
IP compression (IPCOMP) using LZS | Data compression algorithm
Authentication Features
The VPN client supports the authentication features listed in Table 1-5.
Table 1-5 Authentication Features

Authentication Feature | Description
--- | ---
User authentication through VPN central-site device | Internal, through the VPN device's database; RADIUS (Remote Authentication Dial-In User Service); NT Domain (Windows NT); RSA (formerly SDI) SecurID or SoftID
Certificate Management | Allows you to manage the certificates in the certificate stores.
Certificate Authorities (CAs) | CAs that support PKI simple certificate enrollment protocol (SCEP).
Peer Certificate Distinguished Name Verification | Prevents a VPN client from connecting to an invalid gateway by using a stolen but valid certificate and a hijacked IP address. If the attempt to verify the domain name of the peer certificate fails, the VPN client connection also fails.