Just got an ASA 5505 to replace our old firewall/VPN device. It's a steep learning curve and I have been able to work through most of the initial issues; however, this Mac VPN connection issue is leaving me stumped. When I try to connect via the built-in Mac OS X 10.6 Cisco IPSec connection I get the following: 'A configuration error occurred. Verify your settings and try reconnecting.'


I can confirm that the host, pre-shared key, group name, and user name are correct. It does not even get to the point where it prompts for a password. Using the VPN Client on Windows XP it connects without issue. I have tried using debug crypto isakmp and debug crypto ipsec, but no information is collected when attempting to connect from a Mac. Here is the config on the ASA 5505:

ASA Version 8.2(1)
!


hostname ciscoasa
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 207.148.xxx.xxx 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
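The poster reports that the ISAKMP and IPsec debugs show nothing. On an ASA that usually means one of two things: the Mac's IKE packets never reach the outside interface, or the bare debug command (which defaults to level 1) is simply too quiet. As an added check, not part of the original post, the commands below capture IKE (UDP 500) and NAT-T (UDP 4500) traffic on the outside interface while the connection attempt is made, so the two cases can be told apart. The commands are standard ASA 8.2 CLI; the capture names are assumptions.

```text
! Capture IKE and NAT-T packets on the outside interface (capture names are assumed)
capture cap-ike interface outside match udp any any eq 500
capture cap-natt interface outside match udp any any eq 4500
!
! Raise the debug level; "debug crypto isakmp" alone is level 1 and prints very little
debug crypto isakmp 127
debug crypto ipsec 127
!
! ... start the connection from the Mac now, then inspect:
show capture cap-ike
show capture cap-natt
show crypto isakmp sa
!
! Clean up when done
no debug all
no capture cap-ike
no capture cap-natt
```

If both captures stay empty, the packets are not arriving at the ASA (wrong server address on the Mac, an upstream device filtering UDP 500/4500, or the Mac never sending), and no amount of ASA configuration will change the result. If packets appear but "show crypto isakmp sa" shows no SA, the level-127 debug output will show where the Phase 1 negotiation fails, which is the information needed to fix the tunnel-group settings.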

We have the following scenario: on my side we have a Cisco ASA with an IPsec tunnel to the customer's US datacenter, and I can ping the 172.16.0.0 subnet from my ASA (local LAN 10.0.0.0/8). Now I want to ping the EU datacenter subnet too, which is 172.20.0.0, and I am confused about how to add that remote subnet to my IPsec tunnel. We have the following ACL for interesting traffic:

access-list ACL-VPN extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0

I tried adding the following ACL to see if it would work, but it didn't:

access-list ACL-VPN extended permit ip 10.0.0.0 255.0.0.0 172.20.0.0 255.255.0.0

EDIT

My ASA config:

crypto isakmp identity 49.XX.XX.101
crypto ikev1 enable outside
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
!
tunnel-group 49.XX.XX.101 type ipsec-l2l
tunnel-group 49.XX.XX.101 ipsec-attributes
 ikev1 pre-shared-key SuperSecret
!
crypto ipsec ikev1 transform-set TSET esp-3des esp-md5
!
crypto map VPN 10 match address ACL-VPN
crypto map VPN 10 set peer 49.XX.XX.101
crypto map VPN 10 set ikev1 transform-set TSET
crypto map VPN 10 set security-association lifetime seconds 3600
!
access-list ACL-VPN extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0
!

nat (any,outside) source static 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 destination static 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0

Answer:

What you did is NOT enough. You have to ensure the VPN configuration is updated for the additional subnet (172.20.0.0/16) at BOTH ends. To be specific, the following points need to be satisfied:

At your end:

1. Add a crypto ACL entry for the additional subnet. You already did this.
2. Add an interface ACL entry for the additional subnet. I do not see rules for 172.16.0.0/16 in your configuration. Anyway, if you have rules configured for 172.16.0.0/16, you have to do the same for 172.20.0.0/16.
3. Add a NAT exemption statement for the additional subnet, such as:
   nat (any,outside) source static 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 destination static 172.20.0.0 255.255.0.0 172.20.0.0 255.255.0.0
4. Add a route for the additional subnet. I do not see a route for 172.16.0.0/16 in your configuration, so I assume you have a default route. Otherwise, if you have a route for 172.16.0.0/16, you have to configure a similar route for 172.20.0.0/16.

At your US DC customer end:

On the device where the VPN tunnel is configured, they also have to update their VPN configuration (mirroring points #1 - #3 above) for the additional/second subnet 172.20.0.0/16 (EU DC). In the US DC network they do not need point #4, because they already have a route for your network (10.0.0.0/8). However, they would need a route for their EU DC subnet on the device where the VPN tunnel is configured.
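The four points above, written out as the complete set of changes on the asking side, as an added example that is not part of the question or the answer. It uses ASA 8.4+ syntax, which the posted "crypto ikev1" commands imply; on that code base a twice-NAT rule takes network objects rather than literal address/mask pairs, so the objects are defined first. The object names, the inside interface name, the interface ACL name INSIDE-IN and the next-hop address 49.XX.XX.1 are assumptions.

```text
! Network objects for the local LAN and both remote subnets (names are assumed)
object network LOCAL-LAN
 subnet 10.0.0.0 255.0.0.0
object network REMOTE-US-DC
 subnet 172.16.0.0 255.255.0.0
object network REMOTE-EU-DC
 subnet 172.20.0.0 255.255.0.0
!
! 1. Crypto ACL: one ACE per local/remote pair. Each ACE is negotiated as its
!    own IPsec SA (proxy ID pair) and the peer must have the mirror image.
access-list ACL-VPN extended permit ip object LOCAL-LAN object REMOTE-US-DC
access-list ACL-VPN extended permit ip object LOCAL-LAN object REMOTE-EU-DC
!
! 2. Interface ACL: only if an ACL is already applied inbound on the inside
!    interface (INSIDE-IN is assumed). If none is applied, skip this step;
!    an ACL containing only these two ACEs would block all other traffic.
!    Traffic arriving from the tunnel is exempt from the outside ACL while
!    "sysopt connection permit-vpn" is enabled, which is the default.
access-list INSIDE-IN extended permit ip object LOCAL-LAN object REMOTE-US-DC
access-list INSIDE-IN extended permit ip object LOCAL-LAN object REMOTE-EU-DC
!
! 3. NAT exemption (identity twice NAT) so 10.0.0.0/8 keeps its real addresses
!    before encryption. These must sit above any dynamic PAT rule, hence the
!    explicit line numbers.
nat (inside,outside) 1 source static LOCAL-LAN LOCAL-LAN destination static REMOTE-US-DC REMOTE-US-DC no-proxy-arp route-lookup
nat (inside,outside) 2 source static LOCAL-LAN LOCAL-LAN destination static REMOTE-EU-DC REMOTE-EU-DC no-proxy-arp route-lookup
!
! 4. Routing: a default route out the outside interface already covers both
!    remote subnets. Only add an explicit route if there is no default
!    (next hop 49.XX.XX.1 is assumed).
route outside 172.20.0.0 255.255.0.0 49.XX.XX.1 1
!
! Verification, once the peer has made the mirror changes. Tear down the
! existing SAs so the new proxy IDs are negotiated, then trace a packet and
! confirm an SA exists for the 10.0.0.0/8 <-> 172.20.0.0/16 pair.
clear crypto ipsec sa peer 49.XX.XX.101
packet-tracer input inside icmp 10.0.0.10 8 0 172.20.0.10 detailed
show crypto ikev1 sa
show crypto ipsec sa peer 49.XX.XX.101
```

In the packet-tracer output the VPN phase should report the packet being encrypted; if it is dropped at the NAT phase instead, the exemption rule is either missing or ordered below a PAT rule. "show crypto ipsec sa" should then list two sets of local/remote identities for the peer, one per crypto ACE. One caveat on the posted policy: 3DES, MD5 and DH group 1 are all deprecated; if the peer can be changed at the same time, moving both ends to AES, SHA and at least DH group 14 costs nothing extra in the configuration above.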