Re: [Fed-Talk] VPN in Snow Leopard
- Subject: Re: [Fed-Talk] VPN in Snow Leopard
- From: "Shawn A. Geddis" <email@hidden>
- Date: Thu, 27 Aug 2009 10:56:32 -0400
On Aug 27, 2009, at 8:14 AM, Nichols, Jared wrote:
> One thing I found (and submitted a bug report for) is that the built-in
> CiscoVPN client ignored the split tunneling setting as pushed
> down by our VPN concentrators.
> So, if you're in an environment that disables split tunneling when
> you're VPNed (i.e. ALL of your traffic is forced through the VPN)
> you may want to make sure this works before relying on the built-in
> client.
Jared,
Apple does not ship a built-in CiscoVPN Client... but rather, Apple's
built-in client supports Cisco IPSec.
Considerably different and one important point for everyone to keep in
mind.
Apple's VPN Client has never promised nor supported Split Tunneling
settings from the Concentrators.
You can enforce/allow split tunneling with a simple network
configuration best practice:
System Preferences => Network => "Set Service Order..."
Set the Priority of the Services (Physical & Logical interfaces)
with ordering in the list
(highest in the list has highest priority - lowest has.... well you
get it)
Examples:
*IF* My Service Priority is:
VPN <Config of Choice>
Ethernet
AirPort
Then ALL default traffic will go over the VPN connection (i.e. DNS
Lookups)
ONLY traffic destined for LAN will cross the Ethernet interface
You can also force this by selecting "Send all traffic over VPN
Connection" in the Config window.
(This effectively sets the Service Priority)
(*Locking* Network Prefs from Users prevents their modifications of
this.)
*IF* My Service Priority is:
Ethernet
AirPort
VPN <Config of Choice>
Then ALL default traffic will go over the Ethernet port (i.e. DNS
Lookups)
ONLY traffic destined for that network will traverse the VPN
defined network
> Last I checked (and I think it was with the GM release) this was not
> fixed. I can try it tonight to be doubly sure. I have been using
> the actual Cisco VPN client (4.9.01 100) with success.
Remember that Cisco VPN Client does not support Smart Cards (on Mac OS
X), but Apple's VPN Services properly utilizes Mac OS X's Credential
Services which gives full use of supported smart cards.
- Shawn
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise
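Added example, not part of the thread above: a small shell check for the service-order rule Shawn describes, i.e. that the VPN service must sit first in "Set Service Order..." for the default route (and DNS) to go over the tunnel. The `networksetup -listnetworkserviceorder` output it parses is a constructed sample so it runs offline; the service names in it are assumptions.

```shell
#!/bin/sh
# Constructed sample of `networksetup -listnetworkserviceorder` output.
# On a real Mac, replace it with: networksetup -listnetworkserviceorder
# A "(*)" entry is a disabled service and never carries the default route.
SAMPLE_ORDER='An asterisk (*) denotes that a network service is disabled.
(1) VPN (Cisco IPSec)
(Hardware Port: VPN, Device: )

(2) Ethernet
(Hardware Port: Ethernet, Device: en0)

(*) Bluetooth DUN
(Hardware Port: Bluetooth DUN, Device: Bluetooth-Modem)

(3) AirPort
(Hardware Port: AirPort, Device: en1)'

# Print enabled service names in priority order, one per line.
# Only "(N) Name" lines are kept; "(Hardware Port: ...)" detail lines and
# disabled "(*)" entries are dropped.
list_services() {
    printf '%s\n' "$1" | sed -n 's/^([0-9][0-9]*) //p'
}

# Name of the highest-priority enabled service: this is the one whose
# default route (and DNS lookups) win, per the message above.
top_service() {
    list_services "$1" | head -n 1
}

# Exit 0 if the named service is first in the order, 1 otherwise.
# Use it to confirm "all traffic over VPN" before relying on it.
service_is_first() {
    [ "$(top_service "$1")" = "$2" ]
}

# Reporting helper: which interface owns the default route right now.
report() {
    printf 'Default traffic (incl. DNS) goes over: %s\n' "$(top_service "$1")"
}

# To actually put the VPN first on a Mac (admin rights required), the
# equivalent of dragging it to the top of the list is, e.g.:
#   networksetup -ordernetworkservices "VPN (Cisco IPSec)" Ethernet AirPort
```

Run `report "$SAMPLE_ORDER"` to see which service currently wins; with the sample order it is the VPN, matching the first of Shawn's two cases.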