[c-nsp] Cisco VPN Client Causes Mac OS X Crash - Update!

Mon Sep 14 07:19:49 EDT 2009

Thought I'd provide an update for the archives...

Many thanks to one folk who contacted me privately after 
Google'ing their way to this thread:

Frequent kernel panics have been experienced on all versions 
of Mac OS X 10.5 (Leopard) with VMware Fusion 2 and the 
Cisco VPN Client installed.

Workaround 1: disable IPv6 on Mac when working with the VPN
	    on a system that has VMware Fusion installed.

Workaround 2: uninstall VMware Fusion (may not be feasible
              for most).

Workaround 3: run the VPN inside VMware Fusion (doesn't
              protect traffic generated inside Mac OS X).

Cisco are aware about the problem, and said they won't fix 
the it since the Cisco VPN Client and virtual environments 
is unsupported (whatever that means). 

Suffice it to say, AFAIK, the Cisco VPN Client doesn't 
support IPv6.

Bug ID CSCsj38286 was filed for this case. Details as below:

=====

unity mac fails with parallels fusion and crossover

Symptoms
Parallels, Fusion, and CrossOver prevent the VPN Client from 
working properly.

Conditions
The VPN Client does not support the use of virtual 
environments.

Workarounds

Cisco VPN with Parallels:

* Install the VPN Client SW on MacOS.
* Configure Paralllels Networking. You'll probably want to 
use "shared networking" in Parallels. This causes Parallels 
to share a single MacOSX-side IP address by using NAT on all 
network traffic to/from the guest virtual machines/OS's. 
Some applications (IPTV) are NAT-intolerant and won't work 
in this case.

Alternately, instead of running Cisco VPN Client on MacOS, 
it can be run on the Windows side. Of course, then MacOSX 
would not be 'inside' the VPN but Windows would be. 

=====

Since Cisco don't plan to do anything about this, I'll have 
a chat with VMware and see what they say (considering it's 
clear that the Cisco VPN Client kernel extension is the one 
that crashes the system).

My private messenger also had this interesting bit to add:

"Also, worth nothing is that the "Local LAN access" feature 
in Cisco VPN client is IPv4 only. Which means that an 
attacker could access your computer over IPv6 and then be 
able to enter your company's network over the VPN connection 
from your machine. I've pointed that out too and Cisco hid 
behind the 'IPv6 is not supported' excuse."

Perhaps I can bug my account team, again :-).

Hope this is useful for some.

PS: I'm now running Snow Leopard (10.6.1). No crashes due to
    this, thus far, but who knows...

Cheers,

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20090914/939caf88/attachment.bin>