How do I troubleshoot Mac OS X Cisco IPSec VPN not working over a Samsung Verizon 4G LTE WiFi hotspot?


Solution 1

I believe this is a problem with the Samsung device. I have the Verizon 4510L 4G MiFi and it works perfectly with our Cisco IPSec VPN and SSL VPN. There are a few threads on the Verizon Wireless community about the Samsung device not working with PPTP VPN. They say they will have a firmware update to resolve those issues. GRE packets are being blocked currently with the device. Some have reported trouble with Cisco IPSec as well.

Here is some information.

Solution 2

The problem lies in the firewall configuration. They obviously have split-tunneling enabled and set up but may not have split-dns config'd. I had the same issue with Mac OS and my ASA. Once I had both config'd properly it all was seamless.


Author: Daryl Spitzer


Updated on September 18, 2022

Comments

  • Daryl Spitzer
    Daryl Spitzer almost 2 years

    I have Cisco IPSec VPN (to my employer) configured on my MacBook Air. It works perfectly when I'm at home connected through WiFi to my cable modem (through an Airport Extreme). But when I try to connect through my Samsung Verizon 4G LTE Mobile Hotspot (that I got when attending Google I/O), I can't connect to anything (inside or outside my employer's firewall). If I disconnect the VPN, network access returns.

    I can't ask my employer's IT department for support because they don't support Mac OS X.

    How do I troubleshoot this?

    Update: Jason Berg suggested in a comment below that I reproduce the problem on a PC so I can get support from my employer's IT department. Unfortunately VPN works over the mobile hotspot on my Windows 7 notebook. So I (still) can't get support from IT.

    Update #2: xeon's answer below links to details on Verizon Wireless's forums about connections being "double natted", which doesn't work with PPTP. That may not apply to my Cisco IPSec VPN. I wonder if I've failed to enable "VPN passthrough" as mentioned in some posts in that thread.

    Update #3: I enabled "VPN passthrough" (following the instructions in the user manual downloaded from http://www.samsung.com/us/support/downloads/SCH-LC11ZKAVZW) but it still doesn't work. (There was also an undocumented "Privacy Separator enable" checkbox. I tried with it both unchecked and checked, and it didn't work either way.)

    • Jason Berg
      Jason Berg about 13 years
      Replicate the issue on a PC and then ask your IT department for help. Seriously, this could be a configuration thing on the firewall (like a NAT traversal issue) or it could be related to Verizon blocking certain types of traffic. You wouldn't be able to solve either of those issues without your IT department's help, so replicate the issue on a supported device and ask them for assistance.
    • Daryl Spitzer
      Daryl Spitzer about 13 years
      That's good advice. I'll try that.
    • Daryl Spitzer
      Daryl Spitzer about 13 years
      Unfortunately VPN works through the mobile hotspot on my Windows 7 notebook. :-(
    • Jason Berg
      Jason Berg about 13 years
      OK. What type of vpn client are you using? Mac OS built in? Cisco VPN Client? Cisco Anyconnect VPN client? What version? What's the error? Enable logging, what do you see in the log screen?
    • Daryl Spitzer
      Daryl Spitzer about 13 years
      I'm using Mac OS X built-in, configured for Cisco IPSec VPN. It connects (and reports no errors and doesn't act any differently from when it works at home). I believe I get an IP address, but I can't ping the DNS server or any other machines.
    • Daryl Spitzer
      Daryl Spitzer about 13 years
      I'm going to look into how to enable "VPN passthrough" first...
    • Daryl Spitzer
      Daryl Spitzer about 13 years
      ...then I'll see if I'm being "double natted" as described in community.vzw.com/t5/4G-Discussion/…. (Unless anyone has other suggestions or questions.)
    • Daryl Spitzer
      Daryl Spitzer about 13 years
      I enabled VPN passthrough (using the hotspot's HTTP server) but still have the same problem. I also tried enabling (the undocumented checkbox) "Privacy Separator enable", but it still doesn't work.
    • Daryl Spitzer
      Daryl Spitzer about 13 years
      How do I determine if I'm getting "double natted"? When I'm not trying to use VPN I'm getting issued 192.168.1.4, and the router (and DNS server) is 192.168.1.1.
    • Jason Berg
      Jason Berg about 13 years
      @Daryl - Can you post log files for your VPN client? You'll find logs in /var/logs/system.log. It might also be fruitful to try it out with the official Cisco client to see if you get the same results.
  • Daryl Spitzer
    Daryl Spitzer about 13 years
    Thanks. community.vzw.com/t5/4G-Discussion/… describes my problem perfectly.
  • Daryl Spitzer
    Daryl Spitzer about 13 years
    I wonder why I don't have the problem on my Windows 7 notebook. (See the update to my question.)
  • Daryl Spitzer
    Daryl Spitzer almost 13 years
    What led you to write "obviously"?
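
On the "How do I determine if I'm getting double natted?" question in the comments: one heuristic is to look at the first hops of a `traceroute -n` run from the Mac over the hotspot and count how many non-public addresses appear before the first public one. The following is an added example, not code from any poster; the sample output is constructed (only 192.168.1.1 comes from the thread), and two non-public hops in a row are a strong hint rather than proof.

```python
import ipaddress
import re

# Ranges that are not routable on the Internet, so a hop inside them sits
# behind a NAT: RFC 1918 private space and RFC 6598 carrier-grade NAT space.
NON_PUBLIC = {
    "private": [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "cgnat": [ipaddress.ip_network("100.64.0.0/10")],
}
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")  # hop number, then first token

# Constructed sample of `traceroute -n` output (not captured from a real run).
SAMPLE = """\
traceroute to 203.0.113.10 (203.0.113.10), 64 hops max, 52 byte packets
 1  192.168.1.1  2.1 ms  1.8 ms  1.9 ms
 2  10.170.0.1  38.2 ms  35.0 ms  36.4 ms
 3  * * *
 4  198.51.100.1  41.0 ms  40.2 ms  39.8 ms
 5  203.0.113.10  44.1 ms  43.7 ms  43.9 ms
"""


def classify(addr):
    """Return 'private', 'cgnat' or 'public' for an IP address string."""
    ip = ipaddress.ip_address(addr)
    for kind, nets in NON_PUBLIC.items():
        if any(ip in net for net in nets):
            return kind
    return "public"


def nat_layers(traceroute_text):
    """List (address, kind) for each non-public hop before the first public hop."""
    layers = []
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line, not a hop
        try:
            kind = classify(m.group(2))
        except ValueError:
            continue  # "*": the hop did not answer
        if kind == "public":
            break
        layers.append((m.group(2), kind))
    return layers


def is_double_nat(traceroute_text):
    """Two or more non-public hops in a row suggest NAT behind NAT."""
    return len(nat_layers(traceroute_text)) >= 2
```

A second check is to compare the WAN address shown on the hotspot's admin page with the public address a remote site sees; if they differ, another NAT sits upstream of the hotspot.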