macOS – Cisco VPN Mac OSX connection fails when tethered to iPhone Personal Hotspot


I frequently work remotely, out of reach of WiFi, and simply rely on tethering my Mac to my iPhone for internet access. This works great, except I am unable to connect to one of my client's Cisco AnyConnect VPN Network using my Mac when tethered to my iPhone. I have spent three years vaguely looking for a solution and the last 48 hours trying solidly, so would be grateful for help.

To be clear:

  • MacOSX connected to AnyConnect VPN via WiFi internet works fine.
  • MacOSX connected to VPN via tether to a Samsung S7 LTE works fine.
  • MacOSX connected to VPN via tether to an iPhone, via either Lightning USB or WiFi, does not work.

By "doesn't work" I mean that I have no internet access whatsoever (Chrome displays DNS_PROBE_FINISHED_NO_INTERNET when accessing any website). Internet access is restored upon disconnecting from the VPN.

Also interestingly:

  • VPN from Windows 10, connected via any of the above (WiFi, Samsung, iPhone), works fine from both a MacBook running Win10 and a Surface 3. This implies that if ports are blocked by iPhone Personal Hotspot, this somehow isn't an issue for the Windows client, but is for the OSX AnyConnect client.
  • VPN directly on the iPhone (via the Cisco AnyConnect iOS app) works fine, but does not change the inability to connect my Mac.

Things I have already tried:

  • I tried setting up MacOSX built-in Cisco VPN support in Apple Network Settings, but I don't see where my profile file is stored to allow specifying a group name or password (following instructions to find a PCF file in /opt/cisco etc.). To be clear, I have confirmed that on a clean Surface 3, all that is necessary is to download the Cisco VPN installer from the company website and specify remote.companyname.com as the server in AnyConnect. I never download a personal certificate file or similar from which a group key can be decrypted. Are there more up to date instructions on how to do this? I can confirm that if a group name/password is available, the company have declined to provide it, and I don't understand why OpenConnect (below) would be able to connect without it if it is required.

  • I tried connecting using OpenConnect installed via MacPorts, which seemed to authenticate correctly (including the company's two-factor authentication via Duo Push), but I have no DNS for internal sites (Jira, Confluence, etc.). To be clear, the result is different to other failed tethered connections in that I DO have access to the wider internet.

  • Some web pages implied that UDP ports used by IPSec are blocked on iPhone Personal Hotspot. However, I can find no option in AnyConnect to fall back to TCP as suggested. Perhaps the fact that the Windows AnyConnect client DOES work implies that it does that automatically?

  • I have not called my cellphone carrier, as Windows VPN connections demonstrably work via tether to the iPhone.

I have been looking for a solution to this for 3 years. Currently, my best solution is a Microsoft Surface that I keep with me (updating Confluence/JIRA from an iPhone is inconvenient.) The internet is full of vague questions regarding this over the past 6 years, so I have tried to be as specific as possible.

(Originally posted on ServerFault, where it was put on hold and I was told to post here. Sorry. I am an engineer, so if you need to ask me to explain further or test something, I'll be happy to report back.)

Best Answer

It seems that others have experienced this problem and have been able to work around it by disabling the IPv6 functionality on the devices which are affected by this issue.

In cases where a device only uses IPv6 or it cannot be forced to use IPv4, then you can configure the Cisco router to have the client-bypass-protocol "enabled" so the IP address type is not dropped when it uses IPv6.

The issue may be related to inherited DNS names when connected to an Anyconnect VPN tunnel where Split Tunneling is defined.

If possible, have the network team check the Cisco router logs when a device affected by this problem is connected to the Anyconnect VPN tunnel and see what the logs show.

Cisco ASA Series Command Reference, A - H Commands

client-bypass-protocol

To configure how the ASA manages IPv4 traffic when it is expecting only IPv6 traffic, or how it manages IPv6 traffic when it is expecting only IPv4 traffic, use the client-bypass-protocol command in group-policy configuration mode. To clear the client bypass protocol setting, use the no form of this command.

client-bypass-protocol { enable | disable }

no client-bypass-protocol { enable | disable }

Syntax Description

  • enable: If Client Bypass Protocol is enabled, the IP traffic for which the ASA did not assign an IP address type is sent from the client in the clear.
  • disable: If Client Bypass Protocol is disabled, the IPv6 traffic for which the ASA did not assign an IP address type is dropped.

Defaults

  • Client Bypass Protocol is disabled by default in the DfltGrpPolicy.

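The answer's client-side workaround is to turn IPv6 off on the affected device. As an added example (not part of the question, the answer, or Cisco's documentation), the script below checks the IPv6 mode of a macOS network service with networksetup -getinfo and turns IPv6 off with networksetup -setv6off only when it is not already off, so it is safe to run repeatedly. It assumes the tethering service is named "iPhone USB" (confirm the exact name with networksetup -listallnetworkservices; the WiFi tether goes through the "Wi-Fi" service instead) and that it is run by an admin user, since networksetup changes need admin rights. The sample getinfo output in the comments is constructed, not captured from a real Mac.

```shell
#!/bin/sh
# Added example: report and, if needed, disable IPv6 on the macOS network
# service used for the iPhone tether (the workaround described in the answer).
# Assumptions: service name "iPhone USB"; run as an admin user (sudo).

# Print the mode from the "IPv6: ..." line of `networksetup -getinfo <service>`
# output read on stdin, e.g. "Automatic", "Manual" or "Off". The pattern
# requires the colon directly after "IPv6", so the "IPv6 IP address:" and
# "IPv6 Router:" lines that follow it in real output are not matched.
parse_ipv6_mode() {
    sed -n 's/^IPv6: *//p' | head -n 1
}

# Succeed (exit 0) when the given getinfo text shows IPv6 is not already off.
# A constructed getinfo text for a DHCP tether looks like:
#   DHCP Configuration
#   IP address: 172.20.10.2
#   Subnet mask: 255.255.255.240
#   Router: 172.20.10.1
#   IPv6: Automatic
#   IPv6 IP address: none
ipv6_is_enabled() {
    mode=$(printf '%s\n' "$1" | parse_ipv6_mode)
    [ -n "$mode" ] && [ "$mode" != "Off" ]
}

# Query the live service (macOS only) and print its current IPv6 mode.
current_ipv6_mode() {
    networksetup -getinfo "$1" | parse_ipv6_mode
}

# Turn IPv6 off on the service only if it is not already off; idempotent.
disable_ipv6_if_needed() {
    service=$1
    info=$(networksetup -getinfo "$service") || return 1
    if ipv6_is_enabled "$info"; then
        echo "IPv6 on '$service' is $(printf '%s\n' "$info" | parse_ipv6_mode); turning it off"
        networksetup -setv6off "$service"
    else
        echo "IPv6 on '$service' is already off"
    fi
}

# Usage on macOS (as an admin user):
#   sudo sh ipv6_tether.sh "iPhone USB"
# Reconnect AnyConnect afterwards and retest; `networksetup -setv6automatic`
# restores the default when the tether is no longer in use.
if [ -n "$1" ] && command -v networksetup >/dev/null 2>&1; then
    disable_ipv6_if_needed "$1"
fi
```

Of the two fixes the answer lists, this one keeps everything inside the tunnel: the quoted Cisco text notes that with client-bypass-protocol enabled, traffic for which the ASA assigned no address type leaves the client in the clear, outside the VPN, so the server-side setting trades the connectivity failure for unencrypted IPv6 traffic. Disabling IPv6 on the tethering service avoids both.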
