
I frequently work remotely, out of reach of WiFi, and simply rely on tethering my Mac to my iPhone for internet access. This works great, except I am unable to connect to one of my client's Cisco AnyConnect VPN Network using my Mac when tethered to my iPhone. I have spent three years vaguely looking for a solution and the last 48 hours trying solidly, so would be grateful for help.

To be clear:

  • MacOSX connected to AnyConnect VPN via wifi internet works fine.
  • MacOSX connected to VPN via tether to a Samsung S7 LTE works fine
  • MacOSX connected to VPN via tether to an iPhone, via either Lightning USB or Wifi, does not work

By "doesn't work" I mean that I have no internet access whatsoever (Chrome displays DNS_PROBE_FINISHED_NO_INTERNET when accessing any website.) Internet access is restored upon disconnecting from the VPN.

Also interestingly:

  • VPN from Windows 10, connected via any of the above (WiFi, Samsung, iPhone) works fine from both a MacBook running Win10, and a Surface 3. This implies that if ports are blocked by iPhone Personal Hotspot, this somehow isn't an issue for the Windows Client, but is for the OSX AnyConnect Client.
  • VPN directly on the iPhone (via Cisco AnyConnect iOS App) works fine but does not change the inability to connect my Mac.

Things I have already tried:

  • I tried setting up MacOSX built-in Cisco VPN support in Apple Network Settings, but I don't see where my profile file is stored to allow specifying a groupname or password (following instructions to find a PCF file in /opt/cisco etc). To be clear, I have confirmed that on a clean Surface 3, all that is necessary is to download the Cisco VPN installer from the company website, and specify remote.companyname.com as the server in AnyConnect. I never download a personal certificate file or similar from which a group key can be decrypted. Are there more up-to-date instructions on how to do this? I can confirm that if a group name/password is available, the company have declined to provide it, and I don't understand why OpenConnect (below) would be able to connect without it if it is required.

  • I tried connecting using OpenConnect installed via MacPorts, which seemed to authenticate correctly (including the company's 2-factor authentication via Duo Push), but I have no DNS for internal sites (JIRA, Confluence, etc.) To be clear, the result is different to other failed tethered connections in that I DO have access to the wider internet.

  • Some web pages implied that UDP ports used by IPsec are blocked on iPhone Personal Hotspot. However, I can find no option in AnyConnect to fall back to TCP as suggested. Perhaps the fact that the Windows AnyConnect client DOES work implies that it does that automatically?

  • I have not called my cellphone carrier, as Windows VPN connections demonstrably work via tether to the iPhone.

I have been looking for a solution to this for 3 years. Currently, my best solution is a Microsoft Surface that I keep with me (updating Confluence/JIRA from an iPhone is inconvenient.) The internet is full of vague questions regarding this over the past 6 years, so I have tried to be as specific as possible.

(Originally posted on ServerFault, where it was put on hold and I was told to post here. Sorry. I am an engineer, so if you need to ask me to explain further or test something, I'll be happy to report back.)
