How To connect to a Cisco VPN using Mac OS X 10.6


Cisco’s VPN products are popular in the enterprise market, and a lot of companies use them to give employees access to the company network and its resources when they are not on site.

Most of these companies hand out the stock Cisco VPN Client with a few modifications to suit their particular needs. More specifically, the client is configured through a .pcf profile file from which it reads the settings for that network.

The .pcf file is a plain-text file with a handful of configuration options, the important ones being the VPN server address, the group name and the obfuscated (“encrypted”) group password.

Mac OS X has, for the last few versions, been able to connect to L2TP and IPSec based VPNs out of the box, but lacked the ability to connect to Cisco’s implementation. That changed with the release of Mac OS X 10.6, aka Snow Leopard: OS X now ships with a Cisco IPSec client built in.

The only problem is that configuring the built-in client requires a little bit of “homework”, and in this post I’ll take you through just that.

First of all, get hold of the .pcf file for your company’s network. If you have been connecting with Cisco’s client all this time, the .pcf is already somewhere on your computer; search for it and save a copy somewhere convenient. Otherwise ask your network admin for a copy. Either way, open the file in a text editor (TextEdit on OS X) and make a note of a couple of parameters.

The first option we’re interested in is Host=xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is the IP address (or hostname) of the VPN server.

The second is GroupName=xxx, and the third is enc_GroupPwd=xxx, where xxx is a long string of seemingly random hex characters. That string is the obfuscated group password, i.e. the IPSec pre-shared key that is needed to connect to your company’s VPN server.

Before it can be used, the enc_GroupPwd value has to be turned back into clear text. The obfuscation is a published, reversible scheme (the Cisco client itself has to recover the password), so any of the freely available decoders will do: the cisco-decrypt tool that ships with vpnc, or a web-based decoder into which you paste the enc_GroupPwd value and click decode to get the clear-text password. Bear in mind that a web decoder receives your group password, which is the same pre-shared key every user of that group relies on, so a local tool is preferable. Make a note of the decoded password; it is needed later on.
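As an added example (not code from the original post, nor Cisco’s or Apple’s), here is a small stand-alone Go program that does the decoding locally instead of through a web page. It implements the published scheme that vpnc’s cisco-decrypt uses: the hex value is a 20-byte header h1, followed by the SHA-1 of the ciphertext, followed by the 3DES-CBC ciphertext; the 3DES key is SHA-1(h1 with its last byte incremented by 1) followed by the first four bytes of SHA-1(h1 with its last byte incremented by 3), the IV is the first eight bytes of h1, and the plaintext carries PKCS#5 padding. It also parses the .pcf and maps Host, GroupName and the decoded password onto the Server Address, Group Name and Shared Secret fields of the built-in client. The host, group name and secret in the sample profile are constructed for this example, as is the fixed header; the encoder exists only to build that sample with a genuine encoding (the real client picks the header at random).

```go
// pcfdecode: parse a Cisco VPN Client .pcf and decode enc_GroupPwd locally (scheme as in vpnc's cisco-decrypt).
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ParsePCF reads key=value lines, skipping [section] headers and ;/! comment lines.
func ParsePCF(text string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		k, v, ok := strings.Cut(strings.TrimSpace(line), "=")
		if ok && !strings.ContainsAny(k, "[;!") {
			out[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return out
}

// deriveKeyIV: key = SHA1(h1, last byte+1) || SHA1(h1, last byte+3)[:4]; IV = h1[:8].
func deriveKeyIV(h1 []byte) (key, iv []byte) {
	ht := append([]byte{}, h1...) // copy so the caller's buffer is untouched
	ht[19]++
	h2 := sha1.Sum(ht)
	ht[19] += 2
	h3 := sha1.Sum(ht)
	return append(h2[:], h3[:4]...), append([]byte{}, h1[:8]...)
}

// DecodeGroupPwd: value = h1(20) || SHA1(ct)(20) || ct, 3DES-CBC with PKCS#5 padding.
// The hash and the padding are checked so a corrupt value fails instead of yielding garbage.
func DecodeGroupPwd(encHex string) (string, error) {
	bin, err := hex.DecodeString(strings.TrimSpace(encHex))
	if err != nil {
		return "", err
	}
	if len(bin) < 48 || (len(bin)-40)%8 != 0 {
		return "", errors.New("enc_GroupPwd: unexpected length")
	}
	h1, h4, ct := bin[:20], bin[20:40], bin[40:]
	if sum := sha1.Sum(ct); !bytes.Equal(sum[:], h4) {
		return "", errors.New("enc_GroupPwd: integrity check failed")
	}
	key, iv := deriveKeyIV(h1)
	block, _ := des.NewTripleDESCipher(key) // key is always 24 bytes here
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= 8 {
		return string(pt[:len(pt)-pad]), nil
	}
	return "", errors.New("enc_GroupPwd: bad padding")
}

// EncodeGroupPwd is the inverse (the real client picks h1 at random); used here
// only to build a sample profile whose encoding is genuine and verifiable.
func EncodeGroupPwd(plain string, h1 []byte) string {
	key, iv := deriveKeyIV(h1)
	pad := 8 - len(plain)%8
	pt := append([]byte(plain), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := des.NewTripleDESCipher(key)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	h4 := sha1.Sum(ct)
	out := append(append(append([]byte{}, h1...), h4[:]...), ct...)
	return strings.ToUpper(hex.EncodeToString(out))
}

// MacSettings maps the profile onto the three fields the built-in Cisco IPSec client asks for.
func MacSettings(pcf map[string]string) (map[string]string, error) {
	if pcf["Host"] == "" || pcf["GroupName"] == "" {
		return nil, errors.New("profile lacks Host or GroupName")
	}
	secret, err := DecodeGroupPwd(pcf["enc_GroupPwd"])
	if err != nil {
		return nil, err
	}
	return map[string]string{"Server Address": pcf["Host"], "Group Name": pcf["GroupName"], "Shared Secret": secret}, nil
}

// SamplePCF is a constructed profile (hypothetical host, group and secret; fixed header instead of a random one).
func SamplePCF() string {
	return "[main]\nDescription=Example profile\nHost=198.51.100.10\nAuthType=1\nGroupName=EXAMPLE-GROUP\n" +
		"enc_GroupPwd=" + EncodeGroupPwd("s3cr3t-group-pw", []byte("0123456789abcdefghij")) + "\nEnableISPConnect=0\n"
}

func main() {
	s, err := MacSettings(ParsePCF(SamplePCF()))
	if err != nil {
		panic(err)
	}
	fmt.Printf("Server Address: %s\nGroup Name: %s\nShared Secret: %s\n", s["Server Address"], s["Group Name"], s["Shared Secret"])
}
```

To decode a real profile, feed the contents of your own .pcf to ParsePCF instead of SamplePCF(). Because the embedded SHA-1 is verified, a value that was wrapped or truncated by copy-and-paste produces an error rather than a wrong shared secret.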

Now open the Network pane in System Preferences.

Snow Leopard Network Preferences

Click the + sign to add a new network connection, select VPN as the Interface and Cisco IPSec as the VPN Type, and press Create.

Now, you need to fill in the details that you’d collected earlier from the .pcf file.

The Server Address comes from the Host parameter we looked at earlier. The Account Name is the username you use to connect to the VPN, and Password is the password that goes with it. If you log in with a hardware token (an RSA SecurID fob, for instance) that generates a new code each time, leave the password field blank.

Snow Leopard VPN Settings

Now click the Authentication Settings button. In the Shared Secret box enter the decoded group password from the previous step, and in the Group Name box enter the value of the GroupName field we looked at earlier. Click OK and you’re all set.

Snow Leopard VPN Settings

Apply the settings and click Connect to bring up the tunnel to your company’s VPN server.

Sharninder:
Programmer, blogger and a geek making a living shifting bits around the Internet. Sharninder is the owner of Geeky Ninja


43 Responses

  1. Sarah says:

    I’m a network tech for a medium-sized healthcare company. A few of our doctors have recently gotten Macs, and we are trying to set up the VPN client for them (our network is Windows based). The Cisco VPN client we have uses group authentication. We were able to set it up on one of the Doc’s machines (he’s running regular Leopard) but we can’t get it to work on Snow Leopard. I followed the instructions on this page, using the VPN password as the shared secret, put in the group name, have the connection type right. (Yes, I do have the Cisco VPN software installed.) But it’s still not working. Any suggestions?

  2. Sharninder says:

    Sarah,

    I’m not quite sure why this isn’t working for you since I use a similar setup and everything works for me. There may be something different about your setup that Snow Leopard doesn’t handle yet. Since the support is built into Snow Leopard, I think you should be able to get support from Apple for this?

    Or see if Cisco has a newer version of their client out. That might work for you. There are a couple of third-party Cisco clients also available for OS X so you might want to give them a look too.

  3. Caleb Walker says:

    I have 10.6 as well and have never gotten this to work. I can get it to work with Cisco’s client but on the client that comes with either the iPhone or the Mac it says, “Enter your user authentication” with no place to enter it. After clicking OK it says, “The negotiation with the VPN server failed. Verify the server address and try reconnecting.” In the PIX log I find that a user and password never traverse so it’s not authenticating.

    • Sharninder says:

      I’m not sure what problem you’re facing. Did you try following the steps I’ve mentioned to the ‘T’? I’ve always connected to my work VPN with this method and never needed to use the official Cisco client.

    • Brian says:

      Caleb…I’m having the exact same issue you described, both with Snow Leopard and iPhone clients. I can connect using the Cisco VPN client software. From what I can tell, the ACS never even receives the authentication request — there’s nothing listed in the logs as access approved or denied.

      If I find a solution I’ll swing back and post it.

    • Brian H. says:

      Caleb… We were experiencing the exact same symptoms, but resolved the issue by upgrading our PIX IOS to 7.2.4. This also resolved the VPN issue for iPhones. Cisco says the following about the iPhone VPN but the same holds true for the built-in VPN in Snow Leopard:

      Which Cisco platforms work with the Cisco VPN Client on the iPhone?

      Cisco ASA 5500 Security Appliances and PIX Firewalls. We highly recommend the latest 8.0.x software release (or greater), but you can also use 7.2.x software.

      Neither Cisco IOS VPN routers nor the VPN 3000 Series Concentrators support the iPhone VPN capabilities.

      • Sharninder says:

        Aah ! This explains it all. Looks like a Cisco bug and the box at my work was probably already on the latest firmware revision and so everything worked fine for me.

        Thanks for digging out the solution Brian and posting it here.

  4. John R Nash says:

    Getting the same error as Brian H with Snow Leopard 10.6.3 connecting to a Cisco VPN on a Cisco 1721 running version “Cisco Internetwork Operating System Software
    IOS ™ C1700 Software (C1700-K9O3SY7-M), Version 12.3(22), RELEASE SOFTWARE (fc2)”.

    Cisco VPN client works fine but not native Mac OS/X. As the admin of the VPN server, I checked the log with the command “show log history” and found this message with my client IP in it.

    entry number 28 : CRYPTO-4-IKMP_NO_SA
    IKE message from xxx.xxx.xxx.229 has no SA and is not an initialization offer

    I found information relating to this bug on the following cisco web site with this information: http://www9.cisco.com/en/US/docs/ios/12_2/sem1/system/message/emfcpad.html

    Error Message

    %CRYPTO-4-IKMP_NO_SA : IKE message from [IP_address] has no SA and is not an initialization offer

    Explanation IKE maintains the current state for a communication in the form of security associations. No security association exists for the specified packet, and it is not an initial offer from the peer to establish one. This situation could indicate a denial-of-service attack.

    Recommended Action Contact the remote peer and the administrator of the remote peer.

    I will schedule an IOS upgrade but the Cisco CCO Bug Toolkit (http://tools.cisco.com/Support/BugToolKit/) (CCO account required) has no listing of any bugs specific to the MAC client so in depth research/testing would be required to point the finger in the right direction.

    -John

  5. prometeo says:

    Working like a charm :)

    Thanks

  6. Tom says:

    Hi Sharninder,

    just wanted to thank you for this tutorial… worked perfectly right away… you saved my day :-D

    Thanks and cheers

    Tom

  7. KevinC says:

    I can use these directions to connect – but no traffic ever seems to be routed over this connection. Any guesses?

    • Dan says:

      I’m experiencing the same “no traffic” after connecting. Did you find any solution?

      • Alex says:

        So, I have the same trouble.
        Mac with SnowLeo quickly and easily connects to a Cisco 2821 router which was set up to serve VPN connectivity (and serves it well for the original Cisco client for PC and 32-bit Macs).
        But when I use the built-in Mac OS X Cisco VPN client there is no traffic between client and VPN network. If I do “netstat -r” in Terminal it shows no routing paths added to the VPN network.
        Furthermore, when I disconnect the Apple-Cisco :) VPN client it deletes any routing entries at all!!!
        “netstat -r” after disconnect shows that there are no routing paths even for the local network! And any network connectivity disappears and appears only after the eth interface is shut down and started up on the client Mac.
        Does anybody know how to beat this trouble??? Any suggestions.

  8. Andre says:

    Hello, I’m using the VPN in a little bit different way. I’ve installed the Cisco VPN Client from my company, which comes all configured. I’m able to connect to the VPN but after I connect, I’m losing my internet connection. Do you have any idea of what can be happening?

    Thanks in advance.

    • Dave says:

      Sounds like your company doesn’t permit “split tunneling”. Without it, once you connect to the VPN, you will lose your ability to connect to the Internet.

  9. Frank C. says:

    Thanks so much. I started trying to download Cisco Client for MAC but I was not an authorized Cisco user. Found your instructions and voilà I connected in a snap. Thanks so much!

  10. Ray Page says:

    I too got this procedure to work. Kudos to you. But, since I am new at this … how do you follow it up and access files on the server you have just logged onto? I am now connected to the server, but can’t figure out how to make my files available for use. Can you help? I am sure it is as easy as you made the hookup to be, but I am having trouble figuring it out.
    Thanks
    Ray

  11. dawoo says:

    Hi.

    Thanks for the guide, worked a treat.

    Cheers,
    Darren.
    (@dawoo)

  12. Omu says:

    Hi Sharninder.

    Greatly appreciate for the info! It worked out for me without any trouble on 2011 Macbook Pro, Snow Leopard OS X 10.6.7. (:

    Thank you very much!

    Omu

  13. Christi says:

    This worked great! Thanks so much. I spent hours on the phone with my hospital’s IT department and all they had were instructions for Mac 10.1. Completely useless.
    This really saved me a lot of angry phone calls!

  14. Shaun Reiff says:

    Having problems with my MBP. Get error that “the negotiation with the VPN server failed. Verify the server address and try reconnecting.” Our VPN is set up using group authentication but no username or password is used to log into vpn.

    My MBP is set up with parallels as well. I can connect on the windows side using the cisco VPN software but continually lose connection to the server once it is connected.

    Any ideas??

  15. Dan says:

    One thing to keep in mind: osx cisco ipsec only accepts aes-256 + esp-sha-hmac as transform set, so make sure your vpn server accepts this proposal

    And yes, after you disconnect you lose network connectivity on the Mac

  16. alberto says:

    After upgrading to Mac OS X 10.6.7 I spent a lot of time trying to use the Cisco VPNClient I used before. I tried also to use the Mac OS built-in client, but I was not able to configure it correctly. In particular I did not know how to use the encrypted password of my .pcf file. After reading this web page all the problems disappeared.
    Thank you so much Sharninder !

  17. Doug says:

    Just a note that this does not appear to work with a Cisco VPN 3000 concentrator.
    We get the following msg;

    Client-reported firewall does not match configured firewall: terminating tunnel.
    Received — Vendor: (0), Product (0), Caps: 0000.
    Expected — Vendor: Cisco Systems(1), Product: Cisco Integrated Client(0x00000001), Caps: 0002

    Looks like an ASA or PIX has to be in place.

  18. J-M says:

    I managed to connect to the VPN network (status is connected and the clock is running), but I can’t see my server folders. In Finder the ‘Network’ is empty…
    What am I doing wrong? Our system administrator doesn’t know mac…

    Thanks for the help!

    • Bob says:

      Same sort of issue here. I am able to connect to our VPN (and the connection timer in the menu bar increments). However, I can’t seem to access any of our internal websites (which I was able to access when using VPNClient on OSX).

      Any ideas why I can’t seem to access internal URLs? Does it have anything to do with tunneling settings in the PCF file:
      EnableNat=1
      TunnelingMode=1
      TcpTunnelingPort=10000

    • Levent says:

      i have the same problem. Everything seems ok. But i can not connect to server folders. Any solutions?

  19. Thx, this post helped me so much…

  20. aditya says:

    It worked for me. Thanks for very clear instructions and the URL to decode group password.

  21. El.Duderin0 says:

    I have Snow Leopard 10.6, VPN Cisco did not work, kept receiving error 51 every time I tried to start it and online solutions didn’t help until I used the native VPN (Cisco IPSec) in OSX 10.6. I followed these instructions to a T, worked beautifully… for a time. Now, while I am on a functional wireless network, the VPN no longer works for beans, always says that a configuration error occurred despite fellow students using the same network, but using Cisco VPN on the exact same authentication having no problems. It seems like a specific error of the native VPN, but I can’t be too sure.

    • Kai says:

      The current version of the Cisco VPN Client does not appear to run properly if Mac OS is running the 64-bit kernel. Users will see the error “Error 51: Unable to communicate with the VPN subsystem” when starting the VPN

      • Sharninder says:

        Well, to tell you the truth, I feel Cisco isn’t really interested in the legacy VPN client anymore. The new method is the Cisco Anywhere client and they want everyone to move to that. This is just my opinion, though.

  22. Kendon says:

    I have the exact same error as Shaun Reiff – “The VPN server did not respond. Verify the server address and try reconnecting.” One inconsistency with this article is that I have no username, only a group name. Also, I’m on Lion, not Snow Leopard. Any ideas??

  23. Lisa says:

    THANK YOU, THANK YOU! A lifesaver, indeed!

  24. Donald says:

    Thank you so much for publishing this info – the VPNClient we were given for home access does not install on Mountain Lion, but this article helped us use the built-in one instead.

© 2014 Geeky Ninja. All rights reserved.