Cisco’s VPN solutions are quite popular in the enterprise market, and many companies use them to give employees access to the company’s networks and resources when they are not onsite.
Most of these companies use the default Cisco client, which Cisco supplies, with a couple of modifications to suit their particular needs. More specifically, configuring this client involves creating a .pcf file from which the client reads the settings for the specific network.
The .pcf file is a plain-text file with a handful of config options, the important ones being the VPN server address, the encrypted group password and the group name.
Mac OS X has, for the last few versions, been able to connect to L2TP- and IPSec-based VPNs out of the box, but lacked the ability to connect to Cisco’s implementation. That has now changed with the release of Mac OS X 10.6, aka Snow Leopard: OS X now ships with the ability to connect to Cisco-based VPNs out of the box.
The only problem is that configuring the built-in client requires a little bit of “homework”, and in this post I’ll take you through just that.
First of all, you need to get hold of the .pcf file for your company’s network. If you’ve been connecting to the VPN using Cisco’s client all this time, you’ll have the .pcf somewhere on your computer: search for it and save it somewhere convenient. Otherwise, ask your network admin to provide you with a copy of the file. Either way, you need to open this file with a text editor (TextEdit on OS X) and make note of a couple of config parameters.
The first config option we’re interested in is Host=xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is an IP address.
The second option you need is GroupName=xxx, and the third is enc_GroupPwd=xxx, where xxx will be a long string of seemingly random characters. That string is the encrypted group password that is needed to connect to your company’s VPN server.
We first need to decrypt the encrypted password that we got from the .pcf file. To do this, visit this website, enter the encrypted password from the enc_GroupPwd field in the text box and click decode. The website will decode the password and output the decrypted password in clear form. Make note of this decrypted password, as we’ll need it later on.
Now, open the Network config panel from the System Preferences application.

Click on the + sign to add a new network connection, select VPN as the Interface and Cisco IPSec as the VPN Type, and press Create.
Now, fill in the details that you collected earlier from the .pcf file.
The Server Address comes from the Host parameter we looked at earlier. The Account Name is the username you use to connect to the VPN, and Password is the password you use to connect to the VPN. If you use a dongle provided by RSA or some other company that generates a new password each time you log in, leave this field blank.

Now, click on the Authentication Settings button and, in the Shared Secret text box, enter the decrypted password that you got earlier. Enter the text from the GroupName field we looked at earlier in the Group Name text box. Click on the OK button and you’re all set.

Apply the settings and click Connect to get online and connect to your company’s VPN server.
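To take the guesswork out of the .pcf step, here is an added example (not code from the post) that parses a constructed .pcf profile and maps the three fields above onto the labels of the Cisco IPSec dialog, flagging anything missing. It assumes the usual [main] section layout and that enc_GroupPwd= is hex-encoded; a plaintext GroupPwd= is also handled, and the decoding of enc_GroupPwd= itself is left to the decoder step described above.

```python
import configparser
import ipaddress
import re

# Constructed sample of a Cisco VPN client profile (.pcf); all values are made up.
SAMPLE_PCF = """[main]
Description=Example corporate VPN
Host=203.0.113.10
GroupName=example-group
enc_GroupPwd=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
Username=jdoe
"""

# .pcf keys (ConfigParser lower-cases them) -> labels in the Cisco IPSec dialog.
FIELD_MAP = {"host": "Server Address", "groupname": "Group Name", "username": "Account Name"}
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+")
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")  # assumption: enc_GroupPwd is hex-encoded

def parse_pcf(text):
    # Returns (settings to type into the dialog, list of problems found).
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if "main" not in cp:
        raise ValueError("no [main] section: not a Cisco .pcf profile")
    main = cp["main"]
    settings, problems = {}, []
    for key, label in FIELD_MAP.items():
        if main.get(key):
            settings[label] = main[key].strip()
        elif key != "username":  # the account name is typed in by hand anyway
            problems.append("missing %s=" % key)
    host = settings.get("Server Address")
    if host:
        try:
            ipaddress.ip_address(host)  # the post shows a dotted-quad Host=
        except ValueError:
            if not HOSTNAME_RE.fullmatch(host):
                problems.append("Host= is neither an IP address nor a hostname")
    # Shared Secret: plaintext GroupPwd= is usable as-is; enc_GroupPwd= must be decoded first.
    if main.get("grouppwd"):
        settings["Shared Secret"] = main["grouppwd"].strip()
    elif main.get("enc_grouppwd"):
        enc = main["enc_grouppwd"].strip()
        settings["Shared Secret (encoded)"] = enc
        if not HEX_RE.fullmatch(enc):
            problems.append("enc_GroupPwd= is not an even-length hex string")
    else:
        problems.append("no GroupPwd= or enc_GroupPwd= in [main]")
    return settings, problems
```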
About: Sharninder: Programmer, blogger and a geek making a living shifting bits around the Internet. Sharninder is the owner of Geeky Ninja.
I’m a network tech for a medium-sized healthcare company. A few of our doctors have recently gotten Macs, and we are trying to set up the VPN client for them (our network is Windows based). The Cisco VPN client we have uses group authentication. We were able to set it up on one of the Doc’s machines (he’s running regular Leopard) but we can’t get it to work on Snow Leopard. I followed the instructions on this page, using the VPN password as the shared secret, put in the group name, and have the connection type right (yes, I do have the Cisco VPN software installed), but it’s still not working. Any suggestions?
Sarah,
I’m not quite sure why this isn’t working for you, since I use a similar setup and everything works for me. There may be something different about your setup that Snow Leopard doesn’t handle yet. Since the support is built into Snow Leopard, I think you should be able to get support from Apple for this?
Or see if Cisco has a newer version of their client out. That might work for you. There are a couple of third-party Cisco clients also available for OS X, so you might want to give them a look too.
I have 10.6 as well and have never gotten this to work. I can get it to work with Cisco’s client, but on the client that comes with either the iPhone or the Mac it says, “Enter your user authentication” with no place to enter it. After clicking OK it says, “The negotiation with the VPN server failed. Verify the server address and try reconnecting.” In the PIX log I find that a user and password never traverse, so it’s not authenticating.
I’m not sure what problem you’re facing. Did you try following the steps I’ve mentioned to the ‘T’? I’ve always connected to my work VPN with this method and never needed to use the official Cisco client.
Caleb…I’m having the exact same issue you described, both with Snow Leopard and iPhone clients. I can connect using the Cisco VPN client software. From what I can tell, the ACS never even receives the authentication request — there’s nothing listed in the logs as access approved or denied.
If I find a solution I’ll swing back and post it.
Caleb… We were experiencing the exact same symptoms, but resolved the issue by upgrading our PIX IOS to 7.2.4. This also resolved the VPN issue for iPhones. Cisco says the following about the iPhone VPN but the same holds true for the built-in VPN in Snow Leopard:
Aah ! This explains it all. Looks like a Cisco bug and the box at my work was probably already on the latest firmware revision and so everything worked fine for me.
Thanks for digging out the solution Brian and posting it here.
Getting the same error as Brian H with Snow Leopard 10.6.3 connecting to a Cisco VPN on a Cisco 1721 running version “Cisco Internetwork Operating System Software IOS ™ C1700 Software (C1700-K9O3SY7-M), Version 12.3(22), RELEASE SOFTWARE (fc2)”.
The Cisco VPN client works fine but not the native Mac OS X one. As the admin of the VPN server, I checked the log with the command “show log history” and found this message with my client IP in it:
entry number 28 : CRYPTO-4-IKMP_NO_SA
IKE message from xxx.xxx.xxx.229 has no SA and is not an initialization offer
I found information relating to this bug on the following Cisco web site: http://www9.cisco.com/en/US/docs/ios/12_2/sem1/system/message/emfcpad.html
Error Message: %CRYPTO-4-IKMP_NO_SA : IKE message from [IP_address] has no SA and is not an initialization offer
Explanation: IKE maintains the current state for a communication in the form of security associations. No security association exists for the specified packet, and it is not an initial offer from the peer to establish one. This situation could indicate a denial-of-service attack.
Recommended Action: Contact the remote peer and the administrator of the remote peer.
I will schedule an IOS upgrade, but the Cisco CCO Bug Toolkit (http://tools.cisco.com/Support/BugToolKit/) (CCO account required) has no listing of any bugs specific to the Mac client, so in-depth research/testing would be required to point the finger in the right direction.
-John