Configuring the built-in Cisco IPSec VPN client in Snow Leopard and iPhone


Here's how to configure Snow Leopard (and iPhone) to use an enterprise Cisco VPN concentrator, which is what you connect to from the internet when you want to virtually join a company's or school's LAN.

On the Mac, open System Preferences --> Network --> click the plus sign (Create a new service) and choose VPN as the interface. On the iPhone, choose Settings --> General --> Network --> VPN --> Add VPN Configuration. In both cases, choose Cisco IPSec as the VPN type and supply a service name as the description (an arbitrary name for the connection, whatever makes sense to you).

The rest of the necessary information comes from reading a configuration file (profile file) used by the traditional Cisco VPN client. These files have a .pcf extension. An organization usually distributes them as part of the Cisco VPN client installer, in a folder called Profiles, but sometimes they are distributed on their own for users of other Cisco-compatible VPN clients.

If the .pcf has already been installed on your Mac, you can find the containing directory here: /private/etc/opt/cisco-vpnclient/Profiles/ — which you can see in the Finder by selecting Go --> Go to Folder... --> and entering that full path above.

Not all the fields in the Mac or iPhone configuration windows are needed. Certificates, for example, are uncommon in this group-password style of setup and can be left blank. You also need not save your password in the configuration: leave the field empty and you will be prompted for it each time you connect.

Open the .pcf file in any text editor. You will see rows of option=value lines; these are what you enter in the Mac or iPhone network preferences. For example, the Server Address field takes the Host value from the .pcf file.

Back at System Preferences --> Network --> VPN, click the Authentication Settings button. Two settings here matter: the Group Name and the Shared Secret. The Group Name is the value on the GroupName line of the configuration file. The Shared Secret (also called the Group Password) is the last value needed to make the connection, and it takes a little more work to recover.

Cisco IPSec clients authenticate in two stages when connecting you to the organization's network (called SUNet here at Stanford). The first is very weak: the group name and Shared Secret form a pre-shared key that every user in the group holds and that ships inside the .pcf file. The second is strong: your own username and password, which the concentrator asks for (via XAUTH) only after the group authentication succeeds.

In the .pcf file, this is the value on the enc_GroupPwd line. It looks like an encrypted string, a long run of letters and numbers (hex digits). Because it is encoded, you cannot paste it as-is into the Shared Secret field; the field needs the plaintext group password.

I can't tell you what that string decrypts to for your site, but the encoding is a documented, reversible scheme, and it is simple enough to use a search engine like Google to find a website that decrypts Cisco group passwords: you enter the long string, click a button, and it spits out the passphrase. That passphrase is what you enter in the Mac or iPhone's Shared Secret field. Keep in mind that pasting the string into a third-party website hands that site your organization's group password; an offline tool such as cisco-decrypt, which ships with the open-source vpnc client, does the same job locally.

What will this Shared Secret get you? Remember, it is only one of the two stages necessary to connect, and anyone holding a copy of the .pcf file can recover it, so treat it as effectively public. The other stage, your username and password, is the real credential. That should never be disclosed, shared or mismanaged.
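As an added example (not part of the original post, and not Cisco's or Apple's code), the following Go program does offline what the post describes: it parses a constructed .pcf profile, pulls out the Host, GroupName and enc_GroupPwd values, and turns enc_GroupPwd back into the plaintext Shared Secret. The decoder follows the scheme implemented by the open-source cisco-decrypt tool from the vpnc project: the hex value is a 20-byte salt, then a SHA-1 of the ciphertext, then 3DES-CBC ciphertext, with the 3DES key derived from the salt by SHA-1. The host name, group name, secret and the profile text are constructed for this example; the enc_GroupPwd value is generated by the encoder in the same block rather than taken from any real profile, so treat the key-schedule details as the editor's reconstruction and verify them against a real .pcf before relying on them.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed values for the sample profile (hypothetical host and group, not a real site).
const sampleHost = "vpn.example.edu"
const sampleGroup = "example-group"
const sampleSecret = "ExampleGroupSecret"

// ParsePCF extracts the key=value lines of a .pcf profile; the [main] section
// header and blank lines are skipped.
func ParsePCF(text string) map[string]string {
	fields := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "[") {
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			continue
		}
		fields[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
	}
	return fields
}

// deriveKeyIV reproduces the cisco-decrypt key schedule (editor's reconstruction):
// 3DES key = SHA1(h1 with last byte +1) || first 4 bytes of SHA1(h1 with last byte +3),
// CBC IV = first 8 bytes of h1, where h1 is the 20-byte salt leading the value.
func deriveKeyIV(h1 []byte) (key, iv []byte) {
	h2 := append([]byte(nil), h1...)
	h2[19]++
	h3 := append([]byte(nil), h1...)
	h3[19] += 3
	a := sha1.Sum(h2)
	b := sha1.Sum(h3)
	key = append(a[:], b[:4]...)
	return key, h1[:8]
}

// DecodeGroupPwd turns an enc_GroupPwd hex string into the plaintext Shared Secret.
// Layout: h1 (20 bytes) || SHA1(ciphertext) (20 bytes) || 3DES-CBC ciphertext (PKCS#5 padded).
func DecodeGroupPwd(encHex string) (string, error) {
	raw, err := hex.DecodeString(encHex)
	if err != nil {
		return "", err
	}
	if len(raw) < 48 || (len(raw)-40)%des.BlockSize != 0 {
		return "", errors.New("malformed enc_GroupPwd: bad length")
	}
	h1, h4, ct := raw[:20], raw[20:40], raw[40:]
	if sum := sha1.Sum(ct); !bytes.Equal(sum[:], h4) {
		return "", errors.New("integrity hash mismatch: ciphertext altered or mis-copied")
	}
	key, iv := deriveKeyIV(h1)
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > des.BlockSize || pad > len(pt) {
		return "", errors.New("bad padding: wrong salt or key")
	}
	return string(pt[:len(pt)-pad]), nil
}

// EncodeGroupPwd is the inverse; it exists here only to build the constructed sample.
func EncodeGroupPwd(secret string, h1 []byte) (string, error) {
	if len(h1) != 20 {
		return "", errors.New("h1 must be 20 bytes")
	}
	key, iv := deriveKeyIV(h1)
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	pad := des.BlockSize - len(secret)%des.BlockSize
	pt := append([]byte(secret), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	h4 := sha1.Sum(ct)
	out := append(append(append([]byte(nil), h1...), h4[:]...), ct...)
	return strings.ToUpper(hex.EncodeToString(out)), nil
}

// SamplePCF builds a constructed profile of the kind the post describes.
func SamplePCF() string {
	h1 := bytes.Repeat([]byte{0x42}, 20) // fixed salt so the sample is reproducible
	enc, _ := EncodeGroupPwd(sampleSecret, h1)
	return fmt.Sprintf("[main]\nDescription=Example profile\nHost=%s\nAuthType=1\nGroupName=%s\nenc_GroupPwd=%s\n",
		sampleHost, sampleGroup, enc)
}

func main() {
	f := ParsePCF(SamplePCF())
	secret, err := DecodeGroupPwd(f["enc_GroupPwd"])
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("Server Address: %s\nGroup Name:     %s\nShared Secret:  %s\n", f["Host"], f["GroupName"], secret)
}
```

Run it with go run and it prints the three values the Authentication Settings fields need. A copy error in the ciphertext part of the value is caught by the hash check; an error in the leading salt shows up instead as garbage output or a padding failure, so double-check the whole string before blaming the concentrator.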

10 Comments

I tried this method with the .pcf file for Stanford_Public_VPN and SoM_VPN for iPhone 3GS running OS 3.1.3. It responds with error: The VPN server did not respond. Is there a workaround for this? Thanks.

Hi Noah. Thanks for the tips, do you know if this will work with the iPad as well?
inkasso

Great, I was just looking for how to connect my iPhone to a VPN. I did not find such complete information in French (I am from France). I have not succeeded yet, but I think I'm on the right track. Thank you!

For some reason I can't seem to get it past this step: Open System Preferences --> Network --> click the plus sign (Create a new service). On the iPhone, choose Settings --> General --> Network --> VPN --> Add VPN Configuration
This option is grayed out, so I can't access it. Oh well, I'll keep trying. Thanks for sharing this, by the way.
Laila,
Plagiarism Checker

It works with iPad, I tried it myself.

Pablo's Fotolog

I am stuck here:
Open System Preferences --> Network --> click the plus sign (Create a new service)

Please help...

Ok.

I think I got it ...

I deleted any VPN settings I have and Add a new one under "VPN Configuration"

Thanks for the tips.

Steve
Dish Network

About this Entry

This page contains a single entry by Noah Abrahamson published on August 27, 2009 10:53 AM.
