
Configuring the built-in Cisco IPSec VPN client in Snow Leopard and iPhone

Here's how to configure Snow Leopard (and the iPhone) to use an enterprise Cisco VPN concentrator, the device you connect to from the internet when you want to virtually join a company's or school's LAN.

Open System Preferences --> Network --> click the plus sign (Create a new service). On the iPhone, choose Settings --> General --> Network --> VPN --> Add VPN Configuration. On the Mac, choose VPN as the interface. Choose Cisco IPSec as the VPN type, and supply a service name as a description (an arbitrary name for the connection, whatever makes sense to you).

The rest of the necessary information comes from reading the configuration file (or profile file) used by the standard Cisco VPN client. These files have a .pcf extension and are usually distributed by an organization as part of the Cisco VPN client installer, typically in a folder called Profiles, but sometimes they are distributed on their own for users of other Cisco-compatible VPN clients.

If the .pcf has already been installed on your Mac, you can find the containing directory at /private/etc/opt/cisco-vpnclient/Profiles/, which you can open in the Finder by selecting Go --> Go to Folder... and entering that full path.

Not all the values in the Mac or iPhone configuration windows are needed. Certificates, for example, are not common in these setups and can be left blank. Passwords need not be entered and saved; instead, they can be typed in whenever a connection is made.

Open the .pcf file in any text editor. You will see rows of options and values; these are what you will enter in the Mac or iPhone network preferences. For example, your organization's server address is the Host value in the .pcf file.

Back in System Preferences --> Network --> VPN, click the Authentication Settings button. Two settings are required here: the Group Name and the Shared Secret. The Group Name is the value on the GroupName line of the configuration file. The Shared Secret (sometimes called the Group Password) is the final field needed to make the VPN connection.

Cisco VPN clients use two factors to authenticate users to your LAN (called SUNet here at Stanford). One is very weak: the Shared Secret, which every user of the group holds. The other is strong: your own username and password.

In the .pcf file, the Shared Secret is the value on the enc_GroupPwd line. You'll notice it looks like an encrypted string, a long run of letters and numbers. Because it is stored in that encoded form, you cannot cut and paste it into the System Preferences field.

I can't tell you what that string is or what it decrypts to, but it's simple enough to use a search engine like Google to find a website that decrypts Cisco group passwords. You enter the long string, click a button and it spits out the passphrase. It's that passphrase that you enter in the Mac or iPhone's Shared Secret field.

What will this Shared Secret get you? Remember, it's only one of the two factors needed to connect. The other, of course, is your username and password, which should never be disclosed, shared or mismanaged.
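As an added example (not part of the original post, and not Cisco's own tooling), the following Python script reads a .pcf profile and pulls out exactly the values the steps above ask you to transcribe (Host for the server address, GroupName for the Group Name), while flagging what the file says about the two authentication factors: whether the group secret is present in clear (GroupPwd) or in its reversible obfuscated form (enc_GroupPwd), and whether the user's password has been cached. The sample profile is constructed; the AuthType and SaveUserPassword keys are standard .pcf fields that the post itself does not mention.

```python
import configparser
from dataclasses import dataclass, field

# Constructed sample .pcf profile, not taken from any real organisation.
# Real profiles use the same [main] section and key names.
SAMPLE_PCF = """\
[main]
Description=Campus VPN (constructed sample)
Host=vpn.example.edu
AuthType=1
GroupName=campus-users
enc_GroupPwd=00DEADBEEF0123456789ABCDEF
Username=
SaveUserPassword=0
"""

@dataclass
class VpnProfile:
    server: str        # goes in the Mac/iPhone "Server Address" field
    group_name: str    # goes in "Group Name" under Authentication Settings
    description: str   # a reasonable service name for the connection
    findings: list = field(default_factory=list)

def parse_pcf(text: str) -> VpnProfile:
    """Map a Cisco .pcf profile onto the built-in IPSec client's fields and
    record anything about the stored credentials a reviewer should know."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key case so enc_GroupPwd is matched exactly
    cfg.read_string(text)
    if "main" not in cfg:
        raise ValueError("not a .pcf profile: missing [main] section")
    main = cfg["main"]
    profile = VpnProfile(
        server=main.get("Host", "").strip(),
        group_name=main.get("GroupName", "").strip(),
        description=main.get("Description", "").strip(),
    )
    if not profile.server or not profile.group_name:
        profile.findings.append("Host or GroupName missing: the connection cannot be set up from this file")
    if main.get("GroupPwd", "").strip():
        profile.findings.append("GroupPwd stored in clear text")
    elif main.get("enc_GroupPwd", "").strip():
        profile.findings.append("enc_GroupPwd present: the group secret is only obfuscated, treat it as a weak shared factor")
    else:
        profile.findings.append("no group password in file: obtain the Shared Secret from the VPN administrator")
    if main.get("SaveUserPassword", "0").strip() == "1":
        profile.findings.append("SaveUserPassword=1: the user's password (the strong factor) is cached in this file")
    return profile
```

Run it against a real profile with `parse_pcf(open(path).read())`; a finding about enc_GroupPwd is expected for nearly every organisation's file, while a SaveUserPassword finding is the one worth acting on.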


Comments (10)

I tried this method with the .pcf file for Stanford_Public_VPN and SoM_VPN for an iPhone 3GS running OS 3.1.3. It responds with the error: The VPN server did not respond. Is there a workaround for this? Thanks.

Noah Abrahamson:

Hi there, William. You'll want to submit a HelpSU ticket for assistance. I've confirmed this configuration process works for Stanford_Public_VPN, but there's a known issue with our campus VPN configuration when accessed over AT&T's network. WiFi is fine, including outside of campus. I don't know about the School of Medicine's VPN settings.

Tom:

Hi Noah. Thanks for the tips. Do you know if this will work with the iPad as well?

Noah Abrahamson:

I don't have an iPad myself, but I would expect the instructions to be the same for all iOS devices.

Great, I was just looking for how to connect my iPhone with a VPN. I did not find such complete information in French (I'm from France). I have not succeeded yet, but I think I'm on the right track. Thank you!

For some reason I can't seem to get past this step: Open System Preferences --> Network --> click the plus sign (Create a new service). On the iPhone, choose Settings --> General --> Network --> VPN --> Add VPN Configuration.
This option is grayed out, so I can't access it. Oh well, I'll keep trying. Thanks for sharing this, by the way.
Laila

It works with the iPad, I tried it myself.

I am stuck here:
Open System Preferences --> Network --> click the plus sign (Create a new service)

Please help...

Ok.

I think I got it ...

I deleted any VPN settings I had and added a new one under "VPN Configuration".

Thanks for the tips.

Steve



About

This page contains a single entry from the blog posted on August 27, 2009 10:53 AM.


This weblog is licensed under a Creative Commons License.