UPDATE! – Now that I have Lion, I can verify that the following works with Lion as well.
Excitingly, Snow Leopard came with out-of-the-box support for Cisco IPsec VPN, which is what a lot of companies use.
The problem came when I tried to connect to the VPN at work. We were using the Cisco VPN client before but it was a nightmare to keep working all the time and the lack of any good error messages made debugging the connection near impossible.
So I took some time to figure out how to get the .pcf file that was given to me by the Network Admin to work with Snow Leopard.
You’d think that you could just add the .pcf file to your Keychain Access application and have it pull the information from there, but you’d be wrong. It couldn’t possibly be that easy. So we have to do the following instead.
- Make a VPN connection in your Network Preferences pane. Be sure to choose “Cisco IPsec” for the VPN Type.

- Enter your VPN server and credentials into the VPN Network Preferences. This will be your VPN username and password that your Network Admin gave you.

- Open the .pcf file in a text editor. Copy the text from the ‘enc_GroupPwd’ field, paste it into the form on this web site: http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode and click ‘decode!’. Select and copy the text next to ‘clear:’ and go to the next step.
(Note: if there isn’t anything in ‘enc_GroupPwd’ but there is something in ‘GroupPwd’, then you can skip this step. Just copy the text from ‘GroupPwd’.)

- Go back to the Network Preferences panel and click on the “Authentication Settings…” button. You’ll get a dialog that looks like this:

- Paste the text you copied from the decoding web site (or the ‘GroupPwd’ field of the .pcf file if you had that instead) into the ‘Shared Secret’ text box.
- Copy+Paste the text from the ‘GroupName’ field of the .pcf file into the ‘Group Name’ text box and click ‘OK’.
- Now you can try it out by clicking the ‘Connect’ button (and click ‘Apply’ if it asks, which it probably will).
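
As an added example (not part of the original post), the Python below reads a .pcf profile and reports which value goes into each field of the Cisco IPsec dialog, including which of the ‘GroupPwd’ / ‘enc_GroupPwd’ cases from the note applies. The sample profile is constructed, and treating the profile’s ‘Host’ field as the server address is an assumption, since the steps above do not name it.

```python
import configparser

# Constructed sample profile: every value is a placeholder, not a real VPN.
SAMPLE_PCF = """\
[main]
Description=Constructed example
Host=vpn.example.com
GroupName=example-group
GroupPwd=
enc_GroupPwd=00112233445566778899AABBCCDDEEFF
!TunnelingMode=1
TcpTunnelingPort=10000
"""

def read_main(text):
    """Return the [main] section as a dict keyed by lower-cased field name."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    for name in parser.sections():
        if name.lower() == "main":
            # The Cisco client allows a leading "!" (read-only marker) on a name.
            return {k.lstrip("!"): v.strip() for k, v in parser[name].items()}
    raise ValueError("no [main] section: not a .pcf profile?")

def plan(text):
    """Map .pcf fields onto the Cisco IPsec dialog fields named in the steps."""
    main = read_main(text)
    clear, enc = main.get("grouppwd", ""), main.get("enc_grouppwd", "")
    if clear:
        secret = ("GroupPwd", "paste as-is into Shared Secret")
    elif enc:
        secret = ("enc_GroupPwd", "decode first, then paste into Shared Secret")
    else:
        secret = (None, "no group password in this profile")
    return {
        # Assumption: Host is the profile field holding the VPN server.
        "Server Address": main.get("host", ""),
        "Group Name": main.get("groupname", ""),
        "Shared Secret source": secret[0],
        "Shared Secret action": secret[1],
        # Tunneling settings are only reported, to raise with the admin.
        "tunneling": {k: main[k] for k in
                      ("enablenat", "tunnelingmode", "tcptunnelingport") if k in main},
    }

if __name__ == "__main__":
    for field, value in plan(SAMPLE_PCF).items():
        print(f"{field}: {value}")
```
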
Hopefully it all worked out. If not, there are quite a few things that could go wrong. You could be entering login credentials other than your VPN ones (typically, they are different from your workstation login credentials). The .pcf file could be old. Etc, etc.
The best way to clear up any errors is to have a chat with your Network Admin and verify that you are using the right credentials and the .pcf file is the latest.
Anyway, hope that helped someone. Let me know if there were any problems.





hugely helpful. thank you for posting this info.
Thank you! I have been searching for a solution to this problem for ages.
Awesome! Thanks so much for this solution! Worked the first time! :D
And, I’m running OS X Lion 10.7 as well!
Worked like a charm. Thanks mate.
Thanks, man! Works great on Lion.
thx
Any idea what to do if there is no enc_GroupPwd or GroupPwd set in the file?
I assume that it means that you don’t have to fill in that field. I’ve never seen it blank before, but I suppose it’s possible.
Hey, thanks for sharing. This tool saved my day when figuring out what the heck was wrong with my non-native cisco clients.
Super, thanks.
Thanks! Good blog. I will introduce it to my friends.
I’ve been trying to get this working, but keep getting an odd prompt to “Enter your user authentication”. I’ve entered all of the data fields, but what seems more strange is that while it’s telling me to enter that data, the prompt itself offers no way to do so. Only “Cancel” and “OK” buttons.
Has anyone else seen this?
Depending on how the VPN is set up, you may not be able to save your user password, so it will prompt you. This is how my current employer has it set up. I’ve never seen it where the prompt did not have a spot for your password though. Weird.
Sadly OS X Lion still doesn’t support certificate-based authentication.
Ah well. Back to using SOCKS and what not.
Just tested on Lion with multi-factor auth. Works great!
Thanks for sharing, setting up the connection works like a charm, but then Safari does not load any pages. Any ideas on how to fix this?
That just means that the network you are connecting to does not allow internet access (or just internet access to the sites you are trying to get to.) What you can do is use a SOCKS proxy to keep your internet through your internet connection. I explained this in a previous comment. Good luck.
Same is happening with me – where it is prompting for user authentication but no window to enter credentials shows. Just an OK or Cancel button. Anybody find a fix to this?
I followed these instructions and I am able to connect to our VPN (and the connection timer in the menu bar increments). However, I can’t seem to access any of our internal websites (which I was able to access when using VPNClient on OSX).
Any ideas why I can’t seem to access internal URLs? Does it have anything to do with tunneling settings in the PCF file:
EnableNat=1
TunnelingMode=1
TcpTunnelingPort=10000
Any help would be great, thanks!
Ask your Admin if there are any proxy settings that would’ve been automatically setup by the VPNClient that you would have to manually enter into the OS X VPN settings.
Any idea if this would work with certificate based authentication on Lion?
I am having trouble getting the in-built client authentication settings to recognize the .cer file, although the .cer is in Keychain Access. It says I don’t have any certificates.
Any suggestion/ideas would be much appreciated.
FYI, my IT dept. does not support Macs. :(
Thanks.
Sorry, I don’t have any experience with utilizing certificates in the VPN connection. I’ve never been anywhere that used it. It sounds like you’re doing it right though. Maybe you can connect with a certificate OR a shared secret. Ask your IT department if that’s available.
Thanks for sharing these experience & very pleasurably for solving this problem.
YESS!! Big help!!
Awesome! Thanks for this.
This is really helpful! AWESOME!
Any clues as to where I can find the .pcf file to extract the info I need?
Usually you will receive it from your Network Administrator when they send you your VPN credentials.
You just made my day ! THANK YOU SO MUCH ! very very helpful and works perfectly
in DOS, go to the root of your c: and then type ‘dir /w/s *.pcf’ without the quotes to search your hdd for the pcf file. Then, ‘cd’ to that folder, and type ‘more ‘ to show the contents of the file.
Great info – I think more and more people will be turning to VPN to ward off Facebook and Google!
Very good!!!! Me helped lot!!!
Hi, came across this the other day and has helped me out loads – thanks very much!
Thanks a lot!
Hi-
Sorry if this sounds ignorant, but I have no idea where the .pcf file would be. I’ve googled around, and haven’t found the answer. Thanks,
You could open Terminal and use this to find it:
sudo find / -name '*.pcf'
This worked perfectly. Thanks.
Holly, you can probably find the .pcf file in c:\program files\cisco systems\profiles (or somewhere similar), on Windows.
Thanks! Saved my ass.
Great help, thank you a ton
Thanks a bunch. This was very helpful!
THANK YOU!!! You seriously saved me a half day of trial and error.
Works on Mountain Lion also
Thanks! I’ll update the title :)
Awesome! Worked great… Thanks for sharing
Thanks so much ! I had been struggling to find a solution. My network admin did not provide support for mac
Works great