Excitingly, Snow Leopard came out of the box with support for Cisco IPsec VPN, which is what a lot of companies use.
The problem came when I tried to connect to the VPN at work. We were using the Cisco VPN client before, but it was a nightmare to keep working all the time, and the lack of any good error messages made debugging the connection near impossible.
So I took some time to figure out how to use the .pcf file that the Network Admin gave me with Snow Leopard’s built-in client.
You’d think that you could just add the .pcf file to your Keychain Access application and have it pull the information from there, but you’d be wrong. It couldn’t possibly be that easy. So we have to do the following instead.
1. Make a VPN connection in your Network Preferences pane. Be sure to choose “Cisco IPsec” for the VPN Type.

2. Enter your VPN server and credentials into the VPN Network Preferences. This will be the VPN username and password that your Network Admin gave you.

3. Open the .pcf file in a text editor. Copy the text from the ‘enc_GroupPwd’ field, paste it into the form on this web site: http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode and click ‘decode!’. Select and copy the text next to ‘clear:’ and go to the next step.
   (Note: if there isn’t anything in ‘enc_GroupPwd’ but there is something in ‘GroupPwd’, then you can skip this step. Just copy the text from ‘GroupPwd’.)

4. Go back to the Network Preferences panel and click on the “Authentication Settings…” button. You’ll get a dialog that looks like this:
   [screenshot: Authentication Settings dialog]

5. Paste the text you copied from the decoding web site (or the ‘GroupPwd’ field of the .pcf file if you had that instead) into the ‘Shared Secret’ text box.

6. Copy and paste the text from the ‘GroupName’ field of the .pcf file into the ‘Group Name’ text box and click ‘OK’.

7. Now you can try it out by clicking the ‘Connect’ button (and click ‘Apply’ if it asks, which it probably will).
Hopefully it all worked out. If not, there are quite a few things that could go wrong. You could be entering some login credentials other than your VPN ones (typically, they are different from your workstation login credentials). The .pcf file could be old. Etc., etc.
The best way to clear up any errors is to have a chat with your Network Admin and verify that you are using the right credentials and that the .pcf file is the latest.
Anyway, hope that helped someone. Let me know if there were any problems.
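Since every field you type into Network Preferences comes out of the .pcf file, here is a small helper that pulls them out and flags the settings the steps above do not cover (a non-default TcpTunnelingPort, NTDomain, EnableMSLogin, which come up in the comments). This is an added example, not code from the post; it assumes the INI-style `[main]` section that .pcf profiles use, and the sample profile is constructed. It only checks that enc_GroupPwd is well-formed hex; it does not decode it and sends nothing anywhere.

```python
import configparser

# Constructed sample profile (not a real company's .pcf); key names follow the post.
SAMPLE_PCF = """\
[main]
Host=vpn.example.com
GroupName=corp-users
enc_GroupPwd=0123456789ABCDEF0123456789ABCDEF
TcpTunnelingPort=10000
NTDomain=CORP
EnableMSLogin=1
"""

DEFAULT_TCP_TUNNEL_PORT = 10000  # the default mentioned in the comments


def pcf_to_vpn_settings(text):
    """Map a .pcf profile onto the Server Address, Group Name and Shared Secret fields.

    Assumes an INI-style [main] section (an assumption, not stated by the post).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        raise ValueError("not a parseable .pcf profile: %s" % exc)
    if not cp.has_section("main"):
        raise ValueError("no [main] section: not a Cisco .pcf profile")
    main = cp["main"]  # ConfigParser lower-cases option names, so look up in lower case
    enc = main.get("enc_grouppwd", "").strip() or None
    if enc is not None:
        try:
            bytes.fromhex(enc)  # well-formedness only; the blob is not decoded here
        except ValueError:
            raise ValueError("enc_GroupPwd is not a hex string; the profile is probably damaged")
    settings = {
        "server_address": main.get("host", "").strip(),          # Server Address field
        "group_name": main.get("groupname", "").strip(),         # Group Name field
        "shared_secret": main.get("grouppwd", "").strip() or None,  # Shared Secret, if GroupPwd is plain
        "enc_group_pwd": enc,  # still has to be decoded before it can go into Shared Secret
        "notes": [],
    }
    port = main.get("tcptunnelingport", "").strip()
    if port and int(port) != DEFAULT_TCP_TUNNEL_PORT:
        settings["notes"].append("TcpTunnelingPort=%s is not the default; the steps do not cover a custom port" % port)
    domain = main.get("ntdomain", "").strip()
    if domain:
        settings["notes"].append("NTDomain=%s is set but has no field; try the username with and without it" % domain)
    if main.get("enablemslogin", "").strip() == "1":
        settings["notes"].append("EnableMSLogin=1 is set; the built-in client shows no matching option")
    return settings
```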

Thanks — this was super helpful! Are there any security issues with using the link you posted to decode the group password?
I don’t think so. Cisco’s encryption algorithms aren’t terribly robust and have been out there for a while…
Thanks so much, this saved me so much time! Works perfectly.
Right… I’m just wondering if someone could steal the password that I entered into that form and hack into the VPN with it? Or would they need more info than just the group password?
Ah! I see what you mean. They would certainly need the group name and the server and your login and your password, but other than that, yes, they could save it and use it.
Seriously, I wouldn’t worry about it.
Thank you! The link to the group key decipher is crucial. This is really a very valuable post. Thanks again!
OK, thanks! Really, this post is awesome. I spread the word and a lot of my colleagues are going to use this as well!
KMT – glad to help :o)
Wonderful! Works perfectly for me (PIX + RSA token).
Thank you very much/thanks a lot!
Great stuff! Thanks!
Thank you, this helped me a lot.
flying_gramma (Flying gramma) // Sep 15, 2009 at 8:49 pm
http://tinyurl.com/lvr5lu
How To: Cisco VPN with Snow Leopard via .pcf File
Thanks! Great job.
For those with an RSA SecurID key fob, you don’t have to enter a password. Just enter your user ID or account name. When you connect, the server will ask for your password and you will enter your PIN and your RSA SecurID code.
So I tried it, and voila, it works here at the University of Washington.
What if the .pcf file has TcpTunnelingPort set to something other than the default of 10000? Can the Snow Leopard built-in VPN software handle that? I tried entering [ip addr]:[port] in the _Server Address_ field, but OS X does not like that.
Sorry about the repost, my content between less-than and greater-than signs was automatically removed.
I had the decode and tried this before. When all is entered correctly, it cycles on asking for username and password as if the password was incorrectly entered.
If I put a bogus GroupPWD in, it flags the bad GroupPWD as incorrect.
In our environment the EnableMSLogin=1 is set. I suspect that this is the problem as it would likely not naturally encrypt using some proprietary MS encryption but rather something standard. Unfortunately there is no option for using this encryption method exposed by the interface and I suspect we must hack some config file hidden in the system somewhere. Now on a conf file hack-hunt…
My company’s settings are the same, and it works fine for me.
It’s probably that your username or password is incorrect. =) Try your username with/without the domain.
I have a problem with VPN on OS X Snow Leopard.
I have a personal certificate only and the address of the server; no user, group name or password.
Cisco VPN for Mac OS X doesn’t work.
Any advice, please?
In that case, you just need to tick the “Certificate” option in step 4. Your company is not using a group / shared secret. (certs are a PITA, but arguably more secure)
Thanks a lot !
… after 2 hours on Google, here is the solution!
In step 2 of your posting “How To: Cisco VPN with Snow Leopard via .pcf File” it states “Enter your VPN server and credentials into the VPN Network Preferences.” However, I do not know my server address and cannot get it from my employer. Is there another way for me to obtain it?
It will be whatever comes after “Host=” in the .pcf file.
Thanks! This was *so* useful. Got onto OS X 10.6, couldn’t use the VPN, couldn’t read the pcf file … and now after finding your posting I am happily working on the network again.
Outstanding!! Thanks for the walkthrough, got me connected right away!!!
Whoo Hoo! With these instructions, I was able to do what my corp network admin mgr couldn’t do. Granted he’s not a “mac guy”, but come on…
I didn’t know the IP address off the top of my head, but it, too, is in the .pcf file! Thanks for publishing. Your solution was high on my Google search for “snow leopard vpn”. Great help!
Thanks a lot!!! It worked.
Superb. Thank you a lot. I would never have thought that decoding the group PW was the way to go!
Looks like your images are gone.
I see the images on my iPhone. It’s just GE’s firewall preventing them from showing up.
Thanks for posting these instructions.
interesting behavior for the firewall. the content made it through but the images got killed? from the same domain? oh, well. GE’s admins should know this stuff already :)
Here’s an embarrassing question: so now that I’ve connected to another server… what do I do?
I see the green dot and the connection is running fine.
But where do I go now? What application do I use? I’m supposed to change some settings on a remote server and don’t even know where I can do that!
piroc: well, it kinda depends a lot on the systems you have. If they are Windows servers, you’d remote desktop into them, and if they are UNIX servers, you would either remote desktop or SSH into them. You should probably find a sysadmin to help you out. All the VPN does is securely connect you to an internal network so it is as if you were sitting at a computer inside that network.
I googled this and your site was at or near the top, for obvious reasons. Thanks for such helpful and useful information – made it an easy morning instead of a hard day. :-)
happy to help! glad it saved you time.
This may be too technical, but any help gratefully received. My University IT uses the Cisco VPN client, which crashes my Mac but otherwise works OK.
I have tried the built-in SL client following the excellent instructions. It correctly contacts the server, which then challenges me for my Uni ID & passwd. If I mistype the user ID, it re-prompts (it seems to recognise the user name). However, it times out no matter whether I use the right or wrong passwd. I guess it’s a setting at their end that makes it incompatible with SnoLeo IPsec. I think it is configured correctly (shared secret etc.) since if I mistype these it fails to get to the challenge step.
The Uni IT support “WINTEL” only and discourage Macs. It’s my fault for using an otherwise perfect client on a Mac.
If I can figure out the problem, they will fix it, but they won’t troubleshoot.
I attach the output from my system log:
log/system.log:Jan 2 11:55:12 monty-burns racoon[2044]: Connecting.
log/system.log:Jan 2 11:55:12 monty-burns racoon[2044]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
log/system.log:Jan 2 11:55:12 monty-burns racoon[2044]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
log/system.log:Jan 2 11:55:12 monty-burns racoon[2044]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
log/system.log:Jan 2 11:55:12 monty-burns racoon[2044]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
log/system.log:Jan 2 11:55:12 monty-burns racoon[2044]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
log/system.log:Jan 2 11:55:12 monty-burns racoon[2044]: IKE Packet: receive success. (Information message).
log/system.log:Jan 2 11:55:32 monty-burns racoon[2044]: IKE Packet: transmit success. (Mode-Config message).
log/system.log:Jan 2 11:55:32 monty-burns racoon[2044]: IKEv1 XAUTH: success. (XAUTH Status is OK).
log/system.log:Jan 2 11:55:32 monty-burns racoon[2044]: IKE Packet: transmit success. (Mode-Config message).
log/system.log:Jan 2 11:55:32 monty-burns racoon[2044]: IKEv1 Config: retransmited. (Mode-Config retransmit).
log/system.log:Jan 2 11:55:32 monty-burns racoon[2044]: IKE Packet: receive success. (MODE-Config).
log/system.log:Jan 2 11:55:32 monty-burns racoon[2044]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
log/system.log:Jan 2 11:55:32 monty-burns racoon[2044]: IKE Packet: receive success. (Information message).
log/system.log:Jan 2 11:55:35 monty-burns racoon[2044]: IKE Packet: transmit success. (Phase2 Retransmit).
log/system.log:Jan 2 11:55:41 monty-burns racoon[2044]: IKE Packet: transmit success. (Phase2 Retransmit).
log/system.log:Jan 2 11:55:47 monty-burns racoon[2044]: IKE Packet: transmit success. (Information message).
log/system.log:Jan 2 11:55:47 monty-burns racoon[2044]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
log/system.log:Jan 2 11:55:47 monty-burns racoon[2044]: Disconnecting. (Connection tried to negotiate for, 35.340420 seconds).
In case there are technical people here: we use the Cisco IPsec module on a blade in a Catalyst 6513 system.
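The racoon log above shows the negotiation sequence quite clearly (Phase 1 and XAUTH succeed, then Quick-Mode message 1 is retransmitted until the ISAKMP SA is deleted). The following added triage helper, not part of the original thread, walks racoon syslog lines in order and reports how far IKEv1 got; the sample log is constructed to mirror the lines posted above.

```python
import re

# Constructed sample modelled on the racoon lines posted in the comment (not a real capture).
SAMPLE_LOG = """\
Jan 2 11:55:12 host racoon[2044]: Connecting.
Jan 2 11:55:12 host racoon[2044]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Jan 2 11:55:12 host racoon[2044]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
Jan 2 11:55:32 host racoon[2044]: IKEv1 XAUTH: success. (XAUTH Status is OK).
Jan 2 11:55:32 host racoon[2044]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Jan 2 11:55:35 host racoon[2044]: IKE Packet: transmit success. (Phase2 Retransmit).
Jan 2 11:55:41 host racoon[2044]: IKE Packet: transmit success. (Phase2 Retransmit).
Jan 2 11:55:47 host racoon[2044]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
Jan 2 11:55:47 host racoon[2044]: Disconnecting. (Connection tried to negotiate for, 35.340420 seconds).
"""

RACOON_MSG = re.compile(r"racoon\[\d+\]: (.*)$")  # message text after the syslog prefix


def triage_racoon_log(text):
    """Walk racoon syslog lines in order and report which IKEv1 stage was reached."""
    seen = {"phase1": False, "xauth": False, "qm1_sent": False,
            "qm_reply": False, "phase2_retransmits": 0, "sa_deleted": False}
    for line in text.splitlines():
        m = RACOON_MSG.search(line)
        if not m:
            continue  # not a racoon line (other daemons share system.log)
        msg = m.group(1)
        if "IKEv1 Phase1 Initiator: success" in msg:
            seen["phase1"] = True
        elif "IKEv1 XAUTH: success" in msg:
            seen["xauth"] = True
        elif "Quick-Mode message 1" in msg:
            seen["qm1_sent"] = True
        elif "receive success" in msg and "Quick-Mode" in msg:
            seen["qm_reply"] = True  # gateway answered the Phase 2 proposal
        elif "Phase2 Retransmit" in msg:
            seen["phase2_retransmits"] += 1
        elif "Delete ISAKMP-SA" in msg:
            seen["sa_deleted"] = True
    if not seen["phase1"]:
        stage, hint = "phase1", "Phase 1 never completed: check server address, group name and shared secret"
    elif not seen["xauth"]:
        stage, hint = "xauth", "Phase 1 completed but XAUTH did not: check the VPN username and password"
    elif seen["qm1_sent"] and not seen["qm_reply"]:
        stage, hint = "phase2", ("authenticated, but the gateway never answered Quick-Mode message 1 "
                                "(%d retransmits), so no IPsec SA was built; commonly a Phase 2 "
                                "proposal or policy mismatch on the gateway" % seen["phase2_retransmits"])
    else:
        stage, hint = "ok", "Phase 1, XAUTH and Quick Mode all completed"
    seen.update(stage=stage, hint=hint)
    return seen
```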
It looks like it’s AUTHing okay, but then failing.
What version of OS X are you using?
If your system is crashing, it looks like you have different problems. I’ve never had an issue with the Cisco client. Perhaps you’re using an older version.
You can grab v4.9 here:
http://files.schnooze.com/CiscoVPN-Mac-4.9.01.0100.universal.dmg
Dude, you are awesome. That saved my day!
I am using Snow Leopard (latest updates) and Cisco VPN client 4.9.01.0180.
I get kernel panics with it whenever the VPN is live.
This is a known issue for many people.
http://eternalmedia.se/2009/09/02/cisco-vpn-causes-kernel-panic-on-mac-os-x/
It is most likely if you use IPv6 (I do because at home I have a Time Machine).
This is why I am so keen to switch to the inbuilt IPsec.
However, for some reason our VPN server does not fully authenticate the inbuilt client. Does anyone know how to fix this? (I realise by now the answer is no.) However, anyone else getting kernel panics: it’s not you, it’s Cisco.
Well, the decode link you give comes back with a GroupPwd that looks exactly like one that would come from my company’s IT dept, so I have no doubt it’s decoding it correctly.
Yet I get “The VPN Shared Secret is incorrect.” Is it as simple as that? Maybe I have an old .pcf file?
Thanks a lot for the instructions. I could connect successfully, but after that nothing works that used to work correctly when I was connecting with the Cisco VPN. Isn’t the connection created with the Cisco VPN or OS X native VPN the same? What other setting could be a problem here?
Great tutorial, thanks
great trick!!
Shared secret and GroupName are sorted out now without asking the sysadmin, but I’m still not managing to log in; after a few seconds of the VPN icon retrying, it gives up. I suspect that the NTDomain appearing in the .pcf file might have something to do with it. I used to use it together with my username and pwd in the login screen of the Cisco VPN. Where should I use such a domain name? Should I use it together with the user/account name or the pwd? What should the syntax be?