erbmicha

the random braindump of a supergeek


How To: Cisco VPN with Snow Leopard & Lion via .pcf File

September 7th, 2009 · 102 Comments · Tutorial

UPDATE! – Now that I have Lion, I can verify that the following works with Lion as well.


Excitingly, Snow Leopard came out of the box with support for Cisco IPsec VPN, which is what a lot of companies use.

The problem came when I tried to connect to the VPN at work. We had been using the Cisco VPN client, but it was a nightmare to keep working, and the lack of any good error messages made debugging the connection near impossible.

So I took some time to figure out how to use the .pcf file that was given to me by the Network Admin to work with Snow Leopard.

You’d think that you could just add the .pcf file to your Keychain Access application and have it pull the information from there, but you’d be wrong. It couldn’t possibly be that easy. So we have to do the following instead.

  1. Make a VPN connection in your Network Preferences pane. Be sure to choose “Cisco IPsec” for the VPN Type.
  2. Enter your VPN server and credentials into the VPN Network Preferences. This will be your VPN username and password that your Network Admin gave you.
  3. Open the .pcf file in a text editor. Copy the text from the ‘enc_GroupPwd’ field, paste it into the form on this web site: http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode and click ‘decode!’. Select and copy the text next to ‘clear:’ and go to the next step.
    (Note: if there isn’t anything in ‘enc_GroupPwd’ but there is something in ‘GroupPwd’, then you can skip this step. Just copy the text from ‘GroupPwd’.)
  4. Go back to the Network Preferences panel and click on the “Authentication Settings…” button. You’ll get a dialog that looks like this:
  5. Paste the text you copied from the decoding web site (or the ‘GroupPwd’ field of the .pcf file if you had that instead) into the ‘Shared Secret’ text box.
  6. Copy+Paste the text from the ‘GroupName’ field of the .pcf file into the ‘Group Name’ text box and click ‘OK’.
  7. Now you can try it out by clicking the ‘Connect’ button (and click ‘Apply’ if it asks, which it probably will).
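Step 3 can also be done locally instead of pasting the group secret into a third-party form. This is an added Go example, not code from the post, implementing the algorithm published by the vpnc project's cisco-decrypt tool: the value is a 20-byte header (its first 8 bytes are the CBC IV), a SHA-1 of the ciphertext, and 3DES-CBC ciphertext with PKCS#5 padding, keyed from SHA-1 of the header. The encoder and the all-0x42 header are constructed here only so the round trip can be checked without a real profile.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// tripleDES builds the 3DES cipher for one value: key = SHA1(header with last
// byte +1) followed by the first 4 bytes of SHA1(header with last byte +3).
func tripleDES(header []byte) cipher.Block {
	h := append([]byte(nil), header[:20]...)
	h[19]++
	k1 := sha1.Sum(h)
	h[19] += 2
	k2 := sha1.Sum(h)
	block, _ := des.NewTripleDESCipher(append(k1[:], k2[:4]...)) // 24-byte key never errors
	return block
}

// DecodeGroupPwd recovers the clear group password from an enc_GroupPwd hex string:
// 20-byte header (first 8 bytes are the CBC IV), SHA1 of the ciphertext, ciphertext.
func DecodeGroupPwd(encHex string) (string, error) {
	raw, err := hex.DecodeString(encHex)
	if err != nil || len(raw) < 48 || (len(raw)-40)%8 != 0 {
		return "", errors.New("enc_GroupPwd is not hex of a valid length")
	}
	header, sum, ct := raw[:20], raw[20:40], raw[40:]
	if got := sha1.Sum(ct); !bytes.Equal(got[:], sum) {
		return "", errors.New("ciphertext hash mismatch: value is damaged or truncated")
	}
	cipher.NewCBCDecrypter(tripleDES(header), header[:8]).CryptBlocks(ct, ct) // in place
	pad := int(ct[len(ct)-1]) // PKCS#5 padding
	if pad < 1 || pad > 8 {
		return "", errors.New("bad padding: value is damaged")
	}
	return string(ct[:len(ct)-pad]), nil
}

// EncodeGroupPwd is the inverse with a caller-chosen 20-byte header, added here
// only so the decoder can be checked by round trip without a real profile.
func EncodeGroupPwd(header []byte, clear string) (string, error) {
	if len(header) != 20 {
		return "", errors.New("header must be 20 bytes")
	}
	pad := 8 - len(clear)%8
	pt := append([]byte(clear), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(tripleDES(header), header[:8]).CryptBlocks(pt, pt) // in place
	sum := sha1.Sum(pt)
	return hex.EncodeToString(append(append(append([]byte{}, header...), sum[:]...), pt...)), nil
}

func main() {
	enc, _ := EncodeGroupPwd(bytes.Repeat([]byte{0x42}, 20), "example-group-secret") // constructed sample
	fmt.Println(DecodeGroupPwd(enc))
}
```

Feed DecodeGroupPwd the enc_GroupPwd value from your own .pcf file; a copy that lost characters fails the hash check instead of producing garbage for the Shared Secret box.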

Hopefully it all worked out. If not, there are quite a few things that could go wrong. You could be entering login credentials other than your VPN ones (typically they are different from your workstation login credentials). The .pcf file could be old. Etc, etc.

The best way to clear up any errors is to have a chat with your Network Admin and verify that you are using the right credentials and the .pcf file is the latest.

Anyway, hope that helped someone. Let me know if there were any problems.


102 Comments so far

  • KMT

    Thanks — this was super helpful! Are there any security issues with using the link you posted to decode the group password?

    • erb

      I don’t think so. Cisco’s encryption algorithms aren’t terribly robust and have been out there for a while…

  • Derek

    Thanks so much, this saved me so much time! Works perfectly.

  • KMT

    Right… I’m just wondering if someone could steal the password that I entered into that form and hack into the VPN with it? Or would they need more info than just the group password?

    • erb

      Ah! I see what you mean. They would certainly need the group name and the server and your login and your password but other than that, yes, they could save it and use it.
      Seriously, I wouldn’t worry about it.

  • Brian

    Thank you! The link to the group key decipher is crucial. This is really a very valuable post. Thanks again!

  • KMT

    OK, thanks! Really, this post is awesome. I spread the word and a lot of my colleagues are going to use this as well!

  • fanou

    Wonderful! Works perfectly for me (pix + token RSA)
    Thank you very much/thanks a lot!

  • Hywel

    Great stuff! Thanks!

  • brad

    Thank you, this helped me a lot.

  • flying_gramma (Flying gramma)

    http://tinyurl.com/lvr5lu
    How To: Cisco VPN with Snow Leopard via .pcf File

  • David

    Thanks! Great job.

    For those with an RSA SecurID key fob you don’t have to enter a password. Just enter your user ID or account name. When you connect, the server will ask for your password and you will enter your PIN and your RSA SecurID code.

  • Loren Engrav

    so I tried it; and voila, it works here at University of Washington

  • Jeffery

    What if the .pcf file has TcpTunnelingPort set to something other than the default of 10000? Can the Snow Leopard built-in VPN software handle that? I tried entering [ip addr]:[port] in the _Server Address_ field, but OS X does not like that.

    Sorry about the repost, my content between less-than and greater-than signs was automatically removed.

  • 0B1

    I had the decode and tried this before. When all is entered correctly, it cycles on asking for username and password as if the password was incorrectly entered.

    If I put a bogus GroupPWD in, it flags the bad GroupPWD as incorrect.

    In our environment the EnableMSLogin=1 is set. I suspect that this is the problem as it would likely not naturally encrypt using some proprietary MS encryption but rather something standard. Unfortunately there is no option for using this encryption method exposed by the interface and I suspect we must hack some config file hidden in the system somewhere. Now on a conf file hack-hunt…

    • Valor

      My company’s settings are the same, and it works fine for me.

      It’s probably that… your username or password is incorrect. =) Try your username with/without the domain.

  • Pavel

    I have a problem with VPN on OS X Snow Leopard.
    I have a personal certificate only and the address of the server, no user, group name or password.
    Cisco VPN for Mac OS X doesn’t work.

    Any advice please?

    • Valor

      In that case, you just need to tick the “Certificate” option in step 4. Your company is not using a group / shared secret. (certs are a PITA, but arguably more secure)

  • Alsace photos

    Thanks a lot !
    … after 2 hours on google here is the solution !

  • Gene

    In step 2 of your posting “How To: Cisco VPN with Snow Leopard via .pcf File” it states “Enter your VPN server and credentials into the VPN Network Preferences.” However, I do not know my server address and cannot get it from my employer. Is there another way for me to obtain it?

  • Norm Aleks

    Thanks! This was *so* useful. Got onto OS X 10.6, couldn’t use the VPN, couldn’t read the pcf file … and now after finding your posting I am happily working on the network again.

  • JRMcCabe

    Outstanding!! Thanks for the walkthrough, got me connected right away!!!

  • CkP

    Whoo Hoo! With these instructions, I was able to do what my corp network admin mgr couldn’t do. Granted he’s not a “mac guy” but come on…
    I didn’t know the IP address off the top of my head, but it, too, is in the .pcf file! Thanks for publishing. Your solution was high on my Google search for “snow leopard vpn”. Great help!

  • RangRasiya

    Thanks a lot!!! It worked.

  • rma

    Superb. Thank you a lot. I would never have thought that decoding the group PW is the way to go!

  • David

    Looks like your images are gone.

    • David

      I see the images on my iPhone. It’s just GE’s firewall preventing them from showing up.
      Thanks for posting these instructions.

      • erb

        interesting behavior for the firewall. the content made it through but the images got killed? from the same domain? oh, well. GE’s admins should know this stuff already :)

  • p

    here’s an embarrassing question: so now that I connected to another server… what do I do??
    I see the green dot and connection is running fine.
    but where do I go now? what application do I use? I’m supposed to change some settings on a remote server and don’t even know where I can do that!

    • erb

      piroc: well, it kinda depends a lot on the systems you have. if they are windows servers, you’d remote desktop into them and if they are UNIX servers, you would either remote desktop or SSH into them. you should probably find a sysadmin to help you out. all the VPN does is securely connect you to an internal network so it is as if you were sitting at a computer inside that network.

  • dc

    I googled this and your site was at or near the top, for obvious reasons. Thanks for such helpful and useful information – made it an easy morning instead of a hard day. :-)

  • jim

    This may be too technical but any help gratefully received. My University IT uses the Cisco VPN client, which crashes my Mac but works OK.
    I have tried the built-in SL client following the excellent instructions; it correctly contacts the server, which then challenges me for my Uni ID & passwd. If I mistype the user ID, it re-prompts (it seems to recognise the user name). However it times out no matter whether I use the right or wrong passwd. I guess it’s a setting at their end that makes it incompatible with SnoLeo IPsec. I think it is configured correctly (shared secret etc) since if I mistype these it fails to get to the challenge step.

    The Uni IT support “WINTEL” only and discourage Macs. It’s my fault for using an otherwise perfect client on a Mac.

    If I can figure out the problem, they will fix it but they won’t troubleshoot.

    I attach the output from my system log.

    log/system.log:Jan 2 11:55:12 monty-burns racoon[2044]: Connecting.
    log/system.log:Jan 2 11:55:12 monty-burns racoon[2044]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
    log/system.log:Jan 2 11:55:12 monty-burns racoon[2044]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
    log/system.log:Jan 2 11:55:12 monty-burns racoon[2044]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
    log/system.log:Jan 2 11:55:12 monty-burns racoon[2044]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
    log/system.log:Jan 2 11:55:12 monty-burns racoon[2044]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
    log/system.log:Jan 2 11:55:12 monty-burns racoon[2044]: IKE Packet: receive success. (Information message).
    log/system.log:Jan 2 11:55:32 monty-burns racoon[2044]: IKE Packet: transmit success. (Mode-Config message).
    log/system.log:Jan 2 11:55:32 monty-burns racoon[2044]: IKEv1 XAUTH: success. (XAUTH Status is OK).
    log/system.log:Jan 2 11:55:32 monty-burns racoon[2044]: IKE Packet: transmit success. (Mode-Config message).
    log/system.log:Jan 2 11:55:32 monty-burns racoon[2044]: IKEv1 Config: retransmited. (Mode-Config retransmit).
    log/system.log:Jan 2 11:55:32 monty-burns racoon[2044]: IKE Packet: receive success. (MODE-Config).
    log/system.log:Jan 2 11:55:32 monty-burns racoon[2044]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
    log/system.log:Jan 2 11:55:32 monty-burns racoon[2044]: IKE Packet: receive success. (Information message).
    log/system.log:Jan 2 11:55:35 monty-burns racoon[2044]: IKE Packet: transmit success. (Phase2 Retransmit).
    log/system.log:Jan 2 11:55:41 monty-burns racoon[2044]: IKE Packet: transmit success. (Phase2 Retransmit).
    log/system.log:Jan 2 11:55:47 monty-burns racoon[2044]: IKE Packet: transmit success. (Information message).
    log/system.log:Jan 2 11:55:47 monty-burns racoon[2044]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
    log/system.log:Jan 2 11:55:47 monty-burns racoon[2044]: Disconnecting. (Connection tried to negotiate for, 35.340420 seconds).
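A trace like the one above can be read mechanically. This is an added Go example, not code from the post or any commenter, that scans racoon's system.log messages for the negotiation milestones and reports the first stage that did not complete; the embedded sample lines are taken from the comment above. In that excerpt Phase 1 and XAUTH both report success and the peer never answers Quick-Mode message 1, so the retransmits and the disconnect point at the IPsec (Phase 2) side rather than at the credentials.

```go
package main

import (
	"fmt"
	"strings"
)

// Report records how far a racoon IKEv1 (aggressive mode + XAUTH) negotiation got.
type Report struct {
	Phase1Auth, XAuthOK, QuickModeSent, Disconnected bool
	Phase2Retransmits                                 int
}

// Triage scans log text line by line, matching only racoon's message text.
func Triage(log string) Report {
	var r Report
	for _, line := range strings.Split(log, "\n") {
		switch {
		case strings.Contains(line, "Phase1 AUTH: success"):
			r.Phase1Auth = true
		case strings.Contains(line, "XAUTH: success"):
			r.XAuthOK = true
		case strings.Contains(line, "Quick-Mode message 1"):
			r.QuickModeSent = true
		case strings.Contains(line, "(Phase2 Retransmit)"):
			r.Phase2Retransmits++
		case strings.Contains(line, "Disconnecting."):
			r.Disconnected = true
		}
	}
	return r
}

// Stage names the first step that did not complete: which setting to check first.
func (r Report) Stage() string {
	switch {
	case !r.Phase1Auth:
		return "phase1" // server address, group name or shared secret
	case !r.XAuthOK:
		return "xauth" // username/password, with or without the NT domain
	case r.QuickModeSent && r.Phase2Retransmits > 0 && r.Disconnected:
		return "phase2" // peer never answered Quick-Mode: IPsec policy, not credentials
	}
	return "complete"
}

// sampleLog holds lines from the system.log excerpt posted in the comment above.
const sampleLog = `
log/system.log:Jan 2 11:55:12 monty-burns racoon[2044]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
log/system.log:Jan 2 11:55:32 monty-burns racoon[2044]: IKEv1 XAUTH: success. (XAUTH Status is OK).
log/system.log:Jan 2 11:55:32 monty-burns racoon[2044]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
log/system.log:Jan 2 11:55:35 monty-burns racoon[2044]: IKE Packet: transmit success. (Phase2 Retransmit).
log/system.log:Jan 2 11:55:41 monty-burns racoon[2044]: IKE Packet: transmit success. (Phase2 Retransmit).
log/system.log:Jan 2 11:55:47 monty-burns racoon[2044]: Disconnecting. (Connection tried to negotiate for, 35.340420 seconds).`

func main() {
	r := Triage(sampleLog)
	fmt.Printf("%+v\nfirst failing stage: %s\n", r, r.Stage())
}
```

Pipe `grep racoon /var/log/system.log` into Triage after enabling the VPN's verbose logging to get the same classification for your own attempt.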


  • Einar Ólafsson

    Dude, you are awesome. That saved my day!

  • jim

    I am using Snow Leopard (latest updates) and Cisco VPN client 4.9.01.0180.
    I get kernel panics with it whenever the VPN is live.

    This is a known issue for many people.
    http://eternalmedia.se/2009/09/02/cisco-vpn-causes-kernel-panic-on-mac-os-x/

    It is most likely if you use IPv6 (I do because at home I have a Time Machine).

    This is why I am so keen to switch to the inbuilt IPsec.

    However for some reason our VPN server does not fully authenticate the inbuilt client. Does anyone know how to fix? (I realise by now the answer is no.) However, anyone else getting kernel panics: it’s not you, it’s Cisco.

  • CharonPDX

    Well, the decode link you give comes back with a GroupPwd that looks exactly like one that would come from my company’s IT dept, so I have no doubt it’s decoding it correctly.

    Yet I get “The VPN Shared Secret is incorrect.” Is it as simple as that? Maybe I have an old .pcf file?

  • iraszl

    Thanks a lot for the instructions. I could connect successfully, but after that nothing works that used to work correctly when I was connecting with the Cisco VPN. Isn’t the connection created with the Cisco VPN or the OS X native VPN the same? What other setting could be a problem here?

  • Dok

    Great tutorial, thanks

  • igna

    great trick!!

    Shared secret and GroupName are sorted out now without asking the sysadmin, but I am still not managing to log in, after a few seconds of the VPN icon retrying. I suspect that the NTdomain appearing in the .pcf file might have something to do with it. I used to use it together with my username and pwd in the login screen of Cisco VPN. Where should I use such a domain name? Should I use it together with the user/account name or the pwd? What should be the syntax?

  • me

    Also works for the iPhone’s VPN. Thanks tons!

  • NonaSuomy

    This didn’t work for me but the current client did in Snow Leopard 10.6.4
    http://helpdesk.ugent.be/vpn/download/vpnclient-darwin-4.9.01.0080-universal-k9-5-10.dmg

  • Bob

    Erb, brilliant. Although I use the separate CiscoVPN client for my work Mac and all other Macs at home (via RSA SecurID), this saves me having to fetch the fob every time I need to RTD to a Windows machine in my office. I do have a question: when using the OS built-in VPN all works, RDT, accessing shared servers, etc. However our backend admin tool (https and .local) as well as other web apps which are IP restricted and normally work when I connect via RSA do not work via this method. Any ideas? Much appreciated in advance.

    • erb

      I would use both CiscoVPN and the OS X VPN and do some checking as to what IP address was assigned after you connected as well as some ‘dig’ing around the DNS to make sure you’re using the internal DNS server to locate the .local sites. You can also go into the Advanced Settings for the VPN connection and see if checking “Send all traffic over VPN connection” helps. While you’re at it you would enable “Verbose Logging” and see if anything shows up in the logs. Also check to see if the CiscoVPN is setting up any proxies that you’d have to tell the OS X VPN client about in the Advanced Settings. Good luck!

  • Francois

    Worked great for me! Just tweeted your article! Thanks!

    -Francois

  • Andy

    Thank you, thank you. The Cisco client my school provides has been causing kernel panics with the new version of OSX and this saved the day.

  • Micha

    Super! This rocks, thanks!

  • maheswaran

    thanks for sharing! very helpful

  • Kasper

    Thank you, this helped me a lot :-)

  • Ernie

    Just another thanks. The password decrypter is a great resource! Now I’m connecting with my MacBook Pro when I couldn’t connect with my Windows 7 64Bit laptop.

    Muchas Gracias!

  • Kapo

    Hi,

    As the Cisco VPN client doesn’t work with a 64-bit kernel, I used to restart my Mac in 32-bit mode.

    I just tried your hints to use the built-in VPN, and I found out that I can connect to my work VPN, but I cannot browse the internet with Safari.
    I guess it has to do with split tunneling, but I think this is not blocked by my IT administrators as in the pcf I have EnableNAT=1 and everything works smoothly when I am connected via the old vpnClient.

    I found out that I have the same problem with iPhone and iPad: I can connect, but not browse the internet.
    This is annoying, as I often use VPN when I need to download or read a paper from academic online journals.

    Any suggestion?

    • erb

      This is usually a function of your employer locking down web access from their network. You can set up a SOCKS proxy under the Advanced screen of your VPN connection and you can use something like Sidestep (http://chetansurpur.com/projects/sidestep/), Meerkat (http://codesorcery.net/meerkat) or the built-in ssh tools to create the tunnel. If there are special domains that your company has that aren’t available outside the network, you can add them to the “Bypass proxy settings for these Hosts & Domains” text area.
      If you aren’t familiar with any of this, try Sidestep. They make it pretty easy…and free.

      The native Cisco VPN client does do something really nice in that it will separate the public traffic from the VPN traffic. Well, it would be nice if Cisco updated their VPN client to actually work on Snow Leopard, but I digress.

  • Ariaflame

    Thank you so much. My previous mac with leopard on it died (logic board) and I got a new one with snow leopard on it and initially thought the problem with the vpn client was just internally at work, but tried from home this week and the error 51 made me go argh. And google. And google. And now I found this and all is good!

  • CA

    Saved me some major headache tonight; thanks so much for providing these details.

  • atebit

    Having a strange problem with the native Snow Leopard client vs. the Cisco client. When attempting to connect using the native client, it keeps asking me to re-enter my user credentials. If I use the Cisco client, configured with the exact same group & user credentials, it allows me to log in fine. So it seems like the native client is somehow munging either my username and/or password, but no idea how to figure this out. I’m able to use the native client for all of my virtual connections except this one, I’d like to understand why this one doesn’t work.

    • erb

      Hmmm. Without seeing your .pcf file I can’t really tell what the problem might be. There are quite a few things that could go wrong.

  • dj

    Having the same problem! After setting up the native VPN as instructed, with the server address xxx.xxx.xx.xxx, account name, password, group name and shared secret (got all of these from the sysadmin, so didn’t have to decode for use, but did the same to double check). But every time I connect, it prompts me for my authentication and after three times it displays an error: Unable to negotiate with the server. Please help if I need to alter any other settings! Cheers

  • kush

    I am using Snow Leopard 10.6.7 and the Profiles folder which contains the .pcf file is empty. Any help will be highly appreciated.

    • erb

      I’m not sure if Spotlight would find it but if you open the Terminal and type “find / -name *.pcf” it will show you all the .pcf files on your system. You can probably get a new .pcf file from your Network Administrator as well.
