January 10, 2010

How to migrate a Cisco VPN configuration into Snow Leopard

Recently, I had to get access to a VPN connection to grab some files. My OS X 10.6 (Snow Leopard) install borked my Cisco VPN client, which caused it to throw the following error:

Error 51: Unable to communicate with the VPN subsystem.

This presented a problem: I couldn’t get the updated client, since Cisco restricts downloads of that client software. Snow Leopard, however, comes with improved VPN capabilities that obviate the need for the client itself.

Could I migrate an old Cisco profile into Snow Leopard with borderline zero knowledge about my VPN connection? Yep–and here’s how I did it.

Disclaimer: This is perhaps the most kludgy way to accomplish this task. I’m not a network guy and I have no idea if this will work for you. It worked for my unique case. Proceed with caution.

Prerequisites

To do this, you should be comfortable using Terminal and you should know your VPN account name and password.

Find your Cisco profile

Open Terminal and go to the cisco-vpnclient directory that holds your profile:
/etc/opt/cisco-vpnclient/Profiles

In this directory, there are one or more .pcf files, which are what Cisco uses to manage VPN connections. A PCF file is just text, so issuing the command more profilename.pcf will show you its contents. Replace “profilename.pcf” with the name of your file.

In this file, you’re looking for three specific things to give to Snow Leopard’s Network system preference manager:

  1. Host
  2. GroupName
  3. enc_GroupPwd
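As an added example that is not part of the original post, here is a small Python script that pulls those three values out of a .pcf file and also lists which credentials the profile stores at all. The sample profile and its enc_GroupPwd value are constructed, and treating a leading “!” on a key as a Cisco lock marker (parameter the user cannot change) is my assumption.

```python
"""Read a Cisco VPN .pcf profile and extract what Snow Leopard's
Cisco IPSec connection dialog needs: Host, GroupName, enc_GroupPwd."""
import configparser
import re
from typing import Dict, List

# Constructed sample profile; the enc_GroupPwd hex is made up, not a real
# obfuscated group password.
SAMPLE_PCF = """[main]
Description=Example corporate VPN
!Host=vpn.example.com
AuthType=1
GroupName=example-group
enc_GroupPwd=0123456789ABCDEF0123456789ABCDEF
EnableISPConnect=0
Username=jdoe
SaveUserPassword=0
"""

# Keys whose presence means a credential (obfuscated or not) sits in the file.
STORED_CREDENTIAL_KEYS = ("grouppwd", "enc_grouppwd", "userpassword", "enc_userpassword")

def parse_pcf(text: str) -> Dict[str, str]:
    """Parse the [main] section into a dict with lower-cased keys.
    Assumption: a leading '!' only marks a locked parameter, so it is stripped."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if "main" not in cp:
        raise ValueError("not a Cisco .pcf profile: missing [main] section")
    return {k.lstrip("!").lower(): v.strip() for k, v in cp["main"].items()}

def snow_leopard_settings(pcf: Dict[str, str]) -> Dict[str, str]:
    """Return Server Address, Group Name and the still-obfuscated group
    password; the last one must be decoded before it goes into Shared Secret."""
    missing = [k for k in ("host", "groupname", "enc_grouppwd") if k not in pcf]
    if missing:
        raise KeyError("profile lacks required field(s): " + ", ".join(missing))
    blob = pcf["enc_grouppwd"]
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", blob):
        raise ValueError("enc_GroupPwd is not an even-length hex string")
    return {"server_address": pcf["host"], "group_name": pcf["groupname"], "enc_group_pwd": blob}

def stored_credentials(pcf: Dict[str, str]) -> List[str]:
    """List credential-bearing keys present and non-empty in the profile.
    A profile carrying any of these is a secret file and should be handled as one."""
    return [k for k in STORED_CREDENTIAL_KEYS if pcf.get(k)]

if __name__ == "__main__":
    profile = parse_pcf(SAMPLE_PCF)
    print(snow_leopard_settings(profile))
    print("credentials stored in profile:", stored_credentials(profile))
```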

Unencode the GroupPwd

The group password is stored in an obfuscated form. You’ll need to give Snow Leopard the plaintext version. Copy the entire hexadecimal string.

Open a Web browser and visit the Cisco VPN password decoder. Paste in the password and click “decode.” You should receive a plaintext version. Copy everything after “clear:” to your clipboard.

Create a VPN Network connection

Open System Preferences > Network. In the left pane, click “+” to add a new connection. Choose the following:

You can name “Service Name” whatever you like. Go with your heart and then click “Create”.

Type the “Host” value from your .pcf file into “Server Address”. Add in your Account Name and Password and click “Authentication Settings”.

In the Machine Authentication dialog, paste the decoded password into the “Shared Secret” field. Type in your Group Name and click “Ok”.

Click “Apply”, then “Connect”.

That’s it. If this worked right, you should be logged into your VPN. If you’re like me, this now means you have no excuse not to be working on the weekend. Good luck!