Cisco’s VPN client software is pretty standard and most people have access to it through their subscriptions or jobs. OS X users don’t actually need it though because we can use the built-in VPN client in System Preferences as an alternative!

In this entry, I’ll explain how to extract the necessary information from a profile configuration file (.pcf), typically bundled with your employer’s VPN client, to use with the OS X System Preferences application.

Extract vars from a .pcf

Open your .pcf with a text editor. It should look like this:

[main]
UserPassword=
enc_UserPassword=
AuthType=
GroupName=GROUP_NAME
GroupPwd=
enc_GroupPwd=ENCYPTED_GROUP_PASSWORD
EnableISPConnect=
ISPConnectType=
ISPConnect=
ISPPhonebook=
ISPCommand=
Username=USERNAME
SaveUserPassword=
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=
BackupServer=
EnableMSLogon=
MSLogonType=
EnableNat=
TunnelingMode=
TcpTunnelingPort=
CertStore=
CertName=
CertPath=
CertSubjectName=
CertSerialHash=
SendCertChain=
PeerTimeout=
EnableLocalLAN=
Description=
Host=HOST_HERE

Note the values for these lines:

[main]
GroupName=GROUP_NAME
enc_GroupPwd=ENCYPTED_GROUP_PASSWORD
Username=USERNAME
Host=HOST_HERE

Decrypt the Group Password

Download this decryption library: cisco-decrypt.c

You’ll need to compile this file. It’s likely that you will need to install libgcrypt to compile it. The easiest way to do this is to install it using Homebrew. To install Homebrew, follow the simple instructions on the Homebrew homepage.

After installing Homebrew, run this command to install libgcrypt:

brew install libgcrypt

Next, compile the cisco-decrypt program by running this command:

gcc -Wall -o cisco-decrypt cisco-decrypt.c $(libgcrypt-config --libs --cflags)

Finally, decrypt your group password by running this command, replacing ENCYPTED_GROUP_PASSWORD with the enc_GroupPwd value from your .pcf:

./cisco-decrypt ENCYPTED_GROUP_PASSWORD

Note the returned value, which is your group password.
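
As an added example (not part of the original post or of cisco-decrypt.c), this Python script pulls the needed values out of a .pcf and checks that enc_GroupPwd was copied intact before you hand it to cisco-decrypt. The sample profile is constructed, and the blob layout it checks (20-byte seed, 20-byte SHA-1 of the ciphertext, then the ciphertext in 8-byte blocks) is an assumption about the format cisco-decrypt.c reads.

```python
import hashlib
import re

# Constructed sample profile: CRLF line endings and a "!" (read-only) key
# prefix, as a Windows-authored .pcf may have. Host, names and blob are made up.
_CT = bytes(range(16))  # stand-in ciphertext, not a real secret
_BLOB = (bytes(20) + hashlib.sha1(_CT).digest() + _CT).hex().upper()
SAMPLE_PCF = (
    "[main]\r\nDescription=Work\r\nHost=vpn.example.com\r\n"
    "GroupName=staff\r\nGroupPwd=\r\n!enc_GroupPwd=" + _BLOB + "\r\n"
    "Username=jdoe\r\nUserPassword=\r\nenc_UserPassword=\r\n"
)

WANTED = {n.lower(): n for n in
          ("Host", "GroupName", "enc_GroupPwd", "GroupPwd", "Username")}


def parse_pcf(text):
    """Return the non-empty [main] values needed for the macOS VPN dialog."""
    found, in_main = {}, False
    for raw in text.splitlines():  # splitlines() also strips CRLF
        line = raw.strip()
        if line.startswith("["):
            in_main = line.lower() == "[main]"
            continue
        if not in_main or "=" not in line:
            continue
        key, value = line.split("=", 1)
        name = WANTED.get(key.strip().lstrip("!").lower())
        if name and value.strip():  # ignore empty or repeated-empty keys
            found[name] = value.strip()
    return found


def check_enc_blob(hex_value):
    """Check that enc_GroupPwd was copied intact. Does not decrypt it."""
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", hex_value):
        return "not an even-length hex string"
    blob = bytes.fromhex(hex_value)
    ciphertext = blob[40:]  # assumed layout: 20-byte seed, 20-byte SHA-1, data
    if len(ciphertext) < 8 or len(ciphertext) % 8:
        return "ciphertext is not a whole number of 8-byte blocks"
    if hashlib.sha1(ciphertext).digest() != blob[20:40]:
        return "embedded SHA-1 mismatch (truncated or mistyped value)"
    return "ok"


if __name__ == "__main__":
    values = parse_pcf(SAMPLE_PCF)
    print(values, check_enc_blob(values.get("enc_GroupPwd", "")))
```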

Set Up the Network Connection

Go to System Preferences and click Network in the middle row. The left pane shows a list of all your network connections. Click the plus icon at the bottom of the left pane.

In the window that appears, choose the following settings:

Setting | Value
Interface | VPN
VPN Type | Cisco IPSec
Service Name | Work VPN (or whatever you want to call it)

Click Create and then click the Authentication Settings... button.

In the Shared Secret field, enter the decrypted group password. In the Group Name field, enter the GROUP_NAME from the .pcf file.

Now click OK and then Apply.

Click Connect, enter your usual password, and you should be good to go!

If you connect to this VPN often, you can check the box next to “Show VPN status in menu bar” to activate the menu bar dropdown. I recommend it 100%.