Cisco’s VPN client software is pretty standard, and most people have access to it through their subscriptions or jobs. OS X users don’t actually need it, though, because we can use the built-in VPN client in System Preferences as an alternative.
In this entry, I’ll explain how to extract the necessary information from a
profile configuration file (.pcf) — typically bundled with your employer’s
VPN client — for use with the OS X System Preferences application.
Extract variables from a .pcf
Open your .pcf in a text editor. It should look like this:
```
[main]
UserPassword=
enc_UserPassword=
AuthType=
GroupName=GROUP_NAME
GroupPwd=
enc_GroupPwd=ENCRYPTED_GROUP_PASSWORD
EnableISPConnect=
ISPConnectType=
ISPConnect=
ISPPhonebook=
ISPCommand=
Username=USERNAME
SaveUserPassword=
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=
BackupServer=
EnableMSLogon=
MSLogonType=
EnableNat=
TunnelingMode=
TcpTunnelingPort=
CertStore=
CertName=
CertPath=
CertSubjectName=
CertSerialHash=
SendCertChain=
PeerTimeout=
EnableLocalLAN=
Description=
Host=HOST_HERE
```
Note the values for these lines:
```
[main]
GroupName=GROUP_NAME
enc_GroupPwd=ENCRYPTED_GROUP_PASSWORD
Username=USERNAME
Host=HOST_HERE
```
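If you'd rather not pick the lines out by eye, the shell functions below read them from the `[main]` section. This is an added example, not part of the original post: the function names, the sample profile and the rule for a repeated key (last non-empty value wins) are assumptions of this example. It also copes with CRLF line endings and with the `!` prefix that Cisco profiles use to mark a key read-only.

```shell
#!/bin/sh
# pcf_get FILE KEY -> prints KEY's value from the [main] section; exit 1 if unset.
pcf_get() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/\r$/, "") }                      # strip CR from CRLF line endings
        /^\[/ { in_main = (tolower($0) == "[main]"); next }
        !in_main { next }                       # ignore keys in other sections
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            sub(/^!/, "", key)                  # "!" only marks the key read-only
            val = substr($0, eq + 1)
            # Repeated key (assumption of this example): last non-empty value wins.
            if (key == want && val != "") found = val
        }
        END { if (found == "") exit 1; print found }
    ' "$1"
}

# pcf_summary FILE -> one "key=value" line per setting the walkthrough uses.
pcf_summary() {
    for key in Host GroupName Username enc_GroupPwd; do
        printf '%s=%s\n' "$key" "$(pcf_get "$1" "$key" || true)"
    done
}

# Constructed sample profile (not a real one): CRLF endings, a Host outside
# [main], a read-only "!" key and a repeated empty key.
make_sample_pcf() {
    printf '%s\r\n' \
        '[other]' 'Host=ignored.example.com' \
        '[main]' 'Description=Constructed sample' \
        'Host=vpn.example.com' 'AuthType=1' \
        'GroupName=example-group' '!enc_GroupPwd=0123456789ABCDEF' \
        'Username=jdoe' 'UserPassword=' 'UserPassword=' > "$1"
}

sample=$(mktemp)
make_sample_pcf "$sample"
pcf_summary "$sample"
rm -f "$sample"
```

To use it on a real profile, call `pcf_summary /path/to/your.pcf` and pass the `enc_GroupPwd` value to `cisco-decrypt` as described in the next step.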
Decrypt the Group Password
Download this decryption library: cisco-decrypt.c.
You’ll need to compile this file. To do so, you’ll most likely need to install
libgcrypt. The easiest way is via Homebrew — follow the
instructions on the Homebrew homepage to install it.
After installing Homebrew, run this command to install libgcrypt:
```
brew install libgcrypt
```
Next, compile the cisco-decrypt program:
```
gcc -Wall -o cisco-decrypt cisco-decrypt.c $(libgcrypt-config --libs --cflags)
```
Finally, decrypt your group password by running this command, replacing
ENCRYPTED_GROUP_PASSWORD with the encrypted group password from your .pcf:
```
./cisco-decrypt ENCRYPTED_GROUP_PASSWORD
```
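Note the returned value — that’s your decrypted group password. Since cisco-decrypt needs nothing but that string, the .pcf alone is enough to recover the group password, so store and share the file as you would the password itself.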
Set Up the Network Connection
Go to System Preferences and click Network in the middle row. The left pane
shows a list of all your network connections. Click the plus icon at the bottom
of that pane.
In the window that appears, choose the following settings:
| Setting | Value |
|---|---|
| Interface | VPN |
| VPN Type | Cisco IPSec |
| Service Name | Work VPN (or whatever you want to call it) |
Click Create and then click the Authentication Settings... button.
In the Shared Secret field, enter the decrypted group password. In the Group Name
field, enter the GROUP_NAME from the .pcf file.
Now click OK and then Apply.
Click Connect, enter your usual password, and you should be good to go.
If you connect to this VPN often, check the box next to “Show VPN status in menu bar” to activate the menu bar dropdown. I recommend it 100%.