Cisco Vpn Client For The Mac

Installing Cisco AnyConnect VPN client on a Mac

Follow these instructions for installing the Cisco AnyConnect Desktop Client on an Apple Mac computer. This page provides instructions on how to install and connect to the Cisco AnyConnect client for Macintosh OS 10.6 (Snow Leopard) and later. The Cisco AnyConnect VPN client is a web-based VPN client that does not require user configuration.

Here's how to configure Snow Leopard (and iPhone) to use an enterprise Cisco VPN concentrator (which is what you connect to from the internet when you want to virtually join a company or school's LAN).

Open System Preferences --> Network --> click the plus sign (Create a new service). On the iPhone, choose Settings --> General --> Network --> VPN --> Add VPN Configuration. On the Mac, choose VPN as the interface. Choose Cisco IPSec as the VPN type, and supply a service name as a description (an arbitrary name for the connection, whatever makes sense to you).

The rest of the necessary information is supplied by you eyeballing a configuration file (or profile file) used by the typical Cisco VPN client. These files have a .pcf extension and they're usually distributed by an organization as part of the Cisco VPN client installer, usually in a folder called Profiles, but sometimes they are distributed just by themselves for users of other Cisco-compatible VPN clients.

If the .pcf has already been installed on your Mac, you can find the containing directory here: /private/etc/opt/cisco-vpnclient/Profiles/ — which you can see in the Finder by selecting Go --> Go to Folder... and entering the full path above.

Not all the values in the Mac or iPhone configuration windows are used. Certificates, for example, are not common and can be left off or blank. Passwords need not be entered and saved; instead, they can be entered whenever a connection is made.

Open the .pcf file using any text editor. You will see rows of options and values — these are what you will enter in the Mac or iPhone network preferences. For example, to enter your organization's server address, use the corresponding Host value in the .pcf file.

Back at the System Preferences --> Network --> VPN option, there's the Authentication Settings button. Here, you need two important settings: the Group Name and the Shared Secret. The former is found in the configuration file under the GroupName line. The final field that's necessary to make the VPN connection is something called the 'Shared Secret' (it is also sometimes called the Group Password).

Cisco VPN clients use two factors for authentication to connect users to your LAN (called SUNet here at Stanford). One is very weak, and that's the Shared Secret. The other is strong: your own username and password.

In the .pcf file, you will see this as the value associated with the enc_GroupPwd line. You'll notice it looks like an encrypted string, a bunch of letters and numbers. Because it's encrypted, you cannot cut-and-paste this string into the System Preferences field.

I can't tell you what that string is or what it decrypts to, but it's simple enough to use a search engine like Google to find a website that decrypts Cisco group passwords. You enter the long string, click a button and it spits out the passphrase. It's that passphrase that you enter in the Mac or iPhone's Shared Secret field.

What will this Shared Secret get you? Remember, it's only one of two factors necessary to connect. The other, of course, is your username and password. That should never be disclosed, shared or mismanaged.
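
The field mapping described above, as an added example that is not part of the original instructions: a small shell helper that reads a .pcf profile, prints the values for the Cisco IPSec dialog, and warns when the profile also stores the user's own password. The sample profile is constructed, and the `SaveUserPassword`, `UserPassword` and `enc_UserPassword` keys come from the Cisco VPN Client profile format rather than from this page.

```shell
#!/bin/sh
# Added example: pull the values the Mac/iPhone "Cisco IPSec" dialog needs
# out of a Cisco .pcf profile, and flag a saved user password.

# pcf_field FILE KEY: print KEY's value. Keys match case-insensitively;
# a leading "!" (read-only marker) and Windows CRLF endings are tolerated.
pcf_field() {
    awk -v want="$2" '{
        line = $0
        sub(/\r$/, "", line); sub(/^[ \t]+/, "", line)
        c = substr(line, 1, 1)
        if (line == "" || c == ";" || c == "[") next   # blank/comment/section
        eq = index(line, "=")
        if (eq == 0) next
        key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        sub(/^!/, "", key); sub(/[ \t]+$/, "", key)
        if (tolower(key) == tolower(want)) { print val; exit }
    }' "$1"
}

# pcf_report FILE: print the dialog fields; return 1 if the profile also
# stores the user's own password (the strong factor), 0 otherwise.
pcf_report() {
    printf 'Server Address: %s\n' "$(pcf_field "$1" Host)"
    printf 'Group Name:     %s\n' "$(pcf_field "$1" GroupName)"
    if [ -n "$(pcf_field "$1" enc_GroupPwd)" ]; then
        echo 'Shared Secret:  enc_GroupPwd holds the encoded form; enter the passphrase, not this string'
    fi
    if [ "$(pcf_field "$1" SaveUserPassword)" = 1 ] ||
       [ -n "$(pcf_field "$1" UserPassword)$(pcf_field "$1" enc_UserPassword)" ]; then
        echo 'WARNING: user password is saved in the profile; clear it and type it at connect time'
        return 1
    fi
    return 0
}

# Constructed sample profile (host, group and encoded value are made up).
sample_pcf=$(mktemp)
printf '[main]\r\n!Host=vpn.example.edu\r\nGroupName=campus-users\r\nenc_GroupPwd=00AA11BB22CC\r\nSaveUserPassword=0\r\nenc_UserPassword=\r\n' > "$sample_pcf"
pcf_report "$sample_pcf"
rm -f "$sample_pcf"
```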

I use multiple VPN clients, depending on which customer I am supporting on which day. I regularly use the Cisco VPN Client, the Cisco AnyConnect VPN Client, and the built-in Native Cisco VPN Support on my Mac (I’m currently running Snow Leopard version 10.6.8.) However, a recent customer project led me to install the Shrew Soft VPN Client they supported so that I could access their network through their Netscreen firewall. (This client is a free IPsec client distributed under an open source license; to get it to work on the Mac I needed to also install the LGPL Qt Framework and a TUN/TAP driver, but that is another story…)

Some time later, I found out that after installing the Shrew Soft Client, neither the Cisco VPN Client nor the built-in Native Cisco VPN Support would work on my Mac. The AnyConnect VPN Client still worked fine. Obviously it was time for some troubleshooting.

Background
As a first step, I rebooted my Mac, but the Cisco VPN Client was still unhappy – it could not initialize the IKE ports. From the VPN Client Log file I saw messages such as:

The console messages for the built-in Cisco VPN support were not as detailed, but also indicated an issue:

(On the Mac, you can find console messages using the console.app via Applications > Utilities > Console )

Ok, I removed the Shrew Soft VPN Client, the LGPL Qt Framework, and the TUN/TAP driver. I still got the same messages. Rebooted. I got the same messages. I removed and reloaded the Cisco VPN Client software. I got the same messages. Rebooted. I got the same messages.

Partial Work-around
I did find a partial work-around – if I added “UseLegacyIKEPort=0” at the end of the .pcf files, I could get the Cisco VPN Client to connect. However, I still had issues with the built-in Native Cisco VPN Support.

Releasing Port 500
I decided that I really needed to release whatever was binding port 500 that IKE/ISAKMP was trying to use. Something was not completely cleaned out from my removal of the Shrew Soft VPN Client. I did try asking the IT Support desk for one of my customers (hey, I was having issues with the VPN to them), as well as the official Apple Support number about how to determine what program was binding a port, and how to release it. I got a couple hints from them, but also did a bunch of Google searches. Other folks had run into a similar binding issue, so I tried to put together the pieces.

By the way, Port 500 is mapped to ISAKMP by default on the Mac; you can see that based on the /etc/services file:

What worked for me to find the process using port 500 was a “list open files” command, and then kill the process with super user privileges:

After I killed the iked process, I was able to run the Cisco VPN Client, and the built-in Native Cisco VPN Support.

Permanently Removing the Binding
If you recall, the problem persisted even when I rebooted the Mac previously. So the iked daemon was being called during the start up process. I needed to find and remove this daemon call as well. I started looking for likely processes in startup directories and found it pretty quickly:

I rebooted my Mac, and success! My three regularly used VPN clients (the Cisco VPN Client, the Cisco AnyConnect VPN Client, and the built-in Native Cisco VPN Support) all worked. If required, I am pretty sure I could re-install the Shrew Soft VPN Client, and manually kill the iked daemon as needed if I wanted to run other VPN clients.

I hope this explanation may help others with Cisco VPN Client issues.

— cwr
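
The port 500 check from the troubleshooting post above, as an added example that is not the author's own commands: one helper reduces `lsof` output to the process holding UDP 500, and another searches startup directories for whatever relaunches it at boot. The `lsof` output and the PID are constructed, and the directory names in the comments are standard macOS startup locations assumed here, not paths given in the post.

```shell
#!/bin/sh
# Added example: identify what holds UDP port 500 (IKE/ISAKMP) and where
# it is started from. Sample data below is constructed.

# port_holders: read `lsof -nP -iUDP:500` output on stdin and print
# "PID COMMAND" once per process (a daemon often has IPv4 and IPv6 sockets).
port_holders() {
    awk '$1 != "COMMAND" && $NF ~ /:500$/ && !seen[$2]++ { print $2, $1 }'
}

# startup_refs NAME DIR...: list files in the given startup directories
# that mention NAME, i.e. candidates for what relaunches it at boot.
startup_refs() {
    name=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        grep -rlF -- "$name" "$dir" 2>/dev/null || true
    done
}

# Live use on the Mac (root is needed to see other users' sockets):
#   sudo lsof -nP -iUDP:500 | port_holders
#   startup_refs iked /Library/LaunchDaemons /Library/StartupItems
#   sudo kill <PID>        # frees the port until the next boot

# Constructed lsof output resembling the situation in the post.
sample_lsof='COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
iked      87 root    9u  IPv4 0xffffff8012345678      0t0  UDP *:500
iked      87 root   10u  IPv6 0xffffff8012345abc      0t0  UDP *:500
mDNSRespo 53 _mdns   8u  IPv4 0xffffff8012345def      0t0  UDP *:5353'
printf '%s\n' "$sample_lsof" | port_holders
```

Killing the holder only frees the port for the current session; the file that `startup_refs` reports is what has to be removed or disabled for the fix to survive a reboot.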