
Install vpnc as a replacement for the Cisco VPN client Network
Here's how to build vpnc as a drop-in replacement for the Cisco VPN client. Why on earth would I want to do this? Because, in my opinion, Cisco's client is a pretty poor piece of software, you shouldn't have to have a Cisco contract to download the thing, and I am a big proponent of open source software.

This process has been tested under Mac OS X 10.5.5 and Ubuntu Intrepid 64 bit, and it's written up in detail on this page on my site. Here's the executive summary version:

Requirements:
  • A UNIX system. (Sorry, Windows folks. I have neither the time nor patience to even try to set it up under Windows).
  • A development environment (Xcode).
  • A basic working knowledge of UNIX.
  • The ability to follow instructions.
Required software: Read on for the short version of the installation instructions...

For greater detail on each of the following steps, see the full instructions on my site. If you've got Unix experience, though, this version should be enough to get you going:
  1. Download, compile (if necessary), and install libgpg-error, libgcrypt, vpnc, and TunTap.
  2. Start TunTap using the tun and tap scripts in the /Library/Startup Items folder.
  3. Copy and Convert the Cisco Profiles. For this example, we'll assume the profiles are installed in /etc/opt/cisco-vpnclient/Profiles, which is standard on OS X. Run these commands in Terminal:
    $ sudo cp -R /etc/opt/cisco-vpnclient/Profiles ~
    $ cd ~/Profiles
    $ curl -O http://www.gdanko.net/convert_profiles.sh
    $ sudo sh ~/Profiles/convert_profiles.sh
  4. Download and install a simple launcher I wrote:
    $ cd /usr/local/bin
    $ sudo curl -O http://www.gdanko.net/vpnc_launcher.txt
    $ sudo mv vpnc_launcher.txt vpnc_launcher.php
    $ sudo chmod 755 vpnc_launcher.php
Whew! We're finished. The client and its prerequisites are installed, and the Cisco profiles have been converted over. It's time to test our VPN client. To use the client, launch it by typing sudo vpnc_launcher.pl in Terminal. You should see something like the following:
Unix VPN Connection Utility (new and improved!)
Available VPN Servers:

[1] Bangalore
[2] Dallas
[3] NewYork

Please select a VPN to connect to: 3

Connecting to NewYork...
Enter username for vpn.newyork.foo.com: myname
Enter password for myname@vpn.newyork.foo.com: mypass
add net x.x.x.x: gateway x.x.x.x
add host x.x.x.x: gateway x.x.x.x
delete net default
add net default: gateway x.x.x.x
VPNC started in background (pid: 7557)...
bash-3.2$ vpnc-disconnect
Terminating vpnc daemon (pid: 7557)
That's it, we're done!

[robg adds: In testing this, I was able to download, compile, and install all the components, and convert my Cisco profiles. However, I wasn't able to successfully connect to Macworld's VPN. The problem is probably a configuration issue on my end with vpnc, but I haven't had time to delve into it yet.

In case the two required files on the linked site ever go away, I've mirrored them here on macosxhints: convert_profiles.sh, vpnc_launcher.txt.]
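
What the profile conversion in step 3 amounts to, as an added example that is not the hint author's convert_profiles.sh or vpnc's own converter: it maps the usual Cisco .pcf keys to vpnc config keywords and writes the result readable by the owner only, because enc_GroupPwd is obfuscated rather than encrypted. The function names, the sample profile and all of its values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the hint author's convert_profiles.sh).

# Print vpnc config lines for one Cisco .pcf profile (INI-style, often CRLF).
pcf_to_vpnc() {
    tr -d '\r' < "$1" | awk -F= '
        # a leading "!" marks a key read-only in the Cisco client; drop it
        { key = $1; sub(/^!/, "", key); val = substr($0, length($1) + 2) }
        val == "" { next }
        key == "Host"         { print "IPSec gateway " val }
        key == "GroupName"    { print "IPSec ID " val }
        key == "enc_GroupPwd" { print "IPSec obfuscated secret " val }
        key == "GroupPwd"     { print "IPSec secret " val }
        key == "Username"     { print "Xauth username " val }
    '
}

# Convert PCF into OUTDIR/<name>.conf, readable by the owner only; print its path.
convert_profile() {
    pcf=$1
    out="$2/$(basename "$pcf" .pcf).conf"
    rm -f "$out"
    # enc_GroupPwd is reversible obfuscation, so the output holds a usable group secret
    ( umask 077; pcf_to_vpnc "$pcf" > "$out" )
    # vpnc needs both a gateway and a group ID; do not keep a half-converted file
    if ! grep -q '^IPSec gateway ' "$out" || ! grep -q '^IPSec ID ' "$out"; then
        rm -f "$out"
        echo "skipped $pcf: no Host or GroupName" >&2
        return 1
    fi
    echo "$out"
}

# Write a constructed sample profile (all values are placeholders).
make_sample_pcf() {
    printf '%s\r\n' '[main]' 'Description=constructed sample' \
        '!Host=vpn.example.test' 'AuthType=1' 'GroupName=staff' \
        'enc_GroupPwd=0123456789ABCDEF' 'Username=myname' > "$1"
}

# Demo on the constructed profile in a temporary directory.
demo_dir=$(mktemp -d)
make_sample_pcf "$demo_dir/NewYork.pcf"
cat "$(convert_profile "$demo_dir/NewYork.pcf" "$demo_dir")"
rm -rf "$demo_dir"
```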
Install vpnc as a replacement for the Cisco VPN client
Authored by: giulio on Feb 20, '09 08:15:50AM

The only reason I am holding onto XP is because that version of Cisco is the only one that has the stately firewall that some companies require.

Does this solution include that?
Do you plan to release some sort of binary for the 'rest of us'?

---
Freelance web development
WebVeteran.com



Install vpnc as a replacement for the Cisco VPN client
Authored by: Schwie on Feb 23, '09 06:44:03AM
I too would like to be able to access VPN servers that have the stateful firewall requirement, but from what I'm gathering "vpnc" cannot do this either.

It appears that Cisco knows about the issue and documented it here:

http://tinyurl.com/58p6na

or

http://supportwiki.cisco.com/ViewWiki/index.php/VPN_Client_on_the_MAC_OS_is_not_able_to_connect_to_the_VPN_3000_Series_Concentrator_and_the_user_receives_the_reason_=_PEER_DELETE-IKE_DELETE_FIREWALL_MISMATCH_message

I tried the latest VPN client for the Mac that I was able to get my hands on (4.9.01.100), but it still doesn't work for me. This issue has been around for years, so it would seem that Cisco has no intention of ever fixing this.

The best workaround appears to be to ask your IT people to set up a new group account for *nix platforms whose firewalls don't integrate with the vpn client (or at least offer the correct response to Cisco's Concentrator). Until then, my Cisco VPN client will continue to fill my log with crap like this:

130 08:42:11.617 02/23/2009 Sev=Info/4 IKE/0x4300004B
Discarding IKE SA negotiation (I_Cookie=A3546266FB25C222 R_Cookie=5F3E545C336A69AF) reason = PEER_DELETE-IKE_DELETE_FIREWALL_MISMATCH


MacPorts or Fink have vpnc too
Authored by: earlshango on Feb 20, '09 08:24:06AM
Great hint. You could also use MacPorts or Fink too to build and install vpnc.

Install vpnc as a replacement for the Cisco VPN client
Authored by: Tlalox on Feb 20, '09 08:27:52AM
It's even simpler to get the TUN/TAP driver via an installer package and install vpnc using port or fink. Also the Cisco profile to vpnc profile converter is included. Unfortunately I've name resolution problems using vpnc... (also by following the instruction above):
$ time ping -c1 google.de
PING google.de (216.239.59.104): 56 data bytes
64 bytes from 216.239.59.104: icmp_seq=0 ttl=243 time=40.732 ms
--- google.de ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 40.732/40.732/40.732/0.000 ms
real	0m0.044s
user	0m0.001s
sys	0m0.002s
$ sudo vpnc theProfile.conf 
add host 131.220.242.5: gateway 192.168.0.254
delete net default
add net default: gateway 131.220.243.90
VPNC started in background (pid: 57065)...

$ time ping -c1 google.de
PING google.de (66.249.93.104): 56 data bytes
64 bytes from 66.249.93.104: icmp_seq=0 ttl=240 time=29.647 ms
--- google.de ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 29.647/29.647/29.647/0.000 ms
real	0m10.043s
user	0m0.001s
sys	0m0.002s

$ time ping -c1 google.de
PING google.de (66.249.93.104): 56 data bytes
64 bytes from 66.249.93.104: icmp_seq=0 ttl=240 time=33.610 ms
--- google.de ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 33.610/33.610/33.610/0.000 ms
real	0m0.046s
user	0m0.001s
sys	0m0.002s


Install vpnc as a replacement for the Cisco VPN client
Authored by: micmoo on Feb 20, '09 10:23:26AM
Download and install a simple launcher I wrote:
$ cd /usr/local/bin
$ sudo curl -O http://www.gdanko.net/vpnc_launcher.txt
$ sudo mv vpnc_launcher.txt vpnc_launcher.php
$ sudo chmod 755 vpnc_launcher.php

Don't you mean
$ sudo mv vpnc_launcher.txt vpnc_launcher.pl?
Because the next step says launch it as pl... I'm assuming this is a typo, correct? Might as well point it out if someone is confused by it, but I assume anyone following along is savvy enough to figure it out...

Install vpnc as a replacement for the Cisco VPN client
Authored by: ataraxia on Feb 20, '09 12:51:13PM

Note that vpnc does not yet support certificate-based authentication - it says so right on the vpnc site.

As far as I know, nothing but the original Cisco client supports it. I'd love to be proven wrong about this.



Install vpnc as a replacement for the Cisco VPN client
Authored by: BobHarris on Feb 20, '09 08:43:53PM
I get link errors when I try to build vpnc
make
gcc -o vpnc sysdep.o vpnc-debug.o isakmp-pkt.o tunip.o config.o dh.o \
 math_group.o supp.o decrypt-utils.o vpnc.o -g -L/usr/local/lib \
 -lgcrypt -L/opt/local/lib -lgpg-error -lcrypto
Undefined symbols:
  "_gcry_cipher_setkey", referenced from:
      _vpnc_doit in tunip.o
      _vpnc_doit in tunip.o
      _deobfuscate in decrypt-utils.o
      _isakmp_crypt in vpnc.o
      _process_late_ike in vpnc.o
      _process_late_ike in vpnc.o
  "_gcry_cipher_setiv", referenced from:
      _encap_esp_recv_peer in tunip.o
      _encap_esp_encapsulate in tunip.o
      _deobfuscate in decrypt-utils.o
      _isakmp_crypt in vpnc.o
ld: symbol(s) not found
collect2: ld returned 1 exit status
make: *** [vpnc] Error 1


Shimo as a replacement for the Cisco VPN client
Authored by: jtrull on Feb 23, '09 09:52:04AM

I have had good luck with Shimo.

It includes its own copy of vpnc, so there is no need to build it or install Fink/MacPorts. The installation is easy. It will import Cisco VPN profiles. It will also act as a (more attractive) front end for the Cisco VPN client as well as a number of other VPN systems.

It's not free, but the pricing is reasonable (€12.95).

I don't work for them; I'm just a satisfied customer.



Install vpnc as a replacement for the Cisco VPN client
Authored by: Prasanna K Rao on Jan 23, '10 05:08:09AM

I have tried this solution and it works fine for me.. I am able to connect to the desired network. :-) I am yet to test the pros against my regular cisco client though..

I also referred to http://www.koansys.com/tech/vpn-to-cisco-on-os-x-with-vpnc

Edited on Jan 23, '10 05:09:49AM by Prasanna K Rao


