
10.6: Save Cisco IPSec password in the Keychain Network
Mac OS X Snow Leopard adds support for Cisco IPSec VPN connections -- that is, plain IPSec with XAuth authentication and mode_cfg.

That makes two layers of authentication: first, Machine Authentication with a password (Shared Secret) or an X.509 certificate; then a traditional username-password pair for XAuth, which you can enter and save in the Account Name and Password fields respectively when you set up the connection. The trouble is that even though you entered your password and it is apparently saved in the keychain properly, Mac OS X keeps nagging you to enter the password manually every time you connect. It turns out this is just a bug with a simple fix.

Open the Keychain Access application, select the System keychain and find your saved XAuth password entry in the list. Its Kind field will say IPSec XAuth Password. Open it, then on the Access Control tab click the Plus button to add another application. The file we need to select, /usr/libexec/configd, resides in a hidden folder. To navigate there, press Command-Shift-G, enter /usr/libexec, then pick configd in the dialog. Save your changes and that's it -- your saved password should now work.

[robg adds: I can confirm that this fix works as described.]

10.6: Save Cisco IPSec password in the Keychain
Authored by: JaxMyers on Aug 28, '09 08:52:13AM

I can't find an IPSec XAuth Password entry in my keychain for my Cisco VPN in Snow Leopard. I only find the IPSec Shared Secret in my keychain.

When I connect it does not save my user password, it always says "server will prompt for password" and it does not create a keychain item for my user password (only the shared secret). Any idea how to get it to save my password?



10.6: Save Cisco IPSec password in the Keychain
Authored by: frogmella on Aug 28, '09 10:29:12AM
I believe this is defined by policy on the VPN server, and is a deliberate restriction put in by your network administrator. I have the same problem.

One way around this is to install vpnc as an alternative (see this hint), but I haven't tested if this works with Snow Leopard yet.

10.6: Save Cisco IPSec password in the Keychain
Authored by: JaxMyers on Aug 28, '09 12:15:23PM

I've been using Shimo for some time now as an alternative front end to the awful Cisco VPN GUI and it always remembers my password. Maybe I'll just keep using it now that it has been updated for Snow Leopard. I was kind of hoping to avoid installing any 3rd-party VPN software and stick with Apple's built-in VPN support though. I've noticed that the Leopard Cisco VPN implementation keeps asking me for my password every few hours, which is a bit of a pain. Anyways, thanks for the reply.



10.6: Save Cisco IPSec password in the Keychain
Authored by: fold on Sep 06, '09 05:53:38PM

This isn't Apple's fault. The Cisco VPN Concentrator, PIX, or ASA to which you are connecting is probably configured to disable password saving. If the client software is designed to Cisco specs, nothing you do will enable it to save your password if the VPN server prohibits it.

The Cisco IPSec client in iPhone OS 2 was broken in such a way that it would save the password. This was fixed in iPhone OS 3, and the same fix seems to be incorporated in the Mac OS 10.6 IPSec client.

Sorry to disappoint, but after all the whole point of VPN is private network security.

---
Chip Old
BCPL.NET Internet Services



10.6: Save Cisco IPSec password in the Keychain
Authored by: JaxMyers on Sep 08, '09 10:55:19AM

Just to let you know, Shimo will apparently ignore the server's request to always prompt the user for a password and use the password stored in the keychain. I guess this is technically a "bug" although I'm sure most Shimo users want to keep it that way.



10.6: Save Cisco IPSec password in the Keychain
Authored by: mfripp on Jan 11, '12 02:32:28PM
The hint above doesn't explain very well how to find the IPSec XAuth Password entry.

By default, Keychain Access only shows you your own keychain. If you click the expand button (triangle inside a square) at the bottom left corner of the Keychain Access window, you can show other keychains, including the System keychain. Once you're looking at the System keychain, the item you want has a Name matching your VPN, and its Kind is "IPSec XAuth Password". You can find it by sorting by Kind.

An easier alternative (from here) is simply to type "xauth" in the search box at the top right corner of the Keychain Access window. (This works even if you don't have the Keychain list expanded and aren't looking at the System keychain.)

Then you can follow the rest of the instructions above to allow configd to access the password.



10.6: Save Cisco IPSec password in the Keychain
Authored by: NoLongerAnon on Aug 29, '09 03:05:03AM

Has anyone found a way to import the Cisco PCF file which stores the shared secret? Having our IT support group type in the shared secret manually doesn't seem like a sustainable option.



10.6: Save Cisco IPSec password in the Keychain
Authored by: devlogic on Aug 29, '09 06:16:17AM
I couldn't find a way to import the .pcf file, but you can decrypt the shared secret that's in the PCF file with this site, or you can download the source code for the decryption program from the same page, compile it (on a Linux box, in my case) and run the decryption locally.

10.6: Save Cisco IPSec password in the Keychain
Authored by: playdrums on Aug 29, '09 01:35:31PM

So far, it doesn't support import of .pcf files. There is a way to save OS X network configs to text files similar to a .pcf. I don't know if there is any ability to encrypt the password.

Even better though is that you can use a cert. If your organization has a cert, your admin can put that on their machine in a secure way, then use the above option to add an appropriate VPN config that uses the cert.



10.6: Save Cisco IPSec password in the Keychain
Authored by: nukular on Aug 29, '09 08:47:35AM

I found my problem. Apple once again half-assed a "feature", it doesn't seem to support IPSec over UDP, only IPSec over TCP.

Now I've had TWO jobs over nine years... both use the same thing and Apple has had countless updates where VPN was mentioned, yet somehow this one stinkin' connection method just doesn't make it out of their hallowed halls. Bit disappointed.

Oh and I had to go out and find the "latest" Cisco client to install just because the install broke my old one.



10.6: Save Cisco IPSec password in the Keychain
Authored by: NoLongerAnon on Aug 31, '09 08:02:05PM

Others I know have simply reinstalled the version they had and didn't need the latest version. They were all on some variant of 4.9.



10.6: Save Cisco IPSec password in the Keychain
Authored by: Anoble on Aug 30, '09 08:40:53AM

I opened the file in TextEdit and manually entered the data into the fields.



10.6: Save Cisco IPSec password in the Keychain
Authored by: frimpo on Sep 01, '09 01:34:41PM

What file did you open? I'm having the same problem as the first commenter. I don't see IPSec XAuth Password in my Keychain Access under system. Thus, I am not able to modify anything.



Password insecurity
Authored by: ptwithy on Sep 01, '09 12:16:14PM

Wow. What nitwit thought that my VPN would be more secure if they made me type my password every time? I really thought I was screwed by the "no UDP" support thing, but it was really just that "TQrV9yo8varLjI" was too difficult for me to type with _no_ visual feedback. What bonehead thought that you should not be allowed to see while you are typing your password? It's not like it will be left around in my teletype printout... And why, oh why, would they think that disabling paste would make things more secure? I wrote my password down anyways in the keychain -- so disabling paste didn't stop me from writing it down.

The upshot is, I've changed my password to the shortest, simplest phrase that will be accepted as a password, surely totally defeating the purpose of having a VPN in the first place.



10.6: Save Cisco IPSec password in the Keychain
Authored by: grav on Sep 04, '09 06:19:20AM

Seems to me that the mentioned setting in Keychain is lost when you log out. Can anyone confirm this?



10.6: Save Cisco IPSec password in the Keychain
Authored by: JaxMyers on Sep 08, '09 10:53:37AM

Just to let you know, Shimo will apparently ignore the server's request to always prompt the user for a password and use the password stored in the keychain. I guess this is technically a "bug" although I'm sure most Shimo users want to keep it that way.



10.6: Save Cisco IPSec password in the Keychain
Authored by: linuxer on Sep 14, '09 01:58:55AM

This does not work with 10.6.1. I set the password in keychain to allow all applications to access it, but it was still deleted upon connection, and restoring a copy of it did not make the client refer to it later. If this did work in 10.6.0, then maybe I can revert the client.

This is stupid, because Cisco's own client saves my password. The idea that you can enforce client behavior from the server is ludicrous. If your security depends on that, you're in trouble.

I'll get a saved password solution, but I'd rather use the integrated client.



10.6: Save Cisco IPSec password in the Keychain
Authored by: jeffwingo on Sep 26, '09 12:08:53PM

I agree...This tip does not work on 10.6.1.



10.6: Save Cisco IPSec password in the Keychain
Authored by: torbreck on Mar 25, '10 02:45:58PM

Works for me in 10.6.2.



10.6: Save Cisco IPSec password in the Keychain
Authored by: linuxer on Oct 07, '09 05:19:34PM
I think Shimo 1.0.7 (the free version) works well enough for Cisco VPN:

http://code.google.com/p/shimogpl/

but I went with vpnc, which can now be successfully installed on Snow Leopard from Macports. Either way, no retyping required.

One more annoyance worked around.


10.6: Save Cisco IPSec password in the Keychain
Authored by: web_knows on Jul 20, '10 06:11:38PM

I confirm it works with SL 10.6.4.



10.6: Save Cisco IPSec password in the Keychain
Authored by: UncleLongHair on Mar 11, '11 05:52:42AM

Nice! Thank you. This corrected the problem on 10.6.6.



10.6: Save Cisco IPSec password in the Keychain
Authored by: irbis on Apr 19, '11 04:45:41AM

Thanks! Works on my 10.6.7.



10.6: Save Cisco IPSec password in the Keychain
Authored by: Tantali on Jul 23, '11 04:56:03PM

This trick doesn't work with Lion anymore.
The XAuth password doesn't show in Keychain anymore, but somehow I managed to get it to appear for a little while (irreproducible unfortunately) but even then this trick won't work.

Anyone who knows a solution for Lion?


