About the Post

Author Information

CISCO VPN with MacOS Lion

If you have been using the 4.x release of Cisco’s VPNClient on the Mac — be prepared for a change.   By default the VPNClient is a 32-bit piece of software and it does not run on Lion, unless you boot your machine in 32-bit mode (which sort of defeats the purpose).   However, the built-in MacOS VPN client works just fine.    Here’s one man’s take on a fast tutorial for getting it up and running.

Step 1: Add a new network connection

The first step is to add a new network connection from within System Preferences.   Click on the Network Icon to start the process, then hit the “+” sign to create a new network connection.

MacOS Network Connections

Figure 1: MacOS Network Connections

Clicking on the “+” sign will make the following panel appear (Step 2).   For the interface, choose the value “VPN”.   For the VPN Type, choose “Cisco IPSec”.   The system will provide a default value for the service name, but you can call it anything that you like.   Choose the “Create” button to create the new VPN connection.   (You aren’t ready to go yet, but this is the first step in the process).

Add a new network connection

Figure 2: Add a new network connection

Step 2: Add the server information and your username and password

Add server IP address and username/password

Figure 3:Add server IP address and username/password

For the “server address” enter the IP address or the fully qualified domain name (someserver.yyy.com).   For the account name, enter your username.  for the password, enter your password.  (You can leave the password blank — it will prompt you for the password when you attempt to connect).  The next step in the process is to add the “Authentication Settings”.   You will need to do a couple of things before you are ready to enter the data into the authentication settings section.

Step 3:   Find/edit your PCF file

Find your “PCF” file.  All CISCO VPNs use “PCF” files to store configuration information.  Locate your PCF file for the site that you want to connect to, or export the PCF file from entries in your CISCO client.  (You will want to do this before you upgrade, since you can’t run the client after the upgrade.  If you’ve ALREADY upgraded and do not have your PCF files — then boot in 32-bit mode by holding down the “3” and “2” keys when you power up — run the Cisco client and and export your VPN entries.   Edit your PCF file and look for the following lines:


You should already have the “host” from previous steps, but if you could not find it before — it’s here in this file as well.    You will need the group name and the “enc_GroupPwd” values for the next step in the process.

Step 4: Translate the “enc_GroupPwd” value

Surf to the following URL — http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode — to display the page as shown below.   Copy the “enc_GroupPwd” value (everything AFTER the “=” sign) and paste it into the “Encrypted (Group) Password” field on the screen and hit the “decode!” button.  The value that you need will appear next to the “clear:” field at the bottom of the page (after you hit the decode button)

Decode Cisco Group Password

Figure 4: Decode Cisco Group Password

Step 5: Go back to “Authentication Settings — Step 2”

Head back to step 2 and press the “authentication settings” button to display the panel as shown in Figure 5.   Paste the value that you got for the “clearirr” field from step 4 into the “Shared Secret” field.   Enter the value of the “GroupName” field from the PCF file into the “Group Name” field in this panel.  Press the “ok” button to save the changes.    Use the “Connect” button as shown in Figure 3 to connect to your Cisco VPN.

Authentication Settings

Figure 5: Authentication Settings

Tags: , , , ,

36 Comments on “CISCO VPN with MacOS Lion”

  1. Lloyd Hohn July 26, 2011 at 6:57 pm #

    Unfortunately, one may not discover the consequences for breaking in to retrieve the “secret password” in the CISCO PCF and when and if the Corp IT dept finds out what you have done, you may be unemployed. If you ask for the “secret” and they say no and you choose to go this route, there may be consequences. UNLESS, there is no way for them to know which client you are using to connect. Does anyone know the answer to that question??

  2. James Milbery July 26, 2011 at 9:11 pm #

    I’m not advocating violating company policies. In my case I AM the policy maker. In fact, it might just be a “Corp IT dept” following the steps outlined in this process.

  3. Kevin August 2, 2011 at 3:30 am #

    Great tutorial and it works like a charm on my new Airbook with Lion. Thanks for the help and information.

  4. Lloyd Hohn August 2, 2011 at 12:09 pm #

    Hey, my initial wording was incorrect as it allowed you to misinterpret my point. I should have not used the pronoun “you” when meaning to refer generically to any individual. I meant to clarify that initially and then got busy with other stuff. What we are going to do for now is to simply boot into 32bit mode when it becomes necessary to connect to the corp network via VPN. It works really well and we can reboot when finished with that task since we would only use the VPN to reset a user password over the weekend or something occasional like that task. I am really enjoying LION and the full screen mode personally.

  5. James Milbery August 2, 2011 at 8:24 pm #

    We use our VPN extensively — so booting into 32-bit mode isn’t really an option. (Ok, Ok, technically it IS an option, just not one that I’m going to choose ;o)

  6. Rob Wilkerson August 11, 2011 at 11:40 am #

    I’ve been trying to get this working, but keep getting an odd prompt to “Enter your user authentication”. I’ve entered all of the data fields, but what seems more strange is that while it’s telling me to enter that data, the prompt itself offers no way to do so. Only “Cancel” and “OK” buttons.

    Has anyone else seen this?

    • Allen Hartwig August 12, 2011 at 8:50 pm #

      Rob, try adding \[hybrid\] to the end of your group name. That stopped the error for me, however it is now insisting my shared secret is wrong instead ;) Maybe you’ll have better luck.

    • Andre Seesink January 5, 2012 at 5:23 pm #

      Have you already solved this? (or anyone else?)
      Still puzzling about this part.

    • Sam July 20, 2012 at 5:17 am #

      I have the same issue. Did you ever manage to resolve this?

  7. Herman Porshnikoff August 11, 2011 at 7:26 pm #

    So what I have seen (since we’re on a windows AD) that, for me, it’s asking for the domain user login/password, since our VPN device is resolving thru our AD. Does that help?

  8. Maria August 12, 2011 at 10:38 am #

    Rob, I get the same thing. Anyone can help us?

  9. Andy August 22, 2011 at 4:56 pm #

    That worked perfectly. Thank you!

  10. Mike Benner (@refriedchicken) August 30, 2011 at 5:22 pm #

    I have the same issue as Rob and Maria. Has anyone found a way to resolve this issue?

  11. Jonathan Brooks September 3, 2011 at 10:23 pm #

    It’s weird – it’s like Lion is trying to get permission to check credentials, but it’s asking for your credentials to check something that is password protected. Does that make any sense….?

    I’ve never been able to get my password to “stick” with the built in VPN – anyone else have that problem?

    Cheers, Jon

  12. Bob September 14, 2011 at 6:09 pm #

    I followed these instructions and I am able to connect to our VPN (and the connection timer in the menu bar increments). However, I can’t seem to access any of our internal websites (which I was able to access when using VPNClient on OSX).

    Any ideas why I can’t seem to access internal URLs? Thanks!

    • James Milbery September 14, 2011 at 6:18 pm #

      Can you get to them via the IP address as opposed to the domain name? If so it’s likely related to DNS entries handled by the VPN client. You can add them manually into your /etc/hosts file (bad, but workable) — or — edit your VPN entry in the network panel, clicked the “advanced” button and add a new DNS entry. Note that you may need to check with your IT staff to find out the address of your DNS server (and THIS server may need to be referenced in your /etc/hosts file)

      • Gilwar September 19, 2011 at 7:10 pm #

        Same problem than Bob, apparently good VPN connection but no traffic through the VPN connection and therefore, can not reach intranet machines. Also external IP does not change.

        Solutions? any idea? DNS? change routing?


      • Brian M. Workman (@gesslar) October 4, 2011 at 5:07 am #

        I am having this exact same issue. I have no idea where to look. I’m connected, I get the banner message after I connect. But there’s no traffic. I get an IP, I get the DNS servers sent to me, and I get my domain suffix search order sent to me, but I cannot even ping my default gateway.

        My firewall is turned off in Lion, I think it was off by default. Any suggestions would be welcome.

      • Yannis R. November 23, 2011 at 7:31 am #

        I have exactly the same issue on Mac OS Lion 10.7.2. Could it be a Lion bug?

  13. josh September 20, 2011 at 4:11 pm #

    We are having a problem using the built in VPN client in Lion. It doesn’t resolve DNS well or something. If we go to //server/website.aspx it will work fine. If we go to admin.site.com it says the page can’t be found. We having been looking for an alternative to the built in version but can’t find one.

    everything words fine in SL using the old VPN client and windows users.

    • josh September 20, 2011 at 4:12 pm #

      going to IP works fine

      • James Milbery September 27, 2011 at 1:15 pm #

        Did you try changing the DNS settings in the advanced tab (use the IP for the DNS servers as opposed to the names). You could also *try* adding the entries manually in your /etc/hosts file as an interim work-around.

      • josh September 27, 2011 at 3:14 pm #

        I tried modifying the info in the DNS tab and then connecting to VPN. (although it populated it whenever I would VPN with the IP addresses) There was no change. I also tried editing that host file and unless I did something wrong, no change there either.

        I guess I’ll just wait until Apple does something.

    • Mac October 14, 2011 at 4:34 pm #

      Requires a bit of command line experience, but this will work:

      create a folder under /etc/ called: ‘resolver’

      cd /etc/resolver

      vi my.domain.com (or pico, or emacs, or whatever command line editor you are comfortable with)

      insert in the following lines:

      nameserver XXX.XXX.XXX.XXX
      nameserver XXX.XXX.XXX.XXX
      domain my.domain.com

      (obviously, replace all the XXX’s with your primary and secondary DNS servers, and all the my.domain.com’s with your default domain.) Save, connect to VPN, and leave flowers at my doorstep.

      Here is a printout to the example file: /etc/resolver/example.company.com

      domain examplecompany.com

      • Jenson Yu October 25, 2011 at 4:16 am #

        There is a flaw in this method. It may work in some environment but not all. Take my case as example (it doesn’t work for me). I have a mail server (mail.company.com), external IP 216.x.x.x, internal IP 192.168.x.11.

        Using your method, when connected to VPN, the mail server resolves to 192.168.x.11. That’s all fine.

        However, because your resolver file is permanently in place (even after reboot), when NOT connected to VPN, the mail server still resolves to 192.168.x.11 which is wrong. It should be resolved to 216.x.x.x.

  14. Marco September 23, 2011 at 1:57 pm #

    Works perfect! Many thanks, so helpful!

  15. fidepus September 27, 2011 at 11:56 am #

    Our University provides all the data needed, nevertheless the Cisco VPN won’t cooperate with a 64bit Lion. The client keeps telling that the server IP is wrong, which it isn’t. According to our tech support the only option is to boot Lion into 32bit mode and connect from there.

    • James Milbery September 27, 2011 at 1:13 pm #

      Are you using IP addresses in the configuration or are you using DNS names?

      • fidepus September 27, 2011 at 1:15 pm #

        I’m using the IP. They don’t provide a DNS name.

  16. Uncle Jon November 1, 2011 at 2:32 am #

    Works perfect for me too. Many thanks.

  17. Michel November 30, 2011 at 3:37 pm #

    Thanks for the tip… saved me some trouble

  18. Steve Laurel (@slaurel) December 5, 2011 at 3:40 pm #

    Is there a way to set a timer so the VPN will logout automatically, or ask if I want to stay connected?

  19. tim July 11, 2012 at 7:16 pm #

    Worked like a charm! thanks

  20. Joe Robertson September 24, 2012 at 4:33 am #


    Good writeup!

    I know this is an older post. I have gone through the steps on OS X 10.8.

    I am having trouble connecting to a PIX 6.3(5) that works well with the Cisco Clients (not the anywhere version). Do you know if this is compatible with this PIX version? If so is there a required setup for the crypto and isakmp that might be different that I have?

    I am the sysadmin – so I have access to the PIX and can make changes there if necessary.

    Do you know how to enable verbose debug statements for the VPN Client on OS X 10.8?


  21. Mritunjay January 16, 2014 at 5:38 am #

    It work like Charm in MacOSx 10.9

  22. DE March 30, 2014 at 6:19 am #

    Thank you, works perfectly

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 268 other followers

%d bloggers like this: