Another one of my frequent postings on this page throughout the years!
Anyway, even though I might not be the most active blogger on this side of Indus, this one should be useful to some people for now and probably some time forward.
As most people* know, Cisco IPSec VPN and 64-bit operating systems aren’t best friends, since Cisco wants people to use their Anyconnect client for licensing reasons, and decided to never make a 64-bit version. So, since I use IPSec for most of my VPN connections, and I don’t want to be stuck in a 32-bit world forever, I spent some time getting it to work om my workstation. *) Most people = Network guys.
The components I used for testing was a Cisco 3000 VPN Concentrator (although it should work with PIX and ASA as well) and MacOS X Lion 10.7 (now also confirmed working on the 10.7.1 update). Basicly, most of this stuff should work on clients of any UNIX flavor, with the exception of some path names and the Applescript.
The instructions are written in a way that even users not familiar to UNIX environments should be able to pull it off, which makes them look kind of childish for an experienced UNIX guy, but you can’t make everybody happy, can you?
Downloads
All software you need to download for this is listed here. You don’t have to download these now, you can do it along the way further down, but starting that Xcode download could be a good thing, since it is 3GB big.
http://itunes.apple.com/us/app/xcode/id448457090?mt=12#
ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.9.tar.bz2
ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.0.tar.bz2
http://sourceforge.net/projects/tuntaposx/files/tuntap/20090913/tuntap_20090913.tar.gz/download
http://www.unix-ag.uni-kl.de/~massar/vpnc/vpnc-0.5.3.tar.gz
http://www.ithora.se/public/software/macos-vpnc/vpnc-fix
http://www.ithora.se/public/software/macos-vpnc/vpn/launcher.command
http://www.ithora.se/public/software/macos-vpnc/VPN%20Actions.scpt
General information:
Open a terminal and type:
whoami
Record your MacOS username. Everywhere you see “pbodin” in this document, replace it with either your MacOS username, or your VPN username (in my case, both are pbodin).
When you use the sudo command throughout this task, it might ask for your password. Then feed it with your MacOS password.
There might be newer versions of the software used in these instructions. Feel free to try the newer versions. Your mileage may vary, and I’ve only tested this with the versions mentioned below.
Tip for the non-frequent vi users: If you screw up inside vi, press ESC a couple of times and type :q! to get out of vi without saving, and then start over from the vi command. Or read this: http://www.cs.colostate.edu/helpdocs/vi.html
All commands you’re supposed to type in a terminal or something are in italic font. Beware that this page wraps the lines, so use copy and paste to make sure to have your newlines in order.
The setup redirects all non-local traffic through the VPN tunnel (i.e. no split-tunneling). Also, local DNS will cease to work, all queries will end up on the DNS servers provided by the VPN connection. All this can easily be changed within the script, if you know how to.
Install a compiler
The easiest is to download Xcode from App Store: http://itunes.apple.com/us/app/xcode/id448457090?mt=12#
The download is 3 GB though, so if you’re on a slow connection and know what you’re doing, you might choose to get a standalone gcc or similar instead.
Install libgpg-error
Open a terminal and type:
curl -o libgpg-error-1.9.tar.bz2 ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.9.tar.bz2
tar -zxvf libgpg-error-1.9.tar.bz2
cd libgpg-error-1.9
./configure
make
sudo make install
Install libgrcypt
Open a terminal and type:
curl -o libgcrypt-1.5.0.tar.bz2 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.0.tar.bz2
tar -zxvf libgcrypt-1.5.0.tar.bz2
cd libgcrypt-1.5.0
./configure
make
sudo make install
Install tuntap
Open a terminal and type:
curl -o tuntap_20090913.tar.gz http://downloads.sourceforge.net/project/tuntaposx/tuntap/20090913/tuntap_20090913.tar.gz?r=&ts=1314366011&use_mirror=surfnet
tar -zxvf tuntap_20090913.tar.gz
open tuntap_20090913.pkg
This will open a GUI installation. Accept all defaults during the installation, and then return to the terminal and type:
sudo /Library/StartupItems/tap/tap
sudo /Library/StartupItems/tun/tun
Install vpnc
Open a terminal and type:
curl -o vpnc-0.5.3.tar.gz http://www.unix-ag.uni-kl.de/~massar/vpnc/vpnc-0.5.3.tar.gz
tar -zxvf vpnc-0.5.3.tar.gz
cd vpnc-0.5.3
vi Makefile
Press / (shift+7) to get a search prompt, enter OPENSSL_GPL_VIOLATION as search phrase and press return.
Place the cursor above the # in the beginning of the line, and then press x to delete the # character. Do this on these two lines:
#OPENSSL_GPL_VIOLATION = -DOPENSSL_GPL_VIOLATION
#OPENSSLLIBS = -lcrypto
Type :wq to save the file and exit vi.
vi sysdep.h
Press / (shift+7) to get a search prompt, enter defined(__APPLE__) as search phrase and press return.
Press o to get in edit mode and start a new line.
Add this line below the APPLE line:
#define HAVE_GETLINE 1
Press ESC to get out of edit mode, and type :wq to save the file and exit vi.
make
make install
sudo vi /etc/vpnc/vpnc-script
Press / (shift+7) to get a search prompt, enter d.add Router as search phrase and press return. You should end up on this line:
# d.add Router $INTERNAL_IP4_ADDRESS
Place the cursor above the # in the beginning of the line, and then press x to delete the # character.
Press ESC to get out of edit mode, and type :wq to save the file and exit vi.
Make vpnc runnable by a normal user (you):
sudo visudo
This starts vi and loads the file /etc/sudoers
Press G (shift+g) to get to the bottom of the file.
Press o to get in edit mode and start a new line.
Add this line:
pbodin ALL = NOPASSWD: /usr/local/sbin/vpnc, /usr/local/sbin/vpnc-disconnect, /usr/local/sbin/vpnc-fix
Where pbodin is replaced by your MacOS username.
Press ESC to get out of edit mode, and type :wq to save the file and exit vi.
Convert pcf profiles
Copy your pcf profile(s) into your Documents folder.
Open a terminal and type:
cd /etc/vpnc
sudo cp /Users/pbodin/Documents/filename.pcf .
sudo pcf2vpnc filename.pcf > filename.conf
Replace pbodin with your MacOS username and filename.pcf with the actual filename. Repeat the two sudo commands for every pcf file you want to convert.
Launch the VPN connection:
Open a terminal and type:
sudo /usr/local/sbin/vpnc –local-port 0 filename.conf
If you get an error saying DES is insecure, instead type:
sudo /usr/local/sbin/vpnc –local-port 0 –enable-1des filename.conf
If it still fails, type this to get more information:
sudo /usr/local/sbin/vpnc –debug 2 –local-port 0 –enable-1des filename.conf
In all three cases with the actual filename instead of filename.conf.
To disconnect, type:
sudo /usr/local/sbin/vpnc-disconnect
If the connection gets dropped without you disconnecting using the command above, you might have to turn Wi-Fi off and on again (or pull the ethernet cable and put it in again) to get Internet working again. Or you can use the provided vpnc-fix script, that fixes this problem at least on my machine. Do this by typing:
sudo /usr/local/sbin/vpnc-fix
VPN fixer
If your computer goes to sleep while connected to VPN, or if you lose the VPN connection by some other magical reason, you’re network might end up in limbo. The you need to fix the routing and DNS settings to get things to work again. This might be done by turning your network on and off again, it might be done by changing location to something else and back again and it can definitely be done by rebooting or fixings things manually.
But just for you my friends, I created a script that does it for you. Download it here: http://www.ithora.se/public/software/macos-vpnc/vpnc-fix and put it in /usr/local/sbin/
VPN launcher
I’ve included a terminal based VPN-launcher written in perl, that you can use if you have several profiles to choose from, and for instance wants to create an icon in your dock or similar. It also has a disconnect option. Download it here: http://www.ithora.se/public/software/macos-vpnc/vpn-launcher.command and put it in /usr/local/sbin
Menu bar menu
There’s a GUI! I’ve written an Applescript file. Put it in /Users/pbodin/Library/Scripts or /Library/Scripts (create the Scripts folders if they’re not already existing). Then start Applescript Editor (under Utilities) and check the Show script menu in menu bar option. If you put the files in /Library/Scripts you also need to check the Show computer scripts option. I prefer to have that option unchecked and keep the scripts in my user scripts folder, to limit the menu size (there’s a whole bunch of system scripts in the computer scripts folder).
This gives a small paper roll like menu item in the menu bar, with the “VPN Actions” script as an option. It will check if there are any active VPN connections. If there are, it will show you the active commands for these (which tells you the VPN server, your username and similar), and ask you if you want disconnect them, connect another connection or if you just wanted to know.
If there are not, it will ask you if you want to connect to VPN, fix a lost VPN connection limobo or if you just wanted to know.
If you choose to connect, the script will ask you for what profile file you want to use. If there is a username and/or password included in the profile file you choose, it will use them, and if not, it will ask you for the information.
It should work with profile files with spaces in the name. It should work with passwords including strange characters (except “). But neither is tested.
There’s some basic error handling (process existance) in the script, but if things go wrong, you’re probably better off if you’re one of those that are able to troubleshoot manually on your own. If you’re not – reboot and try again.
You could also edit the connect script to automatically include your information, eliminating the need to answer the prompts. However, I would recommend keeping the prompt for the password.
Download the Applescript here: http://www.ithora.se/public/software/macos-vpnc/VPN%20Actions.scpt and put it in your Scripts folder.
Credit
I wrote the Applescript and parts of the perl launcher. All other code is written by other people, and all I did was combining them to get it to work. Afaik, all involved tools are open source.
Disclaimer
This how-to is written without any trace of support commitment or endorsement from my employer as a company or me as the author. And if it makes your computer blow up, you alone were the one pressing the enter key. I will of course try to help you if you get stuck and I have the time, but without commitments.
I think I got all actions I had to do into this how-to, but I might have missed something. If you get stuck, send me an email or catch me on Skype, and I’ll try to recall what I did.
