VPN to Cisco on OS X with 'vpnc'
I use 'vpnc' on FreeBSD to get to my client's Cisco VPN concentrator; it works great. It has the advantage of allowing me to modify the connection script so I can maintain access to my LAN -- vital since my system mounts its home directories from a fileserver.
I wanted to do the same on my OS X laptop, as the Cisco VPN client is a bit flaky and cuts me off from the LAN. I used the excellent instructions at http://www.gdanko.net/vpnc.html, except that I re-used the profile I had previously converted. I named it ~/.vpnc and it looks like this (names changed to protect the innocent):
IPSec gateway 10.1.2.3
IPSec ID CorpVpnName
IPSec secret ShArEd.SeCrEt
Xauth username myuserid
You will need to decode the enc_GroupPwd value from your Cisco profile's .pcf file to get the plaintext group password (the 'IPSec secret' line above); I used a Perl program I found, but this site does it for you. Note that the decoding needs no key beyond what is stored in the blob itself, so anyone who can read the .pcf file can recover the group secret; treat the .pcf, and the ~/.vpnc you derive from it, as a credential and keep it mode 600.
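The conversion step above (take Host, GroupName, enc_GroupPwd and Username from the .pcf and write the four vpnc lines), as an added example that is not from the original post or from the vpnc project. It parses a constructed .pcf, decodes enc_GroupPwd with a reimplementation of the scheme in vpnc's cisco-decrypt.c (key and IV are derived from the first 20 bytes of the blob with SHA-1, the next 20 bytes are a SHA-1 over the ciphertext, the rest is 3DES-CBC with PKCS#5 padding), and renders the config. The key derivation and integrity check use only the standard library; the 3DES step needs pycryptodome. The sample profile and every value in it are made up.

```python
"""Convert a Cisco VPN client .pcf profile into the vpnc config lines above.

Added example, not code from the original post or from vpnc. The enc_GroupPwd
decoder reimplements the scheme in vpnc's cisco-decrypt.c. Key derivation and
the integrity check are stdlib; the 3DES step uses pycryptodome (Crypto.Cipher.DES3).
"""
import binascii
import configparser
import hashlib

# Constructed sample profile; every value is a placeholder, not a real site.
SAMPLE_PCF = """\
[main]
Description=Corp VPN
Host=10.1.2.3
AuthType=1
GroupName=CorpVpnName
GroupPwd=ShArEd.SeCrEt
enc_GroupPwd=
Username=myuserid
"""


def parse_pcf(text):
    """Return the [main] section of a .pcf as a dict with key case preserved."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep GroupPwd and enc_GroupPwd distinct
    cp.read_string(text)
    return dict(cp["main"])


def split_blob(hexblob):
    """Split an enc_GroupPwd hex string into (h1, h4, ciphertext)."""
    blob = binascii.unhexlify(hexblob.strip())
    if len(blob) < 48 or (len(blob) - 40) % 8:
        raise ValueError("enc_GroupPwd blob has an invalid length")
    return blob[:20], blob[20:40], blob[40:]


def derive_key_iv(h1):
    """3DES key = SHA1(h1, last byte +1) || SHA1(h1, last byte +3)[:4]; IV = h1[:8].

    Nothing secret enters this derivation, so anyone holding the .pcf can decode it.
    """
    h2 = bytearray(h1)
    h2[19] = (h2[19] + 1) & 0xFF  # the C code does char arithmetic, which wraps
    h3 = bytearray(h1)
    h3[19] = (h3[19] + 3) & 0xFF
    key = hashlib.sha1(bytes(h2)).digest() + hashlib.sha1(bytes(h3)).digest()[:4]
    return key, h1[:8]


def ciphertext_intact(h4, ct):
    """h4 is a SHA-1 over the ciphertext; a mismatch means a truncated or edited blob."""
    return hashlib.sha1(ct).digest() == h4


def decode_group_pwd(hexblob):
    """Recover the plaintext group password from an enc_GroupPwd value."""
    h1, h4, ct = split_blob(hexblob)
    if not ciphertext_intact(h4, ct):
        raise ValueError("enc_GroupPwd integrity check failed")
    key, iv = derive_key_iv(h1)
    try:
        from Crypto.Cipher import DES3  # pycryptodome
    except ImportError as exc:
        raise RuntimeError("3DES step needs pycryptodome (pip install pycryptodome)") from exc
    pt = DES3.new(key, DES3.MODE_CBC, iv).decrypt(ct)
    pad = pt[-1]
    if not 1 <= pad <= 8 or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#5 padding after decrypt")
    return pt[:-pad].decode("latin-1")


def to_vpnc(profile):
    """Render the four lines vpnc needs from a parsed .pcf dict."""
    secret = profile.get("GroupPwd", "")
    if not secret:
        blob = profile.get("enc_GroupPwd", "")
        if not blob:
            raise ValueError("profile has neither GroupPwd nor enc_GroupPwd")
        secret = decode_group_pwd(blob)
    lines = [
        "IPSec gateway " + profile["Host"],
        "IPSec ID " + profile["GroupName"],
        "IPSec secret " + secret,
        "Xauth username " + profile["Username"],
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PCF
    sys.stdout.write(to_vpnc(parse_pcf(text)))
```

Run it with a real .pcf as the argument and redirect the output to ~/.vpnc. The integrity check is worth keeping even though it protects nothing: a blob that was wrapped or truncated while being copied out of the Windows profile fails there with a clear error rather than decrypting to garbage that vpnc then rejects with an obscure IKE failure.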
You then invoke vpnc as root (it needs to create the tunnel interface and change routes), specifying this profile:
sudo /usr/local/sbin/vpnc ~/.vpnc
[... authentication, banner display, route mangling...]
Couldn't open socket of ESP. Maybe something registered ESP already.
Please try '--natt-mode force-natt' or disable whatever is using ESP.
socket(PF_INET, SOCK_RAW, IPPROTO_ESP): Protocol wrong type for socket
I tried the suggested --natt modes but this was the only one that worked for me. Perhaps it's unique to my Cisco concentrator's configuration, but it gets the job done:
sudo /usr/local/sbin/vpnc --natt-mode cisco-udp ~/.vpnc
[... authentication, banner, route mangling...]
VPNC started in background (pid: 18731)...
What is going on: the raw-socket error means vpnc could not claim IP protocol 50 (ESP) for itself, most likely because the OS X kernel's built-in IPsec stack has already registered it (that is what vpnc's "something registered ESP already" hint points at). With --natt-mode cisco-udp the ESP packets travel inside UDP using Cisco's own encapsulation (port 10000 by default), so vpnc never needs a raw ESP socket; it only works if the concentrator has IPSec over UDP enabled for your group, which is why your mileage with the other modes may vary.
vpnc keeps running in the background, so you'll have to kill it manually, using the pid it printed (vpnc also writes its pid to a pid file, which the vpnc-disconnect helper reads for you if your install includes it):
sudo kill 18731
I'm now a happy camper as I can access my LAN and my work resources.
