
VPN to Cisco on OS X with 'vpnc'

by Chris Shenton last modified May 08, 2009 02:30 PM
vpnc builds fine and can authenticate, but then complains about an ESP error unless you use the right switch.

I use 'vpnc' on FreeBSD to get to my client's Cisco VPN concentrator, and it works great. It has the advantage of letting me modify the connection script so I can keep access to my LAN -- vital since my system mounts its home directories from a fileserver.

I wanted to do the same on my OS X laptop, as the Cisco VPN client is a bit flaky and cuts me off the LAN. I used the excellent instructions at http://www.gdanko.net/vpnc.html, except that I re-used the profile I had previously converted. I name it ~/.vpnc and it looks like this (names changed to protect the innocent):

IPSec gateway 10.1.2.3
IPSec ID CorpVpnName
IPSec secret ShArEd.SeCrEt
Xauth username myuserid

The IPSec secret is the group password, which you will need to decode from the enc_GroupPwd entry in your Cisco profile .pcf file; I used a Perl program I found, but this site does it for you.

You then invoke the VPN software, as root so it can muck with interfaces and routes, specifying this profile:

sudo /usr/local/sbin/vpnc  ~/.vpnc
[... authentication, banner display, route mangling...]
Couldn't open socket of ESP. Maybe something registered ESP already.
Please try '--natt-mode force-natt' or disable whatever is using ESP.
socket(PF_INET, SOCK_RAW, IPPROTO_ESP): Protocol wrong type for socket

I tried the suggested --natt modes, but this was the only one that worked for me. Perhaps it's unique to my Cisco concentrator's configuration, but it gets the job done:

sudo /usr/local/sbin/vpnc  --natt-mode cisco-udp  ~/.vpnc
[... authentication, banner, route mangling...]
VPNC started in background (pid: 18731)...

You'll have to kill it manually:

sudo kill 18731
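To avoid hunting for that PID by hand, here is a small wrapper script (an added example, not part of the original post) that starts vpnc with the NAT-T mode that worked above, parses the PID out of vpnc's own "VPNC started in background" line, stores it, and kills the daemon on "stop". It assumes the vpnc path and ~/.vpnc profile from the post; the pidfile location is my own choice.

```shell
#!/bin/sh
# Wrapper around vpnc: capture the background PID from its status line so
# that tearing the tunnel down later is a single command.

VPNC=/usr/local/sbin/vpnc                  # path used in the post
PROFILE="$HOME/.vpnc"                      # profile file from the post
PIDFILE="${TMPDIR:-/tmp}/vpnc-wrapper.pid" # assumed location for the saved PID

# Pull the PID out of output containing a line such as
# "VPNC started in background (pid: 18731)..."; prints nothing if absent.
vpnc_pid_from_output() {
    printf '%s\n' "$1" |
        sed -n 's/.*VPNC started in background (pid: \([0-9][0-9]*\)).*/\1/p'
}

vpnc_start() {
    # --natt-mode cisco-udp is the switch that avoided the ESP socket error
    out=$(sudo "$VPNC" --natt-mode cisco-udp "$PROFILE") || return 1
    printf '%s\n' "$out"
    pid=$(vpnc_pid_from_output "$out")
    if [ -z "$pid" ]; then
        echo "could not find vpnc PID in its output" >&2
        return 1
    fi
    echo "$pid" > "$PIDFILE"
}

vpnc_stop() {
    if [ ! -f "$PIDFILE" ]; then
        echo "no pidfile at $PIDFILE; is vpnc running?" >&2
        return 1
    fi
    # vpnc runs as root, so the kill has to as well
    sudo kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

case "${1:-}" in
    start) vpnc_start ;;
    stop)  vpnc_stop ;;
esac
```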

I'm now a happy camper as I can access my LAN and my work resources.
