How to create a Cisco VPN Connection in Apple Mac OS X LION

I have a MacBook Pro with Mac OS X Lion on it. The Cisco VPN Client I had doesn't work on Lion; see the explanation below for why. A colleague of mine figured out how to create a Cisco VPN connection in Lion, which is described below.
If you have been using release 4.x of the Cisco VPN Client, be prepared for a change. The Cisco VPN Client is a 32-bit application and won't run on Mac OS X Lion, unless you boot your machine in 32-bit mode (which is not really recommended).
However, Mac OS X has a built-in VPN client that supports Cisco VPN natively. Below I describe how to configure this client for a Cisco VPN.
First, the things you have to do:

1. Go to Applications and open System Preferences.

2. Select Network.

3. Click the + to add a new network connection.

4. Give the service a name, so that if you have more than one VPN connection you know which one to use. Click Create.

5. Select VPN as the interface (the Cisco IPSec type). Fill in the information you got from your administrator, and click Authentication Settings.

6. Fill in the Shared Secret and Group Name.

7. Enable "Show VPN status in menu bar" (this makes it easier to connect once you have closed the Network settings window).

8. Click Apply.

9. Look for the VPN icon in the menu bar. Click it to connect; the VPN connection will prompt for your login credentials.

46 thoughts on “How to create a Cisco VPN Connection in Apple Mac OS X LION”

  1. Thx guys. Is the shared secret a password my system admin needs to provide? I have the Cisco VPN client on my old PC and I did not see a Shared Secret box. Could I perhaps copy my VPN certificate from my PC onto my Mac? Thx.

    1. Some additional information about your certificate: if your system admin can provide you with a certificate, you would be able to import it into the configuration of the VPN. I haven't worked yet with certificates and VPN client software; I need to figure out some day how to use that instead of a pre-shared key.

  2. Is there a setting on the native client to modify the tcp port? The organisation I work for uses a non-default port.

    1. Did anyone ever figure out how to change from the default port? Is there a config file I can find through terminal?

  3. Thank you for the post. Unfortunately, I’m stuck with the other users. I don’t know what my secret password is and didn’t need one before. I don’t know where to find the pcf file either.

    1. You can find the encrypted key behind one of these settings:
      enc_GroupPwd= or enc_UserPassword=
      And to find the *.pcf file:
      PCF files are usually found in /private/etc/CiscoSystemsVPNClient/Profiles.
      Open up /Applications/Terminal and type the following:
      cd /private/etc/CiscoSystemsVPNClient/Profiles
      cat *.pcf

        1. You will only see this folder when you have installed the Cisco VPN client from Cisco itself. If you haven't installed this software (which is not supported on x64 systems), then you are unable to find it.
          So you have to know the VPN configuration of your Cisco device, or you have to ask your system administrator or network administrator.

      1. Has anybody seen updated instructions anywhere? We’re using v3.1.x of the Cisco AnyConnect client and it stores the profile differently. I can’t see the information in /opt/cisco/anyconnect/profile/my_client_profile.xml. Not even sure if it’s using a shared secret or certificate. Any ideas how to extract this information from my installation?

        1. AnyConnect is using its own application, which is not the same as the built-in Cisco VPN. If the firewall device has a web login, in most cases you get this software downloaded to your system.
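As an added illustration of the .pcf hint in this thread (example code written for this page, not the Cisco client's own tooling), the Python below reads a legacy profile and lists the settings the native client asks for: the host, the group name, the authentication type and transport, and whether a group password is stored at all. It deliberately does not decode enc_GroupPwd; the value for the Shared Secret field should come from the administrator. The sample profile and all its values are constructed; the key names Host, GroupName, AuthType, TunnelingMode and TcpTunnelingPort are those of the legacy client's profile format as I know it, and a file that uses other keys is simply reported with those fields missing.

```python
import configparser
from pathlib import Path
from typing import Dict, List

# Constructed sample of a legacy Cisco VPN Client profile (.pcf).
# Host, group and password values are made up for this example.
SAMPLE_PCF = """\
[main]
Description=Office VPN (constructed sample)
Host=vpn.example.com
AuthType=1
GroupName=remote
enc_GroupPwd=0123456789ABCDEF
TunnelingMode=1
TcpTunnelingPort=10000
"""

# AuthType values of the legacy profile format; other values are reported raw.
AUTH_TYPES = {"1": "pre-shared key (group password)", "3": "certificate"}


def parse_pcf(text: str) -> Dict[str, object]:
    """Summarise one .pcf profile in terms of what the native macOS client needs.

    The group password is only reported as present or absent: it is stored in
    obfuscated form (enc_GroupPwd) and is not decoded here.
    """
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cp.optionxform = str  # keep key case, e.g. enc_GroupPwd
    try:
        cp.read_string(text)
    except configparser.MissingSectionHeaderError:
        # Hand-edited profiles sometimes lack the [main] header; treat it as implied.
        cp.read_string("[main]\n" + text)
    main = cp["main"] if cp.has_section("main") else {}

    has_group_pwd = bool(main.get("enc_GroupPwd") or main.get("GroupPwd"))
    tcp_mode = main.get("TunnelingMode", "0") == "1"
    transport = f"TCP/{main.get('TcpTunnelingPort', '10000')}" if tcp_mode else "UDP (IPSec)"

    notes: List[str] = []
    if tcp_mode:
        notes.append("profile uses TCP encapsulation; the native client only does IPSec over UDP")
    if not has_group_pwd:
        notes.append("no group password stored; ask the administrator for the shared secret")

    return {
        "host": main.get("Host"),
        "group": main.get("GroupName"),
        "auth": AUTH_TYPES.get(main.get("AuthType", ""), main.get("AuthType")),
        "group_password_present": has_group_pwd,
        "transport": transport,
        "notes": notes,
    }


def load_profiles(profile_dir: str = "/private/etc/CiscoSystemsVPNClient/Profiles") -> Dict[str, Dict[str, object]]:
    """Parse every *.pcf in the legacy client's profile directory (path from the comment above)."""
    return {p.name: parse_pcf(p.read_text(errors="replace"))
            for p in sorted(Path(profile_dir).glob("*.pcf"))}


if __name__ == "__main__":
    import json
    print(json.dumps(parse_pcf(SAMPLE_PCF), indent=2))
    for name, summary in load_profiles().items():  # empty on a machine without the legacy client
        print(name, json.dumps(summary, indent=2))
```

A profile with TunnelingMode=1 also answers the earlier question about a non-default TCP port: that setting belongs to the legacy client's TCP encapsulation, which the native client does not offer, so such a profile cannot be reproduced one-to-one in the Network preferences.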

  4. Is anyone else getting a prompt to “Enter your user authentication” after going through these steps? The prompt contains no inputs and if I click “OK”, the system continues attempting to connect before crapping out with a “navigating to host” error.
    Any thoughts would be appreciated.

    1. Same issue, I get the prompt three times then a disconnect. I duplicate the same on both a Snow and Lion system so it’s not tied to just Lion.

  5. Rob, I haven’t seen a message like that yet.
    I’ve tested 2 VPN connections so far: one was connected to a Cisco Router 2811 and the other was connected to a Cisco ASA 5505. But I’ve seen that DNS, for example, worked for me with a Cisco ASA 5505, but when I connected to a Cisco Router 2811 it didn’t, even with the DNS settings enabled.
    So when I connected to the Cisco ASA 5505 and did a ping to I got an answer and I could RDP to this server.

    1. Thanks. Evidently we’re using an older version of the Cisco software that’s not compatible with OSX’s native VPN option and Cisco hasn’t (yet?) released a version of its own software that’s compatible with Lion. Guess it sucks to be me.
      Thanks for the input.

      1. I’ve just looked on the site of Cisco but they don’t support Mac OS X Lion yet. But I doubt they are going to support it because of the native client in Lion. However, the Cisco AnyConnect client should work, as written below from the release notes:
        Lion Support
        ————————————————————————————————————–
        AnyConnect 2.5.3051 provides support for Lion OS X 10.7. Without the appropriate JAVA and Web applet, OS X users may experience CSCtq62860 or CSCto09628. You must install JAVA and enable the appropriate Applet plug-in and web start applications using these steps:
        Step 1 Open the JAVA Preferences when doing Hostscan or Weblaunch with Safari on OS X 10.7.
        Step 2 If JAVA is not already installed, you are prompted to do so.
        Step 3 Check the Enable applet plug-in and Web Start applications option.
        ————————————————————————————————————–
        url: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/release/notes/anyconnect25rn.html#wp1188713

  6. daniel on thego

    Guys, rebooting while holding the 3 and 2 keys simply does the trick; probably the computer is then in 32-bit mode. But I don’t feel a difference, and the VPN works and I can work. It is incredible Apple takes so long to update their Lion.

    1. It’s not Apple; they made the decision to make Lion start up in 64-bit mode by default, which is only Intel CPU compatible. The original VPN client of Cisco is Intel / PPC compatible, but in 64-bit mode the PPC software doesn’t run. So I think it’s more up to Cisco whether they are willing to change their VPN software to the 64-bit mode of Mac OS X Lion.
      But it’s a workaround to boot up your system in 32-bit mode and run the Cisco VPN client. I haven’t tested it yet, but as I read your comment you are working with it. I doubt that simple users will boot in 32-bit mode.

  7. daniel on thego

    Well, if you don’t know too much about the tech aspects, as I do, this solution at least makes me happy that it works without much hassle and installing; in the end that is why I switched to Apple.
    Is there a negative consequence technically in working in 32-bit mode? Can it destroy something? To switch back is simple too: reboot and hold the 6 and 4.

    1. It can’t destroy anything, but in 32-bit mode you can’t use more than 4 GB of memory; in 64-bit mode you could use more than 4 GB of memory, which I have myself (8 GB). I found an Apple KB which tells you how to start up your system by default in 32-bit mode without pressing the 3 + 2 key combination.
      http://support.apple.com/kb/ht3773

      You use the first method. Method 1: Startup key combination (for current startup only)
      If your Mac uses the 32-bit kernel by default, but supports the 64-bit kernel, you can start up using the 64-bit kernel by holding the 6 and 4 keys during startup.
      If your Mac uses the 64-bit kernel by default, you can start up with the 32-bit kernel by holding the 3 and 2 keys during startup.
      Your Mac will revert to the default kernel the next time you reboot it.

      Method 2: On-disk setting (persistent)
      To select the 64-bit kernel for the current startup disk, use the following command in Terminal:
      sudo systemsetup -setkernelbootarchitecture x86_64
      To select the 32-bit kernel for the current startup disk, use the following command in Terminal:
      sudo systemsetup -setkernelbootarchitecture i386
      Note: This setting is stored in the /Library/Preferences/SystemConfiguration/com.apple.Boot.plist file and will take effect every time you start up from this disk. If you start up from a different disk, the setting on that disk, or the hardware default, will take effect.

      Additional Information

      Keys held during startup (such as 3-2 or 6-4, method 1 above) will override the setting in com.apple.Boot.plist (method 2 above).

  8. Yay, it works! Just need to sort out DNS now – the VPN provides a DNS server but the Mac continues to use the one defined in /etc/resolv.conf. Any idea how to make it use the VPN-provided server automatically, i.e. without manually modifying /etc/resolv.conf every time I connect to the VPN?

    1. What you could try to do is open a terminal window > type dscacheutil -flushcache
      Other question do you have static IP address configured on your mac? maybe that could be an issue, I think.

    2. I found an alternative program that solves the problem very well, it is called shim, it is simple and it works
      good luck

  9. Issues with 32-bit mode:
    – you have to install it in 64-bit mode, then boot into 32-bit mode to use it.
    – the Cisco client crashes if you try to import a connection entry.
    The issue I have right now is that the Mac OS X Lion VPN client is disconnecting after about 45-50 minutes of connection time. The log for the Cisco client shows it is sending a keep-alive on the IPSec SA every 10 seconds – how do I show the same log for Mac OS X?

    1. Hello Darin,
      I’ve seen the same issue as well, that the connection is lost after a certain moment of 45 to 50 minutes. But I haven’t seen it in all configurations. For example, on a Cisco IOS router I’ve seen this issue, but when I connect to a Cisco ASA I don’t have the issue.
      I have to figure out how to create an AnyConnect profile on a Cisco ASA; if I find that one it would probably be easier, because there is an AnyConnect client available from Cisco which supports Mac OS X Lion.
      On the question of where you could find the log files: I’ve no clue yet. I looked but couldn’t find any in the /var/log/ directory.
      Fred

    1. Could you please explain which part you are mentioning? I don’t understand it correctly (or it’s just too early at the moment for me).
      If you mean which information you need to create the VPN connection:
      – DNS name or external IP address of the main location where you want to connect to.
      – Group name which is configured on the access device.
      – Key which is configured on the access device.
      – Granted access for the user who wants to connect.

  10. Hey guys,
    it says in the steps that we have to fill the blanks with the information provided by the “administrator”; what administrator??
    I just downloaded the VPN client from a random website.

    1. What administrator depends on the situation and to where you connect to.
      There should be someone who can provide the information in case you can’t connect right?

    1. Hey Bob,
      I noticed that also, but only when I connect to a Cisco IOS router. To a Cisco ASA it doesn’t happen. (Well, I haven’t noticed it yet with a connection to a Cisco ASA.)

    1. Indeed, I haven’t seen it yet, or it should be fixed in an IOS update or Mac OS X update. The only thing I could test is whether I find the issue in one configuration compared to another where I may not have the issue.

  11. I keep getting the below error and am unable to connect to the Cisco VPN. I tried restarting and starting the racoon service, but as soon as I click on connect, the racoon service gets stopped. I’m in a fix, dependent on VPN as my job involves late night meetings.
    “The VPN server did not respond. Verify the server address and try reconnecting.”
    Can anyone help me?

    1. Uhm, it sounds like you have something configured wrong in your VPN profile or on the Cisco device in the office. Does the login prompt pop up where you enter your username and password? If that doesn’t show up it doesn’t work. (I hope you use the built-in VPN of Mac OS X (Mountain) Lion?) Because the VPN client which Cisco provides is only available for 32-bit operating systems (unless you use Windows, where the 32- and the 64-bit version are available).
      Can you ping the VPN server (which is the Cisco router or ASA)? If you can ping that one, check whether your pre-shared key is correct, and of course the group name.

      1. Hi Fred,
        Thanks for your response. It connects sometimes, but I couldn’t find the trend on when it gets connected and when it doesn’t. So I don’t think there is an issue with the configuration. It’s a complex issue. When I connect at the office, it connects without any issue as well, so I couldn’t reproduce the same issue at work.
        Yes, I use the built-in VPN for Mac OS X Lion. Whenever it doesn’t connect, I couldn’t ping the server.

  12. The built-in “native” Cisco VPN client on Lion uses UDP for the transport protocol. Many WiFi hotspots block all UDP by default. The Cisco client allows you to use TCP but doesn’t work in 64-bit mode on Lion. So it might connect at the office just fine, but take it home or to the coffee bar or hotel and it will fail. Wish there was a way to configure the native client to use TCP instead of UDP.

  13. Hi, thanks a lot for your help! I have a problem, though.
    My ifconfig shows this:
    utun0: flags=8051 mtu 1280
    inet 10.0.56.23 --> 10.0.56.23 netmask 0xffffffff
    As you can see, both points are the same (10.0.56.23), so the gateway for my IP is also my IP!!
    netstat -r -n shows only this line regarding the utun0:
    10.0.56.23 10.0.56.23 UH 1 30 utun0
    So the IP range I need to reach is not there; I have no route for the IP range I need.
    Do you have any idea? Thanks in advance!
    Cheers,
    Ramiro.

    1. Hey Ramiro,
      I think there is something wrong in your VPN configuration on the Cisco IOS router or ASA. At the company where I work, we use a Cisco ASA 5505, and when I make a VPN connection with my MacBook Pro I see the following routes. (You don’t have an exempt which allows traffic from
      In my case these are the networks I’m connected to. The IP address you got for your VPN connection is indeed also your gateway.
      172.18/22 192.168.253.119 UGSc 0 11 utun0
      172.18.8/24 192.168.253.119 UGSc 0 0 utun0
      Just be aware that you don’t use the same subnet in the local network where you are working. If this is the same as your VPN network, then you may have issues with not getting into the company’s network.
      I can show you at the moment only a sample of a Cisco ASA.
      You need split tunneling to permit usage of your local internet connection when connected to the office:
      access-list remote_splitTunnelAcl standard permit 172.18.0.0 255.255.252.0
      Create an outbound NAT ACL:
      access-list outside_nat0_outbound extended permit ip 172.18.0.0 255.255.252.0 192.168.254.0 255.255.255.0
      I hope I gave you some inspiration for your issue, and I hope you find the problem and solve it. If you need further information, contact me.
      Fred
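To make the route check in this exchange repeatable, here is an added Python example (written for this page, not by its author) that parses netstat -rn output laid out as in the two tables above, does a longest-prefix lookup for a destination, and reports whether traffic to it would leave through utun0. The two tables are reconstructed from the comments, each with a constructed default route via en0 so a lookup has somewhere to fall through to; the office host 172.18.8.10 is a hypothetical target.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str, str]  # (destination, gateway, interface)

# Ramiro's table as quoted above, plus a constructed default route via en0
# and the usual loopback entry.
RAMIRO_TABLE = """\
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           12        0     en0
10.0.56.23         10.0.56.23         UH              1       30   utun0
127                127.0.0.1          UCS             0        0     lo0
"""

# Fred's two utun0 routes, with the same constructed default route.
FRED_TABLE = """\
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           12        0     en0
172.18/22          192.168.253.119    UGSc            0       11   utun0
172.18.8/24        192.168.253.119    UGSc            0        0   utun0
"""


def expand_bsd_dest(dest: str) -> Optional[ipaddress.IPv4Network]:
    """Turn a BSD-style netstat destination into an IPv4 network.

    BSD netstat abbreviates: '172.18/22' means 172.18.0.0/22, a bare '127'
    means the classful 127.0.0.0/8, and a full dotted quad without a prefix is
    a host route. Anything that is not IPv4 (IPv6, the column header) gives None.
    """
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        return None
    if not plen:
        plen = "32" if len(octets) == 4 else str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    try:
        return ipaddress.IPv4Network(".".join(octets) + "/" + plen, strict=False)
    except ValueError:
        return None


def parse_routes(netstat_output: str) -> List[Route]:
    """Parse 'netstat -rn' lines: Destination Gateway Flags Refs Use Netif [Expire]."""
    routes: List[Route] = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # banners, blank lines, IPv6 section title
        net = expand_bsd_dest(parts[0])
        if net is not None:
            routes.append((net, parts[1], parts[5]))
    return routes


def route_for(routes: List[Route], host: str) -> Optional[Route]:
    """Longest-prefix match, which is how the kernel picks a route."""
    addr = ipaddress.IPv4Address(host)
    best: Optional[Route] = None
    for route in routes:
        if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def reaches_over_tunnel(netstat_output: str, host: str, tunnel_if: str = "utun0") -> bool:
    """True if traffic to host would leave via the VPN tunnel interface."""
    route = route_for(parse_routes(netstat_output), host)
    return route is not None and route[2] == tunnel_if


if __name__ == "__main__":
    import subprocess
    import sys
    target = "172.18.8.10"  # hypothetical office host
    for name, table in (("Ramiro", RAMIRO_TABLE), ("Fred", FRED_TABLE)):
        print(name, target, "via", route_for(parse_routes(table), target))
    if sys.platform == "darwin":  # the BSD layout this parser expects
        live = subprocess.run(["netstat", "-rn"], capture_output=True, text=True).stdout
        print("live table:", target, "over utun0:", reaches_over_tunnel(live, target))
```

With Ramiro's table the lookup falls through to the default route on en0, which is exactly his symptom: the tunnel is up, but without a split-tunnel route pushed by the ASA nothing is sent through it. With Fred's table the /24 wins over the /22 and the host is reached via utun0.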
