Is it possible to connect to a Cisco VPN using OpenVPN?
May 18, 2010 4:50 AM

I'm a freelance contractor, and I'm having trouble connecting to a client's VPN. The problem is that I'm a contractor for a client of a client, so no one really seems to know what's going on, and I myself just barely understand how to set up a VPN to begin with. Google is only proving more confusing. Can the hive maybe point me in the right direction?

So, here's the situation. I just joined this project yesterday. I was emailed a .pcf file with the security credentials for the VPN, and Google tells me that this means our customer is using Cisco for their VPN. The other two people I'm working with already had Cisco VPN clients set up on their machines but can't remember any details about how or when they got there. I don't have a Cisco client installed on my computer, and when I went to download one, the Cisco website tells me I can't until I have some kind of officially sanctioned account registered on their website, which I don't.

So I downloaded OpenVPN instead, and I opened the .pcf file with a text editor and tried to manually configure the connection based on what I saw there, but no dice.

FWIW, this VPN belongs to a large multi-national company which has a lot of security restrictions, and connecting requires a token that changes every 60 seconds, so it's not just a little network someone set up in their basement.

So here are my questions:

1. Can I connect to a Cisco VPN using OpenVPN (or some other open-source client)? Or does it absolutely have to be Cisco's proprietary client?

2. Is there some way I can convert this .pcf file so that my open-source client can read it, rather than me having to manually enter the info?

3. Or am I just chasing my tail here, and this can only be solved by getting in touch with the customer's IT dept.? I'd like to avoid that if at all possible, since it might raise some unnecessary red flags and potentially bring the project to a temporary halt.

Sorry if this is a stupid question, and thanks for any help you can give!
posted by roscopcoletrane to Computers & Internet (15 answers total)
It sounds like you might be in a legal gray area in whether or not the client has actually given you permission to use their network. Your employer could get in a boatload of trouble if the client finds out and has not expressly allowed sharing of their network credentials. Tread very carefully.

That said, I've successfully connected to Cisco VPNs using a freely downloadable client from the Ubuntu library (can't remember which one it was but the description expressly mentioned being able to use .pcfs). I didn't need to alter the .pcf file in any way.

I'm sure there are other sources of the Cisco client software. I'm not sure about the official legality of it, but if you really do have permission to connect to their network, and one of those little hardware tokens, I would guess that whoever is giving you that is implicitly giving you their permission to download the VPN software as well.
posted by mneekadon at 5:02 AM on May 18, 2010

I'm not a VPN expert, but I'm a freelance contractor who definitely feels your pain; I hate it when I have to spend the first few days of a new contract just getting to the point where I can start to do the job.

I've been in this exact situation with a past client. I'm almost certain you need the Cisco client -- I dinked around with others just as you are, but nothing else would work. I had to get the customer to supply a copy of the program because (as you say) it's not available for download.

So, yes, you're chasing your own tail. I don't see where mneekadon is getting his 'legal gray area' -- you've been contracted to do work that presumably has to be done inside this network; if you can't connect to that network you can't complete your contract. Personally I wouldn't try contacting their IT department directly, rather pass the request on to whoever your primary contact is. Doing so shouldn't "bring the project to a halt" any more than you not being able to do your work would, yeah?
posted by ook at 5:21 AM on May 18, 2010

Can I connect to a Cisco VPN using OpenVPN (or some other open-source client)? Or does it absolutely have to be Cisco's proprietary client?

I don't know about OpenVPN, but Shrew Soft VPN imports .pcf files.
posted by belladonna at 5:37 AM on May 18, 2010

I've been in exactly your situation. Seriously, call the help desk for the client (the ultimate client, the multi-national). You need to use their setup, not a substitute downloaded somewhere. Their help desk will have a script that they will read to you, to walk you through the setup process. It's the help desk's job to help you, and the client wants you to do this. You should already be in their system, as it went through an approval process already to grant you access.
posted by Houstonian at 5:47 AM on May 18, 2010

I am about 80% sure that OpenVPN will not do this. I was in a similar situation once and tried to get OpenVPN working, and it didn't work. Just couldn't get it going. VPN stuff is apparently standardized at the low level, but the authentication and other high-level handshaking stuff is extremely proprietary, particularly when it's integrated with an SSO / two-factor system.

My guess is that you really need to get the official Cisco client. Cisco, for whatever reason, doesn't make these things particularly easy to find or download. Generally companies send you a link to a download site at the same time that they send you the VPN settings file (if they're competent, anyway).

If you have a hardware token it sounds like you have permission to access the VPN; I would call up BigCo's internal tech support line and ask them. It's probably a question that they get about a dozen times a day or more. They'll probably just email you a link to a download location for the VPN client, or even just send you an installer.

The other thing you could ask for, or maybe poke around for yourself, is a "web VPN" ... many Cisco systems offer this in addition to working with the Cisco thick client. Basically you go to a web site and the VPN client gets loaded as an in-browser ActiveX control (so, yeah, they're generally IE-only). Terrible, ugly hack, but sometimes the only way to get into some corporate systems. And I've seen them working with RSA tokens and stuff too. Sometimes if you just go to the VPN concentrator's address using a web browser you will get to it.
posted by Kadin2048 at 5:55 AM on May 18, 2010

IIRC, Cisco's VPN is ipsec based. OpenVPN is its own protocol, and the two aren't compatible.

Talk to the IT people. They should have provided some sort of way to download the Cisco client software.
posted by chengjih at 6:10 AM on May 18, 2010

It may depend which VPN servers you're trying to connect to. FWIW, I have no problem whatsoever connecting to my university's Cisco-based VPN setup using Ubuntu. Much depends on the precise configuration, but if the server is running the old Cisco AnyConnect solution (IIRC), which uses a group password encrypted in the .pcf file, possibly together with a username and password pair for authentication, then you need to grab a copy of cisco-decrypt, or just use this site to decrypt the group password.

Then you just need to make sure you have the network-manager-vpnc client packages installed in your Ubuntu install & select the VPN setup from the network icon at top right, put the details from the .pcf file in (including the group password you just decrypted) & everything should just work.

If your employer is using the newer Cisco setup, which has a more secure authentication setup, then vpnc doesn't work IIRC: you need one of the other network-manager-vpn clients.
posted by pharm at 6:13 AM on May 18, 2010

You'll probably need network-manager-vpnc-gnome as well btw.

Oh, and I lied: vpnc is for Cisco Concentrator based VPNs. You need network-manager-openconnect for AnyConnect servers.
posted by pharm at 6:18 AM on May 18, 2010
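As an added example (not from the thread or from the vpnc project), here is how the fields in a Cisco .pcf profile map onto a vpnc.conf stanza, for the question's point 2 and pharm's vpnc posts above. vpnc's `IPSec obfuscated secret` directive takes the enc_GroupPwd value as-is, so nothing needs decrypting just to connect; the host, group name, user and hex blob below are constructed sample values. Since the obfuscated group password is reversible (that is what cisco-decrypt does), treat the .pcf and the generated vpnc.conf as credential files.

```python
"""Convert a Cisco VPN client .pcf profile into a vpnc.conf stanza.

A .pcf is an INI-style file with a [main] section. vpnc accepts the
encrypted group password directly via "IPSec obfuscated secret".
"""
import configparser

# Constructed sample profile; gateway, group, user and hex blob are made up.
SAMPLE_PCF = """\
[main]
Description=Constructed sample profile
Host=vpn.example.com
AuthType=1
GroupName=contractors
enc_GroupPwd=00112233445566778899AABBCCDDEEFF0011223344556677
Username=jdoe
SaveUserPassword=0
EnableNat=1
"""

# .pcf key (lower-cased by configparser) -> vpnc.conf directive.
FIELD_MAP = {
    "host": "IPSec gateway",
    "groupname": "IPSec ID",
    "enc_grouppwd": "IPSec obfuscated secret",  # encrypted group password
    "grouppwd": "IPSec secret",                 # plaintext group password
    "username": "Xauth username",
}

def parse_pcf(text):
    """Return the non-empty [main] entries of a .pcf; tolerates CRLF files."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("main"):
        raise ValueError("no [main] section: not a Cisco .pcf profile")
    return {k: v.strip() for k, v in cp.items("main") if v.strip()}

def pcf_to_vpnc(text):
    """Build a vpnc.conf stanza; fail loudly if the profile is unusable."""
    fields = parse_pcf(text)
    missing = [k for k in ("host", "groupname") if k not in fields]
    if missing:
        raise ValueError("pcf lacks required field(s): " + ", ".join(missing))
    if "enc_grouppwd" not in fields and "grouppwd" not in fields:
        raise ValueError("pcf has neither enc_GroupPwd nor GroupPwd")
    lines = [f"{FIELD_MAP[k]} {fields[k]}" for k in FIELD_MAP if k in fields]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(pcf_to_vpnc(SAMPLE_PCF), end="")  # redirect to a 0600 vpnc.conf
```

Only the Xauth username is carried over; the Xauth password (the 60-second token in the question) is entered at connect time rather than stored.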

The reason you don't find much info is that this is security territory, and sharing security info is unwise. If possession of the .pcf file granted access, it wouldn't be secure. My employer uses a Cisco VPN, not the same type. I can't think of any reason that using the Cisco VPN client would cause your computer harm. I'd call their Helpdesk, ask what authorization is required for VPN connectivity, and get that. If you use someone else's credentials at my work, their account gets shut down until they discuss the Acceptable Use Policy with IT. If a contractor did this, it would be a problem.

From an IT standpoint, people who do end-runs around security are unwelcome. If you're that guy, everything will be more difficult.
posted by theora55 at 6:30 AM on May 18, 2010

Contact the customer's IT department and get the Cisco VPN client from them. This is important, as some versions of Cisco firewalls will only work with certain versions of the client. Cisco will not provide you with a download of the client - the idea is that you should get it from the IT department, whom Cisco did provide with the software.

Most places I have worked had a web page where you download the client after some sort of authentication. So, if you don't want to call IT, you can probably poke around a bit and see if this company has a secure employee resources website.

In my experience, the open source clients can sometimes work with Cisco, sometimes not. Usually, it's not worth the hassle, especially as Cisco provides clients for almost any OS you like (although the Linux ones will require compiling a kernel module).

As for your ambivalence about calling IT.... well, you might consider how they will feel about you using someone else's credentials. At the places I worked, that wouldn't merely result in the project being temporarily terminated but also the employee(s). If you actually have your own access then there is nothing to worry about.
posted by Pogo_Fuzzybutt at 6:36 AM on May 18, 2010

Pogo, in my experience the Cisco clients for Linux and OSX have been terrible. The Linux versions require compiling weird kernel modules that reimplement an entire IPSEC stack for no good reason and often don't compile against current kernels (where current might mean "released in the last 18 months") & have a bloated GUI which is a massive pain to use. Last I saw, the OSX client was the same, only with some horrendous OS9 GUI (UI guidelines? What are they?) that regularly fell over when I tried to use it: I ended up having to compile my own vpnc binaries under OSX in order to get a reliable connection.

VPNC on the other hand, is a mere 16kb or so of code that uses the existing IPSEC infrastructure in the Linux kernel. It just works. Personally, if I can get the open source clients working, then I'll choose them *every* time over the Cisco code.

theora55: Given the way the Cisco client insists on installing its own IPSEC infrastructure into the kernel, combined with the very poor QA on the GUI, I personally wouldn't be surprised at all if the kernel code had horrible bugs that were quite capable of causing my computer harm. The security of the connection is the responsibility of the server anyway: it should be independent of the choice of client.
posted by pharm at 7:03 AM on May 18, 2010 [1 favorite]

If you Google around a bit, you can usually find download links for Cisco VPN clients hosted on university pages. "My friend" found the Mac client this way pretty easily.
posted by mkultra at 7:16 AM on May 18, 2010

Yes, the official Cisco VPN client for Mac is terrible, but with 10.6 the built-in VPN client has an option for Cisco IPSec and works wonderfully.
posted by thewalledcity at 9:09 AM on May 18, 2010

As for your ambivalence about calling IT.... well, you might consider how they will feel about you using someone else's credentials. At the places I worked, that wouldn't merely result in the project being temporarily terminated but also the employee(s). If you actually have your own access then there is nothing to worry about.
posted by mneekadon at 10:11 AM on May 18, 2010

I would voice a second vote for the Shrew Soft client. I had trouble finding the Cisco client for Windows 7 anywhere and my organization doesn't support Windows 7. Hell, they barely support IE 7. Shrew Soft met my needs, imported my .pcf file and has worked flawlessly for the last two months.
posted by mickbw at 9:47 PM on May 18, 2010
