Customizing the Cisco or IPSec VPN client in Snow Leopard

The Snow Leopard VPN is not very configurable from the GUI, but behind the scenes it is using a racoon configuration.

To grab the configuration it is generating, configure the VPN in the System Preferences GUI, then rename /usr/sbin/racoon and try connecting. The config file will be written in /var/run/racoon/. Grab a copy of that file and customize it to your needs. Once you have the config file, rename racoon back to its original name.

Then to make the GUI use your custom config file instead of the one it generates, edit /etc/racoon/racoon.conf to include your custom config file and comment out the line:
include "/var/run/racoon/*.conf" ;

By making a few changes I was able to get a successful connection to our Cisco VPN Concentrators.

I’m hoping there is a less hacky way to accomplish this. If you know of one, let me know. Otherwise file a bug with Apple.
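Two helper functions for the steps above, added here as an example and not part of the original post: one polls /var/run/racoon/ and copies any generated *.conf out before it disappears, the other rewrites /etc/racoon/racoon.conf to comment out the dynamic include and add your custom file. The paths are the ones named above; the custom file name (/etc/racoon/custom-cisco.conf) is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Run as root on the real system.

# Poll WATCH_DIR for *.conf files and copy each one into DEST_DIR, giving up
# after TIMEOUT seconds. Returns 0 once at least one file has been captured.
capture_racoon_conf() {
    watch_dir=$1; dest_dir=$2; timeout=${3:-60}
    mkdir -p "$dest_dir"
    deadline=$(( $(date +%s) + timeout ))
    captured=0
    while [ "$(date +%s)" -lt "$deadline" ]; do
        for f in "$watch_dir"/*.conf; do
            [ -f "$f" ] || continue
            # cp can race with racoon deleting the file; treat that as a miss
            cp "$f" "$dest_dir/$(basename "$f")" 2>/dev/null && captured=1
        done
        [ "$captured" -eq 1 ] && return 0
        sleep 1
    done
    return 1
}

# Point CONF (normally /etc/racoon/racoon.conf) at CUSTOM instead of the
# GUI-generated files: comment out the /var/run/racoon include and append an
# include for CUSTOM. Keeps a .bak copy and is safe to run more than once.
# Assumption: the include line is written exactly as the post shows it.
use_custom_racoon_conf() {
    conf=$1; custom=$2
    cp "$conf" "$conf.bak"
    # -i.tmp works with both BSD (macOS) and GNU sed; '&' is the matched text
    sed -i.tmp 's|^[[:space:]]*include "/var/run/racoon/\*\.conf"[[:space:]]*;|# &|' "$conf"
    rm -f "$conf.tmp"
    grep -qF "include \"$custom\"" "$conf" || printf 'include "%s" ;\n' "$custom" >> "$conf"
}
```

Typical use: start `capture_racoon_conf /var/run/racoon /root/racoon-capture 120` in one terminal, then connect from the GUI with racoon renamed; afterwards edit the captured file, copy it to /etc/racoon/custom-cisco.conf and run `use_custom_racoon_conf /etc/racoon/racoon.conf /etc/racoon/custom-cisco.conf`.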


9 thoughts on “Customizing the Cisco or IPSec VPN client in Snow Leopard”

  1. Following this procedure, I get “A configuration error occurred. Verify your settings” etc. etc. when I try a connection after renaming racoon. Bummer.

    • Renaming racoon is only so you have time to grab the config file in /var/run/racoon/. Once you have that, you’ll need to rename it back. You may also need to start racoon manually.

  2. That’s really cool, I’ll have to give that a try.

    Do you know if the VPN client config will apply to all network Locations that are set up?

      • You have to be somewhat quick in grabbing the config file from /var/run. Renaming the racoon binary causes a delay so you can grab it. I haven’t tried it on newer versions of 10.6. They may have changed the code. You could try on 10.6.0.

  3. Followed the instructions. Hard to capture the file before racoon deletes it. I used TextWrangler to open it immediately when it was created and TW held a copy in memory after the file was deleted (!!)

    Now I have to figure out how to mod the config to use different logon options. Our Cisco engineers have the concentrators set to use the MSLogon=1 option and the type is 0. Not sure how to tell racoon to do that.

  4. I am looking for someone who successfully connected with racoon/setkey to a Cisco concentrator via the command line. Please let me know as I have some questions regarding a software project. Thanks!
