Small note: Linux and Cisco VPN client (vpnc)

The scenario I faced is probably typical of many IT guys who work from home: I needed to connect to my work VPN, but I prefer to use my more powerful Linux machine at home. IT here only really supports Windows, so I was on my own. The VPN uses Cisco technology, and IT had already configured my Windows laptop with the “.PCF” configuration files that the Cisco VPN client uses to connect to the VPN server.

So I had my PCF file; all I needed was to use it from my Linux machine. Enter “vpnc” (apt-get install vpnc), which seems to be the more widely used Linux Cisco VPN client (it’s now integrated into Ubuntu’s native Network Manager; see here). Also, there are some simple guides on the internet that describe just how to do this:

http://www.debuntu.org/how-to-connect-to-a-cisco-vpn-using-vpnc

There were one or two others; Google is your friend here. The observation I wanted to make is about the group password (Cisco speak for the VPN Pre Shared Key). In most PCF files, for security reasons the group password is encrypted and would be a hexadecimal string that starts off looking like this:

enc_GroupPwd=AD6C59431B2990AAC5DC09AB…

Most of these articles seem to think that you need to decrypt this string and then use the decrypted password with vpnc. It’s relatively easy to do this (search for cisco-decrypt.c, so IT admins beware if you are in a high-security environment) but I think it’s an unnecessary step. Going through the vpnc man pages, we see an interesting option:

(configfile only option)
              your group password (obfuscated)
       conf-variable: IPSec obfuscated secret <hex string>

So, you can simply copy/paste the encrypted group password from your Windows .PCF file to your Linux vpnc.conf file, similar to:

IPSec obfuscated secret AD6C59431B2990AAC5DC09AB…

No need to decrypt 🙂
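
The same copy step done by script, as an added example that is not part of the original post: it reads a .PCF profile and emits the matching vpnc.conf lines, carrying enc_GroupPwd over unchanged. The sample profile is constructed; the mapping of Host, GroupName and Username to vpnc variables, the handling of a leading "!" on PCF keys, and the 0600 file mode (added because the obfuscated value is reversible) are assumptions about a typical setup.

```python
import configparser
import os
import re

# Constructed sample profile; host, group and hex value are made up.
SAMPLE_PCF = """[main]
Description=Example profile
!Host=vpn.example.com
AuthType=1
GroupName=staff
GroupPwd=
enc_GroupPwd=00112233445566778899AABBCCDDEEFF
Username=alice
"""

# PCF key (lower-cased by configparser) -> vpnc.conf variable
PCF_TO_VPNC = {
    "host": "IPSec gateway",
    "groupname": "IPSec ID",
    "enc_grouppwd": "IPSec obfuscated secret",
    "username": "Xauth username",
}

def pcf_to_vpnc(pcf_text):
    """Return vpnc.conf text built from the [main] section of a PCF profile."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(pcf_text)
    # Assumption: a leading '!' only marks the key read-only in the Cisco client.
    main = {k.lstrip("!"): v.strip() for k, v in parser["main"].items()}
    secret = main.get("enc_grouppwd", "")
    # Refuse to write a config if the obfuscated secret is absent or malformed.
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", secret):
        raise ValueError("enc_GroupPwd missing or not a hex string")
    lines = [f"{var} {main[key]}" for key, var in PCF_TO_VPNC.items() if main.get(key)]
    return "\n".join(lines) + "\n"

def write_private(path, text):
    """Write the config readable by its owner only (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # also tightens a file that already existed

if __name__ == "__main__":
    print(pcf_to_vpnc(SAMPLE_PCF), end="")
```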