How to save password for Cisco IPSec in Mac native VPN client?

Solution 1:

This looks like a very annoying and longstanding bug in Mac OS X/macOS.

10.6: Save Cisco IPSec password in the Keychain:

Mac OS X Snow Leopard added the support for Cisco IPSec VPN connections – that is, plain IPSec with XAuth authentication and mode_cfg.

That makes it two layers of authentication: first, Machine Authentication with a password (Shared Secret) or an X509 certificate. Then a traditional username-password pair for XAuth, both of which you can enter and save in the Account Name and Password fields respectively when you set up the connection. Trouble is, even though you entered your password and it is apparently saved in the keychain properly, Mac OS X keeps nagging you to manually enter the password every time you connect. Turns out this is just a bug with a simple fix.

Open the Keychain Access Application, select the System keychain and find your saved XAuth password entry in the list. Its Kind field will say IPSec XAuth Password. Open it, then on the Access Control tab click the Plus button to add another application. The file we need to select, /usr/libexec/configd, resides in a hidden folder. To navigate there, press Command+Shift+G, enter /usr/libexec, then pick configd in the dialog. Save your changes and that's it – your saved password should now work.

Another guide using pretty pictures: https://anders.com/guides/native-cisco-vpn-on-mac-os-x/

Apparently the same manual fix of adding configd to the Keychain-allowed applications has to be applied for using the built-in ipsec-vpn tools.

VPN ipsec Prompting Saved Password:

Symptoms:

On Mac OS X Snow Leopard (10.6.x) you are prompted to enter your VPN password even though you've previously saved it in the keychain. You are using IPSec on the built-in VPN client on Mac OS X Snow Leopard.

Explanation:

This is caused by a problem with the Keychain Access item for the VPN IPSec connection. A two minute fix will sort it out for you.

Solution:

  • Launch Keychain Access by clicking Applications > Utilities > Keychain Access
  • On the left upper pane, under Keychains select System
  • On the left lower, under Category select All Items
  • On the right side of the screen scroll to the bottom and locate the two items called VPN(IPSec)
  • Double-click the VPN(IPSec) whose kind is IPSec XAuth Password
  • Click the Access Control button/tab. The applications permitted to use this keychain item will be displayed below. If you’re prompted for your password, enter it.
  • Click the plus (+) sign
  • When the Finder window appears, press Cmd + Shift + G on your keyboard
  • When the Go To Folder dialog appears, enter /usr/libexec
  • Click Go
  • When the /usr/libexec folder appears scroll to configd, select it and click Add
  • Click Save Changes
  • Close Keychain Access and try connecting to your VPN again

Solution 2:

I found a neat workaround with AnyConnect CLI and Keychain.

The idea is to store my AnyConnect credential in Keychain, and use the AnyConnect's command line interface to access my saved credential and connect to VPN. It even works well with two factor authorization.

Say I want to connect to foo.bar.com with account acc and password pas.

  1. Save acc and pas pair in Keychain (under login not iCloud) with name fookey
  2. Run the following bash script to connect (save it in /usr/local/bin)
# Every line inside the here-doc is sent to the vpn CLI verbatim, so the
# comments stay out of it. The three answers are: 0 (foo.bar.com doesn't
# require two factor authorization), the vpn account, and the password
# looked up from the keychain.
/opt/cisco/anyconnect/bin/vpn connect foo.bar.com -s << EOM
0
acc
$(sudo security find-generic-password -ws fookey)
EOM

Using this approach, I don't need to type in my vpn password every time, and I won't write my password to files without encryption :)


If you are not familiar with bash script:

  • /opt/cisco/anyconnect/bin/vpn connect -s enters non-interactive mode.
  • << EOM ... EOM is called a here-doc, which uses a string in place of a file. It is very useful for scripting interactive CLIs, by writing each response as a new line.
  • security is a nice tool to access your Keychain from the command line.
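The same approach written as a small script, as an added example that is not part of the answer above: the answers for the AnyConnect CLI are built with printf instead of a here-doc (so no comment can leak into the input), the keychain lookup runs as the logged-in user rather than under sudo, and the secret only ever travels over stdin. The CLI path and the keychain item name fookey are taken from the answer; VPN_BIN and the function names are my own.

```shell
#!/bin/sh
# Added example, not the answer's own script. Assumes the AnyConnect CLI
# path and the keychain item name (fookey) from the answer above.
set -eu

# Path of the AnyConnect CLI; override with VPN_BIN for testing.
VPN_BIN="${VPN_BIN:-/opt/cisco/anyconnect/bin/vpn}"

# Read the password stored under service name $1 from the current user's
# login keychain. No sudo: running as root would search root's keychains.
keychain_password() {
    security find-generic-password -w -s "$1"
}

# Produce exactly the lines the CLI consumes in -s mode: group index,
# account, password. Nothing else may appear on these lines; a trailing
# "# comment" would be handed to the CLI as part of the value.
vpn_stdin_lines() {
    printf '%s\n' "$1" "$2" "$3"
}

# Connect to host $1 with group $2 and account $3, fetching the password
# from keychain item $4 at run time. The secret is piped over stdin only,
# so it is neither on the command line (visible in ps) nor in a plaintext file.
vpn_connect() {
    host="$1"; group="$2"; account="$3"; key="$4"
    pass="$(keychain_password "$key")"
    vpn_stdin_lines "$group" "$account" "$pass" | "$VPN_BIN" connect "$host" -s
}

# Usage (values from the answer): vpn_connect foo.bar.com 0 acc fookey
```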