Decoding a .mobileconfig file containing a Cisco IPsec VPN configuration
When someone wants to give you access to a Cisco VPN, they might give you a .mobileconfig file. This is apparently used by MacOS and iOS to encapsulate the configuration parameters needed to connect to a VPN. You should be able to connect to it with open source software (such as NetworkManager and vpnc) as long as you have the right configuration. Some helpful soul has tried to give you that configuration, but it’s wrapped up in an Apple-specific container. Here’s how you rip it open and get the goodies.
File format
A .mobileconfig appears to contain:
- Some binary garbage which is safe to ignore
- An XML document containing the good bits, i.e.:
- The “local identifier” (i.e. IPsec group name)
- The “remote address” (i.e. IPsec gateway host)
- The shared secret (base64 encoded)
- Some more binary garbage which is safe to ignore
…and it looks like this:
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>IPSec</key>
<dict>
<key>AuthenticationMethod</key>
<string>SharedSecret</string>
<key>LocalIdentifier</key>
<string>LOCAL_IDENTIFIER_HERE</string>
<key>LocalIdentifierType</key>
<string>KeyID</string>
<key>RemoteAddress</key>
<string>REMOTE_ADDRESS_HERE</string>
<key>SharedSecret</key>
<data>
BASE64_ENCODED_SHARED_SECRET_HERE
</data>
</dict>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>0</integer>
</dict>
<key>PayloadDescription</key>
<string>...</string>
<key>PayloadDisplayName</key>
<string>...</string>
<key>PayloadIdentifier</key>
<string>...</string>
<key>PayloadOrganization</key>
<string>...</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>...</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Proxies</key>
<dict>
<key>HTTPEnable</key>
<integer>0</integer>
<key>HTTPSEnable</key>
<integer>0</integer>
<key>ProxyAutoConfigEnable</key>
<integer>0</integer>
<key>ProxyAutoDiscoveryEnable</key>
<integer>0</integer>
</dict>
<key>UserDefinedName</key>
<string>...</string>
<key>VPNType</key>
<string>IPSec</string>
</dict>
</array>
<key>PayloadDescription</key>
<string>...</string>
<key>PayloadDisplayName</key>
<string>...</string>
<key>PayloadIdentifier</key>
<string>...</string>
<key>PayloadOrganization</key>
<string>...</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>...</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
The shared secret is base64-encoded, so you can decode it with:
$ echo -n 'BASE64_ENCODED_SECRET_HERE' | base64 -d
Network Manager configuration
- Make sure you have network-manager-vpnc installed
- Click the Network Manager icon, select “VPN Connections”, “Configure VPN…”
- Create a “Cisco-compatible (vpnc)” connection
Create a “Cisco-compatible (vpnc)” VPN connection
- Configure the connection settings as follows:
Configure the connection settings
- Enter the “remote address” in the “Gateway” field
- Enter the “local identifier” in the “Group name” field
- Enter the shared secret in the “Group password” field
- To connect, click the Network Manager icon, select “VPN Connections”, and select the connection you just configured
Good luck and enjoy!
Syndicated 2012-11-16 02:29:03 from We'll see | Matt Zimmerman