vpnc launchd and start/stop control scripts

org.macports.vpnc.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
<plist version="1.0">
<dict>
  <key>Disabled</key>
  <true/>
  <key>Label</key>
  <string>org.macports.vpnc</string>
  <key>ProgramArguments</key>
  <array>
    <string>/opt/local/sbin/vpnc</string>
    <string>--debug</string>
    <string>2</string>
	<string>--no-detach</string>
	<string>/opt/local/etc/vpnc/default.conf</string>	
  </array>
  <key>StandardErrorPath</key>
  <string>/opt/local/var/log/vpnc/vpnc.log</string>
  <key>StandardOutPath</key>
  <string>/opt/local/var/log/vpnc/vpnc.log</string>
  <key>RunAtLoad</key>
  <true/>
  <key>KeepAlive</key>
  <!-- NetworkState key is no longer implemented in OS X 10.10 Yosemite.
  	<dict>
  		<key>NetworkState</key>
  		<true/>
  	</dict> -->
  <true/>
</dict>
</plist>

vpnc-start

#!/bin/sh
if [ "$(id -u)" -ne 0 ]; then
	SELF=`echo $0 | sed -ne 's|^.*/||p'`
	echo "$SELF must be run as root." 1>&2
	echo "try: sudo $SELF" 1>&2
	exit 1
fi
PLIST=/Library/LaunchDaemons/org.macports.vpnc.plist 
CONF=`grep \.conf $PLIST | sed 's/<[^>]*>//g' | tr -d " \t"`
GATEWAY=`grep gateway $CONF`
ERROR=$( { /bin/launchctl load -w $PLIST; } 2>&1 )
if [ -z "$ERROR" ]; then
	echo "starting vpnc daemon connection to $GATEWAY."
else
	echo $ERROR
fi

vpnc-stop

#!/bin/sh
if [ "$(id -u)" -ne 0 ]; then
	SELF=`echo $0 | sed -ne 's|^.*/||p'`
	echo "$SELF must be run as root." 1>&2
	echo "try: sudo $SELF" 1>&2
	exit 1
fi
PLIST=/Library/LaunchDaemons/org.macports.vpnc.plist 
CONF=`grep \.conf $PLIST | sed 's/<[^>]*>//g' | tr -d " \t"`
GATEWAY=`grep gateway $CONF`
ERROR=$( { /bin/launchctl unload -w $PLIST; } 2>&1 )
if [ -z "$ERROR" ]; then
	echo "stopping vpnc daemon connection to $GATEWAY."
else
	echo $ERROR
fi

vpnc.conf

# logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
/opt/local/var/vpnc/*.log                644  3     1000    *   J

Installing vpnc from MacPorts

sudo port install vpnc tuntaposx
sudo launchctl -w load /Library/LaunchDaemons/org.macports.tuntaposx

• Configure VPN connection in /opt/local/etc/vpnc/defualt.conf
• use cisco-derypt(1) to convert enc_GroupPwd from corporate .pcf file to "IPSec secret" field in default.conf

Example config

IPSec gateway **vpn-server-hostname-or-ip**
IPSec ID **GroupName-from-.pcf**
IPSec secret **output-of-cisco-decrypt-here**
IKE Authmode psk
Xauth username **my-corporate-username**
Xauth password **super-secure-password**
NAT Traversal Mode cisco-udp
DPD idle timeout (our side) 0

File locations

• plist goes in /Library/LaunchDaemons
  • when plist is loaded it will restart vpnc and reconnect as long as network is available
• start/stop shell scripts go in /usr/local/bin (or somewhere in path) with +x bit set.
• vpnc.conf goes in /etc/newsyslog.d
• create /var/log/vpnc and symlink /opt/local/var/log/vpnc/vpnc.log to /var/log/vpnc/vpnc.log for integration with Console.app

Usage

$ sudo vpnc-start
Password:
starting vpnc daemon connection to IPSec gateway vpn.corporate.com.
$ sudo vpnc-stop
stopping vpnc daemon connection to IPSec gateway vpn.corporate.com.
$ 

Yosemite disables loading of unsigned kernel extensions by default which makes tuntaposx build by MacPorts fail to load and vpnc fail to work. Enabling kext developer mode solves the problem at the expense of a less secure posture than the default.

sudo nvram boot-args="kext-dev-mode=1" 

Reversible:

sudo nvram -d boot-args

Alternative. Replace tun.kext and tap.kext built by MacPorts with signed versions.

curl -O http://download.wolfereiter.com/tuntaposx.extensions.tgz
tar xzvf tuntaposx.extensions.tgz -C /opt/local

(These came from Tunnelblick v3.4.1.)