How to Connect to a VPN in iOS Swift?

Is it possible to connect to a Cisco VPN using OpenVPN?

  • I'm a freelance contractor, and I'm having trouble connecting to a client's VPN. The problem is that I'm a contractor for a client of a client, so no one really seems to know what's going on, and I myself just barely understand how to set up a VPN to begin with. Google is only proving more confusing. Can the hive maybe point me in the right direction?

    So, here's the situation. I just joined this project yesterday. I was emailed a .pcf file with the security credentials for the VPN, and Google tells me that this means our customer is using Cisco for their VPN. The other two people I'm working with already had Cisco VPN clients set up on their machines but can't remember any details about how or when they got there. I don't have a Cisco client installed on my computer, and when I went to download one, the Cisco website tells me I can't until I have some kind of officially sanctioned account registered on their website, which I don't. So I downloaded OpenVPN instead, and I opened the .pcf file with a text editor and tried to manually configure the connection based on what I saw there, but no dice. FWIW, this VPN belongs to a large multi-national company which has a lot of security restrictions, and connecting requires a token that changes every 60 seconds, so it's not just a little network someone set up in their basement.

    So here are my questions:

    1. Can I connect to a Cisco VPN using OpenVPN (or some other open-source client)? Or does it absolutely have to be Cisco's proprietary client?
    2. Is there some way I can convert this .pcf file so that my open-source client can read it, rather than me having to manually enter the info?
    3. Or am I just chasing my tail here, and this can only be solved by getting in touch with the customer's IT dept.? I'd like to avoid that if at all possible, since it might raise some unnecessary red flags and potentially bring the project to a temporary halt.

    Sorry if this is a stupid question, and thanks for any help you can give!

  • Answer:

    It sounds like you might be in a legal gray area in whether or not the client has actually given you permission to use their network. Your employer could get in a boatload of trouble if the client finds out and has not expressly allowed sharing of their network credentials. Tread very carefully. That said, I've successfully connected to Cisco VPNs using a freely downloadable client from the Ubuntu library (can't remember which one it was but the description expressly mentioned being able to use .pcfs). I didn't need to alter the .pcf file in any way. I'm sure there are other sources of the Cisco client software. I'm not sure about the official legality of it, but if you really do have permission to connect to their network, and one of those little hardware tokens, I would guess that whoever is giving you that is implicitly giving you their permission to download the VPN software as well.

roscopcoletrane at Ask.Metafilter.Com

Other answers

I'm not a VPN expert, but I'm a freelance contractor who definitely feels your pain; I hate it when I have to spend the first few days of a new contract just getting to the point where I can start to do the job. I've been in this exact situation with a past client. I'm almost certain you need the Cisco client -- I dinked around with others just as you are, but nothing else would work. I had to get the customer to supply a copy of the program because (as you say) it's not available for download. So, yes, you're chasing your own tail. I don't see where mneekadon is getting his 'legal gray area' -- you've been contracted to do work that presumably has to be done inside this network; if you can't connect to that network you can't complete your contract. Personally I wouldn't try contacting their IT department directly, rather pass the request on to whoever your primary contact is. Doing so shouldn't "bring the project to a halt" any more than you not being able to do your work would, yeah?

ook

Can I connect to a Cisco VPN using OpenVPN (or some other open-source client)? Or does it absolutely have to be Cisco's proprietary client? I don't know about OpenVPN, but http://www.shrew.net/ imports .pcf files.

belladonna

I've been in exactly your situation. Seriously, call the help desk for the client (the ultimate client, the multi-national). You need to use their setup, not a substitute downloaded somewhere. Their help desk will have a script that they will read to you, to walk you through the setup process. It's the help desk's job to help you, and the client wants you to do this. You should already be in their system, as it went through an approval process already to grant you access.

Houstonian

I am about 80% sure that OpenVPN will not do this. I was in a similar situation once and tried to get OpenVPN working, and it didn't work. Just couldn't get it going. VPN stuff is apparently standardized at the low level, but the authentication and other high-level handshaking stuff is extremely proprietary, particularly when it's integrated with an SSO / two-factor system. My guess is that you really need to get the official Cisco client. Cisco, for whatever reason, doesn't make these things particularly easy to find or download. Generally companies send you a link to a download site at the same time that they send you the VPN settings file (if they're competent, anyway). If you have a hardware token it sounds like you have permission to access the VPN; I would call up BigCo's internal tech support line and ask them. It's probably a question that they get about a dozen times a day or more. They'll probably just email you a link to a download location for the VPN client, or even just send you an installer. The other thing you could ask for, or maybe poke around for yourself, is a "web VPN" ... many Cisco systems offer this in addition to working with the Cisco thick client. Basically you go to a web site and the VPN client gets loaded as an in-browser ActiveX control (so, yeah, they're generally IE-only). Terrible, ugly hack, but sometimes the only way to get into some corporate systems. And I've seen them working with RSA tokens and stuff too. Sometimes if you just go to the VPN concentrator's address using a web browser you will get to it.

Kadin2048

IIRC, Cisco's VPN is ipsec based. OpenVPN is its own protocol, and the two aren't compatible. Talk to the IT people. They should have provided some sort of way to download the Cisco client software.

chengjih

It may depend which VPN servers you're trying to connect to. Fwiw, I have no problem whatsoever connecting to my university's Cisco-based VPN setup using Ubuntu. Much depends on the precise configuration, but if the server is running the old Cisco AnyConnect solution (IIRC) which uses a group password encrypted in the pcf file, possibly together with a username and password pair for authentication, then you need to grab a copy of cisco-decrypt, or just use the http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode site to decrypt the group password. Then you just need to make sure you have the network-manager-vpnc client packages installed in your Ubuntu install & select the VPN setup from the network icon at top right, put the details from the pcf file in (including the group password you just decrypted) & everything should just work. If your employer is using the newer Cisco setup, which has a more secure authentication setup, then vpnc doesn't work IIRC: you need one of the other network-manager-vpn clients.

pharm

You'll probably need network-manager-vpnc-gnome as well btw. Oh, and I lied: vpnc is for Cisco Concentrator based VPNs. You need network-manager-openconnect for AnyConnect servers.

pharm
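The manual step described in the two posts above (copying the details from the .pcf file into a vpnc setup), as an added example that is not part of the original thread: a small converter from a `.pcf` profile to vpnc configuration lines. It assumes the usual `[main]` INI layout with `Host`, `GroupName`, `enc_GroupPwd`/`GroupPwd`, `Username` and `AuthType` keys and vpnc's `IPSec gateway` / `IPSec ID` / `IPSec obfuscated secret` / `Xauth username` keywords; the sample profile and all values in it are constructed.

```python
import configparser

# Constructed sample profile; host, group, user and hex blob are placeholders.
SAMPLE_PCF = """\
[main]
Description=Example profile (constructed)
!Host=vpn.example.com
AuthType=1
GroupName=contractors
enc_GroupPwd=0123456789ABCDEF
Username=jdoe
"""


def read_pcf(text):
    """Return the [main] section as a dict with lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    # A leading '!' marks a field the administrator locked; drop the marker.
    return {k.lstrip("!"): v.strip() for k, v in cp["main"].items()}


def pcf_to_vpnc(text):
    """Map a group-password PCF profile to vpnc configuration lines."""
    pcf = read_pcf(text)
    # Assumption: AuthType=1 is group pre-shared key; other values mean
    # certificate or hybrid authentication, which this mapping does not cover.
    if pcf.get("authtype", "1") != "1":
        raise ValueError("profile does not use group-password authentication")
    for required in ("host", "groupname"):
        if not pcf.get(required):
            raise ValueError("missing %s in [main]" % required)
    lines = ["IPSec gateway " + pcf["host"], "IPSec ID " + pcf["groupname"]]
    if pcf.get("enc_grouppwd"):
        # vpnc accepts the obfuscated value as-is under this keyword.
        lines.append("IPSec obfuscated secret " + pcf["enc_grouppwd"])
    elif pcf.get("grouppwd"):
        lines.append("IPSec secret " + pcf["grouppwd"])
    if pcf.get("username"):
        lines.append("Xauth username " + pcf["username"])
    # No Xauth password line: with a rotating token, vpnc prompts at connect time.
    return lines


if __name__ == "__main__":
    print("\n".join(pcf_to_vpnc(SAMPLE_PCF)))
```

The resulting file contains the group secret, so it should be readable only by root, as vpnc's own configuration files are.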

The reason you don't find much info is that this is security territory, and sharing security info is unwise. If possession of the .pcf file granted access, it wouldn't be secure. My employer uses a Cisco VPN, not the same type. I can't think of any reason that using the Cisco VPN client would cause your computer harm. I'd call their Helpdesk, ask what authorization is required for VPN connectivity, and get that. If you use someone else's credentials at my work, their account gets shut down until they discuss the Acceptable Use Policy with IT. If a contractor did this, it would be a problem. From an IT standpoint, people who do end-runs around security are unwelcome. If you're that guy, everything will be more difficult.

theora55

Contact the customer's IT department and get the Cisco VPN client from them. This is important, as some versions of Cisco Firewalls will only work with certain versions of the client. Cisco will not provide you with a download of the client - the idea is that you should get it from the IT department whom Cisco did provide with the software. Most places I have worked had a web page where you download the client after some sort of authentication. So, if you don't want to call IT, you can probably poke around a bit and see if this company has a secure employee resources website. In my experience, the open source clients can sometimes work with Cisco, sometimes not. Usually, it's not worth the hassle, especially as Cisco provides clients for almost any OS you like (although the Linux ones will require compiling a kernel module). As for your ambivalence about calling IT.... well, you might consider how they will feel about you using someone else's credentials. At the places I worked, that wouldn't merely result in the project being temporarily terminated but also the employee(s). If you actually have your own access then there is nothing to worry about.

Pogo_Fuzzybutt
