Programmatically determine if Cisco VPN Client is connected
M

7

7

I am working with the basic Cisco VPN client (v.5 I believe). Is there any way to determine programmatically if a particular profile (or any profile for that matter) is connected?

I'm looking to somehow get a status from the client itself. I don't want to have to try to ping some IP on the other end of the VPN to see if I get a response.

Mcvey answered 4/2, 2009 at 17:18 Comment(1)
You did not mention the specifics of what language/platform/VPN method you are interested in, so it's hard to give specifics, but when using the full-blown VPN client software, a virtual network interface is created that you should be able to query for up/down status using the same tools that you would query any other network interface. – Obduce
R
2

There is an API for Cisco VPN (vpnapi.dll).

Rossini answered 1/3, 2010 at 21:7 Comment(1)
The documentation at that link is missing. – Ivaivah
H
2

I am unaware of any APIs for Cisco VPN client but you could use the underlying OS.

On Mac OS X, you can query the System Configuration framework because when Cisco VPN client connects it creates a number of keys in the configuration directory (DNS and stuff):

$ printf "get State:/Network/Service/com.cisco.VPN" | sudo scutil

The programmatic equivalent of the above can be achieved in plain C Carbon or ObjC Cocoa.

Halitosis answered 5/2, 2009 at 11:58 Comment(0)
C
2

There are several ways, actually, without using the API (which I still can't find/DL).

One of the easiest ways is to check a registry setting found at: HKEY_LOCAL_MACHINE\SOFTWARE\Cisco Systems\VPN Client\AllAccess\TunnelEstablished (0 or 1)

Another way to do it is to detect it by the name of the network interface it establishes, using ManagementObjectSearcher; sample code below:

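    using System;
    using System.Collections.Generic;
    using System.Management;   // requires a reference to System.Management

    static class CiscoVpnCheck
    {
        // Returns true if an IP-enabled adapter named "Cisco Systems VPN Adapter" exists.
        public static bool IsVpnAdapterPresent()
        {
            // Descriptions of all IP-enabled adapters
            var MojPopisDostupnih = new List<string>();
            try
            {
                using (var query = new ManagementObjectSearcher(
                    "SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'TRUE'"))
                // "native code call stack error"
                using (ManagementObjectCollection queryCollection = query.Get())
                {
                    foreach (ManagementObject mo in queryCollection)
                    {
                        // networksListBox.Items.Add(mo["Description"].ToString());
                        if (mo["Description"] != null)
                            MojPopisDostupnih.Add(mo["Description"].ToString());
                    }
                }
            }
            catch (Exception ex)
            {
                // WMI query failed: report it and treat the adapter as absent
                Console.Error.WriteLine(ex.Message);
                return false;
            }

            foreach (string description in MojPopisDostupnih)
            {
                if (description.IndexOf("Cisco Systems VPN Adapter") != -1)
                    return true;    // VPN adapter is among the IP-enabled ones
            }
            return false;           // no VPN adapter among the IP-enabled ones
        }
    }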

Yet another way is to use process.start to run a CLI (command line) of "vpnclient stat", redirect standard output to a stringbuilder in your app and then check the string whether it contains appropriate data - for more info on this see here:

http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/administration/guide/vcAch5.html

Corrianne answered 7/7, 2011 at 19:30 Comment(0)
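
The registry check and the adapter check described in this answer, combined into one PowerShell function. This is an added example, not part of the original answer: the function name `Get-CiscoVpnStatus` and the `WOW6432Node` path (for a 32-bit client on 64-bit Windows) are assumptions, while the registry value and the adapter description are the ones the answer gives.

```powershell
# Added example: reports each signal separately so a disagreement is visible.
function Get-CiscoVpnStatus {
    [CmdletBinding()]
    param(
        # Adapter description taken from the answer's C# sample.
        [string]$AdapterPattern = 'Cisco Systems VPN Adapter'
    )

    # First path is the one given in the answer. The WOW6432Node variant is an
    # assumption covering a 32-bit client installed on 64-bit Windows.
    $keys = @(
        'HKLM:\SOFTWARE\Cisco Systems\VPN Client\AllAccess',
        'HKLM:\SOFTWARE\WOW6432Node\Cisco Systems\VPN Client\AllAccess'
    )

    $tunnel = $null   # $null means the value was not found (signal unavailable)
    foreach ($key in $keys) {
        $prop = Get-ItemProperty -Path $key -Name TunnelEstablished -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $tunnel = ([int]$prop.TunnelEstablished -eq 1)
            break
        }
    }

    # Same WMI class as the C# sample, queried through CIM.
    $adapters = @(
        Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration `
                        -Filter 'IPEnabled = TRUE' -ErrorAction SilentlyContinue |
            Where-Object { $_.Description -like "*$AdapterPattern*" }
    )

    [pscustomobject]@{
        TunnelEstablished = $tunnel
        AdapterEnabled    = ($adapters.Count -gt 0)
        AdapterAddresses  = @($adapters | ForEach-Object { $_.IPAddress })
        # Connected only if the adapter is up and the registry does not say 0.
        Connected         = ($adapters.Count -gt 0) -and ($tunnel -ne $false)
    }
}

Get-CiscoVpnStatus | Format-List
```

A result where `AdapterEnabled` is true but `TunnelEstablished` is false means the two signals disagree, which is worth logging rather than treating as connected.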
P
2

Below is a VBS script to check the connection status:

bIsVPNConnected = False

Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2") 
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration",,48) 

For Each objItem in colItems 
   strConnection = LCase(objItem.Description)

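   If(InStr(strConnection, "cisco") > 0) Then
      wscript.echo (strConnection)
      ' Stay True once any Cisco adapter is IP-enabled; a later disabled one must not reset it
      If objItem.IPEnabled Then bIsVPNConnected = True
   End If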
Next

If(bIsVPNConnected) Then
   WScript.echo  "VPN connected"
Else
   WScript.echo  "Not VPN connected"
End If
Participle answered 4/3, 2016 at 15:8 Comment(1)
This still works in 2018! It also works for querying remote machines, if you replace the "\\.\" with "\\machine-name-here\". WMI is great stuff for querying machine config. – Gander
V
1

Well if all else fails, parse the output of "route". The routing used by CiscoVPN has a telltale mark there.

Viniferous answered 1/3, 2010 at 21:9 Comment(0)
P
1

As "diciu" wrote, you can query the System Configuration framework. The programmatic equivalent of the scutil command that he gave is something like

#import <SystemConfiguration/SystemConfiguration.h>

- (void)printPrimaryService {

    SCDynamicStoreRef dynamicStoreDomainState = SCDynamicStoreCreate(NULL,
                                                                     CFSTR("myApplicationName"),
                                                                     NULL,
                                                                     NULL);
    if (dynamicStoreDomainState) {
        NSString *netIPv4Key = [NSString stringWithFormat:@"%@/%@/%@/%@",
                                kSCDynamicStoreDomainState,
                                kSCCompNetwork,
                                kSCCompGlobal,
                                kSCEntNetIPv4];
        NSMutableDictionary *netIPv4Dictionary = (NSMutableDictionary *) SCDynamicStoreCopyValue(dynamicStoreDomainState, (CFStringRef)netIPv4Key);
        if (netIPv4Dictionary ) {
            NSString *primaryService = [netIPv4Dictionary objectForKey:(NSString *)kSCDynamicStorePropNetPrimaryService];
            if (primaryService) {
                NSLog(@"primary service = \"%@\"\n", primaryService);   /* When the Cisco VPN is active, I get "com.cisco.VPN" here */
            }
            [netIPv4Dictionary release];
        }
        CFRelease(dynamicStoreDomainState);
    }
}

Using the above, you can tell if the Cisco VPN client is connected. You can then do something similar to get the DNS servers associated with the VPN connection. I compare the resulting DNS servers to the DNS server of my company to tell if I'm VPN'd into my company. Klunky, but it works and it's fast - no waiting for a ping to timeout.

Note that with the recent version of the Cisco VPN Client, Cisco published an API. Unfortunately, it's only for Microsoft Windows. Maybe they'll produce one for Macs some day.

Pasquale answered 25/4, 2011 at 22:25 Comment(1)
I think the primary service is not necessarily the VPN; in some cases I get the VPN, but in others I get the physical en0, even if the VPN is further in the list. – Tine
T
0

Building on @Joshua's answer, this will echo if you're on or off VPN.

if (-not(route print | select-string AnyConnect)) { echo "Not on VPN" } else { echo "On VPN" }

While off VPN:

PS C:\> if (-not(route print | select-string AnyConnect)) { echo "Not on VPN" } else { echo "On VPN" }
Not on VPN

When on VPN:

PS C:\> if (-not(route print | select-string AnyConnect)) { echo "Not on VPN" } else { echo "On VPN" }
On VPN
Tenure answered 25/6, 2023 at 12:0 Comment(0)
