Running Cisco Systems VPN Client with FreeBSD
Hello list,

We have a couple of clients which use Cisco VPNs for network access and I'm responsible for configuring a common gate to establish the VPN to the client network.

I have a Linux box which runs Cisco Systems VPN Client with no problems but I would like to give FreeBSD a go. My main concern is that this client, in Linux, includes a kernel loadable module named cisco_ipsec.

I haven't made any deep research on this but would like to know if there is anyone that works with this software with FreeBSD.

Thanks in advance for your time.

Regards,
--
Alexandre Vieira - [EMAIL PROTECTED]

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Running Cisco Systems VPN Client with FreeBSD
On Monday, October 23, 2006 at 09:58:36AM +0100, Alexandre Vieira wrote:

> Hello list,
>
> We have a couple of clients which use Cisco VPNs for network access and I'm responsible for configuring a common gate to establish the VPN to the client network.
>
> I have a Linux box which runs Cisco Systems VPN Client with no problems but I would like to give FreeBSD a go. My main concern is that this client, in Linux, includes a kernel loadable module named cisco_ipsec.
>
> I haven't made any deep research on this but would like to know if there is anyone that works with this software with FreeBSD.
>
> Thanks in advance for your time.

Hello,

From the ports, /usr/ports/security/vpnc worked for me out of the box;

matthias
--
Matthias Apitz
Manager Technical Support - OCLC PICA GmbH
Gruenwalder Weg 28g - 82041 Oberhaching - Germany
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e [EMAIL PROTECTED] - w http://www.oclcpica.org/ http://guru.UnixLand.de/
Re: Running Cisco Systems VPN Client with FreeBSD
On 10/23/06, Matthias Apitz [EMAIL PROTECTED] wrote:

> On Monday, October 23, 2006 at 09:58:36AM +0100, Alexandre Vieira wrote:
>
> > Hello list,
> >
> > We have a couple of clients which use Cisco VPNs for network access and I'm responsible for configuring a common gate to establish the VPN to the client network.
> >
> > I have a Linux box which runs Cisco Systems VPN Client with no problems but I would like to give FreeBSD a go. My main concern is that this client, in Linux, includes a kernel loadable module named cisco_ipsec.
> >
> > I haven't made any deep research on this but would like to know if there is anyone that works with this software with FreeBSD.
> >
> > Thanks in advance for your time.
>
> Hello,
>
> From the ports, /usr/ports/security/vpnc worked for me out of the box;
>
> matthias

Hello Matthias,

Thanks for the reply. I was talking with a network engineer and he told me that he already made some tests in the past with vpnc and that it doesn't work with most of the newest equipment that our clients use. The software tells me that it works with VPN Concentrator 3000 and EasyVPN compliant equipment.

I don't have, yet, details about the devices that will be used on the client side but I know that we'll use RSA randomized rotative SecurIDs and we'll use IPSEC. I'm not aware if this kind of auth mechanism has anything to do with the client itself.

Anyway, I will give vpnc a go :)

Many thanks.

Regards,
--
Alexandre Vieira - [EMAIL PROTECTED]
Running Cisco Systems VPN Client with FreeBSD
On 10/23/06, Joao Barros [EMAIL PROTECTED] wrote:

> On 10/23/06, Alexandre Vieira [EMAIL PROTECTED] wrote:
>
> > I don't have, yet, details about the devices that will be used on the client side but I know that we'll use RSA randomized rotative SecurIDs and we'll use IPSEC. I'm not aware if this kind of auth mechanism has anything to do with the client itself.
>
> That authentication mechanism is configured on the VPN concentrator but performed with the help of an additional box running an RSA-specific app.
>
> Most likely the VPN Concentrator and the PIX will disappear and the ASAs will be a multi-purpose device, so keep those in mind if it's a new buy.
>
> Keep us informed on your progress :)
>
> --
> Joao Barros

Hello,

I'm installing the machine atm. I will still have to read about vpnc in order to migrate client profiles (I have the Cisco client profiles) to the vpnc config files.

I will post my updates/questions in this thread.

Thanks in advance
--
Alexandre Vieira - [EMAIL PROTECTED]
Re: Running Cisco Systems VPN Client with FreeBSD
On Monday, October 23, 2006 at 11:39:31AM +0100, Alexandre Vieira wrote:

> Hello,
>
> I'm installing the machine atm. I will still have to read about vpnc in order to migrate client profiles (I have the Cisco client profiles) to the vpnc config files.

I'm attaching what I have stored in my private how-to area about the vpnc configuration, hope it helps you

matthias
--
Matthias Apitz
Manager Technical Support - OCLC PICA GmbH
Gruenwalder Weg 28g - 82041 Oberhaching - Germany
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e [EMAIL PROTECTED] - w http://www.oclcpica.org/ http://guru.UnixLand.de/


$Id: vpnc.txt,v 1.3 2006/10/23 11:38:39 guru Exp $

messages from make install:

    === Installing for vpnc-0.3.3_1
    /bin/mkdir -p /usr/local/share/doc/vpnc
    ...
    This port has installed the following files which may act as network
    servers and may therefore pose a remote security risk to the system.
    /usr/local/sbin/vpnc

    This port has installed the following startup scripts which may cause
    these network services to be started at boot time.
    /usr/local/etc/rc.d/vpnc.sh.sample

    If there are vulnerabilities in these programs there may be a security
    risk to the system. FreeBSD makes no guarantee about the security of
    ports included in the Ports Collection. Please type 'make deinstall'
    to deinstall the port if this is a concern.

    For more information, and contact details about the security
    status of this software, see the following webpage:
    http://www.unix-ag.uni-kl.de/~massar/vpnc/

to config: /usr/local/etc/vpnc.conf:

    IPSec gateway xxx.xxx.xxx.xxx
    IPSec ID aa
    IPSec secret bb
    Xauth username
    Xauth password

some comments about how it works:

- the gateway is contacted first on UDP 500 and later on 4500 as
  proposed by the server;

- the 'aa' (IPSec ID) is Cisco's 'GroupName' value;

- the 'bb' (IPSec secret) is Cisco's 'enc_GroupPwd' but in clear text;
  there is a tool to recalculate the clear text GroupPwd which is
  written in C and may be fetched from:
  http://www.unix-ag.uni-kl.de/~massar/soft/cisco-decrypt.c
  (local copy is in ~guru/sysSrc/cisco-decrypt.c)
  and may be compiled with:

    $ gcc -o cisco-decrypt -I/usr/local/include cisco-decrypt.c -L/usr/local/lib -lgcrypt

you launch it just as root with:

    # vpnc --no-detach

routings and /etc/resolv.conf are set/reset on up and down via a call to
a script /usr/local/sbin/vpnc-script

in our case /etc/resolv.conf gets changed to:

    [EMAIL PROTECTED]@ -- this file is generated by vpnc
    # and will be overwritten by vpnc
    # as long as the above mark is intact
    domain Sisis.de
    nameserver ...

the routings to the various networks the Concentrator knows are also
set and unset by the above script if the Concentrator provided
'split-network settings'; they are passed as environment variables to
/usr/local/sbin/vpnc-script

that's all
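The profile migration Alexandre asks about, and the vpnc.conf layout Matthias gives above, as an added example that is not part of the thread or of vpnc itself: a small Python script that reads a Cisco VPN Client .pcf profile (INI style, one [main] section with the real profile keys Host, GroupName, enc_GroupPwd and Username), maps Host to "IPSec gateway", GroupName to "IPSec ID" and the clear-text group password to "IPSec secret", and writes the result with mode 0600 because the file now holds that secret in clear text. The clear-text value is passed in by the caller (for instance after running cisco-decrypt on enc_GroupPwd); the script does not decrypt anything. No "Xauth password" line is emitted, since with SecurID the code is single-use and vpnc prompts for values missing from the file. The sample profile, hostname and user are constructed placeholders.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample of a Cisco VPN Client .pcf profile (INI style, one
# [main] section). The host, group and user are placeholders, not real.
SAMPLE_PCF = """[main]
Description=customer gateway (constructed sample)
Host=vpn.example.invalid
AuthType=1
GroupName=aa
enc_GroupPwd=0123456789ABCDEF0123456789ABCDEF
Username=avieira
SaveUserPassword=0
"""


def parse_pcf(text):
    """Return the [main] section of a .pcf profile as a dict, keys case-preserved."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep 'enc_GroupPwd' distinct from 'GroupPwd'
    cp.read_string(text)
    if not cp.has_section("main"):
        raise ValueError("profile has no [main] section")
    return dict(cp.items("main"))


def pcf_to_vpnc(profile, group_secret):
    """Build vpnc.conf text from a parsed profile.

    Mapping as in the how-to: Host -> IPSec gateway, GroupName -> IPSec ID,
    clear-text group password -> IPSec secret. `group_secret` must already be
    the clear-text value; enc_GroupPwd is never copied into the output.
    """
    for key in ("Host", "GroupName"):
        if not profile.get(key):
            raise ValueError(f"profile is missing {key}")
    lines = [
        f"IPSec gateway {profile['Host']}",
        f"IPSec ID {profile['GroupName']}",
        f"IPSec secret {group_secret}",
    ]
    if profile.get("Username"):
        lines.append(f"Xauth username {profile['Username']}")
    # Deliberately no 'Xauth password' line: a SecurID code is one-time, and
    # vpnc asks interactively for any value the file does not provide.
    return "\n".join(lines) + "\n"


def write_vpnc_conf(path, content):
    """Create the file with mode 0600 before any byte is written (it holds the
    group secret in clear text). Returns the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(path, 0o600)           # also tighten a pre-existing, wider file
    return stat.S_IMODE(os.stat(path).st_mode)


def convert(pcf_text, group_secret, out_path=None):
    """Parse, map and write. Returns (path, mode, vpnc.conf text).

    With out_path=None the file goes into a fresh temporary directory, which
    keeps the demo from touching /usr/local/etc/vpnc.conf.
    """
    conf = pcf_to_vpnc(parse_pcf(pcf_text), group_secret)
    if out_path is None:
        out_path = os.path.join(tempfile.mkdtemp(), "vpnc.conf")
    mode = write_vpnc_conf(out_path, conf)
    return out_path, mode, conf


if __name__ == "__main__":
    # 'bb' stands in for the clear-text group password from cisco-decrypt.
    path, mode, conf = convert(SAMPLE_PCF, "bb")
    print(conf, end="")
    print(f"written to {path} with mode {oct(mode)}")
```

For a real migration, point `convert` at the decrypted group password and at /usr/local/etc/vpnc.conf; the 0600 mode matters because anyone who can read the file can join the IPsec group.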
Re: Running Cisco Systems VPN Client with FreeBSD
On 10/23/06, Alexandre Vieira [EMAIL PROTECTED] wrote:

> I don't have, yet, details about the devices that will be used on the client side but I know that we'll use RSA randomized rotative SecurIDs and we'll use IPSEC. I'm not aware if this kind of auth mechanism has anything to do with the client itself.

That authentication mechanism is configured on the VPN concentrator but performed with the help of an additional box running an RSA-specific app.

Most likely the VPN Concentrator and the PIX will disappear and the ASAs will be a multi-purpose device, so keep those in mind if it's a new buy.

Keep us informed on your progress :)

--
Joao Barros
Re: Running Cisco Systems VPN Client with FreeBSD
On 10/23/06, Matthias Apitz [EMAIL PROTECTED] wrote:

> On Monday, October 23, 2006 at 11:39:31AM +0100, Alexandre Vieira wrote:
>
> > Hello,
> >
> > I'm installing the machine atm. I will still have to read about vpnc in order to migrate client profiles (I have the Cisco client profiles) to the vpnc config files.
>
> I'm attaching what I have stored in my private how-to area about the vpnc configuration, hope it helps you
>
> matthias

Hello,

Thanks, I will try this as soon as our client gets the Cisco up :)

Regards,
--
Alexandre Vieira - [EMAIL PROTECTED]