From owner-freebsd-questions@FreeBSD.ORG Sun Aug 14 17:14:36 2005
Date: Sun, 14 Aug 2005 18:14:30 +0100
From: Scott Mitchell <scott@fishballoon.org>
To: freebsd-questions@freebsd.org
Message-ID: <20050814171430.GA88530@tuatara.fishballoon.org>
In-Reply-To: <20050410153834.GA893@tuatara.fishballoon.org>
References: <20050410153834.GA893@tuatara.fishballoon.org>
User-Agent: Mutt/1.4.2.1i
X-Operating-System: FreeBSD 4.11-STABLE i386
Subject: Re: Connect to Cisco VPN server from FreeBSD?
On Sun, Apr 10, 2005 at 04:38:34PM +0100, Scott Mitchell wrote:
> Hi all,
>
> As in the subject - has anyone managed to get a FreeBSD machine to connect
> to a Cisco VPN server, using IPSec and 2-factor authentication (password +
> SecurID card)? My employer has been acquired by another company, and this
> will soon be the only remote-access method available. Linux client
> software exists, but given that it relies on a kernel module I'm not
> holding out much hope of it working. The security/vpnc port looks like it
> might be useful. No idea if racoon + FreeBSD native IPSec can be persuaded
> to do the SecurID authentication.

In case this is useful to anybody else - Finally got my SecurID card and can
report that it works very well with the latest security/vpnc port. I had to
decode the "group password" in the config file for the Cisco client I was
given, but the vpnc web page has a handy service for doing just that. Apart
from that, it just worked.

The vpnc client doesn't support re-keying, so the connection hangs when the
other side decides to do this. I'm mostly just connecting to machines at work
over VNC or rdesktop, so this is no big deal for me - just re-connect. It
also doesn't deal well with requests to re-authenticate after the SecurID
token changes, which I think only happen if you get your password wrong.

It does seem to correctly handle any DNS and split-tunnelling setup requested
by the server, although you can tweak the connect script to ignore all that
stuff if it annoys you :-)

I'm connecting to a Cisco 2600 series router, with SecurID authentication
done by some RADIUS server at another site. Haven't tried, but I expect I
would have no trouble connecting to our central Cisco 3000 VPN concentrator
box.
	Scott

-- 
===========================================================================
Scott Mitchell           | PGP Key ID | "Eagles may soar, but weasels
Cambridge, England       | 0x54B171B9 |  don't get sucked into jet engines"
scott at fishballoon.org | 0xAA775B8B |                          -- Anon
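The post notes that vpnc applies whatever DNS and split-tunnel routes the gateway pushes, and that the connect script can be tweaked to ignore them. The hook below is an added example (not from the post or the vpnc project) of the middle ground: it logs what the gateway asked for and installs only split-include routes on a local allow list. It assumes the vpnc-script environment variable names (reason, TUNDEV, INTERNAL_IP4_DNS, CISCO_SPLIT_INC and CISCO_SPLIT_INC_<n>_ADDR/_MASKLEN) and FreeBSD route(8) syntax; the prefixes are constructed sample values.

```shell
#!/bin/sh
# Added example, not the vpnc project's own script: review the routes and
# DNS a Cisco gateway pushes before applying them.  Variable names are
# assumed from vpnc-script (reason, TUNDEV, INTERNAL_IP4_DNS,
# CISCO_SPLIT_INC, CISCO_SPLIT_INC_<n>_ADDR, CISCO_SPLIT_INC_<n>_MASKLEN).

# Corporate prefixes we are willing to route into the tunnel
# (constructed sample values).
ALLOWED_PREFIXES="10.0.0.0/8 192.168.100.0/24"

# Return 0 if "$1" (addr/masklen) is exactly one of ALLOWED_PREFIXES.
# Assumption: the gateway pushes whole prefixes, so exact match suffices;
# a pushed 0.0.0.0/0 (full tunnel) is rejected rather than installed.
prefix_allowed() {
    for p in $ALLOWED_PREFIXES; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Print the route(8) commands that would be run for the pushed split
# includes, skipping anything off the allow list.  Pure: it does not
# touch the routing table, so it can be checked offline.
plan_split_routes() {
    i=0
    while [ "$i" -lt "${CISCO_SPLIT_INC:-0}" ]; do
        addr=$(eval echo \${CISCO_SPLIT_INC_${i}_ADDR})
        len=$(eval echo \${CISCO_SPLIT_INC_${i}_MASKLEN})
        if prefix_allowed "$addr/$len"; then
            echo "route add -net $addr/$len -interface ${TUNDEV:-tun0}"
        else
            echo "# skipped pushed route $addr/$len (not on allow list)" >&2
        fi
        i=$((i + 1))
    done
}

case "${reason:-}" in
    connect)
        # Log, but do not silently overwrite, the resolver the gateway pushed.
        echo "# gateway pushed DNS: ${INTERNAL_IP4_DNS:-none}" >&2
        plan_split_routes | sh
        ;;
esac
```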