From owner-freebsd-net@FreeBSD.ORG Thu Oct 16 15:13:24 2003
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9FA3816A4BF for ; Thu, 16 Oct 2003 15:13:24 -0700 (PDT)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id B18E643FBD for ; Thu, 16 Oct 2003 15:13:23 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from runaround.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id QAA19994 for ; Thu, 16 Oct 2003 16:13:19 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <6.0.0.22.2.20031016160155.038eca38@localhost>
X-Sender: brett@localhost (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
Date: Thu, 16 Oct 2003 16:13:19 -0600
To: net@freebsd.org
From: Brett Glass
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Subject: Connecting to Cisco VPN concentrator
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 16 Oct 2003 22:13:24 -0000

Here's an interesting problem that I'm not sure how to solve. A user, whose machine runs Windows, connects to his ISP via PPTP (he can also use PPPoE, but there's no change in what happens). Once on the Internet, he wants to use the Cisco VPN client software to tunnel into a LAN at the office. Trouble is, as soon as the Cisco VPN client fires up on his Windows machine, it blocks the PPTP or PPPoE connection. In short, it strangles itself by cutting off the link over which it must connect. With the machine no longer able to reach the Internet, the VPN connection can't work, and everything falls apart.

Cisco's literature hints that the Cisco VPN client contains a built-in firewall which downloads rules from the Cisco VPN router (which Cisco calls a "concentrator") as it connects. But I've explored the configuration of the concentrator, and the rules appear to allow pretty much everything through, including GRE and PPTP.

I've also tried to see if the user can connect to the VPN concentrator using the built-in VPN software in Windows rather than the special Cisco VPN client software. So far, the answer is "Yes, but not in a way that's useful." I can only connect to the VPN concentrator via PPTP when encryption is turned off, thus defeating the purpose of having a VPN in the first place. When I tell the Windows system to require encryption, the connection fails.

Does anyone have experience with connecting to Cisco VPN concentrators -- using either Cisco's VPN client software for Windows or the PPTP or L2TP client software built into Windows?

--Brett
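The client-side firewall described in the post (a rule set pushed down to the client as the VPN comes up) can be sanity-checked by modelling it against the flows the underlying ISP link needs. The following is an added example, not code from the post or from Cisco; the rule format, the three sample policies and the addresses are constructed for illustration and do not reflect the Cisco VPN client's real policy syntax. It encodes what a PPTP link needs to stay up (a TCP connection to port 1723 for the control channel and GRE, IP protocol 47, for the tunnelled PPP frames, in both directions) and reports which of those flows a first-match, default-deny rule set would block.

```python
# Added example (not from the original mailing-list post): model a VPN client's
# first-match packet filter and check whether it would cut off the PPTP link
# the client itself depends on. The rule format is a constructed, generic one,
# not the Cisco VPN client's real policy syntax.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    """One packet flow as seen from the client host.

    direction: "out" (host -> network) or "in" (network -> host)
    proto:     "tcp", "udp" or "gre"
    peer:      remote IP address
    peer_port: remote-side TCP/UDP port (None for GRE, which has no ports)
    """
    direction: str
    proto: str
    peer: str
    peer_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """A first-match rule; "any" and None act as wildcards."""
    action: str                  # "permit" or "deny"
    direction: str = "any"       # "in", "out" or "any"
    proto: str = "any"           # "tcp", "udp", "gre" or "any"
    peer: str = "0.0.0.0/0"      # remote network in CIDR notation
    peer_port: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        if self.direction != "any" and self.direction != flow.direction:
            return False
        if self.proto != "any" and self.proto != flow.proto:
            return False
        if self.peer_port is not None and self.peer_port != flow.peer_port:
            return False
        return ip_address(flow.peer) in ip_network(self.peer)


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; unmatched flows get the default action."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


def pptp_link_flows(pptp_server: str) -> List[Flow]:
    """Flows a PPTP tunnel to pptp_server needs: the TCP/1723 control
    connection (both directions, since a stateless filter sees replies as
    separate flows) and GRE (IP protocol 47) carrying PPP, both directions.
    PPPoE is deliberately not modelled: it runs below IP (EtherTypes
    0x8863/0x8864), so an IP-layer rule set cannot filter it at all.
    """
    return [
        Flow("out", "tcp", pptp_server, 1723),
        Flow("in", "tcp", pptp_server, 1723),
        Flow("out", "gre", pptp_server),
        Flow("in", "gre", pptp_server),
    ]


def blocked_link_flows(rules: List[Rule], pptp_server: str) -> List[Flow]:
    """Return the PPTP link flows that the policy would not permit."""
    return [f for f in pptp_link_flows(pptp_server)
            if evaluate(rules, f) != "permit"]


# Constructed sample data; addresses are documentation-range placeholders.
ISP_PPTP_SERVER = "198.51.100.1"       # hypothetical ISP PPTP access server
CONCENTRATOR_NET = "203.0.113.0/24"    # hypothetical office concentrator network

# A policy that really does let everything through.
PERMIT_ALL = [Rule("permit")]

# Permits the PPTP control channel and IKE/NAT-T but forgot GRE: the tunnel
# negotiates and then carries no data.
TCP_BUT_NO_GRE = [
    Rule("permit", proto="tcp", peer_port=1723),
    Rule("permit", proto="udp", peer_port=500),
    Rule("permit", proto="udp", peer_port=4500),
    Rule("deny"),
]

# Only talks to the concentrator's network, so it strangles the ISP link.
CONCENTRATOR_ONLY = [
    Rule("permit", peer=CONCENTRATOR_NET),
    Rule("deny"),
]

if __name__ == "__main__":
    for name, policy in [("permit-all", PERMIT_ALL),
                         ("tcp-but-no-gre", TCP_BUT_NO_GRE),
                         ("concentrator-only", CONCENTRATOR_ONLY)]:
        blocked = blocked_link_flows(policy, ISP_PPTP_SERVER)
        print(f"{name}: {'link OK' if not blocked else 'breaks PPTP link'}")
        for f in blocked:
            print(f"    denied {f.direction} {f.proto} peer={f.peer} port={f.peer_port}")
```

The useful part is the second policy: a rule set that looks generous (TCP 1723, IKE and NAT-T are all permitted) still kills the link because GRE has no port and is easy to forget. When reading a concentrator's pushed rules, check the GRE entries and the direction of each rule, not just the PPTP port.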