From: Aaron Nichols
To: Michael Clark
Cc: "Aaron P. Martinez", questions@freebsd.org
Date: Wed, 27 Oct 2004 10:00:40 -0700
Subject: Re: VPN questions

On Wed, 27 Oct 2004 11:47:43 -0500, Michael Clark wrote:
> > Any suggestions for something compatible with Cisco's 3080 VPN
> > product? Something that will work from behind my home NAT box,
> > ideally?
>
> There is nothing that I know of, I have a 3000 at work and wanted to do the
> same thing. There is a cli client for the 3000 in ports that I did manage to
> get working at one time, it's not site to site though.

The Cisco 3000 is a difficult beast in this case. I have a site to site VPN between the Cisco and an OpenBSD host which works fine, I assume it would also work for FreeBSD. The challenge, however, is that for site to site (known as Lan to Lan in the Cisco) a static IP must be used, this mode does not support a dynamic client that I know of.

You can connect a dynamic client to the Cisco using the "Base Group", but their PSK structure for dynamic clients basically requires that you use the same PSK for all clients, not exactly ideal. I believe you can use certificates to get around this, but I've not tried.

The Cisco client itself uses XAUTH to allow user/pass type authentication and can then be pointed to a backend authentication service (RADIUS, AD, etc.) - if there is some software for FreeBSD that can do XAUTH you would be much closer to getting this to work - I don't think such a thing exists however.

If you have a static IP from your ISP and want to use Lan to Lan, I'm pretty sure that would work (though I'm currently battling this specific scenario on the FreeBSD side trying to get NAT working on the VPN itself to masquerade the LAN behind the VPN). As a hint, you'll want to use aggressive mode and some identifier for the client other than the IP (I use an email address).

I've resigned myself to having a few different VPN "concentrators" for clients to connect to as each seems to have its own specific strengths and weaknesses and our company has a wide variety of clients connecting.

Aaron
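The three configuration points Aaron raises (aggressive mode with a pre-shared key, one PSK shared by every dynamic client, and identifying a dynamic client by its IP rather than something like an e-mail address) are easy to check for mechanically on the FreeBSD side. The following Python audit is an added example and not code from this thread or from anyone in it; it assumes a small subset of racoon.conf(5) syntax (the `remote` blocks and a `psk.txt` of "identifier secret" lines), and every address, identity and secret in it is a constructed sample value.

```python
"""Audit a racoon.conf-style IKE configuration and psk.txt for the points
raised in the thread: aggressive mode with pre-shared keys, one PSK shared
by many dynamic clients, and peers identified only by their IP address.

Added example, not code from the thread. The configuration syntax below is
the subset of racoon.conf(5) assumed here; the peer addresses, identities
and secrets are constructed sample values."""
import re
from collections import defaultdict

# Constructed racoon.conf fragment: one PSK block for dynamic ("anonymous")
# peers, one certificate-based block for a static site-to-site peer.
SAMPLE_CONF = """
remote anonymous {
    exchange_mode aggressive;
    my_identifier address;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

remote 203.0.113.10 {
    exchange_mode main;
    my_identifier user_fqdn "gw@example.net";
    certificate_type x509 "gw.crt" "gw.key";
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}
"""

# Constructed psk.txt: "<identifier> <secret>" per line (hypothetical values).
SAMPLE_PSK = """
# dynamic clients, keyed by e-mail identifier
alice@example.net   s3cr3t-for-everyone
bob@example.net     s3cr3t-for-everyone
# static peer, keyed by address
198.51.100.7        unique-site-key
"""

# A remote block runs from "remote <peer> {" to the first "}" at column 0,
# so the indented closing brace of the nested proposal does not end it.
REMOTE_RE = re.compile(r'remote\s+(\S+)\s*\{(.*?)\n\}', re.S)


def parse_remotes(conf):
    """Return {peer: {setting: value}}; proposal settings are flattened in."""
    remotes = {}
    for peer, body in REMOTE_RE.findall(conf):
        settings = {}
        for line in body.splitlines():
            line = line.strip().rstrip(';')
            if not line or line.endswith('{') or line == '}':
                continue  # blank line or block delimiter
            key, _, value = line.partition(' ')
            settings[key] = value.strip()
        remotes[peer] = settings
    return remotes


def parse_psk(text):
    """Return {identifier: secret} from psk.txt-style text (comments skipped)."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        ident, _, secret = line.partition(' ')
        keys[ident] = secret.strip()
    return keys


def audit(conf, psk_text):
    """Return a list of (subject, finding) tuples; an empty list means no concerns."""
    findings = []
    for peer, s in parse_remotes(conf).items():
        mode = s.get('exchange_mode', '')
        auth = s.get('authentication_method', '')
        if mode == 'aggressive' and auth == 'pre_shared_key':
            findings.append((peer, 'aggressive mode with a PSK sends the peer identity and a '
                                   'PSK-derived hash unencrypted; prefer rsasig (certificates)'))
        # racoon falls back to the address when my_identifier is unset.
        if mode == 'aggressive' and s.get('my_identifier', 'address').startswith('address'):
            findings.append((peer, 'identifier is the IP address; a dynamic client should '
                                   'present user_fqdn or fqdn instead'))
    by_secret = defaultdict(list)
    for ident, secret in parse_psk(psk_text).items():
        by_secret[secret].append(ident)
    for idents in by_secret.values():
        if len(idents) > 1:
            findings.append((', '.join(sorted(idents)),
                             'one PSK shared by %d identities; a single leaked client '
                             'secret compromises them all' % len(idents)))
    return findings


if __name__ == '__main__':
    for subject, msg in audit(SAMPLE_CONF, SAMPLE_PSK):
        print('%-40s %s' % (subject, msg))
```

Run against the constructed sample it reports three findings: two for the `anonymous` block (aggressive mode with a PSK, and an address identifier) and one for the two e-mail identities that share a secret; the certificate-based static peer produces none. Point it at a real `/usr/local/etc/racoon/racoon.conf` and `psk.txt` by reading those files into `audit()` instead of the sample strings.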