From owner-freebsd-current Fri Jan 31 18:16:28 2003
Message-ID: <3E3B2EFA.6030305@gmx.net>
Date: Sat, 01 Feb 2003 03:20:42 +0100
From: Marcin Dalecki
To: Sean Chittenden
Cc: Christoph Kukulies, freebsd-current@freebsd.org
Subject: Re: Cisco vpnclient
References: <200301311053.LAA25242@accms33.physik.rwth-aachen.de> <20030201012800.GH15936@perrin.int.nxad.com>
In-Reply-To: <20030201012800.GH15936@perrin.int.nxad.com>

Sean Chittenden wrote:
>> Cisco is offering a VPN client for Linux. I wonder if it would be
>> possible to run this under FreeBSD. An extra Linux kernel module is
>> being built. Is this already 'ruled out'?
>>
>> If this won't work, I'm afraid I will have to set up a dedicated Red Hat
>> 6.x/7.x box beside my FreeBSD gateway. Would it be possible to use NAT
>> to extend the VPN (I only have one dedicated fixed IP on the
>> gateway)?
>
> Might I suggest using pppd + ssh.
> In my prior experience, it worked
> worlds better than the Cisco VPN client and likely provided more
> secure authentication (ssh keys vs. IKE?). As an added bonus, ssh
> + pppd doesn't hijack your interface, so you can connect to the
> Internet directly and to your office without having to send your
> normal Internet traffic through the office. Yes, there are security
> problems with this, but running ipf(w) on the split host works
> exceedingly well and is generally a tighter firewall than what's put
> up to protect the office. ;)
>
> -sc

The "connection hijack" by Cisco is indeed a very silly thing, since the
disabling of the routing of interfaces different from the *one true and
very secure* IPSec connection it is establishing can be easily, very
easily circumvented by deliberately changing a string in the Cisco Linux
kernel module. You just have to change the string "eth" to "eth0" or
whatever in the source code there. Well, indeed some Linux ethernet
devices do not obey the "ethXX" naming scheme, namely they register
themselves as "usbXXX" devices, so the whole thing is without any good
reason in the first place anyway.

--
Marcin Dalecki