From: Matthias Apitz <m.apitz@oclcpica.org>
To: Alexandre Vieira
Cc: freebsd-questions@freebsd.org
Date: Mon, 23 Oct 2006 13:43:15 +0200
Subject: Re: Running Cisco Systems VPN Client with FreeBSD
Message-ID: <20061023114315.GA6598@rebelion.Sisis.de>
X-Operating-System: FreeBSD 6.0-RELEASE (i386)
On Monday, October 23, 2006 at 11:39:31AM +0100, Alexandre Vieira wrote:
> Hello,
>
> I'm installing the machine atm. I will still have to read about vpnc in
> order to migrate client profiles (I have the cisco client profiles) to the
> vpnc config files.

I'm attaching what I have stored in my private how-to area about the vpnc
configuration; hope it helps you.

	matthias

-- 
Matthias Apitz
Manager Technical Support - OCLC PICA GmbH
Gruenwalder Weg 28g - 82041 Oberhaching - Germany
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e - w http://www.oclcpica.org/ http://guru.UnixLand.de/

Attachment: vpnc.txt

$Id: vpnc.txt,v 1.3 2006/10/23 11:38:39 guru Exp $

messages from "make install":

  ===> Installing for vpnc-0.3.3_1
  /bin/mkdir -p /usr/local/share/doc/vpnc
  ...
  This port has installed the following files which may act as network
  servers and may therefore pose a remote security risk to the system.
  /usr/local/sbin/vpnc

  This port has installed the following startup scripts which may cause
  these network services to be started at boot time.
  /usr/local/etc/rc.d/vpnc.sh.sample

  If there are vulnerabilities in these programs there may be a security
  risk to the system. FreeBSD makes no guarantee about the security of
  ports included in the Ports Collection. Please type 'make deinstall'
  to deinstall the port if this is a concern.

  For more information, and contact details about the security status of
  this software, see the following webpage:
  http://www.unix-ag.uni-kl.de/~massar/vpnc/

to config: /usr/local/etc/vpnc.conf:

  IPSec gateway xxx.xxx.xxx.xxx
  IPSec ID aaaaaaaaaa
  IPSec secret bbbbbbbbbb
  Xauth username xxxxxxxx
  Xauth password xxxxxxxx

some comments about how it works:

- the gateway is contacted first on UDP 500 and later on 4500 as
  proposed by the server;
- the 'aaaaaaaaaa' (IPSec ID) is Cisco's 'GroupName' value;
- the 'bbbbbbbbbb' (IPSec secret) is Cisco's 'enc_GroupPwd' but in clear
  text; there is a tool to recalculate the clear text GroupPwd which is
  written in C and may be fetched from:
  http://www.unix-ag.uni-kl.de/~massar/soft/cisco-decrypt.c
  (local copy is in ~guru/sysSrc/cisco-decrypt.c) and may be compiled with:

  $ gcc -o cisco-decrypt -I/usr/local/include cisco-decrypt.c -L/usr/local/lib -lgcrypt

you launch it just as root with:

  # vpnc --no-detach

routings and /etc/resolv.conf are set/reset on up and down via a call to
a script, /usr/local/sbin/vpnc-script; in our case /etc/resolv.conf gets
changed to:

  #@VPNC_GENERATED@ -- this file is generated by vpnc
  # and will be overwritten by vpnc
  # as long as the above mark is intact
  domain Sisis.de
  nameserver ...........

the routings to the various networks the Concentrator knows are also set
and unset by the above script if the Concentrator provided 'split-network
settings'; they are passed as environment variables to
/usr/local/sbin/vpnc-script

that's all
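The profile migration Alexandre asks about, following the field mapping in the attached notes (GroupName -> IPSec ID, enc_GroupPwd -> IPSec secret in clear text), as an added example that is neither part of this mail nor of vpnc or cisco-decrypt. It assumes the .pcf keys `Host` and `Username` from the Cisco profile format, that the built `cisco-decrypt` binary takes the enc_GroupPwd value as its single argument and prints the clear text, and a constructed sample profile.

```python
"""Convert a Cisco VPN Client .pcf profile into a vpnc.conf file."""
import configparser
import os
import subprocess
from typing import Callable

# Constructed sample profile; values are placeholders, not real credentials.
SAMPLE_PCF = """[main]
Host=192.0.2.1
GroupName=aaaaaaaaaa
enc_GroupPwd=0123456789abcdef
Username=xxxxxxxx
"""


def decrypt_with_tool(enc_group_pwd: str, tool: str = "./cisco-decrypt") -> str:
    """Recover the clear-text group password with the cisco-decrypt binary
    built as in the notes. Assumption: it takes the value as argv[1]."""
    out = subprocess.run([tool, enc_group_pwd], capture_output=True,
                         text=True, check=True)
    return out.stdout.strip()


def pcf_to_vpnc(pcf_text: str,
                decrypt: Callable[[str], str] = decrypt_with_tool) -> str:
    """Return vpnc.conf contents for one .pcf profile."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in secrets is literal
    cp.optionxform = str                                # keep key case as in the .pcf
    cp.read_string(pcf_text)
    main = cp["main"]
    lines = [f"IPSec gateway {main['Host']}",
             f"IPSec ID {main['GroupName']}"]           # Cisco GroupName
    enc = main.get("enc_GroupPwd")
    if enc:
        # The .pcf stores the group password obfuscated; vpnc wants clear text.
        lines.append(f"IPSec secret {decrypt(enc)}")
    if main.get("Username"):
        lines.append(f"Xauth username {main['Username']}")
    # No 'Xauth password' line: vpnc prompts for it when the directive is absent,
    # so the user password never lands on disk.
    return "\n".join(lines) + "\n"


def write_vpnc_conf(path: str, contents: str) -> None:
    """Create the file with mode 0600: it holds the group secret in clear text."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(contents)


if __name__ == "__main__":
    print(pcf_to_vpnc(SAMPLE_PCF, decrypt=lambda enc: "<run cisco-decrypt>"))
```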