Date: Mon, 3 Feb 2003 14:29:19 -0500 (EST)
From: "James E. Flemer" <jflemer@acm.jhu.edu>
To: Andre Oppermann <oppermann@pipeline.ch>
Cc: <freebsd-net@freebsd.org>, <anthonyv@brainlink.com>
Subject: Re: MPD and Cisco PIX
Message-ID: <Pine.LNX.4.33L2.0302031403100.1805-100000@centaur.acm.jhu.edu>
In-Reply-To: <3E3EBA9E.205CA244@pipeline.ch>
On Mon, 3 Feb 2003, Andre Oppermann wrote:

> "James E. Flemer" wrote:
> >
> > Anyone trying to establish PPTP between FreeBSD and Cisco
> > hardware should take a look at this:
> >
> > http://www.cs.rpi.edu/~flemej/fbsd-cisco-vpn/
> >
> > It gives a brief description of what was necessary for me
> > to use PPTP between FreeBSD and a 3000 series Cisco VPN
> > concentrator. I would guess that connecting to a PIX would
> > be very similar. The quick version is, you need to use
> > mpd's "iface up-script" to re-address your tun interface
> > and fix the routing table, since the Cisco sends the wrong
> > addresses in the PPP IPCP phase.
>
> If the Cisco is wrong, have you told Cisco about this bug so
> that they have a chance to fix it?

It depends on what you consider "wrong". It works for Windows, but on
FreeBSD it causes a routing conflict. The Cisco sets the endpoint of the
PPP link to the IP address that you connect to for the PPTP negotiation.
However, once the PPTP link is up, there is a new route added passing all
packets for that destination over the tunnel; the tunnel is really just
GRE packets sent to the Cisco, though. But now the route for the GRE
packets is *over the tunnel*. Do you see the problem?

I explained this whole problem to someone at RPI who in turn "told
Cisco", but I do not think Cisco is too concerned. They support most
platforms with their (semi-proprietary) IPsec client, so supporting a
handful of BSD boxes using PPTP is probably not high on their list,
unfortunately. If they were concerned, then they'd just release a BSD
version of the IPsec client, or release the source code for it.

I spent several weeks with Ethereal and isakmpd trying to get an IPsec
tunnel to work, but the IPsec implementation[1] used by the 3000
concentrators uses XAuth (X-Auth), which does not seem to be supported by
any IKE tools for BSD. If someone was determined to do so, I believe that
isakmpd could be extended to work with Cisco IPsec implementations. I
think that just XAuth and IKE Mode Config need to be implemented in
isakmpd for this to work. (Perhaps work on this has already been done
since I last checked ...)

-James

(sorry for the long url)
[1] http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/ipsecstd.htm
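The routing conflict James describes (the IPCP remote address equals the concentrator's own address, so the tun's point-to-point route would swallow the GRE packets that carry the tunnel) is exactly what an mpd "iface up-script" has to undo. The script below is an added example, not code from the original post, from James's page or from mpd. It assumes mpd invokes the up-script as `interface proto local-ip remote-ip authname peer-ip` (an assumption about the mpd3-era argument order), that `route -n get` prints a `gateway:` line as on FreeBSD, and that `FAKE_PEER` and `REMOTE_NETS` are site-specific values you replace with your own. `DRY_RUN=1` prints the ifconfig/route commands instead of executing them, which is also how the functions can be checked without touching a live routing table.

```sh
#!/bin/sh
# Added example mpd up-script for the Cisco IPCP address collision.
# Not from the original post or from mpd. Assumed mpd argument order:
#   $1 interface  $2 proto  $3 local-ip  $4 remote-ip  $5 authname  $6 peer-ip
# Set DRY_RUN=1 to print commands instead of running them.

DRY_RUN=${DRY_RUN:-0}

# Far-end address the tun gets instead of the concentrator's own IP.
# Any otherwise unused address works; it only has to differ from the PPTP peer.
FAKE_PEER=${FAKE_PEER:-10.255.255.254}

# Networks to reach through the tunnel once it is up (assumed example ranges).
REMOTE_NETS=${REMOTE_NETS:-"192.168.0.0/16 172.16.0.0/12"}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The conflict: IPCP handed us a remote address identical to the PPTP (GRE)
# peer, so the tun's point-to-point route would capture the GRE carrying it.
endpoint_conflicts() {
    [ "$1" = "$2" ]
}

# Next hop currently used to reach the concentrator. Read it before any tun
# route can shadow it. Assumes FreeBSD "route -n get" output with "gateway:".
current_gateway() {
    route -n get "$1" 2>/dev/null | awk '$1 == "gateway:" { print $2 }'
}

# Emit (or run) the re-addressing and routing fix.
#   $1 iface  $2 local-ip  $3 ipcp-remote-ip  $4 pptp-peer  $5 physical gateway
fixup_tunnel() {
    iface=$1 lip=$2 rip=$3 peer=$4 gw=$5

    if endpoint_conflicts "$rip" "$peer"; then
        # Drop the colliding p2p address first (this also removes its interface
        # route), pin GRE to the physical path, then give the tun a harmless
        # far-end address so later tunnel routes point at it, not at the Cisco.
        run ifconfig "$iface" inet "$lip" delete
        run route -n add -host "$peer" "$gw"
        run ifconfig "$iface" inet "$lip" "$FAKE_PEER" netmask 0xffffffff
        rip=$FAKE_PEER
    else
        # No collision: still keep GRE to the concentrator on the physical path
        # in case a default route is later sent through the tunnel.
        run route -n add -host "$peer" "$gw"
    fi

    for net in $REMOTE_NETS; do
        run route -n add -net "$net" "$rip"
    done
}

main() {
    [ "$2" = "inet" ] || exit 0          # only IPv4 needs this treatment
    gw=$(current_gateway "$6")
    [ -n "$gw" ] || { echo "no route to $6" >&2; exit 1; }
    fixup_tunnel "$1" "$3" "$4" "$6" "$gw"
}

# Act as the up-script only when mpd invokes us with its arguments.
[ $# -ge 6 ] && main "$@"
```

The matching down-script should remove the `-host` route again; otherwise the pinned route outlives the tunnel. If `route -n get` reports an interface (`link#N`) rather than an address as the gateway, the concentrator is directly attached and the host route is not needed.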