[vpnc-devel] Working on certificate authentication ...

Jonathan Schaeffer joschaeffer at gmail.com
Thu Aug 24 10:42:18 CEST 2006


2006/8/24, Mattias Nissler <mattias.nissler at gmx.de>:
> On Wed, 2006-08-23 at 15:43 +0000, Sven Geggus wrote:
> > Hans-Werner Hilse <hilse at web.de> wrote:
> >
> > > Because there's ipsec-tools/racoon. It does all of this already and has
> > > gotten a decent certificate, hybrid-auth, PSK and Xauth support as well
> > > as (real) keep-alive, dead peer detection and rekeying support. It
> > > should be possible to use it instead of vpnc for most use cases.
> >
> > Hm, setting up and using vpnc is somewhere next to trivial!
> >
> > Is there any HOWTO document or similar on how I would use ipsec-tools/racoon
> > instead of vpnc when connecting to our Cisco ASA firewall?
> >
> > Last time I checked it was impossible to do so; only LAN <-> LAN connections
> > have been supported.
>
> Well, I switched to ipsec-tools/racoon a while ago (earlier in 2006). I
> had to use the CVS version because much of the xauth support wasn't
> available in the latest release back then. Don't know about 0.6.6
> though.
>
> I use it to connect to the uni-kl concentrator, which I guess is the
> machine that vpnc was originally made for ;-) It took me a full day and
> lots of pain reading source code and packet dumps to figure out the
> correct parameters. But now it has been working nicely since then, no
> problems whatsoever. The IPsec rekeying works correctly; I haven't
> checked the ISAKMP rekeying, because I only use the connection
> occasionally. I'll attach my configuration file just in case somebody is
> interested.
>
> Mattias

Hi people,

Sorry if I bother you a bit, but ...
I feel I'm way behind you in my understanding of some of the things you say ...

Is ipsec-tools/racoon sufficient to provide certificate authentication with
a Cisco VPN server? Did you have to cope with some obfuscated
protocol with the Cisco VPN concentrator?
Could you tell a bit more about the parameters you had to tune?

Thanks a lot,

jo