[Openswan Users] tunnel using XAUTH client mode to Cisco 3000 series
David Edmondson
dme at dme.org
Thu Jul 8 11:11:24 CEST 2004
* mcr at sandelman.ottawa.on.ca [20040707T183042]:
> >>>>> "David" == David Edmondson <dme at dme.org> writes:
> David> The configuration is based on that described in
> David> docs/README.XAUTHclient, with only the IP addresses,
> David> authentication tokens, etc. changed. No RSA signatures
> David> are involved, only a pre-shared password.
>
> You understand that you have to create a group with the name (in
> ascii) of the IP address you are coming from on the 3K?
Ouch. I didn't really interpret the instructions as meaning that.
I'm getting hold of a copy of the 3k configuration to look at, so I
can see if it makes more sense then.
This doesn't appear to be a requirement for the Cisco client or vpnc -
people connect from random places without any prior configuration of
the client IP address.
We currently use a single group with a single well-known passphrase
(well, well-known if you know how to read the Cisco client
configuration files) and then username and token card authentication.
> David> I noticed in a tcpdump of the IKE traffic that Openswan
> David> is using 'main mode' where vpnc (which works okay, apart
> David> from not supporting re-keying) uses 'aggressive mode'. [
> David> I've read why Openswan doesn't currently support
> David> aggressive mode and I'm not complaining, just providing
> David> this as additional information. ]
>
> Yes, that's correct.
It's tempting to ask "is it likely to be relevant", but obviously it
is as one works and the other doesn't :-)
> David> I have no access to the remote Cisco 3000 machine (though
> David> I can ask the people responsible questions).
>
> Without a bug fix on the VPN3K, which Cisco people have told me they
> aren't likely to do, because the PIX replaces the VPN3K in their
> product line, you need to have a custom configuration on the 3K to
> make things work.
Thanks for the information. Is the 'custom configuration' the
creation of the group with the name of my IP address that you mention
above, or is there more?
dme.
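Added illustration (not part of this thread, not Openswan or vpnc code): the difference David saw in his tcpdump, main mode versus aggressive mode, is carried in the exchange-type byte of the fixed 28-byte ISAKMP header that starts every IKEv1 message on UDP/500. The parser below decodes that header from a raw UDP payload and classifies the Phase 1 mode of a capture; the two sample "captures" are constructed bare headers, not real traffic, and the function names are this example's own.

```python
import struct

# Exchange-type values carried in the ISAKMP header (RFC 2408, section 3.1).
EXCHANGE_TYPES = {
    0: "none",
    1: "base",
    2: "identity protection (main mode)",
    3: "authentication only",
    4: "aggressive",
    5: "informational",
}
ISAKMP_HEADER_LEN = 28  # fixed header size in bytes


def parse_isakmp_header(data: bytes) -> dict:
    """Decode the 28-byte ISAKMP header at the start of a UDP/500 payload."""
    if len(data) < ISAKMP_HEADER_LEN:
        raise ValueError("truncated ISAKMP header: %d bytes" % len(data))
    (i_cookie, r_cookie, next_payload, version, exchange_type,
     flags, message_id, length) = struct.unpack("!8s8sBBBBII",
                                                data[:ISAKMP_HEADER_LEN])
    if length < ISAKMP_HEADER_LEN:
        raise ValueError("bogus ISAKMP length field: %d" % length)
    return {
        "initiator_cookie": i_cookie.hex(),
        "responder_cookie": r_cookie.hex(),
        "next_payload": next_payload,
        "major_version": version >> 4,       # 1 for IKEv1
        "minor_version": version & 0x0F,
        "exchange_type": exchange_type,
        "exchange_name": EXCHANGE_TYPES.get(exchange_type,
                                            "unknown (%d)" % exchange_type),
        "encrypted": bool(flags & 0x01),      # E bit: payloads are encrypted
        "message_id": message_id,
        "length": length,
    }


def phase1_mode(packets) -> str:
    """Name of the Phase 1 exchange type used by the first IKEv1 message in
    ``packets`` (a list of UDP payloads), or 'none' if no main-mode or
    aggressive-mode message is present."""
    for payload in packets:
        hdr = parse_isakmp_header(payload)
        if hdr["major_version"] != 1:
            continue  # IKEv2 or garbage; not what this thread is about
        if hdr["exchange_type"] in (2, 4):
            return hdr["exchange_name"]
    return "none"


def _build_header(exchange_type: int, i_cookie: bytes,
                  r_cookie: bytes = b"\x00" * 8) -> bytes:
    """Constructed sample: a bare header with no payloads, for illustration."""
    return struct.pack("!8s8sBBBBII", i_cookie, r_cookie,
                       1, 0x10, exchange_type, 0, 0, ISAKMP_HEADER_LEN)


# Constructed captures, not real traffic: the first message of a main-mode
# exchange (what Openswan sends) and of an aggressive-mode exchange (vpnc).
MAIN_MODE_CAPTURE = [_build_header(2, b"\x01\x02\x03\x04\x05\x06\x07\x08")]
AGGRESSIVE_CAPTURE = [_build_header(4, b"\xaa\xbb\xcc\xdd\xee\xff\x00\x11")]

if __name__ == "__main__":
    for name, cap in (("main", MAIN_MODE_CAPTURE),
                      ("aggressive", AGGRESSIVE_CAPTURE)):
        print(name, "->", phase1_mode(cap))
```

Feed `phase1_mode` the UDP payloads from a capture (for example, extracted with a pcap library) to confirm which Phase 1 mode a client is negotiating. From the defender's side the distinction matters beyond interoperability: aggressive mode sends the identities unencrypted and lets the responder reply with a hash derived from the pre-shared key, so flagging aggressive-mode exchanges on a gateway is a reasonable monitoring rule.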