[Openswan Users] Trouble figuring out how to connect Openswan client to Cisco VPN

Paul Wouters paul at xelerance.com
Wed Apr 8 13:58:15 EDT 2009


On Wed, 8 Apr 2009, Steven Don wrote:

> First, let me describe the playing field. Not under my control are:
> - There's a Cisco VPN server (can't post the IP address here as instructed by my
> employer, but let's say it's 1.2.3.4)
> - group name and PSK (let's pretend it's "users" and "there be dragons here")
> - personal username and password (let's say "me" and "secret" -- cliche, I know)
>
> Under my control:
> - A Speedtouch ADSL Modem/Router with an externally visible IP address, the usual
> NAT and port forwarding for a few services (http, ssh and imap) to the main server

For the record, this is a horrible setup to get working. Not only is it
very hard due to PSK+IP authentication, it is hard because it is Cisco XAUTH
on top of it, and on top of that you're adding NAT. Also, combining XAUTH+PSK
is the most insecure IPsec rollout possible due to anyone with the PSK (e.g.
any client or compromised client) being able to pretend they're the gateway
and snag your user/pass.

Grab the pcf file from Windows and look at openswan's contrib/cisco/pcf2os.pl
and contrib/cisco-decrypt/

> to be able to connect from a Linux box instead. This machine is running a
> 2.6.23.11 kernel. Everything I've read says that I should first set up Openswan to do
> the initial IPSec connection and then l2tpd, but I'm not really getting to the second bit.

You are most likely not doing l2tp but cisco xauth/modeconfig. Verify this
before spending the time on the wrong solution.

> which doesn't really mean anything to me, other than "it's not working" :(

Welcome to Cisco. They prefer to not leak information and therefore you really
need the Cisco logs to figure out what's going on. My guess is your l2tp
is not liked and it wants xauth/modeconfig.

Paul
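For readers landing on this thread: what Paul is describing is the Cisco "EasyVPN" style of client, i.e. IKEv1 aggressive mode with a group PSK, XAUTH for the per-user login and ModeConfig to receive the virtual address. The fragment below is an added example of what such a client conn looks like in an Openswan 2.6-era ipsec.conf and ipsec.secrets; it is not from the original post and not the output of contrib/cisco/pcf2os.pl, and it uses the placeholder values from the question (gateway 1.2.3.4, group "users", group PSK "there be dragons here"). The cipher proposal and the interface name are assumptions; take the real ones from the .pcf file.

```ini
# /etc/ipsec.conf  (added example; placeholder values from the thread, not a real site)
config setup
    # the Linux box sits behind the Speedtouch NAT, so UDP/4500 encapsulation is required
    nat_traversal=yes
    # assumption: home LAN is RFC1918; exclude nothing, just declare the private ranges
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn cisco
    # group PSK, not l2tp: there is no second tunnel layer to bring up
    authby=secret
    # Cisco group authentication uses IKEv1 aggressive mode; the group name is the ID
    aggrmode=yes
    leftid=@users
    left=%defaultroute
    # we are the XAUTH client (username/password) and the ModeConfig client (get an address)
    leftxauthclient=yes
    leftmodecfgclient=yes
    xauth=yes
    modecfgpull=yes
    right=1.2.3.4
    rightxauthserver=yes
    rightmodecfgserver=yes
    # route everything through the tunnel once it is up (typical EasyVPN policy)
    rightsubnet=0.0.0.0/0
    # assumption: proposal lifted from a typical .pcf; check the real file
    ike=3des-sha1;modp1024
    esp=3des-sha1
    pfs=no
    auto=add

# /etc/ipsec.secrets  (added example; the group PSK is what every client shares,
# which is why any client holding it can impersonate the gateway and harvest XAUTH logins)
@users 1.2.3.4 : PSK "there be dragons here"
```

With this in place you start the tunnel with `ipsec auto --up cisco`; Openswan then prompts for the XAUTH username and password ("me"/"secret" in the thread's placeholders) rather than taking them from the config file. The value of `rightsubnet=0.0.0.0/0` is what makes this a full-tunnel client; narrow it to the corporate range if the .pcf shows split tunneling. Note that the secret in ipsec.secrets is the decrypted group password, which is what contrib/cisco-decrypt/ recovers from the enc_GroupPwd line of the .pcf.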
