Joined: Wed 02-20-2002 11:27PM Posts: 867 Location: No one's really sure what became of Castorite after graduation
Source: Off Campus
Taking a cue from the Linux thread, I'll write this. Here's hoping I can post without a VPN connection before getting cockblocked.
I don't suppose anyone's got a good OpenBSD ipsecctl configuration kicking around somewheres?
This shoddy hack doesn't seem to do much at all:
Code:
ike dynamic esp \
    from 192.168.0.0/24 to 131.151.0.0/16 \
    peer vpn.umr.edu \
    psk UMRIPSec
Now, I don't have any user/pass info in there, so that's a known. The deal is, I'm not seeing any "hey idiot, enable the foobaz-5 crypto module" messages coming back at me, just isakmpd dumping this:
Code:
204732.665243 Default message_validate_notify: protocol not supported
As I understand it, any unnamed options are supposed to default to "sane" values, so I'm missing something else important or the Cisco is doing something wonky. The guides I'm seeing out there on the web are either far out of date or use some way overcomplicated setup. I haven't really dug in to this yet and I'm hoping someone will have a good configuration so I won't have to. This trainwreck of standards makes me yearn for the bygone days of SSH tunnels.
I almost had the vpnc package running. Very simple to configure and run the client itself--I was impressed. However, attempting to fix the helper vpnc-script and coming up with correct routing tables plus pf filtering rules got me pretty close to putting a fork in my eyeball. Not recommended for mass consumption.
For what it's worth, here are a few strings from a vpnc session:
Code:
IKE SA selected psk+xauth-3des-md5
peer is using type 130 for NAT-Discovery payloads
NAT status: NAT-T VID seen, no NAT device detected
got 4 acls for split include
acl 0: addr: 131.151.0.0/255.255.0.0 (16), protocol: 0, sport: 0, dport: 0
acl 1: addr: 192.65.97.0/255.255.255.0 (24), protocol: 0, sport: 0, dport: 0
acl 2: addr: 10.20.0.0/255.255.255.224 (27), protocol: 0, sport: 0, dport: 0
acl 3: addr: 10.22.0.0/255.255.0.0 (16), protocol: 0, sport: 0, dport: 0
Cisco Systems, Inc./VPN 3000 Concentrator Version 4.7.2.K
IPSEC SA selected 3des-md5
I wish IT would be more forthcoming with this sort of information on their website.
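The routing-table and pf-rule part of the vpnc-script fix described in the post above is the piece a split-tunnel client actually has to get right: only the prefixes the concentrator hands back as "split include" ACLs should be routed over the tunnel and allowed out on it, not a default route. The following is an added example, not code from the thread or from the vpnc project. It takes the four "acl N: addr: ..." lines quoted above (embedded here as a constructed sample), extracts the prefixes, and prints the OpenBSD route(8) commands and a pf.conf table for them. The tunnel interface name tun0 and the use of the -iface modifier are assumptions; nothing is applied to the live system, the commands are only printed for review.

```shell
#!/bin/sh
# Added example: turn vpnc "split include" ACL lines into OpenBSD route(8)
# commands and a pf table, so only the concentrator's prefixes use the tunnel.

# Constructed sample: the four split-include lines from the vpnc session above.
SAMPLE_ACLS='acl 0: addr: 131.151.0.0/255.255.0.0 (16), protocol: 0, sport: 0, dport: 0
acl 1: addr: 192.65.97.0/255.255.255.0 (24), protocol: 0, sport: 0, dport: 0
acl 2: addr: 10.20.0.0/255.255.255.224 (27), protocol: 0, sport: 0, dport: 0
acl 3: addr: 10.22.0.0/255.255.0.0 (16), protocol: 0, sport: 0, dport: 0'

# extract_prefixes: read ACL lines on stdin, print one CIDR per line.
# The "(16)" in the line is the mask length, so it is used directly.
extract_prefixes() {
    sed -n 's/^acl [0-9][0-9]*: addr: \([0-9.]*\)\/[0-9.]* (\([0-9][0-9]*\)).*/\1\/\2/p'
}

# split_routes IFACE: print a "route add" line per prefix, bound to the
# tunnel interface (assumed tun0 here; -iface means "directly reachable").
split_routes() {
    ifname="$1"
    extract_prefixes | while IFS= read -r cidr; do
        printf 'route add -net %s -iface %s\n' "$cidr" "$ifname"
    done
}

# pf_table: print a constant pf table holding the same prefixes, so the
# pass rule below can be restricted to exactly the split-include networks.
pf_table() {
    extract_prefixes | awk 'BEGIN { ORS = ""; print "table <vpn_nets> const {" }
        { sep = (NR > 1) ? ", " : " "; print sep $0 }
        END { print " }\n" }'
}

# Print the proposed commands and rules for review (nothing is applied).
printf '%s\n' "$SAMPLE_ACLS" | split_routes tun0
printf '%s\n' "$SAMPLE_ACLS" | pf_table
echo 'pass out on tun0 to <vpn_nets>'
```

Feeding the real vpnc output to extract_prefixes instead of the sample shows the same shape; if the concentrator ever returns zero ACLs, both functions print nothing, which is the safer failure than silently defaulting everything into the tunnel.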
If this helps at all, the vpnc for FreeBSD (/usr/ports/security/vpnc) works just as seamlessly as the Linux build. If I were you, I would look at the vpnc-script for FreeBSD since OpenBSD is *close* (similar ifconfig, pf rules etc.). I do remember at one time using an older release for Linux and having the same hair-pulling experience with getting my route tables set and working >.<.
_________________ KOK - 011, Pullin rank on bitches since 2005