[nycbug-talk] ipsec-tools racoon with Cisco VPN client...
Dru
dlavigne6 at sympatico.ca
Thu Feb 1 17:48:44 EST 2007
On Thu, 1 Feb 2007, Brian A. Seklecki wrote:
> On Thu, 1 Feb 2007, Dru wrote:
>
>>
>> Sounds like they aren't agreeing on policy. What's the config at the Cisco
>> end?
>
> In my experience, the Cisco VPN Client is a highly simplified IPSEC engine
> that relies heavily on extra proprietary in-bound/in-line data to help it
> negotiate.
>
> This is how Cisco accomplishes all kinds of out-of-RFC-spec features like
> DNS-interception, two-phase challenge-authentication.
>
> Getting it to talk to Racoon might be a lot of shots-in-the-dark kind of
> work. Unless there's an advanced mode / registry hacks that I don't know
> about.
A tcpdump on the racoon end should show which parts of the policy aren't
matching up, as Phase 1 is in clear text. You could then try modifying the
racoon end accordingly. The proprietary bits will probably take a registry
hack (the proprietary stuff is much easier to override on a PIX; at least
you have a command-line interface instead of some GUI hiding everything).
Dru
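As an added example (not from this thread): a decoder for the clear-text Phase 1 SA payload that a tcpdump on the racoon side would show, run over a constructed proposal that carries the XAUTH authentication method Cisco clients use and compared against a constructed racoon-side policy, so the non-matching attributes stand out. The packet bytes, the `RACOON_POLICY` dict and the helper names are all assumptions for illustration, not a real capture or racoon's own code.

```python
import struct

# IKE Phase 1 attribute types/values (RFC 2409 App. A); 65001 is XAUTHInitPreShared from the IKE XAUTH draft.
ATTR = {1: "enc", 2: "hash", 3: "auth", 4: "group", 11: "life_type", 12: "life", 14: "keylen"}
NAMES = {"enc": {1: "des", 5: "3des", 7: "aes"}, "hash": {1: "md5", 2: "sha1"},
         "auth": {1: "psk", 3: "rsasig", 65001: "xauth_psk"},
         "group": {1: "modp768", 2: "modp1024", 5: "modp1536"}}

def parse_attrs(data):
    """Decode transform attributes: TV form if bit 15 of the type is set, else TLV."""
    attrs, off = {}, 0
    while off < len(data):
        t, v = struct.unpack_from("!HH", data, off)
        off += 4
        if t & 0x8000:
            t &= 0x7FFF
        else:                      # TLV: v is the value length, value bytes follow
            v, off = int.from_bytes(data[off:off + v], "big"), off + v
        key = ATTR.get(t, "attr%d" % t)
        attrs[key] = NAMES.get(key, {}).get(v, v)
    return attrs

def parse_sa(sa):
    """Walk an ISAKMP SA payload body (DOI, situation, proposals, transforms)."""
    transforms, off = [], 8        # skip DOI (4) and situation (4)
    while off < len(sa):
        _, _, plen, _, _, spi_size, ntrans = struct.unpack_from("!BBHBBBB", sa, off)
        toff = off + 8 + spi_size  # transforms follow the proposal header and SPI
        for _ in range(ntrans):
            _, _, tlen = struct.unpack_from("!BBH", sa, toff)
            transforms.append(parse_attrs(sa[toff + 8:toff + tlen]))  # skip hdr+num/id/rsvd
            toff += tlen
        off += plen
    return transforms

def mismatches(transforms, policy):
    """For each proposed transform, the attributes the local policy would reject."""
    return [{k: v for k, v in t.items() if k in policy and policy[k] != v} for t in transforms]

# --- constructed sample, not a real capture ---------------------------------
_tv = lambda t, v: struct.pack("!HH", 0x8000 | t, v)      # TV-form attribute
def _transform(num, attrs, last):
    body = struct.pack("!BBH", num, 1, 0) + attrs          # KEY_IKE transform id = 1
    return struct.pack("!BBH", 0 if last else 3, 0, 4 + len(body)) + body

_t1 = _transform(1, _tv(1, 5) + _tv(2, 2) + _tv(3, 65001) + _tv(4, 2) + _tv(11, 1) + _tv(12, 28800), False)
_t2 = _transform(2, _tv(1, 7) + _tv(14, 128) + _tv(2, 1) + _tv(3, 65001) + _tv(4, 2), True)
_prop = struct.pack("!BBHBBBB", 0, 0, 8 + len(_t1) + len(_t2), 1, 1, 0, 2) + _t1 + _t2
SAMPLE_SA = struct.pack("!II", 1, 1) + _prop                # DOI=IPSEC, SIT_IDENTITY_ONLY
RACOON_POLICY = {"enc": "3des", "hash": "sha1", "auth": "psk", "group": "modp1024"}
```

Calling `mismatches(parse_sa(SAMPLE_SA), RACOON_POLICY)` reports the XAUTH authentication method as the only thing wrong with the first transform, which is the kind of proposal mismatch the tcpdump would reveal.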