[nycbug-talk] ipsec-tools racoon with Cisco VPN client...

Dru dlavigne6 at sympatico.ca
Thu Feb 1 17:48:44 EST 2007

On Thu, 1 Feb 2007, Brian A. Seklecki wrote:

> On Thu, 1 Feb 2007, Dru wrote:
>> Sounds like they aren't agreeing on policy. What's the config at the Cisco
>> end?
> In my experience; the Cisco VPN Client is a highly simplified IPSEC engine 
> that relies heavily on extra proprietary in-bound/in-line data to help it 
> negotiate.
> This is how Cisco accomplishes all kinds out-of-RFC-spec features like 
> DNS-interception, two-phase challenge-authentication.
> Getting to it to talk to Racoon might be a lot of shots-in-the-dark kind of 
> work.  Unless there's an advanced mode / registry hacks that I don't know 
> about.

A tcpdump on the racoon end should show which parts of the policy aren't
matching up as Phase 1 is in clear text. You could then try modifying the
racoon end accordingly. The proprietary bits probably will take a registry 
hack (the proprietary stuff is much easier to override on a pix, at least 
you have a command line interface instead of some GUI hiding everything).


More information about the talk mailing list