Date: Wed, 27 Oct 2004 10:00:40 -0700
From: Aaron Nichols <adnichols@gmail.com>
To: Michael Clark <mclark@nemschoff.com>
Cc: questions@freebsd.org
Subject: Re: VPN questions
Message-ID: <ac05538404102710003cbf6e5f@mail.gmail.com>
In-Reply-To: <A2A28DB6D52E084783ACD6E6C6F5D7900274F8EB@EMAILSERVER2.nemschoff.com>
References: <A2A28DB6D52E084783ACD6E6C6F5D7900274F8EB@EMAILSERVER2.nemschoff.com>
On Wed, 27 Oct 2004 11:47:43 -0500, Michael Clark <mclark@nemschoff.com> wrote:
>
> > Any suggestions for something compatible with Cisco's 3080 VPN
> > product? Something that will work from behind my home NAT box,
> > ideally?
>
> There is nothing that I know of. I have a 3000 at work and wanted to do the
> same thing. There is a CLI client for the 3000 in ports that I did manage to
> get working at one time; it's not site to site though.

The Cisco 3000 is a difficult beast in this case. I have a site to site VPN
between the Cisco and an OpenBSD host which works fine; I assume it would also
work for FreeBSD. The challenge, however, is that for site to site (known as
Lan to Lan in the Cisco) a static IP must be used; this mode does not support a
dynamic client that I know of.

You can connect a dynamic client to the Cisco using the "Base Group", but their
PSK structure for dynamic clients basically requires that you use the same PSK
for all clients, not exactly ideal. I believe you can use certificates to get
around this, but I've not tried.

The Cisco client itself uses XAUTH to allow user/pass type authentication and
can then be pointed to a backend authentication service (RADIUS, AD, etc). If
there is some software for FreeBSD that can do XAUTH you would be much closer
to getting this to work; I don't think such a thing exists, however.

If you have a static IP from your ISP and want to use Lan to Lan, I'm pretty
sure that would work (though I'm currently battling this specific scenario on
the FreeBSD side, trying to get NAT working on the VPN itself to masquerade the
LAN behind the VPN). As a hint, you'll want to use aggressive mode and some
identifier for the client other than the IP (I use an email address).

I've resigned myself to having a few different VPN "concentrators" for clients
to connect to, as each seems to have its own specific strengths and weaknesses
and our company has a wide variety of clients connecting.

Aaron
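Added illustration, not part of the thread above: the "aggressive mode plus a non-IP identifier" setup Aaron recommends for a static-IP FreeBSD gateway, written as a racoon.conf fragment (racoon was the IKE daemon available in FreeBSD ports at the time). The concentrator address 203.0.113.1, the local identifier freebsd-gw@example.org, the PSK file path and the 3DES/SHA1/group-2 proposal are assumptions chosen for the example and must be matched to whatever the Cisco side is configured with.

```conf
# Added example, not from the original message or from any vendor documentation.
# racoon.conf for a FreeBSD host with a static IP doing Lan to Lan to a
# Cisco 3000-series concentrator. Assumed values: peer 203.0.113.1, local
# identifier freebsd-gw@example.org, PSK file /usr/local/etc/racoon/psk.txt.

path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote 203.0.113.1 {
        # Aggressive mode, as the message suggests: the ID payload travels
        # in the first exchange, so the concentrator can pick the PSK by
        # identifier instead of by source address.
        exchange_mode aggressive;

        # Identify ourselves with an e-mail style ID rather than our IP.
        # This string is what the Cisco side must be told to expect.
        my_identifier user_fqdn "freebsd-gw@example.org";

        # The concentrator is expected to identify itself by address.
        peers_identifier address 203.0.113.1;

        # Accept the peer's lifetime/PFS values if they differ from ours.
        proposal_check obey;

        proposal {
                # Era-appropriate algorithms (2004 concentrator); a modern
                # deployment would negotiate AES and a larger DH group.
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# psk.txt (mode 0600, owned by root) holds one "identifier  secret" line per
# peer. racoon selects the entry by the peer's identifier, which with
# peers_identifier address above is the concentrator's IP:
#
#   203.0.113.1    <shared-secret-agreed-with-the-Cisco-admin>
```

Two practical checks: confirm with `racoon -F -ddd` that phase 1 completes with the expected identifier (an ID mismatch shows up as the concentrator dropping the first aggressive-mode packet), and keep the PSK unique to this Lan to Lan entry rather than reusing the Base Group secret that every dynamic client shares, since in aggressive mode the PSK-derived authentication hash is exposed to anyone who can see the exchange and the secret can be attacked offline.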