On Tuesday 03 Mar 2015 19:52:14 Petric Frank wrote:
> Hello Mick,
>
> On Tuesday, 3 March 2015, 00:00:17, Mick wrote:
> > > The homepage on vpnc in chapter TODO tells:
> > > "phase2-rekeying is now supported as of svn revision 126!"
> > >
> > > Changelog states for 0.5.2:
> > > "Fix Phase 2 rekeying, by various authors"
> > >
> > > I don't know whether this is along your statement above.
> > >
> > > So it seems not to be completely fixed. The homepage has not been
> > > updated in the last 7 years.
> >
> > OK, then yes, it has been fixed and your problem is not related to that
> > old bug, but could it be a more recent regression?
>
> Maybe.
>
> > > > BTW, have you tried more actively developed VPN software like
> > > > strongswan (it has a networkmanager plugin) or even ipsec-tools
> > > > instead of vpnc, to see if you're getting the same problem? I think
> > > > that they should work with Cisco VPN gateways, although it may be
> > > > fiddly to set them up.
> > >
> > > I can find only ebuilds of (networkmanager-)openswan in the official
> > > tree.
> >
> > No, this is only good for the SSL VPN solution of Cisco.
>
> Good to know.
|
I beg your pardon, I typed too fast. I was referring to net-misc/openconnect,
which is an alternative client for Cisco AnyConnect SSL VPN. The
net-misc/openswan package is hard masked because of the security bug #499870.
You could try net-misc/libreswan instead, a fork of openswan. It may just work
with the net-misc/networkmanager-openswan plugin.
|
|
> > > strongswan is in the stable tree but not the networkmanager plugin.
> >
> > Are you sure? This is what I see here for strongswan-5.2.2
> >
> > [+caps +constraints curl debug dhcp eap farp gcrypt +gmp ldap mysql
> > networkmanager
> > ^^^^^^^^^^^^^^
> > +non-root +openssl pam pkcs11 sqlite strongswan_plugins_blowfish
> > strongswan_plugins_ccm strongswan_plugins_ctr strongswan_plugins_gcm
> > strongswan_plugins_ha strongswan_plugins_ipseckey +strongswan_plugins_led
> > +strongswan_plugins_lookip strongswan_plugins_ntru
> > strongswan_plugins_padlock strongswan_plugins_rdrand
> > +strongswan_plugins_systime-fix
> > strongswan_plugins_unbound +strongswan_plugins_unity
> > +strongswan_plugins_vici strongswan_plugins_whitelist]
>
> True, strongswan is in tree, but not networkmanager-strongswan
> (NetworkManager plugin).
|
My understanding is that as long as you enable the networkmanager plugin in
the strongswan package, it will interoperate with the networkmanager front end
- but I have not tried it. Reading now the relevant webpage it says that it
is *only* available for IKEv2 - so probably not good for your use case.
|
https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager
|
|
> > The latest version 5.2.2 has a bug with some IKEv1 implementations.
> > There is a patch proposed which works and will be included in the next
> > version 5.2.3 when released. If your VPN server is affected then you'll
> > have to apply the patch yourself in a local overlay:
> >
> > https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632
>
> Stable strongswan is already compiled and installed on my system. Any of
> the "strongswan_plugins_*" use flags I have to enable here?
|
Since its networkmanager plugin is only useful for IKEv2 I don't think it
would make any odds. You can enable it anyway and initially try it from the
command line (/etc/init.d/ipsec start) to see if it works with the Cisco VPN
gateway. If it does, then try it with the networkmanager front end, but I
don't expect this to work. If a GUI is a must for you, libreswan with the
net-misc/networkmanager-openswan plugin may be a better bet.
|
--
Regards,
Mick