| 1 |
On Tuesday 03 Mar 2015 19:52:14 Petric Frank wrote: |
| 2 |
> Hello Mick, |
| 3 |
> |
| 4 |
> Am Dienstag, 3. März 2015, 00:00:17 schrieb Mick: |
| 5 |
> > > The homepage on vpnc in chapter TODO tells: |
| 6 |
> > > "phase2-rekeying is now supported as of svn revision 126!" |
| 7 |
> > > |
| 8 |
> > > Changelog states for 0.5.2: |
| 9 |
> > > "Fix Phase 2 rekeying, by various authors" |
| 10 |
> > > |
| 11 |
> > > I don't know whether this is along your statement above. |
| 12 |
> > > |
| 13 |
> > > So it seems not to be completely fixed. The homepage is not updated the |
| 14 |
> > > last 7 years. |
| 15 |
> > |
| 16 |
> > OK, then yes, it has been fixed and your problem is not related to that |
| 17 |
> > old bug, but could it be a more recent regression? |
| 18 |
> |
| 19 |
> maybe. |
| 20 |
> |
| 21 |
> > > > BTW, have you tried more actively developed VPN software like |
| 22 |
> > > > strongswan (it has a networkmanager plugin) or even ipsec-tools |
| 23 |
> > > > instead of vpnc, to see if you're getting the same problem? I think |
| 24 |
> > > > that they should work with Cisco VPN gateways, although it may be |
| 25 |
> > > > fiddly to set them up. |
| 26 |
> > > |
| 27 |
> > > i can find only ebuilds of (networkmanager-)openswan in the official |
| 28 |
> > > tree. |
| 29 |
> > |
| 30 |
> > No, this only good for the SSL VPN solution of Cisco. |
| 31 |
> |
| 32 |
> good to know. |
| 33 |
|
| 34 |
I beg your pardon, I typed too fast. I was referring to net-misc/openconnect, |
| 35 |
which is an alternative client for Cisco AnyConnect SSL VPN. The net- |
| 36 |
misc/openswan package is hard masked because of the security bug #499870. You |
| 37 |
could try net-misc/libreswan instead, a fork of openswan. It may just work |
| 38 |
with the net-misc/networkmanager-openswan plugin. |
| 39 |
|
| 40 |
|
| 41 |
> > > strongswan is in the stable tree but not the networkmanager plugin. |
| 42 |
> > |
| 43 |
> > Are you sure? This is what I see here for strongswan-5.2.2 |
| 44 |
> > |
| 45 |
> > [+caps +constraints curl debug dhcp eap farp gcrypt +gmp ldap mysql |
| 46 |
> > networkmanager |
| 47 |
> > ^^^^^^^^^^^^^^ |
| 48 |
> > +non-root +openssl pam pkcs11 sqlite strongswan_plugins_blowfish |
| 49 |
> > strongswan_plugins_ccm strongswan_plugins_ctr strongswan_plugins_gcm |
| 50 |
> > strongswan_plugins_ha strongswan_plugins_ipseckey +strongswan_plugins_led |
| 51 |
> > +strongswan_plugins_lookip strongswan_plugins_ntru |
| 52 |
> > strongswan_plugins_padlock strongswan_plugins_rdrand |
| 53 |
> > +strongswan_plugins_systime-fix |
| 54 |
> > strongswan_plugins_unbound +strongswan_plugins_unity |
| 55 |
> > +strongswan_plugins_vici strongswan_plugins_whitelist] |
| 56 |
> |
| 57 |
> True, strongswan is in tree, but not networkmanager-strongswan |
| 58 |
> (NetworkManager plugin). |
| 59 |
|
| 60 |
My understanding is that as long as you enable the networkmanager plugin in |
| 61 |
the strongswan package, it will interoperate with the networkmanager front end |
| 62 |
- but I have not tried it. Reading now the relevant webpage it says that it |
| 63 |
is *only* available for IKEv2 - so probably not good for your use case. |
| 64 |
|
| 65 |
https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager |
| 66 |
|
| 67 |
|
| 68 |
> > The latest version 5.2.2 has a bug with some IKEv1 implementations. |
| 69 |
> > There is a patch proposed which works and will be included in the next |
| 70 |
> > version 5.2.3 when released. If your VPN server is affected then you'll |
| 71 |
> > have to apply the patch yourself in a local overlay: |
| 72 |
> > |
| 73 |
> > https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632 |
| 74 |
> |
| 75 |
> Stable strongswan is already compiled and installed on my system. Any of |
| 76 |
> the "strongswan_plugins_*" use flags i have to enable here ? |
| 77 |
|
| 78 |
Since its networkmanager plugin is only useful for IKEv2 I don't think it |
| 79 |
would make any odds. You can enable it anyway and initially try it from the |
| 80 |
command line (/etc/init.d/ipsec start) to see if it works with the Cisco VPN |
| 81 |
gateway. If it does, then try it with the networkmanager front end, but I |
| 82 |
don't expect this to work. If a GUI is a must for you, libreswan with the |
| 83 |
net-misc/networkmanager-openswan plugin may be a better bet. |
| 84 |
|
| 85 |
-- |
| 86 |
Regards, |
| 87 |
Mick |
Archives