Mailing List Archive: Cisco: NSP

Linux VPN client suggestion?

Index | Next | Previous | View Threaded

gsgranados at comcast

Nov 3, 2009, 10:34 AM

Post #1 of 24 (1656 views)
Permalink

Linux VPN client suggestion?

Hi all,
I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to
provide remote users access to network resources. I have one user who is
interested in a client for Linux (specifically CentOS) and not sure what to
suggest. Does anyone have any good pointers for a good client that I can
point him to?

Any pointers would be appreciated.

Thank you
Scott

_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

RGoldberg at compudyne

Nov 3, 2009, 10:42 AM

Post #2 of 24 (1624 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

I use vpnc all the time to connect to ASAs.

http://www.unix-ag.uni-kl.de/~massar/vpnc/

Ryan

> -----Original Message-----
> From: cisco-nsp-bounces [at] puck [mailto:cisco-nsp-
> bounces [at] puck] On Behalf Of Scott Granados
> Sent: Tuesday, November 03, 2009 12:34 PM
> To: cisco-nsp [at] puck
> Subject: [c-nsp] Linux VPN client suggestion?
>
> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
> to
> provide remote users access to network resources. I have one user who
> is
> interested in a client for Linux (specifically CentOS) and not sure
> what to
> suggest. Does anyone have any good pointers for a good client that I
> can
> point him to?
>
> Any pointers would be appreciated.
>
> Thank you
> Scott
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp [at] puck
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

BBlackford at nwresd

Nov 3, 2009, 10:46 AM

Post #3 of 24 (1625 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

VPNC

http://www.unix-ag.uni-kl.de/~massar/vpnc/

-b

-----Original Message-----
From: cisco-nsp-bounces [at] puck [mailto:cisco-nsp-bounces [at] puck] On Behalf Of Scott Granados
Sent: Tuesday, November 03, 2009 10:34 AM
To: cisco-nsp [at] puck
Subject: [c-nsp] Linux VPN client suggestion?

Hi all,
I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to
provide remote users access to network resources. I have one user who is
interested in a client for Linux (specifically CentOS) and not sure what to
suggest. Does anyone have any good pointers for a good client that I can
point him to?

Any pointers would be appreciated.

Thank you
Scott

_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

rwest at zyedge

Nov 3, 2009, 10:47 AM

Post #4 of 24 (1627 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

Scott,

There is support in the standard client for linux in the 4.x line, but none in the 5.x. Might also consider AnyConnect Essentials for ~$250 that allows for the SSL client in pretty much all flavors, including 64-bit support.

http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=4.8.02.0030&mdfid=281940729&sftType=VPN+Client+Software&optPlat=Linux&nodecount=2&edesignator=null&modelName=Cisco+VPN+Client+v4.x&treeMdfId=268438162&treeName=Security&modifmdfid=&imname=&hybrid=&imst=&lr=Y

-ryan

> -----Original Message-----
> From: cisco-nsp-bounces [at] puck [mailto:cisco-nsp-
> bounces [at] puck] On Behalf Of Scott Granados
> Sent: Tuesday, November 03, 2009 1:34 PM

> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
> to
> provide remote users access to network resources. I have one user who
> is
> interested in a client for Linux (specifically CentOS) and not sure
> what to
> suggest. Does anyone have any good pointers for a good client that I
> can
> point him to?
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

jeff at ocjtech

Nov 3, 2009, 10:50 AM

Post #5 of 24 (1623 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

On Tue, Nov 3, 2009 at 12:34 PM, Scott Granados <gsgranados [at] comcast> wrote:
>
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to
> provide remote users access to network resources. I have one user who is
> interested in a client for Linux (specifically CentOS) and not sure what to
> suggest. Does anyone have any good pointers for a good client that I can
> point him to?

vpnc - if your user enables the EPEL repositories he'll be able to
install it without any trouble:

https://fedoraproject.org/wiki/EPEL

--
Jeff Ollie
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

elparis at cisco

Nov 3, 2009, 10:53 AM

Post #6 of 24 (1624 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

Hi Scott,

On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:

> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
> to provide remote users access to network resources. I have one user who
> is interested in a client for Linux (specifically CentOS) and not sure
> what to suggest. Does anyone have any good pointers for a good client
> that I can point him to?
>
> Any pointers would be appreciated.

The Cisco VPN Client does support *some* versions of Linux. However, it
does not work with the latest versions of the Linux kernel so if you
user's kernel is recent (and unfortunately, "recent" doesn't really have
to be very recent) then the official Cisco VPN Client is not an option.

However, there is an open source VPN client that works with Cisco VPN
headends. I personally use and it works great:

http://www.unix-ag.uni-kl.de/~massar/vpnc/

It's included in pretty much all Linux distributions. A quick Google
search for "centos vpnc" turned this up as the first hit:

http://wiki.centos.org/HowTos/vpnc

Hope this helps.

Cheers,

--

Eloy Paris
Cisco PSIRT
Ph: +1 919 392-9118
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

nicotine at warningg

Nov 3, 2009, 10:57 AM

Post #7 of 24 (1620 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to
> provide remote users access to network resources. I have one user who is
> interested in a client for Linux (specifically CentOS) and not sure what to
> suggest. Does anyone have any good pointers for a good client that I can
> point him to?
>
> Any pointers would be appreciated.
>
> Thank you
> Scott
>

I believe the Anyconnect client is supported on Linux installs. Anyconnect
is supported on 8.x software versions, and Anyconnect Essentials
(Client-based tunnels only, no clientless SSL, supported in 8.2) licenses
are available for a low cost.

If your supported user count is low, and you do not currently utilize any
Anyconnect SSL slots, the base license allows a maximum of two active
Anyconnect clients without additional license purchase.

--
Brandon Ewing (nicotine [at] warningg)

gsgranados at comcast

Nov 3, 2009, 11:01 AM

Post #8 of 24 (1622 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

Hi all, looks like VPNC wins with Cisco anyconnect ssl VPN coming in second.
(I actually think we have a license for this feature set already)

Thanks as always for the great suggestions.

----- Original Message -----
From: "Eloy Paris" <elparis [at] cisco>
To: "Scott Granados" <gsgranados [at] comcast>
Cc: <cisco-nsp [at] puck>
Sent: Tuesday, November 03, 2009 10:53 AM
Subject: Re: [c-nsp] Linux VPN client suggestion?

> Hi Scott,
>
> On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
>
>> Hi all,
>> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
>> to provide remote users access to network resources. I have one user who
>> is interested in a client for Linux (specifically CentOS) and not sure
>> what to suggest. Does anyone have any good pointers for a good client
>> that I can point him to?
>>
>> Any pointers would be appreciated.
>
> The Cisco VPN Client does support *some* versions of Linux. However, it
> does not work with the latest versions of the Linux kernel so if you
> user's kernel is recent (and unfortunately, "recent" doesn't really have
> to be very recent) then the official Cisco VPN Client is not an option.
>
> However, there is an open source VPN client that works with Cisco VPN
> headends. I personally use and it works great:
>
> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>
> It's included in pretty much all Linux distributions. A quick Google
> search for "centos vpnc" turned this up as the first hit:
>
> http://wiki.centos.org/HowTos/vpnc
>
> Hope this helps.
>
> Cheers,
>
> --
>
> Eloy Paris
> Cisco PSIRT
> Ph: +1 919 392-9118

_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

moua0100 at umn

Nov 3, 2009, 11:11 AM

Post #9 of 24 (1624 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

yum install vpnc

you may need to "epel" repo for his.

Regards,
Ge Moua | Email: moua0100 [at] umn

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Scott Granados wrote:
> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN
> client to provide remote users access to network resources. I have
> one user who is interested in a client for Linux (specifically CentOS)
> and not sure what to suggest. Does anyone have any good pointers for
> a good client that I can point him to?
>
> Any pointers would be appreciated.
>
> Thank you
> Scott
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp [at] puck
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

szmetal at gmail

Nov 3, 2009, 11:37 AM

Post #10 of 24 (1619 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

http://www.shrew.net/software

<http://www.shrew.net/software>Regards,
Shawn Zandi

On Tue, Nov 3, 2009 at 10:53 PM, Eloy Paris <elparis [at] cisco> wrote:

> Hi Scott,
>
> On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
>
> > Hi all,
> > I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
> > to provide remote users access to network resources. I have one user who
> > is interested in a client for Linux (specifically CentOS) and not sure
> > what to suggest. Does anyone have any good pointers for a good client
> > that I can point him to?
> >
> > Any pointers would be appreciated.
>
> The Cisco VPN Client does support *some* versions of Linux. However, it
> does not work with the latest versions of the Linux kernel so if you
> user's kernel is recent (and unfortunately, "recent" doesn't really have
> to be very recent) then the official Cisco VPN Client is not an option.
>
> However, there is an open source VPN client that works with Cisco VPN
> headends. I personally use and it works great:
>
> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>
> It's included in pretty much all Linux distributions. A quick Google
> search for "centos vpnc" turned this up as the first hit:
>
> http://wiki.centos.org/HowTos/vpnc
>
> Hope this helps.
>
> Cheers,
>
> --
>
> Eloy Paris
> Cisco PSIRT
> Ph: +1 919 392-9118
>
>
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

szmetal at gmail

Nov 3, 2009, 11:54 AM

Post #11 of 24 (1616 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

Yes, ASA has built-in license for 2 concurrent SSL connection, SSL-VPN is
the better choice

On Tue, Nov 3, 2009 at 11:01 PM, Scott Granados <gsgranados [at] comcast>wrote:

> Hi all, looks like VPNC wins with Cisco anyconnect ssl VPN coming in
> second. (I actually think we have a license for this feature set already)
>
> Thanks as always for the great suggestions.
>
>
>
> ----- Original Message ----- From: "Eloy Paris" <elparis [at] cisco>
> To: "Scott Granados" <gsgranados [at] comcast>
> Cc: <cisco-nsp [at] puck>
> Sent: Tuesday, November 03, 2009 10:53 AM
> Subject: Re: [c-nsp] Linux VPN client suggestion?
>
>
>
> Hi Scott,
>>
>> On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
>>
>> Hi all,
>>> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
>>> to provide remote users access to network resources. I have one user who
>>> is interested in a client for Linux (specifically CentOS) and not sure
>>> what to suggest. Does anyone have any good pointers for a good client
>>> that I can point him to?
>>>
>>> Any pointers would be appreciated.
>>>
>>
>> The Cisco VPN Client does support *some* versions of Linux. However, it
>> does not work with the latest versions of the Linux kernel so if you
>> user's kernel is recent (and unfortunately, "recent" doesn't really have
>> to be very recent) then the official Cisco VPN Client is not an option.
>>
>> However, there is an open source VPN client that works with Cisco VPN
>> headends. I personally use and it works great:
>>
>> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>>
>> It's included in pretty much all Linux distributions. A quick Google
>> search for "centos vpnc" turned this up as the first hit:
>>
>> http://wiki.centos.org/HowTos/vpnc
>>
>> Hope this helps.
>>
>> Cheers,
>>
>> --
>>
>> Eloy Paris
>> Cisco PSIRT
>> Ph: +1 919 392-9118
>
>
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

berghauz at gmail

Nov 3, 2009, 12:54 PM

Post #12 of 24 (1618 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

>
> I believe the Anyconnect client is supported on Linux installs. Anyconnect
>
Yep. Cisco VPN support Linux.

WBR Aleksey Polyakoff ICQ:9001016
Mike Ditka <http://www.brainyquote.com/quotes/authors/m/mike_ditka.html> -
"If God had wanted man to play soccer, he wouldn't have given us arms."
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

brandon at burn

Nov 3, 2009, 1:01 PM

Post #13 of 24 (1621 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

On Tue, 3 Nov 2009, Brandon Ewing wrote:

> I believe the Anyconnect client is supported on Linux installs. Anyconnect
> is supported on 8.x software versions, and Anyconnect Essentials
> (Client-based tunnels only, no clientless SSL, supported in 8.2) licenses
> are available for a low cost.
>
> If your supported user count is low, and you do not currently utilize any
> Anyconnect SSL slots, the base license allows a maximum of two active
> Anyconnect clients without additional license purchase.
>
> --
> Brandon Ewing (nicotine [at] warningg)
>

I'm still on old PIXes here, but looking to the future (and I'm a linux
guy) I found Openconnect.

http://www.infradead.org/openconnect.html

>From what I've read the Cisco Anyconnect client for Linux suffers problems
again, not kernel level but SSL / library / 32/64 bit issues. Openconnect
reads like it's a lot cleaner than all the workarounds to get Anyconnect
working.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151. This is the serial number, of our orbital gun."

_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

nsp at sky-haven

Nov 3, 2009, 1:13 PM

Post #14 of 24 (1617 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

Scott Granados wrote:
> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
> to provide remote users access to network resources. I have one user
> who is interested in a client for Linux (specifically CentOS) and not
> sure what to suggest. Does anyone have any good pointers for a good
> client that I can point him to?
>
> Any pointers would be appreciated.

Have had good luck with VPNC on Linux. You can try the ShrewSoft Linux
client (http://www.shrew.net/) as well if you're of a mind, but vpnc
tends to win on simplicity.

If yourself (or your user) is a bit of a sick puppy[1], you can actually
get things working with Linux IPsec-tools (e.g. Racoon and XFRM). But I
advise against it unless the Linux station in question is obligated to
maintain existing IPsec sessions. In this case, neither vpnc or
ShrewSoft (or probably anything else IPsec-based) will work since both
IPsec-tools and vpnc will insist on binding a listener on 500/udp.

Best,
Lance Dryden

[1] For non-Americans, this means something like "a fan of tinkering
with Linux, perhaps to the point of obsession."

_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

kgraham at industrial-marshmallow

Nov 5, 2009, 1:48 AM

Post #15 of 24 (1572 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

> Have had good luck with VPNC on Linux. You can try the ShrewSoft Linux
> client (http://www.shrew.net/) as well if you're of a mind, but vpnc
> tends to win on simplicity.

Out of curiosity, how much actual functionality of the Unity/AnyConnect/etc
VPN software are any of you using? L2TP+IPSec is a pretty straightforward
config (even w/ VRF-lite) and is doable w/ just a ADVSECURITY license.

Most Linux distros, Windows (going back to at least XP), OS X, Windows
Mobile (to at least 5) and the iPhone all support it out of the box..
RFC3948 support is also very common, allowing easy NAT traversal.
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

asturluismi at gmail

Nov 5, 2009, 9:56 AM

Post #16 of 24 (1568 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

Ubuntu karmic 9.10 here, using graphic gnome vpn assistant (which uses
vpnc in the background) and zero poblems against a vpn3030

El mar, 03-11-2009 a las 11:01 -0800, Scott Granados escribi�:
> Hi all, looks like VPNC wins with Cisco anyconnect ssl VPN coming in second.
> (I actually think we have a license for this feature set already)
>
> Thanks as always for the great suggestions.
>
>
>
> ----- Original Message -----
> From: "Eloy Paris" <elparis [at] cisco>
> To: "Scott Granados" <gsgranados [at] comcast>
> Cc: <cisco-nsp [at] puck>
> Sent: Tuesday, November 03, 2009 10:53 AM
> Subject: Re: [c-nsp] Linux VPN client suggestion?
>
>
> > Hi Scott,
> >
> > On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
> >
> >> Hi all,
> >> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
> >> to provide remote users access to network resources. I have one user who
> >> is interested in a client for Linux (specifically CentOS) and not sure
> >> what to suggest. Does anyone have any good pointers for a good client
> >> that I can point him to?
> >>
> >> Any pointers would be appreciated.
> >
> > The Cisco VPN Client does support *some* versions of Linux. However, it
> > does not work with the latest versions of the Linux kernel so if you
> > user's kernel is recent (and unfortunately, "recent" doesn't really have
> > to be very recent) then the official Cisco VPN Client is not an option.
> >
> > However, there is an open source VPN client that works with Cisco VPN
> > headends. I personally use and it works great:
> >
> > http://www.unix-ag.uni-kl.de/~massar/vpnc/
> >
> > It's included in pretty much all Linux distributions. A quick Google
> > search for "centos vpnc" turned this up as the first hit:
> >
> > http://wiki.centos.org/HowTos/vpnc
> >
> > Hope this helps.
> >
> > Cheers,
> >
> > --
> >
> > Eloy Paris
> > Cisco PSIRT
> > Ph: +1 919 392-9118
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp [at] puck
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

cjk at klement

Nov 5, 2009, 10:48 AM

Post #17 of 24 (1567 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

One important thing to remember is that VPNC can ignore pretty much any
policy sent down from the concentrator. This includes split tunnelling as
well as client versioning.

This is one of the reasons that I've been pushing the company I work for
towards anyconnect.

On Thu, Nov 5, 2009 at 9:56 AM, luismi <asturluismi [at] gmail> wrote:

> Ubuntu karmic 9.10 here, using graphic gnome vpn assistant (which uses
> vpnc in the background) and zero poblems against a vpn3030
>
> El mar, 03-11-2009 a las 11:01 -0800, Scott Granados escribi�:
> > Hi all, looks like VPNC wins with Cisco anyconnect ssl VPN coming in
> second.
> > (I actually think we have a license for this feature set already)
> >
> > Thanks as always for the great suggestions.
> >
> >
> >
> > ----- Original Message -----
> > From: "Eloy Paris" <elparis [at] cisco>
> > To: "Scott Granados" <gsgranados [at] comcast>
> > Cc: <cisco-nsp [at] puck>
> > Sent: Tuesday, November 03, 2009 10:53 AM
> > Subject: Re: [c-nsp] Linux VPN client suggestion?
> >
> >
> > > Hi Scott,
> > >
> > > On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
> > >
> > >> Hi all,
> > >> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN
> client
> > >> to provide remote users access to network resources. I have one user
> who
> > >> is interested in a client for Linux (specifically CentOS) and not sure
> > >> what to suggest. Does anyone have any good pointers for a good client
> > >> that I can point him to?
> > >>
> > >> Any pointers would be appreciated.
> > >
> > > The Cisco VPN Client does support *some* versions of Linux. However, it
> > > does not work with the latest versions of the Linux kernel so if you
> > > user's kernel is recent (and unfortunately, "recent" doesn't really
> have
> > > to be very recent) then the official Cisco VPN Client is not an option.
> > >
> > > However, there is an open source VPN client that works with Cisco VPN
> > > headends. I personally use and it works great:
> > >
> > > http://www.unix-ag.uni-kl.de/~massar/vpnc/<http://www.unix-ag.uni-kl.de/%7Emassar/vpnc/>
> > >
> > > It's included in pretty much all Linux distributions. A quick Google
> > > search for "centos vpnc" turned this up as the first hit:
> > >
> > > http://wiki.centos.org/HowTos/vpnc
> > >
> > > Hope this helps.
> > >
> > > Cheers,
> > >
> > > --
> > >
> > > Eloy Paris
> > > Cisco PSIRT
> > > Ph: +1 919 392-9118
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp [at] puck
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp [at] puck
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

jmayer at loplof

Nov 5, 2009, 12:00 PM

Post #18 of 24 (1566 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

On Thu, Nov 05, 2009 at 10:48:29AM -0800, Charles Klement wrote:
> One important thing to remember is that VPNC can ignore pretty much any
> policy sent down from the concentrator. This includes split tunnelling as
> well as client versioning.
>
> This is one of the reasons that I've been pushing the company I work for
> towards anyconnect.

Oh, and for anyconnect there isn't such a workaround?

ciao
Joerg
--
Joerg Mayer <jmayer [at] loplof>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

jmayer at loplof

Nov 5, 2009, 12:01 PM

Post #19 of 24 (1565 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

On Thu, Nov 05, 2009 at 10:48:29AM -0800, Charles Klement wrote:
> One important thing to remember is that VPNC can ignore pretty much any
> policy sent down from the concentrator. This includes split tunnelling as
> well as client versioning.

And since a recent patch even the Firewall requirements :-)

Ciao
Joerg
--
Joerg Mayer <jmayer [at] loplof>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

elparis at cisco

Nov 5, 2009, 12:59 PM

Post #20 of 24 (1565 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

Hi Charles,

On Thu, Nov 05, 2009 at 10:48:29AM -0800, Charles Klement wrote:

> One important thing to remember is that VPNC can ignore pretty much
> any policy sent down from the concentrator. This includes split
> tunnelling as well as client versioning.
>
> This is one of the reasons that I've been pushing the company I work
> for towards anyconnect.

I would think that OpenConnect (OpenConnect is to AnyConnect what vpnc
is to the Cisco VPN Client) suffers from the same lack of enforcement
issues. And even if the authors tried to enforce policies it should be
easy to modify OpenConnect so it doesn't enforce anything.

Don't get me wrong -- it's a good thing to move to AnyConnect since no
new features are being added to the old Cisco VPN Client; I just don't
think that policy enforcement is a good reason to justify a migration.

Cheers,

Eloy Paris.-
Cisco PSIRT

> On Thu, Nov 5, 2009 at 9:56 AM, luismi <asturluismi [at] gmail> wrote:
>
> > Ubuntu karmic 9.10 here, using graphic gnome vpn assistant (which uses
> > vpnc in the background) and zero poblems against a vpn3030
> >
> > El mar, 03-11-2009 a las 11:01 -0800, Scott Granados escribi�:
> > > Hi all, looks like VPNC wins with Cisco anyconnect ssl VPN coming in
> > second.
> > > (I actually think we have a license for this feature set already)
> > >
> > > Thanks as always for the great suggestions.
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Eloy Paris" <elparis [at] cisco>
> > > To: "Scott Granados" <gsgranados [at] comcast>
> > > Cc: <cisco-nsp [at] puck>
> > > Sent: Tuesday, November 03, 2009 10:53 AM
> > > Subject: Re: [c-nsp] Linux VPN client suggestion?
> > >
> > >
> > > > Hi Scott,
> > > >
> > > > On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
> > > >
> > > >> Hi all,
> > > >> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN
> > client
> > > >> to provide remote users access to network resources. I have one user
> > who
> > > >> is interested in a client for Linux (specifically CentOS) and not sure
> > > >> what to suggest. Does anyone have any good pointers for a good client
> > > >> that I can point him to?
> > > >>
> > > >> Any pointers would be appreciated.
> > > >
> > > > The Cisco VPN Client does support *some* versions of Linux. However, it
> > > > does not work with the latest versions of the Linux kernel so if you
> > > > user's kernel is recent (and unfortunately, "recent" doesn't really
> > have
> > > > to be very recent) then the official Cisco VPN Client is not an option.
> > > >
> > > > However, there is an open source VPN client that works with Cisco VPN
> > > > headends. I personally use and it works great:
> > > >
> > > > http://www.unix-ag.uni-kl.de/~massar/vpnc/<http://www.unix-ag.uni-kl.de/%7Emassar/vpnc/>
> > > >
> > > > It's included in pretty much all Linux distributions. A quick Google
> > > > search for "centos vpnc" turned this up as the first hit:
> > > >
> > > > http://wiki.centos.org/HowTos/vpnc
> > > >
> > > > Hope this helps.
> > > >
> > > > Cheers,
> > > >
> > > > --
> > > >
> > > > Eloy Paris
> > > > Cisco PSIRT
> > > > Ph: +1 919 392-9118
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list cisco-nsp [at] puck
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp [at] puck
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> _______________________________________________
> cisco-nsp mailing list cisco-nsp [at] puck
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

cjk at klement

Nov 5, 2009, 1:20 PM

Post #21 of 24 (1565 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

Oh well, I guess policy enforcement will just have to be via the HR
department rather than a technical solution. :)

On Thu, Nov 5, 2009 at 12:59 PM, Eloy Paris <elparis [at] cisco> wrote:

> Hi Charles,
>
> On Thu, Nov 05, 2009 at 10:48:29AM -0800, Charles Klement wrote:
>
> > One important thing to remember is that VPNC can ignore pretty much
> > any policy sent down from the concentrator. This includes split
> > tunnelling as well as client versioning.
> >
> > This is one of the reasons that I've been pushing the company I work
> > for towards anyconnect.
>
> I would think that OpenConnect (OpenConnect is to AnyConnect what vpnc
> is to the Cisco VPN Client) suffers from the same lack of enforcement
> issues. And even if the authors tried to enforce policies it should be
> easy to modify OpenConnect so it doesn't enforce anything.
>
> Don't get me wrong -- it's a good thing to move to AnyConnect since no
> new features are being added to the old Cisco VPN Client; I just don't
> think that policy enforcement is a good reason to justify a migration.
>
> Cheers,
>
> Eloy Paris.-
> Cisco PSIRT
>
> > On Thu, Nov 5, 2009 at 9:56 AM, luismi <asturluismi [at] gmail> wrote:
> >
> > > Ubuntu karmic 9.10 here, using graphic gnome vpn assistant (which uses
> > > vpnc in the background) and zero poblems against a vpn3030
> > >
> > > El mar, 03-11-2009 a las 11:01 -0800, Scott Granados escribi�:
> > > > Hi all, looks like VPNC wins with Cisco anyconnect ssl VPN coming in
> > > second.
> > > > (I actually think we have a license for this feature set already)
> > > >
> > > > Thanks as always for the great suggestions.
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Eloy Paris" <elparis [at] cisco>
> > > > To: "Scott Granados" <gsgranados [at] comcast>
> > > > Cc: <cisco-nsp [at] puck>
> > > > Sent: Tuesday, November 03, 2009 10:53 AM
> > > > Subject: Re: [c-nsp] Linux VPN client suggestion?
> > > >
> > > >
> > > > > Hi Scott,
> > > > >
> > > > > On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
> > > > >
> > > > >> Hi all,
> > > > >> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN
> > > client
> > > > >> to provide remote users access to network resources. I have one
> user
> > > who
> > > > >> is interested in a client for Linux (specifically CentOS) and not
> sure
> > > > >> what to suggest. Does anyone have any good pointers for a good
> client
> > > > >> that I can point him to?
> > > > >>
> > > > >> Any pointers would be appreciated.
> > > > >
> > > > > The Cisco VPN Client does support *some* versions of Linux.
> However, it
> > > > > does not work with the latest versions of the Linux kernel so if
> you
> > > > > user's kernel is recent (and unfortunately, "recent" doesn't really
> > > have
> > > > > to be very recent) then the official Cisco VPN Client is not an
> option.
> > > > >
> > > > > However, there is an open source VPN client that works with Cisco
> VPN
> > > > > headends. I personally use and it works great:
> > > > >
> > > > > http://www.unix-ag.uni-kl.de/~massar/vpnc/<http://www.unix-ag.uni-kl.de/%7Emassar/vpnc/>
> <http://www.unix-ag.uni-kl.de/%7Emassar/vpnc/>
> > > > >
> > > > > It's included in pretty much all Linux distributions. A quick
> Google
> > > > > search for "centos vpnc" turned this up as the first hit:
> > > > >
> > > > > http://wiki.centos.org/HowTos/vpnc
> > > > >
> > > > > Hope this helps.
> > > > >
> > > > > Cheers,
> > > > >
> > > > > --
> > > > >
> > > > > Eloy Paris
> > > > > Cisco PSIRT
> > > > > Ph: +1 919 392-9118
> > > >
> > > > _______________________________________________
> > > > cisco-nsp mailing list cisco-nsp [at] puck
> > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list cisco-nsp [at] puck
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp [at] puck
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

jeff at ocjtech

Nov 5, 2009, 1:52 PM

Post #22 of 24 (1567 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

On Thu, Nov 5, 2009 at 3:20 PM, Charles Klement <cjk [at] klement> wrote:
> Oh well, I guess policy enforcement will just have to be via the HR
> department rather than a technical solution. :)

Which is where it belongs anyway.

--
Jeff Ollie
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

jeff at ocjtech

Nov 5, 2009, 1:52 PM

Post #23 of 24 (1565 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

gsgranados at comcast

Nov 5, 2009, 2:04 PM

Post #24 of 24 (1566 views)
Permalink

Re: Linux VPN client suggestion? [In reply to]

I second that.

Besides, we're talking about a flavor of Unix here not a Microsoft rough
approximation of an operating system. Policies are for the week windows
users who don't know better and who think a registry is something you have
for weddings. Besides, your group policies can be undone with a resourceful
end user and a live boot Linux cd with the correct tool set. If you don't
trust your employees you might consider keeping them out of the building
because we all know that physical access trumps most other types.;)

----- Original Message -----
From: "Jeffrey Ollie" <jeff [at] ocjtech>
To: <cisco-nsp [at] puck>
Sent: Thursday, November 05, 2009 1:52 PM
Subject: Re: [c-nsp] Linux VPN client suggestion?

> On Thu, Nov 5, 2009 at 3:20 PM, Charles Klement <cjk [at] klement> wrote:
>> Oh well, I guess policy enforcement will just have to be via the HR
>> department rather than a technical solution. :)
>
> Which is where it belongs anyway.
>
> --
> Jeff Ollie
> _______________________________________________
> cisco-nsp mailing list cisco-nsp [at] puck
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads