Connect to Cisco VPN server from FreeBSD?

Scott Mitchell scott+lists.freebsd at
Sun Aug 14 17:14:36 GMT 2005

On Sun, Apr 10, 2005 at 04:38:34PM +0100, Scott Mitchell wrote:
> Hi all,
> As in the subject - has anyone managed to get a FreeBSD machine to connect
> to a Cisco VPN server, using IPSec and 2-factor authentication (password +
> SecurID card)?  My employer has been acquired by another company, and this
> will soon be the only remote-access method available.  Linux client
> software exists, but given that it relies on a kernel module I'm not
> holding out much hope of it working.  The security/vpnc port looks like it
> might be useful.  No idea if racoon + FreeBSD native IPSec can be persuaded
> to do the SecurID authentication.

In case this is useful to anybody else - 

Finally got my SecurID card and can report that it works very well with the
latest security/vpnc port.  I had to decode the "group password" in the
config file for the Cisco client I was given, but the vpnc web page has a
handy service for doing just that.  Apart from that, it just worked.

The vpnc client doesn't support re-keying, so the connection hangs when the
other side decides to do this.  I'm mostly just connecting to machines at
work over VNC or rdesktop, so this is no big deal for me - just re-connect.
It also doesn't deal well with requests to re-authenticate after the
SecurID token changes, which I think only happen if you get your password
wrong.  It does seem to correctly handle any DNS and split-tunnelling setup
requested by the server, although you can tweak the connect script to
ignore all that stuff if it annoys you :-)

I'm connecting to a Cisco 2600 series router, with SecurID authentication
done by some RADIUS server at another site.  Haven't tried, but I expect I
would have no trouble connecting to our central Cisco 3000 VPN concentrator


Scott Mitchell           | PGP Key ID | "Eagles may soar, but weasels
Cambridge, England       | 0x54B171B9 |  don't get sucked into jet engines"
scott at | 0xAA775B8B |      -- Anon

More information about the freebsd-questions mailing list