Running Cisco Systems VPN Client with FreeBSD

Matthias Apitz m.apitz at
Mon Oct 23 11:44:01 UTC 2006

El día Monday, October 23, 2006 a las 11:39:31AM +0100, Alexandre Vieira escribió:

> Hello,
> I'm installing the machine atm. I will still have to read about vpnc in
> order to migrate client profiles (I have the cisco client profiles) to the
> vpnc config files.

I'm attaching you what I have stored in my private how-to area about
the vpnc configuration, hope it helps you

Matthias Apitz
Manager Technical Support - OCLC PICA GmbH
Gruenwalder Weg 28g - 82041 Oberhaching - Germany
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e <m.apitz at> - w
-------------- next part --------------

$Id: vpnc.txt,v 1.3 2006/10/23 11:38:39 guru Exp $

messages from "make install":

===>  Installing for vpnc-0.3.3_1

/bin/mkdir -p /usr/local/share/doc/vpnc

      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.

      This port has installed the following startup scripts which may cause
      these network services to be started at boot time.

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:

to config:


IPSec gateway
IPSec ID aaaaaaaaaa
IPSec secret bbbbbbbbbb
Xauth username xxxxxxxx
Xauth password xxxxxxxx

some comments about how it works:

- the gateway is contacted first on UDP 500 and later on 4500 as
  proposed by the server;
- the 'aaaaaaaaaa' (IPSec ID) is Cisco's 'GroupName' value;
- the 'bbbbbbbbbb' (IPSec secret) is Cisco's 'enc_GroupPwd' but in
  clear text; there is a tool to recalculate the clear text GroupPwd
  which is written in C in may be fetched from:
  (local copy is in ~guru/sysSrc/cisco-decrypt.c) and may be compiled
  $ gcc -o cisco-decrypt -I/usr/local/include cisco-decrypt.c -L/usr/local/lib -lgcrypt

you lauch it just as root with:

# vpnc --no-detach

routings, /etc/resolv.conf are set/reset on up and down via a call
to a script /usr/local/sbin/vpnc-script

in our case /etc/resolv.conf gets changed to:

#@VPNC_GENERATED@ -- this file is generated by vpnc
# and will be overwritten by vpnc
# as long as the above mark is intact
nameserver ...........

the routings to the various networks the Concentrator knows
are also set and unset by the above script if the Concentrator
provided 'split-network settings'; they are passed as environment
variables to /usr/local/sbin/vpnc-script

that's all

More information about the freebsd-questions mailing list