Matthias Apitz guru at unixarea.de
Sat Feb 22 08:41:33 UTC 2014

El día Saturday, February 22, 2014 a las 11:51:23AM +0330, Farzin Falahati escribió:

> hello all,
> i  wanna create an ipsec tunnel between my FreeBSD and a Cisco router. i
> have FreeBSD 9.2 with ipsec-tools 0.8.0. is it possible? you know i
> struggle to do it in FreeBSD 8.2 but unfortunately i can't do that. now i
> migrate to FreeBSD 9.2 and i heard that ipsec is changed to be more
> standard in it. so is it possible to create an ipsec tunnel between
> freebsd9.2 and a Cisco router or not?


I've checked my old files from around 2007/2008 and I was using
something like:

# vpnc --no-detach --gateway xxx.xxx.xxx.xxx --id ipsec --username  xxxxxx

and some configuration file like (see attached notes).

the 'secret' must have been extracted from the a crypted value which your Cisco
admin generated for the access; there was/is some C-written tool to do
the extraction.

I'm attaching my notes from how to configure this;

I do not use it anymore, so I can't help with tests.


Sent from my FreeBSD netbook

Matthias Apitz, <guru at unixarea.de>, http://www.unixarea.de/ f: +49-170-4527211
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
-------------- next part --------------

$Id: vpnc.txt,v 1.5 2007/06/11 14:07:41 guru Exp $

messages from "make install":

===>  Installing for vpnc-0.3.3_1

/bin/mkdir -p /usr/local/share/doc/vpnc

      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.

      This port has installed the following startup scripts which may cause
      these network services to be started at boot time.

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage: 

to config:


IPSec gateway xxx.xxx.xxx.xxx
IPSec ID aaaaaaaaaa
IPSec secret bbbbbbbbbb
Xauth username xxxxxxxx
Xauth password xxxxxxxx

some comments about how it works:

- the gateway is contacted first on UDP 500 and later on 4500 as
  proposed by the server;
- the 'aaaaaaaaaa' (IPSec ID) is Cisco's 'GroupName' value;
- the 'bbbbbbbbbb' (IPSec secret) is Cisco's 'enc_GroupPwd' but in
  clear text; there is a tool to recalculate the clear text GroupPwd
  which is written in C in may be fetched from:
  (local copy is in ~guru/sysSrc/cisco-decrypt.c) and may be compiled
  $ gcc -o cisco-decrypt -I/usr/local/include cisco-decrypt.c -L/usr/local/lib -lgcrypt

you lauch it just as root with:

# vpnc --no-detach
# vpnc --no-detach --debug 3 --udp(?)

routings, /etc/resolv.conf are set/reset on up and down via a call
to a script /usr/local/sbin/vpnc-script

in our case /etc/resolv.conf gets changed to:

#@VPNC_GENERATED@ -- this file is generated by vpnc
# and will be overwritten by vpnc
# as long as the above mark is intact
domain blabla.de 
nameserver xxx.xxx.xxx.xxx

the routings to the various networks the Concentrator knows
are also set and unset by the above script if the Concentrator
provided 'split-network settings'; they are passed as environment
variables to /usr/local/sbin/vpnc-script

that's all

More information about the freebsd-questions mailing list