Mailing List Archive

cert+username+password authentication
I am trying to connect using user certificate authentication and I can't get it working.
I compiled vpnc with OPENSSL_GPL_VIOLATION and it accepts hybrid authentication, but I can't find the correct configurations.

In the windows client I select the option "Certificate authentication" and I import 3 certificates: the CA, the server and the client.

For using it with vpnc, I converted them to .pem but I don't know how to tell vpnc to use them. I tried CA-File but making strace I don't see the program reading this file nor searching for any other certificate.

Another problem is vpnc always asks me for ipsec id and ipsec secret but in this mode the windows client only uses user and password. Then I think maybe it is not using this option.

The documentation mentions a --hybrid command-line option but it is not accepted and I don't see it in the source code.

--

Alejandro Vargas
Departamento de sistemas
607760045
anv@zener.es
www.zener.es || Linkedin: GrupoZener
Re: cert+username+password authentication
On Tue, 2017-02-14 at 15:38 +0100, Alejandro Vargas wrote:
> I am trying to connect using user certificate authentication and I
> can't get it working.
> I compiled vpnc with OPENSSL_GPL_VIOLATION and it accepts hybrid
> authentication, but I can't find the correct configurations.
>
> In the windows client I select the option "Certificate
> authentication" and I import 3 certificates: the CA, the server and
> the client.
>
> For using it with vpnc, I converted them to .pem but I don't know how
> to tell vpnc to use them. I tried CA-File but making strace I don't
> see the program reading this file nor searching for any other
> certificate.
>
> Another problem is vpnc always asks me for ipsec id and ipsec secret
> but in this mode the windows client only uses user and password. Then
> I think maybe it is not using this option.
>
> The documentation mentions a --hybrid command-line option but it is
> not accepted and I don't see it in the source code.

vpnc is not particularly well maintained and hasn't had a real release
in a very long time. The Hybrid option only exists in SVN trunk, even
though it was committed to SVN years ago. So unless you have a vpnc
build from trunk, you won't have the hybrid mode option.

I think you'd use these options (along with the others for xauth):

--auth-mode=hybrid
--ca-file=<path to the CA certificate in PEM/DER format>

vpnc doesn't support client certificates, it only supports receiving
and verifying the server's certificate against the given CA.

There are references to '--auth-mode=cert' which wouldn't involve XAUTH
(and thus wouldn't need the ipsec id or ipsec secret) but AFAICT that
never was fully implemented. You might be out of luck there.

Dan
_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
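Since vpnc in hybrid mode only verifies the gateway's certificate against the CA you pass with --ca-file, it is worth confirming offline that the exported CA actually signs the gateway certificate before blaming vpnc. The script below is an added example, not code from the vpnc project: it normalises DER or PEM input, runs the same chain check with openssl, and only then starts vpnc with the options Dan names. It assumes openssl is installed, a trunk vpnc that accepts --auth-mode and --ca-file, and placeholder gateway, group and user names.

```shell
#!/bin/sh
# Added example (not vpnc project code). Assumes: openssl on PATH and a
# vpnc trunk build that understands --auth-mode=hybrid and --ca-file=.

# to_pem FILE OUT: copy FILE to OUT as PEM, converting from DER if needed.
to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        cp "$1" "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null
    fi
}

# check_gateway_ca CA SERVER_CERT: return 0 only if SERVER_CERT chains to CA.
# This mirrors the check vpnc performs on the gateway certificate during
# hybrid IKE; a failure here means the wrong CA was exported from Windows.
check_gateway_ca() {
    tmp=$(mktemp -d) || return 2
    if ! to_pem "$1" "$tmp/ca.pem" || ! to_pem "$2" "$tmp/server.pem"; then
        rm -rf "$tmp"
        return 2
    fi
    if openssl verify -CAfile "$tmp/ca.pem" "$tmp/server.pem" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# connect_hybrid CA SERVER_CERT GATEWAY GROUP USER: verify the CA, then run
# vpnc in hybrid mode (XAUTH user/password is still prompted for by vpnc).
connect_hybrid() {
    if ! check_gateway_ca "$1" "$2"; then
        echo "CA file does not sign the gateway certificate; not connecting" >&2
        return 1
    fi
    exec vpnc --auth-mode=hybrid "--ca-file=$1" --gateway "$3" --id "$4" --username "$5"
}
```

Run `connect_hybrid ca.pem gateway.pem vpn.example.invalid mygroup myuser` with the certificates exported from the Windows client; the gateway certificate can be taken from the same export or captured from the IKE exchange.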
Re: cert+username+password authentication
On Tuesday, February 14, 2017 18:47 CET, Dan Williams <dcbw@redhat.com> wrote:
> vpnc doesn't support client certificates, it only supports receiving
> and verifying the server's certificate against the given CA.
>
> There are references to '--auth-mode=cert' which wouldn't involve XAUTH
> (and thus wouldn't need the ipsec id or ipsec secret) but AFAICT that
> never was fully implemented. You might be out of luck there.

Is there any other way to connect to a cisco vpn with user certificates? I was checking the official client "vpnclient" but it is proprietary software that works only with old kernels.
I was able to get it working on a virtual machine with a 2010 linux version... but can't control the routes and it intercepts all ip traffic... and it needs an old kernel and crashes from time to time...

It is strange that there is not any working linux client for this...

--

Alejandro Vargas
Departamento de sistemas
607760045
anv@zener.es
www.zener.es || Linkedin: GrupoZener