vpn: how to complicate your life

Source

Let's continue the story started on a wonderful day.

Of course I didn't give up just like that. Instead, I discovered that the lack of openssl support in the version of vpnc shipped with all current distributions is due to a licensing issue. Thus encouraged, I got the rpms of vpnc and compiled it with openssl support enabled ... but I was still unable to establish a connection to our gateway. After some research, I found that vpnc does not (yet?) support a certificate-based client authentication despite its option 'auth-mode cert' ... Note that this way of authenticating inbound connections is the only sensible one within the framework of a PKI infrastructure, and is thus the way we are enforcing.

After this ... eehhhh ... illuminating experience, I grew quite hesitant to keep myself busy with this obviously complicated issue. Ok, after installing new kernel versions, I've always tried to connect using the Cisco vpnclient (*shudder*), and indeed, there has been a certain improvement: since 2.6.29.1 I did not experience a kernel panic anymore. Instead, the client connects happily with our gateway, and then just sits there ... doing exactly nothing. Not even a ping will work. 😄

Today, I've checked tuxx-home for updates. Hey, an update from May 20 ... let's try!

Welcome back, kernel panic. 😞

If you're now under the impression that the Cisco vpnclient is a promising candidate for the worst-software-on-this-planet contest, you're wrong. It's the clear winner (check out the 64 bit and SMP issues which exist for all platforms, including Windows).

Are there alternatives? We have seen above that vpnc is not a viable replacement for me. A quick search in the net shows that most discussions of alternatives revolve around the ShrewSoft client, and the FreeS/Wan implementations OpenSwan and StrongSwan.

If you now expect a test of these clients, I have to disappoint you. I really can't be bothered with responsibilities of others, and I anyway don't have the time for it. No, I leave that to the guy who sold us the Cisco ASA and promised a functional vpn. Mr. Network Professional. 😉

Update: Turned out that Mr. Network Professional has not enabled SSL on our Cisco ASA, so that the openssl support of vpnc did not matter at all. Bummer.