[c-nsp] Linux VPN client suggestion?

Eloy Paris elparis at cisco.com
Thu Nov 5 15:59:13 EST 2009


Hi Charles,

On Thu, Nov 05, 2009 at 10:48:29AM -0800, Charles Klement wrote:

> One important thing to remember is that VPNC can ignore pretty much
> any policy sent down from the concentrator. This includes split
> tunnelling as well as client versioning.
>
> This is one of the reasons that I've been pushing the company I work
> for towards anyconnect.

I would think that OpenConnect (OpenConnect is to AnyConnect what vpnc
is to the Cisco VPN Client) suffers from the same lack of enforcement
issues. And even if the authors tried to enforce policies it should be
easy to modify OpenConnect so it doesn't enforce anything.

Don't get me wrong -- it's a good thing to move to AnyConnect since no
new features are being added to the old Cisco VPN Client; I just don't
think that policy enforcement is a good reason to justify a migration.

Cheers,

Eloy Paris.-
Cisco PSIRT

> On Thu, Nov 5, 2009 at 9:56 AM, luismi <asturluismi at gmail.com> wrote:
> 
> > Ubuntu karmic 9.10 here, using graphic gnome vpn assistant (which uses
> > vpnc in the background) and zero problems against a vpn3030
> >
> > On Tue, 03-11-2009 at 11:01 -0800, Scott Granados wrote:
> > > Hi all, looks like VPNC wins with Cisco anyconnect ssl VPN coming in second.
> > > (I actually think we have a license for this feature set already)
> > >
> > > Thanks as always for the great suggestions.
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Eloy Paris" <elparis at cisco.com>
> > > To: "Scott Granados" <gsgranados at comcast.net>
> > > Cc: <cisco-nsp at puck.nether.net>
> > > Sent: Tuesday, November 03, 2009 10:53 AM
> > > Subject: Re: [c-nsp] Linux VPN client suggestion?
> > >
> > >
> > > > Hi Scott,
> > > >
> > > > On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
> > > >
> > > >> Hi all,
> > > >> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client
> > > >> to provide remote users access to network resources.  I have one user who
> > > >> is interested in a client for Linux (specifically CentOS) and not sure
> > > >> what to suggest.  Does anyone have any good pointers for a good client
> > > >> that I can point him to?
> > > >>
> > > >> Any pointers would be appreciated.
> > > >
> > > > The Cisco VPN Client does support *some* versions of Linux. However, it
> > > > does not work with the latest versions of the Linux kernel so if your
> > > > user's kernel is recent (and unfortunately, "recent" doesn't really have
> > > > to be very recent) then the official Cisco VPN Client is not an option.
> > > >
> > > > However, there is an open source VPN client that works with Cisco VPN
> > > > headends. I personally use it and it works great:
> > > >
> > > > http://www.unix-ag.uni-kl.de/~massar/vpnc/
> > > >
> > > > It's included in pretty much all Linux distributions. A quick Google
> > > > search for "centos vpnc" turned this up as the first hit:
> > > >
> > > > http://wiki.centos.org/HowTos/vpnc
> > > >
> > > > Hope this helps.
> > > >
> > > > Cheers,
> > > >
> > > > --
> > > >
> > > > Eloy Paris
> > > > Cisco PSIRT
> > > > Ph: +1 919 392-9118
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/

