RE: Vpn Connections.



On Tue, 2008-10-28 at 08:43 +0000, New Acct wrote:
> 
> ----------------------------------------
> > Subject: Re: Vpn Connections.
> > From: dcbw redhat com
> > To: paul xelerance com
> > Date: Mon, 27 Oct 2008 13:01:28 -0400
> > CC: patrik martinsson smhi se; networkmanager-list gnome org
> > 
> > On Mon, 2008-10-27 at 12:34 -0400, Paul Wouters wrote:
> >> On Mon, 27 Oct 2008, Martinsson Patrik wrote:
> >> 
> >>> How does NetworkManager handle the import of a Cisco pcf file?
> >>> What I'm really interested in is if it uses all the settings I have in that file?
> >> 
> >> Openswan has a pcf2os.pl script on contrib/ that can convert pcf files to openswan
> >> config files. However, the pcf file can contain an obfuscated group PSK. I don't know
> >> if anyone ever wrote a proper deobfuscation program. There used to be something at
> >> http://femto.cs.uiuc.edu/~sbond/vpnc/ which basically amounted to running the
> >> cisco client through ltrace -i and reading it from a memcpy statement.
> > 
> > It's been completely handled now, vpnc ships a 'cisco-decrypt' in the
> > tarball which doesn't depend on the binary cisco client.  There are some
> > patches awaiting my review that will automatically decrypt the group
> > password on import.
> > 
> > Dan
> 
> In fact, it's even easier. vpnc runs a web form to decode the encrypted group password. You just have to type in the encrypted password and click decode:
> http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode

Um, that's sort of insecure :)

Seriously, /usr/bin/cisco-decrypt is the easiest solution by far.  If
you have vpnc installed, you have cisco-decrypt (or else your distro's
vpnc maintainer should be shot).  You don't even need network access for
it, and your group secret doesn't escape outside your machine.

Dan


