New Fun with VPN on Linux Mint.
After messing around a few hours, I managed to get my CAC working with Mint, (gotta run the 64-bit driver. To extract it, one has to manually create the output directory - /usr/lib64 - and one has to load the proper .so from there...). It works with Firefox. Hurray!

Now I need to figure out how to get VPN connections working.

I'm using XFCE as my desktop on Mint 13 (Maya). I downloaded the OpenConnect package (and the Gnome bits) and it seems to be present according to Synaptic, but it's not on the XFCE menu in any clear way. But in Gear -> Settings -> Network Connections -> VPN it does show up as a choice.

It's not at all clear to me what I'm supposed to enter - the boxes don't match the Winders Cisco VPN Client boxes. But after I make some guesses and save them, it's not at all clear how I use them.

How does one start a VPN connection from XFCE? Why doesn't the Gnome app for OpenConnect (network-manager-openconnect-gnome) show up anywhere after I've installed it on XFCE?

(It's things like this that worry me about Linux. I know I'll eventually get it working, but losing a day or more figuring it out isn't a good use of my time. :-(

Thanks.

Cheers,
Scott.
New Oh dear...
This is a very large can of worms. Basically, from the manufacturer's standpoint, VPN appliances are Windows-only. One must consider oneself lucky if anything else can be made to work with them. Even OS X + VPNTracker is a royal pain to get going. And trying to get multiple vendors' clients to coexist on Windows has wrecked quite a few installs.

Usually, to make things convenient for Windows operators, the VPN appliance is biased towards using XAuth (i.e. the familiar name and password prompt.) The problem is that XAuth never became part of the IPSec standard because it could not be made secure. As a result, each mfg. implements XAuth "their way" to provide extras for their proprietary Windows clients.

I would start at Cisco. There should be something on their support site that will give hints as to the right incantations to invoke. Most likely, you'll need the device ID (can be anything, like its serial number), and the shared group secret.
New Thanks for the pointers. I'll go spelunking...
New WaddayaKnow?!? We've got the Cisco VPN client for Linux.
It was just a matter of looking in the right place for it...

It works just fine on Mint. :-)

Thanks.

Cheers,
Scott.
New you shouldn't be using your cac card with that variant :-)
against STIG GEN00100
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 58 years. meep
New Hmmm... Gotta do some reading. Thanks. :-)
New general rule of thumb
If you cannot show a support contract for active "call and we will fix the problem" support, one cannot use that product. Stupid, I know.
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 58 years. meep
New That rule doesn't apply everywhere.
http://iase.disa.mil...gs/faqs.html#STIG

STIG

Question:
What is a STIG?

Answer:
A Security Technical Implementation Guide is a DoD document created by DISA Field Security Operations for certain products and technologies. A STIG provides secure configuration guidance for a product to reduce the attack surface. STIGs do not exist for all products.

Question:
May I deploy a product if no STIG exists?

Answer:
Yes, based on mission need and with DAA approval.


Thanks for giving me cause to check into this stuff before I get too committed.

Cheers,
Scott.
New Re: That rule doesn't apply everywhere. until it does
If what you are working on is a Linux derivative the general Unix STIGs are applicable. (I know that doesn't make any sense) it is what the auditors require. Check with a security admin at your workplace on that rule. Your shop may vary
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 58 years. meep
New Thanks.
     Fun with VPN on Linux Mint. - (Another Scott) - (9)
         Oh dear... - (scoenye) - (2)
             Thanks for the pointers. I'll go spelunking... -NT - (Another Scott)
             WaddayaKnow?!? We've got the Cisco VPN client for Linux. - (Another Scott)
         you shouldn't be using your cac card with that variant :-) - (boxley) - (5)
             Hmmm... Gotta do some reading. Thanks. :-) -NT - (Another Scott) - (4)
                 general rule of thumb - (boxley) - (3)
                     That rule doesn't apply everywhere. - (Another Scott) - (2)
                         Re: That rule doesn't apply everywhere. until it does - (boxley) - (1)
                             Thanks. -NT - (Another Scott)