VPN shared secret? [Solved]

[darkplanets]

Hey guys, a quick question.

I'm trying to set up a VPN connection in SL to my schools servers to use smb to grab my on-campus directory, but I'm running into a bit of a snafu. Under SL I have the options of L2TP over IPSec, or Cisco IPSec; I know multiple VPN server addresses for my school, my login credentials, and the group name-- the problem I'm having is the shared secret or certificate. The issue here is that the documented VPN support is through two Cisco VPN clients, AnyConnect and VPNClient, neither of which I care to run, especially given the built in VPN support for SL. They both come pre-configured.

My school's IT department is of no help; I've had zero responses to date from them. I was wondering if it was possible to grab the shared secret from these pre-configured programs, and if so, how? I've done some poking around but I haven't found anything yet. If it's certificate based, could I just go into Keychain and move some certificates around?

 

[belvdr]

Those secrets are in encrypted form in the profiles. The IT department is acting smart here and not handing that information out.

 

[darkplanets]

While that would normally be the case; this VPN is available to over 40,000 people; there's not too much secret and safe-keeping done here. Case in point;
the VPN I'm trying to connect to is the public, unknown shared secret VPN, set up by the IT department. The VPN's set up for each department individually all have publicly shared shared secrets, posted on the web. They're even obvious too; the Ag one is AgVPN, etc. I mean if they were secretive about ALL VPN's, then I would be understanding, but this VPN is really much less sensitive than the departmental ones, and set up by the same people. It doesn't make sense to go public on all the important ones and hush hush over the public one...

Not to mention; in the one application they give more specific details about the network, like the mode, protocol, cipher, and secure routes (Ip's and subnets). If you can get all this... why not the shared secret?

 

[RandomKamikaze]

If you can get the profile there are ways to decrypt the secret, but there is nothing wrong with the Cisco VPN client

 

[CaliJ177]

IPSec VPN's can are a tricky beast to troubleshoot.

Any idea what kind of headend device your school uses to terminate the VPN connection? It might be worth trying the clients you school has made available.

In my expirences I have only been able to connect to Cisco VPN's with the built-in SL client if the terminating headend device was a ASA firewall. I am not sure if any of the newer routers would work with the SL client.

If the headend device was a older Cisco router or a VPN concentrator I had to use an older Cisco IPSec client program.

*Edit*

Here is the version number / name of the VPN client software I have used that will connect to older Cisco equipment. It was the last one made before the integrated SL client.

vpnclient-darwin-4.9.01.0180-universal-k9

 

[darkplanets]

While I have no idea which headend device my school uses to terminate the VPN connection, i had tried the clients my school had made available, Cisco EasyConnect and Cisco VPNClient, and was not impressed with either. Not to mention the fact that the integrated aspect into the operating system preferences is a really nice feature to have.

Instead of hacking/decrypting the profile to get the shared secret (since I had the cypher), I instead chose to try logical shared secrets first, and viola, I got it. This was later confirmed by the schools IT department, which in their infinite wisdom responded to my inquiry two weeks later

Long story short, it appears as if my school has multiple VPN servers; vpn., webvpn., ipsec., l2tp., and one for every department as well (vpn.department.edu). I'm pretty impressed. I have both the Cisco Ipsec shared secret as well as the L2TP shared secret, and have chosen to use the L2TP configuration under SL. It works without a hitch, and I can route all my traffic through it or just the SMB connection; its rather nice. The Cisco Ipsec option also works under SL, obviously I just have to use the Ipsec selector when making a new profile instead of L2TP. Both work, but I really just trust L2TP over Ipsec more than CIsco Ipsec, simply because I'm not a huge fan of Cisco

 

[belvdr]

Both work, but I really just trust L2TP over Ipsec more than CIsco Ipsec, simply because I'm not a huge fan of Cisco

You're still using IPsec. It's a standard, not proprietary Cisco.

Whether it's L2TP or not makes no difference really. I'd connect to both and see what encryption is used. Whichever has the stronger encryption, that's the one I'd choose. If they are both using the the same encryption method, I'd go for IKE/IPsec. I was never a big fan of L2TP/PPP tunnels personally, and you never see them in site-to-site (i.e. lan-to-lan) tunnels.

 

[darkplanets]

Yeah, I was really being sarcastic about the Cisco comment, hence the glasses

All of the methods provided have the same encryption method, so its really pick and choose for me; any of the provided works. The nice thing is if I want to switch methods its nice and easy, just a profile change.