Bug 241774 - Given pcf file could not be imported
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: NetworkManager-vpnc
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Denis Leroy
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-05-30 10:53 EDT by Roland Wolters
Modified: 2007-11-30 17:12 EST
Doc Type: Bug Fix
Last Closed: 2007-11-22 09:24:26 EST

Attachments
The pcf file of my university (191 bytes, application/x-font-pcf)
2007-05-30 10:53 EDT, Roland Wolters

External Trackers
Tracker ID Priority Status Summary Last Updated
GNOME Desktop 498758 None None None Never

Description Roland Wolters 2007-05-30 10:53:27 EDT
Description of problem:
My university provided me a pcf file for configuring my vpn access (Cisco). 
However, importing the pcf file with
nm-vpn-properties --import-service org.freedesktop.NetworkManager.vpnc --import-file vpn.university.de.pcf
fails because the file "does not contain valid data".

The pcf file is attached - the university also provides a binary certificate 
file, if this is of any interest.
Comment 1 Roland Wolters 2007-05-30 10:53:27 EDT
Created attachment 155695
The pcf file of my university
Comment 2 Tomas Mraz 2007-05-30 11:03:19 EDT
I'm not really sure if the command line above should work as you expect.

However '/usr/share/doc/vpnc-0.4.0/pcf2vpnc ~/download/vpn.university.de.pcf'
works fine and produces a config file for vpnc.

So I'm reassigning it to NM-vpnc.
Comment 3 Roland Wolters 2007-05-30 11:16:17 EDT
I took the command line above from the gnome menu entry for the NetworkManager 
import of vpnc files.
But even if I use pcf2vpnc to create a vpnc file I cannot import it into the 
NetworkManager vpnc client.
Comment 4 Denis Leroy 2007-06-14 18:23:11 EDT
The file can't be imported because it is incomplete, and the vpnc import code
can only handle a PCF file that has the following fields set: Description, Host
and GroupName.

I wrote a patch to change that behavior, to make it fill the fields it can from
a partial pcf file. Expect an update soon.
Comment 5 Roland Wolters 2007-06-15 06:16:43 EDT
Thanks, nice. I will test it as soon as it is available.
Comment 6 Roland Wolters 2007-11-20 13:19:17 EST
Anything new about this bug? I checked with the current Fedora 8 and the 
import still doesn't work.
Comment 7 Denis Leroy 2007-11-21 08:51:59 EST
The problem I see is that even if I relax the PCF import code, you still won't
be able to connect unless you provide a group name (the --id option of vpnc)
manually. How do you connect manually with vpnc? Do you happen to know the
group name and type it manually? Could you give me the vpnc command you're using?

I guess I could make the patch display a warning if it imports an incomplete PCF
file.
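Added example (not part of the thread and not the NetworkManager-vpnc code): a Python sketch of the two import behaviours discussed in comments 4 and 7, a strict import that rejects a PCF file unless Description, Host and GroupName are set, and a relaxed import that fills what it can and returns warnings. It assumes the PCF file is an INI-style file with a [main] section and that a leading "!" on a key marks it read-only; the sample profile and the function names are constructed for illustration.

```python
import configparser

# Fields the import code requires, as listed in comment 4.
REQUIRED = ("Description", "Host", "GroupName")

# Constructed sample: a partial profile with an empty GroupName
# (this is NOT the file attached to the bug).
SAMPLE_PCF = "[main]\nDescription=University VPN\n!Host=vpn.example.edu\nGroupName=\n"


def parse_pcf(text):
    """Return the [main] keys of a PCF profile as {lowercased key: value}."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # do not let configparser rewrite key names
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}  # not INI-style at all: nothing usable
    main = next((s for s in cp.sections() if s.lower() == "main"), None)
    if main is None:
        return {}
    # Assumption: "!" in front of a key only marks it read-only, so strip it.
    return {k.lstrip("!").lower(): (v or "").strip() for k, v in cp.items(main)}


def import_strict(text):
    """Reject the file unless all three required fields are set."""
    fields = parse_pcf(text)
    missing = [k for k in REQUIRED if not fields.get(k.lower())]
    if missing:
        raise ValueError("does not contain valid data; missing: " + ", ".join(missing))
    return {k: fields[k.lower()] for k in REQUIRED}


def import_relaxed(text):
    """Fill the fields that are present and warn about the rest."""
    fields = parse_pcf(text)
    settings, warnings = {}, []
    for k in REQUIRED:
        if fields.get(k.lower()):
            settings[k] = fields[k.lower()]
        elif k == "GroupName":
            warnings.append("GroupName missing: the group name (vpnc --id) must be entered manually")
        else:
            warnings.append(k + " missing")
    return settings, warnings


if __name__ == "__main__":
    print(import_relaxed(SAMPLE_PCF))
```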
Comment 8 Roland Wolters 2007-11-21 11:46:30 EST
I never connected with these data with a free VPN client. My university only 
provides a Cisco VPN client together with a certificate and the above 
mentioned configuration file.
But I asked the administrators about the missing group and now wait for an 
answer.
Comment 9 Denis Leroy 2007-11-21 12:01:28 EST
I would recommend first trying to connect manually directly using the "vpnc"
command. Next we will tackle how to integrate whatever options you needed in the
NM-vpnc gui. For example, I can connect to my work vpn with the simple command:

vpnc --gateway somevpngateway.sun.com --id vpn --username myusername

If they provided a client-side certificate, that could mean the use of the
"--auth-mode cert" option which is apparently not implemented in vpnc, according
to the man page.
Comment 10 Roland Wolters 2007-11-22 09:24:26 EST
Closed as WONTFIX.

I talked to my system administrators: they do not use group authentication due 
to a security problem:
http://www.cisco.com/warp/public/707/cisco-sn-20040415-grppass.shtml

Instead, the system uses a special way of authentication described by Karl 
Gaissmaier:
http://cert.uni-stuttgart.de/files/fw/vpn-concentrator-xauth-kochrezept.txt
Unfortunately, this description is in German only, but I will try to roughly 
translate the first paragraphs (but not the actual howto):
"The idea is to configure the Cisco VPN concentrator without PSKs and without 
full-featured PKI. The clients get a dummy certificate (you can call it "group 
certificate" if you are mean). The VPN server gets a "real" certificate you 
have to keep an eye on; the client certificates can be shared with anyone 
(each VPN group will require a certificate).
The certificate makes sure that no one can be a MitM during the IKE Phase 1. 
In the now secured tunnel XAUTH and MODE-CFG can be used as usual."

The system admins also mentioned that vpnc currently does not support this way 
of authentication as far as they know. Therefore I closed the bug report as 
WONTFIX. But thanks for the help and the support during the bug report.
