Red Hat Bugzilla – Bug 241774
Given pcf file could not be imported
Last modified: 2007-11-30 17:12:05 EST
Description of problem:
My university provided me a pcf file for configuring my vpn access (Cisco).
However, importing the pcf file with
org.freedesktop.NetworkManager.vpnc --import-file vpn.university.de.pcf
fails because the file "does not contain valid data".
The pcf file is attached - the university also provides a binary certificate
file, if this is of any interest.
Created attachment 155695
The pcf file of my university
I'm not really sure if the command line above should work as you expect.
However '/usr/share/doc/vpnc-0.4.0/pcf2vpnc ~/download/vpn.university.de.pcf'
works fine and produces a config file for vpnc.
So I'm reassigning it to NM-vpnc.
I took the command line above from the gnome menu entry for the NetworkManager
import of vpnc files.
But even if I use pcf2vpnc to create a vpnc file I cannot import it into the
NetworkManager vpnc client.
The file can't be imported because it is incomplete, and the vpnc import code
can only handle a PCF file that has the following fields set: Description, Host
I wrote a patch to change that behavior, to make it fill the fields it can from
a partial pcf file. Expect an update soon.
Thanks, nice. I will test it as soon as it is available.
Anything new about this bug? I checked with the current Fedora 8 and the
import still doesn't work.
The problem I see is that even if I relax the PCF import code, you still won't
be able to connect unless you provide a group name (the --id option of vpnc)
manually. How do you connect manually with vpnc? Do you happen to know the
group name and type it manually? Could you give me the vpnc command you're using?
I guess I could make the patch display a warning if it imports an incomplete PCF
I never connected with these data with a free VPN client. My university only
provides a Cisco VPN client together with a certificate and the above
mentioned configuration file.
But I asked the administrators about the missing group and now wait for an
I would recommend first trying to connect manually, directly using the "vpnc"
command. Next we will tackle how to integrate whatever options you needed in the
NM-vpnc GUI. For example, I can connect to my work VPN with the simple command:
vpnc --gateway somevpngateway.sun.com --id vpn --username myusername
If they provided a client-side certificate, that could mean the use of the
"--auth-mode cert" option which is apparently not implemented in vpnc, according
to the man page.
Closed as WONTFIX.
I talked to my system administrators: they do not use group authentication due
to a security problem:
Instead, the system uses a special way of authentication described by Karl
Unfortunately, this description is in German only, but I will try to roughly
translate the first paragraphs (but not the actual howto):
"The idea is to configure the Cisco VPN concentrator without PSKs and without
a full-featured PKI. The clients get a dummy certificate (you can call it "group
certificate" if you are mean). The VPN server gets a "real" certificate you
have to keep an eye on; the client certificates can be shared with anyone
(each VPN group will require a certificate).
The certificate makes sure that no one can be a MitM during the IKE Phase 1.
In the now secured tunnel XAUTH and MODE-CFG can be used as usual."
The system admins also mentioned that vpnc currently does not support this way
of authentication as far as they know. Therefore I closed the bug report as
WONTFIX. But thanks for the help and the support during the bug report.
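
An added example, not part of the original bug thread and not NetworkManager-vpnc's own code: a tolerant PCF reader that fills in what it can from a partial profile and warns about what must be supplied by hand, the behavior discussed in the comments above. The key names (Host, GroupName, Username, AuthType with 3 meaning certificate authentication, a leading "!" marking a read-only key) follow the Cisco client's profile format; the function name audit_pcf and the sample profile are constructed for illustration.

```python
import configparser

# PCF [main] key -> vpnc option, using the options shown in the thread.
PCF_TO_VPNC = {"host": "--gateway", "groupname": "--id", "username": "--username"}

# Constructed sample: a partial profile with no group name, like the one reported.
SAMPLE_PCF = """\
[main]
Description=University VPN
!Host=vpn.example.edu
AuthType=3
GroupName=
Username=
"""

def audit_pcf(text):
    """Return (vpnc_args, warnings) for PCF text, tolerating missing fields."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [], [f"not a parseable PCF file: {type(exc).__name__}"]
    if not parser.has_section("main"):
        return [], ["no [main] section found"]
    # configparser lower-cases keys; a leading "!" only marks a key read-only.
    main = {k.lstrip("!"): v.strip() for k, v in parser["main"].items()}
    args, warnings = [], []
    for key, option in PCF_TO_VPNC.items():
        if main.get(key):
            args += [option, main[key]]
        else:
            warnings.append(f"{key} is empty or missing: supply {option} manually")
    if main.get("authtype") == "3":
        warnings.append("AuthType=3: profile expects certificate authentication")
    return args, warnings

if __name__ == "__main__":
    args, warnings = audit_pcf(SAMPLE_PCF)
    print("vpnc", " ".join(args))
    for w in warnings:
        print("warning:", w)
```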