Hi,

Fedora ships the open source "vpnc" client which supports the Cisco VPN environment. I'm using it daily and it works for me without any problems. There is also a proprietary client from Cisco: http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html .

On 11/14/2011 06:34 PM, Tomasz Torcz wrote:
> On Mon, Nov 14, 2011 at 09:08:05PM +0400, Lucas wrote:
>> I am talking about ipsec over TCP.
>> Everything can do ipsec over UDP, but none over TCP. But on my job for the security reason UDP is
>> blocked, cisco vpn can do ipsec over tcp.
>
> It seems you have your layering wrong. IPSec operates on IP protocol, below UDP and TCP. Only
> IKE, the key exchange protocol, works on UDP. Maybe you thought about different technology?
> For VPN, OpenVPN provided in Fedora supports TCP transport.

To clarify the misunderstanding: Cisco's VPN concentrator provides the feature "IPSec over TCP". Unfortunately, vpnc does not support it:

man 8 vpnc:
[...]
       --natt-mode <natt/none/force-natt/cisco-udp>
              Which NAT-Traversal Method to use:
              ·      natt -- NAT-T as defined in RFC3947
              ·      none -- disable use of any NAT-T method
              ·      force-natt -- always use NAT-T encapsulation even
                     without presence of a NAT device (useful if the OS
                     captures all ESP traffic)
              ·      cisco-udp -- Cisco proprietary UDP encapsulation,
                     commonly over Port 10000

              Note: cisco-tcp encapsulation is not yet supported

              Default: natt
              conf-variable: NAT Traversal Mode <natt/none/force-natt/cisco-udp>
[...]

So it looks like for your use case (connecting to a Cisco VPN using IPSec over TCP) you have to use Cisco's proprietary client.

Best regards,
Christian