New Member

enc_GroupPwd on different platforms (client 4.6)

I'm in the process of testing a remote access VPN setup, hopefully soon to deploy. I've noticed that the encrypted group password in the .pcf files is different (for the same password) for Linux and Windows. I don't have a Mac or Solaris test box, but will be supporting those clients as well. I'd like to have pre-built .pcf files for each distribution, rather than giving the actual preshared key to all of my users. Does anybody know if the Solaris and Mac versions use the same encryption as the Linux (or even Windows) version, or whether they are different?

5 REPLIES
Silver

Re: enc_GroupPwd on different platforms (client 4.6)

Hi,

AFAIK each platform uses the same algorithm. Part of the encryption of the group password uses a hash based on the time of profile creation - so unless you generate all your profiles in the same second, they will appear to be different keys - but they will decrypt to the same thing.

HTH

Kind Regards

Cathy

New Member

Re: enc_GroupPwd on different platforms (client 4.6)

So it seems like I can't create one profile (with the group password already encrypted) on one machine and then import it to others, but need to create a profile with a clear-text group password, that gets encrypted upon first use by each client?

Silver

Re: enc_GroupPwd on different platforms (client 4.6)

Hi,

Not so.

The hashes created (based on the date) are used as the crypto key for the group password. The key is stored at the front of the value you have in the file. So creating one file will be sufficient.

If you think about it, the client has to be able to decrypt the password before transmitting it to the concentrator. To do this, it must be reversible. The process with the hashes is little more than obfuscation - or a way of generating a random crypto key.

HTH

Cathy

New Member

Re: enc_GroupPwd on different platforms (client 4.6)

Thanks for the clarification and an explanation of some of the guts underneath the hood. However, I can't get the profiles I've created in Windows to work in Linux. Can you look at my basic process and tell me what I did wrong? (note: I'm not in front of my test box so path names and such are from memory, and are not likely correct).

1) Create the policy in Windows.

2) Connect (success).

3) Copy C:\PATH\policy.pcf to a CD-ROM.

4) Place policy.pcf into /etc/CiscoSystemsVPNClient/Profiles/.

5) Apply dos2unix to the .pcf file to take care of EOL issues.

6) Attempt to connect (fail).

7) Erase the enc_GroupPwd in /etc/CiscoSystemsVPNClient/Profiles/policy.pcf.

8) Type a clear-text group password into the group password field.

9) Connect (success).

10) See that the clear-text password is gone, and enc_GroupPwd is populated.

Thanks,

dg

Silver

Re: enc_GroupPwd on different platforms (client 4.6)

Hi,

On further investigation I think that there are platform-specific entries in the .pcf files. You will have to generate a unique file for each platform - but you should be able to copy/paste the enc_* values. You should be able to compare a working profile from Linux and Windows and see what the differences are.

Kind Regards

Cathy
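As an added example (not code from this thread, and not Cisco's), the script below does what the last reply suggests: it parses a profile written by the Windows client and one written by the Linux client, normalizes line endings the way dos2unix does, lists which entries differ or exist on only one platform, and flags a clear-text GroupPwd left behind by step 8 of the procedure above. The .pcf samples, their enc_GroupPwd values and the platform-only key are constructed for illustration; the only format assumption is that a .pcf is INI-style text with a [main] section of key=value lines. Because the thread establishes that enc_GroupPwd is reversible obfuscation, the audit also reports any profile carrying it as effectively holding the pre-shared key.

```python
"""Compare and audit Cisco VPN Client .pcf profiles (added example, not Cisco code).

Assumptions: .pcf files are INI-style text with a [main] section and
key=value lines. All sample profiles and values below are constructed.
"""
from __future__ import annotations

# Constructed sample: profile as written by the Windows client (CRLF line endings).
WINDOWS_PCF = (
    "[main]\r\n"
    "Description=test profile\r\n"
    "Host=vpn.example.test\r\n"
    "AuthType=1\r\n"
    "GroupName=remote-users\r\n"
    "GroupPwd=\r\n"
    "enc_GroupPwd=0123456789ABCDEF0123456789ABCDEF\r\n"  # constructed dummy blob
    "EnableMSLogon=0\r\n"                                # constructed: present on Windows only
    "EnableNat=1\r\n"
)

# Constructed sample: the same policy after the Linux client re-encrypted the
# group password (LF line endings, a different enc_GroupPwd blob).
LINUX_PCF = (
    "[main]\n"
    "Description=test profile\n"
    "Host=vpn.example.test\n"
    "AuthType=1\n"
    "GroupName=remote-users\n"
    "GroupPwd=\n"
    "enc_GroupPwd=FEDCBA9876543210FEDCBA9876543210\n"    # constructed dummy blob
    "EnableNat=1\n"
)

# Constructed sample: an intermediate profile where the clear-text group
# password was typed in (step 8 above) and has not yet been re-encrypted.
CLEARTEXT_PCF = (
    "[main]\n"
    "Host=vpn.example.test\n"
    "AuthType=1\n"
    "GroupName=remote-users\n"
    "GroupPwd=not-a-real-psk\n"   # constructed placeholder value
    "enc_GroupPwd=\n"
)


def normalize_eol(text: str) -> str:
    """Do what dos2unix does: turn CRLF (and any stray CR) into LF."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


def parse_pcf(text: str) -> dict[str, dict[str, str]]:
    """Parse [section] / key=value text into nested dicts.

    Keys keep their original case, values are stripped of whitespace, and
    lines that are neither a header nor key=value are skipped.
    """
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in normalize_eol(text).split("\n"):
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def diff_profiles(a: dict, b: dict) -> dict[str, list[str]]:
    """Return keys only in a, only in b, and keys whose values differ, as section.key."""
    result: dict[str, list[str]] = {"only_in_a": [], "only_in_b": [], "changed": []}
    for section in sorted(set(a) | set(b)):
        ka, kb = set(a.get(section, {})), set(b.get(section, {}))
        result["only_in_a"] += [f"{section}.{k}" for k in sorted(ka - kb)]
        result["only_in_b"] += [f"{section}.{k}" for k in sorted(kb - ka)]
        result["changed"] += [f"{section}.{k}" for k in sorted(ka & kb)
                              if a[section][k] != b[section][k]]
    return result


def audit_profile(profile: dict) -> list[str]:
    """Flag credential-handling problems the thread's procedure can leave behind."""
    findings = []
    main = profile.get("main", {})
    if main.get("GroupPwd"):
        findings.append("WARN: clear-text GroupPwd present; strip it before distributing the file")
    if main.get("enc_GroupPwd"):
        findings.append("INFO: enc_GroupPwd is reversible; treat this file as containing the pre-shared key")
    return findings


if __name__ == "__main__":
    win, lin = parse_pcf(WINDOWS_PCF), parse_pcf(LINUX_PCF)
    print("diff:", diff_profiles(win, lin))
    for name, text in (("windows", WINDOWS_PCF), ("linux", LINUX_PCF), ("cleartext", CLEARTEXT_PCF)):
        print(name, audit_profile(parse_pcf(text)))
```

Run it on a real pair of profiles by reading the two files into the parser instead of the constructed strings; the "changed" list should contain enc_GroupPwd (expected, since each client re-encrypts with its own creation-time key) and the "only_in" lists show the platform-specific entries the last reply refers to.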
