cisco vpn because of ipsec over tcp

Lucas macachuto at gmail.com
Wed Nov 16 14:27:32 UTC 2011


On 11/16/2011 04:49 PM, David Woodhouse wrote:
> On Mon, 2011-11-14 at 21:08 +0400, Lucas wrote:
>>
>> I am talking about ipsec over TCP.
>>
>> Everything can do IPsec over UDP, but none over TCP. But at my job, for
>> security reasons, UDP is blocked; Cisco VPN can do IPsec over TCP.
>
> That's entirely stupid. The Cisco "IPsec over TCP" is basically the
> *same* as UDP, except it fakes a TCP header on each packet in order to
> make it pass through crappy firewalls and NAT which only supports TCP.
>
> If your IT department think that UDP needs to be blocked "for the
> security reason", then it sounds like they are incompetent and should be
> fired. Or just taken out back and shot.
>
> We *have* had Cisco's IPSec over TCP working; it's not particularly
> difficult. However, we never really worked out how to make it work
> nicely on Linux; the kernel really *really* wants to eat all TCP packets
> and will give a TCP RST to any connection it doesn't think is open. Any
> mechanism to effectively operate TCP in userspace, which is what we need
> to do, would be very much frowned upon.
>

Dear All.

The question was not how good or bad Cisco IPsec over TCP is; personally, I do not like the politics of 
that company. I also can't complain to our IT, because they just do not want to forward any UDP port 
to the internal network. They are just happy that Cisco manages to wrap UDP in TCP, and Cisco VPN works 
on Windows. That is all.

The problem is that it looks like I can't compile it under F16, and I can't find any proper manual on 
the internet.
So my question was: if anyone has done it under Fedora 16 32-bit, please share your 
experience with me.

Of course, I can install WinXP on VirtualBox and use the Windows version, BUT I do not like it.

