vpn
Note: As of October 2004 I moved to the University of the Saarland,
hence some information provided here may have become obsolete.
Introduction
  On the 1st of September 2002 I began studying Angewandte Informatik at Fachhochschule Zweibrücken. Since I already had a laptop equipped with a Wireless LAN card, I wanted to take advantage of the available WLAN. The FH uses VPN software from Cisco. Unfortunately, the description of how to set up the Cisco VPN client was only available for Windows, and since I didn't want to use Windows I had to do it on my own. During the installation and configuration process I encountered some pitfalls one might be faced with. To make it somewhat easier for other Linux users I decided to write this manual, which covers the installation and configuration of the Cisco VPN client for Linux for use with Wireless LAN and Wired LAN at Fachhochschule Zweibrücken.

Note: The following description applies to the Cisco VPN client version 3.6.2, but should be applicable for other versions as well.

Update: In order to use version 4.0.3 with 2.6.x kernels, you have to apply a small patch.

Overview
 
  • prerequisites
  • installation
  • configuration for Wireless LAN
  • configuration for Wired LAN
  • connect via Wireless LAN
  • connect via Wired LAN
  • links

    Prerequisites

    You need to download the Cisco VPN client for Linux. Notice that if the interface name of your WLAN card doesn't start with "eth" or "ppp" (you can check this with ifconfig) you will not be able to use this program. The reason is a comparison in interceptor.c which explicitly allows only these two names, even though this restriction is kind of pointless. Furthermore, your system will crash if you try it anyway, which is even more pointless. Unfortunately, Cisco doesn't grant legal permission for people to modify their source code, which is why I don't provide a patch on this homepage. They told me that this issue has been filed as a bug and that it will be fixed. Maybe your current version > 3.6.2 has already been fixed.

    Update: In fact, this has been fixed in some version > 3.6.2. However, I don't know the exact version.

    You need a Linux distribution with

    • kernel >= 2.2.12
    • glibc >= 2.1.1-6
    This should always be the case with newer distributions. If you're not sure try
    • ls -l /lib/libc-*
    to obtain the glibc version and
    • uname -r
    for the kernel version. Note that Cisco doesn't support the current development ("hacker") kernels, i.e. all versions starting with 2.5. Furthermore, you need the source code of the kernel you're running. You get it either by installing the corresponding packages shipped with your distribution or, if you have built your own kernel, from the source tree you built it from. Note that you need exactly the kernel source tree you built your kernel with; the mere source code of the kernel version you're running won't suffice.

    If you're using a packet filter (ipchains for 2.2.x or iptables for 2.4.x) make sure that the following types of traffic are allowed to pass through:

    For Wireless LAN:

    • TCP, port 68   (for BOOTP/DHCP)
    • UDP, port 500
    • UDP, port 4500

    For Wired LAN:

    • TCP, port 14711
    • UDP, port 500
    • UDP, port 4500
    If you need help with ipchains/iptables you might want to take a look at the Ipchains Howto, Iptables Howto, and the Firewall Howto.

    In case you're already running some VPN software you might have to disable it first in order to use the Cisco VPN client correctly.

    If you want to use the VPN client in conjunction with Wireless LAN you, of course, need a Wireless LAN card. If you don't know how to set it up try the Wireless LAN Howto, which offers lots of information, and the Linux-wlan homepage.

    Installation
      The installation process is a rather simple task. Change to the directory with the tarball you've downloaded and unpack it with tar.
    • tar xzvf vpnclient-linux-3.6.2.tar.gz   (for gzip)
    • tar xjvf vpnclient-linux-3.6.2.tar.bz2   (for bzip2)
    Note that "j" for bzip2 might differ depending on your distribution. If you're not sure read the man page (man tar).

      Update: If you want to use version 4.0.3 with kernel 2.6.x, you need to apply a patch in order to get the vpnclient working. Have a look at this patch, that homepage which provides further links, and an (apparently) already patched version.

    Now change to the newly created directory and become root. Enter the following command:

    • ./vpn_install
    Accept the default values by pressing Enter or, if you know what you're doing, use some other values.

    If you chose to start the VPN service automatically at boot time the installation script vpn_install normally creates three symlinks in the System V init directories /etc/rc{3,4,5}.d pointing to /etc/init.d/vpnclient_init (directory names might differ with your distribution). But since some distributions use runlevel 2 as the default (for example, Debian GNU/Linux) you will have to create the symlink yourself. So to create the necessary symlink under Debian use the following line.

    • cd /etc/rc2.d && ln -s ../init.d/vpnclient_init S85vpnclient_init
    Configuration for Wireless LAN
      At this point you need to create a profile with the appropriate data for use with Wireless LAN. First make a copy of the sample configuration file /etc/CiscoSystemsVPNClient/Profiles/sample.pcf. For example:
    • cd /etc/CiscoSystemsVPNClient/Profiles && cp sample.pcf fh-wlan.pcf
    Now edit the newly created config file fh-wlan.pcf with your favorite editor to make the necessary changes. The needed entries are:
    • Host=172.17.0.1
    • GroupName=studenten
    • Username=FNSNXXXX
    • EnableNAT=1
    "FNSNXXXX" is the first part of your FH email address. It consists of the first two letters of your forename followed by the first two letters of your surname followed by a number like "0003".

    If you don't want to enter the group and user password each time you connect to the VPN you might insert the following entries.

    • SaveUserPassword=1
    • GroupPwd=GPW
    • UserPassword=UPW
    The option "SaveUserPassword=1" tells the program to encrypt the user password and delete the cleartext password from the configuration file. "GPW" is the password for the IPSec group you are in. If you don't know it, contact the "Rechenzentrum". "UPW" is the same password as for your mail account.
    Configuration for Wired LAN
      As with Wireless LAN you need to setup a new profile. First make a copy of the sample configuration file /etc/CiscoSystemsVPNClient/Profiles/sample.pcf. For example:
    • cd /etc/CiscoSystemsVPNClient/Profiles && cp sample.pcf fh.pcf
    Now edit the newly created config file fh.pcf with your favorite editor to make the necessary changes. These are:
    • Host=143.93.17.220
    • GroupName=studenten
    • Username=FNSNXXXX
    • EnableNAT=1
    • TunnelingMode=1
    • TCPTunnelingPort=14711
    "FNSNXXXX" is the first part of your FH email address. It consists of the first two letters of your forename followed by the first two letters of your surname followed by a number like "0003".

    If you don't want to enter the group and user password each time you connect to the VPN you might insert the following entries.

    • SaveUserPassword=1
    • GroupPwd=GPW
    • UserPassword=UPW
    The option "SaveUserPassword=1" tells the program to encrypt the user password and delete the cleartext password from the configuration file. "GPW" is the password for the IPSec group you are in. If you don't know it, contact the "Rechenzentrum". "UPW" is the same password as for your mail account.
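    As an added example (not part of the original page), here is a small shell script that checks a profile of either kind before connecting: it verifies that the entries listed above for the Wireless LAN and Wired LAN profiles are present, warns if a cleartext UserPassword= line is still in the file, and refuses profiles holding GroupPwd or a saved user password that other users can read. The two sample profiles it writes to a temporary directory are constructed for the demo.

```shell
# Added example, not from the original page; sample profiles are constructed.
# pcf_get FILE KEY: print KEY's value (empty if absent). A "[main]" section
# header and CRLF line endings, as Cisco profiles may have, are tolerated.
pcf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1 | tr -d '\r'
}

# audit_pcf FILE MODE: MODE is "wlan" or "wired". Prints findings; returns 0 if clean.
audit_pcf() {
    file=$1 mode=$2 rc=0
    for key in Host GroupName Username EnableNAT; do
        [ -n "$(pcf_get "$file" "$key")" ] || { echo "$file: missing $key"; rc=1; }
    done
    if [ "$mode" = wired ]; then
        [ "$(pcf_get "$file" TunnelingMode)" = 1 ] || { echo "$file: wired needs TunnelingMode=1"; rc=1; }
        [ "$(pcf_get "$file" TCPTunnelingPort)" = 14711 ] || { echo "$file: wired needs TCPTunnelingPort=14711"; rc=1; }
    fi
    # A UserPassword= line still present means the client has not yet replaced it with
    # its encrypted form: the mail-account password is sitting in the file in clear.
    [ -z "$(pcf_get "$file" UserPassword)" ] || { echo "$file: cleartext UserPassword present"; rc=1; }
    # A profile storing GroupPwd or a saved user password must not be readable by others.
    if [ -n "$(pcf_get "$file" GroupPwd)" ] || [ "$(pcf_get "$file" SaveUserPassword)" = 1 ]; then
        others=$(ls -ld "$file" | cut -c8-10)
        [ "$others" = "---" ] || { echo "$file: stores credentials but others have '$others'"; rc=1; }
    fi
    return $rc
}

# Constructed demo: a correct wired profile (mode 600) and a sloppy WLAN profile.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/fh.pcf" <<'EOF'
[main]
Host=143.93.17.220
GroupName=studenten
Username=FNSNXXXX
EnableNAT=1
TunnelingMode=1
TCPTunnelingPort=14711
GroupPwd=GPW
SaveUserPassword=1
EOF
chmod 600 "$DEMO_DIR/fh.pcf"
printf 'Host=172.17.0.1\nGroupName=studenten\nSaveUserPassword=1\nGroupPwd=GPW\nUserPassword=UPW\n' \
    > "$DEMO_DIR/fh-wlan.pcf"
chmod 644 "$DEMO_DIR/fh-wlan.pcf"
audit_pcf "$DEMO_DIR/fh.pcf" wired && echo "fh.pcf: ok"
audit_pcf "$DEMO_DIR/fh-wlan.pcf" wlan || echo "fh-wlan.pcf: fix before connecting"
```

Run it against /etc/CiscoSystemsVPNClient/Profiles/fh.pcf (mode "wired") or fh-wlan.pcf (mode "wlan") once after editing and once more after the first successful connect, when the cleartext line should be gone.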
    Connect via Wireless LAN
      If you want to connect to the VPN via Wireless LAN first make sure that your SSID is set appropriately. The SSID of the Fachhochschule Zweibrücken is "ssidrzfhzw". You can use iwconfig or some equivalent tool to check whether you receive a signal from the access point. Now you need to get your dynamic IP and routing information via DHCP. You can use a program like "pump" for this.
    • pump -d -i XXX
    "XXX" is the interface name of your WLAN card. For instance, "ppp". (The parameter "-d" tells pump not to update/overwrite your current /etc/resolv.conf.) After that the IP address of the WLAN interface should have been changed as you can verify with
    • ifconfig XXX
    Additionally your default gateway should be 10.0.83.254 as you can verify with
    • route -n
    The rest of the procedure is the same as with Wired LAN. So read on there.
    Connect via Wired LAN
      Now make sure that the module "cisco_ipsec" is loaded. If you rebooted since the installation of the VPN client it should already be loaded (unless you chose "VPN service will not be started automatically at boot time"). Check this with
    • lsmod
    Otherwise you need to load it manually with
    • /etc/init.d/vpnclient_init start
    A warning appears that the module will taint the kernel. You can just ignore this message since it's harmless. The Linux Kernel Mailing List has more information about tainted modules.

    Finally start the Cisco VPN client and connect to the VPN:

    • vpnclient connect XXX
    "XXX" is the name of the profile created above without the trailing ".pcf" ("fh-wlan" or "fh" in the example). The connection should be established and will exist until you terminate the process with CTRL-C, kill, etc. Congratulations, that's it!
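    Added example (not from the original page): a pre-flight script for the connect steps above. The parsers take the output of route -n, ifconfig and lsmod on stdin so they can be exercised offline on the constructed samples at the end; preflight() feeds them the live commands. The interface name eth1 and the addresses in the samples are made up.

```shell
# Added example, not from the original page. Checks the conditions the connect
# steps above ask for before "vpnclient connect <profile>" is run.

# default_gw: print the gateway of the default route from `route -n` output
default_gw() { awk '$1 == "0.0.0.0" { print $2; exit }'; }

# iface_addr: print the IPv4 address from `ifconfig NAME` output; handles both
# the old "inet addr:10.0.1.2" and the newer "inet 10.0.1.2" layout
iface_addr() { awk '/inet / { sub(/addr:/, "", $2); print $2; exit }'; }

# module_loaded NAME: succeed if NAME appears in `lsmod` output
module_loaded() { awk -v m="$1" '$1 == m { f = 1 } END { exit !f }'; }

# preflight MODE IFACE: MODE is "wlan" or "wired"; returns 0 when ready to connect
preflight() {
    mode=$1 iface=$2 rc=0
    if [ "$mode" = wlan ]; then
        addr=$(ifconfig "$iface" 2>/dev/null | iface_addr)
        [ -n "$addr" ] || { echo "$iface has no IPv4 address; run: pump -d -i $iface"; rc=1; }
        gw=$(route -n 2>/dev/null | default_gw)
        [ "$gw" = 10.0.83.254 ] || { echo "default gateway is '$gw', expected 10.0.83.254"; rc=1; }
    fi
    lsmod 2>/dev/null | module_loaded cisco_ipsec \
        || { echo "cisco_ipsec not loaded; run: /etc/init.d/vpnclient_init start"; rc=1; }
    return $rc
}

# Constructed sample output (not captured from a real system) for offline checks.
ROUTE_SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.83.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.0.83.254     0.0.0.0         UG    0      0        0 eth1'
LSMOD_SAMPLE='Module                  Size  Used by
cisco_ipsec           196608  0
orinoco                 45056  1'
IFCONFIG_SAMPLE='eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.0.83.17  Bcast:10.0.83.255  Mask:255.255.255.0'

printf '%s\n' "$ROUTE_SAMPLE" | default_gw        # prints 10.0.83.254
printf '%s\n' "$IFCONFIG_SAMPLE" | iface_addr     # prints 10.0.83.17
printf '%s\n' "$LSMOD_SAMPLE" | module_loaded cisco_ipsec && echo "module present"
```

On a live machine, call preflight wlan eth1 (or preflight wired eth0) and connect only when it prints nothing and returns 0.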
    Links
      This is a collection of links mentioned in this document:
     
    Michael Velten <w3@michnet.de>, last change: Sun Jan 31 20:57:06 2010