Cisco VPN Client – remote connection to the resources on your intranet. Part Three – the official Cisco VPN client for Linux

The last part of this series examines the use of the closed-source Cisco VPN client for Linux. Unlike VPNC, this client is not distributed as a Linux package; the only way to install it is from the source code.

1. Installation

The installation of the Cisco VPN client for Linux depends very much on the kernel version of the system. In this article we look at installation on kernel 2.6.35 or newer. To install the client you must first download it from Cisco's site; the client is available after registration on the site. In addition, you need to patch the client, since without the patch the installation cannot be completed. The patch is attached at the end of this article. Although it is written for kernel version 2.6.35, it can also be used with newer versions. To install the client, do the following:

1. Unpack the client archive

tar -xzvf vpnclient-linux-x86_64-4.8.02.0030-k9.tar.gz

2. Unzip the patch

unzip vpnclient-linux-2.6.35.patch.zip

3. Apply the patch

ivailo@voyager:~/Downloads/vpn> cd vpnclient/
ivailo@voyager:~/Downloads/vpn/vpnclient> patch -p1 \
--dry-run < ../vpnclient-linux-2.6.35.patch
patching file frag.c
patching file interceptor.c
patching file IPSecDrvOS_linux.c
patching file linuxcniapi.c
ivailo@voyager:~/Downloads/vpn/vpnclient> patch -p1 < ../vpnclient-linux-2.6.35.patch
patching file frag.c
patching file interceptor.c
patching file IPSecDrvOS_linux.c
patching file linuxcniapi.c
ivailo@voyager:~/Downloads/vpn/vpnclient>

Use the --dry-run option to test the patch without changing the application's source code. If the output contains errors, you need to find the correct patch for your specific version of the client.

4. Install the client

After applying the patch, run the program's installation script as the system administrator (root):

ivailo@voyager:~/Downloads/vpn/vpnclient> su
Password:
voyager:/home/ivailo/Downloads/vpn/vpnclient # ./vpn_install
Cisco Systems VPN Client Version 4.8.02 (0030) Linux Installer
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.

By installing this product you agree that you have read the
license.txt file (The VPN Client license) and will comply with
its terms. 

Directory where binaries will be installed [/usr/local/bin]

Automatically start the VPN service at boot time [yes]

In order to build the VPN kernel module, you must have the
kernel headers for the version of the kernel you are running.

Directory containing linux kernel source code [/lib/modules/2.6.38.5-1-desktop/build]

* Binaries will be installed in "/usr/local/bin".
* Modules will be installed in "/lib/modules/2.6.38.5-1-desktop/CiscoVPN".
* The VPN service will be started AUTOMATICALLY at boot time.
* Kernel source from "/lib/modules/2.6.38.5-1-desktop/build" will be \
used to build the module.

Is the above correct [y]y

Making module
make -C /lib/modules/2.6.38.5-1-desktop/build \
SUBDIRS=/home/ivailo/Downloads/vpn/vpnclient modules
make[1]: Entering directory `/usr/src/linux-2.6.38.5'
 CC [M]  /home/ivailo/Downloads/vpn/vpnclient/linuxcniapi.o
 CC [M]  /home/ivailo/Downloads/vpn/vpnclient/frag.o
 CC [M]  /home/ivailo/Downloads/vpn/vpnclient/IPSecDrvOS_linux.o
 CC [M]  /home/ivailo/Downloads/vpn/vpnclient/interceptor.o
 CC [M]  /home/ivailo/Downloads/vpn/vpnclient/linuxkernelapi.o
 LD [M]  /home/ivailo/Downloads/vpn/vpnclient/cisco_ipsec.o
 Building modules, stage 2.
 MODPOST 1 modules
WARNING: could not find /home/ivailo/Downloads/vpn/vpnclient/.libdriver.so.cmd for \
/home/ivailo/Downloads/vpn/vpnclient/libdriver.so
 CC      /home/ivailo/Downloads/vpn/vpnclient/cisco_ipsec.mod.o
 LD [M]  /home/ivailo/Downloads/vpn/vpnclient/cisco_ipsec.ko
make[1]: Leaving directory `/usr/src/linux-2.6.38.5'
Create module directory "/lib/modules/2.6.38.5-1-desktop/CiscoVPN".
Copying module to directory "/lib/modules/2.6.38.5-1-desktop/CiscoVPN".
Already have group 'bin'

Creating start/stop script "/etc/init.d/vpnclient_init".
 /etc/init.d/vpnclient_init
insserv: warning: script 'S14smfpd' missing LSB tags and overrides
insserv: warning: script 'vpnclient_init' missing LSB tags and overrides
insserv: warning: script 'vpnclient_init' missing LSB tags and overrides
insserv: Default-Start undefined, assuming default start runlevel(s) for \
script `vpnclient_init'
insserv: warning: script 'smfpd' missing LSB tags and overrides
vpnclient_init            0:off  1:off  2:off  3:off  4:off  5:off  6:off
Enabling start/stop script for run level 3,4 and 5.
insserv: warning: script 'S14smfpd' missing LSB tags and overrides
insserv: warning: script 'vpnclient_init' missing LSB tags and overrides
insserv: warning: script 'vpnclient_init' missing LSB tags and overrides
insserv: Default-Start undefined, assuming default start runlevel(s) for \
script `vpnclient_init'
insserv: warning: script 'smfpd' missing LSB tags and overrides
insserv: Service syslog is missed in the runlevels 4 to use service vboxdrv
vpnclient_init            0:off  1:off  2:off  3:on   4:off  5:on   6:off
Creating global config /etc/opt/cisco-vpnclient

Installing license.txt (VPN Client license) in "/opt/cisco-vpnclient/":
 /opt/cisco-vpnclient/license.txt

Installing bundled user profiles in "/etc/opt/cisco-vpnclient/Profiles/":
* New Profiles     : sample 

Copying binaries to directory "/opt/cisco-vpnclient/bin".
Adding symlinks to "/usr/local/bin".
 /opt/cisco-vpnclient/bin/vpnclient
 /opt/cisco-vpnclient/bin/cisco_cert_mgr
 /opt/cisco-vpnclient/bin/ipseclog
Copying setuid binaries to directory "/opt/cisco-vpnclient/bin".
 /opt/cisco-vpnclient/bin/cvpnd
Copying libraries to directory "/opt/cisco-vpnclient/lib".
 /opt/cisco-vpnclient/lib/libvpnapi.so
Copying header files to directory "/opt/cisco-vpnclient/include".
 /opt/cisco-vpnclient/include/vpnapi.h

Setting permissions.
 /opt/cisco-vpnclient/bin/cvpnd (setuid root)
 /opt/cisco-vpnclient (group bin readable)
 /etc/opt/cisco-vpnclient (group bin readable)
 /etc/opt/cisco-vpnclient/Profiles (group bin readable)
 /etc/opt/cisco-vpnclient/Certificates (group bin readable)
* You may wish to change these permissions to restrict access to root.
* You must run "/etc/init.d/vpnclient_init start" before using the client.
* This script will be run AUTOMATICALLY every time you reboot your computer.
voyager:/home/ivailo/Downloads/vpn/vpnclient #

In the listings above I use “\” to indicate that a line continues. You can also type the commands this way, because it is the standard way of splitting a command across lines in bash. After the last command finishes, the VPN client is installed. To use it, however, you must also start the system service that manages the VPN connections and was installed by the setup script. To do this, run the following command:

voyager:/home/ivailo/Downloads/vpn/vpnclient # /etc/init.d/vpnclient_init start
Starting /opt/cisco-vpnclient/bin/vpnclient: Done
voyager:/home/ivailo/Downloads/vpn/vpnclient #
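The installer output above shows cvpnd installed setuid root and the configuration tree (/etc/opt/cisco-vpnclient with Profiles/ and Certificates/) left readable by group bin, together with the installer's own suggestion to restrict access to root. The following shell functions are an added example, not part of the original article or of Cisco's vpn_install; they report the setuid binaries and the exposed profiles and then tighten the tree to root-only. They assume GNU coreutils (stat -c), and every function takes a directory argument so the logic can be tried on a scratch copy before running it as root on the real paths.

```sh
#!/bin/sh
# Added example, not from the article or from Cisco's vpn_install: report and
# tighten the permissions the installer leaves behind. vpn_install makes
# /opt/cisco-vpnclient/bin/cvpnd setuid root and leaves
# /etc/opt/cisco-vpnclient (Profiles/, Certificates/) readable by group bin,
# while its own output suggests restricting them to root. The .pcf profiles
# carry the group name and (obfuscated) group password, so they are the
# files to protect. Assumes GNU coreutils (stat -c); every function takes a
# directory argument so the logic can be tried on a scratch copy first.

# Print every setuid file below BINDIR (default: the client's bin directory).
# On a fresh install the expected result is exactly one entry, cvpnd.
list_setuid() {
    find "${1:-/opt/cisco-vpnclient/bin}" -type f -perm -4000
}

# Print the number of .pcf files under DIR/Profiles that group or others can
# access, i.e. whose mode has any bit set outside the owner's three bits.
insecure_pcf_count() {
    dir="${1:-/etc/opt/cisco-vpnclient}"
    count=0
    for f in "$dir"/Profiles/*.pcf; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")      # e.g. 644 or 600
        case "$mode" in
            *00) ;;                    # owner-only access: fine
            *)   count=$((count + 1)) ;;
        esac
    done
    echo "$count"
}

# Restrict the whole configuration tree to root: directories 700, files 600.
# Prints how many .pcf files were accessible to others before the change so
# the caller can log what was exposed. Run as root on the real tree; the
# client keeps working because cvpnd runs as root.
harden_vpnclient_perms() {
    dir="${1:-/etc/opt/cisco-vpnclient}"
    before=$(insecure_pcf_count "$dir")
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
    echo "$before"
}

# Typical use after installation (as root):
#   list_setuid                      # should print only .../bin/cvpnd
#   insecure_pcf_count               # how many profiles others can read
#   harden_vpnclient_perms           # then re-run insecure_pcf_count: 0
```

After running harden_vpnclient_perms on the real tree, the insserv start script and vpnclient itself still work, since the only process that needs the profiles, cvpnd, runs as root.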

NOTE: If you use Debian or Ubuntu, the service may not start automatically after a reboot. By default the service is set to start in runlevels 3 and 5, while Debian and Ubuntu start the graphical environment in runlevel 2. To change this, use the program update-rc.d (its usage is described at http://www.debuntu.org/how-to-manage-services-with-Update-rc.d) or add links in /etc/rc2.d:

su
cd /etc/rc2.d
ln -s /etc/init.d/vpnclient_init S01vpnclient_init
ln -s /etc/init.d/vpnclient_init K01vpnclient_init

The subject for the management of processes in Linux based systems will be discussed in a later post.

2. How to use the client

The official Cisco VPN client for Linux works only with existing pcf files. Copy the pcf file into the directory /etc/opt/cisco-vpnclient/Profiles/:

cp sample.pcf /etc/opt/cisco-vpnclient/Profiles/

2.1. Connection

The connection is made with the command ‘vpnclient connect’, followed by the name of the profile (the pcf file name without the .pcf extension). All vpnclient commands must be run as root.

vpnclient connect sample

Upon request, enter your username and password.

2.2. Disconnect

To disconnect it is necessary to run the following command:

vpnclient disconnect

Since the client supports only one connection at a time, it is not necessary to specify which connection to close.

For the other options of the command, run

vpnclient --help

3. Advantages and disadvantages

The main advantage of this client is that it supports connections through a TCP tunnel (IPSec over TCP). If your connection is of this type, VPNC will not work.

In my experience with this program, I found two main drawbacks. First, Cisco does not release new versions of the client often enough; this is why the patch is needed during installation. It also means that when the client has a problem, it may remain unfixed for years.

Such a problem is the second flaw. If the machine running this client is on a wireless network and you want to use X11 forwarding from the remote network to the local machine, the client cannot use the wireless network. If you try X11 forwarding through the Cisco VPN client for Linux over wireless, the X server on your system (the machine from which you connect with the client) will reset or stop working altogether. To avoid this problem, use X11 forwarding through the Cisco VPN client only when connected by cable. This problem does not affect VPNC.

vpnclient-linux-2.6.35.patch

Website translation

Hello,

We have started translating this website into English. In time, all existing publications will be translated, and new publications will be available in both languages, Bulgarian and English.

Best regards from the MM Business Consult team.

Cisco VPN Client – remote connection to the resources on your intranet. Part Two – Linux open source client

In this part of the series we examine the use of the Linux open source client. There are two types of clients: command line (vpnc) and graphical (most commonly KVpnc and NetworkManager).

1. VPNC

VPNC is a project that aims to provide the ability to connect to Cisco VPN servers. The graphical clients for Linux also rely on a VPNC installation to create the connection, so VPNC can be seen both as a terminal application and as a back end for various GUI tools. VPNC may or may not already be installed on the system, depending on the packages chosen during installation. To check whether it is installed, open a terminal emulator (e.g. xterm, konsole, gnome-terminal) and run the following commands:

ivailo@voyager:~> su
Password:
voyager:/home/ivailo # vpnc --version
vpnc version 0.5.3
Copyright (C) 2002-2006 Geoffrey Keating, Maurice Massar, others
vpnc comes with NO WARRANTY, to the extent permitted by law.
You may redistribute copies of vpnc under the terms of the GNU General
Public License.  For more information about these matters, see the files
named COPYING.
Built with certificate support.

Supported DH-Groups: nopfs dh1 dh2 dh5
Supported Hash-Methods: md5 sha1
Supported Encryptions: null des 3des aes128 aes192 aes256
Supported Auth-Methods: psk psk+xauth hybrid(rsa)
voyager:/home/ivailo #

The commands may differ slightly between Linux distributions. For example, in Ubuntu and its derivatives you can use sudo instead of su to execute “vpnc --version”. sudo is a tool that grants a user temporary administrative rights. The command is present in practically all Linux distributions, but in some of them (e.g. Fedora) users cannot use it without explicit configuration by the administrator. In some cases it is even possible to run “vpnc --version” without administrative rights; in others, like openSUSE, it is not. If, instead of the detailed information shown above, you get a message like

bash: vpnc: command not found

then VPNC is not installed on the system. To install the client, use the package manager of the system or download the source package from the project site ( http://www.unix-ag.uni-kl.de/~massar/vpnc/ ), then compile and install it. VPNC can be configured and connected in two ways: by entering the configuration details manually when the program starts, or by using an existing pcf file. With the first method, the program asks a series of questions when you run it:

  1. Enter IPSec gateway address – the address of the server you are connecting to
  2. Enter IPSec ID for <ip address> – the name of the VPN group
  3. Enter IPSec secret for <group name>@<ip address> – the password of the VPN group
  4. Enter username for <ip address> – the user name assigned to you by your network administrator
  5. Enter password for <username>@<ip address> – your password

The program can be started by issuing the following commands:

ivailo@voyager:~> su
Password:
voyager:/home/ivailo # vpnc

The program must be started as administrator (root), because when the connection is created it makes configuration changes to the system that require administrative rights. After you enter the requested information, the program connects to the VPN concentrator and goes into the background. To disconnect, run as administrator:

voyager:/home/ivailo # vpnc-disconnect
Terminating vpnc daemon (pid: 4872)

The second method is to first convert the pcf file into a format that VPNC can use. To do this, use the tool pcf2vpnc:

voyager:/home/ivailo # pcf2vpnc
/usr/bin/pcf2vpnc converts VPN-config files from pcf to vpnc-format.
Usage: /usr/bin/pcf2vpnc <pcf file> [vpnc file]
voyager:/home/ivailo #

The program is bundled with VPNC. It may happen, however, that VPNC is installed but pcf2vpnc is not. In that case, download the program from the project site – http://svn.unix-ag.uni-kl.de/vpnc/trunk/pcf2vpnc

wget http://svn.unix-ag.uni-kl.de/vpnc/trunk/pcf2vpnc
chmod +x pcf2vpnc
mv pcf2vpnc /usr/local/bin/

The program relies on another tool, cisco-decrypt, to decrypt the passwords stored in the pcf file:

wget http://www.unix-ag.uni-kl.de/~massar/soft/cisco-decrypt.c
gcc -Wall -o cisco-decrypt cisco-decrypt.c $(libgcrypt-config --libs --cflags)
mv cisco-decrypt /usr/local/bin

To compile this program, the development libraries libgcrypt-dev and libgpg-error-dev must be installed on the system. To convert a pcf file, do the following:

pcf2vpnc test.pcf > test.conf
cp test.conf /etc/vpnc/

To connect using the configuration file, run VPNC with the profile name (the file name without .conf) after the program name:

vpnc test
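The questions vpnc asks at start-up and the pcf2vpnc conversion above map the same five values onto the keys of a vpnc.conf file. The following shell converter is an added example and is not the vpnc project's pcf2vpnc; it assumes the pcf keys Host, GroupName, GroupPwd, enc_GroupPwd, Username, TunnelingMode and TcpTunnelingPort, and writes the standard vpnc.conf keys. It refuses profiles that require IPSec over TCP (which VPNC does not support, as section 4 below notes) and leaves an enc_GroupPwd value for cisco-decrypt rather than decoding it itself; the sample profile in the block is constructed and not a real site.

```sh
#!/bin/sh
# Added example, not the vpnc project's pcf2vpnc: convert a Cisco .pcf
# profile into the vpnc.conf format with nothing but sh and awk.
# Assumed pcf keys: Host, GroupName, GroupPwd, enc_GroupPwd, Username,
# TunnelingMode (1 = IPSec over TCP), TcpTunnelingPort.
# Emitted vpnc.conf keys: "IPSec gateway", "IPSec ID", "IPSec secret",
# "Xauth username".
#
# Reads a .pcf on stdin, writes vpnc.conf on stdout.
# - A plaintext GroupPwd is copied into "IPSec secret".
# - An enc_GroupPwd is not decoded here: a commented placeholder tells the
#   caller to run cisco-decrypt on the value, so a half-converted profile
#   never looks complete.
# - The Xauth password is deliberately left out so that vpnc prompts for it
#   at connect time instead of keeping it on disk.
# Exit status 1: Host or GroupName missing. Exit status 2: the profile
# requires IPSec over TCP, which vpnc does not support; use the official
# Cisco client for such profiles.
pcf_to_vpnc() {
    awk -F= '
        # drop CR from Windows line endings; key is before the first "=",
        # value is everything after it
        { sub(/\r$/, ""); key = $1; val = substr($0, length($1) + 2) }
        key == "Host"             { host = val }
        key == "GroupName"        { group = val }
        key == "GroupPwd"         { secret = val }
        key == "enc_GroupPwd"     { enc = val }
        key == "Username"         { user = val }
        key == "TunnelingMode"    { mode = val }
        key == "TcpTunnelingPort" { port = val }
        END {
            if (mode == "1") {
                print "# profile needs IPSec over TCP (port " port "): vpnc cannot use it" > "/dev/stderr"
                exit 2
            }
            if (host == "" || group == "") {
                print "# profile lacks Host or GroupName" > "/dev/stderr"
                exit 1
            }
            print "IPSec gateway " host
            print "IPSec ID " group
            if (secret != "")   print "IPSec secret " secret
            else if (enc != "") print "## IPSec secret <run: cisco-decrypt " enc ">"
            if (user != "")     print "Xauth username " user
        }'
}

# Write NAME.conf into DESTDIR (default /etc/vpnc) with mode 600, so the
# group secret is not readable by other users; on conversion failure no
# partial file is left behind and pcf_to_vpnc's exit status is returned.
install_vpnc_profile() {
    name="$1"; pcf="$2"; dest="${3:-/etc/vpnc}"
    conf="$dest/$name.conf"
    (umask 077; pcf_to_vpnc < "$pcf" > "$conf")
    rc=$?
    if [ "$rc" -ne 0 ]; then
        rm -f "$conf"
        return "$rc"
    fi
    echo "$conf"
}

# Constructed sample profile (not a real site), with Windows line endings
# as exported by the Windows client. Quick offline run:
#   sample_pcf | pcf_to_vpnc
sample_pcf() {
    printf '[main]\r\nDescription=constructed sample\r\nHost=vpn.example.test\r\n'
    printf 'GroupName=staff\r\nGroupPwd=s3cret\r\nUsername=alice\r\n'
    printf 'TunnelingMode=0\r\nTcpTunnelingPort=10000\r\n'
}
```

After `install_vpnc_profile test /path/to/test.pcf` as root, `vpnc test` works exactly as in the article; the exit status 2 case is the situation section 4 describes, where only the official Cisco client can make the connection.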

2. KVpnc

KVpnc is a GUI for VPNC, the Cisco VPN client for Linux, OpenVPN and some other VPN services. This means that to create a connection it relies on VPNC or on the Cisco VPN client for Linux (discussed in detail in the next part of the series). KVpnc is usually not installed with the system, so it has to be installed manually, either with the distribution's package manager or by compiling it from source. If you want the latest version and it is not available in the repositories of your distribution, you can download it from the project site – http://home.gna.org/kvpnc/en/index.html The program is written for KDE, so to use it you need certain parts of KDE installed, even if you use another desktop environment. If you install the program from the distribution repositories, the package manager makes sure all the dependencies are installed. If you compile from source, look at the dependencies listed on the following page: http://home.gna.org/kvpnc/en/documentation.html

Here is the main window of KVpnc:

KVpnc – main window

As with the Cisco VPN client for Windows, there are buttons for connecting, disconnecting and managing profiles. All these features and more are also available in the menus of the program. The program can import pcf files directly, so if you already have a pcf file you can simply import it: in the “Profile” menu, select “Import Cisco pcf file”. If you do not have a pcf file, you can use the wizard for creating a new connection, found in the “Profile” menu under “New profile (Wizard)”.

KVpnc – wizard for creating a new profile

As the image above shows, the program can create profiles for many different VPN services. To create a profile for use with VPNC, select the Cisco (free) item.

The next step lets you import an existing pcf file or proceed with creating a new profile.

KVpnc – choosing between an existing and a new profile

In the next few screens enter the same information you used to create the profile in the Windows client. Once the profile is created, to connect, select it from the “Profile” drop-down menu in the main window and press “Connect”. The main window then shows a series of messages with information about the connection, including its duration. When you are done, press the “Disconnect” button. Note that KVpnc needs administrator privileges on the machine in order to run.

3. NetworkManager

Unlike KVpnc, NetworkManager is neither a program written only for KDE nor a program made only to manage VPN connections. NetworkManager is designed to ease the management of network connections in Linux distributions using profiles, and it does not require administrative privileges to change the network settings of the machine. This makes it the preferred program for managing network connections, and VPN connections in particular. Like KVpnc, NetworkManager needs VPNC installed, but it cannot manage connections that use the Cisco VPN client for Linux. To create a VPNC connection with NetworkManager, you need to install some plugins:

  1. NetworkManager-vpnc – the base plugin. It is mandatory, because it is the component that actually establishes the connection
  2. NetworkManager-vpnc-kde4 – graphical interface for KDE
  3. NetworkManager-vpnc-gnome – GUI for Gnome

Depending on which desktop environment you use, install the second or the third plugin. After installation, an additional element, VPN, appears in the main NetworkManager interface. Since I use KDE, the explanations are for that environment; the Gnome settings have similar names, layout and interface.

KDE NetworkManager - managing VPN connections

From the “Add” drop-down button, select VPNC, then enter the details of the connection in the window that appears. NetworkManager cannot use pcf files, so you need to enter all the information manually.

KDE NetworkManager - creating a new VPN connection

After the connection is created, it appears in the NetworkManager menu, which is reached from the system tray. The connection is activated by selecting its name from the menu, and deactivated from the same place.

4. Advantages and disadvantages of VPNC

The main advantage of VPNC (the open source client for Cisco VPN) and its GUI front ends is that, being open source, it develops much faster than the official Cisco client, and when it has bugs they are fixed very quickly. It also integrates well with Linux distributions and is very easy to use. The disadvantage is that, to date, it does not support Cisco VPN connections over TCP. According to the official project site this may change, but when is not clear. So if your VPN connection requires TCP, you need the official Cisco VPN client for Linux, which we examine in the next part of the series.

Cisco VPN Client – remote connection to the resources on your intranet. Part One – Windows

Many companies allow remote access to resources in their internal network using a VPN (Virtual Private Network). The key point of using a VPN is that, for the duration of the connection, all data between the host and the client's computer is encrypted, so the security and integrity of the information are preserved.

One of the most common ways of building a VPN infrastructure is Cisco VPN. Clients exist for Windows, Linux and Mac OS. In this series of articles I am going to discuss the Cisco VPN client for Windows and Linux.

Where is the Cisco VPN Client in the Windows start menu

Using the Cisco VPN client under Windows is very easy. First, download the client from the Cisco site – cisco.com. When the download finishes, install the application by following the instructions of the installer. Then, when asked, reboot the computer so that the installation of the virtual network adapter can finish; the client needs this virtual adapter to create the connection.

As shown in the image, the installer creates a new program group in the Windows start menu, named “Cisco Systems VPN Client”. The item “VPN Client” starts the program. Once launched, the client offers two ways of configuring a connection: manual entry of the data in a wizard, or use of an existing Profile Configuration File (pcf file).

Configuring a new connection

To create a new connection, open the “Connection Entries” menu in the client and select “New…”. To create the connection, enter the following data:

    1. Connection Entry – the name of the new connection. This will also be the name shown in the list in the main program window.
      Cisco VPN Client - create new profile
    2. Description – a brief description of the connection.
    3. Host – the host name or IP address of the VPN server. This is the address you will connect to.
    4. Authentication – select the method of authenticating to the server. The most commonly used is Group Authentication. To use this method you need to know the following parameters:
      • Group Name
      • Password of the group. Enter it twice for confirmation in order to avoid input errors.
    5. Transport – sets the method of transporting data across the connection. Possible choices are:
      • IPSec over UDP (NAT / PAT)
      • IPSec over TCP – with this setting a specific TCP port for establishing the connection can be given
      • Allow Local LAN Access – this setting is very important if, besides the remote resources, you also want access to the local network you are on. If you check it, you will have access to both remote and local resources.
      Cisco VPN Client - Transport method
    6. Backup Servers – here you can enter a list of servers to contact if the primary server is unavailable.
      Cisco VPN Client - Backup servers
    7. Dial-Up – the Cisco VPN client can communicate over a modem, even if such a connection is not active when you open the application. If you want to configure the client to make such a connection, you can do it at this step.
      Cisco VPN Client - Dial-Up connection

Import an existing profile

To use an already configured profile you need a pcf file. It can be produced by first creating a new connection with the wizard from the previous section, or it may be provided by the network administrator of the company.

To get the pcf file of an existing connection, open the system file manager (Windows Explorer) and go to the directory “C:\Program Files\Cisco Systems\VPN Client\Profiles”. There you will find a pcf file with the name of the connection already created.

To import a pcf file into the program, press “Import” on the toolbar or open “Connection Entries” and select “Import…”. Then select the file in the dialog box and confirm.

Making a connection

To connect, select a connection from the list in the main program window and click the “Connect” toolbar button. Then enter the username and password provided by the network administrator of the company. If the connection succeeds, a padlock icon appears in the Windows system tray.

Disconnect

To disconnect, right-click the program's icon in the Windows system tray and select “Disconnect”.

Delete link

To delete an existing connection, select it from the list in the main application window and click “Delete” on the toolbar.