Micro and Nano Mechanics Group

Revision as of 15:58, 26 July 2008

How to setup the Cisco VPN client on a Linux computer

Keonwook Kang and William Cash

Introduction

Because of some past security lapses, the Cisco VPN is required to reach many of Stanford's computing resources. Unlike the Windows and Mac OS clients, Cisco's Linux VPN client is driven from the terminal and has very little documentation from the company. This guide shows you how to install and use the Linux client.

The outdated client has also become incompatible with newer Linux kernels and requires patches created by the Linux community. If you are running kernel 2.6.22, 2.6.24, or later, you will probably have to download a newer Cisco VPN client than the one Stanford provides, as outlined later in this guide.

Installing the VPN client

Note: most of the following steps require superuser access.

  1. Download the v4.8 VPN client from http://vpn.stanford.edu.
  2. Extract the downloaded file.
# mv vpnclient-linux-4.8.tar.gz /usr/local/src
# cd /usr/local/src
# tar -zxvf vpnclient-linux-4.8.tar.gz
  3. Install the VPN client
# cd vpnclient
# ./vpn_install
  4. Answer the following questions during the installation (the defaults should be fine)
# ./vpn_install
Cisco Systems VPN Client Version 4.8.00 (0490) Linux Installer
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.

By installing this product you agree that you have read the
license.txt file (The VPN Client license) and will comply with
its terms. 

Directory where binaries will be installed [/usr/local/bin]

Automatically start the VPN service at boot time [yes]yes

In order to build the VPN kernel module, you must have the
kernel headers for the version of the kernel you are running.

Directory containing linux kernel source code 
                      [/lib/modules/2.6.18-8.1.8.el5/build]

* Binaries will be installed in "/usr/local/bin".
* Modules will be installed in "/lib/modules/2.6.18-8.1.8.el5/CiscoVPN".
* The VPN service will be started AUTOMATICALLY at boot time.
* Kernel source from "/lib/modules/2.6.18-8.1.8.el5/build" 
  will be used to build the module.

Is the above correct [y]y
  5. Note that you need to reinstall the VPN client whenever your kernel is upgraded. Before reinstalling it, first run:
# ./vpn_uninstall
    to clean up the files and directories previously installed.

If you're receiving errors during installation

With the newer Linux kernels that are incompatible with the Cisco VPN client, you may receive errors similar to these:

* Binaries will be installed in "/usr/local/bin".
* Modules will be installed in "/lib/modules/2.6.24-19-generic/CiscoVPN".
* The VPN service will be started AUTOMATICALLY at boot time.
* Kernel source from "/lib/modules/2.6.24-19-generic/build"
 will be used to build the module.

Is the above correct [y]y

Making module
make -C /lib/modules/2.6.24-19-generic/build SUBDIRS=/usr/local/src/vpnclient modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.24-19-generic'
  CC [M]  /usr/local/src/vpnclient/linuxcniapi.o
In file included from /usr/local/src/vpnclient/Cniapi.h:15,
                 from /usr/local/src/vpnclient/linuxcniapi.c:31:
/usr/local/src/vpnclient/GenDefs.h:113: error: conflicting types for ‘uintptr_t’
include/linux/types.h:40: error: previous declaration of ‘uintptr_t’ was here
make[2]: *** [/usr/local/src/vpnclient/linuxcniapi.o] Error 1
make[1]: *** [_module_/usr/local/src/vpnclient] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-2.6.24-19-generic'
make: *** [default] Error 2
Failed to make module "cisco_ipsec.ko".

This is a fairly well-known problem with numerous websites and forum postings on the topic. The website projects.tuxx-home.at has been releasing patches for the installation files of the Cisco VPN client for all the latest Linux kernels.

Instead of using the VPN client provided by Stanford, download the latest one from there (currently v4.8.01) together with the patch file for the Linux kernel you are running. If you aren't sure which kernel you are running, type:

# uname -a
Linux cmoney 2.6.24-19-generic #1 SMP Fri Jul 11 23:41:49 UTC 2008 i686 GNU/Linux

Assuming you've already performed steps 1-2 of the installation procedure for the new client, you will now place your patch file in the vpnclient directory and patch the installation:

# patch < vpnclient-linux-2.6.24-final.diff 
patching file GenDefs.h
patching file interceptor.c

Then follow steps 3 and 4 as before.

Configuring the VPN Client

  1. A sample configuration file is: /etc/opt/cisco-vpnclient/Profiles/sample.pcf.
# cd /etc/opt/cisco-vpnclient/Profiles
# ls -l sample.pcf
-rw-rw-rw- 1 root bin  560 Sep 18 08:34 sample.pcf
  2. Copy and edit the configuration file.
# cp -p sample.pcf stanford.pcf
# vi stanford.pcf
    The edited configuration file should look similar to this:
Description=Stanford Profile
Host=su-vpn.stanford.edu
AuthType=1
GroupName=Stanford_Public_VPN
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=john.doe
SaveUserPassword=0
EnableBackup=0
BackupServer=
EnableNat=1
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
DHGroup=2
ForceKeepAlives=1
UserPassword=
enc_UserPassword=
GroupPwd=
enc_GroupPwd=
ISPPhonebook=
NTDomain=
EnableMSLogon=1
MSLogonType=0
TunnelingMode=0
TcpTunnelingPort=10000
SendCertChain=0
PeerTimeout=90
EnableLocalLAN=1
  3. Start the VPN service.
# /etc/init.d/vpnclient_init start
    Note that the VPN service will be started automatically at boot time. If you want to stop the VPN service, use the option stop instead. Also, you may use status, restart or reload in addition to start and stop.
  4. For a detailed description of each keyword in the configuration file, refer to Cisco's guide.

Connecting to the VPN Host

  1. Once the VPN client service starts, you are ready to connect to the VPN Concentrator. Enter the group password and your SUNet ID and password to activate the connection. The group password is given in the file README-Stanford. Note: If you don't want to keep entering that terrible group password, you can store it under GroupPwd= in the configuration file. The first time the client connects to the host it will remove the plain-text password and replace it with an encrypted one under enc_GroupPwd=.
# vpnclient connect stanford
Cisco Systems VPN Client Version 4.8.00 (0490)
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.18-8.1.8.el5 #1 SMP Tue Jul 10 06:50:22 EDT 2007 i686
Config file directory: /etc/opt/cisco-vpnclient

Enter a group password:
Initializing the VPN connection.
Contacting the gateway at XXX.XX.X.XXX
User Authentication for stanford...

Enter Username and Password.

Username [john.doe]:      
Password []: 
Authenticating user.
Negotiating security policies.
Securing communication channel.

Welcome to the Stanford public VPN Service.

Unauthorized use is prohibited.
Do you wish to continue? (y/n): y

Your VPN connection is secure.

VPN tunnel information.
Client address: XXX.XX.XX.XX
Server address: XXX.XX.X.XXX
Encryption: 168-bit 3-DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is active on port UDP 10000
Local LAN Access is disabled
  2. Press ctrl + z and type bg to run vpnclient in the background. Now you can use ssh or scp to reach other machines.
  3. To disconnect, type:
# vpnclient disconnect

If you are unable to connect without superuser privileges

When trying to connect to the VPN host as a regular user you may encounter the following error:

$ vpnclient connect stanford
Cisco Systems VPN Client Version 4.8.01 (0640)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.24-19-generic #1 SMP Fri Jul 11 23:41:49 UTC 2008 i686
Config file directory: /etc/opt/cisco-vpnclient

The profile specified could not be read.

This is because you don't have the correct privileges to read the profile file.

# cd /etc/opt/cisco-vpnclient/Profiles/
# ls -l
-rwx------ 1 root root 722 2008-07-26 15:32 stanford.pcf

To change its permissions run:

# chmod 755 stanford.pcf

as the superuser. Note that this makes the profile readable by every local user, so if you stored the group password in it (under GroupPwd= or enc_GroupPwd=), anyone with an account on the machine can read that credential. If you are still not able to use the VPN without being root, type:

# chmod 4111 /opt/cisco-vpnclient/bin/cvpnd

This sets the setuid bit on cvpnd, so it runs with root privileges for any user who executes it.
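As an added example (not part of the original guide or of Cisco's client), the following POSIX shell script audits a .pcf profile for the two issues raised on this page: a group password stored under GroupPwd= (see the connecting section) and a profile left world-readable by chmod 755. The function names and the sample profile values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a Cisco VPN .pcf
# profile for stored credentials and over-permissive file modes.

# pcf_value FILE KEY: print the value of KEY (profiles are KEY=value lines).
pcf_value() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# pcf_mode FILE: octal permission bits (GNU stat, BSD stat as fallback).
pcf_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_pcf FILE: returns 0 if clean, 1 if the profile stores a plaintext
# credential or is world-readable while holding any credential.
check_pcf() {
  f=$1
  status=0
  has_cred=0
  mode=$(pcf_mode "$f")
  # the world-read bit (4) lives in the last octal digit of the mode
  last=$(printf '%s' "$mode" | tail -c 1)
  world=$(( last & 4 ))
  for key in GroupPwd UserPassword enc_GroupPwd enc_UserPassword; do
    if [ -n "$(pcf_value "$f" "$key")" ]; then
      has_cred=1
      case $key in
        enc_*) ;;  # encoded by the client, but still a usable credential
        *) echo "WARN: $f stores $key in plaintext"; status=1 ;;
      esac
    fi
  done
  if [ "$world" -ne 0 ] && [ "$has_cred" -eq 1 ]; then
    echo "WARN: $f is world-readable (mode $mode) and holds credentials"
    status=1
  fi
  return "$status"
}

# Demo on a constructed profile; the values are made up for illustration.
demo_file=$(mktemp)
printf 'Host=su-vpn.stanford.edu\nGroupPwd=example-only\nenc_GroupPwd=\n' > "$demo_file"
chmod 755 "$demo_file"
if check_pcf "$demo_file"; then echo "profile OK"; fi
rm -f "$demo_file"
```

Run it against /etc/opt/cisco-vpnclient/Profiles/stanford.pcf after the chmod above to see whether the profile now exposes a stored credential.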

If you are unable to browse the internet, check email, etc. after connecting to the VPN

Another common problem with the Cisco VPN client for Linux is that it disables your local LAN access once you connect to the host, even if the host is not set to disable local LAN access. This can be remedied with the override-local-lan-access.diff patch from projects.tuxx-home.at. You will first have to uninstall your VPN client and move the patch into the vpnclient source code directory. If you had to use the aforementioned kernel patch, apply that first. Then apply the LAN access patch and install as usual.

# patch < override-local-lan-access.diff 
patching file interceptor.c
Hunk #1 succeeded at 727 (offset 16 lines).
Hunk #2 succeeded at 859 (offset 16 lines).

References

  1. https://www.stanford.edu/group/hpcc/support/linux.html
  2. http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094673.shtml
  3. http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/linux_solaris/user/guide/vcugls3.html
  4. http://www.linuxforums.org/forum/linux-security/60089-vpnclient-suid.html
  5. http://projects.tuxx-home.at/?id=cisco_vpn_client