Micro and Nano Mechanics Group

How to set up the Cisco VPN client on a Linux computer

William Cash and Keonwook Kang


Updates

4/28/09 - This guide has been around in different forms for nearly two years and has generated a good deal of interest. The basic steps are still exactly the same, but many of the compilation errors listed in the subsections have been resolved in newer versions of the Cisco VPN client (v4.8.02.0030) and Linux kernel (2.6.28). I'm still actively updating this site for my own sake, so please contact me (William Cash) with any mistakes or suggestions.

4/29/09 - Added a section on vpnc in Ubuntu, because I now feel that it's integrated into the OS well enough to be superior to the Cisco VPN client.

Introduction

Cisco VPN is required to connect to many of Stanford's computer resources because of some past security lapses. Unlike the Windows and Mac OS clients, Cisco's Linux VPN client requires use of the terminal and comes with comparatively little documentation from the company. This guide will show you how to install and use the Linux client. In addition, it addresses some of the most common problems encountered during this process.

As an alternative to using the Cisco VPN client, vpnc is an open-source program available on many *NIX systems that is compatible with Cisco VPNs. A general guide for vpnc is not included here. However, instructions for using it with Ubuntu's Network Manager are discussed at the end of this document. This is a more elegant and useful way to connect to Cisco VPNs, and I encourage Ubuntu users to try this before they install the Cisco VPN client.

Installing the VPN client

Note: most of the following steps require superuser access.

  1. Download the v4.8 VPN client from http://vpn.stanford.edu.
  2. Extract the downloaded file.
# mv vpnclient-linux-4.8.tar.gz /usr/local/src
# cd /usr/local/src
# tar -zxvf vpnclient-linux-4.8.tar.gz
  3. Install the VPN client.
# cd vpnclient
# ./vpn_install
  4. Answer the following questions during the installation (the defaults should be fine).
# ./vpn_install 
Cisco Systems VPN Client Version 4.8.00 (0490) Linux Installer
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.

By installing this product you agree that you have read the
license.txt file (The VPN Client license) and will comply with
its terms. 

Directory where binaries will be installed [/usr/local/bin]

Automatically start the VPN service at boot time [yes]yes

In order to build the VPN kernel module, you must have the
kernel headers for the version of the kernel you are running.

Directory containing linux kernel source code 
                      [/lib/modules/2.6.18-8.1.8.el5/build]

* Binaries will be installed in "/usr/local/bin".
* Modules will be installed in "/lib/modules/2.6.18-8.1.8.el5/CiscoVPN".
* The VPN service will be started AUTOMATICALLY at boot time.
* Kernel source from "/lib/modules/2.6.18-8.1.8.el5/build" 
  will be used to build the module.

Is the above correct [y]y
  5. Note that you need to reinstall the VPN client whenever your kernel is upgraded. Before reinstalling it, first run:
# ./vpn_uninstall
    to clean up the files and directories previously installed.
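The installer expects the kernel headers for the running kernel and a working toolchain, and a client built against an older kernel has to be uninstalled before it is rebuilt. The following pre-flight script is an added example, not part of the original guide or Cisco's installer: it checks those conditions for a given kernel version using the paths the installer transcript above reports (/lib/modules/<kernel>/build for headers, /lib/modules/<kernel>/CiscoVPN/cisco_ipsec.ko for the built module). MODULES_ROOT and BUILD_TOOLS are overridable so the checks can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not part of the original guide: pre-flight checks before
# running ./vpn_install, mirroring the questions the installer asks above.
# MODULES_ROOT and BUILD_TOOLS are overridable so the checks can be run
# against a constructed directory tree.

MODULES_ROOT="${MODULES_ROOT:-/lib/modules}"
BUILD_TOOLS="${BUILD_TOOLS:-make gcc patch tar}"

# Path the installer proposes as "Directory containing linux kernel source code".
kernel_build_dir() {
    printf '%s/%s/build\n' "$MODULES_ROOT" "$1"
}

# 0 if kernel headers for kernel $1 are present (needed to compile cisco_ipsec.ko).
have_kernel_headers() {
    [ -d "$(kernel_build_dir "$1")" ]
}

# 0 if cisco_ipsec.ko has already been built for kernel $1, i.e. the client is
# installed against this kernel; otherwise a (re)install is required.
module_installed_for() {
    [ -f "$MODULES_ROOT/$1/CiscoVPN/cisco_ipsec.ko" ]
}

# 0 if every tool in BUILD_TOOLS is on PATH; otherwise print the missing ones.
have_build_tools() {
    missing=""
    for tool in $BUILD_TOOLS; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    [ -z "$missing" ] || { echo "missing build tools:$missing"; return 1; }
}

# Readiness summary for kernel $1. Exit status: 0 ready to install,
# 1 kernel headers missing, 2 module already built for this kernel,
# 3 build tools missing.
preflight() {
    kernel="$1"
    have_build_tools || return 3
    if ! have_kernel_headers "$kernel"; then
        echo "no kernel headers at $(kernel_build_dir "$kernel"); install them first"
        return 1
    fi
    if module_installed_for "$kernel"; then
        echo "cisco_ipsec.ko already built for $kernel; run ./vpn_uninstall before rebuilding"
        return 2
    fi
    echo "ready to run ./vpn_install for kernel $kernel"
}

# Usage: sh vpn-preflight.sh check   (inspects the running kernel, as uname -r reports it)
if [ "${1:-}" = "check" ]; then
    preflight "$(uname -r)"
fi
```

Run it as `sh vpn-preflight.sh check` before each reinstall after a kernel upgrade; an exit status of 2 means the old module for that kernel is still present and ./vpn_uninstall should be run first, as step 5 says.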

If you're receiving errors during installation

Most common error

With the newer Linux kernels that are incompatible with the Cisco VPN client you may receive errors similar to these:

* Binaries will be installed in "/usr/local/bin".
* Modules will be installed in "/lib/modules/2.6.24-19-generic/CiscoVPN".
* The VPN service will be started AUTOMATICALLY at boot time.
* Kernel source from "/lib/modules/2.6.24-19-generic/build"
 will be used to build the module.

Is the above correct [y]y

Making module
make -C /lib/modules/2.6.24-19-generic/build SUBDIRS=/usr/local/src/vpnclient modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.24-19-generic'
  CC [M]  /usr/local/src/vpnclient/linuxcniapi.o
In file included from /usr/local/src/vpnclient/Cniapi.h:15,
                 from /usr/local/src/vpnclient/linuxcniapi.c:31:
/usr/local/src/vpnclient/GenDefs.h:113: error: conflicting types for ‘uintptr_t’
include/linux/types.h:40: error: previous declaration of ‘uintptr_t’ was here
make[2]: *** [/usr/local/src/vpnclient/linuxcniapi.o] Error 1
make[1]: *** [_module_/usr/local/src/vpnclient] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-2.6.24-19-generic'
make: *** [default] Error 2
Failed to make module "cisco_ipsec.ko".

This is a fairly well known problem with numerous websites and forum postings on the topic. The website http://projects.tuxx-home.at has been releasing patches for the installation files of the Cisco VPN client for all the latest Linux kernels.

Instead of using the VPN client provided by Stanford, download the latest one from there (currently v4.8.02.0030) and the patch file for the Linux kernel you are running. Update: Stanford has finally decided to upgrade its download to v4.8.02.0030 as well. If you aren't sure which kernel you are running, use:

# uname -a
Linux cmoney 2.6.24-19-generic #1 SMP Fri Jul 11 23:41:49 UTC 2008 i686 GNU/Linux

Assuming you've already performed steps 1-2 of the installation procedure for the new client, you will now place your patch file in the vpnclient directory and patch the installation:

# patch < vpnclient-linux-2.6.24-final.diff 
patching file GenDefs.h
patching file interceptor.c

Then follow steps 3 and 4 as before.

64-bit operating system errors

If you are still receiving errors after using the previous patch and are using a 64-bit OS, you should also patch the installer with cisco_skbuff_offset.patch from http://projects.tuxx-home.at.

# patch < cisco_skbuff_offset.patch 
patching file frag.c
patching file interceptor.c
Hunk #1 succeeded at 684 (offset 54 lines).
Hunk #2 succeeded at 723 (offset 54 lines).
Hunk #3 succeeded at 845 (offset 54 lines).
patching file linuxcniapi.c
patching file linuxkernelapi.c

Then follow steps 3 and 4 as before.

CFLAGS / EXTRA_CFLAGS error

Finally, if you've tried the last two patches and are receiving the following error when compiling:

Making module
make -C /lib/modules/2.6.24-19-generic/build SUBDIRS=/usr/local/src/vpnclient modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.24-19-generic'
scripts/Makefile.build:46: *** CFLAGS was changed in "/usr/local/src/vpnclient/Makefile". Fix it to use EXTRA_CFLAGS.  Stop.
make[1]: *** [_module_/usr/local/src/vpnclient] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-2.6.24-19-generic'
make: *** [default] Error 2
Failed to make module "cisco_ipsec.ko".

you need to do exactly what the error message is telling you and change CFLAGS to EXTRA_CFLAGS in the makefile. First, open the file Makefile in the installer directory with your preferred text editor.

# nano Makefile

Then, change CFLAGS to EXTRA_CFLAGS in line 15. The line should read:

EXTRA_CFLAGS += -mcmodel=kernel -mno-red-zone

Now try compiling once more.

Configuring the VPN Client

Note: As an alternative to the steps below, Stanford now provides a working configuration file that can simply be placed in the Profile directory (/etc/opt/cisco-vpnclient/Profiles). A line to store your user name can be added to the profile (see Step 2). This profile is not included in the supplied VPN client and must be downloaded separately from http://vpn.stanford.edu.

  1. A sample configuration file is provided at /etc/opt/cisco-vpnclient/Profiles/sample.pcf.
# cd /etc/opt/cisco-vpnclient/Profiles
# ls -l sample.pcf
-rw-rw-rw- 1 root bin  560 Sep 18 08:34 sample.pcf
  2. Copy and edit the configuration file.
# cp -p sample.pcf stanford.pcf
# vi stanford.pcf
    The edited configuration file should look similar to this:
[main]
Description=sample user profile
Host=su-vpn.stanford.edu
AuthType=1
GroupName=Stanford_Public_VPN
GroupPwd=
enc_GroupPwd=
Username=john.doe
SaveUserPassword=0
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
EnableBackup=0
BackupServer=
EnableNat=1
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
DHGroup=2
ForceKeepAlives=0
UserPassword=
enc_UserPassword=
ISPPhonebook=
NTDomain=
EnableMSLogon=1
MSLogonType=0
TunnelingMode=0
TcpTunnelingPort=10000
SendCertChain=0
PeerTimeout=90
EnableLocalLAN=1
  3. Start the VPN service.
# /etc/init.d/vpnclient_init start
    Note that the VPN service will be started automatically at boot time. If you want to stop the VPN service, use the option stop instead. You may also use status, restart or reload in addition to start and stop.
  4. For a detailed description of each keyword in the configuration file, refer to Cisco's guide.

VPN service still does not start automatically after rebooting

If you issued the previously mentioned command to start the VPN service at boot but are receiving the error message:

Could not attach to driver. Is kernel module loaded?
The application was unable to communicate with the VPN sub-system.

after rebooting, your operating system is not actually starting the service. A temporary but somewhat annoying fix is to continue issuing the command:

# /etc/init.d/vpnclient_init start

each time you reboot the system. To actually remedy the problem, you need to create symbolic links for the VPN client at different runlevels. The Cisco VPN client only creates one in runlevel 4, but many Linux distributions don't run at this level. For example, Ubuntu commonly uses runlevel 2. To have the client start at boot for runlevel 2, issue the command:

# ln -s /etc/init.d/vpnclient_init /etc/rc2.d/S85vpnclient_init

To have the client start at boot in a different runlevel, simply replace rc2 in the previous command with the appropriate number. If you are unsure which runlevel to choose, you could place links in all seven.

Connecting to the VPN Host

  1. Once the VPN client service starts, you are ready to connect to the VPN Concentrator. Enter the group password and your SUNet ID and password to activate the connection. The group password is given in the file README-Stanford. Note: If you don't want to keep entering that terrible group password, you can store it under GroupPwd= in the configuration file. The first time the client connects with the host it will remove the plain-text password and replace it with an encrypted one under enc_GroupPwd=.
# vpnclient connect stanford
Cisco Systems VPN Client Version 4.8.00 (0490)
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.18-8.1.8.el5 #1 SMP Tue Jul 10 06:50:22 EDT 2007 i686
Config file directory: /etc/opt/cisco-vpnclient

Enter a group password:
Initializing the VPN connection.
Contacting the gateway at XXX.XX.X.XXX
User Authentication for stanford...

Enter Username and Password.

Username [john.doe]:      
Password []: 
Authenticating user.
Negotiating security policies.
Securing communication channel.

Welcome to the Stanford public VPN Service.

Unauthorized use is prohibited.
Do you wish to continue? (y/n): y

Your VPN connection is secure.

VPN tunnel information.
Client address: XXX.XX.XX.XX
Server address: XXX.XX.X.XXX
Encryption: 168-bit 3-DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is active on port UDP 10000
Local LAN Access is disabled
  2. Press ctrl + z and type bg to run vpnclient in the background. Now you can use ssh or scp to reach other machines.
  3. To disconnect, type:
# vpnclient disconnect

If you are unable to connect without superuser privileges

When trying to connect to the VPN host as a regular user you may encounter the following error:

vpnclient connect stanford
Cisco Systems VPN Client Version 4.8.01 (0640)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.24-19-generic #1 SMP Fri Jul 11 23:41:49 UTC 2008 i686
Config file directory: /etc/opt/cisco-vpnclient

The profile specified could not be read.

This is because you don't have the correct privileges to read the profile file.

# cd /etc/opt/cisco-vpnclient/Profiles/
# ls -l
-rwx------ 1 root root 722 2008-07-26 15:32 stanford.pcf

To change its permissions run:

# chmod 755 stanford.pcf

as the superuser. If you are still not able to use the VPN without being root, type:

# chmod 4111 /opt/cisco-vpnclient/bin/cvpnd
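Two points in this guide touch the profile file: step 2 of "Configuring the VPN Client" creates it from sample.pcf, and the section just above loosens its permissions with chmod 755 so a non-root user can read it. Since the profile may still hold a clear-text GroupPwd= (the client only swaps it for enc_GroupPwd= after the first successful connection) and possibly UserPassword=, making it world-readable exposes those values to every local account. The script below is an added example, not part of the original guide or Cisco's tools: it writes a profile from a template with a restrictive mode, reports whether a profile still carries a clear-text secret while being world-readable, and suggests the narrower chgrp/chmod 640 alternative. It assumes GNU stat (-c) and, for the suggestion, the common convention of a per-user group named after the user; the user name alice and the template contents in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: create a profile from
# sample.pcf (step 2 of "Configuring the VPN Client") and audit a profile's
# permissions before loosening them as the troubleshooting section suggests.
# Assumes GNU stat (-c). The suggested chgrp assumes the usual per-user group
# named after the user, which is a convention, not something the guide states.

# Create profile $2 from template $1 with Host, GroupName and Username set,
# keeping it root-only (0600) until someone else actually needs to read it.
write_profile() {
    tmpl="$1"; out="$2"; host="$3"; group="$4"; user="$5"
    [ -f "$tmpl" ] || { echo "no such template: $tmpl"; return 2; }
    sed -e "s|^Host=.*|Host=$host|" \
        -e "s|^GroupName=.*|GroupName=$group|" \
        -e "s|^Username=.*|Username=$user|" "$tmpl" > "$out" || return 1
    chmod 600 "$out"
}

# 0 if profile $1 still carries a clear-text GroupPwd= or UserPassword= value.
# The client only replaces GroupPwd with enc_GroupPwd after the first
# successful connection, so a freshly edited profile usually does.
pcf_has_plaintext_secret() {
    grep -Eq '^(GroupPwd|UserPassword)=[^[:space:]]+' "$1"
}

# Octal permission bits of file $1, e.g. 755.
file_mode() {
    stat -c '%a' "$1"
}

# 0 if octal mode $1 grants read access to "others" (the last digit has bit 4).
mode_world_readable() {
    last=${1#"${1%?}"}
    [ $((last & 4)) -ne 0 ]
}

# 0 if $1 has the set-user-ID bit (what chmod 4111 on cvpnd does).
is_setuid() {
    [ -u "$1" ]
}

# Audit profile $1 that user $2 needs to read. Exit status: 0 no clear-text
# secret exposed, 1 world-readable profile still holding a clear-text password,
# 2 profile missing.
audit_profile() {
    pcf="$1"; user="$2"
    [ -f "$pcf" ] || { echo "no such profile: $pcf"; return 2; }
    mode=$(file_mode "$pcf")
    if pcf_has_plaintext_secret "$pcf" && mode_world_readable "$mode"; then
        echo "$pcf is mode $mode and still contains a clear-text password"
        echo "narrower alternative: chgrp $user $pcf && chmod 640 $pcf"
        return 1
    fi
    echo "$pcf (mode $mode): no clear-text password exposed to other users"
}

# Usage: sh pcf-audit.sh /etc/opt/cisco-vpnclient/Profiles/stanford.pcf alice
if [ $# -eq 2 ]; then
    audit_profile "$1" "$2"
fi
```

Run the audit after the first successful connection as well: once the client has replaced GroupPwd= with enc_GroupPwd=, the profile no longer trips the clear-text check and chmod 755 is less of a concern, though a group-readable mode still limits exposure.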

If you are unable to browse the internet, check email, etc. after connecting to the VPN

Another common problem with the Cisco VPN client for Linux is that it disables your local LAN access once you connect to the host, even if the host is not set to disable local LAN access. This can be remedied with the override-local-lan-access.diff patch from projects.tuxx-home.at. You will first have to uninstall your VPN client and move the patch to the vpnclient source code directory. If you had to use the aforementioned kernel patch, apply that first. Then apply the LAN access patch and install as usual.

# patch < override-local-lan-access.diff 
patching file interceptor.c
Hunk #1 succeeded at 727 (offset 16 lines).
Hunk #2 succeeded at 859 (offset 16 lines).

Additional LAN access issues due to Firestarter firewall

Firestarter is a popular desktop firewall tool used by many Linux users. However, it can also block internet access while the Cisco VPN is active. A quick temporary fix is to open the Firestarter utility and simply stop the firewall. A safer and permanent fix is to add the following rules to /etc/firestarter/user-pre (for many users this file will be empty beforehand):

iptables -A INPUT -j ACCEPT -s xxx.xxx.xxx.xxx -p esp
iptables -A INPUT -j ACCEPT -s xxx.xxx.xxx.xxx -p udp -m multiport --sports isakmp,10000
iptables -A INPUT -j ACCEPT -i cipsec0
iptables -A OUTPUT -j ACCEPT -d xxx.xxx.xxx.xxx -p esp
iptables -A OUTPUT -j ACCEPT -d xxx.xxx.xxx.xxx -p udp -m multiport --dports isakmp,10000
iptables -A OUTPUT -j ACCEPT -o cipsec0

Here xxx.xxx.xxx.xxx is the IP address of the VPN server (you can find this from the Server address shown when starting the VPN), and cipsec0 is the common name for the VPN network device on your computer. You can verify whether cipsec0 is the correct name by running:

# ifconfig
cipsec0   Link encap:Ethernet  HWaddr ff:ff:ff:ff:ff:ff  
          inet addr:XXX.XXX.XXX.XXX  Mask:XXX.XXX.XXX.XXX
          inet6 addr: blah:blah::blah:blah Scope:Link
          UP RUNNING NOARP  MTU:1356  Metric:1
          RX packets:34 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:6 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:17531 (17.1 KB)  TX bytes:3848 (3.7 KB)

ifconfig will also display the names of your network and/or wireless cards.

For the changes to take effect, you will need to restart the firewall by running:

# /etc/init.d/firestarter restart
 * Stopping the Firestarter firewall...                  [ OK ] 
 * Starting the Firestarter firewall...                  [ OK ]
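The rules above only work once the xxx.xxx.xxx.xxx placeholders are replaced with the real server address, and a typo there either leaves the VPN blocked or opens the firewall for the wrong host. The script below is an added example, not part of the original guide or Firestarter: it generates the same six rules from the server address and tunnel interface given on the command line, after validating that the address is a dotted-quad IPv4 and the interface name is sane, so nothing unexpected ends up in user-pre. The address 192.0.2.10 used in the usage line is a documentation placeholder, not a real VPN server.

```shell
#!/bin/sh
# Added example, not part of the original guide: generate the Firestarter
# user-pre rules from the real VPN server address and tunnel interface
# instead of editing the xxx.xxx.xxx.xxx placeholders by hand. Nothing is
# applied unless the administrator redirects the output into user-pre.

# 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $ip
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# 0 if $1 is a plausible interface name (the VPN device is usually cipsec0):
# non-empty, at most 15 characters, only letters, digits, '_', '.', '-'.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) [ ${#1} -le 15 ] ;;
    esac
}

# Print the six iptables rules from the guide with the server address ($1)
# and tunnel interface ($2) filled in. Exit status 1 on invalid input.
vpn_firewall_rules() {
    server="$1"; iface="$2"
    valid_ipv4 "$server" || { echo "bad server address: $server" >&2; return 1; }
    valid_ifname "$iface" || { echo "bad interface name: $iface" >&2; return 1; }
    cat <<EOF
iptables -A INPUT -j ACCEPT -s $server -p esp
iptables -A INPUT -j ACCEPT -s $server -p udp -m multiport --sports isakmp,10000
iptables -A INPUT -j ACCEPT -i $iface
iptables -A OUTPUT -j ACCEPT -d $server -p esp
iptables -A OUTPUT -j ACCEPT -d $server -p udp -m multiport --dports isakmp,10000
iptables -A OUTPUT -j ACCEPT -o $iface
EOF
}

# Usage (192.0.2.10 is a placeholder address):
#   sh vpn-rules.sh 192.0.2.10 cipsec0 > /etc/firestarter/user-pre
if [ $# -eq 2 ]; then
    vpn_firewall_rules "$1" "$2"
fi
```

After writing the file, restart Firestarter as shown above so the rules are loaded; if the VPN server address changes, regenerate the file rather than editing it by hand.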

vpnc Integration with Network Manager in Ubuntu 9.04

Ubuntu's Network Manager is the way Ubuntu organizes all your wired and wireless networks. It's the icon in the task bar you're always clicking to view all the available wifi signals, because it always seems to connect to the wrong network. It used to suck (e.g. 7.04), but it has improved greatly in recent releases. In version 9.04, I finally feel that it is reliable enough to warrant a section in this guide - especially since more of us at Stanford seem to be using Ubuntu these days.

  1. To allow Network Manager to manage your Cisco VPN connection you will first need to install the vpnc plugin. You will need to get the packages network-manager-vpnc and vpnc from the Ubuntu repositories using either the Synaptic Package Manager or apt-get. If this is over your head, you can also find it in Add/Remove Programs if you search for 'vpnc' in all available applications.
  2. Click the Network Manager icon in your task bar and there should now be an option labeled "VPN Connections". Expand this option and select Configure VPN, as shown below (my desktop and task bar probably look different than yours because I was on my netbook).
    Vpnc 1.png
  3. The Network Connections window should open with the VPN tab selected. Choose the "Add" option to create a new VPN connection, or import an existing .pcf configuration file using the "Import" button. A window like the one below will open. Gateway is the URL or IP address of the VPN host (this is called "Host" in the Cisco .pcf configuration file). Group name, user name, and their passwords are all self-explanatory and can be permanently stored if you prefer. These should be the only options most users have to change.
    Vpnc 2.png
  4. Apply the changes and now try to connect to the VPN by returning to Network Manager in the task bar and selecting your newly created VPN.
    Vpnc 3.png
  5. It may ask you for access to your network security key ring. You should select "Always Allow" unless you want the window to continually pop up.
  6. If it successfully finds the server it will either ask or verify your passwords. Assuming these are correct you should receive a confirmation message such as the one below. I'm not sure if this message is specific to the Stanford VPN, but it asks you to click the "Continue Button". I have no idea where this so-called button is, but the VPN works fine anyway. You will know your VPN connection is active if there is a gold padlock on top of your Network Manager icon.
    Vpnc 4.png
  7. Actually, Stanford offers a very convenient way to set the VPN parameters in Ubuntu. After installing the packages vpnc, network-manager-vpnc and network-manager-vpnc-gnome, you can download the Stanford_Public_VPN.pcf configuration file directly from https://itservices.stanford.edu/service/vpn/downloads. Next, select VPN Connections > Configure VPN from the GNOME notification area and import the .pcf file you downloaded. Finally, edit this VPN connection by entering your SUNet ID in the User name field and your SUNet password in the Password field.

References

  1. https://www.stanford.edu/group/hpcc/support/linux.html
  2. http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094673.shtml
  3. http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/linux_solaris/user/guide/vcugls3.html
  4. http://www.linuxforums.org/forum/linux-security/60089-vpnclient-suid.html
  5. http://projects.tuxx-home.at/?id=cisco_vpn_client
  6. http://ubuntuforums.org/archive/index.php/t-77035.html
  7. https://itservices.stanford.edu/service/vpn/linux_builtin