Docs/SysAdmin/Networking/VPN/Cisco
From Mandriva Community Wiki
Cisco itself does not make the client publicly available, and if you are like me, the IS dudes at work do not want to hear anything about Linux. If you are in a more modern environment, the client can apparently be fetched there (requires a Cisco.com login with encryption entitlement): http://www.cisco.com/kobayashi/sw-center/vpn/client/
Fortunately, numerous universities have the Linux client on their FTP site. A quick visit to your favorite search engine should allow you to locate a few of them. I have no idea about the legal issues, so make sure you have the right to use this software.
Please be careful, since you are going to use this software to connect to private networks. At least get the files from several independent places and compare them to check that they are identical: a binary comparison with cmp should not report any difference.
The main VPN client page is at http://www.cisco.com/go/vpnclient
Current version
As of today (Mar 06, 2005) the file you need is vpnclient-linux-4.6.00.0045-k9.tar.gz
Just a few links where you can get it:
- http://www.rsmas.miami.edu/support/rcf/vpn/linux/
- http://rz-obrian.rz.uni-karlsruhe.de/vpnclient/
- http://www.filesearching.com/cgi-bin/s?t=n&l=en&q=ftp.dou.dk/pub/Cisco
- ftp://ftp.dou.dk/pub/Cisco
- http://vpn.doit.wisc.edu/download/test/
Available documentation
There are obviously many people using this client, but since there is no official support, it is rather difficult to sort out web search results.
The official documentation is available, and I would recommend reading it first in case of trouble:
- User's guide: http://cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_book09186a00802aa59f.html
- Administrator's guide: http://cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_book09186a00802d5d97.html
Installation and first problems
This client works well with recent 2.4 and brand new 2.6.10 kernels, but many people are reporting troubles with 2.6.8. Successfully tested versions should be added to Appendix A of this document.
Since you will install a new module, you will also need the kernel-source-2.6 or kernel-source-stripped-2.6 rpm.
Step by step installation:
- You will need to be root, so be careful.
- Get kernel sources: # urpmi kernel-source-stripped-2.6
- Get the tarball (e.g. vpnclient-linux-4.6.00.0045-k9.tar.gz) from somewhere
- Decompress it: # tar xzf vpnclient-linux-4.6.00.0045-k9.tar.gz
- Change into the vpnclient directory and copy the patch there: # cd vpnclient
- Apply the patch: # patch < vpn-2.6.10-interceptor.patch
- Install (you can accept the defaults, but I prefer starting the service manually, so I answer no to the second question): # ./vpn_install
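The "compare several independent copies with cmp" check from the introduction and the unpack/patch steps above, as an added shell example that is not from the wiki page. The tarball and patch names are the ones used on this page; the helper names, the extra copy names in the usage line, the sha1 checksum helper and the `patch --dry-run` pre-check are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): make sure independently downloaded
# copies of the client tarball are byte-identical before unpacking, then run
# the unpack/patch steps with a dry-run check.

# verify_copies FILE... : exit 0 only if every file is byte-identical to the
# first one. cmp -s is silent and fails on any difference or missing file.
verify_copies() {
    ref="$1"; shift
    [ -f "$ref" ] || { echo "missing: $ref" >&2; return 1; }
    status=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2; status=1
        elif cmp -s "$ref" "$f"; then
            echo "identical: $f"
        else
            echo "DIFFERS: $f" >&2; status=1
        fi
    done
    return $status
}

# checksum FILE : print a sha1 of the file, so you can record which tarball
# you actually installed (sha1sum is part of coreutils).
checksum() {
    sha1sum "$1" | cut -d' ' -f1
}

# unpack_and_patch TARBALL PATCH : unpack the tarball, copy the interceptor
# patch into vpnclient/ and apply it, but only after patch --dry-run has
# confirmed that it applies cleanly to this version of the client.
unpack_and_patch() {
    tarball="$1"; patchfile="$2"
    tar xzf "$tarball" || return 1
    cp "$patchfile" vpnclient/ || return 1
    ( cd vpnclient \
        && patch --dry-run < "$(basename "$patchfile")" > /dev/null \
        && patch < "$(basename "$patchfile")" )
}

# Usage (as root, from the directory holding the downloads; copy2/copy3 are
# assumed names for the same tarball fetched from other mirrors):
#   verify_copies vpnclient-linux-4.6.00.0045-k9.tar.gz copy2.tar.gz copy3.tar.gz \
#     && checksum vpnclient-linux-4.6.00.0045-k9.tar.gz \
#     && urpmi kernel-source-stripped-2.6 \
#     && unpack_and_patch vpnclient-linux-4.6.00.0045-k9.tar.gz vpn-2.6.10-interceptor.patch \
#     && (cd vpnclient && ./vpn_install)
```

Keep the checksum you printed next to the mirror list: if a later download differs, you know which copy to distrust.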
The kernel module can now be inserted and removed with the /etc/init.d/vpnclient_init init script.
Configuration
Configuration files are saved in /etc/opt/cisco-vpnclient/Profiles. There are three possible ways to authenticate with the VPN server:
- With a username and password
- Using a digital certificate with an RSA signature
- Mutual group authentication
Configuration with user name and password
This is apparently the most commonly used authentication method and the easiest to configure.
Create a new configuration file (myprofile.pcf) using sample.pcf as a template:
Description=My VPN connection
Host=myvpn.server.com
AuthType=1
GroupName=MyGroup
GroupPwd=
EncGroupPwd=yes
enc_GroupPwd=
Username=MyUserName
UserPassword=
enc_UserPassword=
SaveUserPassword=0
That should be sufficient.
Configuration with a digital certificate
This is where things get a bit harder, since information is difficult to find. I will just describe how I got my connection working, and other users will hopefully fill in the blanks.
My company sent me a root certificate called cacert.crt that I had to register in Internet Explorer to fetch my user certificate called usercert.p12 at a certain URL. I should have taken note of that URL but I did not. It looks like it is possible to get the certificate from the server using cisco_cert_mgr with enroll.
However, I saved the two files and copied them in /etc/opt/cisco-vpnclient/Certificates/
Then I registered them (one as root, one as user) with the very unfriendly tool called cisco_cert_mgr:
# cisco_cert_mgr -R -op import
Cisco Systems VPN Client Version 4.6.00 (0045)
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.10-3mdk #1 Tue Feb 22 01:32:42 CET 2005 i686
[ Importing Certificate ]
Enter filename: /etc/opt/cisco-vpnclient/Certificates/cacert.crt
Success: certificate imported from path: /etc/opt/cisco-vpnclient/Certificates/cacert.crt
# cisco_cert_mgr -U -op import
Cisco Systems VPN Client Version 4.6.00 (0045)
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.10-3mdk #1 Tue Feb 22 01:32:42 CET 2005 i686
[ Importing Certificate ]
Enter filename: /etc/opt/cisco-vpnclient/Certificates/usercert.p12
Import Password:
Enter a password to protect your certificate.
Choose a password that you can remember.
Password:
Confirm Password:
Success: certificate imported from path: /etc/opt/cisco-vpnclient/Certificates/usercert.p12
Finally, I checked the content of the user certificate:
# cisco_cert_mgr -U -op view
Cisco Systems VPN Client Version 4.6.00 (0045)
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.10-3mdk #1 Tue Feb 22 01:32:42 CET 2005 i686
Cert # Common Name
------- ------------
0 Quel Qun (vpnclient)
Enter Certificate #: 0
Common Name: Quel Qun (vpnclient)
Department: 1-1234
Company: A Wonderful World
State: California
Country: US
Email: Quel_Qun@WonderWorld.com
Thumb Print: xxxxxxxxxxxxxxxxxxxxxxxx
Key Size: 1024
Subject: e=Quel_Qun@WonderWorld.com,cn=Quel Qun (vpnclient),ou=1-1234,o=A Wonderful World,l=Sunnyvale,st=California,c=US
Serial #: xxxx
Issuer: e=Wonder-CA@ww.com, etc.
Not before: some day
Not after: the end
The Subject line is important since it has to be reproduced in the configuration file:
AuthType=3
CertStore=1
CertName=usercert.p12
CertPath=/etc/opt/cisco-vpnclient/Certificates/
CertSubjectName=e=Quel_Qun@WonderWorld.com,cn=Quel Qun (vpnclient),ou=1-1234,o=A Wonderful World,l=Sunnyvale,st=California,c=US
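A small sanity check for a .pcf profile covering both the username/password profile and the certificate profile above, as an added shell example that is not from the wiki page or from Cisco. The keys it looks at are the ones shown in the two profiles; the rules (no clear-text GroupPwd/UserPassword, required keys per AuthType, file not readable by others) are this example's own assumptions about what a usable and safe profile looks like.

```shell
#!/bin/sh
# Added example (not from the wiki page): sanity-check a vpnclient .pcf
# profile before using it. Rules are this example's own, not Cisco's.

# pcf_get FILE KEY : print the value of KEY (empty if absent). Keys are
# matched case-sensitively and anchored, so CertName does not match
# CertSubjectName.
pcf_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_pcf FILE : print each problem found and return their count
# (returns 1 if the file does not exist).
check_pcf() {
    f="$1"; problems=0
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }

    # The enc_* keys hold the encrypted forms the client works with; a profile
    # with the clear-text keys filled in hands the secret to anyone who can
    # read the file.
    for key in GroupPwd UserPassword; do
        if [ -n "$(pcf_get "$f" "$key")" ]; then
            echo "$f: $key is stored in clear text"; problems=$((problems + 1))
        fi
    done

    case "$(pcf_get "$f" AuthType)" in
        1)  # group name + user password
            [ -n "$(pcf_get "$f" GroupName)" ] \
                || { echo "$f: GroupName missing"; problems=$((problems + 1)); }
            ;;
        3)  # digital certificate: the subject must match the imported cert
            for key in CertName CertPath CertSubjectName; do
                [ -n "$(pcf_get "$f" "$key")" ] \
                    || { echo "$f: $key missing"; problems=$((problems + 1)); }
            done
            ;;
        *)  echo "$f: unknown or missing AuthType"; problems=$((problems + 1)) ;;
    esac

    [ -n "$(pcf_get "$f" Host)" ] \
        || { echo "$f: Host missing"; problems=$((problems + 1)); }

    # Last octal digit non-zero means "others" have some access to the file.
    perms=$(stat -c %a "$f" 2>/dev/null || echo 0)
    case "$perms" in
        *[1-7]) echo "$f: readable by others (mode $perms)"; problems=$((problems + 1)) ;;
    esac
    return $problems
}

# Usage: check_pcf /etc/opt/cisco-vpnclient/Profiles/myprofile.pcf
```

Run it on the profile in /etc/opt/cisco-vpnclient/Profiles after editing it; a zero return means every key the chosen AuthType needs is present and no secret sits in the file in the clear.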
Telecommute - Connecting
First you need to start the service if it is not already started:
# service vpnclient_init start
This will load the cisco_ipsec kernel module; you can check with /sbin/lsmod.
Then connect to the server:
# vpnclient connect myprofile
Cisco Systems VPN Client Version 4.6.00 (0045)
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.10-3mdk #1 Tue Feb 22 01:32:42 CET 2005 i686
Config file directory: /etc/opt/cisco-vpnclient
Enter Certificate password:
Initializing the VPN connection.
Contacting the gateway at 40.30.20.19
User Authentication for myprofile...
Enter Username and Password.
Username [MyUserName]:
Password []:
Authenticating user.
Negotiating security policies.
Securing communication channel.
Cool VPN Gateway - Unauthorized Access is Prohibited
Do you wish to continue? (y/n): y
Your VPN connection is secure.
VPN tunnel information.
Client address: 10.20.30.42
Server address: 40.30.20.19
Encryption: 168-bit 3-DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is active on port UDP 1200
Local LAN Access is disabled
You're in!
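The "VPN tunnel information" block at the end of the session is worth reading rather than skipping past: it tells you what the gateway actually negotiated. The following added shell example (not from the wiki page or from Cisco) pulls those fields out of saved `vpnclient connect` output and flags a tunnel that ended up on DES/3-DES or HMAC-MD5, which are legacy algorithms by today's standards. The sample transcript is constructed from the session above; the function names and the "legacy"/"ok" rating are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): extract the tunnel parameters from
# `vpnclient connect` output and rate the negotiated algorithms.

# Constructed sample, copied from the tail of the session shown on the page.
SAMPLE='Your VPN connection is secure.
VPN tunnel information.
Client address: 10.20.30.42
Server address: 40.30.20.19
Encryption: 168-bit 3-DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is active on port UDP 1200
Local LAN Access is disabled'

# tunnel_field TEXT FIELD : print the value following "FIELD: " (first match).
tunnel_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p" | head -n 1
}

# tunnel_rating TEXT : print "legacy" when the cipher is DES or 3-DES or the
# integrity algorithm is HMAC-MD5, "ok" otherwise; prints "none" and
# returns 1 when the text carries no tunnel information at all.
tunnel_rating() {
    enc=$(tunnel_field "$1" Encryption)
    auth=$(tunnel_field "$1" Authentication)
    if [ -z "$enc" ] && [ -z "$auth" ]; then
        echo none; return 1
    fi
    case "$enc" in
        *DES*) echo legacy; return 0 ;;
    esac
    case "$auth" in
        *MD5*) echo legacy; return 0 ;;
    esac
    echo ok
}

# tunnel_report TEXT : one-screen summary of the tunnel plus the rating.
tunnel_report() {
    for field in "Client address" "Server address" Encryption Authentication "IP Compression"; do
        printf '%-16s %s\n' "$field:" "$(tunnel_field "$1" "$field")"
    done
    printf '%-16s %s\n' "Rating:" "$(tunnel_rating "$1")"
}

# Report for the constructed sample. On a real box, if you saved the session
# output to /tmp/vpn.log (assumed path): tunnel_report "$(cat /tmp/vpn.log)"
tunnel_report "$SAMPLE"
```

A "legacy" rating is not something the client side can fix on its own: the cipher and hash come from the gateway's group policy, so it is the piece of information to take to whoever runs the concentrator.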
Disconnecting
To terminate the connection, use
# vpnclient disconnect
To remove the kernel module, use
# service vpnclient_init stop
Successfully tested versions
- 2.4.28-0.rc1.1.1mdk
- 2.6.10-3mdk
- 2.6.11-1mdk

