Howto: Cisco 3000 VPN Gateway Connectivity on Linux - vpnc
I had to connect to a Cisco 3000 VPN gateway to establish a VPN with my office network. Cisco provides VPN clients for Microsoft Windows and RPMs for Linux. I am basically a Debian user. When I tried alien to convert the RPM into a deb file and install it, the installation succeeded, but there was some problem with the configuration files and their locations. I was too lazy to figure out what was happening, so I googled for an alternative solution. This post describes what I found and may be helpful for others as well.
The alternative to the official Cisco VPN client is an open source VPN client known as vpnc. As a first step we need to install vpnc. On Debian this can be done with the following command.
# sudo apt-get install vpnc
For other distributions supporting RPMs, you can search for this package's RPM and install it. If RPM is not supported, you can get the source tarball of vpnc and compile it. Note that libgcrypt is a mandatory dependency for vpnc. I also suggest installing the package resolvconf, as it takes care of tweaking your /etc/resolv.conf while connecting to and disconnecting from the VPN.
Now you need to create the configuration file for vpnc. The default locations for the configuration file are
A typical vpnc configuration file should look like this.
IPSec gateway ip_address_or_host_name_of_your_vpn_gateway
IPSec ID your_group_name
IPSec secret your_group_password
Xauth username your_username
You can obtain all this information from your network admins. One thing to note here is that the group password you use for IPSec secret should be the plain password and not the encrypted one you see in Cisco profile files. Normally you should get the plain password from your network admin. If you have issues with that and end up with only the encrypted password, you can decode it here. Please don't abuse this service.
There are other optional parameters that can be present in the configuration file, like DNSUpdate No, which stops vpnc from updating /etc/resolv.conf. For other options please look into the man page of vpnc.
Please note that you need the tun kernel module (or built-in tun support). If it is not already loaded, load it with the following command before invoking vpnc.
# sudo modprobe tun
Once you create a working configuration file and place it in /etc/vpnc/default.conf, you can connect to your VPN gateway using the following command.
# sudo vpnc
Enter password for your_username@your_vpn_gateway: **********
You should know what password to enter here ;-) Mostly it is the passphrase generated by your secure token card. If the authentication is successful, you will see the message announced by your VPN gateway, if any. You can also verify the connection by issuing the following command.
# /sbin/ifconfig (Output ignored here)
In the output of this command, you will see that a tun interface is configured. You will also find that your /etc/resolv.conf file is updated, if you have opted for it, and that the routes have changed. You can verify these things as follows.
# cat /etc/resolv.conf
(Output ignored here)
# /sbin/route
(Output ignored here)
The most common problem after connecting is that the user is not able to establish a connection with any of the hosts in the VPN. This is due to the firewall policies. If you are running firestarter, then add the following lines to the /etc/firestarter/user-pre file. When using firestarter, the iptables service should be turned off. The firestarter inbound policy is to deny all. Users can open ports as needed. Users are given a choice of two outbound policies: permissive and restrictive. I am currently using the permissive policy. Users can close ports as desired. The current firestarter version does not support VPN, but users can add iptables rules to /etc/firestarter/user-pre:
VPNGATEWAY=your_vpn_gateway
TUNDEV=tun0
iptables -A INPUT -j ACCEPT -s $VPNGATEWAY -p esp
iptables -A INPUT -j ACCEPT -s $VPNGATEWAY -p udp -m multiport --sports isakmp,10000
iptables -A INPUT -j ACCEPT -i $TUNDEV
iptables -A OUTPUT -j ACCEPT -d $VPNGATEWAY -p esp
iptables -A OUTPUT -j ACCEPT -d $VPNGATEWAY -p udp -m multiport --dports isakmp,10000
iptables -A OUTPUT -j ACCEPT -o $TUNDEV
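As an added example that is not from the original post, here is a small POSIX sh script that checks a vpnc configuration file before you run vpnc (the four keys above are present, and the file is not group/world readable, since the IPSec secret is the group password in clear text) and renders the firestarter rules above with the gateway taken from the same file. The config path, the tun device name and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Checks a vpnc config file
# before vpnc is run and renders the firestarter user-pre rules from it.
# Assumes the four keys shown in the post and GNU stat (Linux coreutils).

# vpnc_get FILE KEY : print the value of KEY (e.g. "IPSec gateway"), if any.
vpnc_get() {
    sed -n "s/^$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# vpnc_conf_check FILE : report problems; return 0 if usable, 1 otherwise.
vpnc_conf_check() {
    conf="$1"; status=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    for key in "IPSec gateway" "IPSec ID" "IPSec secret" "Xauth username"; do
        [ -n "$(vpnc_get "$conf" "$key")" ] || { echo "missing key: $key"; status=1; }
    done
    # The IPSec secret is the group password in clear text, so refuse a file
    # whose group or other permission digit has the read bit set (4-7).
    mode=$(stat -c %a "$conf")
    case "$mode" in
        *[4-7]|*[4-7][0-7]) echo "mode $mode too permissive; chmod 600 $conf"; status=1 ;;
    esac
    return $status
}

# vpnc_user_pre FILE [TUNDEV] : print the firestarter rules from the post with
# VPNGATEWAY taken from FILE, so the firewall and vpnc agree on the gateway.
vpnc_user_pre() {
    gw=$(vpnc_get "$1" "IPSec gateway"); dev="${2:-tun0}"
    [ -n "$gw" ] || { echo "no IPSec gateway in $1" >&2; return 1; }
    cat <<EOF
VPNGATEWAY=$gw
TUNDEV=$dev
iptables -A INPUT -j ACCEPT -s \$VPNGATEWAY -p esp
iptables -A INPUT -j ACCEPT -s \$VPNGATEWAY -p udp -m multiport --sports isakmp,10000
iptables -A INPUT -j ACCEPT -i \$TUNDEV
iptables -A OUTPUT -j ACCEPT -d \$VPNGATEWAY -p esp
iptables -A OUTPUT -j ACCEPT -d \$VPNGATEWAY -p udp -m multiport --dports isakmp,10000
iptables -A OUTPUT -j ACCEPT -o \$TUNDEV
EOF
}
```

Run `vpnc_conf_check /etc/vpnc/default.conf` before `sudo vpnc`, and `vpnc_user_pre /etc/vpnc/default.conf >> /etc/firestarter/user-pre` to append the rules.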
One more difficulty that a user may face is swapping Firefox's proxy configuration between the corporate proxy and a local (or no) proxy. I would recommend the SwitchProxy extension for making life easier.
Now you are in your VPN! Happy tunneling :-)
Disclaimer: I am neither against the Cisco VPN client nor recommending anyone to use vpnc. I personally liked the simplicity of vpnc and I have just explained its usage. I take no responsibility for the consequences of using vpnc or the actions mentioned above whatsoever.