Praveen's Blog

An Eternal Quest for Incremental Improvement

Howto: Cisco 3000 VPN Gateway Connectivity on Linux - vpnc

I had to connect to a Cisco 3000 VPN gateway to establish a VPN with my office network. Cisco provides VPN clients for Microsoft Windows and RPMs for Linux. I am basically a Debian user. When I tried alien to convert the RPM into a deb file and install it, the installation succeeded, but there was some problem with the configuration files and their locations. I was too lazy to figure out what was happening, so I googled for an alternative solution. This post describes what I found and may be helpful for others as well.

The alternative to the official Cisco VPN client is an open source VPN client known as vpnc. As a first step we need to install vpnc. On Debian this can be done using the following command.

# sudo apt-get install vpnc

For other distributions supporting RPMs, you can search for this package's RPM and install it. If RPM is not supported, you can get the source tarball of vpnc and compile it. Note that libgcrypt is a mandatory dependency of vpnc. I would also suggest installing the package resolvconf, as it takes care of updating your /etc/resolv.conf when connecting to and disconnecting from the VPN.

Now you need to create the configuration file for vpnc. The default locations for the configuration file are /etc/vpnc.conf and /etc/vpnc/default.conf.

A typical vpnc configuration file should look like this.

IPSec gateway ip_address_or_host_name_of_your_vpn_gateway
IPSec ID your_group_name
IPSec secret your_group_password
Xauth username your_username

All of this information can be obtained from your netadmin. One thing to note here is that the group password you use for IPSec secret must be the plain password and not the encrypted one you see in Cisco profile files. Normally you should get the plain password from your netadmin. If you have any issues with it and end up with only the encrypted password, you can decode it here. Please don't abuse this service.

There are other optional parameters that can be present in the configuration file, such as DNSUpdate No, which stops vpnc from updating /etc/resolv.conf. For other options please look into the man page of vpnc.
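As an added example (not part of the original post), the following shell script checks a vpnc configuration file for the points made above before you run vpnc: that the four required lines are present, that the IPSec secret is not the long hex value copied from a Cisco profile file instead of the plain group password, and that the file is not readable by other users, since it holds that password. The 40-character hex threshold and the config path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a vpnc configuration
# file before running `sudo vpnc`. Verifies the four required keys, rejects a
# secret that looks like the encrypted Cisco profile value, and checks that the
# file is readable by root only.
# Usage: check_vpnc_conf /etc/vpnc/default.conf   (exit status 0 = OK, 1 = problem)

# Print the value of key "$1" from config file "$2" (rest of the first matching line).
conf_value() {
    awk -v key="$1" '
        index($0, key " ") == 1 { sub("^" key "[ \t]+", ""); print; exit }
    ' "$2"
}

check_vpnc_conf() {
    file=$1
    status=0
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    for key in "IPSec gateway" "IPSec ID" "IPSec secret" "Xauth username"; do
        if [ -z "$(conf_value "$key" "$file")" ]; then
            echo "missing required line: $key ..."
            status=1
        fi
    done
    # A Cisco profile file carries the group password as a long hex string.
    # vpnc needs the plain password, so a long all-hex secret is almost certainly
    # the wrong value (the 40-character threshold is an assumption).
    secret=$(conf_value "IPSec secret" "$file")
    case $secret in
        *[!0-9A-Fa-f]*) is_hex=0 ;;
        *)              is_hex=1 ;;
    esac
    if [ "$is_hex" -eq 1 ] && [ "${#secret}" -ge 40 ]; then
        echo "IPSec secret looks like the encrypted Cisco group password, not the plain one"
        status=1
    fi
    # The file holds a shared secret: group and other should have no permissions.
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case $mode in
        *00) ;;
        *)   echo "$file is mode $mode; make it readable by root only (chmod 600)"; status=1 ;;
    esac
    return $status
}

if [ $# -gt 0 ]; then check_vpnc_conf "$1"; fi
```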

Please note that you need the tun kernel module (or built-in tun support). If it is not already loaded, load it with the following command before invoking vpnc.

# sudo modprobe tun

Once you create a working configuration file and place it in /etc/vpnc.conf or /etc/vpnc/default.conf, you can connect to your VPN gateway using the following command.

# sudo vpnc
Enter password for your_username@your_vpn_gateway: **********

You should know what password to enter here ;-) Mostly it is the passphrase generated by your secure token card. If the authentication is successful, you will see the message announced by your VPN gateway, if any. You can also verify the connection by issuing the following command.

# /sbin/ifconfig
(Output ignored here)

In the output of this command, you will see that a tun interface is configured. You will also find that your /etc/resolv.conf file is updated, if you have opted for it, and that the routes have changed. You can verify these things as follows.

# cat /etc/resolv.conf
(Output ignored here)
# /sbin/route
(Output ignored here)

The most common problem after connecting is that the user is not able to establish a connection with any of the hosts in the VPN. This is due to firewall policies. If you are running firestarter, add the following lines to the /etc/firestarter/user-pre file. When using firestarter, the iptables service should be turned off. The firestarter inbound policy is to deny all; users can open ports as needed. Users are given a choice of two outbound policies: permissive and restrictive. I am currently using the permissive policy. Users can close ports as desired. The current firestarter version does not support VPN, but users can add iptables rules to the user-pre and user-post files.

# VPNGATEWAY stands for the address of your VPN gateway and TUNDEV for the tunnel
# interface (for example tun0); set them to your values if they are not already
# defined in the environment where these rules run.
# Inbound: ESP from the gateway, IKE (isakmp, udp/500) and Cisco UDP encapsulation
# (udp/10000) from the gateway, and anything arriving on the tunnel interface.
iptables -A INPUT -j ACCEPT -s $VPNGATEWAY -p esp
iptables -A INPUT -j ACCEPT -s $VPNGATEWAY -p udp -m multiport --sports isakmp,10000
iptables -A INPUT -j ACCEPT -i $TUNDEV
# Outbound: the same three classes of traffic towards the gateway and the tunnel.
iptables -A OUTPUT -j ACCEPT -d $VPNGATEWAY -p esp
iptables -A OUTPUT -j ACCEPT -d $VPNGATEWAY -p udp -m multiport --dports isakmp,10000
iptables -A OUTPUT -j ACCEPT -o $TUNDEV

One more difficulty a user may face is swapping the proxy configuration of Firefox between the corporate proxy and a local (or no) proxy. I would recommend the SwitchProxy extension for making life easier.

Now you are in your VPN! Happy tunneling :-)

Disclaimer: I am neither against the Cisco VPN client nor recommending anyone to use vpnc. I personally liked the simplicity of vpnc and I have just explained its usage. I take no responsibility for the consequences of using vpnc or the actions mentioned above whatsoever.