I was trying to access my company’s Oracle Application and Unix box from my laptop at home using Cisco VPN. I installed Cisco VPN and started it. It asked for my login information and after I entered the username and password, it got connected to my office server, but when I tried to access the Application, I got an error saying page not found. I couldn’t access the Unix box and my Internet connection was also not working. It could be due to my Firestarter firewall setting, but I’m not sure how to get that to work. I then installed VPNC and set the firewall to allow access to VPNC and got connected to my office network successfully. Here are the steps I followed. I’ll tell you how to install and start Cisco VPN first and then install VPNC. VPNC needs some server information including the server IP address. I got the server IP address by starting the Cisco VPN and the rest of the information from the .pcf file (profile file) I downloaded from my company’s website to use with Cisco VPN. I also downloaded the VPN software from my company’s website and the version I used was 4.8.
Update: If you don’t want to go through this messy back-end work and would rather use a GUI, check this link.
Installing Cisco VPN:
Download the VPN software from your company’s website (TAR file). Untar it in your home folder. It’ll create a folder named vpnclient and it’ll extract all the files under that folder. Open a terminal and move to that folder.
cd vpnclient
You need to install the kernel headers before you install the VPN client. Check your kernel version number by typing the following command in the terminal.
uname -r
It’ll give something like 2.6.30-xx. If your kernel version is 2.6.24-xx, then see the Hardy section below for the patch.
Issue the following command in the terminal to install the kernel headers for the kernel you are running:
sudo apt-get install linux-headers-`uname -r`
Once installed, the header files should be under /usr/src/linux-headers-<version number>/
If you are using VPN version 4.8.x and Ubuntu 9.10 and kernel version 2.6.30+
Enter the following command in a terminal (make sure you are in the vpnclient directory)
wget http://www.arun-prabha.com/images/vpnclient-linux-2.6.31-final.diff
patch < ./vpnclient-linux-2.6.31-final.diff
If you don’t have the patch program installed, then type
sudo apt-get install patch
and then try the patch command.
You then have to edit the kernel header file netdevice.h (the command below rewrites every copy of it under /usr/src, i.e. the headers of every installed kernel). Copy and paste the command, as a single line, into the terminal window.
sudo sed -i 's/const\ struct\ net_device_ops\ \*netdev_ops;/struct\ net_device_ops\ \*netdev_ops;/' `find /usr/src -name netdevice.h`
Now compile the VPN client with the following command.
sudo ./vpn_install
(Thanks to LAMNK for the patch information.)
If you are using VPN version 4.7, you have to install a patch. Download the patch from here. Issue the following command to install the patch
patch -p0 < vpnclient-linux-4.7.patch.txt
You don’t have to use the patch if you are using VPN version 4.8.
Make sure you are in the vpnclient directory and issue the following command:
make
This will compile the vpn client in your system.
Once that is successful, enter the following command in the terminal
sudo ./vpn_install
*****************************************************************
If you are using Ubuntu 8.04 Hardy Heron and if your kernel version is 2.6.24.x, then you may have to install a patch before you install VPN. If you are using a fresh install of Ubuntu 8.10 Intrepid Ibex, you still have to install this patch to get VPN to compile.
Important note: Read this post before you continue, if you have all the latest kernel updates in Hardy Heron.
Go to the vpnclient folder in a terminal (If you are already there you are fine) and enter
wget http://projects.tuxx-home.at/ciscovpn/patches/vpnclient-linux-2.6.24-final.diff
Once downloaded, enter
patch < ./vpnclient-linux-2.6.24-final.diff
If you don’t have the patch program installed, then type
sudo apt-get install patch
and then try the patch command. Once the patch is installed, you can install VPN with the following command.
sudo ./vpn_install
You don’t have to use the make command. For usage, continue with the steps below.
(Thanks to LAMNK for the patch information.)
*******************************************************************
For all Ubuntu versions:
This will install the VPN client. Go with the default options. Press enter whenever it asks you for information. Once the installation is complete, download the <filename>.pcf file from your company. The .pcf file holds the profile information that the client needs to connect to your company’s server. Copy the downloaded .pcf file to /etc/opt/cisco-vpnclient/Profiles/ (the directory is owned by root, so the copy needs sudo) with the command
sudo cp *.pcf /etc/opt/cisco-vpnclient/Profiles/
Start the vpn client with the following command:
sudo /etc/init.d/vpnclient_init start
Ubuntu is supposed to start the VPN during the boot process, but it doesn’t do so. I have to manually start it. You have to issue the above command each time you want to start the process.
Once started issue the following command to connect to your company’s server:
sudo vpnclient connect <pcf filename without .pcf extension>
Replace <pcf filename without .pcf extension> with the filename of the .pcf file (don’t type the angle brackets < > around the filename). The above command will initiate the connection to your company’s server. It’ll ask for a username and password. Enter your office login information and it’ll then connect to the server. Once connected you should be able to access your company’s applications etc.
When I started it as above and entered my login information, I got the following information in my terminal:
Initializing the VPN connection.
Contacting the gateway at xxx.xxx.xx.xxx
Contacting the gateway at xxx.xxx.xx.xxx (balancing)
User Authentication for XXXXX…
Enter Username and Password.
Username []: xxx
Password []:
Authenticating user.
Negotiating security policies.
Securing communication channel.
Your VPN connection is secure.
VPN tunnel information.
Client address: xxx.xxx.xx.xx
Server address: xxx.xxx.xx.xxx
Encryption: 168-bit 3-DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is active on port UDP 4500
Local LAN Access is disabled
This shows that my login information was authenticated and I was connected to my company’s server, but I couldn’t access anything. My doubt is that it could be due to the firewall (Firestarter) in my laptop. Update: It is due to Firestarter. I reinstalled Ubuntu and didn’t install Firestarter. Cisco VPN worked fine and I could access my office applications.
Since I wasn’t sure how to get the firewall to work, I tried VPNC. VPNC is an alternative VPN client that works with Cisco servers. Here are the steps I followed to install VPNC and get it to work.
Installing VPNC:
Enter the following command in the terminal
sudo apt-get install vpnc resolvconf
This will install vpnc on your system. Once installed, you have to create a <filename>.conf file in /etc/vpnc/, where <filename> is the name you give (without the <>). Enter the following command to create a file called myoffice.conf
sudo gedit /etc/vpnc/myoffice.conf
and copy and paste the following in that file.
IPSec gateway xxx.xxx.xx.xxx
IPSec ID <group name>
IPSec secret <group password>
Xauth username <username>
Under IPSec gateway, enter the IP address of your company’s server. I got the IP address when I started the Cisco VPN client (see the output above; it is the Server address line). I got the group name by opening the .pcf file I downloaded from my company’s website; replace <group name> with it. I got the group password from the same file, where it is stored in encoded form as a long string of characters. Copy that string, go to this page, paste it in the password box and click the Decode button to get the password. Paste that password in place of <group password> after IPSec secret. Enter your username in place of <username>. Save the file and close it.
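The conversion from the .pcf profile to the vpnc file described above, written as a POSIX shell script. This is an added example, not code from the original post or from the vpnc project. It assumes the usual .pcf keys Host, GroupName, Username, GroupPwd and enc_GroupPwd, and the sample profile it creates uses made-up values. It does not decode enc_GroupPwd: where only the encoded form is present it leaves a placeholder for the decoded secret, and it writes the finished file with mode 600 because the file holds the group secret in clear text.

```shell
#!/bin/sh
# Added example (not from the original post or the vpnc project): turn a
# Cisco .pcf profile into the vpnc config the post builds by hand.
# Assumed .pcf keys: Host, GroupName, Username, GroupPwd, enc_GroupPwd.

# pcf_get KEY FILE: print the value of "KEY=..." (first match only).
# .pcf files are DOS text, so carriage returns are stripped.
pcf_get() {
    sed -n "s/^$1=//p" "$2" | tr -d '\r' | head -n 1
}

# pcf_to_vpnc FILE: print the vpnc config lines on stdout.
pcf_to_vpnc() {
    host=$(pcf_get Host "$1")
    group=$(pcf_get GroupName "$1")
    user=$(pcf_get Username "$1")
    plain=$(pcf_get GroupPwd "$1")
    if [ -z "$host" ] || [ -z "$group" ]; then
        echo "pcf_to_vpnc: $1 has no Host= or GroupName= line" >&2
        return 1
    fi
    # A profile normally carries only enc_GroupPwd (encoded). This script
    # does not decode it; it leaves a marker for you to replace with the
    # decoded secret. A plaintext GroupPwd, if present, is used directly.
    if [ -n "$plain" ]; then
        secret=$plain
    else
        secret='<decoded group password goes here>'
    fi
    printf 'IPSec gateway %s\n' "$host"
    printf 'IPSec ID %s\n' "$group"
    printf 'IPSec secret %s\n' "$secret"
    if [ -n "$user" ]; then
        printf 'Xauth username %s\n' "$user"
    fi
}

# write_vpnc_conf FILE OUT: write the config readable by root only, since it
# holds the group secret in clear text.
write_vpnc_conf() {
    ( umask 077 && pcf_to_vpnc "$1" > "$2" ) || return 1
    chmod 600 "$2"
}

# make_sample_pcf: create a constructed profile with made-up values
# (203.0.113.10 is a documentation address) and print its path.
make_sample_pcf() {
    f=$(mktemp)
    printf '[main]\r\nDescription=Sample office profile\r\nHost=203.0.113.10\r\nAuthType=1\r\nGroupName=office-users\r\nenc_GroupPwd=0123456789ABCDEF\r\nUsername=jdoe\r\n' > "$f"
    echo "$f"
}

# Stand-alone run: show what the sample profile turns into.
sample=$(make_sample_pcf)
pcf_to_vpnc "$sample"
rm -f "$sample"
```

To produce the real file, run write_vpnc_conf with your downloaded profile and /etc/vpnc/myoffice.conf as arguments under sudo, then replace the placeholder with the decoded password. The vpnc package also ships pcf2vpnc, which performs this conversion including the decode step; the script above is mainly useful for seeing which .pcf field feeds which vpnc line.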
Enter this command to start vpnc
sudo vpnc myoffice
(myoffice is the name of the .conf file you created, without the extension)
It’ll ask you to enter the password and once entered, it’ll connect to your office’s server.
If you want to disconnect, issue the following command
sudo vpnc-disconnect
If you have Firestarter installed, you may not be able to connect, or even if you connect, you may not be able to access the server. Follow the steps below to make it work:
You have to edit user-pre file under /etc/firestarter/. First make the file writable by issuing the command
sudo chmod 600 /etc/firestarter/user-pre
Then edit the file
sudo gedit /etc/firestarter/user-pre
Copy and paste the following lines in that file:
iptables -A INPUT -j ACCEPT -s xxx.xxx.xx.xxx -p esp
iptables -A INPUT -j ACCEPT -s xxx.xxx.xx.xxx -p udp -m multiport --sports isakmp,10000
iptables -A INPUT -j ACCEPT -i tun+
iptables -A OUTPUT -j ACCEPT -d xxx.xxx.xx.xxx -p esp
iptables -A OUTPUT -j ACCEPT -d xxx.xxx.xx.xxx -p udp -m multiport --dports isakmp,10000
iptables -A OUTPUT -j ACCEPT -o tun+
Enter your company server’s IP address in place of xxx.xxx.xx.xxx. Save and close the file. Restart the firestarter using
sudo /etc/init.d/firestarter restart
Now try connecting using sudo vpnc myoffice. It should work. I didn’t try connecting the Cisco VPN client after I modified the firestarter setting. I’ll give that a try and update here. Once I disconnected from vpnc, I wasn’t able to access my internet. I had to reboot to access the web. You can still access the web when you are connected through VPN or VPNC.
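The same user-pre rules, generated by a small POSIX shell script instead of hand-edited. This is an added example, not from the original post or from Firestarter; it assumes the rule set shown in the post and that the conntrack match is available in your kernel, and the gateway address 203.0.113.10 is a constructed documentation value. It does two things the hand-written version does not: it refuses anything that is not an IPv4 address (the value is pasted into commands run as root), and in strict mode it limits the -i tun+ INPUT rule to established/related traffic, because the open form accepts every packet that arrives through the tunnel, i.e. from any host on the office network. The port list defaults to isakmp,10000 as in the post; the Cisco client output earlier shows NAT passthrough on UDP 4500, so pass isakmp,10000,4500 if your gateway uses that.

```shell
#!/bin/sh
# Added example (not from the original post or from Firestarter): print the
# user-pre rules for a given VPN gateway, after checking the input.
# Assumes the conntrack match (-m conntrack --ctstate) is available, which it
# is on stock Ubuntu kernels.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# vpn_rules GATEWAY [open|strict] [PORTS]: print the six iptables lines.
#   open   - the rules exactly as in the post (every packet from tun+ accepted)
#   strict - inbound traffic on the tunnel limited to replies to connections
#            the laptop itself opened
# PORTS defaults to isakmp,10000 as in the post; add 4500 for NAT-T gateways.
vpn_rules() {
    gw=$1
    mode=${2:-open}
    ports=${3:-isakmp,10000}
    if ! is_ipv4 "$gw"; then
        echo "vpn_rules: '$gw' is not an IPv4 address" >&2
        return 1
    fi
    case $ports in
        *[!A-Za-z0-9,:]*)
            echo "vpn_rules: bad port list '$ports'" >&2
            return 1 ;;
    esac
    echo "iptables -A INPUT -j ACCEPT -s $gw -p esp"
    echo "iptables -A INPUT -j ACCEPT -s $gw -p udp -m multiport --sports $ports"
    if [ "$mode" = strict ]; then
        echo "iptables -A INPUT -j ACCEPT -i tun+ -m conntrack --ctstate ESTABLISHED,RELATED"
    else
        echo "iptables -A INPUT -j ACCEPT -i tun+"
    fi
    echo "iptables -A OUTPUT -j ACCEPT -d $gw -p esp"
    echo "iptables -A OUTPUT -j ACCEPT -d $gw -p udp -m multiport --dports $ports"
    echo "iptables -A OUTPUT -j ACCEPT -o tun+"
}

# Stand-alone run with a constructed gateway address (203.0.113.10 is a
# documentation address, not a real concentrator). Append the output to
# /etc/firestarter/user-pre yourself once you have checked it.
vpn_rules 203.0.113.10 strict isakmp,10000,4500
```

Run it with your gateway address, review the printed lines, and only then append them to user-pre and restart Firestarter as described above. If the office applications stop working in strict mode, something on the office side is opening connections to your laptop; switch back to open mode only after you know what that is.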
Update: The firewall changes for vpnc didn’t help to make Cisco VPN work.
Thanks to popey and Ubuntu forums for the guide.
Thank you so much for this information.
I connect to the vpn concentrator, but my session is terminated because my OS is linux. The admins say only Windows and Mac are permitted. Is there a way to make vpnc look like it is running on Windows or Mac?
I have no idea. Sorry.
I’m running Ubuntu 10.04. When I run patch vpnclient-linux-2.6.31-final.diff I receive this output. Any help would be appreciated.
Hunk #1 succeeded at 168 (offset 48 lines).
Hunk #2 FAILED at 128.
Hunk #3 FAILED at 271.
Hunk #4 FAILED at 299.
3 out of 4 hunks FAILED -- saving rejects to file interceptor.c.rej
I believe you get that error if there is a version mismatch between the version of the VPN client you are using and the patch, which is for a certain version of the client.
Hey Arun, thanks for the information…
I have installed Ubuntu 10.04 with kernel version 2.6.32-22-generic. I’m getting errors on start; can you help?
Making module
make -C /lib/modules/2.6.32-22-generic/build SUBDIRS=/home/anitha/vpnclient modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.32-22-generic'
CC [M] /home/anitha/vpnclient/linuxcniapi.o
CC [M] /home/anitha/vpnclient/frag.o
CC [M] /home/anitha/vpnclient/IPSecDrvOS_linux.o
CC [M] /home/anitha/vpnclient/interceptor.o
/home/anitha/vpnclient/interceptor.c: In function ‘interceptor_init’:
/home/anitha/vpnclient/interceptor.c:132: error: ‘struct net_device’ has no member named ‘hard_start_xmit’
/home/anitha/vpnclient/interceptor.c:133: error: ‘struct net_device’ has no member named ‘get_stats’
/home/anitha/vpnclient/interceptor.c:134: error: ‘struct net_device’ has no member named ‘do_ioctl’
/home/anitha/vpnclient/interceptor.c: In function ‘add_netdev’:
/home/anitha/vpnclient/interceptor.c:271: error: ‘struct net_device’ has no member named ‘hard_start_xmit’
/home/anitha/vpnclient/interceptor.c:272: error: ‘struct net_device’ has no member named ‘hard_start_xmit’
/home/anitha/vpnclient/interceptor.c: In function ‘remove_netdev’:
/home/anitha/vpnclient/interceptor.c:294: error: ‘struct net_device’ has no member named ‘hard_start_xmit’
make[2]: *** [/home/anitha/vpnclient/interceptor.o] Error 1
make[1]: *** [_module_/home/anitha/vpnclient] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-22-generic'
make: *** [default] Error 2
Failed to make module “cisco_ipsec.ko”.
anitha@anitha-laptop:~/vpnclient$ sudo /etc/init.d/vpnclient_init start
It might get solved if you follow the steps under “If you are using VPN version 4.8.x and Ubuntu 9.10 and kernel version 2.6.30+”. I didn’t install Cisco VPN in the new version of Ubuntu. I’m planning to use KVPNC, which is easier to configure. If you want to try that, check the link at the top of the post.
What happens when my Cisco equipment does not require an IPsec user name and password, only a group name and password?
I have had very bad experiences where VPNC won’t allow any connection unless there is a user and password.
I’m not sure how to do that.
Hi, thanks for your helpful post. I am getting stuck though: when I need to update the kernel it says the following
f3091236@f3091236-laptop:~$ sudo sed -i ’s/const\ structnet_device_ops\ \*netdev_ops;/structnet_device_ops\ \*netdev_ops;/’ `find
/usr/src -name netdevice.h`
sed: -e expression #1, char 1: unknown command: `�’
bash: /structnet_device_ops *netdev_ops: No such file or directory
bash: /usr/src: is a directory
bash: /’: No such file or directory
f3091236@f3091236-laptop:~$
I’m sure it’s something to do with copy/paste or my blog prints it differently. I’m trying to paste the command here again. Copy everything inside the “”.
"sudo sed -i 's/const\ struct\ net_device_ops\ \*netdev_ops;/struct\ net_device_ops\ \*netdev_ops;/' `find /usr/src -name netdevice.h`"
Don’t copy the start and end ".
Anyone have any ISAKMP key refresh problems with vpnc on 9.04?
vpnc used to work great on 8.10, but on 9.04, (1) the GUI does not correctly update resolv.conf, so you have to launch from the command line, and (2) ISAKMP key refresh seems not to work, so the connection drops at key refresh time.
Any advice would be much appreciated!
Cheers.
Thanks for your post, it is really helpful.
Thanks so much. VPNC works well on my Ubuntu 9.04 laptop. The Cisco Vpn client that I had installed initially always dropped the connection after a few minutes and it didn’t work with dual cores. Vpnc seems to be working fine.
Thanks Vlastikw.
After running vpnc:
If you get the error
vpnc was built without openssl: Can't do hybrid or cert mode
it is because you are probably using a copy of example.conf, which has IKE Authmode Hybrid.
The right option is
IKE Authmode psk
which is the default choice, so you can delete this row.
vpnc: response was invalid [1]: (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)
It is because of wrong authentication settings (hybrid instead of psk), so you have to change your .conf file as mentioned above.
I hope this helps.
If you try to install OpenSSL support for vpnc you get an error.
You sir, are a saint. This worked great! Nice to get away from Cisco’s VPN that crashes my system every time.
@Dwight
Probably a bit late, but on your Windows install with the Cisco client, you should be able to locate the .pcf for his network either under Program Files where the client is installed or in your Documents and Settings directory under one of the application settings directories.