Installing Cisco VPN and VPNC in Ubuntu

I was trying to reach my company's Oracle application and a Unix box from my laptop at home using the Cisco VPN client. I installed it and started it; it asked for my login details, and after I entered my username and password it connected to the office gateway. But when I tried to open the application I got a "page not found" error, I could not reach the Unix box, and my Internet connection stopped working too. I suspected my Firestarter firewall settings but was not sure how to fix them, so I installed VPNC, allowed it through the firewall, and connected to my office network successfully. Here are the steps I followed: first how to install and start the Cisco VPN client, then how to install VPNC. VPNC needs some details about the gateway, including its IP address. I got the IP address from the Cisco client's connection output and the rest from the .pcf profile file I downloaded from my company's website for use with the Cisco client. I also downloaded the VPN client software itself from the company website; the version I used was 4.8.

Update: if you would rather use a GUI than this command-line work, check this link.

Installing Cisco VPN:

Download the VPN client software from your company's website (a TAR file). Untar it in your home folder; it creates a folder named vpnclient and extracts all the files under it. Open a terminal and move to that folder.

cd vpnclient

You need to install the kernel headers before you install the VPN client. Check your kernel version number by typing the following command in the terminal.

uname -r

It’ll give something like 2.6.30-xx. If your kernel version is 2.6.24-xx, then see the Hardy section below for the patch.

Issue the following command in the terminal to install the kernel headers matching the running kernel:

sudo apt-get install linux-headers-`uname -r`

Once installed, the headers should be under /usr/src/linux-headers-<version>/ (with <version> being the output of uname -r).

If you are using VPN version 4.8.x and Ubuntu 9.10 and kernel version 2.6.30+

Enter the following commands in a terminal (make sure you are in the vpnclient directory). The diff is small and is fetched over plain HTTP from a personal site, so read it before applying it.

wget http://www.arun-prabha.com/images/vpnclient-linux-2.6.31-final.diff

patch < ./vpnclient-linux-2.6.31-final.diff

If you don’t have the patch program installed, then type

sudo apt-get install patch

and then try the patch command.

You then have to edit the kernel header netdevice.h so the Cisco module builds (the change drops the const from the netdev_ops pointer). The command edits the file in place under /usr/src, so back it up first if you may want to undo it. Copy and paste the command below into the terminal window (it is a single line):

sudo sed -i 's/const struct net_device_ops \*netdev_ops;/struct net_device_ops \*netdev_ops;/' $(find /usr/src -name netdevice.h)

Now build and install the VPN client with the following command.

sudo ./vpn_install

(Thanks to LAMNK for the patch information.)

If you are using VPN version 4.7, you have to apply a patch first. Download the patch from here, then apply it with the following command:

patch -p0 < vpnclient-linux-4.7.patch.txt

You don't need the 4.7 patch if you are using VPN version 4.8.

Make sure you are in the vpnclient directory and issue the following command:

make

This compiles the VPN client kernel module on your system.

Once that is successful, enter the following command in the terminal

sudo ./vpn_install

*****************************************************************

If you are using Ubuntu 8.04 Hardy Heron and your kernel version is 2.6.24.x, you may have to apply a patch before you install the VPN client. On a fresh install of Ubuntu 8.10 Intrepid Ibex you still need this patch to get the client to compile.

Important note: Read this post before you continue, if you have all the latest kernel updates in Hardy Heron.

Go to the vpnclient folder in a terminal (if you are already there, you are fine) and enter

wget http://projects.tuxx-home.at/ciscovpn/patches/vpnclient-linux-2.6.24-final.diff

Once downloaded, apply it with

patch < ./vpnclient-linux-2.6.24-final.diff

If you don’t have the patch program installed, then type

sudo apt-get install patch

and then try the patch command. Once the patch is applied, you can install the VPN client with the following command.

sudo ./vpn_install

You don't have to run the make command separately; vpn_install builds the module. For usage, continue with the steps below.

(Thanks to LAMNK for the patch information.)

*******************************************************************

For all Ubuntu versions:

This installs the VPN client. Go with the default options and press Enter whenever it asks for information. Once the installation is complete, download the <filename>.pcf file from your company. The .pcf file holds the profile information (gateway host, group name and obfuscated group password) used to connect to your company's gateway, so treat it like a credential file. Move the downloaded .pcf file to /etc/opt/cisco-vpnclient/Profiles/ (that directory is owned by root, so you need sudo):

sudo cp *.pcf /etc/opt/cisco-vpnclient/Profiles/

Start the vpn client with the following command:

sudo /etc/init.d/vpnclient_init start

Ubuntu is supposed to start the VPN service during boot, but it doesn't. I have to start it manually with the above command each time before I connect.

Once started issue the following command to connect to your company’s server:

sudo vpnclient connect <pcf filename without .pcf extension>

Replace <pcf filename without .pcf extension> with the name of your .pcf file (type the name itself, without the angle brackets). The command initiates the connection to your company's gateway and asks for a username and password. Enter your office login details and it connects. Once connected you should be able to reach your company's applications.

When I started it as above and entered my login details, I got the following output in my terminal:

Initializing the VPN connection.
Contacting the gateway at xxx.xxx.xx.xxx
Contacting the gateway at xxx.xxx.xx.xxx (balancing)
User Authentication for XXXXX…
Enter Username and Password.
Username []: xxx
Password []:
Authenticating user.
Negotiating security policies.
Securing communication channel.
Your VPN connection is secure.
VPN tunnel information.
Client address: xxx.xxx.xx.xx
Server address: xxx.xxx.xx.xxx
Encryption: 168-bit 3-DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is active on port UDP 4500
Local LAN Access is disabled

This shows that my login was authenticated and the tunnel to my company's gateway came up, yet I could not reach anything through it. My suspicion was the firewall (Firestarter) on my laptop. Update: it was Firestarter. I reinstalled Ubuntu without Firestarter, and the Cisco client worked fine and I could reach my office applications. Note also the suite the gateway negotiated above, 168-bit 3DES with HMAC-MD5: both are long deprecated, and the gateway dictates the choice, so it is something to raise with whoever runs the concentrator rather than something the client can change.

Since I wasn't sure how to get the firewall to work, I tried VPNC. VPNC is an open-source IPsec client compatible with Cisco's VPN concentrators, so it can replace the Cisco client against the same gateway. Here are the steps I followed to install VPNC and get it working.

Installing VPNC:

Enter the following command in the terminal

sudo apt-get install vpnc resolvconf

This installs vpnc. Once installed, create a <filename>.conf file in /etc/vpnc/, where <filename> is a name you choose (without the <>). Enter the following command to create a file called myoffice.conf:

sudo gedit /etc/vpnc/myoffice.conf

and copy and paste the following in that file.

IPSec gateway xxx.xxx.xx.xxx
IPSec ID <group name>
IPSec secret <group password>
Xauth username <username>

Put your company gateway's IP address under IPSec gateway; I took it from the Cisco client output above (the Server address line). The group name comes from the .pcf file from your company's website: replace <group name> with it. The group password is also in that file, on the enc_GroupPwd line, as a long string of hex characters. There are web pages with a Decode button that turn this string back into the password, but pasting it there hands your company's VPN group credential to a third party. The vpnc package ships a cisco-decrypt tool that decodes the same string offline, and vpnc can also take the undecoded string directly on an "IPSec obfuscated secret" line in place of IPSec secret. Put the result under IPSec secret in place of <group password>, enter your username for <username>, save the file, and make it readable by root only (mode 600), since it now holds the group secret in a recoverable form.

Enter this command to start vpnc

sudo vpnc myoffice (name of the conf file you created)

It asks for your password (your office login password) and, once entered, connects to your office gateway.

If you want to disconnect, issue the following command

sudo vpnc-disconnect
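The procedure above, building the vpnc config from the values in the .pcf, can be done without ever exposing the group password in cleartext. The script below is an added example written for this post; it is not the post's own code and not the pcf2vpnc script that ships with vpnc. It assumes the .pcf carries the usual Host, GroupName, enc_GroupPwd (or a cleartext GroupPwd) and Username keys, hands the obfuscated value to vpnc as an IPSec obfuscated secret, and writes the result with root-only permissions. The sample profile it runs on when called without arguments is constructed, not a real gateway.

```shell
#!/bin/sh
# Build a vpnc config from a Cisco .pcf profile without pasting the group
# secret into a web decoder.  Added example for this post; it is not the
# post's own code and not vpnc's bundled pcf2vpnc script.
#
# Assumes the .pcf carries the usual Host, GroupName, enc_GroupPwd (or a
# cleartext GroupPwd) and Username keys.  .pcf files are normally CRLF
# terminated, so carriage returns are stripped before matching.

pcf_get() {
    # $1 = .pcf path, $2 = key name; prints the first matching value
    tr -d '\r' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

pcf_to_vpnc() {
    # Prints a vpnc config for the .pcf in $1; returns 1 if a required key
    # (Host, GroupName, a group password) is missing.
    pcf="$1"
    host=$(pcf_get "$pcf" Host)
    group=$(pcf_get "$pcf" GroupName)
    enc=$(pcf_get "$pcf" enc_GroupPwd)
    clear=$(pcf_get "$pcf" GroupPwd)
    user=$(pcf_get "$pcf" Username)
    [ -n "$host" ] && [ -n "$group" ] || return 1
    printf 'IPSec gateway %s\n' "$host"
    printf 'IPSec ID %s\n' "$group"
    if [ -n "$enc" ]; then
        # vpnc decodes the obfuscated value itself, so the cleartext group
        # password never has to leave the machine.
        printf 'IPSec obfuscated secret %s\n' "$enc"
    elif [ -n "$clear" ]; then
        printf 'IPSec secret %s\n' "$clear"
    else
        return 1
    fi
    [ -n "$user" ] && printf 'Xauth username %s\n' "$user"
    return 0
}

install_vpnc_conf() {
    # $1 = .pcf path, $2 = destination such as /etc/vpnc/myoffice.conf.
    # umask 077 keeps the file owner-readable only from the moment it
    # exists, since the group secret is recoverable from it either way.
    ( umask 077 && pcf_to_vpnc "$1" > "$2" ) || { rm -f "$2"; return 1; }
    chmod 600 "$2"
}

demo() {
    # Constructed sample profile (not a real gateway or group); shows the
    # conversion end to end when the script is run without arguments.
    tmp=$(mktemp)
    printf '[main]\r\nDescription=Office\r\nHost=vpn.example.com\r\n' > "$tmp"
    printf 'AuthType=1\r\nGroupName=engineering\r\n' >> "$tmp"
    printf 'enc_GroupPwd=0123456789ABCDEF\r\nUsername=alice\r\n' >> "$tmp"
    pcf_to_vpnc "$tmp"
    rm -f "$tmp"
}

if [ "$#" -eq 2 ]; then
    install_vpnc_conf "$1" "$2"
else
    demo
fi
```

Run it as root with the profile and destination, for example `sudo sh pcf_to_vpnc.sh office.pcf /etc/vpnc/myoffice.conf`, then connect with `sudo vpnc myoffice` as above. Keys are matched anywhere in the file rather than only in the [main] section, which is fine for the profiles the Cisco client produces.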

If you have Firestarter installed, you may not be able to connect, or you may connect but not be able to reach anything. Follow the steps below to make it work:

You have to edit the user-pre file under /etc/firestarter/. First make sure it is owned and writable by root only (Firestarter runs these lines as root at startup) by issuing the command

sudo chmod 600 /etc/firestarter/user-pre

Then edit the file

sudo gedit /etc/firestarter/user-pre

Copy and paste the following lines in that file:

iptables -A INPUT -j ACCEPT -s xxx.xxx.xx.xxx -p esp
iptables -A INPUT -j ACCEPT -s xxx.xxx.xx.xxx -p udp -m multiport --sports isakmp,10000
iptables -A INPUT -j ACCEPT -i tun+
iptables -A OUTPUT -j ACCEPT -d xxx.xxx.xx.xxx -p esp
iptables -A OUTPUT -j ACCEPT -d xxx.xxx.xx.xxx -p udp -m multiport --dports isakmp,10000
iptables -A OUTPUT -j ACCEPT -o tun+

Enter your company gateway's IP address in place of xxx.xxx.xx.xxx. Save and close the file. These rules allow only ESP, IKE (UDP 500, "isakmp") and Cisco's UDP 10000 encapsulation to and from that one gateway, plus traffic on vpnc's tun interface; note that the Cisco client's own output above reports NAT passthrough on UDP 4500, which these rules do not open. Restart Firestarter using

sudo /etc/init.d/firestarter restart

Now try connecting using sudo vpnc myoffice. It should work. I didn't try the Cisco VPN client after I modified the Firestarter settings; I'll give that a try and update here. Once I disconnected from vpnc I lost Internet access and had to reboot to get it back. While connected through either the Cisco client or VPNC, the web still works.

Update: the firewall changes for vpnc did not make the Cisco VPN client work.

Thanks to popey and Ubuntu forums for the guide.

This entry was posted in Ubuntu.

69 Responses to Installing Cisco VPN and VPNC in Ubuntu

  1. Arun says:

    To be frank, I have never tried without a pcf file, nor do I possess the knowledge to create a pcf file. I hope people reading/following this post might help you.

  2. Dwight says:

    I’ve set up SSH tunnels between two Linux systems before, but now I’m trying to create a VPN to a client’s network from my Ubuntu system. They have a Cisco PIX that has been working for their Windows users, and I’ve also been able to connect when my system is running Windows. But when I try to connect from Ubuntu (using either vpnc or Cisco’s vpn client as documented here), I get a password failure.

    I don’t have a .pcf file. The admin at the client site only gave me a username and password – no group name or secret. As I mentioned, when I use the username and password from Windows I can connect, but no matter what combination I use with vpnc, it fails. I did a packet trace with wireshark, and I do see one packet being sent to the client and one coming back, so I know that I can at least pass data back and forth, and when I run vpnc with verbose debugging turned on, it tells me that the hash does not match, indicating a bad password.

    So without a .pcf, are there any thoughts on how to configure vpnc with just the username and password that he gave me? Or maybe some pointers to give the admin on how to generate a .pcf?

  3. Arun says:

    I've been using VPN for the past several months, so I'm not sure if the certificate password is the same as the group password I mentioned in the post above. Did you try entering the group password?

    Why do you use KVPNC? Why not use the Cisco VPN provided by Oracle?

  4. Vivek says:

    I have the Cisco client for my Ubuntu provided by Oracle. I am following the steps provided by Oracle to connect to their network. Using KVPNC I am being prompted to enter a certificate password. I am not sure what I need to provide here nor how to bypass this. Please help, I have spent hours going through many suggestions to connect to vpn but none working.

  5. Arun says:

    Thank you JustMe for the update.

  6. JustMe says:

    Arun wrote in his article you have to edit the user-pre file the following way:

    iptables -A INPUT -j ACCEPT -s xxx.xxx.xxx.xxx -p esp
    iptables -A INPUT -j ACCEPT -s xxx.xxx.xxx.xxx -p udp -m multiport -sports isakmp,10000
    iptables -A INPUT -j ACCEPT -i tun+
    iptables -A OUTPUT -j ACCEPT -d xxx.xxx.xxx.xxx -p esp
    iptables -A OUTPUT -j ACCEPT -d xxx.xxx.xxx.xxx -p udp -m multiport -dports isakmp,10000
    iptables -A OUTPUT -j ACCEPT -o tun+

    The parameters '-sports' and '-dports' are not supported by the iptables version Ubuntu version 8.04.1 LTS is using.

    Instead of '-sports' and '-dports' you have to use '--sport' aka '--source-port' and '--dport' aka '--destination-port'

    => http://manpages.ubuntu.com/manpages/hardy/man8/iptables.html

  7. Mohan says:

    Sorry, actually my gateway IP was wrong. After correcting it everything worked fine. The person who verified my IP was wrong.

    Anyhow, thanks for your reply.

  8. Mohan says:

    I get this error message when using vpnc –
    vpnc: no response from target

    I don’t have firestarter installed and all my configuration is correct. I’m using ubuntu 8.04 and kernel is 2.6.24-19-generic. Please help.

  9. John says:

    When I tried to run the process, I get this message. Any help on this would be appreciated.

    make[1]: Entering directory `/usr/src/linux-headers-2.6.24-19-generic'
    CC [M] /home/john/Desktop/vpnclient/linuxcniapi.o
    In file included from /home/john/Desktop/vpnclient/Cniapi.h:15,
    from /home/john/Desktop/vpnclient/linuxcniapi.c:31:
    /home/john/Desktop/vpnclient/GenDefs.h:113: error: conflicting types for 'uintptr_t'
    include/linux/types.h:40: error: previous declaration of 'uintptr_t' was here
    make[2]: *** [/home/john/Desktop/vpnclient/linuxcniapi.o] Error 1
    make[1]: *** [_module_/home/john/Desktop/vpnclient] Error 2
    make[1]: Leaving directory `/usr/src/linux-headers-2.6.24-19-generic'
    make: *** [default] Error 2
    Failed to make module "cisco_ipsec.ko".

  10. Arun says:

    I do have the same problem. I’m not sure how to fix it.

  11. jul says:

    thanks for the tips!
    I've still got one problem though: I lose my internet connection when connected to my vpn server. I tried both cisco client and vpnc, but same pb…

    Any suggestion?

    thx again

    jul

  12. Josh says:

    Wow!!
    It worked!!

    Thanks a lot.

  13. Surya says:

    Works like a charm. Thanks so much. I was struggling hard to find a solution for this problem in ubuntu :)

  14. MNott says:

    Hi Tamas,

    thanks for the help with

    vpnc --natt-mode cisco-udp your_config.conf

    That worked for me.

  15. Arun says:

    You are welcome Chris!!!

  16. Chris says:

    Arun, thanks for the help. Firestarter was keeping vpnc from working, and your sections on user-pre did the trick.

  17. kushang moorthy says:

    can someone help me with the package files.. i only have the windows installer with me not the linux one.. you can mail it to me at kushang.moorthy at gmail dot com or provide me with a link to download it.

  18. Tamas says:

    If vpnc is not working with your vpn server, try this (there are double dashes (--) before natt-mode):
    vpnc --natt-mode cisco-udp your_config.conf

  19. parkstreet1234 says:

    Cisco Please fix your half-working buggy Client to work with the PIX and Vista, I was told to use ANYCONNECT, when I only have a Pix 506e. How dare they say that to me, and give me a subtle hint to buy an ASA, that is VERY RUDE. I do want SBL, because I need to log onto the domain before I log into my PC, which requires SBL. There is a bug number bug ID CSCse47544, which I told to contact the manager LAKHDEEP who just blew me off. The TAC engineer first told me it should be fixed, then later they say it wouldn't be fixed. As you can see, calling TAC did not do me any good.

    I can not believe a company with this many PIX firewalls would be blowing us all off like this. To make matters worse they blamed Microsoft for the issue, see this post which I found on Cisco’s website…

    Start Before Logon and Microsoft Certificate with Private Key Protect Fails
    Trying to connect the VPN client using Start Before Logon (SBL) and
    Microsoft Machine-based certificates fails. This is a Microsoft issue, not a
    VPN Client problem

    Cisco, instead of taking all the energy to point the fingers at other Software vendors, why not get your programmers off their chairs and write a few lines of code? You can’t just drop everyone who bought a pix just because you came out with a new product line at the same time. If you made friends with Microsoft, instead of making an enemy perhaps they would help you out with your code writing.

    Thank all of you who posted about this, I hope Cisco management sees that we are not going to let them off the hook with this buggy production software they made. Shame on them!

    They keep saying they are going to forward my concerns to the design team, yet I hear nothing back. Only lip service from them. In fact, they tried to close my case without giving me any kind of help whatsoever. I am SO happy I bought the most expensive smartnet contract.. NOT…

    Myself and my vendor (CDW) have sent many email to this manager about the subject of the bugfix. MR. LAKHDEEP, with no email back from him. HELLO LAKHDEEP AT CISCO PLEASE RESPOND TO MY EMAILS ABOUT THE BUGS IN YOUR SOFTWARE!!!

    Wasn't there something in the support contract for Cisco that if something isn't fixed in 7 days it goes to the CEO? Yea, I am sure that is the case.. Read the small print. I was given a fix, and that fix was to go buy another firewall, an ASA.

    I was planning on buying more ASAs for my other sites, but I am now starting to seriously consider other vendors. I am sick of Cisco and their service which has gone WAY downhill since 1999.

  20. Arun says:

    You are welcome!!!

  21. Ernesto says:

    Excellent!! I was trying to use the cisco vpn client but it kept crashing my box, completely froze! After following your steps I can now connect to my office!!
    Thanks!!

  22. Arun says:

    Hi Brian,

    I found this information in the web for the vpnc error you are getting. Apparently, it’s a bug due to incompatibility between iproute and vpnc.

    Edit /usr/share/vpnc/vpn-script and replace

    sed 's/cache//;s/metric[0-9]\+ [0-9]\+//g'

    with:

    sed 's/cache//;s/metric[0-9]\+ [0-9]\+//g;s/hoplimit[ 0-9]\+//g'

    I’m not sure why Cisco didn’t work for you. It could be something to do with the version? Some versions need patches to be applied except for the most recent one.

  23. Brian says:

    Thanks for the info!

    I was getting compile errors when trying to install the cisco vpn client on Suse 10.3 with kernel 2.6.22.5-31. I followed your instructions on installing vpnc and got it working on the first try! I do get this strange error upon startup but it seems to work regardless:

    Enter password for brian@123.456.123.456:
    Error: either “to” is duplicate, or “hoplimit” is a garbage.
    VPNC started in background (pid: 23185)…

    You sure saved me a lot of time!

  24. Ky Lam Ngo says:

    BTW, chmod the cvpnd so you don’t need to run vpnclient as root:

    chmod 4111 /opt/cisco-vpnclient/bin/cvpnd

  25. Arun says:

    Thanks for the tip Ky Lam Ngo.

    Alexander, I don’t know how to solve your problem.

  26. Ky Lam Ngo says:

    To start Cisco VPN module when booting Ubuntu do the following:

    ln -s /etc/init.d/vpnclient_init /etc/rc2.d/S85vpnclient_init

    The Cisco install script creates startup script in rc5.d and rc3.d, but Ubuntu’s run level is in another level rc2.d

  27. Alexander says:

    Hi everybody,

    I tried to use vpnc and firestarter as well, but encountered the following problem. After setting up /etc/firestarter/user-pre as described above I get the following error message (when the firestarter GUI is launched):

    iptables v1.3.6: multiple -s flags not allowed
    Try `iptables -h' or 'iptables --help' for more information.

    Does anybody have an idea. Thank you very much in advance for your assistance.

    Kind regards

    Alexander

  28. Arun says:

    You are welcome TTA!!!

  29. TTA says:

    Thanks for the decode link !

  30. Arun says:

    Thank you very much Sharma for sharing the information. I really appreciate it.

  31. DP Sharma says:

    Hi Arun,

    This is what I have done by learning a little bit more of linux today. I have created a script with following lines:

    #!/bin/bash
    sudo ifconfig eth0 down
    sudo /etc/init.d/vpnclient_init start
    sudo vpnclient connect OfficeVPN

    I did this in gedit and then saved this file as OfficeVPN.sh

    Opened up terminal while in my home directory and changed file permissions, sudo chmod 755 OfficeVPN.

    Now I created a launcher on the desktop (right click, create launcher, selected application in terminal, specified the command to be sudo sh /home/dpsharma/OfficeVPN.sh. Selected suitable icon. Saved it and it creates an icon on the desktop. Dragged icon to the Gnome panel at the top (and then deleted icon from desktop to remove clutter). So now, when I start my computer, after making sure that I can surf via wireless, I press this VPN button at top panel and it does the trick. Just wanted to share just in case someone else wants an easy one click button to launch Cisco VPN.

    Thanks and keep up the good work.

  32. Arun says:

    I’m sorry Sharma, I’m not sure how to fix that.

  33. DP Sharma says:

    My laptop has a wireless and wired interface as is usual and I can not VPN unless I disable wired interface when I am home, using wireless. Further I always need to start the VPN client manually while this is supposed to start up itself as per installation script. Arun, could you advise as to what can be done to resolve these issues?

    Thanks

  34. Arun says:

    Cool. Congrats.

  35. DP Sharma says:

    OK. Problem fixed. I was using version 4.8 but still had to apply the patch and then client was installed successfully.

  36. DP Sharma says:

    Hi Arun,

    Very good work. I am trying to move from windows to linux on my home machine but need to connect to office
    via Cisco VPN. I am trying to install Cisco VPN client and am running into following problem:

    dpsharma@dpsharma-laptop:~/Desktop/vpnclient$ make
    make -C /lib/modules/2.6.20-16-generic/build SUBDIRS=/home/dpsharma/Desktop/vpnclient modules
    make[1]: Entering directory `/usr/src/linux-headers-2.6.20-16-generic’
    CC [M] /home/dpsharma/Desktop/vpnclient/linuxcniapi.o
    /home/dpsharma/Desktop/vpnclient/linuxcniapi.c:12:26: error: linux/config.h: No such file or directory
    make[2]: *** [/home/dpsharma/Desktop/vpnclient/linuxcniapi.o] Error 1

    Appreciate any guidance to fix this?

    Thanks
    make[1]: *** [_module_/home/dpsharma/Desktop/vpnclient] Error 2
    make[1]: Leaving directory `/usr/src/linux-headers-2.6.20-16-generic’
    make: *** [default] Error 2

  37. Arun says:

    I didn’t encounter the problem since I never stayed connected for more than 5-10 mins.

  38. Hans says:

    Has anyone had problems with disconnects? I start vpnc (using Steve's script) and I get a vpn connection. However, after 5-10min I lose my vpn connection (regardless if I'm working or leaving it idle) and I now cannot connect to anything. If I run vpnc-disconnect, vpnc is shut down and I get my network connection back. I can then start vpnc again. This is VERY annoying.

  39. Arun says:

    You are welcome.

  40. Bilal says:

    Wow, thanks! I was up and connected in no-time.

  41. Arun says:

    I didn’t install VPN or VPNC after I installed Feisty. I’ll give this a try sometime during this weekend or next week.
    Thanks for the tip. :-)

  42. Steve Batsford says:

    I wrote a script that tests if the vpncd is running. If it is not, then the script starts it. If it is then the script starts it.

    1. i think you need to be root
    sudo su
    password
    2. use vim to create a new file. I put it in usr/local/bin so it would be in my path:
    vim /usr/local/bin/vpn
    3. Add the following lines then save and close the file:

    #!/bin/sh
    # Toggle: disconnect if a vpnc process is running, otherwise connect.
    # pgrep -x matches the exact process name, so this script (named "vpn")
    # does not match itself the way "ps -e | grep vpn" would.
    if pgrep -x vpnc > /dev/null
    then echo "Stopping VPN"
    vpnc-disconnect
    else echo "Starting VPN"
    vpnc
    fi
    4. Make it executable for superuser:
    chmod 700 /usr/local/bin/vpn
    5. Now as superuser, whenever you run vpn if vpnc is not running it will connect your vpn. If vpnc is running it will disconnect it.

    Works very nice.

    I even added a button on my tool bar for it

  43. Arun says:

    Good to know it worked. :-)

  44. Steve Batsford says:

    Thanks for this! I did exactly what you said for vpnc, including decoding the group password and it connected and I can ping a server on my company network.
    Now I can use my Kubuntu laptop for work and home. Very cool!

  45. Pingback: Notes

  46. Pingback: L.A.M.N.K

  47. Pingback: Andy Explains It All
