One of my customers has a VPN which I'd like to access. They provided me with a copy of the Cisco VPN Client for Linux, and a "PCF" configuration file for the client. Here's what I had to do to get the Cisco VPN Client working in Linux, and it does work just fine.
First we make a directory to put the bits and bobs in
alan@hactar:~$ mkdir cisco
alan@hactar:~$ cd cisco/
I then downloaded the Cisco VPN Client from my customer's intranet and saved it in the cisco directory I just created. I then unpacked it, which makes a directory called vpnclient and unpacks the files into it.
alan@hactar:~/cisco$ tar zxvf vpnclient-linux-4.6.02.0030-k9.tar.gz
vpnclient/
vpnclient/libvpnapi.so
vpnclient/vpnapi.h
vpnclient/cisco_cert_mgr
vpnclient/vpnclient
vpnclient/ipseclog
vpnclient/cvpnd
vpnclient/vpn_install
vpnclient/vpnclient_init
vpnclient/vpn_uninstall
vpnclient/driver_build.sh
vpnclient/sample.pcf
vpnclient/vpnclient.ini
vpnclient/license.txt
vpnclient/license.rtf
vpnclient/interceptor.c
vpnclient/linuxcniapi.c
vpnclient/linuxcniapi.h
vpnclient/vpn_ioctl_linux.h
vpnclient/IPSecDrvOS_linux.c
vpnclient/linux_os.h
vpnclient/frag.h
vpnclient/frag.c
vpnclient/GenDefs.h
vpnclient/mtu.h
vpnclient/IPSecDrvOSFunctions.h
vpnclient/IPSecDrvOS_linux.h
vpnclient/Cniapi.h
vpnclient/unixcniapi.h
vpnclient/config.h
vpnclient/libdriver.so
vpnclient/Makefile
Dive into the directory and check all the files are there:
alan@hactar:~/cisco/vpnclient$ ls -l
total 4580
-rwxr-xr-x 1 alan alan 1149812 2005-03-11 22:43 cisco_cert_mgr
-rw-r--r-- 1 alan alan   15974 2005-03-11 22:43 Cniapi.h
-rw-r--r-- 1 alan alan    4474 2005-03-11 22:43 config.h
-rwxr-xr-x 1 alan alan 1943604 2005-03-11 22:43 cvpnd
-rwxr-xr-x 1 alan alan    1430 2005-03-11 22:43 driver_build.sh
-rw-r--r-- 1 alan alan    6301 2005-03-11 22:43 frag.c
-rw-r--r-- 1 alan alan     227 2005-03-11 22:43 frag.h
-rw-r--r-- 1 alan alan    4500 2005-03-11 22:43 GenDefs.h
-rw-r--r-- 1 alan alan   21952 2005-03-11 22:43 interceptor.c
-rw-r--r-- 1 alan alan    2524 2005-03-11 22:43 IPSecDrvOSFunctions.h
-rw-r--r-- 1 alan alan    5138 2005-03-11 22:43 IPSecDrvOS_linux.c
-rw-r--r-- 1 alan alan    1249 2005-03-11 22:43 IPSecDrvOS_linux.h
-rwxr-xr-x 1 alan alan  205464 2005-03-11 22:43 ipseclog
-rwxr-xr-x 1 alan alan  516924 2005-03-11 22:43 libdriver.so
-rwxr-xr-x 1 alan alan  356756 2005-03-11 22:43 libvpnapi.so
-rw-r--r-- 1 alan alan    4449 2005-03-11 22:43 license.rtf
-rw-r--r-- 1 alan alan    4130 2005-03-11 22:43 license.txt
-rw-r--r-- 1 alan alan   16856 2005-03-11 22:43 linuxcniapi.c
-rw-r--r-- 1 alan alan    1291 2005-03-11 22:43 linuxcniapi.h
-rw-r--r-- 1 alan alan    1852 2005-03-11 22:43 linux_os.h
-rw-r--r-- 1 alan alan     908 2005-03-11 22:43 Makefile
-rw-r--r-- 1 alan alan    1926 2005-03-11 22:43 mtu.h
-rw-r--r-- 1 alan alan     349 2005-03-11 22:43 sample.pcf
-rw-r--r-- 1 alan alan     946 2005-03-11 22:43 unixcniapi.h
-rw-r--r-- 1 alan alan   24385 2005-03-11 22:43 vpnapi.h
-rwxr-xr-x 1 alan alan  263264 2005-03-11 22:43 vpnclient
-rw-r--r-- 1 alan alan     172 2005-03-11 22:43 vpnclient.ini
-rwxr-xr-x 1 alan alan    2961 2005-03-11 22:43 vpnclient_init
-rwxr-xr-x 1 alan alan   13826 2005-03-11 22:43 vpn_install
-rw-r--r-- 1 alan alan    1008 2005-03-11 22:43 vpn_ioctl_linux.h
-rwxr-xr-x 1 alan alan    5992 2005-03-11 22:43 vpn_uninstall
To make this you need the kernel headers for your current running kernel version. uname -r tells us the kernel version number:
alan@hactar:~$ uname -r
2.6.15-23-686
Using that information we can (in Ubuntu and other Debian based distributions) easily download the kernel headers with a command like this:
alan@hactar:~$ sudo apt-get install linux-headers-`uname -r`
Reading package lists... Done
Building dependency tree... Done
linux-headers-2.6.15-23-686 is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 66 not upgraded.
Looks like I already have it. Let's double check:
alan@hactar:~/cisco/vpnclient$ ls /usr/src/linux-headers-2.6.15-23-686/
arch     crypto   include  kernel    mm              scripts   usr
block    drivers  init     lib       Module.symvers  security
cluster  fs       ipc      Makefile  net             sound
That all looks sane. Now we need to patch the client because it won't compile otherwise.
Get the patch from here:
- http://www.victortrac.com/cisco_vpn_patch
Here is a direct link:
- http://www.victortrac.com/system/files/vpnclient-linux-4.7.patch.txt
Save it in the vpnclient directory, then apply it:
alan@hactar:~/cisco/vpnclient$ patch -p0 < vpnclient-linux-4.7.patch.txt
patching file linuxcniapi.c
Hunk #1 succeeded at 296 (offset 20 lines).
Hunk #2 succeeded at 311 (offset 20 lines).
Hunk #3 succeeded at 414 (offset 20 lines).
Hunk #4 succeeded at 456 (offset 20 lines).
Do a quick make to see if it compiles sanely.
alan@hactar:~/cisco/vpnclient$ make
make -C /lib/modules/2.6.15-23-686/build SUBDIRS=/home/alan/cisco/vpnclient modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.15-23-686'
  CC [M]  /home/alan/cisco/vpnclient/linuxcniapi.o
  CC [M]  /home/alan/cisco/vpnclient/frag.o
  CC [M]  /home/alan/cisco/vpnclient/IPSecDrvOS_linux.o
  CC [M]  /home/alan/cisco/vpnclient/interceptor.o
/home/alan/cisco/vpnclient/interceptor.c: In function ‘handle_vpnup’:
/home/alan/cisco/vpnclient/interceptor.c:312: warning: assignment from incompatible pointer type
/home/alan/cisco/vpnclient/interceptor.c:336: warning: assignment from incompatible pointer type
/home/alan/cisco/vpnclient/interceptor.c:337: warning: assignment from incompatible pointer type
/home/alan/cisco/vpnclient/interceptor.c: In function ‘do_cleanup’:
/home/alan/cisco/vpnclient/interceptor.c:380: warning: assignment from incompatible pointer type
  LD [M]  /home/alan/cisco/vpnclient/cisco_ipsec.o
  Building modules, stage 2.
  MODPOST
Warning: could not find /home/alan/cisco/vpnclient/.libdriver.so.cmd for /home/alan/cisco/vpnclient/libdriver.so
  CC      /home/alan/cisco/vpnclient/cisco_ipsec.mod.o
  LD [M]  /home/alan/cisco/vpnclient/cisco_ipsec.ko
make[1]: Leaving directory `/usr/src/linux-headers-2.6.15-23-686'
That looks good. Now let's do it for real with the vpn_install script supplied by Cisco.
alan@hactar:~/cisco/vpnclient$ sudo ./vpn_install
Cisco Systems VPN Client Version 4.6.02 (0030) Linux Installer
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
By installing this product you agree that you have read the
license.txt file (The VPN Client license) and will comply with
its terms.
Directory where binaries will be installed [/usr/local/bin]
Automatically start the VPN service at boot time [yes]
In order to build the VPN kernel module, you must have the
kernel headers for the version of the kernel you are running.
Directory containing linux kernel source code [/lib/modules/2.6.15-23-686/build]
* Binaries will be installed in "/usr/local/bin".
* Modules will be installed in "/lib/modules/2.6.15-23-686/CiscoVPN".
* The VPN service will be started AUTOMATICALLY at boot time.
* Kernel source from "/lib/modules/2.6.15-23-686/build" will be used to build the module.
Is the above correct [y]
Making module
make -C /lib/modules/2.6.15-23-686/build SUBDIRS=/home/alan/cisco/vpnclient modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.15-23-686'
  Building modules, stage 2.
  MODPOST
Warning: could not find /home/alan/cisco/vpnclient/.libdriver.so.cmd for /home/alan/cisco/vpnclient/libdriver.so
make[1]: Leaving directory `/usr/src/linux-headers-2.6.15-23-686'
Create module directory "/lib/modules/2.6.15-23-686/CiscoVPN".
Copying module to directory "/lib/modules/2.6.15-23-686/CiscoVPN".
Already have group 'bin'
Creating start/stop script "/etc/init.d/vpnclient_init".
    /etc/init.d/vpnclient_init
Enabling start/stop script for run level 3,4 and 5.
Creating global config /etc/opt/cisco-vpnclient
Installing license.txt (VPN Client license) in "/opt/cisco-vpnclient/":
Installing bundled user profiles in "/etc/opt/cisco-vpnclient/Profiles/":
* New Profiles : sample
Copying binaries to directory "/opt/cisco-vpnclient/bin".
Adding symlinks to "/usr/local/bin".
    /opt/cisco-vpnclient/bin/vpnclient
    /opt/cisco-vpnclient/bin/cisco_cert_mgr
    /opt/cisco-vpnclient/bin/ipseclog
Copying setuid binaries to directory "/opt/cisco-vpnclient/bin".
    /opt/cisco-vpnclient/bin/cvpnd
Copying libraries to directory "/opt/cisco-vpnclient/lib".
    /opt/cisco-vpnclient/lib/libvpnapi.so
Copying header files to directory "/opt/cisco-vpnclient/include".
    /opt/cisco-vpnclient/include/vpnapi.h
Setting permissions.
    /opt/cisco-vpnclient/bin/cvpnd (setuid root)
    /opt/cisco-vpnclient (group bin readable)
    /etc/opt/cisco-vpnclient (group bin readable)
    /etc/opt/cisco-vpnclient/Profiles (group bin readable)
    /etc/opt/cisco-vpnclient/Certificates (group bin readable)
* You may wish to change these permissions to restrict access to root.
* You must run "/etc/init.d/vpnclient_init start" before using the client.
* This script will be run AUTOMATICALLY every time you reboot your computer.
Yay! That all looks pretty good. There is a sample profile supplied with the client which lives by default in /etc/opt/cisco-vpnclient/Profiles/. Let's see:
alan@hactar:~/cisco/vpnclient$ ls /etc/opt/cisco-vpnclient/Profiles/
sample.pcf
Now I will copy the configuration file supplied by my customer to that location so the software can find it:
alan@hactar:~/cisco/vpnclient$ sudo cp *.pcf /etc/opt/cisco-vpnclient/Profiles/
Let's check they're there.
alan@hactar:~/cisco/vpnclient$ ls /etc/opt/cisco-vpnclient/Profiles/
XXX-XXX_XXX-VPN.pcf  YYY-YYY_YYY-VPN.pcf  ZZZ-ZZZ-ZZZ-1.pcf  sample.pcf
(Note I've changed the names of the files to hide some info.)
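The installer output above reports that cvpnd is installed setuid root and that the profile directories are group-readable, and suggests restricting them to root. As an added example (not part of the original post or of Cisco's scripts), these shell functions list .pcf profiles readable by group or others and setuid binaries under the install paths, and tighten the profiles on request; the function names and the ROOT prefix argument are assumptions, and it presumes the client is run via sudo as in this walkthrough.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on the Cisco VPN client install.
# Paths are taken from the vpn_install output; ROOT is an assumed prefix
# argument ("" on a live system, a scratch directory for a dry run).

PROFILE_DIR=etc/opt/cisco-vpnclient/Profiles
BIN_DIR=opt/cisco-vpnclient/bin

# Print .pcf profiles that group or other users can read.
list_exposed_profiles() {
    root=$1
    find "$root/$PROFILE_DIR" -type f -name '*.pcf' \
        \( -perm -040 -o -perm -004 \) -print 2>/dev/null | sort
}

# Print setuid binaries, so you know exactly what runs as root.
list_setuid_binaries() {
    root=$1
    find "$root/$BIN_DIR" -type f -perm -4000 -print 2>/dev/null | sort
}

# Restrict the profile directory and its .pcf files to the owner only.
restrict_profiles() {
    root=$1
    chmod 700 "$root/$PROFILE_DIR" || return 1
    find "$root/$PROFILE_DIR" -type f -name '*.pcf' -exec chmod 600 {} +
}

# Report findings; change permissions only when called with --fix.
# Returns 0 when no profile is group- or world-readable afterwards.
audit_vpn_install() {
    root=$1
    mode=$2
    exposed=$(list_exposed_profiles "$root")
    if [ -n "$exposed" ]; then
        printf 'group/world-readable profiles:\n%s\n' "$exposed"
    fi
    setuid=$(list_setuid_binaries "$root")
    if [ -n "$setuid" ]; then
        printf 'setuid binaries:\n%s\n' "$setuid"
    fi
    if [ "$mode" = "--fix" ]; then
        restrict_profiles "$root" || return 1
    fi
    [ -z "$(list_exposed_profiles "$root")" ]
}
```

On the installed system this would be called as root with an empty prefix, for example `audit_vpn_install "" --fix`.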
The next bit will be started when I reboot, but as I don't want to reboot right now I'll start it myself:
alan@hactar:~/cisco/vpnclient$ sudo /etc/init.d/vpnclient_init start
Starting /opt/cisco-vpnclient/bin/vpnclient: Done
I'll now start the client to see if it starts.
alan@hactar:~/cisco/vpnclient$ ./vpnclient
Cisco Systems VPN Client Version 4.6.02 (0030)
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.15-23-686 #1 SMP PREEMPT Tue May 23 14:03:07 UTC 2006 i686
Config file directory: /etc/opt/cisco-vpnclient
Usage:
  vpnclient connect [user ] [eraseuserpwd | pwd ] [nocertpwd]
  vpnclient disconnect
  vpnclient stat [reset] [traffic] [tunnel] [route] [repeat]
  vpnclient notify
  vpnclient verify [autoinitconfig]
  vpnclient autoinit
Now we actually start the client and connect. Note that I start the client with the word "connect" and the name of the PCF file (without the PCF extension) as a parameter.
alan@hactar:~/cisco/vpnclient$ sudo vpnclient connect XXX-XXX_XXX-VPN
Cisco Systems VPN Client Version 4.6.02 (0030)
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.15-23-686 #1 SMP PREEMPT Tue May 23 14:03:07 UTC 2006 i686
Config file directory: /etc/opt/cisco-vpnclient
Initializing the VPN connection.
Contacting the gateway at XXX.X.XX.XXX
User Authentication for XXX-XXX-XXXX-1...
Enter Username and Password.
Username [DOMAIN/username]:
Password []:
Authenticating user.
Negotiating security policies.
I then get my customer's standard welcome message and am connected.
Source: http://www.popey.com/node/62. Thanks to the author of this article.