Cisco VPN client under Ubuntu 6.06 (LTS) Linux

One of my customers has a VPN which I'd like to access. They provided me with a copy of the Cisco VPN client for Linux, and a "pcf" configuration file for the client. Here's what I had to do to get the Cisco VPN client working in Linux - and it does work just fine.

First we make a directory to put the bits and bobs in

alan@hactar:~$ mkdir cisco
alan@hactar:~$ cd cisco/

I then downloaded the Cisco VPN client from my customer's intranet and saved it in the cisco directory I just created. I then unpacked it, which makes a directory called vpnclient and unpacks the files into it.

alan@hactar:~/cisco$ tar zxvf vpnclient-linux-4.6.02.0030-k9.tar.gz
vpnclient/
vpnclient/libvpnapi.so
vpnclient/vpnapi.h
vpnclient/cisco_cert_mgr
vpnclient/vpnclient
vpnclient/ipseclog
vpnclient/cvpnd
vpnclient/vpn_install
vpnclient/vpnclient_init
vpnclient/vpn_uninstall
vpnclient/driver_build.sh
vpnclient/sample.pcf
vpnclient/vpnclient.ini
vpnclient/license.txt
vpnclient/license.rtf
vpnclient/interceptor.c
vpnclient/linuxcniapi.c
vpnclient/linuxcniapi.h
vpnclient/vpn_ioctl_linux.h
vpnclient/IPSecDrvOS_linux.c
vpnclient/linux_os.h
vpnclient/frag.h
vpnclient/frag.c
vpnclient/GenDefs.h
vpnclient/mtu.h
vpnclient/IPSecDrvOSFunctions.h
vpnclient/IPSecDrvOS_linux.h
vpnclient/Cniapi.h
vpnclient/unixcniapi.h
vpnclient/config.h
vpnclient/libdriver.so
vpnclient/Makefile

Dive into the directory and check all the files are there

alan@hactar:~/cisco/vpnclient$ ls -l
total 4580
-rwxr-xr-x 1 alan alan 1149812 2005-03-11 22:43 cisco_cert_mgr
-rw-r--r-- 1 alan alan   15974 2005-03-11 22:43 Cniapi.h
-rw-r--r-- 1 alan alan    4474 2005-03-11 22:43 config.h
-rwxr-xr-x 1 alan alan 1943604 2005-03-11 22:43 cvpnd
-rwxr-xr-x 1 alan alan    1430 2005-03-11 22:43 driver_build.sh
-rw-r--r-- 1 alan alan    6301 2005-03-11 22:43 frag.c
-rw-r--r-- 1 alan alan     227 2005-03-11 22:43 frag.h
-rw-r--r-- 1 alan alan    4500 2005-03-11 22:43 GenDefs.h
-rw-r--r-- 1 alan alan   21952 2005-03-11 22:43 interceptor.c
-rw-r--r-- 1 alan alan    2524 2005-03-11 22:43 IPSecDrvOSFunctions.h
-rw-r--r-- 1 alan alan    5138 2005-03-11 22:43 IPSecDrvOS_linux.c
-rw-r--r-- 1 alan alan    1249 2005-03-11 22:43 IPSecDrvOS_linux.h
-rwxr-xr-x 1 alan alan  205464 2005-03-11 22:43 ipseclog
-rwxr-xr-x 1 alan alan  516924 2005-03-11 22:43 libdriver.so
-rwxr-xr-x 1 alan alan  356756 2005-03-11 22:43 libvpnapi.so
-rw-r--r-- 1 alan alan    4449 2005-03-11 22:43 license.rtf
-rw-r--r-- 1 alan alan    4130 2005-03-11 22:43 license.txt
-rw-r--r-- 1 alan alan   16856 2005-03-11 22:43 linuxcniapi.c
-rw-r--r-- 1 alan alan    1291 2005-03-11 22:43 linuxcniapi.h
-rw-r--r-- 1 alan alan    1852 2005-03-11 22:43 linux_os.h
-rw-r--r-- 1 alan alan     908 2005-03-11 22:43 Makefile
-rw-r--r-- 1 alan alan    1926 2005-03-11 22:43 mtu.h
-rw-r--r-- 1 alan alan     349 2005-03-11 22:43 sample.pcf
-rw-r--r-- 1 alan alan     946 2005-03-11 22:43 unixcniapi.h
-rw-r--r-- 1 alan alan   24385 2005-03-11 22:43 vpnapi.h
-rwxr-xr-x 1 alan alan  263264 2005-03-11 22:43 vpnclient
-rw-r--r-- 1 alan alan     172 2005-03-11 22:43 vpnclient.ini
-rwxr-xr-x 1 alan alan    2961 2005-03-11 22:43 vpnclient_init
-rwxr-xr-x 1 alan alan   13826 2005-03-11 22:43 vpn_install
-rw-r--r-- 1 alan alan    1008 2005-03-11 22:43 vpn_ioctl_linux.h
-rwxr-xr-x 1 alan alan    5992 2005-03-11 22:43 vpn_uninstall

To make this you need the kernel headers for your current running kernel version. uname -r tells us the kernel version number:

alan@hactar:~$ uname -r
2.6.15-23-686

Using that information we can (in Ubuntu and other Debian based distributions) easily download the kernel headers with a command like this:

alan@hactar:~$ sudo apt-get install linux-headers-`uname -r`
Reading package lists... Done
Building dependency tree... Done
linux-headers-2.6.15-23-686 is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 66 not upgraded.

Looks like I already have it. Let's double check:

alan@hactar:~/cisco/vpnclient$ ls /usr/src/linux-headers-2.6.15-23-686/
arch     crypto   include  kernel    mm              scripts   usr
block    drivers  init     lib       Module.symvers  security
cluster  fs       ipc      Makefile  net             sound

That all looks sane. Now we need to patch the client because it won't compile otherwise.
Get the patch from here:

  • http://www.victortrac.com/cisco_vpn_patch

Here is a direct link:

  • http://www.victortrac.com/system/files/vpnclient-linux-4.7.patch.txt

Save it in the vpnclient directory then apply it:

alan@hactar:~/cisco/vpnclient$ patch -p0 < vpnclient-linux-4.7.patch.txt
patching file linuxcniapi.c
Hunk #1 succeeded at 296 (offset 20 lines).
Hunk #2 succeeded at 311 (offset 20 lines).
Hunk #3 succeeded at 414 (offset 20 lines).
Hunk #4 succeeded at 456 (offset 20 lines).
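
The patch is fetched over plain HTTP from a third-party site and ends up in a kernel module that is built and installed as root, so it is worth confirming which files it names before running patch. The following is an added example, not part of the original article: the function names are made up, and the allow-list of linuxcniapi.c is an assumption taken from the "patching file" output above.

```shell
#!/bin/sh
# Added example: inspect a unified diff before handing it to `patch -p0`.
# Function names and the allow-list are assumptions made for this sketch.

# Print every file name found on the "--- " / "+++ " header lines.
# A removed line whose text starts with "-- " also matches; that only
# makes the check stricter.
patch_names() {
    awk '/^(---|[+][+][+]) / { print $2 }' "$1" | grep -v '^/dev/null$' | sort -u
}

# Succeed only if each name is relative, has no ".." component and is
# on the allow-list given after the patch file.
patch_is_confined() {
    pf=$1; shift
    names=$(patch_names "$pf")
    [ -n "$names" ] || { echo "no file headers found in $pf" >&2; return 1; }
    while IFS= read -r n; do
        case "$n" in
            /*|..|../*|*/../*|*/..)
                echo "REJECT unsafe path: $n" >&2; return 1 ;;
        esac
        ok=no
        for a in "$@"; do
            if [ "$n" = "$a" ]; then ok=yes; fi
        done
        if [ "$ok" != yes ]; then
            echo "REJECT unexpected file: $n" >&2; return 1
        fi
    done <<EOF
$names
EOF
    return 0
}

# Usage in the vpnclient directory (patch's own --dry-run then shows the
# hunks without modifying anything):
#   patch_is_confined vpnclient-linux-4.7.patch.txt linuxcniapi.c &&
#       patch -p0 --dry-run < vpnclient-linux-4.7.patch.txt
```

If the check rejects the file because the old-file header uses a different name, read the headers it printed and extend the allow-list deliberately rather than skipping the check.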

Do a quick make to see if it compiles sanely.

alan@hactar:~/cisco/vpnclient$ make
make -C /lib/modules/2.6.15-23-686/build SUBDIRS=/home/alan/cisco/vpnclient modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.15-23-686'
  CC [M]  /home/alan/cisco/vpnclient/linuxcniapi.o
  CC [M]  /home/alan/cisco/vpnclient/frag.o
  CC [M]  /home/alan/cisco/vpnclient/IPSecDrvOS_linux.o
  CC [M]  /home/alan/cisco/vpnclient/interceptor.o
/home/alan/cisco/vpnclient/interceptor.c: In function ‘handle_vpnup’:
/home/alan/cisco/vpnclient/interceptor.c:312: warning: assignment from incompatible pointer type
/home/alan/cisco/vpnclient/interceptor.c:336: warning: assignment from incompatible pointer type
/home/alan/cisco/vpnclient/interceptor.c:337: warning: assignment from incompatible pointer type
/home/alan/cisco/vpnclient/interceptor.c: In function ‘do_cleanup’:
/home/alan/cisco/vpnclient/interceptor.c:380: warning: assignment from incompatible pointer type
  LD [M]  /home/alan/cisco/vpnclient/cisco_ipsec.o
  Building modules, stage 2.
  MODPOST
Warning: could not find /home/alan/cisco/vpnclient/.libdriver.so.cmd for /home/alan/cisco/vpnclient/libdriver.so
  CC      /home/alan/cisco/vpnclient/cisco_ipsec.mod.o
  LD [M]  /home/alan/cisco/vpnclient/cisco_ipsec.ko
make[1]: Leaving directory `/usr/src/linux-headers-2.6.15-23-686'

That looks good. Now let's do it for real with the vpn_install script supplied by Cisco.

alan@hactar:~/cisco/vpnclient$ sudo ./vpn_install
Cisco Systems VPN Client Version 4.6.02 (0030) Linux Installer
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
By installing this product you agree that you have read the
license.txt file (The VPN Client license) and will comply with
its terms.
Directory where binaries will be installed [/usr/local/bin]
Automatically start the VPN service at boot time [yes]
In order to build the VPN kernel module, you must have the
kernel headers for the version of the kernel you are running.
Directory containing linux kernel source code [/lib/modules/2.6.15-23-686/build]
* Binaries will be installed in "/usr/local/bin".
* Modules will be installed in "/lib/modules/2.6.15-23-686/CiscoVPN".
* The VPN service will be started AUTOMATICALLY at boot time.
* Kernel source from "/lib/modules/2.6.15-23-686/build" will be used to build the module.
Is the above correct [y]
Making module
make -C /lib/modules/2.6.15-23-686/build SUBDIRS=/home/alan/cisco/vpnclient modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.15-23-686'
  Building modules, stage 2.
  MODPOST
Warning: could not find /home/alan/cisco/vpnclient/.libdriver.so.cmd for /home/alan/cisco/vpnclient/libdriver.so
make[1]: Leaving directory `/usr/src/linux-headers-2.6.15-23-686'
Create module directory "/lib/modules/2.6.15-23-686/CiscoVPN".
Copying module to directory "/lib/modules/2.6.15-23-686/CiscoVPN".
Already have group 'bin'
Creating start/stop script "/etc/init.d/vpnclient_init".
    /etc/init.d/vpnclient_init
Enabling start/stop script for run level 3,4 and 5.
Creating global config /etc/opt/cisco-vpnclient
Installing license.txt (VPN Client license) in "/opt/cisco-vpnclient/":
Installing bundled user profiles in "/etc/opt/cisco-vpnclient/Profiles/":
* New Profiles     : sample
Copying binaries to directory "/opt/cisco-vpnclient/bin".
Adding symlinks to "/usr/local/bin".
    /opt/cisco-vpnclient/bin/vpnclient
    /opt/cisco-vpnclient/bin/cisco_cert_mgr
    /opt/cisco-vpnclient/bin/ipseclog
Copying setuid binaries to directory "/opt/cisco-vpnclient/bin".
    /opt/cisco-vpnclient/bin/cvpnd
Copying libraries to directory "/opt/cisco-vpnclient/lib".
    /opt/cisco-vpnclient/lib/libvpnapi.so
Copying header files to directory "/opt/cisco-vpnclient/include".
    /opt/cisco-vpnclient/include/vpnapi.h
Setting permissions.
    /opt/cisco-vpnclient/bin/cvpnd (setuid root)
    /opt/cisco-vpnclient (group bin readable)
    /etc/opt/cisco-vpnclient (group bin readable)
    /etc/opt/cisco-vpnclient/Profiles (group bin readable)
    /etc/opt/cisco-vpnclient/Certificates (group bin readable)
* You may wish to change these permissions to restrict access to root.
* You must run "/etc/init.d/vpnclient_init start" before using the client.
* This script will be run AUTOMATICALLY every time you reboot your computer.

Yay! That all looks pretty good. There is a sample profile supplied with the client which lives by default in /etc/opt/cisco-vpnclient/Profiles/, let's see:

alan@hactar:~/cisco/vpnclient$ ls /etc/opt/cisco-vpnclient/Profiles/
sample.pcf

Now I will copy the configuration file supplied by my customer to that location so the software can find it:

alan@hactar:~/cisco/vpnclient$ sudo cp *.pcf /etc/opt/cisco-vpnclient/Profiles/

Let's check they're there.

alan@hactar:~/cisco/vpnclient$ ls /etc/opt/cisco-vpnclient/Profiles/
XXX-XXX_XXX-VPN.pcf  YYY-YYY_YYY-VPN.pcf  ZZZ-ZZZ-ZZZ-1.pcf  sample.pcf

(Note I've changed the names of the files to hide some info.)
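
A .pcf profile carries the gateway address and group credentials, and the installer output above notes that the install paths are group readable and that cvpnd is setuid root. The following added example (not part of the original article) lists profiles that group or others can read, restricts them to their owner, and lists setuid/setgid files under the install prefix; the function names are made up, and it assumes the client is run through sudo as shown on this page.

```shell
#!/bin/sh
# Added example: find and tighten over-permissive VPN profile files.
# The default paths are the ones printed by vpn_install on this page;
# the function names are made up for this sketch.
PROFILE_DIR=${PROFILE_DIR:-/etc/opt/cisco-vpnclient/Profiles}
INSTALL_DIR=${INSTALL_DIR:-/opt/cisco-vpnclient}

# List .pcf files that group or others can read.
exposed_profiles() {
    find "${1:-$PROFILE_DIR}" -type f -name '*.pcf' \
        \( -perm -040 -o -perm -004 \) -print | sort
}

# Restrict each exposed profile to its owner (root after `sudo cp`)
# and print what was changed. Run with sudo on the real directory.
lock_profiles() {
    dir=${1:-$PROFILE_DIR}
    exposed_profiles "$dir" | while IFS= read -r f; do
        chmod 600 "$f" && echo "locked: $f"
    done
}

# List setuid/setgid files under the install prefix, so cvpnd (setuid
# root per the installer output) and anything unexpected are visible.
setid_files() {
    find "${1:-$INSTALL_DIR}" -type f \
        \( -perm -4000 -o -perm -2000 \) -print | sort
}
```
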
The next bit will be started when I reboot, but as I don't want to reboot right now I'll start it myself:

alan@hactar:~/cisco/vpnclient$ sudo /etc/init.d/vpnclient_init start
Starting /opt/cisco-vpnclient/bin/vpnclient: Done

I'll now start the client to see if it starts.

alan@hactar:~/cisco/vpnclient$ ./vpnclient
Cisco Systems VPN Client Version 4.6.02 (0030)
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.15-23-686 #1 SMP PREEMPT Tue May 23 14:03:07 UTC 2006 i686
Config file directory: /etc/opt/cisco-vpnclient
Usage:
 vpnclient connect  [user ] [eraseuserpwd | pwd ]
                             [nocertpwd]
 vpnclient disconnect
 vpnclient stat [reset] [traffic] [tunnel] [route] [repeat]
 vpnclient notify
 vpnclient verify [autoinitconfig]
 vpnclient autoinit

Now we actually start the client and connect. Note that I start the client with the word "connect" and the name of the pcf file (without the pcf extension) as a parameter.

alan@hactar:~/cisco/vpnclient$ sudo vpnclient connect XXX-XXX_XXX-VPN
Cisco Systems VPN Client Version 4.6.02 (0030)
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.15-23-686 #1 SMP PREEMPT Tue May 23 14:03:07 UTC 2006 i686
Config file directory: /etc/opt/cisco-vpnclient
Initializing the VPN connection.
Contacting the gateway at XXX.X.XX.XXX
User Authentication for XXX-XXX-XXXX-1...
Enter Username and Password.
Username [DOMAIN/username]:
Password []:
Authenticating user.
Negotiating security policies.

I then get my customer's standard welcome message and am connected.

Source: http://www.popey.com/node/62 (study notes). Thanks to the author of this article.
