yellowpigs.net

VPNC, Linux VPN client for Cisco VPNs

These instructions are known to work (with a few minor tweaks) on both 2.4 and 2.6 series kernels on a variety of distributions and platforms, including:

In short, they probably work on any current Linux system. If you're comfortable with your Linux system, you can probably get a working VPN with just three brief steps:

  1. Make sure you have the tun module.
  2. Install the vpnc package.
  3. Run vpnc-connect.

If you need more detailed instructions, read on.

Kernel support (tun)

You may already have the tun module loaded. Check with lsmod | grep tun (on a kernel with tun compiled in rather than built as a module, lsmod shows nothing but /dev/net/tun still works). If it is not loaded, try modprobe tun; if the module is not present at all, you'll need to install it:

To get tun for RHEL 3.0, you may need to install the kernel-unsupported package.

Check to make sure you have the device node for tun with ls -l /dev/net/tun (it should be a character device, major 10, minor 200). If not, you'll need to create the node:

Install VPN client (vpnc)

This is a user-space program which implements the client side of a Cisco-compatible IPsec VPN (group ID and group secret plus Xauth user login, as used by Cisco's VPN concentrators). It is installed in Knoppix by default and is available in Debian sarge and Ubuntu warty (run apt-get install vpnc to install it). RPMs and Debian woody backports also exist.

You can also install vpnc from source. Source is available from http://www.unix-ag.uni-kl.de/~massar/vpnc/. It depends on libgcrypt.

Configure your VPN connection

You can run vpnc-connect or vpnc with no config file; you will be prompted for configuration information interactively. However, you probably want to have a config file (/etc/vpnc/default.conf on some systems). All lines are optional; you will be prompted for any information which is excluded, so leaving out the Xauth password keeps your personal password off disk at the cost of typing it on every connect. Because the file holds the group secret (and possibly your password) in clear text, it should be owned by root and readable by nobody else (mode 0600).

Example file:

 IPSec gateway ip.of.vpn.con
 IPSec ID GROUPID
 IPSec secret GROUPPASS
 Xauth username YOURID
 Xauth password YOURPASS

ip.of.vpn.con should be replaced with the IP address (or hostname) of your VPN concentrator; GROUPID and GROUPPASS are the group name and group password issued by your VPN administrator, and YOURID and YOURPASS are your own login credentials.
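As an added example (not part of this page or the vpnc project), the following shell functions create the config file above with root-only permissions from the start and check an existing file before it is used. The gateway, group and user values are placeholders exactly as in the example; the file path is whatever you pass in (the page's /etc/vpnc/default.conf in normal use).

```shell
#!/bin/sh
# Added example, not from the original page: write a vpnc config file
# with the keys shown above, 0600 from the moment it is created, and
# sanity-check it before handing it to vpnc.

# write_vpnc_conf FILE GATEWAY GROUPID GROUPPASS USER [PASS]
# The Xauth password is optional: leave it out and vpnc prompts for it
# at connect time, so the user password never touches the disk.
# printf is a shell builtin, so the secrets do not show up in ps.
write_vpnc_conf() {
    file=$1 gw=$2 gid=$3 gpass=$4 user=$5 pass=$6
    (
        # umask 077 in a subshell: the file is born 0600 and the caller's
        # umask is left alone.
        umask 077
        {
            printf 'IPSec gateway %s\n' "$gw"
            printf 'IPSec ID %s\n' "$gid"
            printf 'IPSec secret %s\n' "$gpass"
            printf 'Xauth username %s\n' "$user"
            if [ -n "$pass" ]; then
                printf 'Xauth password %s\n' "$pass"
            fi
        } > "$file"
    )
}

# check_vpnc_conf FILE
# Returns 0 if FILE exists, is not readable by group or others, and
# carries the four keys vpnc needs to connect without prompting for
# anything except (optionally) the Xauth password.
check_vpnc_conf() {
    file=$1
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    # stat -c %a prints the octal mode, e.g. 600 (GNU coreutils).
    mode=$(stat -c %a "$file")
    case $mode in
        600|400) ;;
        *) echo "$file: mode $mode, expected 600 (it holds secrets)" >&2; return 1 ;;
    esac
    for key in 'IPSec gateway' 'IPSec ID' 'IPSec secret' 'Xauth username'; do
        grep -q "^$key " "$file" || { echo "$file: missing '$key' line" >&2; return 1; }
    done
    return 0
}
```

Typical use as root: write_vpnc_conf /etc/vpnc/default.conf ip.of.vpn.con GROUPID GROUPPASS YOURID, then check_vpnc_conf /etc/vpnc/default.conf before every connect; the check also catches a file that somebody later chmod'ed to 644.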

Connect

Recent versions of vpnc come with vpnc-connect and vpnc-disconnect scripts. Run these (as root or using sudo) to connect and disconnect.

If you do not have vpnc-connect, you'll need to use vpnc to connect and then bring up the routes manually. Put this in a script, since you'll need to execute it every time you connect:

 /usr/local/sbin/vpnc /etc/vpnc/default.conf   # path from a source install; distro packages use /usr/sbin/vpnc
 route del -net 0.0.0.0 dev eth1               # drop the old default route on the LAN interface
 # keep the concentrator reachable via the real gateway, so the encrypted traffic is not routed into the tunnel
 route add -host ip.of.vpn.con gw gateway.to.vpn.con dev eth1
 # send everything else through the tunnel; the gateway is tun0's own address ('inet addr:' skips any inet6 line)
 route add default gw `ifconfig tun0 | grep 'inet addr:' | awk '{print $2}' | cut -d : -f 2` dev tun0

You'll need to substitute in the IP of the VPN concentrator and the IP of your gateway, and replace eth1 with the name of the interface you reach the gateway through. The order matters: the host route to the concentrator must be in place before the default route is moved to tun0, or the tunnel's own packets get routed into the tunnel.

That's it! The vpnc process should now be running in the background. (Check with ps aux | grep vpnc.)

Debugging

For troubleshooting, make sure you have a network connection and can ping the IP address of the VPN concentrator before connecting. If the VPN connection is established but you still do not have network access, check your routing tables with route -n or ip route show: the default route should be on tun0, and there must still be a host route to the concentrator via your real gateway, otherwise the encrypted packets themselves are sent into the tunnel and nothing gets through. Try pinging hosts by IP as well as by hostname to determine if you have a DNS problem (e.g., if you need to change the nameservers listed in /etc/resolv.conf upon establishing a connection). If you are running a firewall or packet filter (e.g., iptables), it needs to pass IKE (UDP port 500) and the tunnel traffic (ESP, or UDP port 4500 when NAT traversal is in use) to and from the concentrator; you may need to modify it or temporarily disable it for testing, but turn it back on afterwards.
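As an added example (not from this page or the vpnc project), here is the manual connect procedure from the Connect section redone with iproute2, together with the route checks just described. It reads the current default gateway from ip route show instead of having you type it in, refuses to move the default route unless the concentrator stays reachable outside the tunnel, and can verify a routing table such as the one shown below. It assumes vpnc is in PATH and does not manage routes itself (as in the version this page describes), that the config file is /etc/vpnc/default.conf with an IP address (not a hostname) as the IPSec gateway, that vpnc creates tun0 and writes its pid to /var/run/vpnc/pid, and it records the pre-VPN gateway in /var/run/vpnc-manual.state, a file name chosen for this example. Run as root.

```shell
#!/bin/sh
# Added example, not from the original page or the vpnc project:
# manual vpnc connect/disconnect with iproute2 and a routing check.
CONF=${CONF:-/etc/vpnc/default.conf}
TUN=${TUN:-tun0}
PIDFILE=${PIDFILE:-/var/run/vpnc/pid}            # vpnc's default pid file
STATE=${STATE:-/var/run/vpnc-manual.state}       # name assumed for this example

# gateway_from_conf FILE -> prints the "IPSec gateway" value (an IP here).
gateway_from_conf() {
    awk '$1=="IPSec" && $2=="gateway" {print $3; exit}' "$1"
}

# default_route TEXT -> prints "GATEWAY DEV" parsed from `ip route show`
# output passed as text ("-" for the gateway on a gateway-less route
# such as "default dev tun0"), so it can be tested on captured output.
default_route() {
    printf '%s\n' "$1" | awk '
        $1=="default" {
            gw=""; dev=""
            for (i=2; i<=NF; i++) {
                if ($i=="via") gw=$(i+1)
                if ($i=="dev") dev=$(i+1)
            }
            if (gw=="") gw="-"
            print gw, dev; exit
        }'
}

# vpn_routes_ok TEXT CONCENTRATOR -> 0 if `ip route show` output TEXT has
# its default route on $TUN and a host route to CONCENTRATOR on some
# other interface (so the tunnel's own packets are not routed into it).
vpn_routes_ok() {
    text=$1 conc=$2
    set -- $(default_route "$text")
    [ "$2" = "$TUN" ] || { echo "default route is on ${2:-nothing}, not $TUN" >&2; return 1; }
    printf '%s\n' "$text" | awk -v c="$conc" -v t="$TUN" '
        $1==c { for (i=2; i<=NF; i++) if ($i=="dev" && $(i+1)!=t) ok=1 }
        END { exit !ok }' || { echo "no host route to $conc outside $TUN" >&2; return 1; }
}

# vpn_connect: same steps as the route(8) script on the page, in order:
# host route to the concentrator via the real gateway first, then the
# default route onto the tunnel, then verify.
vpn_connect() {
    [ -c /dev/net/tun ] || { echo "/dev/net/tun missing: modprobe tun first" >&2; return 1; }
    conc=$(gateway_from_conf "$CONF")
    set -- $(default_route "$(ip route show)")
    gw=$1 dev=$2
    [ "$gw" != "-" ] || { echo "no default gateway to reach $conc through" >&2; return 1; }
    vpnc "$CONF" || return 1
    printf '%s %s\n' "$gw" "$dev" > "$STATE"       # remembered for vpn_disconnect
    ip route replace "$conc" via "$gw" dev "$dev"
    ip route replace default dev "$TUN"
    vpn_routes_ok "$(ip route show)" "$conc"
}

# vpn_disconnect: stop vpnc (it tears tun0 down itself) and put the
# original default route back.
vpn_disconnect() {
    conc=$(gateway_from_conf "$CONF")
    [ -f "$PIDFILE" ] && kill "$(cat "$PIDFILE")"
    ip route del "$conc" 2>/dev/null
    if [ -f "$STATE" ]; then
        read gw dev < "$STATE"
        ip route replace default via "$gw" dev "$dev"
        rm -f "$STATE"
    fi
}
```

Source the file and call vpn_connect or vpn_disconnect; vpn_routes_ok can also be pointed at a saved copy of ip route show output when a connection looks up but does not pass traffic, which is the symptom the Debugging notes above describe.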

Here's what my interfaces and routes look like when I'm connected. (My IP is 192.168.0.10, the LAN gateway is 192.168.0.1, the IP of the concentrator is 10.128.250.17, and the address assigned to tun0 is 10.128.17.5.)

 $ ifconfig

 eth1      Link encap:Ethernet  HWaddr 00:30:65:16:44:AA
           inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
           inet6 addr: fe80::230:65ff:fe16:4dad/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:2455 errors:0 dropped:0 overruns:0 frame:0
           TX packets:3716 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:457690 (446.9 KiB)  TX bytes:543490 (530.7 KiB)
           Interrupt:57


 tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-0E-BA-00-00-00-00-00-00-00-00
           inet addr:10.128.17.5  P-t-P:10.128.17.5 Mask:255.255.255.255
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:10
           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

 $ route -n

 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 10.128.250.17   192.168.0.1     255.255.255.255 UGH   0      0        0 eth1
 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
 0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0

 $ ip route show

 10.128.250.17 via 192.168.0.1 dev eth1  src 192.168.0.10  mtu 1500 advmss 1460
 192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.10
 default dev tun0  scope link