Using vpnc — an open source client for Cisco VPN

Thomas R. Shemanske, Šarūnas Burdulis

July 19, 2005

Contents

1 Prerequisites
 1.1 TUN driver support
 1.2 Firewall configuration
2 Installation
3 Configuration file
4 Making a Connection
5 Disconnecting

1 Prerequisites

1.1 TUN driver support

Build your Linux kernel to include TUN/TAP device support. That is, in your kernel config file set either CONFIG_TUN=m or CONFIG_TUN=y.

Basic Information on TUN (from Linux kernel documentation):

Universal TUN/TAP device driver support (TUN)

TUN/TAP provides packet reception and transmission for user space programs. It can be viewed as a simple Point-to-Point or Ethernet device which, instead of receiving packets from a physical medium, receives them from a user space program, and instead of sending packets via a physical medium, writes them to the user space program. When a program opens /dev/net/tun, the driver creates and registers a corresponding net device tunX or tapX. After a program closes the above device, the driver will automatically delete the tunXX or tapXX device and all routes corresponding to it.

1.2 Firewall configuration

Firewalls have to allow UDP traffic on port 500 for vpnc to work. For example, the following iptables rule allows all new outgoing connections:

iptables -A OUTPUT -m state --state NEW -j ACCEPT

2 Installation

For Debian (Sarge or newer) just do as root:

# apt-get install vpnc

Source code can be downloaded from http://www.unix-ag.uni-kl.de/~massar/vpnc/. Other packages may be required, such as iproute, libc6, libgcrypt7 and libgpg-error0.

3 Configuration file

The configuration file is /etc/vpnc.conf. Create a minimal vpnc.conf for connections to the Dartmouth VPN:

Interface name tun0
IKE DH Group dh2
IPSec gateway 129.170.3.10
IPSec ID <secret>
IPSec secret <secret>
Xauth username <your DND Name here>

Note: 129.170.3.10 is just one of the hosts in the Dartmouth VPN server pool. We have to choose a host explicitly because vpnc seems to have a problem connecting to the load-balancing server vpn.dartmouth.edu.

To obtain secrets for IPSec ID and IPSec secret, go to http://www.dartmouth.edu/comp/support/library/safecomputing/defenses/network/transit/vpn/win/authen-dnd.html and look for Name and Password. You will need a Kerberos ticket to access this page.
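As an added example (not part of the original guide), a small Python checker for the vpnc.conf format shown above: it parses the "Keyword value" lines, flags required entries that are missing or still hold the <secret> placeholders, and checks that the file, which stores the group secret in clear text, is root-owned with mode 0600. It only knows the six keywords used on this page (vpnc accepts more), and the sample config with the username jdoe is constructed.

```python
import os
# Keywords from the minimal vpnc.conf above (vpnc accepts more; assumption).
KNOWN_KEYS = ("Interface name", "IKE DH Group", "IPSec gateway",
              "IPSec ID", "IPSec secret", "Xauth username")
REQUIRED_KEYS = ("IPSec gateway", "IPSec ID", "IPSec secret", "Xauth username")
PLACEHOLDERS = ("<secret>", "<your DND Name here>")

def parse_vpnc_conf(text):
    """Parse 'Keyword value' lines. Keywords contain spaces, so match the
    known keywords longest-first and take the rest of the line as the value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for key in sorted(KNOWN_KEYS, key=len, reverse=True):
            if line == key or line.startswith(key + " "):
                conf[key] = line[len(key):].strip()
                break
        else:
            raise ValueError(f"unknown vpnc.conf keyword in line {line!r}")
    return conf

def check_conf(conf):
    """Flag required keys that are absent or still hold a placeholder."""
    problems = []
    for key in REQUIRED_KEYS:
        value = conf.get(key, "")
        if not value:
            problems.append(f"missing {key}")
        elif value in PLACEHOLDERS:
            problems.append(f"{key} still holds the placeholder {value}")
    return problems

def check_perms(path):
    """The file holds the group secret in clear text: require root ownership
    and no group/other permission bits (chown root; chmod 600)."""
    st = os.stat(path)
    if st.st_uid != 0 or st.st_mode & 0o077:
        return [f"{path} must be root-owned with mode 0600"]
    return []

# Constructed sample: the page's minimal config with the username filled in.
SAMPLE = """\
IKE DH Group dh2
IPSec gateway 129.170.3.10
IPSec ID <secret>
IPSec secret <secret>
Xauth username jdoe
"""
```

Run check_conf(parse_vpnc_conf(open("/etc/vpnc.conf").read())) and check_perms("/etc/vpnc.conf") as root before the first vpnc-connect; both return an empty list when nothing is wrong.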

4 Making a Connection

# vpnc-connect

You will be prompted for your DND password.

If you are prompted for something else, that indicates a missing or incomplete configuration file. It is possible to run vpnc-connect without the config file, but you will then be prompted for all the necessary data every time.

Upon successful connection the routing table will be automatically adjusted.

Note: Some applications that were open before running vpnc-connect (e.g. some IMAP mail clients) may have to be restarted after the routing tables are rewritten.

5 Disconnecting

# vpnc-disconnect

The routing table should be restored to its initial state.