Friday, January 12, 2007

Migration to Linux - Cisco VPN Client


The Cisco VPN Client is definitely a necessary tool for most workstations. More detailed instructions can be found here. This was my install process:

Make sure I have the kernel headers:
dustin@dustino:~$ uname -r
dustin@beulah:~$ ls /usr/src/linux-headers-2.6.17-10-generic/
arch block crypto drivers firmware fs include init ipc kernel lib Makefile mm modules Module.symvers net scripts security sound usr

Looks good. (Note: the documentation linked above included patching and compiling with make; I found this unnecessary.)
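The header check above is done by hand with ls. The following is an added example, not part of the original post, that turns it into a reusable check: it looks at the same /lib/modules/<version>/build directory the installer defaults to, and distinguishes a dangling symlink (headers package not installed) from an incomplete tree. The function name, the CHECK_LIVE variable and the optional arguments are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): check that the kernel
# headers the Cisco installer builds against are present for the running
# kernel. The installer's default source directory is
# /lib/modules/<version>/build, which on Ubuntu is a symlink into
# /usr/src/linux-headers-<version>; if the headers package is missing,
# that symlink is dangling and the module build fails.
#
# Usage: check_kernel_headers [kernel_version] [modules_root]
# Both arguments default to the running kernel and /lib/modules; they are
# parameters only so the check can be exercised against a test tree.
# Returns 0 when a usable header tree is found, 1 otherwise.
check_kernel_headers() {
    kver="${1:-$(uname -r)}"
    modroot="${2:-/lib/modules}"
    build="$modroot/$kver/build"

    if [ -L "$build" ] && [ ! -e "$build" ]; then
        echo "$build is a dangling symlink: install linux-headers-$kver" >&2
        return 1
    fi
    if [ ! -d "$build" ]; then
        echo "no build directory at $build: install linux-headers-$kver" >&2
        return 1
    fi
    # A real header tree has a top-level Makefile and an include/ directory,
    # like the ls output above.
    if [ ! -f "$build/Makefile" ] || [ ! -d "$build/include" ]; then
        echo "incomplete header tree at $build" >&2
        return 1
    fi
    echo "kernel headers for $kver found at $(cd "$build" && pwd -P)"
    return 0
}

# Run against the live system only when asked, so sourcing this file has
# no side effects:  CHECK_LIVE=1 sh check_kernel_headers.sh
if [ "${CHECK_LIVE:-0}" = 1 ]; then
    check_kernel_headers
fi
```

Run it with CHECK_LIVE=1 before starting vpn_install; a non-zero exit means the "Making module" step will not get past make.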
dustin@dustino:~/cisco_vpn/vpnclient$ sudo ./vpn_install
Password:
Cisco Systems VPN Client Version 4.8.00 (0490) Linux Installer
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.

By installing this product you agree that you have read the
license.txt file (The VPN Client license) and will comply with
its terms.


Directory where binaries will be installed [/usr/local/bin]

Automatically start the VPN service at boot time [yes]

In order to build the VPN kernel module, you must have the
kernel headers for the version of the kernel you are running.


Directory containing linux kernel source code [/lib/modules/2.6.17-10-generic/build]

* Binaries will be installed in "/usr/local/bin".
* Modules will be installed in "/lib/modules/2.6.17-10-generic/CiscoVPN".
* The VPN service will be started AUTOMATICALLY at boot time.
* Kernel source from "/lib/modules/2.6.17-10-generic/build" will be used to build the module.

Is the above correct [y]

Making module
make -C /lib/modules/2.6.17-10-generic/build SUBDIRS=/home/dustin/cisco_vpn/vpnclient modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.17-10-generic'
Building modules, stage 2.
MODPOST
WARNING: /home/dustin/cisco_vpn/vpnclient/cisco_ipsec.o - Section mismatch: reference to .init.text: from .data between 'interceptor_dev' (at offset 0xb4) and 'interceptor_notifier'
WARNING: could not find /home/dustin/cisco_vpn/vpnclient/.libdriver.so.cmd for /home/dustin/cisco_vpn/vpnclient/libdriver.so
make[1]: Leaving directory `/usr/src/linux-headers-2.6.17-10-generic'
Create module directory "/lib/modules/2.6.17-10-generic/CiscoVPN".
Copying module to directory "/lib/modules/2.6.17-10-generic/CiscoVPN".
Already have group 'bin'

Creating start/stop script "/etc/init.d/vpnclient_init".
/etc/init.d/vpnclient_init
Enabling start/stop script for run level 3,4 and 5.
Creating global config /etc/opt/cisco-vpnclient

Installing license.txt (VPN Client license) in "/opt/cisco-vpnclient/":

Installing bundled user profiles in "/etc/opt/cisco-vpnclient/Profiles/":
* New Profiles : sample

Copying binaries to directory "/opt/cisco-vpnclient/bin".
Adding symlinks to "/usr/local/bin".
/opt/cisco-vpnclient/bin/vpnclient
/opt/cisco-vpnclient/bin/cisco_cert_mgr
/opt/cisco-vpnclient/bin/ipseclog
Copying setuid binaries to directory "/opt/cisco-vpnclient/bin".
/opt/cisco-vpnclient/bin/cvpnd
Copying libraries to directory "/opt/cisco-vpnclient/lib".
/opt/cisco-vpnclient/lib/libvpnapi.so
Copying header files to directory "/opt/cisco-vpnclient/include".
/opt/cisco-vpnclient/include/vpnapi.h

Setting permissions.
/opt/cisco-vpnclient/bin/cvpnd (setuid root)
/opt/cisco-vpnclient (group bin readable)
/etc/opt/cisco-vpnclient (group bin readable)
/etc/opt/cisco-vpnclient/Profiles (group bin readable)
/etc/opt/cisco-vpnclient/Certificates (group bin readable)
* You may wish to change these permissions to restrict access to root.
* You must run "/etc/init.d/vpnclient_init start" before using the client.
* This script will be run AUTOMATICALLY every time you reboot your computer.

Sometimes a manual start of the VPN kernel module is required, as this error shows:

Could not attach to driver. Is kernel module loaded?
The application was unable to communicate with the VPN sub-system.

dustin@dustino:~$ /etc/init.d/vpnclient_init start

Next, I copied my existing PCF files into:

/etc/opt/cisco-vpnclient/Profiles

Then modified permissions on each PCF file:
dustin@dustino:~$ chmod o+rw /etc/opt/cisco-vpnclient/Profiles/*

That's it; now I can establish a tunnel:
dustin@dustino:~$ sudo /usr/local/bin/vpnclient connect work_vpn

Now, what if you want to create a new profile? First copy an existing .pcf file, then edit it:
[main]
Description=
Host=VPN.NET
AuthType=1
GroupName=VPNGROUP
GroupPwd=
enc_GroupPwd=C475174D2582A73B30FB9F647285460BE94339E0AFDD9ADC06F1504284521FE34B723FC29D7C0955F82DBA2152DB5F06D854CB12A0F56B4D

Modify the Host and GroupName, clear the encrypted password after "enc_GroupPwd=", and put the new group password after "GroupPwd=". Like so:
[main]
Description=
Host=TEST.VPN.NET
AuthType=1
GroupName=VPNTESTGROUP
GroupPwd=NEWPASS
enc_GroupPwd=

Now, connect using the new profile:
dustin@beulah:~$ sudo /usr/local/bin/vpnclient connect test

Then disconnect and check the profile. Notice that the group password has now been encrypted into enc_GroupPwd:
[main]
Description=
Host=TEST.VPN.NET
AuthType=1
GroupName=VPNTESTGROUP
GroupPwd=NEWPASS
enc_GroupPwd=xxxxx
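The profile edit above is the same four-key change every time, so here is an added example, not from the original post, that scripts it: copy a template .pcf, set Host and GroupName, put the new group password in GroupPwd and blank enc_GroupPwd so the client re-encrypts it on the first connect. It also handles .pcf files with Windows line endings. One deliberate difference from the post: instead of chmod o+rw, the new file is created mode 0640, following the installer's own advice to restrict access; the function name make_profile, the PROFILE_DIR variable and that mode are my assumptions, while the Profiles directory and key names come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): create a new Cisco VPN
# Client profile from an existing .pcf template. The profile directory
# and key names (Host, GroupName, GroupPwd, enc_GroupPwd) are those shown
# in the post; the 0640 mode is my choice, following the installer's
# note about restricting access, rather than the post's o+rw.

PROFILE_DIR="${PROFILE_DIR:-/etc/opt/cisco-vpnclient/Profiles}"

# Usage: make_profile <template.pcf> <newname> <host> <group> [grouppwd]
# If the group password is omitted it is read from stdin, so it does not
# have to appear on the command line (and in the process list).
# Writes $PROFILE_DIR/<newname>.pcf and refuses to overwrite an existing one.
make_profile() {
    template="$1" name="$2" host="$3" group="$4" gpwd="${5:-}"
    out="$PROFILE_DIR/$name.pcf"

    if [ ! -f "$template" ]; then
        echo "template not found: $template" >&2
        return 1
    fi
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing profile: $out" >&2
        return 1
    fi
    if [ -z "$gpwd" ]; then
        printf 'Group password for %s: ' "$group" >&2
        IFS= read -r gpwd
    fi

    # Create the file unreadable to others from the start; the values are
    # passed through the environment rather than awk -v so that backslashes
    # in a password are not reinterpreted by awk.
    umask 077
    PCF_HOST="$host" PCF_GROUP="$group" PCF_GPWD="$gpwd" awk '
        { sub(/\r$/, "") }                       # tolerate CRLF files copied from Windows
        /^Host=/         { print "Host=" ENVIRON["PCF_HOST"]; next }
        /^GroupName=/    { print "GroupName=" ENVIRON["PCF_GROUP"]; next }
        /^GroupPwd=/     { print "GroupPwd=" ENVIRON["PCF_GPWD"]; next }
        /^enc_GroupPwd=/ { print "enc_GroupPwd="; next }   # cleared: client re-encrypts on connect
        { print }                                # every other line copied as-is
    ' "$template" > "$out" || { rm -f "$out"; return 1; }

    chmod 0640 "$out"
    echo "wrote $out"
}
```

Run as root it produces a file only root and the file's group can read; the installer already leaves the Profiles directory group-bin readable, so chgrp bin on the new file matches that layout. After the first successful connect, re-check the file as the post does to confirm enc_GroupPwd has been filled in.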
