Tuesday, March 8, 2011

Cisco VPN Without A Cisco Client

A while ago I posted a blog outlining Cisco VPN Installation. This entry shows how to get a VPN connection up and running without that software, using vpnc instead.

Step one is to get vpnc. Most distributions seem to have a pre-built package so have a look around. For SuSE or RedHat it looks like this:
SuSE
# zypper install vpnc
RedHat
# yum install vpnc
Step two is to get a copy of your .pcf file. If you are using the Cisco VPN client, it is located under /etc/opt/cisco-vpnclient/Profiles/.pcf. It contains three important pieces of information:
  • The host you are connecting to (Host=)
  • A group name (GroupName=)
  • An encoded group password (enc_GroupPwd=)
Now, vpnc won't take an encoded password, so you will need to decrypt it first. There is a handy utility for this which should have come in your vpnc package, aptly named cisco-decrypt. If it's not included you can download it from here. To run it you will need to either cut and paste the hideously long HEX string after enc_GroupPwd= or just run the command below (it pulls the value out of the .pcf and hands it to cisco-decrypt as an argument).
# grep enc_GroupPwd name.pcf | awk -F= '{print $2}' | tr -d '\r' | xargs cisco-decrypt
Once you have this you can create a vpnc.conf file like this one
# vi /etc/vpnc/vpnc.conf
IPSec gateway host_or_ip_from_Host=
IPSec ID group_from_GroupName=
IPSec secret output_from_cisco-decrypt

e.g.
IPSec gateway 44.24.21.2
IPSec ID IPSec-Grp
IPSec secret mysecret
Xauth username myID
If you don't have a group name you should be able to use 'General' instead. You can also add Xauth username your_ID and Xauth password your_password as shown in the example. However, this file is stored in clear text (the decrypted group secret included), so it is probably best to leave the password option out and make the file readable only by root (chmod 600 /etc/vpnc/vpnc.conf). vpnc will prompt you for any values not present.
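Steps two and three can be scripted. The following is an added example, not part of the original post or of vpnc: it reads Host=, GroupName=, enc_GroupPwd= and Username= from a .pcf, runs cisco-decrypt on the encoded password, and writes a vpnc.conf that is owner-readable only, leaving the Xauth password out. The DECRYPT variable and the pcf_to_vpnc function name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): build /etc/vpnc/vpnc.conf from a
# Cisco .pcf profile. DECRYPT names the decrypter and defaults to cisco-decrypt.
DECRYPT="${DECRYPT:-cisco-decrypt}"

# Read one key from an INI-style .pcf file; .pcf files usually have CRLF endings.
pcf_get() {
    # $1 = key, $2 = .pcf file
    sed -n "s/^$1=//p" "$2" | tr -d '\r' | head -n 1
}

# Usage: pcf_to_vpnc profile.pcf /etc/vpnc/vpnc.conf
pcf_to_vpnc() {
    pcf="$1"; out="$2"
    host=$(pcf_get Host "$pcf")
    group=$(pcf_get GroupName "$pcf")
    enc=$(pcf_get enc_GroupPwd "$pcf")
    user=$(pcf_get Username "$pcf")
    [ -n "$host" ] || { echo "no Host= in $pcf" >&2; return 1; }
    [ -n "$enc" ]  || { echo "no enc_GroupPwd= in $pcf" >&2; return 1; }
    [ -n "$group" ] || group=General        # fallback named in the post
    # cisco-decrypt takes the hex blob as an argument and prints the clear secret
    secret=$("$DECRYPT" "$enc") || return 1
    # The file holds the group secret in clear text: create it owner-only from
    # the start (subshell so the caller's umask is untouched).
    ( umask 077
      {
        echo "IPSec gateway $host"
        echo "IPSec ID $group"
        echo "IPSec secret $secret"
        if [ -n "$user" ]; then echo "Xauth username $user"; fi
        # Xauth password deliberately not written; vpnc prompts for it.
      } > "$out" )
    chmod 600 "$out"    # also tightens a pre-existing file
}
```

Run as root once cisco-decrypt is installed: pcf_to_vpnc name.pcf /etc/vpnc/vpnc.conf.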

Once that is all done, you can connect and disconnect like this
# vpnc /etc/vpnc/vpnc.conf
  Enter username for _host_: _id_
  Enter password for _id_@_host_: 
  Connect Banner:
  | 
  | Secure VPN Server
  | Authorized Users Only
  | Successfully Authenticated
  | 

  VPNC started in background (pid: 7726)...

# ifconfig
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:ip  P-t-P:ip  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

When you're done
# vpnc-disconnect
Terminating vpnc daemon (pid: 7726)
Nice and simple. Since it uses built-in kernel modules, there is no more messing about with compiling, kernel versions or outdated code from Cisco.

1 comment:

  1. Michael,

    First, thanks a million for your posts on building cisco vpnclient on linux. They helped me to get it running on opensuse 11.2 (kernel 2.6.31.5 or .12) without spending inordinate time on it. (I also had to start 'cvpnd' in a script to get it running)

    Unfortunately my issue now is with getting it to run on the new kernels in opensuse 11.4 (or 11.3). I can build it successfully, but as soon as 'vpnclient connect x.pcf' is run, I lose connection with the wireless gateway (can't ping anyone). Connection with the gateway is restored immediately after the vpn connection is closed (which happens in a few minutes). Ipseclog doesn't reveal much but a security association being dropped. Also the routing table looks essentially identical to when it was working in opensuse 11.2.

    I've tried vpnc, but our cisco vpn uses certificates, no group passwords and I've never been able to connect.

    If you have any advice I'd love to hear it. Hoping to get the client running on opensuse 11.4.
