Additional Documentation
Below is a quick installation and configuration guide for the Linux Cisco VPN client. For more in depth instructions, please refer to the Cisco documentation linked below.
Before you Begin...
- This software and guide are unsupported by Computing & Information Services. This means that the installation and software have been tested by CIS, but no telephone support is available.
- The VPN client consists of a kernel module and a few command-line executables.
- The kernel module is not pre-compiled, so you will need to make sure that kernel sources for each kernel version that you are intending to use with this client are properly installed.
- To do this, find either the kernel source or kernel header RPM on your installation CD-ROMs. The most likely location is one of the RPMxx directories on one of the installation CDs. On Mandrake 9.2 it is called kernel-source-2.4.22-10mdk.i586.rpm; on Red Hat 9.0 it is called kernel-source-2.4.20-8.i386.rpm. The kernel revision numbers change, but you get the idea. Older versions of Linux may have just the kernel-header RPM.
- Install the RPM (rpm -i kernel-source-xxxxxx.rpm)
- The module is not Open Source Software, so once it is loaded into your Linux kernel the kernel will be marked as tainted and will issue a warning.
- After successfully establishing a secure connection to the server, the client will listen for packets from the VPN server on two ports, UDP 500 and UDP 4500, by default. This means you have to punch a hole in your ipchains/iptables firewall for them. The module will also use IP protocol 50 (ESP) to communicate with the VPN server; that protocol is not filtered by most Linux firewall configurations, however.
- The Cisco documentation mentions several other ports, quoting:
- UDP port 500
- UDP port 10000 and 500 (or any other port number being used for IPSec/UDP)
- IP protocol 50 (ESP)
- NAT-T port 4500 UDP
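The guide says to "punch a hole" in the firewall for UDP 500, UDP 4500 and IP protocol 50. The following script is an added example (it is not part of the McMaster page and is not Cisco's code) that generates the corresponding iptables INPUT rules but restricts them to the VPN gateway's address rather than opening the ports to everyone. The gateway address is a parameter; 130.113.69.99, the gateway shown in the connection transcript later on this page, is used only as the sample default. It assumes iptables (not ipchains) and prints the rules for review before anything is applied.

```shell
#!/bin/sh
# Added example (not from the McMaster page or from Cisco): generate iptables
# INPUT rules for the Cisco VPN client, limited to the VPN gateway's address.
# Gateway address is an assumption; 130.113.69.99 is the sample default taken
# from the page's own connection transcript.

# Print one rule per line. Nothing is applied until vpn_fw_apply is called.
vpn_fw_rules() {
    gw="${1:-130.113.69.99}"
    # Accept digits and dots only, so no stray text is ever handed to iptables.
    case "$gw" in
        '' | *[!0-9.]* | .* | *. | *..*)
            echo "vpn_fw_rules: '$gw' is not a dotted-quad address" >&2
            return 1 ;;
    esac
    # IKE on UDP 500 and NAT-T on UDP 4500, replies only from the gateway.
    for p in 500 4500; do
        echo "iptables -A INPUT -s $gw -p udp --dport $p -j ACCEPT   # UDP $p from VPN gateway"
    done
    # ESP (IP protocol 50) carries the tunnelled traffic itself.
    echo "iptables -A INPUT -s $gw -p 50 -j ACCEPT   # ESP from VPN gateway"
}

# Apply the generated rules (requires root). Review vpn_fw_rules output first.
vpn_fw_apply() {
    vpn_fw_rules "$1" | sh -e
}
```

Run `vpn_fw_rules <gateway>` to inspect the three rules, then `vpn_fw_apply <gateway>` as root to load them. Because the client always initiates the connection, no inbound rule needs to be wider than the gateway's address; if your ruleset also filters the OUTPUT chain, add matching outbound rules for the same ports and protocol.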
Installation and Configuration Commands, Step by Step
Below are step-by-step quick-start instructions. Be sure to connect to your ISP before starting.
- Become super user (root):
[user@vpnclient]$ su -
Password: {root's password}
[root@vpnclient root]#
- Change directory to /usr/src:
[root@vpnclient root]# cd /usr/src
- Download the tar ball from the University web site:
[root@localhost root]# wget http://www.mcmaster.ca/cis/network/software/vpnclient-linux.tar.gz
--23:20:09-- http://www.mcmaster.ca/cis/network/software/vpnclient-linux.tar.gz
=> `vpnclient-linux.tar.gz'
Resolving www.mcmaster.ca... done.
Connecting to www.mcmaster.ca[130.113.64.65]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,316,843 [application/x-tar]
100%[===========================================================>] 1,316,843 ETA 00:00
23:20:14 (318.15 KB/s) - `vpnclient-linux.tar.gz' saved [1316843/1316843]
- Decompress and extract it:
[root@vpnclient src]# tar xzvf vpnclient-linux.tar.gz
- Change directory to /usr/src/vpnclient:
[root@vpnclient src]# cd vpnclient
- Execute the installer script and answer the prompts:
[root@localhost vpnclient]# ./vpn_install
Cisco Systems VPN Client Version 4.6.00 (0045) Linux Installer
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
By installing this product you agree that you have read the
license.txt file (The VPN Client license) and will comply with
its terms.
Directory where binaries will be installed [/usr/local/bin]
Automatically start the VPN service at boot time [yes]
In order to build the VPN kernel module, you must have the kernel headers for the version of the kernel you are running.
For RedHat 6.x users these files are installed in /usr/src/linux by default
For RedHat 7.x users these files are installed in /usr/src/linux-2.4 by default
For Suse 7.3 users these files are installed in /usr/src/linux-2.4.10.SuSE by default
Directory containing linux kernel source code [/lib/modules/2.4.18-14/build]
Note: If the vpn installer can't find the kernel source code, you don't have it installed and the installation will fail. Refer to the instructions under "Before you begin".
* Binaries will be installed in "/usr/local/bin".
* Modules will be installed in "/lib/modules/2.4.18-14/CiscoVPN".
* The VPN service will be started AUTOMATICALLY at boot time.
* Kernel source from "/lib/modules/2.4.18-14/build" will be used to build the module.
Is the above correct [y] y
Making module
Create module directory "/lib/modules/2.4.18-14/CiscoVPN".
Copying module to directory "/lib/modules/2.4.18-14/CiscoVPN".
Creating start/stop script "/etc/init.d/vpnclient_init".
Enabling start/stop script for run level 3,4 and 5.
Creating VPN configuration file "/etc/CiscoSystemsVPNClient/vpnclient.ini".
Installing license.txt (VPN Client license) in "/etc/CiscoSystemsVPNClient/":
Installing bundled user profiles in "/etc/CiscoSystemsVPNClient/Profiles/":
* New Profiles : MacConnect McMasterVPN
Copying binaries to directory "/usr/local/bin".
Setting permissions.
/usr/local/bin/cvpnd (setuid root)
/etc/CiscoSystemsVPNClient (world writeable)
/etc/CiscoSystemsVPNClient/Profiles (world writeable)
/etc/CiscoSystemsVPNClient/Certificates (world writeable)
* You may wish to change these permissions to restrict access to root.
* You must run "/etc/init.d/vpnclient_init start" before using the client.
* This script will be run AUTOMATICALLY every time you reboot your computer.
[root@localhost vpnclient]#
- Remove the world-writable permission from the files in /etc/CiscoSystemsVPNClient:
[root@vpnclient vpnclient]# chmod -R o-w /etc/CiscoSystemsVPNClient/
- Load the VPN client's module into the running kernel:
[root@localhost vpnclient]# /etc/init.d/vpnclient_init start
Starting /usr/local/bin/vpnclient:
Warning: loading /lib/modules/2.4.18-14/CiscoVPN/cisco_ipsec will taint the kernel: no license
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Module cisco_ipsec loaded, with warnings
Done
- McMaster VPN requires a profile to connect. Two are provided, one for off campus users (McMasterVPN) and one for on campus MacConnect users (MacConnect).
- The profiles are already installed in /etc/CiscoSystemsVPNClient/Profiles/.
- To connect, enter your user name and password when prompted:
[root@localhost Profiles]# vpnclient connect McMasterVPN {or MacConnect for on Campus}
Cisco Systems VPN Client Version 4.6.00 (0045)
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i68
Config file directory: /etc/opt/cisco-vpnclient
Initializing the VPN connection.
Contacting the gateway at 130.113.69.99
User Authentication for McMasterVPN...
Enter Username and Password.
Username []: johndoe
Password []:******************
Authenticating user.
Negotiating security policies.
Securing communication channel.
McMaster Authorized Use Only!
Idle sessions are disconnected after 30 minutes of inactivity.
All sessions are disconnected after 24 hours of continuous use.
For assistance, please contact the CIS Helpline at (905)-525-9140 Ext. 24357.
Do you wish to continue? (y/n): y
Your VPN connection is secure.
VPN tunnel information.
Client address: 130.113.90.1
Server address: 130.113.69.99
Encryption: 56-bit DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is active on port UDP 4500
Local LAN Access is disabled
- You should now be connected to the McMaster network. If the connection fails, suspect your firewall first: try disabling it completely, then try the connection again. If the firewall interferes with the VPN, you will need to adjust its configuration.
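The installer leaves /etc/CiscoSystemsVPNClient and its Profiles and Certificates subdirectories world writeable, and the step above removes that bit with chmod -R o-w. The script below is an added example (not from the McMaster page or the Cisco installer) that turns that step into a repeatable check: it lists anything under the configuration directory that is still world writable, applies the same chmod, and confirms the count dropped to zero. The directory path defaults to the page's /etc/CiscoSystemsVPNClient; the scratch tree built by vpn_make_sample_tree is a constructed stand-in shaped like the installer's output so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the McMaster page or the Cisco installer): audit and
# fix world-writable entries under the VPN client's configuration directory.
# The default path is the one the page uses; any other directory can be passed.

# List world-writable files and directories under the given root, one per line.
# -perm -002 matches any entry whose "other write" bit is set.
vpn_world_writable() {
    root="${1:-/etc/CiscoSystemsVPNClient}"
    find "$root" -perm -002 -print 2>/dev/null
}

# Number of world-writable entries; a post-install check should see 0.
vpn_world_writable_count() {
    vpn_world_writable "$1" | grep -c .
}

# Strip the world-write bit exactly as the guide's chmod -R o-w does, then
# re-check. Returns non-zero if anything under the root is still open.
vpn_fix_perms() {
    root="${1:-/etc/CiscoSystemsVPNClient}"
    chmod -R o-w "$root"
    [ "$(vpn_world_writable_count "$root")" -eq 0 ]
}

# Constructed sample: a scratch tree with the same shape and the same
# world-writable directories the installer output reports. Prints its path.
vpn_make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/Profiles" "$d/Certificates"
    : > "$d/vpnclient.ini"
    : > "$d/Profiles/McMasterVPN.pcf"
    chmod 777 "$d" "$d/Profiles" "$d/Certificates"
    chmod 644 "$d/vpnclient.ini" "$d/Profiles/McMasterVPN.pcf"
    echo "$d"
}
```

On a real installation run `vpn_world_writable` as root to see the three directories the installer reports, `vpn_fix_perms` to close them, and `vpn_world_writable_count` after any later reinstall or upgrade to confirm they have not been reopened. The setuid cvpnd binary in /usr/local/bin is required by the client and is intentionally left alone here.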
Un-installing the Client
- Use the vpn_uninstall script that comes with the client (/usr/src/vpnclient/vpn_uninstall in our example) to remove the client.
==================
<Source: http://www.mcmaster.ca/cis/network/vpn/vpnclient_linux.htm >