- To: Antonio Cosimo Costantino <anto.costantino@xxxxxxxxx>
- Subject: Re: [SLUG] vpn problems at usyd
- From: Glen Turner <gdt@xxxxxxxxx>
- Date: Tue, 28 Aug 2007 11:43:14 +0930
- Cc: slug@xxxxxxxxxxx
- Organization: <http://www.aarnet.edu.au/~gdt/>
On Mon, 2007-08-27 at 13:50 +1000, Antonio Cosimo Costantino wrote:
> It's the first time I write here since I came here in Sydney from Italy six
> weeks ago so... let's start with a canonical (!) greeting... ciaociao
> everybody!
>
> When I started studying at usyd, the staff told us we (students) have access
> to web resources via wireless connection. It's true, except discovering a few
> weeks later we need a (cisco) vpn client and linux kernel 2.6 is not
> supported!
I run vpnc with no dramas to a Cisco VPN concentrator. Maybe using
that rather than some GUIified front end will show the issue more
readily.
A lightly edited copy of an internal wiki for using a Cisco VPN
from Linux follows:
VPN
1. INTRODUCTION
Use the virtual private network where: you wish to use internal
computing systems from outside of the Example network; you do
not have unfiltered access to the Internet and wish to run a
protocol which is being filtered; from eduroam access points
which only allow VPN connections so the eduroam provider can
limit costs.
Example uses a Cisco VPN concentrator. This requires client software
which is peculiar to Cisco's IPsec VPN implementation. Other VPN
software will not work, including PPTP, L2TP and SSL.
...
3. LINUX
There is a choice of client software: Cisco Systems and VPNC. VPNC is
simpler to install and use.
3.1 VPNC INSTALLATION
For Red Hat or Fedora have the Extras repository enabled and
# yum install vpnc
For Debian and Ubuntu have the Universe repository enabled and
# apt-get update
# apt-get install vpnc
VPNC's home page is
<http://www.unix-ag.uni-kl.de/~massar/vpnc/>
You need VPNC 0.4.0 or later. Don't even bother with earlier versions.
3.2 VPNC CONFIGURATION
Create the "Example" configuration file
# (umask 077; touch /etc/vpnc/example.conf)
then edit it to add this text
IPSec gateway ....example.edu.au
IPSec ID Example
IPSec secret ...
NAT-Keepalive packet interval 290
Rekeying interval 0
Xauth username fab
replacing fab with your username.
Similarly, create the "Example always" configuration file
# (umask 077; touch /etc/vpnc/example-always.conf)
then edit it to add this text
IPSec gateway ....example.edu.au
IPSec ID Example always
IPSec secret ...
NAT-Keepalive packet interval 290
Rekeying interval 0
Xauth username fab
again replacing fab with your username.
Most of the parameters come directly from those used to configure the
VPN endpoint and are discussed above. The rekeying interval is set to
0 to disable rekeying, as connections from laptops are not held up
long enough for discovery of the session key to be a concern. Versions
of VPNC before 0.4 had difficulty with rekeying. The NAT keep-alive
packet interval is set to 290 seconds. Most NAT boxes time out a
connection after 10 minutes of inactivity, so using a value just short
of 5 minutes presents two opportunities to re-start the NAT router's
inactivity timer for this connection.
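The following shell script is an added example and is not part of the wiki text above or of the VPNC project. It scripts the "(umask 077; touch ...)" step for a profile of the shape shown in 3.2 and then checks what matters about such a file: that it is readable only by its owner (it holds the IPsec group secret), that the keys vpnc needs are present, and that the keep-alive interval really is shorter than the 5 minutes the paragraph above reasons about. The directory, gateway, group ID, secret and username are all supplied by the caller; the constructed values in the usage line are placeholders, not real endpoints.

```shell
#!/bin/sh
# Added example, not from the original wiki: create a vpnc profile with
# restrictive permissions and sanity-check it before use.

# write_vpnc_conf DIR NAME GATEWAY ID SECRET USER
#   Creates DIR/NAME.conf with mode 0600 (umask 077 while the file is
#   created, as in the wiki), then writes the same six keys the wiki
#   profiles use. The 290 s keep-alive and 0 rekeying interval are the
#   values from the wiki text.
write_vpnc_conf() {
    dir=$1; name=$2; gw=$3; id=$4; secret=$5; user=$6
    conf="$dir/$name.conf"
    ( umask 077; touch "$conf" ) || return 1
    printf '%s\n' \
        "IPSec gateway $gw" \
        "IPSec ID $id" \
        "IPSec secret $secret" \
        "NAT-Keepalive packet interval 290" \
        "Rekeying interval 0" \
        "Xauth username $user" > "$conf"
}

# check_vpnc_conf FILE
#   Returns 0 only if FILE is mode 0600, contains every key vpnc needs to
#   connect without prompting for anything but the Xauth password, and
#   its keep-alive interval fires inside a typical 10 minute NAT timeout.
check_vpnc_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    [ "$mode" = "600" ] || { echo "mode $mode on $conf, want 600" >&2; return 1; }
    for key in "IPSec gateway" "IPSec ID" "IPSec secret" "Xauth username"; do
        grep -q "^$key " "$conf" || { echo "missing key: $key" >&2; return 1; }
    done
    ka=$(sed -n 's/^NAT-Keepalive packet interval //p' "$conf")
    [ -n "$ka" ] && [ "$ka" -lt 300 ] || { echo "keepalive '$ka' not < 300" >&2; return 1; }
    return 0
}

# Usage (placeholder values, run as root to write under /etc/vpnc):
#   write_vpnc_conf /etc/vpnc example vpn.example.invalid Example 'GROUPSECRET' fab
#   check_vpnc_conf /etc/vpnc/example.conf && vpnc example.conf
```

Running the check after every edit of the profile catches the common slip of recreating the file with a normal umask, which leaves the group secret world-readable.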
3.3 VPNC USE
Bring up the VPN with
# vpnc example.conf
Enter password for fab@xxxxxxxxxxxxxxxxxx: *********
VPNC started in background (pid: 123)...
You can check the results by looking for routes to the tun0 interface
reported by
$ route -n
or by checking the input and output counters on the tun0 interface
$ ifconfig tun0
Bring down the VPN with
# vpnc-disconnect
3.4 VPNC EXPERT USE
If you want the default route to be at the VPN endpoint then use
# vpnc example-always.conf
Enter password for fab@xxxxxxxxxxxxxxxxxx: *********
VPNC started in background (pid: 666)...
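As an added example (not from the wiki or from VPNC), the function below turns the "look for routes to tun0" check from 3.3 into something a script can act on. Fed the output of route -n it reports "down" (no tun0 route at all), "split" (tun0 routes exist but the default route is elsewhere, as with example.conf) or "full" (the default route is via tun0, as with example-always.conf). The routing table embedded in the block is constructed sample output; on a live host pipe real output in with route -n | vpn_state.

```shell
#!/bin/sh
# Added example, not from the original wiki: classify VPN state from
# "route -n" output. Columns are Destination Gateway Genmask Flags ...
# Iface, so $1 is the destination, $3 the netmask and $NF the interface.

vpn_state() {
    awk '
        $NF == "tun0" { up = 1 }
        # default route: destination 0.0.0.0 with netmask 0.0.0.0
        $NF == "tun0" && $1 == "0.0.0.0" && $3 == "0.0.0.0" { full = 1 }
        END { print full ? "full" : (up ? "split" : "down") }
    '
}

# Constructed sample of "route -n" after "vpnc example.conf": a VPN
# subnet via tun0, default route still via the local eth0 gateway.
SAMPLE_SPLIT='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.99.0.0       0.0.0.0         255.255.0.0     U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0'

# Constructed sample after "vpnc example-always.conf": default via tun0,
# only the host route to the concentrator left on eth0.
SAMPLE_FULL='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0'

# Constructed sample with no VPN at all.
SAMPLE_DOWN='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0'

# Live use:  route -n | vpn_state
```

The "full" case is worth checking deliberately: with example-always.conf every packet, not just traffic for the internal network, leaves through the concentrator, which is what you want on an eduroam or filtered network and a surprise if you picked the wrong profile.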
3.5 FAULT FINDING
Check your firewall settings. Ubuntu's firestarter (its recommended
firewall) blocks traffic from interfaces it does not know of when
configured.
"dmesg" will show errors related to the configuration of the kernel
module. "ifconfig" and "iproute" show network configuration.
"vpnc --no-detach --debug 1" will show detailed progress.
The VPN Concentrator sends messages to the Example central
syslog facility at ...