Quoting "Stephen Gregory" <oclug [ at ] kernelpanic [ dot ] ca>:
On 04/10/11 04:42 PM, Michael Walma wrote:
My wife needs access applications through the Carleton University VPN.
The documentation I've seen suggests that one would use a Cisco VPN
Thanks Singer, I did exactly this and it worked just fine.
This VPN question gets asked every other year. Could you do a quick
write-up of what you did and add it to the oclug wiki? I am guessing that
the most important bit is how to get the PCF file and any Carleton-specific
stuff.
--
sg
_______________________________________________
Linux mailing list
Linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
http://oclug.on.ca/mailman/listinfo/linux
I'd be happy to do so. If someone would create an empty page in the
right place, I would populate it with the following:
1. Use your distro's package manager to install 'vpnc'.
2. Download the WindowsXP CISCO client from the website provided by
Carleton, using the username and password supplied by Carleton. The
file is a self-extracting ZIP file with an .exe extension.
3. Use 'unzip' to extract the files to a handy directory. Look for
the ".pcf" file; in my case, it was "CarletonIntranetVPN.pcf". Using
information from that file, you will need to populate the vpnc config
file. In Ubuntu Natty, that is "/etc/vpnc/default.conf". (Ubuntu
created an 'example.conf' that you can copy and edit. Other distros
may do similar or different things.) Copy the values for the fields
"Host" and "GroupName" in the .pcf file to the "IPSec gateway" and
"IPSec ID" fields of the vpnc config file. For the "Xauth username"
and "Xauth password" fields, use the information supplied to you by
Carleton, the same info as you used to download the Windows client
from the Carleton web site.
4. The "IPSec secret" field is the only slightly tricky bit. The
.pcf will include a hash of the required value in the "enc_GroupPwd"
field, but vpnc needs the unhashed value. Luckily, this hash can be
decoded easily, and there is a web page that will do it for you:
http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode
Decode the value of the "enc_GroupPwd" of the .pcf file and use that
for the "IPSec secret" field in the vpnc config file. I understand
that you can install a utility (it may even be a part of the vpnc
package) to do the decoding locally if you prefer.
5. You are good to go. Use some variant of 'sudo vpnc-connect' to
connect (root privileges are required) and 'sudo vpnc-disconnect' to
disconnect. These commands will build the connection, create the
/dev/tun0 device, modify the routing tables properly and then tear it
all down again afterward. There are also KDE and Gnome helper apps,
but I did not investigate or install them.
Caveats:
1. The tiny bit of investigation I did suggested that the routing
table changes were clever enough to keep the local subnet traffic
routed locally, but all other traffic would be routed through the vpn.
I understand that you can do more clever routing so that you could
keep, say, your web surfing, through your own connection while still
routing other traffic through the vpn, but I have not investigated this.
2. The Carleton set-up seems to use password-based authentication.
Superficial googling suggests that vpnc may not work so well if
certificate-based authentication is required. I have not investigated.
3. The command-line approach described here may wreak havoc or
otherwise not work with boxes running NetworkManager. My box
doesn't, so I don't know. Installing and using the helper apps I
alluded to might help in this respect.
4. Your mileage may vary.
Credits: I used the following general guide from Linux Planet:
http://www.linuxplanet.com/linuxplanet/tutorials/6773/1
Thanks also to Singer for the encouragement to 'just do it.'
Hoping this helps,
Michael
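Steps 3 and 4 above boil down to copying two fields from the .pcf file into
the vpnc config and filling in the decoded group password. The script below
is an added example (not from this thread, and not part of vpnc) that does the
copying mechanically: it parses the .pcf, emits the "IPSec gateway", "IPSec ID",
"IPSec secret" and "Xauth" lines in vpnc's "key value" format, and writes the
result with mode 0600, because the file holds credentials in clear text. The
sample .pcf content, hostname and group name are constructed placeholders; the
enc_GroupPwd value is not a real encoded password, so the generated "IPSec
secret" line is a visible marker for the value you get from the decoder (vpnc
ships a local one, `cisco-decrypt`). Leaving out the Xauth password makes vpnc
prompt for it at connect time instead of storing it on disk.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample .pcf, not Carleton's real file. Every value is a placeholder.
SAMPLE_PCF = """[main]
Description=Example intranet VPN
Host=vpn.example.invalid
AuthType=1
GroupName=example-group
enc_GroupPwd=0123456789ABCDEF
Username=
SaveUserPassword=0
"""

# .pcf field -> vpnc config key, as described in step 3 of the post.
PCF_TO_VPNC = {"Host": "IPSec gateway", "GroupName": "IPSec ID"}


def parse_pcf(text):
    """Parse the [main] section of a Cisco .pcf profile into a dict (key case kept)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep "GroupName" / "enc_GroupPwd" as written
    parser.read_string(text)
    if "main" not in parser:
        raise ValueError("no [main] section in .pcf file")
    return dict(parser["main"])


def build_vpnc_conf(pcf, xauth_user, xauth_password=None, ipsec_secret=None):
    """Render vpnc's default.conf from the parsed profile.

    ipsec_secret is the *decoded* group password (step 4). When it is None a
    marker line is emitted so the file cannot be used by accident with the
    still-encoded enc_GroupPwd value. When xauth_password is None the line is
    omitted and vpnc prompts for it, so the password never sits on disk.
    """
    missing = [k for k in PCF_TO_VPNC if not pcf.get(k)]
    if missing:
        raise ValueError("pcf is missing required field(s): " + ", ".join(missing))
    enc = pcf.get("enc_GroupPwd", "")
    if enc and any(c not in "0123456789abcdefABCDEF" for c in enc):
        raise ValueError("enc_GroupPwd is not a hex string")

    lines = [f"{PCF_TO_VPNC[k]} {pcf[k]}" for k in ("Host", "GroupName")]
    if ipsec_secret is None:
        # Placeholder: run `cisco-decrypt <enc_GroupPwd>` and paste the output here.
        lines.append(f"IPSec secret <decoded value of enc_GroupPwd {enc}>")
    else:
        lines.append(f"IPSec secret {ipsec_secret}")
    lines.append(f"Xauth username {xauth_user}")
    if xauth_password is not None:
        lines.append(f"Xauth password {xauth_password}")
    return "\n".join(lines) + "\n"


def write_private(path, content):
    """Create the config with mode 0600 (never world-readable) and return the mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)  # in case the file already existed with looser bits
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Generate a config from the sample profile into a temp dir; return (text, mode)."""
    pcf = parse_pcf(SAMPLE_PCF)
    conf = build_vpnc_conf(pcf, xauth_user="jdoe")  # password left out: vpnc prompts
    path = os.path.join(tempfile.mkdtemp(), "default.conf")
    mode = write_private(path, conf)
    return conf, mode


if __name__ == "__main__":
    text, mode = demo()
    print(text)
    print(f"written with mode {mode:o}")
```

Copy the generated file to /etc/vpnc/default.conf (or wherever your distro
expects it), then connect with 'sudo vpnc-connect' as in step 5.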