
Re: [OCLUG-Tech] CarletonU VPN?

I have found two issues with vpnc, and they seem to be:

1) the certificate mode isn't fully operable with the Cisco VPN client

2) if the Cisco VPN client is also using RSA Token for authentication, it
has something called the 'Next Token Mode'. This mode is used to initialise
tokens, create PINs, and resync tokens.  This is not at all available with
the Cisco VPN client.

S

On Wed, Oct 5, 2011 at 11:50, Michael Walma <michael [ at ] walma [ dot ] org> wrote:

> Quoting "Stephen Gregory" <oclug [ at ] kernelpanic [ dot ] ca>:
>
> > On 04/10/11 04:42 PM, Michael Walma wrote:
> >
> >>> My wife needs access to applications through the Carleton University VPN.
> >>> The documentation I've seen suggests that one would use a Cisco VPN
> >
> >> Thanks Singer, I did exactly this and it worked just fine.
> >
> > This VPN question gets asked every other year. Could you do a quick
> > write up of what you did and add it to oclug wiki? I am guessing that
> > most important bit is how to get the PCF file and any Carleton specific
> > stuff.
> >
> > --
> > sg
> > _______________________________________________
> > Linux mailing list
> > Linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
> > http://oclug.on.ca/mailman/listinfo/linux
> >
>
> I'd be happy to do so, if someone would create an empty page in the
> right place, I would populate it, with the following:
>
> 1.  Use your distro's package manager to install 'vpnc'.
>
> 2.  Download the WindowsXP CISCO client from the website provided by
> Carleton, using the username and password supplied by Carleton.  The
> file is a self-extracting ZIP file with an .exe extension.
>
> 3.  Use 'unzip' to extract the files to a handy directory.  Look for
> the ".pcf" file, in my case, it was "CarletonIntranetVPN.pcf".  Using
> information from that file, you will need to populate the vpnc config
> file.  In Ubuntu Natty, that is "/etc/vpnc/default.conf". (Ubuntu
> created an 'example.conf' that you can copy and edit.  Other distros
> may do similar or different things.)  Copy the values for the fields
> "Host" and "GroupName" in the .pcf file to the "IPSec gateway" and
> "IPSec ID" fields of the vpnc config file.   For the "Xauth username"
> and "Xauth password" fields, use the information supplied to you by
> Carleton, the same info as you used to download the Windows client
> from the Carleton web site.
>
> 4.  The "IPSec secret" field is the only slightly tricky bit.  The
> .pcf will include a hash of the required value in the "enc_GroupPwd"
> field, but vpnc needs the unhashed value.  Luckily, this hash can be
> decoded easily, and there is a web page that will do it for you:
>
> http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode
>
> Decode the value of the "enc_GroupPwd" of the .pcf file and use that
> for the "IPSec secret" field in the vpnc config file.  I understand
> that you can install a utility (it may even be a part of the vpnc
> package) to do the decoding locally if you prefer.
>
> 5.  You are good to go.  Use some variant of 'sudo vpnc-connect' to
> connect (root privileges are required) and 'sudo vpnc-disconnect' to
> disconnect.  These commands will build the connection, create the
> /dev/tun0 device, modify the routing tables properly and then tear it
> all down again afterward.  There are also KDE and Gnome helper apps,
> but I did not investigate or install them.
>
> Caveats:
>
> 1.  The tiny bit of investigation I did suggested that the routing
> table changes were clever enough to keep the local subnet traffic
> routed locally, but all other traffic would be routed through the vpn.
> I understand that you can do more clever routing so that you could
> keep, say, your web surfing, through your own connection while still
> routing other traffic through the vpn, but I have not investigated this.
>
> 2.  The Carleton set-up seems to use password-based authentication.
> Superficial googling suggests that vpnc may not work so well if
> certificate-based authentication is required.  I have not investigated.
>
> 3.  The command-line approach described here may wreak havoc or
> otherwise not work with boxes running networkmanager.  My box
> doesn't, so I don't know.  Installing and using the helper apps I
> alluded to might help in this respect.
>
> 4.  Your mileage may vary.
>
> Credits:  I used the following general guide from Linux Planet:
>
> http://www.linuxplanet.com/linuxplanet/tutorials/6773/1
>
> Thanks also to Singer for the encouragement to 'just do it.'
>
> Hoping this helps,
>
> Michael
>
>

--
Pythian proud winner of Oracle North America Titan Award for Exadata Solution... Read more & see us at OpenWorld bit.ly/pythianoow11
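Steps 3 and 4 of the how-to above, as an added worked example (this is not code from the thread, from vpnc or from Cisco): a small Go program that reads a .pcf profile, recovers the group password from "enc_GroupPwd" locally, and emits the five vpnc config lines the write-up names. The profile text, the 20-byte header, the group password and the Xauth credentials are all constructed here. The decode follows the publicly documented scheme that vpnc's cisco-decrypt tool implements (the local utility Michael mentions): the field is not a hash but 3DES-CBC ciphertext, with the key and IV derived by SHA-1 from the blob's own first 20 bytes and a SHA-1 of the ciphertext stored alongside as an integrity check, which is why the value can be recovered at all. The ciscoEncrypt function exists only to construct a sample blob for the program to decode.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample profile in the INI layout the Cisco client writes (CRLF line ends).
// The %s is filled with an enc_GroupPwd value built by ciscoEncrypt below.
const samplePCF = "[main]\r\nDescription=Example intranet VPN (constructed)\r\nHost=vpn.example.edu\r\n" +
	"AuthType=1\r\nGroupName=example-group\r\nenc_GroupPwd=%s\r\nEnableISPConnect=0\r\n"

// parsePCF returns the Key=Value pairs of a .pcf profile; section headers and comments are skipped.
func parsePCF(text string) map[string]string {
	kv := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text()) // also drops the \r of CRLF files
		if line == "" || strings.HasPrefix(line, "[") || strings.HasPrefix(line, ";") {
			continue
		}
		parts := strings.SplitN(line, "=", 2)
		if len(parts) != 2 {
			continue
		}
		kv[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
	}
	return kv
}

// ciscoKeySchedule derives the 24-byte 3DES key and 8-byte IV from the blob's first 20 bytes:
// key = SHA1(h1 with last byte +1) || first 4 bytes of SHA1(h1 with last byte +3), IV = h1[:8].
func ciscoKeySchedule(h1 []byte) (key, iv []byte) {
	ht := make([]byte, 20)
	copy(ht, h1)
	ht[19]++
	h2 := sha1.Sum(ht)
	ht[19] += 2
	h3 := sha1.Sum(ht)
	key = append(h2[:], h3[:4]...)
	return key, h1[:8]
}

// ciscoDecrypt turns an enc_GroupPwd hex string back into the cleartext group password.
func ciscoDecrypt(encHex string) (string, error) {
	ct, err := hex.DecodeString(encHex)
	if err != nil {
		return "", err
	}
	if len(ct) < 48 || (len(ct)-40)%8 != 0 {
		return "", errors.New("enc_GroupPwd too short or not block aligned")
	}
	h1, h4, enc := ct[:20], ct[20:40], ct[40:]
	// Bytes 20..39 are SHA-1 of the ciphertext; refuse corrupted or unrelated input.
	if sum := sha1.Sum(enc); !bytes.Equal(sum[:], h4) {
		return "", errors.New("ciphertext hash mismatch (corrupted or not an enc_GroupPwd)")
	}
	key, iv := ciscoKeySchedule(h1)
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(enc))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, enc)
	pad := int(pt[len(pt)-1]) // last plaintext byte is the pad length
	if pad < 1 || pad > 8 || pad > len(pt) {
		return "", errors.New("bad padding")
	}
	return string(pt[:len(pt)-pad]), nil
}

// ciscoEncrypt is the inverse, used here only to construct a sample blob from a known
// password; h1 is an arbitrary 20-byte header (the real client chooses its own).
func ciscoEncrypt(password string, h1 []byte) string {
	key, iv := ciscoKeySchedule(h1)
	block, _ := des.NewTripleDESCipher(key)
	pad := 8 - len(password)%8
	pt := append([]byte(password), bytes.Repeat([]byte{byte(pad)}, pad)...)
	enc := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(enc, pt)
	h4 := sha1.Sum(enc)
	out := append([]byte{}, h1...)
	out = append(out, h4[:]...)
	out = append(out, enc...)
	return strings.ToUpper(hex.EncodeToString(out))
}

// vpncConfig maps the profile onto /etc/vpnc/default.conf lines as the how-to describes:
// Host -> IPSec gateway, GroupName -> IPSec ID, decoded enc_GroupPwd -> IPSec secret.
func vpncConfig(pcf map[string]string, xauthUser, xauthPass string) (string, error) {
	for _, k := range []string{"Host", "GroupName", "enc_GroupPwd"} {
		if pcf[k] == "" {
			return "", fmt.Errorf("profile is missing %s", k)
		}
	}
	secret, err := ciscoDecrypt(pcf["enc_GroupPwd"])
	if err != nil {
		return "", err
	}
	var b strings.Builder
	fmt.Fprintf(&b, "IPSec gateway %s\n", pcf["Host"])
	fmt.Fprintf(&b, "IPSec ID %s\n", pcf["GroupName"])
	fmt.Fprintf(&b, "IPSec secret %s\n", secret)
	fmt.Fprintf(&b, "Xauth username %s\n", xauthUser)
	fmt.Fprintf(&b, "Xauth password %s\n", xauthPass)
	return b.String(), nil
}

func main() {
	h1 := bytes.Repeat([]byte{0xA5}, 20) // constructed header bytes
	pcfText := fmt.Sprintf(samplePCF, ciscoEncrypt("group-psk-example", h1))
	conf, err := vpncConfig(parsePCF(pcfText), "jdoe", "xauth-password")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(conf)
}
```

Two points worth keeping in mind when following the how-to: the IPSec secret is a group pre-shared key common to every user of the profile, so decoding it locally as above avoids sending it to a third-party web page, and the resulting default.conf holds both that key and the Xauth password in clear, so it belongs root-owned with mode 0600.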
