Thanks Brenda!

Rob

>________________________________
>From: Brenda J. Butler <bjb [ at ] sourcerer [ dot ] ca>
>To: Michael Walma <michael [ at ] walma [ dot ] org>
>Cc: linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
>Sent: Wednesday, October 5, 2011 3:21:28 PM
>Subject: Re: [OCLUG-Tech] CarletonU VPN?
>
>http://devel.oclug.on.ca/wiki/OneGuysExperienceWithCarletonUniversityVNP2011
>
>I just pasted the text below onto the page. Feel free to edit it.
>
>bjb
>
>On Wed, Oct 05, 2011 at 11:50:29AM -0400, Michael Walma wrote:
>> Quoting "Stephen Gregory" <oclug [ at ] kernelpanic [ dot ] ca>:
>>
>> > On 04/10/11 04:42 PM, Michael Walma wrote:
>> >
>> >>> My wife needs access to applications through the Carleton University VPN.
>> >>> The documentation I've seen suggests that one would use a Cisco VPN
>> >
>> >> Thanks Singer, I did exactly this and it worked just fine.
>> >
>> > This VPN question gets asked every other year. Could you do a quick
>> > write-up of what you did and add it to the OCLUG wiki? I am guessing that
>> > the most important bit is how to get the PCF file and any Carleton-specific
>> > stuff.
>> >
>> > --
>> > sg
>> > _______________________________________________
>> > Linux mailing list
>> > Linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
>> > http://oclug.on.ca/mailman/listinfo/linux
>>
>> I'd be happy to do so. If someone would create an empty page in the
>> right place, I would populate it with the following:
>>
>> 1. Use your distro's package manager to install 'vpnc'.
>>
>> 2. Download the Windows XP Cisco client from the website provided by
>> Carleton, using the username and password supplied by Carleton. The
>> file is a self-extracting ZIP file with an .exe extension.
>>
>> 3. Use 'unzip' to extract the files to a handy directory. Look for
>> the ".pcf" file; in my case, it was "CarletonIntranetVPN.pcf". Using
>> information from that file, you will need to populate the vpnc config
>> file. In Ubuntu Natty, that is "/etc/vpnc/default.conf". (Ubuntu
>> created an 'example.conf' that you can copy and edit. Other distros
>> may do similar or different things.) Copy the values for the fields
>> "Host" and "GroupName" in the .pcf file to the "IPSec gateway" and
>> "IPSec ID" fields of the vpnc config file. For the "Xauth username"
>> and "Xauth password" fields, use the information supplied to you by
>> Carleton, the same info as you used to download the Windows client
>> from the Carleton web site.
>>
>> 4. The "IPSec secret" field is the only slightly tricky bit. The
>> .pcf will include a hash of the required value in the "enc_GroupPwd"
>> field, but vpnc needs the unhashed value. Luckily, this hash can be
>> decoded easily, and there is a web page that will do it for you:
>>
>> http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode
>>
>> Decode the value of the "enc_GroupPwd" of the .pcf file and use that
>> for the "IPSec secret" field in the vpnc config file. I understand
>> that you can install a utility (it may even be a part of the vpnc
>> package) to do the decoding locally if you prefer.
>>
>> 5. You are good to go. Use some variant of 'sudo vpnc-connect' to
>> connect (root privileges are required) and 'sudo vpnc-disconnect' to
>> disconnect. These commands will build the connection, create the
>> /dev/tun0 device, modify the routing tables properly and then tear it
>> all down again afterward. There are also KDE and Gnome helper apps,
>> but I did not investigate or install them.
>>
>> Caveats:
>>
>> 1. The tiny bit of investigation I did suggested that the routing
>> table changes were clever enough to keep the local subnet traffic
>> routed locally, but all other traffic would be routed through the VPN.
>> I understand that you can do more clever routing so that you could
>> keep, say, your web surfing through your own connection while still
>> routing other traffic through the VPN, but I have not investigated this.
>>
>> 2. The Carleton set-up seems to use password-based authentication.
>> Superficial googling suggests that vpnc may not work so well if
>> certificate-based authentication is required. I have not investigated.
>>
>> 3. The command-line approach described here may wreak havoc or
>> otherwise not work with boxes running NetworkManager. My box
>> doesn't, so I don't know. Installing and using the helper apps I
>> alluded to might help in this respect.
>>
>> 4. Your mileage may vary.
>>
>> Credits: I used the following general guide from Linux Planet:
>>
>> http://www.linuxplanet.com/linuxplanet/tutorials/6773/1
>>
>> Thanks also to Singer for the encouragement to 'just do it.'
>>
>> Hoping this helps,
>>
>> Michael
>---end quoted text---
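Steps 3 and 4 of Michael's write-up boil down to a field mapping: the .pcf profile's "Host" and "GroupName" become vpnc's "IPSec gateway" and "IPSec ID", and the decoded "enc_GroupPwd" becomes "IPSec secret". The script below, an added example and not code from the thread, the OCLUG wiki, vpnc or Carleton, parses a .pcf and renders the vpnc config from it. It assumes the .pcf is an INI-style file with a [main] section carrying those keys, uses a constructed sample profile whose hostname, group and hash are placeholders, and takes the decoded group password as a parameter because the decoding itself is done elsewhere (the thread points at cisco-decode for that). It also writes the result with mode 0600, since the file ends up holding the group secret, and leaves "Xauth password" out unless asked, so vpnc prompts for it rather than keeping the user's own password on disk.

```python
"""Turn a Cisco VPN client .pcf profile into a vpnc config file.

Added example for the thread above; not code from the OCLUG wiki, vpnc or
Carleton. Assumes an INI-style .pcf with a [main] section holding Host,
GroupName and enc_GroupPwd, and that enc_GroupPwd has already been decoded
out of band, so the decoded secret is passed in rather than computed here.
"""
import configparser
import os
import stat
import tempfile

# Constructed sample .pcf: hostname, group name and hash are placeholders,
# not values taken from any real profile.
SAMPLE_PCF = """\
[main]
Description=Constructed sample profile
Host=vpn.example.invalid
AuthType=1
GroupName=example-group
enc_GroupPwd=PLACEHOLDER_ENC_GROUPPWD_HEX
Username=
EnableISPConnect=0
"""


def parse_pcf(text):
    """Return the fields vpnc needs from a .pcf profile.

    .pcf option names are mixed-case; configparser lowercases them on both
    read and lookup, so the lookups below are case-insensitive.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("main"):
        raise ValueError("profile has no [main] section")
    main = cp["main"]
    profile = {
        "gateway": main.get("Host", "").strip(),
        "group_id": main.get("GroupName", "").strip(),
        "enc_group_pwd": main.get("enc_GroupPwd", "").strip(),
        # Some profiles carry the group password in the clear instead.
        "clear_group_pwd": main.get("GroupPwd", "").strip(),
        "username": main.get("Username", "").strip(),
    }
    for key in ("gateway", "group_id"):
        if not profile[key]:
            raise ValueError("profile is missing %s" % key)
    return profile


def build_vpnc_conf(profile, xauth_username, group_secret, xauth_password=None):
    """Render vpnc's default.conf from the parsed profile.

    group_secret is the decoded enc_GroupPwd value. Xauth password is
    optional: when omitted vpnc prompts, keeping the user password off disk.
    """
    lines = [
        "IPSec gateway %s" % profile["gateway"],
        "IPSec ID %s" % profile["group_id"],
        "IPSec secret %s" % group_secret,
        "Xauth username %s" % xauth_username,
    ]
    if xauth_password is not None:
        lines.append("Xauth password %s" % xauth_password)
    return "\n".join(lines) + "\n"


def write_private(path, text):
    """Write the config created with mode 0600 and return the final mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # tighten an existing file with a wider mode
    return stat.S_IMODE(os.stat(path).st_mode)


def write_to_tempdir(text, name="default.conf"):
    """Write into a fresh temporary directory; returns (path, mode)."""
    path = os.path.join(tempfile.mkdtemp(), name)
    return path, write_private(path, text)


if __name__ == "__main__":
    prof = parse_pcf(SAMPLE_PCF)
    # "decoded-secret-placeholder" stands in for the cisco-decode output.
    conf = build_vpnc_conf(prof, "jdoe", "decoded-secret-placeholder")
    path, mode = write_to_tempdir(conf)
    print(conf)
    print("written to %s with mode %o" % (path, mode))
```

On a real system the output would go to /etc/vpnc/default.conf (the path named in step 3) rather than a temp directory; the 0600 mode matters there too, because anyone who can read that file learns the group secret.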