This document was written for Daemonnews and published in the Sep/2004 issue.
See below for updates!

Open-Source based access to Cisco VPNs
Using vpnc on NetBSD and Linux
Hubert Feyrer <hubert@feyrer.de>, September 2004

1. Background

My local university uses a Cisco 3000 VPN Concentrator for their Virtual Private Network, with clients being available only for various binary platforms like Windows, MacOS X and Linux, but none as an open source solution. This text describes how to use the program "vpnc", developed by Geoffrey Keating and Maurice Massar, which is available in source, and which was successfully used on Linux (Intel and PowerPC) as well as NetBSD so far. The following examples describe configuration of "vpnc" on NetBSD and Linux, as the (binary only) client software provided by Cisco doesn't work with 2.6 kernels. Tested operating systems were NetBSD 2.0_BETA/i386 and Gentoo Linux 1.4.16 as of september 2004, vpnc version tested was 0.2-rm+zomb.1.

2. Software

As client software, you need "vpnc", which is available at the http://www.unix-ag.uni-kl.de/~massar/vpnc/. For NetBSD, there's a package in pkgsrc-wip/vpnc, an older version of the package can be found here.

3. Configuration

3.1 Preparations

We'll use the University of Regensburg's VPN setup as an example. They offer three ways to access their network via VPN, depending if one's already in the "internal" network, if someone comes from "outside" via some ISP, or if someone is within the university's wireless network.

Necessary configuration on the operating system level for NetBSD includes availability of the "tun" pseudo device in the kernel, which is the default in the GENERIC kernel. In the Linux kernel, it can be enabled as "Universal tun/tap Device Driver" under "Network Device Support".

Another thing to note is that with vpnc version 0.2 and later, IPSEC support should not be included in the kernel, as vpnc does all the processing in userland. For NetBSD, the "IPSEC" and "IPSEC_ESP" options should be removed from the kernel config file. Again, this is already the case in the NetBSD's GENERIC kernel, so no change is needed. Aparently this problem does not arise in Linux, and IPSEC can stay in your kernel.

On Linux, /dev/net/tun has to exist, which should be the case if the tun device is loaded or enabled in the kernel and devfsd is used. Under NetBSD, the corresponding device is already included in the default installation, so no special steps are necessary. On both systems, the "Interface name" is "tun0".

The example vpnc configuration file for both NetBSD and Linux assumes the Novell/NDS-based account names of the University of Regensburg. Instead of the account name "abc12345.5.stud" (not including any NDS context like "uni-regensburg.de" or "fh-regensburg.de") use your own login. Use your own password instead of SECRET. The "IPSec secret" acts as sort of a group password, it can be retrieved from your VPN administrator. For the University of Regensburg, it can be learned by telephone (+49 941 943 4848) from Karl Wuerfl, or by looking at the (access restricted!) online documentation of the VPN setup at https://www-soft.uni-regensburg.de/dist/cisco/vpn/client/. Last, before firing up your VPN, you may want to make sure you have decent internet connectivity, either through via some ethernet or wavelan. In the latter case, you may want to set your wireless LAN network ID first, and grab an IP number from your DHCP server. To do that on NetBSD for the University of Regensburg's WaveLAN, run

	# ifconfig wi0 ssid unifunk1
	# dhclient

to do the same on Linux, try:

	# iwconfig eth1 essid unifunk1
	# dhcpcd -D eth1

Exact parameters may depend on your network configuration and Linux distribution, the above example goes for Gentoo Linux.

3.2 Access via Internet

For accessing the VPN via Internet, e.g. from a T-Online/T-DSL dialup account, the following data is needed in /usr/pkg/etc/vpnc.conf:

	Interface name tun0
	IKE DH Group dh2
	Perfect Forward Secrecy nopfs
	IPSec gateway vpngate-internet.uni-regensburg.de
	IPSec ID internet
	IPSec secret PhoneKarlWuerflAt4848
	Xauth username abc12345.5.stud
	Xauth password SECRET

3.3 Access via the Wireless LAN of the Uni Regensburg

Use the following in /usr/pkg/etc/vpnc.conf for access from the wireless network available on the University of Regensburg's campus:

	Interface name tun0
	IKE DH Group dh2
	Perfect Forward Secrecy nopfs
	IPSec gateway vpngate-wlan.uni-regensburg.de
	IPSec ID wlan
	IPSec secret PhoneKarlWuerflAt4848
	Xauth username abc12345.5.stud
	Xauth password SECRET

4. Start

After the software was installed successfully, the system was prepared and the config file was created, the "vpnc" program can be started as root:

	# vpnc
	VPNC started in background (pid: 16196)...

The following command can be used to determine the IP-number which is used to access the VPN:

	# ifconfig tun0
	tun0: flags=51 mtu 1412
		inet 132.199.212.1 -> 132.199.212.1 netmask 0xffffffff

The IP-number here is 132.199.212.1 - this can change for every new start of of the vpnc client, and will most likely be very different for your site's VPN setup.

5. Setting up routing

5.1 Via Internet - Accessing the University Machines from at Home

If the university's machines should be accessed via the VPN, routing must be setup to do so. The command for NetBSD is:

	route add -net 132.199.0.0 -interface 132.199.212.1

On Linux, you use:

	route add -net 132.199.0.0 netmask 255.255.0.0 dev tun0

That way, machines at the university can be reached using the "short" way via the VPN. 132.199.0.0 is the network of the University of Regensburg, 132.199.212.1 is the IP number assigned to the tun0 interface by vpnc. Adjust as necessary!

5.2 Source-based Routing - Accessing the Home Machine from University

If a service offered on the own machine should be accessed via the VPN, care must be taken that answers to incoming requests are sent out via the VPN, not the system's "normal" uplink (which may be firewalled at the VPN site). The following works for NetBSD:

	route delete -net 132.199.0.0
	echo "pass out on ppp0 to tun0 from 132.199.212.1 to any" | ipf -f

Again, 132.199.212.1 is the IP-number assigned to the local tun0 interface by vpnc, and ppp0 is the outgoing local network interface (may be wi0 for wireless LAN).

5.3 In the Wireless LAN Network of the University of Regensburg

Similar to VPN access from at home, care must be taken that packets aren't sent directly but via the VPN. To do this, the command for NetBSD is:

	route add -net default -interface 132.199.212.1

On Linux, use:

	route add -net default dev tun0

As before, 132.199.212.1 is the IP-number assigned to the tun0 interface by vpnc, please adjust as necessary.

6. Links

VPN page of the University of Regensburg: https://www-soft.uni-regensburg.de/dist/cisco/vpn/client/
Free, non-proprietary VPN client for Linux & NetBSD (and probably others): http://www.unix-ag.uni-kl.de/~massar/vpnc/
NetBSD Multiplatform Operating System: http://www.NetBSD.org/
German language version of this article: http://www.feyrer.de/NetBSD/netbsd-vpn-howto.html

7. Authors

These instructions were compiled by Hubert Feyrer <hubertf@NetBSD.org> with lots of support by Harold Gutch <logix@foobar.franken.de> and Holger Amann <keeney@fehu.org>.

Updates

As of Sep 2005, the University of Regensburg will switch to another proprietary Cisco authentication protocol (hybrid; used to be xauth), which cannot be used with vpnc. A backward compatible access is available via the PDA access, a possible vpnc config file for that is:
```
Interface name tun0
IKE DH Group dh2
Perfect Forward Secrecy nopfs
IPSec gateway vpngate-wlan.uni-regensburg.de
IPSec ID pda
IPSec secret PhoneKarlWuerflAt4848
Xauth username abc12345.5
Xauth password SECRET 
```
When using vpnc 0.3.3, make sure to have a seperate route going to the VPN server, before setting the default route to the VPN tunnel. Else you won't be able to reach the VPN server. :)
May 2007: For WLAN, I've switched from vpnc to using WPA-based authentication via wpa_supplicant at the campus of the FH and Uni Regensburg. Here is the relevant part of my wpa-supplicant.conf file that I use for roaming on both sites:
```
network={
        ssid="802.11i"
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="abc12345" 
        password="MyNovellNDSPassword"
        phase2="auth=PAP"
} 
```
For this to work, the network card must be registered once. This can be done online by joining the "unifunk1" WLAN and accessing a random site.
After starting wpa_supplicant(8) with the above config file and some waiting (check ifconfig output!), running dhclient(8) gives an IP number etc. No additional software needed, tested with NetBSD 4.0_BETA2/i386.

This page has been accessed 62919 times.

Copyright (c) 2003-2007 Hubert Feyrer <hubert@feyrer.de>
$Id: vpnc-howto.html,v 1.20 2007/05/09 13:04:56 feyrer Exp feh39068 $