This document was written for Daemonnews and published in the Sep/2004 issue.
See below for updates!


Open-Source based access to Cisco VPNs
Using vpnc on NetBSD and Linux
Hubert Feyrer <hubert@feyrer.de>, September 2004

1. Background

My local university uses a Cisco 3000 VPN Concentrator for their Virtual Private Network, with clients being available only for various binary platforms like Windows, MacOS X and Linux, but none as an open source solution. This text describes how to use the program "vpnc", developed by Geoffrey Keating and Maurice Massar, which is available in source, and which was successfully used on Linux (Intel and PowerPC) as well as NetBSD so far. The following examples describe configuration of "vpnc" on NetBSD and Linux, as the (binary only) client software provided by Cisco doesn't work with 2.6 kernels. Tested operating systems were NetBSD 2.0_BETA/i386 and Gentoo Linux 1.4.16 as of september 2004, vpnc version tested was 0.2-rm+zomb.1.

2. Software

As client software, you need "vpnc", which is available at the http://www.unix-ag.uni-kl.de/~massar/vpnc/. For NetBSD, there's a package in pkgsrc-wip/vpnc, an older version of the package can be found here.

3. Configuration

3.1 Preparations

We'll use the University of Regensburg's VPN setup as an example. They offer three ways to access their network via VPN, depending if one's already in the "internal" network, if someone comes from "outside" via some ISP, or if someone is within the university's wireless network.

Necessary configuration on the operating system level for NetBSD includes availability of the "tun" pseudo device in the kernel, which is the default in the GENERIC kernel. In the Linux kernel, it can be enabled as "Universal tun/tap Device Driver" under "Network Device Support".

Another thing to note is that with vpnc version 0.2 and later, IPSEC support should not be included in the kernel, as vpnc does all the processing in userland. For NetBSD, the "IPSEC" and "IPSEC_ESP" options should be removed from the kernel config file. Again, this is already the case in the NetBSD's GENERIC kernel, so no change is needed. Aparently this problem does not arise in Linux, and IPSEC can stay in your kernel.

On Linux, /dev/net/tun has to exist, which should be the case if the tun device is loaded or enabled in the kernel and devfsd is used. Under NetBSD, the corresponding device is already included in the default installation, so no special steps are necessary. On both systems, the "Interface name" is "tun0".

The example vpnc configuration file for both NetBSD and Linux assumes the Novell/NDS-based account names of the University of Regensburg. Instead of the account name "abc12345.5.stud" (not including any NDS context like "uni-regensburg.de" or "fh-regensburg.de") use your own login. Use your own password instead of SECRET. The "IPSec secret" acts as sort of a group password, it can be retrieved from your VPN administrator. For the University of Regensburg, it can be learned by telephone (+49 941 943 4848) from Karl Wuerfl, or by looking at the (access restricted!) online documentation of the VPN setup at https://www-soft.uni-regensburg.de/dist/cisco/vpn/client/. Last, before firing up your VPN, you may want to make sure you have decent internet connectivity, either through via some ethernet or wavelan. In the latter case, you may want to set your wireless LAN network ID first, and grab an IP number from your DHCP server. To do that on NetBSD for the University of Regensburg's WaveLAN, run

	# ifconfig wi0 ssid unifunk1
	# dhclient
to do the same on Linux, try:
	# iwconfig eth1 essid unifunk1
	# dhcpcd -D eth1
Exact parameters may depend on your network configuration and Linux distribution, the above example goes for Gentoo Linux.

3.2 Access via Internet

For accessing the VPN via Internet, e.g. from a T-Online/T-DSL dialup account, the following data is needed in /usr/pkg/etc/vpnc.conf:
	Interface name tun0
	IKE DH Group dh2
	Perfect Forward Secrecy nopfs
	IPSec gateway vpngate-internet.uni-regensburg.de
	IPSec ID internet
	IPSec secret PhoneKarlWuerflAt4848
	Xauth username abc12345.5.stud
	Xauth password SECRET

3.3 Access via the Wireless LAN of the Uni Regensburg

Use the following in /usr/pkg/etc/vpnc.conf for access from the wireless network available on the University of Regensburg's campus:
	Interface name tun0
	IKE DH Group dh2
	Perfect Forward Secrecy nopfs
	IPSec gateway vpngate-wlan.uni-regensburg.de
	IPSec ID wlan
	IPSec secret PhoneKarlWuerflAt4848
	Xauth username abc12345.5.stud
	Xauth password SECRET

4. Start

After the software was installed successfully, the system was prepared and the config file was created, the "vpnc" program can be started as root:
	# vpnc
	VPNC started in background (pid: 16196)...
The following command can be used to determine the IP-number which is used to access the VPN:
	# ifconfig tun0
	tun0: flags=51 mtu 1412
		inet 132.199.212.1 -> 132.199.212.1 netmask 0xffffffff
The IP-number here is 132.199.212.1 - this can change for every new start of of the vpnc client, and will most likely be very different for your site's VPN setup.

5. Setting up routing

5.1 Via Internet - Accessing the University Machines from at Home

If the university's machines should be accessed via the VPN, routing must be setup to do so. The command for NetBSD is:
	route add -net 132.199.0.0 -interface 132.199.212.1
On Linux, you use:
	route add -net 132.199.0.0 netmask 255.255.0.0 dev tun0
That way, machines at the university can be reached using the "short" way via the VPN. 132.199.0.0 is the network of the University of Regensburg, 132.199.212.1 is the IP number assigned to the tun0 interface by vpnc. Adjust as necessary!

5.2 Source-based Routing - Accessing the Home Machine from University

If a service offered on the own machine should be accessed via the VPN, care must be taken that answers to incoming requests are sent out via the VPN, not the system's "normal" uplink (which may be firewalled at the VPN site). The following works for NetBSD:
	route delete -net 132.199.0.0
	echo "pass out on ppp0 to tun0 from 132.199.212.1 to any" | ipf -f
Again, 132.199.212.1 is the IP-number assigned to the local tun0 interface by vpnc, and ppp0 is the outgoing local network interface (may be wi0 for wireless LAN).

5.3 In the Wireless LAN Network of the University of Regensburg

Similar to VPN access from at home, care must be taken that packets aren't sent directly but via the VPN. To do this, the command for NetBSD is:

	route add -net default -interface 132.199.212.1
On Linux, use:
	route add -net default dev tun0
As before, 132.199.212.1 is the IP-number assigned to the tun0 interface by vpnc, please adjust as necessary.

6. Links

7. Authors

These instructions were compiled by Hubert Feyrer <hubertf@NetBSD.org> with lots of support by Harold Gutch <logix@foobar.franken.de> and Holger Amann <keeney@fehu.org>.

Updates


This page has been accessed 61460 times.
Copyright (c) 2003-2007 Hubert Feyrer <hubert@feyrer.de>
$Id: vpnc-howto.html,v 1.20 2007/05/09 13:04:56 feyrer Exp feh39068 $