# Cisco VPNClient stops working after a few seconds - [SOLVED]

## jasn

Hi All,

I've moved over to a X86 Gentoo Linux machine for my work laptop. Most everyone at work uses a Win2K or XP desktop, and there are a very few who use Mac OSX as their desktops. I've used the Cisco VPN client on both platforms and it works well. I even have the company provided .pcf Profiles for both platforms.

My problem is now with getting my Gentoo laptop into our corporate intranet (mostly for email), I've emerged the Cisco VPN client successfully, (after searching the threads here and finding a public spot to download the latest client from, 4.6.02.0030), and I can connect using either the Windows or Mac .pcf Profiles. I pull up our internal webpage and it works. I can click on links and surf our intranet, for about 30 seconds.. Afterwards I can't find any internal webpages anymore, and if I had clicked on something during this period when the connection stops, I get timeouts.. I'm a little curious as to whether or not our IT department's configuration of the VPN server "kicks" any "unauthorized" Linux boxes off of the net, after a set amount of time. When I asked our IT group about supporting a Linux laptop, they mentioned that they don't suggest it, as they require all Linux boxes at HQ, (I'm in the field), to have root access, (and to explicitly deny the person using the box root access), at least for now.

I'm curious if anyone has any experience with the Cisco VPN client, and whether or not this "kicking off" scenario makes sense. Is there something I can try editing my .pcf profile with to try and stay connected? I looked at both the Windows and OSX .pcf files, and I can't notice anything especially different between them. I tried the ForceKeepAlives=1 option as another thread here suggested, but it did nothing for me. The reason I did this is because while the Windows client connects, the connection process checks to see if they have the IT supplied Firewall software running. If it doesn't, then in the notification message, they alert you that you should have it running, but they don't stop the connection. For the OSX platform, there is no check, and no notification, beyond the standard VPN message. (That's why I thought I could make this connection using the Mac .pcf..)

Thanks

Last edited by jasn on Fri Jul 08, 2005 6:03 pm; edited 1 time in total

----------

## Praxxus

Jasn,

I recommend you experiment with ditching the Cisco client entirely.  In my experience, their Linux client has been like unto a pile of garbage.  I use the "vpnc" client for Cisco 3000 VPN Concentrators, and it has been working really well for me.  Its one big flaw right now is that it doesn't support rekeying, but our concentrator at work is set to rekey every 8 hours (the Cisco default).  That's a lot better than 30 seconds!  VPNC has the added bonus of letting you access the rest of the internet while you've got a VPN session going with work.

I had to write some scripts around it to make sure that traffic got sent to the right place, but that's easy to do, and I'd be glad to help you if you need it.  There is also a decent front-end for KDE, kvpnc.  Both of these apps are in Portage.

Note that you'll need your "Group" password to use vpnc.  Fortunately, the vpnc homepage has a link to a password decoder(!) that can get that out of the way for you.

As for the kicking, I don't remember off the top of my head if you can configure the concentrators to do that.  I'll have to double check.  But my initial hunch is that the Linux client is junk.   :Razz: 

----------

## [Lx]-=Mystify=-

 *Praxxus wrote:*   

> In my experience, their Linux client has been like unto a pile of garbage.

that's exactly my experience, but the windows version is not better...

I do tutoring for about 60 people in our hostel at university... all Windows, and the Cisco VPN client causes a lot of problems...

 *Praxxus wrote:*   

> VPNC has the added bonus of letting you access the rest of the internet while you've got a VPN session going with work.

the Cisco VPN client lets you do this too, but you have to modify the profile, because the default profile delivered by Cisco disables the LAN access...

with vpnc I haven't had any problems until now... maybe rekeying will be implemented if enough people ask for it... the mail address of the guy who is developing it is vpnc (at) unix-ag.uni-kl.de...

I call on everyone who uses vpnc to write him an email with the plea to implement rekeying...

----------

## Praxxus

 *[Lx]-=Mystify=- wrote:*   

>  I call on everyone who uses vpnc to write him an email with the plea to implement rekeying...

 

An excellent suggestion!  Will do.

----------

## jasn

 *Praxxus wrote:*   

> Jasn,
> 
> I recommend you experiment with ditching the Cisco client entirely.  In my experience, their Linux client has been like unto a pile of garbage.  I use the "vpnc" client for Cisco 3000 VPN Concentrators, and it has been working really well for me.

 

Thanks for this. I actually have been trying to get vpnc to work for me. I find that the documentation is almost non-existent though. But through googling, this is what I have done;

1) Rebuilt kernel (2.6.11 r7) with TUN module support

2) modprobe tun

3) edited /etc/vpnc.conf to include just; VPN server IP, Groupname, GroupPW, and Username

4) ran vpnc-connect. It asks me for my password and then connects me..

My problem is that my routing doesn't seem to be working. I gather I may need to do a "route add" command. But I'm lost on exactly what I should type. I read somewhere and tried "route add -net default dev tun0" but it didn't work. A route -n shows that I have a route for eth0 that has as its destination my VPN server IP, but my local LAN gateway IP. That can't be right. Can anyone help?

----------

## Praxxus

Here are my vpnc scripts, which I hacked up from the ones that came with vpnc.  I set it up so that ONLY the traffic for my work subnet ($vpn_subnet) goes over the tunnel.  You'll need the "iproute" package to get "ip" installed.

Connect:

```
#!/bin/bash
# vpnc wrapper. Run it by hand with no VPNGATEWAY in the environment to
# start vpnc; vpnc then calls this same script back (with VPNGATEWAY,
# TUNDEV and INTERNAL_IP4_ADDRESS set) to bring up the tunnel device and
# the split-tunnel routes.

tun_num=`echo $TUNDEV| cut -d n -f 2`
defr=/var/run/vpnc/default_route
gate=/var/run/vpnc/gateway
pid=/var/run/vpnc/pid
mytun=/var/run/vpnc/tundev
myconf=/etc/vpnc.conf
vpnc=/usr/bin/vpnc
vpn_subnet="xxx.xxx.xxx.0/20"      # work subnet: the only network sent over the tunnel
extra_ip="xxx.xxx.xxx.xxx/32"      # one extra host that should also use the tunnel
iptables="/sbin/iptables"

PID="$(cat "$pid" 2> /dev/null)"

# Strip the tokens from "ip route get" output that "ip route add" rejects.
fix_ip_get_output () {
        sed 's/cache//;s/metric[0-9]\+ [0-9]\+//g' | xargs echo
}

# First invocation (by hand): refuse to start a second vpnc, then exec vpnc
# with this script registered as its hook.
if [ -z "$VPNGATEWAY" ] ; then
        if [ "$PID" ] ; then
                if kill -0 "$PID" > /dev/null 2>&1; then
                        echo "vpnc found running (pid: $PID, pidfile: $pid)"
                        exit 1
                fi
        fi
        exec "$vpnc" --pid-file "$pid" --script "$0" "$@" $myconf || exit 1
fi

# Second invocation (by vpnc): bring up the tunnel device.
ifconfig $TUNDEV inet $INTERNAL_IP4_ADDRESS \
        pointopoint $INTERNAL_IP4_ADDRESS \
        netmask 255.255.255.255 mtu 1412 up

# Pin a host route to the VPN gateway over the existing path, so the
# encrypted packets themselves can never be routed into the tunnel.
ip route add $(ip route get $VPNGATEWAY | fix_ip_get_output)
ip route | grep '^default' | fix_ip_get_output > "$defr"

# Split tunnel: only the work subnet and the extra host go via the tunnel;
# the default route is left alone, so the rest of the internet stays direct.
ip route add to "${vpn_subnet}" dev $TUNDEV
ip route add to ${extra_ip} dev $TUNDEV
ip route flush cache

echo "$VPNGATEWAY" > "$gate"
echo "$TUNDEV" > $mytun

# Optional: this box is the home gateway, so let the LAN behind eth1 use
# the tunnel, masquerading it behind the tunnel address.
$iptables -A FORWARD -i $TUNDEV -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i eth1 -o $TUNDEV -j ACCEPT
$iptables -t nat -A POSTROUTING -o $TUNDEV -j MASQUERADE

exit 0
```

Note that in addition to my work subnet, there is an extra IP address routed through the tunnel.  That's because work has a subscription to Safari, and it's nice to have access to that from home.   :Wink: 

I also have some iptables rules at the end (optional), since I run the VPN from my firewalled gateway machine at home.

Disconnect:

```
#!/bin/bash
# vpnc teardown: stop the daemon, remove the pinned gateway route and the
# iptables rules added by the connect script.

defr=/var/run/vpnc/default_route
gateway=/var/run/vpnc/gateway
pid=/var/run/vpnc/pid
mytun=/var/run/vpnc/tundev
VPN_SUBNET="xxx.xxx.xxx.0/20"
extra_ip="xxx.xxx.xxx.xxx/32"
iptables="/sbin/iptables"

if [ $# -ne 0 ]; then
        echo "Usage: $0" 1>&2
        exit 1
fi

PID=`cat $pid 2> /dev/null`
TUNDEV=`cat $mytun 2> /dev/null`

if [ "${PID}" == "" ]; then
        echo "no vpnc found running"
        exit 1
fi

if ! kill -0 "$PID" > /dev/null 2>&1; then
        echo "no vpnc found running"
        exit 1
fi

echo "Terminating vpnc daemon (pid: $PID)"
kill $PID

# Drop the host route to the VPN gateway; the routes over the tun device
# disappear together with the device once vpnc has exited.
if [ -r "$defr" ]; then
        if [ -r "$gateway" ] ; then
                ip route del `cat $gateway`
        fi
        ip route flush cache
fi

rm -f -- "$defr" "$pid"

# Remove the forwarding and masquerade rules added on connect.
$iptables -D FORWARD -i $TUNDEV -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -D FORWARD -i eth1 -o $TUNDEV -j ACCEPT
$iptables -t nat -D POSTROUTING -o $TUNDEV -j MASQUERADE

exit 0
```

Note the removal of the iptables rules.

When tun0 is taken down by killing vpnc, all the associated routing info gets cleared when you flush the cache.  

Hope these help!
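The routing step that makes this split tunnel work is the one jasn was stuck on: the VPN gateway itself must keep a host route over the physical interface, and only the work subnet goes over the tun device. The script below is an added example, not Praxxus' script and not vpnc's own vpnc-script; it derives that host route from `ip route get` output using a whitelist of tokens instead of the sed blacklist above, refuses to continue if the gateway route would already go through the tunnel (the loop that silently kills a session), and prints the `ip route` commands as a dry run instead of executing them. The `ip route get` text, the gateway 203.0.113.10, the subnet 10.20.0.0/20 and the device tun0 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from vpnc): build the route set for a
# split tunnel from "ip route get <gateway>" output, with a loop check.
# SAMPLE_ROUTE_GET is constructed text in the format of a 2.6-era kernel;
# all addresses and device names are placeholders.

SAMPLE_ROUTE_GET='203.0.113.10 via 192.168.1.1 dev eth0  src 192.168.1.20
    cache  mtu 1500 advmss 1460 hoplimit 64'

# host_route_args "<ip route get output>"
# Prints "<dst> via <gw> dev <if> src <addr>", keeping only the tokens that
# "ip route add" accepts and dropping cache/mtu/metric/advmss/hoplimit/etc.
host_route_args() {
    printf '%s\n' "$1" | tr '\n' ' ' | awk '{
        out = $1
        for (i = 2; i <= NF; i++)
            if ($i == "via" || $i == "dev" || $i == "src") { out = out " " $i " " $(i + 1); i++ }
        print out
    }'
}

# route_dev "<route args>": prints the interface named after "dev".
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# split_tunnel_commands VPNGATEWAY TUNDEV SUBNET "<ip route get output>"
# Prints the commands to run (dry run). Fails if the gateway route is not
# for VPNGATEWAY, or if it would itself go through TUNDEV: in that case the
# encrypted packets would be fed back into the tunnel and the session dies.
split_tunnel_commands() {
    gw=$1; tun=$2; subnet=$3; get_out=$4
    host=$(host_route_args "$get_out")
    case "$host" in
        "$gw "*) ;;
        *) echo "unexpected route for $gw: $host" >&2; return 1 ;;
    esac
    [ "$(route_dev "$host")" != "$tun" ] || {
        echo "route to $gw already points at $tun, refusing to loop the tunnel" >&2
        return 1
    }
    echo "ip route add $host"              # pin the gateway over the real uplink
    echo "ip route add $subnet dev $tun"   # only the work subnet uses the tunnel
    echo "ip route flush cache"
}

# Run the dry run only when asked to, so the functions can be sourced and tested.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    split_tunnel_commands 203.0.113.10 tun0 10.20.0.0/20 "$SAMPLE_ROUTE_GET"
fi
```

Run it with `RUN_EXAMPLE=1 sh split-tunnel.sh` to see the commands, or feed it the real output of `ip route get "$VPNGATEWAY"` from inside a vpnc hook. One caveat on the script above this example: with split tunnelling the machine sits on the internet and inside the work network at the same time, and the `MASQUERADE` rule goes a step further by turning the box into a NAT gateway for the work subnet, so every host on the home LAN behind eth1 can reach the corporate network as if it were the VPN client. That is the kind of exposure a corporate IT group has in mind when it is wary of unmanaged clients.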

----------

## jasn

 *Praxxus wrote:*   

> Here are my vpnc scripts, which I hacked up from the ones that came with vpnc.

 

Praxxus,

Thanks for all the help. I'm sure that in the hands of someone more knowledgeable, it would have been sufficient. Unfortunately I wasn't able to get vpnc to work. I get a connection but my routing doesn't seem to work correctly. I tried both the installed vpnc-connect script and yours, but I just don't know enough about the networking configuration in Linux to know how to setup the routing. So until someone knows what the Cisco client may be doing and can offer a suggestion with that software here, or I spend some time learning enough to be able to configure vpnc to work (maybe someone will come up with a clear vpnc HowTo), I'm back to using the XP Cisco client, and Outlook for now..

----------

## micmac

Hi!

I didn't want binary crap in my Gentoo, so I started using vpnc. I put together an init script and a watchdog in case the connection somehow breaks. Here we go:

/etc/init.d/vpn:

```
#!/sbin/runscript
# Gentoo init script: bring the vpnc tunnel up once the LAN interface is up.

depend() {
        need net.eth0
}

start() {
        ebegin "Starting VPN"
        sleep 2
        # vpnlink is the tun device name vpnc is configured to use; lower
        # its MTU so packets still fit once they are encapsulated.
        /usr/bin/vpnc-connect && ifconfig vpnlink mtu 1330
        eend $?
}

stop() {
        ebegin "Stopping VPN"
        /usr/bin/vpnc-disconnect
        local rc=$?
        sleep 2
        eend $rc
}
```

/etc/init.d/vpnwatchdog:

```
#!/sbin/runscript
# Gentoo init script: run the watchdog shell script (path set in
# /etc/conf.d/vpnwatchdog) in the background and track its pid.

depend() {
        after shorewall
}

start() {
        ebegin "Starting vpnwatchdog"
        start-stop-daemon       --start \
                                --background \
                                --make-pidfile \
                                --pidfile /var/run/vpnwatchdog.pid \
                                --exec $WATCHDOG
        eend $? "Failed to start vpnwatchdog."
}

stop() {
        ebegin "Stopping vpnwatchdog"
        start-stop-daemon --stop --pidfile /var/run/vpnwatchdog.pid
        eend $? "Failed to stop vpnwatchdog."
}
```

/etc/conf.d/vpnwatchdog:

```
# Path to the VPN watchdog shellscript:
WATCHDOG="/usr/local/bin/vpnwatchdog.sh"
```

vpnwatchdog.sh:

```
#!/bin/bash
# Every 60 seconds send a single ping to a reference host. If it gets no
# reply, take the LAN interface down and start shorewall again, which
# brings the network (and with it the vpn service) back up.

while sleep 60; do
        ping -c 1 -w 40 www.xxx.yyy.zzz >/dev/null && RUN=1
        if [ -z "$RUN" ]; then
                logger -i -t vpnwatchdog -p local0.info "initializing full internet connection restart"
                /etc/init.d/net.eth0 stop >/dev/null 2>&1
                /etc/init.d/shorewall start >/dev/null 2>&1
        fi
        unset RUN
done
```

The watchdog sends one ping to an internet machine (www.xxx.yyy.zzz) every 60 seconds to see if the connection is alive. If that's not the case, the whole internet stuff is shut down and afterwards restarted.

Maybe you can use it, too. The watchdog script is derived from a watchdog for VDR. There's an ebuild from which I got it.

Cheers

mic
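
A stricter liveness check than the single ping above, added here as an example; it is not micmac's watchdog and not part of vpnc. Pinging an internet host only proves the uplink is alive and says nothing about the tunnel, and tearing down net.eth0 on one lost packet is heavy-handed. This version probes a host that is only reachable through the tunnel, treats a dead vpnc process as a failure even when the probe would pass, and restarts the vpn service only after FAIL_LIMIT consecutive failures. It assumes vpnc writes its pid to /var/run/vpnc/pid (the path Praxxus' scripts use); the probe target 10.0.0.1 is a placeholder, and `/etc/init.d/vpn` is the init script from the post above.

```shell
#!/bin/sh
# Added example (not from the thread or from vpnc): tunnel watchdog that
# restarts the vpn service only after FAIL_LIMIT consecutive failed probes.
# Assumptions: vpnc's pid file is /var/run/vpnc/pid, and PROBE targets a
# host (10.0.0.1 is a placeholder) that is reachable only via the tunnel.

PIDFILE=${PIDFILE:-/var/run/vpnc/pid}
PROBE=${PROBE:-"ping -c 1 -w 5 10.0.0.1"}
FAIL_LIMIT=${FAIL_LIMIT:-3}
INTERVAL=${INTERVAL:-60}

# daemon_alive PIDFILE: succeeds when the pid recorded in PIDFILE is a live process.
daemon_alive() {
    [ -r "$1" ] || return 1
    pid=$(cat "$1" 2>/dev/null)
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# tunnel_ok PIDFILE PROBE_CMD: vpnc is running and the probe command succeeds.
tunnel_ok() {
    daemon_alive "$1" || return 1
    sh -c "$2" >/dev/null 2>&1
}

# next_fail_count COUNT OK: prints the new consecutive-failure count,
# reset to 0 after a good check (OK=0) and COUNT+1 after a bad one.
next_fail_count() {
    if [ "$2" -eq 0 ]; then echo 0; else echo $(( $1 + 1 )); fi
}

# restart_needed COUNT LIMIT: succeeds once COUNT has reached LIMIT.
restart_needed() {
    [ "$1" -ge "$2" ]
}

# Main loop: probe every INTERVAL seconds, restart the vpn service after
# FAIL_LIMIT failures in a row, then start counting again from zero.
watchdog_loop() {
    fails=0
    while sleep "$INTERVAL"; do
        if tunnel_ok "$PIDFILE" "$PROBE"; then ok=0; else ok=1; fi
        fails=$(next_fail_count "$fails" "$ok")
        if restart_needed "$fails" "$FAIL_LIMIT"; then
            logger -i -t vpnwatchdog -p local0.info \
                "tunnel probe failed $fails times in a row, restarting vpn"
            /etc/init.d/vpn restart >/dev/null 2>&1
            fails=0
        fi
    done
}

# Run the loop only when asked to, so the functions can be sourced and tested.
if [ "${VPNWATCHDOG_RUN:-0}" = 1 ]; then
    watchdog_loop
fi
```

Point WATCHDOG in /etc/conf.d/vpnwatchdog at this file and start it with `VPNWATCHDOG_RUN=1` in the environment (or drop the guard). Checking vpnc's own pid file rather than the watchdog's pid file matters: start-stop-daemon's `--make-pidfile` records the pid of the watchdog loop, which is what the init script needs to stop it, but it tells you nothing about whether vpnc is still alive.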

----------

## Slavo

does it work when you add scripts in /etc/init.d/..

to default runlevels?

and where is that file vpnwatchdog.sh located?

----------

## Slavo

and also I did exactly the same as you did 

in vpn script:  /usr/bin/vpnc-connect /usr/net/xyz.conf  #my vpnc config file

and deleted the line with ifconfig since I have no idea what that is - and it writes 

/etc/init.d/vpnwatchdog start

* ERROR:  "/etc/init.d/vpnwatchdog" has syntax errors in it; not executing...

and same for vpn script

any idea why?

----------

## micmac

 *Slavo wrote:*   

> does it work when u add scripts in /etc/init.d/..
> 
> to default runlevels?
> 
> and where is that file vpnwatchdog.sh located?

 

Its location must be what you write down in /etc/conf.d/vpnwatchdog (look above).

In case you don't use shorewall (a firewall) you have to change a line in vpnwatchdog.sh:

```
/etc/init.d/shorewall start 2>&1 >/dev/null
```

to

```
/etc/init.d/vpn start 2>&1 >/dev/null
```

And yes, add both vpn and vpnwatchdog to your default runlevel.

Last edited by micmac on Wed Jun 01, 2005 7:23 pm; edited 2 times in total

----------

## Slavo

got that one  :Smile: 

any idea why it writes me syntax error?

I just pasted the source code and did chmod 700 /etc/init.d/vpn

----------

## micmac

```
ifconfig vpnlink mtu 1330
```

 just changes the MTU of your vpn device.

----------

## Slavo

I have no idea what that is

----------

## micmac

Oh, and because you apparently don't use shorewall, you have to edit /etc/init.d/vpnwatchdog:

```
after shorewall
```

to

```
after vpn
```

That may get rid of the "syntax error" message. MTU = Maximum Transfer Unit. 1300 is pretty standard for vpn afaik. Your VPN provider should be able to tell you the proper number. If the MTU is too big you should see messages about "too many packets" or "too large packets" in your syslog and the connection should become unstable.

----------

## Slavo

still same 

here is the code:

```
#!/sbin/runscript

depend() {
        need net.eth0
}

start() {
        ebegin "Starting VPN"
        sleep 2
        /usr/bin/vpnc-connect /usr/net/xyz.conf
        ifconfig vpnlink mtu 1330
        eend $?
}

stop() {
        ebegin "Stopping VPN"
        /usr/bin/vpnc-disconnect
        sleep 2
        eend $?
}
```

and after I type:

```
#/etc/init.d/vpn start
 * ERROR:  "/etc/init.d/vpn" has syntax errors in it; not executing...
```

why is that????

----------

## micmac

I don't know. I checked and I have exactly the same script and it totally works. The permissions are correct, right? Can you see any additional info in dmesg after the error occurs?

Last edited by micmac on Wed Jun 01, 2005 7:44 pm; edited 1 time in total

----------

## Slavo

this I don't know, I haven't worked with that, just copied chmod 700 from somewhere  :Razz: 

what are yours ?

----------

## micmac

 *Slavo wrote:*   

> this I don't know, I haven't worked with that, just copied chmod 700 from somewhere 
> 
> what are yours ?

 

Same perms as the other scripts have.

```
ls -lh /etc/init.d
```

 will tell you.

----------

## Slavo

yeah you are right, that's probably the error:

btw why do you have in watchdog also net.eth0 restart?

----------

## Slavo

so now the problem is how to change permissions but that's probably another topic .....

----------

## micmac

 *Slavo wrote:*   

> yeah you are right, that's probably the error:
> 
> btw why do you have in watchdog also net.eth0 restart?

 

Either your vpn connection or your dhcp connection can break. That's why I restart both in order to be sure that it works after the restart.

----------

## micmac

 *Slavo wrote:*   

> so now the problem is how to change permissions but that's probably another topic .....

 

 :Smile: 

```
chmod 755 /etc/init.d/vpn
```

```
chmod 755 /etc/init.d/vpnwatchdog
```

----------

## Slavo

thanks, it helped but I still have the same error  :Sad: 

----------

## micmac

 *Slavo wrote:*   

> thanks, it helped but I still have the same error 

 

Grab it from here:

```
w/vpn
```

Put it in /etc/init.d, change perms and try again. Maybe you just messed up the lines in your script.

Cheers

mic

Last edited by micmac on Wed Jun 01, 2005 8:28 pm; edited 1 time in total

----------

## Slavo

I have no idea why it works now

thank you,

can you please gimme watchdog scripts  :Smile: 

----------

## Slavo

hehe ok thank you so much anyway

- gentoo is great - the best support ever

- I will compare the files and try to find the error

prost

----------

## micmac

If you need anything drop me a private message.

----------

## Slavo

so now I tracked the problem with watchdog 

- somehow it always puts the number of process 9083 in the pid-file

- that's why it doesn't work

- I assume the pid has to be the vpnc-connect pid, or?

and I also tracked that the correct pid is in file /var/run/vpnc/pid

-  any idea how to modify the script so that it will work?

----------

## jasn

My original problem (the Cisco VPN Client losing its DNS or routing after a few seconds), was solved by using an updated version of the client. I'm now on 4.6.03.0190 and everything is fine with my VPN connections..

----------

## Kraymer

Maybe one of you folks is still interested in a howto? There's a draft for an official VPN howto.

It doesn't solve the issue with the need to reconnect after the rekeying interval though  :Sad: 

edit: PS: The cisco vpn client sucks indeed. Instead of reconnecting every 30, my system froze several times!   :Evil or Very Mad:  So many people would celebrate if vpnc would support rekeying, complaints about the proprietary driver/client are found all over the net. However, rekeying is officially in the vpnc TODO.

----------

