# Cisco VPN Client

## jon.d@c2internet.net

Hi

Has anyone managed to get the Cisco VPN Client 4.0.3.B-k9 working on kernel 2.6.1?  

Kind Regards

Jonathan C2

----------

## mikjik

.

Yes, I got it working on kernel 2.6.0 and 2.6.1.  But it broke when I went to 2.6.2.  I dropped back to 2.6.1 and it works again.

When Googling the topic, I learned that it's not a Gentoo issue per se, but something in 2.6.2.

If someone knows how to make it work on 2.6.2+, let me know!    :Wink: 

-MJ

.

----------

## cpdsaorg

is this working on 2.6.3??

----------

## hanzotutu

oops, my cisco-vpnclient-3des-4.0.3b-r2 works

```
scimd files # /etc/init.d/vpnclient start
 * Starting Cisco VPN Client...                                           [ ok ]
scimd files # lsmod
Module                  Size  Used by
cisco_ipsec           391884  - 
fglrx                 197348  -
...
scimd files # vpnclient
Cisco Systems VPN Client Version 4.0.3 (B)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.2-gentoo #2 Sun Feb 8 13:18:58 PST 2004 i686
```

----------

## sigSEGV2003

I had it working on 2.6.0-2.6.2, but for some reason DNS resolution wouldn't work.  Might have been a UDP only problem.  I can't get it to do anything but lock up my box with 2.6.3.  If I have time, I'll open a TAC case with Cisco tomorrow and see 1) are they going to support 2.6 anytime soon and 2) who should fix this, kernel team or Cisco.

----------

## mikjik

.

So what are you doing in 2.6.2+ that I'm not doing?  I had it working fine in 2.6.0/1, but it broke for me in 2.6.2/3.  I used the same .config file across my kernel builds.

I can do a /etc/init.d/vpnclient start just fine and the module loads, but when I go to connect, it hangs.  I'm never prompted for my username and password.

I've tweaked my kernel config to death trying to shake it loose.

-mikjik

.

----------

## zeky

 *cpdsaorg wrote:*   

> is this working on 2.6.3??

 

Not for me  :Sad: 

Does anyone have a solution?

----------

## leszcz

Found on google :

http://tinyurl.com/2uaa8

I haven't tried it yet.

----------

## Berni

I have the exact same problem with "/etc/init.d/vpnclient start" working properly but "vpnclient connect" locking up the pc...I'm currently using gentoo-dev-sources 2.6.3_r1 and got everything else working fine on my notebook (stage1-install on a 450Mhz PIII rocks  :Laughing: ) . 

Did anyone try the "solution" linked by leszcz? I didn't understand what to do exactly (I'm German and didn't really understand what Patrick Toal said in this mailing list...) but if someone could tell me what to do I could try it...

----------

## leszcz

OK, I can confirm that solution found on google actually works for me (kernel 2.6.3).

What you have to do is to _reverse_ patch attached by Patric Toal :

net/core/dev.c

@@ -946,11 +996,29 @@

  *     The notifier passed is linked into the kernel structures and must

  *     not be reused until it has been unregistered. A negative errno code

  *     is returned on a failure.

+ *

+ *     When registered all registration and up events are replayed

+ *     to the new notifier to allow device to have a race free

+ *     view of the network device list.

  */

 int register_netdevice_notifier(struct notifier_block *nb)

 {

-       return notifier_chain_register(&netdev_chain, nb);

+       struct net_device *dev;

+       int err;

+

+       rtnl_lock();

+       err = notifier_chain_register(&netdev_chain, nb);

+       if (!err) {

+               for (dev = dev_base; dev; dev = dev->next) {

+                       nb->notifier_call(nb, NETDEV_REGISTER, dev);

+

+                       if (dev->flags & IFF_UP)

+                               nb->notifier_call(nb, NETDEV_UP, dev);

+               }

+       }

+       rtnl_unlock();

+       return err;

 }

 /**
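Review bot: the added rtnl_lock() in register_netdevice_notifier() changes the calling contract, and the updated comment does not say so. A caller that already holds the RTNL lock when it registers will block at this line, and nb->notifier_call now runs synchronously for every device in dev_base before the function returns, so the callback has to be fully usable before registration is attempted. The comment block should state both constraints. The return values of the replayed nb->notifier_call invocations are also discarded; either check them or document that they are ignored.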

so my dev.c now is :

```
 *      Register a notifier to be called when network device events occur.
 *      The notifier passed is linked into the kernel structures and must
 *      not be reused until it has been unregistered. A negative errno code
 *      is returned on a failure.
 */
int register_netdevice_notifier(struct notifier_block *nb)
{
        return notifier_chain_register(&netdev_chain, nb);
}
```

WARNING : I am completely unaware how this change affects kernel functionality.

----------

## Berni

Thanks a lot! It works perfectly now and I didn't experience any drawbacks from this change yet.

I have a rather offtopic-question and would be glad if someone could help me:

The vpn-connection shall be started automatically by a shell script. However, this doesn't work fully automatically because of the following:

```
bash# vpnclient connect internet
Cisco Systems VPN Client Version 4.0.3 (B)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.3-gentoo-r1 #9 SMP Mon Feb 23 21:09:18 CET 2004 i686

Initializing the VPN connection.
Contacting the gateway at xxxxxxxxxx
Authenticating user.
Negotiating security policies.
Securing communication channel.
Internet connection ready to use.
Do you wish to continue? (y/n): 
```

Isn't it possible to automatically answer this question with "y" or something like that? I did not find an option for that in the profile-file...

----------

## joemc91

Thanks so much for the post.  This fix worked for the ck-2.6.1 source too.

----------

## rcast

Hello,

Just read an article which had a patch to the cisco client instead of the linux kernel and thought it may be of some use:

http://marc.theaimsgroup.com/?l=linux-kernel&m=107765601402527&w=2

Rene

----------

## wwc210

What is the kernel or the cisco client supposed to look like at the end of the process? I have the 2.6.3 kernel. Can someone tell me how to apply the patch to either the kernel or the cisco client?

----------

## Berni

I have patched the kernel and I think that leszcz described it quite well. Open your net/core/dev.c file and search for "int register_netdevice_notifier(struct notifier_block *nb)". Then just delete these lines (alternatively you could also use a diff-file, but editing the file directly is better/easier/safer here I think...)

```
struct net_device *dev;
int err;

rtnl_lock();
err = notifier_chain_register(&netdev_chain, nb);
if (!err) {
        for (dev = dev_base; dev; dev = dev->next) {
                nb->notifier_call(nb, NETDEV_REGISTER, dev);

                if (dev->flags & IFF_UP)
                        nb->notifier_call(nb, NETDEV_UP, dev);
        }
}
rtnl_unlock();
return err;
```

and add this one instead

```
return notifier_chain_register(&netdev_chain, nb); 
```

Rebuild your kernel and the Cisco Client works just fine  :Very Happy: 

-------------------------------------------------------------------------

The other alternative is what is mentioned in rcast's post. Copy the code

```
diff -u --recursive vpnclient/interceptor.c vpnclient-new/interceptor.c

--- vpnclient/interceptor.c   2003-10-30 02:27:34.000000000 +0100

+++ vpnclient-new/interceptor.c   2004-02-24 21:26:36.000000000 +0100

@@ -364,11 +364,6 @@

         error = VPNIFUP_FAILURE;

         goto error_exit;

     }

-    error = register_netdevice_notifier(&interceptor_notifier);

-    if (error)

-    {

-        goto error_exit;

-    }

 

     vpn_is_up = TRUE;

     return error;

@@ -388,8 +383,6 @@

 {

     int i;

 

-    unregister_netdevice_notifier(&interceptor_notifier);

-

     cleanup_frag_queue();

     /*restore IP packet handler */

     if (original_ip_handler.pt != NULL)

@@ -436,6 +429,9 @@

 {

     struct net_device *dev = (struct net_device *) val;

 

+    if (!vpn_is_up)

+   return 1;

+

     switch (event)

     {

     case NETDEV_REGISTER:

@@ -853,6 +849,8 @@

         CNICallbackTable = *PCNICallbackTable;

         CniPluginDeviceCreated();

 

+        register_netdevice_notifier(&interceptor_notifier);

+

         if ((status = register_netdev(&interceptor_dev)) != 0)

         {

             printk(KERN_INFO "%s: error %d registering device \"%s\".\n",

@@ -876,6 +874,9 @@

     CniPluginUnload();

 

     unregister_netdev(&interceptor_dev);

+

+    unregister_netdevice_notifier(&interceptor_notifier);

+

     return;

 }
```

into a diff-file and apply the diff to your CISCO-VPN-Client-Sources (note: for changes to take effect, you have to copy the newly created file vpnclient-new/interceptor.c to vpnclient/interceptor.c and you should back up your old vpnclient/interceptor.c!). After recompiling the Cisco VPN Client, this should also work, but I didn't try this on my own as the first patch worked just fine. 
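Review bot: in the `@@ -853,6 +849,8 @@` hunk the return value of `register_netdevice_notifier(&interceptor_notifier)` is dropped, although the code removed in the first hunk checked it (`if (error) goto error_exit;`). Keep the check at the new call site, and make sure the `register_netdev(&interceptor_dev)` failure branch that follows unregisters the notifier before it returns, otherwise a failed module load leaves a notifier registered.

Review bot: in the `@@ -436,6 +429,9 @@` hunk, `return 1;` uses a bare number and is indented differently from the `if (!vpn_is_up)` line above it. Return the named notifier constant that is intended (NOTIFY_DONE or NOTIFY_OK) and match the four-space indentation of the surrounding lines.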

There's also an already patched version available here http://www.anomalistic.org/vpnclient/vpnclient-linux-4.0.3.B-k9.tar.gz which includes also some other cleanups for Debian installation but it should also work with gentoo I think!

However, patches to kernel files should be avoided whenever it is possible and so technically, the second solution is a lot better and I would recommend to try patching the CISCO-Client first and only patch the kernel if it didn't work!

----------

## ponds

Does anyone know if there is a way to get the new version other than through your VPN provider?  I know that portage used to make you fetch it manually from their site, and I assume it still does (I am computerless at the moment, waiting for ibm to ship my new laptop). 

My university requires VPN client, and has some old version (like 3.2 or something), which definitely does not work with 2.6, and getting them to get the new version for us is going to be an uphill battle.

----------

## denniruz

When I have something interactive that I need to start, I use a perl script and the expect perl module to do it-- It's not an elegant solution, but it works.

--Dennis

 *Berni wrote:*   

> 
> 
> I have a rather offtopic-question and would be glad if someone could help me:
> 
> The vpn-connection shall be started automatically by a shell script. However, this doesn't work fully automatically because of the following:
> ...

 

----------

## Berni

Yeah thanks. I already figured that out (but I'm just using "normal" expect and not the perl expect). My script to answer looks like that

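```
#!/usr/bin/expect

# Wait indefinitely for each expected pattern
set timeout -1

spawn vpnclient connect wlan

# Answer the "Do you wish to continue? (y/n):" prompt
expect "(y/n):"
send "y\n"

wait

expect "Your VPN connection has been terminated."

exit 0
```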

----------

## denniruz

hehe-- Slick. Thanks for the info.

 *Berni wrote:*   

> Yeah thanks. I already figured that out (but I'm just using "normal" expect and not the perl expect). My script to answer looks like that
> 
> ```
> #!/usr/bin/expect
> 
> ...

 

----------

## tbender

Hi

I downloaded and compiled (on my linux2.6.3-system) the modified vpn-client (which was linked above).  This new client now does not lock my comp and I can connect normally to the vpn-gateway... It seems that I can do everything normally, EXCEPT for dns-resolution!

The second solution posted, has the same problems....

Has anybody made similar experiences?

Thanx in advance,

   Tobias.

----------

## joyman

I can confirm that the patch-version mentioned as second solution from Berni works for me (I didn't download the patched vpn-client-file, but ran the patch myself). I used a kernel 2.6.4-rc1.

I didn't have any problems with DNS-Resolution so far.

Try it again with that one. If you need more details please ask.

----------

## synack1337

I emerged the -r3 ebuild for the cisco vpn client and it works great w/ gentoo-dev sources for 2.6.4....except for dns resolution.

i am able to ping/ssh/http to devices across the tunnel, but dns does not work.  This includes direct dig/nslookup against the servers.   The correct servers are listed in resolv.conf.

other udp traffic doesn't appear to work either (snmp queries)

i've verified that my traffic is reaching the other side, but it's not coming back to me.  I will do more research on this.  my windows client works fine.

if anyone has any info, please contribute.

----------

## synack1337

so check this out;

I was doing some snoops on the destination dns server.  As I was looking through the packet details of my captured dns query, I see that the UDP checksum was incorrect.

I stepped back to the egress port of the last firewall the packets cross before hitting the dns server and did a capture, and again, incorrect udp checksum.

I took another step back and captured on the ingress port of this firewall, and again, incorrect udp checksum.

To eliminate the vpn tunnel, i did a local dns query w/ my local dns server and guess what...incorrect udp checksum.  But I at least got a response from my query.  (local dns server is a windows box, dns server across vpn is solaris/bind)

Is it a dns thing?  I did a snmpwalk...and again incorrect udp checksum.   

so either ethereal/libpcap has problems capturing udp packets, or something is broke elsewhere.

2.6.4-gentoo

libpcap 0.8

ethereal 10.2

3c59x.0 

I'm not sure where I'm going to head next.  I did some captures of a dnsquery on my windows box w/ winpcap 3.0 and ethereal 10.2 and the udp checksum is valid.  Is this a known bug? maybe it's cosmetic and there is something else wrong.   not sure, but  i'll poke around the libpcap/ethereal site.   

if you have any suggestions, let's hear 'em
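The check a capture tool applies when it reports an "incorrect udp checksum", written out as an added Python example that is not part of the original post: the one's-complement sum over the IPv4 pseudo-header, UDP header and payload (RFC 768). The addresses, ports and DNS query below are constructed sample values, and the function names are this example's own.

```python
import socket
import struct

UDP_PROTO = 17
SRC, DST = "192.0.2.10", "198.51.100.53"   # constructed documentation addresses


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: both addresses, a zero byte, the protocol, the UDP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, UDP_PROTO, udp_len))


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum a sender should store; the segment's own checksum field is ignored."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    csum = ~total & 0xFFFF
    return csum or 0xFFFF                    # 0 on the wire means "no checksum"


def build_udp(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Build a UDP header plus payload with a correct checksum."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return header[:6] + struct.pack("!H", csum) + payload


def check_udp(src_ip: str, dst_ip: str, segment: bytes):
    """Return (verdict, stored, expected) for one captured UDP segment."""
    if len(segment) < 8:
        return ("truncated", None, None)
    _sport, _dport, length, stored = struct.unpack("!HHHH", segment[:8])
    if length != len(segment):
        return ("length-mismatch", stored, None)
    expected = udp_checksum(src_ip, dst_ip, segment)
    if stored == 0:                          # sender chose not to checksum (IPv4 only)
        return ("no-checksum", stored, expected)
    return ("ok" if stored == expected else "bad", stored, expected)


def dns_query(name: str, qid: int = 0x1234) -> bytes:
    """Constructed DNS A-record query used as sample payload."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", 1, 1))


def run_demo() -> dict:
    """Check one good datagram and three altered copies of it."""
    good = build_udp(SRC, DST, 40000, 53, dns_query("example.org"))
    flipped = good[:-1] + bytes([good[-1] ^ 0x01])       # one payload bit changed
    unchecked = good[:6] + b"\x00\x00" + good[8:]        # checksum field zeroed
    return {
        "as sent": check_udp(SRC, DST, good)[0],
        "payload bit flipped": check_udp(SRC, DST, flipped)[0],
        # Same bytes, different source address: the pseudo-header ties the
        # checksum to the IP addresses, so a rewritten address invalidates it.
        "source address changed": check_udp("192.0.2.99", DST, good)[0],
        "checksum field zero": check_udp(SRC, DST, unchecked)[0],
    }


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:24s} {verdict}")
```

A receiver can equivalently sum the pseudo-header and the whole segment including the stored checksum; a valid datagram folds to 0xFFFF.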

----------

## synack1337

the goal is to keep finding stuff out till someone just posts and tells me what the specific problem is  :Smile:  (and how to fix it)

so, 2.4.22-r7's udp packets pass checksum.  same ver of all other utils.

this also means that dns worked for me across the tunnel (read as: the dns server accepted the packets because they had a correct checksum)

2.6.5-rc1 does not.  (i thought it was worth a shot with all those network driver updates )

so, something broke in 2.6.4+ w/ the net drivers/stack it seems.  I'm guessing here, but what else is there?

----------

## d33k

Any update snizack?

----------

## synack1337

other than a workaround, sadly no.

I was able to get proper checksum'd udp packets by compiling iptables into the kernel and doing an any any outbound rule.  and everything works now.

I guess this should be mentioned to one of the maintainers for either the net code or driver code for 3c59x on 2.6.x.  Not sure of the best way to go about it..

-"snizack"

----------

## kamilian

On the topic of the Cisco VPN Client, has anyone else had this problem show up? Better yet, anyone know how to fix it? (The best I could find for something similar was to install lib-compat and I have lib-compat-1.3 installed).

```
Cobra root # vpnclient connect ic
Cisco Systems VPN Client Version 4.0.3 (B)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.3-gentoo-r1 #1 Sun Feb 22 16:29:28 GMT 2004 i686

cvpnd: relocation error: cvpnd: symbol _res, version GLIBC_2.0 not defined in file libc.so.6 with link time reference
```

Could this be an issue with 2.6 kernel headers? NPTL? Other?

I have both 2.6 kernel headers installed and nptl enabled in glibc.

```
Cobra root # etcat -v linux-headers
*  sys-kernel/linux-headers-2.6.0 :
        [  I] 2.6.0 (0) OVERLAY
```

```
Cobra root # etcat -u glibc
 U I [ Found these USE variables in : sys-libs/glibc-2.3.2-r3 ]
 + + nls   : unknown
 - - pic   : unknown
 - - build : !!internal use only!! ....
 + + nptl  : unknown
```

My relevant emerge info:

```
Cobra root # emerge --info
Portage 2.0.50-r1 (default-x86-1.4, gcc-3.3.2, glibc-2.3.2-r3, 2.6.3-gentoo-r1)
=================================================================
System uname: 2.6.3-gentoo-r1 i686 Intel(R) Pentium(R) 4 CPU 2.66GHz
Gentoo Base System version 1.4.3.13
Autoconf: sys-devel/autoconf-2.58-r1
Automake: sys-devel/automake-1.7.7
CFLAGS="-march=pentium4 -mmmx -msse -msse2 -mfpmath=sse -Os -pipe"
```

----------

## X-Frog

 *synack1337 wrote:*   

> other than a workaround, sadly no.
> 
> I was able to get proper checksum'd udp packets by compiling iptables into the kernel and doing an any any outbound rule.  and everything works now.
> 
> I guess this should be mentioned to one of the maintainers for either the net code or driver code for 3c59x on 2.6.x.  Not sure of the best way to go about it..
> ...

 

And it works!

Thank you!

I didn't have iptables installed (kernel modules, yes, but not iptables itself)  and my DNS resolution wasn't working as well as my connections to our KVM IP (all UDP).

Now everything is ok!

----------

## synack1337

Glad it worked for you.

Now we need to get this in front of a maintainer so we don't need iptables.

----------

## blscreen

Because of the problems with the Cisco VPN client and recent kernels I switched to the opensource client vpnc. It uses the kernel TUN/TAP device and works great for me.

----------

## theche

where's the option for enabling the TUN/TAP device driver??

----------

## blscreen

In 2.6.x:

Device Drivers -> Networking support -> Network device support -> Universal TUN/TAP device driver support

----------

## theche

```
root@marco mac # vpnc
vpnc: error while loading shared libraries: libgcrypt.so.1: cannot open shared object file: No such file or directory
```

what am i doing wrong??

I did

ACCEPT_KEYWORDS="~x86" emerge vpnc, edited the /etc/vpnc.conf to fit to my university's vpn network...

----------

## blscreen

Seems like some dependency problem. Try to first emerge sync, reemerge dev-libs/libgcrypt and then net-misc/vpnc. 

libgcrypt should have been merged together with vpnc though.

----------

## theche

exactly...

didn't work

same error.

should I start vpnc as root or as a user? when doing so:

```
bash-2.05b$ vpnc
Secure memory is not locked into core
vpnc: IKE DH Group "dh2 " unsupported
```

don't know how to interpret this

my vpnc.conf:

```
more /etc/vpnc.conf
Interface name vpn0
IKE DH Group dh2
Perfect Forward Secrecy nopfs
IPSec gateway vpn.uni-mannheim.de
IPSec ID <+++>
IPSec secret <+++>
Xauth username<+++>
```

IKEDHGroup: what values are possible??

Last edited by theche on Sun Apr 18, 2004 12:23 pm; edited 1 time in total

----------

## blscreen

This doesn't seem to be related to any of the errors you receive, but I just tried vpnc on a gentoo box the first time (the other was debian), and devfsd made a wrong symlink /dev/net/tun->/dev/net/misc/net/tun which doesn't exist and should be /dev/misc/net/tun instead. 

If this is true for you, you should add the following lines early in your /etc/devfsd.conf and send a SIGHUP to devfsd:

```
REGISTER   ^misc/net/tun$  CFUNCTION GLOBAL unlink   net/tun
REGISTER   ^misc/net/tun$  CFUNCTION GLOBAL symlink  /dev/$devname net/tun
UNREGISTER ^misc/net/tun$  CFUNCTION GLOBAL unlink   net/tun
```

 *theche wrote:*   

> should I start vpnc as root or as an user?

  Definitely as root.

Sorry, can't help you with the IKE DH problem... possible values are dh1,dh2 and dh5.

Here is my config:

```
Interface name tun0
IKE DH Group dh2
Perfect Forward Secrecy nopfs
IPSec gateway ipsec-rz.vpn.uni-freiburg.de
IPSec ID <blanked>
IPSec secret <blanked>
Xauth username <blanked>
```

As for the libgcrypt problem: maybe

```
strace vpnc &> /root/vpnc-strace
```

 can give you a hint about what's going on there.

----------

## theche

Actually, we could speak German... couldn't we?

I don't know whether there is a symlink...the directory net in /dev/ doesn't exist...and in /dev/misc/ there is no directory net...perhaps I messed something up with the TUN/TAP device driver??

```
output strace: (excerpt)
open("/lib/i686/mmx/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686/mmx", 0xbfffed58)     = -1 ENOENT (No such file or directory)
open("/lib/i686/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686", 0xbfffed58)         = -1 ENOENT (No such file or directory)
open("/lib/mmx/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/mmx", 0xbfffed58)          = -1 ENOENT (No such file or directory)
open("/lib/libgcrypt.so.1", O_RDONLY)   = -1 ENOENT (No such file or directory)
stat64("/lib", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/usr/lib/i686/mmx/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/i686/mmx", 0xbfffed58) = -1 ENOENT (No such file or directory)
open("/usr/lib/i686/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/i686", 0xbfffed58)     = -1 ENOENT (No such file or directory)
open("/usr/lib/mmx/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/mmx", 0xbfffed58)      = -1 ENOENT (No such file or directory)
open("/usr/lib/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
```

That's right, the directories really aren't there in that form...

```
find / -name *libgcrypt*:
/usr/bin/libgcrypt-config
/usr/lib/libgcrypt.so.11
/usr/lib/libgcrypt.so
/usr/lib/libgcrypt.so.7
/usr/lib/libgcrypt-pthread.so.11
/usr/lib/libgcrypt.la
/usr/lib/libgcrypt.a
/usr/lib/libgcrypt.so.11.0.0
/usr/lib/libgcrypt-pthread.so.11.0.0
/usr/lib/libgcrypt-pthread.so
/usr/lib/libgcrypt-pthread.so.7
/usr/lib/libgcrypt-pthread.la
/usr/lib/libgcrypt-pthread.a
```

They are probably somewhere else, and I don't see libgcrypt.so.1 either.

what shall I do?

symlinks?

----------

## blscreen

 *theche wrote:*   

> Actually, we could speak German... couldn't we?

  I think we should stick to English, as some users searching the forum might have similar problems  :Wink: 

 *theche wrote:*   

> I don't know whether there is a symlink...the directory net in /dev/ doesn't exist...and in /dev/misc/ there is no directory net...perhaps I messed something up with the TUN/TAP device driver??

  Is the module loaded? Are you using devfs? Otherwise you have to create the node. Check dmesg for a line 

```
Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
```

 Without the proper character device, which is major 10 and minor 200, nothing is going to work.

I can give you some info about my setup, hope it helps:

```
# qpkg -l vpnc
net-misc/vpnc-0.2_pre7 *
CONTENTS:
/usr
/usr/bin
/usr/bin/vpnc
/usr/bin/vpnc-connect
/usr/bin/vpnc-disconnect
/usr/share
/usr/share/doc
/usr/share/doc/vpnc-0.2_pre7
/usr/share/doc/vpnc-0.2_pre7/ChangeLog.gz
/usr/share/doc/vpnc-0.2_pre7/README.gz
/usr/share/doc/vpnc-0.2_pre7/TODO.gz
/usr/share/doc/vpnc-0.2_pre7/VERSION.gz
/etc
/etc/vpnc.conf

# ldd /usr/bin/vpnc
        linux-gate.so.1 =>  (0xffffe000)
        libgcrypt.so.11 => /usr/lib/libgcrypt.so.11 (0x4002a000)
        libgpg-error.so.0 => /usr/lib/libgpg-error.so.0 (0x40084000)
        libc.so.6 => /lib/libc.so.6 (0x40088000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x401b4000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

# qpkg -l libgcrypt
dev-libs/libgcrypt-1.1.92 *
CONTENTS:
/usr
/usr/bin
/usr/bin/libgcrypt-config
/usr/lib
/usr/lib/libgcrypt.so.11.0.0
/usr/lib/libgcrypt.so.11 -> libgcrypt.so.11.0.0 1082225985
/usr/lib/libgcrypt.so -> libgcrypt.so.11.0.0 1082225985
/usr/lib/libgcrypt.la
/usr/lib/libgcrypt.a
/usr/lib/libgcrypt-pthread.so.11.0.0
/usr/lib/libgcrypt-pthread.so.11 -> libgcrypt-pthread.so.11.0.0 1082225985
/usr/lib/libgcrypt-pthread.so -> libgcrypt-pthread.so.11.0.0 1082225985
/usr/lib/libgcrypt-pthread.la
/usr/lib/libgcrypt-pthread.a
/usr/lib/libgcrypt.so.7 -> libgcrypt.so.11 1082225985
/usr/lib/libgcrypt-pthread.so.7 -> libgcrypt-pthread.so.11 1082225985
/usr/include
/usr/include/gcrypt.h
/usr/include/gcrypt-module.h
/usr/share
/usr/share/aclocal
/usr/share/aclocal/libgcrypt.m4
/usr/share/info
/usr/share/info/gcrypt.info.gz
/usr/share/doc
/usr/share/doc/libgcrypt-1.1.92
<snip some more docs here>
/usr/lib/libgcrypt-pth.so.7 -> libgcrypt-pth.so.11 1082225985

<snip strace output>
open("/usr/lib/libgcrypt.so.11", O_RDONLY) = 3   <- This is how it should be ;)
<snip>

USE="X aalib alsa apm arts avi berkdb cdr crypt cups directfb dvd encode esd fbcon foomaticdb gdbm gif gphoto2 gpm gtk gtk2 imlib java jpeg libg++ libwww mad matrox mikmod motif mozilla mpeg nas ncurses nls oggvorbis opengl oss pam pdflib perl png python qt quicktime readline sasl scanner sdl slang spell ssl stroke svga tcltk tcpd tetex truetype usb video_cards_matrox x86 xinerama xml2 xmms xv zlib"
```

For some reason your vpnc is compiled with the wrong library versions. You could file a bug report or try to compile it from the original package manually.

----------

## theche

Universal TUN TAP driver is in the kernel (no module)

in dmesg appears the corresponding entry

yes, I do use devfs

 *Quote:*   

> 
> 
> Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky	
> 
> Without the proper character device, which is major 10 and minor 200, nothing is going to work.
> ...

 

??

I don't have crypt in USE <--?

and the rest is silence 'cause I don't know what to do with this kind of information

how do I 'file' a bug report?

----------

## LostControl

Has anyone tried to use cisco-vpnclient-3des-4.0.3b-r3 with kernel 2.6.6-rc1 ?

Everything works using kernel 2.6.5 but no success with 2.6.6-rc1  :Sad:  Maybe something changed in the new kernel which broke cisco-vpnclient-3des !? As for 2.6.2...

----------

## Corpse2

I managed to get the vpnclient-linux-4.0.3.B-k9.tar.gz working on my 2.6.5-rc1 kernel.  :Very Happy:   I think it's the patched version mentioned before.

Only one problem, I don't know why it works all of a sudden while it wouldn't work at first.  :Embarassed:   I've been fooling around first with a few different versions and vpnc without luck. But there is one thing I remember that I did: I found somewhere in another thread  something about which things are needed in the kernel, some things in cryptography that are needed by IPsec and some other things. 

 *Quote:*   

> In order to make the IPsec work with the 2.6 Kernel, you need PF Key, AHS Transformations, ESP Transformations, IPsec user config interface, and all the cryptos... 

 

Concerning the crypto's, the help of these items mention a few times  something about IPSec, those are the ones you need I think. I don't think I chose any others.

Although I still have one problem   :Evil or Very Mad:  , when connected I can't figure out how to define routes (for the client). when you do a 

```
vpnclient stat
```

 it ends with the configured routes, containing only zeroes  :Confused: 

Or is it possible to route traffic to the hidden cipsec0? (ifconfig -a shows it)

----------

## vdp

 *Corpse2 wrote:*   

> I managed to get the vpnclient-linux-4.0.3.B-k9.tar.gz working on my 2.6.5-rc1 kernel.   I think it's the patched version mentioned before.
> 
> ...
> 
> Although I still have one problem   , when connected I can't figure out how to define routes (for the client). when you do a 
> ...

 

This is the normal behavior - I have version 4.0.1a working on another machine with kernel 2.4.x and it does the same thing.

I have slightly different problem - when I use eth0, the vpn client works fine; when I try to use the wlan0 interface, i cannot exchange large amounts of data, and rdesktop times out. This is with wlan-ng 0.2.1-pre20 and kernel 2.6.5-rc1

----------

## kevin_barsby

Firstly I'm a noob to Gentoo forums so please forgive any lapses of netiquette.

I've just emerged the latest (4.0.3.B) ebuild of vpnclient and apart from having to rebuild the digest it compiled and installed ok.

I seem to be having the DNS problem some people have mentioned, i.e. I can run the module and connect quite happily, but couldn't get anywhere on the network, I tried pinging the machine I was connected to and that seemed ok, I guess if I'd tried going elsewhere on the network by ip address only that would have worked too.

How have people got around this problem? I read somewhere compiling in IP tables and creating an ANY->ANY rule would fix this, is this still people's favoured solution.

Cheers

Kev

----------

## kevin_barsby

I spent a frustrating morning trying various solutions on this and other forums. The upshot is everything I tried seemed to take a step back from where I am currently.

I have:

Kernel - 2.6.5

vpnclient - 4.0.3-B-K9 (vanilla patched via the Gentoo ebuild)

It starts, connects quite happily but DNS seems to be broken. Everything is fine by IP address.

Current workaround is to lob all the servers I need into /etc/hosts

The solutions / workarounds I've tried are:

- Compiling in iptables and setting up ANY->ANY OUTPUT rule: This resulted in the situation where the module would load, but any attempt to connect failed, module seems to hang for a bit then times out

- Various Kernel switches (I didn't have the IPSEC stuff in the kernel, I do now) : Made no difference

- Regressing to Kernel 2.6.1: No difference

I haven't tried a 2.4 kernel yet, but that is going to require a system rebuild which I don't really have time for ATM.

Has anyone got any suggestions?

----------

## AlterEgo

I'm trying to get net-misc/cisco-vpnclient-3des-4.0.3b-r4 working on 2.6.6.

I get stuck at:

```
/etc/init.d/vpnclient start
 * Starting Cisco VPN Client...
 * Failed to load module cisco_ipsec
```

Can someone give me a lsmod of the modules needed?

[edit]

Just tested in 2.6.5: it does work there   :Question:

Last edited by AlterEgo on Tue May 11, 2004 9:48 pm; edited 1 time in total

----------

## Berni

What does dmesg tell (or your syslog)? Did you enable the crypt modules+tun modules in your kernel config?

----------

## kevin_barsby

I noticed in the new 2.6.6 kernel changelog there are some patches to crc related stuff from people whose email address reads (@cisco.com).

I haven't tried it yet, but I'll post here if it fixes the dns problem

----------

## enkil

@AlterEgo: I had the same problems using Kernel 2.6.6, too, but I use vpnclient-version 4.0.4(A).

Problem seems to be the following code in the init-script:

```
/sbin/insmod ${PC}/${VPNMOD} >/dev/null 2>&1
```

I looked at cisco's original init-script that was packed with the client and modified the gentoo-init-script (cisco's doesn't look nice  :Wink: ). I'm not sure about licensing-stuff concerning init-scripts, so i don't post a patch here...

You just have to do a insmod this way:

${VPNMOD} is mostly cisco_ipsec, just change it to cisco_ipsec.ko

Works fine for me...

My .diff would do a better job  :Wink: 

----------

## AlterEgo

That did not help me   :Crying or Very sad: 

/lib/modules/2.6.6/CiscoVPN/cisco_vpn is not a .ko file after emerging.

I also cannot get the modules insmodded manually.

I use the same config as 2.6.5, where it works flawlessly.

----------

## enkil

I think it should be a .ko-file...

```
ls /lib/modules/2.6.6/CiscoVPN/               
cisco_ipsec.ko
```

I would suggest, that you try to install the vpnclient manually... Just unpack it and run the vpn_install-script...

<edit>

almost forgot: If you use Kernel 2.6.x and vpnclient < 4.0.4(A) and install it manually, don't forget to patch the interceptor.c using:

/usr/portage/net-misc/cisco-vpnclient-3des/files/register_netdevice.patch

----------

## handsomepete

Replying to bookmark - just ignore me.

----------

## infirit

 *handsomepete wrote:*   

> Replying to bookmark - just ignore me.

 

I will   :Wink: 

For all of you having problems with kernel 2.6.6 and vpnclient see this thread.

----------

## whschwartz

How do I fix the digest?

```
schwartz@gentoo schwartz $ sudo emerge cisco-vpnclient-3des
Calculating dependencies ...done!
>>> emerge (1 of 1) net-misc/cisco-vpnclient-3des-4.0.3b-r4 to /

!!! File is corrupt or incomplete. (Digests do not match)
>>> our recorded digest: 0f5cc298818b311b3a2b7cdc7430eda8
>>>  your file's digest: 9b91f828a4df744fb67421a0a4b29401
!!! File does not exist: /usr/portage/distfiles//vpnclient-linux-4.0.3.B-k9.tar.gz

schwartz@gentoo schwartz $
```

----------

## kevin_barsby

 *whschwartz wrote:*   

> How do I fix the digest?
> 
> 

 

Like this:

```
cd /usr/portage/net-misc/cisco-vpnclient-3des
ebuild cisco-vpnclient-3des-4.0.3b-r4.ebuild digest
```

Then try the emerge again.

This will get broken each time you do an emerge sync though, I'm sure it's cleaner to make your own ebuild and keep it in /usr/local/portage but this is quicker.

----------

## kevin_barsby

Update: Kernel 2.6.7 breaks things more!

I've just tried the kernel 2.6.7 with vpnclient 4.0.4b and not only do dns packets not get through, but you only seem to be able to ping the machine you're connected to.

Dropping back to kernel 2.6.5-r1 means I can see the world via IP address, just not by DNS name.

Anyone with any helpful config ideas that haven't been mentioned in this thread...?

----------

## R!tman

What about 4.0.4a? Why isn't it in portage already? Somewhere I read, it should work with kernels >=2.6.7.

----------

## danii

Hi I'm using my University's VPN and I want to use it only for HTTP and still be able to connect to Peer2Peer networks using my normal internet connection, because the VPN doesn't allow access to such networks.

Is it possible???

Thanks

----------

