# using cisco vpnclient!!!

## diff

Hi 

Wondering if there is someone out there who has tried the Cisco vpnclient on Gentoo.

I have quite some problems with it  :Sad: 

/Rene

----------

## rojaro

Well, I don't know about the Cisco VPN client, but I've been messing around with FreeS/WAN for some time now and actually found out that it works perfectly with all kinds of VPNs. I got it successfully running with Nokia IP330, Cisco PIX and other firewall / VPN solutions. So, if you don't get the Cisco client working, try FreeS/WAN.

Anyway, instead of asking if someone has the client in use, you should just tell us your problem with it :)

----------

## diff

Well, I think it's a kernel problem. I'm using the 2.4.19-gentoo-r5 kernel.

When I try to load the cisco-vpn module I get the following error:

```
preslap vpnclient # insmod /lib/modules/2.4.19-gentoo-r5/CiscoVPN/cisco_ipsec
/lib/modules/2.4.19-gentoo-r5/CiscoVPN/cisco_ipsec: unresolved symbol _mmx_memcpy
/lib/modules/2.4.19-gentoo-r5/CiscoVPN/cisco_ipsec: unresolved symbol get_fast_time
/lib/modules/2.4.19-gentoo-r5/CiscoVPN/cisco_ipsec: 
Hint: You are trying to load a module without a GPL compatible license
      and it has unresolved symbols.  Contact the module supplier for
      assistance, only they can help you.
```

Maybe you can see what might be the problem  :Wink: 

/Rene

----------

## klieber

 *diff wrote:*   

> Hint: You are trying to load a module without a GPL compatible license and it has unresolved symbols.  Contact the module supplier for assistance, only they can help you.

 

These kinds of errors usually indicate that the program you're trying to install requires a kernel module.  What do the cisco docs say about kernel requirements?  Anything about modules?

--kurt

----------

## bigcheese

I've used the Cisco VPN client (3.5) successfully on several occasions, so I have a couple of questions for you.

1.) Since you installed the VPN client, have you recompiled the kernel?

2.) If you have recompiled the kernel, have you "reinstalled" the vpn client by running the vpn_install script?

-michael

----------

## diff

I have just tried to recompile my and got the following error:

```
make[1]: Leaving directory `/usr/src/linux-2.4.19-gentoo-r5/arch/i386/lib'
cd /lib/modules/2.4.19-gentoo-r5; \
mkdir -p pcmcia; \
find kernel -path '*/pcmcia/*' -name '*.o' | xargs -i -r ln -sf ../{} pcmcia
if [ -r System.map ]; then /sbin/depmod -ae -F System.map  2.4.19-gentoo-r5; fi
depmod: *** Unresolved symbols in /lib/modules/2.4.19-gentoo-r5/CiscoVPN/cisco_ipsec
depmod:         get_fast_time
make: *** [_modinst_post] Error 1
preslap linux # 
```

It's after I have installed the cisco-vpnclient   :Sad:
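The check that `insmod` and `depmod` fail in the posts above can be reproduced by hand, as an added example that is not part of the original thread: list the symbols a module needs that the kernel symbol table does not provide. The two symbol lists are constructed samples; on a 2.4 system they would come from `nm -u` on the module object and from `/proc/ksyms`, and the function assumes both use the same naming (no symbol-version suffixes).

```shell
#!/bin/sh
# List symbols a module needs that the kernel symbol table does not export.
#   $1: `nm -u module` output, lines like "         U name"
#   $2: /proc/ksyms-style table, lines like "address name [owner]"
# Assumption: names in both files are unversioned (no _Rxxxxxxxx suffixes).
missing_symbols() {
    awk '
        # Pass 1 (symbol table): remember every exported name.
        FILENAME == ARGV[1] { exported[$2] = 1; next }
        # Pass 2 (module): print undefined symbols with no matching export.
        $1 == "U" && !($2 in exported) { print $2 }
    ' "$2" "$1" | LC_ALL=C sort
}

# Constructed sample data (not captured from a real system): the module
# still calls get_fast_time, while the kernel only offers do_gettimeofday.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/needed" <<'EOF'
         U _mmx_memcpy
         U get_fast_time
         U printk
         U skb_put
EOF
    cat > "$tmp/ksyms" <<'EOF'
c0112a40 printk
c011d3b0 do_gettimeofday
c01f8e20 skb_put
EOF
    missing_symbols "$tmp/needed" "$tmp/ksyms"
    rm -rf "$tmp"
}

demo
```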

----------

## Denman120

Yes yes yes, it's possible to use Linux (Gentoo) with vpnclient and it works fine. The only thing you're missing is a patch for kernels newer than 2.4.18, so after that the kernel-mod will be built correctly (see below). Can't remember how I've added this, but it should be straightforward using the standard patch-tools.

I don't know if your company has provided any profiles; these can be copied to /etc/CiscoSystemsVPNClient/Profiles

Good luck!

diff -u -r vpnclient.orig/linuxcniapi.c vpnclient/linuxcniapi.c

--- vpnclient.orig/linuxcniapi.c	Mon Nov 26 02:19:26 2001

+++ vpnclient/linuxcniapi.c	Thu Mar  7 20:43:36 2002

@@ -1282,8 +1282,11 @@

         rc = CNI_W_OUT_OF_DESCRIPTORS;

     } else {

         /* move the data into the packet */

+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,4,1 :Cool: 

         get_fast_time(&skb->stamp);

-

+#else

+        do_gettimeofday(&skb->stamp);

+#endif

         pIP = skb_put(skb, lpPacketDescriptor->uiPacketSize);

         CniGetPacketData(Packet, 0, lpPacketDescriptor->uiPacketSize, pIP);
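
Review bot: The first added line of this hunk, `+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,4,1 :Cool:`, is not valid preprocessor input as posted: the macro call has no closing parenthesis and the end of its last argument has been replaced by forum smiley markup, so the file will not compile with the hunk applied as shown. It needs to read `#if LINUX_VERSION_CODE < KERNEL_VERSION(2,4,18)`, as the poster corrects in the follow-up. The `@@ -1282,8 +1282,11 @@` header also declares one more line on each side than the hunk shows, so a context line was lost in pasting; regenerate the patch from the source tree instead of copying it from this page. Since the new condition depends on `LINUX_VERSION_CODE` and `KERNEL_VERSION`, check that `linuxcniapi.c` includes `<linux/version.h>`; nothing in the visible lines shows it.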

@@ -1400,7 +1403,11 @@

                    lpMacFragment->uiFragmentDataSize);

         }

+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,4,1 :Cool: 

         get_fast_time(&skb->stamp);

+#else

+        do_gettimeofday(&skb->stamp);

+#endif

         skb->dev = pBinding->pDevice;
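
Review bot: The `#if`/`#else`/`#endif` block around the timestamp call here duplicates the one in the previous hunk, including the same garbled `KERNEL_VERSION(2,4,1 :Cool:` line. Define the choice once near the top of the file, for example a single macro that expands to `get_fast_time` or `do_gettimeofday` depending on `LINUX_VERSION_CODE`, and use it at both call sites so a later kernel change needs one edit. The boundary also deserves a comment: with `< KERNEL_VERSION(2,4,18)` a 2.4.18 kernel itself takes the `do_gettimeofday` branch, while the post describes the patch as being for kernels newer than 2.4.18. Finally, the header `@@ -1400,7 +1403,11 @@` declares 7 old lines and only 4 are shown, so the hunk is cut short and will not apply as pasted.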

----------

## Denman120

These smileys shouldn't be there, of course   :Confused: 

These should be 

```
2.4.18)
```

----------

## diff

Thanks Denman120  :Wink: 

I won't try it before monday, but I'll report back then

/Rene

----------

## Denman120

Before I forget, also change the dirnames in the first lines of the patch-script, otherwise it won't patch, but you can figure that out yourselves....  :Smile: 

----------

## diff

OK thankz  :Wink: 

Well, just wondering, now that I'm using the gentoo kernel 2.4.19, should I also make changes in the diff for that?

/Rene

----------

## Denman120

If you are referring to the line with 

```
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,4,18)
```

then you do NOT have to change anything. I'm using 2.4.19 as well.

Just run the patch over the vpnclient-code and run the installation-script.

Then you'll see something like:

```
Starting /usr/local/bin/vpnclient...
Using /lib/modules/2.4.19-gentoo-r7/CiscoVPN/cisco_ipsec
Warning: loading /lib/modules/2.4.19-gentoo-r7/CiscoVPN/cisco_ipsec will taint the kernel: no license
 * Running iptables firewall and NAT protocol...
 * Resetting built-in chains to the default ACCEPT policy:...
access control disabled, clients can connect from any host
Cisco Systems VPN Client Version 3.5 (Rel)
Copyright (C) 1998-2001 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.19-gentoo-r7 #6 SMP Sun Jun 23 20:01:05 CEST 2002 i686
Initializing the IPSec link.
Contacting the security gateway at 1.2.3.4
Authenticating user.
User Authentication for blabla...
Enter Username and Password.
Username [someone]:
password
```

etc etc etc

As you can see, I've also disabled my iptables-script because I use xwindow-software on some of the machines on the domain I'm logging in to, as well as other things that should open ports.

Also a thing to notice is that when you are using this client, all other traffic is blocked, so no need to protect your ports since the connection to the internet is restricted to the vpn-server on the other side. (I've tried all the tricks in the book to go around this, but so far no success.) Also bear in mind that if your internet provider is blocking ports, you do need port 500 (outgoing) for authentication to the VPN-client. (My provider IS blocking everything outgoing below the 1024 range) but I got around it using postrouting with iptables :-)

----------

