# VPN connection to Cisco firewall

## Supermule

Hi,

In the past, I connected to various sites via Cisco's VPN software for Windows. I think the software connected to a Cisco 501, but I'm not sure about this... Anyways, the Windows software fired up a 128-bit VPN and let me access the servers on the other side...

Can I do this from Gentoo? I'd prefer something graphical... I need to connect and typically remote control W2000 servers through rdesktop.

I have searched portage but haven't found what I need yet... anyone?

regards,

Supermule

----------

## caffiend

well if it's just using IPSEC then try FreeSwan....

----------

## Plaz

It may depend on what model of firewall is running at the remote site, but Cisco supports a Linux client for at least their most popular model(s).  You should be able to get one from them if you got your Windows client that way.  There's no ebuild that I'm aware of.

I've found a few places that you can download Cisco VPN client software.  I'm not sure if they're legit or if they're supposed to be access controlled, but if you do some Google 'cisco linux vpn client' searches and dig a little, you can find them.

Here's a link that looks promising:

http://vpn.mednet.ucla.edu/downloads.htm

A few months ago, I was able to download one from a .edu in Oklahoma somewhere.  It wasn't difficult to configure, but it isn't graphical.  It simply makes your system seem like it's behind the firewall so you can reach the other systems via the network.  You would still need a Linux rdesktop client to control the W2k servers.

----------

## bretts5964

Okay, I've given up on deciphering the FreeSWAN configuration, and gone with the Cisco VPN for Linux.  It's working for me.  Here's how I did it...

I'm connecting to a Cisco VPN 3000 series concentrator from my home PC to make a secure connection that inserts my PC into the LAN at work.  So I can use my browser, terminal apps, etc. to do various admin on the servers at work.  The names have been changed for confidentiality reasons, so my public Cisco server is "zep" and my PC is "led".

Download the Cisco VPN client from your licensed distribution point, (perhaps make friends with your network admin at work).  My file is:  vpnclient-linux-3.7.2.Rel-k9.tar.gz

Follow the instructions in this document: CiscoVPNClientUserGuideforLinuxandSolaris.pdf

My system is running Gentoo Linux 2.4.20-gentoo-r5 sources.  So these steps worked for me.

Run the install script, accept the defaults except for the runlevel directories question, where the response is "/etc/init.d":

```
led vpnclient # ./vpn_install
Cisco Systems VPN Client Version 3.7.2 (Rel) Linux Installer
Copyright (C) 1998-2001 Cisco Systems, Inc. All Rights Reserved.

By installing this product you agree that you have read the
license.txt file (The VPN Client license) and will comply with
its terms.

Directory where binaries will be installed [/usr/local/bin]
Automatically start the VPN service at boot time [yes]
In order to build the VPN kernel module, you must have the
kernel headers for the version of the kernel you are running.
For RedHat 6.x users these files are installed in /usr/src/linux by default
For RedHat 7.x users these files are installed in /usr/src/linux-2.4 by default
For Suse 7.3 users these files are installed in /usr/src/linux-2.4.10.SuSE by default
Directory containing linux kernel source code [/lib/modules/2.4.20-gentoo-r5/build]
Directory containing runlevel directories (rcX.d): /etc/init.d

* Binaries will be installed in "/usr/local/bin".
* Modules will be installed in "/lib/modules/2.4.20-gentoo-r5/CiscoVPN".
* The VPN service will be started AUTOMATICALLY at boot time.
* Kernel source from "/lib/modules/2.4.20-gentoo-r5/build" will be used to build the module.
* Runlevels will be set in "/etc/init.d".

Is the above correct [y]

Making module
Create module directory "/lib/modules/2.4.20-gentoo-r5/CiscoVPN".
Copying module to directory "/lib/modules/2.4.20-gentoo-r5/CiscoVPN".
Creating start/stop script "/etc/init.d/vpnclient_init".
Enabling start/stop script for run level 3,4 and 5.
ln: creating symbolic link `/etc/init.d/rc3.d/S85vpnclient_init' to `/etc/init.d/vpnclient_init': No such file or directory
ln: creating symbolic link `/etc/init.d/rc4.d/S85vpnclient_init' to `/etc/init.d/vpnclient_init': No such file or directory
ln: creating symbolic link `/etc/init.d/rc5.d/S85vpnclient_init' to `/etc/init.d/vpnclient_init': No such file or directory
Creating VPN configuration file "/etc/CiscoSystemsVPNClient/vpnclient.ini".
Installing license.txt (VPN Client license) in "/etc/CiscoSystemsVPNClient/":
Installing bundled user profiles in "/etc/CiscoSystemsVPNClient/Profiles/":
* New Profiles     : sample
Copying binaries to directory "/usr/local/bin".
Setting permissions.
/usr/local/bin/cvpnd (setuid root)
/etc/CiscoSystemsVPNClient (world writeable)
/etc/CiscoSystemsVPNClient/Profiles (world writeable)
/etc/CiscoSystemsVPNClient/Certificates (world writeable)
* You may wish to change these permissions to restrict access to root.
* You must run "/etc/init.d/vpnclient_init start" before using the client.
* This script will be run AUTOMATICALLY every time you reboot your computer.
```

I cheated a bit by copying the contents of my Cisco configuration from the previously configured and working Windows directories, (but you can refer to the Cisco docs to create your certs and profiles if you don't have a prior config):

FROM: c:\Program Files\Cisco Systems\VPN Client\Certificates\*
TO:   /etc/CiscoSystemsVPNClient/Certificates/*

FROM: c:\Program Files\Cisco Systems\VPN Client\Profiles\*
TO:   /etc/CiscoSystemsVPNClient/Profiles/*

These files total to about 17k, so they should all fit on a DOS formatted floppy and can be copied to Linux from there.  I used MCOPY which is just a short download with "emerge mtools".  Then after copying, set the permissions so that they are writable by all users.

Contents of my connection profile file (the destination "Host" is replaced with zeros, and other proper names changed):

/etc/CiscoSystemsVPNClient/Profiles/office.pcf

```
[main]
Description=Office VPN
Host=0.0.0.0
AuthType=1
GroupName=troika
GroupPwd=
enc_GroupPwd=147CDC9CEB3C76E701299432D8F2894724821A75999921A5E6228D6ED5A082E4F9A9F4A5DEEBF4AC97ACC4C1031017DAF9E18C2195E24457
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=bretsm01
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=0
BackupServer=
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
SendCertChain=0
VerifyCertDN=
DHGroup=2
ForceKeepAlives=0
PeerTimeout=90
EnableLocalLAN=0
EnableSplitDNS=1
ForceNetLogin=-1
```

Recompile your kernel. (I left all my FreeSWAN/IPSEC modules enabled but not loaded, but perhaps it doesn't matter?):

```
led linux # cd /usr/src/linux
led linux # make menuconfig
led linux # make dep
led linux # make clean bzImage modules modules_install
led linux # mv /boot/bzImage /boot/bzImage.orig
led linux # cp /usr/src/linux/arch/i386/boot/bzImage /boot
```

Test the VPN module load:

```
led linux # /etc/init.d/vpnclient_init start
Starting /usr/local/bin/vpnclient: Warning: loading /lib/modules/2.4.20-gentoo-r5/CiscoVPN/cisco_ipsec will taint the kernel: no license
  See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Module cisco_ipsec loaded, with warnings
Done
```

Run this command to load the VPN module on every startup:

```
led linux # rc-update add vpnclient_init default
 * vpnclient_init added to runlevel default...
 * Caching service dependencies...                                        [ ok ]
 * rc-update complete.
```

After rebooting with the new kernel and module, check the status:

```
led root # /etc/init.d/vpnclient_init status
Module                  Size  Used by    Tainted: P
cisco_ipsec           377024   0  (unused)

cipsec0   Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          BROADCAST MULTICAST  MTU:1400  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
```

Notice that the MTU of the VPN defaults to 1400.  Since my connection is via cable modem, my connection's MTU is set to 1500 which allows some overhead for the security headers in each network packet, (somewhere under 100 in length apparently).

Finally, connect with this command, (I created a desktop shortcut with terminal enabled):

```
led root # vpnclient connect zep
Cisco Systems VPN Client Version 3.7.2 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.20-gentoo-r5 #3 SMP Fri Jul 11 07:57:09 PDT 2003 i686

Initializing the IPSec link.
Contacting the gateway at 0.0.0.0
User Authentication for zep...

Enter Username and Password.
Username [jimmyp]: jimmyp
Password []:
Authenticating user.
Negotiating security policies.
Securing communication channel.
Your link is secure.

IPSec tunnel information.
Client address: 0.0.0.0
Server address: 0.0.0.0
Encryption: 168-bit 3-DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is active on port UDP 10000
Local LAN Access is disabled
```

You may now move about the office LAN freely...

Disconnect with this command, (another desktop shortcut):

```
led root # vpnclient disconnect
Cisco Systems VPN Client Version 3.7.2 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.20-gentoo-r5 #3 SMP Fri Jul 11 07:57:09 PDT 2003 i686

Disconnecting the IPSEC link.
Your IPSec link has been disconnected.
```

It's not a pretty GUI, but then it's just a username and password that needs to be entered from here on out.

Enjoy!
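The installer output above ends with a hint that the config tree it creates (`/etc/CiscoSystemsVPNClient` and its `Profiles` and `Certificates` subdirectories) is left world writeable and that you "may wish to change these permissions to restrict access to root". The following shell script is an added example, not part of the forum post or of Cisco's client: it tightens those modes and checks a `.pcf` profile for saved cleartext credentials (a non-empty `GroupPwd=` or `UserPassword=`, or `SaveUserPassword=1`), which is the state the profile shown above is in (passwords empty, only `enc_GroupPwd` set). The default path and the profile keys come from the post; the demo at the end operates on a constructed temporary copy of the layout so it can run unprivileged, and the `enc_GroupPwd` value in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the forum post): restrict the Cisco VPN client
# config tree the installer leaves world writeable, and check a .pcf profile
# for saved cleartext credentials.

# Restrict the config tree to its owner. On a real system run this as root
# after vpn_install; the default path is the one the installer prints.
harden_vpn_config() {
    dir="${1:-/etc/CiscoSystemsVPNClient}"
    [ -d "$dir" ] || return 1
    chmod 700 "$dir"
    for sub in Profiles Certificates; do
        if [ -d "$dir/$sub" ]; then
            chmod 700 "$dir/$sub"
        fi
    done
    # Profiles and certificates become readable by the owner only.
    find "$dir" -type f -exec chmod 600 {} +
    return 0
}

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the profile keeps no cleartext or saved credentials,
# 1 when GroupPwd=/UserPassword= carry a value or SaveUserPassword=1,
# 2 when the file does not exist. enc_GroupPwd= is expected and ignored.
check_profile() {
    pcf="$1"
    [ -f "$pcf" ] || return 2
    if grep -Eq '^(GroupPwd|UserPassword)=.+' "$pcf"; then
        echo "cleartext password present in $pcf" >&2
        return 1
    fi
    if grep -Eq '^SaveUserPassword=1' "$pcf"; then
        echo "saved user password enabled in $pcf" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed copy of the installer's layout (runs unprivileged).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/Profiles" "$demo_dir/Certificates"
chmod 777 "$demo_dir" "$demo_dir/Profiles" "$demo_dir/Certificates"
cat > "$demo_dir/Profiles/office.pcf" <<'EOF'
[main]
Description=Office VPN
Host=0.0.0.0
GroupPwd=
enc_GroupPwd=PLACEHOLDER_ENCRYPTED_GROUP_PASSWORD
Username=someuser
SaveUserPassword=0
UserPassword=
EOF
harden_vpn_config "$demo_dir"
echo "$demo_dir mode: $(mode_of "$demo_dir")"
if check_profile "$demo_dir/Profiles/office.pcf"; then
    echo "profile keeps no cleartext credentials"
fi
rm -rf "$demo_dir"
```

On the real path the script needs root, since the installer's directories are owned by root; `chown -R root:root` is left out here only so the demo runs as an ordinary user. The setuid `cvpnd` binary still reads the profiles as root, so restricting them to root does not break the `vpnclient connect` step shown above.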

----------

## bretts5964

UPDATE:  I recently upgraded my kernel to 2.4.22, (I didn't upgrade to the 2.6 kernel yet), and this broke my Cisco VPN client, so I thought I'd post my solution, (which may have been an omission from the original steps I posted anyway).  If you don't have a license to use the latest VPN client version, or it's not supported where you work, then this will still be relevant to you.  Otherwise, there's a new ebuild net-misc/cisco-vpnclient-3des-4.0.3b-r2 in ports.

Just follow the original steps, noting during the install script that your new kernel version is displayed.  This will copy the VPN module file into your new kernel directory (/lib/modules/2.4.22-gentoo-r5/CiscoVPN).  Skip the certificates & profiles copy section since these files should be there from the previous install.  Then do the rest of the steps, and add the following at the end:

NEW:  Edit /etc/modules.autoload (this is really a symlink to /etc/modules.autoload.d/kernel-2.4) and put "cisco_ipsec" (without quotes) at the end of the file.  This will load the module automatically during boot.

----------

## Supermule

My apologies... I haven't been following the forums (not actively anyways) the past 5-6 months....

Thanks for your suggestions though.. I'll try out your success on my newly installed 2004.1

----------

