# Cisco VPN client and 2.6.7

## cuban

Hello, I just upgraded from 2.6.5 to 2.6.7 and now my Cisco VPN client won't work. 

The client and module recompiled fine, but when I do a 

```
/etc/init.d/vpnclient start 
```

 I get  

```
calculon cisco-vpnclient-3des # /etc/init.d/vpnclient start
 * Starting Cisco VPN Client...
 * Failed to load module cisco_ipsec
```

dmesg shows:

```
No module found in object
```

And finally:

```
calculon CiscoVPN # insmod -f cisco_ipsec
insmod: error inserting 'cisco_ipsec': -1 Invalid module format
```

Anyone have this client working? If not I'll have to downgrade to 2.6.5

TIA guys.

----------

## the_sphynx

I am getting that "Invalid Module Format" error as well on it with that same kernel.  Any ideas would be helpful.

----------

## cuban

This bites, I'd hate to go back to an insecure Kernel but I may have to.

I guess the latest gentoo-sources is backpatched

----------

## jlward4th

A bug has been reported:

https://bugs.gentoo.org/show_bug.cgi?id=54204

----------

## jlward4th

BTW: I just posted a fix in the bug report.  If you upgrade to cisco-vpnclient-3des-4.0.4a everything works in kernel 2.6.7.

----------

## R!tman

 *jlward4th wrote:*   

> BTW: I just posted a fix in the bug report. If you upgrade to cisco-vpnclient-3des-4.0.4a everything works in kernel 2.6.7.

 

This is not in portage, yet.

----------

## jlward4th

Nope.  But you can create a portage overlay dir.   :Smile: 

BTW: There is a better ebuild here:

https://bugs.gentoo.org/show_bug.cgi?id=52733

----------

## cuban

Just make sure you use /etc/portage/packages.keywords instead of ACCEPT_KEYWORDS.

----------

## R!tman

I tried both 4.0.4a and 4.0.4b ebuilds in an overlay dir. a did not work, b did not compile. Seems I will have to wait for the real portage version.

----------

## jlward4th

Try the new ebuild here: https://bugs.gentoo.org/show_bug.cgi?id=54204

If it doesn't work, let me know what errors you get.

----------

## Deejam

What's going on, people? 

I know you guys are talking about the 2.6.7 kernel but I tried this ebuild on a 2.6.5-gentoo-dev-r1

and got the following errors.

I typed the following 2 commands

```
root@jam-box deejam # ebuild /usr/portage/net-misc/cisco-vpnclient-3des/cisco-vpnclient-3des-4.0.4b.ebuild digest
>>> Generating digest file...
<<< vpnclient-linux-4.0.4.B-k9.tar.gz
>>> Generating manifest file...
<<< cisco-vpnclient-3des-4.0.3b-r3.ebuild
<<< cisco-vpnclient-3des-4.0.4b.ebuild
<<< cisco-vpnclient-3des-4.0.3b-r4.ebuild
<<< ChangeLog
<<< cisco-vpnclient-3des-4.0.1a-r1.ebuild
<<< metadata.xml
<<< files/atheros.patch
<<< files/4.0.1a-linux26-gentoo.patch
<<< files/register_netdevice.patch
<<< files/digest-cisco-vpnclient-3des-4.0.4b
<<< files/digest-cisco-vpnclient-3des-4.0.1a-r1
<<< files/digest-cisco-vpnclient-3des-4.0.3b-r3
<<< files/digest-cisco-vpnclient-3des-4.0.3b-r4
<<< files/vpnclient.rc
<<< files/driver_build_CC.patch
>>> Computed message digests.
```

and 

```
root@jam-box deejam # emerge /usr/portage/net-misc/cisco-vpnclient-3des/cisco-vpnclient-3des-4.0.4b.ebuild
Calculating dependencies ...done!
>>> emerge (1 of 1) net-misc/cisco-vpnclient-3des-4.0.4b to /
>>> md5 src_uri ;-) vpnclient-linux-4.0.4.B-k9.tar.gz
>>> Unpacking source...
>>> Unpacking vpnclient-linux-4.0.4.B-k9.tar.gz to /var/tmp/portage/cisco-vpnclient-3des-4.0.4b/work
>>> Source unpacked.
make -C /lib/modules/2.6.5-gentoo-r1/build SUBDIRS=/var/tmp/portage/cisco-vpnclient-3des-4.0.4b/work/vpnclient modules
make[1]: Entering directory `/usr/src/linux-2.6.5-gentoo-r1'
*** Warning: Overriding SUBDIRS on the command line can cause
***          inconsistencies
make[2]: `arch/i386/kernel/asm-offsets.s' is up to date.
  CC [M]  /var/tmp/portage/cisco-vpnclient-3des-4.0.4b/work/vpnclient/linuxcniapi.o
  CC [M]  /var/tmp/portage/cisco-vpnclient-3des-4.0.4b/work/vpnclient/frag.o
  CC [M]  /var/tmp/portage/cisco-vpnclient-3des-4.0.4b/work/vpnclient/IPSecDrvOS_linux.o
  CC [M]  /var/tmp/portage/cisco-vpnclient-3des-4.0.4b/work/vpnclient/interceptor.o
  LD [M]  /var/tmp/portage/cisco-vpnclient-3des-4.0.4b/work/vpnclient/cisco_ipsec.o
ACCESS DENIED  open_wr:   /usr/src/linux-2.6.5-gentoo-r1/.tmp_versions/cisco_ipsec.mod
/bin/sh: line 1: .tmp_versions/cisco_ipsec.mod: Permission denied
  Building modules, stage 2.
/usr/src/linux-2.6.5-gentoo-r1/scripts/Makefile.modpost:17: Trouble: /var/tmp/portage/nvidia-kernel-1.0.5336-r4/work/NVIDIA-Linux-x86-1.0-5336-pkg1/usr/src/nv/nvidia.ko
/usr/src/linux-2.6.5-gentoo-r1/scripts/Makefile.modpost:18: *** Uh-oh, you have stale module entries. You messed with SUBDIRS,
/usr/src/linux-2.6.5-gentoo-r1/scripts/Makefile.modpost:19: do not complain if something goes wrong.
make[1]: Leaving directory `/usr/src/linux-2.6.5-gentoo-r1'

!!! ERROR: net-misc/cisco-vpnclient-3des-4.0.4b failed.
!!! Function src_compile, Line 43, Exitcode 0
!!! Failed to make module 'cisco_ipsec'

--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/tmp/sandbox-net-misc_-_cisco-vpnclient-3des-4.0.4b-6877.log"

open_wr:   /usr/src/linux-2.6.5-gentoo-r1/.tmp_versions/cisco_ipsec.mod
--------------------------------------------------------------------------------
```

I am going to upgrade to the new kernel and see what happens, but I thought I would post these errors for you to see.

Deejam

----------

## Deejam

I upgraded to linux-2.6.7-gentoo-r6 and it compiled fine, but I could not load the module. modprobe says that it couldn't find the module.  I noticed that the ebuild names the init script vpnclient. Instead of trying to troubleshoot and fix the problem I unmerged it.  I then extracted vpnclient-linux-4.0.4.B-k9.tar.gz and ran the vpn_install script. 

I installed it to /usr/bin 

init files were placed in /etc/init.d

told it where the source was /lib/modules/2.6.7-gentoo-r6/build/

told it not to start up at boot (personal pref, and might not have worked)

Everything seemed to go OK. I noticed that the Cisco installer created an init script called vpnclient_init (instead of vpnclient from ebuild)

when I ran /etc/init.d/vpnclient_init start it loaded the module perfectly and vpn now works fine for me

sorry I was no help working with the ebuild, I needed to get some work done

take care

deejam

----------

## jlward4th

As noted in bug:

https://bugs.gentoo.org/show_bug.cgi?id=54204

The init script had to be slightly altered with the new version of the vpn client.

Thanks for giving it a try.

----------

## K-Dawg

A quick question.  Does the cisco-vpnclient-3des client support logging into Nortel Contivity VPN's?

----------

## b0fh

I compiled the 4.0.4b-ebuild with 2.6.7, although it doesn't load automatically when executing "vpnclient start", I can insmod it manually:

```
cisco_ipsec: module license 'Proprietary' taints kernel.

Cisco Systems VPN Client Version 4.0.4 (B) kernel module loaded

```

But I can't connect to my vpn (worked until 2.6.5):

```
Initializing the VPN connection.

Secure VPN Connection terminated locally by the Client

Reason: Failed to establish a VPN connection.

There are no new notification messages at this time.

```

Any ideas?

----------

## graadz

I am quite interested in the kernel settings from people who got the vpnclient working with kernel 2.6.7 (Please PM me).

I can connect to my VPN server, telnet/ftp etc. to servers/workstations on the other side using the IP numbers, but name lookups do not work. DNS is on the other side of the VPN and I do have a correct resolv.conf.

I tried resetting the MTU sizes to 1500 for eth0 and cipsec0, but that did not work for me. Also tried to use plain vanilla 2.6.7 sources (I am on the mm-sources tree) but also no solution. I tried both the 4.0.4.A and 4.0.4.B versions of the client.

Anyone else experiencing the same problem and have the solution?

BTW, when I use kernel 2.4 with the same configuration everything works fine.

GraadZ

 *Deejam wrote:*   

> I upgraded to linux-2.6.7-gentoo-r6 and it compiled fine, 
> 
> but I could not load the module. modprobe says that it couldn't find the module.  I noticed that the ebuild names the init script vpnclient. Instead of trying to troubleshoot and fix the problem I unmerged it.  I then extracted vpnclient-linux-4.0.4.B-k9.tar.gz and ran the vpn_install script. 
> 
> I installed it to /usr/bin 
> ...

 

----------

## sigSEGV2003

Graadz:  Try setting your tunneling protocol to TCP -- change TunnelingMode to 1 (I think) in your .pcf file.  I ran into the same problem (all UDP wasn't working), and IIRC this fixed it.

----------

## graadz

Thanks for your suggestion. Unfortunately it was in TCP mode all the time. This is one of my profiles:

```
[main]
!Description=Holland VPN 3000 gateway
!Host=**********
!AuthType=1
!GroupName=vpn
!GroupPwd=
Username=********
SaveUserPassword=0
EnableBackup=1
BackupServer=***********
EnableNat=1
TunnelingMode=1
TCPTunnelingPort=90
EnableLocalLAN=1
DHGroup=2
ForceKeepAlives=0
!enc_GroupPwd=***********************
PeerTimeout=90
UserPassword=
enc_UserPassword=
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPPhonebook=
ISPCommand=
NTDomain=
EnableMSLogon=1
MSLogonType=0
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
SendCertChain=0
```

... and here you can find the kernel config I use

I use a HW firewall. Removing my firewall also did not help.... and... it works with kernel 2.4 also with firewall.

G

 *sigSEGV2003 wrote:*   

> Graadz:  Try setting your tunneling protocol to TCP -- change TunnelingMode to 1 (I think) in your .pcf file.  I ran into the same problem (all UDP wasn't working), and IIRC this fixed it.


----------

## theone

Where do I get vpnclient-linux-4.0.4.B-k9.tar.gz ?

I do have a Version of 4.0.4A, but not for gentoo (incompatible init-Scripts...)

theone

----------

## wizzzard

You can either download it directly from Cisco, the URL is in the ebuild, but you'll have to register first at Cisco.

Or you could let Google give it a try, just search for the archive name you want, as far as I remember it's the fifth or sixth link.

Happy Huntin'  :Wink: 

P.S.: What do you mean with 'incompatible init-scripts'?

----------

## graadz

Registering at the Cisco site is not enough to download the software. You need to have some sort of $$$$upport contract apparently  :Sad: . Yet another reason to go for vpnc instead? 

BTW, the most recent Linux version is 4.0.4.B.

BTW2, the name lookup problem has probably something to do with the way kernel 2.6.7 (or actually post 2.6.1 kernels?) handles UDP. nslookup and dig in UDP mode don't work, however, if I force dig to use TCP then names are resolved:

```

# dig +tcp <fqdn>

```

or

```

# dig +tcp -x <ip_number>

```

I hope a new version of the cisco client will address the UDP issue.

GraadZ

 *theone wrote:*   

> Where do I get vpnclient-linux-4.0.4.B-k9.tar.gz ?
> 
> I do have a Version of 4.0.4A, but not for gentoo (incompatible init-Scripts...)
> 
> theone

 

----------

## ssj3strife

 *b0fh wrote:*   

> I compiled the 4.0.4b-ebuild with 2.6.7, although it doesn't load automatically when executing "vpnclient start", I can insmod it manually:
> 
> ```
> cisco_ipsec: module license 'Proprietary' taints kernel.
> ```
> 
> ...

 

I had the same problem - I don't know if my fix will work for you but I'll post it anyways just in case. I installed the 4.0.4.B vpnclient using ./vpn_install and copied the /lib/modules/2.6.7-gentoo-r8/CiscoVPN/cisco_ipsec.ko module to another folder that wouldn't be affected by uninstalling the client. Then I uninstalled 4.0.4.B with ./vpn_uninstall and installed 4.0.3.B again using ./vpn_install. When that finished, I deleted the faulty cisco_ipsec module it generated and instead linked to the cisco_ipsec module I previously backed up (although I'm sure that replacing the new file with the old one would've worked just as well, chopping off the .ko extension). After that, it worked like a charm. Hope that helps  :Smile: 

----------

## lpetersen

Thanks, ssj3strife, I am happy to confirm your solution: The kernel module from 4.0.4b combined with the other stuff from 4.0.3b-r4 works perfectly on my 2.6.7-gentoo-r8 kernel. Not exactly an elegant solution  :Rolling Eyes: , but, hey, I can connect again!  :Smile: 

Cheers, 

Lars

----------

## graadz

ASUS A7N8X users.  The VPN client does not work properly with your 3C59x card and kernel 2.6.x. It seems that it has something to do with the implementation - or lack of implementation - of the zero copy protocol in the 3C59x network driver. In any case, the Cisco vpnclient does work with the built-in nForce card. Since nforce-net does not compile with kernel 2.6.x you need to compile the kernel driver for that. It can be found in your kernel config at:

Device Drivers -> Networking Support -> Ethernet 10 or 100 Mbit -> Reverse Engineered nForce Ethernet support (EXPERIMENTAL)

I have compiled it as a module. The module is called forcedeth. To auto load it I have put it in /etc/modules.autoload.d/kernel-2.6 and removed the 3c59x one. Now the nForce interface will be eth0 and everything works like a charm also nslookups / UDP works like it used to on 2.4  :Wink: 

BTW; people who are using the e100 module and are struggling with lookups / UDP issues as well... try using the eepro100 module. 

Details:

Vpnclient version : 4.0.4.B

Kernel version     : 2.6.7-mm6

NIC                     : nForce2 (forcedeth module)

GraadZ

 *graadz wrote:*   

> Registering at the Cisco site is not enough to download the software. You need to have some sort of $$$$upport contract apparently . Yet another reason to go for vpnc instead? 
> 
> BTW, the most recent Linux version is 4.0.4.B.
> 
> BTW2, the name lookup problem has probably something to do with the way kernel 2.6.7 (or actually post 2.6.1 kernels?) handles UDP. nslookup and dig in UDP mode don't work, however, if I force dig to use TCP then names are resolved:
> ...

 Last edited by graadz on Mon Oct 04, 2004 9:44 am; edited 2 times in total

----------

## X-Frog

graadz, if it's not too late, the solution for this is quite easy:

https://forums.gentoo.org/viewtopic.php?t=137394

Just install iptables (emerge iptables)

iptables-restore (to have 0 rule)

iptables-save

/etc/init.d/iptables start

and it works!

As for the problem with 2.6.7+, I'll try what's said here, with 2.6.8 it still doesn't work, invalid module format!

----------

## X-Frog

ok, the bug is fixed with vpnclient-linux-4.0.5.Rel-k9.tar.gz, in the unstable tree.

Suggestion: it should be put on the stable tree, quite more stable than the 4.03B!  :Wink: 

----------

## graadz

 *graadz wrote:*   

> ASUS A7N8X users.  The VPN client does not work properly with your 3C59x card and kernel 2.6.x. It seems that it has something to do with the implementation - or lack of implementation - of the zero copy protocol in the 3C59x network driver. In any case, the Cisco vpnclient does work with the built-in nForce card. Since nforce-net does not compile with kernel 2.6.x you need to compile the kernel driver for that. It can be found in your kernel config at:
> 
> Device Drivers -> Networking Support -> Ethernet 10 or 100 Mbit -> Reverse Engineered nForce Ethernet support (EXPERIMENTAL)
> 
> I have compiled it as a module. The module is called forcedeth. To auto load it I have put it in /etc/modules.autoload.d/kernel-2.6 and removed the 3c59x one. Now the nForce interface will be eth0 and everything works like a charm also nslookups / UDP works like it used to on 2.4 
> ...

 

----------

## graadz

My own solution using the nForce NIC i.s.o the 3COM one worked perfectly for me. I did not use iptables since I have a HW firewall. 

Cisco, however, has resolved the zero-copy issue in release 4.6.0 of vpnclient. So, with that release name lookups should work again with 3COM and e100 NICs.

Invalid module format is usually caused by compiling the module with a different version of the compiler than the one with which the kernel was built. Rebuilding the kernel and its modules (including the vpnclient module) should fix your problem.

G

 *X-Frog wrote:*   

> graadz, if it's not too late, the solution for this is quite easy:
> 
> https://forums.gentoo.org/viewtopic.php?t=137394
> 
> Just install iptables (emerge iptables)
> ...

 

----------
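An added example, not part of the thread: a shell check for the "Invalid module format" cause discussed above, comparing a module's vermagic string with the running kernel's release and compiler. The function names are hypothetical, the sample strings in the comments are constructed, and the vermagic layout (release first, `gcc-X.Y` last) is assumed to be that of 2.6-era kernels.

```shell
#!/bin/sh
# Added example: why does insmod report "Invalid module format"?
# Compares a module's vermagic with the kernel it is being loaded into.

# Extract the compiler "major.minor" from a /proc/version style line, e.g.
# "Linux version 2.6.7-gentoo-r8 (...) (gcc version 3.3.3 ...)" (constructed).
kernel_gcc() {
    printf '%s\n' "$1" |
        sed -n 's/.*gcc version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# vermagic_diff VERMAGIC KERNEL_RELEASE KERNEL_GCC
# VERMAGIC looks like "2.6.7-gentoo-r8 preempt K7 gcc-3.3" (constructed).
# Prints one line per mismatch and returns non-zero if any was found.
vermagic_diff() {
    vm=$1 krel=$2 kgcc=$3 rc=0
    mrel=${vm%% *}    # first field is the release the module was built for
    mgcc=$(printf '%s\n' "$vm" |
        sed -n 's/.*gcc-\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ "$mrel" != "$krel" ]; then
        echo "release: module=$mrel kernel=$krel"
        rc=1
    fi
    # Compare compilers only when both sides actually record one.
    if [ -n "$mgcc" ] && [ -n "$kgcc" ] && [ "$mgcc" != "$kgcc" ]; then
        echo "compiler: module=gcc-$mgcc kernel=gcc-$kgcc"
        rc=1
    fi
    return $rc
}

# Live check against the running system (needs modinfo and /proc/version):
#   check_module cisco_ipsec
check_module() {
    vermagic_diff "$(modinfo -F vermagic "$1")" "$(uname -r)" \
        "$(kernel_gcc "$(cat /proc/version)")"
}
```

A release mismatch means the module was built against a different kernel tree; a compiler mismatch is the case where rebuilding the kernel and the module with the same gcc applies.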

