1. Install the Cisco VPN Client from

- Download the Cisco Virtual Private Network (VPN) software, which establishes a secure connection between your laptop and Penn State's VPN server and enables you to connect wirelessly to the network.

- Click the appropriate Linux version and enter your Penn State user ID and password.

- Save to a convenient location such as your Desktop.

Before you Begin...


This software and guide are unsupported by Computing & Information Services. This means that the installation and software have been tested by CIS, but no telephone support is available.
The VPN client consists of a kernel module and a few command-line executables.
The kernel module is not pre-compiled, so you will need to make sure that the kernel sources for each kernel version you intend to use with this client are properly installed. Please refer to the Kernel-HOWTO for instructions on how to do that.
The module is not open source software, so once it is loaded into your Linux kernel, the kernel is marked as tainted and issues a warning.
After successfully establishing a secure connection to the server, the client listens for packets from the VPN server on two ports by default, UDP 500 and UDP 4500. This means you have to punch a hole in your ipchains/iptables firewall for them. The module also uses IP protocol 50 (ESP) to communicate with the VPN server; most Linux firewall configurations do not filter that protocol, however.
The Cisco documentation mentions several other ports; quoting:
* UDP port 500
* UDP port 10000 and 500 (or any other port number being used for IPSec/UDP)
* IP protocol 50 (ESP)
* NAT-T port 4500 UDP
Allow these ports through your firewall if you don't want any surprises.
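
The firewall openings listed above, as an added example that is not part of the original guide or of Cisco's documentation: the function prints iptables commands that admit the listed UDP ports and ESP only from the VPN gateway, so the rules can be reviewed before they are applied. Assumptions: the function names are illustrative, the gateway address is the one shown in the connection output later in this guide, and the listed ports are treated as local destination ports in the INPUT chain.

```shell
#!/bin/sh
# Added example: generate (not apply) iptables rules for the VPN client.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# vpn_fw_rules GATEWAY [IPSEC_UDP_PORT]
# Prints one rule per opening named in the guide: UDP 500 (IKE),
# UDP 4500 (NAT-T), the IPSec/UDP port (default 10000) and IP protocol 50.
# Every rule is limited to traffic coming from GATEWAY.
vpn_fw_rules() {
    gw=$1
    ipsec_udp=${2:-10000}
    is_ipv4 "$gw" || { echo "invalid gateway address: $gw" >&2; return 1; }
    case "$ipsec_udp" in
        ''|*[!0-9]*) echo "invalid port: $ipsec_udp" >&2; return 1 ;;
    esac
    [ "${#ipsec_udp}" -le 5 ] && [ "$ipsec_udp" -ge 1 ] &&
        [ "$ipsec_udp" -le 65535 ] ||
        { echo "invalid port: $ipsec_udp" >&2; return 1; }
    for port in 500 4500 "$ipsec_udp"; do
        echo "iptables -A INPUT -p udp -s $gw --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -p 50 -s $gw -j ACCEPT"
}

# Review the output first, then apply it as root, for example:
#   vpn_fw_rules 130.113.69.99 | sh
```

If your firewall also filters outgoing traffic, the OUTPUT chain needs matching rules with the gateway as the destination.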
Installation and Configuration Commands, Step by Step

Below are step-by-step quick-start instructions. Be sure to connect to your ISP before starting.

Become super user (root):
[user@vpnclient]$ su -
Password:
[root@vpnclient root]#
Change directory to /usr/src:
[root@vpnclient root]# cd /usr/src
Download the tarball from the University web site:
[root@localhost root]# wget http://netman.mcmaster.ca/vpn/vpnclient-linux.tar.gz
--23:20:09-- http://netman.mcmaster.ca/vpn/vpnclient-linux.tar.gz
=> `vpnclient-linux.tar.gz'
Resolving netman.mcmaster.ca... done.
Connecting to netman.mcmaster.ca[130.113.220.37]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,316,843 [application/x-tar]

100%[====================================================>] 1,316,843 318.15K/s ETA 00:00

23:20:14 (318.15 KB/s) - `vpnclient-linux.tar.gz' saved [1316843/1316843]
Decompress and extract it:
[root@vpnclient src]# tar xzvf vpnclient-linux.tar.gz
Change directory to /usr/src/vpnclient:
[root@vpnclient src]# cd vpnclient
Execute the installer script and answer the prompts:
[root@localhost vpnclient]# ./vpn_install
Cisco Systems VPN Client Version 4.0.3 (B) Linux Installer
Copyright (C) 1998-2001 Cisco Systems, Inc. All Rights Reserved.

By installing this product you agree that you have read the
license.txt file (The VPN Client license) and will comply with
its terms.

Directory where binaries will be installed [/usr/local/bin]

Automatically start the VPN service at boot time [yes]

In order to build the VPN kernel module, you must have the
kernel headers for the version of the kernel you are running.

For RedHat 6.x users these files are installed in /usr/src/linux by default
For RedHat 7.x users these files are installed in /usr/src/linux-2.4 by default
For Suse 7.3 users these files are installed in /usr/src/linux-2.4.10.SuSE by default

Directory containing linux kernel source code [/lib/modules/2.4.18-14/build]

* Binaries will be installed in "/usr/local/bin".
* Modules will be installed in "/lib/modules/2.4.18-14/CiscoVPN".
* The VPN service will be started AUTOMATICALLY at boot time.
* Kernel source from "/lib/modules/2.4.18-14/build" will be used to build the module.

Is the above correct [y] y

Making module
Create module directory "/lib/modules/2.4.18-14/CiscoVPN".
Copying module to directory "/lib/modules/2.4.18-14/CiscoVPN".
Creating start/stop script "/etc/init.d/vpnclient_init".
Enabling start/stop script for run level 3,4 and 5.
Creating VPN configuration file "/etc/CiscoSystemsVPNClient/vpnclient.ini".

Installing license.txt (VPN Client license) in "/etc/CiscoSystemsVPNClient/":

Installing bundled user profiles in "/etc/CiscoSystemsVPNClient/Profiles/":
* New Profiles : MacConnect McMasterVPN

Copying binaries to directory "/usr/local/bin".

Setting permissions.
/usr/local/bin/cvpnd (setuid root)
/etc/CiscoSystemsVPNClient (world writeable)
/etc/CiscoSystemsVPNClient/Profiles (world writeable)
/etc/CiscoSystemsVPNClient/Certificates (world writeable)
* You may wish to change these permissions to restrict access to root.

* You must run "/etc/init.d/vpnclient_init start" before using the client.
* This script will be run AUTOMATICALLY every time you reboot your computer.
[root@localhost vpnclient]#

Remove the world-writable permission from the files in /etc/CiscoSystemsVPNClient:
[root@vpnclient vpnclient]# chmod -R o-w /etc/CiscoSystemsVPNClient/
Load the VPN client's module into the running kernel:
[root@localhost vpnclient]# /etc/init.d/vpnclient_init start
Starting /usr/local/bin/vpnclient:
Warning: loading /lib/modules/2.4.18-14/CiscoVPN/cisco_ipsec will taint the kernel: no license
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Module cisco_ipsec loaded, with warnings
Done
McMaster VPN requires a profile to connect. Two are provided: one for off-campus users (McMasterVPN) and one for on-campus MacConnect users (MacConnect).
The profiles are already installed in /etc/CiscoSystemsVPNClient/Profiles/.
To connect, run vpnclient connect with the profile name (McMasterVPN, or MacConnect if you are on campus) and enter your user name and password when prompted:
[root@localhost Profiles]# vpnclient connect McMasterVPN
Cisco Systems VPN Client Version 4.0.3 (B)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686

Initializing the VPN connection.
Contacting the gateway at 130.113.69.99
User Authentication for McMasterVPN...

Enter Username and Password.

Username []: johndoe
Password []:******************
Authenticating user.
Negotiating security policies.
Securing communication channel.
McMaster Authorized Use Only!

Idle sessions are disconnected after 30 minutes of inactivity.

All sessions are disconnected after 24 hours of continuous use.

For assistance, please contact the CIS Helpline at (905)-525-9140 Ext. 24357.
Do you wish to continue? (y/n): y

Your VPN connection is secure.

VPN tunnel information.
Client address: 130.113.90.1
Server address: 130.113.69.99
Encryption: 56-bit DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is active on port UDP 4500
Local LAN Access is disabled

You should now be connected to the McMaster network. If the connection fails, suspect your firewall first. Try disabling it completely, then try the connection again! If the firewall interferes with the VPN, you will need to adjust its configuration.
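
To confirm the result of the chmod -R o-w step earlier in the installation, the following added example (not part of the original guide or of the Cisco installer) re-checks the paths the installer reported under "Setting permissions". Assumptions: the function names are illustrative; the paths in the usage comment are the ones printed by the installer above.

```shell
#!/bin/sh
# Added example: audit the permissions the installer reported changing.

# world_writable DIR: print entries under DIR (DIR included) that are
# writable by "other". Symlinks are skipped; their own mode bits carry
# no meaning.
world_writable() {
    find "$1" ! -type l -perm -0002 -print 2>/dev/null
}

# loosely_writable_setuid FILE: true if FILE is setuid and also group- or
# world-writable, i.e. a non-owner could modify a binary that runs with
# its owner's privileges.
loosely_writable_setuid() {
    [ -u "$1" ] || return 1
    [ -n "$(find "$1" \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# audit_vpn_install CONFIG_DIR DAEMON: print findings; return 1 if any.
audit_vpn_install() {
    cfg=$1 daemon=$2 rc=0
    found=$(world_writable "$cfg") || true
    if [ -n "$found" ]; then
        echo "world-writable under $cfg (fix: chmod -R o-w $cfg):"
        printf '%s\n' "$found" | sed 's/^/  /'
        rc=1
    fi
    if loosely_writable_setuid "$daemon"; then
        echo "setuid binary writable by group/other: $daemon"
        rc=1
    fi
    return "$rc"
}

# Usage on the installed system (as root):
#   audit_vpn_install /etc/CiscoSystemsVPNClient /usr/local/bin/cvpnd
```

A clean run prints nothing and returns 0; run it again after any client upgrade, since the installer resets these permissions.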

Un-installing the Client

Use the vpn_uninstall script that comes with the client (/usr/src/vpnclient/vpn_uninstall in our example) to remove the client.