Vpnc/ko

This document describes in detail how to connect a workstation to a Cisco VPN concentrator using the connection manager vpnc.

Introduction
If you're reading this, then you likely need to connect to your office network from home or during travel. Many companies use Cisco 3000 VPN concentrators for their VPN needs, and I am willing to bet that most Linux newbies think that they are forced to use Windows to connect to them. Well, this document informs you that connecting to a Cisco VPN is very possible and will hopefully enable you to set up a working tunnel using your Gentoo workstation or laptop.

What this document is

 * A guide to the basic workings of
 * A discussion of DNS and routing issues that relate to VPNs
 * Examples of managing VPN sessions
 * Useful tips and tricks (hopefully)

What this document does not cover

 * An in-depth guide to VPN/encryption technology
 * A feature-by-feature description of

Assumptions
Here we assume that:

 * You have installed Gentoo
 * You are connected to the Internet
 * You are connecting to a Cisco 3000 VPN concentrator
 * You already know how to configure, build and install a new kernel

Kernel configuration
To be able to open a VPN connection on Linux, you need to enable Universal TUN/TAP device driver support in your kernel. What is this and why is it needed? The kernel configuration box below gives a relatively simple explanation:

You can check whether your kernel supports TUN/TAP with the following command:

As you can see above, it is compiled as a module through the setting. If it is disabled in your configuration, enable it in the kernel menu, rebuild, install, reboot, and come back here before moving on to the next step.

If you built TUN/TAP support directly into the kernel, you can check the output as follows.

If you built TUN/TAP support as a module, you must first load the module:

Now that the module is loaded, let's check the output. You should see something like the following:

Installing the required software
Now that the kernel configuration is working, you need to install :

Check the USE flags it supports and make sure they are set correctly for your environment. If you run into problems later with the following error, you need to enable the hybrid-auth USE flag:

Example setup
In order to make the following sections clearer, we need an example setup to work from. For the purposes of this exercise, we will assume that you have a home network of several computers. All computers are on the 192.168.0.0 / 255.255.255.0 network. The LAN in question is run by a Gentoo box using an iptables firewall, DHCP, caching DNS, etc., and it masquerades the LAN behind the public IP address it receives from an ISP. You also have a workstation on the LAN from which you want to be able to VPN into your office.

Our example workstation configuration looks like the following:

Configuring vpnc
Now that you have  installed and we have an example to work from, let's discuss the basics of setting up. The configuration file for  connection settings can be located in a couple places, depending on how many profiles you want to setup. By default,  looks first for  for its connection settings. If it doesn't find that file, then it looks for. This setup will only address a single profile example and will use the configuration file location. Make sure you do not have a file.

The configuration file example above should be modified to reflect the appropriate values for your setup. The gateway option  can be a fully qualified domain name or an IP address. The ID and secret options should be given to you by a network administrator. If you cannot obtain this information but you currently have a working setup on a Windows box which utilizes the official Cisco VPN client, then all you have to do is export your profile. The user name and password options are for your normal network sign-on, such as a Windows NT domain account.

If you are forced to export your profile from a Windows machine, then what you will likely have is a file ending in. This file will have all the information you need. Below is an example:

In the above example, we can see entries for ,   and. Your  and   may or may not be exported depending on the setup. To generate a working vpnc configuration out of it, you can use , included with vpnc.

Testing the configuration
Now that you have a configuration in place, it's time to test your setup. To start  you do the following:

As you can see from the above command output, once you type  (as root), you are prompted for your password. After entering your password, which will not be echoed back to you, the  process will automatically become a background process.

As you can see from the above command output(s),  has done the following:


 * Created the tun0 network interface, a virtual interface to handle the traffic across your VPN tunnel
 * Obtained the IP address for the tun0 device from your VPN provider
 * Set the default route to your VPN gateway

At this point, your workstation is capable of communicating with hosts via the VPN. Because  sets your default route to your VPN gateway, all network traffic will travel across the VPN, even if it is destined for the Internet or anywhere else not covered by additional routes. For some, this basic type of connection may be satisfactory, but for most, additional steps need to be taken.

Additional features worth adding are:

 * DNS for the VPN
 * A routing setup that will only send traffic destined for the VPN down the virtual tunnel. This way, you can browse the Internet while connected to the VPN, without your personal web/p2p etc. traffic going across the tunnel.
 * A script to manage all this, because  just doesn't do enough by default.

When you are ready to end the VPN session, execute. An example is shown below.

DNS configuration
Unfortunately,  doesn't handle the setup and management of DNS for your newly established tunnel. The user is left to decide how DNS should be handled. You could just overwrite when you connect, but that would utilize your VPN DNS for all DNS queries regardless of whether or not the traffic is destined for your VPN tunnel. This is a very functional solution and if you simply need to connect to the tunnel, do your work, and then disconnect, read no further. But, if you want to be able to leave your tunnel connected for lengthy periods of time and don't want your work DNS servers handling requests for your personal traffic, read on.

The ideal setup would allow you to separate your DNS queries into two categories: VPN-related and other. Under this setup, all VPN-related DNS queries would be answered by DNS servers located at the other end of your VPN tunnel and all other queries would continue to be answered by local or ISP supplied DNS servers. This is the setup that will be demonstrated here.

So how do you set things up, so that only requests made to hosts on the example.org domain get sent to VPN supplied DNS servers? Well, you're going to need to install a local DNS server, but don't worry, it's much easier than you think. There are several software packages that can handle the type of setup we desire, but for the purposes of this demonstration,  will be utilized. Let's emerge it now:

Now you need to add an option to your  startup options. Edit the following option to suit your needs. Substitute .example.org with the appropriate domain and the IP address with a valid DNS server that belongs to the VPN tunnel.

Next, make sure that the first entry in is your local host  , followed by the location of the backup DNS servers that should handle the DNS traffic in case dnsmasq fails to start, or if it needs to forward a DNS query it doesn't currently have in its cache. An example is shown below.

Now that you have set up a rule for your VPN tunnel DNS, you need to start.
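To see what the split-DNS rule above actually does before relying on it, here is an added example (not code from the Gentoo page or from dnsmasq itself) that models dnsmasq's server=/domain/address matching over a constructed configuration and checks that resolv.conf lists the local dnsmasq first. The resolver addresses in the 192.168.125.0 subnet and the corp.example.org sub-domain are placeholders I made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Gentoo page: models how dnsmasq's
# server=/domain/address lines split queries between the VPN's resolver
# and the local/ISP resolvers, so the rule can be checked before going live.

# Constructed dnsmasq option lines. The addresses are placeholders in the
# guide's 192.168.125.0 subnet, not real VPN DNS servers.
DNSMASQ_CONF='server=/example.org/192.168.125.1
server=/corp.example.org/192.168.125.2'

# Constructed resolv.conf: dnsmasq on localhost first, LAN/ISP server after.
RESOLV_CONF='nameserver 127.0.0.1
nameserver 192.168.0.1'

# Print the upstream dnsmasq would forward a query for $1 to, or "default"
# when no server=/domain/ line matches. The most specific (longest) matching
# domain suffix wins, as in dnsmasq.
dns_upstream_for() {
    name="$1"
    best=""
    best_len=0
    while IFS= read -r line; do
        case "$line" in server=/*/*) ;; *) continue ;; esac
        rest="${line#server=/}"      # domain/address
        domain="${rest%%/*}"
        upstream="${rest#*/}"
        case "$name" in
            "$domain"|*."$domain")
                if [ "${#domain}" -gt "$best_len" ]; then
                    best="$upstream"
                    best_len=${#domain}
                fi ;;
        esac
    done <<EOF
$DNSMASQ_CONF
EOF
    printf '%s\n' "${best:-default}"
}

# True when the first nameserver entry points at the local dnsmasq.
resolv_uses_dnsmasq_first() {
    first=$(printf '%s\n' "$RESOLV_CONF" | grep '^nameserver' | head -n 1)
    [ "$first" = "nameserver 127.0.0.1" ]
}

# Demonstration when run directly.
for host in mail.example.org host.corp.example.org www.gentoo.org; do
    printf '%-24s -> %s\n' "$host" "$(dns_upstream_for "$host")"
done
resolv_uses_dnsmasq_first && echo "resolv.conf: dnsmasq first, OK"
```

Queries for anything under example.org go to the VPN resolver, everything else falls through to dnsmasq's normal upstreams, which is exactly the separation the section asks for; the resolv.conf check catches the common mistake of listing the ISP server before 127.0.0.1, which would bypass dnsmasq entirely.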

Routing table configuration
The ideal scenario would be if only the traffic destined for the VPN tunnel travelled across the link. At this point, you have a VPN tunnel set up and all traffic will travel across the tunnel, unless you specify additional routes. In order to fix this situation you need to know what networks are available to you on your VPN. The easiest way to find out the needed information is to ask a network administrator, but sometimes they are reluctant to answer such questions. If your local network admin won't provide the needed information, some trial and error experiments will be required.

When the VPN tunnel was started,  set the default route to the tunnel. So you must set your default route back to normal, so that things work as expected.

Earlier, when DNS services were being configured for your VPN, you specified a DNS server to handle your example.org domain. You need to add a route for the 192.168.125.0 subnet so that DNS queries will work.

At this point, you should add any additional routes for known networks (such as for the subnet 192.168.160.0, which includes the IP address received by the TUN/TAP virtual device). If your friendly network administrator gave you the required info, great. Otherwise, you might need to ping hosts you will be connecting to frequently, to give yourself an idea about what your routing table should look like.

As you can see from the above example, the ping probes to  were unsuccessful. So we need to add a route for that subnet.

A few ping and route commands later, you should be well on your way to a well-working routing table.

Invoking vpnc on demand
Next is an example script to manage the VPN connection. You could execute it (as root) from an xterm to start a connection to your VPN. Then all you have to do is press return to disconnect the VPN. Obviously you will need to modify this for your setup, remembering to add all the additional routes that you may need.

Starting vpnc at boot
Version 0.4.0-r1 of vpnc contains an init script which can handle multiple configurations. The default script looks for, but as many configurations as can be imagined are possible. Since version 0.5.1-r1, custom-made scripts can be executed before and after start-up and shutdown; they are tied to the corresponding init script by their name. Their names end in,  ,  and  , and they are stored in the  directory. The general naming scheme is sketched in the following table.

Add vpnc to the default runlevel with the following commands (in this case for the standard configuration). Don't forget to add the tun module (if you have built it that way) to the kernel's module autoload mechanism at startup.

If you don't want to save your password in the configuration file, you can tell the init script to show all output and prompts on standard output by editing. Set the variable  to yes or no, where its default is to not display screen output.

Graphical remote access
If you are looking for a Linux application that supports RDP (Remote Desktop Protocol) then give  a try. It's a GUI app written in GTK+ that fits in well with a Gnome desktop, but doesn't require it. If you don't want the GUI configuration dialogs that grdesktop provides, then just install. Ultimately, grdesktop is just a frontend for rdesktop.

If you are a KDE user, you might want to try. It appears to be a very mature VPN management GUI.

If you need to connect to a Windows machine which doesn't have a DNS entry, and you know the address of an available WINS server, you can use a tool called  to query the WINS server for the host name of the machine you want to connect to. Unfortunately, you have to install  to get it, but if you are going to be working with boxes running Windows you might as well install samba, because it includes several other useful tools.

When you have samba and its tools installed, test  by asking the WINS server at IP address 192.168.125.11 about a host named wintelbox1.

Custom scripts on boot
The custom-made scripts for the file can be used to set up user-defined routing for the vpnc connection. The examples below show how to set up the routing table so that only connections to 123.234.x.x are routed over the VPN and all other connections use the default gateway. The example uses work-preup.sh to save the current default gateway before starting vpnc (which resets the default gateway to use the VPN connection). Once vpnc has been started,  deletes this new default gateway, restores the old default gateway and sets the route for all connections to 123.234.x.x to use the vpnc connection.

The example scripts assume that the vpnc connection uses tun1 as tun device. You can set the device name in the connection's configuration file.
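The following is an added example, not the Gentoo page's own pre-up/post-up scripts nor the on-demand management script from the "Invoking vpnc on demand" section; it serves both of those passages. It saves the current default gateway before vpnc starts, then after vpnc is up removes vpnc's catch-all default route, restores the saved gateway and routes only the VPN network through the tunnel, and it wraps the same steps in an interactive session function that tears the tunnel down when you press Return. Assumptions I made that are not on the page: the tun device is tun1, the VPN-only network is written as 123.234.0.0/16, routes are manipulated with `ip route`, and the saved gateway lives under /var/run/vpnc. With DRY_RUN=1 the commands are printed rather than executed, so the logic can be checked without root against a constructed routing table.

```shell
#!/bin/sh
# Added example, not the Gentoo page's own scripts: a pre-up/post-up hook
# pair for vpnc's init-script hooks and a small session wrapper in the
# spirit of the on-demand management script the guide describes.
# Assumptions (not from the page): the tun device is tun1, 123.234.0.0/16
# is the VPN-only network, and saved state lives under $VPNC_STATE_DIR.

VPN_DEV="${VPN_DEV:-tun1}"
VPN_NET="${VPN_NET:-123.234.0.0/16}"
VPNC_STATE_DIR="${VPNC_STATE_DIR:-/var/run/vpnc}"
DRY_RUN="${DRY_RUN:-0}"

gw_file() { printf '%s\n' "$VPNC_STATE_DIR/default-gw.saved"; }

# Every state-changing command goes through run(); with DRY_RUN=1 it is
# printed instead of executed, so the routing logic can be checked as a
# normal user before running it as root.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Current routing table; ROUTE_TABLE may be preset to constructed output.
route_table() {
    if [ -n "${ROUTE_TABLE:-}" ]; then printf '%s\n' "$ROUTE_TABLE"; else ip route show; fi
}

# Gateway address from the first "default via <gw> dev <if>" line.
default_gateway() {
    route_table | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# pre-up: remember the LAN/ISP gateway before vpnc replaces the default route.
vpn_preup() {
    gw=$(default_gateway)
    [ -n "$gw" ] || { echo "vpn_preup: no default gateway found" >&2; return 1; }
    mkdir -p "$VPNC_STATE_DIR"
    printf '%s\n' "$gw" > "$(gw_file)"
}

# post-up: drop vpnc's catch-all default route, restore the saved gateway,
# and send only $VPN_NET through the tunnel.
vpn_postup() {
    f=$(gw_file)
    [ -r "$f" ] || { echo "vpn_postup: $f missing, run vpn_preup first" >&2; return 1; }
    gw=$(cat "$f")
    run ip route del default dev "$VPN_DEV"
    run ip route add default via "$gw"
    run ip route add "$VPN_NET" dev "$VPN_DEV"
}

# Interactive session: bring the tunnel up, fix routing, wait for Return,
# then tear it down with vpnc-disconnect (all as root).
vpn_session() {
    vpn_preup && run vpnc && vpn_postup || return 1
    printf 'VPN up; press Return to disconnect... '
    read -r _
    run vpnc-disconnect
}

if [ "${1:-}" = "session" ]; then vpn_session; fi
```

Run it as `sh vpn-routes.sh session` from a root xterm for the on-demand workflow, or split vpn_preup and vpn_postup into the init script's pre-up and post-up hook files. Saving the gateway to a file rather than a shell variable is what makes the hook approach work, since the pre-up and post-up scripts run as separate processes; the post-up refuses to touch the routing table if that file is missing, so a failed pre-up cannot leave you with no default route at all.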

Useful Links

 * vpnc homepage
 * kvpnc homepage
 * grdesktop homepage

Final Notes
Hopefully by now you have been able to connect to your VPN of choice and are well on your way to remote office work. Feel free to file a bug at bugs.gentoo.org should you find a mistake or wish to make an addition or recommendation regarding this document.