Vpnc/zh-cn

本文档详细介绍了如何使用 vpnc 将工作站连接到 Cisco VPN 集中器来管理连接.

介绍
本文档适用于希望在家中或旅行期间连接到其办公网络的用户. 许多公司使用 Cisco 3000 VPN 集中器来满足他们的 VPN 需求，我敢打赌，大多数 Linux 新手认为他们只能使用 Windows 来接入. 本文档解释了使用 Linux 连接到 Cisco VPN 绝对是可能的，并且有望使用 Gentoo 工作站或笔记本电脑来设置工作隧道.

这个文档是什么

 * vpnc 基本工作指南
 * 讨论与 VPN 相关的 DNS 和路由问题
 * 管理 VPN 会话的示例
 * 有用的提示和技巧（希望如此）

这个文档不是什么

 * VPN /加密技术的深入指南
 * vpnc 的逐个功能说明

假设
此时所做的假设是：


 * Gentoo 已安装
 * Internet 访问可用并已配置
 * 连接指向 Cisco 3000 VPN 集中器
 * 配置、构建和安装新内核对读者来说并不是一项艰巨的任务

内核
为了使 Linux 能够打开 VPN 连接，必须在内核中启用 Universal TUN/TAP device driver support. 它是什么，为什么需要它？以下是内核配置对话框中相对直接的解释：

要验证内核是否支持 TUN/TAP， 内核的配置文件：

As can be seen above,  is compiled as a module. If it is disabled in the setup, enable it in the kernel of choice, rebuild, install, reboot and return to this document before continuing with the next steps.

如果内核中直接内置了 TUN/TAP 支持，则 输出应如下所示：

If TUN/TAP support is built as a module, then first load the  module:

Now that the  module is loaded, check  output. Something like the following should show up:

Emerge
Now that a working kernel setup is completed, install the package:

Make sure to check the supported USE flag combinations and see if they apply to the environment. When encountering a problem later with the following error, enable the  USE flag:

Configuration
In order to make the following sections more clear, we need an example setup to work from. For the purpose of this exercise, we will assume that the home network consists out of several computers. All computers are on the 192.168.0.0 / 255.255.255.0 network. The LAN in question is run by a Gentoo box using an iptables firewall, DHCP, caching DNS, etc ... and it masquerades the LAN behind the public IP address it receives from an ISP. A workstation is also on the LAN from which the VPN into the office will be configured.

Our example workstation configuration looks like the following:

vpnc
Now that vpnc is installed and we have an example to work from, let's discuss the basics of setting up vpnc. The configuration file for vpnc connection settings can be located in a couple places, depending on how many profiles need to be configured. By default, vpnc looks for for its connection settings. This setup will only address a single profile example and will use the configuration file location.

The configuration file example above should be modified to reflect the appropriate values for the local setup. The gateway option  can be a fully qualified domain name or an IP address. The ID and secret options should be given by a network administrator. If this information cannot be obtained but a working setup on a Windows box is available which utilizes the official Cisco VPN client, then it suffices to export the profile. The user name and password options are for the normal network sign-on, such as a Windows NT domain account.

When the profile is exported from a Windows machine, then the result is most likely a file ending in. This file will have all the necessary information. Below is an example:

In the above example, we can see entries for,  , and. The  and   may or may not be exported depending on the setup. To generate a working vpnc configuration out of it, use, included with vpnc.

Testing the setup
Now that a configuration is in place it is time to test the setup. To start do the following:

The above command output shows that, once (as root) is executed, a prompt comes up asking for a password. After entering the password (which will not be echoed to the terminal), the process will automatically become a background process.

As can be seen from the above command output(s), has done the following:


 * Created the tun0 network interface, a virtual interface to handle the traffic across the VPN tunnel
 * Obtained the IP address for the tun0 device from the VPN provider
 * Set the default route to the VPN gateway

At this point, the workstation is capable of communicating with hosts via the VPN. Because sets the default route to the VPN gateway, all network traffic will travel across the VPN, even if it destined for the Internet or elsewhere not specifically specified by additional routes. For some, this basic type of connection may be satisfactory, but for most, additional steps need to be taken.

Additional things that might be interesting to have:


 * DNS for the VPN
 * A routing setup that will only send traffic destined for the VPN down the virtual tunnel. This way, browsing the Internet will originate directly from the local network even when connected to the VPN, without the personal web/p2p etc. traffic going across the tunnel.
 * A script to manage all this, because just doesn't do enough by default.

To end the VPN session, execute. An example is shown below.

Set up DNS
Unfortunately, doesn't handle the setup and management of DNS for the newly established tunnel. The user is left to decide how DNS should be handled. Although can be written during the connection, that would utilize the VPN DNS for all DNS queries regardless of whether or not the traffic is destined for the VPN tunnel. This is a very functional solution and if all that is needed is to connect to the tunnel, work, and then disconnect, read no further. But, to be able to leave the tunnel connected for lengthy periods of time without the work DNS servers handling requests for the personal traffic, read on.

The ideal setup would allow users to separate the DNS queries into two categories: VPN-related and other. Under this setup, all VPN-related DNS queries would be answered by DNS servers located at the other end of the VPN tunnel and all other queries would continue to be answered by local or ISP supplied DNS servers. This is the setup that will be demonstrated here.

So how to make sure that requests made to hosts on the example.org domain get sent to VPN supplied DNS servers? Well, first install a local DNS server, but don't worry, it's much easier than it sounds. There are several software packages that can handle the type of setup we desire, but for the purposes of this demonstration, will be utilized. Let's emerge it now:

Next add an option to 's startup options. Edit the following option and substitute .example.org with the appropriate domain and the IP address with a valid DNS server that belongs to the VPN tunnel.

Next, make sure that the first entry in is the local host , followed by the location of the backup DNS servers that should handle the DNS traffic in case  fails to start, or if it needs to forward a DNS query it doesn't currently have in its cache. An example is shown below.

Now that a rule is setup for the VPN tunnel DNS, start.

The routing table
The ideal scenario would be if only the traffic destined for the VPN tunnel would travel across the link. At this point, a VPN tunnel setup exists and all traffic will travel across the tunnel, unless additional routes are specified. In order to fix this situation, know what networks are available on the VPN. The easiest way to find out the needed information is to ask a network administrator, but sometimes they are reluctant to answer such questions. If the local network admin doesn't provide the needed information, some trial and error experiments will be required.

When the VPN tunnel was started, vpnc set the default route to the tunnel. So set the default route back to normal, so that things work as expected.

Earlier, when DNS services were being configured for the VPN, a DNS server was specified to handle the example.org domain. Add a route for the 192.168.125.0 subnet so that DNS queries will work:

At this point, any additional routes for known networks (such as for the subnet 192.168.160.0, which includes the IP address received by the TUN/TAP virtual device) should be added. If a friendly network administrator gave the required info, great. Otherwise, start pinging hosts that will be connected to frequently, to give an idea about what the routing table should look like.

As seen from the above example, the ping probes to  were unsuccessful. So we need to add a route for that subnet.

A few ping and route commands later, and the system should be well on its way to a well working routing table.

Calling vpnc when needed
Next is an example script to manage the VPN connection. Execute it (as root) from an xterm to start a connection to the VPN. Then all that is left to do is to press return to disconnect the VPN. Obviously this needs to be modified on the current setup, remembering to add all the additional routes that may be necessary.

Start vpnc on boot
Version 0.4.0-r1 of vpnc contains an init script which can handle multiple configurations. The default script looks for, but as many configurations as can be imagined are possible. Before and after shutdown and start-up custom-made scripts can be executed that are connected by their name to the corresponding init script (since version 0.5.1-r1). Their names end in, , and , stored in the  directory. The general naming scheme is sketched in the following table.

Add vpnc to default runlevel with the following commands (in this case for the standard configuration). Do not forget to add the  module (if built that way) to the kernel's autoload mechanism at startup.

To not have to save the password in the configuration file, tell the init script to show all output and prompts on standard output by editing. Set the VPNCOUTPUT variable to  or , where its default is to not display screen output.

Graphical remote access
When looking for a Linux application that supports RDP (Remote Desktop Protocol) then give a try. It is a GUI app written in GTK+ that fits in well with a Gnome desktop, but doesn't require it. As an alternative to the GUI configuration dialog that grdesktop provides, just install. Ultimately, grdesktop is just a frontend for rdesktop.

KDE users might want to try out. It appears to be a very mature VPN management GUI.

To connect to a Windows machine which doesn't have a DNS entry, but for which the address of an available WINS server is known, use a tool called to query the WINS server for the host name of the machine to connect to. Unfortunately, needs to be installed to get it, but when working with boxes running Windows installing samba is usually a given, because it includes several other useful tools.

When samba and its tools are installed, test by asking the WINS server at IP address 192.168.125.11 about a host named wintelbox1.

Custom scripts on boot
The custom-made scripts for the file can be used to setup a user-defined routing for the vpnc connection. The examples below show how to setup the routing table so that only connections to 123.234.x.x are routed over the VPN and all other connections use the default gateway. The example uses to save the current default gateway before starting vpnc (which resets the default gateway using the VPN connection). Once vpnc has been started, deletes this new default gateway, restores the old default gateway and sets the route for all connections to 123.234.x.x to use the vpnc connection.

The example scripts assume that the vpnc connection uses tun1 as tun device. Set the device name in the connection's configuration file.

External resources

 * vpnc 主页
 * kvpnc 主页
 * grdesktop 主页