From Gentoo Wiki
Jump to:navigation Jump to:search
This page contains changes which are not marked for translation.

VPNC is a IPsec (Cisco/Juniper) VPN concentrator client to manage secure connections, for users needing to connect to office network from home or during travel. Connecting to a Cisco and Juniper VPN concentrator is possible using Linux, and it should be possible setup a working tunnel using a Gentoo workstation or laptop.

VPNC is a VPN client compatible with Cisco's EasyVPN equipment. It supports IPSec (ESP) with Mode Configuration and Xauth. Supports only shared-secret IPSec authentication with: Xauth, AES (256, 192, 128), 3DES, 1DES, MD5, SHA1, DH1/2/5 and IP tunneling. VPNC runs entirely in userspace. Only universal TUN/TAP device driver support is needed in kernel.

About this guide

What this document is

  • A guide to the basic workings of vpnc
  • A discussion of DNS and routing issues that relate to VPNs
  • Examples of managing VPN sessions
  • Useful tips and tricks (hopefully)

What this document is not

  • An in-depth guide to VPN/encryption technologies
  • A feature by feature explanation of vpnc


The assumptions made at this point are:

  • Gentoo is installed
  • Internet access is available and configured
  • The connection is towards a Cisco 3000 VPN concentrator - vendor EOL announcement 2012
  • The conneciton is towards a Cisco Firewall or more generic vendor specific IPsec concentrator
  • Configuring, building, and installing a new kernel is not a daunting task for the reader



In order for Linux to be able to open a VPN connection Universal TUN/TAP device driver support must be enabled in the kernel. What is it and why is it needed? Below is a relatively straight forward explanation from the kernel configuration dialog:

To verify that the kernel has TUN/TAP support, grep the kernel's configuration file:

root #grep TUN= /usr/src/linux/.config

As can be seen above, CONFIG_TUN=m is compiled as a module. If it is disabled in the setup, enable it in the kernel of choice, rebuild, install, reboot and return to this document before continuing with the next steps.

KERNEL Configuration location in the kernel configuration dialog
Device Drivers  --->
    [*] Network device support  --->
        [*] Network core driver support
        <*>   Universal TUN/TAP device driver support

If TUN/TAP support is built directly into the kernel, dmesg output should look like the following:

root #dmesg | grep TUN
[    1.027934] tun: Universal TUN/TAP device driver, 1.6


Now that a working kernel setup is completed, install the net-misc/vpnc package:

root #emerge --ask net-misc/vpnc


In order to make the following sections more clear, we need an example setup to work from. Example assumes that the home network computers are on the network. The VPN client in question is run by a Gentoo computer client1using an private IP address it receives from local connected router.

Environment variables


  • dev - tun0 or tap0 device

IP address table:

Hostname Interface IP address Gateway Network description
client1 eth0 Private or Public
tun0 tun0 VPN
vpngw.example.org Public - internet
dns1.example.org VPN
This is a example IP scenario used in this document. For real world usage, change the according IP networking entries.

The state of the current DNS and IP setup on the gentoo client1 before the vpnc connection has been established:

user $ip route
default via dev eth0 proto dhcp src metric 1002 dev eth0 proto dhcp scope link src metric 1002
user $ip add show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 0c:cf:f4:fb:00:00 brd ff:ff:ff:ff:ff:ff
    inet brd scope global dynamic noprefixroute eth0
       valid_lft 82782sec preferred_lft 71982sec
    inet6 fe80::ecf:f4ff:fefb:0/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
user $more /etc/resolv.conf
# Generated by dhcpcd


  • /etc/conf.d/vpnc - Gentoo's config file for vpnc daemon.
  • /etc/vpnc/vpnc.conf - Global (system wide) configuration file.
  • /etc/vpnc/work.conf - Conventional filename for additional configuration rules.

The configuration file for vpnc connection settings can be located in a couple places, depending on how many profiles need to be configured. By default, vpnc looks for /etc/vpnc/vpnc.conf for its connection settings. This setup will only address a single profile example and will use the configuration file location /etc/vpnc/vpnc.conf .

FILE /etc/vpnc.conf
IPSec gateway vpngw.example.org
IPSec ID tunnel-split
IPSec secret gentoo-linux-rocks
Xauth username larry
Xauth password gentoo-linux-rocks-and-I-am-a-cow

The configuration file example above should be modified to reflect the appropriate values for the local setup. The gateway option vpngw.example.org can be a fully qualified domain name or an IP address The ID and secret options should be given by a network administrator.

Windows profile .pcf

If the authentication credentials cannot be obtained but a working setup on a Windows box is available which utilizes the official Cisco VPN client, then it suffices to export the profile. The user name and password options are for the normal network sign-on, such as a Windows NT domain account. When the profile is exported from a Windows machine, then the result is most likely a file ending in .pcf . This file will have all the necessary information. Below is an example:

FILE profile.pcf

In the above example, we can see entries for

  • Host,
  • GroupName
  • enc_GroupPwd.

The user credentials may or may not be exported depending on the setup:

  • Username
  • UserPassword

To generate a working vpnc configuration out of it, use pcf2vpnc, included with vpnc.

The password can be decrypted with the help from the cisco-decrypt program, shipped with the latest vpnc.

Converting the ~/profile.pcf file into a /etc/vpnc/vpnc.conf working configuration using the pcf2vpnc tool:

user $pcf2vpnc profile.pcf
## generated by pcf2vpnc
IKE Authmode psk
IKE DH Group dh2
IPSec secret ASD1v5J.a&H.tkfJ

IPSec ID group_id

## To add your username and password,
## use the following lines:
# Xauth username <your username>
# Xauth password <your password>


vpnc contains an init script (/etc/init.d/vpnc) to handle multiple configurations at same time. The default script looks for /etc/vpnc/vpnc.conf, but additional configurations are possible. Before and after shutdown and start-up custom-made scripts can be executed that are connected by their name to the corresponding init script. Script names end in -preup.sh, -postup.sh, -predown.sh and -postdown.sh, stored in the /etc/init.d/scripts.d/ directory. The general naming scheme is sketched in the shown table.

Init script name Needed configuration file Pre-up script name
/etc/init.d/vpnc /etc/vpnc/vpnc.conf /etc/vpnc/scripts.d/vpnc-preup.sh
/etc/init.d/vpnc.work /etc/vpnc/work.conf /etc/vpnc/scripts.d/work-preup.sh


Add vpnc to default runlevel with the following commands (in this case for the standard configuration). Add the tun module (if built that way) to the kernel's autoload mechanism at startup.

root #rc-update add vpnc default

To show all output and prompts on standard output edit the /etc/conf.d/vpnc configuration file.

Set the VPNCOUTPUT variable to yes to all output and promts for the authentication, entering password on the prompt.

Or leave it at the default setting no, where its default is to not display screen output. This way the saved password Xauth password in the global configuration file /etc/vpnc/vpnc.conf is used.




Now that a configuration is in place it is time to test the setup. To start vpnc do the following:

root #service vpnc start
 * Starting VPNC: vpnc ...                                                [ ok ]

The above command output shows that, once vpnc (as root) is executed, a prompt comes up asking for a password. After entering the password (which will not be echoed to the terminal), the vpnc process will automatically become a background process.

If the Xauth password option is specified in the vpnc config file, then at vpnc startup no password will be asked. Additionally, if vpnc needs some extra options not specified in the configuration file, or if something is forgotten, don't worry, it will ask for it.
user $ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 0c:cf:f4:fb:00:00 brd ff:ff:ff:ff:ff:ff
    inet brd scope global dynamic noprefixroute eth0
       valid_lft 82974sec preferred_lft 72174sec
    inet6 fe80::ecf:f4ff:fefb:0/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1412 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::4d36:4f9:735f:ee44/64 scope link stable-privacy proto kernel_ll 
       valid_lft forever preferred_lft forever
user $ip route
default via dev eth0 proto dhcp src metric 1002 dev eth0 proto dhcp scope link src metric 1002 dev tun0 scope link dev tun0 scope link via dev eth0 src
user $more /etc/resolv.conf
#@VPNC_GENERATED@ -- this file is generated by vpnc
# and will be overwritten by vpnc
# as long as the above mark is intact
# Generated by dhcpcd
search example.org

Verify the vpn configured DNS server is reachable:

user $ping dns1
PING dns1.example.org ( 56(84) bytes of data.
64 bytes from dns1.example.org ( icmp_seq=1 ttl=64 time=2.40 ms
64 bytes from dns1.example.org ( icmp_seq=2 ttl=64 time=3.44 ms
64 bytes from dns1.example.org ( icmp_seq=3 ttl=64 time=3.20 ms

--- dns1.example.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 2.404/3.013/3.441/0.442 ms

As can be seen from the above command output(s), vpnc has done the following:

  • Created the tun0 network interface, a virtual interface to handle the traffic across the VPN tunnel
  • Obtained the IP address for the tun0 device from the VPN provider
  • Set routes to route VPN related traffic only to the VPN gateway
  • Set DNS server for the VPN

At this point, the workstation is capable of communicating with hosts via the VPN. Because vpnc sets the default route to the local gateway, and only the VPN network intersting traffic will be routed to the IPSec concentrator appliance.

To end the curren vpnc session use service vpnc stop command. An example is shown below:

root #service vpnc stop
* Stopping VPNC: vpnc ...                                                [ ok ]


Configuration debugging

Use the --debug n running option to get more verbose output. Following options are available:

user $vpnc --help
--debug <0/1/2/3/99>
     Show verbose debug messages
      *  0: Do not print debug information.
      *  1: Print minimal debug information.
      *  2: Show statemachine and packet/payload type information.
      *  3: Dump everything exluding authentication data.
      * 99: Dump everything INCLUDING AUTHENTICATION data (e.g. PASSWORDS).
 conf-variable: Debug<0/1/2/3/99>

Example output of configuration debugging --debug 1 a not working connection session:

root #vpnc --debug 1 /etc/vpnc/vpnc.conf

vpnc version 0.5.3
response was invalid [1]:  (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)

Optionally enable debug output in the /etc/vpnc/vpnc.conf configuration file add follwing line at the last line:

Xauth username larry
debug 2

See also

  • OpenVPN — software that enables the creation of secure point-to-point or site-to-site connections.
  • WireGuard — a modern, simple, and secure VPN that utilizes state-of-the-art cryptography.
  • VPN services

External resources

This page is based on a document formerly found on our main website gentoo.org.
The following people contributed to the original document: David H. Askew, Christian Faulhammer, Thomas Fischer, nightmorph
They are listed here because wiki history does not allow for any external attribution. If you edit the wiki article, please do not add yourself here; your contributions are recorded on each article's associated history page.