This document details how to connect a workstation to a Cisco VPN concentrator utilizing vpnc to manage the connection.
This document is meant for users who want to connect to their office network from home or during travel. Many companies utilize Cisco 3000 VPN concentrators for their VPN needs, and I am willing to bet that most Linux newbies think that they are forced to use Windows to connect to them. Well, this document explains that connecting to a Cisco VPN is definitely possible and will hopefully enable to setup a working tunnel using a Gentoo workstation or laptop.
이 문서에서 취급하는 내용
- A guide to the basic workings of vpnc
- A discussion of DNS and routing issues that relate to VPNs
- Examples of managing VPN sessions
- Useful tips and tricks (hopefully)
이 문서에서 취급하지 않는 내용
- An in-depth guide to VPN/encryption technologies
- A feature by feature explanation of vpnc
여기서 가정할 사항은:
- Gentoo is installed
- Internet access is available and configured
- The connection is towards a Cisco 3000 VPN concentrator
- Configuring, building, and installing a new kernel is not a daunting task for the reader
In order for Linux to be able to open a VPN connection Universal TUN/TAP device driver support must be enabled in the kernel. What is it and why is it needed? Below is a relatively straight forward explanation from the kernel configuration dialog:
TUN/TAP provides packet reception and transmission for user space programs. It can be viewed as a simple Point-to-Point or Ethernet device, which instead of receiving packets from a physical media, receives them from user space program and instead of sending packets via physical media writes them to the user space program. When a program opens /dev/net/tun, driver creates and registers corresponding net device tunX or tapX. After a program closed above devices, driver will automatically delete tunXX or tapXX device and all routes corresponding to it.
When a program opens /dev/net/tun, driver creates and registers corresponding net device tunX or tapX. After a program closed above devices, driver will automatically delete tunXX or tapXX device and all routes corresponding to it. }}
To verify that the kernel has TUN/TAP support, grep the kernel's configuration file:
grep "TUN" /usr/src/linux/.config
CONFIG_INET_TUNNEL=m # CONFIG_INET6_TUNNEL is not set # CONFIG_IPV6_TUNNEL is not set (TUN/TAP enabled as a module) CONFIG_TUN=m # CONFIG_8139TOO_TUNE_TWISTER is not set
As can be seen above,
CONFIG_TUN=m is compiled as a module. If it is disabled in the setup, enable it in the kernel of choice, rebuild, install, reboot and return to this document before continuing with the next steps.
Device Drivers ---> Network device support ---> [*] Universal TUN/TAP device driver support
If TUN/TAP support is built directly into the kernel, dmesg output should look like the following:
dmesg | grep TUN
Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
If TUN/TAP support is built as a module, then first load the
Module Size Used by tun 7296 0
Now that the
tun module is loaded, check dmesg output. Something like the following should show up:
dmesg | grep TUN
Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
필요 프로그램 설치
Now that a working kernel setup is completed, install the net-misc/vpnc package:
emerge --ask net-misc/vpnc
Make sure to check the supported USE flag combinations and see if they apply to the environment. When encountering a problem later with the following error, enable the
hybrid-auth USE flag:
vpnc was built without openssl: Can't do hybrid or cert mode.
In order to make the following sections more clear, we need an example setup to work from. For the purpose of this exercise, we will assume that the home network consists out of several computers. All computers are on the 192.168.0.0 / 255.255.255.0 network. The LAN in question is run by a Gentoo box using an iptables firewall, DHCP, caching DNS, etc ... and it masquerades the LAN behind the public IP address it receives from an ISP. A workstation is also on the LAN from which the VPN into the office will be configured.
예제에서 워크스테이션 설정은 다음과 같습니다:
127.0.0.1 desktop localhost 192.168.0.1 router 192.168.2.2 mediacenter
eth0 Link encap:Ethernet HWaddr 00:11:2F:8D:08:08 inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0 inet6 addr: fe80::211:2fff:fe8d:808/64 Scope:Link UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1 RX packets:3657889 errors:0 dropped:0 overruns:0 frame:0 TX packets:2305893 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:2193722103 (2092.0 Mb) TX bytes:1415104432 (1349.5 Mb) Interrupt:185 Memory:fac00000-0 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:35510 errors:0 dropped:0 overruns:0 frame:0 TX packets:35510 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:16023838 (15.2 Mb) TX bytes:16023838 (15.2 Mb)
Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 192.168.0.0 * 255.255.255.0 U 0 0 0 eth0 loopback desktop 255.0.0.0 UG 0 0 0 lo default router 0.0.0.0 UG 0 0 0 eth0
Now that vpnc is installed and we have an example to work from, let's discuss the basics of setting up vpnc. The configuration file for vpnc connection settings can be located in a couple places, depending on how many profiles need to be configured. By default, vpnc looks for /etc/vpnc/vpnc.conf for its connection settings. This setup will only address a single profile example and will use the configuration file location /etc/vpnc/vpnc.conf .
IPSec gateway vpngateway.domain.org IPSec ID group_id IPSec secret group_password Xauth username network_signon Xauth password network_password
The configuration file example above should be modified to reflect the appropriate values for the local setup. The gateway option
vpngateway.domain.org can be a fully qualified domain name or an IP address. The ID and secret options should be given by a network administrator. If this information cannot be obtained but a working setup on a Windows box is available which utilizes the official Cisco VPN client, then it suffices to export the profile. The user name and password options are for the normal network sign-on, such as a Windows NT domain account.
When the profile is exported from a Windows machine, then the result is most likely a file ending in .pcf . This file will have all the necessary information. Below is an example:
[main] Description= Host=VPNGATEWAY.DOMAIN.ORG AuthType=1 GroupName=group_id GroupPwd= enc_GroupPwd=F3256220AA200A1D532556024F4F314B0388D48B0FBF2DB12 EnableISPConnect=0 ISPConnectType=0 ISPConnect=FOOBAR ISPCommand= Username= SaveUserPassword=0 UserPassword= enc_UserPassword= NTDomain= EnableBackup=0 BackupServer= EnableMSLogon=1 MSLogonType=0 EnableNat=1 TunnelingMode=0 TcpTunnelingPort=10000 CertStore=0 CertName= CertPath= CertSubjectName= CertSerialHash=00000000000000000000000000000000 SendCertChain=0 VerifyCertDN= DHGroup=2 ForceKeepAlives=0 PeerTimeout=90 EnableLocalLAN=0 EnableSplitDNS=1 ForceNetLogin=0
In the above example, we can see entries for
UserPassword may or may not be exported depending on the setup. To generate a working vpnc configuration out of it, use
pcf2vpnc, included with vpnc.
The password can be decrypted with the help from the cisco-decrypt program, shipped with the latest vpnc.
이제 제 위치에 설정을 저장했으니 설정을 시험해 볼 차례입니다. vpnc를 시작하려면 다음을 따르십시오:
Enter password for email@example.com: VPNC started in background (pid: 14788)...
The above command output shows that, once vpnc (as root) is executed, a prompt comes up asking for a password. After entering the password (which will not be echoed to the terminal), the vpnc process will automatically become a background process.
Xauth passwordoption is specified in the vpnc config file, then at vpnc startup no password will be asked. Additionally, if vpnc needs some extra options not specified in the configuration file, or if something is forgotten, don't worry, it will ask for it.
eth1 Link encap:Ethernet HWaddr 00:11:2F:8D:08:08 inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0 inet6 addr: fe80::211:2fff:fe8d:808/64 Scope:Link UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1 RX packets:2101119 errors:0 dropped:0 overruns:0 frame:0 TX packets:1577559 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1757862627 (1676.4 Mb) TX bytes:732200131 (698.2 Mb) Interrupt:177 Memory:faa00000-0 sit0 Link encap:IPv6-in-IPv4 NOARP MTU:1480 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:192.168.160.42 P-t-P:192.168.160.42 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1412 Metric:1 RX packets:1 errors:0 dropped:0 overruns:0 frame:0 TX packets:9 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:500 RX bytes:60 (60.0 b) TX bytes:616 (616.0 b)
Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface vpn01.domain.or router 255.255.255.255 UGH 1500 0 0 eth1 192.168.0.0 * 255.255.255.0 U 0 0 0 eth1 loopback desktop 255.0.0.0 UG 0 0 0 lo default * 0.0.0.0 U 0 0 0 tun0
As can be seen from the above command output(s), vpnc has done the following:
- Created the tun0 network interface, a virtual interface to handle the traffic across the VPN tunnel
- Obtained the IP address for the tun0 device from the VPN provider
- Set the default route to the VPN gateway
At this point, the workstation is capable of communicating with hosts via the VPN. Because vpnc sets the default route to the VPN gateway, all network traffic will travel across the VPN, even if it destined for the Internet or elsewhere not specifically specified by additional routes. For some, this basic type of connection may be satisfactory, but for most, additional steps need to be taken.
붙여볼만한 추가 기능은:
- DNS for the VPN
- A routing setup that will only send traffic destined for the VPN down the virtual tunnel. This way, browsing the Internet will originate directly from the local network even when connected to the VPN, without the personal web/p2p etc. traffic going across the tunnel.
- A script to manage all this, because vpnc just doesn't do enough by default.
To end the VPN session, execute vpnc-disconnect. An example is shown below.
추가로 시험해봐야 할 건이 있으니 아직은 끊지 마십시오. 아래 예제는 그냥 알려주는 목적일 뿐입니다.
Terminating vpnc daemon (pid: 26250)
Unfortunately, vpnc doesn't handle the setup and management of DNS for the newly established tunnel. The user is left to decide how DNS should be handled. Although /etc/resolv.conf can be written during the connection, that would utilize the VPN DNS for all DNS queries regardless of whether or not the traffic is destined for the VPN tunnel. This is a very functional solution and if all that is needed is to connect to the tunnel, work, and then disconnect, read no further. But, to be able to leave the tunnel connected for lengthy periods of time without the work DNS servers handling requests for the personal traffic, read on.
The ideal setup would allow users to separate the DNS queries into two categories: VPN-related and other. Under this setup, all VPN-related DNS queries would be answered by DNS servers located at the other end of the VPN tunnel and all other queries would continue to be answered by local or ISP supplied DNS servers. This is the setup that will be demonstrated here.
VPN 관련 DNS 요청은 host1.example.org 또는 server1.example.org 와 같은 example.org 도메인의 요청으로 간주합니다.
So how to make sure that requests made to hosts on the example.org domain get sent to VPN supplied DNS servers? Well, first install a local DNS server, but don't worry, it's much easier than it sounds. There are several software packages that can handle the type of setup we desire, but for the purposes of this demonstration, dnsmasq will be utilized. Let's emerge it now:
This DNS server software will not be available to the network, and will only answer requests from localhost,
emerge --ask net-dns/dnsmasq
Next add an option to dnsmasq's startup options. Edit the following option and substitute .example.org with the appropriate domain and the IP address with a valid DNS server that belongs to the VPN tunnel.
# See the dnsmasq(8) man page for possible options to put here. DNSMASQ_OPTS="-S /.example.org/192.168.125.10"
Next, make sure that the first entry in /etc/resolv.conf is the local host
127.0.0.1, followed by the location of the backup DNS servers that should handle the DNS traffic in case dnsmasq fails to start, or if it needs to forward a DNS query it doesn't currently have in its cache. An example /etc/resolv.conf is shown below.
nameserver 127.0.0.1 nameserver 192.168.0.1
Now that a rule is setup for the VPN tunnel DNS, start dnsmasq.
rc-update add dnsmasq default
The ideal scenario would be if only the traffic destined for the VPN tunnel would travel across the link. At this point, a VPN tunnel setup exists and all traffic will travel across the tunnel, unless additional routes are specified. In order to fix this situation, know what networks are available on the VPN. The easiest way to find out the needed information is to ask a network administrator, but sometimes they are reluctant to answer such questions. If the local network admin doesn't provide the needed information, some trial and error experiments will be required.
When the VPN tunnel was started, vpnc set the default route to the tunnel. So set the default route back to normal, so that things work as expected.
route add default gw 192.168.0.1
Earlier, when DNS services were being configured for the VPN, a DNS server was specified to handle the example.org domain. Add a route for the 192.168.125.0 subnet so that DNS queries will work:
route add -net 192.168.125.0 netmask 255.255.255.0 dev tun0
At this point, any additional routes for known networks (such as for the subnet 192.168.160.0, which includes the IP address received by the TUN/TAP virtual device) should be added. If a friendly network administrator gave the required info, great. Otherwise, start pinging hosts that will be connected to frequently, to give an idea about what the routing table should look like.
Due to the setup, when using VPN network services by name, specify the fully qualified domain name, for instance: webserver1.example.org
PING intranet1.example.org (172.25.230.29) 56(84) bytes of data. --- intranet1.example.org ping statistics --- 18 packets transmitted, 0 received, 100% packet loss, time 16997ms
As seen from the above example, the ping probes to
intranet1.example.org were unsuccessful. So we need to add a route for that subnet.
route add -net 172.25.230.0 netmask 255.255.255.0 dev tun0
A few ping and route commands later, and the system should be well on its way to a well working routing table.
필요할 때 vpnc 호출
Next is an example script to manage the VPN connection. Execute it (as root) from an xterm to start a connection to the VPN. Then all that is left to do is to press return to disconnect the VPN. Obviously this needs to be modified on the current setup, remembering to add all the additional routes that may be necessary.
#!/bin/bash source /sbin/functions.sh ebegin "Connecting to the VPN" vpnc eend ebegin "Modifying the routing table" route add default gw 192.168.0.1 route add -net 172.25.230.0 netmask 255.255.255.0 dev tun0 route add -net 192.168.160.0 netmask 255.255.255.0 dev tun0 route add -net 192.168.125.0 netmask 255.255.255.0 dev tun0 eend einfo "Press any key to disconnect ..." read $disconnect ebegin "Disconnecting from the VPN" vpnc-disconnect eend ebegin "Reconfiguring the default routing table" route add default gw 192.168.0.1 eend einfo "VPN should now be disconnected"
부팅할 때 vpnc 시작하기
vpnc 0.4.0-r1에는 다중 설정을 처리하는 초기화 스크립트 파일( /etc/init.d/vpnc )이 있습니다. 기본 스크립트는 /etc/vpnc/vpnc.conf 파일을 찾지만 대부분의 설정에서는 가능한 생각만큼 많은 설정을 보유합니다. 서비스를 내리고 시작하기 전에 별도로 만든 스크립트는 각각의 초기화 스크립트(0.5.1-r1 부터)의 이름과 연동하여 실행할 수 있습니다. 이름은 -preup.sh , -postup.sh , -predown.sh , -postdown.sh로 끝나며, /etc/init.d/scripts.d/ 디렉터리에 들어있습니다. 일반 이름 형식은 다음 표에 적어두었습니다.
|초기화 스크립트 이름||필요한 설정 파일||사전 가동 스크립트 이름|
다음 명령으로 vpnc를 기본 런레벨에 추가하십시오(이 경우 표준 설정에 한합니다). 잊지 말고 시작시 커널 모듈 자동 적재 기반에(모듈 기반으로 빌드했을 경우) tun 모듈을 추가하십시오.
rc-update add vpnc default
설정 파일에 암호를 저장하지 않게 하려면, /etc/conf.d/vpnc 파일을 편집하여 초기화 스크립트에서 모든 출력 및 프롬프트를 표준 출력으로 내보내게 하십시오. 기본으로 디스플레이 화면 출력을 하지 않는 VPNCOUTPUT 변수를
초기화 스크립트에서는 DNS 분리를 처리하지 않지만, 개별 스크립트를 활용할 수 있습니다.
그래픽 원격 접근
When looking for a Linux application that supports RDP (Remote Desktop Protocol) then give net-misc/grdesktop a try. It is a GUI app written in GTK+ that fits in well with a Gnome desktop, but doesn't require it. As an alternative to the GUI configuration dialog that grdesktop provides, just install net-misc/rdesktop. Ultimately, grdesktop is just a frontend for rdesktop.
KDE users might want to try out net-misc/kvpnc. It appears to be a very mature VPN management GUI.
To connect to a Windows machine which doesn't have a DNS entry, but for which the address of an available WINS server is known, use a tool called nmblookup to query the WINS server for the host name of the machine to connect to. Unfortunately, net-fs/samba needs to be installed to get it, but when working with boxes running Windows installing samba is usually a given, because it includes several other useful tools.
emerge --ask net-fs/samba
When samba and its tools are installed, test nmblookup by asking the WINS server at IP address 192.168.125.11 about a host named wintelbox1.
nmblookup -U 192.168.125.11 -R 'wintelbox1'
querying wintelbox1 on 192.168.125.11 172.25.230.76 wintelbox1
부팅시 활용하는 개별 정의 스크립트
The custom-made scripts for the init.d file can be used to setup a user-defined routing for the vpnc connection. The examples below show how to setup the routing table so that only connections to 123.234.x.x are routed over the VPN and all other connections use the default gateway. The example uses work-preup.sh to save the current default gateway before starting vpnc (which resets the default gateway using the VPN connection). Once vpnc has been started, work-postup.sh deletes this new default gateway, restores the old default gateway and sets the route for all connections to 123.234.x.x to use the vpnc connection.
#!/bin/sh route -n | grep -E '^0.0.0.0 ' | cut -c 17-32 >/var/tmp/defaultgw
#!/bin/sh route del -net 0.0.0.0 netmask 0.0.0.0 dev tun1 route add default gw $(cat /var/tmp/defaultgw) route add -net 220.127.116.11 netmask 255.255.0.0 dev tun1
The example scripts assume that the vpnc connection uses tun1 as tun device. Set the device name in the connection's configuration file.
Interface name tun1 IPSec gateway vpn.mywork.com Pidfile /var/run/vpnc.work.pid
This page is based on a document formerly found on our main website gentoo.org.
The following people contributed to the original document: David H. Askew, Christian Faulhammer, Thomas Fischer, nightmorph
They are listed here because wiki history does not allow for any external attribution. If you edit the wiki article, please do not add yourself here; your contributions are recorded on each article's associated history page.