Cisco VPN Client
From HotDec
Introduction
!! NOTE !! - The campus VPN system performs so poorly that we have given up on using it for wireless networking. The VPN client takes far too long to connect to the VPN server, and often it never connects at all. The school will be replacing the Cisco VPN server, so VPN may become a viable option again after that.
To use the CITES UIUC campus network, the SBC needs the Cisco VPN client. The VPN client package can be downloaded from [1]. The package comes with a program (vpn_install) that is meant to install and set up the VPN client automatically. Unfortunately this program does not work on the SBC, so we must compile, install, and configure the package by hand. VPN client setup:
- compile and install vpn client kernel module
- compile and install vpn libraries
- compile and install vpn user-land programs
- setup user profile
- create init script
Kernel Module
To compile the VPN kernel module, we must first know the directory the kernel source code resides in. The 'driver_build.sh' script tries to use the source tree of the kernel currently running on the build machine, which is wrong here: the module must be built against the SBC's kernel, not the host's, or it will not load on the SBC. Currently (May 18 2006) we keep the source code for the kernel running on the SBC in "/usr/local/src/linux-2.6.15.3-rtai". The make command below must be modified if that source tree is placed somewhere else.
From the vpnclient folder, run:
make KERNEL_SOURCES=/usr/local/src/linux-2.6.15.3-rtai
This should produce the kernel module "cisco_ipsec.ko". Copy the new module to the modules directory for the SBC's kernel release (the directory name is the release string of the kernel running on the SBC, which is what modprobe searches):
mkdir /sbc/modules/2.6.15.3-sbc-apr13-rtai/CiscoVPN
cp cisco_ipsec.ko /sbc/modules/2.6.15.3-sbc-apr13-rtai/CiscoVPN
You will need to run depmod on the cisco_ipsec module so that modprobe can find it. Since depmod is not installed on the SBC, run depmod on the host against the SBC's files while they are mounted there (depmod's -b option points it at a root directory other than /). See: Running depmod on host
Programs
The Cisco VPN client also has some user-space programs. They can be installed by hand, or installed on a host machine (with bash) and then copied over along with their directories. For the SBC we put the programs in /opt/cisco-vpnclient/bin
Cisco VPN Programs:
- vpnclient
- cisco_cert_mgr
- ipseclog
- cvpnd
You need to copy these programs to somewhere on the PATH.
Set the setuid bit on cvpnd so that it runs as root (it drives the kernel module). Note that a setuid-root binary is then runnable by every local user unless its execute permission is restricted to a group:
chmod u+s cvpnd
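The script below is an added example, not code from this page or from Cisco's vpn_install; it installs the user-land programs and gives cvpnd mode 4750 (setuid root, no world access) instead of a plain u+s, so only members of one group can start the daemon. The group name "vpn", the function names and the staging layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the HotDec page or Cisco's vpn_install script.
# Installs the VPN user-land programs and makes cvpnd setuid root, but
# mode 4750 (owner root, group "vpn") so only members of that group can
# start it. Group "vpn" and the function names are assumptions.
set -eu

# Print the 10-character mode string of a file, e.g. "-rwsr-x---".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# install_vpn_program SRC DESTDIR [GROUP]: copy SRC into DESTDIR and set its
# mode; cvpnd gets 4750 (setuid, no world access), everything else 0755.
# Prints the resulting mode string so the caller can verify it.
install_vpn_program() {
    src=$1; destdir=$2; group=${3:-vpn}
    name=$(basename "$src")
    target="$destdir/$name"
    mkdir -p "$destdir"
    cp "$src" "$target"
    if [ "$name" = cvpnd ]; then
        # Ownership can only be changed by root; when this runs as a normal
        # user (e.g. when testing) the mode bits are still set and checked.
        if [ "$(id -u)" -eq 0 ] && getent group "$group" >/dev/null 2>&1; then
            chown "root:$group" "$target"
        fi
        chmod 4750 "$target"
    else
        chmod 0755 "$target"
    fi
    mode_of "$target"
}

# list_setuid DIR: print every setuid file under DIR. Run it after the
# install to confirm cvpnd is the only program that picked up the s bit.
list_setuid() {
    find "$1" -type f -perm -4000
}
```

Run it as root on the host against the mounted SBC tree, once per program (vpnclient, cisco_cert_mgr, ipseclog, cvpnd), with the destination being /opt/cisco-vpnclient/bin under the SBC's mount point; then run list_setuid on that directory and expect exactly one line, cvpnd.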
Configuration
The Cisco VPN client seems to need its configuration files to be located in /etc/opt/cisco-vpnclient. Once again the files can be copied over by hand, or installed on a host machine and then copied over.
Configuration Files:
- vpnclient.ini
- internal.ini
- Profiles (directory)
- Certificates (directory)
Profiles
The SBC will need the 'UIUCnet-oncampus.pcf' profile from the CITES website put in the /etc/opt/cisco-vpnclient/Profiles directory. The 'UIUCnet-oncampus.pcf' profile should be modified so that it includes an encrypted user password, so that the vpnclient program will not prompt for a password when it is started. To set up an encrypted password:
- in the UIUCnet-oncampus.pcf file change the line:
Notes
- The Cisco VPN client requires that a loopback interface (lo, 127.0.0.1) be configured for the VPN system to work.
- The Cisco VPN client writes to the profile used for connecting, even when the file is not writable. The only way to prevent this is to mount the drive read-only. Our work-around is to copy the profile we want to use to /tmp and point a symbolic link in /etc/opt/cisco-vpnclient/Profiles at the copy in /tmp. Note that the copy may contain the password (cleartext or encrypted), so it must not be world-readable, and a fixed file name in /tmp can be created ahead of time by any other local user; a private directory (mkdir -m 700 or mktemp -d) avoids both problems.
- The Cisco VPN client does not reliably convert a cleartext password in the profile into the encrypted form. We have gotten lucky once or twice, but we do not know why it sometimes saves the encrypted password and other times does not. Check the profile after a successful connection and make sure the cleartext password has actually been removed before leaving the file on the SBC.
