vpnclient at ETHZ

Installing a VPNclient on SuSE 7.3, 8.x, and 9.0 (encrypted connection)

Debian Linux users: see our installation guide for Debian Linux for the vpnclient of the ETHZ.

This web page has not been maintained since 6Jun2004. It may still contain useful information for users of SuSE Linux.
For up-to-date information please also have a look at the installation guide for Debian Linux for the vpnclient of the ETHZ, where several topics are explained in more detail; it is also useful for users of SuSE and other Linux distributions.

This page is probably useful for students and staff of the ETHZ only.
If you use either DialUp or DialUp800 to connect to the domain ethz.ch, you may use VPN as well, but a direct dial-up line into the ETHZ is probably already reasonably secure.
However, if you connect to the domain ethz.ch via the public internet, e.g. while working outside the ETH (at a scientific meeting, say) or from home over ADSL or TV cable, I strongly recommend using a secure VPN tunnel; otherwise all data transfer that is not encrypted by the application itself (passwords, e-mails, etc.) must be regarded as insecure!

This page is divided in six parts:
- Part 1: Install Kernel-Sources
- Part 2: Install vpnclient
- Part 3: Running and Configuring vpnclient
- Part 4: Create Icons on KDE-Desktop
- Part 5: Useful Links
- Part 6: Comments received

Please be aware of the following: even if a router with a 'firewall' sits between your PC or your home LAN and the internet, once a VPN connection to the ETHZ is up, your machine can also be reached at the IP number it was given for the VPN connection by anyone on the public internet, because that traffic arrives encrypted inside the tunnel, where the router's filter cannot see it. Therefore I strongly recommend that you install and configure the SuSEfirewall or SuSEfirewall2 on the machine itself and, if you like, an appropriate monitoring tool, e.g. SFIRESCAN.
If you decide to use the SuSEfirewall or SuSEfirewall2 (both are packet filters), note that you have to include the IP addresses of the security gateways 129.132.99.162, 129.132.99.163 and 129.132.99.171 in the line FW_TRUSTED_NETS= of the file /etc/rc.config.d/firewall.rc.config (SuSE 7.3) or /etc/sysconfig/SuSEfirewall2 (SuSE 8.x), so that the key exchange and the IPSec traffic from these gateways are let through.
We now use picoFIREWALL and put the three IP addresses (129.132.99.162, 129.132.99.163 and 129.132.99.171) into the file /etc/picofirewall/open_log.cfg. Since 2003 we use picoFIRESCAN to analyze the firewall logs.
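A stricter equivalent of the FW_TRUSTED_NETS advice above, as an added example that is not from this page and not part of SuSEfirewall or picoFIREWALL: an iptables ruleset that admits only the key exchange and the IPSec traffic from the three gateways and logs and drops every new connection that arrives through the tunnel. The tunnel interface name cipsec0, IKE on UDP/500 and UDP/4500, and ESP as the data protocol are assumptions, not facts stated on the page; adjust them if your profile uses IPSec over UDP or TCP on port 10000 instead. Run it without arguments to print the rules, with 'apply' as root to load them.

```shell
#!/bin/bash
# vpn-filter.sh: packet-filter rules for a SuSE box running the Cisco vpnclient.
# Added example; not from the page and not part of SuSEfirewall or picoFIREWALL.
# Assumptions (not stated on the page): the tunnel interface is cipsec0, the
# key exchange is IKE on UDP/500 (UDP/4500 with NAT traversal) and the data
# travels as ESP (IP protocol 50).  If your profile tunnels IPSec over UDP or
# TCP port 10000 instead, add the corresponding line in the loop below.
#
# Usage:  vpn-filter.sh          # print the rules (dry run)
#         vpn-filter.sh apply    # load them (as root)

# The three ETHZ security gateways named on the page.
VPN_GATEWAYS="129.132.99.162 129.132.99.163 129.132.99.171"
TUN_IF=cipsec0              # assumed interface name, see above
IPT=${IPT:-iptables}

# Emit one iptables command per line; nothing is executed here, so the
# rules can be inspected (or tested) before they are loaded.
vpn_rules() {
    local gw
    # Replies to connections we opened ourselves keep working.
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Key exchange and IPSec only from the three gateways; this is the
    # strict version of listing them in FW_TRUSTED_NETS.
    for gw in $VPN_GATEWAYS; do
        echo "$IPT -A INPUT -s $gw -p udp --dport 500 -j ACCEPT"
        echo "$IPT -A INPUT -s $gw -p udp --dport 4500 -j ACCEPT"
        echo "$IPT -A INPUT -s $gw -p esp -j ACCEPT"
    done
    # The tunnel gives this box a public ETHZ address that the home router's
    # filter never sees, so every new connection arriving through it is
    # logged and dropped.  Put ACCEPT lines for services you really need
    # on the VPN address above these two.
    echo "$IPT -A INPUT -i $TUN_IF -m state --state NEW -j LOG --log-prefix 'vpn-drop: '"
    echo "$IPT -A INPUT -i $TUN_IF -m state --state NEW -j DROP"
}

# Number of rules that name a given source address (self-check helper).
rules_for_gateway() {
    vpn_rules | grep -c -- "-s $1 "
}

case "${1:-}" in
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        vpn_rules | while IFS= read -r line; do eval "$line"; done
        ;;
    *)
        vpn_rules
        ;;
esac
```

The rules are appended to INPUT and set no chain policy, so they combine with whatever filter is already on the machine; check the dry-run output against your existing rules before applying.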

'vpnclient' needs the kernel sources in order to build its kernel module; therefore the kernel sources must be installed first.

1. Install Kernel-Sources

- YaST2 Control Center - Software - Install/Remove Software
  (Install DVD should be in DVD drive)
  * Search 'kernel-source'
  * double-click on kernel-source
  * OK
  (this takes a while...)
  * Close the YaST control Center Window
- Optionally read the comments in file /usr/include/linux/version.h
- SuSE 7.3: cp /boot/vmlinuz.version.h /lib/modules/2.4.10-4GB/build/include/linux/version.h
- SuSE 8.0: cp /boot/vmlinuz.version.h /lib/modules/2.4.18-4GB/build/include/linux/version.h
- SuSE 8.1 and later: This step is not necessary anymore

2. Install vpnclient

- https://n.ethz.ch/software/vpn
  (enter username & password when asked for it)
  --> If you have difficulties with your n.ethz account (Username/Password)
      contact http://m.ethz.ch/administration_m_kunde.html
       or call 2 7100.
- Click on 'Linux' directory
- Click on 'vpnclient-linux-4.0.3.B-k9.tar.gz' and download it
  --> a newer version may be available by now; take the newest one provided!
- right-click on 'ethz.pcf' and download it (Save link as...)
- If you have a local LAN at your home, and want to access your local machines
   while the tunnel is up, you should download another *.pcf file instead of the
   ethz.pcf described above. You can get it on page https://n.ethz.ch/software/vpn/.
   There, right-click on ETHZ-LocalLan.pcf, download it, and rename it to
   ethz.pcf and continue as described below.
- these two files are now in your_download_dir
- cd /app   (or any other directory where you want to keep your applications)
- su -
- (root password)
- cp /your_download_dir/vpnclient-linux-4.0.3.B-k9.tar.gz .
- gunzip vpnclient-linux-4.0.3.B-k9.tar.gz
- tar -xvf vpnclient-linux-4.0.3.B-k9.tar
- chown -R root:root vpnclient
- cd vpnclient
- cp /your_download_dir/ethz.pcf .

- ./vpn_install
  - (Carriage-Return)    # /usr/local/bin is ok
  - no                   # do *not* automatically start vpnclient at boot time
                         (does not work properly on SuSE Linux 7.3 and 8.0 & 8.1
                         - if you want to do this, see further below)
  - (Carriage-Return)    # is now correct since Version 3.7.2...
                         # should be ok for newer vpnclient-versions...
                         # must be /lib/modules/2.4.21-99-default/build (SuSE 9.0)
                         # must be /lib/modules/2.4.19-4GB/build (SuSE 8.1)
                         # must be /lib/modules/2.4.18-4GB/build (SuSE 8.0)
                         # must be /lib/modules/2.4.10-4GB/build (SuSE 7.3)
  - (Carriage-Return)    # if you are satisfied with all the parameters
  - You will get several warning messages; they can be ignored

- To stop SuSEconfig from renaming the links in the rc-directories,
  edit the file /etc/init.d/vpnclient_init and add the following line to the
  comment header of the script (around line 15, including the '#'):
# Required-Start: splash_late

- If you want to start the vpnclient at boot time, enter these commands:
  ln -s /etc/init.d/vpnclient_init /etc/init.d/rc3.d/S85vpnclient_init
  ln -s /etc/init.d/vpnclient_init /etc/init.d/rc5.d/S85vpnclient_init
  (Note: the install script wants to create a link for run-level 4, but this
   run-level is not used on SuSE Linux.)
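The unpacking steps and the init-script edit of Part 2, as one added script that is not part of this page and not Cisco's vpn_install (whose prompts you still answer by hand, so the script stops right before that step). It refuses archives that do not contain vpnclient/vpn_install, which is what a download that ended on a login page instead of the file looks like, unpacks as root with the chown from above, and inserts the Required-Start line into the header of /etc/init.d/vpnclient_init so that running it twice does no harm. That the archive unpacks into a top-level vpnclient/ directory follows the 'cd vpnclient' step above; that the init script carries an LSB '### BEGIN INIT INFO' block is an assumption, with a fallback after the shebang line.

```shell
#!/bin/bash
# unpack-vpnclient.sh: check and unpack the vpnclient archive, then prepare the
# init script as described in Part 2.  Added example, not part of the page and
# not Cisco's vpn_install (whose prompts you still answer by hand, so the
# script stops right before that step).
# Assumptions: the archive unpacks into a top-level directory vpnclient/ that
# holds vpn_install (this follows the 'cd vpnclient' step above), and the init
# script has an LSB '### BEGIN INIT INFO' header; without one, the line is put
# after the shebang line instead.
#
# Usage (as root):
#   unpack-vpnclient.sh /your_download_dir/vpnclient-linux-4.0.3.B-k9.tar.gz /app

# 0 if FILE is a gzipped tar archive containing vpnclient/vpn_install.  A
# download that silently ended on a login page instead of the file is an HTML
# document saved under the .tar.gz name; this check rejects it before anything
# is unpacked as root.
tarball_ok() {
    gzip -t "$1" 2>/dev/null || return 1
    tar -tzf "$1" 2>/dev/null | grep -qx 'vpnclient/vpn_install'
}

# Unpack TARBALL below DIR and hand the tree to root (the chown -R from above).
unpack_vpnclient() {
    local tarball=$1 dir=$2
    tarball_ok "$tarball" || { echo "$tarball is not the vpnclient archive" >&2; return 1; }
    mkdir -p "$dir" && tar -xzf "$tarball" -C "$dir" && chown -R root:root "$dir/vpnclient"
}

# Add 'splash_late' to the Required-Start line of an init script, creating the
# line in the LSB header if there is none.  Safe to run more than once.
add_required_start() {
    local script=$1
    if grep -q '^# Required-Start:.*splash_late' "$script"; then
        return 0
    elif grep -q '^# Required-Start:' "$script"; then
        sed -i 's/^# Required-Start:.*/& splash_late/' "$script"
    elif grep -q '^### BEGIN INIT INFO' "$script"; then
        sed -i '/^### BEGIN INIT INFO/a\
# Required-Start: splash_late' "$script"
    else
        sed -i '1a\
# Required-Start: splash_late' "$script"
    fi
}

# Run-level links for SuSE: levels 3 and 5 only, level 4 is unused there.
link_runlevels() {
    local lvl
    for lvl in 3 5; do
        ln -sf /etc/init.d/vpnclient_init "/etc/init.d/rc$lvl.d/S85vpnclient_init"
    done
}

if [ $# -eq 2 ]; then
    unpack_vpnclient "$1" "$2" || exit 1
    echo "unpacked; now: cd $2/vpnclient && cp /your_download_dir/ethz.pcf . && ./vpn_install"
    echo "afterwards: add_required_start /etc/init.d/vpnclient_init && link_runlevels"
fi
```

The two helper functions at the end are meant to be called after ./vpn_install has created /etc/init.d/vpnclient_init; if you do not want the client started at boot, call only add_required_start.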

3. Running and Configuring vpnclient

- /etc/init.d/vpnclient_init start
  (loads the client's kernel module; this must be run after each boot before
   using the client if you did not create the two links described above)

- vpnclient connect ethz
  (the profile is read from /etc/CiscoSystemsVPNClient/Profiles/ethz.pcf,
   where vpn_install has moved the ethz.pcf file)
  --> you will be prompted for the Username and the Password
  --> say 'y' when asked to save the password
      (the saved password is then stored in the profile file itself, so make
       sure /etc/CiscoSystemsVPNClient/Profiles/ethz.pcf stays readable by
       root only, e.g. with chmod 600)
  ... and the connection will be established; the client keeps running in
  the foreground, so this window stays 'blocked' until you disconnect
  ! Sometimes you are *not* asked whether you want to save the password.
  ! In such a case enter "vpnclient disconnect" from another window and
    start vpnclient again. Usually it then asks you to save the password.

- In another, new window start any TCP/IP connection (ssh, telnet, etc.),
  and the ETH machine will 'see' you as e.g. vpn-global-dhcp-nnn.ethz.ch 129.132.210.nnn
  (You may of course also connect to machines outside the ethz.ch domain)

You may also enter further commands:

- vpnclient stat         # gives status information

- vpnclient disconnect   # disconnects your IPSec link
  (when doing this, make sure, you are logged out from any remote host)

Once you have connected and disconnected successfully, you may edit the file
  /etc/CiscoSystemsVPNClient/Profiles/ethz.pcf
and change the value ForceKeepAlives from 0 to 1; this makes the client send
periodic keepalives, which helps when a NAT router or firewall between you and
the ETHZ drops idle connections. I would be glad to hear about your experience!
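The two profile edits Part 3 asks for, as an added script that is neither from this page nor part of the Cisco client: set ForceKeepAlives (or any other Key=Value in the [main] section) and, because the password saved with 'y' is written into the same file, leave the profile readable by root only. The [main] section with Key=Value lines and the possible CRLF line ends are the layout of the client's .pcf files; the sample profile the script writes when run without arguments is constructed for the demonstration and contains no real ETHZ settings.

```shell
#!/bin/bash
# pcf-tune.sh: change one key in a Cisco vpnclient .pcf profile and lock the
# file down.  Added example, not part of the original page or the client.
# .pcf files are INI-style: a [main] section with Key=Value lines, often with
# CRLF line ends, which the functions below tolerate (a replaced line is
# rewritten with a plain LF, which the client accepts).  Once the password has
# been saved with 'y' it is stored in this file as well, so nobody but root
# should be able to read it.
#
# Usage:  pcf-tune.sh /etc/CiscoSystemsVPNClient/Profiles/ethz.pcf [Key Value]
#         (default Key Value: ForceKeepAlives 1; without arguments a demo runs
#          on a constructed sample profile in a temporary file)

# Print the value of KEY in FILE (empty if absent); a trailing CR is stripped.
pcf_get() {
    sed -n "s/^$2=//p" "$1" | tr -d '\r' | head -n 1
}

# Set KEY=VALUE in FILE: replace the existing line, or add one directly below
# the [main] header so the client finds it in the section it reads.
# Values are plain tokens like 1 or 90 (no '/' or '&', which sed would mangle).
pcf_set() {
    local file=$1 key=$2 value=$3
    if grep -q "^$key=" "$file"; then
        sed -i "s/^$key=.*/$key=$value/" "$file"
    else
        sed -i "/^\[main\]/a\\
$key=$value" "$file"
    fi
}

# Owner-only permissions (and root ownership when run as root); prints the
# resulting octal mode so a caller can verify it.
pcf_lockdown() {
    chmod 600 "$1"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$1"; fi
    stat -c '%a' "$1"
}

main() {
    local file=$1 key=${2:-ForceKeepAlives} value=${3:-1}
    [ -f "$file" ] || { echo "no such profile: $file" >&2; return 1; }
    pcf_set "$file" "$key" "$value"
    echo "$file: $key=$(pcf_get "$file" "$key"), mode $(pcf_lockdown "$file")"
}

# Constructed sample profile (not the real ethz.pcf): CRLF line ends,
# keepalives off, password saving on.
demo() {
    local tmp
    tmp=$(mktemp)
    printf '[main]\r\nDescription=demo profile\r\nForceKeepAlives=0\r\nSaveUserPassword=1\r\n' > "$tmp"
    main "$tmp"
    rm -f "$tmp"
}

if [ $# -gt 0 ]; then main "$@"; else demo; fi
```

Run it as root against the real profile after the first successful connect/disconnect; pcf_get lets you confirm the new value without opening the file in an editor.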

4. Create Icons on Desktop (KDE-Desktop)

- Right-Click on the desktop and select 'New' and 'Link with Program'
- Under 'General' write 'VPN ethz ON'
- Under 'Execute' write 'vpnclient connect ethz'
- OK
- Right-Click on the desktop and select 'New' and 'Link with Program'
- Under 'General' write 'VPN ethz OFF'
- Under 'Execute' write 'vpnclient disconnect'
- OK
- Right-Click on the desktop and select 'New' and 'Link with Program'
- Under 'General' write 'VPN status'
- Under 'Execute' write 'wterm -geometry 80x35 -e /usr/local/bin/vpnstatus.sh'
- OK
- Create a file /usr/local/bin/vpnstatus.sh with the following content:

#!/bin/bash
#
# vpnstatus.sh       6.4.2002/uk   modified 18.10.2002
#
# Show whether the Cisco vpnclient is running and, if so, its status and the
# address the tunnel gave us; opened in a terminal window from the KDE icon.
# The '[v]' in the pattern keeps the grep process itself out of the match,
# so no 'grep -v grep' is needed.
if ! ps -ef | grep -q '[v]pnclient' ; then
   echo ""
   echo "vpnclient not running..."
   echo ""
   echo ""
else
   status=$(vpnclient stat)
   myIP=$(echo "$status" | grep "Client address:" | cut -d: -f 2 | tr -d ' ')
   echo "$status"
   echo " "
   echo "Your IP is: $myIP"
fi
echo " "
echo "Hit CR to exit"
read answer
#


- chmod a+x /usr/local/bin/vpnstatus.sh
  (in order to make this script executable for everyone)

Now you have three icons on your desktop, allowing you to establish, disconnect, or view the status of the secure VPN tunnel with a single click on the appropriate icon.

5. Useful Links

- http://www.id.ethz.ch/Dienste/VPN/
- http://www.kom.id.ethz.ch/datkom/vpn/was_ist_vpn.html
- http://n.ethz.ch/dialup_vpn.html
- http://www.kom.id.ethz.ch/datkom/vpn/tipps_zu_vpn.htm
- http://wireless.ethz.ch/wlansupp.html How to connect to the WLAN of the ETHZ

6. Comments received
On 13 January 2004 I got a report from Jonas Buchli (EPFL) that he had experienced difficulties when compiling vpnclient with gcc-3.3.2; with gcc-3.3.1 the problems disappeared.

On 9 May 2002 I received the following comment from Florian Helbing (I think this comment is outdated by now, but I leave it here anyhow):

Hello,

I tried the VPN client and ran into a small dependency problem under 2.4.18:
the function get_fast_time no longer exists in 2.4.18. Apparently it can be
replaced by do_gettimeofday, though. If you do that in the source of the VPN
client (in the file linuxcniapi.c), it works.
A small patch is attached below (patch < patchfile).
Apart from that, I wanted to praise the ID for having now implemented such a
nice 'proper' VPN protocol.

Best regards,

Florian Helbing

--- linuxcniapi.c       Thu May  9 02:01:02 2002
+++ linuxcniapi.c_new   Thu May  9 02:00:53 2002
@@ -1282,7 +1282,7 @@
         rc = CNI_W_OUT_OF_DESCRIPTORS;
     } else {
         /* move the data into the packet */
-        get_fast_time(&skb->stamp);
+        do_gettimeofday(&skb->stamp);

         pIP = skb_put(skb, lpPacketDescriptor->uiPacketSize);

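Review bot: the substitution in this hunk is type-correct, since skb->stamp is a struct timeval on 2.4 kernels and do_gettimeofday takes a struct timeval *, and do_gettimeofday is also present on the older 2.4.10 and 2.4.18 kernels this page targets, so the patched file builds on SuSE 7.3 and 8.0 as well and no LINUX_VERSION_CODE conditional is needed. For applying it: the header names the bare file linuxcniapi.c, so run patch < patchfile inside the unpacked vpnclient directory, before ./vpn_install, and check that the hunk at line 1282 still applies cleanly to the newer 4.0.3.B source named on this page (it was written against the May 2002 version).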
@@ -1400,7 +1400,7 @@
                    lpMacFragment->uiFragmentDataSize);
         }

-        get_fast_time(&skb->stamp);
+        do_gettimeofday(&skb->stamp);

         skb->dev = pBinding->pDevice;

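Review bot: this is the same one-line substitution as in the first hunk, repeated by hand at a second call site, and nothing in the patch shows whether these two are the only uses of get_fast_time in the tarball; run grep -rn get_fast_time . in the unpacked source before building, and if further call sites turn up, a single `#define get_fast_time do_gettimeofday` placed after the kernel includes at the top of linuxcniapi.c covers them all in one place instead of one hunk per call site.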



Last Update: 16Mar2005 uk   -   Created: 06Apr2002