vpnclient at ETHZ for Debian Linux
Installing a VPNclient on Debian Linux (encrypted connection)
This page is possibly useful for students and staff of the ETHZ only.
If you are using either DialUp or DialUp800 to connect to the domain ethz.ch, you may use VPN, but your connection is probably quite secure already.
However, if you connect to the domain ethz.ch via the public internet, e.g. while working outside the ETH (at a scientific meeting, say) or if you work at home with an internet connection through ADSL or TV cable, I highly recommend using a secure VPN tunnel; otherwise all data transfer (passwords, e-mails, etc.) must be regarded as insecure!
Although there are specific Debian packages available at ETH sites, they are often for specific Debian versions only (e.g. woody), and the newest versions (e.g. for Linux kernel 2.6) are often not available as packages.
The following HOWTO explains how to install the vpnclient from Cisco for secure and encrypted connections to the ETHZ. It is used and has been tested by us under the current testing release of Debian (Sarge) with newer 2.4 or 2.6 kernels.
This page is divided into six parts:
- Part 1: Install Kernel-Sources
- Part 2: Install vpnclient
- Part 3: Running and Configuring vpnclient
- Part 4: Create Icons on KDE-Desktop
- Part 5: Avoiding and solving problems
- Part 6: Useful Links
Please be aware of the following: even if you have a router with a 'firewall' between your PC or your home LAN and the internet, once you have established a VPN connection to the ETHZ your machine can be reached by any user of the public internet who tries to reach the IP number you have been given with the VPN connection, because that traffic arrives inside the tunnel and is never seen by the router's firewall. Therefore I strongly recommend that you install and configure a firewall on your Linux machine.
We use picoFIREWALL and put the three IP addresses (129.132.99.162, 129.132.99.163 and 129.132.99.171) into the file /etc/picofirewall/open_log.cfg. Since 2003 we have used picoFIRESCAN as the analysis tool for the firewall.
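As an added example (not from this page and not picoFIREWALL's configuration), a minimal iptables ruleset for the tunnel interface: replies to connections you opened yourself are let in, everything else arriving through the tunnel is logged (rate-limited) and dropped, and the physical interface is left untouched. It assumes the Cisco client's virtual interface is named cipsec0 (not stated on the page; set TUN_IF if yours differs) and that iptables is installed.

```shell
#!/bin/sh
# Host firewall for the VPN tunnel interface (added example, not part of the HOWTO).
# Once the tunnel is up, the VPN address is reachable from the whole internet through
# the tunnel, so inbound traffic on that interface gets a default-deny policy with logging.
# Assumption (not stated on the page): the Cisco client's interface is called cipsec0.
TUN_IF="${TUN_IF:-cipsec0}"

# vpn_fw_rules: print the iptables commands, one per line, so they can be reviewed
# before anything is applied. Rules are confined to a dedicated chain, VPN_IN.
vpn_fw_rules() {
  cat <<EOF
iptables -N VPN_IN 2>/dev/null || iptables -F VPN_IN
iptables -A VPN_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A VPN_IN -p icmp --icmp-type echo-request -j ACCEPT
iptables -A VPN_IN -m limit --limit 5/min -j LOG --log-prefix "vpn-in-drop: "
iptables -A VPN_IN -j DROP
iptables -D INPUT -i $TUN_IF -j VPN_IN 2>/dev/null || true
iptables -I INPUT 1 -i $TUN_IF -j VPN_IN
EOF
}

# vpn_fw_rule_count: number of iptables commands the generator emits (sanity check).
vpn_fw_rule_count() { vpn_fw_rules | grep -c '^iptables '; }

# vpn_fw_apply: execute the rules as root; stops at the first failing command.
vpn_fw_apply() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  vpn_fw_rules | sh -e
}

# vpn_fw_status: show counters for what is currently attached to the tunnel interface.
vpn_fw_status() { iptables -L VPN_IN -n -v; }

case "${1:-}" in
  show)   vpn_fw_rules ;;
  apply)  vpn_fw_apply ;;
  status) vpn_fw_status ;;
esac
```

Run it with `show` first, then `apply` as root; re-running `apply` is safe because the chain is flushed and re-attached rather than duplicated.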
1. Install Kernel-Sources

'vpnclient' needs the kernel sources in order to build a module; therefore these kernel sources must be installed first.

- Find out what kernel version you have installed:
    uname -r
  In this example we get 2.6.10-1-686 and will use this in the following description; you will have to substitute your own version.
- Become root (su -)
- apt-get install kernel-source-2.6.10 kernel-headers-2.6.10-1-686
- cd /usr/src
- ln -s kernel-headers-2.6.10-1-686 linux

2. Install vpnclient

- Go to https://n.ethz.ch/software/vpn (enter username & password when asked for it)
  --> If you have difficulties with your n.ethz account (Username/Password) contact http://m.ethz.ch/administration_m_kunde.html or call 2 7100.
- Click on the 'Linux' directory
- Do *not* click on 'Debian Linux' (this is old stuff)!
- Click on 'Cisco Client'
- Click on 'vpnclient-linux-4.6.00.45-k9.tar.gz' and download it
  --> there may be newer versions available by now; take the newest one provided!
- Click on 'ethz.pcf' and download it
- If you have a local LAN at home and want to access your local machines while the tunnel is up, download another *.pcf file instead of the ethz.pcf described above: on https://n.ethz.ch/software/vpn/ click on ETHZ-LocalLan.pcf, download it, rename it to ethz.pcf (mv ETHZ-LocalLan.pcf ethz.pcf) and continue as described below. (This profile enables split tunnelling: traffic to your local LAN bypasses the tunnel.)
- The two files vpnclient-linux-4.6.00.45-k9.tar.gz and ethz.pcf are now in your_download_dir
- cd /app (or any other directory where you want to keep your applications)
- su -
- (root password)
- cp /your_download_dir/vpnclient-linux-4.6.00.45-k9.tar.gz .
- gunzip vpnclient-linux-4.6.00.45-k9.tar.gz
- tar -xvf vpnclient-linux-4.6.00.45-k9.tar
- chown -R root:root vpnclient
- cd vpnclient
- cp /your_download_dir/ethz.pcf .
- ./vpn_install
- (Carriage-Return)      # /usr/local/bin is ok
- yes                    # Automatically start the VPN service at boot time
- (Carriage-Return)      # is /lib/modules/2.6.10-1-686/build
- (Carriage-Return)      # if you are satisfied with all the parameters
- Attention: the current version of vpn_install does not install a link for runlevel 2; therefore we do the following:
- cd /etc/rc2.d
- ln -s ../init.d/vpnclient_init S85vpnclient_init

3. Running and Configuring vpnclient

- /etc/init.d/vpnclient_init start
  (must be done now; will be done automatically after the next re-boot)
- vpnclient connect ethz
  (the profile is read from /etc/CiscoSystemsVPNClient/Profiles/ethz.pcf, where vpn_install has moved the ethz.pcf file)
  --> you will be prompted for the Username and the Password
  --> say 'y' when asked to save the password
  ... and the connection will be established; the window will be 'blocked'
  ! Sometimes you are *not* asked whether you want to save the password or not.
  ! In such a case enter "vpnclient disconnect" from another window and
  ! start vpnclient again. Usually it then asks you to save the password.
  ! The password *must* be saved if you want to use the icons described below.
  ! A saved password is written to the profile file, so keep /etc/CiscoSystemsVPNClient/Profiles readable by root only.
- In another, new window start any TCP/IP connection (e.g. ssh) and you will be 'seen' by the ETH machine as e.g. vpn-global-dhcpXXXX.ethz.ch
  (You may of course also connect to any machine other than one in the ethz.ch domain)

You may also enter further commands:
- vpnclient stat         # gives status information
- vpnclient disconnect   # disconnects your IPSec link (when doing this, make sure you are logged out from any remote host)

Once you have connected and disconnected, you may edit the file /etc/CiscoSystemsVPNClient/Profiles/ethz.pcf and modify the value ForceKeepAlives from 0 to 1.

I would be glad to hear about your experience!

4. Create Icons on Desktop (KDE-Desktop)

- Right-click on the desktop and select 'New' and 'Link with Program'
- Under 'General' write 'VPN ethz ON'
- Under 'Execute' write 'vpnclient connect ethz'
- As icon I recommend the one for 'encrypted'
- OK
- Right-click on the desktop and select 'New' and 'Link with Program'
- Under 'General' write 'VPN ethz OFF'
- Under 'Execute' write 'vpnclient disconnect'
- As icon I recommend the one for 'decrypted'
- OK
- Right-click on the desktop and select 'New' and 'Link with Program'
- Under 'General' write 'VPN status'
- Under 'Execute' write 'wterm -geometry 80x35 -bg skyblue -e /usr/local/bin/vpnstatus.sh'
  (should 'wterm' not be installed, enter as root: apt-get install wterm)
- As icon I recommend the one for 'messagebox_warning'
- OK
- Make sure you have installed 'wterm':
    dpkg -l | grep wterm
  If not: apt-get install wterm
- Create a file /usr/local/bin/vpnstatus.sh with the following content:

    #!/bin/bash
    #
    # vpnstatus.sh 6.4.2002/uk modified 18.10.2002
    #
    # Show whether a vpnclient process is running (the matching ps line is printed).
    ps -ef | grep vpnclient | grep -v grep
    if test $? -ne 0 ; then
      echo ""
      echo " vpnclient not running..."
      echo ""
      echo ""
      echo ""
      let n=7
      echo -n "(This window will disappear in $n seconds)"
      # Count down in place: carriage return rewrites the same line each second.
      while test $n -gt 0 ; do
        sleep 1
        let n=n-1
        echo -n -e "\r(This window will disappear in $n seconds)"
      done
      exit
    else
      # Extract the tunnel address from the 'Client address:' line of vpnclient stat.
      myIP=`vpnclient stat | grep "Client address:" | cut -d: -f 2`
      vpnclient stat
      echo " "
      echo "Your IP is: $myIP"
    fi
    echo " "
    echo "Hit CR to exit"
    read answer
    #

- chmod a+x /usr/local/bin/vpnstatus.sh (in order to make this script executable for everyone)
Now you have three icons on your desktop, allowing you to establish, disconnect, or view the status of a secure VPN tunnel with a single click on the appropriate icon.
5. Avoiding and solving problems
Attention: If you later upgrade to a newer kernel (we upgraded to kernel-image-2.6.10-1-686), you should also download the kernel sources and the headers. So you best do

    apt-get install kernel-image-2.6.10-1-686 kernel-source-2.6.10 kernel-headers-2.6.10-1-686

Then you should of course also do the following:

    cd /usr/src
    tar xjvf kernel-source-2.6.10.tar.bz2
    rm linux
    ln -s kernel-source-2.6.10 linux

Then you are ready to enter the directory with the new vpnclient code and may enter ./vpn_install
Should you receive errors such as

    ... include/linux/ip.h:145: error: storage size of `fl' isn't known
    make[2]: *** [/app/vpnclient/linuxcniapi.o] Error 1
    make[1]: *** [_module_/app/vpnclient] Error 2
    make[1]: Leaving directory `/usr/src/kernel-source-2.6.7'
    make: *** [default] Error 2
    Failed to make module "cisco_ipsec.ko".

... then you probably did not download both the sources and the headers of your new kernel (see above)! Note that in this example make is running in the 2.6.7 source tree although the installed kernel is 2.6.10, i.e. the build tree offered to vpn_install does not match the running kernel.
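A pre-flight check for the kernel-tree steps of Part 1 and Part 5, added here as an example (it is not part of Cisco's installer or this HOWTO): it verifies that the build tree vpn_install will be offered exists, has headers, and that the version in its Makefile matches the running kernel, which is exactly the mismatch behind the error above. It assumes the Debian layout used on this page, where /lib/modules/<version>/build points at the kernel-headers directory.

```shell
#!/bin/sh
# Check that a kernel build tree matches the running kernel before ./vpn_install.
# Added example for this HOWTO; not Cisco's code.

# kernel_tree_version DIR: print VERSION.PATCHLEVEL.SUBLEVEL from DIR/Makefile,
# or fail if DIR does not hold a kernel Makefile.
kernel_tree_version() {
  dir=$1
  [ -f "$dir/Makefile" ] || return 1
  v=$(sed -n 's/^VERSION[[:space:]]*=[[:space:]]*//p' "$dir/Makefile" | head -n 1)
  p=$(sed -n 's/^PATCHLEVEL[[:space:]]*=[[:space:]]*//p' "$dir/Makefile" | head -n 1)
  s=$(sed -n 's/^SUBLEVEL[[:space:]]*=[[:space:]]*//p' "$dir/Makefile" | head -n 1)
  [ -n "$v" ] && [ -n "$p" ] && [ -n "$s" ] || return 1
  echo "$v.$p.$s"
}

# check_build_tree DIR RUNNING: succeed if DIR is a kernel tree whose version is
# RUNNING or the prefix of RUNNING (2.6.10 matches 2.6.10-1-686); otherwise print
# a diagnostic on stderr and fail. A missing include/linux means no headers package.
check_build_tree() {
  dir=$1
  running=$2
  if [ ! -d "$dir/include/linux" ]; then
    echo "no kernel headers under $dir (install kernel-headers-$running)" >&2
    return 1
  fi
  tree=$(kernel_tree_version "$dir") || { echo "no kernel Makefile in $dir" >&2; return 1; }
  case "$running" in
    "$tree"|"$tree"-*) return 0 ;;
    *) echo "tree in $dir is $tree but the running kernel is $running" >&2; return 1 ;;
  esac
}

# Stand-alone use: ./kcheck.sh --check tests the tree vpn_install offers by default.
if [ "${1:-}" = "--check" ]; then
  running=$(uname -r)
  check_build_tree "/lib/modules/$running/build" "$running" && echo "ok: ready for ./vpn_install"
fi
```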
After having installed your vpnclient, you unfortunately still have to establish the connection manually at least twice before you are asked whether you want to save your password. From then on (if you have answered 'Y'), you may use the icon on your desktop (described in part 4 above) to establish the VPN connection.
When travelling, it may happen that you are not able to establish a VPN connection. This is e.g. the case at the UN in Vienna: a site-wide firewall does not allow 500/udp (isakmp) packets to enter any internal network from the outside (such packets are used for, I believe, key exchange during the establishment of the VPN connection). In our case it helped to modify the file
/etc/CiscoSystemsVPNClient/Profiles/ethz.pcf
and change the parameter TunnelingMode from 0 to 1.
With this we are using IPSec over TCP, and this works at this site.
And: we noticed that sometimes vpnclient does not work properly if you 'untar' a new version of vpnclient into an existing directory 'vpnclient' with older code in it. It then helps to remove the existing vpnclient directory completely and to untar the tar file again, followed by cd vpnclient; ./vpn_install .
6. Useful Links
- http://www.id.ethz.ch/services/list/vpn/
- http://www.kom.id.ethz.ch/datkom/vpn/was_ist_vpn.html
- http://n.ethz.ch/dialup_vpn.html
- http://n.ethz.ch/dialup_vpn_ipsec.html