Quoting "Stephen Gregory" <oc...@kernelpanic.ca>:

> On 04/10/11 04:42 PM, Michael Walma wrote:
>
>>> My wife needs access to applications through the Carleton University VPN.
>>> The documentation I've seen suggests that one would use a Cisco VPN
>
>> Thanks Singer, I did exactly this and it worked just fine.
>
> This VPN question gets asked every other year. Could you do a quick
> write up of what you did and add it to oclug wiki? I am guessing that
> most important bit is how to get the PCF file and any Carleton specific
> stuff.
>
> --
> sg
> _______________________________________________
> Linux mailing list
> Linux@lists.oclug.on.ca
> http://oclug.on.ca/mailman/listinfo/linux
>

I'd be happy to do so. If someone would create an empty page in the  
right place, I would populate it with the following:

1.  Use your distro's package manager to install 'vpnc'.

2.  Download the WindowsXP CISCO client from the website provided by  
Carleton, using the username and password supplied by Carleton.  The  
file is a self-extracting ZIP file with an .exe extension.

3.  Use 'unzip' to extract the files to a handy directory.  Look for  
the ".pcf" file; in my case, it was "CarletonIntranetVPN.pcf".  Using  
information from that file, you will need to populate the vpnc config  
file.  In Ubuntu Natty, that is "/etc/vpnc/default.conf". (Ubuntu  
created an 'example.conf' that you can copy and edit.  Other distros  
may do similar or different things.)  Copy the values for the fields  
"Host" and "GroupName" in the .pcf file to the "IPSec gateway" and  
"IPSec ID" fields of the vpnc config file.   For the "Xauth username"  
and "Xauth password" fields, use the information supplied to you by  
Carleton, the same info as you used to download the Windows client  
from the Carleton web site.

4.  The "IPSec secret" field is the only slightly tricky bit.  The  
.pcf will include a hash of the required value in the "enc_GroupPwd"  
field, but vpnc needs the unhashed value.  Luckily, this hash can be  
decoded easily, and there is a web page that will do it for you:

http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode

Decode the value of the "enc_GroupPwd" of the .pcf file and use that  
for the "IPSec secret" field in the vpnc config file.  I understand  
that you can install a utility (it may even be a part of the vpnc  
package) to do the decoding locally if you prefer.

5.  You are good to go.  Use some variant of 'sudo vpnc-connect' to  
connect (root privileges are required) and 'sudo vpnc-disconnect' to  
disconnect.  These commands will build the connection, create the  
/dev/tun0 device, modify the routing tables properly and then tear it  
all down again afterward.  There are also KDE and Gnome helper apps,  
but I did not investigate or install them.

Caveats:

1.  The tiny bit of investigation I did suggested that the routing  
table changes were clever enough to keep the local subnet traffic  
routed locally, but all other traffic would be routed through the VPN.  
I understand that you can do more clever routing so that you could  
keep, say, your web surfing, through your own connection while still  
routing other traffic through the VPN, but I have not investigated this.

2.  The Carleton set-up seems to use password-based authentication.  
Superficial googling suggests that vpnc may not work so well if  
certificate-based authentication is required.  I have not investigated.

3.  The command-line approach described here may wreak havoc or  
otherwise not work with boxes running NetworkManager.  My box  
doesn't, so I don't know.  Installing and using the helper apps I  
alluded to might help in this respect.

4.  Your mileage may vary.

Credits:  I used the following general guide from Linux Planet:

http://www.linuxplanet.com/linuxplanet/tutorials/6773/1

Thanks also to Singer for the encouragement to 'just do it.'

Hoping this helps,

Michael
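The .pcf-to-vpnc mapping in steps 3 and 4 above, as an added example that is not part of Michael's post or of the vpnc project: it parses a constructed sample .pcf, sanity-checks the enc_GroupPwd blob before you hand it to a decoder, and emits the matching default.conf lines. The blob layout checked here (20-byte IV seed, 20-byte SHA-1 of the ciphertext, then the 3DES-CBC ciphertext) is the one vpnc's cisco-decrypt utility expects and is an assumption of this example, as are all host, group and user names.

```python
import configparser
import hashlib

# Constructed sample .pcf, modelled on the [main] section of a Cisco VPN
# client profile.  Every value is a placeholder, not Carleton's real setup.
SAMPLE_PCF = """[main]
Description=Example VPN profile
Host=vpn.example.edu
AuthType=1
GroupName=ExampleGroup
enc_GroupPwd={blob}
Username=jdoe
"""

def build_sample_blob() -> str:
    """Constructed enc_GroupPwd value in the layout assumed above:
    20-byte IV seed || SHA-1(ciphertext) || ciphertext (multiple of 8)."""
    seed = bytes(range(20))
    ciphertext = b"\x00" * 16          # dummy bytes standing in for 3DES output
    return (seed + hashlib.sha1(ciphertext).digest() + ciphertext).hex()

def parse_pcf(text: str) -> dict:
    """Return the [main] section of a .pcf as a dict, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str               # keep Host / GroupName / enc_GroupPwd as-is
    cp.read_string(text)
    return dict(cp["main"])

def enc_grouppwd_is_well_formed(hexblob: str) -> bool:
    """Catch a mis-copied or truncated blob before trying to decode it:
    it must be hex, at least 48 bytes, block-aligned, and the embedded
    SHA-1 must match the ciphertext that follows it."""
    try:
        ct = bytes.fromhex(hexblob)
    except ValueError:
        return False
    if len(ct) < 48 or (len(ct) - 40) % 8:
        return False
    return hashlib.sha1(ct[40:]).digest() == ct[20:40]

def to_vpnc_conf(pcf: dict, secret: str) -> str:
    """Map .pcf fields to the vpnc default.conf keys named in the post.
    'Xauth password' is left out on purpose: vpnc prompts for it at
    connect time, so the cleartext password never lands on disk."""
    lines = [
        f"IPSec gateway {pcf['Host']}",
        f"IPSec ID {pcf['GroupName']}",
        f"IPSec secret {secret}",          # the decoded enc_GroupPwd value
        f"Xauth username {pcf.get('Username') or '<your Carleton username>'}",
    ]
    return "\n".join(lines) + "\n"
```

Whatever you write to /etc/vpnc/default.conf holds the cleartext group secret, so keep it root-owned with mode 0600.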

