http://devel.oclug.on.ca/wiki/OneGuysExperienceWithCarletonUniversityVNP2011
I just pasted the text below onto the page. Feel free to edit it.
bjb
On Wed, Oct 05, 2011 at 11:50:29AM -0400, Michael Walma wrote:
> Quoting "Stephen Gregory" <oc...@kernelpanic.ca>:
>
> > On 04/10/11 04:42 PM, Michael Walma wrote:
> >
> >>> My wife needs to access applications through the Carleton University VPN.
> >>> The documentation I've seen suggests that one would use a Cisco VPN
> >
> >> Thanks Singer, I did exactly this and it worked just fine.
> >
> > This VPN question gets asked every other year. Could you do a quick
> > write up of what you did and add it to oclug wiki? I am guessing that
> > most important bit is how to get the PCF file and any Carleton specific
> > stuff.
> >
> > --
> > sg
> > _______________________________________________
> > Linux mailing list
> > Linux@lists.oclug.on.ca
> > http://oclug.on.ca/mailman/listinfo/linux
> >
>
> I'd be happy to do so, if someone would create an empty page in the
> right place, I would populate it, with the following:
>
> 1. Use your distro's package manager to install 'vpnc'.
>
> 2. Download the WindowsXP CISCO client from the website provided by
> Carleton, using the username and password supplied by Carleton. The
> file is a self-extracting ZIP file with an .exe extension.
>
> 3. Use 'unzip' to extract the files to a handy directory. Look for
> the ".pcf" file, in my case, it was "CarletonIntranetVPN.pcf". Using
> information from that file, you will need to populate the vpnc config
> file. In Ubuntu Natty, that is "/etc/vpnc/default.conf". (Ubuntu
> created an 'example.conf' that you can copy and edit. Other distros
> may do similar or different things.) Copy the values for the fields
> "Host" and "GroupName" in the .pcf file to the "IPSec gateway" and
> "IPSec ID" fields of the vpnc config file. For the "Xauth username"
> and "Xauth password" fields, use the information supplied to you by
> Carleton, the same info as you used to download the Windows client
> from the Carleton web site.
>
> 4. The "IPSec secret" field is the only slightly tricky bit. The
> .pcf will include a hash of the required value in the "enc_GroupPwd"
> field, but vpnc needs the unhashed value. Luckily, this hash can be
> decoded easily, and there is a web page that will do it for you:
>
> http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode
>
> Decode the value of the "enc_GroupPwd" of the .pcf file and use that
> for the "IPSec secret" field in the vpnc config file. I understand
> that you can install a utility (it may even be a part of the vpnc
> package) to do the decoding locally if you prefer.
>
> 5. You are good to go. Use some variant of 'sudo vpnc-connect' to
> connect (root privileges are required) and 'sudo vpnc-disconnect' to
> disconnect. These commands will build the connection, create the
> /dev/tun0 device, modify the routing tables properly and then tear it
> all down again afterward. There are also KDE and Gnome helper apps,
> but I did not investigate or install them.
>
> Caveats:
>
> 1. The tiny bit of investigation I did suggested that the routing
> table changes were clever enough to keep the local subnet traffic
> routed locally, but all other traffic would be routed through the vpn.
> I understand that you can do more clever routing so that you could
> keep, say, your web surfing, through your own connection while still
> routing other traffic through the vpn, but I have not investigated this.
>
> 2. The Carleton set-up seems to use password-based authentication.
> Superficial googling suggests that vpnc may not work so well if
> certificate-based authentication is required. I have not investigated.
>
> 3. The command-line approach described here may wreak havoc or
> otherwise not work with boxes running NetworkManager. My box
> doesn't, so I don't know. Installing and using the helper apps I
> alluded to might help in this respect.
>
> 4. Your mileage may vary.
>
> Credits: I used the following general guide from Linux Planet:
>
> http://www.linuxplanet.com/linuxplanet/tutorials/6773/1
>
> Thanks also to Singer for the encouragement to 'just do it.'
>
> Hoping this helps,
>
> Michael
>
---end quoted text---
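
Steps 3 and 4 of the quoted procedure as an added Python example (not from the original e-mail or the vpnc project): it maps the .pcf fields to vpnc config lines, refuses a still-encoded group password, and writes the file readable by its owner only. The sample .pcf, the host, group and user names are constructed placeholders, and the function names and the handling of a leading "!" on .pcf keys are assumptions.

```python
import configparser
import os

# Constructed sample .pcf (not Carleton's real file); all values are placeholders.
SAMPLE_PCF = """\
[main]
Description=Example intranet VPN
!Host=vpn.example.edu
AuthType=1
GroupName=example-group
enc_GroupPwd=0123456789ABCDEF
"""


def parse_pcf(text):
    """Return the [main] fields of a .pcf file, with keys lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    # Assumption: a leading "!" on a key marks the field read-only in the
    # Cisco client and is not part of the field name.
    return {k.lstrip("!"): v.strip() for k, v in cp["main"].items()}


def vpnc_conf(pcf, username, group_secret=None):
    """Build vpnc config text from parsed .pcf fields (steps 3 and 4)."""
    lines = [f"IPSec gateway {pcf['host']}", f"IPSec ID {pcf['groupname']}"]
    if group_secret is not None:
        # vpnc needs the decoded value, not the enc_GroupPwd string itself.
        if group_secret == pcf.get("enc_grouppwd"):
            raise ValueError("enc_GroupPwd must be decoded before use")
        lines.append(f"IPSec secret {group_secret}")
    lines.append(f"Xauth username {username}")
    return "\n".join(lines) + "\n"


def write_private(path, text):
    """Write the config readable by its owner only; it holds credentials."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # also tighten a file that already existed


if __name__ == "__main__":
    print(vpnc_conf(parse_pcf(SAMPLE_PCF), "alice", "decoded-secret"), end="")
```
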