I finally got this going, and with a pure Linux solution, mind you, but
I had to go 90 degrees in another direction.
First, I'd like to undo some of the posts I've seen regarding some
hardware that I also happen to have -- the USR 8000A-02. This NAT
router and firewall, in addition to Verizon DSL, can still work with
Linux over VPN without issue. I managed to get it working. Others may
claim it cannot, but I claim that it can, and I was able to get on my
office resources.
Note that in my case, my office used an RSA SecurID keyfob with the
VPN. In your case, you may not. The instructions below are for a Cisco
3000 connection with an RSA SecurID keyfob and Linux.
To begin, you're going to need the 2.4 kernel, and the latest one at
that. You can get this with apt if you have installed it and have
learned to use it. (Speaking to you newbies (like me) out there.) You
might be able to get this going with the 2.6 kernel, but you'll
probably need a special version of the Linux Cisco driver. That's what
I read.
Okay, so once you are booted on the 2.4 kernel, go to some search
engine and download a file that begins with this in the name:
vpnclient-linux
You may see it as vpnclient-linux-distro-version.tar.gz, or perhaps
just vpnclient-linux.tar.gz. Find the one that works best for you.
Once you expand this into a directory, cd into it and do this as root:
./vpn_install
It should prompt you for a bunch of things, and the defaults will likely
work if you are running at least the 2.4 kernel. If you're running
something else, you'll need a completely different install.
Now you're ready to fire this thing up...
/etc/init.d/vpnclient_init start
It will say something like:
Starting /usr/local/bin/vpnclient:
Warning: loading /lib/modules/2.4.18-14/CiscoVPN/cisco_ipsec will taint the kernel: no license
  See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Module cisco_ipsec loaded, with warnings
Done
Now you have the major part of it loaded. The Cisco client daemon is
loaded. The same thing happens on Windows -- you need the Cisco service
running before the client tool can work.
Now cd to this path:
/etc/CiscoSystemsVPNClient/Profiles/
In there, you can find a sample.pcf profile, but I recommend something
like this:
[main]
; save me as corp.pcf
Description=corp user profile
Host=<YOUR INTERNET-PINGABLE VPN GATEWAY HOST GOES HERE>
AuthType=1
EnableISPConnect=0
ISPConnectType=0
SaveUserPassword=0
EnableBackup=0
EnableNat=0
TunnelingMode=0
TcpTunnelingPort=443
CertStore=0
CertSerialHash=00000000000000000000000000000000
PeerTimeout=400
EnableLocalLAN=0
EnableMSLogon=1
MSLogonType=0
SendCertChain=0
; end of file - erase this line
Now if you have a local Linux firewall, it may be a hindrance while
you troubleshoot this. I recommend turning it off until you get this
going, then turning it back on again after you disconnect the VPN (later on
below), then figuring out which iptables statements keep you
secure while still allowing the VPN, and retesting.
Now you can connect with vpnclient connect corp
It will prompt you for some information that your VPN administrator
should have given you, including group username, group password, your
username, and your passcode. Often your passcode with the SecurID
device will be some 4 digit PIN code + whatever is on the SecurID
keyfob.
It should return with this result:
Authenticating user.
Negotiating security policies.
Securing communication channel.
...Reminder...
It is a good practice and added security to disconnect from the VPN
concentrator if you are not actively using the system!
Maximum idle time = 30 min
Maximum connect time = 10 hrs
Do you wish to continue? (y/n): y
Your VPN connection is secure.
VPN tunnel information.
Client address: 10.12.150.15
Server address: 196.200.212.14
Encryption: 168-bit 3-DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is inactive
Local LAN Access is disabled
....and just sit here. That's actually a GOOD THING. That means you're
connected and it's holding your connection, waiting for you to do
CTRL+C to kill it.
Now you can establish your connection to your LAN resources by IP
address.
Don't know the IP address but do know the IP address or fully-qualified
computer name of the DNS server that applies to your LAN in the
corporate WAN? No problem! Just do this step with Linux:
nslookup (then press Enter)
Now type "server <YOUR DNS IP OR HOSTNAME GOES HERE>" and press Enter.
You'll get a response.
Now type the server name you are interested in finding the IP address
for in FQDN format.
Repeat this last step as many times as you need to get all the IP
addresses you need.
Now you can disconnect from nslookup by doing "exit". Note that you can
record these short computer names now in /etc/hosts so that next time
you can reach a LAN resource by host name rather than remembering all
these IP addresses.
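The lookup-and-record step above can be scripted instead of typed by hand. The following is an added example, not part of the original post: it runs nslookup non-interactively against the corporate DNS server, turns the answers into /etc/hosts lines (IP, FQDN, short name), and wraps them in marker comments so the block can be found and removed again after you are done with the VPN. The DNS server address, host names and the nslookup output sample below are constructed for illustration; the parser assumes the "Name:" / "Address:" layout that BIND's nslookup prints and keeps only the first address for each name.

```sh
#!/bin/sh
# Added example (not from the original post). Resolve corporate hosts via
# the LAN DNS server and emit /etc/hosts lines for them.

# Turn nslookup output into "IP<TAB>FQDN<TAB>shortname" lines.
# The server's own "Address: 10.1.1.53#53" line is skipped because it is
# not preceded by a "Name:" line; "Non-authoritative answer:" is ignored.
nslookup_to_hosts() {
    awk '
        /^Name:/ { name = $2 }
        /^Address:/ && name != "" {
            ip = $2; sub(/#.*/, "", ip)      # strip a trailing "#port" if present
            short = name; sub(/\..*/, "", short)
            print ip "\t" name "\t" short
            name = ""                         # keep only the first address per name
        }'
}

# resolve_to_hosts DNS_SERVER FQDN... : query each name through DNS_SERVER
# (hypothetical values below; use the server your VPN administrator gave you).
resolve_to_hosts() {
    dns=$1; shift
    for n in "$@"; do
        nslookup "$n" "$dns"
    done | nslookup_to_hosts
}

# Wrap the lines in markers so they can be removed later with:
#   sed -i '/^# BEGIN vpn-hosts$/,/^# END vpn-hosts$/d' /etc/hosts
hosts_block() {
    printf '# BEGIN vpn-hosts\n'
    cat
    printf '# END vpn-hosts\n'
}

# Constructed sample of what nslookup prints, used to exercise the parser
# offline (addresses and names are made up).
SAMPLE_NSLOOKUP='Server:		10.1.1.53
Address:	10.1.1.53#53

Non-authoritative answer:
Name:	fileserver.corp.example
Address: 10.12.7.21
Name:	mail.corp.example
Address: 10.12.7.30'

# Usage while the tunnel is up, as root:
#   resolve_to_hosts 10.1.1.53 fileserver.corp.example mail.corp.example \
#       | hosts_block >> /etc/hosts
```

Review the generated lines before appending them; once they are in /etc/hosts you can reach the LAN resources by short name, and the markers let you take them out again when the VPN is no longer needed.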
Now you are ready to use your web browser, vnc, tsclient (rdesktop), or
other tools in Linux to connect to your local LAN resources.
To disconnect your VPN, just do CTRL+C in the window you had open for
the vpnclient command line. No further commands necessary.
If you have your local Linux firewall down, I recommend turning it back
on again and testing this. It's highly likely you'll need to tweak your
firewall settings for the VPN connection so that you're secure and yet
you can get through.
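The two firewall passages above (turn it off to troubleshoot, then turn it back on and work out which iptables rules let the VPN through) are where most people get stuck. The following is an added example, not part of the original post or Cisco's software: a small shell helper that prints the iptables rules needed for the Cisco client to reach one concentrator, so they can be reviewed first and then applied as root. It assumes a host firewall with DROP policies on INPUT and OUTPUT, an iptables that has the "state" match, and the traffic the client uses: IKE on UDP 500, ESP (IP protocol 50), NAT-T on UDP 4500 when transparent tunneling is negotiated, and the TcpTunnelingPort from the profile (443 in the sample corp.pcf) as the TCP fallback. The gateway address in the usage lines is a placeholder for your Host= value.

```sh
#!/bin/sh
# Added example (not from the original post). Emit iptables rules that
# allow the Cisco VPN client to talk to a single gateway while the rest
# of the host firewall stays closed.

# vpn_fw_rules GATEWAY [TCP_PORT]: print the rules; GATEWAY is the Host=
# value from corp.pcf, TCP_PORT defaults to the profile's 443.
vpn_fw_rules() {
    gw=$1
    tcp_port=${2:-443}
    if [ -z "$gw" ]; then
        echo "usage: vpn_fw_rules GATEWAY [TCP_PORT]" >&2
        return 1
    fi
    cat <<EOF
# IKE / ISAKMP key exchange, only with the concentrator
iptables -A OUTPUT -p udp -d $gw --dport 500 -j ACCEPT
iptables -A INPUT  -p udp -s $gw --sport 500 -j ACCEPT
# NAT-T (IPsec over UDP 4500), used when transparent tunneling is negotiated
iptables -A OUTPUT -p udp -d $gw --dport 4500 -j ACCEPT
iptables -A INPUT  -p udp -s $gw --sport 4500 -j ACCEPT
# Raw ESP when no NAT-T is in use (EnableNat=0 in the sample profile)
iptables -A OUTPUT -p esp -d $gw -j ACCEPT
iptables -A INPUT  -p esp -s $gw -j ACCEPT
# TCP tunneling fallback on TcpTunnelingPort
iptables -A OUTPUT -p tcp -d $gw --dport $tcp_port -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -s $gw --sport $tcp_port -m state --state ESTABLISHED -j ACCEPT
EOF
}

# vpn_fw_apply GATEWAY [TCP_PORT]: apply the printed rules (run as root).
vpn_fw_apply() {
    vpn_fw_rules "$@" | sh
}

# Usage (placeholder gateway address):
#   vpn_fw_rules 203.0.113.5          # review first
#   vpn_fw_apply 203.0.113.5          # then apply, as root
```

Everything stays scoped to the gateway address, so the only new holes in the firewall are the ones the tunnel actually needs; once the tunnel is up, the decrypted LAN traffic arrives on the cipsec0 interface the client creates, and any rules for that traffic can be written against that interface rather than opened up on the real NIC.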