If you're reading this, then you likely need to connect to your office network from home or during travel. Many companies utilize Cisco 3000 VPN concentrators for their VPN needs, and I am willing to bet that most Linux newbies think that they are forced to use Windows to connect to them. Well this document informs you that connecting to a Cisco VPN is very possible and will hopefully enable you to setup a working tunnel using your Gentoo workstation or laptop.
The assumptions made at this point are:
In order for Linux to be able to open a VPN connection
TUN/TAP provides packet reception and transmission for user space programs. It can be viewed as a simple Point-to-Point or Ethernet device, which instead of receiving packets from a physical media, receives them from user space program and instead of sending packets via physical media writes them to the user space program. When a program opens /dev/net/tun, driver creates and registers corresponding net device tunX or tapX. After a program closed above devices, driver will automatically delete tunXX or tapXX device and all routes corresponding to it.
You can verify if your kernel has TUN/TAP support with the following command:
# cat /usr/src/linux/.config | grep TUN CONFIG_INET_TUNNEL=m # CONFIG_INET6_TUNNEL is not set # CONFIG_IPV6_TUNNEL is not set CONFIG_TUN=m # CONFIG_8139TOO_TUNE_TWISTER is not set
As you can see above,
Device Drivers ---> Networking support ---> [*] Universal TUN/TAP device driver support
If you already have TUN/TAP support built in your kernel, or you just booted your computer after a fresh kernel build, then you need to verify that the kernel has the appropriate code initialized.
If you built TUN/TAP support directly into the kernel, you should see
information from
# dmesg | grep TUN Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
If you build TUN/TAP support as a module, you first must load the
# modprobe tun # lsmod Module Size Used by tun 7296 0 nvidia 4050204 12
Now that the
# dmesg | grep TUN Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
Now that you have a working kernel setup, you need to install
# emerge net-misc/vpnc
In order to make the following sections more clear, we need an example setup to work from. For the purposes of this exercise, we will assume that you have a home network of several computers. All computers are on the 192.168.0.0 / 255.255.255.0 network. The LAN in question is run by a Gentoo box using an iptables firewall, DHCP, caching DNS, etc ... and it masquerades the LAN behind the public IP address it receives from an ISP. You also have a workstation on the LAN from which you want to be able to VPN into your office with.
Our example workstation configuration looks like the following:
(Name server configuration) # cat /etc/resolv.conf nameserver 192.168.0.1(Network configuration) # cat /etc/hosts 127.0.0.1 desktop localhost 192.168.0.1 router 192.168.2.2 mediacenter(Interface configuration) # ifconfig -a eth0 Link encap:Ethernet HWaddr 00:11:2F:8D:08:08 inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0 inet6 addr: fe80::211:2fff:fe8d:808/64 Scope:Link UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1 RX packets:3657889 errors:0 dropped:0 overruns:0 frame:0 TX packets:2305893 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:2193722103 (2092.0 Mb) TX bytes:1415104432 (1349.5 Mb) Interrupt:185 Memory:fac00000-0 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:35510 errors:0 dropped:0 overruns:0 frame:0 TX packets:35510 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:16023838 (15.2 Mb) TX bytes:16023838 (15.2 Mb)(Routing information) # netstat -r Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 192.168.0.0 * 255.255.255.0 U 0 0 0 eth0 loopback desktop 255.0.0.0 UG 0 0 0 lo default router 0.0.0.0 UG 0 0 0 eth0
Now that you have vpnc installed and we have an example to work from, let's
discuss the basics of setting up vpnc. The configuration file for vpnc
connection settings can be located in a couple places, depending on how many
profiles you want to setup. By default, vpnc looks first for
# cat /etc/vpnc.conf IPSec gateway vpngateway.domain.org IPSec ID group_id IPSec secret group_password Xauth username network_signon Xauth password network_password
The configuration file example above should be modified to reflect the
appropriate values for your setup. The gateway option
If you are forced to export your profile from a Windows machine, then what you
will likely have is a file ending in
# cat example.pcf [main] Description= Host=VPNGATEWAY.DOMAIN.ORG AuthType=1 GroupName=group_id GroupPwd= enc_GroupPwd=F3256220AA200A1D532556024F4F314B0388D48B0FBF2DB12 EnableISPConnect=0 ISPConnectType=0 ISPConnect=FOOBAR ISPCommand= Username= SaveUserPassword=0 UserPassword= enc_UserPassword= NTDomain= EnableBackup=0 BackupServer= EnableMSLogon=1 MSLogonType=0 EnableNat=1 TunnelingMode=0 TcpTunnelingPort=10000 CertStore=0 CertName= CertPath= CertSubjectName= CertSerialHash=00000000000000000000000000000000 SendCertChain=0 VerifyCertDN= DHGroup=2 ForceKeepAlives=0 PeerTimeout=90 EnableLocalLAN=0 EnableSplitDNS=1 ForceNetLogin=0
In the above example, we can see entries for
Now that you have a configuration in place, it's time to test your setup. To
start
# vpnc-connect Enter password for username@vpngateway.domain.org: VPNC started in background (pid: 14788)...
As you can see from the above command output, once you type
# ifconfig -a eth1 Link encap:Ethernet HWaddr 00:11:2F:8D:08:08 inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0 inet6 addr: fe80::211:2fff:fe8d:808/64 Scope:Link UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1 RX packets:2101119 errors:0 dropped:0 overruns:0 frame:0 TX packets:1577559 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1757862627 (1676.4 Mb) TX bytes:732200131 (698.2 Mb) Interrupt:177 Memory:faa00000-0 sit0 Link encap:IPv6-in-IPv4 NOARP MTU:1480 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:192.168.160.42 P-t-P:192.168.160.42 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1412 Metric:1 RX packets:1 errors:0 dropped:0 overruns:0 frame:0 TX packets:9 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:500 RX bytes:60 (60.0 b) TX bytes:616 (616.0 b)
# netstat -r Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface vpn01.domain.or router 255.255.255.255 UGH 1500 0 0 eth1 192.168.0.0 * 255.255.255.0 U 0 0 0 eth1 loopback desktop 255.0.0.0 UG 0 0 0 lo default * 0.0.0.0 U 0 0 0 tun0
As you can see from the above command output(s), vpnc has done the following:
At this point, your workstation is capable of communicating with hosts via the
VPN, but only by IP address. As you might have noticed, vpnc did not alter
your
Additional things you might want to have:
When you are ready to end the VPN session, execute
# vpnc-disconnect Terminating vpnc daemon (pid: 26250)
Unfortunately,
The ideal setup would allow you to separate your DNS queries into two categories: VPN-related and other. Under this setup, all VPN-related DNS queries would be answered by DNS servers located at the other end of your VPN tunnel and all other queries would continue to be answered by local or ISP supplied DNS servers. This is the setup that will be demonstrated here.
So how do you set things up, so that only requests made to hosts on the
example.org domain get sent to VPN supplied DNS servers? Well, you're going to
need to install a local DNS server, but don't worry, it's much easier than you
think. There are several software packages that can handle the type of setup
we desire, but for the purposes of this demonstration,
# emerge dnsmasq
Now you need to add an option to your
# Config file for /etc/init.d/dnsmasq # See the dnsmasq(8) man page for possible options to put here. DNSMASQ_OPTS="-S /.example.org/192.168.125.10"
Next, make sure that the first entry in
nameserver 127.0.0.1 nameserver 192.168.0.1
Now that you have setup a rule for your VPN tunnel DNS, you need to start
# /etc/init.d/dnsmasq start # rc-update add dnsmasq default
The ideal scenario would be if only the traffic destined for VPN tunnel would travel across the link. At this point, you have a VPN tunnel setup and all traffic will travel across the tunnel, unless you specify additional routes. In order to fix this situation you need to know what networks are available to you on your VPN. The easiest way to find out the needed information is to ask a network administrator, but sometimes they are reluctant to answer such questions. If your local network admin wont provide the needed information, some trial and error experiments will be required.
When the VPN tunnel was started, vpnc set the default route to the tunnel. So you must set your default route back to normal, so that things work as expected.
# route add default gw 192.168.0.1
Earlier, when DNS services were being configured for your VPN, you specified a DNS server to handle your example.org domain. You need to add a route for the 192.168.125.0 subnet so that DNS queries will work.
# route add -net 192.168.160.0 netmask 255.255.255.0 dev tun0
At this point, you should add any additional routes for known networks. If your friendly network administrator gave you the required info, great. Otherwise, you might need to ping hosts you will be connecting to frequently, to give yourself an idea about what your routing table should look like.
# ping intranet1.example.org PING intranet1.example.org (172.25.230.29) 56(84) bytes of data. --- intranet.example.org ping statistics --- 18 packets transmitted, 0 received, 100% packet loss, time 16997ms
As you can see from the above example, the ping probes to intranet1.example.org were unsuccessful. So we need to add a route for that subnet.
# route add -net 172.25.230.0 netmask 255.255.255.0 dev tun0
A few ping and route commands later, you should be well on your way to a well working routing table.
Next is an example script to manage the VPN connection. You could execute it (as root) from an xterm to start a connection to your VPN. Then all you have to do is press return to disconnect the VPN. Obviously you will need to modify this for your setup, remembering to add all the additional routes that you may need.
#!/bin/bash source /sbin/functions.sh ebegin "Connecting to the VPN" vpnc-connect eend ebegin "Modifying the routing table" route add default gw 192.168.0.1 route add -net 172.25.230.0 netmask 255.255.255.0 dev tun0 route add -net 192.168.160.0 netmask 255.255.255.0 dev tun0 route add -net 192.168.125.0 netmask 255.255.255.0 dev tun0 eend einfo "Press any key to disconnect ..." read $disconnect ebegin "Disconnecting from the VPN" vpnc-disconnect eend ebegin "Reconfiguring the default routing table" route add default gw 192.168.0.1 eend einfo "VPN should now be disconnected"
If you are looking for a linux application that supports RDP (Remote Desktop
Protocol) then give
If you are a KDE user, you might want to try
If you need to connect to a windows machine which doesn't have a DNS entry, and
you know the address of an available WINS server, you can use a tool called
# emerge samba
When you have samba and its tools installed, test
# nmblookup -U 192.168.125.11 -R 'wintelbox1' querying wintelbox1 on 192.168.125.11 172.25.230.76 wintelbox1
Hopefully by now you have been able to connect to your VPN on choice and are
well on your way to remote office work. Feel free to file a bug at