
Cisco VPN with VPNC

My university, FH Köln Campus Gummersbach, uses Cisco VPN to protect the WLAN traffic with private tunnels. Unfortunately the original Cisco client (especially the Linux version) isn't very stable, likes to disconnect while browsing and - most important for some people - isn't free code.

There are several GUI tools for the free vpnc package in such cases, but they didn't work out of the box with the given network. Several people figured out the needed parameters for the vpnc client, but the automation of the process with the NetworkManager package did not work on my openSUSE, so I had to modify some parts and - as well - did some cosmetics on the connection script.

Installing VPNC instead of the Cisco-BLOB

First thing after installing the vpnc package via your distribution's own software management is placing a config file for vpnc as shown below. Make sure you have root rights for all editing actions; calling vpnc later is done as user.

/etc/vpnc/default.conf

IPSec gateway vpn.fh-koeln.de
IPSec ID FHK-VPN
IPSec secret KoelnerDom
Xauth username YOURVPNNAME
Xauth password YOURVPNPASSWORD
Application Version Cisco Systems VPN Client 4.8.0:Linux

If you need more than one Cisco connection on your system, simply change the name from default.conf to anything-else.conf. Oh, and don't forget to replace the username and password with yours.

Simply typing vpnc on your command line should already do the trick and show the connection message from the VPN service. That way the connection is also usable from foreign networks, so if you need to have a look at internal pages, use this before connecting to the webpage.

Security advice: Please make sure your /etc/vpnc/default.conf is not readable by any user other than root:
chmod 600 /etc/vpnc/default.conf

If you named the file something other than default.conf, all script calls of vpnc must pass that name as a parameter (without the .conf).
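Since the config file holds the group secret and your Xauth password in clear text, it is worth checking it before the dispatcher script relies on it. The following POSIX shell check is an added example and not part of the original page: the path layout and the placeholder names (YOURVPNNAME, YOURVPNPASSWORD) are the ones the page uses, the check itself is this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a vpnc config
# file before use. Returns 0 when the file is private (mode 600 or 400),
# still contains the lines vpnc needs and no longer holds the template
# placeholders; otherwise prints the reason and returns a non-zero code.
check_vpnc_conf() {
    conf="$1"
    if [ ! -f "$conf" ]; then
        echo "missing: $conf"
        return 1
    fi
    # numeric permission bits: GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case "$mode" in
        600|400) ;;
        *) echo "bad mode $mode on $conf (expected 600)"; return 2 ;;
    esac
    # the template on the page ships with placeholders; refuse to use them
    if grep -q -e 'YOURVPNNAME' -e 'YOURVPNPASSWORD' "$conf"; then
        echo "placeholder credentials still present in $conf"
        return 3
    fi
    # every line vpnc needs must be present
    for key in 'IPSec gateway' 'IPSec ID' 'IPSec secret' 'Xauth username'; do
        grep -q "^$key " "$conf" || { echo "missing '$key' in $conf"; return 4; }
    done
    return 0
}

# Constructed demo: write the page's template to a temp file (not to
# /etc/vpnc) and show the check rejecting each problem in turn.
demo_conf="${TMPDIR:-/tmp}/vpnc-example.$$.conf"
printf '%s\n' 'IPSec gateway vpn.fh-koeln.de' 'IPSec ID FHK-VPN' \
    'IPSec secret KoelnerDom' 'Xauth username YOURVPNNAME' \
    'Xauth password YOURVPNPASSWORD' > "$demo_conf"
chmod 644 "$demo_conf"
check_vpnc_conf "$demo_conf" || echo "rejected, rc=$?"   # rc=2 (world readable)
chmod 600 "$demo_conf"
check_vpnc_conf "$demo_conf" || echo "rejected, rc=$?"   # rc=3 (placeholders)
printf '%s\n' 'IPSec gateway vpn.fh-koeln.de' 'IPSec ID FHK-VPN' \
    'IPSec secret KoelnerDom' 'Xauth username alice' \
    'Xauth password example-only' > "$demo_conf"
check_vpnc_conf "$demo_conf" && echo "ok: $demo_conf"    # rc=0
rm -f "$demo_conf"
```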

Automatic Connection within the University

The second and a bit more complicated thing (at least for me) was the automatic connection to the VPN service when connecting to the FH WLAN, which is the common use case.

NetworkManager has a special configuration folder, /etc/NetworkManager/dispatcher.d, which contains scripts executed every time a network is disabled AND enabled.

(At least) Ubuntu users need the libnotify-bin package for a notification message on their desktop.

/etc/NetworkManager/dispatcher.d/fhk-vpnc

#!/bin/bash
# automatic vpnc connection for networkmanager based linux systems
#
# (c) 2008 Sebastian Janzen - initial Version www.janzen.it
# (c) 2009 Manuel Krischer  - modified to work with opensuse 11.1
#
# Modified (2009-01-15)
# - some more debug output in /var/log/messages
# - modified the if-test to work (for me)
# - change the ESSID grab to work with more drivers/cards
# Modified (2009-01-24)
# - added the dbus xorg notifications for all users
# Modified (2009-02-09)
# - added a search for iwconfig, as at least ubuntu and opensuse handle
#   it in different locations.

# General options for every dispatcher script:
# NetworkManager passes the interface name and the action (up, down, ...)
INTERFACE=$1
ACTION=$2

## ESSID needed to activate connection
ESSID_VPN="PUBLIC-CIT.FH-Koeln.DE"

# where is IWCONFIG, maybe search for binary as root if this doesn't work
#
# ARCH-Linux Users have to use the complete binary path like
# IW_TOOL=/usr/sbin/iwconfig

IW_TOOL=$(which iwconfig)

## PING ADDRESSES, uncomment your needed one
PINGIP="139.6.1.130"  # Campus Gummersbach
#PINGIP="139.6.1.2"   # IWZ Deutz
#PINGIP="139.6.1.66"  # GWZ Südstadt

# Logging stuff
PROGNAME=$(basename "$0")

# Log function: everything goes to syslog (/var/log/messages), tagged with the script name
log() {
        echo -e "$*" | logger -t "$PROGNAME"
}


# THIS SEEMS NOT TO WORK RIGHT NOW, BUT SHOULD NOT HARM, TOO
ping_it() {
  # inform only the first user. this is pretty quick&dirty, but most systems are only
  # with one user beside root, so it should work
  USER_TMP="$(users | tr -s " " "\n" | sort | grep -v root --max-count=1)"
  [ -n "$USER_TMP" ] || return 0
  # start xterm window with running ping (double quotes, so the variables
  # are expanded here instead of being left unexpanded for the user's shell)
  su "$USER_TMP" -c "XAUTHORITY=/home/$USER_TMP/.Xauthority DISPLAY=:0 xterm -e 'ping $PINGIP'"
}


# send a desktop notification to every logged-in user, each one only once
notify_me() {
  ALL_USER="$(users | sort)"
  USER_LAST=""
  log "Desktop-Message to: $ALL_USER"
        for USER_TMP in $ALL_USER; do
                if [ "$USER_TMP" = "$USER_LAST" ]; then
                        # if user already notified, continue
                        continue
                fi
                su "$USER_TMP" -c "XAUTHORITY=/home/$USER_TMP/.Xauthority DISPLAY=:0 notify-send $1 $2"
                # save last username to avoid double notification
                USER_LAST=$USER_TMP
        done
}

## grab the current ESSID: second field when splitting on the double quote,
## so an additional "Nickname" field on the same line does not matter
ESSID=$($IW_TOOL "$INTERFACE" 2>/dev/null | grep ESSID | cut -d'"' -f2)

## For Raspberry PI and Fedora Remix (maybe others, too) use this line
# ESSID=$(nmcli con | grep 802-11-wireless | cut -d' ' -f1)


## which case?
case "$ACTION" in
up)
        log "FHK-VPN service"
        log "ESSID needed: $ESSID_VPN"
        log "ESSID found : $ESSID"

        # check for matching ESSID (quoted, so an empty ESSID does not break the test)
        if [ "$ESSID" = "$ESSID_VPN" ]; then
             log "ESSID matching, proceeding."
             # disconnect all running vpnc
             log "Close all VPN-connections first.."
             log "$(/usr/sbin/vpnc-disconnect 2>&1)"
             # kick the pieces out of the system
             log "kill all running vpnc instances..."
             log "$(killall vpnc 2>&1)"
             # wait for 2 seconds before re-establishing the connection
             sleep 2
             log "Try to restart vpnc"
             # keep the exit status of vpnc itself; "$?" after log would only
             # report the status of the log pipeline
             VPNC_OUT=$(/usr/sbin/vpnc 2>&1)
             VPNC_RC=$?
             log "$VPNC_OUT"
             # check for errorlevel and notify user
             if [ "$VPNC_RC" -eq 0 ]; then
                        notify_me '"FHK-VPNC Service"' '"Du bist jetzt mit dem VPN der FH Köln verbunden..."'
                        notify_me '"FHK-VPNC Service"' '"Starte Ping-Verbindungs-Workaround"'
                        ping_it
             else
                        notify_me '"FHK-VPNC Service"' '"ESSID gefunden, aber ein VPNC Fehler trat auf!"'
                        log "Error 3: vpnc failed!"
                        exit 3
             fi
        else
             # if the ESSID doesn't match, we're probably in another network and only notify the user about that.
             # This part may be kicked out if someone gets annoyed by the message
             log "Needed ESSID not found, do nothing!"
             notify_me '"FHK-VPNC Service"' '"ESSID stimmt nicht überein, VPN nicht gestartet"'
             exit 0
        fi
;;

down)
        if [ "$(pidof vpnc)" ]; then
                log "$(/usr/sbin/vpnc-disconnect 2>&1)"
                log "$(killall vpnc 2>&1)"
        fi
;;

pre-up)
        if [ "$(pidof vpnc)" ]; then
                # I think we don't need that anymore
                log "$(/usr/sbin/vpnc-disconnect 2>&1)"
                #log "$(killall vpnc)"
        fi
;;

post-down)
        if [ "$(pidof vpnc)" ]; then
                # I think we don't need that anymore
                log "$(/usr/sbin/vpnc-disconnect 2>&1)"
                # log "$(killall -9 vpnc)"
        fi
;;

*)
        echo "Usage: $0 <DEVICE> {up|down|pre-up|post-down}"
        exit 1
esac

Don't forget to make this one executable with chmod +x /etc/NetworkManager/dispatcher.d/fhk-vpnc

Now try to connect to the network and see if something happens in /var/log/messages. If everything works you should see the vpn greetings in this logfile.

New: You should now also be notified within your desktop environment via D-Bus.

Avoid the permanent ping (to be verified!)

Open UDP ports 500 and 4500 in your firewall, possibly only for 139.6.0.0/255.255.255.0. Check whether the connection stays open without interruption, especially in high-traffic times around noon. Please report back whether it works for you or not.

Reported Errors

  • Some drivers force the iwconfig output to have a „Nickname“ field in the same line with the ESSID, so the grep&cut didn't work. I tried to fix it with a slightly modified code line and hope this did not cause other problems now. That fix also made the call to sed deprecated. — Manuel 2009/01/19 22:42
  • In the last version, users were notified for every login. This is now fixed in notify_me(). — Manuel 2009/01/26 13:48
  • The latest „workaround“ from the campus IT gives the hint to open a „ping console“ to avoid disconnection. I try to automate it for now, maybe I'll drop it later again — Manuel 2009/01/29 00:21
  • Ubuntu stores iwconfig in a different directory than openSUSE, so I try to avoid problems with a „which“.
  • notify-send is not available in standard Ubuntu, added note on top of the page
  • The which command does not work on some systems. Please use the /path/to/iwconfig line instead — Manuel 2009/02/25 16:37
  • I had trouble finding the ESSID on the Raspberry PI with the Fedora 14 Remix and had to use an alternative command (added as comment) — edited by Manuel Krischer B. Sc. on 2012/07/12 16:34
