Believe it or not: A Linux VPN without kernel recompilation

Those of you who have been struggling to get a Linux VPN client to connect to your company's VPN no longer have to struggle. Cisco has released its vpnclient application for Linux, and Jack Wallen, Jr., shows you how simple it can be to use.
You read correctly. Until today, I would never have believed it myself. Having dealt with the likes of FreeS/WAN and PoPToP, I know how difficult it can be to have to recompile a kernel, attempt to load in the proper modules, and then (and only then) hope the application will work with both your client and your VPN server.

Just when you thought it was unsafe to tread the VPN waters, along comes Cisco to save the day for Linux client users. The new Cisco vpnclient is not only amazingly simple to use, but it's also secure and reliable. In this Daily Feature, I’ll install, configure, and run an instance of Cisco's new vpnclient for Linux.

How to obtain and install vpnclient
This VPN client package is included in the VPN Solutions package and supports the Intel version of Red Hat Linux 6.2 (or glibc >= 2.1.1-6 libraries) using kernel >= 2.2.12. Unfortunately, you can’t get this package without buying the VPN Solutions package, but it’s well worth the purchase if you want both a rock-solid VPN server and a killer client application.

The first step of the installation is to unpack the package. The release I tested was vpnclient-linux-3.0.8-k9.tar.gz. To unpack this file, run the command:
tar xvzf vpnclient-linux-3.0.8-k9.tar.gz

which will create a new directory called, simply enough, vpnclient.

The next step is to cd into the newly created directory with the command:
cd vpnclient

Now you're ready to run the install. The installation of this package is quite simple. As root, run the command:
vpnclient_init

You'll be asked a few questions regarding the location of your kernel source, where you would like the executable binary file to be placed, and whether you'd like the VPN service to start at boot time. It's that simple.

Once you've installed the application, start the VPN service with this command:
/etc/rc.d/init.d/vpnclient_init start

Configuration
Configuring Cisco's vpnclient can be tricky if you're not sure where to put the configuration. When you install the application, you’ll notice a sample.pcf file in the vpnclient directory. (All user profiles must have the .pcf format.) This file is what you’ll base your configuration on and is also mirrored in the /etc/CiscoSystemsVPNClient/Profiles/ directory. The latter file is the one that the application actually uses. The file is laid out in the MS Windows .ini format, which is similar to other Linux configuration formats, such as smb.conf. It looks like this:
[main]
Description=sample user profile
Host=10.7.44.1
AuthType=1
GroupName=monkeys
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=chimchim
SaveUserPassword=0
EnableBackup=0
BackupServer=
EnableNat=0
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
DHGroup=2
ForceKeepAlives=0
The minimum configurations you’ll need in your .pcf file are [main], Host, AuthType, GroupName, and Username. The [main] configuration simply demarcates the main section of the configuration file. The Host option sets the IP address (or URL) of the VPN server. The AuthType configuration is set to either 1 (preshared keys) or 3 (digital certificate that uses an RSA signature). The GroupName is the name of the IPSec group used on the VPN server. The Username is the string that identifies the individual user.

Other configuration options that can be added are:
  • UserPassword: This is the password used for authentication.
  • SaveUserPassword: A 0 means the password is displayed in clear text in the profile, and a 1 means the password is encrypted within the profile.
  • EnableNat: A 0 disables NAT, and a 1 enables NAT.

Once you've changed these configurations, save the file and you’ll be ready to start up the application.
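A small profile checker, added here as an example rather than taken from the article or from Cisco's client: it verifies the required [main] section and keys listed above, accepts only AuthType 1 or 3, and warns when a profile carries a UserPassword line without SaveUserPassword=1 (clear text on disk, per the semantics described above). The check_pcf function name and the use of GNU stat for the permission check are assumptions of mine.

```shell
#!/bin/sh
# check_pcf PROFILE: sanity-check a Cisco vpnclient .pcf profile before
# connecting. Prints one line per finding; returns 0 when the profile is
# usable, 1 on errors, 2 if it cannot be read.
check_pcf() {
    pcf=$1
    status=0
    [ -r "$pcf" ] || { echo "ERROR: cannot read $pcf"; return 2; }

    # All settings live under the [main] section header.
    grep -q '^\[main\]' "$pcf" || { echo "ERROR: missing [main] section"; status=1; }

    # Required keys must be present and non-empty. Profiles copied from
    # Windows may have CRLF endings, so strip the CR before testing.
    for key in Host AuthType GroupName Username; do
        val=$(sed -n "s/^$key=//p" "$pcf" | tr -d '\r' | head -n 1)
        [ -n "$val" ] || { echo "ERROR: $key is missing or empty"; status=1; }
    done

    # AuthType is 1 (preshared keys) or 3 (RSA certificate); nothing else.
    case "$(sed -n 's/^AuthType=//p' "$pcf" | tr -d '\r' | head -n 1)" in
        1|3) ;;
        *)   echo "ERROR: AuthType must be 1 or 3"; status=1 ;;
    esac

    # A UserPassword line without SaveUserPassword=1 is a clear-text
    # credential on disk.
    if grep -q '^UserPassword=.' "$pcf"; then
        grep -q '^SaveUserPassword=1' "$pcf" ||
            echo "WARNING: UserPassword is stored in clear text"
        # Any profile holding a password should be readable by root only.
        # Assumes GNU stat; prints "?" where it is unavailable.
        perms=$(stat -c %a "$pcf" 2>/dev/null || echo "?")
        case "$perms" in
            600|400) ;;
            *) echo "WARNING: $pcf has mode $perms; use chmod 600" ;;
        esac
    fi
    return $status
}

# Run directly: ./check_pcf.sh /etc/CiscoSystemsVPNClient/Profiles/Mooch.pcf
if [ $# -gt 0 ]; then check_pcf "$1"; fi
```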

Establishing a connection
Establishing a connection with Cisco's vpnclient is very simple. Let's say you’re using the profile named Mooch.pcf. To bring up a connection with this profile, you’d run the command (as root):
vpnclient connect Mooch

Depending on your profile configuration, you may be asked for the following:
  • Group Password
  • User Name
  • User Password
  • Domain

Eventually, your client will establish a connection with the server, and your command prompt will not come back to you.

You can kill this running connection in two ways. The first method is to open another console, su to root, and run this command:
vpnclient disconnect

The second method is to press [Ctrl]C. This assumes the console window running the command has focus. If that particular window does not have focus, put your cursor in the window and click the left mouse button. The client will disconnect from the server with either of these methods.

Client statistics
The vpnclient application comes with a statistics command that allows you to view information about your connection. The command syntax is:
vpnclient stat [reset] [traffic] [tunnel] [route] [repeat]

The arguments offer the following information:
  • reset: Restarts all connection counts from zero
  • traffic: Displays a summary of bytes
  • tunnel: Displays IPSec information
  • route: Displays configured routes
  • repeat: Keeps a visible, continuously refreshing display of various statistics, including reset, traffic, tunnel, route, and repeat

Hurdles
What would a network administrator’s job be without hurdles? Actually, Cisco's vpnclient tool has only one small hurdle to get over. When running any sort of packet filtering, such as ipchains or iptables, the vpnclient can cause the Linux kernel to lock up tight. A couple of situations cause this problem. The first is when you have CONFIG_NETFILTER enabled in your kernel. If you have this enabled, you’ll have to recompile your kernel and disable CONFIG_NETFILTER. If you're not sure whether CONFIG_NETFILTER is set, you can run the following commands:
cd /usr/src/linux-2.4.2/arch/i386
grep CONFIG_NETFILTER defconfig
If you see this line:
# CONFIG_NETFILTER is not set

then you are good to go.

The second situation arises when you’re running any sort of firewall on the client machine. For stability’s sake, you’ll want to shut down your firewall, flush both the input and the output chains, change your input policy to ACCEPT if it’s set to DENY, and then start your connection.

To make this task quicker, I whipped up a shell script that, when run as root, drops the firewall, changes the input policy, and starts the VPN connection. The script looks like this (using the Mooch connection configuration):
#!/bin/sh
# Flush every ipchains rule, accept inbound traffic, then start the VPN session.
/sbin/ipchains -F
/sbin/ipchains -P input ACCEPT
vpnclient connect Mooch
I saved the file in the /etc/rc.d/ directory with the name vpn_connect. To start the VPN connection, I ran this command:
/etc/rc.d/vpn_connect

The connection started up without locking up the machine. Simple.

After your connection is made, you won't have to bring your firewall back up until the session is over. This assumes that you trust everyone on your VPN network. If you do not trust everyone on your VPN network, use caution when trying to start a firewall on the host machine of the vpnclient application. After gaining a secure connection to TechRepublic's Cisco VPN server, I ran my ip_chains_script, only to watch the machine soundly lock up after the first few packets passed through. The takeaway? Don't worry about your firewall while you're using Cisco's vpnclient; it will only leave you rebooting your machine over and over.
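A fuller version of the connect script, added as an example and not the article's own vpn_connect: it refuses to start if the running kernel's config shows CONFIG_NETFILTER set, saves the current ipchains rules, opens the firewall exactly as above, and restores the saved rules only once vpnclient exits, so the host is not left unfiltered after the session ends. It assumes the ipchains-save and ipchains-restore tools from the ipchains package are in /sbin, and the config file locations and function names are mine.

```shell
#!/bin/sh
# vpn_connect PROFILE: drop the ipchains firewall only for the life of the
# VPN session. Assumes /sbin/ipchains-save and /sbin/ipchains-restore.

# netfilter_state CONFIGFILE: print "set", "not set" or "unknown".
# Read the running kernel's own config (/boot/config-$(uname -r) or
# /usr/src/linux/.config), not an architecture default file.
netfilter_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if grep -q '^CONFIG_NETFILTER=y' "$1"; then
        echo set
    elif grep -q '^# CONFIG_NETFILTER is not set' "$1"; then
        echo "not set"
    else
        echo unknown
    fi
}

# running_kernel_config: first readable config for the kernel in use.
running_kernel_config() {
    for f in "/boot/config-$(uname -r)" /usr/src/linux/.config; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

vpn_connect() {
    cfg=$(running_kernel_config) || { echo "no kernel config found; cannot verify CONFIG_NETFILTER" >&2; return 1; }
    state=$(netfilter_state "$cfg")
    if [ "$state" != "not set" ]; then
        echo "CONFIG_NETFILTER is $state in $cfg; not connecting (lockup risk)" >&2
        return 1
    fi
    saved=$(mktemp /tmp/ipchains.XXXXXX) || return 1
    /sbin/ipchains-save > "$saved"
    # Put the saved rules and policy back when vpnclient exits, whether
    # through 'vpnclient disconnect' or Ctrl-C (which exits via the INT trap).
    trap '/sbin/ipchains-restore < "$saved"; rm -f "$saved"' EXIT
    trap 'exit 130' INT TERM
    /sbin/ipchains -F
    /sbin/ipchains -P input ACCEPT
    vpnclient connect "$1"
}

if [ $# -gt 0 ]; then vpn_connect "$1"; fi
```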

Conclusion
It's about time Linux found itself with a simple-to-use VPN solution. I've used this vpnclient to connect to TechRepublic’s Cisco VPN server, and it works like a charm. Other than the one firewalling issue, it performs flawlessly. Kudos to Cisco for finally offering a multiplatform VPN solution that any midlevel computer user can set up and run.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.