Cyber Security
Installing & Configuring the Client

Since most Linux distributions are administered from the command line, the
following procedure describes the steps needed to install and configure a
Debian system to reach the Cisco VPN server at BNL.
Prerequisites: the kernel source (headers) for the running kernel must be
installed, and the kernel must be from the 2.2 or 2.4 series. Kernels earlier
than 2.2 and the 2.5 development series are NOT supported by the Cisco VPN
client. The kernel tree must have been configured and its modules built, because
the installer compiles the cisco_ipsec module against it. Lastly, the running
kernel must have loadable kernel module support; most Linux distributions
enable this by default.
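The three prerequisites above can be checked in one pass before running vpn_install. The script below is an added example, not part of the BNL page or of Cisco's installer: it accepts the running kernel only if it is in the 2.2 or 2.4 series, looks for a configured source tree (include/linux/version.h and .config) in the directory given, /usr/src/linux by default as on Debian, and takes the presence of /proc/modules as the sign that loadable module support is compiled in.

```shell
#!/bin/sh
# Pre-flight check for the Cisco VPN client 3.7.2 prerequisites.
# Added example; not part of the BNL page or of Cisco's installer.
# Usage (as root): sh vpn_preflight.sh [kernel-source-dir]   (default /usr/src/linux)

# kernel_supported VERSION -> 0 if VERSION is in the 2.2 or 2.4 series,
# 1 otherwise (pre-2.2 kernels and the 2.5 development series are rejected)
kernel_supported() {
    case "$1" in
        2.2|2.2.*|2.4|2.4.*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# kernel_src_ok DIR -> 0 if DIR holds a configured kernel tree: the headers the
# installer compiles against plus the .config the tree was configured with
kernel_src_ok() {
    [ -f "$1/include/linux/version.h" ] && [ -f "$1/.config" ]
}

# lkm_support_ok -> 0 if the running kernel has loadable module support
# (/proc/modules exists only when the kernel was built with CONFIG_MODULES)
lkm_support_ok() {
    [ -e /proc/modules ]
}

# vpn_preflight [DIR] -> prints one line per check, returns the number of failures
vpn_preflight() {
    src=${1:-/usr/src/linux}
    ver=$(uname -r)
    fail=0
    if kernel_supported "$ver"; then
        echo "ok:   running kernel $ver is in the 2.2/2.4 series"
    else
        echo "FAIL: running kernel $ver is not supported by the 3.7.2 client"
        fail=$((fail+1))
    fi
    if kernel_src_ok "$src"; then
        echo "ok:   configured kernel source found in $src"
    else
        echo "FAIL: $src lacks include/linux/version.h or .config"
        fail=$((fail+1))
    fi
    if lkm_support_ok; then
        echo "ok:   loadable kernel module support present"
    else
        echo "FAIL: no /proc/modules; this kernel cannot load cisco_ipsec"
        fail=$((fail+1))
    fi
    return "$fail"
}

# Run the checks only when a kernel-source directory is given on the command line.
if [ $# -gt 0 ]; then
    vpn_preflight "$1"
    exit $?
fi
```

A non-zero exit status means at least one prerequisite is missing; fix those before running vpn_install, since the installer aborts partway through the module build otherwise.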
Installation Instructions
- From the root prompt, create a directory to hold the VPN client software.
haller:/root# mkdir -p /usr/local/vpn
- Enter the newly created directory.
haller:/root# cd /usr/local/vpn
- Extract the VPN software archive.
haller:/usr/local/vpn# tar -zxf vpnclient-linux-3.7.2.Rel-k9.tar.gz
- After a few seconds the extraction completes. Check that the vpnclient
directory was created.
haller:/usr/local/vpn# ls
vpnclient  vpnclient-linux-3.7.2.Rel-k9.tar.gz
- Enter the VPN installation directory.
haller:/usr/local/vpn# cd vpnclient
- Check for the existence of the VPN application files.
haller:/usr/local/vpn/vpnclient# ls
Cniapi.h cvpnd license.txt vpn_install
GenDefs.h driver_build.sh linux_os.h vpn_ioctl_linux.h
IPSecDrvOSFunctions.h frag.c linuxcniapi.c vpn_uninstall
IPSecDrvOS_linux.c frag.h linuxcniapi.h vpnclient
IPSecDrvOS_linux.h interceptor.c mtu.h vpnclient.ini.in
cisco_cert_mgr ipseclog sample.pcf vpnclient_init
config.h libdriver.so typescript
- Start the installation script.
haller:/usr/local/vpn/vpnclient# ./vpn_install
- Cisco Systems VPN Client Version 3.7.2 (Rel) Linux Installer
Copyright (C) 1998-2001 Cisco Systems, Inc. All Rights Reserved.
By installing this product you agree that you have read the
license.txt file (The VPN Client license) and will comply with
its terms.
Directory where binaries will be installed [/usr/local/bin]
This is the default and recommended.
Automatically start the VPN service at boot time [yes] no
Answer no: the preference is to start the VPN service manually, only when it is needed.
In order to build the VPN kernel module, you must have the
kernel headers for the version of the kernel you are running.
For RedHat 6.x users these files are installed in /usr/src/linux
by default
For RedHat 7.x users these files are installed in /usr/src/linux-2.4
by default
For Suse 7.3 users these files are installed in /usr/src/linux-2.4.10.SuSE
by default
Directory containing linux kernel source code
[/lib/modules/2.4.18/build] /usr/src/linux
This is the normal Debian location for the kernel source code.
* Binaries will be installed in "/usr/local/bin".
* Modules will be installed in "/lib/modules/2.4.18/CiscoVPN".
* The VPN service will *NOT* be started automatically at boot
time.
* Kernel source from "/usr/src/linux" will be used to build the
module.
Is the above correct [y]
If the summary is correct press Return; enter n to abort the installation.
Making module
Create module directory "/lib/modules/2.4.18/CiscoVPN".
Copying module to directory "/lib/modules/2.4.18/CiscoVPN".
Creating start/stop script "/etc/init.d/vpnclient_init".
Creating VPN configuration file "/etc/CiscoSystemsVPNClient/vpnclient.ini".
Installing license.txt (VPN Client license) in
"/etc/CiscoSystemsVPNClient/":
Installing bundled user profiles in
"/etc/CiscoSystemsVPNClient/Profiles/":
* New Profiles : sample
Copying binaries to directory "/usr/local/bin".
Setting permissions.
/usr/local/bin/cvpnd (setuid root)
/etc/CiscoSystemsVPNClient (world writeable)
/etc/CiscoSystemsVPNClient/Profiles (world writeable)
/etc/CiscoSystemsVPNClient/Certificates (world writeable)
* You can change these permissions to restrict access to
root.
* You must run "/etc/init.d/vpnclient_init start" before using
the client.
* You will need to run this script every time you reboot your
computer.
haller:/usr/local/vpn/vpnclient#
At this point the client software is installed; what remains is the
configuration that brings the VPN tunnel up.
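The installer's final lines spell out the permission model it leaves behind: a setuid-root daemon, cvpnd, and a configuration tree that every local user may write to. Whoever can edit Profiles/*.pcf chooses the gateway the root-privileged daemon talks to and can read or replace the group credentials stored there, so on a machine with more than one user take the installer's own advice and restrict the tree to root. The script below is an added example, not part of the BNL page or of Cisco's vpn_install; the path defaults to the directory the installer printed, and the 0755/0644/0600 modes are the editor's choice.

```shell
#!/bin/sh
# Restrict the Cisco VPN client's configuration tree to root, undoing the
# world-writeable permissions vpn_install leaves behind.
# Added example; not part of the BNL page or of Cisco's installer.
# Usage (as root): sh harden_vpn_cfg.sh /etc/CiscoSystemsVPNClient

# world_writable DIR -> prints every file or directory under DIR that
# any user may write to (other-write bit set)
world_writable() {
    find "$1" -perm -0002 -print
}

# harden_vpn_cfg DIR -> directories 0755 (writeable only by the owner),
# ordinary files 0644, profiles and certificates 0600 because they hold
# group credentials and possibly private keys. Returns 0 when nothing
# world-writeable remains, 1 otherwise, 2 if DIR does not exist.
harden_vpn_cfg() {
    d=${1:-/etc/CiscoSystemsVPNClient}
    if [ ! -d "$d" ]; then
        echo "no such directory: $d" >&2
        return 2
    fi
    find "$d" -type d -exec chmod 0755 {} +
    find "$d" -type f -exec chmod 0644 {} +
    for sub in Profiles Certificates; do
        if [ -d "$d/$sub" ]; then
            find "$d/$sub" -type f -exec chmod 0600 {} +
        fi
    done
    # Verify the result instead of trusting the chmods above.
    left=$(world_writable "$d")
    if [ -n "$left" ]; then
        echo "still world-writeable:" >&2
        echo "$left" >&2
        return 1
    fi
    return 0
}

if [ $# -gt 0 ]; then
    harden_vpn_cfg "$1"
    exit $?
fi
```

Ownership needs no change: the installer ran as root, so the tree is already root-owned and only the mode bits are wrong. The rest of this page runs vpnclient as root, so the procedure is unaffected by the tighter modes.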
Configuration of the VPN
- Copy the sample configuration into the profiles directory.
haller:/usr/local/vpn/vpnclient# cp sample.pcf /etc/CiscoSystemsVPNClient/Profiles/root.pcf
- Edit the new root profile and enter the appropriate information.
haller:/usr/local/vpn/vpnclient# vi /etc/CiscoSystemsVPNClient/Profiles/root.pcf
[main]
Description=BNL VPN Pix
    (any descriptive name for the connection)
Host=vpngateway.bnl.gov
    (or the address 130.199.3.27 if the machine has no DNS resolution)
AuthType=1
GroupName=
    (enter your VPN group name)
GroupPwd=
    (enter your VPN group password; after the first successful connection
    the client stores an encrypted form in enc_GroupPwd below)
Username=
    (enter your Crypto Card username)
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
SaveUserPassword=0
EnableBackup=0
BackupServer=
EnableNat=0
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
DHGroup=2
ForceKeepAlives=0
enc_GroupPwd=
UserPassword=
enc_UserPassword=
Username=
NTDomain=
EnableMSLogon=1
MSLogonType=0
TunnelingMode=0
TcpTunnelingPort=10000
SendCertChain=0
VerifyCertDN=
PeerTimeout=90
EnableLocalLAN=0
EnableSplitDNS=1
Press Esc, then type :wq to save the profile and exit vi.
haller:/usr/local/vpn#
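Before connecting, it is worth checking the profile you just wrote for the slips the sample invites: a Host, GroupName or AuthType left empty; a group password still in clear text once enc_GroupPwd has been filled in; a cached user password (the Crypto Card response is a one-time value, so SaveUserPassword must stay 0); a key listed twice (the profile above carries two Username= lines); and a profile other users can read. The script below is an added example, not part of the BNL page or of Cisco's client. The key names are the ones shown in the profile above; how the client treats a key that appears twice is not documented on the page, so the lint only reports it.

```shell
#!/bin/sh
# Lint a Cisco VPN client .pcf profile before the first connect.
# Added example; not part of the BNL page or of Cisco's client.
# Usage: sh pcf_lint.sh /etc/CiscoSystemsVPNClient/Profiles/root.pcf

# pcf_value FILE KEY -> prints the value of the first "KEY=" line, or nothing
pcf_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# pcf_dup_keys FILE -> prints each key that appears on more than one line
pcf_dup_keys() {
    awk -F= '/^[A-Za-z_]+=/ { seen[$1]++ }
             END { for (k in seen) if (seen[k] > 1) print k }' "$1" | sort
}

# pcf_lint FILE -> prints one finding per line; returns the number of findings
pcf_lint() {
    f=$1
    n=0
    for key in Host GroupName AuthType; do
        if [ -z "$(pcf_value "$f" "$key")" ]; then
            echo "missing: $key= has no value"
            n=$((n+1))
        fi
    done
    # After the first successful connection the client records an encrypted form
    # in enc_GroupPwd, so the clear-text GroupPwd has no reason to stay on disk.
    if [ -n "$(pcf_value "$f" GroupPwd)" ]; then
        echo "GroupPwd= holds the group password in clear text; blank it once enc_GroupPwd= is filled in"
        n=$((n+1))
    fi
    # The Crypto Card response is one-time, so caching a user password is pointless and unsafe.
    if [ "$(pcf_value "$f" SaveUserPassword)" = "1" ] || [ -n "$(pcf_value "$f" UserPassword)" ]; then
        echo "user password cached on disk (SaveUserPassword=1 or UserPassword= set); keep SaveUserPassword=0"
        n=$((n+1))
    fi
    for k in $(pcf_dup_keys "$f"); do
        echo "duplicate key: $k= appears more than once; keep a single line"
        n=$((n+1))
    done
    # The profile carries credentials: group- or world-readable is a finding.
    if [ -n "$(find "$f" \( -perm -0040 -o -perm -0004 \) -print)" ]; then
        echo "profile is readable by group or others; chmod 0600 $f"
        n=$((n+1))
    fi
    return "$n"
}

if [ $# -gt 0 ]; then
    pcf_lint "$1"
    exit $?
fi
```

The exit status is the number of findings, so the script can gate a connect: `sh pcf_lint.sh root.pcf && vpnclient connect root`.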
- Establish a VPN connection into BNL
haller:/usr/local/vpn# /etc/init.d/vpnclient_init start
Starting /usr/local/bin/vpnclient:
Warning: loading /lib/modules/2.4.18/CiscoVPN/cisco_ipsec will taint the kernel: no license
  See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Module cisco_ipsec loaded, with warnings
Done
The taint warning is expected: cisco_ipsec is a proprietary module with no GPL
license tag, so the kernel marks itself tainted when it loads. The module is
loaded and the warning is not an error.
- Authenticate for the VPN connection
haller:/usr/local/vpn# vpnclient connect root
Cisco Systems VPN Client Version 3.7.2 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.18 #1 Tue Jan 7 13:34:18 EST 2003 i686

Initializing the IPSec link.
Contacting the gateway at 130.199.3.27
User Authentication for root...
The server has requested the following information to complete the user authentication:

Username [your Crypto Card Username]
Password []:
Authenticating user.
User Authentication for root...
Challenge: 18560403
Response:
Username: [your Crypto Card Username]
Password []:
    (enter the Crypto Card response to the challenge above)
- Check the status of the VPN connection
From another command window on your Linux system:
haller:/usr/local/vpn# vpnclient stat
Cisco Systems VPN Client Version 3.7.2 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.18 #1 Tue Jan 7 13:34:18 EST 2003 i686

IPSec tunnel information.
Connection Entry: root
Client address: 130.199.158.1
Server address: 130.199.3.27
Encryption: 56-bit DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is inactive
Local LAN Access is disabled

VPN traffic summary.
Time connected: 0 day(s), 00:11.23
Bytes in: 10956          Bytes out: 13336
Packets encrypted: 88    Packets decrypted: 89
Packets bypassed: 24     Packets discarded: 49

Configured routes.
Secured  Network Destination  Netmask          Bytes
*        130.199.3.27         255.255.255.255  0
*        0.0.0.0              0.0.0.0          19679

Two lines of this output are worth checking on every connection. The secured
route 0.0.0.0 / 0.0.0.0 means all traffic, not only traffic to BNL, is sent
through the tunnel, which matches EnableLocalLAN=0 in the profile and is what
"Local LAN Access is disabled" reports. The negotiated algorithms, 56-bit DES
with HMAC-MD5, are the weakest the client offers; neither is considered
adequate today, and the transform actually used is decided by the gateway's
configuration rather than by the profile.

Last Modified: May 11, 2009