I’ve spent quite some time trying to make Cisco’s “vpnclient” work under Ubuntu. I’ve seen a lot of posts on the Internet about it, but not a single one with a comprehensive solution. I’ll try to summarize (in a nutshell) what I’ve been through, hoping it will help the next guy (or girl).
First, it’s important to remember that Cisco’s VPNClient is not an open source solution — it just integrates with open source. The installation procedure needs to compile a module that matches the current Linux kernel configuration, and that usually needs a properly configured kernel source under “/usr/src/linux”.
As a practice, I always keep a compiled version of my current kernel under “/usr/src/linux”. This is helpful, as many important configuration files and headers are generated during this process. You’ll need a configured kernel to install most “semi-open” Linux modules.
There are lots of references on how to compile a kernel on Debian (or Ubuntu), and I assume if you’re installing a VPN client, you know how to find your way around. Just remember that your kernel source must match your currently running kernel and you must compile the Cisco client using the same version of gcc that was used to compile the kernel (Hint: “cat /proc/version” will tell you what was used to compile the current kernel, and “gcc -v” will tell you your current version of gcc).
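As an added example (not part of the original post), the following script performs the compiler check just described: it pulls the “gcc version X.Y.Z” string out of /proc/version and out of the output of “gcc -v” and reports whether the two agree before you run the Cisco installer. The sample /proc/version and gcc -v strings embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Pre-install sanity check: the kernel and the Cisco module must be built with the same gcc.

# extract_gcc_version TEXT: print the version that follows "gcc version" in TEXT.
# Works on both /proc/version and "gcc -v" output; prints nothing if no such string.
extract_gcc_version() {
    printf '%s\n' "$1" | sed -n 's/.*gcc version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# compilers_match PROC_VERSION_TEXT GCC_V_TEXT: status 0 when both carry the same
# gcc version, 1 when they differ or either text cannot be parsed.
compilers_match() {
    k=$(extract_gcc_version "$1")
    c=$(extract_gcc_version "$2")
    [ -n "$k" ] && [ -n "$c" ] && [ "$k" = "$c" ]
}

# Constructed sample inputs in the format the two commands print on a 2.6-era Ubuntu.
SAMPLE_PROC_VERSION='Linux version 2.6.20-16-generic (root@host) (gcc version 4.1.2 (Ubuntu 4.1.2-0ubuntu4)) #2 SMP Thu Jun 7 20:19:32 UTC 2007'
SAMPLE_GCC_V_SAME='gcc version 4.1.2 (Ubuntu 4.1.2-0ubuntu4)'
SAMPLE_GCC_V_OTHER='gcc version 4.2.1 (Ubuntu 4.2.1-5ubuntu4)'

# live_check: compare the running kernel with the gcc on PATH; the exit status is the verdict.
live_check() {
    proc=$(cat /proc/version) || return 1
    gccv=$(gcc -v 2>&1) || return 1
    if compilers_match "$proc" "$gccv"; then
        echo "OK: kernel and gcc both built with gcc $(extract_gcc_version "$proc")"
    else
        echo "MISMATCH: kernel built with gcc '$(extract_gcc_version "$proc")', current gcc is '$(extract_gcc_version "$gccv")'" >&2
        return 1
    fi
}

# Run the live check only when asked (sh check.sh --live), so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```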
Another source of confusion is that changes have been made to the 2.6 kernel series that make it impossible to compile the Cisco VPN client. Fortunately, Cisco already adapted to the ever-changing 2.6 kernel and released version 4.8 of their Cisco VPN software. Make sure you have version 4.8, or you’ll need to patch your VPN Client source.
Once all that is at hand, just unpack the Cisco VPN tarball, enter the VPN directory and, as root, execute “./vpn_install”. Answer the script’s questions (the default is usually fine) and the installer will do everything for you. Make sure you have some profiles under “/etc/CiscoSystemsVPNClient/Profiles” to play with.
One unexplained source of headaches for me was the VPN Certificate Store. I’ve installed older versions of the Cisco VPN Client literally dozens of times, and I usually copy the “/etc/CiscoSystemsVPNClient/Certificates” directory freely from one computer to another. Interestingly enough, and for some unexplained reason, this did not work for the current version of vpnclient. If your vpnclient works without certificates but always fails when you try a connection using certificates, you may want to “export” your certificates on a computer where it is running and re-import them into your Linux box. You can do this by typing “ciscocertmgr -U -op import” to import the user’s certificate. Substitute “-R” for the “-U” in the previous command to import the root certificate (usually your firewall’s certificate).
A final word: The logging facilities of the Cisco VPN client for Linux are not intuitive at all. By reading the documentation, you’re left with the impression that turning logging on in the “vpnclient.ini” file alone is enough to get some kind of “binary” logs, which are then translated by “ipseclog” into something readable. This is not true. In reality, you must be running “ipseclog filename” to get logs. The VPN client will connect to the “ipseclog” program, which generates the physical log files.
I hope this will help you spend less time configuring your VPN client than I had to. :)