1 Feb 2006, posted on linux
I’ve spent quite some time trying to make Cisco’s “vpnclient” work under
Ubuntu. I’ve seen a lot of posts on the Internet about it, but not a single
one with a comprehensive solution. I’ll try to summarize (in a nutshell)
what I’ve been through, hoping it will help the next guy (or girl).
First, it’s important to remember that Cisco’s VPNClient is not an open
source solution — it just integrates with open source. The installation
procedure needs to compile a module that matches the current Linux kernel
configuration, and that usually needs a properly configured kernel source
under “/usr/src/linux”.
As a practice, I always keep a compiled version of my current kernel under
“/usr/src/linux”. This is helpful, as many important configuration files and
headers are generated during this process. You’ll need a configured kernel to
install most “semi-open” Linux modules.
There are lots of references on how to compile a kernel on Debian (or
Ubuntu), and I assume if you’re installing a VPN client, you know how to find
your way around. Just remember that your kernel source must match your
currently running kernel and you must compile the Cisco client using
the same version of gcc that was used to compile the kernel (Hint: “cat
/proc/version” will tell you what was used to compile the current kernel, and
“gcc -v” will tell you what is your current version of gcc).
Another source of confusion is that changes have been made to the 2.6 kernel
series that make it impossible to compile the Cisco VPN client. Fortunately,
Cisco already adapted to the ever-changing 2.6 kernel and released version
4.8 of their Cisco VPN software. Make sure you have version 4.8, or
you’ll need to patch your VPN Client source.
Once all that is at hand, just unpack the Cisco VPN tarball, enter
the VPN directory and, as root, execute “./vpn_install”. Answer the
script’s questions (the default is usually fine) and the installer
will do everything for you. Make sure you have some profiles under
“/etc/CiscoSystemsVPNClient/Profiles” to play with.
One unexplained source of headaches for me was the VPN Certificate
Store. I’ve installed older versions of the Cisco VPN Client literally
dozens of times, and I usually copy the “/etc/CiscoSystemsVPNClient/Certificates”
directory freely from one computer to another. Interestingly enough, and
for some unexplained reason, this did not work for the current version of
vpnclient. If your vpnclient works without certificates but always fails
when you try a connection using certificates, you may want to “export” your
certificates on a computer where it is running and re-import them into your
Linux box. You can do this by typing “ciscocertmgr -U -op import” to import the
user’s certificate. Substitute “-R” for the “-U” in the previous command to
import the root certificate (usually your firewall’s certificate).
A final word: The logging facilities of the Cisco VPN client for Linux are
not intuitive at all. By reading the documentation, you’re left with the
impression that turning logging alone in the “vpnclient.ini” file is enough
to get some kind of “binary” logs, which are then translated by “ipseclog”
into something readable. This is not true. In reality, you must be
running “ipseclog filename” to get logs. The VPN client will connect to the
“ipseclog” program, which generates the physical log files.
I hope this will help you spend less time configuring your VPN client than I
had to. :)
18 Apr 2005, posted on linux
Let’s face it: Everyone has something to hide. Be it your bank and
credit card PINs, business trade secrets or other, let’s say, “sensitive
information” [wink wink], there’s a big chance you have files in your
hard-drive you’d rather keep hidden from curious eyes.
The answer to the problem is strong cryptography, and in this article, we’ll
discuss a way to not only encrypt individual files, but whole filesystems.
Like many other Linux articles in this site, this one is a little “Debian
centric”. The procedures should be applicable to other distributions without
many modifications. Make sure you have the equivalent packages if you use
a different distribution of Linux.
For our purposes, we’ll be using the AES encryption and a modified version of
the “loop” module with AES support. We’ll also be using modified versions of
mount, umount and losetup.
What you need
You’ll need the following packages (again, if you’re not using Debian, your mileage
may vary):
loop-aes-utils: This package contains modified versions of mount(8),
umount(8), swapon(8), swapoff(8) and losetup(8) from util-linux. Installing
it should create a diversion from your ‘util-linux’ packages.
loop-aes-source: This package contains a version of the ‘loop’
device with embedded AES cryptography.
The source code for your kernel installed and properly configured.
Installation
The first step is to create the appropriate modules.
The loop-aes-source package will install a tar.gz file under /usr/src
containing the source code for the AES crypto module. Unpack this file under
/usr/src. This will create a new module directory under /usr/src/modules.
It’s now time to create a new kernel module. Change your directory to
/usr/src/linux and type make-kpkg modules_image. If everything works
well, you’ll end up with a “.deb” file for the AES module under your
/usr/src directory. Install this file with “dpkg -i filename.deb”.
Usage
The first step is to create a “container” for our encrypted filesystem. In
our example, we’ll create it as a file inside your regular filesystem. You
can also use a partition, if your hard-drive has unallocated space.
To create a 10MB AES encrypted file:
dd if=/dev/urandom of=/tmp/crypto.img bs=1k count=10k
losetup -e aes /dev/loop0 /tmp/crypto.img
mke2fs /dev/loop0
losetup -d /dev/loop0
Enter a 20 character password to protect this encrypted volume. This is an annoying
limitation, and we’ll discuss a better way to do things further down.
The steps above should be executed only once. Note that executing these steps on a
file or partition containing data will cause loss of information. Be careful!
Once the encrypted container has been created, we need to mount it before we
can use it. In our case, let’s use /mnt/crypt:
losetup -e aes /dev/loop0 /tmp/crypto.img
mount /dev/loop0 /mnt/crypt
Note that losetup only establishes the algorithm and password used to access
the loop device. If you supply the incorrect password and try to mount the
device, bad things will happen. No checking is done.
To “turn off” your encrypted device:
umount /dev/loop0
losetup -d /dev/loop0
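The post warns that losetup does no checking, so a wrong password followed by mount will do “bad things”. As an added example (not part of the original article, and the helper names are my own), here is a small sh wrapper that performs the check losetup does not: after attaching the loop device, it reads the ext2 superblock magic (0xEF53, stored little-endian at byte 1080) through the decrypting loop device and only mounts if the magic is there; a wrong password decrypts to random bytes, so the check fails and the device is detached instead.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post). The ext2 superblock
# starts at byte 1024 of the device and its magic number (0xEF53) is the
# little-endian 16-bit value at offset 0x38 inside it, i.e. byte 1080.
ext2_magic_ok() {
    dev="$1"
    magic=$(dd if="$dev" bs=1 skip=1080 count=2 2>/dev/null \
            | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

# Attach the AES loop device as in the post, then mount only if the
# decrypted data carries an ext2 superblock; otherwise detach and fail.
# Usage: mount_crypt /tmp/crypto.img /dev/loop0 /mnt/crypt
mount_crypt() {
    img="$1"; loop="$2"; mnt="$3"
    losetup -e aes "$loop" "$img" || return 1
    if ext2_magic_ok "$loop"; then
        mount "$loop" "$mnt"
    else
        echo "no ext2 superblock on $loop (wrong password?), detaching" >&2
        losetup -d "$loop"
        return 1
    fi
}
```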
Using GPG to store the keys
Instead of typing a long password every time you start the program, you can
instruct losetup to read the password from a file encrypted to you using
GPG. This allows you to use a bigger and safer password for your volume, and
eliminates the need to remember one more password.
The first step in that direction is to create a GPG encrypted file containing
the password for your volume. As you won’t need to type this password, you
can use the following trick to create a “random” password that is very
difficult to guess (note that a listing of /tmp is fairly predictable, so the
result is far less random than its length suggests; a password drawn from
/dev/urandom, already used above to fill the container, is a better choice):
ls -l /tmp | md5sum | awk '{ print $1 }' |
gpg -er 'youremail@yourdomain.com' >/tmp/crypto.img.gpg
And then, pass the “-K” command line option to losetup, such as:
losetup -e aes -K /tmp/crypto.img.gpg /dev/loop0 /tmp/crypto.img
Note that the “Password:” prompt from “losetup” looks exactly the same as
before, but this time losetup is requesting your private GPG passphrase,
not the encrypted volume password as before.
For a more “permanent” setup, you may wish to use a disk partition instead of
a file, and mount the filesystem automatically after boot. Be careful not to
mount this filesystem automatically from /etc/fstab, as you first need to
run losetup to activate the encrypted volume!
Keywords: Linux, aes, encrypted, cryptography, filesystem
1 Apr 2005, posted on linux
Retrieving the current time under Unix is easy. Just use the date command:
$ date
Fri Apr 1 16:27:14 EST 2005
You can also use date formats to output the date in a specific way (so it can
be used in scripts, or to form filenames):
$ date '+%Y%m%d-%H%M%S'
20050401-162855
But what happens if you want to see the GMT time, not the local time? Just manipulate
the TZ variable to fool date into believing we’re sitting on the GMT line:
$ TZ=GMT0 date
Fri Apr 1 21:30:21 GMT 2005
Another very frequent problem in scripts (especially log rotation scripts) is how
to get yesterday’s date. Again, we can solve the problem by cleverly manipulating
the TZ variable (the result is yesterday’s date relative to GMT, not to your
local time zone):
$ TZ=GMT24 date '+%Y%m%d'
20050331
Keywords: date, time, linux, yesterday, GMT, timezone, TZ
1 Apr 2005, posted on linux
What good is a system clock if you can’t keep it synchronized to the rest of the world? Well, hopefully, this is an easy task using the NTP daemon.
You’ll first need to install the NTP or XNTP packages, depending on your Linux/Unix version. Then, just create a file named /etc/ntp.conf with the following contents:
driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/
authenticate no
server time.nist.gov
server ntp-1.cso.uiuc.edu
server sundial.columbia.edu
server timex.cs.columbia.edu
This assumes you are connected to the internet.
Restart your NTP package and monitor the synchronization progress with the ntpq -p
command:
$ ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*time.nist.gov .ACTS. 1 u 485 512 377 69.062 -43.727 1.954
+ntp-1.gw.uiuc.e truechimer.cso. 2 u 513 512 377 63.117 -49.113 1.767
+hickory.cc.colu navobs1.wustl.e 2 u 40 512 377 44.482 -47.185 2.675
-cs.columbia.edu clepsydra.dec.c 2 u 33 512 377 44.732 -51.191 3.245
Pay special attention to the “tally code”, the character to the left of the hostnames.
You’ll want to see “*” and “+” there. Only blanks or minus signs mean your system
is not properly synchronized. Also, your clock must not be too far from the “reference” clock:
if it is, ntpd will panic and exit. To prevent this, set your clock manually
to something close to the reference time or use “ntpdate” to do it for you automatically.
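As an added example (not from the original post), a small sh function that turns the tally-code check above into something a monitoring script can run: it reads ntpq -p output, counts peers by tally code, flags a system peer whose reach register is not 377 (a poll was missed), and returns non-zero when no “*” peer exists. The function name is my own.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post). Reads "ntpq -p" text
# on stdin. The tally code is the first character of each peer line:
# "*" system peer, "+" candidate, "-" outlier, " " not used for sync.
# Prints a summary; exit status 0 only if a system peer ("*") is present.
ntp_sync_status() {
    awk '
        NR <= 2 { next }                    # skip header and ===== line
        { code = substr($0, 1, 1) }
        code == "*" { sys++; if ($7 != "377") lossy++ }   # $7 is "reach"
        code == "+" { cand++ }
        code == "-" { out++ }
        code == " " { unused++ }
        END {
            printf "system=%d candidates=%d outliers=%d unused=%d lossy_sys=%d\n",
                   sys, cand, out, unused, lossy
            status = (sys > 0) ? 0 : 1
            exit status
        }'
}
```

Run it as `ntpq -p | ntp_sync_status` from cron and alert on a non-zero exit.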
Keywords: time sync, ntp, ntpd, linux, unix, example