1. Download the file vpnclient-linux-4.8.00.0490-k9.tar.gz
   File: vpnclient-linux-4.8.00.0490-k9.tar.gz  Size: 1772KB

2. tar -zxvf vpnclient-linux-4.8.00.0490-k9.tar.gz
   cd vpnclient
   ./vpn_install

3. Start: /etc/init.d/vpnclient_init start

4. Configure: /etc/opt/cisco-vpnclient/Profiles/***.pcf (*** is whatever name you give the VPN connection)

   [root@localhost vpnclient]# cat /etc/opt/cisco-vpnclient/Profiles/cisco.pcf
   [main]
   Host=
   AuthType=1
   GroupName=
   Username=

5. Connect to the VPN: vpnclient connect cisco (the name in front of .pcf; cisco is used here as the example)

6. Reference: http://zed.cisco.com/confluence/display/LINUX/VPN+Client

1. GETTING THE SOFTWARE

I downloaded the latest version from http://www.cisco.com/cgi-bin/tablebuild.pl/vpnclient-3des (login required). At the time, version 4.0.1(A) was the latest.

2. UNINSTALLING PREVIOUS VERSIONS

You are NOT required to uninstall an old VPN client for Linux before you install a new VPN client, but if you want to:

# cd {distribution}/vpnclient
# ./vpn_uninstall

3. SYSTEM REQUIREMENTS

The VPN client for Linux officially supports Red Hat Version 6.2 Linux (Intel), but should compile correctly on any Linux kernel version 2.2.12 or later with glibc version 2.1.1-6 or later. It does not currently support 2.5 Linux kernels or SMP (multiprocessor) kernels.

If you are running any host-based firewall such as ipchains or iptables, be sure to allow the following traffic through:

UDP port 500
IP protocol 50 (ESP)
TCP port configured for IPSec/TCP (such as 443)

Note: you most likely have some firewall rules like this in /etc/sysconfig/ipchains or a similar file:

-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT

If you do, be sure to insert a rule like this ABOVE them, since the first matching rule in the chain decides the packet's fate:

-A input -p udp -s 0/0 -d 0/0 500 -j ACCEPT

4. INSTALLING THE SOFTWARE

Unpack the gzipped tarball into a temporary directory. This will create a subdirectory called vpnclient with a bunch of files in it.
> tar -zxvf vpnclient-linux-3.7.2.Rel-k9.tar.gz

Become the super-user

> su -

Make sure any pre-existing Cisco VPN daemon is stopped

# /etc/rc.d/init.d/vpnclient_init stop
-or-
# /etc/rc.d/init.d/vpn stop

Change to your temporary directory and then to the subdirectory vpnclient

# cd /tmp/vpnclient

Run the install script and follow the prompts

# ./vpn_install

5. CONFIGURING THE SOFTWARE

The Cisco VPN Client uses a "profile" to store the collection of properties for each connection. Each profile is stored in a text file with a .pcf extension. NOTE: the format of this file is the same as the VPN client for Windows. If you have Windows .pcf files handy, you can simply copy them over. The default location for these files will be /etc/CiscoSystemsVPNClient/Profiles/. If you don't have them, you can download them here.

A sample profile is provided. Copy the sample profile to a new file name and modify the new file to configure your connection.

> cp sample.pcf cisco.pcf
> vi cisco.pcf

At a minimum, the following attributes must exist in the pcf file:

[main]
Host
AuthType
GroupName
Username

Here is an example:

[main]
Host=1.7.7.132
AuthType=1
GroupName=groupiegroup
Username=jetson_g
EnableNat=1
TunnelingMode=1
TcpTunnelingPort=443

The last three lines are necessary for transparent TCP tunneling to port tcp/443. To enable UDP tunneling, change TunnelingMode to a value of 2 and remove the TcpTunnelingPort attribute.

6. RUNNING THE SOFTWARE

If the vpn client daemon is not running, start it.

> sudo /etc/rc.d/init.d/vpnclient_init start

Once the daemon is running, launch the vpn client.

> vpnclient connect cisco

The vpnclient executable takes a command parameter (connect|disconnect|stat|notify) followed by a profile name. The profile name is the file name of a .pcf file WITHOUT the .pcf extension. In the example above, the profile is "cisco" and it is stored in a file named cisco.pcf. So the command is "vpnclient connect cisco", not "vpnclient connect cisco.pcf". It's a small detail, but it can trip you up.

During the connection process you may be prompted for any combination of the following information. Make sure you know these bits before you launch a new connection:

1. Group Name (For Cisco employees, this must come from the pre-configured .pcf files. Get them from a Windows client or contact TRC)
2. Group Password (For Cisco employees, this must come from the pre-configured .pcf files. Get them from a Windows client or contact TRC)
3. User Name (CEC Username)
4. User Password (One-Time-Password)

Once connected, the vpn client will remain in the foreground to support any re-keying required during your session. Here is the explanation from the Cisco User Guide:

"When the connection is established, the VPN Client window stays in the foreground to allow the VPN client to be reauthenticated during a rekey by the VPN device. To send the VPN client window to the background, press Ctrl-Z followed by the bg command at the command line prompt. If the VPN device you are connecting to is configured to support rekeying and you send the VPN client window to the background, the tunnel disconnects when the first rekey occurs. The VPN client responds to rekey triggers based on time not data. If you want VPN client connections rekeyed, you must configure the concentrator so that the IKE proposal is set to rekey every 1800 seconds and IPSec parameters are set to rekey every 600 seconds."

During your session, open another terminal window or type "Ctrl+Z", followed by "bg" in the current window. Then, play with the "vpnclient stat" command to display various information about your session.

> vpnclient stat [reset][traffic][tunnel][route][repeat]

To disconnect, issue the command:

> vpnclient disconnect

7. SIMPLIFYING

I wanted to make the vpnclient a single-click or single-command operation in Linux/X Window/Gnome. This can be used with X Window and your favorite window manager, or from a comfy CLI.
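Returning to the firewall note in section 3: whether the VPN's traffic gets through depends not only on which rules exist but on their order, because ipchains and iptables stop at the first rule that matches. The script below is an added example written for this page (not Cisco's code and not the guide author's). It parses the page's own ipchains-style rule lines into a small model, evaluates each of the three VPN flows (udp/500, ESP as IP protocol 50, tcp/443) with first-match semantics, and reports which flow a REJECT catches before any ACCEPT. The two sample chains are constructed from the page's lines; the chain name "input", the `-p esp` alias and the unmodelled flags (`-i`, `-y`, ...) are assumptions of this checker.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Traffic the VPN client needs, as listed in section 3 of the page:
# IKE on udp/500, ESP (IP protocol 50, no port), and the IPSec/TCP port (443 here).
VPN_FLOWS = [("udp", 500), ("50", None), ("tcp", 443)]

PROTO_ALIASES = {"esp": "50"}   # assumption: let '-p esp' and '-p 50' mean the same thing


@dataclass
class Rule:
    chain: str
    proto: str               # 'udp', 'tcp', '50', ... or 'all' when no -p is given
    lo: Optional[int]        # destination port range; None means any port
    hi: Optional[int]
    target: str              # ACCEPT, REJECT, DENY, ...
    text: str


def parse_rule(line):
    """Parse one ipchains-style '-A chain ... -j TARGET' line (None for blanks/comments)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    toks = line.split()
    chain, proto, target, lo, hi = None, "all", None, None, None
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            chain = toks[i + 1]
            i += 2
        elif t == "-p":
            p = toks[i + 1].lower()
            proto = PROTO_ALIASES.get(p, p)
            i += 2
        elif t == "-j":
            target = toks[i + 1].upper()
            i += 2
        elif t in ("-s", "-d"):
            i += 2                      # skip the flag and the address
            # ipchains puts an optional port or lo:hi range right after the address
            if t == "-d" and i < len(toks) and re.fullmatch(r"\d+(:\d+)?", toks[i]):
                a, _, b = toks[i].partition(":")
                lo, hi = int(a), (int(b) if b else int(a))
                i += 1
        else:
            i += 1                      # flags this checker does not model (-i, -y, ...)
    if chain is None or target is None:
        raise ValueError(f"cannot parse rule: {line!r}")
    return Rule(chain, proto, lo, hi, target, line)


def first_match(rules, proto, port):
    """First-match semantics: return the first rule that covers this flow, or None."""
    for r in rules:
        if r.proto not in ("all", proto):
            continue
        if r.lo is not None and (port is None or not r.lo <= port <= r.hi):
            continue
        return r
    return None


def check_vpn_flows(rule_lines, chain="input"):
    """Map each VPN flow to the target of the rule that decides it ('POLICY' if none matches)."""
    rules = [r for r in map(parse_rule, rule_lines) if r is not None and r.chain == chain]
    verdict = {}
    for proto, port in VPN_FLOWS:
        m = first_match(rules, proto, port)
        verdict[(proto, port)] = m.target if m else "POLICY"
    return verdict


def blocked_flows(rule_lines, chain="input"):
    """Flows that a REJECT/DENY/DROP rule catches before any ACCEPT (empty list = all good)."""
    return [flow for flow, target in check_vpn_flows(rule_lines, chain).items()
            if target in ("REJECT", "DENY", "DROP")]


# Constructed sample chains: the page's two REJECT lines with the three VPN ACCEPTs
# above them (correct) and below them (wrong: the udp 0:1023 REJECT fires first).
ACCEPTS = [
    "-A input -p udp -s 0/0 -d 0/0 500 -j ACCEPT",
    "-A input -p 50 -s 0/0 -d 0/0 -j ACCEPT",
    "-A input -p tcp -s 0/0 -d 0/0 443 -j ACCEPT",
]
REJECTS = [
    "-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT",
    "-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT",
]
GOOD_CHAIN = ACCEPTS + REJECTS
BAD_CHAIN = REJECTS + ACCEPTS

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(name, check_vpn_flows(chain), "blocked:", blocked_flows(chain))
```

Run it as-is to see the two verdicts, or feed it the `-A input ...` lines from your own /etc/sysconfig/ipchains. Only udp/500 is reported as blocked in the bad ordering: ESP and tcp/443 never match the udp REJECT lines, which is exactly why a chain can look "almost right" while IKE still fails.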
7.1 WHAT

This shell script will check to see if the vpnclient is already running. If so, it sends a disconnect request. If not, it sends a connect request and leaves the terminal window open so you can type in your credentials. So, the script can be used to toggle the tunnel on and off.

Once connected, the Cisco VPN client will leave its process in the foreground to allow for re-keying and notifications. I generally just minimize this window as a visual reminder that the tunnel is up (although you CAN close it if you like). Since I leave it minimized and visible in my tasklist on my GNOME panel, my script changes the window title to "VPN UP". This makes it easy to tell at a glance when I am connected to the VPN.

7.2 HOW

I created a file called go-vpnclient with the following contents. I placed it somewhere in my path and made it executable.

> chmod +x go-vpnclient

7.3 GNOME

I use Gnome as my window manager so I also tied a panel button to this script. If you do so, there is no need to tell the panel button to run this in a terminal window unless you need to debug it.

7.4 THE BITS

-----------
#! /bin/bash
# Toggle the Cisco VPN tunnel: disconnect if it is up, otherwise connect.
mypath="/home/kevin/.CiscoVPN"
vpnpath="/usr/local/bin"
vpnstart="$vpnpath/vpnclient connect cisco"
vpnstop="$vpnpath/vpnclient disconnect"
vpnstat="$mypath/stat.temp"

# The test below relies on 'vpnclient stat' printing a "Time connected: ..." line
# only while the tunnel is up; the second word of that line is "connected:".
$vpnpath/vpnclient stat | grep "Time connected" | awk '{print $2}' > "$vpnstat"

if [ "$(cat "$vpnstat")" == "connected:" ]; then
  $vpnstop &
  sleep 2
else
  # --command takes the whole command line as one argument, so keep it quoted
  /usr/bin/gnome-terminal --title "VPN UP" --command "$vpnstart" &
  # or swap the above line with this if you are not using X
  # $vpnstart &
  sleep 2
fi
-----------

7.5 NOTES

1. The silly sleep commands are required because the Cisco vpnclient needs to percolate a (friendly|annoying) message to the console before it actually connects or disconnects. If you don't allow that message time to surface, the client will halt. I don't have time to investigate.

2. If you are not using gnome, change the command 'gnome-terminal' to 'xterm' or your favorite terminal. Xterm can also set the window title with -T and launch a dedicated command with -e. See man xterm. Investigate your favorite terminal for similar functions. If you are not using X at all, just swap the lines under the else clause.

3. Of course, you might need to adjust the variables at the top to match your paths and your *.pcf file name (mine is cisco.pcf in the example). You can also specify $1 and pass the profile name to this script on the command line or within your panel button or desktop shortcut. Many ways to skin that cat.

4. Before launching the script the first time do:

> mkdir ~/.CiscoVPN ; touch ~/.CiscoVPN/stat.temp

5. Ugh. Many Linux distros have a "helpful" feature of setting the terminal window title to your current working directory. I prefer to specify what is in the terminal window title since I tend to have several of them in my tasklist. To make the --title trick work, I commented the following lines out of /etc/bashrc:

case $TERM in
xterm*)
    #if [ -e /etc/sysconfig/bash-prompt-xterm ]; then
    #    PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm
    #else
    #    PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/$HOME/~}\007"'
    #fi
    ;;

--------

8. USER EXPERIENCES

1. Copying the Windows .pcf file as is works, so one does not need to set the TcpTunnelingPort or change any values.

2. If you get the following error:

Initializing the VPN connection.
Secure VPN Connection terminated locally by the Client
Reason: The Connection Manager was unable to read the connection entry, or the connection entry has missing or incorrect information.
There are no new notification messages at this time.

Then you need to run the command 'chmod +r *.pcf' on your config file. Also note that I could only get it to work as 'root' with the latest version, which is dangerous. UPDATE: if you set the sticky bit on cvpnd (chmod +s cvpnd) you can do 'vpnclient connect cisco' as a non-privileged user.

3. If you get the following error:

privsep: unable to drop privileges: group set failed.
The application was unable to communicate with the VPN sub-system.

You should either set the sticky bit (chmod +s cvpnd) or run the command 'vpnclient connect cisco' as root.

4. FC5 issues:

Issue: insmod fails and the /var/log/messages file has the following error:

kernel: cisco_ipsec: disagrees about version of symbol struct_module

Solution: If this happens, run /sbin/depmod -e -v <kernel-version> and change your vpnclient_init file (/etc/init.d/vpnclient_init) to use the command /sbin/modprobe --force cisco_ipsec instead of insmod.

Issue: shared library loading error - vpnclient: error while loading shared libraries: /opt/cisco-vpnclient/lib/libvpnapi.so: cannot restore segment prot after reloc: Perm
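Several of the problems above (the "unable to read the connection entry" error in section 8, a profile missing one of the section 5 minimum attributes, a UDP profile that still carries TcpTunnelingPort) can be caught before ever running 'vpnclient connect'. The validator below is an added example written for this page, not Cisco's code or the guide author's. It treats a .pcf file as an INI file with a [main] section (an assumption, consistent with the samples on the page), checks the four required attributes and the TunnelingMode/TcpTunnelingPort pairing described in section 5, and, for a file on disk, checks the read permission the page's 'chmod +r' fix addresses and warns when the profile is world-readable or world-writable. The sample profiles are the page's own example and the skeleton from the notes at the top; the UDP variant is constructed.

```python
import configparser
import os
import stat

REQUIRED = ("Host", "AuthType", "GroupName", "Username")   # section 5 minimum


def parse_pcf(text):
    """Read .pcf text as an INI file; key names are matched case-insensitively."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def validate_pcf_text(text):
    """Return the list of problems in a profile's text (empty list means it looks usable)."""
    try:
        cp = parse_pcf(text)
    except configparser.Error as exc:
        return [f"not parseable as a .pcf file: {exc}"]
    if not cp.has_section("main"):
        return ["missing [main] section"]
    main = cp["main"]
    problems = []
    for key in REQUIRED:
        if not main.get(key, "").strip():
            problems.append(f"{key} is missing or empty")
    auth = main.get("AuthType", "").strip()
    if auth and not auth.isdigit():
        problems.append(f"AuthType {auth!r} is not numeric")
    # Section 5: TunnelingMode=1 needs TcpTunnelingPort; TunnelingMode=2 (UDP) drops it
    mode = main.get("TunnelingMode", "").strip()
    port = main.get("TcpTunnelingPort", "").strip()
    if mode == "1" and not port:
        problems.append("TunnelingMode=1 (IPSec over TCP) needs a TcpTunnelingPort")
    if mode == "2" and port:
        problems.append("TunnelingMode=2 (UDP): remove the TcpTunnelingPort attribute")
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        problems.append(f"TcpTunnelingPort {port!r} is not a valid TCP port")
    return problems


def validate_pcf_file(path):
    """Text checks plus the permission checks behind 'unable to read the connection entry'."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"cannot stat profile: {exc}"]
    problems = []
    readable = os.access(path, os.R_OK)
    if not readable:
        problems.append("profile is not readable by this user (the page's fix: chmod +r on the .pcf file)")
    if st.st_mode & stat.S_IWOTH:
        problems.append("profile is world-writable: any local user could change Host or GroupName")
    if st.st_mode & stat.S_IROTH:
        problems.append("warning: profile is world-readable and may carry the group password")
    if readable:
        with open(path, encoding="utf-8", errors="replace") as fh:
            problems.extend(validate_pcf_text(fh.read()))
    return problems


# The page's TCP-tunneling example profile (section 5), reproduced verbatim
PAGE_EXAMPLE = """[main]
Host=1.7.7.132
AuthType=1
GroupName=groupiegroup
Username=jetson_g
EnableNat=1
TunnelingMode=1
TcpTunnelingPort=443
"""

# The skeleton from the notes at the top of the page (values left empty) and a
# constructed UDP variant that forgot to drop TcpTunnelingPort
SKELETON = "[main]\nHost=\nAuthType=1\nGroupName=\nUsername=\n"
UDP_WITH_LEFTOVER_PORT = PAGE_EXAMPLE.replace("TunnelingMode=1", "TunnelingMode=2")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, validate_pcf_file(p) or "OK")
    else:
        for name, text in (("page example", PAGE_EXAMPLE), ("skeleton", SKELETON),
                           ("udp leftover", UDP_WITH_LEFTOVER_PORT)):
            print(name, validate_pcf_text(text) or "OK")
```

Usage: `python3 check_pcf.py /etc/CiscoSystemsVPNClient/Profiles/cisco.pcf` (or the /etc/opt/cisco-vpnclient/Profiles path used by the notes at the top). Without arguments it validates the three embedded samples. The world-readable check is only a warning because the page's own 'chmod +r' advice makes the file readable; it is there so you notice which users on a shared host can read the group password that the profile carries.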