
Re: vpnc or openvpn

by Robert G. Brown


On Mon, 10 Mar 2008, Nadeem Kolia wrote:

> I've (just) gotten both Cisco's vpnclient and vpnc to work on my laptop at
> home. I use Gentoo, but I know most others on this list don't, so I'll try to
> leave the Gentoo specific stuff out.
>
> ($ commands are run as root, # as user)
>
> VPNC
>
> 1) Kernel Configuration
>
> Make sure the kernel has Universal TUN/TAP device driver support built in or
> loaded as a module. You probably already have this, but just to make sure you
> can check if it's built in with:
> # dmesg | grep TUN
> tun: Universal TUN/TAP device driver, 1.6
>
> or as a module with:
> $ modprobe tun
> $ lsmod
> Module                  Size  Used by
> tun                     7296  0
>
> 2) Install VPNC
>
> VPNC must be installed with support for hybrid authentication (I believe
> vpnc-0.5.0+ have this option). Most distributions should install vpnc with
> this enabled.

Actually, fedora does not because (as noted on the vpnc primary site)
they are in yet another snit about whether openssl's license is GPL
compatible. So they won't/can't build openssl hybrid support into vpnc
and distribute it, probably more won't than can't.

SO, I went and got the 0.5.1 sources and built them with openssl
support, perfectly legal and all that.  I then precisely followed your
path below.

> 3) Generate a root certificate from OIT's rootcert:
> $ openssl x509 -in rootcert -inform der -out /etc/ssl/certs/duke.pem

This failed on the rootcert in the windows VPN zipfile, but succeeded on
the rootcert in my last functioning vpnclient download.  I had to create
the /etc/ssl/certs path.  The vpnc documentation says that Sean's method
should work as well.

> 4) Generate vpnc configuration file from OIT's profile:
> $ pcf2vpnc duke-broadband.pcf /etc/vpnc/default.conf

Already had done this.

> 5) Edit the configuration file so vpnc knows where to find the certificate
> you generated in step 3:
> $ echo "CA-File /etc/ssl/certs/duke.pem" >> /etc/vpnc/default.conf

Did this.

> 6) Start vpnc:
> $ vpnc

Sure, although I had to do it as root.  It refused to bind to the
network otherwise.  It then went off to duke-vpn-public.netcom.duke.edu,
gave me exactly the same prompts as before and failed, exactly as
before.  So now I've failed with two builds -- Sean's and my own, with
my own being the very latest.  Unfortunately, I get absolutely no
diagnostics beyond:

rgb@cain|B:1042#./vpnc --auth-mode hybrid
Enter username for duke-vpn-public.netcom.duke.edu: rgb
Enter password for rgb@...:
./vpnc: no response from target

(after what feels like a short timeout of 20 seconds or so).

Conclusion:  vpnc does not like me.  And yes, one more hour down the
drain.  The only thing I haven't tried is grabbing an even more recent
copy of a duke vpnclient to see if their rootcert has changed or the
like.

> Cisco's VPN Client
>
> 1) Compile/install vpnclient.
>
> As mentioned previously on the list, don't use OIT's version, rather get the
> latest version offered/supported by your distribution. I wasn't able to
> download the client directly from cisco's website, though I was under the
> impression that it was free, but was able to find the version portage
> (Gentoo's package manager) wanted with a quick google search.

It isn't free.  That's why you can't download it directly.

In fact, if one actually reads its license.txt (which is quite
humorous):

4.  You may not transfer the Software to any third party without the
express written permission of Cisco Systems.  For permitted transfers,
you may not export the Software to any country for which the United
States requires any export license or other governmental approval at the
time of export without first obtaining the requisite license and/or
approval.  Furthermore, you may not export the Software in violation of
any export control laws of the United States or any other country.

5.  You may not modify, translate, decompile, disassemble, use for any
competitive analysis, reverse engineer, distribute, or create derivative
works from, the Software or any accompanying documentation or any copy
thereof, in whole or in part.

SO, your source was violating the license provision 4 by redistributing
it, unless he or she had written permission which I doubt.  If it
actually worked, they were violating license provision 5.

That's the humorous part.  Read it like this:

4. You may not have this software.  Only we can distribute it, and we
won't.  Unless you make us, are willing to pay us on the side, have a
service contract with us, or something, we'd really rather you not.
Also, don't even THINK about carrying your laptop overseas once it is
installed.

5. If you ignore our advice in 4, and actually pester us to the point
where we give you a copy of our sources, which have to be built against
your kernel, well, it won't work.  We guarantee it, because we
outsourced the maintenance of the entire package to a bunch of
incompetent clowns -- we don't want OUR systems engineers to be saddled
with actually making sure our VPN will build against any particular
kernel in linux.  That's too much like work.  So when you are forced to
hack the sources to make it work, well, you've violated the software
license and have to give it back.  Especially if you are a systems
administrator capable of fixing the software who is building it to
redistribute it to all your users.  Did you get permission in writing?
I didn't think so.

Give it back, right now!  No vpn for you!

I mean, seriously -- the Cisco VPN isn't a product, it is a joke.  They
sell you the VPN, but then won't provide you with working software to
actually use it.  They won't make it work, but will prohibit you from
making it work.

This is the work of some demented systems engineer who used to work at
Cisco and got really pissed off.  He carefully crafted this some seven
or eight years ago after making several bets with friends about how long
it would take Cisco to notice.  Now he does standup comedy routines in
taverns in the southwest, working behind a cage so he doesn't get cut by
the glass from thrown bottles -- and considers himself more fortunate
than he was working at Cisco.  He's long since drunk all the proceeds
from his well-won wagers.

> 2) After installation, make sure the installed modules have been loaded.
>
> 3) Download OIT's vpnclient for Linux:
> http://www.oit.duke.edu/network/remote/vpn/linux.html
>
> 4) Import the root certificate:
> # /opt/cisco-vpnclient/bin/cisco_cert_mgr -R -op import
>
> 5) Copy the .pcf files to cisco vpnclient configuration directory:
> $ cp duke*.pcf /etc/opt/cisco-vpnclient/Profiles/
>
> 6) Run vpnclient
> # vpnclient connect duke-broadband

Yeah, yeah -- been there, done that, patching the vpnclient myself
(starting from a hard-won legally downloaded client that I got by
spending several hours working on the cisco site until I finally got it
to acknowledge that I might -- just might -- be entitled to download a
copy).

I'm done with it.  I might grab the current OIT package just to get the
rootcert to be absolutely certain that it is correct, since openssl
barfed on the windows package rootcert when I tried to use it to
generate the pem, but honestly I'm so sick of the whole thing I can't
see straight.  I want to just use openvpn from inside network manager.
Even vpnc alleges that one has to set up routing, nameservice, and so on
by hand even if you get it to work, although I have yet to get it to
work to the point where I can find out.  At least vpnclient managed all
of that for you, once you hacked it to where it would work.

I'm not interested.  I want to click a button in userspace, have my
authentication tokens retrieved automagically from my keyring, connect
to the vpn transparently with all routing etc. invisibly handled, and
exit back to my primary network just as gracefully.

Thanks, though -- I appreciate the response and help even though it
didn't work.

    rgb

>
> - Nadeem
>
> _______________________________________________
> Dulug mailing list
> Dulug@...
> https://lists.dulug.duke.edu/mailman/listinfo/dulug
>

--
Robert G. Brown                            Phone(cell): 1-919-280-8443
Duke University Physics Dept, Box 90305
Durham, N.C. 27708-0305
Web: http://www.phy.duke.edu/~rgb
Book of Lilith Website: http://www.phy.duke.edu/~rgb/Lilith/Lilith.php
Lulu Bookstore: http://stores.lulu.com/store.php?fAcctID=877977
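The following helper is an added example for steps 3 and 5 of Nadeem's vpnc recipe above; it is not from the thread, from vpnc, or from OIT. It goes a little beyond the quoted commands: it inspects the rootcert to decide whether it is DER or PEM before calling openssl (a mismatched -inform is the usual reason "openssl x509 -inform der" rejects a certificate file), prints the CA's SHA-256 fingerprint so it can be compared against a value obtained out of band rather than trusted blindly, and adds the CA-File line to the vpnc config exactly once while keeping the file root-only, since the output of pcf2vpnc carries the group secret. The script name, the /etc/vpnc/default.conf default, and the sample paths are assumptions.

```shell
#!/bin/sh
# vpnc_ca_setup.sh (hypothetical name, added example): prepare the vpnc CA file
# and config entry.  Usage: sh vpnc_ca_setup.sh rootcert /etc/ssl/certs/duke.pem [/etc/vpnc/default.conf]

# cert_format FILE -> prints "pem", "der" or "unknown", judged from the file itself.
# A DER-encoded X.509 certificate starts with an ASN.1 SEQUENCE tag (0x30);
# a PEM file starts with '-' (0x2d) and carries a BEGIN CERTIFICATE header.
cert_format() {
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    case "$first" in
        30) echo der ;;
        2d) if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo pem; else echo unknown; fi ;;
        *)  echo unknown ;;
    esac
}

# to_pem SRC DEST: write SRC as PEM to DEST, choosing -inform from the detected format
# instead of assuming DER as the quoted step 3 does.
to_pem() {
    case "$(cert_format "$1")" in
        der) openssl x509 -in "$1" -inform der -out "$2" ;;
        pem) openssl x509 -in "$1" -inform pem -out "$2" ;;
        *)   echo "$1: not a DER or PEM X.509 certificate" >&2; return 1 ;;
    esac
}

# ca_fingerprint PEM: SHA-256 fingerprint of the CA, to check against a value
# obtained through a channel other than the download itself.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# set_ca_file CONF PEM: make CONF contain exactly one "CA-File PEM" line
# (the quoted step 5 appends unconditionally, so running it twice leaves two).
set_ca_file() {
    conf=$1; pem=$2
    if grep -q '^CA-File ' "$conf" 2>/dev/null; then
        tmp=$(mktemp) || return 1
        sed "s|^CA-File .*|CA-File $pem|" "$conf" > "$tmp" && cat "$tmp" > "$conf"
        rm -f "$tmp"
    else
        printf 'CA-File %s\n' "$pem" >> "$conf"
    fi
    # the config holds the IPSec group secret from the .pcf; keep it root-only
    chmod 600 "$conf"
}

main() {
    src=$1; pem=$2; conf=${3:-/etc/vpnc/default.conf}
    mkdir -p "$(dirname "$pem")"
    to_pem "$src" "$pem" || exit 1
    echo "CA SHA-256 fingerprint: $(ca_fingerprint "$pem")"
    set_ca_file "$conf" "$pem"
}

# Only act when given arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

cert_format and set_ca_file need only od, grep and sed; to_pem and ca_fingerprint need openssl on the path. Compare the printed fingerprint with one obtained from OIT by another route before pointing vpnc at the file: a CA-File line makes vpnc trust whatever certificate is in that file.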
