VPN Tunnel Between an Ubuntu Linux Machine and a Cisco ASA Firewall

Cloned from: https://www.tunnelsup.com/vpn-tunnel-between-an-ubuntu-linux-machine-and-a-cisco-asa-firewall/

Config on the Cisco ASA (running 8.4) side

This config is identical to a normal remote access VPN:

! Create the general crypto statements
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac 
crypto dynamic-map MAP-DYNAMIC 200 set ikev1 transform-set ESP-AES128-SHA
crypto map MAP-VPN 300 ipsec-isakmp dynamic MAP-DYNAMIC
crypto map MAP-VPN interface OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! Define where the remote user can get to.
access-list ACL-RA-SPLIT standard permit host 

! Create the group policy
group-policy GRP-MYVPN internal
group-policy GRP-MYVPN attributes
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-RA-SPLIT

! Create the tunnel group
tunnel-group TG-MYVPN type remote-access
tunnel-group TG-MYVPN general-attributes
 address-pool POOL-RA-SPLIT
 default-group-policy GRP-MYVPN
tunnel-group TG-MYVPN ipsec-attributes
 ikev1 pre-shared-key suPerSeKret

! Create a username
username myUser password passw0rd privilege 1

Config setup on the Ubuntu Linux side:

Install the vpnc client (a third-party client for Cisco IPsec VPNs):
sudo apt-get install vpnc

Configure the VPN settings (the IPSec ID is the ASA tunnel-group name and the IPSec secret is that group's pre-shared key):
sudo vi /etc/vpnc/my-vpn.conf

IPSec gateway
IPSec ID TG-MYVPN
IPSec secret suPerSeKret
Xauth username myUser
Xauth password passw0rd

Starting the VPN:
sudo vpnc-connect my-vpn

Stopping the VPN:
sudo vpnc-disconnect

This VPN connection will time out every now and then and won’t come back up until you run the start command again. To make it an always-on VPN, use a cron job. This example checks every 10 minutes whether tun0 exists and, if not, starts the connection (note the single-bracket test: cron runs jobs with /bin/sh, where the bash-only [[ ]] syntax fails):

sudo crontab -e
*/10 * * * * [ -d /sys/devices/virtual/net/tun0 ] || /usr/sbin/vpnc /etc/vpnc/my-vpn.conf

Cloned from: http://www.linuxplanet.com/linuxplanet/tutorials/6773/1

Linux VPN Client for Cisco VPNs: vpnc

The Cisco-compatible VPN client vpnc enables your Linux workstation to connect to a Cisco 3000 series VPN concentrator or PIX firewall. Until vpnc existed, corporate employees were often relegated to connecting to their company’s network via a Windows machine or with Cisco’s problematic VPN client for Linux. Thankfully, those days are over, but not without a little configuration effort. In this article we show you how to get it up and running.

Before you can connect, you will likely need to know the following information. If you do not have it, now is a good time to gather it:

  • IPSEC gateway: the hostname or IP of the VPN server
  • IPSEC ID: the groupname
  • IPSEC secret: the shared password for the group
  • your username
  • your password

The group name and shared password are the most common way of connecting to a Cisco IPSEC VPN. In lieu of certificates, this pre-shared key allows the IPSEC tunnel to be formed on the basis of the shared secret.

Install Options

Depending on your Linux distribution, you will need to install the vpnc program before you begin. Fedora, by default, now installs vpnc, so Fedora users can skip to the next section. Ubuntu users can run apt-get install vpnc as root.

You will likely want to use NetworkManager to enable quick VPN connections with a mouse-click in GNOME. Fedora’s NetworkManager is already prepared, but in Ubuntu you will need to install the network-manager-vpnc package.

Configuring vpnc Manually

If you are short on time, or the “just make it work” type, this section is optional, so feel free to skip ahead to the NetworkManager section below.

Now that vpnc is installed, you will notice an /etc/vpnc/ directory. This is where we will be working for a bit. Creating a configuration file is optional, but without it, you will enter all the necessary information manually every time you wish to connect to the VPN. If you wish to test your IP, group information, and user credentials, go ahead and manually run ‘vpnc’ as root.

The configuration file for vpnc is quite simple. Create a file named after the network you wish to connect to, for example: /etc/vpnc/enp.conf

Inside, enter the information we talked about at the beginning of this article, one setting per line (keyword, a space, then the value, with no colons). Replace the example values with your own:

IPSec gateway vpn17.example.com
IPSec ID groupa
IPSec secret groupapassword
Xauth username charlie
Xauth password passw0rd

One catch: if the group password you were given is the obfuscated string from a Cisco .pcf profile (the enc_GroupPwd field), it must be decoded before handing it to vpnc. This is the major pain point for most users; vpnc should do it automatically, but it does not. Paste the obfuscated value into this Web page and use the result as your group password: http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode (the cisco-decrypt tool shipped with the vpnc package does the same thing offline, which avoids sending the secret to a third-party site).

If you enter your username and password into the configuration file, ensure the permissions do not allow world-read access, especially if other user accounts exist on your workstation or laptop. In fact, you should think twice about storing this password at all, just in case your machine is ever compromised. If your password is not stored in the configuration file, you will be prompted for it when connecting.

Now that the configuration file exists, you can simply run sudo vpnc enp.conf (or leave off the .conf) and you will be connected to the VPN. If everything worked, you will notice a new ‘tun’ interface in the ‘ifconfig’ output.

To disconnect from the VPN, simply run sudo vpnc-disconnect

Do note that the default route gets replaced with the VPN router (so all traffic goes through the VPN) when you are connected. See the vpnc man page for help changing this behavior, or simply remember to disconnect from the VPN when you are done.

Pro Tip: if you have established SSH connections, they will drop when you connect to the VPN. To avoid this, do not let vpnc change your default route. Configure vpnc to add just the routes to the networks you wish to access via the VPN, ensuring you specify tun0 as the interface. All your normal traffic will survive VPN connects and disconnects, including your existing SSH sessions (assuming they are not to IPs within the range of the VPN network).
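One way to do what the tip describes, as an added example that is not from the article or the vpnc project: a wrapper script that hands the stock vpnc-script a split-tunnel list, so it adds per-network routes through the tunnel device instead of replacing the default route. The script path /etc/vpnc/split-only-script, the networks in SPLIT_NETS and the stock script location are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): wrapper around the stock vpnc-script that leaves
# the default route alone and routes only the listed networks over the tunnel.
# Install as /etc/vpnc/split-only-script (assumed path), chmod 755, and point the vpnc
# config at it with the line:   Script /etc/vpnc/split-only-script
# Networks to reach via the VPN (constructed sample values; edit to taste).
SPLIT_NETS="10.1.0.0/16 192.168.50.0/24"
# Location of the stock script shipped with vpnc (assumed).
STOCK_SCRIPT=/etc/vpnc/vpnc-script

prefix_to_mask() {
    # Convert a prefix length (0-32) into a dotted-quad netmask with POSIX sh arithmetic.
    len=$1
    mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    echo "$(( (mask >> 24) & 255 )).$(( (mask >> 16) & 255 )).$(( (mask >> 8) & 255 )).$(( mask & 255 ))"
}

split_env_for() {
    # Print the CISCO_SPLIT_INC* exports that vpnc-script expects for the given CIDRs.
    # These are the variables a gateway-supplied split-tunnel list would populate, so the
    # stock script adds one route per network via $TUNDEV and never touches the default route.
    i=0
    for cidr in "$@"; do
        addr=${cidr%/*}
        len=${cidr#*/}
        echo "export CISCO_SPLIT_INC_${i}_ADDR=$addr"
        echo "export CISCO_SPLIT_INC_${i}_MASK=$(prefix_to_mask "$len")"
        echo "export CISCO_SPLIT_INC_${i}_MASKLEN=$len"
        i=$((i + 1))
    done
    echo "export CISCO_SPLIT_INC=$i"
}

# vpnc always sets $reason (pre-init, connect, disconnect, ...) when it calls the script.
# If the gateway sent no split list on connect, inject ours; then hand off to the stock
# script. Nothing below runs when this file is merely sourced (reason is unset).
if [ -n "${reason:-}" ]; then
    if [ "$reason" = connect ] && [ -z "${CISCO_SPLIT_INC:-}" ]; then
        eval "$(split_env_for $SPLIT_NETS)"
    fi
    exec "$STOCK_SCRIPT"
fi
```

If the ASA already pushes a split-tunnel list (as the tunnelspecified policy above does), the wrapper leaves it untouched and only fills in the list when the gateway sent none.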

Using NetworkManager

To create a new VPN connection using GNOME’s NetworkManager, click the network icon in the upper-right hand corner of the screen, then select VPN Connections -> Configure VPN. Click “Add” to create a new VPN connection.

If the NetworkManager vpnc plug-in is installed, you will be able to select the Cisco VPN option. The next screen will require that you enter the above mentioned information for the VPN connection. The GUI also presents you with the option to save your password.

After you click Apply, you’re done. To connect to the VPN, simply select the VPN name you entered via the NetworkManager Gnome applet under VPN Connections, and it will connect automatically.
