Config on the Cisco ASA (running 8.4) side
This config is identical to a normal remote access VPN:
! Create the general crypto statements crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac crypto dynamic-map MAP-DYNAMIC 200 set ikev1 transform-set ESP-AES128-SHA crypto map MAP-VPN 300 ipsec-isakmp dynamic MAP-DYNAMIC crypto map MAP-VPN interface OUTSIDE crypto ikev1 enable OUTSIDE crypto ikev1 policy 5 authentication pre-share encryption aes hash sha group 2 lifetime 86400 ! Define where the remote user can get to. access-list ACL-RA-SPLIT standard permit host 172.16.200.200 ! Create the group policy group-policy GRP-MYVPN internal group-policy GRP-MYVPN attributes vpn-tunnel-protocol ikev1 split-tunnel-policy tunnelspecified split-tunnel-network-list value ACL-RA-SPLIT ! Create the tunnel group tunnel-group TG-MYVPN type remote-access tunnel-group TG-MYVPN general-attributes address-pool POOL-RA-SPLIT default-group-policy GRP-MYVPN tunnel-group TG-KRONOLOGY ipsec-attributes ikev1 pre-shared-key suPerSeKret ! Create a username username myUser password passw0rd privilege 1
Config setup on the Ubuntu Linux side:
Download the Cisco VPN client
sudo apt-get install vpnc
Configure the VPN settings
sudo vi /etc/vpnc/my-vpn.conf
IPSec gateway 184.108.40.206 IPSec ID TG-MYVPN IPSec secret suPerSeKret Xauth username myUser Xauth password passw0rd
sudo vpnc-connect my-vpn
This VPN configuration will time out every now and then and won’t kick on again until you issue the above command to start it up again. In order to make this an always on VPN use a cron job. This example will check every 10 mins to see if tun0 exists if not, start connection):
sudo contab -e */10 * * * * [[ -d /sys/devices/virtual/net/tun0 ]] || /usr/sbin/vpnc /etc/vpnc/my-vpn.conf
Linux VPN Client for Cisco VPNs: vpnc
The Cisco VPN client, vpnc, enables your Linux workstation to connect to a Cisco 3000 series VPN concentrator PIX firewall. Until vpnc existed, corporate employees were often relegated to connecting to their company’s network via a Windows machine or with Cisco’s problematic VPN client for Linux. Thankfully, those days are over, but not without slight configuration effort. In this article we show you how to get it up and running.
Before you can connect, you will likely need to know the following information. If you do not have it, now is a good time to gather:
- IPSEC gateway: the hostname or IP of the VPN server
- IPSEC ID: the groupname
- IPSEC secret: the shared password for the group
- your username
- your password
The group name and shared password is the most often used method for connecting to the Cisco IPSEC VPN. In lieu of certificates, this pre-shared key enables the forming of an IPSEC tunnel based on the shared secret.
Depending on your Linux distribution, you will need to install the vpnc program before we can begin. Fedora, by default, now installs vpnc, so Fedora users can skip to the next section. Ubuntu users can run
apt-get install vpnc as root.
You will likely want to use NetworkManager to enable quick VPN connections with a mouse-click in GNOME. Fedora’s NetworkManager is already prepared, but in Ubuntu you will need to install the network-manager-vpnc package.
Configuring vpnc Manually
If you are short on time, or the “just make it work” type, this section is optional, so feel free to skip ahead to the NetworkManager section below.
Now that vpnc is installed, you will notice an
/etc/vpnc/ directory. This is where we will be working for a bit. Creating a configuration file is optional, but without it, you will enter all the necessary information manually every time you wish to connect to the VPN. If you wish to test your IP, group information, and user credentials, go ahead and manually run ‘vpnc’ as root.
The configuration file for vpnc is quite simple. Create a file named after the network you wish to connect to, for example:
Inside, you need to enter the information we talked about in the beginning of this article. Replace the example values with your information:
- IPSec gateway: vpn17.example.com
- IPSec ID: groupa
- IPSec secret: groupapassword
- Xauth username: charlie
- Xauth password: passw0rd
Except, the group password needs to be decoded before handing it to vpnc. This is the major pain point for most users, and vpnc should automatically do this, but it does not. Enter the group password you were given by the VPN administrator into this Web page, and use the result as your group password: http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode
If you enter your username and password into the configuration file, ensure the permissions do not allow world-read access, especially if other user accounts exist on your workstation or laptop. In fact, you should think twice about storing this password at all, just in case your machine is ever compromised. If your password is not stored in the configuration file, you will be prompted for it when connecting.
Now that the configuration file exists, you can simply run
sudo vpnc enp.conf (or leave off the .conf). You will now be connected to the VPN. If everything worked, and you will notice a new ‘tun’ interface in the ‘ifconfig’ output.
To disconnect from the VPN, simply run
Do note that the default route gets replaced with the VPN router (so all traffic goes through the VPN) when you are connected. See the vpnc man page for help changing this behavior, or simply remember to disconnect from the VPN when you are done.
Pro Tip: if you have established SSH connections, they will drop when you connect to the VPN. To avoid this, do not let vpnc change your default route. Configure vpnc to add just the routes to the networks you wish to access via the VPN, ensuring you specify tun0 as the interface. All your normal traffic will survive VPN connects and disconnects, including your existing SSH sessions (assuming they are not to IPs within the range of the VPN network).
To create a new VPN connection using GNOME’s NetworkManager, click the network icon in the upper-right hand corner of the screen, then select VPN Connections -> Configure VPN. Click “Add” to create a new VPN connection.
If the NetworkManager vpnc plug-in is installed, you will be able to select the Cisco VPN option. The next screen will require that you enter the above mentioned information for the VPN connection. The GUI also presents you with the option to save your password.
After you click Apply, you’re done. To connect to the VPN, simply select the VPN name you entered via the NetworkManager Gnome applet under VPN Connections, and it will connect automatically.