Setting up a Linux Cisco VPN client

A Virtual Private Network (vpn) is a means of securely connecting networks over the Internet.

Installation of the Cisco vpn client is simple: unpack the software and, as root, run

vpn_install

N.B. At the time of writing, the official release was 4.0.3.B-k9, which did not work with 2.6 kernels. However, a patched version exists which does. Download this patched version, or the official release supporting 2.6 kernels when available.

As of May 2004 the vpnclient software (vpnclient-linux-4.0.4.A-k9 onwards) supports 2.6.6 kernels and later.

This does all that is required: building and installing the cisco_ipsec kernel module, installing the executables and installing the rc scripts.

To check that everything is correctly installed, it is only necessary to use the rc script: -

/etc/init.d/vpnclient_init start

to install the kernel modules and

/etc/init.d/vpnclient_init status

to determine the status. If both the cisco_ipsec module and the interface device are listed, the installation is correct. Configure the routing table to route your client's IP addresses through the interface providing your Internet connection. This is automatic if you have only one interface, as the default route will already be that interface.
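The status check above can be scripted so that a post-install test, or a cron job, reports a missing module, a missing interface or a missing default route instead of a human reading the output. The script below is an added example and is not part of the original page or of the Cisco client. It assumes the module is named cisco_ipsec (as the page states), that the client's interface device is called cipsec0 (an assumption; the page does not name it) and that the live inputs come from `lsmod`, `ip -o link` and `ip route`. The sample outputs embedded here are constructed so the functions can be exercised offline.

```shell
#!/bin/sh
# Constructed sample of `lsmod` output on a host where the module built and loaded.
SAMPLE_LSMOD='Module                  Size  Used by
cisco_ipsec           286720  0
e1000                 102400  0'

# Constructed sample of `ip -o link` output (one interface per line).
SAMPLE_IFACES='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: cipsec0: <BROADCAST,MULTICAST> mtu 1356 qdisc noop state DOWN'

# Constructed sample of `ip route` output; 192.0.2.1 is a documentation address.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0 proto static
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10'

# module_loaded LSMOD_TEXT NAME -> exit 0 when NAME appears as a loaded module
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit (found ? 0 : 1) }'
}

# iface_present IPLINK_TEXT NAME -> exit 0 when an interface called NAME is listed
iface_present() {
    printf '%s\n' "$1" | awk -v i="$2" '
        { n = $2; sub(/:$/, "", n); if (n == i) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# default_route_dev ROUTE_TEXT -> prints the device carrying the default route (nothing if none)
default_route_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# check_vpn_install LSMOD_TEXT IPLINK_TEXT ROUTE_TEXT
# -> exit 0 only when the module is loaded, the cipsec0 device exists and a default route
#    (the path the encrypted packets will take to the Internet) is present.
check_vpn_install() {
    module_loaded "$1" cisco_ipsec || { echo "cisco_ipsec module not loaded"; return 1; }
    iface_present "$2" cipsec0   || { echo "cipsec0 interface missing (assumed device name)"; return 1; }
    dev=$(default_route_dev "$3")
    [ -n "$dev" ] || { echo "no default route: vpn traffic has no path to the Internet"; return 1; }
    echo "ok: cisco_ipsec loaded, cipsec0 present, default route via $dev"
    return 0
}
```

On a real host, run it as `check_vpn_install "$(lsmod)" "$(ip -o link)" "$(ip route)"` after `/etc/init.d/vpnclient_init start`; the exit status is 0 only when all three conditions hold, so it can gate the rest of an automated setup.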

Configuration of a suitable profile is up to the user and highly specific to each location. You will need full details of the server setup for your account/client. The sample profile is: -

[main]
Description=sample user profile
Host=10.212.20.52
AuthType=1
GroupName=monkeys
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=chimchim
SaveUserPassword=0
EnableBackup=0
BackupServer=
EnableNat=1
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
DHGroup=2
ForceKeepAlives=0

Obviously the details will vary according to requirements. For modem connections, i.e. a direct connection to the ISP, use: -

EnableNat=0
EnableLocalLAN=0

Whereas for a LAN-based connection to your ISP use: -

EnableNat=1
EnableLocalLAN=1

My set-up also uses one-time passwords provided by an RSA SecurID card. Setting up this vpn required the card to be synchronised with the SecurID server before vpn connections would work. This synchronisation was simply achieved by a second attempted connection. After that, vpn connections work first time and are initialised by: -

vpnclient connect client_profile

Then connect to a client's host using telnet, ftp, ssh or whatever. N.B. packets passed over the Internet using the vpn are encrypted, and so are safe from snooping while in transit. However, before they enter the vpn tunnel and once they arrive at the client's network they are unencrypted, so ssh or another secure protocol should still be used to prevent snooping of passwords or sensitive information while the packets are within the client's (and your own) network. Finally, to close the vpn connection: -

vpnclient disconnect

Dean Darlison
Last modified: Mon Jul 5 17:27:43 BST 2004