Wednesday 29 October 2008

VPNC with certificates on asus eee 900 @ UCL

This is an exercise in frustration

Well it was for me, hopefully this will help it not be so for you.

Thanks - this is the accumulation of much distilled knowledge. These are the forums/blogs that have helped me, and I have to pass on my thanks to them. They know a lot more than me about this, so if you have any problems you can comment here and I'll see if I can help, but these are worth a look for more information (that being said, you probably found them before this):

http://linos.wordpress.com/2007/11/23/vpnc-instead-of-ciscos-vpnclient-authtype5/


http://ubuntuforums.org/showthread.php?p=5957882

http://www.spiration.co.uk/post/1335/vpnc:%20no%20response%20from%20target%20-%20ubuntu%20linux%20VPN

Note 1: First, this is what I have 'solved':
Installing and running vpnc on an asus eee 900 running Ubuntu Intrepid Ibex (with a madwifi wireless wrapper). With vpnc the final hurdle was getting it to access the UCL roamNet.

Note 2: The Ibex network manager does come with VPN compatibility installed, but this doesn't work if your VPN needs certificate files. The pcf file given to you by your uni/work etc. will have the following lines in it if some form of cert is used:
AuthType=5
CertStore=1


Note 3: As yet I haven't got the network-manager-vpnc client to work with this (will give it another go soon and post a how-to if I succeed).

So, to work:

1. Download the vpnc source files by typing in a terminal:
sudo apt-get source vpnc
This will download and unpack the vpnc source files in your current directory - I recommend you use your home dir.

2. Install openssl and openssl-dev. At the moment these are available from the synaptic package manager (or similar): search for them and they should be available (certainly in Ubuntu). Install them and then open up a terminal.

3. Get all the other dependencies needed by vpnc, type:
sudo apt-get build-dep vpnc
in the folder that step 1 created (called something like vpnc-0.5xxxxx)

4. Stop synaptic and update manager from overwriting your custom version of vpnc:
cd vpnc-05xxxx/debian
sudo vim control

Use whichever text editor you want, but you need to change the version number - I recommend just putting a '-1' after the last digit.

5. Edit Makefile to allow use of ssl
cd ../
sudo vim Makefile

you need to uncomment the two lines that read
OPENSSL_GPL_VIOLATION = -DOPENSSL_GPL_VIOLATION
OPENSSLLIBS = -lcrypto

You do this by removing the leading '#' characters. These two lines are the key to using certificates - due to licensing issues they can't package binaries of vpnc with openssl support, but you can build them with it yourself.

6. Build: still in the vpnc-05xxxx folder, type the following:
sudo dpkg-buildpackage
This will create several more files and hopefully not display any errors. Once it's built you may want to hide this folder and the 4 files that will now be cluttering up your home dir - you can do this by putting a '.' at the start of their file names. These are the files:
- The folder vpnc-0.5xxxxxx
- vpnc_0.5xxxxx.tar.gz -This is the original source package
- vpnc_0.5xxxxx.diff.gz -this is the latest patch
- vpnc_0.5xxxxx.deb - the debian package
- vpnc_0.5xxxx.changes - I think this is the update as to what you've done

7. Install your custom package. Still in the vpnc folder, type:
sudo dpkg -i ../vpnc_0.5xxxxx.deb
This step actually installs the package (the .deb was written to the parent directory, next to the source folder). If you now go to synaptic package manager and search for vpnc you should see that it's checked with a little star in the box and the version number is the one you set it to.

That's the installation over - now the configuration (deep joy).

This part is relatively painless...

8. Download this very helpful script to the same folder as the .pcf that you will have been given by your uni or work (right click, select 'save link as' and call it pcf2vpnc.pl):
http://svn.unix-ag.uni-kl.de/vpnc/trunk/pcf2vpnc

9. now make it executable
chmod u+x pcf2vpnc.pl

10. Now execute it thus (still in the folder containing it and your .pcf):
./pcf2vpnc.pl <the pcf> <the name you want to output>
The profile name should be something simple and easy to remember, as you'll have to type it in every time you use the VPN - if you want, use default as the output name and it will load whenever you run vpnc without a profile name.

The odds are that this stage will complain about not being able to encrypt/decrypt some passwords - don't worry.

11. now move your config file to the vpnc folder
sudo mv default /etc/vpnc/default.conf
This should move it to where vpnc can access it.

12. to run vpnc just type
sudo vpnc
If you do that at this stage most likely you'll get an error message, so read on to check you've got a properly configured file.

You should now have a default.conf file that looks something like this:

IPSec ID <foo>
IPSec obfuscated secret <234feab34b45b3446.........................>
IPSec gateway <1.2.3.4>
Xauth username <username>
Xauth password <password>
IKE Authmode hybrid
CA-File </etc/vpnc/rootcert.pem>
<NAT Traversal Mode cisco-udp>

If not, then some things need to be changed (the bits in <> are custom to you).

First, the ID should be whatever is next to 'group name' in the pcf file that you were given.

The obfuscated secret may just be called 'secret' - in which case go here http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode?enc=&.submit=decode! and copy the secret into the box; you should get a long string of hexadecimal code (numbers and the letters a-f). This can be put back into your conf file with 'secret' changed to 'obfuscated secret'. Bear in mind that this sends your group secret to a third-party website; the vpnc source tree you built also contains a cisco-decrypt program that does the same job locally.

The gateway can be found next to 'host' in the pcf - this is the IP to connect via.

The username/password bit is optional - if you want, get rid of them and you will be asked to supply them every time you run vpnc. I keep just the username, as unencrypted passwords in a config file aren't a good idea.

The 'ca-file' is the location of the certificate that you were given - this is best put in /etc/vpnc along with the conf file for ease of location and change.

The NAT traversal bit is for if you see the error 'vpnc: no response from target' - I can't guarantee it will work, but it did for me.

****There may be other things that are included depending on your pcf file****
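As an added example (not the page's own code, and not vpnc's pcf2vpnc script), here is a small Python converter that applies the .pcf to default.conf mapping described above, followed by a check that the resulting file has the lines hybrid mode needs and does not carry a plaintext Xauth password. The sample profile is constructed, the CA path /etc/vpnc/rootcert.pem is the one used above, and the AuthType=5 to 'IKE Authmode hybrid' mapping is the one this page implies.

```python
import re

# Constructed sample .pcf, shaped like the profile a uni or employer hands out.
SAMPLE_PCF = """[main]
Host=1.2.3.4
AuthType=5
GroupName=foo
enc_GroupPwd=234feab34b45b3446
Username=username
UserPassword=hunter2
"""

def parse_pcf(text):  # key/value pairs of the .pcf, keys lower-cased (profiles vary in case)
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "[;#":      # skip section headers and comments
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields

def pcf_to_vpnc(text, keep_password=False, ca_file="/etc/vpnc/rootcert.pem"):
    """Emit default.conf lines using the field mapping described in the post."""
    f = parse_pcf(text)
    out = ["IPSec ID %s" % f["groupname"], "IPSec gateway %s" % f["host"]]
    if f.get("enc_grouppwd"):                 # already-obfuscated group password
        out.append("IPSec obfuscated secret %s" % f["enc_grouppwd"])
    elif f.get("grouppwd"):                   # plain group password
        out.append("IPSec secret %s" % f["grouppwd"])
    if f.get("username"):
        out.append("Xauth username %s" % f["username"])
    if keep_password and f.get("userpassword"):   # off by default: plaintext in /etc/vpnc
        out.append("Xauth password %s" % f["userpassword"])
    if f.get("authtype") == "5":              # AuthType=5: certificate-backed hybrid mode
        out.append("IKE Authmode hybrid")
        out.append("CA-File %s" % ca_file)    # assumed location of the CA cert you were given
    return "\n".join(out) + "\n"

REQUIRED = ("IPSec ID ", "IPSec gateway ", "IKE Authmode hybrid", "CA-File ")

def check_conf(conf):  # problems vpnc would trip over in a hybrid-mode conf; [] when fine
    problems = [r.strip() + " missing" for r in REQUIRED
                if not re.search("^" + re.escape(r), conf, re.M)]
    if not re.search(r"^IPSec (obfuscated )?secret ", conf, re.M):
        problems.append("IPSec secret / obfuscated secret missing")
    if re.search(r"^Xauth password ", conf, re.M):
        problems.append("Xauth password stored in plaintext")
    return problems
```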

6 comments:

  1. Thanks for this. It helped me get up and running.

    Small point...step #3 code should read:

    sudo apt-get build-dep vpnc

  2. Thanks for the typo checking.

    Glad I could help.

  3. Thanks for your help... I think I am almost there.
    I got to step 7, but on step 7 I get:


    user@seacaptin:~/vpnc-0.5.1r275$ sudo dpkg -i vpnc
    dpkg-deb: `vpnc' is not a debian format archive
    dpkg: error processing vpnc (--install):
    subprocess dpkg-deb --control returned error exit status 2
    Errors were encountered while processing:
    vpnc
    user@seacaptin:~/vpnc-0.5.1r275$


    I am sure this means I screwed something up earlier in the process, but I don't really know my way around dpkg very well... Any chance you could help?

  4. @ John

    In all honesty I'm not sure what to do about that other than check for typos in names etc.

    It may be Google reveals something (if you find a cure, please post here in case someone else has the same problem).

    I'm not very good with dpkg myself; this guide was the sum of knowledge I got from trawling Google for a while.

    Sorry

  5. I just happened to figure it out... there was another file in the parent directory that was named vpnc_[version]_ubuntu1_i386.deb that one I could install...

    now I just need to figure out how to get my certificate chain in order...

  6. Glad you sorted it out!

    Hope the certificate goes well, good luck!