Installing the Cisco VPN client for Fedora Linux 3.0

Updated 3-February-2005

Acquiring the client software

Because the Cisco VPN software is under export control, it must be requested by the end-user from Greg Woods (woods@ucar.edu). Simply send an email to Greg, and he will open up a time-limited ftp connection during which you can download the client software. You must be a UCAR employee, visitor, or collaborator to acquire the software. You must also not be a citizen of an export restricted country and may not take the software into an export restricted country. You'll be able to read the full legal agreement when you go to download the software.

If you use Fedora Core Linux, I am recommending that you acquire version 4.6-6 or greater of the Cisco VPN software for 2.6 kernels.

Problem: client software fails to compile

This was brought up at the 2/2/05 CSAC meeting. The current client (as of 2/2) fails to compile under the most recent Fedora Core kernels (and various other distributions which use 2.6 kernels). The bug has been documented internally by Cisco and involves compiler errors in the interceptor.c source file.

Workaround: The workaround is to remove all occurrences of the word "inline" from the interceptor.c file. There are only 2 occurrences in this file.

Another workaround is to upgrade or change the version of gcc that is installed on your Linux installation.

Keep in mind that your system may already support the Cisco client by the time you read this (either due to the compiler version or an updated/patched release of the Cisco VPN client software). So try a standard compile first.
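Added example (not Cisco's code and not from the original page): a small shell helper that applies the workaround above, stripping the word "inline" from interceptor.c while keeping a backup and reporting the occurrence count before and after. It matches whole words only, so an identifier that merely contains "inline" survives; the sample file it writes is a constructed stand-in, not the real interceptor.c.

```shell
#!/bin/sh
# Strip the word "inline" from a source file as the workaround describes,
# keeping a .orig backup and reporting how many occurrences were found.
# grep -w and sed \b match whole words only, so identifiers that merely
# contain "inline" are left alone. Added example, not Cisco's code.

# Count whole-word occurrences of "inline" in the file given as $1.
count_inline() {
    grep -ow 'inline' "$1" | wc -l | tr -d ' '
}

# Remove every whole-word "inline" from $1, keeping a copy as $1.orig.
# Prints the number of occurrences left afterwards (expected: 0).
strip_inline() {
    file="$1"
    before=$(count_inline "$file")
    if [ "$before" -eq 0 ]; then
        echo "no 'inline' found in $file, nothing to do" >&2
        echo 0
        return 0
    fi
    # The page documents exactly 2 occurrences in the 4.6 client; a
    # different count usually means a different release of the file.
    [ "$before" -eq 2 ] || \
        echo "warning: $before occurrences found, expected 2" >&2
    cp -p "$file" "$file.orig" || return 1
    sed 's/\binline\b//g' "$file" > "$file.tmp" && mv "$file.tmp" "$file" || return 1
    count_inline "$file"
}

# Constructed stand-in for interceptor.c (NOT the real Cisco source), used
# only to exercise the functions above: two inline keywords plus an
# identifier that contains "inline" and must survive the edit.
write_sample() {
    cat > "$1" <<'EOF'
int cisco_inline_flag = 1;
static inline int intercept_rx(void) { return 0; }
static inline int intercept_tx(void) { return 0; }
EOF
}
```

Run `strip_inline interceptor.c` from the untarred client directory before step 3 of the installation; the untouched original stays next to it as interceptor.c.orig.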

Installation

The following should be done as root or with commands prefixed by sudo...
  1. Untar the client software
    [Screen Shot]
  2. Fix the interceptor.c file, editing it to remove occurrences of "inline".
    [Screen Shot (before)]  [Screen Shot (after)]
    Note: This step may not be necessary if a newer version of the VPN software exists, you have a patched version, or you are using a newer version of GCC. See the note on the compilation problem above.
  3. Run "./vpn_install"
    [Screen Shot]
  4. Choose the defaults for these questions:
  5. Let the compilation proceed
    [Screen Shot]
  6. Run "service vpnclient_init start" (starting up /etc/init.d/vpnclient_init) and "chkconfig --level 345 vpnclient_init on" to make sure the service starts with each reboot. Note that starting the service doesn't make a VPN connection. That's done with the "vpnclient connect" command (see below).

Creating a client pcf file

A "Profile" (PCF file) tells the Cisco VPN client which host it should connect to and lets you configure settings for that host. As of the 4.6 version of the software, the directory /etc/opt/cisco-vpnclient is used for those profiles.
  1. cd to /etc/opt/cisco-vpnclient/Profiles
  2. Copy the following code into the file ucar.pcf.
  3. Edit the ucar.pcf file and change the Username field to the username of the user who will be invoking the VPN client.
    [Screen Shot]
  4. Other values in the file should be set:
Most of these settings are there for security purposes defined by the policies of UCAR, the CSAC committee, and our divisions and programs. You should be okay if you use the downloaded "ucar.pcf" file above.

Note: The same ucar.pcf file can be used in Windows. It goes in the Profiles directory within the Cisco VPN client directory under C:\Program Files.

Invoking VPN client

When you connect with the VPN client to the UCAR network, other network connections (such as to other machines on your network or through your ISP) are in effect turned off. It will be as if your machine is connected directly to the UCAR network.

For this reason it is very important that your machine follows the same security policies as machines connected internally. Those policies are defined by your division or program within UCAR, by CSAC, and by UCAR policy. For instance, in ACD we require a current version of the Fedora series of Linux, patches applied at least weekly, patches required by the Security administrator applied immediately, and so forth. Check with Garth or me if you are uncertain about how best to manage your portable or home Linux system.

That said, the way to invoke the client is simply the following command:

vpnclient connect ucar

You should see something like this:

acd-fredricknote:/home/fredrick> sudo vpnclient connect ucar
Cisco Systems VPN Client Version 4.6.00 (0045)
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.9-1.724_FC3 #1 Sun Jan 2 15:43:49 EST 2005 i686
Config file directory: /etc/opt/cisco-vpnclient

Initializing the VPN connection.
Contacting the gateway at 192.43.244.230
User Authentication for ucar...

Enter Username and Password.

Username [fredrick]: 
Password []: 
Authenticating user.
Negotiating security policies.
Securing communication channel.

You are connected to the NCAR Cisco VPN! --Authorized use only--
Do you wish to continue? (y/n): y

Your VPN connection is secure.

VPN tunnel information.
Client address: 128.117.65.43
Server address: 192.43.244.230
Encryption: 168-bit 3-DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is active on port UDP 10000
Local LAN Access is disabled

acd-fredricknote:/home/fredrick>

When the kernel changes (due to yum updates)

The Fedora kernel changes frequently as yum does its job to keep patch levels current. Whenever the kernel changes, and you boot from the new kernel, it is necessary to cd into the VPN installer directory and run "./vpn_install" again. Choose all of the defaults for subsequent installs.

I have even considered placing this in a startup script for Fedora since the actual compile time is minimal, and vpn_install doesn't overwrite the profile (ucar.pcf) file.
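Added example of what such a startup script could look like (my own sketch, not from the page or from Cisco): it records the kernel the client was last built for and reruns the installer only when the running kernel differs. Assumptions not on the page: the untarred installer lives in $VPN_SRC, the record is kept in $STATE, and vpn_install takes its defaults when fed empty lines on stdin.

```shell
#!/bin/sh
# Rebuild the Cisco VPN client after a kernel update, only when needed.
# Added example; the paths below and the "feed empty lines to vpn_install"
# trick are assumptions, not something documented by Cisco or this page.
VPN_SRC="${VPN_SRC:-/usr/local/src/vpnclient}"          # assumed location
STATE="${STATE:-/var/lib/vpnclient/built-for-kernel}"  # assumed record file
START_CMD="${START_CMD:-service vpnclient_init start}" # command from the page

# $1 = state file, $2 = running kernel. Returns 0 when a rebuild is
# needed (no record yet, or the record differs from the running kernel).
needs_rebuild() {
    [ -r "$1" ] && [ "$(cat "$1")" = "$2" ] && return 1
    return 0
}

# $1 = state file, $2 = kernel, $3 = installer directory.
# Runs vpn_install with all defaults and records the kernel on success.
rebuild_for_kernel() {
    # This compiles and installs kernel code as root at boot time, so
    # refuse a source tree that any other user could have modified.
    if find "$3" -prune -perm -002 | grep -q .; then
        echo "refusing: $3 is world-writable" >&2
        return 1
    fi
    [ -x "$3/vpn_install" ] || { echo "no vpn_install in $3" >&2; return 1; }
    # Empty lines accept the installer's defaults (assumption, see above).
    ( cd "$3" && yes '' | ./vpn_install ) || return 1
    mkdir -p "$(dirname "$1")" && printf '%s\n' "$2" > "$1"
}

# Entry point for a boot-time script: rebuild only when the kernel
# changed, then start the service as the installation steps describe.
rebuild_if_needed() {
    kernel=$(uname -r)
    if needs_rebuild "$STATE" "$kernel"; then
        rebuild_for_kernel "$STATE" "$kernel" "$VPN_SRC" || return 1
        $START_CMD
    fi
}
```

Call rebuild_if_needed from a root-run startup script that executes after the vpnclient_init service has been tried; ucar.pcf is untouched because vpn_install leaves the profile alone.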
