Even though I managed to install Cisco VPN client 4.8 on my Ubuntu (Lucid Lynx) workstation, I was not successful at troubleshooting the connection attempts to our corporate Cisco VPN concentrator. Each attempt to establish a VPN connection ended with the error message:
I had almost given up hope of using Ubuntu for VPN; fortunately, I recently met an Oracle DBA (Igor@3Gen) who told me that he is successfully using vpnc to connect to the same Cisco VPN concentrator as I am.
He was kind enough (thanks Igor!) to share his notes on the subject. This is my summary of the steps I followed to install and configure vpnc (of course, some technical details are obfuscated).
Step 1) Install vpnc and Gnome GUI plugin for network manager
Step 2) Extract group password from Cisco client pcf file
Until now I was using the Cisco VPN client on Windows 7, packaged and delivered to me by our corporate VPN support team. My Cisco VPN client (v5.0.02.0090) already included the necessary profiles (*.pcf files) with the configuration data. Profile configuration files are usually located in C:\Program Files\Cisco Systems\VPN Client\Profiles.
If you open your pcf file you'll find (among other data) the encrypted group password in the field !enc_GroupPwd. This is the pre-shared secret; we first need to decrypt it and then use it in our vpnc configuration file. Fortunately, this is not hard with the tools that exist on the net: the value is only obfuscated, not protected by any key that the file itself does not contain, so anyone who can read the .pcf file can recover the group secret. Treat the profile file as being as sensitive as the secret it holds.
At this stage the decrypted group password is in acme-vpnc.conf.
[Note: there are web sites that will decrypt a Cisco group password for you. Personally, I prefer relying on my own tools, which is why I compiled my own decryption tool; a third-party site that decrypts the value for you has, by definition, seen your group secret.]
Step 3) Setup vpnc configuration file (/etc/vpnc/ACME-vpn.conf)
Use your favorite editor to create your vpnc configuration file…
Then add the following lines:
Where:
- nnn.nnn.nnn.nnn — the IP address of the VPN gateway (the !Host variable in the pcf file). Use the IP address rather than the fully qualified domain name of the gateway, to avoid problems resolving the name to an IP!
- IPSec ID — the group name (the !GroupName variable in the pcf file)
- IPSec secret — the group password, stored encrypted in the pcf file as the !enc_GroupPwd variable. Enter the decrypted version of the password, which you'll find in the vpnc configuration file generated in step 2
- Xauth username — the username for authentication (the Username variable in the pcf file)
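Steps 2 and 3 together, as an added example that is not the post's own tool (the author compiled the existing cisco-decrypt sources instead): a Go port of the scheme the public cisco-decrypt utility implements for the !enc_GroupPwd blob, plus a small reader that pulls !Host, !GroupName and Username out of the .pcf file and renders the vpnc configuration lines listed above. The gateway 192.0.2.10, the group name acme, the user jdoe, the group secret and the fixed 20-byte header are constructed sample values; a real profile carries a random header and the real secret, and the blob format and key derivation are those of cisco-decrypt as I understand them, not something the post documents.

```go
// Added example, not the post's own tool: Go port of the scheme the public
// cisco-decrypt utility implements for !enc_GroupPwd, plus a .pcf reader that
// renders the vpnc configuration lines described in step 3.
package main

import (
	"bufio"
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// deriveKeyIV: 3DES key = SHA1(h1 with last byte +1) || SHA1(h1 with last
// byte +3)[:4]; IV = h1[:8]. Byte arithmetic wraps, like unsigned char in C.
func deriveKeyIV(h1 []byte) (key, iv []byte) {
	h2 := append([]byte(nil), h1...)
	h2[19]++
	h3 := append([]byte(nil), h1...)
	h3[19] += 3
	s2, s3 := sha1.Sum(h2), sha1.Sum(h3)
	return append(append([]byte(nil), s2[:]...), s3[:4]...), h1[:8]
}

// DecryptGroupPwd decodes the hex value of enc_GroupPwd. Blob layout:
// h1 (20 bytes) || SHA1(ciphertext) (20 bytes) || 3DES-CBC ciphertext.
func DecryptGroupPwd(encHex string) (string, error) {
	blob, err := hex.DecodeString(strings.TrimSpace(encHex))
	if err != nil {
		return "", err
	}
	if len(blob) < 48 || (len(blob)-40)%des.BlockSize != 0 {
		return "", errors.New("enc_GroupPwd too short or not block aligned")
	}
	h1, want, ct := blob[:20], blob[20:40], blob[40:]
	if got := sha1.Sum(ct); !bytes.Equal(got[:], want) {
		return "", errors.New("hash check failed: not a Cisco group password blob")
	}
	key, iv := deriveKeyIV(h1)
	block, _ := des.NewTripleDESCipher(key) // key is always 24 bytes here
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	// PKCS#7 padding, as OpenSSL's EVP layer (used by cisco-decrypt) produces.
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > des.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad padding")
	}
	return string(pt[:len(pt)-pad]), nil
}

// EncryptGroupPwd is the inverse; it exists here only to build a sample blob.
func EncryptGroupPwd(h1 []byte, pwd string) string {
	key, iv := deriveKeyIV(h1)
	block, _ := des.NewTripleDESCipher(key)
	pad := des.BlockSize - len(pwd)%des.BlockSize
	pt := append([]byte(pwd), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	sum := sha1.Sum(ct)
	return hex.EncodeToString(append(append(append([]byte(nil), h1...), sum[:]...), ct...))
}

// PcfToVpncConf pulls the keys vpnc needs out of a .pcf profile (a leading "!"
// marks a locked field) and renders the config lines. The Xauth password is
// left out on purpose so vpnc prompts for it instead of storing it on disk.
func PcfToVpncConf(pcf string) (string, error) {
	vals := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(pcf))
	for sc.Scan() {
		if kv := strings.SplitN(sc.Text(), "=", 2); len(kv) == 2 {
			vals[strings.TrimPrefix(strings.TrimSpace(kv[0]), "!")] = strings.TrimSpace(kv[1])
		}
	}
	secret, err := DecryptGroupPwd(vals["enc_GroupPwd"])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("IPSec gateway %s\nIPSec ID %s\nIPSec secret %s\nXauth username %s\n",
		vals["Host"], vals["GroupName"], secret, vals["Username"]), nil
}

// Constructed sample profile: a fixed header and a made-up secret encrypted
// with EncryptGroupPwd above. A real profile carries a random header.
var (
	sampleH1  = []byte("vpnc-example-header!") // exactly 20 bytes
	sampleEnc = EncryptGroupPwd(sampleH1, "ACME-group-secret")
	samplePCF = "[main]\nDescription=ACME VPN\n!Host=192.0.2.10\n!GroupName=acme\n" +
		"GroupPwd=\n!enc_GroupPwd=" + sampleEnc + "\nUsername=jdoe\n"
)

func main() {
	conf, err := PcfToVpncConf(samplePCF)
	if err != nil {
		panic(err)
	}
	fmt.Print(conf)
}
```

The SHA1 stored in the blob is checked before decrypting, so a truncated or edited value is reported as such instead of silently decrypting to garbage; and because the key is derived from the header stored in the same field, the whole operation works offline, which is the reason the .pcf file deserves the same handling as the secret it carries.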
Step 4) Modify firewall rules to allow VPN connection
Use your favorite editor to edit the Firestarter user-pre file (/etc/firestarter/user-pre) to add some iptables rules:
Add the following lines (replace nnn.nnn.nnn.nnn with the Cisco VPN gateway IP):
Restart your firewall:
Step 5) Test vpnc connection
You can start the VPN connection either on the command line or with the Network Manager GUI. To start the VPN on the command line open a Terminal and run:
You'll first be asked for your sudo password, then for the VPN (Xauth) password. After that you should see the standard welcome banner from your VPN provider. From this point on you have a working VPN connection; you can open a Terminal Services client and connect to your Windows workstation at work, or do whatever else you need.
When you wish to close the VPN connection simply run the following command in a terminal window:
Configuring VPN connection with GUI using Network Manager:
If you prefer to work with a GUI network manager you can setup vpnc connection with plugin that was installed in step 1. Here are some screenshots (let’s say I want to configure ACME-vpn-2 connection):
1) Open Network Manager (the up/down arrow icon at the left)
2) Select “VPN connections”, then “Configure VPN”
* Don't be confused by the existing ACME-vpn entry; this is the VPN connection I already created.
3) Click on Add button to setup new VPN connection
4) From combo box select “Cisco Compatible VPN (vpnc)”
5) Fill the VPN tab with VPN data according to your setup
6) Also select the IPv4 tab and choose "Automatic (VPN) addresses only"
* Optionally enter (internal – inside VPN) DNS addresses.
Now, you can connect/disconnect from VPN by simply selecting VPN connection from Network Manager GUI.
If you get the error:
vpnc: response was invalid [2]: (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)
it is because of wrong authentication settings (hybrid instead of psk): change the IKE Authmode setting in your .conf file to psk, or remove the line, since psk is vpnc's default.
More on decrypting the group password: http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode provides the source code of the tool used to decrypt the group password.