Vpnc
This document is aimed at users who want to connect to their office network from home or while travelling. Many companies use Cisco 3000 VPN concentrators for their VPN needs, and I am willing to bet that Linux newcomers think they are forced to use Windows to connect to them. Well, this document explains that connecting to Cisco VPNs is definitely possible, and you will surely be able to set up a working tunnel using a Gentoo workstation or laptop.
VPNC is a VPN client compatible with Cisco's EasyVPN equipment. It supports IPSec (ESP) with Mode Configuration and Xauth. Supports only shared-secret IPSec authentication with: Xauth, AES (256, 192, 128), 3DES, 1DES, MD5, SHA1, DH1/2/5 and IP tunneling. VPNC runs entirely in userspace. Only universal TUN/TAP device driver support is needed in kernel.
Introduction
This guide describes the basic workings of the vpnc client, including the handling of IP routing and DNS configuration. The connection terminates on a vendor-specific IPSec concentrator (Cisco/Juniper).
Installation
Kernel
For Linux to be able to open a VPN connection, the "Universal TUN/TAP device driver" option must be enabled in the kernel. What is it and why is it needed? A relatively simple explanation from the kernel configuration option follows.
To verify that the kernel has TUN/TAP support, grep the kernel configuration file:
root #
grep "TUN" /usr/src/linux/.config
CONFIG_INET_TUNNEL=m
# CONFIG_INET6_TUNNEL is not set
# CONFIG_IPV6_TUNNEL is not set
(TUN/TAP enabled as a module)
CONFIG_TUN=m
# CONFIG_8139TOO_TUNE_TWISTER is not set
As can be seen above, CONFIG_TUN=m is compiled as a module. If it is disabled in the configuration, enable the option in the kernel, rebuild, install, reboot and return to this document before continuing with the next steps.
Device Drivers --->
Network device support --->
[*] Universal TUN/TAP device driver support
If TUN/TAP support is built directly into the kernel, the output of the dmesg command should look similar to the following:
root #
dmesg | grep TUN
Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
Emerge
Now that the configuration of a working kernel is complete, install the net-misc/vpnc package:
root #
emerge --ask net-misc/vpnc
Configuration
In order to make the following sections clearer, we need an example setup to work from. The example assumes that the home network computers are on the 192.0.2.0/24 network. The VPN client in question is run by a Gentoo computer, client1, using a private IP address it receives from the locally connected router.
Environment variables
Configuration:
- dev - the tun0 or tap0 device
IP address table:
Hostname | Interface | IP address | Gateway | Network description
---|---|---|---|---
client1 | eth0 | 192.0.2.10/24 | 192.0.2.1 | Private or Public
 | tun0 | 192.168.255.10/24 | tun0 | VPN
vpngw.example.org | | 203.0.113.2 | | Public - internet
dns1.example.org | | 192.168.100.100 | | VPN
This is an example IP scenario used in this document. For real-world usage, change the IP networking entries accordingly.
The state of the current DNS and IP setup on the Gentoo client1 before the vpnc connection has been established:
root #
netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     *               255.255.255.0   U         0 0          0 eth0
loopback        desktop         255.0.0.0       UG        0 0          0 lo
default         router          0.0.0.0         UG        0 0          0 eth0
root #
ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:11:2F:8D:08:08
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::211:2fff:fe8d:808/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3657889 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2305893 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2193722103 (2092.0 Mb)  TX bytes:1415104432 (1349.5 Mb)
          Interrupt:185 Memory:fac00000-0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:35510 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35510 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:16023838 (15.2 Mb)  TX bytes:16023838 (15.2 Mb)
The contents of /etc/resolv.conf at this point:
nameserver 192.168.0.1
vpnc
- /etc/conf.d/vpnc - Gentoo's config file for vpnc daemon.
- /etc/vpnc/vpnc.conf - Global (system wide) configuration file.
- /etc/vpnc/work.conf - Conventional filename for additional configuration rules.
The configuration file for vpnc connection settings can be located in a couple places, depending on how many profiles need to be configured. By default, vpnc looks for /etc/vpnc/vpnc.conf for its connection settings. This setup will only address a single profile example and will use the configuration file location /etc/vpnc/vpnc.conf.
IPSec gateway vpngateway.domain.org
IPSec ID group_id
IPSec secret group_password
Xauth username network_signon
Xauth password network_password
The configuration file example above should be modified to reflect the appropriate values for the local setup. The gateway option (vpngw.example.org) can be a fully qualified domain name or an IP address. The ID and secret options should be given by a network administrator.
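Because /etc/vpnc/vpnc.conf holds the group secret and, optionally, the Xauth password in cleartext, the file should be readable by root only. The following shell snippet is an added example (not part of the wiki page or of vpnc): it writes a profile with the page's placeholder values under a restrictive umask and then checks, before vpnc is started, that group/other have no access and that the four mandatory settings are present. The function names and the check itself are this example's own.

```shell
#!/bin/sh
# Added example, not from the Gentoo wiki page or the vpnc project.
# Writes a vpnc profile with mode 0600 and validates it before use.

# write_vpnc_conf <path> <gateway> <group-id> <group-secret> <xauth-user> [xauth-password]
# Creates the file root-only regardless of the caller's umask. When the
# Xauth password is omitted, vpnc prompts for it at start-up instead.
write_vpnc_conf() {
    path="$1" gw="$2" gid="$3" gsecret="$4" xuser="$5" xpass="${6:-}"
    old_umask=$(umask)
    umask 077
    {
        printf 'IPSec gateway %s\n' "$gw"
        printf 'IPSec ID %s\n' "$gid"
        printf 'IPSec secret %s\n' "$gsecret"
        printf 'Xauth username %s\n' "$xuser"
        if [ -n "$xpass" ]; then
            printf 'Xauth password %s\n' "$xpass"
        fi
    } > "$path"
    umask "$old_umask"
}

# check_vpnc_conf <path>
# Returns 0 when no group/other permission bits are set and the mandatory
# settings exist; otherwise prints the problem on stderr and returns 1.
check_vpnc_conf() {
    path="$1"
    # Columns 5-10 of `ls -ld` are the group and other permission bits.
    perms=$(ls -ld "$path" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$path: group/other can access the file (mode $(ls -ld "$path" | cut -c2-10)); run: chmod 600 $path" >&2
        return 1
    fi
    for key in 'IPSec gateway' 'IPSec ID' 'IPSec secret' 'Xauth username'; do
        if ! grep -q "^$key " "$path"; then
            echo "$path: missing '$key' line" >&2
            return 1
        fi
    done
    return 0
}

# Usage (values are the page's placeholders, not real credentials):
#   write_vpnc_conf /etc/vpnc/vpnc.conf vpngw.example.org group_id group_password network_signon
#   check_vpnc_conf /etc/vpnc/vpnc.conf && vpnc
```

The check deliberately looks at permission bits rather than trying to read the file as another user, so it can run from the same root shell that starts vpnc.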
Windows profile .pcf
If the authentication credentials cannot be obtained but a working setup on a Windows box is available which utilizes the official Cisco VPN client, then it suffices to export the profile. The user name and password options are for the normal network sign-on, such as a Windows NT domain account. When the profile is exported from a Windows machine, then the result is most likely a file ending in .pcf. This file will have all the necessary information. Below is an example:
[main]
Description=
Host=VPNGATEWAY.DOMAIN.ORG
AuthType=1
GroupName=group_id
GroupPwd=
enc_GroupPwd=F3256220AA200A1D532556024F4F314B0388D48B0FBF2DB12
EnableISPConnect=0
ISPConnectType=0
ISPConnect=FOOBAR
ISPCommand=
Username=
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=0
BackupServer=
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
SendCertChain=0
VerifyCertDN=
DHGroup=2
ForceKeepAlives=0
PeerTimeout=90
EnableLocalLAN=0
EnableSplitDNS=1
ForceNetLogin=0
In the above example, we can see entries for Host, GroupName and enc_GroupPwd. The user credentials may or may not be exported depending on the setup: Username and UserPassword.
To generate a working vpnc configuration out of it, use pcf2vpnc, included with vpnc.
The password can be decrypted with the help from the cisco-decrypt program, shipped with the latest vpnc.
Converting the ~/profile.pcf file into a /etc/vpnc/vpnc.conf working configuration using the pcf2vpnc tool:
user $
pcf2vpnc profile.pcf
## generated by pcf2vpnc
IKE Authmode psk
IKE DH Group dh2
IPSec secret ASD1v5J.a&H.tkfJ
IPSec gateway VPNGW.EXAMPLE.ORG
IPSec ID group_id

## To add your username and password,
## use the following lines:
# Xauth username <your username>
# Xauth password <your password>
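The conversion above is what pcf2vpnc does for you; the following shell function is an added example (not pcf2vpnc and not from the wiki page) that performs the same mapping from the [main] section of a .pcf profile, so the format is clear. It handles the Windows CRLF line endings such profiles usually have, a cleartext GroupPwd versus an obfuscated enc_GroupPwd, and an optional Username. The obfuscated value is not decoded here: it is emitted as vpnc's "IPSec obfuscated secret" setting (an option the page does not mention but which vpnc accepts), which lets vpnc use it directly; running cisco-decrypt on the hex string as the page describes is the alternative. The function name and the sample profile in the usage note are this example's own.

```shell
#!/bin/sh
# Added example, not the vpnc project's pcf2vpnc: map a Cisco .pcf profile
# to vpnc.conf lines. Only the [main] section is read.

# pcf_to_vpnc <profile.pcf>
# Prints vpnc.conf lines on stdout; returns 1 when Host or GroupName is absent.
pcf_to_vpnc() {
    # .pcf files exported from Windows carry CRLF line endings; strip the CR
    # first so it does not end up inside the gateway name or the secret.
    tr -d '\r' < "$1" | awk -F= '
        # Track the current INI section; only [main] holds connection settings.
        /^\[/ { in_main = ($0 == "[main]"); next }
        !in_main || !/=/ { next }
        {
            key = $1
            # The value may itself contain "=", so take everything after the first one.
            v[key] = substr($0, length(key) + 2)
        }
        END {
            if (v["Host"] == "" || v["GroupName"] == "") {
                print "pcf_to_vpnc: Host or GroupName missing from [main]" > "/dev/stderr"
                exit 1
            }
            print "IPSec gateway " v["Host"]
            print "IPSec ID " v["GroupName"]
            if (v["GroupPwd"] != "")
                print "IPSec secret " v["GroupPwd"]
            else if (v["enc_GroupPwd"] != "")
                # Obfuscated form: vpnc accepts it as is, or decode with cisco-decrypt.
                print "IPSec obfuscated secret " v["enc_GroupPwd"]
            else
                print "# IPSec secret <not in profile; ask the administrator>"
            if (v["Username"] != "")
                print "Xauth username " v["Username"]
            else
                print "# Xauth username <your username>"
            # Leaving the password out makes vpnc prompt for it at start-up.
            print "# Xauth password <your password>"
        }'
}

# Usage with a constructed profile (placeholder values, not real credentials):
#   pcf_to_vpnc ~/profile.pcf > /etc/vpnc/vpnc.conf && chmod 600 /etc/vpnc/vpnc.conf
```

Note that a profile can contain both an empty GroupPwd= and a filled enc_GroupPwd=, exactly as in the page's example; the function prefers the cleartext field only when it is non-empty.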
Service
vpnc contains an init script (/etc/init.d/vpnc) to handle multiple configurations at the same time. The default script looks for /etc/vpnc/vpnc.conf, but additional configurations are possible. Before and after start-up and shutdown, custom-made scripts can be executed; they are connected by their name to the corresponding init script. Script names end in -preup.sh, -postup.sh, -predown.sh and -postdown.sh and are stored in the /etc/vpnc/scripts.d/ directory. The general naming scheme is sketched in the table below.
Init script name | Required configuration file | Pre-up script name
---|---|---
/etc/init.d/vpnc | /etc/vpnc/vpnc.conf | /etc/vpnc/scripts.d/vpnc-preup.sh
/etc/init.d/vpnc.work | /etc/vpnc/work.conf | /etc/vpnc/scripts.d/work-preup.sh
OpenRC
Add vpnc to the default runlevel with the following commands (in this case for the standard configuration). Do not forget to add the tun module (if it was built that way) to the kernel's module autoload mechanism at boot.
root #
rc-update add vpnc default
To show all output and prompts on standard output, edit the /etc/conf.d/vpnc configuration file. Set the VPNCOUTPUT variable to yes to show all output and the prompts for authentication, and enter the password at the prompt. Or leave it at the default setting no, which does not display screen output; in that case the saved Xauth password in the global configuration file /etc/vpnc/vpnc.conf is used.
runit
systemd
Usage
Now that a configuration is in place it is time to test the setup. To start vpnc do the following:
root #
vpnc
Enter password for username@vpngateway.domain.org:
VPNC started in background (pid: 14788)...
The above command output shows that, once vpnc (as root) is executed, a prompt comes up asking for a password. After entering the password (which will not be echoed to the terminal), the vpnc process will automatically become a background process.
If the Xauth password option is specified in the vpnc config file, then no password will be asked for at vpnc startup. Additionally, if vpnc needs some extra options not specified in the configuration file, or if something is forgotten, don't worry, it will ask for it.
root #
ifconfig -a
eth1      Link encap:Ethernet  HWaddr 00:11:2F:8D:08:08
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::211:2fff:fe8d:808/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2101119 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1577559 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1757862627 (1676.4 Mb)  TX bytes:732200131 (698.2 Mb)
          Interrupt:177 Memory:faa00000-0

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.160.42  P-t-P:192.168.160.42  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:60 (60.0 b)  TX bytes:616 (616.0 b)
root #
netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
vpn01.domain.or router          255.255.255.255 UGH    1500 0          0 eth1
192.168.0.0     *               255.255.255.0   U         0 0          0 eth1
loopback        desktop         255.0.0.0       UG        0 0          0 lo
default         *               0.0.0.0         U         0 0          0 tun0
user $
more /etc/resolv.conf
#@VPNC_GENERATED@ -- this file is generated by vpnc
# and will be overwritten by vpnc
# as long as the above mark is intact
# Generated by dhcpcd
nameserver 192.168.100.100
search example.org
Verify the vpn configured DNS server is reachable:
user $
ping dns1
PING dns1.example.org (192.168.100.100) 56(84) bytes of data.
64 bytes from dns1.example.org (192.168.100.100): icmp_seq=1 ttl=64 time=2.40 ms
64 bytes from dns1.example.org (192.168.100.100): icmp_seq=2 ttl=64 time=3.44 ms
64 bytes from dns1.example.org (192.168.100.100): icmp_seq=3 ttl=64 time=3.20 ms

--- dns1.example.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 2.404/3.013/3.441/0.442 ms
As can be seen from the above command output(s), vpnc has done the following:
- Created the tun0 network interface, a virtual interface to handle the traffic across the VPN tunnel
- Obtained the IP address for the tun0 device from the VPN provider
- Set routes to route VPN related traffic only to the VPN gateway
- Set DNS server for the VPN
At this point, the workstation is capable of communicating with hosts via the VPN. vpnc keeps the route to the concentrator itself on the local gateway, and only the VPN-interesting traffic is routed to the IPSec concentrator appliance.
To end the current vpnc session, stop the service (service vpnc stop) or run vpnc-disconnect directly. An example is shown below:
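The four points above are what a post-connection check should confirm before any traffic is trusted to the tunnel. The following shell functions are an added example (not from the wiki page or from vpnc) that evaluate saved `netstat -r` output and the contents of /etc/resolv.conf: they verify that the default route now points into a tun/tap interface, that the concentrator keeps a host route outside the tunnel (otherwise the encrypted packets themselves would be routed into tun0), and that resolv.conf carries vpnc's marker and the VPN nameserver. The function names and the constructed sample tables are this example's own; the gateway must be passed as it appears in the table (netstat truncates long hostnames, so the prefix is matched).

```shell
#!/bin/sh
# Added example, not from the Gentoo wiki page or the vpnc project.
# Post-connection checks over `netstat -r` output and /etc/resolv.conf.

# route_default_iface <file holding netstat -r output>
# Prints the interface carrying the default route, or nothing if there is none.
route_default_iface() {
    awk '$1 == "default" || $1 == "0.0.0.0" { print $NF; exit }' "$1"
}

# route_gw_pinned <file> <gateway as shown in the table>
# Succeeds when the VPN gateway has a host route (Genmask 255.255.255.255,
# Flags containing H) whose interface is not the tunnel itself.
route_gw_pinned() {
    awk -v gw="$2" '
        NF >= 8 && index(gw, $1) == 1 && $3 == "255.255.255.255" \
            && index($4, "H") > 0 && $NF !~ /^(tun|tap)/ { found = 1 }
        END { exit !found }' "$1"
}

# resolv_from_vpnc <resolv.conf> <expected nameserver>
# Succeeds when vpnc's marker is intact and the VPN nameserver is listed.
resolv_from_vpnc() {
    grep -q '^#@VPNC_GENERATED@' "$1" && grep -q "^nameserver $2\$" "$1"
}

# vpn_tunnel_check <routes file> <resolv.conf> <gateway> <nameserver>
# Runs all checks, reports each one, and returns the number of failures.
vpn_tunnel_check() {
    routes="$1" resolv="$2" gw="$3" ns="$4"
    fails=0
    iface=$(route_default_iface "$routes")
    case "$iface" in
        tun*|tap*) echo "ok: default route via $iface" ;;
        *) echo "FAIL: default route via '${iface:-none}'; traffic would bypass the tunnel"
           fails=$((fails + 1)) ;;
    esac
    if route_gw_pinned "$routes" "$gw"; then
        echo "ok: host route to $gw stays outside the tunnel"
    else
        echo "FAIL: no host route to $gw outside the tunnel"
        fails=$((fails + 1))
    fi
    if resolv_from_vpnc "$resolv" "$ns"; then
        echo "ok: resolv.conf written by vpnc, nameserver $ns present"
    else
        echo "FAIL: resolv.conf not generated by vpnc or nameserver $ns missing"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Usage on a live system (capture the table first; -rn avoids name truncation):
#   netstat -rn > /tmp/routes && vpn_tunnel_check /tmp/routes /etc/resolv.conf 203.0.113.2 192.168.100.100
```

The host-route check is the one most worth keeping: if a later script or network manager removes it while the default route still points at tun0, the tunnel silently stops passing traffic.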
root #
vpnc-disconnect
Terminating vpnc daemon (pid: 26250)
Troubleshooting
Configuration debugging
Use the --debug n runtime option to get more verbose output. The following options are available:
user $
vpnc --help
  --debug <0/1/2/3/99>
      Show verbose debug messages
       * 0: Do not print debug information.
       * 1: Print minimal debug information.
       * 2: Show statemachine and packet/payload type information.
       * 3: Dump everything exluding authentication data.
       * 99: Dump everything INCLUDING AUTHENTICATION data (e.g. PASSWORDS).
      conf-variable: Debug <0/1/2/3/99>
Example output of configuration debugging with --debug 1 on a non-working connection session:
root #
vpnc --debug 1 /etc/vpnc/vpnc.conf
vpnc version 0.5.3
response was invalid [1]: (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)
Optionally, enable debug output in the /etc/vpnc/vpnc.conf configuration file by adding the following line at the end:
...
Xauth username larry
debug 2
See also
- OpenVPN — software that enables the creation of secure point-to-point or site-to-site connections.
- WireGuard — a modern, simple, and secure VPN that utilizes state-of-the-art cryptography.
- VPN services
External resources
This page is based on a document formerly found on our main website gentoo.org.
The following people contributed to the original document: David H. Askew, Christian Faulhammer, Thomas Fischer, nightmorph
They are listed here because wiki history does not allow for any external attribution. If you edit the wiki article, please do not add yourself here; your contributions are recorded on each article's associated history page.