Vpnc

From Gentoo Wiki
This document is for users who want to connect to their office network from home or while travelling. Many companies use Cisco 3000 VPN concentrators for their VPN needs, and I would bet that most Linux newcomers think they can only connect using Windows. This document explains that connecting to a Cisco VPN from Linux is absolutely possible, and will hopefully help in setting up a working tunnel from a Gentoo workstation or laptop.

VPNC is a VPN client compatible with Cisco's EasyVPN equipment. It supports IPSec (ESP) with Mode Configuration and Xauth. It supports only shared-secret IPSec authentication, with Xauth, AES (256, 192, 128), 3DES, 1DES, MD5, SHA1, DH1/2/5 and IP tunneling. VPNC runs entirely in userspace; only Universal TUN/TAP device driver support is needed in the kernel.

This guide describes the basic workings of the vpnc client, including IP routing and DNS configuration. The connection terminates on a vendor-specific IPSec concentrator (Cisco/Juniper).

Installation

Kernel

For Linux to be able to open a VPN connection, Universal TUN/TAP device driver support must be enabled in the kernel. What is it, and why is it needed? Here is the relatively straightforward explanation from the kernel configuration dialog:

To verify whether the kernel supports TUN/TAP, grep the kernel's configuration file:

root #grep "TUN" /usr/src/linux/.config
CONFIG_INET_TUNNEL=m
# CONFIG_INET6_TUNNEL is not set
# CONFIG_IPV6_TUNNEL is not set
(TUN/TAP enabled as a module)
CONFIG_TUN=m
# CONFIG_8139TOO_TUNE_TWISTER is not set

As can be seen above, CONFIG_TUN=m means TUN/TAP is compiled as a module. If it is disabled in the setup, enable it in the kernel of choice, rebuild, install, reboot and return to this document before continuing with the next steps.

Kernel: configuration location in the kernel configuration dialog
Device Drivers  --->
  Network device support  --->
    [*] Universal TUN/TAP device driver support

If TUN/TAP support is built directly into the kernel, the dmesg output should look like this:

root #dmesg | grep TUN
Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky

Emerge

Now that the working kernel setup is complete, install the net-misc/vpnc package:

root #emerge --ask net-misc/vpnc

Configuration

In order to make the following sections clearer, we need an example setup to work from. The example assumes that the home network computers are on the 192.0.2.0/24 network. The VPN client in question runs on a Gentoo computer, client1, using a private IP address it receives from the locally connected router.

Environment variables

Configuration:

  • dev - tun0 or tap0 device

IP address table:

Hostname            Interface   IP address           Gateway      Network description
client1             eth0        192.0.2.10/24        192.0.2.1    Private or Public
                    tun0        192.168.255.10/24    tun0         VPN
vpngw.example.org               203.0.113.2                       Public - internet
dns1.example.org                192.168.100.100                   VPN

Note
This is an example IP scenario used in this document. For real-world usage, change the IP networking entries accordingly.


Our example workstation configuration looks like this:

root #netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     *               255.255.255.0   U         0 0          0 eth0
loopback        desktop         255.0.0.0       UG        0 0          0 lo
default         router          0.0.0.0         UG        0 0          0 eth0
root #ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:11:2F:8D:08:08
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::211:2fff:fe8d:808/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3657889 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2305893 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2193722103 (2092.0 Mb)  TX bytes:1415104432 (1349.5 Mb)
          Interrupt:185 Memory:fac00000-0
  
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:35510 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35510 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:16023838 (15.2 Mb)  TX bytes:16023838 (15.2 Mb)
File /etc/resolv.conf
nameserver      192.168.0.1

vpnc

  • /etc/conf.d/vpnc - Gentoo's config file for vpnc daemon.
  • /etc/vpnc/vpnc.conf - Global (system wide) configuration file.
  • /etc/vpnc/work.conf - Conventional filename for additional configuration rules.

The configuration file for vpnc connection settings can be located in a couple of places, depending on how many profiles need to be configured. By default, vpnc looks for /etc/vpnc/vpnc.conf for its connection settings. This setup will only address a single-profile example and will use the configuration file location /etc/vpnc/vpnc.conf.

File /etc/vpnc/vpnc.conf
IPSec gateway vpngw.example.org
IPSec ID tunnel-split
IPSec secret gentoo-linux-rocks
Xauth username larry
Xauth password gentoo-linux-rocks-and-I-am-a-cow

The configuration file example above should be modified to reflect the appropriate values for the local setup. The gateway option vpngw.example.org can be a fully qualified domain name or an IP address. The ID and secret options should be given by a network administrator.

Windows profile .pcf

If the authentication credentials cannot be obtained but a working setup on a Windows box is available which utilizes the official Cisco VPN client, then it suffices to export the profile. The user name and password options are for the normal network sign-on, such as a Windows NT domain account. When the profile is exported from a Windows machine, then the result is most likely a file ending in .pcf. This file will have all the necessary information. Below is an example:

File profile.pcf
[main]
Description=
Host=vpngw.example.org
AuthType=1
GroupName=tunnel-split
GroupPwd=
enc_GroupPwd=F3256220AA200A1D532556024F4F314B0388D48B0FBF2DB12
EnableISPConnect=0
ISPConnectType=0
ISPConnect=FOOBAR
ISPCommand=
Username=
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=0
BackupServer=
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
SendCertChain=0
VerifyCertDN=
DHGroup=2
ForceKeepAlives=0
PeerTimeout=90
EnableLocalLAN=0
EnableSplitDNS=1
ForceNetLogin=0

In the above example, we can see entries for:

  • Host
  • GroupName
  • enc_GroupPwd

The user credentials may or may not be exported depending on the setup:

  • Username
  • UserPassword

To generate a working vpnc configuration out of it, use pcf2vpnc, included with vpnc.

Note
The obfuscated group password (enc_GroupPwd) can be decrypted with the help of the cisco-decrypt program, shipped with recent vpnc releases.

Converting the ~/profile.pcf file into a /etc/vpnc/vpnc.conf working configuration using the pcf2vpnc tool:

user $pcf2vpnc profile.pcf
## generated by pcf2vpnc
IKE Authmode psk
IKE DH Group dh2
IPSec secret ASD1v5J.a&H.tkfJ
 
IPSec gateway VPNGW.EXAMPLE.ORG
IPSec ID group_id
 
## To add your username and password,
## use the following lines:
# Xauth username <your username>
# Xauth password <your password>

Service

vpnc ships an init script (/etc/init.d/vpnc) that can handle multiple configurations at the same time. The default script looks for /etc/vpnc/vpnc.conf, but additional configurations are possible. Custom scripts can be executed before and after start-up and shutdown; they are tied to the corresponding init script by name. Script names end in -preup.sh, -postup.sh, -predown.sh and -postdown.sh and are stored in the /etc/vpnc/scripts.d/ directory. The general naming scheme is sketched in the table below.

Init script name        Needed configuration file   Pre-up script name
/etc/init.d/vpnc        /etc/vpnc/vpnc.conf         /etc/vpnc/scripts.d/vpnc-preup.sh
/etc/init.d/vpnc.work   /etc/vpnc/work.conf         /etc/vpnc/scripts.d/work-preup.sh

OpenRC

Add vpnc to the default runlevel with the following command (in this case for the standard configuration). If tun was built as a module, also add it to the kernel's module autoload mechanism at startup.

root #rc-update add vpnc default

To show all output and prompts on standard output, edit the /etc/conf.d/vpnc configuration file.

Set the VPNCOUTPUT variable to yes to show all output and the authentication prompts, entering the password at the prompt.

Or leave it at the default setting no, which displays no screen output. In that case the Xauth password saved in the global configuration file /etc/vpnc/vpnc.conf is used.

runit


systemd


Usage

Now that a configuration is in place it is time to test the setup. To start vpnc do the following:

root #service vpnc start
 * Starting VPNC: vpnc ...                                                [ ok ]

Once vpnc is executed (as root), a prompt comes up asking for the password. After the password has been entered (it is not echoed to the terminal), the vpnc process automatically goes into the background, as the command output above shows.

Note
If the Xauth password option is specified in the vpnc config file, no password will be asked for at vpnc startup. Additionally, if vpnc needs some extra options that are not specified in the configuration file, or if something has been forgotten, don't worry: it will ask for it.

user $ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 0c:cf:f4:fb:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic noprefixroute eth0
       valid_lft 82974sec preferred_lft 72174sec
    inet6 fe80::ecf:f4ff:fefb:0/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1412 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 192.168.255.10/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::4d36:4f9:735f:ee44/64 scope link stable-privacy proto kernel_ll 
       valid_lft forever preferred_lft forever
user $ip route
default via 192.0.2.1 dev eth0 proto dhcp src 192.0.2.10 metric 1002 
192.0.2.0/24 dev eth0 proto dhcp scope link src 192.0.2.10 metric 1002 
192.168.100.100 dev tun0 scope link 
192.168.255.0/24 dev tun0 scope link 
203.0.113.2 via 192.0.2.1 dev eth0 src 192.0.2.10
user $more /etc/resolv.conf
#@VPNC_GENERATED@ -- this file is generated by vpnc
# and will be overwritten by vpnc
# as long as the above mark is intact
# Generated by dhcpcd
nameserver 192.168.100.100
search example.org

Verify that the DNS server configured by the VPN is reachable:

user $ping dns1
PING dns1.example.org (192.168.100.100) 56(84) bytes of data.
64 bytes from dns1.example.org (192.168.100.100): icmp_seq=1 ttl=64 time=2.40 ms
64 bytes from dns1.example.org (192.168.100.100): icmp_seq=2 ttl=64 time=3.44 ms
64 bytes from dns1.example.org (192.168.100.100): icmp_seq=3 ttl=64 time=3.20 ms
--- dns1.example.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 2.404/3.013/3.441/0.442 ms

As can be seen from the above command output(s), vpnc has done the following:

  • Created the tun0 network interface, a virtual interface to handle the traffic across the VPN tunnel
  • Obtained the IP address for the tun0 device from the VPN provider
  • Set routes to route VPN related traffic only to the VPN gateway
  • Set DNS server for the VPN

At this point, the workstation is capable of communicating with hosts via the VPN. Because vpnc leaves the default route pointing at the local gateway, only traffic for the VPN networks (the "interesting" traffic) is routed to the IPSec concentrator appliance.
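As an added example (not part of the original wiki page), the following POSIX shell check verifies that a routing table like the one above is a sane split tunnel: the default route stays off the tunnel, the concentrator itself is reached over the physical interface (so ESP is never routed into the tunnel it carries), and every VPN prefix goes via tun0. The sample table is constructed from this document's ip route output; the gateway address, tunnel device and prefixes are the document's example values.

```shell
#!/bin/sh
# Added example, not vpnc's own code: sanity-check a split-tunnel routing table.

# Constructed sample, copied from the "ip route" output shown in this document.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0 proto dhcp src 192.0.2.10 metric 1002
192.0.2.0/24 dev eth0 proto dhcp scope link src 192.0.2.10 metric 1002
192.168.100.100 dev tun0 scope link
192.168.255.0/24 dev tun0 scope link
203.0.113.2 via 192.0.2.1 dev eth0 src 192.0.2.10'

# route_dev ROUTES DESTINATION
# Prints the output device of the route whose destination field matches
# DESTINATION exactly ("default", a host address or a prefix); empty if none.
route_dev() {
    printf '%s\n' "$1" | awk -v dst="$2" '
        $1 == dst { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# check_split_tunnel ROUTES GATEWAY TUNDEV PREFIX...
# Returns 0 when the table routes only the VPN prefixes through the tunnel.
check_split_tunnel() {
    routes=$1; gw=$2; tun=$3; shift 3
    # 1. The default route must not point into the tunnel; otherwise all
    #    traffic, not just VPN traffic, would be sent to the concentrator.
    [ "$(route_dev "$routes" default)" != "$tun" ] \
        || { echo "default route goes via $tun"; return 1; }
    # 2. The concentrator must be reachable outside the tunnel, or the
    #    encrypted packets would be routed back into the tunnel they carry.
    gwdev=$(route_dev "$routes" "$gw")
    [ -n "$gwdev" ] && [ "$gwdev" != "$tun" ] \
        || { echo "no non-tunnel route to $gw"; return 1; }
    # 3. Every VPN prefix must be reached through the tunnel device.
    for p in "$@"; do
        [ "$(route_dev "$routes" "$p")" = "$tun" ] \
            || { echo "$p is not routed via $tun"; return 1; }
    done
    return 0
}

# Check the document's example table; on a live system pass "$(ip route)" instead.
check_split_tunnel "$SAMPLE_ROUTES" 203.0.113.2 tun0 192.168.100.100 192.168.255.0/24 \
    && echo "split tunnel OK"
```

On a live host, replace the sample with `"$(ip route)"` and the example values with the real gateway address and VPN prefixes from the vpnc configuration.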

To end the current vpnc session use service vpnc stop command. An example is shown below:

root #service vpnc stop
 * Stopping VPNC: vpnc ...                                                [ ok ]

Troubleshooting

Configuration debugging

Use the --debug n command-line option to get more verbose output. The following levels are available:

user $vpnc --help
--debug <0/1/2/3/99>
     Show verbose debug messages
      *  0: Do not print debug information.
      *  1: Print minimal debug information.
      *  2: Show statemachine and packet/payload type information.
      *  3: Dump everything exluding authentication data.
      * 99: Dump everything INCLUDING AUTHENTICATION data (e.g. PASSWORDS).
 conf-variable: Debug<0/1/2/3/99>

Example output of configuration debugging with --debug 1 for a non-working connection session:

root #vpnc --debug 1 /etc/vpnc/vpnc.conf
vpnc version 0.5.3
response was invalid [1]:  (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)

Optionally, enable debug output in the /etc/vpnc/vpnc.conf configuration file by adding the following line at the end:

...

Xauth username larry
debug 2

See also

  • OpenVPN — software that enables the creation of secure point-to-point or site-to-site connections.
  • WireGuard — a modern, simple, and secure VPN that utilizes state-of-the-art cryptography.
  • VPN services

External resources


This page is based on a document formerly found on our main website gentoo.org.
The following people contributed to the original document: David H. Askew, Christian Faulhammer, Thomas Fischer, nightmorph
They are listed here because wiki history does not allow for any external attribution. If you edit the wiki article, please do not add yourself here; your contributions are recorded on each article's associated history page.