Dan Bikle
This page contains a few random notes about a product named "Cisco VPN 5000".
I typed these notes up while installing the product on my Linux box.
Some documentation about this product may be found here:
http://www.cisco.com/univercd/cc/td/doc/product/aggr/vpn5000/client/
The product relies on a configuration file: /etc/vpn_config
And a start/stop script: /etc/rc.d/init.d/vpn
We have links to the start/stop script:
/etc/rc3.d/S85vpn and /etc/rc5.d/S85vpn
The installation script is called: vpn_install
The doc says this:
"To switch between Ethernet and PPP connections, you must reinstall the VPN client and select the appropriate interface."
Once installed, a key shell command is: open_tunnel
Syntax from the manual:
open_tunnel [-e] [-n[port]] [-E] [-D] [-d eth0] [-h] vpn_server user_name
This product has a concept called "Login Method".
I specify which Login Method I want to use.
The options are listed below:
Shared Key
Manual
User
Entrust
This concept has a corresponding key-value pair in the configuration file.
So, the valid key-value pairs are listed below:
LoginMethod SharedKey
LoginMethod Manual
LoginMethod User
LoginMethod Entrust
If LoginMethod is Manual,
I need a root certificate (named in the configuration file).
I specify the root certificate in the file via the key named: "CertName"
Also I might have a manual certificate.
Manual certificates are stored in the /etc/Intraport Client/certificates/root directory.
If LoginMethod is User,
I need a root certificate (named in the configuration file)
and I need a server certificate (named in the configuration file).
So it looks like LoginMethod=User may imply a tighter security policy than
LoginMethod=Manual does.
Again, I specify the root certificate in the file via the key named: "CertName".
I specify user certificate in the file via the key named: "UserCertLocation".
I have two ways to disconnect from the VPN server:
1. Press ^C in the open_tunnel session.
2. issue the close_tunnel shell command.
Here are some key-value pair demos I pulled out of the documentation:
[VPN General Section]
EncryptPasswords = 1
[VPN Partner Aliases]
Alias Name = 2.2.2.2
[VPN Root Cert]
CertName = keonroot.txt
[VPN User]
UserName = zulu
IPPrimary = 1.0.0.0
IPSecondary =
SharedKey =
RADIUSPassword =
PAPAuthSecret =
IPEnabled = 1
ExcludeLocalLAN = 0
UseFTCP = 0
LoginMethod = SharedKey
[VPN User]
UserName = John@whatever.com
IPPrimary = 1.1.1.1
IPSecondary =
SharedKey =
RADIUSPassword =
PAPAuthSecret =
IPEnabled = 1
ExcludeLocalLAN = 0
UseFTCP = 0
LoginMethod = User
UserCertLocation = my12.p12
Here are some other notes I wrote which may or may not be true:
In the config file, I may have more than one [VPN User] section: one for each defined vpn gateway.
IPPrimary = <vpn gateway to connect to>
IPEnabled = True         Enables IP tunneling.
ExcludeLocalLAN = False  Prevents your Linux box from communicating with other systems on your
                         local LAN, thus limiting the potential of break-ins from unsecured systems.
                         You can override this directive with the "-e" option on the command line.
ExcludeDHCP = True       Prevents DHCP requests from being sent through the tunnel.
UseFTCP =                Specifies whether to use NAT Transparency Mode when connecting via a VPN
                         tunnel to the mother ship (set to True on RedHat Linux systems!).
                         "True" enables NAT Transparency mode; "False" disables it.
                         NAT transparency can also be enabled from the command line with the "-n" option.
FTCPDestinationPort = 80 Specifies the FTCP port when UseFTCP = True.
LoginMethod = Shared Key Specifies that your vpn connection will use a shared key password to authenticate.
Another config file demo:
[VPN User]
UserName = jamesBond@hmss.007
IPPrimary = mothership1
IPEnabled = True
ExcludeLocalLAN = False
ExcludeDHCP = True
UseFTCP = True
FTCPDestinationPort = 80
LoginMethod = Shared Key
[VPN User]
UserName = jamesBond@hmss.007
IPPrimary = mothership2
IPEnabled = True
ExcludeLocalLAN = False
ExcludeDHCP = True
UseFTCP = True
FTCPDestinationPort = 80
LoginMethod = Shared Key
[VPN User]
UserName = jamesBond@hmss.007
IPPrimary = mothership3
IPEnabled = True
ExcludeLocalLAN = False
ExcludeDHCP = True
UseFTCP = True
FTCPDestinationPort = 80
LoginMethod = Shared Key
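Since the notes above say each LoginMethod needs particular keys (CertName for Manual, CertName plus UserCertLocation for User) and that a config file may carry several [VPN User] sections, here is a small checker for that layout. This is an added example, not code from these notes or from the Cisco client; the required-key table and the "credential left in the file" rule are this example's assumptions (the demos leave SharedKey, RADIUSPassword and PAPAuthSecret empty and open_tunnel prompts for them), and the sample config is constructed from the demos on this page.

```python
# Added example: checker for the /etc/vpn_config layout shown in the notes.
# Not part of Dan Bikle's notes or of the Cisco VPN 5000 client.
import re
import sys
from collections import defaultdict

# Keys each LoginMethod needs, per the notes.  Assumption: the real client may
# require more than this; the notes only mention these.
REQUIRED = {
    "SharedKey": [],
    "Manual": ["CertName"],                    # root cert, from [VPN Root Cert]
    "User": ["CertName", "UserCertLocation"],  # root cert plus user cert
    "Entrust": [],
}
# Credential keys.  The demos leave them empty and open_tunnel prompts for them,
# so a non-empty value here means a secret is sitting on disk (assumption).
SECRET_KEYS = ("SharedKey", "RADIUSPassword", "PAPAuthSecret")

# Constructed sample, pieced together from the demos on this page.
SAMPLE = """\
[VPN General Section]
EncryptPasswords = 1
[VPN Root Cert]
CertName = keonroot.txt
[VPN User]
UserName = zulu
IPPrimary = 1.0.0.0
SharedKey =
LoginMethod = SharedKey
[VPN User]
UserName = John@whatever.com
IPPrimary = 1.1.1.1
LoginMethod = User
[VPN User]
UserName = jamesBond@hmss.007
IPPrimary = mothership1
SharedKey = vpn4james
LoginMethod = Shared Key
"""


def parse_vpn_config(text):
    """Return {section_name: [dict, ...]} so repeated [VPN User] sections survive.

    configparser would merge or reject duplicate sections, hence the hand parser.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = {}
            sections[m.group(1)].append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError("stray line outside a section: %r" % raw)
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return dict(sections)


def check_users(sections):
    """Return a list of (UserName, problem) findings; an empty list means clean."""
    findings = []
    root = sections.get("VPN Root Cert", [{}])[0]
    for user in sections.get("VPN User", []):
        name = user.get("UserName", "<unnamed>")
        # The docs write the value both as "SharedKey" and "Shared Key".
        method = user.get("LoginMethod", "").replace(" ", "")
        if method not in REQUIRED:
            findings.append((name, "unknown LoginMethod %r" % user.get("LoginMethod")))
            continue
        for key in REQUIRED[method]:
            # CertName may live in [VPN Root Cert] rather than in the user section.
            if not (user.get(key) or root.get(key)):
                findings.append((name, "LoginMethod %s needs %s" % (method, key)))
        for key in SECRET_KEYS:
            if user.get(key):
                findings.append((name, "%s stored in clear text in config" % key))
    return findings


if __name__ == "__main__":
    # Pass a path (e.g. /etc/vpn_config) to check a real file; else use SAMPLE.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, problem in check_users(parse_vpn_config(text)):
        print("%s: %s" % (name, problem))
```

Run against the sample it reports that John@whatever.com is missing UserCertLocation and that jamesBond@hmss.007 has a SharedKey written into the file; zulu passes.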
Here is a screen dump of me running /etc/init.d/vpn start:
[root@localhost bin]# /etc/init.d/vpn start
Starting VPN services: modulesWarning: loading /lib/modules/2.4.18-14/COMPvpn/vpnmod will taint the kernel: no license
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Module vpnmod loaded, with warnings
enable/configure Done
[root@localhost bin]#
Here is a screen dump of me running open_tunnel:
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
[root@localhost bin]# /dan/vpnLinux/bin/open_tunnel -d eth0 -n mothership1 jamesBond@hmss.007
Enter the Shared Key for jamesBond@hmss.007 : vpn4james
Couldn't get IP address for device "eth0" (status 1).
open_tunnel: get_host_ip failed
[root@localhost bin]#
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
oops!
I'm connected via phone, not ethernet; I'll get my device name from ifconfig:
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
[root@localhost bin]#
[root@localhost bin]# ifconfig -a
ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:A0:CC:DE:00:00
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:10 Base address:0xcc00
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:16 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1028 (1.0 Kb) TX bytes:1028 (1.0 Kb)
ppp0 Link encap:Point-to-Point Protocol
inet addr:69.11.77.77 P-t-P:69.11.77.88 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1524 Metric:1
RX packets:81 errors:0 dropped:0 overruns:0 frame:0
TX packets:85 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:23287 (22.7 Kb) TX bytes:5368 (5.2 Kb)
vpn0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MULTICAST MTU:1400 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
[root@localhost bin]#
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
I can see from ifconfig that my device name is: "ppp0"
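The "Couldn't get IP address for device eth0" failure above comes from passing "-d" a device that has no address. Here is an added example, not from these notes or from Cisco, that parses old-style "ifconfig -a" output and picks the devices that would actually work. The selection rule (UP, RUNNING, has an inet addr, and is neither lo nor the client's own vpn0) is this example's assumption; the sample output is the dump above, trimmed.

```python
# Added example: choose a device for open_tunnel's "-d" from "ifconfig -a".
# Not part of Dan Bikle's notes or of the Cisco VPN 5000 client.
import re

# Trimmed copy of the ifconfig dump shown in the notes (values are the page's own).
SAMPLE_IFCONFIG = """\
eth0 Link encap:Ethernet HWaddr 00:A0:CC:DE:00:00
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
ppp0 Link encap:Point-to-Point Protocol
inet addr:69.11.77.77 P-t-P:69.11.77.88 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1524 Metric:1
vpn0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MULTICAST MTU:1400 Metric:1
"""


def parse_ifconfig(text):
    """Return {name: {"inet": addr-or-None, "flags": set()}}.

    Works on the classic net-tools layout: an interface starts on a line
    "<name> Link encap:..." and its details follow (indented or, as in the
    notes' pasted dump, not).
    """
    ifaces = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+Link encap:", line)
        if m:
            current = {"inet": None, "flags": set()}
            ifaces[m.group(1)] = current
            continue
        if current is None:
            continue
        m = re.search(r"inet addr:(\d+\.\d+\.\d+\.\d+)", line)
        if m:
            current["inet"] = m.group(1)
        # Flag line looks like "UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1524 Metric:1".
        m = re.match(r"^((?:[A-Z]+\s+)+)MTU:", line.strip())
        if m:
            current["flags"].update(m.group(1).split())
    return ifaces


def device_problem(ifaces, name):
    """None if "-d name" looks usable, else a short reason."""
    if name not in ifaces:
        return "no such device"
    info = ifaces[name]
    if not info["inet"]:
        return "no IPv4 address"  # this is the get_host_ip failure in the notes
    if not {"UP", "RUNNING"} <= info["flags"]:
        return "not UP and RUNNING"
    return None


def candidate_devices(ifaces, exclude=("lo", "vpn0")):
    """Devices with no problem, in name order, skipping loopback and vpn0."""
    return sorted(
        name for name in ifaces
        if name not in exclude and device_problem(ifaces, name) is None
    )


if __name__ == "__main__":
    # For a live box: parse_ifconfig(subprocess.check_output(["ifconfig", "-a"]).decode())
    ifaces = parse_ifconfig(SAMPLE_IFCONFIG)
    print("eth0:", device_problem(ifaces, "eth0"))   # no IPv4 address
    print("use -d", candidate_devices(ifaces))       # ['ppp0']
```

On the sample it flags eth0 ("no IPv4 address") and offers ppp0, which is the device the retry below uses.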
I retried open_tunnel:
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
[root@localhost bin]# /dan/vpnLinux/bin/open_tunnel -d ppp0 -n mothership1 jamesBond@hmss.007
Enter the Shared Key for jamesBond@hmss.007 : vpn4james
Enter the PAP Authentication Secret for jamesBond@hmss.007 : vpn4james
Enter the RADIUS Password for jamesBond@hmss.007 : seanc
Tunnel open for "jamesBond@hmss.007" as "9.11.19.187" to "9.11.42.74".
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Notice that it did not give me my shell prompt back.
I then tried to ssh to a Linux box that was inside and it worked!