This HOWTO explains connecting to a VPN gateway over IPSec in "cert auth mode" using the Cisco VPN client. "Cert auth mode" refers to the term used in the vpnc man page, i.e. server + client certificates. This mode has not been implemented in vpnc, otherwise we would just use vpnc and avoid the headache that follows. openconnect is another alternative, but it does not support IPSec, only HTTPS/SSL. This HOWTO is written with the aim of providing a single document that describes all the required steps, instead of having to search for many different things on the Internet.
This HOWTO was written from the perspective of an openSUSE 12.1 user, running a 3.1.10-1.9-desktop x86_64 kernel. The author does not claim to be an expert on any terms used, so if you find a mistake then please submit a patch.
The company we are trying to connect to should provide us with some sort of certificate, e.g. certificate.pfx. This is a PKCS12 bundle that contains the CA certificate used to authenticate the server, the client/user certificate, and the client's private key. Save it somewhere on disk, e.g.:
/tmp/certificate.pfx
In order to "compile" (Cisco calls it "install") the Cisco IPSec kernel module (see later section) we need the kernel sources for our distro. In openSUSE 12.1 do the following:
sudo zypper install kernel-source
Make sure the version of kernel-source that will be installed matches the kernel we are currently running, as shown by:
uname -r
When the kernel-source has been installed, execute the following as root:
cd /usr/src/linux-<kernel-version>
make cloneconfig scripts prepare
ln -s /usr/src/linux-<kernel-version>-obj/x86_64/desktop/Module.symvers
Now that the kernel-source has been installed we can download, patch and install the Cisco VPN client with the following steps (as root):
cd /usr/local
wget http://hlavki.eu/download/vpnclient-linux-x86_64-4.8.02.0030-k9.tar.gz
tar -xvzf vpnclient-linux-x86_64-4.8.02.0030-k9.tar.gz
cd vpnclient
wget http://www.fseitz.de/download/vpnclient.patch-2.6.38
wget https://nowhere.dk/files/vpnclient_linux3.0.diff
patch < vpnclient.patch-2.6.38
patch < vpnclient_linux3.0.diff
./vpn_install
Remember to specify the kernel-source directory as /usr/src/linux-<kernel-version>.
The module will be installed to /lib/modules/<kernel-version>/CiscoVPN/cisco_ipsec.ko.
See http://blog.hlavki.eu/2011/12/cisco-vpn-client-on-opensuse-121.html. Thanks a lot for that Michal Hlaváč!
The Cisco VPN client installation suggests starting the vpnclient_init service, so do it:
sudo /etc/init.d/vpnclient_init start
If we get errors such as:
insmod: error inserting '/lib/modules/<kernel-version>/CiscoVPN/cisco_ipsec.ko': -1 Invalid module format
then (1) we compiled/linked the module with the wrong kernel-source or (2) we forgot to symlink the Module.symvers file. We will have to repeat some of the steps above.
See http://forums.fedoraforum.org/showpost.php?p=405087&postcount=19.
The provided PKCS12 certificate should now be imported. The following commands can be used (as root):
cd /opt/cisco-vpnclient/bin
./cisco_cert_mgr -U -op import
Supply the certificate filename, e.g. /tmp/certificate.pfx, as well as the password with which the certificate is locked/encrypted. Next, enter a password that will protect the imported certificate; choose one we will easily remember, since it is needed again when connecting.
View the imported certificate:
./cisco_cert_mgr -U -op view
and provide the number of the corresponding certificate when asked. The certificate information will be displayed. Take note of the "Subject" and "Serial #" fields as they will be required in the next step.
Configure a profile for connecting to CompanyA. Let's call the profile "CompanyA". As root:
cp /etc/opt/cisco-vpnclient/Profiles/sample.pcf /etc/opt/cisco-vpnclient/Profiles/CompanyA.pcf
and change the following properties as follows:
Description=<Our fitting description>
Host=<VPN gateway of CompanyA>
AuthType=3
CertStore=1
CertSubjectName=<Noted subject in previous step>
CertSerialHash=<Noted Serial # in previous step>
Save the file.
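Instead of editing the copied sample.pcf by hand, the profile can be generated from it with a small script. The following is an added example, not part of the original HOWTO or the Cisco client; the sample.pcf contents, the host name, subject and serial are constructed stand-ins, and the helper names are mine.

```shell
#!/bin/sh
# Added example: derive CompanyA.pcf from sample.pcf by rewriting only the
# keys the HOWTO lists, leaving every other key in the sample untouched.
set -eu

# write_profile SAMPLE OUT DESCRIPTION HOST SUBJECT SERIAL
# Keys that are missing from SAMPLE are appended so the result is complete.
write_profile() {
    sample=$1 out=$2 desc=$3 host=$4 subj=$5 serial=$6
    awk -v desc="$desc" -v host="$host" -v subj="$subj" -v serial="$serial" '
        BEGIN {
            want["Description"]     = desc
            want["Host"]            = host
            want["AuthType"]        = 3      # certificate authentication
            want["CertStore"]       = 1      # user certificate store
            want["CertSubjectName"] = subj
            want["CertSerialHash"]  = serial
        }
        /^[A-Za-z]+=/ {
            key = substr($0, 1, index($0, "=") - 1)
            if (key in want) { print key "=" want[key]; seen[key] = 1; next }
        }
        { print }
        END { for (k in want) if (!(k in seen)) print k "=" want[k] }
    ' "$sample" > "$out"
}

# profile_get FILE KEY  ->  prints the value of KEY (first match only)
profile_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Constructed stand-in for /etc/opt/cisco-vpnclient/Profiles/sample.pcf
tmp=$(mktemp -d)
cat > "$tmp/sample.pcf" <<'EOF'
[main]
Description=sample user profile
Host=10.7.44.1
AuthType=1
GroupName=monkeys
EnableISPConnect=0
CertStore=0
EOF

# Subject and serial are placeholders for the values noted from cisco_cert_mgr
write_profile "$tmp/sample.pcf" "$tmp/CompanyA.pcf" "CompanyA IPSec" \
    "vpn.companya.example" "cn=Jane Doe,ou=Staff,o=CompanyA" "01AB"
cat "$tmp/CompanyA.pcf"
```

Run it as root with the real Profiles directory as the output path once the subject and serial from the previous step are filled in.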
The moment of truth has arrived. To connect to the VPN of CompanyA, simply execute:
vpnclient connect CompanyA
assuming /usr/local/bin is in our PATH.
When prompted, provide the certificate password we chose in a previous step as well as our unique username and password that should also have been provided by CompanyA. We should now be connected.
Still had issues with SCP / SFTP working properly (it would hang as soon as I attempted to copy a file), until I found this bug: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1254085
Turns out it's an issue with the VPN client.
Setting the Cisco VPN tunnel interface MTU to 1200 simply solves the issue:
sudo ip li set mtu 1200 dev cipsec0