OK, so I have a minimal Debian Lenny install at home and I want to access my box inside the Uni network. I'm sure it's possible to get things working with a bloated distribution such as Ubuntu, but I want to maintain a minimal Debian distribution. The best lightweight solution I have found comes from Maurice Massar's vpnc - a small application which works with minimal fuss. The sources are downloadable from this page: http://www.unix-ag.uni-kl.de/~massar/vpnc/ However, since I can be such a lazy sod (I gave up running linux-from-scratch eons ago) I'm going to resort to package management again.
aptitude install vpnc
Now, while the software is installed, it doesn't work until we get a config set up so that we can connect to UTas. Where does this information come from? If we walk down to the IT help desk, they will most likely tell us that this software isn't supported under Linux and that we should use the Cisco client under Windows or try installing it under Linux... The Cisco VPN client for Linux, like a lot of other software written to be cross platform, has a few major flaws - firstly, installation may cause hemorrhoids - this is extremely evident on distros such as Ubuntu - the software may or may not require that a specific kernel version, its modules, source and headers be present. This goes a long way to defeating the purpose of repository based package management. If you don't believe me, let me assure you, sleepless nights do ensue; I have had many a 48 hour marathon.
Now if we continue to push the help desk staff they will tell us that there are some files and links on the ITR website - helpful, but really just a short sharp RTFM... and who can blame them. There is a pile of information available for setting up Windows and Mac, loads and loads of screenshots... meh... When I looked at these I felt a little bamboozled, but after a bit of hunting around the important settings leap out. Luckily for us, the Cisco VPN client keeps a profile description file, called a .pcf file, for every connection profile. All we need to do is locate the .pcf file and use it. Luckily this can be obtained from:
This .pcf file will give us the VPN gateway hostname, the Group ID and the group 'secret'. Unfortunately the group secret is a crazy string of characters - it's actually a hexadecimal representation of the key (which is itself formed from a mix of all sorts of messy SHA-1 hashing and triple-DES blah blah blah - google will present the details if it's your cup of tea). While this is partially what we are after, it's not quite there... we require the original plain text version of this password as a setting in our vpnc config. Again, lucky for us, there are cool people who wrote some code to decipher this password. More installations are required; we need to install the libgcrypt-dev package:
sudo aptitude install libgcrypt-dev
The cisco-decrypt.c code is downloadable and will need to be compiled (hopefully you will already have the build essentials installed). The code can be obtained from here:
gcc -Wall -o cisco-decrypt cisco-decrypt.c $(libgcrypt-config --libs --cflags)
Now we need to decrypt the cipher string from the .pcf file and paste the result into our default.conf file. Here's just one way that it can be done:
grep enc_GroupPwd UniofTas.pcf | awk -F= '{print $2 }' | xargs ./cisco-decrypt
Of course I've changed some sections to protect the innocent, but no doubt it's sorta obvious.
vim /etc/vpnc/default.conf
IPSec gateway vpn.utas.edu.au
IPSec ID VPNClient
IPSec secret UTasVPN42
Xauth username username
Xauth password password
Target networks 131.217.0.0/16
If the username and/or password are omitted, vpnc will prompt for them at run time. As the config file stores your credentials in plain text, it is sorta recommended to omit them.
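Putting the steps above together, as an added example that is not from the original post or from vpnc itself: a small POSIX sh helper that pulls Host, GroupName and enc_GroupPwd out of a .pcf file and writes a vpnc config from them. It strips the CRLF line endings .pcf files usually carry (a stray carriage return would otherwise be fed to cisco-decrypt as part of the hex string), runs cisco-decrypt when it is on the PATH and otherwise falls back to vpnc's own "IPSec obfuscated secret" directive, leaves the Xauth lines out so vpnc prompts, and creates the file readable only by its owner. The sample .pcf, its hostname, group name and hex string are all constructed values.

```shell
#!/bin/sh
# Constructed sample .pcf (made-up values, not a real profile). The CRLF endings
# are deliberate: .pcf files come from Windows and usually carry them.
SAMPLE_PCF=$(printf '[main]\r\nDescription=Uni VPN\r\nHost=vpn.example.edu\r\nAuthType=1\r\nGroupName=ExampleGroup\r\nenc_GroupPwd=0123456789ABCDEF\r\nUsername=\r\n')

# pcf_get FILE KEY: print KEY's value with the carriage return removed.
# The key is anchored at line start so GroupPwd does not match enc_GroupPwd.
pcf_get() {
    tr -d '\r' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# pcf_to_vpnc_conf PCF OUT: write a vpnc config built from PCF to OUT.
pcf_to_vpnc_conf() {
    host=$(pcf_get "$1" Host)
    group=$(pcf_get "$1" GroupName)
    enc=$(pcf_get "$1" enc_GroupPwd)
    if [ -z "$host" ] || [ -z "$group" ] || [ -z "$enc" ]; then
        echo "$1: missing Host, GroupName or enc_GroupPwd" >&2
        return 1
    fi
    if command -v cisco-decrypt >/dev/null 2>&1; then
        # Same decryption as the grep|awk|xargs pipeline, minus the stray \r.
        secret_line="IPSec secret $(cisco-decrypt "$enc")"
    else
        # vpnc can decrypt the hex form itself when given it this way.
        secret_line="IPSec obfuscated secret $enc"
    fi
    # The file holds the group secret: create it owner-readable only
    # (umask inside a subshell so the caller's umask is untouched). Xauth
    # username/password are left out on purpose; vpnc prompts for them.
    (
        umask 077
        printf 'IPSec gateway %s\nIPSec ID %s\n%s\n' "$host" "$group" "$secret_line" > "$2"
    )
}

# Demo on the constructed sample; point it at your own .pcf and
# /etc/vpnc/default.conf (as root) for real use.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PCF" > "$dir/uni.pcf"
    pcf_to_vpnc_conf "$dir/uni.pcf" "$dir/default.conf" && cat "$dir/default.conf"
}
```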
Now all you need to do is fire up the connection like this:
sudo vpnc
and to stop it:
sudo vpnc-disconnect
VPN is now working. I'm not sure about the 131.217.0.0/16 network for UTas, but it seems to work for now. If you are reading this sometime in the future, please feel free to let me know what the UTas network address should be... again, I'm too lazy to walk up to the help desk and poke them for more info.