After two days of trying to get access to JStor via Duke’s Cisco VPN from my Linux box, I almost gave up. I battled both the open source vpnc program and the Cisco VPN client. Then, I figured it out. I’m running Ubuntu Gutsy, but I assume it would work on other distributions and versions. Here’s what you’ll need.
First, you will need to install your kernel headers and to remove any existing vpnc. Type:
sudo apt-get install linux-headers-`uname -r`
and
sudo apt-get remove vpnc
Then, go to OIT’s website, and download the OIT VPN Client for Linux from here. Extract the archive using the standard tar zxvf command. This will create a vpnclient folder. Rename it to vpnclient_old.
Then, download the latest version of the Cisco VPN client from this site. You will need to extract the archive again by the usual tar zxvf command. This will create a vpnclient directory, with the latest VPN client in it.
Now, you will need to copy OIT’s profile files and certificate to the new VPN client. The files you need are duke-broadband.pcf, duke-dialup.pcf, duke-wireless.pcf, and rootcert. Copy all four of these files from the vpnclient_old directory to the vpnclient directory.
You can delete the vpnclient_old directory, because OIT’s client doesn’t compile anyway.
Now, go to the vpnclient directory, and run sudo ./vpn_install
It will ask you for the location of your kernel headers. Mine are at /usr/src/linux-headers-2.6.22-14-generic
After you feed it that information, it will compile the client. After compiling it MUST say that * The packaged Root Certificate was imported successfully.
That means that it found OIT’s certificate.
The installer does not properly set up startup options and permissions, so you may want to run the following:
sudo chmod 0777 /etc/opt/cisco-vpnclient/Profiles
sudo chmod 0777 /etc/opt/cisco-vpnclient/Certificates
sudo chmod 0666 /etc/opt/cisco-vpnclient/Profiles/*.pcf
sudo chmod 4755 /opt/cisco-vpnclient/bin/cvpnd
And then set it up to start on boot by:
sudo update-rc.d -f vpnclient_init remove
sudo update-rc.d -f vpnclient_init defaults
Then, start the service by running:
sudo /etc/init.d/vpnclient_init start
You can then run the VPN client by typing:
vpnclient connect duke-broadband
It will ask you for a username and password. The username is your Duke NetID. The password is your Duke password.
That should be it. Now if only someone at OIT would provide support for this issue.
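The chmod commands above leave the Profiles and Certificates directories writable by every local account (0777), make the .pcf profiles world-writable (0666), and set the setuid bit on cvpnd. As an added example (not part of the original post), this shell function lists those conditions so they can be reviewed after installation; the optional PREFIX argument is an assumption introduced here so the check can be pointed at a test tree.

```shell
#!/bin/sh
# Added example: audit the permissions produced by the post's chmod commands.
# Usage: audit_vpn_perms [PREFIX]
#   PREFIX (hypothetical parameter) is prepended to the install paths named in
#   the post, so the function can be run against a copy or a test tree.
# Prints one finding per line; returns 1 if anything is world-writable.
audit_vpn_perms() {
    prefix="${1:-}"
    cfg="$prefix/etc/opt/cisco-vpnclient"
    bin="$prefix/opt/cisco-vpnclient/bin"
    writable=""
    setuid=""

    if [ -d "$cfg" ]; then
        # First find: directories writable by "other" without the sticky bit,
        # where any local user can add, replace or delete profiles and certs.
        # Second find: individual files writable by "other" (the 0666 profiles).
        writable=$(
            find "$cfg" -type d -perm -0002 ! -perm -1000 \
                -exec printf 'WORLD-WRITABLE-DIR %s\n' {} \;
            find "$cfg" -type f -perm -0002 \
                -exec printf 'WORLD-WRITABLE-FILE %s\n' {} \;
        )
    fi

    if [ -d "$bin" ]; then
        # Setuid binaries run with their owner's privileges; list them so the
        # reviewer knows which programs read the files flagged above.
        setuid=$(find "$bin" -type f -perm -4000 \
                     -exec printf 'SETUID %s\n' {} \;)
    fi

    [ -n "$writable" ] && printf '%s\n' "$writable"
    [ -n "$setuid" ] && printf '%s\n' "$setuid"

    # Exit status reflects only the world-writable findings.
    [ -z "$writable" ]
}
```

Call `audit_vpn_perms` with no argument to check the live installation paths used in the post.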
I have searched long and hard for this solution! Thanks for publishing/providing this. I can now return to the cisco client (vpnc worked for many, many months, but lately has been flaky)
Again: Thanks!
rq
There is a problem getting the recent version of VPN Client working on Ubuntu Hardy Heron. However, it is solved with a simple patch. For more details, see this link: http://www.blog.arun-prabha.com/2008/05/01/cisco-vpn-installation-issue-with-ubuntu-804-hardy-heron/
This site was instrumental in helping me to get VPN to install. The other good place is linked below: There’s a patch for 64-bit systems plus the other patch mentioned above.
http://www.lamnk.com/blog/domain/how-to-install-cisco-vpn-client-on-ubuntu-hardy-heron-804/
Information from Duke OIT …
worked perfectly on Xubuntu 9.04
(1) download …
http://www.duke.edu/~kjr10/vpn/vpn-4.8.02.tar.gz
(2) gunzip vpn-4.8.02.tar.gz
(3) tar -xvf vpn-4.8.02.tar
(4) cd vpn
(5) sudo ./vpn_install
answer “yes” for source code path
answer “no” for start VPN on boot
(6) /opt/cisco-vpnclient/bin/cisco_cert_mgr -R -op import
enter “ThawteServerCA.509” when prompted
(7) sudo /etc/init.d/vpnclient_init start
(8) vpnclient connect duke-broadband
enter username and password
… voila! …
[Editor's note: Just tried on Ubuntu Jaunty 64-bit AMD, and it crashed with a seg fault.]
Brent Perdue
09/02/2009
2.6.28-15-generic #49-Ubuntu SMP x86_64 GNU/Linux
Here are the steps I followed in getting vpnc installed
and working with the Duke VPN server.
(1) Start by downloading the tarball of the Cisco VPN client
for Linux from Duke OIT:
http://www.oit.duke.edu/net-security/network/remote/vpn/index.php
Notes: This tarball also includes the Cisco VPN configuration files for the Duke network. These are really the files needed. A NetID username and password is required to download software from Duke OIT.
(2) Extract the contents of the tarball somewhere, and copy the Cisco VPN config files to another directory. I did all the following steps in /usr/local/src, but it is not crucial to put everything there.
mkdir duke-vpn-files
tar xzvf vpn_client_linux_460.tar.gz
cp -v vpnclient/duke-*.pcf duke-vpn-files/
mv -v vpn_client_linux_460.tar.gz duke-vpn-files/
rm -vr vpnclient/
(3) Download the security certificate from Duke OIT, and put it in the duke-vpn-files/ directory:
http://www.oit.duke.edu/net-security/network/remote/vpn/certificate.php
The name of the certificate file upon writing this HOWTO
was ThawteServerCA.509.
(4) By default, vpnc is not compiled with openssl support. To use vpnc with the Duke VPN, openssl is needed. The version of vpnc available in the repositories will not work with the Duke VPN. So, download the source code for vpnc (0.5.3 was the latest version upon writing this HOWTO):
http://www.unix-ag.uni-kl.de/~massar/vpnc/
(5) Dependencies:
– To get vpnc to compile the following packages need to be installed, if they aren’t already. I used synaptic to install the packages that were not already installed.
libgcrypt11
libgcrypt11-dev
libgpg-error0
libgpg-error-dev
openssl
libcurl4-openssl-dev
(6) Compiling and installation:
– Extract the contents of the vpnc tarball somewhere. Again, I put it in /usr/local/src.
tar xzvf vpnc-0.5.3.tar.gz
cd vpnc-0.5.3
– If all the dependencies have been fulfilled by installing the above packages, then the code is ready to compile with one additional step. The Makefile needs to be edited to enable openssl support. Open Makefile in a text editor (I use nano), and uncomment the following lines:
OPENSSL_GPL_VIOLATION = -DOPENSSL_GPL_VIOLATION
OPENSSLLIBS = -lcrypto
– Save the Makefile, close the editor, compile, and install the program:
make
make install
(7) Configuration:
– Now that vpnc is installed, it is time to set up its configuration files to be able to connect to the Duke VPN. This is done by converting the Cisco .pcf configuration files provided by Duke into vpnc configuration files using the ‘pcf2vpnc’ script included in the vpnc distribution. In addition, the Duke security certificate needs to be converted to a form that vpnc can understand by using ‘openssl’.
cd duke-vpn-files/
pcf2vpnc duke-broadband.pcf duke-broadband.conf
openssl x509 -in ThawteServerCA.509 -inform DER -out ThawteServerCA.pem -outform PEM
– The config file needs to be edited to tell vpnc to use the certificate. Open duke-broadband.conf in a text editor, and add the following line at the end:
CA-File /etc/vpnc/ThawteServerCA.pem
– Now copy both the configuration file and the certificate to /etc/vpnc:
sudo cp -v duke-broadband.conf /etc/vpnc
sudo chmod 600 /etc/vpnc/duke-broadband.conf
sudo cp -v ThawteServerCA.pem /etc/vpnc
– Notes: This step (7) can be repeated for any of the other .pcf files: duke-wireless.pcf, duke-dialup.pcf, if needed.
(8) Running the program:
sudo vpnc duke-broadband
Final Notes: I was at a friend’s house when I got this working. He has cable internet. I have Verizon DSL at my apartment and a Westell Versalink 327W modem/router. It turns out that the Westell router can’t handle VPN connections. So, I am out of luck with using this at home unless I change my ISP.
(8) Import the Duke security certificate for both root and user:
For root:
sudo cisco_cert_mgr -R -op import
When prompted for “Enter filename:”, input
/usr/local/src/duke-vpn-files/ThawteServerCA.509
For user:
cisco_cert_mgr -U -op import
Enter filename:
/usr/local/src/duke-vpn-files/ThawteServerCA.509
Import Password:
Password:
Confirm Password:
(9) Connect to the Duke VPN server:
vpnclient connect duke-broadband
Once connected:
ctrl-z
bg
Note: To check IP addresses, type “ifconfig”.
(10) Disconnect from server:
vpnclient disconnect