October 20, 2010

Connecting to a Cisco IPSEC VPN from Linux — without the Cisco client

So, let’s say your workplace uses a Cisco IPSEC VPN solution. Many places do. Let’s also say you at home have a Linux machine. Being the good Linux user that you are, you keep your system well patched and run a recent kernel release.

You download the Cisco VPN client from your corporate website, since of course Cisco would never make such a thing publicly downloadable... who does that anyway?

You extract the tarball, run the vpn_install script as instructed and BAM. The whole thing bombs! Why? Because your system is too cutting edge for the guys at Cisco to keep up with (clearly!). So, your possible solutions are:

1. Dig through a bunch of random internet forums, searching for the right combination of patches and command incantations that will make the damn thing work on your particular OS and kernel version.
2. Ditch the piece of junk altogether and install something nicer.

So which should we do? Alright... let's go with option 1... just kidding, I mean 2.

Enter a wonderful piece of software called vpnc. Now, I’ll be the first to admit I don’t know much about how this particular piece of software works. And that’s the great thing. Getting the VPN connection up and going was just that simple. So here’s how:

1. I presume your company uses a PCF file alongside the Cisco VPN client. If not, you have to figure out how to enter the settings yourself. Get hold of this .pcf file and put it somewhere, say ~/mycompany.pcf.
2. Install vpnc. If you use Ubuntu, this means sudo aptitude install vpnc. Yes, that is all.
3. Download http://svn.unix-ag.uni-kl.de/vpnc/trunk/pcf2vpnc (a small Perl script) and make it executable: chmod +x pcf2vpnc
4. Run ./pcf2vpnc mycompany.pcf mycompany.conf
5. sudo cp mycompany.conf /etc/vpnc/ and then sudo chmod 600 /etc/vpnc/mycompany.conf. The file holds your group secret (and your Xauth password, if the PCF saved it), so nobody but root should be able to read it.
6. sudo vpnc mycompany (vpnc looks for /etc/vpnc/mycompany.conf)
7. There is no step 7!

Oh yeah, at some point you want to disconnect and go do something other than work. For that, use sudo vpnc-disconnect.

I tested this on Ubuntu 10.04, results may vary between distributions.

When running pcf2vpnc you may receive the following message:

Can't exec "cisco-decrypt": No such file or directory at ./pcf2vpnc line 30.
cisco-decrypt not in search path,
adding passwords in obfuscated form

This just means that your VPN configuration will contain the group password in obfuscated form (an "IPSec obfuscated secret" line) instead of plaintext; it does not mean the conversion failed. vpnc de-obfuscates it itself when you connect. Do not mistake obfuscated for encrypted, though: the scheme is reversible (undoing it is exactly what cisco-decrypt does), so treat the .conf as if it held the plaintext secret and keep it readable only by root. If your distribution's vpnc package happens to ship cisco-decrypt, pcf2vpnc will find it and write the plaintext secret instead; the result needs the same protection either way.

Update Oct 19, 2010:
If you receive an error message such as
vpnc: no response from target

you need to add the line

NAT Traversal Mode cisco-udp

to your mycompany.conf file. This makes vpnc use Cisco's proprietary UDP encapsulation (the "IPSec over UDP" setting of the Cisco client, commonly on UDP port 10000) instead of its default, standard NAT-T; it is the same as passing --natt-mode cisco-udp on the command line. If that doesn't help, remember the message only says that no reply ever came back: check that UDP port 500, plus the encapsulation port (4500 for NAT-T, 10000 for cisco-udp), actually reaches the gateway from your network.
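The whole procedure above (convert the .pcf, install the .conf with tight permissions, and add the cisco-udp line from the update) as one runnable piece. This is an added example of mine, not code from the post or from the vpnc project; it is Python rather than pcf2vpnc's Perl so it needs nothing beyond the standard library. The .pcf field names, the vpnc.conf keywords and the EnableNat-to-cisco-udp mapping are assumptions spelled out in the docstring, and the embedded profile is a constructed sample (the hex blob is not a real secret):

```python
#!/usr/bin/env python3
"""Tiny .pcf -> vpnc.conf converter (added example, not vpnc's own pcf2vpnc).

Assumptions, all mine rather than the post's:
  * the .pcf is a Windows INI file with a [main] section whose keys Host,
    GroupName, GroupPwd, enc_GroupPwd, Username, EnableNat and TunnelingMode
    mean what they mean in the Cisco client's profiles;
  * the output keywords are the ones documented in vpnc.conf(5): "IPSec
    gateway", "IPSec ID", "IPSec secret", "IPSec obfuscated secret",
    "Xauth username", "NAT Traversal Mode";
  * EnableNat=1 with TunnelingMode=0 (the client's "IPSec over UDP") is
    mapped to NAT Traversal Mode cisco-udp; that mapping is my heuristic.
The profile below is a constructed sample; the hex blob is not a real secret.
"""
import configparser
import os
import stat
import sys
import tempfile

SAMPLE_PCF = """[main]
Description=Example corporate VPN (constructed sample)
Host=vpn.example.com
AuthType=1
GroupName=examplegroup
GroupPwd=
enc_GroupPwd=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
Username=jdoe
SaveUserPassword=0
EnableNat=1
TunnelingMode=0
"""


def parse_pcf(text):
    """Return the [main] section as a dict with lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text.lstrip("\ufeff"))  # Windows editors may prepend a BOM
    if not cp.has_section("main"):
        raise ValueError("no [main] section: not a Cisco .pcf profile")
    return dict(cp.items("main"))


def pcf_to_vpnc(main):
    """Map the fields vpnc needs onto vpnc.conf lines.

    Like pcf2vpnc without cisco-decrypt, the group password is written in
    its obfuscated form and vpnc de-obfuscates it when connecting. The
    obfuscation is reversible (cisco-decrypt does exactly that), so the
    resulting file must be protected like a plaintext secret.
    """
    missing = [k for k in ("host", "groupname") if not main.get(k)]
    if missing:
        raise ValueError("pcf is missing required field(s): " + ", ".join(missing))
    lines = [
        "## generated from a Cisco .pcf profile (example converter)",
        "IPSec gateway " + main["host"],
        "IPSec ID " + main["groupname"],
    ]
    if main.get("enc_grouppwd"):
        lines.append("IPSec obfuscated secret " + main["enc_grouppwd"])
    elif main.get("grouppwd"):
        lines.append("IPSec secret " + main["grouppwd"])
    else:
        raise ValueError("pcf has neither GroupPwd nor enc_GroupPwd")
    if main.get("username"):
        lines.append("Xauth username " + main["username"])
    # The Xauth password is deliberately not written; vpnc prompts for it.
    if main.get("enablenat") == "1" and main.get("tunnelingmode", "0") == "0":
        lines.append("NAT Traversal Mode cisco-udp")  # the "no response from target" fix
    return "\n".join(lines) + "\n"


def write_conf(path, content):
    """Create the file with mode 0600 from the start; returns the mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return stat.S_IMODE(os.stat(path).st_mode)


def convert_file(pcf_path, conf_path):
    """Read a .pcf, write the vpnc.conf; returns the new file's mode bits."""
    with open(pcf_path, encoding="utf-8", errors="replace") as fh:
        return write_conf(conf_path, pcf_to_vpnc(parse_pcf(fh.read())))


def demo_roundtrip():
    """Convert the constructed sample in a temp dir; returns (mode, conf text)."""
    with tempfile.TemporaryDirectory() as d:
        pcf = os.path.join(d, "mycompany.pcf")
        conf = os.path.join(d, "mycompany.conf")
        with open(pcf, "w") as fh:
            fh.write(SAMPLE_PCF)
        mode = convert_file(pcf, conf)
        with open(conf) as fh:
            return mode, fh.read()


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: pcf2vpnc.py mycompany.pcf /etc/vpnc/mycompany.conf
        print("wrote %s with mode %o" % (sys.argv[2], convert_file(sys.argv[1], sys.argv[2])))
    else:
        print(demo_roundtrip()[1], end="")
```

Run it with no arguments to see what the sample profile turns into; with two arguments it writes the real thing, e.g. sudo ./pcf2vpnc.py ~/mycompany.pcf /etc/vpnc/mycompany.conf, refusing to overwrite an existing file and creating the new one 0600 so there is no window where the secret is world-readable.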