My university, FH Köln Campus Gummersbach, uses Cisco VPN to protect the WLAN traffic with private tunnels. Unfortunately the original Cisco client (especially the Linux version) isn't very stable, likes to disconnect while browsing and, most important for some people, isn't free software.
There are several GUI tools for using the free vpnc package in such cases, but they didn't work out of the box with the given network. Several people figured out the parameters needed for the vpnc client, but the automation of the process with the NetworkManager package did not work on my openSUSE, so I had to modify some parts and also did some cosmetics on the connection script.
The first thing after installing the vpnc package via your distribution's own software management is to place a config file for vpnc (/etc/vpnc/default.conf) with the contents shown below. Make sure you have root rights for all editing actions; calling vpnc later is done as a normal user.
IPSec gateway vpn.fh-koeln.de
IPSec ID FHK-VPN
IPSec secret KoelnerDom
Xauth username YOURVPNNAME
Xauth password YOURVPNPASSWORD
Application Version Cisco Systems VPN Client 4.8.0:Linux
If you need MORE than one Cisco connection for your system, simply change the name from default.conf to anything-else.conf. Oh, and don’t forget to replace the username and password with yours.
Simply typing vpnc on your command line should already do the trick and show the connection message from the VPN service. That way the connection is also usable from foreign networks, so if you need to have a look at internal pages, use this before connecting to the web page.
Since the file contains your password in clear text, make sure /etc/vpnc/default.conf is not readable by any user other than root:
chmod 600 /etc/vpnc/default.conf
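As an added check that is not part of the original post: a small bash function that refuses a vpnc config unless it has no group/other permission bits, belongs to the expected owner (root by default) and no longer contains the YOURVPNNAME/YOURVPNPASSWORD placeholders from the template above. It assumes GNU coreutils stat (Linux); file and owner are parameters so it can be tested on a temporary file.

```shell
#!/bin/bash
# Added example, not part of the original post: sanity-check a vpnc config
# before starting vpnc. The file holds the group secret and the Xauth
# password in clear text, so anything beyond mode 600 leaks credentials
# to every local user. Assumes GNU coreutils 'stat' (Linux).
#
# Usage: check_vpnc_conf [FILE] [OWNER]   (defaults: /etc/vpnc/default.conf, root)
# Returns 0 if the file is acceptable, 1 if it is unsafe or unfinished,
# 2 if it cannot be inspected.
check_vpnc_conf() {
    local conf="${1:-/etc/vpnc/default.conf}"
    local want_owner="${2:-root}"
    local mode owner

    if [ ! -f "$conf" ]; then
        echo "$conf: missing" >&2
        return 2
    fi
    mode=$(stat -c '%a' "$conf") || return 2
    owner=$(stat -c '%U' "$conf") || return 2

    # The octal mode must end in "00": no group or other bits at all (600, 400, ...).
    case "$mode" in
        *00) ;;
        *)
            echo "$conf: mode $mode is too open, want 600" >&2
            return 1
            ;;
    esac

    if [ "$owner" != "$want_owner" ]; then
        echo "$conf: owned by $owner, expected $want_owner" >&2
        return 1
    fi

    # The template from the post still has placeholders; refuse to dial with them.
    if grep -q -e 'YOURVPNNAME' -e 'YOURVPNPASSWORD' "$conf"; then
        echo "$conf: placeholder username/password not replaced" >&2
        return 1
    fi
    return 0
}

# Possible wiring for the dispatcher script: only start vpnc if the check passes.
# check_vpnc_conf && /usr/sbin/vpnc
```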
The second and a bit more complicated thing (at least for me) was the automatic connection to the VPN service when connecting to the FH WLAN, which is the common use case.
NetworkManager has a special configuration folder, /etc/NetworkManager/dispatcher.d, containing scripts that are executed every time a network is disabled and enabled. Place the following script there as /etc/NetworkManager/dispatcher.d/fhk-vpnc.
Users who want a notification message on their desktop also need the libnotify-bin package.
#!/bin/bash
# automatic vpnc connection for networkmanager based linux systems
#
# (c) 2008 Sebastian Janzen - initial Version www.janzen.it
# (c) 2009 Manuel Krischer - modified to work with opensuse 11.1
#
# Modified (2009-01-15)
# - some more debug output in /var/log/messages
# - modified the if-test to work (for me)
# - change the ESSID grab to work with more drivers/cards
# Modified (2009-01-24)
# - added the dbus xorg notifications for all users
# Modified (2009-02-09)
# - added a search for iwconfig, as at least ubuntu and opensuse handle
#   it in different locations.

#General Options for every Dispatcher Script
INTERFACE=$1
ACTION=$2

## ESSID needed to activate connection
ESSID_VPN="PUBLIC-CIT.FH-Koeln.DE"

#where is IWCONFIG, maybe search for binary as root if this doesn't work
#
# ARCH-Linux Users have to use the complete binary path like
# IW_TOOL=/usr/sbin/iwconfig
IW_TOOL=$(which iwconfig)

## PING ADRESSES, uncomment your needed one
PINGIP="139.6.1.130" # Campus Gummersbach
#PINGIP="139.6.1.2"  #IWZ Deutz
#PINGIP="139.6.1.66" #GWZ Südstadt

#Logging stuff
PROGNAME=$(basename "$0")

#Logfunction: everything goes to syslog (/var/log/messages) tagged with the script name
log() {
    echo -e "$*" | logger -t "$PROGNAME"
}

# THIS SEEMS NOT TO WORK RIGHT NOW, BUT SHOULD NOT HARM, TOO
ping_it() {
    #inform only the first user. this is pretty quick&dirty, but most systems are only
    # with one user beside root, so it should work
    USER_TMP="$(users | tr -s " " "\n" | sort | grep -v root --max-count=1)"
    # start xterm window with running ping
    # (double quotes, so USER_TMP and PINGIP are expanded by this script and not
    # looked up, empty, in the user's shell)
    su "$USER_TMP" -c "XAUTHORITY=/home/$USER_TMP/.Xauthority DISPLAY=:0 xterm -e 'ping $PINGIP'"
}

# send a notify-send popup to every logged-in user (needs libnotify-bin)
notify_me() {
    ALL_USER="$(users | sort)"
    USER_LAST=""   # reset per call, otherwise a repeated notification is skipped
    echo Desktop-Message to: $ALL_USER
    for USER_TMP in $ALL_USER; do
        if [ "$USER_TMP" = "$USER_LAST" ]; then
            #if user already notified, continue
            continue
        fi
        su "$USER_TMP" -c "XAUTHORITY=/home/$USER_TMP/.Xauthority DISPLAY=:0 notify-send $1 $2"
        #save last username to avoid double notification
        USER_LAST=$USER_TMP
    done
}

## grab the current ESSID
ESSID=$($IW_TOOL "$INTERFACE" | grep ESSID | cut -d'"' -f2)

## which case?
case "$ACTION" in
    up)
        log "FHK-VPN service"
        log "ESSID needed: $ESSID_VPN"
        log "ESSID found : $ESSID"
        #check for matching ESSID (quoted, so an empty ESSID does not break the test)
        if [ "$ESSID" = "$ESSID_VPN" ]; then
            log "ESSID matching, proceding."
            #disconnect all running vpnc
            log "Close all VPN-connections first.."
            log "$(/usr/sbin/vpnc-disconnect)"
            #kick the pieces out of the system
            log "kill all running vpnc instances..."
            log "$(killall vpnc)"
            #wait for 2 before reestablish the connection
            sleep 2
            log "Try to restart vpnc"
            # keep vpnc's exit status before logging; $? after log would be logger's
            VPNC_OUT="$(/usr/sbin/vpnc)"
            VPNC_RC=$?
            log "$VPNC_OUT"
            #check for errorlevel and notify user
            if [ "$VPNC_RC" -eq 0 ]; then
                notify_me '"FHK-VPNC Service"' '"Du bist jetzt mit dem VPN der FH Köln verbunden..."'
                notify_me '"FHK-VPNC Service"' '"Starte Ping-Verbindungs-Workaround"'
                ping_it
            else
                notify_me '"FHK-VPNC Service"' '"ESSID gefunden, aber ein VPNC Fehler trat auf!"'
                log "Error 3: vpnc failed!"
                exit 3
            fi
        else
            #if the ESSID doesn't match, we're probably in another network and only notify the user about that.
            #This part may be kicked out if someone gets annoyed by the message
            log "Needed ESSID not found, do nothing!"
            notify_me '"FHK-VPNC Service"' '"ESSID stimmt nicht überein, VPN nicht gestartet"'
            exit 0
        fi
        ;;
    down)
        if [ "$(pidof vpnc)" ]; then
            log "$(/usr/sbin/vpnc-disconnect)"
            log "$(killall vpnc)"
        fi
        ;;
    pre-up)
        if [ "$(pidof vpnc)" ]; then
            #I think we don't need that anymore
            log "$(/usr/sbin/vpnc-disconnect)"
            #log "$(killall vpnc)"
        fi
        ;;
    post-down)
        if [ "$(pidof vpnc)" ]; then
            #I think we don't need that anymore
            log "$(/usr/sbin/vpnc-disconnect)"
            # log "$(killall -9 vpnc)"
        fi
        ;;
    *)
        echo "Usage: $0 <DEVICE> {up|down|pre-up|post-down}"
        exit 1
        ;;
esac
Don’t forget to make this one executable with
chmod +x /etc/NetworkManager/dispatcher.d/fhk-vpnc
Now try to connect to the network and see whether something happens in /var/log/messages. If everything works you should see the VPN greeting in this log file.
New: You should now also be notified within your desktop environment via D-Bus.
Open UDP ports 500 and 4500 in your firewall, possibly only for 139.6.0.0/255.255.255.0. Check whether the connection stays open without interruption, especially in high-traffic times around noon. Please report back whether it works for you or not.
iwconfig output to have a „Nickname“ field in the same line with the ESSID, so the grep&cut didn't work. I tried to fix it with a slightly modified code line and hope this did not cause other problems now. That fix also made the call to sed deprecated. — Manuel 2009/01/19 22:42

notify_me(). — Manuel 2009/01/26 13:48

which command does not work in some systems. Please use the /path/to/iwconfig line instead. — Manuel 2009/02/25 16:37

and some hints from Lubomir.