Gentoo Forums
Cisco VPNClient stops working after a few seconds - [SOLVED]
Gentoo Forums Forum Index: Networking & Security
jasn
Guru
Joined: 05 May 2005
Posts: 439
Location: Maryland, US

PostPosted: Thu May 05, 2005 4:36 pm    Post subject: Cisco VPNClient stops working after a few seconds - [SOLVED]

Hi All,

I've moved over to an x86 Gentoo Linux machine for my work laptop. Most everyone at work uses a Win2K or XP desktop, and there are a very few who use Mac OSX as their desktops. I've used the Cisco VPN client on both platforms and it works well. I even have the company provided .pcf Profiles for both platforms.

My problem is now with getting my Gentoo laptop into our corporate intranet (mostly for email), I've emerged the Cisco VPN client successfully, (after searching the threads here and finding a public spot to download the latest client from, 4.6.02.0030), and I can connect using either the Windows or Mac .pcf Profiles. I pull up our internal webpage and it works. I can click on links and surf our intranet, for about 30 seconds.. Afterwards I can't find any internal webpages anymore, and if I had clicked on something during this period when the connection stops, I get timeouts.. I'm a little curious as to whether or not our IT department's configuration of the VPN server "kicks" any "unauthorized" Linux boxes off of the net, after a set amount of time. When I asked our IT group about supporting a Linux laptop, they mentioned that they don't suggest it, as they require all Linux boxes at HQ, (I'm in the field), to have root access, (and to explicitly deny the person using the box root access), at least for now.

I'm curious if anyone has any experience with the Cisco VPN client, and whether or not this "kicking off" scenario makes sense. Is there something I can try editing my .pcf profile with to try and stay connected? I looked at both the Windows and OSX .pcf files, and I can't notice anything especially different between them. I tried the ForceKeepAlives=1 option as another thread here suggested, but it did nothing for me. The reason I did this is because while the Windows client connects, the connection process checks to see if they have the IT supplied Firewall software running. If it doesn't, then in the notification message, they alert you that you should have it running, but they don't stop the connection. For the OSX platform, there is no check, and no notification, beyond the standard VPN message. (That's why I thought I could make this connection using the Mac .pcf..)

Thanks


Last edited by jasn on Fri Jul 08, 2005 6:03 pm; edited 1 time in total
Praxxus
Apprentice
Joined: 26 Nov 2002
Posts: 193
Location: Indiana, US

PostPosted: Thu May 05, 2005 8:54 pm    Post subject: Suggestion:

Jasn,

I recommend you experiment with ditching the Cisco client entirely. In my experience, their Linux client has been like unto a pile of garbage. I use the "vpnc" client for Cisco 3000 VPN Concentrators, and it has been working really well for me. Its one big flaw right now is that it doesn't support rekeying, but our concentrator at work is set to rekey every 8 hours (the Cisco default). That's a lot better than 30 seconds! VPNC has the added bonus of letting you access the rest of the internet while you've got a VPN session going with work.

I had to write some scripts around it to make sure that traffic got sent to the right place, but that's easy to do, and I'd be glad to help you if you need it. There is also a decent front-end for KDE, kvpnc. Both of these apps are in Portage.

Note that you'll need your "Group" password to use vpnc. Fortunately, the vpnc homepage has a link to a password decoder(!) that can get that out of the way for you.

As for the kicking, I don't remember off the top of my head if you can configure the concentrators to do that. I'll have to double check. But my initial hunch is that the Linux client is junk. :-P
_________________
My glaucoma just got worse!
[Lx]-=Mystify=-
Apprentice
Joined: 16 Mar 2004
Posts: 180

PostPosted: Thu May 05, 2005 9:54 pm

Praxxus wrote:
In my experience, their Linux client has been like unto a pile of garbage.

That's exactly my experience, but the Windows version is not better...
I do tutoring for about 60 people in our hostel at university... all Windows, and the Cisco VPN client causes a lot of problems...

Praxxus wrote:
VPNC has the added bonus of letting you access the rest of the internet while you've got a VPN session going with work.

The Cisco VPN client lets you do this too, but you have to modify the profile, because the default profile delivered by Cisco disables LAN access...

With vpnc I haven't had any problems until now... maybe rekeying will be implemented if enough people ask for it... the mail address of the guy who is developing it is vpnc (at) unix-ag.uni-kl.de...


I call on everyone who uses vpnc to write him an email asking him to please implement rekeying...
Praxxus
Apprentice
Joined: 26 Nov 2002
Posts: 193
Location: Indiana, US

PostPosted: Fri May 06, 2005 1:44 pm

[Lx]-=Mystify=- wrote:
I call on everyone who uses vpnc to write him an email asking him to please implement rekeying...

An excellent suggestion! Will do.
_________________
My glaucoma just got worse!
jasn
Guru
Joined: 05 May 2005
Posts: 439
Location: Maryland, US

PostPosted: Fri May 06, 2005 2:34 pm    Post subject: Re: Suggestion:

Praxxus wrote:
Jasn,

I recommend you experiment with ditching the Cisco client entirely. In my experience, their Linux client has been like unto a pile of garbage. I use the "vpnc" client for Cisco 3000 VPN Concentrators, and it has been working really well for me.


Thanks for this. I actually have been trying to get vpnc to work for me. I find that the documentation is almost non-existent though. But through googling, this is what I have done:

1) Rebuilt kernel (2.6.11 r7) with TUN module support
2) modprobe tun
3) edited /etc/vpnc.conf to include just; VPN server IP, Groupname, GroupPW, and Username
4) ran vpnc-connect. It asks me for my password and then connects me..

My problem is that my routing doesn't seem to be working. I gather I may need to do a "route add" command. But I'm lost on exactly what I should type. I read somewhere and tried "route add -net default dev tun0" but it didn't work. A route -n shows that I have a route for eth0 that has as its destination my VPN server IP, but my local LAN gateway IP. That can't be right. Can anyone help?
Praxxus
Apprentice
Joined: 26 Nov 2002
Posts: 193
Location: Indiana, US

PostPosted: Fri May 06, 2005 2:55 pm

Here are my vpnc scripts, which I hacked up from the ones that came with vpnc. I set it up so that ONLY the traffic for my work subnet ($vpn_subnet) goes over the tunnel. You'll need the "iproute" package to get "ip" installed.

Connect:
Code:
#!/bin/bash
# vpnc runs this script itself (via --script) once the tunnel is up, with
# TUNDEV, VPNGATEWAY and INTERNAL_IP4_ADDRESS in the environment.  Run it by
# hand (no VPNGATEWAY set) and it starts vpnc for you.

defr=/var/run/vpnc/default_route
gate=/var/run/vpnc/gateway
pid=/var/run/vpnc/pid
mytun=/var/run/vpnc/tundev
myconf=/etc/vpnc.conf
vpnc=/usr/bin/vpnc
vpn_subnet="xxx.xxx.xxx.0/20"      # work subnet that goes over the tunnel
extra_ip="xxx.xxx.xxx.xxx/32"      # one extra host routed through the tunnel
iptables="/sbin/iptables"

PID="$(cat "$pid" 2> /dev/null)"

# Turn the output of 'ip route get' into arguments 'ip route add' accepts.
fix_ip_get_output () {
        sed 's/cache//;s/metric \?[0-9]\+ [0-9]\+//g' | xargs echo
}

# Not called by vpnc yet: refuse to start twice, then hand over to vpnc,
# which re-invokes this script with the tunnel variables set.
if [ -z "$VPNGATEWAY" ] ; then
        if [ "$PID" ] && kill -0 "$PID" > /dev/null 2>&1; then
                echo "vpnc found running (pid: $PID, pidfile: $pid)"
                exit 1
        fi

        exec "$vpnc" --pid-file "$pid" --script "$0" "$@" "$myconf" || exit 1
fi

# Bring the tunnel device up as a point-to-point link with a reduced MTU.
ifconfig "$TUNDEV" inet "$INTERNAL_IP4_ADDRESS" \
        pointopoint "$INTERNAL_IP4_ADDRESS" \
        netmask 255.255.255.255 mtu 1412 up
# Pin the route to the VPN gateway on the physical interface ...
ip route add $(ip route get "$VPNGATEWAY" | fix_ip_get_output)
# ... remember the current default route (it is left untouched) ...
ip route | grep '^default' | fix_ip_get_output > "$defr"
# ... and send only the work subnet and the extra host through the tunnel.
ip route add to "$vpn_subnet" dev "$TUNDEV"
ip route add to "$extra_ip" dev "$TUNDEV"
ip route flush cache
echo "$VPNGATEWAY" > "$gate"
echo "$TUNDEV" > "$mytun"

# Optional: let the LAN behind eth1 reach the tunnel (this box is a gateway).
$iptables -A FORWARD -i "$TUNDEV" -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i eth1 -o "$TUNDEV" -j ACCEPT
$iptables -t nat -A POSTROUTING -o "$TUNDEV" -j MASQUERADE
exit 0


Note that in addition to my work subnet, there is an extra IP address routed through the tunnel. That's because work has a subscription to Safari, and it's nice to have access to that from home. :wink:

I also have some iptables rules at the end (optional), since I run the VPN from my firewalled gateway machine at home.


Disconnect:
Code:
#!/bin/bash
# Tears down the vpnc tunnel started by the connect script and removes the
# routes and firewall rules it added.

defr=/var/run/vpnc/default_route
gateway=/var/run/vpnc/gateway
pid=/var/run/vpnc/pid
mytun=/var/run/vpnc/tundev
VPN_SUBNET="xxx.xxx.xxx.0/20"      # not deleted explicitly: routes on the
extra_ip="xxx.xxx.xxx.xxx/32"      # tunnel device vanish with the device
iptables="/sbin/iptables"

if [ $# -ne 0 ]; then
        echo "Usage: $0" 1>&2
        exit 1
fi

PID=$(cat "$pid" 2> /dev/null)
TUNDEV=$(cat "$mytun" 2> /dev/null)

if [ -z "$PID" ] || ! kill -0 "$PID" > /dev/null 2>&1; then
        echo "no vpnc found running"
        exit 1
fi

echo "Terminating vpnc daemon (pid: $PID)"
kill "$PID"

# Drop the host route to the VPN gateway that the connect script pinned.
if [ -r "$defr" ]; then

        if [ -r "$gateway" ] ; then
                ip route del $(cat "$gateway")
        fi

        ip route flush cache
fi

rm -f -- "$defr" "$pid" "$gateway" "$mytun"

# Remove the forwarding/NAT rules again (mirror of the connect script).
$iptables -D FORWARD -i "$TUNDEV" -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -D FORWARD -i eth1 -o "$TUNDEV" -j ACCEPT
$iptables -t nat -D POSTROUTING -o "$TUNDEV" -j MASQUERADE


exit 0


Note the removal of the iptables rules.

When tun0 is taken down by killing vpnc, all the associated routing info gets cleared when you flush the cache.

Hope these help!
_________________
My glaucoma just got worse!
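A more generic version of the same split-tunnel idea, added here as an example; it is neither Praxxus's script nor part of vpnc. It follows the vpnc-script calling convention (vpnc runs the script with $reason set to connect or disconnect and exports TUNDEV, VPNGATEWAY and INTERNAL_IP4_ADDRESS), strips the uid token that newer ip route get output carries, and takes a whitespace-separated list of subnets instead of one subnet plus one host. The subnet values, the state directory and the DRYRUN / GATEWAY_ROUTE_SAMPLE switches are my assumptions; with DRYRUN=1 it prints the commands it would run instead of executing them, so it can be checked without root.

```shell
#!/bin/sh
# Added example (not from the thread): split-tunnel vpnc-script.
# vpnc sets $reason to connect/disconnect and exports TUNDEV, VPNGATEWAY,
# INTERNAL_IP4_ADDRESS.  Subnets and paths below are placeholders.

VPN_SUBNETS="${VPN_SUBNETS:-10.20.0.0/20 10.30.5.7/32}"   # placeholder subnets
STATE_DIR="${STATE_DIR:-/var/run/vpnc}"
MTU="${MTU:-1412}"

# With DRYRUN set, print the command instead of running it.
run() {
        if [ -n "$DRYRUN" ]; then echo "$*"; else "$@"; fi
}

# Turn 'ip route get <gw>' output into arguments for 'ip route add':
# drop the 'cache' marker, metric and uid tokens, and join the lines.
route_get_to_add() {
        sed 's/ cache//;s/metric *[0-9]* *[0-9]*//g;s/ uid [0-9]*//' | xargs echo
}

# Host route pinning the VPN gateway to the physical interface, so that
# traffic to the gateway is never sent into the tunnel itself.
gateway_host_route() {
        if [ -n "$DRYRUN" ]; then
                printf '%s\n' "$GATEWAY_ROUTE_SAMPLE"   # constructed sample (dry-run)
        else
                ip route get "$VPNGATEWAY"
        fi | route_get_to_add
}

do_connect() {
        run mkdir -p "$STATE_DIR"
        run ip link set dev "$TUNDEV" up mtu "$MTU"
        run ip addr add "$INTERNAL_IP4_ADDRESS" peer "$INTERNAL_IP4_ADDRESS/32" dev "$TUNDEV"
        run ip route add $(gateway_host_route)
        # Only the listed networks go through the tunnel; the default route stays.
        for net in $VPN_SUBNETS; do
                run ip route add "$net" dev "$TUNDEV"
        done
        run ip route flush cache
        [ -n "$DRYRUN" ] || printf '%s\n' "$VPNGATEWAY" > "$STATE_DIR/gateway"
        [ -n "$DRYRUN" ] || printf '%s\n' "$TUNDEV" > "$STATE_DIR/tundev"
}

do_disconnect() {
        gw=$(cat "$STATE_DIR/gateway" 2>/dev/null || true)
        if [ -n "$gw" ]; then
                run ip route del "$gw"          # the pinned gateway host route
        fi
        for net in $VPN_SUBNETS; do
                run ip route del "$net" dev "$TUNDEV"
        done
        run ip route flush cache
        [ -n "$DRYRUN" ] || rm -f "$STATE_DIR/gateway" "$STATE_DIR/tundev"
}

case "${reason:-}" in
        connect)    do_connect ;;
        disconnect) do_disconnect ;;
        *)          ;;   # pre-init / reconnect need nothing here
esac
```

Point vpnc at it with `--script /path/to/this-script` (or the `Script` option in vpnc.conf); a quick check is `DRYRUN=1 reason=connect TUNDEV=tun0 VPNGATEWAY=<gw> INTERNAL_IP4_ADDRESS=<addr> GATEWAY_ROUTE_SAMPLE="$(ip route get <gw>)" sh this-script` to see the exact route commands before letting it touch the routing table.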
jasn
Guru
Joined: 05 May 2005
Posts: 439
Location: Maryland, US

PostPosted: Fri May 06, 2005 11:50 pm

Praxxus wrote:
Here are my vpnc scripts, which I hacked up from the ones that came with vpnc.


Praxxus,

Thanks for all the help. I'm sure that in the hands of someone more knowledgeable, it would have been sufficient. Unfortunately I wasn't able to get vpnc to work. I get a connection but my routing doesn't seem to work correctly. I tried both the installed vpnc-connect script and yours, but I just don't know enough about the networking configuration in Linux to know how to setup the routing. So until someone knows what the Cisco client may be doing and can offer a suggestion with that software here, or I spend some time learning enough to be able to configure vpnc to work (maybe someone will come up with a clear vpnc HowTo), I'm back to using the XP Cisco client, and Outlook for now..
micmac
l33t
Joined: 28 Nov 2003
Posts: 996

PostPosted: Sat May 07, 2005 2:46 am

Hi!

I didn't want binary crap in my Gentoo, so I started using vpnc. I put together an init script and a watchdog in case the connection somehow breaks. Here we go:

/etc/init.d/vpn:
Code:
#!/sbin/runscript
# Gentoo init script: bring the vpnc tunnel up once the LAN interface is up.
depend() {
        need net.eth0
}

start() {
        ebegin "Starting VPN"
        sleep 2
        /usr/bin/vpnc-connect || { eend $? "vpnc-connect failed"; return 1; }
        # vpnlink is the tunnel interface name from vpnc.conf; lower its MTU
        ifconfig vpnlink mtu 1330
        eend $?
}

stop() {
        ebegin "Stopping VPN"
        /usr/bin/vpnc-disconnect
        rc=$?
        sleep 2
        eend $rc
}


/etc/init.d/vpnwatchdog:
Code:
#!/sbin/runscript

depend() {
        after shorewall
}

start() {
        ebegin "Starting vpnwatchdog"
        start-stop-daemon       --start \
                                --background \
                                --make-pidfile \
                                --pidfile /var/run/vpnwatchdog.pid \
                                --exec $WATCHDOG
        eend $? "Failed to start vpnwatchdog."
}

stop() {
        ebegin "Stopping vpnwatchdog"
        start-stop-daemon --stop --pidfile /var/run/vpnwatchdog.pid
        eend $? "Failed to stop vpnwatchdog."
}


/etc/conf.d/vpnwatchdog:
Code:
# Path to the VPN watchdog shellscript:
WATCHDOG="/usr/local/bin/vpnwatchdog.sh"


vpnwatchdog.sh:
Code:
#!/bin/bash
# Every 60 seconds send one ping (40 s deadline) to a host on the internet;
# if it fails, take the network down and bring it back up through shorewall.
while sleep 60; do

        ping www.xxx.yyy.zzz -c 1 -w 40 >/dev/null 2>&1 && RUN=1

        if [ -z "$RUN" ]; then
                logger -i -t vpnwatchdog -p local0.info "initializing full internet connection restart"
                /etc/init.d/net.eth0 stop >/dev/null 2>&1
                /etc/init.d/shorewall start >/dev/null 2>&1
        fi
        unset RUN
done

The watchdog sends one ping to an internet machine (www.xxx.yyy.zzz) every 60 seconds to see if the connection is alive. If that's not the case the whole internet stuff is shutdown and afterwards restarted.
Maybe you can use it, too. The watchdog script is derived from a watchdog for VDR. There's an ebuild from which I got it.

Cheers

mic
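A watchdog that tells the two failure cases apart, added here as an example (not micmac's script): it probes one host that is only reachable through the tunnel and one that is reachable without it, and restarts just the VPN when the uplink is fine, or the whole stack when the uplink itself is gone. The probe hosts, the init script names and the thresholds are assumptions; the decision logic is in its own function so it can be checked without a network.

```shell
#!/bin/sh
# Added example (not from the thread): layered VPN watchdog.
# Hosts, init scripts and timings below are placeholders.

VPN_PROBE="${VPN_PROBE:-intranet.example.internal}"   # only reachable via the tunnel
INET_PROBE="${INET_PROBE:-198.51.100.1}"               # reachable without the tunnel
INTERVAL="${INTERVAL:-60}"        # seconds between rounds
MAX_FAILS="${MAX_FAILS:-2}"       # consecutive failed rounds before acting

# probe HOST -> success if one ping gets an answer within 10 seconds.
probe() {
        ping -c 1 -w 10 "$1" >/dev/null 2>&1
}

# decide VPN_OK INET_OK (1 = reachable, 0 = not) -> prints the action.
# A dead uplink takes the tunnel with it, so it is checked first.
decide() {
        vpn_ok=$1; inet_ok=$2
        if [ "$inet_ok" -eq 0 ]; then
                echo restart-net
        elif [ "$vpn_ok" -eq 0 ]; then
                echo restart-vpn
        else
                echo none
        fi
}

act() {
        case "$1" in
        restart-net)
                logger -i -t vpnwatchdog -p local0.info "uplink down, restarting net.eth0 and vpn"
                /etc/init.d/vpn stop >/dev/null 2>&1
                /etc/init.d/net.eth0 restart >/dev/null 2>&1
                /etc/init.d/vpn start >/dev/null 2>&1 ;;
        restart-vpn)
                logger -i -t vpnwatchdog -p local0.info "tunnel down, restarting vpn"
                /etc/init.d/vpn restart >/dev/null 2>&1 ;;
        esac
}

watchdog_loop() {
        fails=0
        while sleep "$INTERVAL"; do
                if probe "$VPN_PROBE"; then vpn=1; else vpn=0; fi
                if probe "$INET_PROBE"; then inet=1; else inet=0; fi
                action=$(decide "$vpn" "$inet")
                if [ "$action" = none ]; then
                        fails=0
                else
                        fails=$((fails + 1))
                        # Act only after MAX_FAILS rounds in a row, so one lost
                        # ping does not tear the connection down.
                        if [ "$fails" -ge "$MAX_FAILS" ]; then
                                act "$action"
                                fails=0
                        fi
                fi
        done
}

# Start the loop only when invoked as 'vpnwatchdog.sh run'.
if [ "${1:-}" = run ]; then
        watchdog_loop
fi
```

With the init script above, pass the argument through start-stop-daemon (`--exec $WATCHDOG -- run`). Restarting only the tunnel when the uplink still answers avoids dropping every other connection on the box each time the VPN session alone dies.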
Slavo
Apprentice
Joined: 26 May 2005
Posts: 229

PostPosted: Wed Jun 01, 2005 6:19 pm

does it work when you add the scripts in /etc/init.d/..
to the default runlevels?

and where is that file vpnwatchdog.sh located?
Slavo
Apprentice
Joined: 26 May 2005
Posts: 229

PostPosted: Wed Jun 01, 2005 6:56 pm

and also I did exactly the same as you did
in the vpn script:
Code:
/usr/bin/vpnc-connect /usr/net/xyz.conf #my vpnc config file

and deleted the line with ifconfig since I have no idea what that is - and it writes:
Code:
/etc/init.d/vpnwatchdog start
* ERROR: "/etc/init.d/vpnwatchdog" has syntax errors in it; not executing...

and the same for the vpn script

any idea why?
micmac
l33t
Joined: 28 Nov 2003
Posts: 996

PostPosted: Wed Jun 01, 2005 7:19 pm

Slavo wrote:
does it work when you add the scripts in /etc/init.d/..
to the default runlevels?

and where is that file vpnwatchdog.sh located?


Its location must be what you write down in /etc/conf.d/vpnwatchdog (look above).
In case you don't use shorewall (a firewall) you have to change a line in vpnwatchdog.sh:
Code:
/etc/init.d/shorewall start >/dev/null 2>&1

to
Code:
/etc/init.d/vpn start >/dev/null 2>&1


And yes, add both vpn and vpnwatchdog to your default runlevel.


Last edited by micmac on Wed Jun 01, 2005 7:23 pm; edited 2 times in total
Slavo
Apprentice
Joined: 26 May 2005
Posts: 229

PostPosted: Wed Jun 01, 2005 7:21 pm

got that one :)
any idea why it writes me syntax error?
I just pasted the source code and did chmod 700 /etc/init.d/vpn
micmac
l33t
Joined: 28 Nov 2003
Posts: 996

PostPosted: Wed Jun 01, 2005 7:26 pm

Code:
ifconfig vpnlink mtu 1330
just changes the MTU of your vpn device.
Slavo
Apprentice
Joined: 26 May 2005
Posts: 229

PostPosted: Wed Jun 01, 2005 7:27 pm

I have no idea what that is
micmac
l33t
Joined: 28 Nov 2003
Posts: 996

PostPosted: Wed Jun 01, 2005 7:28 pm

Oh, and because you apparently don't use shorewall, you have to edit /etc/init.d/vpnwatchdog:
Code:
after shorewall

to
Code:
after vpn


That may get rid of the "syntax error" message. MTU = Maximum Transfer Unit. 1300 is pretty standard for vpn afaik. Your VPN provider should be able to tell you the proper number. If the MTU is too big you should see messages about "too many packets" or "too large packets" in your syslog and the connection should become unstable.
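One way to find the right number instead of guessing, added here as an example (not from the thread): send pings with the Don't Fragment bit set (`ping -M do` on Linux iputils) and binary-search the largest payload that still gets through; the path MTU is that payload plus 28 bytes of IPv4 and ICMP headers. The host, the search bounds and the injectable probe function are my assumptions; the probe is a parameter so the search can be checked offline with a fake one.

```shell
#!/bin/sh
# Added example (not from the thread): path MTU probe with DF-marked pings.
# Usage: mtuprobe.sh HOST     (HOST is a placeholder; run with network access)

# ICMP payload -> IPv4 MTU: 20 bytes IPv4 header + 8 bytes ICMP header.
mtu_from_payload() {
        echo $(( $1 + 28 ))
}

# probe_df HOST SIZE -> success if a DF-marked ping of SIZE bytes is answered.
# -M do forbids fragmentation, so an oversized packet fails instead of
# being silently split somewhere along the path.
probe_df() {
        ping -c 1 -w 5 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_max_payload HOST LO HI [PROBE] -> largest payload in [LO,HI] that passes.
# Fragmentation is monotonic in size, so a binary search is enough.
# PROBE defaults to probe_df; a fake probe can be passed for testing.
find_max_payload() {
        host=$1; lo=$2; hi=$3; probe=${4:-probe_df}
        best=0
        while [ "$lo" -le "$hi" ]; do
                mid=$(( (lo + hi) / 2 ))
                if "$probe" "$host" "$mid"; then
                        best=$mid; lo=$(( mid + 1 ))
                else
                        hi=$(( mid - 1 ))
                fi
        done
        echo "$best"
}

# path_mtu HOST [PROBE] -> MTU; 1472 is the largest payload on a 1500-byte link.
path_mtu() {
        payload=$(find_max_payload "$1" 500 1472 "${2:-probe_df}")
        mtu_from_payload "$payload"
}

if [ -n "${1:-}" ]; then
        echo "path MTU to $1: $(path_mtu "$1")"
fi
```

Run it against a host on the far side of the tunnel while the VPN is up, then set the tunnel interface's MTU to the reported value (or a little below it); a too-large MTU shows up exactly as the unstable connection and the oversized-packet messages described above.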
Slavo
Apprentice
Joined: 26 May 2005
Posts: 229

PostPosted: Wed Jun 01, 2005 7:36 pm

still same
here is the code:
Code:
#!/sbin/runscript
depend() {
        need net.eth0
}

start() {
        ebegin "Starting VPN"
        sleep 2
        /usr/bin/vpnc-connect /usr/net/xyz.conf
        ifconfig vpnlink mtu 1330
        eend $?
}

stop() {
        ebegin "Stopping VPN"
        /usr/bin/vpnc-disconnect
        sleep 2
        eend $?
}

and after I type:
Code:
# /etc/init.d/vpn start
* ERROR: "/etc/init.d/vpn" has syntax errors in it; not executing...

why is that????
micmac
l33t
Joined: 28 Nov 2003
Posts: 996

PostPosted: Wed Jun 01, 2005 7:42 pm

I don't know. I checked and I have exactly the same script and it totally works. The permissions are correct, right? Can you see any additional info in dmesg after the error occurs?

Last edited by micmac on Wed Jun 01, 2005 7:44 pm; edited 1 time in total
Slavo
Apprentice
Joined: 26 May 2005
Posts: 229

PostPosted: Wed Jun 01, 2005 7:43 pm

This I don't know, I haven't worked with that, I just copied chmod 700 from somewhere :P
What are yours?
micmac
l33t
Joined: 28 Nov 2003
Posts: 996

PostPosted: Wed Jun 01, 2005 7:45 pm

Slavo wrote:
This I don't know, I haven't worked with that, I just copied chmod 700 from somewhere :P
What are yours?


Same perms as the other scripts have.
Code:
ls -lh /etc/init.d
will tell you.
Slavo
Apprentice
Joined: 26 May 2005
Posts: 229

PostPosted: Wed Jun 01, 2005 7:46 pm

yeah you are right, that's probably the error:
btw why do you also have a net.eth0 restart in the watchdog?
Slavo
Apprentice
Joined: 26 May 2005
Posts: 229

PostPosted: Wed Jun 01, 2005 7:47 pm

so now the problem is how to change permissions, but that's probably another topic .....
micmac
l33t
Joined: 28 Nov 2003
Posts: 996

PostPosted: Wed Jun 01, 2005 7:49 pm

Slavo wrote:
yeah you are right, that's probably the error:
btw why do you also have a net.eth0 restart in the watchdog?

Either your vpn connection or your dhcp connection can break. That's why I restart both in order to be sure that it works after the restart.
micmac
l33t
Joined: 28 Nov 2003
Posts: 996

PostPosted: Wed Jun 01, 2005 7:51 pm

Slavo wrote:
so now the problem is how to change permissions, but that's probably another topic .....

:)

Code:
chmod 755 /etc/init.d/vpn

Code:
chmod 755 /etc/init.d/vpnwatchdog
Slavo
Apprentice
Joined: 26 May 2005
Posts: 229

PostPosted: Wed Jun 01, 2005 7:56 pm

thanks, it helped but I still have the same error :(
micmac
l33t
Joined: 28 Nov 2003
Posts: 996

PostPosted: Wed Jun 01, 2005 8:08 pm

Slavo wrote:
thanks, it helped but I still have the same error :(


Grab it from here:

Code:
w/vpn

Put it in /etc/init.d, change perms and try again. Maybe you just messed up the lines in your script.

Cheers
mic


Last edited by micmac on Wed Jun 01, 2005 8:28 pm; edited 1 time in total
Page 1 of 2