Cisco VPN Client

[synack1337]

othrer than a workaround, sadly no.


I was able to get proper checksum'd udp packets by compiling iptables into the kernel and doing an any any outbound rule. and everything works now.

I guess this should be mentioned to one of the maintainers for either the net code or driver code for 3c59x on 2.6.x. Not sure of the best way to go about it..


-"snizack"

[kamilian]

On the topic of the Cisco VPN Client, has anyone else had this problem show up? Better yet, anyone know how to fix it? (The best I could find for something similar was to install lib-compat and I have lib-compat-1.3 installed).

Code: Select all

Cobra root # vpnclient connect ic
Cisco Systems VPN Client Version 4.0.3 (B)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.3-gentoo-r1 #1 Sun Feb 22 16:29:28 GMT 2004 i686

cvpnd: relocation error: cvpnd: symbol _res, version GLIBC_2.0 not defined in file libc.so.6 with link time reference

Could this be an issue with 2.6 kernel headers? NPTL? Other?
I have both 2.6 kernel headers installed and nptl enabled in glibc.

Code: Select all

Cobra root # etcat -v linux-headers
*  sys-kernel/linux-headers-2.6.0 :
        [  I] 2.6.0 (0) OVERLAY

Code: Select all

Cobra root # etcat -u glibc
 U I [ Found these USE variables in : sys-libs/glibc-2.3.2-r3 ]
 + + nls   : unknown
 - - pic   : unknown
 - - build : !!internal use only!! ....
 + + nptl  : unknown

My relevant emerge info:

Code: Select all

Cobra root # emerge --info
Portage 2.0.50-r1 (default-x86-1.4, gcc-3.3.2, glibc-2.3.2-r3, 2.6.3-gentoo-r1)
=================================================================
System uname: 2.6.3-gentoo-r1 i686 Intel(R) Pentium(R) 4 CPU 2.66GHz
Gentoo Base System version 1.4.3.13
Autoconf: sys-devel/autoconf-2.58-r1
Automake: sys-devel/automake-1.7.7
CFLAGS="-march=pentium4 -mmmx -msse -msse2 -mfpmath=sse -Os -pipe"

[X-Frog]

othrer than a workaround, sadly no.


I was able to get proper checksum'd udp packets by compiling iptables into the kernel and doing an any any outbound rule. and everything works now.

I guess this should be mentioned to one of the maintainers for either the net code or driver code for 3c59x on 2.6.x. Not sure of the best way to go about it..


-"snizack"

And it works!
Thank you!

I didn't have iptables installed (kernel modules, yes, but not iptables itself) and my DNS resolution wasn't working as well as my connections to our KVM IP (all UDP).

Now everything is ok!

[synack1337]

Glad it worked for you.

Now we need to get this in front of of a maintainer so we dont need iptables.

[blscreen]

Because of the problems with the Cisco VPN client and recent kernels I switched to the opensource client vpnc. It uses the kernel TUN/TAP device and works great for me.

[theche]

where's the option for enabling the TUN/TAP device driver??

[blscreen]

In 2.6.x:
Device Drivers -> Networking support -> Network device support -> Universal TUN/TAP device driver support

[theche]

Code: Select all

root@marco mac # vpnc
vpnc: error while loading shared libraries: libgcrypt.so.1: cannot open shared object file: No such file or directory

what am i doing wrong??

I did

ACCEPT_KEYWORDS="~x86" emerge vpnc, edited the /etc/vpnc.conf to fit to my university's vpn network...

[blscreen]

Seems like some dependency problem. Try to first emerge sync, reemerge dev-libs/libgcrypt and then net-misc/vpnc.

libgcrypt should have been merged together with vpnc though.

[theche]

exactly...

didn't work

same error.

should I start vpnc as root or as an user? whe doing so:

Code: Select all

bash-2.05b$ vpnc
Secure memory is not locked into core
vpnc: IKE DH Group "dh2 " unsupported

don't know how to interprete this

my vpnc.conf:

Code: Select all

more /etc/vpnc.conf
Interface name vpn0
IKE DH Group dh2
Perfect Forward Secrecy nopfs
IPSec gateway vpn.uni-mannheim.de
IPSec ID <+++>
IPSec secret <+++>
Xauth username<+++>

IKEDHGroup: what values are possible??

[blscreen]

This doesn't seem to be related to any of the errors you receive, but I just tried vpnc on a gentoo box the first time (the other was debian), and devfsd made a wrong symlink /dev/net/tun->/dev/net/misc/net/tun which doesn't exist and should be /dev/misc/net/tun instead.

If this is true for you, you should add the following lines early in your /etc/devfsd.conf end send a SIGHUP to devfsd:

Code: Select all

REGISTER   ^misc/net/tun$  CFUNCTION GLOBAL unlink   net/tun
REGISTER   ^misc/net/tun$  CFUNCTION GLOBAL symlink  /dev/$devname net/tun
UNREGISTER ^misc/net/tun$  CFUNCTION GLOBAL unlink   net/tun

should I start vpnc as root or as an user?

Definitely as root.

Sorry, can't help you with the IKE DH problem... possible values are dh1,dh2 and dh5.

Here is my config:

Code: Select all

Interface name tun0
IKE DH Group dh2
Perfect Forward Secrecy nopfs
IPSec gateway ipsec-rz.vpn.uni-freiburg.de
IPSec ID <blanked>
IPSec secret <blanked>
Xauth username <blanked>

As for the libgcrypt problem: maybe

Code: Select all

strace vpnc &> /root/vpnc-strace

can give you a hint about what's going on there.

[theche]

eigentlich könnten wir deutsch reden...oder?

I dont't know whether there is a symlink...the directory net in /dev/ doesn't exist...and in /dev/misc/ there is no directory net...perhaps I messed something up with the TUN/TAP device driver??

Code: Select all

output strace: (ausschnitt)
open("/lib/i686/mmx/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686/mmx", 0xbfffed58)     = -1 ENOENT (No such file or directory)
open("/lib/i686/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686", 0xbfffed58)         = -1 ENOENT (No such file or directory)
open("/lib/mmx/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/mmx", 0xbfffed58)          = -1 ENOENT (No such file or directory)
open("/lib/libgcrypt.so.1", O_RDONLY)   = -1 ENOENT (No such file or directory)
stat64("/lib", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/usr/lib/i686/mmx/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/i686/mmx", 0xbfffed58) = -1 ENOENT (No such file or directory)
open("/usr/lib/i686/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/i686", 0xbfffed58)     = -1 ENOENT (No such file or directory)
open("/usr/lib/mmx/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/mmx", 0xbfffed58)      = -1 ENOENT (No such file or directory)
open("/usr/lib/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)

stimmt schon die verzeichnisse sind in dieser weise wirklich nicht da...

Code: Select all

find / -name *libgcrypt*:

/usr/bin/libgcrypt-config
/usr/lib/libgcrypt.so.11
/usr/lib/libgcrypt.so
/usr/lib/libgcrypt.so.7
/usr/lib/libgcrypt-pthread.so.11
/usr/lib/libgcrypt.la
/usr/lib/libgcrypt.a
/usr/lib/libgcrypt.so.11.0.0
/usr/lib/libgcrypt-pthread.so.11.0.0
/usr/lib/libgcrypt-pthread.so
/usr/lib/libgcrypt-pthread.so.7
/usr/lib/libgcrypt-pthread.la
/usr/lib/libgcrypt-pthread.a

sind wohl woanders und libgcrypt.so.1 seh ich auch nicht.
'are somewhere else and libgcrypt.so.1 doesn't appear

what shall I do?

symlinks?

[blscreen]

eigentlich könnten wir deutsch reden...oder?

I think we should stick to english, as some users searching the forum might have similar problems

I dont't know whether there is a symlink...the directory net in /dev/ doesn't exist...and in /dev/misc/ there is no directory net...perhaps I messed something up with the TUN/TAP device driver??

Is the module loaded? Are you using devfs? Otherwise you have to create the node. Check dmesg for a line

Code: Select all

Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky

Without the propper character device, which is major 10 and minor 200, nothing is going to work.

I can give you some info about my setup, hope it helps:

Code: Select all

# qpkg -l vpnc
net-misc/vpnc-0.2_pre7 *
CONTENTS:
/usr
/usr/bin
/usr/bin/vpnc
/usr/bin/vpnc-connect
/usr/bin/vpnc-disconnect
/usr/share
/usr/share/doc
/usr/share/doc/vpnc-0.2_pre7
/usr/share/doc/vpnc-0.2_pre7/ChangeLog.gz
/usr/share/doc/vpnc-0.2_pre7/README.gz
/usr/share/doc/vpnc-0.2_pre7/TODO.gz
/usr/share/doc/vpnc-0.2_pre7/VERSION.gz
/etc
/etc/vpnc.conf

# ldd /usr/bin/vpnc
        linux-gate.so.1 =>  (0xffffe000)
        libgcrypt.so.11 => /usr/lib/libgcrypt.so.11 (0x4002a000)
        libgpg-error.so.0 => /usr/lib/libgpg-error.so.0 (0x40084000)
        libc.so.6 => /lib/libc.so.6 (0x40088000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x401b4000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

# qpkg -l libgcrypt
dev-libs/libgcrypt-1.1.92 *
CONTENTS:
/usr
/usr/bin
/usr/bin/libgcrypt-config
/usr/lib
/usr/lib/libgcrypt.so.11.0.0
/usr/lib/libgcrypt.so.11 -> libgcrypt.so.11.0.0 1082225985
/usr/lib/libgcrypt.so -> libgcrypt.so.11.0.0 1082225985
/usr/lib/libgcrypt.la
/usr/lib/libgcrypt.a
/usr/lib/libgcrypt-pthread.so.11.0.0
/usr/lib/libgcrypt-pthread.so.11 -> libgcrypt-pthread.so.11.0.0 1082225985
/usr/lib/libgcrypt-pthread.so -> libgcrypt-pthread.so.11.0.0 1082225985
/usr/lib/libgcrypt-pthread.la
/usr/lib/libgcrypt-pthread.a
/usr/lib/libgcrypt.so.7 -> libgcrypt.so.11 1082225985
/usr/lib/libgcrypt-pthread.so.7 -> libgcrypt-pthread.so.11 1082225985
/usr/include
/usr/include/gcrypt.h
/usr/include/gcrypt-module.h
/usr/share
/usr/share/aclocal
/usr/share/aclocal/libgcrypt.m4
/usr/share/info
/usr/share/info/gcrypt.info.gz
/usr/share/doc
/usr/share/doc/libgcrypt-1.1.92
<snip some more docs here>
/usr/lib/libgcrypt-pth.so.7 -> libgcrypt-pth.so.11 1082225985

<snip strace output>
open("/usr/lib/libgcrypt.so.11", O_RDONLY) = 3   <- This is how it should be ;)
<snip>

USE="X aalib alsa apm arts avi berkdb cdr crypt cups directfb dvd encode esd fbcon foomaticdb gdbm gif gphoto2 gpm gtk gtk2 imlib java jpeg libg++ libwww mad matrox mikmod motif mozilla mpeg nas ncurses nls oggvorbis opengl oss pam pdflib perl png python qt quicktime readline sasl scanner sdl slang spell ssl stroke svga tcltk tcpd tetex truetype usb video_cards_matrox x86 xinerama xml2 xmms xv zlib"

For some reason your vpnc is compiled with the wrong library versions. You could file a bugreport or try to compile it from the original package manually.

[theche]

Universal TUN TAP driver is in the kernel (no module)

in dmesg appears the corresponding entry

yes, I do use devfs

Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
Without the propper character device, which is major 10 and minor 200, nothing is going to work.

??

I dont have crypt in USE <--?

and the rest is silence 'cause I don't know what to do with this kind of information

how do I 'file' a bug report?

[LostControl]

Has anyone tried to use cisco-vpnclient-3des-4.0.3b-r3 with kernel 2.6.6-rc1 ?

Everything works using kernel 2.6.5 but no success with 2.6.6-rc1 Maybe something changes in the new kernel which brokes cisco-vpnclient-3des !? As for 2.6.2...

[Corpse2]

I managed to get the vpnclient-linux-4.0.3.B-k9.tar.gz working on my 2.6.5-rc1 kernel. I think it's the patched version metioned before.
Only one problem, I don't know why it works all of a sudden while it wouldn't work at first. I've been fooling around first with a few different versions and vpnc without luck. But there is one thing I remember that I did: I found somewhere in another tread something about which things are needed in the kernel, some things in cryptography that are needed by IPsec and some other things.

In order to make the IPsec work with the 2.6 Kernel, you need PF Key, AHS Transformations, ESP Transformations, IPsec user config interface, and all the cryptos...

Concerning the crypto's, the help of these items mention a few times something about IPSec, those are the ones you need I think. I don't think I chose any others.

Altough I still have one problem , when connected I can't figure out how to define routes (for the client). when you do a

Code: Select all

vpnclient stat

it ends with the configured routes, containing only zeroes
Or is it possible to route traffic to the hidden cipsec0? (ifconfig -a shows it)

[vdp]

I managed to get the vpnclient-linux-4.0.3.B-k9.tar.gz working on my 2.6.5-rc1 kernel. I think it's the patched version metioned before.
...
Altough I still have one problem , when connected I can't figure out how to define routes (for the client). when you do a

Code: Select all

vpnclient stat

it ends with the configured routes, containing only zeroes
Or is it possible to route traffic to the hidden cipsec0? (ifconfig -a shows it)

This is the normal behavior - I have version 4.0.1a working on another machine with kernel 2.4.x and it does the same thing.

I have slightly different problem - when I use eth0, the vpn client works fine; when I try to use the wlan0 interface, i cannot exchange large amounts of data, and rdesktop times out. This is with wlan-ng 0.2.1-pre20 and kernel 2.6.5-rc1

[kevin_barsby]

Firstly I'm a noob to Gentoo forums so please forgive any lapses of netiquette.

I've just emerged the latest (4.0.3.B) ebuild of vpnclient and apart from having to rebuild the digest it compiled and installed ok.

I seem to be having the DNS problem some people have mentioned, i.e. I can run the module and connect quite happily, but couldn't get anywhere on the network, I tried pinging the machine I was connected to and that seemd ok, I guess if I'd tried going elsewhere on the network by ip address only that would have worked too.

How have people got around this problem? I read somewhere compiling in IP tables and creating an ANY->ANY rule would fix this, is this still people's favoured solution.

Cheers
Kev

[kevin_barsby]

I spent a frustrating morning trying various solutions on this and other forums. The upshot is everything I tried seemed to take a step back from where I am currently.

I have:
Kernel - 2.6.5
vpnclient - 4.0.3-B-K9 (vanilla patched via the Gentoo ebuild)

It starts, connects quite happily but DNS seems to be broken. Everything is fine by IP address.

Current workaround is to lob all the servers I need into /etc/hosts

The solutions / workarounds I've tried are:
- Compiling in iptables and setting up ANY->ANY OUTPUT rule: This resulted in the situation where the module would load, but any attempt to connect failed, module seems to hang for a bit then times out
- Various Kernel switches (I didn't have the IPSEC stuff in the kernel, I do now) : Made no difference
- Regressing to Kernel 2.6.1: No difference

I haven't tried a 2.4 kernel yet, but that is going to require a system rebuild which I don't really have time for ATM.

Has anyone got any suggestions?

[AlterEgo]

I'm trying to get net-misc/cisco-vpnclient-3des-4.0.3b-r4
working on 2.6.6.
i get stuck at: /etc/init.d/vpnclient start
* Starting Cisco VPN Client...
* Failed to load module cisco_ipsec

Can someone give me a lsmod of the modules needed?

[edit]
Just tested in 2.6.5: it does work there

[Berni]

What does dmesg tell (or your syslog)? Did you enable the crypt modules+tun modules in your kernel config?

[kevin_barsby]

I noticed in the new 2.6.6 kernel changelog there are some patches to crc related stuff from people whose email address reads (@cisco.com).

I haven't tried it yet, but I'll post here if it fixes the dns problem

[enkil]

@AlterEgo: I had the same problems using Kernel 2.6.6, too, but I use vpnclient-version 4.0.4(A).
Problem seems to be the following code in the init-script:

Code: Select all

/sbin/insmod ${PC}/${VPNMOD} >/dev/null 2>&1

I looked at cisco's original init-script that was packed with the client and modified the gentoo-init-script (cisco's doesn't look nice ). I'm not sure about licensing-stuff concerning init-scripts, so i don't post a patch here...
You just have to do a insmod this way:
${VPNMOD} is mostly cisco_ipsec, just change it to cisco_ipsec.ko
Works fine for me...
My .diff would do a better job

[AlterEgo]

That did not help me
/lib/modules/2.6.6/CiscoVPN/cisco_vpn is not a .ko file after emerging.
I also cannot get the modules insmodded manually.
I use the same config as 2.6.5, where it works flawlessly.

[enkil]

I think it should be a .ko-file...

Code: Select all

ls /lib/modules/2.6.6/CiscoVPN/               
cisco_ipsec.ko

I would suggest, that you try to install the vpnclient manually... Just unpack it and run the vpn_install-script...

<edit>
almost forgot: If you use Kernel 2.6.x and vpnclient < 4.0.4(A) and install it manually, don't forget to patch the interceptor.c using:
/usr/portage/net-misc/cisco-vpnclient-3des/files/register_netdevice.patch