auth:howto:linux:vpnclient
Differences
This shows you the differences between two versions of the page.
auth:howto:linux:vpnclient [2006/08/21 16:06] – kohofer | auth:howto:linux:vpnclient [2022/05/06 09:41] – [Install openconnect-sso macOS with SAML] kohofer | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ===== VPN (Virtual Private Network) at the Free University of Bolzano/ | + | ====== VPN (Virtual Private Network) at the Free University of Bolzano/ |
- | ==== Infos regarding the usage of VPN ==== | + | ===== Infos regarding the usage of VPN ===== |
- | http://www.unibz.it/ict/vpn/ | + | https://knowledge.scientificnet.org/workspace/#nd=ab7442f9-c4d0-4ffc-a4f7-1e0d84515cc9& |
+ | ==== Instructions for MacOS X ==== | ||
- | ==== Instructions for Windows 98, ME, NT 4.0, 2000 and XP ==== | + | We recommend to download |
- | http://www.unibz.it/ict/vpn/win/index.html?LanguageID=EN | + | |
- | ==== Instructions for MacOS X 10.2-10.4 ==== | + | === Unsupported |
- | http:// | + | |
- | ==== Instructions for Linux ==== | + | Download, unpack (doubleclick), |
- | 1. Download and install the kernel headers corresponding to the kernel in use. Some distributions name this package kernel-headers, | + | {{: |
- | # sudo apt-get install kernel-headers-X.X.XX-X-XXX | + | Under Network settings a new item should appear: |
- | or | + | |
- | # sudo apt-get install linux-headers-X.X.XX-XXX | + | |
- | Substitute the notation X.X.XX with the actual version of your kernel. | + | * VPN (IPSec) |
- | You can get the version of your kernel by issuing the following command: | + | * change username to your username |
+ | * click Connect and enter your password | ||
- | # uname -a | + | === Uninstalling if installation is corrupt in MacOSx === |
- | A valid version number could be, for example, 2.6.12-9-386. | + | Uninstallation has to be done by running this command on terminal: |
- | 2. Download and install the vpnclient: | + | sudo / |
- | Substitute | + | Should |
- | wget --no-check-certificate --http-user=X --http-password=Z https://pro.unibz.it/ | + | sudo pkgutil |
- | 3. Untar the source of vpnclient and install it. | + | === Instructions for iOS 9 === |
- | | + | |
- | | + | |
- | # tar xfz vpnclient-linux-4.7.00.0640-k9.tar.gz | + | |
- | | + | - Choose General |
- | | + | - Nearly at the end, click VPN |
- | + | | |
- | | + | - **Type:** IPSec |
+ | - **Description: | ||
+ | | ||
+ | - **Account: | ||
+ | | ||
+ | | ||
+ | | ||
+ | NrW2z9sj8g3kjJrzXxJwRPbIRNInWakL | ||
+ | </file> | ||
+ | - Press Done in upper right corner of window | ||
+ | - Status: Slide Button to the right to connect | ||
+ | - Enter Password if not already entered above | ||
- | You will get some messages and you will be requested to answer to some questions: | + | === Instructions for Android 7 === |
- | Directory where binaries will be installed [/ | + | - Press Settings |
+ | - Find VPN Settings, depends on Model | ||
+ | - Next click: Add VPN Configuration... | ||
+ | - **Name:** Unibz VPN | ||
+ | - **Type:** IPSec Xauth PSK | ||
+ | - **Server-Address: | ||
+ | - **IPSec Identifier: | ||
+ | - **IPSec Pre-shared Key:** NrW2z9sj8g3kjJrzXxJwRPbIRNInWakL | ||
+ | - **Account: | ||
+ | - **Password: | ||
| | ||
- | Automatically start the VPN service at boot time [yes] | + | - Press Done |
- | + | - Status: Slide Button to the right to connect | |
- | Directory containing linux kernel source code [/ | + | |
- | You only have to modify the predefined answers if they do not correspond to your actual situation. | + | ===== Instructions for Linux using openconnect Client (recommended) ===== |
- | If everything works, you will see some compilation messages and then the installation program will stop. | + | |
- | 4. Download the unibz.pcf configuration file from the site of the university. | + | Run this command to install openconnect client |
- | Substitute the notation XXX ZZZ with your university network' | + | |
- | # wget --no-check-certificate | + | sudo apt install openconnect network-manager-openconnect network-manager-openconnect-gnome |
- | 5. Unzip the configuration file and copy it to the correct location: | + | Once installed open Settings |
- | | + | {{: |
- | + | ||
- | # cp unibz.pcf /etc/opt/ | + | Select **Cisco AnyConnect Compatible VPN (openconnect)** and fill out as shown below: |
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | **Details** | ||
+ | - Make available to other users: tick if you want to allow other users on your system to use the VPN | ||
+ | |||
+ | **Identity** | ||
+ | - Name: VPN work (use a descriptive name) | ||
+ | - VPN Protocol: Cisco AnyConnect | ||
+ | - Gateway: vpn.scientificnet.org | ||
+ | - CA Certificate: | ||
+ | |||
+ | The rest can be left as it is. | ||
+ | |||
+ | **IPv4/ | ||
+ | - IPv4 Method: Automatic (DHCP) | ||
+ | - DNS: ON | ||
+ | - Routes: ON | ||
+ | |||
+ | Press < | ||
+ | |||
+ | Now you can enable the VPN connection! | ||
+ | |||
+ | Move the slider from OFF to ON, a small window should open, | ||
+ | |||
+ | {{: | ||
+ | |||
+ | make sure that for VPN Host you select: **vpn.scientificnet.org** | ||
+ | |||
+ | Enter your unibz Username, without @unibz.it and your unibz Password. | ||
+ | |||
+ | {{: | ||
+ | |||
+ | Press **Login** | ||
+ | |||
+ | If all goes well the slider should remain in ON position, if not check the Log. | ||
+ | To verify launch this command in a terminal: | ||
+ | |||
+ | ifconfig | grep 172* | ||
+ | |||
+ | You should get a new interface --> vpn0: with an IP Address: 172.21.66.xxx | ||
+ | |||
+ | ===== Instructions for Linux vpnc Client ===== | ||
+ | |||
+ | 1. Install vpnc | ||
+ | |||
+ | sudo apt-get install vpnc | ||
+ | |||
+ | 2. For Unibz: | ||
+ | |||
+ | * Create configuration file unibz.conf. Download from here: {{: | ||
+ | |||
+ | 2.a For Eurac: | ||
+ | |||
+ | * Create configuration file eurac.conf. Download from here: {{: | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | |||
+ | For Unibz: | ||
+ | |||
+ | sudo vi / | ||
+ | |||
+ | < | ||
+ | ####################################### | ||
+ | IPSec gateway vpn.unibz.it | ||
+ | IPSec ID Unibz | ||
+ | IPSec obfuscated secret 06294C134E0BEBDA4B449B56BFD305D35D12DABF4044EDB6794926C2CA6D5AEDFE6342DF190E566EB11215DDC1591D5CB6ABEBEB593693C6D0B2077D78034B6AFEEA3221E77F4C9858DD711AA8DE58F6 | ||
+ | Xauth username your-windows-login | ||
+ | # e.g. Xauth username fmoser (not fmoser@unibz.it) | ||
+ | ####################################### | ||
+ | </ | ||
+ | |||
+ | apply this rights: | ||
+ | |||
+ | sudo chmod 600 /etc/vpnc/unibz.conf | ||
+ | |||
+ | sudo chown root.root / | ||
+ | |||
+ | < | ||
+ | sudo ls -l / | ||
+ | -rw------- 1 root root 250 2009-05-02 15:54 / | ||
+ | </ | ||
+ | |||
+ | For Eurac: | ||
+ | |||
+ | sudo vi / | ||
+ | |||
+ | < | ||
+ | ####################################### | ||
+ | IPSec gateway vpn.scientificnet.org | ||
+ | IPSec ID Eurac | ||
+ | IPSec obfuscated secret 56A1CD68CC3AD33B48DB0F727ADDBC0A354DE3287D15C8526ED4CEDE4BC2ACDD1BB2460BC2354671A405F6150EA7C294C4DBC4CF9FFE45873BECAD3A2A738C5053BE34F709D592B50AD5BC472CDFF350 | ||
+ | Xauth username your-windows-login | ||
+ | # e.g. Xauth username fmoser (not fmoser@eurac.edu) | ||
+ | ####################################### | ||
+ | </ | ||
+ | |||
+ | apply this rights: | ||
+ | |||
+ | sudo chmod 600 / | ||
+ | |||
+ | sudo chown root.root / | ||
+ | |||
+ | < | ||
+ | sudo ls -l / | ||
+ | -rw------- 1 root root 250 2009-05-02 15:54 / | ||
+ | </ | ||
+ | |||
+ | 3. Start vpnc | ||
+ | |||
+ | For Unibz: | ||
+ | |||
+ | sudo vpnc-connect --domain unibz unibz | ||
+ | |||
+ | This will first ask for your sudo password and then | ||
+ | your < | ||
+ | |||
+ | For Eurac: | ||
+ | |||
+ | sudo vpnc-connect --domain eurac eurac | ||
+ | |||
+ | This will first ask for your sudo password and then | ||
+ | your < | ||
+ | |||
+ | |||
+ | 4. Stop vpnc | ||
+ | |||
+ | sudo vpnc-disconnect | ||
+ | |||
+ | |||
+ | ==== Possible errors ==== | ||
+ | |||
+ | If you get the following error: | ||
+ | try adding the line below to your configuration file (unibz.conf) | ||
+ | |||
+ | **NAT Traversal Mode cisco-udp** | ||
+ | |||
+ | ---- | ||
+ | |||
+ | When one attempts to connect to their VPN after installing and configuring vpnc on Ubuntu Oneiric, | ||
+ | the following error occurs: | ||
+ | |||
+ | < | ||
+ | root@ubuntu: | ||
+ | Error: either " | ||
+ | </ | ||
+ | |||
+ | It appears that the Ubuntu package vpnc comes with an old version of vpnc-script.\\ | ||
+ | This script is what sets up all the addresses and routes for you. The OpenConnect project\\ | ||
+ | provides an updated / revised release of this script. Download the latest copy from [[http:// | ||
+ | Replace the vpnc-script script that comes with the Ubuntu vpnc package: / | ||
+ | |||
+ | ---- | ||
+ | |||
+ | Access via ssh not possible, MTU value to high! | ||
+ | |||
+ | In some cases the MTU value is too high, which results in an very strange | ||
+ | situation: ping works, but ssh hangs at this point: | ||
+ | |||
+ | ... | ||
+ | debug1: sending SSH2_MSG_KEX_ECDH_INIT | ||
+ | debug1: expecting SSH2_MSG_KEX_ECDH_REPLY | ||
+ | |||
+ | |||
+ | There are 2 bug reports for this:\\ | ||
+ | |||
+ | https:// | ||
+ | https:// | ||
+ | |||
+ | and a possible solution/ | ||
+ | |||
+ | https:// | ||
+ | |||
+ | Check the current MTU value: | ||
+ | |||
+ | ip link | grep mtu | ||
+ | |||
+ | Set MTU value on interface eth0 to 1392 | ||
+ | |||
+ | / | ||
+ | |||
+ | ---- | ||
+ | |||
+ | Allow local (LAN) access when using VPN (MacOS) | ||
+ | |||
+ | |||
+ | {{: | ||
+ | |||
+ | |||
+ | ==== Decode Group Password ==== | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | |||
+ | ===== Instructions for Linux Cisco AnyConnect Client ===== | ||
+ | |||
+ | === Installation === | ||
+ | |||
+ | 1. Open with your browser (tested with firefox 11.0) the following URL: | ||
+ | |||
+ | https://vpn.scientificnet.org | ||
+ | |||
+ | 2. Enter your Username and password, then press **Login** | ||
+ | |||
+ | 3. A " | ||
+ | in /opt/cisco of your Platform. | ||
+ | |||
+ | 4. Press **Run** on the " | ||
+ | |||
+ | {{: | ||
+ | |||
+ | 5. In order to install Cisco AnyConnect, Admin (sudo) rights are required; a Window opens,\\ | ||
+ | enter your local password. | ||
+ | |||
+ | {{: | ||
+ | |||
+ | 6. The Cisco AnyConnect is installed and running, you can close the URL. | ||
+ | |||
+ | {{: | ||
+ | |||
+ | === Launching Cisco AnyConnect GUI === | ||
+ | |||
+ | This allows you to connect and disconnect the VPN service. | ||
+ | |||
+ | / | ||
+ | |||
+ | Please note the vpnagentd must be running for this | ||
+ | |||
+ | * ps auxww | grep vpn | ||
+ | < | ||
+ | root 1759 0.0 0.3 17984 7644 ? S 12:58 0:00 / | ||
+ | </ | ||
+ | |||
+ | === Launching Cisco AnyConnect NON-GUI === | ||
+ | |||
+ | This allows you to connect and disconnect the VPN service. | ||
+ | |||
+ | * / | ||
+ | |||
+ | < | ||
+ | Cisco AnyConnect Secure Mobility Client (version 3.0.5080) . | ||
+ | |||
+ | Copyright (c) 2004 - 2011 Cisco Systems, Inc. | ||
+ | All Rights Reserved. | ||
+ | |||
+ | |||
+ | >> state: Disconnected | ||
+ | >> state: Disconnected | ||
+ | >> notice: Ready to connect. | ||
+ | >> registered with local VPN subsystem. | ||
+ | VPN> connect vpn.unibz.it | ||
+ | connect vpn.unibz.it | ||
+ | >> contacting host (vpn.unibz.it) for login information... | ||
+ | >> notice: Contacting vpn.unibz.it. | ||
+ | VPN> | ||
+ | >> Please enter your username and password. | ||
+ | 0) clientless | ||
+ | 1) scientificnetwork | ||
+ | Group: [clientless] | ||
+ | |||
+ | Username: < | ||
+ | Password: | ||
+ | >> state: Connecting | ||
+ | >> notice: Establishing VPN session... | ||
+ | >> notice: Checking for profile updates... | ||
+ | >> notice: Checking for product updates... | ||
+ | >> notice: Checking for customization updates... | ||
+ | >> notice: Performing any required updates... | ||
+ | >> state: Connecting | ||
+ | >> notice: Establishing VPN session... | ||
+ | >> notice: Establishing VPN - Initiating connection... | ||
+ | >> notice: Establishing VPN - Examining system... | ||
+ | >> notice: Establishing VPN - Activating VPN adapter... | ||
+ | >> notice: Establishing VPN - Configuring system... | ||
+ | >> notice: Establishing VPN... | ||
+ | >> state: Connected | ||
+ | >> notice: Connected to vpn.unibz.it. | ||
+ | VPN> | ||
+ | |||
+ | |||
+ | </ | ||
+ | |||
+ | === Uninstalling the AnyConnect Client === | ||
+ | |||
+ | The client comes with an uninstallation script | ||
- | 6. Initialize the vpnclient: | + | * sudo / |
- | # sudo /etc/init.d/vpnclient_init start | + | However it doesn' |
+ | You can clean up what it leaves behind by deleting the directory /opt/cisco/ and /opt/.cisco/ | ||
- | 7. You can now start the vpnclient using sudo: | + | * sudo rm -r /opt/cisco /opt/.cisco |
- | $ sudo vpnclient connect unibz | + | Per-user configuration is stored in your home directory in a file called .anyconnect |
- | You will see some messages and then you will be requested to insert your username and password: | + | ====== Install openconnect-sso macOS with SAML ====== |
- | | + | If you don't want to use Cisco Anyconnect on the Apple Mac, you can install openconnect |
- | Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved. | + | and openconnect-sso for using SAML! |
- | Client Type(s): Linux | + | |
- | Running on: Linux 2.6.15-26-686 #1 SMP PREEMPT Thu Aug 3 03:13:28 UTC 2006 i686 | + | |
- | | + | |
- | Initializing the VPN connection. | + | **Requirements**: |
- | Contacting the gateway at 193.206.186.111 | + | |
- | User Authentication for unibz... | + | |
- | Enter Username and Password. | + | Install brew |
+ | /bin/bash -c " | ||
- | Username []: X | + | Install openconnect and pipx |
- | | + | brew install openconnect pipx |
- | | + | pipx ensurepath |
- | Negotiating security policies. | + | |
- | Securing communication channel. | + | |
- | Your VPN connection is secure. | + | Install pipx |
+ | pip install --user pipx | ||
- | VPN tunnel information. | + | Install openconnect-sso |
- | Client address: 172.21.204.1 | + | pipx install " |
- | Server address: 193.206.186.111 | + | pipx ensurepath |
- | Encryption: 128-bit AES | + | |
- | | + | |
- | IP Compression: | + | |
- | NAT passthrough is active on port UDP 4500 | + | |
- | Local LAN Access is disabled | + | |
- | Please notice that you will have to leave the console open in order to have the VPN running. | + | Launch openconnect-sso |
+ | / | ||
+ | |||
+ | A browser-window | ||
+ | to generate with an Authenticator! | ||
+ | Last thing to enter is the sudo password to enable the network interface. |
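Review bot: the verification command `ifconfig | grep 172*` in the openconnect section does not check what the surrounding text says it checks: the unquoted `172*` is subject to shell glob expansion against files in the current directory before grep ever sees it, and as a grep pattern `172*` means "17 followed by zero or more 2s", so it matches any line containing "17". Suggest `ip -4 addr show vpn0` or `ifconfig vpn0 | grep '172\.'`, which also avoids depending on the net-tools `ifconfig` that newer distributions no longer install by default. Two smaller points in the vpnc section: `sudo chown root.root` uses the legacy dot separator, `sudo chown root:root` is the documented form; and the `chmod 600` step on the vpnc config files deserves to stay prominent, since those files carry the obfuscated group secret that the page's own "Decode Group Password" section indicates can be recovered, and the iOS and Android sections print a pre-shared key in clear text on this page, so readers should treat that value as a shared group credential rather than a secret that protects them individually.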
/data/www/wiki.inf.unibz.it/data/pages/auth/howto/linux/vpnclient.txt · Last modified: 2022/06/20 11:40 by kohofer