auth:howto:linux:vpnclient
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionLast revisionBoth sides next revision | ||
auth:howto:linux:vpnclient [2012/04/05 16:35] – kohofer | auth:howto:linux:vpnclient [2022/05/06 16:22] – [Install openconnect-sso macOS with SAML] kohofer | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== VPN (Virtual Private Network) at the Free University of Bolzano/ | + | ====== VPN (Virtual Private Network) at the Free University of Bolzano/ |
===== Infos regarding the usage of VPN ===== | ===== Infos regarding the usage of VPN ===== | ||
- | http://www.unibz.it/en/ict/ | + | https://knowledge.scientificnet.org/workspace/# |
- | ==== Instructions for Windows 2000, XP, VISTA and 7 - 32bit and 64bit ==== | + | ==== Instructions for MacOS X ==== |
- | http://www.unibz.it/en/ict/ComputerInternet/network/vpn/InstallationWindows.html | + | We recommend to download and install [[https://itunes.apple.com/en/app/cisco-anyconnect/id392790924? |
- | ==== Instructions for MacOS X 10.4 ==== | + | === Unsupported |
- | http:// | + | |
- | ==== Instructions for MacOS X 10.6 ==== | + | Download, unpack (doubleclick), |
- | There is no need to install a Client, simply download and install (doubleclick) the\\ | + | {{:auth: |
- | following file: | + | |
- | {{:auth: | + | Under Network settings a new item should appear: |
- | ===== Instructions for Linux vpnc Client (recommended) ===== | + | * VPN (IPSec) |
+ | * change username to your username | ||
+ | * click Connect and enter your password | ||
+ | |||
+ | === Uninstalling if installation is corrupt in MacOSx === | ||
+ | |||
+ | Uninstallation has to be done by running this command on terminal: | ||
+ | |||
+ | sudo / | ||
+ | |||
+ | Should the uninstallation or reinstallation be corrupt, run this command on terminal: | ||
+ | |||
+ | sudo pkgutil --forget com.cisco.pkg.anyconnect.vpn | ||
+ | |||
+ | |||
+ | === Instructions for iOS 9 === | ||
+ | |||
+ | - Press Settings | ||
+ | - Choose General | ||
+ | - Nearly at the end, click VPN | ||
+ | - Next click: Add VPN Configuration... | ||
+ | - **Type:** IPSec | ||
+ | - **Description: | ||
+ | - **Server:** vpn.scientificnet.org | ||
+ | - **Account: | ||
+ | - **Password: | ||
+ | - **Group Name:** Unibz | ||
+ | - **Secret:** < | ||
+ | NrW2z9sj8g3kjJrzXxJwRPbIRNInWakL | ||
+ | </ | ||
+ | - Press Done in upper right corner of window | ||
+ | - Status: Slide Button to the right to connect | ||
+ | - Enter Password if not already entered above | ||
+ | |||
+ | === Instructions for Android 7 === | ||
+ | |||
+ | - Press Settings | ||
+ | - Find VPN Settings, depends on Model | ||
+ | - Next click: Add VPN Configuration... | ||
+ | - **Name:** Unibz VPN | ||
+ | - **Type:** IPSec Xauth PSK | ||
+ | - **Server-Address: | ||
+ | - **IPSec Identifier: | ||
+ | - **IPSec Pre-shared Key:** NrW2z9sj8g3kjJrzXxJwRPbIRNInWakL | ||
+ | - **Account: | ||
+ | - **Password: | ||
+ | |||
+ | - Press Done | ||
+ | - Status: Slide Button to the right to connect | ||
+ | - Enter Password if not already entered above | ||
+ | |||
+ | ===== Instructions for Linux using openconnect | ||
+ | |||
+ | Run this command to install openconnect client and OpenConnect plugin GNOME GUI | ||
+ | |||
+ | sudo apt install openconnect network-manager-openconnect network-manager-openconnect-gnome | ||
+ | |||
+ | Once installed open Settings and go to Network, press + right of the VPN section. | ||
+ | |||
+ | {{: | ||
+ | |||
+ | Select **Cisco AnyConnect Compatible VPN (openconnect)** and fill out as shown below: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | **Details** | ||
+ | - Make available to other users: tick if you want to allow other users on your system to use the VPN | ||
+ | |||
+ | **Identity** | ||
+ | - Name: VPN work (use a descriptive name) | ||
+ | - VPN Protocol: Cisco AnyConnect | ||
+ | - Gateway: vpn.scientificnet.org | ||
+ | - CA Certificate: | ||
+ | |||
+ | The rest can be left as it is. | ||
+ | |||
+ | **IPv4/ | ||
+ | - IPv4 Method: Automatic (DHCP) | ||
+ | - DNS: ON | ||
+ | - Routes: ON | ||
+ | |||
+ | Press <color # | ||
+ | |||
+ | Now you can enable the VPN connection! | ||
+ | |||
+ | Move the slider from OFF to ON, a small window should open, | ||
+ | |||
+ | {{: | ||
+ | |||
+ | make sure that for VPN Host you select: **vpn.scientificnet.org** | ||
+ | |||
+ | Enter your unibz Username, without @unibz.it and your unibz Password. | ||
+ | |||
+ | {{: | ||
+ | |||
+ | Press **Login** | ||
+ | |||
+ | If all goes well the slider should remain in ON position, if not check the Log. | ||
+ | To verify launch this command in a terminal: | ||
+ | |||
+ | ifconfig | grep 172* | ||
+ | |||
+ | You should get a new interface --> vpn0: with an IP Address: 172.21.66.xxx | ||
+ | |||
+ | ===== Instructions for Linux vpnc Client | ||
1. Install vpnc | 1. Install vpnc | ||
- | sudo aptitude | + | sudo apt-get |
+ | |||
+ | 2. For Unibz: | ||
+ | |||
+ | * Create configuration file unibz.conf. Download from here: {{: | ||
+ | |||
+ | 2.a For Eurac: | ||
+ | |||
+ | * Create configuration file eurac.conf. Download from here: {{: | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | <note important> | ||
- | 2. Create configuration file unibz.conf. | + | For Unibz: |
- | | + | |
sudo vi / | sudo vi / | ||
Line 34: | Line 152: | ||
IPSec gateway vpn.unibz.it | IPSec gateway vpn.unibz.it | ||
IPSec ID Unibz | IPSec ID Unibz | ||
- | IPSec obfuscated secret | + | IPSec obfuscated secret |
- | C9858DD711AA8DE58F6 | + | Xauth username your-windows-login |
- | Xauth username | + | # e.g. Xauth username fmoser (not fmoser@unibz.it) |
####################################### | ####################################### | ||
</ | </ | ||
Line 49: | Line 167: | ||
sudo ls -l / | sudo ls -l / | ||
-rw------- 1 root root 250 2009-05-02 15:54 / | -rw------- 1 root root 250 2009-05-02 15:54 / | ||
+ | </ | ||
+ | |||
+ | For Eurac: | ||
+ | |||
+ | sudo vi / | ||
+ | |||
+ | < | ||
+ | ####################################### | ||
+ | IPSec gateway vpn.scientificnet.org | ||
+ | IPSec ID Eurac | ||
+ | IPSec obfuscated secret 56A1CD68CC3AD33B48DB0F727ADDBC0A354DE3287D15C8526ED4CEDE4BC2ACDD1BB2460BC2354671A405F6150EA7C294C4DBC4CF9FFE45873BECAD3A2A738C5053BE34F709D592B50AD5BC472CDFF350 | ||
+ | Xauth username your-windows-login | ||
+ | # e.g. Xauth username fmoser (not fmoser@eurac.edu) | ||
+ | ####################################### | ||
+ | </ | ||
+ | |||
+ | apply this rights: | ||
+ | |||
+ | sudo chmod 600 / | ||
+ | | ||
+ | sudo chown root.root / | ||
+ | |||
+ | < | ||
+ | sudo ls -l / | ||
+ | -rw------- 1 root root 250 2009-05-02 15:54 / | ||
</ | </ | ||
3. Start vpnc | 3. Start vpnc | ||
+ | |||
+ | For Unibz: | ||
sudo vpnc-connect --domain unibz unibz | sudo vpnc-connect --domain unibz unibz | ||
This will first ask for your sudo password and then | This will first ask for your sudo password and then | ||
- | you <windows-password> | + | your <unibz-password> |
+ | |||
+ | For Eurac: | ||
+ | |||
+ | sudo vpnc-connect --domain eurac eurac | ||
+ | |||
+ | This will first ask for your sudo password and then | ||
+ | your < | ||
4. Stop vpnc | 4. Stop vpnc | ||
sudo vpnc-disconnect | sudo vpnc-disconnect | ||
+ | |||
+ | |||
+ | ==== Possible errors ==== | ||
+ | |||
+ | If you get the following error: | ||
+ | try adding the line below to your configuration file (unibz.conf) | ||
+ | |||
+ | **NAT Traversal Mode cisco-udp** | ||
+ | |||
+ | ---- | ||
+ | |||
+ | When one attempts to connect to their VPN after installing and configuring vpnc on Ubuntu Oneiric,\\ | ||
+ | the following error occurs: | ||
+ | |||
+ | < | ||
+ | root@ubuntu: | ||
+ | Error: either " | ||
+ | </ | ||
+ | |||
+ | It appears that the Ubuntu package vpnc comes with an old version of vpnc-script.\\ | ||
+ | This script is what sets up all the addresses and routes for you. The OpenConnect project\\ | ||
+ | provides an updated / revised release of this script. Download the latest copy from [[http:// | ||
+ | Replace the vpnc-script script that comes with the Ubuntu vpnc package: / | ||
+ | |||
+ | ---- | ||
+ | |||
+ | Access via ssh not possible, MTU value to high! | ||
+ | |||
+ | In some cases the MTU value is too high, which results in an very strange | ||
+ | situation: ping works, but ssh hangs at this point: | ||
+ | |||
+ | ... | ||
+ | debug1: sending SSH2_MSG_KEX_ECDH_INIT | ||
+ | debug1: expecting SSH2_MSG_KEX_ECDH_REPLY | ||
+ | |||
+ | |||
+ | There are 2 bug reports for this:\\ | ||
+ | |||
+ | https:// | ||
+ | https:// | ||
+ | |||
+ | and a possible solution/ | ||
+ | |||
+ | https:// | ||
+ | |||
+ | Check the current MTU value: | ||
+ | |||
+ | ip link | grep mtu | ||
+ | |||
+ | Set MTU value on interface eth0 to 1392 | ||
+ | |||
+ | / | ||
+ | |||
+ | ---- | ||
+ | |||
+ | Allow local (LAN) access when using VPN (MacOS) | ||
+ | |||
+ | |||
+ | {{: | ||
+ | |||
+ | |||
+ | ==== Decode Group Password ==== | ||
+ | |||
+ | [[https:// | ||
Line 164: | Line 381: | ||
Per-user configuration is stored in your home directory in a file called .anyconnect | Per-user configuration is stored in your home directory in a file called .anyconnect | ||
- | ===== Shrew Soft VPN Client Instructions for 32 or 64 bit version of Windows 2000, XP, Vista and 7 (recommened) | + | ====== Install openconnect-sso macOS with SAML ====== |
- | 1. Go to http:// | + | If you don't want to use Cisco Anyconnect on the Apple Mac, you can install openconnect |
+ | and openconnect-sso | ||
- | 2. Download unibz profile (need to login with unibz login& | + | **Requirements**: Python3 |
- | https:// | + | |
- | 3. Install | + | Install brew |
+ | /bin/bash -c " | ||
+ | |||
+ | Install | ||
+ | brew install openconnect pipx | ||
+ | pipx ensurepath | ||
+ | |||
+ | Install pipx | ||
+ | pip install --user pipx | ||
+ | |||
+ | Install openconnect-sso | ||
+ | pipx install " | ||
+ | pipx ensurepath | ||
+ | |||
+ | Launch openconnect-sso | ||
+ | / | ||
+ | |||
+ | < | ||
+ | ... | ||
+ | ... | ||
+ | [info ] Loading page | ||
+ | [info ] Terminate requested. | ||
+ | [info ] Exiting browser | ||
+ | [info ] Browser exited | ||
+ | [info ] Response received | ||
+ | [sudo] password | ||
+ | |||
+ | Connected to 193.106.xxx.xxx: | ||
+ | SSL negotiation with vpn.scientificnet.org | ||
+ | Server certificate verify failed: signer not found | ||
+ | Connected to HTTPS on vpn.scientificnet.org | ||
+ | Got CONNECT response: HTTP/1.1 200 OK | ||
+ | CSTP connected. DPD 30, Keepalive 20 | ||
+ | Connected as 172.xx.xx.xx + 2a02: | ||
+ | Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM). | ||
+ | Error: any valid prefix is expected rather than " | ||
+ | |||
+ | </ | ||
- | 4. Start Shrew Soft VPN Client, unzip unibz profile | + | A browser-window will ask for your username |
+ | to generate with an Authenticator! | ||
+ | Last thing to enter is the sudo password to enable the network interface. | ||
/data/www/wiki.inf.unibz.it/data/pages/auth/howto/linux/vpnclient.txt · Last modified: 2022/06/20 11:40 by kohofer