Differences

This shows you the differences between two versions of the page.

--- auth:howto:linux:vpnclient [2007/08/22 11:17] – kohofer
+++ auth:howto:linux:vpnclient [2022/05/06 16:22] – [Install openconnect-sso macOS with SAML] kohofer
@@ Line 1: / Line 1: @@
-===== VPN (Virtual Private Network) at the Free University of Bolzano/Bozen =====
+====== VPN (Virtual Private Network) at the Free University of Bolzano/Bozen and EURAC ======
-==== Infos regarding the usage of VPN ====
+===== Infos regarding the usage of VPN =====
-http://www.unibz.it/ict/vpn/index.html?LanguageID=EN
+https://knowledge.scientificnet.org/workspace/#nd=ab7442f9-c4d0-4ffc-a4f7-1e0d84515cc9&ld=17f4d8ce-edff-4d42-ad33-d98e2cdebc35&ln=it
+==== Instructions for MacOS X ====
-==== Instructions for Windows 98, ME, NT 4.0, 2000 and XP ====
+We recommend to download and install [[https://itunes.apple.com/en/app/cisco-anyconnect/id392790924?mt=8|Cisco AnyConnect]] from Apple Store for iOS and connect via Browser to https://vpn.scientificnet.org for Mac OSX
-http://www.unibz.it/ict/vpn/win/index.html?LanguageID=EN
-==== Instructions for MacOS X 10.2-10.4 ====
+=== Unsupported Instructions for MacOS X  and iOS - use at own risk! ===
-http://www.unibz.it/ict/vpn/mac/index.html?LanguageID=EN
+Download, unpack (doubleclick), then doupleclick the unpacked file to install it:
-==== Instructions for Linux ====
+{{:auth:howto:linux:vpn-scientificnet.org.networkconnect.zip|}}
-. Download and install the kernel headers corresponding to the kernel in use. Some distributions name this package kernel-headers, others name it linux-headers:
+Under Network settings a new item should appear:
-    # sudo apt-get install kernel-headers-`uname -r`
+  * VPN (IPSec)
-or
+  * change username to your username
-    # sudo apt-get install linux-headers-`uname -r`
+  * click Connect and enter your password
-You can get the version of your kernel by issuing the following command:
+=== Uninstalling if installation is corrupt in MacOSx ===
-    # uname -a
+Uninstallation has to be done by running this command on terminal:
-A valid version number could be, for example, 2.6.12-9-386.
+sudo /opt/cisco/vpn/bin/vpn_uninstall.sh
-. Download and install the vpnclient via Web:
+Should the uninstallation or reinstallation be corrupt, run this command on terminal:
-https://pro.unibz.it/vpn/client/common/linux/vpnclient-linux-x86_64-4.8.00.0490-k9.tar.gz
+sudo pkgutil --forget com.cisco.pkg.anyconnect.vpn
-.1 Download and install the vpnclient via wget:
-Substitute the notation X Z with your university network's username and password:
+=== Instructions for iOS 9 ===
-   wget --no-check-certificate --http-user=X --http-password=Z https://pro.unibz.it/vpn/client/common/linux/vpnclient-linux-x86_64-4.8.00.0490-k9.tar.gz
+  - Press Settings
+  - Choose General
+  - Nearly at the end, click VPN
+  - Next click: Add VPN Configuration...
+    - **Type:** IPSec
+    - **Description:** VPN Scientificnet
+    - **Server:** vpn.scientificnet.org
+    - **Account:** <your-unibz-username>
+    - **Password:** <your-unibz-password> or leave empty to ask every time!
+    - **Group Name:** Unibz
+    - **Secret:** <file>
+NrW2z9sj8g3kjJrzXxJwRPbIRNInWakL
+</file>
+  - Press Done in upper right corner of window
+  - Status: Slide Button to the right to connect
+  - Enter Password if not already entered above
+=== Instructions for Android 7 ===
-. Untar the source of vpnclient and install it.
+  - Press Settings
-   Depending on the Linux Distribution you might need to install ''make'' and ''gcc-3.4''
+  - Find VPN Settings, depends on Model
-   apt-get install make gcc-3.4
+  - Next click: Add VPN Configuration...
+    - **Name:** Unibz VPN
-    # tar xfz vpnclient-linux-x86_64-4.8.00.0490-k9.tar.gz
+    - **Type:** IPSec Xauth PSK
+    - **Server-Address:** vpn.scientificnet.org
-    # cd vpnclient
+    - **IPSec Identifier:** Unibz
+    - **IPSec Pre-shared Key:** NrW2z9sj8g3kjJrzXxJwRPbIRNInWakL
+    - **Account:** <your-unibz-username>
+    - **Password:** <your-unibz-password> or leave empty to ask every time!
-    # ./vpn_install
+  - Press Done
+  - Status: Slide Button to the right to connect
+  - Enter Password if not already entered above
-You will get some messages and you will be requested to answer to some questions:
+===== Instructions for Linux using openconnect Client (recommended) =====
-    Directory where binaries will be installed [/usr/local/bin]
+Run this command to install openconnect client and OpenConnect plugin GNOME GUI
-    Automatically start the VPN service at boot time [yes]
-    Directory containing linux kernel source code [/lib/modules/X.X.XX-X-XXX/build]
-You only have to modify the predefined answers if they do not correspond to your actual situation.
+  sudo apt install openconnect network-manager-openconnect network-manager-openconnect-gnome
-If everything works, you will see some compilation messages and then the installation program will stop.
-. Download the unibz.pcf configuration file from the site of the university via web:
+Once installed open Settings and go to Network, press + right of the VPN section.
-https://pro.unibz.it/vpn/profiles/unibz/Free%20University%20of%20Bozen-Bolzano.zip
+{{:auth:howto:linux:network_vpn.png?400|}}
-.1 Download the unibz.pcf configuration file from the site of the university via wget:
+Select **Cisco AnyConnect Compatible VPN (openconnect)** and fill out as shown below:
-Substitute the notation XXX ZZZ with your university network's username and password:
+{{:auth:howto:linux:add_vpn_openconnect.png?400|}}
-    wget --no-check-certificate --http-user=XXX --http-password=ZZZ https://pro.unibz.it/vpn/profiles/unibz/Free%20University%20of%20Bozen-Bolzano.zip
+{{:auth:howto:linux:details_vpn.png?300|Details}} {{:auth:howto:linux:identity_vpn.png?300|Identity}}
-. Unzip the configuration file and copy it to the correct location:
+{{:auth:howto:linux:ipv4_vpn.png?300|IPv4}} {{:auth:howto:linux:ipv6_vpn.png?300|IPv6}}
-    # unzip "Free University of Bozen-Bolzano.zip"
+**Details**
+  - Make available to other users: tick if you want to allow other users on your system to use the VPN
-    # cp "Free University of Bozen-Bolzano.pcf" /etc/opt/cisco-vpnclient/Profiles/unibz.pcf
+**Identity**
+  - Name: VPN work (use a descriptive name)
+  - VPN Protocol: Cisco AnyConnect
+  - Gateway: vpn.scientificnet.org
+  - CA Certificate: download from {{ :auth:howto:linux:vpn-scientificnet-org.pem |here}}, not really necessary!
+The rest can be left as it is.
+**IPv4/IPv6**
+  - IPv4 Method: Automatic (DHCP)
+  - DNS: ON
+  - Routes: ON
+Press <color #22b14c>Apply</color>
+Now you can enable the VPN connection!
+Move the slider from OFF to ON, a small window should open,
+{{:auth:howto:linux:enable_vpn.png?400|Enable VPN}}
+make sure that for VPN Host you select: **vpn.scientificnet.org**
+Enter your unibz Username, without @unibz.it and your unibz Password.
+{{:auth:howto:linux:connect_vpn.png?400|Connect VPN}}
+Press **Login**
+If all goes well the slider should remain in ON position, if not check the Log.
+To verify launch this command in a terminal:
+  ifconfig | grep 172*
+You should get a new interface --> vpn0: with an IP Address: 172.21.66.xxx
+===== Instructions for Linux vpnc Client =====
+. Install vpnc
+  sudo apt-get install vpnc
+. For Unibz:
+  * Create configuration file unibz.conf. Download from here: {{:auth:howto:linux:unibz.conf|}}
+.a For Eurac:
+   * Create configuration file eurac.conf. Download from here: {{:auth:howto:linux:eurac.conf|}}
+<note important>IPSec obfuscated secret needs to be on a single line.</note>
+<note important>Replace <your-windows-login> with your username.</note>
+For Unibz:
+  sudo vi /etc/vpnc/unibz.conf
+<code>
+#######################################
+IPSec gateway vpn.unibz.it
+IPSec ID Unibz
+IPSec obfuscated secret 06294C134E0BEBDA4B449B56BFD305D35D12DABF4044EDB6794926C2CA6D5AEDFE6342DF190E566EB11215DDC1591D5CB6ABEBEB593693C6D0B2077D78034B6AFEEA3221E77F4C9858DD711AA8DE58F6
+Xauth username your-windows-login
+# e.g. Xauth username fmoser (not fmoser@unibz.it)
+#######################################
+</code>
+apply this rights:
+  sudo chmod 600 /etc/vpnc/unibz.conf
+  sudo chown root.root /etc/vpnc/unibz.conf
+<code>
+sudo ls -l /etc/vpnc/unibz.conf
+-rw------- 1 root root 250 2009-05-02 15:54 /etc/vpnc/unibz.conf
+</code>
+For Eurac:
+  sudo vi /etc/vpnc/eurac.conf
+<code>
+#######################################
+IPSec gateway vpn.scientificnet.org
+IPSec ID Eurac
+IPSec obfuscated secret 56A1CD68CC3AD33B48DB0F727ADDBC0A354DE3287D15C8526ED4CEDE4BC2ACDD1BB2460BC2354671A405F6150EA7C294C4DBC4CF9FFE45873BECAD3A2A738C5053BE34F709D592B50AD5BC472CDFF350
+Xauth username your-windows-login
+# e.g. Xauth username fmoser (not fmoser@eurac.edu)
+#######################################
+</code>
+apply this rights:
+  sudo chmod 600 /etc/vpnc/eurac.conf
+  sudo chown root.root /etc/vpnc/eurac.conf
+<code>
+sudo ls -l /etc/vpnc/eurac.conf
+-rw------- 1 root root 250 2009-05-02 15:54 /etc/vpnc/eurac.conf
+</code>
+. Start vpnc
+For Unibz:
+  sudo vpnc-connect --domain unibz unibz
+This will first ask for your sudo password and then
+your <unibz-password>
+For Eurac:
+  sudo vpnc-connect --domain eurac eurac
+This will first ask for your sudo password and then
+your <eurac-password>
+. Stop vpnc
+  sudo vpnc-disconnect
+==== Possible errors ====
+If you get the following error:  **vpnc-connect: no response from target**\\
+try adding the line below to your configuration file (unibz.conf)
+**NAT Traversal Mode cisco-udp**
+----
+When one attempts to connect to their VPN after installing and configuring vpnc on Ubuntu Oneiric,\\
+the following error occurs:
+<code>
+root@ubuntu:~# vpnc-connect
+Error: either "to" is duplicate, or "ipid" is a garbage.
+</code>
+It appears that the Ubuntu package vpnc comes with an old version of vpnc-script.\\
+This script is what sets up all the addresses and routes for you. The OpenConnect project\\
+provides an updated / revised release of this script. Download the latest copy from [[http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob_plain/HEAD:/vpnc-script|here]].\\
+Replace the vpnc-script script that comes with the Ubuntu vpnc package: /etc/vpnc/vpnc-script
+----
+Access via ssh not possible, MTU value to high!
+In some cases the MTU value is too high, which results in an very strange
+situation: ping works, but ssh hangs at this point:
+...
+debug1: sending SSH2_MSG_KEX_ECDH_INIT
+debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
+There are 2 bug reports for this:\\
+https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1110787\\
+https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1254085
+and a possible solution/workaround for Linux Mint:
+https://community.hide.me/threads/setup-problem-on-linux-mint-17.1839/
+Check the current MTU value:
+  ip link | grep mtu
+Set MTU value on interface eth0 to 1392
+  /sbin/ifconfig eth0 mtu 1392
+----
+Allow local (LAN) access when using VPN (MacOS)
+{{:auth:howto:linux:allow-local-lan-access-with-vpn.png?400|VPN preferences}}
+==== Decode Group Password ====
+[[https://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode|cisco vpnclient password decoder]]
+===== Instructions for Linux Cisco AnyConnect Client =====
+=== Installation ===
+. Open with your browser (tested with firefox 11.0) the following URL:
+https://vpn.scientificnet.org
+. Enter your Username and password, then press **Login**
+. A "Warning - Security" Windows opens: This will install the Cisco AnyConnect Client \\
+in /opt/cisco of your Platform.
+. Press **Run** on the "Warning - Security" Window
+{{:auth:howto:linux:cisco-anyconnect_1.png?direct&200}}
+. In order to install Cisco AnyConnect, Admin (sudo) rights are required; a Window opens,\\
+enter your local password.
+{{:auth:howto:linux:cisco-anyconenct_2.png?direct&200|}}
+. The Cisco AnyConnect is installed and running, you can close the URL.
+{{:auth:howto:linux:cisco-anyconnect_3.png?direct&200|}}
+=== Launching Cisco AnyConnect GUI ===
+This allows you to connect and disconnect the VPN service.
+  /opt/cisco/anyconnect/bin/vpnui
+Please note the vpnagentd must be running for this
+  * ps auxww | grep vpn
+<code>
+root      1759  0.0  0.3  17984  7644 ?        S    12:58   0:00 /opt/cisco/anyconnect/bin/vpnagentd
+</code>
+=== Launching Cisco AnyConnect NON-GUI ===
+This allows you to connect and disconnect the VPN service.
+  * /opt/cisco/anyconnect/bin/vpn
+<code>
+Cisco AnyConnect Secure Mobility Client (version 3.0.5080) .
+Copyright (c) 2004 - 2011 Cisco Systems, Inc.
+All Rights Reserved.
+  >> state: Disconnected
+  >> state: Disconnected
+  >> notice: Ready to connect.
+  >> registered with local VPN subsystem.
+VPN> connect vpn.unibz.it
+connect vpn.unibz.it
+  >> contacting host (vpn.unibz.it) for login information...
+  >> notice: Contacting vpn.unibz.it.
+VPN>
+  >> Please enter your username and password.
+) clientless
+) scientificnetwork
+Group: [clientless]
+Username: <your-username>
+Password:
+  >> state: Connecting
+  >> notice: Establishing VPN session...
+  >> notice: Checking for profile updates...
+  >> notice: Checking for product updates...
+  >> notice: Checking for customization updates...
+  >> notice: Performing any required updates...
+  >> state: Connecting
+  >> notice: Establishing VPN session...
+  >> notice: Establishing VPN - Initiating connection...
+  >> notice: Establishing VPN - Examining system...
+  >> notice: Establishing VPN - Activating VPN adapter...
+  >> notice: Establishing VPN - Configuring system...
+  >> notice: Establishing VPN...
+  >> state: Connected
+  >> notice: Connected to vpn.unibz.it.
+VPN>exit
+</code>
+=== Uninstalling the AnyConnect Client ===
+The client comes with an uninstallation script
+  * sudo /opt/cisco/vpn/bin/vpn_uninstall.sh
+However it doesn't actually uninstall everything properly, it removes files but leaves behind directories.\\
+You can clean up what it leaves behind by deleting the directory /opt/cisco/ and /opt/.cisco/
+  * sudo rm -r /opt/cisco /opt/.cisco
+Per-user configuration is stored in your home directory in a file called .anyconnect
+====== Install openconnect-sso macOS with SAML ======
-. Initialize the vpnclient:
+If you don't want to use Cisco Anyconnect on the Apple Mac, you can install openconnect
+and openconnect-sso for using SAML!
-    # sudo /etc/init.d/vpnclient_init start
+**Requirements**: Python3
-. You can now start the vpnclient using sudo:
+Install brew
+  /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
-    $ sudo vpnclient connect unibz
+Install openconnect and pipx
+  brew install openconnect pipx
+  pipx ensurepath
-You will see some messages and then you will be requested to insert your username and password:
+Install pipx
+  pip install --user pipx
-    Cisco Systems VPN Client Version 4.8.00 (0490)
+Install openconnect-sso
-    Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
+  pipx install "openconnect-sso[full]"
-    Client Type(s): Linux
+  pipx ensurepath
-    Running on: Linux 2.6.15-26-686 #1 SMP PREEMPT Thu Aug 3 03:13:28 UTC 2006 i686
-    Config file directory: /etc/opt/cisco-vpnclient
-    Initializing the VPN connection.
+Launch openconnect-sso
-    Contacting the gateway at 193.206.186.111
+  /Users/user/.local/bin/openconnect-sso --server vpn.scientificnet.org/saml
-    User Authentication for unibz...
-    Enter Username and Password.
+<code>
+...
+...
+[info     ] Loading page                   [webengine] url=https://vpn.scientificnet.org/+CSCOE+/saml/sp/login?tgname=ScientificNetworkSouthTyrol-SAML&acsamlcap=v2
+[info     ] Terminate requested.           [webengine]
+[info     ] Exiting browser                [webengine]
+[info     ] Browser exited                 [openconnect_sso.browser.browser]
+[info     ] Response received              [openconnect_sso.authenticator] id=success message=
+[sudo] password for <local-username>:
-    Username []: X
+Connected to 193.106.xxx.xxx:443
-    Password []: Z
+SSL negotiation with vpn.scientificnet.org
-    Authenticating user.
+Server certificate verify failed: signer not found
-    Negotiating security policies.
+Connected to HTTPS on vpn.scientificnet.org
-    Securing communication channel.
+Got CONNECT response: HTTP/1.1 200 OK
+CSTP connected. DPD 30, Keepalive 20
+Connected as 172.xx.xx.xx + 2a02:27e8:10:741:0:dacc:0:2/64, using SSL, with DTLS in progress
+Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
+Error: any valid prefix is expected rather than "dev".
-    Your VPN connection is secure.
+</code>
-    VPN tunnel information.
+A browser-window will ask for your username and password, next it will ask for the PIN which you need
-    Client address: 172.21.204.1
+to generate with an Authenticator!
-    Server address: 193.206.186.111
-    Encryption: 128-bit AES
-    Authentication: HMAC-SHA
-    IP Compression: None
-    NAT passthrough is active on port UDP 4500
-    Local LAN Access is disabled
-Please notice that you will have to leave the console open in order to have the VPN running.
+Last thing to enter is the sudo password to enable the network interface.