auth:howto:linux:vpnclient

Differences

This shows you the differences between two versions of the page.

auth:howto:linux:vpnclient [2007/04/12 16:39] kohofer
auth:howto:linux:vpnclient [2022/06/20 11:40] (current) kohofer
Line 1: Line 1:
-===== VPN (Virtual Private Network) at the Free University of Bolzano/Bozen =====+====== VPN (Virtual Private Network) at the Free University of Bolzano/Bozen and EURAC ======
  
-==== Infos regarding the usage of VPN ====+===== Infos regarding the usage of VPN =====
  
-http://www.unibz.it/ict/vpn/index.html?LanguageID=EN+https://knowledge.scientificnet.org/workspace/#nd=ab7442f9-c4d0-4ffc-a4f7-1e0d84515cc9&ld=17f4d8ce-edff-4d42-ad33-d98e2cdebc35&ln=it
  
 +==== Instructions for MacOS X ====
  
-==== Instructions for Windows 98, ME, NT 4.0, 2000 and XP ==== +We recommend to download and install [[https://itunes.apple.com/en/app/cisco-anyconnect/id392790924?mt=8|Cisco AnyConnect]] from Apple Store for iOS and connect via Browser to https://vpn.scientificnet.org for Mac OSX
-http://www.unibz.it/ict/vpn/win/index.html?LanguageID=EN+
  
-===Instructions for MacOS X 10.2-10.4 ==== +=== Unsupported Instructions for MacOS X  and iOS use at own risk! ===
-http://www.unibz.it/ict/vpn/mac/index.html?LanguageID=EN+
  
-==== Instructions for Linux ====+Download, unpack (doubleclick), then doupleclick the unpacked file to install it:
  
-1. Download and install the kernel headers corresponding to the kernel in use. Some distributions name this package kernel-headers, others name it linux-headers:+{{:auth:howto:linux:vpn-scientificnet.org.networkconnect.zip|}}
  
-    # sudo apt-get install kernel-headers-X.X.XX-X-XXX +Under Network settings a new item should appear:
-or +
-    # sudo apt-get install linux-headers-X.X.XX-XXX+
  
-Substitute the notation X.X.XX with the actual version of your kernel. +  * VPN (IPSec) 
-You can get the version of your kernel by issuing the following command:+  * change username to your username 
 +  * click Connect and enter your password
  
-    # uname -a+=== Uninstalling if installation is corrupt in MacOSx ===
  
-A valid version number could be, for example, 2.6.12-9-386.+Uninstallation has to be done by running this command on terminal:
  
-2Download and install the vpnclient:+sudo /opt/cisco/vpn/bin/vpn_uninstall.sh
  
-Substitute the notation X Z with your university network's username and password:+Should the uninstallation or reinstallation be corrupt, run this command on terminal
  
-wget --no-check-certificate --http-user=X --http-password=Z  +sudo pkgutil --forget com.cisco.pkg.anyconnect.vpn
-https://pro.unibz.it/vpn/client/common/linux/vpnclient-linux-x86_64-4.8.00.0490-k9.tar.gz+
  
  
-3. Untar the source of vpnclient and install it. +=== Instructions for iOS 9 ===
-   Depending on the Linux Distribution you might need to install ''make'' and ''gcc-3.4'' +
-   apt-get install make gcc-3.4+
  
-    # tar xfz vpnclient-linux-4.7.00.0640-k9.tar.gz +  Press Settings 
-      +  - Choose General 
-    # cd vpnclient +  - Nearly at the end, click VPN 
-     +  Next click: Add VPN Configuration... 
-    # ./vpn_install+    - **Type:** IPSec 
 +    - **Description:** VPN Scientificnet 
 +    **Server:** vpn.scientificnet.org 
 +    - **Account:** <your-unibz-username> 
 +    - **Password:** <your-unibz-password> or leave empty to ask every time! 
 +    - **Group Name:** Unibz 
 +    - **Secret:** <file> 
 +NrW2z9sj8g3kjJrzXxJwRPbIRNInWakL 
 +</file> 
 +  - Press Done in upper right corner of window 
 +  - Status: Slide Button to the right to connect 
 +  - Enter Password if not already entered above
  
-You will get some messages and you will be requested to answer to some questions:+=== Instructions for Android 7 ===
  
-    Directory where binaries will be installed [/usr/local/bin]+  - Press Settings 
 +  - Find VPN Settings, depends on Model  
 +  - Next click: Add VPN Configuration... 
 +    - **Name:** Unibz VPN 
 +    - **Type:** IPSec Xauth PSK 
 +    - **Server-Address:** vpn.scientificnet.org 
 +    - **IPSec Identifier:** Unibz 
 +    - **IPSec Pre-shared Key:** NrW2z9sj8g3kjJrzXxJwRPbIRNInWakL 
 +    - **Account:** <your-unibz-username> 
 +    - **Password:** <your-unibz-password> or leave empty to ask every time!
          
-    Automatically start the VPN service at boot time [yes] +  - Press Done 
-     +  Status: Slide Button to the right to connect 
-    Directory containing linux kernel source code [/lib/modules/X.X.XX-X-XXX/build]+  Enter Password if not already entered above
  
-You only have to modify the predefined answers if they do not correspond to your actual situation. +===== Instructions for Linux using openconnect Client (recommended) =====
-If everything works, you will see some compilation messages and then the installation program will stop.+
  
-4. Download the unibz.pcf configuration file from the site of the university. +Run this command to install openconnect client and OpenConnect plugin GNOME GUI 
-Substitute the notation XXX ZZZ with your university network's username and password:+
  
-    # wget --no-check-certificate --http-user=XXX --http-password=ZZZ https://pro.unibz.it/vpn/Configuration/unibz.zip+  sudo apt install openconnect network-manager-openconnect network-manager-openconnect-gnome
  
-5. Unzip the configuration file and copy it to the correct location:+Once installed open Settings and go to Network, press + right of the VPN section.
  
-    unzip unibz.zip +{{:auth:howto:linux:network_vpn.png?400|}} 
-     + 
-    cp unibz.pcf /etc/opt/cisco-vpnclient/Profiles/.+Select **Cisco AnyConnect Compatible VPN (openconnect)** and fill out as shown below: 
 + 
 +{{:auth:howto:linux:add_vpn_openconnect.png?400|}} 
 + 
 +{{:auth:howto:linux:details_vpn.png?300|Details}} {{:auth:howto:linux:identity_vpn.png?300|Identity}}  
 + 
 +{{:auth:howto:linux:ipv4_vpn.png?300|IPv4}} {{:auth:howto:linux:ipv6_vpn.png?300|IPv6}}  
 + 
 +**Details** 
 +  - Make available to other users: tick if you want to allow other users on your system to use the VPN 
 + 
 +**Identity** 
 +  - Name: VPN work (use a descriptive name) 
 +  - VPN Protocol: Cisco AnyConnect 
 +  - Gateway: vpn.scientificnet.org 
 +  - CA Certificate: download from {{ :auth:howto:linux:vpn-scientificnet-org.pem |here}}, not really necessary! 
 + 
 +The rest can be left as it is. 
 + 
 +**IPv4/IPv6** 
 +  - IPv4 Method: Automatic (DHCP) 
 +  - DNS: ON 
 +  - Routes: ON 
 + 
 +Press <color #22b14c>Apply</color> 
 + 
 +Now you can enable the VPN connection! 
 + 
 +Move the slider from OFF to ON, a small window should open, 
 + 
 +{{:auth:howto:linux:enable_vpn.png?400|Enable VPN}} 
 + 
 +make sure that for VPN Host you select: **vpn.scientificnet.org** 
 + 
 +Enter your unibz Username, without @unibz.it and your unibz Password. 
 + 
 +{{:auth:howto:linux:connect_vpn.png?400|Connect VPN}} 
 + 
 +Press **Login** 
 + 
 +If all goes well the slider should remain in ON position, if not check the Log. 
 +To verify launch this command in a terminal: 
 + 
 +  ifconfig | grep 172* 
 + 
 +You should get a new interface --> vpn0: with an IP Address: 172.21.66.xxx 
 + 
 +===== Instructions for Linux vpnc Client ===== 
 + 
 +1. Install vpnc 
 + 
 +  sudo apt-get install vpnc 
 + 
 +2. For Unibz: 
 + 
 +  * Create configuration file unibz.conf. Download from here: {{:auth:howto:linux:unibz.conf|}} 
 + 
 +2.a For Eurac: 
 + 
 +   * Create configuration file eurac.conf. Download from here: {{:auth:howto:linux:eurac.conf|}} 
 +    
 +<note important>IPSec obfuscated secret needs to be on a single line.</note> 
 +    
 +<note important>Replace <your-windows-login> with your username.</note> 
 + 
 + 
 +For Unibz: 
 + 
 +  sudo vi /etc/vpnc/unibz.conf 
 + 
 +<code> 
 +####################################### 
 +IPSec gateway vpn.unibz.it 
 +IPSec ID Unibz 
 +IPSec obfuscated secret 06294C134E0BEBDA4B449B56BFD305D35D12DABF4044EDB6794926C2CA6D5AEDFE6342DF190E566EB11215DDC1591D5CB6ABEBEB593693C6D0B2077D78034B6AFEEA3221E77F4C9858DD711AA8DE58F6 
 +Xauth username your-windows-login 
 +# e.g. Xauth username fmoser (not fmoser@unibz.it) 
 +####################################### 
 +</code> 
 + 
 +apply this rights: 
 + 
 +  sudo chmod 600 /etc/vpnc/unibz.conf 
 +   
 +  sudo chown root.root /etc/vpnc/unibz.conf 
 + 
 +<code> 
 +sudo ls -l /etc/vpnc/unibz.conf 
 +-rw------- 1 root root 250 2009-05-02 15:54 /etc/vpnc/unibz.conf 
 +</code> 
 + 
 +For Eurac: 
 + 
 +  sudo vi /etc/vpnc/eurac.conf 
 + 
 +<code> 
 +####################################### 
 +IPSec gateway vpn.scientificnet.org  
 +IPSec ID Eurac 
 +IPSec obfuscated secret 56A1CD68CC3AD33B48DB0F727ADDBC0A354DE3287D15C8526ED4CEDE4BC2ACDD1BB2460BC2354671A405F6150EA7C294C4DBC4CF9FFE45873BECAD3A2A738C5053BE34F709D592B50AD5BC472CDFF350 
 +Xauth username your-windows-login 
 +# e.g. Xauth username fmoser (not fmoser@eurac.edu) 
 +####################################### 
 +</code> 
 + 
 +apply this rights: 
 + 
 +  sudo chmod 600 /etc/vpnc/eurac.conf 
 +   
 +  sudo chown root.root /etc/vpnc/eurac.conf 
 + 
 +<code> 
 +sudo ls -l /etc/vpnc/eurac.conf 
 +-rw------- 1 root root 250 2009-05-02 15:54 /etc/vpnc/eurac.conf 
 +</code> 
 + 
 +3. Start vpnc 
 + 
 +For Unibz: 
 + 
 +  sudo vpnc-connect --domain unibz unibz 
 + 
 +This will first ask for your sudo password and then 
 +your <unibz-password> 
 + 
 +For Eurac: 
 + 
 +  sudo vpnc-connect --domain eurac eurac 
 + 
 +This will first ask for your sudo password and then 
 +your <eurac-password> 
 + 
 + 
 +4. Stop vpnc 
 + 
 +  sudo vpnc-disconnect 
 + 
 + 
 +==== Possible errors ==== 
 + 
 +If you get the following error:  **vpnc-connect: no response from target**\\ 
 +try adding the line below to your configuration file (unibz.conf) 
 + 
 +**NAT Traversal Mode cisco-udp** 
 + 
 +---- 
 + 
 +When one attempts to connect to their VPN after installing and configuring vpnc on Ubuntu Oneiric,\\ 
 +the following error occurs: 
 + 
 +<code> 
 +root@ubuntu:~# vpnc-connect 
 +Error: either "to" is duplicate, or "ipid" is a garbage. 
 +</code> 
 + 
 +It appears that the Ubuntu package vpnc comes with an old version of vpnc-script.\\ 
 +This script is what sets up all the addresses and routes for you. The OpenConnect project\\ 
 +provides an updated / revised release of this script. Download the latest copy from [[http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob_plain/HEAD:/vpnc-script|here]].\\ 
 +Replace the vpnc-script script that comes with the Ubuntu vpnc package: /etc/vpnc/vpnc-script 
 + 
 +---- 
 + 
 +Access via ssh not possible, MTU value to high! 
 + 
 +In some cases the MTU value is too high, which results in an very strange 
 +situation: ping works, but ssh hangs at this point: 
 + 
 +... 
 +debug1: sending SSH2_MSG_KEX_ECDH_INIT 
 +debug1: expecting SSH2_MSG_KEX_ECDH_REPLY  
 + 
 + 
 +There are 2 bug reports for this:\\ 
 + 
 +https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1110787\\ 
 +https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1254085 
 + 
 +and a possible solution/workaround for Linux Mint: 
 + 
 +https://community.hide.me/threads/setup-problem-on-linux-mint-17.1839/ 
 + 
 +Check the current MTU value: 
 + 
 +  ip link | grep mtu 
 + 
 +Set MTU value on interface eth0 to 1392 
 + 
 +  /sbin/ifconfig eth0 mtu 1392 
 + 
 +---- 
 + 
 +Allow local (LAN) access when using VPN (MacOS) 
 + 
 + 
 +{{:auth:howto:linux:allow-local-lan-access-with-vpn.png?400|VPN preferences}} 
 + 
 + 
 +==== Decode Group Password ==== 
 + 
 +[[https://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode|cisco vpnclient password decoder]] 
 + 
 + 
 +===== Instructions for Linux Cisco AnyConnect Client ===== 
 + 
 +=== Installation === 
 + 
 +1. Open with your browser (tested with firefox 11.0) the following URL: 
 + 
 +https://vpn.scientificnet.org 
 + 
 +2. Enter your Username and password, then press **Login** 
 + 
 +3. A "Warning - Security" Windows opens: This will install the Cisco AnyConnect Client \\ 
 +in /opt/cisco of your Platform. 
 + 
 +4. Press **Run** on the "Warning - Security" Window 
 + 
 +{{:auth:howto:linux:cisco-anyconnect_1.png?direct&200}} 
 + 
 +5. In order to install Cisco AnyConnect, Admin (sudo) rights are required; a Window opens,\\ 
 +enter your local password. 
 + 
 +{{:auth:howto:linux:cisco-anyconenct_2.png?direct&200|}} 
 + 
 +6. The Cisco AnyConnect is installed and running, you can close the URL. 
 + 
 +{{:auth:howto:linux:cisco-anyconnect_3.png?direct&200|}} 
 + 
 +=== Launching Cisco AnyConnect GUI === 
 + 
 +This allows you to connect and disconnect the VPN service. 
 + 
 +  /opt/cisco/anyconnect/bin/vpnui 
 + 
 +Please note the vpnagentd must be running for this 
 + 
 +  * ps auxww | grep vpn 
 +<code> 
 +root      1759  0.0  0.3  17984  7644 ?        S    12:58   0:00 /opt/cisco/anyconnect/bin/vpnagentd 
 +</code> 
 + 
 +=== Launching Cisco AnyConnect NON-GUI === 
 + 
 +This allows you to connect and disconnect the VPN service. 
 + 
 +  * /opt/cisco/anyconnect/bin/vpn 
 + 
 +<code> 
 +Cisco AnyConnect Secure Mobility Client (version 3.0.5080) . 
 + 
 +Copyright (c) 2004 - 2011 Cisco Systems, Inc. 
 +All Rights Reserved. 
 + 
 + 
 +  >> state: Disconnected 
 +  >> state: Disconnected 
 +  >> notice: Ready to connect. 
 +  >> registered with local VPN subsystem. 
 +VPN> connect vpn.unibz.it 
 +connect vpn.unibz.it 
 +  >> contacting host (vpn.unibz.it) for login information... 
 +  >> notice: Contacting vpn.unibz.it. 
 +VPN>  
 +  >> Please enter your username and password. 
 +    0) clientless 
 +    1) scientificnetwork 
 +Group: [clientless]  
 + 
 +Username: <your-username> 
 +Password:  
 +  >> state: Connecting 
 +  >> notice: Establishing VPN session... 
 +  >> notice: Checking for profile updates... 
 +  >> notice: Checking for product updates... 
 +  >> notice: Checking for customization updates... 
 +  >> notice: Performing any required updates... 
 +  >> state: Connecting 
 +  >> notice: Establishing VPN session... 
 +  >> notice: Establishing VPN - Initiating connection... 
 +  >> notice: Establishing VPN - Examining system... 
 +  >> notice: Establishing VPN - Activating VPN adapter... 
 +  >> notice: Establishing VPN - Configuring system... 
 +  >> notice: Establishing VPN... 
 +  >> state: Connected 
 +  >> notice: Connected to vpn.unibz.it. 
 +VPN>exit 
 + 
 + 
 +</code> 
 + 
 +=== Uninstalling the AnyConnect Client === 
 + 
 +The client comes with an uninstallation script 
 + 
 +  * sudo /opt/cisco/vpn/bin/vpn_uninstall.sh 
 + 
 +However it doesn't actually uninstall everything properly, it removes files but leaves behind directories.\\ 
 +You can clean up what it leaves behind by deleting the directory /opt/cisco/ and /opt/.cisco/ 
 + 
 +  * sudo rm -r /opt/cisco /opt/.cisco 
 + 
 +Per-user configuration is stored in your home directory in a file called .anyconnect 
 + 
 +====== Install openconnect-sso macOS with SAML ====== 
 + 
 +If you don't want to use Cisco Anyconnect on the Apple Mac, you can install openconnect 
 +and openconnect-sso for using SAML! 
 + 
 +**Requirements**: Python3 
 + 
 +Install brew 
 +  /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" 
 + 
 +Install openconnect and pipx 
 +  brew install openconnect pipx 
 +  pipx ensurepath 
 + 
 +Install pipx 
 +  pip install --user pipx 
 + 
 +Install openconnect-sso 
 +  pipx install "openconnect-sso[full]" 
 +  pipx ensurepath 
 + 
 +Launch openconnect-sso 
 +  /Users/user/.local/bin/openconnect-sso --server vpn.scientificnet.org/saml 
 + 
 +<code> 
 +... 
 +... 
 +[info     ] Loading page                   [webengine] url=https://vpn.scientificnet.org/+CSCOE+/saml/sp/login?tgname=ScientificNetworkSouthTyrol-SAML&acsamlcap=v2 
 +[info     ] Terminate requested.           [webengine]  
 +[info     ] Exiting browser                [webengine]  
 +[info     ] Browser exited                 [openconnect_sso.browser.browser]  
 +[info     ] Response received              [openconnect_sso.authenticator] id=success message= 
 +[sudo] password for <local-username>: 
 + 
 +Connected to 193.106.xxx.xxx:443 
 +SSL negotiation with vpn.scientificnet.org 
 +Server certificate verify failed: signer not found 
 +Connected to HTTPS on vpn.scientificnet.org 
 +Got CONNECT response: HTTP/1.1 200 OK 
 +CSTP connected. DPD 30, Keepalive 20 
 +Connected as 172.xx.xx.xx + 2a02:27e8:10:741:0:dacc:0:2/64, using SSL, with DTLS in progress 
 +Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM). 
 +Error: any valid prefix is expected rather than "dev"
 + 
 +</code> 
 + 
 +A browser-window will ask for your username and password, next it will ask for the PIN which you need 
 +to generate with an Authenticator!
  
-6. Initialize the vpnclient:+Last thing to enter is the sudo password to enable the network interface.
  
-    # sudo /etc/init.d/vpnclient_init start+====== Install openconnect-sso Ubuntu with SAML ======
  
-7. You can now start the vpnclient using sudo:+Requirements:
  
-    $ sudo vpnclient connect unibz+  sudo apt install python3.8-venv openconnect
  
-You will see some messages and then you will be requested to insert your username and password:+  pip install --user pipx 
 +  pipx install "openconnect-sso[full]" 
 +  pipx ensurepath
  
-    Cisco Systems VPN Client Version 4.8.00 (0490) +Launch openconnect-sso
-    Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved. +
-    Client Type(s): Linux +
-    Running on: Linux 2.6.15-26-686 #1 SMP PREEMPT Thu Aug 3 03:13:28 UTC 2006 i686 +
-    Config file directory: /etc/opt/cisco-vpnclient+
  
-    Initializing the VPN connection. +  openconnect-sso --server vpn.scientificnet.org/saml
-    Contacting the gateway at 193.206.186.111 +
-    User Authentication for unibz...+
  
-    Enter Username and Password.+A browser window will open, where it might ask for your 2FA/MFA, 
 +then it will ask for your sudo password to get the VPN interface up. 
 +Leave the command running as long as you need VPN.
  
-    Username []: X +You can also add an ampersand (&) and the end of the command to put the command 
-    Password []+into background:
-    Authenticating user. +
-    Negotiating security policies. +
-    Securing communication channel.+
  
-    Your VPN connection is secure.+  openconnect-sso --server vpn.scientificnet.org/saml &
  
-    VPN tunnel information. 
-    Client address: 172.21.204.1 
-    Server address: 193.206.186.111 
-    Encryption: 128-bit AES 
-    Authentication: HMAC-SHA 
-    IP Compression: None 
-    NAT passthrough is active on port UDP 4500 
-    Local LAN Access is disabled 
  
-Please notice that you will have to leave the console open in order to have the VPN running. 
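Review bot: the added openconnect-sso transcript (the `<code>` block after "Launch openconnect-sso" in the macOS section) shows `Server certificate verify failed: signer not found` and then carries on to "CSTP connected", and the GNOME openconnect setup marks the CA Certificate as "not really necessary!"; the page already ships `vpn-scientificnet-org.pem`, so make that step required and tell readers that a connection whose server certificate fails verification should not be trusted (openconnect takes the file via `--cafile`), otherwise the Xauth/SAML credentials are sent to an unverified gateway. Second, the new iOS and Android sections print the IPSec group pre-shared key in clear text, and the vpnc sections print the "IPSec obfuscated secret" hex strings right next to a link to a "cisco vpnclient password decoder" that turns them back into plaintext; with the secret on a public wiki page the `chmod 600` / `chown root.root` on `/etc/vpnc/unibz.conf` protects only the local copy, so the secrets belong in the downloadable `unibz.conf` / `eurac.conf` attachments (which the page already offers) and not inline. Third, the verification step `ifconfig | grep 172*` is both an unquoted shell glob and a wrong regex (`172*` matches "17" followed by zero or more "2"); `ip addr show vpn0` checks the interface named in the next sentence directly. Style: the iOS list is missing the `-` marker on "Press Settings", "Next click: Add VPN Configuration..." and "**Server:**", the Android list on "Status:" and "Enter Password", and the macOS uninstall commands `sudo /opt/cisco/vpn/bin/vpn_uninstall.sh` / `sudo pkgutil --forget ...` are not indented as code like the other commands; "apply this rights" should read "apply these rights".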
  
/data/www/wiki.inf.unibz.it/data/attic/auth/howto/linux/vpnclient.1176388761.txt.gz · Last modified: 2019/01/16 10:03 (external edit)