Using vpnc

Although Cisco supplies a vpn client for Linux, it can become a nuisance to compile on 64 bit or SMP systems. Fortunately, there is an opensource client, vpnc.

Most systems have their own port or package for it. The documentation is pretty straightforward, but the hope is that this page might save people a little bit of googling and reading.

One can download the source code and install it manually or, in most cases, use their system's package management. Each system seems to do it differently, so we'll start with doing it from source.

From source

Download the latest version from the vpncsite.
tar zxvf vpnc-<version_number>tar.gz
cd vpn-<version_number>

To build the package, you will need to have libgcrypt and the libcgrypt development libraries. (In RH and Ubuntu based distributions, the package is called libgcrypt-dev or libgcrypt-devel. The first is Ubuntu's, the second RH based systems, I think.)

The default is for a /usr/local/prefix. If you prefer to keep it in /usr/bin, rather than /usr/local/bin, then then change the line reading PREFIX=/usr/local to read PREFIX=/usr. (For newcomers, don't put a period after /usr, that simply signifies the end of the sentence.)

make install

This will install, aside from the vpnc program itself, a vpnc-disconnect script, the cisco-decrypt program and a perl script called pcf2vpnc. It will also install an /etc/vpnc directory, containing a file called defaults.conf and a script called vpnc-script. Both files are owned by root with default permissions of 700 for defaults.conf and 755 for vpnc-script

Note that most of the necessary file and programs are owned by root, so for most of the commands below, you will either need to be root or use sudo.

Your company should have provided you with a pcf file, giving the VPN server address, group name and group password. The group passwd is the long alpha-numeric string after enc_GroupPwd= in the file.

Create a usable vpnc.conf file. If the file is called company.pcf
pcf2vpnc company.pcf vpnc.conf

You will see a message saying that the file has been written with permissions 100664 and to please take care of permissions.

The vpnc.conf file will look something like
IPSec ID Mygroup
IPSec secret ourpassword

IPSec gateway <XX.XX.XX.XX>
IKE Authmode psk

## To add your username and password,
## use the following lines:
# Xauth username <your username>
# Xauth password <your password>

The IKE Authmode line may be missing entirely or have a different mode. The default (if one looks at the supplied sample default.conf) is hybrid.

Note that the long encrypted password has been converted to plain text. If you would prefer that it remains encrypted, rename or remove /usr/local/bin (if you've accepted defaults--/usr/bin if you edited the makefile) to put it in /usr) cisco-decrypt. Then it will give an error message that it can't find cisco-decrypt and that the password has been added in obfuscated form. The file will still work.

The information in the file will vary, depending upon what information was in the pcf file. For example, some provide a username and password, the majority don't. If the pcf file does provide either or both, the comment hash (#) will be removed from the Xauth username and password lines and the username and/or password will be there.

By default, vpnc first looks for /etc/vpnc/default.conf. To avoid conflict, rename the file.
mv /etc/vpnc/default.conf /etc/vpnc/default.conf.bak

The other option is to give your custom vpnc.conf its own name, such as company.conf, move it to /etc/vpnc and then, when running vpnc, call the file (without the .conf suffix) with
vpnc company

The reader can choose their own method. Doing it the way I describe, putting your customized vpnc.conf into /etc saves having to type the name of the configuration file, but either way works.

As warned by the pcf2vpnc program, change the permissions on the vpnc.conf file that was created. It should be owned and only readable by root.
chown root vpnc.conf
chmod 600 vpnc.conf

Now that the file has proper permissions, move it to /etc.
mv vpnc.conf /etc

Now you should be able to run the program. Either as root or with sudo

Depending upon what information is in your /etc/vpnc.conf, you will probably be asked for your username and password. After that, you should be logged into your VPN network.

Depending upon how your VPN switch was set up by the VPN administrator, you may, after putting in your username, get a message like
vpnc: peer selected (single) DES as "encryption" method.
This algorithm is considered too weak today
If your vpn concentrator admin still insists on using DES
use the "--enable-1des" option.

If this is the case, follow the instructions and try again, with
vpnc --enable-1des

As an aside, a gentleman named Ken has informed me that if one is using the Ubuntu Network Connections GUI, choosing Weak Encryption in the VPN configuration will have the same effect as using --enable-1des with vpnc.

Many (most?) Cisco VPNs will also allow name resolution within your company. The vpnc-script will, when working properly, back up your /etc/resolv.conf and temporarily replace it with a new one, listing your company's name servers. Then, when using vpnc-disconnect, at the end of the session, it will restore the original resolv.conf

As this doesn't always work perfectly, it's always good to have made a copy of your /etc/resolv.conf. A simple "cp resolv.conf resolv.conf.orig" (without the quotes) will work.

Depending upon the nature of your work, there's a good chance that you're going to be running this in X. If that is the case, don't log into X as root. Log in as normal user, open an xterminal and use sudo or su. When finished, always remember to disconnect.

Many companies prohibit more than one VPN connection. If you forget to disconnect, then try to connect again later, you might find yourself unable to log in. In addition, as mentioned, many Cisco VPNs provide their own nameserver. When starting vpnc, your /etc/resolv.conf will be altered. Remembering to do vpnc-disconnect will replace the altered version with your original /etc/resolv.conf. (In practice, this sometimes doesn't work. It's always good to doublecheck after disconnecting.) Therefore, if you forget to disconnect, and your connection eventually times out, you will find that name resolution has stopped working as /etc/resolv.conf will have the IPs, probably internal, of your company's name servers.

System Differences

CentOS (as of version 5.2)
There is a CentOS specific article on the CentOS wiki.

CentOS 5.2 has a package available in the 3rd party rpmforge repos.

First enable the rpmforge repo.

After this is done
yum -y install vpnc

The rpmforge rpm creates the /etc/vpncfile as described above, but there are slight differences.

There will be two files in there, the vpnc-script and, rather than defaults.conf a file called vpnc.conf. This saves you the trouble of renaming default.conf. The vpnc-script file, however, has default permissions of 600, so permissions should be changed. As mentioned, the program should be run as root or with sudo, so changing permissions to 700 should be sufficient.
chmod 700 /etc/vpnc/vpnc-script

Once this is done, create your custom vpnc.conf as described above. However, this version of pcf2vpnc doesn't include the cisco-decrypt program. Therefore, when running pcf2vpnc mycompany.pcf vpnc.conf you will get a message saying that it can't exec cisco-decrypt so it is adding passwords in obfuscated form. When looking at the newly created vpnc.conf file, you will see that rather than IPSec secret mypassword, the line will read IPSec obfuscated secret and have the long alphanumeric string that was supplied with your .pcf file.

Once the file has been created, change ownership and permissions as described above (owner root, permissions 600) and move it into /etc/.

After that, the program can be run as previously described.

Note that SELinux, at least as of CentOS 6.x, disables vpnc. If using SELinux, Dan Walsh, the SELinux guru (who will usually VERY quickly fix SELinux issues reported on bugzilla), recommends editing default.conf, which should be allowed to run. The other quick option is to run
grep vpnc /var/log/audit/audit.log | audit2allow -m myvpnc; semodule -i

Fedora, CentOS 6, Ubuntu, and FreeBSD
Although all three of these systems provide cisco-decrypt, they may not, depending upon version, supply the pcf2vpnc script. If this is the case, the script can be downloaded from with fetch (FreeBSD) or wget.

Once it's downloaded just run it with
perl pcf2vpnc mycompany.pcf vpnc.conf

In Fedora and CentOS 6 the pcf2vpnc script has been getting put into /usr/share/vpnc-<version_number>

In FreeBSD, the files will be in /usr/local and /usr/local/etc. The vpnc-script file may be in a different location, but with all three of these systems, no chmod is necessary and it will do what it's supposed to do.