Old 10-22-2007, 08:30 PM   #1
depam
Member
 
Registered: Sep 2005
Posts: 824

Rep: Reputation: 30
Cisco VPN Client for Ubuntu


Hi,

I was able to successfully use the Cisco VPN Client for Linux on my Ubuntu machine. I have obtained a private IP address from our corporate LAN. Though I find it really ironic to deactivate eth0 for it to run. I always issue the command "ifconfig eth0 down" for it to work. I spent hours and hours to make it work and only that trick did the job.

Now, here's my question. Every time I connect to my corporate LAN, my internet connection is already controlled by my corporate network. When I tried to visit www.whatismyip.com, I see the proxy IP of the corporate LAN instead of my ISP provider. Is there a way to join the corporate network without using their proxy? I had experiences before on OpenVPN and this is called "push-gateway". I usually turn this thing off to allow me to surf the web, chat, email using my ISP connection and not our corporate network's proxy. I am hoping there's a flag on the .pcf to turn this off. Hope someone can help me out. Thanks.
 
Old 10-23-2007, 12:46 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,386

Rep: Reputation: 1963
the official cisco client will rigidly use the policy handed to it by the easyvpn peer. you can't get away from what the network admins want you to do. however if you use vpnc instead you can define your own local behaviour.
 
Old 10-24-2007, 09:38 AM   #3
depam
Member
 
Registered: Sep 2005
Posts: 824

Original Poster
Rep: Reputation: 30
Hi acid_kewpie,

I really find Cisco VPN Client for Linux quite buggy. I also tried to install vpnc using the Ubuntu repo but I can't seem to make it work connecting to our network. I've read from one of the forums that I should convert the .pcf to something that vpnc could understand. I know you know exactly what I wanted to do. Simple thing as connecting to our corporate network while using my ISP's proxy for internet browsing, P2P, etc. If you can just help me out on how to do this on vpnc if you believe this is an answer to my problem. Thanks.
 
Old 10-24-2007, 09:41 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,386

Rep: Reputation: 1963
vpnc contains a script, pcf2vpnc, which does just that.
 
Old 10-26-2007, 06:55 AM   #5
depam
Member
 
Registered: Sep 2005
Posts: 824

Original Poster
Rep: Reputation: 30
Hi acid_kewpie,

I am getting this error when I issue the command:

$ sudo ./pcf2vpnc VPN.pcf > VPN.conf

Can't exec "cisco-decrypt": No such file or directory at ./pcf2vpnc line 29.
cisco-decrypt not in search path,
adding passwords in obfuscated form

What do you think I am missing here?

Also, whenever this becomes successful, how do I bypass my corporate network as proxy? Thanks.
 
Old 10-26-2007, 07:18 AM   #6
depam
Member
 
Registered: Sep 2005
Posts: 824

Original Poster
Rep: Reputation: 30
Hi,

Yiiihaa...VPNC now working. Acid, please tell me how I can bypass my corporate network's proxy and let me use my ISP's proxy. Corporate network proxy has a lot of filtering which restricts me from visiting my favorite websites at home. I want to use my ISP's proxy while being connected to the corporate network. How can this be done? Thanks.
 
Old 10-26-2007, 07:44 AM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,386

Rep: Reputation: 1963
if you have a split tunnel then everything else follows. as for the configuration, you need that tool that's not found, it apparently comes with the vpnc source code, but there are plenty of links to it from google.

i assume in all this you don't actually *know* what the password is?
 
Old 10-26-2007, 10:44 AM   #8
depam
Member
 
Registered: Sep 2005
Posts: 824

Original Poster
Rep: Reputation: 30
Hi acid,

Do you mean I can access my wireless local LAN while being connected to the corporate network even if the corporate network has restricted that? So which is more secure, split-tunneling enabled or not? For a newbie like me, it will be difficult to have this setup. I have searched through Google and found no specific config for this. Hope you can point me to a link which could help me. Thanks.
 
Old 10-26-2007, 11:23 AM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,386

Rep: Reputation: 1963
wireless? use of a vpn client has nothing whatsoever to do with wireless. you need to overlay the generic functions a vpn client can perform onto the infrastructure in question...

you want to be able to reach whatever you want on the net from a remote location whilst also being connected to your corporate LAN right? well that's blatantly going to be against any security policy they have but is technically fine if you have a client you can require to use a split tunnel. that is where vpnc comes in as it will allow you to bypass the security policies which should be enforced without choice by the cisco client...

is it me or have we just taken a huge step backwards?
 
Old 10-26-2007, 12:01 PM   #10
depam
Member
 
Registered: Sep 2005
Posts: 824

Original Poster
Rep: Reputation: 30
Forgive me for my ignorance acid_kewpie. I'm still digesting what you are saying but I know this is possible. I just don't know how to do that in vpnc. I've found this one on Google:

vpnc /etc/vpnc/default.conf
route del default
route add default gw x.x.x.x (use your old default gateway ip here)
route add -net 10.0.0.0 netmask 255.0.0.0 tun0 (in my case, "work" network uses the 10.x.x.x subnet)

but that isn't working for me. I have no intention of violating security policies. What I just want to do is to use my ISP's proxy. I used to connect to VPN from my home. My intention is for me to use my ISP proxy so that it won't waste my corporate's network bandwidth while I'm surfing the net but still being connected to the corporate network.

Is it the vpnc version I'm using that prohibits me from doing this "split tunneling"? I know it's just a matter of routing but I really don't know where to start. This is also my first time to hear that this would actually work. I used to configure OpenVPN before and I also enforce pushing the corporate's gateway but not once did I learn that this can be done. This is really cool and I wanted to know how to make this work. Though I am connecting to the corporate network, my home connection isn't owned by them so I also have the right to use it even if I'm connected with the corporate network. Does it make sense?
 
Old 10-26-2007, 12:34 PM   #11
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,386

Rep: Reputation: 1963
your employers provide content filtering, logging, av, ids etc..
your ISP proxy contains no content filtering, logging, av, ids etc...
if you use your ISP's proxy whilst connected to their network you can see all sorts of stuff they don't want you to. you install spyware, trojans or whatever, and that then attacks your company's network.
whether you have a malicious / devious intention or not, you *ARE* going to be violating the company policy. just admit it.

you need to define within the vpnc-script file what the split policy is. copy the default one to /etc/vpnc/ and edit away. it's fully commented at the top.
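
A defender-side check for the routing state discussed in this thread, as an added example that is not part of any post: it classifies a host's IPv4 routing table as full-tunnel, split-tunnel or no-tunnel, which is what an endpoint posture check would look at. The function name, the `tun` interface prefix (matching the tun0 used in this thread) and the sample tables are assumptions constructed for illustration.

```shell
#!/bin/sh
# classify_routes [prefix]: read `ip -4 route show` output on stdin and print
# full-tunnel, split-tunnel or no-tunnel.
# Assumption: VPN interface names start with "tun" (tun0 in this thread).
classify_routes() {
    awk -v pfx="${1:-tun}" '
    {
        dev = ""; metric = 0
        for (i = 2; i < NF; i++) {
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1) + 0
        }
        if (dev == "") next
        is_tun = (index(dev, pfx) == 1)
        if ($1 == "default") {
            # With several default routes, the lowest metric carries the traffic.
            if (!have_def || metric < best) {
                best = metric; def_tun = is_tun; have_def = 1
            }
        } else if (is_tun) {
            tun_routes++
        }
    }
    END {
        if (have_def && def_tun) print "full-tunnel"
        else if (tun_routes > 0) print "split-tunnel"
        else                     print "no-tunnel"
    }'
}

# Constructed sample tables (documentation addresses, not from a real host).
FULL='default dev tun0 scope link
203.0.113.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'
SPLIT='default via 192.168.1.1 dev eth0
10.0.0.0/8 dev tun0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'
# Two defaults: the tunnel one has the higher metric, so the LAN default wins.
METRIC='default dev tun0 scope link metric 200
default via 192.168.1.1 dev eth0 metric 100
10.0.0.0/8 dev tun0 scope link'

# On a live host: ip -4 route show | classify_routes
for t in "$FULL" "$SPLIT" "$METRIC"; do
    printf '%s\n' "$t" | classify_routes
done
```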
 
Old 10-27-2007, 06:49 AM   #12
depam
Member
 
Registered: Sep 2005
Posts: 824

Original Poster
Rep: Reputation: 30
I am very much cautious about my system. And aside from using Linux as my OS, I also have an active firewall. I doubt that I do have viruses/trojans even if I'm not using an AV. There is a very slight chance that I'll be able to infect any computer on my corporate LAN.

I already made some routing and was able to make this thing work. Thanks a lot for the help acid_kewpie.
 
Old 11-02-2007, 08:01 PM   #13
ronaldo1
LQ Newbie
 
Registered: Nov 2007
Posts: 2
Blog Entries: 1

Rep: Reputation: 0
Question

i have a bunch of PCF files from my network admin
the group password is a hash
does the vpnc software accept the hash for the group password or do i need the original password?
 
Old 11-03-2007, 03:00 AM   #14
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,386

Rep: Reputation: 1963
please read the above... use the cisco-decrypt tool.
 
Old 11-04-2007, 09:30 AM   #15
ronaldo1
LQ Newbie
 
Registered: Nov 2007
Posts: 2
Blog Entries: 1

Rep: Reputation: 0
i still only get the hash and the program asks for the group password
then it kills my network
 
  

