Connecting Opensolaris to a Cisco VPN

I finally got my Opensolaris box hooked up to a Cisco VPN:


1. Get the tun/tap driver from Kazuyoshi. This driver provides the tunnel interface between the client and the Cisco VPN router.

2. Compile and install the driver:


pkg install sunstudioexpress
export CC=/opt/SunStudioExpress/bin/cc
./configure
make
make install



3. Download the vpnc client. This program handles the VPN connection. I've used version 0.5.1.

4. Get gmake

pkg install SUNWgmake


5. Adjust installation paths (my personal preferences):

Makefile:

PREFIX=/opt/vpnc
ETCDIR=/opt/vpnc/etc

config.c (hardcoded locations):

Line 250: return "/opt/vpnc/etc/ssl/certs";
Line 270: return "/opt/vpnc/etc/vpnc-script";
Line 275: return "/var/run/vpnc.pid";
Line 541: ... : /opt/vpnc/etc/", ...
Line 760: ... "/opt/vpnc/etc/default.conf" ...
Line 761: ... "/opt/vpnc/etc/vpnc.conf" ...

gmake
gmake install


6. Convert the .pcf profile into vpnc format with /opt/vpnc/pcf2vpnc and store the resulting file in /opt/vpnc/etc.

7. Now comes the tricky part. Create the script /opt/vpnc/etc/vpnc-script. vpnc runs it to bring up the tunnel interface and to set up the appropriate routing.

My goal was to route only a few hosts through the tunnel rather than all traffic.

Attention! If you want the default route to point into the tunnel, add host routes to your VPN gateway via your existing gateway before the default route is changed. Otherwise the VPN gateway becomes unreachable and the tunnel goes down. The address of your remote gateway is the "IPSec gateway" line in your conf file.

Depending on what you want to achieve, you have to configure your DNS servers in /etc/resolv.conf manually.

Here is my sample /opt/vpnc/etc/vpnc-script :

#!/bin/sh
#* reason -- why this script was called, one of: pre-init connect disconnect
#* VPNGATEWAY -- vpn gateway address (always present)
#* TUNDEV -- tunnel device (always present)
#* INTERNAL_IP4_ADDRESS -- address (always present)
#* INTERNAL_IP4_NETMASK -- netmask (often unset)
#* INTERNAL_IP4_DNS -- list of dns servers
#* INTERNAL_IP4_NBNS -- list of wins servers
#* CISCO_DEF_DOMAIN -- default domain name
#* CISCO_BANNER -- banner from server
#* CISCO_SPLIT_INC -- number of networks in split-network-list
#* CISCO_SPLIT_INC_%d_ADDR -- network address
#* CISCO_SPLIT_INC_%d_MASK -- subnet mask (for example: 255.255.255.0)
#* CISCO_SPLIT_INC_%d_MASKLEN -- subnet masklen (for example: 24)
#* CISCO_SPLIT_INC_%d_PROTOCOL -- protocol (often just 0)
#* CISCO_SPLIT_INC_%d_SPORT -- source port (often just 0)
#* CISCO_SPLIT_INC_%d_DPORT -- destination port (often just 0)

# =========== script (variable) setup ====================================

PATH=/sbin:/usr/sbin:$PATH

FULL_SCRIPTNAME=/usr/local/sbin/vpnc
SCRIPTNAME=`basename $FULL_SCRIPTNAME`

# =========== tunnel interface handling ====================================

do_ifconfig() {
    # Point-to-point interface: local and remote address are both the
    # assigned tunnel address; MTU 1412 leaves room for the IPsec/UDP overhead.
    ifconfig "$TUNDEV" inet "$INTERNAL_IP4_ADDRESS" "$INTERNAL_IP4_ADDRESS" netmask 255.255.255.255 mtu 1412 up
}

# =========== route handling ====================================

get_default_gw() {
    # isn't -n supposed to give --numeric output?
    # apparently not...
    # Get rid of lines containing IPv6 addresses (':')
    netstat -r -n | sed 's/default/0.0.0.0/' | sed 's/^.*:.*$//' | grep '^0.0.0.0' | awk '{print $2}'
}

do_pre_init() {
    echo "do_pre_init"
}

do_connect() {
    if [ -n "$CISCO_BANNER" ]; then
        echo "Connect Banner:"
        echo "$CISCO_BANNER" | while read LINE ; do echo "|" "$LINE" ; done
        echo
    fi

    do_ifconfig
    # The split-include list sent by the gateway is only read here, not
    # applied; the routes into the tunnel are added by hand below.
    if [ -n "$CISCO_SPLIT_INC" ]; then
        i=0
        while [ $i -lt $CISCO_SPLIT_INC ] ; do
            eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
            eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
            eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
            i=`expr $i + 1`
        done
    fi

    # Hosts 1, 2 and 3 that should be reached through the tunnel
    add_host_route "xx.xx.xx.xx"
    add_host_route "xx.xx.xx.xy"
    add_host_route "xx.xx.xx.xz"

    # The DNS servers pushed by the gateway are reached through the tunnel too
    for i in $INTERNAL_IP4_DNS ; do
        add_host_route "$i"
    done
}

do_disconnect() {
    if [ -n "$CISCO_SPLIT_INC" ]; then
        i=0
        while [ $i -lt $CISCO_SPLIT_INC ] ; do
            eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
            eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
            eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
            i=`expr $i + 1`
        done
    fi

    # Delete all routes again (same three hosts as in do_connect)
    del_host_route "xx.xx.xx.xx"
    del_host_route "xx.xx.xx.xy"
    del_host_route "xx.xx.xx.xz"

    for i in $INTERNAL_IP4_DNS ; do
        del_host_route "$i"
    done
}

# Host route via the tunnel interface (Solaris route(1M) syntax)
add_host_route() {
    HOST="$1"
    route add "$HOST" "$INTERNAL_IP4_ADDRESS" -interface
}

del_host_route() {
    HOST="$1"
    route delete "$HOST" "$INTERNAL_IP4_ADDRESS" -interface
}


#### Main

if [ -z "$reason" ]; then
    echo "this script must be called from vpnc" 1>&2
    exit 1
fi

case "$reason" in
    pre-init)
        do_pre_init
        ;;
    connect)
        do_connect
        ;;
    disconnect)
        do_disconnect
        ;;
    *)
        echo "unknown reason '$reason'. Maybe vpnc-script is out of date" 1>&2
        exit 1
        ;;
esac

exit 0
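As an added example (not the post's script and not the stock vpnc-script), here is the connect-phase part of a vpnc-script that actually applies the CISCO_SPLIT_INC_<n> networks and the INTERNAL_IP4_MTU value vpnc passes in the environment, and that pins a host route to the VPN gateway via the old default gateway before the default route is moved into the tunnel, as the warning above requires. DRY_RUN and OLD_GW are assumed variables added so the route commands can be printed and checked instead of executed.

```shell
#!/bin/sh
# Added example, not the post's own vpnc-script: "connect" handling that
# applies the CISCO_SPLIT_INC_<n> networks and INTERNAL_IP4_MTU vpnc passes
# in the environment, and pins a host route to the VPN gateway before the
# default route is moved into the tunnel. DRY_RUN and OLD_GW are assumed
# helpers for testing: DRY_RUN=1 prints the commands instead of running them.
PATH=/sbin:/usr/sbin:$PATH

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Current IPv4 default gateway, parsed from Solaris netstat as in the post.
get_default_gw() {
    netstat -r -n | sed 's/default/0.0.0.0/' | sed 's/^.*:.*$//' | grep '^0.0.0.0' | awk '{print $2}'
}

do_ifconfig() {
    # Use the MTU negotiated with the concentrator; fall back to 1412 if unset.
    run ifconfig "$TUNDEV" inet "$INTERNAL_IP4_ADDRESS" "$INTERNAL_IP4_ADDRESS" \
        netmask 255.255.255.255 mtu "${INTERNAL_IP4_MTU:-1412}" up
}

add_host_route() { run route add "$1" "$INTERNAL_IP4_ADDRESS" -interface; }

do_routes() {
    if [ -n "$CISCO_SPLIT_INC" ] && [ "$CISCO_SPLIT_INC" -gt 0 ]; then
        # Split tunnel: one network route per entry in the split-include list.
        i=0
        while [ "$i" -lt "$CISCO_SPLIT_INC" ]; do
            eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
            eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
            run route add -net "$NETWORK" -netmask "$NETMASK" "$INTERNAL_IP4_ADDRESS" -interface
            i=`expr $i + 1`
        done
    else
        # Full tunnel: keep the IPsec gateway reachable via the old default
        # gateway first, otherwise the tunnel's own packets would be routed into it.
        if [ -z "$OLD_GW" ]; then OLD_GW=`get_default_gw`; fi
        run route add -host "$VPNGATEWAY" "$OLD_GW"
        run route delete default "$OLD_GW"
        run route add default "$INTERNAL_IP4_ADDRESS" -interface
    fi
    # DNS servers pushed by the gateway are reached through the tunnel.
    for dns in $INTERNAL_IP4_DNS; do add_host_route "$dns"; done
}

# Only act when invoked by vpnc with reason=connect; a do_disconnect that
# mirrors do_routes with "route delete" is left out here for brevity.
if [ "$reason" = "connect" ]; then
    do_ifconfig
    do_routes
fi
```

Run it with DRY_RUN=1 and the environment vpnc would supply to see the exact ifconfig and route commands before letting vpnc execute it for real.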



8. Now you should be able to connect to your vpn:

/opt/vpnc/sbin/vpnc myvpn.conf


9. The output should look like this:


/usr/local/sbin/vpnc cia.conf
Enter password for tzhbomi5@bwpir.bluewin.ch:
do_pre_init
add host xx.xx.xx.xx: gateway zz.zz.zz.zz
add host xx.xx.xx.xy: gateway zz.zz.zz.zz
add host xx.xx.xx.xz: gateway zz.zz.zz.zz
VPNC started in background (pid: 3971)...


10. The interfaces look like this, where zz.zz.zz.zz is the IP address that was assigned from the other side of the tunnel. The tun0 device was created automatically by vpnc.


ifconfig -a
lo0: flags=2001000849 mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
rge0: flags=201004843 mtu 1500 index 2
inet 192.168.1.35 netmask ffffff00 broadcast 192.168.1.255
ether 0:22:15:5e:61:2b
tun0: flags=10010008d1 mtu 1412 index 4
inet zz.zz.zz.zz --> zz.zz.zz.zz netmask ffffffff
ether 2:0:0:0:0:0

Comments

James Legg said…
Are you doing this on a 64 or 32 bit system? I've been unable to keep the tunnel up long enough under a 32 kernel to set the routes up before it closes. (I must admit to not investigating very hard) On my 64 bit workstation I have no such issues.
Unknown said…
I had this working on 64-bit and on a 32-bit Eee Pc (Atom Chip)

Although the latter one since a couple of days.

Do you see any errors in the messages log?
Anonymous said…
Thank you very much for the vpnc-script. I have used this script, changed the add_host entries to those which I needed, and I'm able to connect without problems.

For the tun driver, I followed the instructions given here : atechnicaljourney.blogspot.com/2008/10/howto-get-tuntap-compile-for-x64.html
PhiMic`s World said…
i get a compilation error see http://rafb.net/p/OHkWhH88.html for more details
Anonymous said…
just a note: vpnc 0.5.3 changed an openlog() call in tunip.c to include the non-posix flag LOG_PERROR (which prints the log to STDERR as well as the system log)

this causes the compile to fail; the simple fix is to simply remove the '| LOG_PERROR' from the function call on line 1061 of tunip.c

hth
alex smith said…
I actually heard about logs kept by isp and I didnt want to be under the eye of "Big Brother" so I searched on google and found you. Happy that i did. Using vpn has put my mind at ease. Your server has gone down once or twice but that was just a temporary hardware glitch as you put it.
Shmerl said…
Hi. In my office they use Cisco AnyConnect VPN. It doesn't have any PCF configuration - it uses web authentication and it doesn't work with OpenSolaris. Is it possible to use vpnc instead of AnyConnect? I didn't figure out how.

Thanks.
Anonymous said…
Connecting Opensolaris to a Cisco VPN, (thanks for the head start!) but some changes were needed for my system. (2008.11)

pkg install sunstudioexpress
export CC=/opt/SunStudioExpress/bin/cc

Download the tun/tap driver from Kazuyoshi.

run ./configure and then you will need to edit the Makefile (for x64 only!)

Change these options

modules: tun.o tap.o
$(LD) -r -o tun tun.o
$(LD) -r -o tap tap.o

to

modules: tun.o tap.o
$(LD) -melf_x86_64 -r -o tun tun.o
$(LD) -melf_x86_64 -r -o tap tap.o
dwmw2 said…
bahaltener,

No, you can't use vpnc with the Cisco AnyConnect VPN; it only supports the legacy IPsec VPNs.

For AnyConnect, you need the OpenConnect client, which can be found here.

The patches to make it build on Solaris were committed to git today; I've just been testing it.

It uses a vpnc-script just like vpnc, so the one from this page should suffice. Note, though, that the script should set the MTU from the $INTERNAL_IP4_MTU variable, which the above script doesn't. And the script on this page needs you to configure your routing manually — it doesn't obey the routes given to it by vpnc/openconnect in the environment.

Has anyone submitted patches to vpnc to fix their vpnc-script to work on Solaris?
dwmw2 said…
I've now fixed my copy of vpnc-script to work on Solaris.

It should work with both vpnc and openconnect, and do all the correct things with routes automatically according to the information passed to it from the VPN client.
Anonymous said…
Hi when I put the following
Step 1
pkg install sunstudioexpress
export CC=/opt/SunStudioExpress/bin/cc
./configure
make
but in the following step appear the next error

# make install
make: Fatal error: Don't know how to make target `install'
Anonymous said…
gmake fails with "ifr_hwaddr" not present in any of ".h" files.....

# gmake
gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings -DVERSION=\"0.5.3\" -c -o sysdep.o sysdep.c
sysdep.c: In function `tun_get_hwaddr':
sysdep.c:684: error: structure has no member named `ifr_hwaddr'
gmake: *** [sysdep.o] Error 1


Not sure how get this ".h" file in Solaris...
Anonymous said…
I have the same problem in opensolaris snv_134

root@local:/install/vpnc-0.5.3$ gmake
gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings -DVERSION=\"0.5.3\" -c -o sysdep.o sysdep.c
sysdep.c: In function `tun_get_hwaddr':
sysdep.c:684: error: structure has no member named `ifr_hwaddr'
gmake: *** [sysdep.o] Błąd 1

help please.....
Anonymous said…
Hi Guru, Well I try to do step by step, but I have some doubt, for example:
Step 1.
1. Get the tun/tap driver from Kazuyoshi. This driver is used for creating a using between the client and the Cisco VPN router.. In what path I must be install it?

step 2.
The same problem
3. Download the vpnc client. This program handels the vpn connection. I've used the version 0.5.1.
In what path I must be install it


Step 3
5. Adjust installation paths (my personal preferences):
Makefile:
PREFIX=/opt/vpnc
ETCDIR=/opt/vpnc/etc
config.c (hardcoded locations):
Line 250: return "/opt/vpnc/etc/ssl/certs";
Line 270: return "/opt/vpnc/etc/vpnc-script";
Line 275: return "/var/run/vpnc.pid";
Line 541: ... : /opt/vpnc/etc/", ...
Line 760: ... "/opt/vpnc/etc/default.conf" ...
Line 761: ... "/opt/vpnc/etc/vpnc.conf" ...
gmake
gmake install

What do you want to do when say makefile?, where I do, what path.

Please explain me,
Regardles
Jake said…
I have a resolution for this compile time issue:
$ gmake
gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings -DCRYPTO_GNUTLS -DVERSION=\"0.5.3-451M\" -c -o sysdep.o sysdep.c
sysdep.c: In function `tun_get_hwaddr':
sysdep.c:684: error: structure has no member named `ifr_hwaddr'
gmake: *** [sysdep.o] Error 1

See this patch for wine http://bugs.winehq.org/show_bug.cgi?id=20714#c1

You need to replace the line in sysdep.c:
#elif defined(SIOCGIFHWADDR)
with
#elif defined(SIOCGIFHWADDR) && !defined(__sun)

This functionality changed as of OSOL build 125. I was pulling my hair out trying to figure out how I compilied it before.

Thought this might help someone.
