Cisco VPN Client

jon.d@c2internet.net · Posted: Mon Feb 16, 2004 1:03 pm Post subject: Cisco VPN Client

Hi

Has anyone managed to get the Cisco VPN Client 4.0.3.B-k9 working on kernel 2.6.1?

Kind Regards

Jonathan C2

mikjik · Posted: Mon Feb 16, 2004 5:39 pm Post subject:

.
Yes, I got it working on kernel 2.6.0 and 2.6.1. But it broke when I went to 2.6.2. I dropped back to 2.6.1 and it works again.

When Googling the topic, I'm learned that it's not a Gentoo issue per se, but something in 2.6.2.

If someone knows how to make it work on 2.6.2+, let me know! :wink:

-MJ

.

cpdsaorg · Guru Joined: 16 Oct 2003 Posts: 359

is this working on 2.6.3??

hanzotutu · Apprentice Joined: 10 Apr 2003 Posts: 170

oops, my cisco-vpnclient-3des-4.0.3b-r2 works

sigSEGV2003 · Posted: Fri Feb 20, 2004 4:29 am Post subject:

I had it working on 2.6.0-2.6.2, but for some reason DNS resolution wouldn't work. Might have been a UDP only problem. I can't get it do anything but lock up my box with 2.6.3. If I have time, I'll open a TAC case with Cisco tomorrow and see 1) are they going to support 2.6 anytime soon and 2) who should fix this, kernel team or Cisco.

mikjik · Posted: Sat Feb 21, 2004 10:46 pm Post subject:

.
So what you doing in 2.6.2+ that I'm not doing? I had it working fine in 2.6.0/1, but it broke for me in 2.6.2/3. I used the same .config file across my kernel builds.

I can do a /etc/init.d/vpnclient start just fine and the module loads, but when I go to connect, it hangs. I'm never prompted for my username and password.

I've tweaked my kernel config to death trying to shake it loose.

-mikjik
.

zeky · Posted: Sun Feb 22, 2004 5:42 pm Post subject:

leszcz · n00b Joined: 03 Feb 2004 Posts: 20

Found on google :

http://tinyurl.com/2uaa8

I haven't tried it yet.

Berni · n00b Joined: 25 Aug 2003 Posts: 71

I have the exact same problem with "/etc/init.d/vpnclient start" working properly but "vpnclient connect" locking up the pc...I'm currently using gentoo-dev-sources 2.6.3_r1 and got everything else working fine on my notebook (stage1-install on a 450Mhz PIII rocks :lol:

) .
Did anyone try the "solution" linked by leszcz? I didn't understand what to do exactly (I'm german and didn't really understand what Pa6trick Toal said in this mailing list...) but if someone could tell me what to do I could try it...

leszcz · n00b Joined: 03 Feb 2004 Posts: 20

OK, I can confirm that solution found on google actually works for me (kernel 2.6.3).
What you have to do is to _reverse_ patch attached by Patric Toal :

net/core/dev.c

@@ -946,11 +996,29 @@
* The notifier passed is linked into the kernel structures and must
* not be reused until it has been unregistered. A negative errno code
* is returned on a failure.
+ *
+ * When registered all registration and up events are replayed
+ * to the new notifier to allow device to have a race free
+ * view of the network device list.
*/

int register_netdevice_notifier(struct notifier_block *nb)
{
- return notifier_chain_register(&netdev_chain, nb);
+ struct net_device *dev;
+ int err;
+
+ rtnl_lock();
+ err = notifier_chain_register(&netdev_chain, nb);
+ if (!err) {
+ for (dev = dev_base; dev; dev = dev->next) {
+ nb->notifier_call(nb, NETDEV_REGISTER, dev);
+
+ if (dev->flags & IFF_UP)
+ nb->notifier_call(nb, NETDEV_UP, dev);
+ }
+ }
+ rtnl_unlock();
+ return err;
}

/**

so my dev.c now is :

* Register a notifier to be called when network device events occur.
* The notifier passed is linked into the kernel structures and must
* not be reused until it has been unregistered. A negative errno code
* is returned on a failure.
*/

int register_netdevice_notifier(struct notifier_block *nb)
{
return notifier_chain_register(&netdev_chain, nb);
}

WARNING : I am completly unaware how this change affects kernel functionality.

Berni · n00b Joined: 25 Aug 2003 Posts: 71

Thanks a lot! It works perfectly now and i didn't experience any drawbacks from this change yet.

I have a rather offtopic-question and would be glad if someone could help me:
The vpn-connection shall be started automatically by a shell script. However, this doesn't work fully automatically because of the following:

joemc91 · n00b Joined: 04 Feb 2004 Posts: 38

Thanks so much for the post. This fix worked for the ck-2.6.1 source too.

rcast · n00b Joined: 22 Apr 2003 Posts: 39

Hello,

Just read an article which had a patch to the cisco client instead of the linux kernel and thought it may be of some use:

http://marc.theaimsgroup.com/?l=linux-kernel&m=107765601402527&w=2

Rene

wwc210 · n00b Joined: 06 Mar 2004 Posts: 5

What is the kernel or the cisco client supposed to look like at the end of the process? I have the 2.6.3 kernel. Can someone tell me how to apply the patch to either the kernel or the cisco client?

Berni · n00b Joined: 25 Aug 2003 Posts: 71

I have patched the kernel and I think that leszcz described it quite good. Open your net/core/dev.c file and search for "int register_netdevice_notifier(struct notifier_block *nb)". Then just delete these lines (alternatively you could also use a diff-file, but editing the file directly is better/easier/safer here I think...)

ponds · Posted: Tue Mar 09, 2004 5:44 pm Post subject:

Does anyone know if there is a way to get the new version other than through your VPN provider? I know that portage used make you fetch it manually from their site, and I assume it still does (I am computerless at the moment, waiting for ibm to ship my new laptop).

My university requires VPN client, and has some old version (like 3.2 or something), which definately does not work with 2.6, and getting them to get the new version for us is going to be an uphill battle.

denniruz · n00b Joined: 04 Mar 2004 Posts: 7 Location: Buffalo, NY

When I have something interactive that I need to start, I use a perl script and the expect perl module to do it-- It's not an elegant solution, but it works.
--Dennis

Berni · n00b Joined: 25 Aug 2003 Posts: 71

Yeah thanks. I already figured that out (but I'm just using "normal" expect and not the perl expect). My script to answer looks like that

denniruz · n00b Joined: 04 Mar 2004 Posts: 7 Location: Buffalo, NY

hehe-- Slick. Thanks for the info.

tbender · n00b Joined: 10 Mar 2004 Posts: 11

Hi

I downloaded and compiled ( on my linux2.6.3-system) the modiefied vpn-client( which was linked above). This new client, now does not lock my comp and i can connect normally to the vpn-gateway... It seems, that i can do everything normal, EXCEPT of dns-resolution!

The second solution posted, has the same problems....

Has anybody made similar experiences?

Thanx in advance,
Tobias.

joyman · n00b Joined: 24 Jan 2004 Posts: 1

I can confirm that the patch-version mentioned as second solution from Berni works for me (I didn't download the patched vpn-client-file, but ran the patch myself). I used a kernel 2.6.4-rc1.

I didn't have any problems with DNS-Resolution so far.

Try it again with that one. If you need more details please ask.

synack1337 · n00b Joined: 17 Mar 2004 Posts: 5

I emerged the -r3 ebuild for the cisco vpn client and it works great w/ gentoo-dev sources for 2.6.4....except for dns resolution.

i am able to ping/ssh/http to devices across the tunnel, but dns does not work. This includes direct dig/nslookup against the servers. The correct servers are listed in resolv.conf.

other udp traffic doesnt appear to work either (snmp queries)

i've verified that my traffic is reaching the other side, but its not coming back to me. I will do more reserach on this. my windows client works fine.

if anyone has any info, please contribute.

synack1337 · n00b Joined: 17 Mar 2004 Posts: 5

so check this out;

I was doing some snoops on the destination dns server. As I was looking through the packet details of my captured dns query, I see that the UDP checksum was incorrect.

I stepped back to the egress port of the last firewall the packets cross before hitting the dns server and did a capture, and again, incorrect udp checksum.

I took another step back and captured on the ingress port of this firewall, and again, incorrect udp checksum.

To eliminate the vpn tunnel, i did a local dns query w/ my local dns server and guess what...incorrect udp checksum. But I at least got a response from my query. (local dns server is a windows box, dns server across vpn is solaris/bind)

Is it a dns thing? I did a snmpwalk...and again incorrect udp checksum.

so either ethereal/libpcap has problems capturing udp packets, or something is broke elsewhere.

2.6.4-gentoo
libpcap 0.8
ethereal 10.2
3c59x.0

I'm not sure where I'm going to head next. I did some captures of a dnsquery on my windows box w/ winpcap 3.0 and ethereal 10.2 and the udp checksum is valid. Is this a known bug? maybe its cosmetic and there is something else wrong. not sure, but i'll poke around the libpcap/ethereal site.

if you have any suggestions, lets hear'em

synack1337 · n00b Joined: 17 Mar 2004 Posts: 5

the goal is to keep finding stuff out till someone just posts and tells me what the specific problem is

(and how to fix it)

so, 2.4.22-r7's udp packets pass checksum. same ver of all other utils.
this also means that dns worked for me across the tunnel (read as: the dns server accepted the packets becuase the had a correct checksum)

2.6.5-rc1 does not. (i thoguht it was worth a shot with all those network driver udpates )

so, something broke in 2.6.4+ w/ the net drivers/stack it seems. I'm guessing here, but what else is there?

d33k · n00b Joined: 11 Aug 2003 Posts: 13 Location: Jersey

Any update snizack?