jasn Guru
Joined: 05 May 2005 Posts: 439 Location: Maryland, US
Posted: Thu May 05, 2005 4:36 pm Post subject: Cisco VPNClient stops working after a few seconds - [SOLVED]
Hi All,
I've moved over to an x86 Gentoo Linux machine for my work laptop. Most everyone at work uses a Win2K or XP desktop, and there are very few who use Mac OSX as their desktops. I've used the Cisco VPN client on both platforms and it works well. I even have the company-provided .pcf Profiles for both platforms.
My problem is now with getting my Gentoo laptop into our corporate intranet (mostly for email). I've emerged the Cisco VPN client successfully (after searching the threads here and finding a public spot to download the latest client from, 4.6.02.0030), and I can connect using either the Windows or Mac .pcf Profiles. I pull up our internal webpage and it works. I can click on links and surf our intranet, for about 30 seconds. Afterwards I can't find any internal webpages anymore, and if I had clicked on something during this period when the connection stops, I get timeouts. I'm a little curious as to whether or not our IT department's configuration of the VPN server "kicks" any "unauthorized" Linux boxes off of the net after a set amount of time. When I asked our IT group about supporting a Linux laptop, they mentioned that they don't suggest it, as they require all Linux boxes at HQ (I'm in the field) to have root access (and to explicitly deny the person using the box root access), at least for now.
I'm curious if anyone has any experience with the Cisco VPN client, and whether or not this "kicking off" scenario makes sense. Is there something I can try editing my .pcf profile with to try and stay connected? I looked at both the Windows and OSX .pcf files, and I can't notice anything especially different between them. I tried the ForceKeepAlives=1 option as another thread here suggested, but it did nothing for me. The reason I did this is because while the Windows client connects, the connection process checks to see if you have the IT-supplied firewall software running. If you don't, then in the notification message they alert you that you should have it running, but they don't stop the connection. For the OSX platform, there is no check and no notification beyond the standard VPN message. (That's why I thought I could make this connection using the Mac .pcf.)
Thanks
Last edited by jasn on Fri Jul 08, 2005 6:03 pm; edited 1 time in total

Praxxus Apprentice
Joined: 26 Nov 2002 Posts: 193 Location: Indiana, US
Posted: Thu May 05, 2005 8:54 pm Post subject: Suggestion:
Jasn,
I recommend you experiment with ditching the Cisco client entirely. In my experience, their Linux client has been like unto a pile of garbage. I use the "vpnc" client for Cisco 3000 VPN Concentrators, and it has been working really well for me. Its one big flaw right now is that it doesn't support rekeying, but our concentrator at work is set to rekey every 8 hours (the Cisco default). That's a lot better than 30 seconds! VPNC has the added bonus of letting you access the rest of the internet while you've got a VPN session going with work.
I had to write some scripts around it to make sure that traffic got sent to the right place, but that's easy to do, and I'd be glad to help you if you need it. There is also a decent front-end for KDE, kvpnc. Both of these apps are in Portage.
Note that you'll need your "Group" password to use vpnc. Fortunately, the vpnc homepage has a link to a password decoder(!) that can get that out of the way for you.
As for the kicking, I don't remember off the top of my head if you can configure the concentrators to do that. I'll have to double check. But my initial hunch is that the Linux client is junk. :-P

[Lx]-=Mystify=- Apprentice
Joined: 16 Mar 2004 Posts: 180
Posted: Thu May 05, 2005 9:54 pm Post subject:
Praxxus wrote: | In my experience, their Linux client has been like unto a pile of garbage. |
That's exactly my experience, but the Windows version is not better...
I do tutoring for about 60 people in our hostel at university... all Windows, and the Cisco VPN client makes a lot of problems...
Praxxus wrote: | VPNC has the added bonus of letting you access the rest of the internet while you've got a VPN session going with work. |
The Cisco VPN client lets you do this too, but you have to modify the profile, because the default profile delivered by Cisco disables the LAN access...
With vpnc I haven't had any problems until now... maybe rekeying will be implemented if enough people ask for it... the mail address of the guy who is developing it is vpnc (at) unix-ag.uni-kl.de...
I call on everyone who uses vpnc to write him an email asking him to please implement rekeying...
Praxxus Apprentice
Joined: 26 Nov 2002 Posts: 193 Location: Indiana, US
Posted: Fri May 06, 2005 1:44 pm Post subject:
[Lx]-=Mystify=- wrote: | I call on everyone who uses vpnc to write him an email asking him to please implement rekeying... |
An excellent suggestion! Will do.
jasn Guru
Joined: 05 May 2005 Posts: 439 Location: Maryland, US
Posted: Fri May 06, 2005 2:34 pm Post subject: Re: Suggestion:
Praxxus wrote: | Jasn,
I recommend you experiment with ditching the Cisco client entirely. In my experience, their Linux client has been like unto a pile of garbage. I use the "vpnc" client for Cisco 3000 VPN Concentrators, and it has been working really well for me. |
Thanks for this. I actually have been trying to get vpnc to work for me. I find that the documentation is almost non-existent though. But through googling, this is what I have done:
1) Rebuilt kernel (2.6.11 r7) with TUN module support
2) modprobe tun
3) edited /etc/vpnc.conf to include just: VPN server IP, Groupname, GroupPW, and Username
4) ran vpnc-connect. It asks me for my password and then connects me.
My problem is that my routing doesn't seem to be working. I gather I may need to do a "route add" command. But I'm lost on exactly what I should type. I read somewhere and tried "route add -net default dev tun0" but it didn't work. A route -n shows that I have a route for eth0 that has as its destination my VPN server IP, but my local LAN gateway IP. That can't be right. Can anyone help?
Praxxus Apprentice
Joined: 26 Nov 2002 Posts: 193 Location: Indiana, US
Posted: Fri May 06, 2005 2:55 pm Post subject:
Here are my vpnc scripts, which I hacked up from the ones that came with vpnc. I set it up so that ONLY the traffic for my work subnet ($vpn_subnet) goes over the tunnel. You'll need the "iproute" package to get "ip" installed.
Connect:
```bash
#!/bin/bash
# Used both ways: run by hand (VPNGATEWAY unset) it execs vpnc with itself as
# --script; vpnc then calls it back with VPNGATEWAY, TUNDEV and
# INTERNAL_IP4_ADDRESS set, and the routing part below runs.
tun_num=`echo $TUNDEV | cut -d n -f 2`
defr=/var/run/vpnc/default_route
gate=/var/run/vpnc/gateway
pid=/var/run/vpnc/pid
mytun=/var/run/vpnc/tundev
myconf=/etc/vpnc.conf
vpnc=/usr/bin/vpnc
vpn_subnet="xxx.xxx.xxx.0/20"      # work subnet: the only traffic sent through the tunnel
extra_ip="xxx.xxx.xxx.xxx/32"      # one extra host (Safari subscription) also routed through it
iptables="/sbin/iptables"
PID="$(cat "$pid" 2> /dev/null)"

# Strip the "cache" marker and metric from "ip route get" output so the rest
# can be fed straight back to "ip route add".
fix_ip_get_output () {
    sed 's/cache//;s/metric[0-9]\+ [0-9]\+//g' | xargs echo
}

if [ -z "$VPNGATEWAY" ] ; then
    # Not called back by vpnc yet: refuse to start twice, then hand over to vpnc.
    if [ "$PID" ] ; then
        if kill -0 "$PID" > /dev/null 2>&1; then
            echo "vpnc found running (pid: $PID, pidfile: $pid)"
            exit 1
        fi
    fi
    exec "$vpnc" --pid-file "$pid" --script "$0" "$@" $myconf || exit 1
fi

# Bring up the tunnel device with the address the concentrator assigned.
ifconfig $TUNDEV inet $INTERNAL_IP4_ADDRESS \
    pointopoint $INTERNAL_IP4_ADDRESS \
    netmask 255.255.255.255 mtu 1412 up
# Host route to the concentrator via the existing path, so the encrypted
# packets themselves never get routed into the tunnel.
ip route add $(ip route get $VPNGATEWAY | fix_ip_get_output)
# Remember the current default route; it is left untouched (split tunnel).
ip route | grep '^default' | fix_ip_get_output > "$defr"
# Only the work subnet and the extra host go through the tunnel.
ip route add to "${vpn_subnet}" dev $TUNDEV
ip route add to ${extra_ip} dev $TUNDEV
ip route flush cache
echo "$VPNGATEWAY" > "$gate"
echo "$TUNDEV" > "$mytun"
# Optional: let the LAN behind eth1 use the tunnel as well.
$iptables -A FORWARD -i $TUNDEV -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i eth1 -o $TUNDEV -j ACCEPT
$iptables -t nat -A POSTROUTING -o $TUNDEV -j MASQUERADE
exit 0
```
Note that in addition to my work subnet, there is an extra IP address routed through the tunnel. That's because work has a subscription to Safari, and it's nice to have access to that from home.
I also have some iptables rules at the end (optional), since I run the VPN from my firewalled gateway machine at home.
Disconnect:
```bash
#!/bin/bash
defr=/var/run/vpnc/default_route
gateway=/var/run/vpnc/gateway
pid=/var/run/vpnc/pid
mytun=/var/run/vpnc/tundev
VPN_SUBNET="xxx.xxx.xxx.0/20"
extra_ip="xxx.xxx.xxx.xxx/32"
iptables="/sbin/iptables"

if [ $# -ne 0 ]; then
    echo "Usage: $0" 1>&2
    exit 1
fi
PID=`cat "$pid" 2> /dev/null`
TUNDEV=`cat "$mytun" 2> /dev/null`
if [ -z "$PID" ]; then
    echo "no vpnc found running"
    exit 1
fi
if ! kill -0 "$PID" > /dev/null 2>&1; then
    echo "no vpnc found running"
    exit 1
fi
echo "Terminating vpnc daemon (pid: $PID)"
kill $PID
# Drop the host route to the concentrator; the routes over $TUNDEV vanish
# together with the device once vpnc has exited.
if [ -r "$defr" ]; then
    if [ -r "$gateway" ] ; then
        ip route del `cat "$gateway"`
    fi
    ip route flush cache
fi
# Clear all state files, not just two of them, so a later connect starts clean.
rm -f -- "$defr" "$pid" "$gateway" "$mytun"
# Remove the forwarding rules added on connect.
$iptables -D FORWARD -i $TUNDEV -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -D FORWARD -i eth1 -o $TUNDEV -j ACCEPT
$iptables -t nat -D POSTROUTING -o $TUNDEV -j MASQUERADE
exit 0
```
Note the removal of the iptables rules.
When tun0 is taken down by killing vpnc, all the associated routing info gets cleared when you flush the cache.
Hope these help!
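For the "what should I type" routing question, here is an added example (it is neither Praxxus's script nor vpnc's own vpnc-script) that builds the same split-tunnel route commands from the variables vpnc hands to its --script, but as functions that only print what they would run, so the result can be inspected before it is executed as root. The VPN_SUBNET name, the `vpn_apply` helper and the sample `ip route get` line in the comments are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not from the thread or vpnc. vpnc exports VPNGATEWAY, TUNDEV
# and INTERNAL_IP4_ADDRESS to its --script; VPN_SUBNET (assumed name) is the
# work subnet that should be the only traffic entering the tunnel.

# Turn the output of "ip route get <gateway>" into arguments for "ip route add":
# drop the "cache" marker and any "metric N", so the concentrator gets a host
# route via whatever path the kernel already uses for it.
fix_ip_get_output() {
    sed 's/cache//;s/metric \?[0-9]\+//g' | xargs echo
}

# Print, one per line, the commands a connect script would run.
# $1 gateway IP, $2 tunnel device, $3 inner address, $4 work subnet,
# $5 text of "ip route get $1" (passed in, so checking this needs no root).
plan_connect() {
    local gw="$1" dev="$2" addr="$3" subnet="$4" get_out="$5" gw_route
    gw_route=$(printf '%s\n' "$get_out" | fix_ip_get_output)
    echo "ifconfig $dev inet $addr pointopoint $addr netmask 255.255.255.255 mtu 1412 up"
    echo "ip route add $gw_route"          # host route to the concentrator
    echo "ip route add $subnet dev $dev"   # only work traffic enters the tunnel
    echo "ip route flush cache"            # the default route stays untouched
}

# Commands for disconnect; routes over the tunnel disappear with the device.
plan_disconnect() {
    echo "ip route del $1"
    echo "ip route flush cache"
}

# Real use from a vpnc-script: "vpn_apply connect" or "vpn_apply disconnect".
# Prints each command before running it, so the log shows what was done.
vpn_apply() {
    local plan
    case "$1" in
        connect)    plan=$(plan_connect "$VPNGATEWAY" "$TUNDEV" \
                        "$INTERNAL_IP4_ADDRESS" "${VPN_SUBNET:?set VPN_SUBNET}" \
                        "$(ip route get "$VPNGATEWAY")") ;;
        disconnect) plan=$(plan_disconnect "$VPNGATEWAY") ;;
        *)          return 0 ;;
    esac
    printf '%s\n' "$plan" | while read -r cmd; do echo "+ $cmd"; $cmd; done
}
```

Running `plan_connect` with a saved `ip route get` line shows the exact four commands before anything touches the routing table.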
jasn Guru
Joined: 05 May 2005 Posts: 439 Location: Maryland, US
Posted: Fri May 06, 2005 11:50 pm Post subject:
Praxxus wrote: | Here are my vpnc scripts, which I hacked up from the ones that came with vpnc. |
Praxxus,
Thanks for all the help. I'm sure that in the hands of someone more knowledgeable, it would have been sufficient. Unfortunately I wasn't able to get vpnc to work. I get a connection but my routing doesn't seem to work correctly. I tried both the installed vpnc-connect script and yours, but I just don't know enough about the networking configuration in Linux to know how to set up the routing. So until someone knows what the Cisco client may be doing and can offer a suggestion with that software here, or I spend some time learning enough to be able to configure vpnc to work (maybe someone will come up with a clear vpnc HowTo), I'm back to using the XP Cisco client, and Outlook for now.

micmac l33t
Joined: 28 Nov 2003 Posts: 996
Posted: Sat May 07, 2005 2:46 am Post subject:
Hi!
I didn't want binary crap in my Gentoo, so I started using vpnc. I put together an init script and a watchdog in case the connection somehow breaks. Here we go:
/etc/init.d/vpn:
```bash
#!/sbin/runscript
depend() {
    need net.eth0
}

start() {
    ebegin "Starting VPN"
    sleep 2
    # report vpnc's result, not only ifconfig's
    /usr/bin/vpnc-connect && ifconfig vpnlink mtu 1330
    eend $?
}

stop() {
    ebegin "Stopping VPN"
    /usr/bin/vpnc-disconnect
    local rc=$?
    sleep 2
    eend $rc
}
```
/etc/init.d/vpnwatchdog:
```bash
#!/sbin/runscript
depend() {
    after shorewall
}

start() {
    ebegin "Starting vpnwatchdog"
    start-stop-daemon --start \
        --background \
        --make-pidfile \
        --pidfile /var/run/vpnwatchdog.pid \
        --exec $WATCHDOG
    eend $? "Failed to start vpnwatchdog."
}

stop() {
    ebegin "Stopping vpnwatchdog"
    start-stop-daemon --stop --pidfile /var/run/vpnwatchdog.pid
    eend $? "Failed to stop vpnwatchdog."
}
```
/etc/conf.d/vpnwatchdog:
```bash
# Path to the VPN watchdog shellscript:
WATCHDOG="/usr/local/bin/vpnwatchdog.sh"
```
vpnwatchdog.sh:
```bash
#!/bin/bash
# Every 60 seconds send one ping to a machine on the internet (www.xxx.yyy.zzz
# is a placeholder); if there is no reply, restart the whole network.
while sleep 60; do
    ping www.xxx.yyy.zzz -c 1 -w 40 >/dev/null 2>&1 && RUN=1
    if [ -z "$RUN" ]; then
        logger -i -t vpnwatchdog -p local0.info "initializing full internet connection restart"
        # redirect order matters: ">/dev/null 2>&1" silences stdout and stderr
        /etc/init.d/net.eth0 stop >/dev/null 2>&1
        /etc/init.d/shorewall start >/dev/null 2>&1
    fi
    unset RUN
done
```
The watchdog sends one ping to an internet machine (www.xxx.yyy.zzz) every 60 seconds to see if the connection is alive. If that's not the case the whole internet stuff is shut down and afterwards restarted.
Maybe you can use it, too. The watchdog script is derived from a watchdog for VDR. There's an ebuild from which I got it.
Cheers
mic
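A variant of the watchdog idea above, added here as an example and not micmac's script: the probe and the restart action are parameters, a restart only happens after several consecutive failed probes (one lost ping should not tear the link down), and the redirections actually discard stderr. The host name and the init script in `watchdog_loop` are placeholders for your own setup.

```bash
#!/bin/bash
# Added example, not from the thread: "ping, and restart the link when it
# fails", with a consecutive-failure threshold. Host and init script below
# are placeholders.

FAILS=0   # consecutive failed probes so far

# $1 probe command, $2 restart command, $3 failures needed before restarting.
# Returns 0: link fine, 2: probe failed but below threshold, 1: link restarted.
watchdog_tick() {
    local probe="$1" restart="$2" threshold="$3"
    if $probe >/dev/null 2>&1; then          # stdout AND stderr discarded
        FAILS=0
        return 0
    fi
    FAILS=$((FAILS + 1))
    if [ "$FAILS" -lt "$threshold" ]; then
        return 2
    fi
    logger -i -t vpnwatchdog -p local0.info \
        "probe failed ${FAILS} times, restarting vpn" 2>/dev/null || true
    $restart >/dev/null 2>&1 || true
    FAILS=0
    return 1
}

# One probe a minute, as in the thread; three misses in a row (about three
# minutes) trigger a restart instead of a single lost ping.
watchdog_loop() {
    while sleep 60; do
        watchdog_tick "ping -c 1 -w 40 www.xxx.yyy.zzz" "/etc/init.d/vpn restart" 3 || true
    done
}
```

Point WATCHDOG in /etc/conf.d/vpnwatchdog at a script that calls `watchdog_loop` and the init script above runs it unchanged.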
Slavo Apprentice
Joined: 26 May 2005 Posts: 229
Posted: Wed Jun 01, 2005 6:19 pm Post subject:
Does it work when you add the scripts in /etc/init.d/ to the default runlevels?
And where is that file vpnwatchdog.sh located?
Slavo Apprentice
Joined: 26 May 2005 Posts: 229
Posted: Wed Jun 01, 2005 6:56 pm Post subject:
And also I did exactly the same as you did,
in the vpn script: /usr/bin/vpnc-connect /usr/net/xyz.conf #my vpnc config file
and deleted the line with ifconfig since I have no idea what that is. And it writes:
/etc/init.d/vpnwatchdog start
* ERROR: "/etc/init.d/vpnwatchdog" has syntax errors in it; not executing...
and the same for the vpn script.
Any idea why?
micmac l33t
Joined: 28 Nov 2003 Posts: 996
Posted: Wed Jun 01, 2005 7:19 pm Post subject:
Slavo wrote: | Does it work when you add the scripts in /etc/init.d/ to the default runlevels?
And where is that file vpnwatchdog.sh located? |
Its location must be what you write down in /etc/conf.d/vpnwatchdog (look above).
In case you don't use shorewall (a firewall) you have to change a line in vpnwatchdog.sh:
`/etc/init.d/shorewall start >/dev/null 2>&1`
to
`/etc/init.d/vpn start >/dev/null 2>&1`
And yes, add both vpn and vpnwatchdog to your default runlevel.
Last edited by micmac on Wed Jun 01, 2005 7:23 pm; edited 2 times in total
Slavo Apprentice
Joined: 26 May 2005 Posts: 229
Posted: Wed Jun 01, 2005 7:21 pm Post subject:
Got that one.
Any idea why it writes me a syntax error?
I just pasted the source code and did chmod 700 /etc/init.d/vpn
micmac l33t
Joined: 28 Nov 2003 Posts: 996
Posted: Wed Jun 01, 2005 7:26 pm Post subject:
`ifconfig vpnlink mtu 1330` just changes the MTU of your vpn device.
Slavo Apprentice
Joined: 26 May 2005 Posts: 229
Posted: Wed Jun 01, 2005 7:27 pm Post subject:
I have no idea what that is.
micmac l33t
Joined: 28 Nov 2003 Posts: 996
Posted: Wed Jun 01, 2005 7:28 pm Post subject:
Oh, and because you apparently don't use shorewall, you have to edit /etc/init.d/vpnwatchdog:
to
That may get rid of the "syntax error" message. MTU = Maximum Transfer Unit. 1300 is pretty standard for vpn afaik. Your VPN provider should be able to tell you the proper number. If the MTU is too big you should see messages about "too many packets" or "too large packets" in your syslog and the connection should become unstable.
Slavo Apprentice
Joined: 26 May 2005 Posts: 229
Posted: Wed Jun 01, 2005 7:36 pm Post subject:
Still the same. Here is the code:
```bash
#!/sbin/runscript
depend() {
    need net.eth0
}
start() {
    ebegin "Starting VPN"
    sleep 2
    /usr/bin/vpnc-connect /usr/net/xyz.conf
    ifconfig vpnlink mtu 1330
    eend $?
}
stop() {
    ebegin "Stopping VPN"
    /usr/bin/vpnc-disconnect
    sleep 2
    eend $?
}
```
and after I type:
```
# /etc/init.d/vpn start
* ERROR: "/etc/init.d/vpn" has syntax errors in it; not executing...
```
Why is that????
micmac l33t
Joined: 28 Nov 2003 Posts: 996
Posted: Wed Jun 01, 2005 7:42 pm Post subject:
I don't know. I checked and I have exactly the same script and it totally works. The permissions are correct, right? Can you see any additional info in dmesg after the error occurs?
Last edited by micmac on Wed Jun 01, 2005 7:44 pm; edited 1 time in total
Slavo Apprentice
Joined: 26 May 2005 Posts: 229
Posted: Wed Jun 01, 2005 7:43 pm Post subject:
This I don't know, I haven't worked with that, just copied chmod 700 from somewhere.
What are yours?
micmac l33t
Joined: 28 Nov 2003 Posts: 996
Posted: Wed Jun 01, 2005 7:45 pm Post subject:
Slavo wrote: | This I don't know, I haven't worked with that, just copied chmod 700 from somewhere.
What are yours? |
Same perms as the other scripts have.
will tell you.
Slavo Apprentice
Joined: 26 May 2005 Posts: 229
Posted: Wed Jun 01, 2005 7:46 pm Post subject:
Yeah, you are right, that's probably the error.
Btw, why do you have in the watchdog also a net.eth0 restart?
Slavo Apprentice
Joined: 26 May 2005 Posts: 229
Posted: Wed Jun 01, 2005 7:47 pm Post subject:
So now the problem is how to change permissions, but that's probably another topic.....
micmac l33t
Joined: 28 Nov 2003 Posts: 996
Posted: Wed Jun 01, 2005 7:49 pm Post subject:
Slavo wrote: | Yeah, you are right, that's probably the error.
Btw, why do you have in the watchdog also a net.eth0 restart? |
Either your vpn connection or your dhcp connection can break. That's why I restart both, in order to be sure that it works after the restart.
micmac l33t
Joined: 28 Nov 2003 Posts: 996
Posted: Wed Jun 01, 2005 7:51 pm Post subject:
Slavo wrote: | So now the problem is how to change permissions, but that's probably another topic..... |
`chmod 755 /etc/init.d/vpn`
`chmod 755 /etc/init.d/vpnwatchdog`
Slavo Apprentice
Joined: 26 May 2005 Posts: 229
Posted: Wed Jun 01, 2005 7:56 pm Post subject:
Thanks, it helped, but I still have the same error :(
micmac l33t
Joined: 28 Nov 2003 Posts: 996
Posted: Wed Jun 01, 2005 8:08 pm Post subject:
Slavo wrote: | Thanks, it helped, but I still have the same error :( |
Grab it from here:
Put it in /etc/init.d, change perms and try again. Maybe you just messed up the lines in your script.
Cheers
mic
Last edited by micmac on Wed Jun 01, 2005 8:28 pm; edited 1 time in total