Cisco Systems VPN 3000 Client -- Linux
Uninstalling an Old Client
This section describes how to uninstall the VPN client. You must uninstall an old VPN client for Solaris before you install a new VPN client. You are not required to uninstall an old VPN client for Linux or for Mac OS X before you install a new VPN client.
Uninstalling a VPN Client for Linux
To uninstall the VPN client for Linux:
a. Locate the script vpn_uninstall. This script must be run as root.
b. You are prompted to remove all profiles and certificates. If you answer yes, all binaries, startup scripts, certificates, profiles, and any directories that were created during the installation process are removed. If you answer no, all binaries and startup scripts are removed, but certificates, profiles, and the vpnclient.ini file remain.
Firewall Issues
If you are running a Linux firewall (for example, ipchains or iptables), be sure that the following types of traffic are allowed to pass through:
UDP port 500
UDP port 10000 (or any other port number being used for IPSec/UDP)
IP protocol 50 (ESP)
TCP port configured for IPSec/TCP
Troubleshooting Tip
The following two lines might be added by default by your Linux installation. On Red Hat, they are written to the file /etc/sysconfig/ipchains. These two rules reject UDP traffic to ports 0 through 1023 (which includes port 500) and to port 2049, so they can prevent the VPN client's UDP traffic from passing through.
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
If you have problems with UDP traffic, first delete the above two lines, then enter the following two commands:
/etc/init.d/ipchains stop
/etc/init.d/ipchains start
Note: ipchains might be replaced by iptables, or it might be located in a different directory on your Linux distribution.
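The following added example (not part of the original Cisco or Maricopa documentation) checks an ipchains configuration for input-chain UDP rules whose destination port range covers a port the VPN client needs, so the two default rules above can be found before the tunnel fails. The sample configuration is constructed; the port list and the rule syntax follow the page.

```python
import re

# Constructed sample of an /etc/sysconfig/ipchains file: the two default
# rules the page warns about plus one unrelated TCP rule (not a real host).
SAMPLE_IPCHAINS = """\
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 22 -j ACCEPT
"""

# UDP ports the VPN client needs open: 500 and 10000 (IPSec/UDP default).
VPN_UDP_PORTS = (500, 10000)

# Matches "-A <chain> -p <proto> -s <src> -d <dst> [port|low:high] -j <target>"
RULE_RE = re.compile(
    r"-A\s+(?P<chain>\S+)\s+-p\s+(?P<proto>\S+)\s+-s\s+\S+\s+-d\s+\S+"
    r"(?:\s+(?P<ports>\d+(?::\d+)?))?\s+-j\s+(?P<target>\S+)"
)


def port_range(spec):
    """Turn an ipchains port spec ('0:1023' or '2049') into (low, high)."""
    if ":" in spec:
        low, high = spec.split(":", 1)
        return int(low), int(high)
    return int(spec), int(spec)


def blocking_rules(config_text, ports=VPN_UDP_PORTS):
    """Return (rule, port) pairs for input-chain UDP rules that REJECT or
    DENY a destination port the VPN client depends on."""
    hits = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m or m["chain"] != "input" or m["proto"] != "udp":
            continue
        if m["target"] not in ("REJECT", "DENY"):
            continue
        if m["ports"] is None:
            low, high = 0, 65535  # no port given: rule covers every UDP port
        else:
            low, high = port_range(m["ports"])
        for port in ports:
            if low <= port <= high:
                hits.append((line, port))
    return hits
```

Running blocking_rules over the sample flags only the 0:1023 rule, because it covers port 500; the port 2049 rule does not touch either VPN port.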
Installing the VPN Client for Linux
Before you install a new version of the VPN client, or before you re-install your current version, you must use the stop command to disable the VPN service.
If you are upgrading from the VPN 5000 client to the VPN client, use the following stop command:
/etc/rc.d/init.d/vpn stop
If you are upgrading from the VPN 3000 client to the VPN client, use the following stop command:
/etc/rc.d/init.d/vpnclient_init stop
To install the VPN client for Linux:
Step 1 Obtain superuser privileges to run the install script.
Step 2 Enter the following commands:
cd vpnclient
./vpn_install
Step 3 At the prompt, choose a directory in which to install the VPN client. Use the default directory (by pressing Enter), or choose a directory in your user's path.
Step 4 Enable the VPN service by using one of the following methods:
Reboot your computer.
Enable the service without rebooting by entering the following command:
/etc/rc.d/init.d/vpnclient_init start
VPN Client for Linux Install Script Notes
During the installation process:
1. The module is compiled, linked, and copied to either the directory /lib/modules/preferred/CiscoVPN, if it exists, or to /lib/modules/system/CiscoVPN, where system is the kernel version.
2. The application binaries are copied to the specified destination directory.
3. The startup file /etc/rc.d/init.d/vpnclient_init is created to enable and disable the VPN service.
4. The links /etc/rc3.d/s85vpnclient and /etc/rc5.d/s85vpnclient are added to run level 3 and level 5 if startup at boot time is requested. These links allow the tunnel server to start at boot time and run in levels 3 and 5.
User Profiles
There are two ways to create a user profile:
Use a text editor to modify the sample profile that comes with the VPN client installer and rename it.
Create a unique user profile using a text editor.
User profiles have a .pcf file extension and reside in the default location, the /etc/CiscoSystemsVPNClient/Profiles/ directory. There is only one user profile per connection.
Tip: User profiles for the VPN client are interchangeable between platforms.
Sample Profile
The VPN client software is shipped with a sample user profile. The file is named sample.pcf and is located in /etc/CiscoSystemsVPNClient/Profiles/. The following is an example of a sample user profile that might be shipped with your installer.
[main]
Description= MCCCD VPN
Host=10.7.44.1 (Change to the MCCCD VPN Host name)
AuthType=1
GroupName= MCCCD VPN Group Name
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=gawf
SaveUserPassword=0
EnableBackup=0
BackupServer=
EnableNat=0
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
DHGroup=2
ForceKeepAlives=0
To modify the sample profile:
Step 1 Using a text editor, open the sample user profile.
Step 2 Modify the keywords you want to change. See your administrator for IP addresses, user name, and any security information.
Step 3 Save your new profile with a unique name in the /etc/CiscoSystemsVPNClient/Profiles/ directory. When you use the vpnclient connect command to establish a connection, use your new profilename.
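Before a modified profile is dropped into the Profiles directory, it is worth checking it for the keywords this page calls out: a Host value that still carries the sample's placeholder text, and SaveUserPassword, which the page notes causes the user password to be saved locally. The following is an added example written for this page (not Cisco's or Maricopa's code); it treats a nonzero SaveUserPassword as "password cached" and DHGroup=1 as the weakest IKE group, both of which are assumptions about how the client interprets those keywords. The profile text is constructed from the page's sample.

```python
import configparser
import re

# Constructed .pcf profile modelled on the page's sample (not a real deployment).
# The Host placeholder, SaveUserPassword=1 and DHGroup=1 are deliberate problems.
SAMPLE_PCF = """\
[main]
Description=MCCCD VPN
Host=10.7.44.1 (Change to the MCCCD VPN Host name)
AuthType=1
GroupName=MCCCD VPN Group Name
Username=gawf
SaveUserPassword=1
EnableNat=0
DHGroup=1
"""

# A usable Host is a bare hostname or IPv4 address, with no spaces or notes.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def load_profile(text):
    """Parse a .pcf profile (INI syntax, [main] section) into a dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep keyword case exactly as written
    parser.read_string(text)
    return dict(parser["main"])


def audit_profile(text):
    """Return a list of findings a reviewer should resolve before use."""
    p = load_profile(text)
    findings = []
    for key in ("Host", "GroupName", "AuthType"):
        if not p.get(key):
            findings.append(f"missing required keyword {key}")
    host = p.get("Host", "")
    if host and not HOST_RE.match(host):
        findings.append("Host still contains placeholder text; set the real gateway")
    # Assumption: any value other than 0 means the password is cached on disk.
    if p.get("SaveUserPassword", "0") != "0":
        findings.append("SaveUserPassword enabled: user password cached on the workstation")
    # Assumption: DHGroup=1 selects the weakest IKE Diffie-Hellman group.
    if p.get("DHGroup") == "1":
        findings.append("DHGroup=1 selects the weakest IKE group; prefer DHGroup=2 or higher")
    return findings
```

audit_profile(SAMPLE_PCF) reports three findings; fixing the Host line, SaveUserPassword and DHGroup yields an empty list.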
Displaying a List of VPN Client Commands
To display a list of available VPN client commands, go to the directory that contains the VPN client software and enter the vpnclient command at the command line prompt. The following example shows the command and the information that is displayed.
%vpnclient
Cisco Systems VPN Client Version 3.0.7
Copyright (C) 1998-2001 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686
Usage:
vpnclient connect profilename [nocertpwd] [eraseuserpwd]
vpnclient disconnect
vpnclient stat [reset] [traffic] [tunnel] [route] [repeat]
To establish a connection, enter the following command:
vpnclient connect profilename [nocertpwd] [eraseuserpwd]
Profilename is the name of the user profile configured for this user (.pcf file). This parameter is required. Enter your profilename without the .pcf file extension. If your profilename contains spaces, enclose it in double quotation marks on the command line.
If your user profile is configured with the SaveUserPassword keyword set to the default, the password is saved locally. The eraseuserpwd keyword erases the user password that is saved on the VPN client workstation, forcing the VPN client to prompt you for a password. The eraseuserpwd keyword is an optional parameter that returns the VPN client to a state that requires you to enter a password each time you try to establish a connection.
The nocertpwd keyword suppresses the prompt for a certificate password.
For more information on profilename keywords, see the "User Profile Keywords" section.
Depending on the parameters that have been configured in your user profile, you are prompted for the following passwords:
Group password
User name
User password
If your VPN client has been configured to use SecurID or RADIUS authentication, you are prompted for those passwords. See your administrator for any security information.
When the connection is established, the VPN Client window stays in the foreground to allow the VPN client to be reauthenticated during a rekey by the VPN device. To send the VPN Client window to the background, press Ctrl-Z followed by the bg command at the command line prompt.
Disconnecting the VPN Client
To disconnect from your session, use one of the following methods:
Enter the following command:
vpnclient disconnect
The following example shows the command that disconnects you from your secure connection and the prompt that appears when you are not connected.
vpnclient disconnect
Disconnecting the IPSEC link.
Your IPSec link is not connected.
Press Ctrl-C while you are in the VPN Client window.
Displaying VPN Client Statistics
To generate status information about your connection, enter the following command:
vpnclient stat [reset] [traffic] [tunnel] [route] [repeat]
If you enter this command without any of the optional parameters, the vpnclient stat command displays all status information. The optional parameters are described in Table 4-1.
Table 4-1: Optional Parameters to the VPN Client Stat Command
| Parameter | Description |
| --- | --- |
| reset | Restarts all connection counts from zero. |
| traffic | Displays a summary of bytes in and out, packets encrypted and decrypted, and packets discarded. |
| tunnel | Displays IPSec tunneling information. |
| route | Displays configured routes. |
| repeat | Provides a continuous display, refreshing it every few seconds. To end the display, press Ctrl-C. |
Examples
This section shows examples of output from the different options for the vpnclient stat command.
No Options
The following is a sample output from the vpnclient stat command with no options.
vpnclient stat
IPSec tunnel information.
Client address: 209.154.64.50
Server address: 10.10.32.32
Encryption: 168-bit 3-DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is active on port 5000
VPN traffic summary.
Time connected: 0 day<s>, 00:18.32
Bytes out: 3420
Bytes in: 3538
Packets encrypted: 23
Packets decrypted: 57
Packets bypassed: 102
Packets discarded: 988
Configured routes
Secured Network Destination Netmask Bytes
* 10.10.32.32 255.255.255.255 7638
* 0.0.0.0 0.0.0.0 1899
Reset Option
To reset all connection counters, use the vpnclient stat reset command.
vpnclient stat reset
Tunnel statistics have been reset.
Traffic Option
The following is a sample output from the vpnclient stat command with the traffic option.
vpnclient stat traffic
VPN traffic summary
Time connected: 0 day<s>, 00:30:04
Bytes out: 5460
Bytes in: 6090
Packets encrypted: 39
Packets decrypted: 91
Packets bypassed: 159
Packets discarded: 1608
Tunnel Option
The following is a sample output from the vpnclient stat command with the tunnel option. The vpnclient stat tunnel command shows only tunneling information.
vpnclient stat tunnel
IPSec tunnel information.
Client address: 220.111.22.30
Server address: 10.10.10.1
Encryption: 168-bit 3-DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is active on port 5000
Route Option
The following is a sample output from the vpnclient stat command with the route option.
vpnclient stat route
Configured routes
Secured Network Destination Netmask Bytes
* 10.10.02.02 255.255.255.255 17638
* 0.0.0.0 0.0.0.0 18998
Getting Additional Help
Please contact the Help Desk if you have any questions, via email at helpdesk@domail.maricopa.edu or by calling (480) 731-8632.