VPNC and the UIUC Network

Introduction:

This guide describes the setup and configuration of the VPNC client on Fedora Core 4 for use with the UIUC network. VPNC is an open-source alternative to the Cisco VPN client that is compatible with Cisco's EasyVPN equipment. Its advantage is that it runs entirely in userspace and introduces no tainted module into the kernel: it talks to the standard TUN module/interface, so there is nothing to recompile each time you upgrade the kernel. VPNC is in the standard fedora-extras repository, so you can install it with yum. The only potential disadvantage is that rekeying is not supported at this point in time, which means you may have to restart it after several hours. I am currently using VPNC 0.3.3.

Configuration:

Once you have VPNC installed you will want to create configuration files for your VPN profiles. The default configuration file is /etc/vpnc/default.conf. I removed this file and created two new ones. The first one is based on the UIUCnet-offcampus.pcf file distributed by CITES for the Cisco VPN client:

# /etc/vpnc/offcampus.conf
# Based on UIUCnet-offcampus.pcf
IPSec gateway 130.126.144.3
IPSec ID Remote1
IPSec secret grouppassword
Xauth username myusername

The grouppassword on the "IPSec secret" line is the clear-text version of the group password that UIUCnet-offcampus.pcf stores in encrypted form; how to decode it is described in the next section. The myusername on the "Xauth username" line is your bluestem login, and the client prompts for your bluestem password when it starts. Leave the line out if you would rather be prompted for the username each time as well. To use the online journals you need a profile that disables split tunneling and sends all traffic over the VPN, not just traffic for campus addresses. It runs slower, but every connection then originates from a UIUC IP, which is what lets you reach the journals. For library access I created /etc/vpnc/library.conf, based on UIUCnet-library.pcf:

# /etc/vpnc/library.conf
# Based on UIUCnet-library.pcf
IPSec gateway 130.126.144.3
IPSec ID Wireless1
IPSec secret grouppassword
Xauth username myusername

Once again you need the clear-text version of the group password, and this one differs from the one used in the previous profile. Both files hold a shared secret in the clear, so keep them owned by root and readable by root only (chmod 600).

Decoding the group password:

There are a few ways to recover the group password from the UIUCnet-*.pcf files. The first is to install the Cisco VPN client, start a connection and catch the decrypted password as it is passed between library calls, using ltrace:

# ltrace -i vpnclient connect UIUCnet-offcampus 2>&1 | more

The second way is to paste the encrypted value (the enc_GroupPwd line of the .pcf file) into the following webform: Cisco-Decode. This does the same thing, but you don't have to install the Cisco client. I personally recommend this method since it is easier, and the encrypting of the group password is really false security since anyone could easily decode it. Bear in mind that whatever you paste is disclosed to that site; it matters little here, because the group password is a shared secret for everyone using the profile rather than a personal credential, and everything needed to decode it is carried inside the encrypted value itself.

For people using UIUCnet, CITES has posted the decrypted group password on their website.
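To see why the encryption is false security, here is a decoder you can run offline. This is an added example written for this page, not code from the VPNC project, from CITES or from the Cisco-Decode form. It follows the reversible scheme that vpnc's cisco-decrypt tool implements, as I understand it: a 20-byte seed at the front of the blob doubles as the 3DES-CBC IV and as the input to the key derivation, bytes 20-39 are a SHA-1 of the ciphertext, and the rest is PKCS#5-padded ciphertext. The standard library has no DES, so it uses pycryptodome or, failing that, the cryptography package. The encode_group_password() helper and the fixed seed are mine, used only to construct a demo blob; no real UIUC value appears here.

```python
"""Recover the clear-text group password from a Cisco VPN client .pcf
profile (the enc_GroupPwd line), offline.

Added example for this page; not code from the VPNC project, CITES or
the Cisco-Decode form. Layout and key derivation follow the reversible
scheme that vpnc's cisco-decrypt implements, as understood by the editor:

    bytes  0..19  h1      random seed; h1[:8] is also the 3DES-CBC IV
    bytes 20..39  digest  SHA-1 of the ciphertext (integrity check)
    bytes 40..    ct      3DES-CBC ciphertext, PKCS#5 padded to 8 bytes
    key = SHA1(h1 with last byte +1) || SHA1(h1 with last byte +3)[:4]

Everything the decoder needs is inside the blob, which is why the
obfuscation protects nothing. The blob built in __main__ is constructed
with encode_group_password() and a fixed seed; it is not a real value.
"""
import hashlib


def _des3_cbc(key: bytes, iv: bytes):
    """Return (encrypt, decrypt) callables for raw 3DES-CBC, no padding.

    Uses pycryptodome when installed, else the 'cryptography' package.
    """
    try:
        from Crypto.Cipher import DES3

        def enc(data: bytes) -> bytes:
            return DES3.new(key, DES3.MODE_CBC, iv).encrypt(data)

        def dec(data: bytes) -> bytes:
            return DES3.new(key, DES3.MODE_CBC, iv).decrypt(data)
    except ImportError:
        try:  # cryptography >= 43 moved TripleDES here
            from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
        except ImportError:
            from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
        from cryptography.hazmat.primitives.ciphers import Cipher, modes

        def _run(ctx, data: bytes) -> bytes:
            return ctx.update(data) + ctx.finalize()

        def enc(data: bytes) -> bytes:
            return _run(Cipher(TripleDES(key), modes.CBC(iv)).encryptor(), data)

        def dec(data: bytes) -> bytes:
            return _run(Cipher(TripleDES(key), modes.CBC(iv)).decryptor(), data)
    return enc, dec


def derive_key(h1: bytes) -> bytes:
    """24-byte 3DES key derived from the 20-byte seed at the front of the blob."""
    if len(h1) != 20:
        raise ValueError("seed must be 20 bytes")
    seed = bytearray(h1)
    seed[19] = (seed[19] + 1) & 0xFF          # seed with last byte + 1
    k1 = hashlib.sha1(seed).digest()
    seed[19] = (seed[19] + 2) & 0xFF          # seed with last byte + 3
    k2 = hashlib.sha1(seed).digest()
    return k1 + k2[:4]


def decode_group_password(enc_hex: str) -> str:
    """Decode an enc_GroupPwd hex string; raises ValueError on a corrupt blob."""
    blob = bytes.fromhex(enc_hex.strip())
    if len(blob) < 48 or (len(blob) - 40) % 8:
        raise ValueError("blob too short or ciphertext not a multiple of 8 bytes")
    h1, digest, ct = blob[:20], blob[20:40], blob[40:]
    if hashlib.sha1(ct).digest() != digest:
        raise ValueError("integrity hash mismatch: not an intact enc_GroupPwd value")
    _, dec = _des3_cbc(derive_key(h1), h1[:8])
    pt = dec(ct)
    pad = pt[-1]
    if not 1 <= pad <= 8 or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding after decryption")
    return pt[:-pad].decode("latin-1")


def encode_group_password(password: str, seed: bytes) -> str:
    """Inverse of the above, used here only to build a demo blob (the Cisco
    client picks its own random seed). Returns the upper-case hex a .pcf holds."""
    data = password.encode("latin-1")
    pad = 8 - len(data) % 8
    data += bytes([pad]) * pad
    enc, _ = _des3_cbc(derive_key(seed), seed[:8])
    ct = enc(data)
    return (seed + hashlib.sha1(ct).digest() + ct).hex().upper()


if __name__ == "__main__":
    demo_seed = bytes(range(20))                      # constructed, not random
    blob = encode_group_password("grouppassword", demo_seed)
    print("enc_GroupPwd=" + blob)
    print("GroupPwd=" + decode_group_password(blob))
    tampered = blob[:-2] + ("00" if blob[-2:] != "00" else "11")
    try:
        decode_group_password(tampered)
    except ValueError as err:
        print("tampered blob rejected:", err)
```

Paste a real enc_GroupPwd string into decode_group_password() to check it against what CITES publishes; a flipped byte anywhere in the ciphertext fails the SHA-1 check before decryption is attempted.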

Running as a regular user:

On my laptop I allow anyone logged in at the console to start and stop network interfaces. Since the VPN is just an extension of the network, I decided to apply the same policy to starting and stopping the VPN connection. To let non-root users start and stop VPNC I used consolehelper and PAM, essentially by cloning the security policy for the "reboot" command:

  1. Create symbolic links in /usr/bin:
    [root@localhost]# ln -s /usr/bin/consolehelper /usr/bin/vpnc
    [root@localhost]# ln -s /usr/bin/consolehelper /usr/bin/vpnc-disconnect

  2. Create entries in /etc/security/console.apps:
    [root@localhost]# cp -a /etc/security/console.apps/reboot \
                            /etc/security/console.apps/vpnc
    [root@localhost]# cp -a /etc/security/console.apps/reboot \
                            /etc/security/console.apps/vpnc-disconnect

  3. Create entries in /etc/pam.d:
    [root@localhost]# cp -a /etc/pam.d/reboot \
                            /etc/pam.d/vpnc
    [root@localhost]# cp -a /etc/pam.d/reboot \
                            /etc/pam.d/vpnc-disconnect

That's all it takes. You should now be able to start and stop the VPN client as a regular user with the "vpnc" and "vpnc-disconnect" commands. Underneath, /usr/bin/vpnc is consolehelper: it authenticates you against /etc/pam.d/vpnc and then runs the real /usr/sbin/vpnc as root with the arguments you supplied. Two things follow from cloning the reboot policy: access is granted on console ownership rather than by password, and the console user gets every option the root-run vpnc accepts, including configuration files other than the two profiles above. On a single-user laptop that is exactly the stated policy; on a shared machine, write a stricter PAM policy for vpnc instead of copying reboot's.


Last Updated: 18-Aug-05