VPN clients
From UA Wiki
You would like to connect to the UA network from your home or abroad? Then the UA's VPN service is for you.
Establishing a VPN connection to the campus will redirect all network traffic of your computer, wherever it may be, through the university network. You will get an IP address of the UA domain, and in general, your computer will act as if it were physically attached to the campus network.
This can be useful for getting access to restricted services, such as SMTP access for sending mails with your UA account, accessing servers, downloading software (e.g., Microsoft Office) and so on.
Browser
Browser-only access
To consult the library's databases and journals, you can use any browser to access:
Use your UA credentials and make sure to choose "GROUP" to be "1-WebProxy".
Full VPN access
It is also possible to get full VPN via Cisco's browser application AnyConnect. Compared to the methods described in the other sections below, this has the advantage that it will work virtually anywhere as the requirements on the network are minimal (only port 443 needs to be open).
To use it, log in at
with "GROUP" set to "2-AnyConnectClient". This will start the installer (see screen shot on the right). Note that your system has to have Java support in the browser for this to work.
There are problems reported with 64bit Linuxes, see for example
- Using Cisco AnyConnect VPN Client in Ubuntu Jaunty 64-bit,
- Gentoo forums: Cisco AnyConnect VPN fails on AMD64.
This capability is described here on the UA sites as well (Dutch).
Microsoft Windows
Installation
First, get the installation file as linked on [1] (file name such as vpnclient-win-msi-5.0.05.0290-k9.exe or newer). Execute this installation file.
Configuration
The client needs to be configured for access to the UA net. The recommended way to do so is the following.
- Download the configuration file (login required).
- Open the client, click on Import, and provide it with the just downloaded file.
A new entry in the list will be created for you.
Although more tedious, the configuration can also be added manually with the data as given in the following screen shots
Usage
As soon as the configuration is done, you can actually start using it.
- Select the connection VPNUA-NEW (as configured in the previous step) and click on connect.
- You will be prompted for your UA user name and UA password.
- Success! A lock will appear next to VPNUA-NEW to indicate a successful connection.
You can also check at popular IP address checkers (such as www.whatismyip.com) to see if your IP is now within the UA range (143.*).
Mac OS X
10.4 (Tiger)
Upgrade to 10.5 (Leopard) or 10.6 (Snow Leopard) recommended.
10.5 (Leopard)
The standard method described on UA-InfoCenter-VPN works, but the Cisco VPNClient is out of date.
10.6 (Snow Leopard)
The standard method described on UA-InfoCenter-VPN should work, but the Cisco VPNClient is out of date and quite probably not compatible with Snow Leopard. Hence it's much easier and recommended to use OS X's built-in VPN functionality:
- Go to Network in System Preferences and add a network interface by clicking on the + button. Choose VPN as interface, Cisco IPSec as type and provide it with some suitable service name.
- After creating the VPN interface provide the address of the new UA VPN server: vpnua.ua.ac.be and your UA user name.
- In Authentication Settings... fill in the credentials you got out of the UA config file (login required).
- Fill in the Shared Secret field from the GroupPwd field in the PCF file. In the case that the PCF file only provides an encoded version of the group password (enc_GroupPwd) you may decode it using e.g. [2]
- Enter "UAntwerpen" under Group Name
- Clicking Connect should greet you with an authentication window to provide your UA user name and password. You should be able to connect now.
Linux
Unfortunately, again, the UA doesn't provide any official Linux support for this. However, the necessary software is provided for download and with the help of the following instructions, you will manage to successfully build a VPN connection.
There are several possibilities to connect to the UA's internal network from outside the university.
Classically, one would have used the proprietary Cisco client, but this has been less than optimal as Cisco does not cooperate with Linux as well as it could. Quite luckily, the new UA VPN server permits connections with the ever more popular vpnc client, which also interfaces with the ever more popular NetworkManager.
All methods are described here, and it is highly recommended for any UA Linux user to first check out the NetworkManager/vpnc way.
NetworkManager
With the help of NetworkManager, configuring the VPN connection to the UA is straightforward. It is demonstrated here with Gnome's nm-applet, the NetworkManager front-end.
- Fill in the connection data. To this end, right-click on the nm-applet logo, "Edit connections...", and choose VPN. You have two possibilities now, the first one being for the lazy.
- Choose "Import" and feed the interface with the file you got here (UA user name and password required). All the data should be filled in automatically.
vpnc
The new VPN server has been running since April 2009. As stated on the UAnet site, the service is still in BETA phase, but it appears to be pretty stable already.
The big advantage for Linux users is that the proprietary Cisco client is no longer required to connect to the internal UA net; the free and open source vpnc is enough.
The installation steps are:
- Install vpnc. The method to do so might vary from distribution to distribution. If vpnc is correctly installed, you'll get something like this
| Code: vpnc --version |
vpnc version 0.5.3
Copyright (C) 2002-2006 Geoffrey Keating, Maurice Massar, others
vpnc comes with NO WARRANTY, to the extent permitted by law.
You may redistribute copies of vpnc under the terms of the GNU General Public License.
For more information about these matters, see the files named COPYING.
Built with openssl (certificate) support. Be aware of the license implications.
Supported DH-Groups: nopfs dh1 dh2 dh5
Supported Hash-Methods: md5 sha1
Supported Encryptions: null des 3des aes128 aes192 aes256
Supported Auth-Methods: psk psk+xauth hybrid(rsa)
|
- Get the certificate at UA's VPN distribution site (link at the bottom, or click here).
The format of the configuration file is Microsoft's PCF; to get a vpnc compliant format, apply
If the pcf2vpnc command is not available, you can install it using the following steps:
curl -O http://svn.unix-ag.uni-kl.de/vpnc/trunk/pcf2vpnc
chmod +x pcf2vpnc
Note that you can optionally insert your UA username and password to avoid the need of typing it in each time you want to connect.
- Move the just created file ua.conf to a location where vpnc can find it. That would typically be /etc/vpnc/.
- Connect to the UA net via (as root)
Give your UA username and password, and you should have a connection with the UA already. You are set if ifconfig tells you
| Code: ifconfig -a |
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:143.169.136.28 P-t-P:143.169.136.28 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1412 Metric:1
RX packets:9610 errors:0 dropped:0 overruns:0 frame:0
TX packets:7388 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:9370697 (8.9 MiB) TX bytes:762466 (744.5 KiB)
|
All traffic will go through the VPN connection now.
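If you store your password in ua.conf as mentioned above, the file holds your credentials and the group secret in plain text. The following check, an added example that is not part of the original page, reports whether such a file is readable by other users; the function name is made up for this example, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: report whether a vpnc config that stores secrets is
# readable by anyone other than its owner.
# Return codes: 0 = fine, 1 = secrets exposed to group/other, 2 = file missing.
check_vpnc_conf() {
    conf=${1:-/etc/vpnc/ua.conf}
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # vpnc keys that carry credentials: "IPSec secret", "Xauth password"
    # (and their "obfuscated" variants)
    if ! grep -Eiq '^(IPSec|Xauth) .*(secret|password)' "$conf"; then
        echo "$conf: no stored secrets"
        return 0
    fi

    mode=$(stat -c %a "$conf")    # GNU stat, prints e.g. 600 or 644
    case $mode in
        0|*00)
            # no permission bits set for group or other
            echo "$conf: mode $mode, secrets readable by owner only"
            return 0 ;;
        *)
            echo "$conf: mode $mode exposes secrets; run: chmod 600 $conf" >&2
            return 1 ;;
    esac
}
```

Run `check_vpnc_conf` without arguments to test /etc/vpnc/ua.conf, or pass another path.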
When you would like to terminate the connection, type
Cisco VPN
Before we start, make sure you fetched the following files from the UA net:
- the binaries for the Cisco VPN client, vpnclient-linux-x86_64-4.8.01.0640-k9.tar.gz
Note: If you're looking for Cisco's latest version 4.8.02.0030-k9 of the client which brings several improvements for the latest Linux kernels, you won't find it at the UA (yet?). The ICT has been made aware of that several times since August 2008, but no reaction so far.
You can look for newer Cisco versions at this unofficial cisco-patches site. The version 4.8.01.0640 with 2.6.24+ and 64-bit patch worked for me on 2.6.27 on 64-bit. If you are running Ubuntu and have an error message about "CFLAGS", change all CFLAGS in the Makefile to EXTRA_CFLAGS.
- the profile file,
- the root certificate of the UA net (md5sum 291edfe174aed1b44bb131798e6ae2aa),
- and the user certificate (md5sum 0d152707a35a4051ccb749eeafc2926e).
All these files are necessary to get VPN running. The profile needs to be copied to
/etc/opt/cisco-vpnclient/Profiles/
and it is advisable, though not strictly necessary, to put the certificates into /etc/opt/cisco-vpnclient/Certificates/. It is from now on assumed that the files are found there.
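A way to check the two certificate files against the checksums listed above before importing them, as an added example that is not part of the original page. It assumes the files carry the names used in the import steps further down (uanetroot.der and vpnclient_pwd_UANET.pfx) and sit in the Certificates directory; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: compare a downloaded file's MD5 with a published value
# before handing it to cisco_cert_mgr.
# Return codes: 0 = match, 1 = mismatch, 2 = file missing or unreadable.
verify_md5() {
    file=$1
    expected=$2
    if [ ! -r "$file" ]; then
        echo "MISSING  $file" >&2
        return 2
    fi
    # md5sum prints "<hash>  <name>"; keep only the hash field
    actual=$(md5sum < "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (got $actual, expected $expected)" >&2
    return 1
}

# Check both UA certificate files. The directory defaults to the one used
# on this page; the file names are assumed from the import steps.
verify_ua_certs() {
    dir=${1:-/etc/opt/cisco-vpnclient/Certificates}
    rc=0
    verify_md5 "$dir/uanetroot.der" 291edfe174aed1b44bb131798e6ae2aa || rc=1
    verify_md5 "$dir/vpnclient_pwd_UANET.pfx" 0d152707a35a4051ccb749eeafc2926e || rc=1
    return $rc
}
```

Call `verify_ua_certs` before the import steps. MD5 catches a truncated or wrong download; it does not protect against a file that was deliberately tampered with.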
- Before we start, make sure you have the Cisco VPN client installed on your system. This is not the open source connector vpnc, but Cisco's very own proprietary solution. Usually, there should be a package available for your distro. When this is done, you should have the cisco_cert_mgr command at hand.
| Code: /opt/cisco-vpnclient/bin/cisco_cert_mgr |
Cisco Systems VPN Client Version 4.8.01 (0640)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.26-gentoo #1 PREEMPT Mon Jul 21 13:52:27 CEST 2008 i686
[...]
|
Getting the Cisco Client running on a 64bit system is not exactly straightforward. That's because the kernel module is closed-source and we depend on Cisco's goodwill to keep it up-to-date with the latest kernel, which apparently is not the case right now. If you experience problems, please refer to [3] or [4] or [5].
- Import the root certificate.
| Code: /opt/cisco-vpnclient/bin/cisco_cert_mgr -R -op import |
Cisco Systems VPN Client Version 4.8.01 (0640)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.26-gentoo #1 PREEMPT Mon Jul 21 13:52:27 CEST 2008 i686
[ Importing Certificate ]
Enter filename: /etc/opt/cisco-vpnclient/Certificates/uanetroot.der
Success: certificate imported from path: /etc/opt/cisco-vpnclient/Certificates/uanetroot.der
|
If this was successful, you can look at your imported certificate by
| Code: /opt/cisco-vpnclient/bin/cisco_cert_mgr -R -op list |
Cisco Systems VPN Client Version 4.8.01 (0640)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.26-gentoo #1 PREEMPT Mon Jul 21 13:52:27 CEST 2008 i686
Cert # Common Name
------- ------------
0 UANET Standalone Root CA
|
- Import the user certificate:
| Code: /opt/cisco-vpnclient/bin/cisco_cert_mgr -U -op import |
Cisco Systems VPN Client Version 4.8.01 (0640)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.26-gentoo #1 PREEMPT Mon Jul 21 13:52:27 CEST 2008 i686
[ Importing Certificate ]
Enter filename: /etc/opt/cisco-vpnclient/Certificates/vpnclient_pwd_UANET.pfx
Import Password: UANET
Enter a password to protect your certificate.
Choose a password that you can remember.
Password: <your chosen password>
Confirm Password: <your chosen password>
Success: certificate imported from path: /etc/opt/cisco-vpnclient/Certificates/vpnclient_pwd_UANET.pfx
|
If you want to use VPN later on, you'll have to type in <your chosen password> each time you connect using this certificate. Some people find it hence more comfortable to leave <your chosen password> empty. Check the result with
| Code: /opt/cisco-vpnclient/bin/cisco_cert_mgr -U -op list |
Cisco Systems VPN Client Version 4.8.01 (0640)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.26-gentoo #1 PREEMPT Mon Jul 21 13:52:27 CEST 2008 i686
Cert # Common Name
------- ------------
0 vpnclient2.ua.ac.be
|
This step is the most error-prone. See below for the most frequent mistakes.
- Put the profile file in place, that is
/etc/opt/cisco-vpnclient/Profiles/
You can choose its basename; let us suppose we take
| Code: ls /etc/opt/cisco-vpnclient/Profiles/ |
sample.pcf ua.pcf |
[...] CertName=vpnclient2.ua.ac.be [...]
[...] Username=<your ua username> [...]
This way, you don't have to type it in (like in the next step) each time you connect to the UA.
- Done!
To use your newly set-up connection, type
| Code: vpnclient connect ua |
Cisco Systems VPN Client Version 4.8.01 (0640)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.26-gentoo #1 PREEMPT Mon Jul 21 13:52:27 CEST 2008 i686
Config file directory: /etc/opt/cisco-vpnclient
Enter Certificate password: <your chosen password>
Initializing the VPN connection.
Contacting the gateway at 143.169.249.1
User Authentication for ua...
Enter Username and Password.
Username []: <your ua username>
Password []: <your ua password>
Authenticating user.
User Authentication for ua...
Enter Username and Password.
Username [<your_ua_username>]:
Password []:
Authenticating user.
Negotiating security policies.
Securing communication channel.
Your VPN connection is secure.
VPN tunnel information.
Client address: 143.169.195.127
Server address: 143.169.249.1
Encryption: 256-bit AES
Authentication: HMAC-SHA
IP Compression: None
NAT passthrough is active on port UDP 4500
Local LAN Access is disabled
|
Troubleshooting
- If you get an error message like this
| Code: /opt/cisco-vpnclient/bin/cisco_cert_mgr -U -op import |
Cisco Systems VPN Client Version 4.8.01 (0640)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.26-gentoo #1 PREEMPT Mon Jul 21 13:52:27 CEST 2008 i686
[ Importing Certificate ]
Enter filename: <your path>
Import Password:
Enter a password to protect your certificate.
Choose a password that you can remember.
Password:
Confirm Password:
error: unable to import certificate from path: <your path>
|
rest assured that you are not alone. This is the most common problem when installing the Cisco VPN client, and there are many possible remedies.
- Check that you correctly typed in the password. This is the mistake most commonly made.
- Check that you correctly typed in the password again.
- You are not so sure about the password? Contact the one who gave you the file and make sure you have the password correct.
- Make sure you have the correct certificate file. Take an md5sum and compare it with that of someone who has a running set-up. Make sure you gave cisco_cert_mgr the correct location of the file. (If no file exists at the given path, cisco_cert_mgr will bail out with a corresponding error message.)
| Code: /opt/cisco-vpnclient/bin/cisco_cert_mgr -U -op import |
Cisco Systems VPN Client Version 4.8.01 (0640)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.26-gentoo #1 PREEMPT Mon Jul 21 13:52:27 CEST 2008 i686
[ Importing Certificate ]
Enter filename: file_that_does_not_exist
error: the following path does not exist
|
External links
- Official vpnc website
- Universiteit Antwerpen: The UA's central resource page for VPN
- Universiteit Antwerpen: Off-campus access : Dialin - VPN (in Dutch)
- Universiteit Antwerpen: Off-campus access : Upgrade Certificaat voor VPN client (in Dutch)
- Universiteit Antwerpen: More information on the Cisco client (in Dutch)
- Bart Braem's description for installing, specifically aimed at Gentoo users
- VPN Client User Guide for Linux and Solaris, Release 4.6
