Run vpnc with support for ssl

Discussion in 'Linux' started by openschnitzel, Aug 22, 2008.

  1. openschnitzel

    openschnitzel

    If you want to establish a virtual private network (VPN) with an organization such as your university AND want to use the free vpnc instead of Cisco's vpnc client AND your organization uses SSL encryption, this is the right How-to for you. The problem with the standard version of vpnc is that it is missing support for OpenSSL, which is due to an incompatibility of the OpenSSL license with the GPL. Nevertheless, you can recompile vpnc on your Acer Aspire One with OpenSSL support built in without any problem.

    This How-to guide assumes you know how to run a terminal, edit files with a text editor and install packages. Probably you also activated the Advanced Mode already.

    First you will need to download the vpnc source code from the project's homepage. Save the tar.gz file somewhere in your home directory. Open a terminal and change to that directory. Let's unpack everything:
    Code:
    tar -xzf  vpnc-0.5.1.tar.gz
    Next, we need to include the support for ssl in the code. Change to the unpacked directory
    Code:
    cd vpnc-0.5.1
    and edit the Makefile:
    Code:
    vim Makefile
    In case you don't like Vim editor as much as I do, you can use something like
    Code:
    mousepad Makefile
    .
    Go to lines 49 and 50 and uncomment them by removing the hash (#). They should look like this afterwards:
    Code:
    OPENSSL_GPL_VIOLATION = -DOPENSSL_GPL_VIOLATION
    OPENSSLLIBS = -lcrypto
    
    Save your changes and quit the editor. Now you will need to install quite a bit of software and libraries for building from source code, unless you have set up a development environment already. You can install all the following packages from command-line with
    Code:
    sudo yum install name-of-package
    Alternatively you can use:
    Code:
    pirut &
    You need a basic development environment in order to compile. In case you did not install one already, I suggest using
    Code:
    sudo yum groupinstall "Development Tools" "Legacy Software Development"
    (including quotation marks). On top of that I needed to install the packages kernel-devel - 2.6.23.1-42.fc8.i686 , libgcrypt-devel - 1.2.4-6.i386 (with lots of dependencies) and openssl-devel - 0.9.8b-17.fc8.i386.
    In case you need to find out your installed kernel version in order to pick the right package, try
    Code:
    uname -r
    The list of packages mentioned above might be incomplete. If the following compilation doesn't work on your computer, it is probably attributed to the fact that I didn't resolve all dependencies correctly. But as I had many development packages installed already, the following build command worked on my machine:
    Code:
    make && sudo make install
    As a next step, you need to obtain the certificate from your VPN. In my case this is University of Karlsruhe and I downloaded the cert from their page (you have to enter "dfnpem" in the smart-link box at the bottom right of the page in case you want to connect to University of Karlsruhe too). You have to copy the file to the appropriate folder, which is on Linpus Linux:
    Code:
    sudo cp /mnt/home/Downloads/dfnpca-02.pem /etc/pki/tls/certs/
    Then we need to edit the vpnc configuration file:
    Code:
    vim /etc/vpnc/default.conf
    The contents of the file look like this, please modify to your needs:
    Code:
    IPSec gateway vpn.uni-karlsruhe.de
    IPSec ID vpn
    IPSec obfuscated secret ABED22A5C87C97A1A46DCF3B7318FF31A3DCF07E1714F1F0A62DA51456D94BD62FCC576D465E24FD55463E2E5E673BA8
    IKE Authmode hybrid
    Xauth username your-user-name-goes-here
    Xauth password your-password-here
    CA-File /etc/pki/tls/certs/dfnpca-02.pem
    Please note that the "obfuscated secret" and the following long number have to be on a single line. You can protect your configuration file, as it contains a password in clear text, with
    Code:
    sudo chmod 600 /etc/vpnc/default.conf
    Unfortunately we're not done yet. Before we can start vpnc we need to add the tun/tap kernel module. How this is done is described in another how-to guide of the same forum. Please follow the instructions there. You need to insert the kernel module via
    Code:
    sudo modprobe tun
    In case you want to load the tun module at boot time, edit the file
    Code:
    vim /etc/rc.local
    and add the line
    Code:
    modprobe tun
    Now we're ready to go! You should be able to start your VPN with
    Code:
    sudo /usr/local/sbin/vpnc
    and disconnect again with
    Code:
    sudo /usr/local/sbin/vpnc-disconnect
    Please let me know if it works for you. I hope I didn't mess up anything, because this has become rather long here.
     
    openschnitzel, Aug 22, 2008
    #1
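An added example, not part of the original post or of vpnc itself: a shell function that checks a vpnc configuration file for the points the how-to above relies on (permissions as set by chmod 600, a clear-text Xauth password, the obfuscated secret on a single line, a readable CA-File). The sample values are constructed, the function names are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit a vpnc config file. Prints findings, returns their count.
audit_vpnc_conf() {
    conf=$1; n=0
    [ -f "$conf" ] || { echo "FAIL $conf: no such file"; return 1; }

    # 1. No group/other permission bits (0600 or stricter), as set by chmod 600.
    mode=$(stat -c '%a' "$conf")
    case $mode in
        0|*00) ;;
        *) echo "FAIL mode $mode: accessible beyond the owner"; n=$((n + 1)) ;;
    esac
    # 2. A stored Xauth password is clear text on disk.
    if grep -Eq '^[[:space:]]*Xauth password[[:space:]]+[^[:space:]]' "$conf"; then
        echo "WARN Xauth password is stored in clear text"; n=$((n + 1))
    fi
    # 3. The obfuscated secret must sit on one line: a line made only of hex
    #    digits is the wrapped tail of a broken "IPSec obfuscated secret" line.
    if grep -Eq '^[[:space:]]*[0-9A-Fa-f]+[[:space:]]*$' "$conf"; then
        echo "FAIL obfuscated secret appears to be split across lines"; n=$((n + 1))
    fi
    # 4. If a CA-File is configured, it has to exist and be readable.
    ca=$(sed -n 's/^[[:space:]]*CA-File[[:space:]]*//p' "$conf")
    if [ -n "$ca" ] && [ ! -r "$ca" ]; then
        echo "FAIL CA-File $ca is missing or unreadable"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample: writes a config with all four problems into directory $1.
make_bad_sample() {
    cat > "$1/bad.conf" <<EOF
IPSec gateway vpn.example.org
IPSec ID vpn
IPSec obfuscated secret 00112233445566778899AABB
CCDDEEFF00112233
IKE Authmode hybrid
Xauth username alice
Xauth password constructed-placeholder
CA-File $1/does-not-exist.pem
EOF
    chmod 644 "$1/bad.conf"
}

# Demo on the constructed sample; runs only when invoked as: sh script.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); make_bad_sample "$d"; audit_vpnc_conf "$d/bad.conf"; rm -rf "$d"
fi
```

To check the real file, source the script and run audit_vpnc_conf /etc/vpnc/default.conf as root, since the file is only readable by its owner after chmod 600.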
  2. openschnitzel

    openschnitzel

    Here's some additional information, probably not very relevant:
    When I experimented with various versions of vpnc before I found the solution described in the how-to guide above, I installed and removed two different versions of a package called vpnc-consoleuser. Apparently this corrupted my consolehelper environment, because afterwards I found out, whenever I tried to start pirut or pup as regular user, the system would start vpnc instead. I was able to start pirut or pup as su without the described problem. I had a look at the files contained in the /etc/security/console.apps/ folder and the symbolic links of pirut and pup, everything seemed to be OK. The problem seemed quite weird to me...

    Anyway, I got past this problem with a brutal reinstall of the usermode package:
    Code:
    su -
    rpm -e --nodeps usermode
    yum install usermode
    
    The rpm command erases the usermode package without caring about dependencies. This is dangerous, as ~90 other packages depend on usermode. So one should reinstall usermode on the next command prompt... it helped.

    Again: If you follow the steps of my previous post, you shouldn't even get to this problem. I only added this post for the folks keen to experiment, they might get stuck with the same problem.
     
    openschnitzel, Aug 23, 2008
    #2
  3. openschnitzel

    katbert

    It works! You are my hero :D
    I've tried so hard to install the damned CISCO vpnclient. You saved me.

    Web 2.0 rules :p
     
    katbert, Sep 6, 2008
    #3
  4. openschnitzel

    .mo

    I tried to follow the guide, but vpnc just will not compile. I can't figure out which dependency I'm missing. I installed everything mentioned above and quite a few things more...

    Here's my error message:
    Code:
    $ make
    gcc -o vpnc sysdep.o vpnc-debug.o isakmp-pkt.o tunip.o config.o dh.o math_group.o supp.o vpnc.o -g  -lgcrypt -lgpg-error -lcrypto
    tunip.o: In function `encap_esp_recv_peer':
    /home/user/Documents/tuhh/vpnc-0.5.1/tunip.c:536: undefined reference to `gcry_cipher_setiv'
    tunip.o: In function `encap_esp_encapsulate':
    /home/user/Documents/tuhh/vpnc-0.5.1/tunip.c:360: undefined reference to `gcry_cipher_setiv'
    tunip.o: In function `vpnc_doit':
    /home/user/Documents/tuhh/vpnc-0.5.1/tunip.c:1023: undefined reference to `gcry_cipher_setkey'
    /home/user/Documents/tuhh/vpnc-0.5.1/tunip.c:1010: undefined reference to `gcry_cipher_setkey'
    config.o: In function `deobfuscate':
    /home/user/Documents/tuhh/vpnc-0.5.1/config.c:164: undefined reference to `gcry_cipher_setkey'
    /home/user/Documents/tuhh/vpnc-0.5.1/config.c:165: undefined reference to `gcry_cipher_setiv'
    vpnc.o: In function `isakmp_crypt':
    /home/user/Documents/tuhh/vpnc-0.5.1/vpnc.c:422: undefined reference to `gcry_cipher_setkey'
    /home/user/Documents/tuhh/vpnc-0.5.1/vpnc.c:423: undefined reference to `gcry_cipher_setiv'
    vpnc.o: In function `do_rekey':
    /home/user/Documents/tuhh/vpnc-0.5.1/vpnc.c:2904: undefined reference to `gcry_cipher_setkey'
    /home/user/Documents/tuhh/vpnc-0.5.1/vpnc.c:2905: undefined reference to `gcry_cipher_setkey'
    collect2: ld returned 1 exit status
    make: *** [vpnc] Error 1
    
    Any ideas? Thanks, Mo
     
    .mo, Oct 31, 2008
    #4
  5. openschnitzel

    openschnitzel

    The function
    Code:
    gcry_cipher_setiv
    belongs to the libgcrypt package. On my machine both the libgcrypt-1.2.4-6.i386 and the libgcrypt-devel-1.2.4-6.i386 package were installed. Do you have both packages installed?

    HTH,
    openschnitzel
     
    openschnitzel, Nov 4, 2008
    #5
  6. openschnitzel

    .mo

    Yup, had it installed, but I guess I broke something while tinkering around... reinstalling the libgcrypt-devel package did the trick. Thanks for the great howto and the help, works like a charm. :D
     
    .mo, Nov 4, 2008
    #6
  7. openschnitzel

    openschnitzel

    OK, glad to hear it works now.
     
    openschnitzel, Nov 5, 2008
    #7