ubuntu linux VPN connection without cisco vpn client

chris (2006-08-10 09:26:30)
8 replies
Getting a reliably working VPN connection on your linux box isn't as easy as one might think. The Cisco VPN client for linux comes with a few major flaws - firstly it's a complete arse to install - particulary on heavily package-based distros such as Ubuntu - the program requires all the kernel headers to be present and it also insists that they exactly match the running kernel version. This may or may not be a total ballache to manage. In addition to that, I have run the Cisco VPN client for linux on at least two distros (including Slackware and Redhat) and it has been bad to say the least. Connections just die over SSH when any more than a few packets are sent and nothing less than a restart of the client will allow the system to reconnect - Such a program falls well beyond my 'suitable-for-use' radar. It was these issues which pushed me to find an alternative solution.

The solution came in the form of Maurice Massar's vpnc - a relatively little-known and fairly unassuming application which does exactly as it says on the tin. Ubuntu users are one step ahead of the source-based distros just because a vpnc package does exist for dapper. First let's install that on the client system. Do this with the following command:
sudo apt-get install vpnc

If you are not running ubuntu, you will probably have to compile the program yourself. I would image this to be quite simple. The sources are downloadable from this page: http://www.unix-ag.uni-kl.de/~massar/vpnc/

Now this is where things get a bit tricky - you have the application installed, but it won't work until you have a working config. This contains a bunch of IPSec settings required to talk to your VPN endpoint. When I first looked at these, I really didn't know where to start, but I pretty soon determined that the most important values would be these:

IPSec gateway
IPSec secret
Xauth username
Xauth password

So from whence should we collect this data? I knew that if I was to ask the IT department at work, they would probably tell me that the software isn't supported and to use the cisco client under windows. That doesn't suit my needs, but it does offer a clue. You see, for every connection profile, the Cisco VPN client keeps a profile description file called a .pcf. All I need to do is locate the .pcf file on my windows partition and copy it over.

mount /dev/hda1 /windows
cp /windows/Program Files/Yahoo! Inc/VPN Client/profiles/London.pcf /home/chris/Desktop/.

Now we can extract the vpn gateway hostname, the Group ID and the group 'secret' from the locally copied .pcf. The group secret is a very long string of characters - it's actually a hexadecimal representation of the key, (which itself is formed from a mixture of SHA-1 hashing and triple-DES in CBC mode - a web search will yield all the gory details if that interests you). This throws a slight hurdle in our path, because it is the original plain text version which we need to offer our vpnc config. Thankfully there are tools around to help us with this. First you will need to install the libgcrypt-dev package:

sudo apt-get install libgcrypt-dev

You will then need to compile the cisco-decrypt.c utility which is downloadable from here: http://www.unix-ag.uni-kl.de/~massar/soft/cisco-decrypt.c . Note that when you come to compile the program you will need to use the following compile options:

gcc -Wall -o cisco-decrypt cisco-decrypt.c $(libgcrypt-config --libs --cflags)

This will result in a working binary in ./cisco-decrypt.

Okay, we're nearly there.. all we need to do now is decrypt that cipher string from the .pcf file and then we can paste that into our vpnc.conf. The first thing cisco-decrypt does is convert the string from hexadecimal to binary. Here's how I did that:

root@snackerjack-lx:~/Desktop# grep enc_GroupPwd London.pcf | awk -F= '{print  $2 }' | xargs ./cisco-decrypt

Of course I have modified it for obvious reasons, but you get the idea. And now to the final stage - creating the config file:

vim /etc/vpnc/vpnc.conf

Just enter the follwing lines (of course using your own settings), write out the file and exit:

IPSec gateway <your gateway address from the pcf>
IPSec ID General
IPSec secret atat@atet8s8cu*7777uv8paiaiecrac$
Xauth username clacy
Xauth password nottellingyou

It's worth mentioning here that if you omit the username and/or password, the vpnc program will prompt you for them at run time. I highly recommend you do this. It will save you from having to enter them in plain text into a config file. Additionally, if you use RSA-SecureID fobs for your passwords it will make using the application far easier. Nobody wants to hack a config every time they run a program!

Now all you need to do is fire up the connection like this:

sudo vpnc /etc/vpnc/vpnc.conf

If this is useful to you and you would like some of this packaged up in some way, please let me know. I think it's pretty simple as it is, but if there is any interest out there and I can make this simpler for the next person, then I will :)

2007-06-24 19:20:14

VPN Install Package

I personally am fairly new to Linux but I'm learning. In the meanwhile, any help would be greatly appreciated and making a package of some kind to use rather than a lot of command line work and compiling would be wonderful.

One other short question. I am able to see the .pcf file and have copied the information out of it. What I don't see is anything called an IPSec Secret. I do see a enc_GroupPwd. Is that the same thing? Thanks in advance for your help.
reply icon
2007-07-17 02:57:12

It worked

Chris, Thank you. Your intsructions worked very well for connection to the cisco vpn.
reply icon
2008-04-16 16:17:11

You may also mention that the IPSec ID <XXXXX> is important. The id is the Group name. General does not work
for everyone.

reply iconedit reply
2008-05-02 21:56:56


How do you know when you have a connection. I ran it tonight at work and I thought it was connected but I could not use any of servers or connect ot the internet.

Thx for the great info hopefully I can get this to work.

reply iconedit reply
2008-09-29 19:02:39

Thanks. Worked for me.
reply iconedit reply
2009-04-12 04:52:01


Hey, your article was helpful. I was unsuccessful in connecting to my works VPN, but I think they may have some crazy configuration going on. The output suggested that there is a setting to only allow the windows client to connect, and I fear that may be the case. I have the Cisco VPN connect on my iPhone, and that is not successful either. The part on compiling the cisco-decrypt was very useful however. Thank you for taking the time to do this write up!
reply iconedit reply
Mike P.
2009-07-22 04:53:05

Help with decrypt

Thanks for this post!

I'm having just one issue, and please forgive as I'm fairly new to linux.

When I run the decrypt command, instead of getting the hash, I get:

grep enc_GroupPwd Lab_VPN.pcf | awk -F= '{print $2}' | xargs ./cisco-decrypt
decoding input: Success

If you have any ideas, please advise. Thanks again for your help.

BTW - Running Jaunty 9.04

reply iconedit reply
2009-10-09 22:40:11

Remove a CR-character

When I run the decrypt command, instead of getting the hash, I get:

grep enc_GroupPwd Lab_VPN.pcf | awk -F= '{print $2}' | xargs ./cisco-decrypt
decoding input: Success

If you have any ideas, please advise. Thanks again for your help.

I had the same problem. It was probably due to a '\r' character at the
end of the line (from a Windows-style line separator in the pcf-file),
which confused the decrypting program. By removing this character from
the end of the encrypted password before giving it to the decrypting
program, I made it work:
grep enc_GroupPwd foo.pcf | awk -F= '{print $2 }' | tr -d '\r' | xargs ./cisco-decrypt

This is an alternative way to do exactly the same:
./cisco-decrypt $(sed -n 's/^enc_GroupPwd=//p' foo.pcf | tr -d '\r')

Fedde Schaeffer
reply icon