Connecting Ubuntu 10 LTS with a Cisco VPN

Making Ubuntu and Cisco play nice.

Connecting Ubuntu 10.04 LTS to a Cisco VPN (UDP)

I recently had to VPN into a network running Cisco VPN using the Cisco UDP protocol.  I thought to myself "Great, Ubuntu already has support for Cisco/IPSec VPN, I'll just plug in the settings and run." Very rarely do thoughts like this work out when you are running any distro of Linux.

I did my homework and discovered "vpnc", the client that connects to the VPN, and I discovered it had a front end that plugs into the network manager in Gnome.  Awesome, I thought.  I plugged in all my settings... and this is where the story begins.

I got the error "VPN Connection Failed: No valid VPN Secrets".  I checked my passwords and confirmed that everything was typed correctly... and still no dice.  I checked my /var/log/syslog and got this readout:

Sep 26 11:05:27 [host_name] NetworkManager:   Starting VPN service 'org.freedesktop.NetworkManager.vpnc'...
Sep 26 11:05:27 [host_name] NetworkManager:   VPN service 'org.freedesktop.NetworkManager.vpnc' started (org.freedesktop.NetworkManager.vpnc), PID 2983
Sep 26 11:05:27 [host_name] NetworkManager:   VPN service 'org.freedesktop.NetworkManager.vpnc' just appeared, activating connections
Sep 26 11:05:27 [host_name] NetworkManager:   VPN plugin state changed: 1
Sep 26 11:05:27 [host_name] NetworkManager:   VPN plugin state changed: 3
Sep 26 11:05:27 [host_name] NetworkManager:   VPN connection 'XXXX' (Connect) reply received.
Sep 26 11:05:27 [host_name] NetworkManager:    SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
Sep 26 11:05:27 [host_name] NetworkManager:    SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
Sep 26 11:05:27 [host_name] NetworkManager:   VPN connection 'XXXX' (IP Config Get) reply received.
Sep 26 11:05:27 [host_name] NetworkManager:   VPN Gateway: XXX.XXX.XXX.XXX
Sep 26 11:05:27 [host_name] NetworkManager:   Tunnel Device: tun0
Sep 26 11:05:27 [host_name] NetworkManager:   Internal IP4 Address: XXX.XXX.60.187
Sep 26 11:05:27 [host_name] NetworkManager:   Internal IP4 Prefix: 24
Sep 26 11:05:27 [host_name] NetworkManager:   Internal IP4 Point-to-Point Address: XXX.XXX.60.187
Sep 26 11:05:27 [host_name] NetworkManager:   Maximum Segment Size (MSS): 0
Sep 26 11:05:27 [host_name] NetworkManager:   Static Route: XXX.XXX.0.0/16   Next Hop: XXX.XXX.0.0
Sep 26 11:05:27 [host_name] NetworkManager:   Static Route: XXX.XXX.0.0/16   Next Hop: XXX.XXX.0.0
Sep 26 11:05:27 [host_name] NetworkManager:   Static Route: XXX.XXX.0.0/16   Next Hop: XXX.XXX.0.0
Sep 26 11:05:27 [host_name] NetworkManager:   Static Route: XXX.XXX.0.0/16   Next Hop: XXX.XXX.0.0
Sep 26 11:05:27 [host_name] NetworkManager:   Static Route: XXX.XXX.0.0/16   Next Hop: XXX.XXX.0.0
Sep 26 11:05:27 [host_name] NetworkManager:   Static Route: XXX.XXX.0.0/16   Next Hop: XXX.XXX.0.0
Sep 26 11:05:27 [host_name] NetworkManager:   Static Route: XXX.XXX.0.0/16   Next Hop: XXX.XXX.0.0
Sep 26 11:05:27 [host_name] NetworkManager:   Static Route: XXX.XXX.0.0/16   Next Hop: XXX.XXX.0.0
Sep 26 11:05:27 [host_name] NetworkManager:   Static Route: XXX.XXX.0.0/16   Next Hop: XXX.XXX.0.0
Sep 26 11:05:27 [host_name] NetworkManager:   Static Route: XXX.XXX.0.0/16   Next Hop: XXX.XXX.0.0
Sep 26 11:05:27 [host_name] NetworkManager:   Static Route: XXX.XXX.XXX.XXX/32   Next Hop: XXX.XXX.XXX.XXX
Sep 26 11:05:27 [host_name] NetworkManager:   Internal IP4 DNS: XXX.XXX.XXX.XXX
Sep 26 11:05:27 [host_name] NetworkManager:   Internal IP4 DNS: XXX.XXX.XXX.XXX
Sep 26 11:05:27 [host_name] NetworkManager:   DNS Domain: '(none)'
Sep 26 11:05:27 [host_name] NetworkManager:   Login Banner:
Sep 26 11:05:27 [host_name] NetworkManager:   -----------------------------------------
Sep 26 11:05:27 [host_name] NetworkManager:   (null)
Sep 26 11:05:27 [host_name] NetworkManager:   -----------------------------------------
Sep 26 11:05:28 [host_name] NetworkManager: nm_system_device_set_ip4_route: assertion `iface_idx >= 0' failed
Sep 26 11:05:28 [host_name] NetworkManager: last message repeated 10 times
Sep 26 11:05:28 [host_name] NetworkManager:   VPN connection 'XXXX' (IP Config Get) complete.
Sep 26 11:05:28 [host_name] NetworkManager:   nm_system_replace_default_ip4_route_vpn(): (tun0): failed to set IPv4 default route: -19
Sep 26 11:05:28 [host_name] NetworkManager:   Policy set 'XXXX' (tun0) as default for routing and DNS.
Sep 26 11:05:28 [host_name] NetworkManager:    SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/tun0, iface: tun0)
Sep 26 11:05:28 [host_name] NetworkManager:   VPN plugin state changed: 4
Sep 26 11:05:28 [host_name] NetworkManager:   VPN plugin failed: 1
Sep 26 11:05:28 [host_name] NetworkManager:   VPN plugin state changed: 6
Sep 26 11:05:28 [host_name] NetworkManager:   VPN plugin state change reason: 0
Sep 26 11:05:28 [host_name] NetworkManager:   connection_state_changed(): Could not process the request because no VPN connection was active.
Sep 26 11:05:29 [host_name] NetworkManager:   Policy set 'Auto eth1' (eth1) as default for routing and DNS.
Sep 26 11:05:29 [host_name] nm-dispatcher.action: Script '/etc/NetworkManager/dispatcher.d/01ifupdown' exited with error status 1.
Sep 26 11:05:29 [host_name] nm-dispatcher.action: Script '/etc/NetworkManager/dispatcher.d/01ifupdown' exited with error status 1.
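The useful part of that log is easy to miss among the route lines, so here is a small triage script (added here, not part of the original post) that scans NetworkManager syslog lines for the two markers that matter in the failure above: the `iface_idx >= 0` assertion and the `-19` returned when the default route is set. On Linux, 19 is ENODEV ("No such device"), so the kernel is refusing to route over tun0 at the moment NetworkManager applies the routes. The sample log is constructed from the lines above with placeholder 10.x addresses; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): triage the NetworkManager lines
# that /var/log/syslog shows when the vpnc plugin fails the way the post does.
# Assumption: the syslog format is the Ubuntu 10.04 one shown in the post.
# Real use:  nm_vpn_diagnose "$(grep NetworkManager /var/log/syslog | tail -n 80)"

# Constructed sample, condensed from the post's log (addresses are placeholders).
SAMPLE_LOG=$(cat <<'EOF'
Sep 26 11:05:27 [host_name] NetworkManager:   Static Route: 10.1.0.0/16   Next Hop: 10.1.0.0
Sep 26 11:05:27 [host_name] NetworkManager:   Static Route: 10.2.0.0/16   Next Hop: 10.2.0.0
Sep 26 11:05:27 [host_name] NetworkManager:   Static Route: 10.3.0.0/16   Next Hop: 10.3.0.0
Sep 26 11:05:28 [host_name] NetworkManager: nm_system_device_set_ip4_route: assertion `iface_idx >= 0' failed
Sep 26 11:05:28 [host_name] NetworkManager:   nm_system_replace_default_ip4_route_vpn(): (tun0): failed to set IPv4 default route: -19
Sep 26 11:05:28 [host_name] NetworkManager:    SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/tun0, iface: tun0)
Sep 26 11:05:28 [host_name] NetworkManager:   VPN plugin failed: 1
EOF
)

# Print a one-line diagnosis; exit status 0 when a known failure pattern is present.
# "-19" is -ENODEV ("No such device"): the kernel rejected a route via tun0
# because the device was not (or no longer) usable when routes were applied.
nm_vpn_diagnose() {
    log="$1"
    if printf '%s\n' "$log" | grep -q "assertion \`iface_idx >= 0' failed"; then
        if printf '%s\n' "$log" | grep -q 'failed to set IPv4 default route: -19'; then
            echo "routes rejected: tun0 index lookup failed and the default route got ENODEV (-19); tun0 was not a usable device when routing was applied"
        else
            echo "routes rejected: interface index lookup for the tunnel device failed"
        fi
        return 0
    fi
    if printf '%s\n' "$log" | grep -q 'VPN plugin failed: 1'; then
        echo "vpnc plugin reported failure with no routing error; look at the plugin's own messages"
        return 0
    fi
    echo "no known NetworkManager VPN failure pattern found"
    return 1
}

# Number of "Static Route" lines the gateway pushed; with the failed assertion
# above, every one of them was dropped.
nm_vpn_route_count() {
    printf '%s\n' "$1" | grep -c 'Static Route:' || true
}

nm_vpn_diagnose "$SAMPLE_LOG"
echo "routes pushed by the gateway: $(nm_vpn_route_count "$SAMPLE_LOG")"
```

Run it against the real log with the `grep ... | tail` line in the header comment; a non-zero exit means none of the known patterns matched and the plugin's own messages need reading.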
 

I made sure to restart my network and network manager with these commands:

sudo restart network-manager
sudo /etc/init.d/networking restart

Then I got the particularly useless error "VPN connection failed" (via the Gnome network manager alert popup). It did not say why it failed.

I did lots of reading about the various parts of this and discovered that "vpnc" does not seem to be actively developed any more; the last update I found on the website was from 2008.  I found a myriad of people saying that it did not work properly with Cisco IPSec VPN (UDP). After doing a lot of research, I decided to bypass the GUI (the network manager plugin) and run it manually, and that worked for me.  Here is the command I needed. You will need to tweak it for your own network, but I strongly recommend doing this manually or creating a script to get it working.

sudo vpnc --gateway [Server-IP or Host name] --id [Group-Name] --username [User-Name] --natt-mode cisco-udp --debug 99 --no-detach --enable-1des

When I ran this it asked me for my sudo password, then the group password and then the user password, and connected me.

The option "--debug 99" can be left off; it shows ALL the information going back and forth between you and the VPN (useful for debugging).

The option "--no-detach" leaves the vpnc command running in the foreground (so you can see the debug output).

The option "--enable-1des" allows single DES encryption.  This was specific to the setup I was connecting to and might not be needed for yours.  Check with your system admin, or just try it and see: if your connection requires it and you leave it out, vpnc will tell you that you need to add it to the list of parameters.  Single DES is a 56-bit cipher that is considered broken today, so it is only worth enabling when the gateway will not negotiate anything stronger.

The other options should be self explanatory. 

Running via the command line WORKED in Ubuntu 10.04 LTS.  You can create a "script" to do the login and authentication for you automatically, but the command line is fine with me.

Stopping the VPN

To stop using the VPN (that is, to disconnect from it), run the command

sudo vpnc-disconnect

Don't forget the "sudo". This stops the VPN and returns your network to its normal settings.  For more information check "man vpnc".  Again, you may have to tweak your settings some, but it works very nicely via the command line.  I am not sure whether the errors are caused by the network manager, the network manager plugin, OR a permissions issue where it cannot update the routing table without "sudo" privilege.  I'll leave that for the developers to figure out.

Scripting - Automated

OK, so now that it is working on the command line, here is a "base" config file you can use to load it with less typing.  I saved this in my home directory and named it "vpnc.conf" (you can place it anywhere you like).  Since it holds the group secret and your user password in cleartext, make it readable only by you ("chmod 600 vpnc.conf"):

IPSec gateway [XXX.XXX.XXX.XXX]
IPSec ID [Insert_group_name]
IPSec secret [Insert_group_pass_here]
Xauth username [Insert_Username_Here]
Xauth password [Insert_userpass_here]
NAT Traversal Mode cisco-udp
Enable Single DES
Debug 3

Feel free to remove the DES line, and change the Debug level to whatever you want (0, 1, 2, 3 and 99 are the options, I think).  This should get you working on your remote VPN with as little headache as possible.  Read the vpnc man page for more options you can include to configure your specific connection type.

Now I run this command:

sudo vpnc /home/{My_Name}/vpnc.conf

It asks me for the sudo password, but then logs into the VPN automatically and starts running.

Errors and Notes:

If you get this error:

vpnc: Error binding to source port. Try '--local-port 0'
Failed to bind to 0.0.0.0:500: Address already in use

This means that vpnc is ALREADY running (UDP port 500 is still bound by the earlier instance).  If you want to restart it, you need to stop the running instance first and then try again, using this command:

sudo vpnc-disconnect

Then you can run vpnc again and it should work (don't forget the "sudo"!).

Testing

To confirm your VPN is working, run "netstat -r"; it should show your VPN host listed as a gateway and routes over the tun0 device.  You can also try to ping any of the known servers in your remote network, which proves the connection as well.
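The scripting, "Address already in use" and testing sections above fit together into one wrapper. The following script is an added example, not the post author's script and not part of vpnc: it writes the config file in the format shown above with owner-only permissions (the file carries the group secret and Xauth password in cleartext), recognises the "port 500 already bound" message and runs vpnc-disconnect before retrying, and finally checks the routing table for a tun0 route. It assumes vpnc and vpnc-disconnect are on PATH, that GNU stat is available (it is on Ubuntu), and that VPNC_CONF names the config file (default ~/vpnc.conf); the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): a wrapper around vpnc that
# (1) writes the post's config format with owner-only permissions, since it
#     stores the group secret and Xauth password in cleartext,
# (2) recovers from the "Address already in use" state by running
#     vpnc-disconnect before retrying, and
# (3) checks the routing table for a tun0 route after connecting.
# Assumptions: vpnc and vpnc-disconnect are on PATH, GNU stat is available,
# and VPNC_CONF points at the config file (default ~/vpnc.conf).

VPNC_CONF="${VPNC_CONF:-$HOME/vpnc.conf}"

# Write a vpnc config (the same keys the post uses) readable only by its owner.
write_conf() {
    conf="$1"; gateway="$2"; group="$3"; secret="$4"; user="$5"; pass="$6"
    old_umask=$(umask)
    umask 077                      # file is created 0600 from the start
    cat > "$conf" <<EOF
IPSec gateway $gateway
IPSec ID $group
IPSec secret $secret
Xauth username $user
Xauth password $pass
NAT Traversal Mode cisco-udp
Enable Single DES
Debug 3
EOF
    umask "$old_umask"
    chmod 600 "$conf"              # also tighten a pre-existing, too-open file
}

# 0 if the config exists and is not readable by group or others,
# 1 if it is too open, 2 if it is missing.
conf_is_private() {
    [ -f "$1" ] || return 2
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when vpnc's output is the "port 500 already bound" failure from the post,
# meaning an earlier vpnc is still running and must be disconnected first.
is_already_running_error() {
    printf '%s\n' "$1" | grep -q 'Address already in use'
}

# 0 when a routing-table dump ("netstat -r" or "ip route" output) contains a
# route over the tunnel device.
tunnel_route_present() {
    printf '%s\n' "$1" | grep -qE '(^|[[:space:]])tun0([[:space:]]|$)'
}

# Connect using VPNC_CONF. With all credentials in the file, only sudo prompts
# (on the tty), so vpnc's own output can be captured and inspected.
connect_vpn() {
    conf_is_private "$VPNC_CONF" || {
        echo "refusing to use $VPNC_CONF: missing or readable by others (chmod 600 it)" >&2
        return 1
    }
    if ! out=$(sudo vpnc "$VPNC_CONF" 2>&1); then
        if is_already_running_error "$out"; then
            echo "stale vpnc found, disconnecting and retrying" >&2
            sudo vpnc-disconnect
            out=$(sudo vpnc "$VPNC_CONF" 2>&1) || { printf '%s\n' "$out" >&2; return 1; }
        else
            printf '%s\n' "$out" >&2
            return 1
        fi
    fi
    printf '%s\n' "$out"
    routes=$(netstat -r 2>/dev/null || ip route 2>/dev/null)
    if tunnel_route_present "$routes"; then
        echo "tunnel up: tun0 route present"
    else
        echo "vpnc returned but no tun0 route is installed; check its debug output" >&2
        return 1
    fi
}

# Usage: sh vpn-connect.sh connect   (vpn-connect.sh is a hypothetical file name)
if [ "${1:-}" = connect ]; then
    connect_vpn
fi
```

Create the config once with write_conf (for example from a shell where the two secrets are typed into variables rather than pasted on a command line), then use "connect" for each session; the permission check refuses to start if the file has become world-readable, which is the common way these cleartext credentials leak on a shared machine.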

Page Information:
  • Tags: Cisco, VPN, UDP, Ubuntu 10.04, vpnc
  • Description: How to get Ubuntu 10.04 to connect to a Cisco VPN.