Connect to Cisco VPN /Easy VPN/ IPSec from centos using free vpnc client

From vpsget wiki

How to connect to a Cisco VPN (Easy VPN / IPsec) from Linux (CentOS 6) using the free vpnc client.


You do not need the next block if you are using a dedicated server or a KVM VPS. If you are our client, you can enable TUN/TAP from the SolusVM control panel or contact us.

---------only for openvz vps------------

If you plan to run vpnc in an OpenVZ container, make sure the tun device is available inside it. On the hardware node, edit the container config /etc/vz/conf/<CTID>.conf and add the lines:

IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_nat iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state ip_nat_ftp ipt_REDIRECT"
DEVICES="c:10:200:rw c:108:0:rw "
CAPABILITY=" NET_ADMIN:on"
DEVNODES="net/tun:rw "

(c:10:200 is /dev/net/tun; NET_ADMIN lets the container create the interface and change its routing table.)


Restart the container to apply the settings if needed:

vzctl restart <CTID>

---------end----------------------------

yum install vpnc
chmod 700 /etc/vpnc/vpnc-script

In case yum can't find the package, try adding the remi repository.

Copy the default config to a new profile:

cp /etc/vpnc/default.conf /etc/vpnc/asa.conf

Edit /etc/vpnc/asa.conf. Depending on your Cisco config you authenticate the group with either a pre-shared key or a certificate; we are using a key:

 IPSec gateway <gw_ip>
 IPSec ID <group_name>
 IPSec secret <pre-shared_key>
 # your username goes here:
 #Xauth username


Try to connect (the argument is the profile name, i.e. /etc/vpnc/asa.conf):

vpnc asa

You will be prompted for your Xauth username and password.

To disconnect, use the following command:

vpnc-disconnect

You can store the VPN username and password in the profile so vpnc can connect without prompting (needed for the cron script below):

Xauth username <your username>
Xauth password <your password>

Make sure password storage is allowed by the group policy on the Cisco side. The profile then holds the group secret and your password in plain text, so keep it readable by root only (chmod 600 /etc/vpnc/asa.conf).
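The profile above can be written by a small helper that creates the file with mode 600 from the start, so the group secret and stored Xauth password are never world-readable, and checks it before vpnc is run. This is an added example, not a script from this wiki: the function names, the VPNC_DIR override (defaults to /etc/vpnc) and the sample values are assumptions.

```shell
#!/bin/bash
# Added example (not from the vpsget wiki): write a vpnc profile such as
# /etc/vpnc/asa.conf with restrictive permissions. The file holds the IPsec
# group secret and, optionally, the Xauth password, so it must be 0600.
# VPNC_DIR is an assumed override of the profile directory (handy for testing).

# usage: write_vpnc_profile <name> <gateway> <group> <group_secret> [xauth_user] [xauth_pass]
# prints the path of the profile it wrote
write_vpnc_profile() {
    local name="$1" gw="$2" group="$3" secret="$4" user="$5" pass="$6"
    local dir="${VPNC_DIR:-/etc/vpnc}"
    local conf="$dir/$name.conf"
    mkdir -p "$dir" || return 1
    # umask 077 in a subshell: the file is created 0600, never briefly 0644
    (
        umask 077
        {
            printf 'IPSec gateway %s\n' "$gw"
            printf 'IPSec ID %s\n' "$group"
            printf 'IPSec secret %s\n' "$secret"
            [ -n "$user" ] && printf 'Xauth username %s\n' "$user"
            [ -n "$pass" ] && printf 'Xauth password %s\n' "$pass"
            true
        } > "$conf"
    ) || return 1
    chmod 600 "$conf" || return 1
    printf '%s\n' "$conf"
}

# usage: check_vpnc_profile <path>
# returns 0 when the profile is mode 0600 and has the three mandatory lines
check_vpnc_profile() {
    local conf="$1" mode
    mode=$(stat -c '%a' "$conf") || return 1
    if [ "$mode" != "600" ]; then
        echo "refusing to use $conf: mode is $mode, expected 600" >&2
        return 1
    fi
    grep -q '^IPSec gateway ' "$conf" || return 1
    grep -q '^IPSec ID ' "$conf"      || return 1
    grep -q '^IPSec secret ' "$conf"  || return 1
    return 0
}

# Example run (values are placeholders), e.g. before "vpnc asa":
#   conf=$(write_vpnc_profile asa 203.0.113.1 vpngroup 'group-secret' alice 'pw')
#   check_vpnc_profile "$conf" && vpnc asa
```

Run it as root when writing to /etc/vpnc; the check refuses a profile that is readable by other users, which is the state the page's "chmod 600" advice guards against.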

It is also possible to create a vpnc .conf file from a Cisco client .pcf profile (including its obfuscated enc_GroupPwd, which the converter decrypts). Simply install pcf2vpnc:

yum install pcf2vpnc


NOTE: after connecting you may lose internet access on your Linux VPS/server/workstation. This happens because vpnc-script replaces the default route with one through tun0 unless the gateway pushes split-tunnel routes. On the author's OpenVZ VPS the fix was to remove the following two routes after the vpnc connect command, so you can put them in a script that runs right after it:

route delete <gw_ip> gw 0.0.0.0 venet0
route delete 8.8.8.8 gw 0.0.0.0 tun0

Interface names and addresses differ between hosts, so compare the output of route -n before and after connecting and delete only the routes you do not want.
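Rather than hard-coding the two routes, you can derive the list of routes vpnc-script added by diffing two route -n snapshots and turn each one into a route delete command to review. This is an added example, not the wiki's script; the function names are assumptions, and the two routing tables embedded below are constructed sample output for an OpenVZ container (venet0) whose ASA is 217.24.12.11 and pushes 8.8.8.8 as DNS plus a 192.168.99.0/24 split route.

```shell
#!/bin/bash
# Added example (not from the vpsget wiki): find the routes that appeared
# after "vpnc asa" by comparing "route -n" output taken before and after.
# Real use:   route -n > /tmp/before; vpnc asa; route -n > /tmp/after
#             route_delete_cmds /tmp/before /tmp/after
# Constructed sample data (assumed addresses and interface names):
SAMPLE_BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.1       0.0.0.0         255.255.255.255 UH    0      0        0 venet0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 venet0'

SAMPLE_AFTER='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
217.24.12.11    0.0.0.0         255.255.255.255 UH    0      0        0 venet0
8.8.8.8         0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.0.2.1       0.0.0.0         255.255.255.255 UH    0      0        0 venet0
192.168.99.0    0.0.0.0         255.255.255.0   U     0      0        0 tun0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 venet0'

# usage: added_routes <before_file> <after_file>
# Prints "dest gw mask iface" for every route in the second snapshot that
# is not in the first. The two header lines of "route -n" are skipped.
added_routes() {
    awk 'FILENAME == ARGV[1] { if (FNR > 2) seen[$1 " " $2 " " $3 " " $8] = 1; next }
         FNR > 2 { key = $1 " " $2 " " $3 " " $8; if (!(key in seen)) print key }' "$1" "$2"
}

# usage: route_delete_cmds <before_file> <after_file>
# One net-tools "route delete" command per added route. A gateway of
# 0.0.0.0 (as on venet0 and tun0) means a direct route, so "gw" is omitted.
# Review the output before running it: deleting a default route via tun0
# cuts the tunnel; on this page only the two extra host routes are removed.
route_delete_cmds() {
    added_routes "$1" "$2" | while read -r dest gw mask iface; do
        via=""
        [ "$gw" != "0.0.0.0" ] && via=" gw $gw"
        case "$mask" in
            255.255.255.255) echo "route delete -host $dest$via dev $iface" ;;
            0.0.0.0)         echo "route delete default$via dev $iface" ;;
            *)               echo "route delete -net $dest netmask $mask$via dev $iface" ;;
        esac
    done
}

# usage: demo
# Runs the comparison on the constructed snapshots above.
demo() {
    local before after
    before=$(mktemp) && after=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_BEFORE" > "$before"
    printf '%s\n' "$SAMPLE_AFTER"  > "$after"
    route_delete_cmds "$before" "$after"
    rm -f "$before" "$after"
}
```

With the sample tables, demo lists three commands: the ASA host route on venet0, the 8.8.8.8 host route on tun0 (the two the page deletes) and the 192.168.99.0/24 split route on tun0, which you would keep because the watchdog script pings a host inside it.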

Let's create the connect script and run it from cron:

/home/vpnconnect.sh:

#!/bin/bash
# Try to ping some service located behind the ASA (internal IP); if it answers, the tunnel is up
/bin/ping -c 1 -W 2 192.168.99.2 >/dev/null 2>&1
rc=$?
if [ "$rc" -eq 0 ]; then
    :                                                # ok, do nothing
else
    vpnc asa                                         # needs Xauth username/password stored in /etc/vpnc/asa.conf
    route delete 217.24.12.11 gw 0.0.0.0 venet0      # the two routes from the note above; check with route -n
    route delete 8.8.8.8 gw 0.0.0.0 tun0
fi

Save it as /home/vpnconnect.sh and remember to make it executable and readable by root only:

chmod 700 /home/vpnconnect.sh

add cron task

nano /etc/crontab

add the line:

* * * * * root /home/vpnconnect.sh

This runs the script every minute, which is useful if you require a permanent connection. (The first field is the minute; "1 * * * *" would run it only once an hour, at minute 1.)