VPN-access with KVpnc (Linux)

Short manual on how to set up VPN connections to the VPN gateway of the ZIV with the KDE front end KVpnc.

Below you will find instructions on how to set up a VPN connection to the VPN server of the university using the open-source combination vpnc/kvpnc (i.e. without using the proprietary Cisco driver).

It is assumed here that both vpnc and KVpnc have been installed. Both programs are available as packages, at least in the newer distributions, and can be installed by means of apt-get (Ubuntu) or yast (Suse). Alternatively, you can find the source code at http://www.unix-ag.uni-kl.de/~massar/vpnc/ or at http://home.gna.org/kvpnc/en/index.html.

Instructions:
Start kvpnc (you will be asked for the root password). The KVpnc window will appear.

Choose Profile/New Profile (Assistant) in the menu.



Click continue.



Choose Cisco (free) as VPN-Type and click continue.



Choose Import PCF-file and click continue.



You will now be asked for the VPN-Profile (PCF-file). You can download the VPN-profile provided by the ZIV here. You must now choose the downloaded file. (Normally this file is called vpnstandard.pcf.)



You will now be asked for the user ID and the password for network access (not the standard-password). You can change the passwords at the portal ZIV.MeinZIV.
Take care: The password will be saved in clear text, but it can only be read with root rights. Entering the password here is optional. If you do not enter it here, KVpnc will ask for it every time you want to set up a connection.

Now click continue three times.

If everything is ok, the KVpnc window will reappear.

In order to complete the remaining settings, choose set up settings/kvpnc in the menu:



Choose the category Profile/Network/NAT.



Activate the button Use UDP (NAT-T). As UDP port for NAT-T enter, for example, 10000.
Note: If you use a router with an integrated firewall, it might be necessary to forward the relevant port. The router manual will provide information about how to proceed. It might also be necessary to configure the Linux firewall (if applicable) accordingly.

If you want to set up a VPN-connection, you can now choose the requested profile (in this case: vpnstandard) and click connect.

You will now be asked for the group password:



It is slightly more difficult to get the group password. First open the file vpnstandard.pcf with a text editor. There you will find the string:

!enc_GroupPwd=*PASSWORT*
This password must now be deciphered by entering it on http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode and using the deciphered password as group password.

(for vpnstandard.pcf currently: Der_preshardkey_$4$_vpnstandard%)



You might also be asked to enter your password for network access (see above). After that an encrypted VPN-connection to the VPN-Gateway of the ZIV will be set up. Job done.

The connection can be dropped by clicking Disconnect.

The configuration made is saved under ~root/.kde/share/config/kvpnrc. If you want to start anew, you can delete this file (restarting KVpnc will reset the settings).
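
The steps above rely on two things: the group password sits in the PCF file as a reversible enc_GroupPwd string, and a saved user password is only protected by the permissions on kvpnrc. The following is an added example (not part of the original manual, and not code from vpnc or KVpnc) that parses a PCF profile, reports which secrets it carries and checks whether a file is readable by non-root users. It assumes the usual INI-style PCF layout with a [main] section; the sample host, group name and hex value are constructed placeholders.

```python
import configparser
import os
import stat

# Constructed sample profile: host, group name and hex value are placeholders.
SAMPLE_PCF = """\
[main]
Description=constructed sample
Host=vpn.example.org
GroupName=examplegroup
!enc_GroupPwd=0123456789ABCDEF
Username=
SaveUserPassword=0
UserPassword=
"""

def parse_pcf(text):
    """Return the [main] keys of a PCF profile, lowercased, leading '!' removed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for name in cp.sections():
        if name.lower() == "main":
            return {k.lstrip("!"): v.strip() for k, v in cp[name].items()}
    raise ValueError("no [main] section found")

def audit_profile(fields):
    """List the secrets a parsed profile carries (empty values are ignored)."""
    findings = []
    if fields.get("enc_grouppwd"):
        findings.append("obfuscated group password (reversible, not a hash)")
    if fields.get("grouppwd"):
        findings.append("clear-text group password")
    if fields.get("userpassword") or fields.get("enc_userpassword"):
        findings.append("stored user password")
    return findings

def readable_by_others(path):
    """True if group or world may read the file; the page expects root-only."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

if __name__ == "__main__":
    for finding in audit_profile(parse_pcf(SAMPLE_PCF)):
        print("profile:", finding)
    rc = os.path.expanduser("~root/.kde/share/config/kvpnrc")  # path from the page
    if os.path.exists(rc) and readable_by_others(rc):
        print("kvpnrc is readable by non-root users; tighten to mode 600")
```

Run as root, the script also checks the kvpnrc path named above; the same permission check applies to any downloaded copy of the PCF file.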

Problems with (k)vpnc at more specific client gateways

Besides the general VPN gateway ("vpnstandard"), the ZIV also operates a number of more specific gateways used to connect to other network zones (cf. http://www.uni-muenster.de/ZIV/Technik/Netz/VPN.html). For those gateways you need specially provided VPN profiles, and users must be specifically authorized for the connection.

Unfortunately, these more specific client gateways do not work with (k)vpnc at present. This might be because of the "user@xyz" authentication required for these gateways: the TODO list for vpnc 0.5.3 says: "research/bugs: - usernames containing "@" unable to login".

In this case your only choice is to use the Cisco-client (see here).

-- LauraOeste - 2011-05-10

Topic revision: r4 - 2015-07-28 - RainerPerske