When you study or work at the University of Karlsruhe you can have access to the services of the University or the Internet by installing the proprietary Cisco VPN Client. But to be frank, this programm is a pain in the ass. It’s proprietary, it needs kernel modules, you’ve got to patch it to run on current kernels. In short: Don’t use it, use vpnc. I’ll help you with it…

Compile vpnc

Usually you can install vpnc out of the repositories. The reason we can’t do this now is that we need support for openssl (certificates). Since this function may infringe some license violations, linux distributors usually deactivate openssl inside vpnc. So we’ve got to get the code and compile vpnc by ourself. So first, let’s get the code and untar the archive.

$ wget http://www.unix-ag.uni-kl.de/~massar/vpnc/vpnc-0.5.3.tar.gz
$ tar -xzf vpnc-0.5.3.tar.gz

Later on we will generate a .deb package for your own version of vpnc. To avoid that the package management tries to update your version we need to add a suffix for your package. We can do this by changing the name of the directory. When we generate the package, this suffix will be added to the version number.

$ mv vpnc-0.5.3 vpnc-0.5.3-christoph1
$ cd vpnc-0.5.3-christoph1

Now, that we’ve got the source, we’ve got to enable the support for openssl. To do this, you’ve got to edit the file called Makefile, e.g. with

$ gedit Makefile

and remove the hash sign “#” in front of line 49 and 50. These two line should now look like these.

…
OPENSSL_GPL_VIOLATION = -DOPENSSL_GPL_VIOLATION
OPENSSLLIBS = -lcrypto
…

After you saved the Makefile you need a couple of packages to be able to compile vpnc. You can install them via the package management.

$ sudo apt-get install libssl-dev build-essential dh-make fakeroot
$ sudo apt-get build-dep vpnc

Now the “real deal”. In a final step you have to compile vpnc. You can do this with

$ make
$ dh_make -f ../vpnc-0.5.3.tar.gz
$ fakeroot debian/rules binary
$ sudo dpkg -i ../vpnc*.deb

This compiles vpnc, creates a .deb file, and install vpnc. Please test if everything worked out.

$ vpnc --version
[...]
Built with openssl (certificate) support. Be aware of the
license implications.

Supported DH-Groups: nopfs dh1 dh2 dh5
Supported Hash-Methods: md5 sha1
Supported Encryptions: null des 3des aes128 aes192 aes256
Supported Auth-Methods: psk psk+xauth hybrid(rsa)

You’ve got to see the line “Built with openssl (certificate) support”. This means you compiled and installed vpnc with openssl support. Gratulations

The Certificate

Since October 2008 the University uses a Root-Certificate provided by the Deutsche Telekom. You can download the certificate from the VPN-Homepage of the University. To make things simpler, here a short command to download the certificate with wget and copy it to the right place inside /etc/ssl/certs.

$ sudo wget --no-check-certificate https://pki.pca.dfn.de/uni-karlsruhe-ca/pub/cacert/rootcert.crt -O /etc/ssl/certs/rootcert.crt

Configuration to access the University of Karlsruhe

Now it’s tome to configure vpnc, so that you can access the VPN of the University of Karlsruhe. This can be done by editing the /etc/vpnc/default.conf with and editor.

$ sudo gedit /etc/vpnc/default.conf

Please replace the content with these settings.

IPSec gateway vpn.uni-karlsruhe.de
IPSec ID vpn
IPSec secret vpnvpn
IKE Authmode hybrid
Xauth username u...
Xauth password xxx
CA-File /etc/ssl/certs/rootcert.crt

Please notice that you’ve got to enter your login and passwort into this file. Since this info won’t be encrypted, I recommend to limit read access to root.

$ sudo chmod 600 /etc/vpnc/default.conf

Start-/stop the connection

This is all you have to:

$ sudo vpnc
$ sudo vpnc-disconnect

to start or stop the connection. But i recommend

$ sudo vpnc --dpd-idle 0

this disabled “DPD idle timeout” which results in a more stable connection.

Automatically connect to the VPN

I’m a lazy person and entering vpnc every time when I’m at the university is a bit inconvenient. To make this more comfortable I wrote a shot script for Ubuntu’s network manager. There are so called “Dispatcher”-Skript which get executed every time you establish or close a network connection. The script will check if you’re inside the network of the University of Karlsruhe and will establish the VPN-connection if you are. I tested this inside our shiny new 24/7 library and with the WLAN “VPN/WEB”. You can download the script from my homepage. Don’t forget to make the script executable.

$ sudo wget http://www.christoph-langner.de/static/02uni-ka-vpn-1.4.sh -O /etc/NetworkManager/dispatcher.d/02uni-ka-vpnc
$ chmod +x /etc/NetworkManager/dispatcher.d/02uni-ka-vpnc

The script is able to show you informations about the connections via small popups. These are quite useful, since i noticed that vpnc has sometimes problems starting the encrypted connection. Without those popups you want see whats going on.

To be able to see those messages you’ve got to install the package libnotify-bin.

$ sudo apt-get install libnotify-bin

As far as i know libnotify-bin only works with the GNOME desktop enviroment. the rest of the script doesn’t depend on your DE. Now matter if you use KDE, Xfce or whatever. As long as you use the network manager, it should work.

[UPDATE 25.04.09] Updated for vpnc 0.5.3[/UPDATE]