Assignment 9 - Installation of UNC VPN Client (Security) + Kernel Upgrade
INLS 183 - Distributed Systems
November 18, 2002
Send comments to: bhayes@email.unc.edu


Introduction / Background

As part of increased network security measures being implemented to protect the UNC network from unauthorized and/or malicious access, many campus network services now require authenticated, encrypted access via a VPN (Virtual Private Network). To enable me to work as effectively in Linux as in my Windows XP operating system, I am interested in setting up the same secure VPN connection capabilities in my Linux environment as I have in Windows XP.

Software Overview

From the UNC HELP FAQ:
"A Virtual Private Network (VPN) provides an encrypted connection (secure tunnel) from outside networks or Internet Service Providers (ISPs) to the UNC-Chapel Hill internal network. UNC has installed a Cisco VPN concentrator that allows authorized users to access network resources from off campus using an ISP dial-in, DSL or cable modem service with Onyen authentication. You can work securely, just as if you were physically on campus."

In addition to providing encrypted network communications between the off-campus user's computer and the campus network, the VPN connection also assigns the user's computer a UNC IP address and unc.edu hostname for the duration of the VPN session. Campus network services that require a UNC IP address for access are thereby reachable as if the user were on campus. To obtain the UNC-licensed Cisco VPN client, you must download the agreement form at https://www.unc.edu/security/campus/encrypt.pdf and fax it to the UNC Software Acquisitions office at (919) 843-2427. Once the agreement has been faxed and received, you will be emailed a URL from which to download the Cisco VPN client software.

Although technically possible, it is not technically feasible for the UNC VPN connection (and its UNC IP assignment) to be extended to the user's off-campus connections to services outside the UNC network. For example, authorized users coming to UNC Libraries e-resource sites (e.g. the Campus Ejournals list) are assigned a UNC IP address for all communications with the UNC servers hosting those e-resource listings. However, once the user proceeds via the web to the remotely hosted e-resource, these non-UNC connections are not processed by the VPN server (no UNC IP address is assigned to those communications), so authentication to and use of the UNC Libraries proxy server is still required to access these e-resources. The proxy server is configured to treat the VPN range of UNC IP addresses as off-campus addresses, so the proper proxy configuration information is delivered to those browsers.

Installation and Troubleshooting Narrative

INITIATE INSTALLATION (see script 1)
I submitted the required agreement to Software Acquisitions in August in order to obtain the Windows version of the VPN client for my work and home computers. This same agreement allowed me to download the Linux version of the VPN client as well. I revisited the download URL as part of this assignment and downloaded a more current version of that client. The client comes as a tarred and gzipped binary file that, in terms of number of steps, appears fairly easy to install, configure and run. I consulted the UNC HELP Linux VPN client documentation for this installation process.

The Cisco VPN client requires Linux kernel source files to be installed and available to it in order to install (and run?) properly. So, after unpacking the VPN client package in my home directory and unsuccessfully attempting to install it with my RedHat 8.0 installed kernel (2.4.18-14; no source files installed), I decided to install the 2.4.19 kernel using a source tarball to upgrade my kernel and obtain the VPN-required source files at the same time. This was a challenging exercise in and of itself, and even after getting the new kernel to load and run fairly successfully, the VPN client, though installed, is not running successfully yet.
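The failed install against a kernel with no matching source tree is the kind of mismatch that can be caught before running the client's installer. The following shell snippet is an added example, not part of the original assignment or of the Cisco client: it reads the version out of a kernel source tree's top-level Makefile and compares it with the running kernel as reported by uname -r. The Makefile path and the sample Makefile contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a kernel source tree matches the running kernel
# before building a kernel-dependent module such as the Cisco VPN client's.

# Print VERSION.PATCHLEVEL.SUBLEVEL (e.g. "2.4.19") from a 2.4-style kernel
# Makefile given as $1. Returns 1 if the file is unreadable or incomplete.
kernel_source_version() {
    mk="$1"
    [ -r "$mk" ] || return 1
    v=$(sed -n 's/^VERSION[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$mk" | head -n 1)
    p=$(sed -n 's/^PATCHLEVEL[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$mk" | head -n 1)
    s=$(sed -n 's/^SUBLEVEL[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$mk" | head -n 1)
    [ -n "$v" ] && [ -n "$p" ] && [ -n "$s" ] || return 1
    echo "$v.$p.$s"
}

# Compare a running kernel string ($1, as from `uname -r`, e.g. "2.4.18-14")
# with a source version ($2, e.g. "2.4.19"). The distribution suffix after
# the first "-" is ignored. Returns 0 on match, 1 on mismatch.
source_matches_running() {
    running="$1"
    src="$2"
    base=${running%%-*}
    [ "$base" = "$src" ]
}

# Constructed sample of the header of a 2.4.19 kernel Makefile, written to a
# temporary file so the check can be exercised offline. Prints the path.
make_sample_makefile() {
    f=$(mktemp) || return 1
    printf 'VERSION = 2\nPATCHLEVEL = 4\nSUBLEVEL = 19\nEXTRAVERSION =\n' > "$f"
    echo "$f"
}

# Convenience wrapper: report whether the tree at $1 (default /usr/src/linux,
# an assumed path) matches the running kernel.
check_tree() {
    tree="${1:-/usr/src/linux}"
    src=$(kernel_source_version "$tree/Makefile") || {
        echo "no usable kernel source at $tree"; return 1; }
    if source_matches_running "$(uname -r)" "$src"; then
        echo "kernel source $src matches running kernel $(uname -r)"
    else
        echo "MISMATCH: source $src vs running $(uname -r)"; return 1
    fi
}
```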

INSTALL KERNEL UPGRADE
After multiple cycles of configuration and kernel build steps, I was able to get the 2.4.19 kernel to run successfully on my home computer. See the kernel install script for the initial installation and failed run attempts, and see the kernel troubleshooting script for the subsequent reconfiguration/rebuild processes that eventually led to a successful load of the 2.4.19 kernel. There are outstanding issues with the new kernel: 3 USB modules and the system logger fail to load/start on boot.

VPN CLIENT INSTALLATION (see vpn install script)

  • steps from script file to be extracted here.

Instructions for Use

Once the VPN client is successfully installed and working, it should start running on boot up by virtue of start scripts included in /etc/rc3.d/. Establishing a connection to UNC relies on the unc.pcf profile file that I've already set up with the UNC group name and password. To invoke that profile and connect, the user should just need to give the following command:

$ vpnclient connect unc

One must authenticate with a valid UNC ONYEN id and password to successfully establish a connection to the UNC VPN server. Once established the VPN client runs as a background process ensuring that all traffic between the client machine and UNC is encrypted and IP wrapped with a UNC IP.

Functionality
After the kernel upgrade and kernel source file install, the VPN client appeared to set up and install properly (no errors besides the harmless warning outlined in the ATN documentation). However, ps -ef | grep vpn confirms that it is not successfully running, either after a manual start (/etc/init.d/vpnclient_init start) or after a reboot that runs the auto-installed start scripts in /etc/rc3.d/. Additionally, the new 2.4.19 kernel now "panics" upon shutdown, complaining about a null pointer dereference at virtual address 00000000, a bad EIP value and an inability to sync the interrupt handler. These are the biggest, best looking errors I've gotten all semester, so I've got some regrouping to do.