Introduction / Background
As part of increased network security measures being implemented to protect the UNC
network from unauthorized and/or malicious access, many campus network services now
require authenticated, encrypted access via a VPN (Virtual Private Network). To enable me
to work as effectively in Linux as in my Windows XP operating system, I am
interested in setting up the same secure VPN connection capabilities in my Linux
environment as I have in Windows XP.
Software Overview
From the UNC HELP FAQ:
"A Virtual Private Network (VPN) provides an encrypted connection (secure tunnel) from
outside networks or Internet Service Providers (ISPs) to the UNC-Chapel Hill internal
network. UNC has installed a Cisco VPN concentrator that allows authorized users to access
network resources from off campus using an ISP dial-in, DSL or cable modem service with
Onyen authentication. You can work securely, just as if you were physically on campus."
In addition to providing encrypted network communications between the off-campus user's
computer and the campus network, the VPN connection also assigns the user's computer a UNC
IP address and unc.edu hostname for the duration of the VPN session. Campus network
services that require a UNC IP address for access are thereby reachable as if the user were
on campus. To obtain the UNC-licensed Cisco VPN client, you must download the
agreement form at https://www.unc.edu/security/campus/encrypt.pdf and fax it
to the UNC Software Acquisitions office at (919) 843-2427. Once the agreement has been faxed
and received, you will be emailed a URL to download the Cisco VPN client software.
Though technically possible, it is not practical for the UNC
VPN connection (UNC IP assignment) to be extended to the user's off-campus connections to
services outside the UNC network. For example, authorized users coming to UNC
Libraries e-resource sites (e.g. the Campus
Ejournals list) are assigned a UNC IP address for all communications with the
UNC servers hosting those e-resource listings. However, once the user proceeds via the
web to the remotely hosted e-resource, these non-UNC connections are not processed
by the VPN server (no UNC IP address is assigned to those communications), so authentication to
and use of the UNC Libraries proxy server is still required to access these e-resources.
The proxy server is configured to treat the VPN range of UNC IP addresses as off-campus
addresses so the proper proxy configuration information is delivered to those browsers -
see details.
Installation and Troubleshooting Narrative
INITIATE INSTALLATION (see script 1)
I submitted the required agreement to Software Acquisitions in August in order to obtain
the Windows version of the VPN client for my work and home computers. This same agreement
allowed me to download the Linux version of the VPN client as well. I revisited the
download URL as part of this assignment and downloaded a more current version of that
client. The client comes as a tarred and gzipped binary file that in terms of numbers of
steps appears fairly easy to install, configure and run. I consulted the UNC HELP
Linux VPN client documentation
for this installation process.
The Cisco VPN client requires Linux kernel source files
to be installed and available to it in order to install (and run?) properly.
So, after unpacking the VPN client
package in my home directory and unsuccessfully attempting to install it with my RedHat
8.0 installed kernel (2.4.18-14; no source files installed), I decided to install the
2.4.19 kernel using a source tarball to upgrade my kernel and obtain the VPN-required
source files at the same time. This was a challenging exercise in and of itself and even
after getting the new kernel to load and run fairly successfully, the VPN client,
though installed, is not running successfully yet.
INSTALL KERNEL UPGRADE
After multiple cycles of configuration and kernel build steps, I was able to get the
2.4.19 kernel to run successfully on my home computer. See kernel install script for the initial installation
and failed run attempts and see kernel troubleshooting
script for subsequent reconfiguration/rebuild processes that eventually led to a
successful load of the 2.4.19 kernel. There are outstanding issues with the new kernel:
three USB modules and the system logger fail to load/start on boot.
VPN CLIENT INSTALLATION (see vpn install script)
-
steps from script file to be extracted here.
-
Instructions for Use
Once the VPN client is successfully installed and working, it should
start running on boot up by virtue of start scripts included in
/etc/rc3.d/. Establishing
a connection to UNC relies on the unc.pcf profile file that I've
already set up with the UNC group name and password. To invoke that
profile and connect, the user should just need to give the following
command:
$ vpnclient connect unc
One must authenticate with a valid UNC ONYEN id and password to
successfully establish a connection to the UNC VPN server. Once
established the VPN client runs as a background process ensuring that all
traffic between the client machine and UNC is encrypted and IP wrapped
with a UNC IP.
Functionality
After the kernel upgrade and kernel source file install, the VPN client
appeared to set up and install properly (no errors
besides the harmless warnings outlined in the ATN
documentation). However, ps -ef | grep vpn confirms that it is not
successfully running either after a manual start
(/etc/init.d/vpnclient_init start) or after a reboot that runs the
auto-installed start scripts in /etc/rc3.d/. Additionally, the new 2.4.19
kernel now "panics" upon shutdown, complaining about a null pointer
dereference at virtual address 00000000, a bad EIP value and an inability
to sync the interrupt handler. These are the biggest, best-looking errors
I've gotten all semester, so I've got some regrouping to do.
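A pre-flight script for the profile, start-up and process checks described in the two sections above, written here as an added example (not UNC's or Cisco's code). The profile directory /etc/CiscoSystemsVPNClient/Profiles and the .pcf keys Host, GroupName, GroupPwd and enc_GroupPwd are assumptions about the client's layout.

```shell
#!/bin/sh
# Added example: pre-flight checks for the vpnclient setup described above.
# Profile path and .pcf key names are assumptions, not taken from the page.

# The client build needs the running kernel's source tree; the modules build
# link is where a kernel build normally leaves it.
kernel_source_present() {
    [ -d "/lib/modules/$(uname -r)/build" ]
}

# Same check as "ps -ef | grep vpn", but the bracket pattern keeps the grep
# command itself out of the match.
vpn_running() {
    ps -ef | grep -q '[v]pn'
}

# Inspect a .pcf profile. It carries the group name and group password, so it
# must name a host and group, should hold the password only in the encrypted
# enc_GroupPwd form, and must not be readable by every local user.
check_profile() {
    pcf="$1"
    [ -r "$pcf" ] || { echo "profile $pcf missing or unreadable"; return 1; }
    status=0
    grep -q '^Host=.' "$pcf"      || { echo "no Host= in $pcf"; status=1; }
    grep -q '^GroupName=.' "$pcf" || { echo "no GroupName= in $pcf"; status=1; }
    if grep -q '^GroupPwd=.' "$pcf"; then
        echo "warning: $pcf stores the group password in clear text"
        status=1
    fi
    # character 8 of "ls -l" output is the other-read permission bit
    case "$(ls -l "$pcf" | cut -c8)" in
        r) echo "warning: $pcf is world-readable"; status=1 ;;
    esac
    return $status
}

# Run every check and report; exit status is 0 only when all of them pass.
run_checks() {
    rc=0
    kernel_source_present || { echo "no kernel source for $(uname -r)"; rc=1; }
    check_profile "${1:-/etc/CiscoSystemsVPNClient/Profiles/unc.pcf}" || rc=1
    if vpn_running; then echo "vpn client process is running"
    else echo "vpn client not running"; rc=1; fi
    return $rc
}

# Invoke as: sh vpn-check.sh --run [profile.pcf]
case "${1:-}" in
    --run) shift; run_checks "$@"; exit $? ;;
esac
```

The functions can also be sourced into an interactive shell and called one at a time while troubleshooting.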