From George Smart's Wiki
As of September 2010, UCL no longer supports the use of Roamnet, and advises users to switch to the Janet JRS Eduroam service. For information on using the Janet JRS Eduroam service under Linux, visit my Eduroam page.
This document aims to help you set up the Cisco VPN client that UCL uses for its Roamnet service. For people who don’t know, the internet system for any non-IS (Information Service) managed computers requires you to log in via a VPN (virtual private network). This ensures that only authorised people can access the university internet. This is usually a good thing, but not if you are running Linux. More and more people are starting to use Linux, including on netbooks such as Asus’ EeePC (which is what I have, hence the investigation into the problem).
Limitations of this approach
There are a couple of limitations with this approach. Please read before you attempt.
- Currently I have only managed to get the how-to done for Debian-based systems. This includes Ubuntu and Xandros, which are common. Basically, if your system is Debian-based, this will work fine. If not, it will still work; you will just need to meet the dependencies of the package. This fundamentally means having the OpenSSL source libs.
- This article describes ‘how to make it work’. It is not the cleanest, or best approach. It uses the open source version of the CiscoVPN Client, and is therefore not supported by Cisco. To be honest, there was no support for their existing client, hence this article.
A few other points
Before you go away smashing up your Linux system, or complaining to me that it doesn’t work, bear in mind:
- I didn’t try every combination of every program on every computer. It has worked on about 10 computers that I know. If you are having trouble, I can probably help you. You will need to submit some information using the feedback form.
- If anything does go wrong, it wasn’t me! As I mentioned above, nothing here is in any way ‘dodgy’.
- It has been known to crash the kernel on the Toshiba Satellite Pro U200. This is the only case thus far.
- I assume you know how to use Linux well enough to make, move, rename and delete directories/files, and that you understand how file permissions work. You should also understand how to use the sudo command. You should be able to extract compressed archives.
- This cannot be done from inside UCL. You’ll have to set it up at home, and then take it in to test it.
What you’ll need
You need everything mentioned below. Links are provided here too, to ensure you have everything. This is the bare minimum:
- A UCL username & password (or whatever university you attend) & permission to use said service.
- Source code for vpnc0.5.1 - it must be version 0.5.1 or later. You need to modify the source, so no binaries.
- You need to meet the dependencies for vpnc0.5.1. This includes OpenSSL0.9.8.
- Configuration details for your VPN server. I have made a file for UCL Roamnet. It’s on my site, mentioned below.
- The SSL Certificate for your VPN server. I cannot give you this. You’ll have to log in, and download it yourself.
What to do
So here we are. Ready?
- Firstly make yourself a directory in your home folder to work in. I’ll assume you’ve called it vpnc.
- Download and extract the source code for vpnc0.5.1. You can get it from here.
- Inside the extracted code, open Makefile in an editor, as we need to modify it.
- Find the following section in the Makefile:

      # Comment this in to obtain a binary with certificate support which is
      # GPL incompliant though.
      #OPENSSL_GPL_VIOLATION = -DOPENSSL_GPL_VIOLATION
      #OPENSSLLIBS = -lcrypto

- Change the section to exactly the following. It’s basically just removing the two hashes (#) from the lower two lines of the section. This enables certificate (OpenSSL) support, which UCL Roamnet requires.

      # Comment this in to obtain a binary with certificate support which is
      # GPL incompliant though.
      OPENSSL_GPL_VIOLATION = -DOPENSSL_GPL_VIOLATION
      OPENSSLLIBS = -lcrypto

- Save Makefile. This is all we needed to do.
- Now we have to compile the vpnc client. This is the tricky bit. This is the only complicated step. vpnc0.5.1 has dependencies, as I mentioned above. You have to meet those. As far as I know, you need to install the following programs, using apt-get.
- If the package build-essential is not available, you’ll need to get the packages contained in the metapackage. It contains stuff like libc6, and other standard C compiler files. Check on Google if you are unsure.
- Take a deep breath, and then type make. This tells the computer to compile the VPN client. If you are lucky and have satisfied all the dependencies, it will work. You’ll get a few warnings, but no errors. If you get errors then you’ll need to work out what is missing from your system. As I mentioned before, it worked for me. I haven’t tried everything. Above is a list of what I had to install. You may not have everything that my computers had.
- Now you need to install the VPN client. Type sudo make install. This will install the program into the computer.
- Once this finishes, try a quick test. Just type the command sudo vpnc and it should complain with something like:

      george@laptop:~/vpnc$ sudo vpnc
      vpnc: unknown host `<gateway>'
      george@laptop:~/vpnc$

- This is a good thing. If you get anything other than the above, then something hasn’t worked. You should check your previous steps. You will probably have unmet dependencies. Recheck the output of the make command.
- Follow these two links: roamnet.conf and rootcert - You will have to log into UCL for rootcert. Save them both to /etc/vpnc. You will need to be root for this.
- You then need to edit (as root) roamnet.conf replacing the section saying <YOUR-USERNAME> with your actual username. Save the file. You should check its permissions are 600. It is also worth checking that rootcert’s permissions are 600 too. Both should be owned by root.
- Ensure you are connected to the Roamnet Wireless network, with the key provided by IS.
- When you are ready, you can try to connect to the VPN server by typing sudo vpnc roamnet into the terminal. You will be prompted for your password. And then, if you are lucky:

      george@laptop $ sudo vpnc roamnet.conf
      Connect Banner:
      | Welcome to the RoamNet Service Version 2 (KLB).
      |
      | Access to and use of this service is restricted to authorised individuals .......
      |
      | Please see http://www.ucl.ac.uk/is/roamnet/status.htm for service details and history.
      VPNC started in background (pid: X)...
      george@laptop $

- When you have finished, you should issue the command sudo vpnc-disconnect. This will hang up cleanly, which is better than shutting down your computer with it all running.
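
The permission and ownership checks from the roamnet.conf step above can be scripted so they are repeated before each connection. This is an added example, not part of the original how-to: the function names are made up here, it assumes GNU stat (as on Debian-based systems), and the `Xauth password` check assumes you want vpnc to prompt for the password, as the steps above describe.

```shell
#!/bin/sh
# Added example: pre-flight audit of the files this how-to puts in /etc/vpnc.
# Function names are hypothetical. Assumes GNU stat (Debian/Ubuntu).

# check_perms FILE [OWNER]: pass only for a regular file, mode 600, owned by OWNER.
check_perms() {
    p_file=$1; p_owner=${2:-root}
    # A symlink could point at a file someone else controls, so reject it.
    if [ -L "$p_file" ] || [ ! -f "$p_file" ]; then
        echo "FAIL $p_file: missing, or not a regular file"; return 1
    fi
    p_mode=$(stat -c '%a' "$p_file")   # octal mode, e.g. 600
    p_own=$(stat -c '%U' "$p_file")    # owner name
    p_rc=0
    [ "$p_mode" = "600" ] || { echo "FAIL $p_file: mode $p_mode, want 600"; p_rc=1; }
    [ "$p_own" = "$p_owner" ] || { echo "FAIL $p_file: owner $p_own, want $p_owner"; p_rc=1; }
    return $p_rc
}

# check_config FILE: fail if the template placeholder is still present, or if
# the file stores a password (assumption: vpnc should prompt for it instead).
check_config() {
    c_file=$1
    [ -r "$c_file" ] || { echo "FAIL $c_file: not readable (run as root)"; return 1; }
    c_rc=0
    if grep -q '<YOUR-USERNAME>' "$c_file"; then
        echo "FAIL $c_file: <YOUR-USERNAME> placeholder not replaced"; c_rc=1
    fi
    if grep -qi '^[[:space:]]*Xauth password' "$c_file"; then
        echo "FAIL $c_file: stores a password; remove the line to be prompted"; c_rc=1
    fi
    return $c_rc
}

# audit_vpnc [DIR] [OWNER]: run every check; return non-zero if any one fails.
audit_vpnc() {
    a_dir=${1:-/etc/vpnc}; a_owner=${2:-root}; a_rc=0
    check_perms "$a_dir/roamnet.conf" "$a_owner" || a_rc=1
    check_perms "$a_dir/rootcert" "$a_owner" || a_rc=1
    check_config "$a_dir/roamnet.conf" || a_rc=1
    if [ "$a_rc" -eq 0 ]; then echo "OK $a_dir"; fi
    return $a_rc
}
```

Run it as root (the files are not readable otherwise), for example by sourcing the file in a root shell and calling `audit_vpnc`. A non-zero return means at least one check failed.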
- VPNC Source Code & development
- Information on VPNC with Linux
- Connecting to a Cisco VPN using VPNC
If you spot any mistakes, or can suggest any improvements, etc., please Contact Me. A special thank you to Stelios Vitorakis who helped me to test the setup on various machines.