Notes from installing the Cisco VPN client on Ubuntu 8.04

Finally found it. With only two months left until 8.10. And the article is dated 5/1, so why could I not find it until now...
But, as usual, it did not go smoothly. Since the 8.04 release, kernel patches have already come out about three times...
Following the article linked from the title, the first thing you get is an error to the effect that you are not allowed to change CFLAGS yourself, so I rewrote it to use EXTRA_CFLAGS.

hao@olio% diff -uw Makefile.org Makefile                     [~/work/vpnclient]
--- Makefile.org        2007-08-23 04:30:31.000000000 +0900
+++ Makefile    2008-09-02 22:02:17.000000000 +0900
@@ -12,7 +12,7 @@
SOURCE_OBJS := linuxcniapi.o frag.o IPSecDrvOS_linux.o  interceptor.o linuxkernelapi.o

ifeq ($(SUBARCH),x86_64)
-CFLAGS += -mcmodel=kernel -mno-red-zone
+#CFLAGS += -mcmodel=kernel -mno-red-zone
NO_SOURCE_OBJS := libdriver64.so
else
NO_SOURCE_OBJS := libdriver.so
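Review bot: the line `#CFLAGS += -mcmodel=kernel -mno-red-zone` is now dead configuration in the x86_64 branch; since kbuild refuses direct changes to CFLAGS (the error the post describes), delete the line rather than commenting it out, and keep its EXTRA_CFLAGS replacement inside this same `ifeq ($(SUBARCH),x86_64)` block so the x86-64-only code-model flags stay conditional.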
@@ -28,6 +28,7 @@
-D_LOOSE_KERNEL_NAMES \
-DCNI_LINUX_INTERFACE \
-DHAVE_CONFIG_H
+EXTRA_CFLAGS += -mcmodel=kernel -mno-red-zone

ifeq ($(PATCHLEVEL), 4)
$(obj)/$(MODULE_NAME).o: $($(MODULE_NAME)-objs)
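Review bot: `EXTRA_CFLAGS += -mcmodel=kernel -mno-red-zone` is added after the `-DHAVE_CONFIG_H` line, outside the `ifeq ($(SUBARCH),x86_64)` guard of the first hunk, so a 32-bit build would also pass -mcmodel=kernel to gcc, which only accepts that option for x86-64; move the line into that guard (or wrap it in its own `ifeq ($(SUBARCH),x86_64)`).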
CC [M]  /home/hao/work/vpnclient/interceptor.o
/home/hao/work/vpnclient/interceptor.c: In function ‘recv_ip_packet_handler’:
/home/hao/work/vpnclient/interceptor.c:655: 警告: assignment makes integer from pointer without a cast
/home/hao/work/vpnclient/interceptor.c:676: 警告: passing  argument 2 of ‘CniNewwFragment’ makes pointer from integer without a cast
/home/hao/work/vpnclient/interceptor.c: In function ‘do_cni_send’:
/home/hao/work/vpnclient/interceptor.c:794: error: 二項演算子 - が不適切です
make[2]: *** [/home/hao/work/vpnclient/interceptor.o] エラー 1
make[1]: *** [_module_/home/hao/work/vpnclient] エラー 2
make[1]: ディレクトリ `/usr/src/linux-headers-2.6.24-19-generic' から出ます
make: *** [default] エラー 2
Failed to make module "cisco_ipsec.ko".

After that a further baffling error appeared and I was at a loss, but at this point I got the patch from http://projects.tuxx-home.at/?id=cisco_vpn_client

hao@olio% wget http://projects.tuxx-home.at/ciscovpn/patches/cisco_skbuff_offset.patch
hao@olio% patch < ../cisco_skbuff_offset.patch               [~/work/vpnclient]
patching file frag.c
patching file interceptor.c
Hunk #1 succeeded at 646 (offset 16 lines).
Hunk #2 succeeded at 685 (offset 16 lines).
Hunk #3 succeeded at 807 (offset 16 lines).
patching file linuxcniapi.c
patching file linuxkernelapi.c
hao@olio% sudo ./vpn_install                                 [~/work/vpnclient]
:
:
/etc/opt/cisco-vpnclient (group bin readable)
/etc/opt/cisco-vpnclient/Profiles (group bin readable)
/etc/opt/cisco-vpnclient/Certificates (group bin readable)
* You may wish to change these permissions to restrict access to root.
* You must run "/etc/init.d/vpnclient_init start" before using the client.
* This script will be run AUTOMATICALLY every time you reboot your computer.

With this it finally compiles.
Certificate import. I think this step and the actual connection (vpnclient connect) are meant to be done as your own user, not as root. Probably. In fact, certificate import and the connect operation do not work unless they are done as the same user. Which is obvious once you think about what it means.
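As an added example (not code from the post or from Cisco), a POSIX shell check for the profile that vpnclient connect will read: it confirms that the profile selects certificate authentication from the certificate store and names a certificate, and that no user or group password, plain or enc_, has been written into it, since the installer reported the Profiles directory as group bin readable. The key names are those of the .pcf shown further down; the two sample profiles are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a Cisco VPN client
# .pcf profile before connecting. It assumes the key names used in the
# profile shown in this post (AuthType, CertStore, CertName, UserPassword,
# enc_UserPassword, GroupPwd, enc_GroupPwd).

# pcf_get FILE KEY: print the value of KEY (first match, CR stripped).
pcf_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d '\r'
}

# pcf_uses_cert_auth FILE: succeeds if the profile selects certificate
# authentication (AuthType=3) from the cert store and names a certificate.
pcf_uses_cert_auth() {
    [ "$(pcf_get "$1" AuthType)" = "3" ] &&
    [ "$(pcf_get "$1" CertStore)" = "1" ] &&
    [ -n "$(pcf_get "$1" CertName)" ]
}

# pcf_has_no_stored_secrets FILE: succeeds if no user or group password,
# plain or "enc_", is written into the profile. Such values sit on disk in
# a directory the installer reported as group bin readable.
pcf_has_no_stored_secrets() {
    for key in UserPassword enc_UserPassword GroupPwd enc_GroupPwd; do
        [ -z "$(pcf_get "$1" "$key")" ] || return 1
    done
    return 0
}

# Constructed sample profiles, modelled on the uniadex.pcf diff in the post.
GOOD_PCF="${TMPDIR:-/tmp}/good_profile.$$.pcf"
BAD_PCF="${TMPDIR:-/tmp}/bad_profile.$$.pcf"
cat > "$GOOD_PCF" <<'EOF'
[main]
Description=uniadex
Host=vpn1.uniadex.co.jp
AuthType=3
GroupName=
Username=14b1407
CertStore=1
CertName=14b1407
CertPath=/etc/opt/cisco-vpnclient/Certificates
UserPassword=
enc_UserPassword=
GroupPwd=
enc_GroupPwd=
EOF
# Same profile, but with password material left in it (constructed value).
sed -e 's/^enc_GroupPwd=$/enc_GroupPwd=0123456789ABCDEF/' "$GOOD_PCF" > "$BAD_PCF"

# check_profile FILE: human-readable summary of both checks.
check_profile() {
    if pcf_uses_cert_auth "$1"; then
        echo "$1: certificate authentication OK"
    else
        echo "$1: not configured for certificate authentication"
    fi
    if pcf_has_no_stored_secrets "$1"; then
        echo "$1: no stored passwords"
    else
        echo "$1: WARNING password material stored in profile"
    fi
}

check_profile "$GOOD_PCF"
check_profile "$BAD_PCF"
```

On a real install, point check_profile at /etc/opt/cisco-vpnclient/Profiles/NAME.pcf; the CertName it reports should be one of the common names that `cisco_cert_mgr -U -op list` prints for the user who will run vpnclient connect.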

hao@olio% /opt/cisco-vpnclient/bin/cisco_cert_mgr -U -op import             [~]
Cisco Systems VPN Client Version 4.8.01 (0640)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.24-19-generic #1 SMP Wed Aug 20  17:53:40 UTC 2008 x86_64

[ Importing Certificate ]

Enter filename: 20080521_14b1407_12762.p12
Import Password:

Enter a password to protect your certificate.
Choose a password that you can remember.

Password:
Confirm Password:
Success: certificate imported from path: /home/hao/20080521_14b1407_12762.p12
hao@olio% cisco_cert_mgr -U -op list
Cisco Systems VPN Client Version 4.8.01 (0640)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.24-19-generic #1 SMP Wed Aug 20 17:53:40 UTC 2008 x86_64


Cert #          Common Name
-------         ------------

0               14b1407
root@olio# diff sample.pcf uniadex.pcf      [/etc/opt/cisco-vpnclient/Profiles]
2,5c2,5
< Description=sample user profile
< Host=10.212.20.52
< AuthType=1
< GroupName=monkeys
---
> Description=uniadex
> Host=vpn1.uniadex.co.jp
> AuthType=3
> GroupName=
10c10
< Username=chimchim
---
> Username=14b1407
14,17c14,17
< EnableNat=1
< CertStore=0
< CertName=
< CertPath=
---
> EnableNat=0
> CertStore=1
> CertName=14b1407
> CertPath=/etc/opt/cisco-vpnclient/Certificates
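Review bot: CertStore=1 with CertName=14b1407 matches the single certificate that cisco_cert_mgr listed above (Cert #0, 14b1407), so the profile and the store agree; EnableNat=0 switches off IPsec over UDP (NAT transparency), which the connect output later confirms as "NAT passthrough is inactive", so if the client is used from behind a NAT device that does not pass ESP, EnableNat=1 is the setting to try first.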
21a22,34
> UserPassword=
> enc_UserPassword=
> GroupPwd=
> enc_GroupPwd=
> ISPPhonebook=
> NTDomain=
> EnableMSLogon=1
> MSLogonType=0
> TunnelingMode=0
> TcpTunnelingPort=10000
> SendCertChain=0
> PeerTimeout=90
> EnableLocalLAN=1
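Review bot: UserPassword, enc_UserPassword, GroupPwd and enc_GroupPwd are left empty, which is the right choice given the installer's warning that the Profiles directory is group bin readable; note also that EnableLocalLAN=1 only requests local LAN access, the gateway's policy decides, and the connect output below reports "Local LAN Access is disabled".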
root@olio# /etc/init.d/vpnclient_init start [/etc/opt/cisco-vpnclient/Profiles]
Starting /opt/cisco-vpnclient/bin/vpnclient: Done
hao@olio% vpnclient connect uniadex                                         [~]
Cisco Systems VPN Client Version 4.8.01 (0640)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.24-19-generic #1 SMP Wed Aug 20 17:53:40 UTC 2008 x86_64
Config file directory: /etc/opt/cisco-vpnclient

Enter Certificate password:
Initializing the VPN connection.
Contacting the gateway at 124.39.25.34
User Authentication for uniadex...

Enter Username and Password.

Username [14b1407]:
Password []:
Authenticating user.
Negotiating security policies.
Securing communication channel.

Your VPN connection is secure.

VPN tunnel information.
Client address: 10.80.146.44
Server address: 124.39.25.34
Encryption: 168-bit 3-DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is inactive
Local LAN Access is disabled

^C
Disconnecting the VPN connection.

There is a Leopard version too, at http://www.macupdate.com/info.php/id/10317/cisco-vpn-client. Oh, and here as well.
And while writing this I came across the following. A suggestive name. The forbidden patch...

hao@olio% patch -p0 < ../override-local-lan-access.diff       [~/work/vpnclient]
patching file frag.c
patching file interceptor.c
Hunk #1 succeeded at 646 (offset 16 lines).
Hunk #2 succeeded at 685 (offset 16 lines).
Hunk #3 succeeded at 807 (offset 16 lines).
patching file linuxcniapi.c
patching file linuxkernelapi.c

While vpnclient connect is up, the routing table is

root@olio# netstat -nr                                     [/proc/sys/net/ipv4]
カーネルIP経路テーブル
受信先サイト    ゲートウェイ    ネットマスク   フラグ   MSS Window  irtt インタフェース
124.39.25.34    192.168.253.1   255.255.255.255 UGH       0 0          0 eth0
10.80.146.0     0.0.0.0         255.255.255.0   U         0 0          0 cipsec0
0.0.0.0         10.80.146.59    0.0.0.0         UG        0 0          0 cipsec0

like this: the route to the local LAN has disappeared, so I added it by hand.
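As an added example (not from the original post), a small shell check for exactly the state the post describes: once connected with local LAN access disabled, every route except the /32 host route to the VPN gateway should leave through cipsec0, and any other route is a path around the tunnel that the gateway's policy did not grant. The interface name and gateway address are the ones in the post; the sample tables are constructed from the post's netstat -nr output, and the script skips header lines regardless of locale.

```shell
#!/bin/sh
# Added example, not from the original post: report routes that bypass the
# VPN tunnel interface. Feed it the output of `netstat -nr` (or `route -n`)
# on stdin; the tunnel interface and gateway address are arguments. The
# names used below (cipsec0, 124.39.25.34) are taken from the post.
routes_bypassing_tunnel() {
    tun="$1"; gw="$2"
    awk -v tun="$tun" -v gw="$gw" '
        # data rows start with a dotted quad; header lines (any locale) do not
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            dest = $1; mask = $3; iface = $NF
            # the /32 host route to the gateway must stay on the physical
            # interface, otherwise the tunnel would try to carry its own packets
            if (dest == gw && mask == "255.255.255.255") next
            if (iface != tun) printf "%s/%s via %s\n", dest, mask, iface
        }'
}

# Constructed sample tables, modelled on the netstat -nr listings in the post:
# first as the client leaves the table, then after the manual route add.
ROUTES_TUNNEL_ONLY='124.39.25.34    192.168.253.1   255.255.255.255 UGH       0 0          0 eth0
10.80.146.0     0.0.0.0         255.255.255.0   U         0 0          0 cipsec0
0.0.0.0         10.80.146.59    0.0.0.0         UG        0 0          0 cipsec0'

ROUTES_WITH_LAN='124.39.25.34    192.168.253.1   255.255.255.255 UGH       0 0          0 eth0
10.80.146.0     0.0.0.0         255.255.255.0   U         0 0          0 cipsec0
192.168.253.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         10.80.146.59    0.0.0.0         UG        0 0          0 cipsec0'

# audit_routes TABLE: print the bypassing routes found in a captured table.
audit_routes() {
    printf '%s\n' "$1" | routes_bypassing_tunnel cipsec0 124.39.25.34
}

echo "before the manual route add:"; audit_routes "$ROUTES_TUNNEL_ONLY"
echo "after the manual route add:";  audit_routes "$ROUTES_WITH_LAN"
# On a live system: netstat -nr | routes_bypassing_tunnel cipsec0 124.39.25.34
```

The first table produces no output; the second reports 192.168.253.0/255.255.255.0 via eth0, which is the local LAN route that the gateway's "Local LAN Access is disabled" policy had removed.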

root@olio# route add -net 192.168.253.0 netmask 255.255.255.0 eth0
root@olio# netstat -nr                                     [/proc/sys/net/ipv4]
カーネルIP経路テーブル
受信先サイト    ゲートウェイ    ネットマスク   フラグ   MSS Window  irtt インタフェース
124.39.25.34    192.168.253.1   255.255.255.255 UGH       0 0          0 eth0
10.80.146.0     0.0.0.0         255.255.255.0   U         0 0          0 cipsec0
192.168.253.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         10.80.146.59    0.0.0.0         UG        0 0          0 cipsec0
root@olio# ping 192.168.253.1                              [/proc/sys/net/ipv4]
PING 192.168.253.1 (192.168.253.1) 56(84) bytes of data.
64 bytes from 192.168.253.1: icmp_seq=1 ttl=64 time=0.391 ms
64 bytes from 192.168.253.1: icmp_seq=2 ttl=64 time=0.352 ms
64 bytes from 192.168.253.1: icmp_seq=3 ttl=64 time=0.354 ms
64 bytes from 192.168.253.1: icmp_seq=4 ttl=64 time=0.392 ms
64 bytes from 192.168.253.1: icmp_seq=5 ttl=64 time=0.351 ms

--- 192.168.253.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 0.351/0.368/0.392/0.019 ms
root@olio# ping mx.uXXXXX.co.jp                            [/proc/sys/net/ipv4]
PING mx.uXXXXX.co.jp (10.80.132.30) 56(84) bytes of data.
64 bytes from vmx00.uXXXXX.co.jp (10.80.132.30): icmp_seq=1 ttl=62 time=9.58 ms
64 bytes from vmx00.uXXXXX.co.jp (10.80.132.30): icmp_seq=2 ttl=62 time=8.80 ms
64 bytes from vmx00.uXXXXX.co.jp (10.80.132.30): icmp_seq=3 ttl=62 time=37.2 ms

--- mx.uXXXXX.co.jp ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 8.802/18.542/37.236/13.222 ms

It worked....