Notes on installing the Cisco VPN client on Ubuntu 8.04
Finally found it. And with only two months left until 8.10. Also, the article is from May 1st; why couldn't I find it until now...
But, as expected, it was not straightforward. Since the 8.04 release there have already been about three kernel patches...
If you follow the article linked in the title as written, you first get an error along the lines of "don't change CFLAGS on your own", so I rewrote that line to use EXTRA_CFLAGS instead.
hao@olio% diff -uw Makefile.org Makefile [~/work/vpnclient] --- Makefile.org 2007-08-23 04:30:31.000000000 +0900 +++ Makefile 2008-09-02 22:02:17.000000000 +0900 @@ -12,7 +12,7 @@ SOURCE_OBJS := linuxcniapi.o frag.o IPSecDrvOS_linux.o interceptor.o linuxkernelapi.o ifeq ($(SUBARCH),x86_64) -CFLAGS += -mcmodel=kernel -mno-red-zone +#CFLAGS += -mcmodel=kernel -mno-red-zone NO_SOURCE_OBJS := libdriver64.so else NO_SOURCE_OBJS := libdriver.so @@ -28,6 +28,7 @@ -D_LOOSE_KERNEL_NAMES \ -DCNI_LINUX_INTERFACE \ -DHAVE_CONFIG_H +EXTRA_CFLAGS += -mcmodel=kernel -mno-red-zone ifeq ($(PATCHLEVEL), 4) $(obj)/$(MODULE_NAME).o: $($(MODULE_NAME)-objs) CC [M] /home/hao/work/vpnclient/interceptor.o /home/hao/work/vpnclient/interceptor.c: In function ‘recv_ip_packet_handler’: /home/hao/work/vpnclient/interceptor.c:655: 警告: assignment makes integer from pointer without a cast /home/hao/work/vpnclient/interceptor.c:676: 警告: passing argument 2 of ‘CniNewwFragment’ makes pointer from integer without a cast /home/hao/work/vpnclient/interceptor.c: In function ‘do_cni_send’: /home/hao/work/vpnclient/interceptor.c:794: error: 二項演算子 - が不適切です make[2]: *** [/home/hao/work/vpnclient/interceptor.o] エラー 1 make[1]: *** [_module_/home/hao/work/vpnclient] エラー 2 make[1]: ディレクトリ `/usr/src/linux-headers-2.6.24-19- generic' から出ます make: *** [default] エラー 2 Failed to make module "cisco_ipsec.ko".
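Review bot: in the second hunk, the added `EXTRA_CFLAGS += -mcmodel=kernel -mno-red-zone` line sits outside the `ifeq ($(SUBARCH),x86_64)` block that guarded the original `CFLAGS += -mcmodel=kernel -mno-red-zone` line, so a 32-bit build would now receive x86-64-only code-model flags; move the `EXTRA_CFLAGS` line inside that conditional, next to the line the first hunk comments out, and delete the commented-out `#CFLAGS` line rather than leaving it as dead text.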
After that an even more incomprehensible error appeared and I was at a loss, but I obtained a patch from http://projects.tuxx-home.at/?id=cisco_vpn_client
hao@olio% wget http://projects.tuxx-home.at/ciscovpn/patches/cisco_skbuff_offset.patch
hao@olio% patch < ../cisco_skbuff_offset.patch                          [~/work/vpnclient]
patching file frag.c
patching file interceptor.c
Hunk #1 succeeded at 646 (offset 16 lines).
Hunk #2 succeeded at 685 (offset 16 lines).
Hunk #3 succeeded at 807 (offset 16 lines).
patching file linuxcniapi.c
patching file linuxkernelapi.c
hao@olio% sudo ./vpn_install                                            [~/work/vpnclient]
:
:
/etc/opt/cisco-vpnclient (group bin readable)
/etc/opt/cisco-vpnclient/Profiles (group bin readable)
/etc/opt/cisco-vpnclient/Certificates (group bin readable)

* You may wish to change these permissions to restrict access to root.
* You must run "/etc/init.d/vpnclient_init start" before using the client.
* This script will be run AUTOMATICALLY every time you reboot your computer.
With that, it finally compiles.
Importing the certificate. I think this step and the actual connect operation (vpnclient connect) are meant to be done as your own user, not as root. Probably. In any case, the certificate import and the connect operation have to be done as the same user or it won't work. Which is obvious if you think about what it means.
hao@olio% /opt/cisco-vpnclient/bin/cisco_cert_mgr -U -op import                    [~]
Cisco Systems VPN Client Version 4.8.01 (0640)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.24-19-generic #1 SMP Wed Aug 20 17:53:40 UTC 2008 x86_64

[ Importing Certificate ]
Enter filename: 20080521_14b1407_12762.p12
Import Password:
Enter a password to protect your certificate.
Choose a password that you can remember.
Password:
Confirm Password:
Success: certificate imported from path: /home/hao/20080521_14b1407_12762.p12
hao@olio% cisco_cert_mgr -U -op list
Cisco Systems VPN Client Version 4.8.01 (0640)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.24-19-generic #1 SMP Wed Aug 20 17:53:40 UTC 2008 x86_64

Cert #  Common Name
------- ------------
0       14b1407
root@olio# diff sample.pcf uniadex.pcf                  [/etc/opt/cisco-vpnclient/Profiles]
2,5c2,5
< Description=sample user profile
< Host=10.212.20.52
< AuthType=1
< GroupName=monkeys
---
> Description=uniadex
> Host=vpn1.uniadex.co.jp
> AuthType=3
> GroupName=
10c10
< Username=chimchim
---
> Username=14b1407
14,17c14,17
< EnableNat=1
< CertStore=0
< CertName=
< CertPath=
---
> EnableNat=0
> CertStore=1
> CertName=14b1407
> CertPath=/etc/opt/cisco-vpnclient/Certificates
21a22,34
> UserPassword=
> enc_UserPassword=
> GroupPwd=
> enc_GroupPwd=
> ISPPhonebook=
> NTDomain=
> EnableMSLogon=1
> MSLogonType=0
> TunnelingMode=0
> TcpTunnelingPort=10000
> SendCertChain=0
> PeerTimeout=90
> EnableLocalLAN=1
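The profile diff above is a good place to check what a .pcf actually commits to disk: which authentication type it uses, whether any user or group password is stored alongside it, and whether it asks for local LAN access. The following script is an added example written for this post, not part of the post or of the Cisco client; it assumes the profile is an INI file with a single [main] section (the diff shows only the key/value lines, so the header is an assumption), and the AuthType meanings (1 = pre-shared key, 3 = digital certificate, 5 = mutual group authentication) are the ones documented for the Cisco client. Both sample profiles are constructed from the values in the diff; the password values in the second one are placeholders.

```python
import configparser

# Constructed sample: the post's uniadex.pcf, reassembled from the key/value
# lines in the diff above; the [main] header is assumed (it is not in the diff).
UNIADEX_PCF = """\
[main]
Description=uniadex
Host=vpn1.uniadex.co.jp
AuthType=3
GroupName=
Username=14b1407
EnableNat=0
CertStore=1
CertName=14b1407
CertPath=/etc/opt/cisco-vpnclient/Certificates
UserPassword=
enc_UserPassword=
GroupPwd=
enc_GroupPwd=
TunnelingMode=0
EnableLocalLAN=1
"""

# Constructed counter-example: a pre-shared-key profile (the sample.pcf side of
# the diff) that stores secrets on disk. The values are placeholders.
PSK_PCF = """\
[main]
Description=sample user profile
Host=10.212.20.52
AuthType=1
GroupName=monkeys
GroupPwd=PLACEHOLDER-GROUP-SECRET
Username=chimchim
UserPassword=PLACEHOLDER-USER-PASSWORD
EnableLocalLAN=0
"""

# Keys that hold credentials at rest; a hardened profile leaves all of them empty.
SECRET_KEYS = ("UserPassword", "enc_UserPassword", "GroupPwd", "enc_GroupPwd")
AUTH_TYPES = {"1": "pre-shared key", "3": "digital certificate",
              "5": "mutual group authentication"}


def load_pcf(text):
    """Parse a .pcf profile into a dict, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep 'enc_UserPassword' etc. as written
    cp.read_string(text)
    return dict(cp["main"])


def audit_pcf(text):
    """Return the profile's host, auth method and a list of findings."""
    p = load_pcf(text)
    findings = []
    for key in SECRET_KEYS:
        if p.get(key, ""):
            findings.append("%s is stored in the profile" % key)
    auth = p.get("AuthType", "")
    if auth == "3" and (p.get("CertStore") != "1" or not p.get("CertName")):
        findings.append("AuthType=3 but no certificate is configured")
    if auth == "1" and not p.get("GroupName"):
        findings.append("AuthType=1 but GroupName is empty")
    if p.get("EnableLocalLAN") == "1":
        findings.append("EnableLocalLAN=1 requests local LAN access (split tunnelling)")
    return {
        "host": p.get("Host", ""),
        "auth": AUTH_TYPES.get(auth, "unknown (%r)" % auth),
        "findings": findings,
    }


if __name__ == "__main__":
    for name, text in (("uniadex.pcf", UNIADEX_PCF), ("sample.pcf", PSK_PCF)):
        print(name, audit_pcf(text))
```

Run against the post's profile it reports only the EnableLocalLAN request; against the pre-shared-key sample it flags the two stored passwords. Note that the Profiles directory is installed "group bin readable", as the vpn_install output above says, so anything a profile stores is readable by that group.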
root@olio# /etc/init.d/vpnclient_init start             [/etc/opt/cisco-vpnclient/Profiles]
Starting /opt/cisco-vpnclient/bin/vpnclient: Done
hao@olio% vpnclient connect uniadex                                                [~]
Cisco Systems VPN Client Version 4.8.01 (0640)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.24-19-generic #1 SMP Wed Aug 20 17:53:40 UTC 2008 x86_64
Config file directory: /etc/opt/cisco-vpnclient

Enter Certificate password:
Initializing the VPN connection.
Contacting the gateway at 124.39.25.34
User Authentication for uniadex...

Enter Username and Password.
Username [14b1407]:
Password []:
Authenticating user.
Negotiating security policies.
Securing communication channel.
Your VPN connection is secure.

VPN tunnel information.
Client address: 10.80.146.44
Server address: 124.39.25.34
Encryption: 168-bit 3-DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is inactive
Local LAN Access is disabled
^C
Disconnecting the VPN connection.
A Leopard-compatible version is also at http://www.macupdate.com/info.php/id/10317/cisco-vpn-client. Oh, and here too.
And then, while writing this, I came across this thing. A suggestive name. The forbidden patch...
hao@olio% patch -p0 < ../override-local-lan-access.diff                 [~/work/vpnclient]
patching file frag.c
patching file interceptor.c
Hunk #1 succeeded at 646 (offset 16 lines).
Hunk #2 succeeded at 685 (offset 16 lines).
Hunk #3 succeeded at 807 (offset 16 lines).
patching file linuxcniapi.c
patching file linuxkernelapi.c
While vpnclient connect is active, the table looks like this:
root@olio# netstat -nr                                              [/proc/sys/net/ipv4]
カーネルIP経路テーブル
受信先サイト    ゲートウェイ    ネットマスク   フラグ   MSS Window  irtt インタフェース
124.39.25.34    192.168.253.1   255.255.255.255 UGH       0 0          0 eth0
10.80.146.0     0.0.0.0         255.255.255.0   U         0 0          0 cipsec0
0.0.0.0         10.80.146.59    0.0.0.0         UG        0 0          0 cipsec0
The route to the local LAN is gone, so I add it manually.
root@olio# route add -net 192.168.253.0 netmask 255.255.255.0 eth0
root@olio# netstat -nr                                              [/proc/sys/net/ipv4]
カーネルIP経路テーブル
受信先サイト    ゲートウェイ    ネットマスク   フラグ   MSS Window  irtt インタフェース
124.39.25.34    192.168.253.1   255.255.255.255 UGH       0 0          0 eth0
10.80.146.0     0.0.0.0         255.255.255.0   U         0 0          0 cipsec0
192.168.253.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         10.80.146.59    0.0.0.0         UG        0 0          0 cipsec0
root@olio# ping 192.168.253.1                                       [/proc/sys/net/ipv4]
PING 192.168.253.1 (192.168.253.1) 56(84) bytes of data.
64 bytes from 192.168.253.1: icmp_seq=1 ttl=64 time=0.391 ms
64 bytes from 192.168.253.1: icmp_seq=2 ttl=64 time=0.352 ms
64 bytes from 192.168.253.1: icmp_seq=3 ttl=64 time=0.354 ms
64 bytes from 192.168.253.1: icmp_seq=4 ttl=64 time=0.392 ms
64 bytes from 192.168.253.1: icmp_seq=5 ttl=64 time=0.351 ms

--- 192.168.253.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 0.351/0.368/0.392/0.019 ms
root@olio# ping mx.uXXXXX.co.jp                                     [/proc/sys/net/ipv4]
PING mx.uXXXXX.co.jp (10.80.132.30) 56(84) bytes of data.
64 bytes from vmx00.uXXXXX.co.jp (10.80.132.30): icmp_seq=1 ttl=62 time=9.58 ms
64 bytes from vmx00.uXXXXX.co.jp (10.80.132.30): icmp_seq=2 ttl=62 time=8.80 ms
64 bytes from vmx00.uXXXXX.co.jp (10.80.132.30): icmp_seq=3 ttl=62 time=37.2 ms

--- mx.uXXXXX.co.jp ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 8.802/18.542/37.236/13.222 ms
And it just worked....
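The two route tables above are the whole story of whether the gateway's full-tunnel policy ("Local LAN Access is disabled") is actually in force on the host: after connect the only route that leaves via eth0 is the /32 host route to the VPN gateway, and after the manual route add a second eth0 route bypasses the tunnel. The script below is an added example for this post, not code from the post or from Cisco; it parses netstat -nr output (skipping the title and header lines whatever the locale, which is why the Japanese headers from the post are kept in the constructed samples), treats the host route to the given gateway address as the one legitimate exception, and reports every other route that does not go through the tunnel interface. The interface name cipsec0 and the gateway address are taken from the post; the function names are this example's own.

```python
import re

# Constructed samples: the two `netstat -nr` tables shown in the post, Japanese
# headers included. The parser ignores any line not starting with an IPv4 address.
AFTER_CONNECT = """\
カーネルIP経路テーブル
受信先サイト    ゲートウェイ    ネットマスク   フラグ   MSS Window  irtt インタフェース
124.39.25.34    192.168.253.1   255.255.255.255 UGH       0 0          0 eth0
10.80.146.0     0.0.0.0         255.255.255.0   U         0 0          0 cipsec0
0.0.0.0         10.80.146.59    0.0.0.0         UG        0 0          0 cipsec0
"""

AFTER_ROUTE_ADD = """\
カーネルIP経路テーブル
受信先サイト    ゲートウェイ    ネットマスク   フラグ   MSS Window  irtt インタフェース
124.39.25.34    192.168.253.1   255.255.255.255 UGH       0 0          0 eth0
10.80.146.0     0.0.0.0         255.255.255.0   U         0 0          0 cipsec0
192.168.253.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         10.80.146.59    0.0.0.0         UG        0 0          0 cipsec0
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_routes(text):
    """Return (destination, gateway, netmask, flags, interface) tuples from netstat -nr output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not IPV4.match(f[0]):
            continue  # title and column-header lines, in any locale
        routes.append((f[0], f[1], f[2], f[3], f[-1]))
    return routes


def audit_tunnel(text, vpn_iface="cipsec0", gateway_ip=None):
    """Decide whether the table forces all traffic through vpn_iface.

    The one route allowed to leave via another interface is the /32 host route
    to the VPN gateway itself, which carries the encrypted packets. Any other
    route not using vpn_iface is reported as a bypass route.
    """
    routes = parse_routes(text)
    findings, bypass = [], []
    default = [r for r in routes if r[0] == "0.0.0.0"]
    if not default:
        findings.append("no default route")
    elif default[0][4] != vpn_iface:
        findings.append("default route leaves via %s, not %s" % (default[0][4], vpn_iface))
    for dest, gw, mask, flags, iface in routes:
        if iface == vpn_iface or dest == "0.0.0.0":
            continue
        gateway_host_route = (mask == "255.255.255.255" and "H" in flags
                              and gateway_ip in (None, dest))
        if gateway_host_route:
            continue
        bypass.append("%s/%s via %s" % (dest, mask, iface))
    mode = "full-tunnel" if not findings and not bypass else "not-full-tunnel"
    return {"mode": mode, "bypass_routes": bypass, "findings": findings}


if __name__ == "__main__":
    for label, table in (("after connect", AFTER_CONNECT), ("after route add", AFTER_ROUTE_ADD)):
        print(label, audit_tunnel(table, gateway_ip="124.39.25.34"))
```

Feeding it the live output of netstat -nr from a login script or a periodic check gives an endpoint-side way to notice when a client's routing no longer matches the policy the gateway reported at connect time, which is exactly the state the manual route add above produces.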