hi
This is in continuation of
http://ubuntu-virginia.ubuntuforums....d.php?t=441042
I just want to report success as of today on jaunty...
DISCLAIMER:
USE AT YOUR OWN RISK, PLEASE CONSULT YOUR COMPANY IT DEPARTMENT TO SEE IF THE FOLLOWING PROCEDURE
IS LEGAL. I AM NOT, AND NO ONE IS, RESPONSIBLE FOR ANY OF YOUR ACTIONS AFTER READING THIS POST.
Here are my instructions...
0. Install the compile tools (the Ubuntu package is named build-essential, and both commands need root)
sudo apt-get install build-essential subversion
sudo apt-get build-dep vpnc
1. Get the source code (note that I am mentioning the release number as it is the most current release as of the day of this post, and it has worked for me)
svn co -r 414 http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel
2. cd vpnc-nortel
3. vi Makefile # edit the PREFIX and set it to /usr
4. make
if all compiles well (which it should)
5. sudo make install
6. sudo mv /etc/vpnc/default.conf /etc/vpnc/default.conf.install
7. Create the following config file..
vi /etc/vpnc/contivity-ip-split.conf
Before this step, open your Windows Nortel Contivity client and connect as usual...
next right-click the icon in the task-bar and open the status window.
Note the options for
Security:
IKE: (Diffie Hellman=>"dh")
Compression:
Destination IP Address
IPSec NAT Traversal
etc...
and write them down so you can see them when editing the file here..
Next, on your ubuntu box, type
vpnc --long-help
and see if any of the options noted above have any correlation with the options available with vpnc... if so change them accordingly...
Code:
```
#===== /etc/vpnc/contivity-ip-split.conf
IPSec gateway XXX.XXX.XXX.XXX
IPSec ID COMPANY_GROUP_ID
IPSec secret COMPANY_GROUP_ID_PSK

# This is specific to Nortel Contivity Server Config
# please update accordingly
Vendor nortel
Nortel Client ID V06_01
IKE DH Group dh5
IKE Authmode gpassword

## To add your username and password,
## use the following lines:
Xauth username MY_LOGIN
Xauth password MY_PASSWD

Script /etc/vpnc/contivity-ip-split-script

# No Detach
#   This is for debugging purposes only... runs vpnc in foreground
# Debug 99
#   Again for debug purposes, check vpnc --long-help for verbosity levels
#
# NEVER post a debug99 log on the internet, it contains username and passwd
```
8. sudo chmod 600 /etc/vpnc/contivity-ip-split.conf
9. Create the following split script...
vi /etc/vpnc/contivity-ip-split-script
Code:
```
#!/bin/sh
# ===== /etc/vpnc/contivity-ip-split-script

# Each helper appends one entry to the split-tunnel list that
# /etc/vpnc/vpnc-script reads (CISCO_SPLIT_INC_<n>_ADDR/MASK/MASKLEN)
add_ip () {
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=255.255.255.255
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=32
    export CISCO_SPLIT_INC=$(($CISCO_SPLIT_INC + 1))
}
add_Csubnet () {
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=255.255.255.0
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=24
    export CISCO_SPLIT_INC=$(($CISCO_SPLIT_INC + 1))
}
add_Bsubnet () {
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=255.255.0.0
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=16
    export CISCO_SPLIT_INC=$(($CISCO_SPLIT_INC + 1))
}
add_Asubnet () {
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=255.0.0.0
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=8
    export CISCO_SPLIT_INC=$(($CISCO_SPLIT_INC + 1))
}

# Initialize empty split tunnel list
export CISCO_SPLIT_INC=0

# Delete DNS info provided by VPN server to use internet DNS
# Comment following line to use DNS beyond VPN tunnel
unset INTERNAL_IP4_DNS

# List of IPs beyond VPN tunnel
# These should be listed in /etc/hosts also...
add_ip 10.XXX.XXX.XXX   # email server
add_ip 10.YYY.YYY.YYY   # www server
add_ip 10.AAA.BBB.CCC   # your workstation
add_ip 10.ZZZ.ZZZ.ZZZ   # some other server
# add_Asubnet 10.0.0.0      # full 10.0.0.0 private class A subnet
# add_Bsubnet 10.10.0.0     # eg class B subnet
# add_Csubnet 10.10.10.0    # eg class C subnet

# Execute default script
. /etc/vpnc/vpnc-script
# End of script
```
Note that we are switching off the 'internal DNS' and hence name resolution is left up to /etc/hosts, and my understanding is that you would want to access only a few hosts from your work instead of the whole network. In my case I am really content with my IMAP/mail server, the intra-office web-server, and my workstation on which I run VNC.
I usually work off my VNC so things run much faster than over the network...
In theory you can write a split script which gives access to your whole company's intranet and run your own DNS server which can forward your queries appropriately, however I guess it is more insecure than using split, which itself is insecure!!!
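The add_ip/add_*subnet helpers above can only express /32, /24, /16 and /8 entries. As an added example (not part of the original post or of vpnc's own scripts), here is a generalised helper that takes CIDR notation, computes the dotted mask itself, rejects a bad prefix length, and can print the resulting list so you can check exactly which destinations will be routed through the tunnel before connecting. The names add_net, prefix_to_mask and split_list are this example's own; the CISCO_SPLIT_INC_* variables are the ones the stock vpnc-script reads, and the addresses in the demo list are constructed placeholders.

```shell
#!/bin/sh
# Added example: CIDR-aware split-tunnel helpers for a vpnc "Script" hook.
# prefix_to_mask, add_net and split_list are names assumed by this example.

prefix_to_mask() {
    # Convert a prefix length (0-32) to a dotted-decimal netmask.
    p=$1
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$p" -ge 8 ]; then
            octet=255; p=$((p - 8))
        elif [ "$p" -gt 0 ]; then
            octet=$(( 256 - (1 << (8 - p)) )); p=0
        else
            octet=0
        fi
        mask="${mask}${mask:+.}${octet}"
        i=$((i + 1))
    done
    printf '%s' "$mask"
}

add_net() {
    # $1 is ADDR/PREFIXLEN; a bare address is treated as a /32 host route.
    addr=${1%/*}
    case $1 in
        */*) len=${1#*/} ;;
        *)   len=32 ;;
    esac
    if [ "$len" -lt 0 ] || [ "$len" -gt 32 ]; then
        echo "add_net: bad prefix length in $1" >&2
        return 1
    fi
    n=${CISCO_SPLIT_INC:-0}
    # Same variables the original add_* helpers export for vpnc-script
    export "CISCO_SPLIT_INC_${n}_ADDR=$addr"
    export "CISCO_SPLIT_INC_${n}_MASK=$(prefix_to_mask "$len")"
    export "CISCO_SPLIT_INC_${n}_MASKLEN=$len"
    export CISCO_SPLIT_INC=$((n + 1))
}

split_list() {
    # Print one "ADDR MASK MASKLEN" line per entry: what vpnc-script will route.
    i=0
    while [ "$i" -lt "${CISCO_SPLIT_INC:-0}" ]; do
        eval "printf '%s %s %s\n' \"\$CISCO_SPLIT_INC_${i}_ADDR\" \"\$CISCO_SPLIT_INC_${i}_MASK\" \"\$CISCO_SPLIT_INC_${i}_MASKLEN\""
        i=$((i + 1))
    done
}

# Constructed demo list (placeholder addresses, not real hosts)
export CISCO_SPLIT_INC=0
add_net 10.1.2.3          # a single host, same as add_ip
add_net 10.10.10.0/24     # same as add_Csubnet
add_net 10.20.0.0/22      # a prefix the original helpers cannot express
split_list
```

Drop the demo lines and call add_net from your own split script in place of add_ip/add_*subnet; running the script by hand (without the final `. /etc/vpnc/vpnc-script`) and reading the split_list output is a quick way to confirm only the intended hosts and subnets are listed.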
10. sudo chmod 700 /etc/vpnc/contivity-ip-split-script
11. Finishing touches...
cd /etc/vpnc/
sudo ln -s contivity-ip-split.conf default.conf
# create these 2 aliases in your .cshrc (csh syntax):
alias vpnc 'sudo \vpnc'
alias vpnc-disconnect 'sudo \vpnc-disconnect'
# or in your .bashrc (bash syntax):
alias vpnc='sudo \vpnc'
alias vpnc-disconnect='sudo \vpnc-disconnect'
# --------------------- ALL DONE ------------------------------------
To connect type
vpnc
to disconnect type
vpnc-disconnect
Note that your contivity admin has configured a "MAX" for the number of consecutive failed
login attempts, so my recommendation is: if it does not work and you are playing around with your config to get it right, then use your ******* box to connect and disconnect after every 2 failed tries using the method described here, else your account could get locked out..
Hope this helps...
Ghatto

Troubleshooting tips
Feb 2011:
Sometimes the company network is set to route packets through various subnets (I guess), so if a certain other IP address is not available as you specifically set the add_ip (without a custom route) then it will not work.. in this case you may want to use the add_*subnet functions... the worst/best scenario is to use a list of all subnets available in your company, which you can ping using e.g. the following (if your company uses the 10.0.0.0 class A private subnet)
(now that will take a really long time to run...)
Code:
```
nmap -oG mySubnets.txt -sP 10.1-255.1-255.1-255
```