The Cisco VPN Client is a software application that runs on computers using any of the following operating systems:

• Linux for Intel: Red Hat Version 6.2 or later, or compatible libraries with glibc Version 2.1.1-6 or later, using kernel Versions 2.2.12 or later.
• Solaris UltraSPARC: 32-bit or 64-bit Solaris kernel OS Version 2.6 or later.

The VPN client on a remote PC, communicating with a VPN server, creates a secure connection over the Internet. This connection allows you to access the HUJI network as if you were an on-site user, creating a virtual private network (VPN).

Use the VPN client command-line interface to establish a VPN connection to a private network and to manage connection entries, certificates, and event logging.

As a remote user (low speed or high speed), you first connect to the Internet. Then you use the VPN Client to securely access the HUJI network through a VPN server that supports the VPN Client.

System requirements:

This section describes system requirements for the VPN client for each operating system.

Linux System Requirements

The VPN client for Linux supports Red Hat Version 6.2 Linux (Intel), or compatible libraries with glibc Version 2.1.1-6 or later, using kernel Versions 2.2.12 or later.

Note: The VPN client for Linux does not support kernel Version 2.5 or SMP (multiprocessor) kernels.

Solaris System Requirements

The VPN client for Solaris runs on any UltraSPARC computer running a 32-bit or 64-bit Solaris kernel OS Version 2.6 or later.

Changing a Kernel Version

You can install the VPN client running the 32-bit or 64-bit version of the kernel (referred to as 32-bit mode and 64-bit mode). If you experience problems installing or running the VPN client in one mode, try the other one.

To see which mode the system is running in, enter this command:

isainfo -kv

If the cipsec module is loaded correctly, the dmesg log displays a message similar to the following:

Oct 29 11:09:54 sol-2062 cipsec: [ID 952494 kern.notice] Cisco Unity IPSec Module Load OK

Note: If the dmesg log does not show the cipsec log message, you should switch to the other mode.

To switch to 32-bit mode:

Temporarily: Enter the following command (ok is the system prompt):

ok boot kernel/unix

Permanently: Execute the following command as root, then restart your computer:

eeprom boot-file=/platform/sun4u/kernel/unix

To switch to 64-bit mode:

Temporarily: Enter the following command (ok is the system prompt):

ok boot kernel/sparcv9/unix

Permanently: Execute the following command as root, then restart your computer:

Before you install a new version of the VPN client, or before you re-install your current version, you must use the stop command to disable VPN service.

If you are upgrading from the VPN 3000 client to the VPN client, use the following stop command:

/etc/rc.d/init.d/vpnclient_init stop

The following steps will guide you through the brief process of installing the client.

1. If you have the earlier version of the VPN client installed on your computer, remove it by following the instructions.
2. Download the packed files to a directory of your choice.
3. Unpack the file using the zcat and tar commands. For example:

   zcat vpnclient-linux-3.7.K9.tar.gz | tar xvf -

   This command creates the vpnclient directory in the current directory.
4. Obtain superuser privileges to run the install script.
5. Enter the following commands:

   cd vpnclient
   ./vpn_install

The default directories for the binaries, kernel, VPN modules, and profiles are listed during the installation process. You receive the following prompts during the installation:

Directory where binaries will be installed [/lib/modules/<kernel version>/build/]
Automatically start the VPN service at boot time [yes]
Directory containing linux kernel source code [/usr/src/linux]
Is the above correct [y]

Press Enter to choose the default response. At the directory prompts, if you do not choose the default, you must enter another directory in your user's path.

If the installer cannot autodetect these settings, you might receive the following prompts:

Directory containing init scripts:
--This is the directory where scripts run at boot time are kept. Normally it is /etc/init.d or /etc/rc.d/init.d

Note: If you are installing the VPN Client for Solaris, Release 3.7 or later on a version 2.6 Solaris platform, you receive the following message during the VPN client installation: "Patch 105181 version 29 (or higher) to Solaris 2.6 is required for the client to function properly. Installing without this patch will cause the kernel to crash as soon as the client kernel module is loaded. This patch is available from Sun as part of the "Recommended Solaris Patch Cluster". If you proceed with installation, the kernel module will not be enabled. After you have installed the patch, you may enable the kernel module by uncommenting all lines in /etc/iu.ap that contain 'cipsec'."

1. If you have the earlier version of the VPN client installed on your computer, remove it by following the instructions.
2. Download the packed files, either from your internal network or the Cisco website, to a directory of your choice.
3. Unpack the file using the zcat and tar commands. For example:

   zcat vpnclient-solaris-3.7.K9.tar.Z | tar xvf -

   This command creates the vpnclient directory in the current directory.
4. Obtain superuser privileges to run the install script.
5. Enter the following command:

   pkgadd -d . vpnclient

The default directories for the binaries, kernel, VPN modules, and profiles are listed during the installation process. You receive the following prompts during the installation.

Directory where binaries will be installed [/usr/local/bin]
Is the above correct [y]

If the installer finds a conflict with the VPN client files and another application, you receive this message:

The following files are already installed on the system and are being used by another package:
<installer lists files>
Do you want to install these conflicting files [y,n,?,q]

The following files are being installed with setuid and/or setgid permissions:
<installer lists files>
Do you want to install these as setuid/setgid files [y,n,?,q]

This package contains scripts which will be executed with super-user permission during the process of installing this package. Do you want to continue with the installation of <vpnclient> [y,n,?]

Press Enter to choose the default response. At the directory prompts, if you do not choose the default, you must enter another directory in your user's path.

6. Restart your computer.

VPN Client for Solaris Install Script Notes

During the installation process:

1. The following line is added to the /etc/iu.ap file to enable the autopush facility at startup:

   <dev_name> -1 0 cipsec

   where dev_name is the name of the interface without the trailing numbers (for example ipdtp, le, or hme). A line is added for every supported network device detected.
2. The VPN module is copied to the /kernel/strmod directory, which is in the system's module search path.
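
The autopush entries described above, and the patch note's instruction to uncomment the cipsec lines in /etc/iu.ap, can be applied to a copy of the file and reviewed before anything is put in place. This is an added example, not part of the Cisco installer or the original page; the function names are hypothetical, the sample file is constructed, and the "#" prefix on disabled entries is an assumption.

```shell
#!/bin/sh
# Added example: operates on a copy of the autopush file, not on /etc/iu.ap.

# Print FILE with commented-out "<dev_name> -1 0 cipsec" entries uncommented.
# Assumption: disabled entries are prefixed with "#". Other comments that
# merely mention cipsec are left untouched.
uncomment_cipsec() {
    awk '{
        line = $0
        stripped = sub(/^[ \t]*#[ \t]*/, "", line)
        n = split(line, f)
        if (stripped && n == 4 && f[2] == "-1" && f[3] == "0" && f[4] == "cipsec")
            print line
        else
            print $0
    }' "$1"
}

# Print the device names that have an active cipsec autopush entry in FILE.
active_cipsec_devices() {
    awk 'NF == 4 && $1 !~ /^#/ && $2 == "-1" && $3 == "0" && $4 == "cipsec" { print $1 }' "$1"
}

# Constructed sample: two disabled entries plus an unrelated comment.
demo() {
    work=$(mktemp -d) || return 1
    cat > "$work/iu.ap" <<'EOF'
# constructed sample of /etc/iu.ap
#hme -1 0 cipsec
# le -1 0 cipsec
# note: cipsec entries are added by the VPN client installer
EOF
    uncomment_cipsec "$work/iu.ap" > "$work/iu.ap.new"
    echo "devices enabled after edit: $(active_cipsec_devices "$work/iu.ap.new" | tr '\n' ' ')"
    diff "$work/iu.ap" "$work/iu.ap.new" || true   # review before copying into place
    rm -rf "$work"
}
demo
```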

The pkginfo command provides information about the installed packages. For more information on other package-related commands, enter:

man pkgadd

Connecting with the VPN Client

Note: If you are connecting to a VPN device using Telnet or SSH, check to see if the device allows split tunneling. If it does not, you lose connectivity to your VPN device after making a VPN connection.

After you have installed the VPN client, you can attempt to connect to the HUJI network.

1. Connect to your Internet Service Provider (ISP).
2. Locate the directory that contains the VPN client software and enter the vpnclient command at the command line prompt:

   vpnclient connect huji

3. After a few seconds, you will be prompted to enter your username and password. Type your ID number as the username (type your 8-digit ID number without the control digit; if your ID consists of fewer than 8 digits, add zeros to the beginning). Type your password (from your one-time password card). Click OK.
4. In a few seconds, the VPN client will establish the connection. At this point, the VPN client is active and you should be able to access the resources you need. To make sure you are connected, enter the following command:

   vpnclient stat

   If you are connected properly, the Client IP address listed in the output of the status command should start with the numbers 132.64 (like "132.64.12.12").
5. When you are done with the VPN client, enter the following command:

   vpnclient disconnect

   or press Ctrl-C while you are in the VPN Client window. (Note: while this will not disconnect you from the Internet, it will turn off the VPN client and may close certain Internet programs like telnet.)
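
The connection check in the steps above can be scripted so that it compares whole octets rather than searching for the text "132.64", which would also match an address such as 10.132.64.7. This is an added example, not part of the VPN client or the original page; the function names are hypothetical, the sample output is constructed, and the assumption is that the status output names the address on a line containing "Client" and "address".

```shell
#!/bin/sh
# Added example: reads `vpnclient stat` output on standard input.

# Print the first IPv4 address found on the client-address line.
# Assumption: that line contains the words "Client" and "address".
client_addr() {
    grep -i 'client.*address' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# Succeed only for a valid IPv4 address whose first two octets are 132 and 64.
in_huji_range() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
            exit !($1 + 0 == 132 && $2 + 0 == 64)
        }'
}

# Report whether the tunnel assigned an address in the expected range.
check_tunnel() {
    addr=$(client_addr)
    if in_huji_range "$addr"; then
        echo "OK $addr"
    else
        echo "NOT TUNNELLED ${addr:-none}"
        return 1
    fi
}

demo() {
    # Constructed sample output; the real layout of `vpnclient stat` may differ.
    printf 'Client address: 132.64.12.12\nServer address: 192.0.2.10\n' | check_tunnel
    printf 'Client address: 10.132.64.7\n' | check_tunnel || true
}
demo
```

On a connected machine the same check would be run as `vpnclient stat | check_tunnel`.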

Displaying VPN Client Statistics

This section describes the VPN client statistics command vpnclient stat and its optional parameters.

To generate status information about your connection, enter the following command:

vpnclient stat [reset][traffic][tunnel][route][repeat]

If you enter this command without any of the optional parameters, the vpnclient stat command displays all status information. The optional parameters are described in the following table.

Parameter   Description
reset       Restarts all connection counts from zero.
traffic     Displays a summary of bytes in and out, packets encrypted and decrypted, and packets discarded.
tunnel      Displays IPSec tunneling information.
route       Displays configured routes.
repeat      Provides a continuous display, refreshing it every few seconds. To end the display, press Ctrl-C.

Viewing Log Files

To view logging information, enter the following command:

/usr/local/bin/ipseclog /directory/clientlog.txt

Note: If you did not use the default directory /usr/local/bin during installation, logging commands must be entered using your chosen path.

To view logging information in real time, enter the following command after you start the ipseclog:

tail -f /directory/clientlog.txt

The ipseclog does not automatically go to the background. To send the ipseclog to the background, press Ctrl-Z followed by bg on the command line, or enter the ampersand symbol at the end of the view