Login Main site Create account

10.04.2007 15:55

Cisco VPN Client and Linux Kernel 2.6.19+ Rev.1


============================== ATTENTION ==============================
This article is _OUTDATED_. You can find an updated version of the patch below in the Links section.
============================== ATTENTION ==============================

I'm still surprised about the huge number of comments and e-mails from people regarding my weblog entry that makes the Cisco VPN Client work again with linux kernels 2.6.19+ and therefore, I'll add another entry on this topic here.

First of all: There's an error in the previous patch.

A nice fellow called Andy Ritger mailed to me yesterday and told me that my patch breaks DNS name resolution inside the tunnel. As I never use name resolution with my tunnels (you know, real geeks know all these funny numbers inside out ;) ) I didn't recognize this bug. Fortunately, he had a solution to this problem too and you can find his modified patch at the end of this entry.

Again, the installation instructions:
1. Untar the VPN Client
# tar xzf vpnclient-linux-4.8.00.0490-k9.tar.gz

2. Download the patch
# wget -q http://tuxx-home.at/projects/cisco-vpnclient/vpnclient-linux-2.6.19+-rev1.diff

3. Change to the vpnclient diretory
# cd vpnclient

4. Apply the patch
# patch <../vpnclient-linux-2.6.19+-rev1.diff
patching file IPSecDrvOS_linux.c
patching file frag.c
patching file interceptor.c
patching file linuxcniapi.c

Now the patch has been applied and you can safely install the client
#./vpn_install

Downloads:

References:

Links:
============================== ATTENTION ==============================
This article is _OUTDATED_. You can find an updated version of the patch above in the Links section.
============================== ATTENTION ==============================

Comments added earlier to http://tuxx-home.at/archives/2007/04/10/T15_55_43/index.html:
Guest on 2007-04-10 19:09:46 wrote:
JFYI: Wenn du nicht relative URLs verwendest (also statt href=/foobar/... ein href=http://www.tuxx-home.at/foobar/ nehmen), tun sich Leute, die dein Blog via externem Service alla Bloglines.com lesen ein bissi leichter. ;-)

thx && mfg,
-mika-
Alexander Griesser on 2007-04-10 19:35:46 wrote:
war eh nur einer :) -> gefixt.
Guest on 2007-04-14 18:51:25 wrote:
Thanks for this article, do you know from where can I download this vpn client release ?
Alexander Griesser on 2007-04-15 02:21:46 wrote:
You may download it from our corporate website.
Unfortunately, the domain name currently is broken,
so please use this link:

http://213.33.64.129/vpn/
Guest on 2007-04-16 14:27:34 wrote:
Thanks Alexander!
Guest on 2007-04-24 17:21:18 wrote:
Apperantly your fix is so good, that Cisco TAC pointed me here.

Thanks.
Guest on 2007-04-24 21:17:17 wrote:
Vielen Dank für den Patch! Ich war echt frustriert, als mein VPN Client unter Feisty nicht sofort funktioniert hat.
Guest on 2007-04-25 06:14:21 wrote:
Thanks
I could not get past the error msg in interceptor.c CHECKSUM_HW
Alexander Griesser on 2007-04-26 13:24:58 wrote:
Is this true, that Cisco itself pointed you to my website?
Well, that's surprising... Matrox Technical support points
users to my website and Cisco TAC points their users
to my website too...

If I'd be such a big company, I'd feel blamed by not
incorporating such small patches into a next release
version...

But, what shells. Feeling lucky that my site can help
so many people having troubles :)
Guest on 2007-05-04 09:50:48 wrote:
Hallo,<BR />danke für den Patch, damit konnte ich den Client unter feisty Fehlerfrei builden, aber er will leider nicht verbinden:<BR /><BR />Initializing the VPN connection.<BR />Secure VPN Connection terminated locally by the Client<BR />Reason: Failed to establish a VPN connection.<BR />There are no new notification messages at this time.<BR /><BR />Mit vpnc 0.4.0 geht alles in Ordnung, aber damit geht die Verbindung nach einer halben Stunde kaput, deshalb möchte ich cisco Client benutzen. <BR /><BR />Habt ihr vielleicht eine Idee was bei mir schiefgeht?<BR /><BR />
Guest on 2007-05-04 16:05:45 wrote:
not working under Kernel 2.6.20.15
Alexander Griesser on 2007-05-04 20:12:47 wrote:
@deutschsprachiger Gast:
Ohne genauere Fehlermeldungen etc. kann ich da hier nicht viel machen. Bitte schreib mir mal ein E-Mail, hier im Weblog ist sowas blöd zu lösen.

@Guest:
> not working under Kernel 2.6.20.15

Well, it does. It also works for 2.6.21.1, so maybe it's
just a problem with your installation.
If you like to, you can write me an e-mail and I'll try to
fix this with you.
Guest on 2007-05-08 16:41:09 wrote:
Thank you very much; it worked for me. Sweet!
Guest on 2007-05-10 04:50:00 wrote:
I'm not seeing any joy under 2.6.20.15 either..
Secure VPN Connection terminated locally by the Client
Reason: Failed to establish a VPN connection.
There are no new notification messages at this time.

Sure doesn't give you much to debug with..
Alexander Griesser on 2007-05-10 10:08:20 wrote:
I know, that posting comments with a Guest user is easy, but I'm not able
to help you if you don't provide contact information or mail me directly, at
least.

So, if you ever happen to read this again, here's some information on how
to enable debugging:

Open the file /etc/opt/cisco-vpnclient/vpnclient.ini and set the option "EnableLog" to "1":

------------------- 8< ------------------
EnableLog=1
------------------- 8< ------------------

Afterwards, start the ipseclog utility:

ipseclog /tmp/connection.log

Open another terminal and initiate your VPN connection.
All relevant information was now logged to the file /tmp/connection.log
and can be viewed for further debugging with your favourite editor.
Guest on 2007-05-14 12:29:01 wrote:
HI!
I have the same problem with kernel 2.6.20-15 on ubuntu Feisty, in my connection.log compare this message:

Started vpnclient:
Cisco Systems VPN Client Version 4.8.00 (0490)
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.20-15-generic #2 SMP Sun Apr 15 07:36:31 UTC 2007 i686

10 12:23:46.070 05/14/2007 Sev=Info/4 CM/0x43100002
Begin connection process

11 12:23:46.071 05/14/2007 Sev=Info/4 CM/0x43100004
Establish secure connection using Ethernet

12 12:23:46.071 05/14/2007 Sev=Info/4 CM/0x43100024
Attempt connection with server "x.x.x.x"

13 12:23:46.071 05/14/2007 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (500).

14 12:23:46.072 05/14/2007 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (4500).

15 12:23:46.072 05/14/2007 Sev=Info/6 IKE/0x4300003B
Attempting to establish a connection with x.x.x.x.

16 12:23:46.588 05/14/2007 Sev=Info/4 IKE/0x43000075
Unable to acquire local IP address after 5 attempts (over 5 seconds), probably due to network socket failure.

17 12:23:46.588 05/14/2007 Sev=Warning/2 IKE/
Alexander Griesser on 2007-05-14 13:43:11 wrote:
This seems to be a bug known by cisco for the 4.8 releases of the Cisco VPN clients when connecting to the internet over several modem resp. connection types.

For MacOS X, they released an updated version (4.9) which
does fix it.

Please have a look at the following link for further information:

http://forums.macnn.com/92/networking/297134/problems-with-cisco-vpn/
Guest on 2007-05-16 17:08:41 wrote:
I found workaround: I had multiple new interfaces. I ifdown eth0 and vpnclient now works fine on eth1. Hope it helps.
Alexander Griesser on 2007-05-16 17:19:57 wrote:
I read that somewhere but I didn't think that this would really help.
But it's good to know, thanks for sharing this with us!
Guest on 2007-05-16 23:39:20 wrote:
Thank you for the patch. I had the same problem as guest (2007-05-14 12:29:01) - my computer has two network interfaces. After I shut down one iface, the vpn client is was running properly..
Guest on 2007-06-09 15:13:16 wrote:
ejjuarezperez@gmail.com

Hi
I ifdow eth0 and my vpnclient works fine (but shows a message in terminal about LAN is dissabled)

but the main problem is: now i can't connect to internet as usual. furthermore i dont know use the vpnclient to open my remote folders. I am new in linux, Please, could you help me?
Guest on 2007-06-09 16:13:14 wrote:
ejjuarezperez@gmail.com

hi again,
my problems are solved.
my remote folders in my work (samba) are in "network" and i can open it from my home!!!

when i finish: ifup etho0 and internet works good again.




Alexander Griesser on 2007-06-10 23:18:16 wrote:
Unfortunately, I was still not able to reproduce this on one of my systems, so
if you're willing to assist me in tracking this down, please send me an e-mail.
Guest on 2007-07-02 00:32:28 wrote:
Another thank you to the guest who posted about the 2 network interfaces. I had this problem also, and disabling one fixed it.
Guest on 2007-07-04 08:10:30 wrote:
Another big thank you Alex! You saved my sanity
Guest on 2007-07-10 17:16:54 wrote:
Thanks for the diagnostics guide!

Frustrated Linux User
Guest on 2007-07-25 02:24:24 wrote:
hi there,

I also have the problem, that whenever I want to start VPN client I get

Initializing the VPN connection.
Secure VPN Connection terminated locally by the Client
Reason: Failed to establish a VPN connection.
There are no new notification messages at this time.

:-(
I have no Idea why, I googled around, but this did not help. I am running Open SUSE Linux 10.2 (2.6.18.2-34-default)

Does anybody has an idea?

Thank you a lot!
Guest on 2007-08-29 21:32:19 wrote:
i have ubuntu feisty fawn with kernel 2.6.20.16 and when i run patch, it FAILS. i tryed with patch 2.6.19, 2.6.22, 2.6.20.6 and nothing, HELP please!!

my email is egpextasis@hotmail.com
Guest on 2007-09-10 17:28:27 wrote:
Remove the folder, untar a fresh copy, and try again. Seems to have worked for me, and I have feisty.
Guest on 2007-09-22 06:43:16 wrote:
Typing "ifdown eth0" also worked for me.

I connect with eth1, which is the wireless on my laptop.

Thanks.
Guest on 2007-09-23 16:28:26 wrote:
"ifdown eth0" worked for me too! (through wireless router at home)

I assume "ifup eth0" will undo for when I go back to wired connection at work...

Thanks so much for this thread! Have spent hours and hours trying to fix this!

Dell Latitude D8320, Ubuntu 7.04, Cisco VPN Client 4.8.00 (0490),Linux 2.6.20-16-generic
Guest on 2007-10-30 15:32:52 wrote:
I only got the cisco vpn client 4.8.01 (0640) to work via WLAN when I unloaded the kernel module for my ethernet card, so that only one device (wlan card, eth1) was present. Also I had to remove network devices created by the modules irda (infrared port) and ieee1394 (firewire port). This seems to be the only configuration working for me atm.

Any other conf. results in the error:

Initializing the VPN connection.
Secure VPN Connection terminated locally by the Client
Reason: Failed to establish a VPN connection.
There are no new notification messages at this time.

And the ipseclog would then return
"Unable to acquire local IP address after 5 attempts (over 5 seconds), probably due to network socket failure."

Alexander Griesser on 2008-01-03 09:48:38 wrote:
Please let's discuss all these issues in the newly created forum:

http://forum.tuxx-home.at/

This comment system is not suitable for debugging such stuff.
Thanks!
Guest on 2008-01-11 08:23:36 wrote:
Hi There,

I ran into some of the problems mentioned above, One of them was solved when I did a ifconfig down of the other interface, After that I am able to connect to my office VPN but am unable to connect to any machine in my office. Here's the output of vpnclient connect:

Authenticating user.
Negotiating security policies.
Securing communication channel.

Your VPN connection is secure.

VPN tunnel information.
Client address: 192.168.10.155
Server address: xxx:xxx:xxx:xxx
Encryption: 168-bit 3-DES
Authentication: HMAC-SHA
IP Compression: None
NAT passthrough is inactive
Local LAN Access is disabled

My configuration file does enable NAT and LAN access but for some reason the vpnclient seems to disable it. Also my internet access stops working.

The same configuration file works correctly under windows. Im using ubuntu. I'd appreciate any help.

Thanks
sansadk@gmail.com

Your comment (HTML tags will be stripped !!):

To verify You are not a bot, type down text from this image.

Your try: