How To Connect Securely With Your Company's VPN server (Cisco VPN servers) Using "vpnc" Client

Nowadays, many software companies give their employees the flexibility to work from home when the need arises, which lets employees keep a better balance between their work and personal lives. While working from home, however, employees must use a VPN (virtual private network) client to connect to their company’s VPN servers; the VPN keeps the company’s confidential communication away from outsiders. “vpnc” is a piece of software that can be used for this, and it can be downloaded from http://www.unix-ag.uni-kl.de/~massar/vpnc/. I am assuming that your company uses Cisco VPN servers, because “vpnc” is primarily developed as a client for them. “vpnc” implements IPsec (IP Security) to provide VPN connections. The instructions I describe below have been tested on Linux (Ubuntu and Fedora) machines. If you do not want to compile “vpnc” from source, you can run “yum install vpnc” on Fedora or “apt-get install vpnc” on Ubuntu to install it. You must be logged in as the “root” user to install software on your Linux machine; if you are not, you need “sudo” permission, and the commands become “sudo yum install vpnc” on Fedora and “sudo apt-get install vpnc” on Ubuntu.

Simple “vpnc” configurations (mostly used):

First, you need to create a file named “vpnc.conf” in your “/etc” directory. Again, to create files in the /etc directory you must either be the root user or have “sudo” permissions. Your “vpnc.conf” file should contain:

IPSec gateway (you can ask your company’s network administrator about it).
IPSec ID (again, you can ask your company’s network administrator about it).
IPSec secret (please ask your company’s network administrator about it; it must be kept secret).
Xauth username (you should already know this).
Xauth password (you should already know this).
NAT Traversal Mode natt

A sample vpnc.conf file should be as follows:

IPSec gateway your.vpn.server.com
IPSec ID  abcdef
IPSec secret xyz1234
Xauth username johnmatt
Xauth password at!23gh5
NAT Traversal Mode natt

Once you have written the above information into your vpnc.conf, type the following command at the command prompt:

vpnc (if logged in as a root)

and,

sudo vpnc (if not a root user)

In the instructions above, I have assumed that your user password (Xauth password) does not change and stays the same for a long time. However, many companies now issue RSA SecurID tokens, which generate one-time passwords (OTPs) for better security. If you have received an RSA SecurID token from your company, you need to change your vpnc.conf slightly, as discussed next.

vpnc with RSA SecurID tokens:

Your vpnc.conf should then look like:

IPSec gateway your.vpn.server.com
IPSec ID  abcdef
IPSec secret xyz1234
Xauth username johnmatt
NAT Traversal Mode natt

Note that the line “Xauth password at!23gh5” is missing. The reason is that vpnc will now prompt you for a password. When using RSA SecurID tokens, your password is generally “PIN + the number currently displayed on the token”, where the PIN is a fixed secret string that you create. Your company will tell you about this, so you need not worry.

Advanced “vpnc” configurations:

By default, vpnc is configured with Diffie-Hellman group 2. If your company’s VPN server is configured with a different group, you need to set the following option in your vpnc.conf file:

IKE DH Group <dh1/dh2/dh5>

If your company’s VPN server is configured with PFS (Perfect Forward Secrecy), enable the following option in your vpnc.conf (it is disabled by default):

Perfect Forward Secrecy <nopfs/dh1/dh2/dh5/server>

By default, vpnc uses IPsec in PSK (pre-shared key) mode for authentication. If you want to use certificates for authentication instead, you also need the following configuration variables in your vpnc.conf:

IKE Authmode hybrid
CA-File  <certificate-authority-pem-file>
CA-Dir <path-to-your-certificate-authority-directory>

vpnc does not output any messages while running. If you want to see output messages for debugging purposes, enable the following option in your vpnc.conf file:

Debug <0/1/2/3/99>

Insecure vpnc options:

I would suggest that vpnc users never enable the following options in their vpnc.conf.

Enable Single DES

If you enable single DES (Data Encryption Standard), your VPN connection will become a joke: DES uses a 56-bit key, and keys of that size have been brute-forced in practice since the late 1990s. Also, be careful about enabling the following:

Enable no encryption

You might enable this option if you are sure that you are not communicating any confidential or sensitive company information, or if you are concerned that encryption is slowing your VPN connection down. In general, DO NOT enable this option: with no encryption, everything sent through the tunnel crosses the network in clear text.
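Because the vpnc.conf described above holds the IPSec group secret (and, in the simple configuration, the Xauth password), it is worth checking the file before running vpnc. The script below is an added example, not part of the original post and not a tool shipped with vpnc. It lints a vpnc.conf in the format shown earlier: it verifies that the required keys are present, that the file is readable only by its owner, that “IKE DH Group” and “Perfect Forward Secrecy” are not set to dh1 (the 768-bit group), and that neither “Enable Single DES” nor “Enable no encryption” appears. The two sample configuration files it creates are constructed here from the post’s example values and live in a temporary directory; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original post, not part of vpnc itself):
# a small linter for a vpnc.conf in the "Key value" format shown above.
# check_vpnc_conf FILE prints each finding and returns 1 if any problem
# was found, 0 otherwise.

# Print the value of a "key value" line, e.g. vpnc_get FILE "IPSec gateway".
# Keys are matched literally at the start of the line, followed by whitespace.
vpnc_get() {
    sed -n "s/^$2[[:space:]][[:space:]]*//p" "$1" | head -n 1
}

# Succeed if a bare flag line such as "Enable Single DES" is present.
vpnc_has_flag() {
    grep -q "^$2[[:space:]]*$" "$1"
}

check_vpnc_conf() {
    f="$1"
    problems=0

    # 1. Every key the post lists as mandatory must be present.
    for key in "IPSec gateway" "IPSec ID" "IPSec secret" "Xauth username"; do
        if [ -z "$(vpnc_get "$f" "$key")" ]; then
            echo "$f: missing required key '$key'"
            problems=$((problems + 1))
        fi
    done

    # 2. The file carries the group secret, so only its owner may read it
    #    (mode 600 or 400). GNU stat first, BSD/macOS stat as a fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        *00) ;;
        *)  echo "$f: mode $mode lets group/other read the IPSec secret; use chmod 600"
            problems=$((problems + 1)) ;;
    esac
    if [ -n "$(vpnc_get "$f" "Xauth password")" ]; then
        echo "$f: note: Xauth password is stored on disk; acceptable only with mode 600"
    fi

    # 3. Diffie-Hellman group 1 is the 768-bit MODP group; flag it.
    for key in "IKE DH Group" "Perfect Forward Secrecy"; do
        if [ "$(vpnc_get "$f" "$key")" = "dh1" ]; then
            echo "$f: '$key dh1' selects the 768-bit group; use dh2 or higher"
            problems=$((problems + 1))
        fi
    done

    # 4. The two options the post says never to enable.
    for flag in "Enable Single DES" "Enable no encryption"; do
        if vpnc_has_flag "$f" "$flag"; then
            echo "$f: '$flag' is enabled; remove it"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}

# Constructed sample configs (values taken from the post's examples).
# make_sample_conf good|bad writes the file to a temp dir and prints its path.
make_sample_conf() {
    dir=$(mktemp -d)
    case "$1" in
        good)
            cat > "$dir/vpnc.conf" <<'EOF'
IPSec gateway your.vpn.server.com
IPSec ID  abcdef
IPSec secret xyz1234
Xauth username johnmatt
NAT Traversal Mode natt
IKE DH Group dh2
EOF
            chmod 600 "$dir/vpnc.conf" ;;
        bad)
            # secret missing, password on disk, dh1, single DES, world-readable
            cat > "$dir/vpnc.conf" <<'EOF'
IPSec gateway your.vpn.server.com
IPSec ID  abcdef
Xauth username johnmatt
Xauth password at!23gh5
IKE DH Group dh1
Enable Single DES
EOF
            chmod 644 "$dir/vpnc.conf" ;;
    esac
    echo "$dir/vpnc.conf"
}

# Demonstration: the good config passes, the bad one lists four problems.
good=$(make_sample_conf good)
bad=$(make_sample_conf bad)
check_vpnc_conf "$good" && echo "$good: OK"
check_vpnc_conf "$bad" || echo "$bad: problems found"
```

To use it on a real file, call check_vpnc_conf /etc/vpnc.conf (as root or via sudo, since the file should not be readable by anyone else). The mode check is deliberately strict: a mode such as 640 is rejected even though the post only insists on root or sudo access, because every member of the group would otherwise be able to read the IPSec secret.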

Note: please refer to the vpnc man page (command: man vpnc) for more details on configuration.


2 Responses to How To Connect Securely With Your Company's VPN server (Cisco VPN servers) Using "vpnc" Client

  1. uk vpn says:

    Hello there! Would you mind if I share your blog with my twitter group? There are a lot of people that I think would really appreciate your content. Please let me know. Thank you
