Cisco VPN under Windows - without using the Cisco VPN client!
Cisco’s Windows VPN client is a decent bit of software in that it’s stable, easy to use and it does what it says on the tin. However, its uninstaller is a bit too flaky. If things go badly enough wrong you can end up with a machine that won’t connect to any network without an OS reinstall or all sorts of hackery in the registry. The problem is that it installs obscure things like the “Deterministic Network Enhancer” (DNE) filter into your network stack. This is all well and good, until a few months down the line when other utilities have installed their own filters into the same stack – and then uninstalling the Cisco VPN client trashes the stack, leaving you unable to connect to anything.
This has happened to me when I needed to upgrade to newer versions of the VPN software, and it’s very annoying. The time when I’m upgrading my VPN software is by definition when I need to connect to the VPN. Finding myself unable to connect to any network at all is painful to say the least.
So, after the last time this happened to me, I decided to hunt around for an alternative. I found vpnc, a Unix implementation of the Cisco VPN client maintained by Maurice Massar. A little while ago a clever bloke named Paolo Zerpellon did some work to get this working over Cygwin under Windows, using a TAP driver from the OpenVPN project.
A TAP driver is a virtual network interface that lets an application tunnel traffic at the Ethernet level. The application writes an Ethernet frame to the TAP device and the Windows networking stack receives it as if it had arrived on a real network interface (and frames the stack sends out of that interface are handed to the application). vpnc uses this to sit between the Windows kernel and the VPN: frames the kernel sends to the TAP adapter are encrypted and sent to the concentrator, and decrypted packets coming back from the concentrator are injected through it.
So, the steps you need to follow are:
- Get Cygwin going.
- Download, install and build vpnc.
- Install the OpenVPN distribution to get the TAP driver.
- Get your Cisco VPN connection file and translate it into a vpnc connection file.
- Tweak the connection file a bit.
- If you’re using vpnc 0.5.1, fix a little bug in it.
- Connect!
So, on with the show:
Installing Cygwin
Cygwin is a bit of Windows software that provides a POSIX compatibility layer, so that a lot of Unix/Linux software can be compiled to run on Windows. I’m not going to document it here, obviously, but suffice it to say that it installs direct from the internet using a program called “Setup.exe” that you download from their site (http://www.cygwin.com/). Keep setup.exe safe – it’s how you install additional packages in future.
During the installation phase, it gives you the chance to select any additional packages you want. The packages are in a tree view, and you expand the top node to find the ones you’re after. Packages that are not selected have the value “Skip” in the “New” column (obviously). To install them, click the “Skip” and it’ll change to the version that will be installed. The non-default packages that you want are:
- Devel -> make (to make vpnc)
- Devel -> gcc-core (to compile vpnc)
- Libs -> libgcrypt-devel (headers needed by vpnc)
Download and build vpnc
- Download the latest vpnc package from the vpnc project site to somewhere obvious.
- Untar it:
tar -xzf <vpnc.tar.gz you downloaded>
- Build and install it:
cd <dir that it was untarred to>; make install
You’ll get some warnings and stuff, and it’ll build a few executables. Those exes will be copied into the right places on your system, and a default (but useless) config will be created as /etc/vpnc/default.conf. The executables you’re interested in are:
- vpnc.exe: the main vpnc executable, installed into /usr/local/sbin
- pcf2vpnc.exe: a utility to translate Cisco configs into vpnc ones (see below), installed into /usr/local/bin
Download and install OpenVPN
Download the Windows installer from the OpenVPN site and install it on your machine. During the installation, you can (if you wish) uncheck all the components except the Win32 TAP driver, which is the only bit you need.
After the installation, you’ll see that you have a new network connection in your Network Connections that’s got an adapter of type “TAP-Win32 Adapter V8” or some such. It’ll be called something really useful like “Network Connection 4”, so rename it to “TAP Driver”, or just “TAP”, or “Binky” – whatever you like.
Translate your Cisco VPN connection file into one for vpnc
For vpnc to connect to your VPN and log in with the correct details, it needs loads of connection info. The way it gets this is either from the command line or from a config file. You can create multiple configs and tell vpnc which one to use on the command line when you run it. The configs you create need to be named like “something.conf”, and they must be placed in /etc/vpnc/.
Your network admin will have given you a file with a “.pcf” extension to use with the Cisco VPN software when connecting to your VPN. You might find it under your home directory – do a search for “*.pcf”. It’s a plain text file (INI style) that contains details like your VPN concentrator’s DNS name, the group name, the obfuscated group password and so on. You need the details from this file in vpnc’s config format, and luckily enough, vpnc comes with a utility to translate it.
Run the utility, specifying the output file (default.conf):
pcf2vpnc MyCompanys.pcf default.conf
Move the resulting file into the place where vpnc looks for its configurations:
mv default.conf /etc/vpnc
The reason that you call this file “default.conf” is that if you run vpnc with no arguments then it’ll look for the “default.conf” file and use that.
Tweaking the resulting file
Your default.conf file contains most of the info that you need, but it doesn’t yet tell vpnc to use the TAP driver. The following lines do that:
# This next line contains the name you renamed
# your TAP network connection to:
Interface name TAP_Driver
# This line tells vpnc that you're doing TAP, not TUNnelling.
Interface mode tap
# For some reason that I don't understand, vpnc doesn't work under cygwin
# unless it's still attached to the console it was running from,
# so don't detach:
No Detach
Something else you need to do is tell vpnc which local UDP port to use. Windows already has LSASS (the Local Security Authority Subsystem Service, which also hosts Windows’ own IKE/IPsec service) listening on UDP 500 – vpnc’s default – so you have to tell vpnc to use something else. You can see who owns the port with “netstat -ano -p UDP” and looking for “:500”.
# Tell vpnc to select a random free port instead of using 500
Local Port 0
There’s some more you can put in there for ease of use. The following lines are useful, but note that your password is in there in plain text – you MUST restrict access to this file on your Windows system (for example “chmod 600 /etc/vpnc/default.conf” from Cygwin, which sets a matching Windows ACL on the file) to keep it safe.
# Login credentials
Xauth username Somebody.Clever
Xauth password biggusbrainus
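pcf2vpnc does the translation above for you. What follows is an added example, not code from this post or from vpnc, that does the same job in plain POSIX shell (handy if Perl, which pcf2vpnc needs, isn’t installed in your Cygwin) and applies the tweaks from this section in one go: the TAP lines, the “Local Port” decision based on real netstat output, and writing the file so only you can read it. The .pcf keys it reads (Host, GroupName, GroupPwd, enc_GroupPwd, Username) are the ones Cisco profiles use and the keywords it writes are from vpnc’s own config format; the sample profile, the hex group password and the netstat output are constructed, and the mode check assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the original post or from vpnc): a shell stand-in
# for pcf2vpnc plus the Cygwin/TAP tweaks and an owner-only file write.

# pcf_get FILE KEY: value of KEY from an INI-style .pcf (key matched
# case-insensitively, CRLF line endings tolerated, empty if absent).
pcf_get() {
    tr -d '\r' < "$1" | awk -F= -v k="$2" '
        tolower($1) == tolower(k) { sub(/^[^=]*=/, ""); print; exit }'
}

# pcf_to_vpnc FILE TAP_NAME: print a vpnc config for FILE using the TAP
# interface called TAP_NAME. A clear-text GroupPwd wins; otherwise the
# obfuscated enc_GroupPwd is passed through as "IPSec obfuscated secret",
# which vpnc decodes itself. Fails if the profile is unusable.
pcf_to_vpnc() {
    host=$(pcf_get "$1" Host)
    group=$(pcf_get "$1" GroupName)
    clear=$(pcf_get "$1" GroupPwd)
    enc=$(pcf_get "$1" enc_GroupPwd)
    user=$(pcf_get "$1" Username)
    if [ -z "$host" ] || [ -z "$group" ]; then
        echo "pcf_to_vpnc: $1 lacks Host or GroupName" >&2
        return 1
    fi
    printf 'IPSec gateway %s\n' "$host"
    printf 'IPSec ID %s\n' "$group"
    if [ -n "$clear" ]; then
        printf 'IPSec secret %s\n' "$clear"
    elif [ -n "$enc" ]; then
        printf 'IPSec obfuscated secret %s\n' "$enc"
    else
        echo "pcf_to_vpnc: $1 has neither GroupPwd nor enc_GroupPwd" >&2
        return 1
    fi
    if [ -n "$user" ]; then
        printf 'Xauth username %s\n' "$user"
    fi
    # the Cygwin/TAP-specific settings from the text
    printf 'Interface name %s\n' "$2"
    printf 'Interface mode tap\n'
    printf 'No Detach\n'
}

# local_port_line < netstat-output: emit the "Local Port" line to use.
# Feed it the output of Windows' "netstat -ano -p UDP"; if some process
# (normally lsass.exe) already owns UDP 500, let vpnc pick a free port.
local_port_line() {
    pid=$(awk '$1 == "UDP" && $2 ~ /:500$/ { print $NF; exit }')
    if [ -n "$pid" ]; then
        printf '# UDP 500 is held by PID %s\nLocal Port 0\n' "$pid"
    else
        printf 'Local Port 500\n'
    fi
}

# install_conf PCF TAP_NAME DEST NETSTAT_FILE: write DEST readable only by
# its owner (the group password is in there in clear) and print its mode.
install_conf() {
    ( umask 077; { pcf_to_vpnc "$1" "$2" && local_port_line < "$4"; } > "$3" ) || return 1
    chmod 600 "$3"
    stat -c %a "$3"
}

# --- demo on constructed input (not a real profile, not a real password) ---
tmp=$(mktemp -d)
printf '[main]\r\nDescription=example\r\nHost=vpn.example.com\r\nGroupName=staff\r\nenc_GroupPwd=00112233445566778899AABBCCDDEEFF\r\nUsername=Somebody.Clever\r\n' > "$tmp/MyCompanys.pcf"
# constructed "netstat -ano -p UDP" excerpt: PID 512 standing in for lsass.exe
printf '  Proto  Local Address  Foreign Address  State  PID\n  UDP    0.0.0.0:500    *:*                     512\n  UDP    0.0.0.0:4500   *:*                     512\n' > "$tmp/netstat.txt"
install_conf "$tmp/MyCompanys.pcf" TAP_Driver "$tmp/default.conf" "$tmp/netstat.txt" > /dev/null
cat "$tmp/default.conf"
rm -rf "$tmp"
```

Run it against your real profile with `install_conf MyCompanys.pcf TAP_Driver /etc/vpnc/default.conf <(netstat -ano -p UDP)` (the process substitution needs bash) and add the Xauth lines by hand afterwards if you want them.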
Fixing the bug in the routing script
When vpnc starts up it needs to add some entries to your routing tables. First it needs a host route sending traffic for the VPN concentrator itself through your normal default gateway (so that the encrypted tunnel packets can never be routed into the tunnel they carry), and then it needs routes sending traffic for the addresses on the VPN through the vpnc (TAP) interface. It manages this by executing the file /etc/vpnc/vpnc-script.
This file is a little shell script that actually makes the changes in the Unix world, but in the Windows world it delegates the work to a Windows Script Host (JScript) script, /etc/vpnc/vpnc-script-win.js. If you look at this script, you’ll see it’s just a hundred lines or so of code that adds some entries to your routing tables. Bizarrely, in the version of vpnc that I downloaded (0.5.1), there is a bug in this file: it generates broken “route” command lines, and so the second set of routing entries (redirecting all VPN addresses down the TAP interface) doesn’t get added. Look at line 80 – the bug should be fairly obvious!
This is the diff of the fix:
$ diff vpnc-script-win.js /etc/vpnc/vpnc-script-win.js
80c80
< run("route add " + network + " mask " + netmask +
---
> run("route add " + network + " mask " + netmask
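Review bot: the hunk only shows line 80 of vpnc-script-win.js (the left-hand “<” line being the unpatched source copy and the right-hand “>” line the fixed installed copy), so whether dropping the trailing “+” is the whole fix depends on line 81 beginning with its own “+”; if it does not, the two halves of the string no longer join and the command still loses its gateway argument. Worth verifying before relying on the patched copy: log the string handed to run() before it executes, or after connecting run “route print” and confirm there is a row for each VPN network with the TAP interface’s address as gateway.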
As you can see, there’s an extra “+”. I’ve told the author about this, but I can’t believe nobody else has already – this release of vpnc just doesn’t work for cygwin.
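To make the routing step above concrete, here is an added example, not from this post and not vpnc’s own vpnc-script-win.js, that builds the two kinds of Windows “route” commands the script is responsible for, so they can be eyeballed before connecting and undone after a Ctrl-C (the lingering entries are mentioned further down), together with a check against “route print” output. It assumes VPN networks are given as CIDR prefixes, uses the concentrator and internal address from the sample output later in this post, makes up a default gateway of 10.0.0.1, and the “route print” excerpt it checks is constructed.

```shell
#!/bin/sh
# Added example (not from the original post or from vpnc): the Windows route
# commands behind vpnc-script-win.js, built as strings for inspection.

# prefix2mask LEN: CIDR prefix length -> dotted netmask ("route" wants dotted)
prefix2mask() {
    p=$1; m=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
        else o=$(( (255 << (8 - p)) & 255 )); p=0; fi
        m="$m${m:+.}$o"
    done
    echo "$m"
}

# vpn_routes CONCENTRATOR DEFAULT_GW TAP_IP NET/LEN...: print the "route add"
# commands in the order that matters: the /32 host route for the concentrator
# via the real gateway comes first, so IKE/ESP packets to it can never be
# captured by a VPN route that covers its address (0.0.0.0/0 in non-split
# setups). VPN networks are pointed at the TAP adapter's own address.
vpn_routes() {
    printf 'route add %s mask 255.255.255.255 %s\n' "$1" "$2"
    tap=$3; shift 3
    for n in "$@"; do
        printf 'route add %s mask %s %s\n' "${n%/*}" "$(prefix2mask "${n#*/}")" "$tap"
    done
}

# vpn_routes_cleanup ...: same arguments, prints the matching "route delete"
# commands for after vpnc has been killed and left its routes behind.
vpn_routes_cleanup() {
    vpn_routes "$@" | sed 's/^route add /route delete /'
}

# route_present NET MASK GW < route-print-output: succeeds only if the IPv4
# table printed by "route print" contains exactly that row.
route_present() {
    awk -v n="$1" -v m="$2" -v g="$3" \
        '$1 == n && $2 == m && $3 == g { f = 1 } END { exit !f }'
}

# --- demo: addresses from the sample vpnc output; 10.0.0.1 is invented ---
vpn_routes 83.244.123.33 10.0.0.1 192.168.100.109 192.168.100.0/24 10.10.0.0/16
# constructed "route print" excerpt, checked for the split route
printf '%s\n' 'Network Destination        Netmask          Gateway       Interface  Metric' \
    '10.10.0.0        255.255.0.0   192.168.100.109  192.168.100.109     21' \
| route_present 10.10.0.0 255.255.0.0 192.168.100.109 && echo "split route is in place"
```

From a Cygwin shell, `vpn_routes ... | sh` would apply them (route.exe is on the PATH) and `vpn_routes_cleanup ... | sh` takes them out again; piping `route print` into route_present is the post-connect check for the bug described above.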
Finally – start the thing already!
Okay, you’re now ready to kick it off. From your cygwin session, run:
$ /usr/local/sbin/vpnc
You should get output that looks like this:
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Device: TAP_Driver
TAP-Win32 Driver Version 8.4
Warning: using insecure memory!
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

VPN Gateway: 83.244.123.33
Internal Address: 192.168.100.109
Internal Netmask: 255.255.255.0
Interface: "TAP_Driver"
Configuring "TAP_Driver" interface... done.
Configuring networks:
Route configuration done.
--------------------------------------------------
Your company's banner text will go here!
--------------------------------------------------
VPNC started in foreground...
…and you’ll see in your Windows UI that the previously disconnected TAP interface is now connected. It should pick up the internal address shown in vpnc’s output (192.168.100.109 above) and then you’re away – you’re on the VPN. (The “Warning: using insecure memory!” line comes from libgcrypt, which could not lock its key-material pages in RAM; it is expected under Cygwin.) To exit, just kill the process in Cygwin (bring your Cygwin window to the front and hit Ctrl-C). This won’t remove any of the routing entries from your routing tables, but they won’t do any harm; you can take them out by hand with “route delete”, and they’ll disappear the next time you reboot anyway.
The annoying bit…
Just as I’d finished getting all of this working on my machine at home (and writing this long winded howto), a colleague of mine pointed out that there is another Windows based OSS project that will do this with a lot less hassle. I’m not going to tell you which one because I was sulking too much to take notice, and maybe he’s fibbing. I checked, and OpenVPN can’t do it, so I’m hopeful. Anyway, this was still fun and hey… Cygwin’s cooler than a Windows UI based thing any day. Right?
…right?

By neil on 23 Oct 2008
By Marwan Gedeon on 29 Oct 2008
Marwan: thanks for the tip. Perl is selected by default in cygwin’s installer, so I didn’t see this.
Neil: Thanks for the update! “Domain”, huh? What parameter did you need to give it? Glad you found this useful.
Regarding the easier way, I think my colleague was confused: I think he was talking about OpenVPN, but that doesn’t do Cisco.
By Simon Woodward on 03 Nov 2008
By Marwan Gedeon on 03 Nov 2008