William Cash and Keonwook Kang
- We have two types of IPSEC VPNs: Lan-to-Lan (or site-to-site) encrypted VPN and Remote Access VPN. The first one is extensively used to securely connect distant office networks and the second one for allowing remote users/teleworkers to access resources on a central site network.
- Complete these steps in the ASDM in order to allow VPN Clients to have local LAN access while connected to the ASA: Choose€Configuration Remote Access VPN€ Network (Client) Access Group Policy€and select the Group Policy in which you wish to enable local LAN access. Then click€Edit.
- Remote access VPN issues, cannot ping local LAN hosts. Hi Guys, Having an issue seting up remote access to a Cisco router running IOS 15.2. Im using the cisco VPN client, it connects just fine, i get an IP in the 180.0.0.0/24 range, i can ping the VLAN 1 SVI (192.168.1.210) and even remote manage the router, but i cannot for the life of me.
I have a Cisco ASA 5520 that has a Client Access VPN using Cisco AnyConnect. When most users connect to the VPN they have access to the office network and can still have local network access. Some users are reporting that when they connect to the VPN they lose local network access. The AnyConnect client is configured to 'Allow local (LAN.
|
Updates
4/28/09 - This guide has been around in different forms for nearly two years and has generated a good deal of interest. The basic steps are still exactly the same, but many of the compilation errors listed in the subsections have been resolved in newer versions of the Cisco VPN client (v4.8.02.0030) and Linux kernel (2.6.28). I'm still actively updating this site for my own sake, so please contact me (William Cash) with any mistakes or suggestions.
4/29/09 - Added a section on vpnc in Ubuntu, because I now feel that it's integrated into the OS well-enough to be superior to the Cisco VPN client.
Introduction
Cisco VPN is required to connect to many of Stanford's computer resources because of some past security lapses. Unlike the Windows and Mac OS clients, Cisco's Linux VPN requires use of the terminal and comparatively little documentation from the company. This guide will show you how to install and use the Linux client. In addition, it addresses some of the most common problems encountered during this problem.
As an alternative to using the Cisco VPN client, vpnc is an open-source program available on many *NIX systems that is compatible with Cisco VPNs. A general guide for vpnc is not included here. However, instructions for using it with Ubuntu's Network Manager are discussed at the end of this document. This is a more elegant and useful way to connect to Cisco VPNs, and I encourage Ubuntu users to try this before they install the Cisco VPN client.
Installing the VPN client
Note: most of the following steps require superuser access.
- Download the v4.8 VPN client from http://vpn.stanford.edu.
- Extract the downloaded file.
- Install the VPN client
- Answer the following questions during the installation (the defaults should be fine)
- Note that you need to reinstall the VPN client whenever your kernel is upgraded. Before reinstalling it, first run:
- to clean files and directories previously installed.
If you're receiving errors during installation
Most common error
With the newer Linux kernels that are incompatible with the Cisco VPN you may receive an errors similiar to these:
This is a fairly well known problem with numerous websites and forum postings on the topic. The website http://projects.tuxx-home.at has been releasing patches for the installation files of the Cisco VPN client for all the latest Linux kernels.
Instead of using the VPN client provided by Stanford, download the latest one from there (currently v4.8.02.0030) and the patch file for the linux kernel you are running. Update: Stanford has finally decided to upgrade its download to v4.8.02.0030 , as well. If you aren't sure which you have run:
Assuming you've already performed steps 1-2 of installation procedure for the new client, you will now place your patch file in the vpnclient directory and patch the installation:
Then follow steps 3 and 4 as before.
64-bit operating system errors
If you are still receiving errors after using the previous patch and are using a 64-bit OS, you should also patch the installer with cisco_skbuff_offset.patch from http://projects.tuxx-home.at.
Then follow steps 3 and 4 as before.
CFLAGS / EXTRA_CFLAGS error
Finally, if you've tried the last two patches and are receiving the following error when compiling:
you need to do exactly what the compiler error is telling you and change CFLAGS to EXTRA_CFLAGS in the makefile. First, open the file Makefile in the installer directory with your preferred text editor.
Then, change CFLAGS to EXTRA_CFLAGS in line 15. The line should read:
Now try compiling once more.
Configuring the VPN Client
Note: As an alternative to the steps below, Stanford now provides a working configuration file that can simply be placed in the Profile directory (/etc/opt/cisco-vpnclient/Profiles). A line to store your user name can be added to the profile (see Step 2). This profile is not included in the supplied VPN client and must be downloaded separately from http://vpn.stanford.edu.
- A sample configuration file is: /etc/opt/cisco-vpnclient/Profiles/sample.pcf.
- Copy and edit the configuration file.
- The edited configuration file should look similar to this:
- Start VPN service.
- Note that VPN service will be started automatically at boot time. If you want to stop VPN service, use the option stop instead. Also, You may use status, restart or reload in addition to start and stop.
- For a detailed description of each keyword in configuration file, refer to Cisco's guide.
VPN service still does not start automatically after rebooting
If you issued the previously mentioned command to start the VPN service at boot but are receiving the error message:
after rebooting, your operating system is not actually starting the service. A temporary, but somewhat annoying fix, is to continue issuing the command:
each time you reboot the system. To actually remedy the problem, you need to create symbolic links for the VPN client at different run-levels. The Cisco VPN client, only creates one in runlevel 4, but many Linux OS's don't run at this level. For example, Ubuntu commonly uses runlevel 2. To have the client start at boot for runlevel 2, issue the command:
To have the client run at a different runlevel boot simply replace rc2 in the previous command with the appropriate number. If you are unsure which runlevel to choose, you could place links in all seven.
Connecting to the VPN Host
- Once the VPN client service starts, you are ready to connect to the VPN Concentrator. Enter the group password and your SUNet ID/Pass to activate the connection. The group password is given in the file REAME-Stanford.Note: If you don't want to keep entering that terrible group password, you can store it under GroupPwd= in the configuration file. The first time the client connects with the host it will remove the plain-text password and replace it with an encrypted one under enc_GroupPwd=.
- Press ctrl + z and type bg to run vpnclient in the background. Now you can do ssh or scp to other machines.
- To disconnect, type:
If you are unable to connect without superuser privileges
When trying to connect to the VPN host as a regular user you may encounter the following error:
This is because you don't have the correct privileges to read the profile file.
To change its permissions run:
as the superuser.If you are still not able to use the VPN without being root, type:
If you are unable to browse the internet, check email, etc. after connecting to the VPN
Another common problem with the Cisco VPN client for linux is that it disables your local LAN access once you connect to the host, even if the host is not set to disable local LAN access. This can be remedied with the override-local-lan-access.diff patch from projects.tuxx-home.at. You will first have to uninstall your VPN client and move the patch to vpnclient source code directory. If you had to use the aforementioned kernel patch, apply that first. Then apply the LAN access patch and install as usual.
Additional LAN access issues due to Firestarter firewall
Firestarter is a popular desktop firewall tool used by many Linux users. However, it can also restrict internet access when the Cisco VPN is active. A quick temporary fix is to open the Firestarter utility and simply stop the firewall. A safer and permanent fix is to add the following code to /etc/firestarter/user-pre (for many users this file will be empty beforehand):
Where xxx.xxx.xxx.xxx is the IP address of the VPN server (you can find this from the Server Address given when starting the VPN), and cipsec0 is the common name for the VPN network device on your computer. You can verify if cipsec0 is the correct name by running:
ifconfig will also display the names of your network and/or wireless cards.
For the changes to take effect, you will need to restart the firewall by running:
vpnc Integration with Network Manager in Ubuntu 9.04
Ubuntu's Network Manager is the way Ubuntu organizes all your wired and wireless networks. It's the icon in the task bar you're always clicking to view all the available wifi signals, because it always seems to connect to the wrong network. It used to suck (e.g. 7.04), but it has improved greatly in recent releases. In version 9.04, I finally feel that it is reliable enough to warrant a section in this guide - especially since more of us at Stanford seem to be using Ubuntu these days.
- To allow Network Manager to manage your Cisco VPN connection you will first need to install the vpnc plugin. You will need to get the packages network-manager-vpnc and vpnc from the Ubuntu repositories using either the Synaptic Package Manager or apt-get. If this is over your head, you can also find it in Add/Remove Programs if you search for 'vpnc' in all available applications.
- Click the Network Manager icon in your task bar and there should now be an option labeled 'VPN Connections'. Expand this option and select Configure VPN, as shown below (my desktop and task bar probably look different than yours because I was on my netbook).
- The Network Connections window should open with the VPN tab selected. Choose the 'Add' option to create a new VPN connection, or you can import an existing .pcf configuration file using the 'Import' button. A window like the one below will open. Gateway is the URL or IP address of the VPN host (this is called 'Host' in the Cisco .pcf configuration file). Group name, user name, and their passwords are all self-explanatory and can be permanently stored if you prefer. These should be the only options most users should have to change.
- Apply the changes and now try to connect to the VPN by returning to Network Manager in the task bar and selecting your newly created VPN.Stanfprd _Public_VPN .pcf configuration file
- It may ask you for access to your network security key ring. You should select 'Always Allow' unless you want the window to continually pop up.
- If it successfully finds the server it will either ask or verify your passwords. Assuming these are correct you should receive a confirmation message such as the one below. I'm not sure if this message is specific to the Stanford VPN, but it asks you to click the 'Continue Button'. I have no idea where this so-called button is, but the VPN works fine anyway. You will know your VPN connection is active if there is a gold padlock on top of your Network Manager icon.
- Actually, Stanford offers a very convenient way to set the VPN parameter in Ubuntu. After installing the packages vpnc, network-manager-vpnc and network-manager-vpnc-gnome, you can directly download the Stanford _Public_VPN .pcf configuration file from https://itservices.stanford.edu/service/vpn/downloads. Next, you should select VPN Connections > Configure VPN from the GNOME notification area and import the .pcf file you have downloaded. Finally, you may edit this VPN connection configuration by entering your SUNet ID in the User name field and entering your SUNet password in the password field.
References
Introduction
This document describes how to allow the Cisco VPN Client or the Cisco AnyConnect Secure Mobility Client to only access their local LAN while tunneled into a Cisco Adaptive Security Appliance (ASA) 5500 Series or the ASA 5500-X Series. This configuration allows Cisco VPN Clients or the Cisco AnyConnect Secure Mobility Client secure access to corporate resources via IPsec, Secure Sockets Layer (SSL), or Internet Key Exchange Version 2 (IKEv2) and still gives the client the ability to carry out activities such as printing where the client is located. If it is permitted, traffic destined for the Internet is still tunneled to the ASA.
Note: This is not a configuration for split tunneling, where the client has unencrypted access to the Internet while connected to the ASA or PIX. Refer to PIX/ASA 7.x: Allow Split Tunneling for VPN Clients on the ASA Configuration Example for information on how to configure split tunneling on the ASA.
Prerequisites
Requirements
This document assumes that a functional remote access VPN configuration already exists on the ASA.
Refer to PIX/ASA 7.x as a Remote VPN Server using ASDM Configuration Example for the Cisco VPN Client if one is not already configured.
Refer to ASA 8.x VPN Access with the AnyConnect SSL VPN Client Configuration Example for the Cisco AnyConnect Secure Mobility Client if one is not already configured.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco ASA 5500 Series Version 9(2)1
- Cisco Adaptive Security Device Manager (ASDM) Version 7.1(6)
- Cisco VPN Client Version 5.0.07.0440
- Cisco AnyConnect Secure Mobility Client Version 3.1.05152
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Network Diagram
The client is located on a typical Small Office / Home Office (SOHO) network and connects across the Internet to the main office.
Background Information
Unlike a classic split tunneling scenario in which all Internet traffic is sent unencrypted, when you enable local LAN access for VPN clients, it permits those clients to communicate unencrypted with only devices on the network on which they are located. For example, a client that is allowed local LAN access while connected to the ASA from home is able to print to its own printer but not to access the Internet without first sending the traffic over the tunnel.
An access list is used in order to allow local LAN access in much the same way that split tunneling is configured on the ASA. However, instead of defining which networks should be encrypted, the access list in this case defines which networks should not be encrypted. Also, unlike the split tunneling scenario, the actual networks in the list do not need to be known. Instead, the ASA supplies a default network of 0.0.0.0/255.255.255.255, which is understood to mean the local LAN of the client.
Note: When the client is connected and configured for local LAN access, you cannot print or browse by name on the local LAN. However, you can browse or print by IP address. See the Troubleshoot section of this document for more information as well as workarounds for this situation.
Configure Local LAN Access for VPN Clients or the AnyConnect Secure Mobility Client
Complete these tasks in order to allow Cisco VPN Clients or Cisco AnyConnect Secure Mobility Clients access to their local LAN while connected to the ASA:
- Configure the ASA via the ASDM or Configure the ASA via the CLI
Configure the ASA via the ASDM
Complete these steps in the ASDM in order to allow VPN Clients to have local LAN access while connected to the ASA:
- Choose Configuration > Remote Access VPN > Network (Client) Access > Group Policy and select the Group Policy in which you wish to enable local LAN access. Then click Edit.
- Go to Advanced > Split Tunneling.
- Uncheck the Inherit box for Policy and choose Exclude Network List Below.
- Uncheck the Inherit box for Network List and then click Manage in order to launch the Access Control List (ACL) Manager.
- Within the ACL Manager, choose Add > Add ACL... in order to create a new access list.
- Provide a name for the ACL and click OK.
- Once the ACL is created, choose Add > Add ACE... in order to add an Access Control Entry (ACE).
- Define the ACE that corresponds to the local LAN of the client.
- Choose Permit.
- Choose an IP Address of 0.0.0.0
- Choose a Netmask of /32.
- (Optional) Provide a description.
- Click OK.
- Click OK in order to exit the ACL Manager.
- Be sure that the ACL you just created is selected for the Split Tunnel Network List.
- Click OK in order to return to the Group Policy configuration.
- Click Apply and then Send (if required) in order to send the commands to the ASA.
Configure the ASA via the CLI
Rather than use the ASDM, you can complete these steps in the ASA CLI in order to allow VPN Clients to have local LAN access while connected to the ASA:
- Enter configuration mode.
- Create the access list in order to allow local LAN access.
Caution: Due to changes in the ACL syntax between ASA software versions 8.x to 9.x, this ACL is no longer permited and admins will see this error message when they try to configure it:
rtpvpnoutbound6(config)# access-list test standard permit host 0.0.0.0
ERROR: invalid IP address
The only thing that is allowed is:
rtpvpnoutbound6(config)# access-list test standard permit any4
This is a known issue and has been addressed by Cisco bug ID CSCut3131. Upgrade to a version with the fix for this bug in order to be able to configure local LAN access. - Enter the Group Policy configuration mode for the policy that you wish to modify.
- Specify the split tunnel policy. In this case, the policy is excludespecified.
- Specify the split tunnel access list. In this case, the list is Local_LAN_Access.
- Issue this command:
- Associate the group policy with the tunnel group
- Exit the two configuration modes.
- Save the configuration to non-volatile RAM (NVRAM) and press Enter when prompted to specify the source filename.
Configure the Cisco AnyConnect Secure Mobility Client
In order to configure the Cisco AnyConnect Secure Mobility Client, refer to the Establish the SSL VPN Connection with SVC section of ASA 8.x : Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration Example.
Split-exclude tunneling requires that you enable AllowLocalLanAccess in the AnyConnect Client. All split-exclude tunneling is regarded as local LAN access. In order to use the exclude feature of split-tunneling, you must enable the AllowLocalLanAccess preference in the AnyConnect VPN Client preferences. By default, local LAN access is disabled.
In order to allow local LAN access, and therefore split-exclude tunneling, a network administrator can enable it in the profile or users can enable it in their preferences settings (see the image in the next section). In order to allow local LAN access, a user selects the Allow Local LAN access check box if split-tunneling is enabled on the secure gateway and is configured with the split-tunnel-policy exclude specified policy. In addition, you can configure the VPN Client Profile if local LAN access is allowed with <LocalLanAccess UserControllable='true'>true</LocalLanAccess>.
User Preferences
Here are the selections you should make in the Preferences tab on the Cisco AnyConnect Secure Mobility Client in order to allow local LAN access.
XML Profile Example
Here is an example of how to configure the VPN Client Profile with XML.
Verify
Cisco Vpn Allow Local Lan Access
Complete the steps in these sections in order to verify your configuration.
Connect your Cisco AnyConnect Secure Mobility Client to the ASA in order to verify your configuration.
- Choose your connection entry from the server list and click Connect.
- Choose Advanced Window for All Components > Statistics... in order to display the Tunnel Mode.
- Click the Route Details tab in order to see the routes to which the Cisco AnyConnect Secure Mobility Client still has local access.
In this example, the client is allowed local LAN access to 10.150.52.0/22 and 169.254.0.0/16 while all other traffic is encrypted and sent across the tunnel.
Cisco AnyConnect Secure Mobility Client
When you examine the AnyConnect logs from the Diagnostics and Reporting Tool (DART) bundle, you can determine whether or not the parameter that allows local LAN access is set.
Vpn Vs Lan
Test Local LAN Access with Ping
An additional way to test that the VPN Client still has local LAN access while tunneled to the VPN headend is to use the ping command at the Microsoft Windows command line. Here is an example where the local LAN of the client is 192.168.0.0/24 and another host is present on the network with an IP address of 192.168.0.3.
Troubleshoot
This section provides information you can use in order to troubleshoot your configuration.
Unable to Print or Browse by Name
When the VPN Client is connected and configured for local LAN access, you cannot print or browse by name on the local LAN. There are two options available in order to work around this situation:
- Browse or print by IP address.
- In order to browse, instead of the syntax sharename, use the syntax x.x.x.x where x.x.x.x is the IP address of the host computer.
- In order to print, change the properties for the network printer in order to use an IP address instead of a name. For example, instead of the syntax sharenameprintername, use x.x.x.xprintername, where x.x.x.x is an IP address.
- In order to browse, instead of the syntax sharename, use the syntax x.x.x.x where x.x.x.x is the IP address of the host computer.
- Create or modify the VPN Client LMHOSTS file. An LMHOSTS file on a Microsoft Windows PC allows you to create static mappings between hostnames and IP addresses. For example, an LMHOSTS file might look like this:
In Microsoft Windows XP Professional Edition, the LMHOSTS file is located in %SystemRoot%System32DriversEtc. Refer to your Microsoft documentation or Microsoft knowledge base Article 314108 for more information.