Cisco VPN and Linux
Posted: 1 August 2006 at 11:08:44
Connecting to a Cisco VPN server hosted by a Cisco firewall with Linux is a small challenge, but I've got two ways to do it.
Why a VPN
VPN stands for Virtual Private Network and it's a technique for securely accessing data services over a WAN (like the Internet) that would ordinarily be restricted. VPNs work by creating an additional network stack -- a virtual network -- over the physical network.
One of the most common uses for a VPN is to allow the traveling employee -- the road warrior -- to access resources on a corporate LAN. Consider the scenario shown in the diagram below:

The road warrior could have a public Internet address or he/she could have a private address behind a network address translation (NAT) router.
To access services on the corporate LAN, the road warrior has to appear to be local. That is, the road warrior needs to have an address on the corporate LAN. By using a VPN, he/she can do this. When the road warrior is connected to the VPN, the corporate LAN is, essentially, tunnelled across the Internet and extended to the road warrior, no matter where they are.

All in all, it's pretty dang cool.
VPN implementations
There are many VPN implementations. My favorite, I think, is OpenVPN which is an open source VPN. OpenVPN client and server software is available for Windows or Unix/Linux. It can be set up to use simple pre-shared keys/passphrases or a public/private key system.
Older VPN implementations include PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol), which were (and still are) widely used on Microsoft Windows networks. Older implementations of PPTP are horribly insecure and easy to compromise.
The industry-standard VPN protocol now is IPSec (IP Security). The VPN service offered on Cisco routers and firewalls is an IPSec VPN.
Cisco offers official Cisco VPN client software for connecting to Cisco-powered VPN servers. This software is available for various flavors of Microsoft Windows, Unix/Linux, and MacOS. The software is available on optical media that accompanies the Cisco appliance, or you may download it from Cisco's website, but only if you can prove you have a current support agreement with Cisco.
There is an impressive open source IPSec implementation available called Openswan which is based on a fork of an older project called FreeS/WAN.
IPSec is a complex standard and features many different implementation nuances. Openswan aims to support them all and, as a result, configuration can be overwhelming.
For the relatively simple task of connecting to a Cisco VPN server, I decided Openswan was overkill, but I'm still interested in what a working configuration would look like.
It didn't take me very long to find another open source project called vpnc which is a simple user-space Cisco VPN client implemented completely in open source code.
Even better, vpnc was easy to install on Fedora Core 5 thanks to its inclusion as a package in the Fedora Extras repository. Installing it is as easy as typing yum -y install vpnc.
The Cisco VPN client for Linux stores its configuration in plain text configuration files. On my systems, those are stored in /etc/opt/cisco-vpnclient/Profiles.
I found an excellent page hosted by the Peninsula Linux Users' Group of the San Francisco Bay Area which describes how to set up vpnc and how to translate the configuration information stored in the Cisco configuration files into data for the vpnc configuration files.
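To make the translation step concrete, here is an added example (not code from this post, from vpnc, or from the PLUG page) that reads the [main] section of a Cisco client profile (.pcf) and emits the matching vpnc configuration lines. It assumes the usual .pcf keys (Host, GroupName, GroupPwd or enc_GroupPwd, Username) and the vpnc.conf directives IPSec gateway, IPSec ID, IPSec secret and Xauth username; the IPSec obfuscated secret directive, used when the profile only carries the obfuscated enc_GroupPwd, is supported by later vpnc releases than the Fedora Core 5 package, so check vpnc.conf(5) before relying on it. The sample profile is constructed for this example. Because the output holds the group secret, it is written with mode 0600.

```python
import configparser
import os
import stat

# Constructed sample of a Cisco VPN client profile (.pcf). Every value here
# is made up for this example; it does not describe a real gateway.
SAMPLE_PCF = """\
[main]
Description=Example corporate VPN (constructed sample)
Host=vpn.example.com
AuthType=1
GroupName=roadwarriors
GroupPwd=s3cret-group-key
EnableISPConnect=0
Username=alice
SaveUserPassword=0
"""

# .pcf key (lowercased, as configparser normalises it) -> vpnc.conf directive.
# Order matters: it is the order the lines are emitted in.
PCF_TO_VPNC = {
    "host": "IPSec gateway",
    "groupname": "IPSec ID",
    "grouppwd": "IPSec secret",
    "enc_grouppwd": "IPSec obfuscated secret",  # later vpnc releases only
    "username": "Xauth username",
}


def parse_pcf(text):
    """Return the [main] section of a .pcf profile as a dict with lowercased keys.

    The Cisco client writes CRLF line endings and may repeat keys, so the
    parser is made tolerant of both; '%' in values is left alone.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text.replace("\r\n", "\n"))
    if not parser.has_section("main"):
        raise ValueError("profile has no [main] section")
    return {key: value.strip() for key, value in parser["main"].items()}


def pcf_to_vpnc(profile):
    """Render vpnc.conf text for a parsed profile.

    Host and GroupName are mandatory, and some form of group password must be
    present. When the profile carries both a plain GroupPwd and an obfuscated
    enc_GroupPwd, the plain one wins so the file does not carry two secrets.
    The Xauth password is deliberately not written: vpnc prompts for it.
    """
    if not profile.get("host") or not profile.get("groupname"):
        raise ValueError("profile needs at least Host and GroupName")
    if not (profile.get("grouppwd") or profile.get("enc_grouppwd")):
        raise ValueError("profile has neither GroupPwd nor enc_GroupPwd")
    lines = []
    for key, directive in PCF_TO_VPNC.items():
        if key == "enc_grouppwd" and profile.get("grouppwd"):
            continue
        value = profile.get(key)
        if value:
            lines.append(f"{directive} {value}")
    return "\n".join(lines) + "\n"


def write_vpnc_conf(path, text):
    """Write the config owner-read/write only, since it holds the group secret.

    Returns the resulting permission bits as an octal string for checking.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    # Re-apply in case the file already existed with wider permissions.
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return oct(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    print(pcf_to_vpnc(parse_pcf(SAMPLE_PCF)), end="")
```

Run against a real profile by reading the .pcf from /etc/opt/cisco-vpnclient/Profiles and writing the result to /etc/vpnc/default.conf (or a named profile under /etc/vpnc); the only decision the script makes for you is to leave the user password out of the file.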
Maybe I'll go into some more detail about the actual connection process in a future flog.