How To: Cisco and Microsoft VPN Through Firestarter on Ubuntu

After doing a fresh install of Ubuntu 9.10 Karmic Koala on my router, I realized that I had lost the ability to connect to my employer’s VPN. I use Firestarter for managing my firewall on this particular router.
As I usually do, I googled “firestarter vpn”. Much to my dismay, it appeared that the Firestarter website was no longer alive. Instead of the usual Firestarter page, a page filled with useless links about security and anti-virus loaded. Luckily I was able to access the cached version of the page from Google. Since then, it appears that the Firestarter website has come back to life.

I wanted to make a note of how to allow VPN connections in the event that the Firestarter website becomes inaccessible again; that’s basically the point of this post. The page on the Firestarter site that details VPN connections can be found here. This should apply to pretty much every Linux distribution that runs Firestarter, not just Ubuntu.

To let a Microsoft (PPTP) VPN client on the LAN connect out through the firewall, enter the following lines into /etc/firestarter/user-pre. Firestarter sources that file before it builds its own rules and provides the variables used here: $IPT is the iptables binary, $IF the external interface and $INIF the internal one. GRE (IP protocol 47) carries the tunnel itself and has no ports, so the state match on it relies on the kernel’s PPTP connection-tracking helper (nf_conntrack_pptp and nf_nat_pptp, or ip_conntrack_pptp/ip_nat_pptp on older kernels); load those modules if more than one LAN host needs to reach the same PPTP server through the NAT. Restart the firewall afterwards (e.g. sudo /etc/init.d/firestarter restart) so the rules take effect.

# Forward PPTP VPN client traffic
$IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 1723 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF -o $INIF -p 47 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INIF -o $IF -p 47 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

And to allow VPN connections with the Cisco (IPsec) VPN client, enter the following lines into /etc/firestarter/user-pre. IKE itself runs over udp/500 only; the tcp/500 rule does no harm but carries no IKE traffic. ESP (IP protocol 50) has no ports for the NAT to multiplex on, so a client behind this router will normally negotiate NAT-T with the concentrator and need udp/4500 forwarded as well.

# Forward Cisco VPN client traffic
$IPT -A FORWARD -i $IF -o $INIF -p udp --dport 500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF -o $INIF -p 50 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INIF -o $IF -p 50 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Finally, if you’re running a Microsoft VPN server and want to allow incoming PPTP VPN connections, add the following lines to /etc/firestarter/user-pre, filling in the LAN address of the server. Bear in mind that PPTP’s MS-CHAPv2 authentication and MPPE encryption are considered broken, so exposing a PPTP server to the Internet is a risk in its own right; the DNAT rules below forward every tcp/1723 and GRE packet arriving on the external interface straight to that host.

# Forward PPTP VPN connections to internal server
SERVER= # Internal VPN server

$IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 1723 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A PREROUTING -i $IF -p tcp --dport 1723 -j DNAT --to $SERVER
$IPT -A FORWARD -i $IF -o $INIF -p 47 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A PREROUTING -i $IF -p 47 -j DNAT --to $SERVER 
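As an added example (not Firestarter’s code or the original post’s), here are the three rule sets above folded into one POSIX sh script that can be sourced from user-pre or previewed with IPT=echo before anything touches the firewall. It goes a little beyond the page’s rules in two places: it adds a udp/4500 (NAT-T) rule for IPsec clients behind the NAT, and it includes a check for the PPTP/GRE connection-tracking helper. The interface names, the 192.168.1.10 server address and the file name vpn-rules.sh are placeholders.

```shell
#!/bin/sh
# Added example, not code from the Firestarter project or the original post.
# Generates the user-pre rules shown above from one parameterised function so
# the whole rule set can be previewed with IPT=echo, and checks that the
# kernel's PPTP/GRE connection-tracking helper is loaded. IPT, IF and INIF are
# Firestarter's own variable names; the defaults here and VPN_SERVER are
# assumptions for a stand-alone run.

IPT="${IPT:-iptables}"                     # Firestarter sets this itself
IF="${IF:-eth0}"                           # external interface (assumed name)
INIF="${INIF:-eth1}"                       # internal interface (assumed name)
VPN_SERVER="${VPN_SERVER:-192.168.1.10}"   # LAN PPTP server, placeholder address

# fwd SRC_IF DST_IF PROTO [PORT]: one stateful FORWARD accept rule.
# PORT applies only to tcp/udp; GRE (47) and ESP (50) have no ports.
fwd() {
    if [ -n "$4" ]; then
        "$IPT" -A FORWARD -i "$1" -o "$2" -p "$3" --dport "$4" \
            -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    else
        "$IPT" -A FORWARD -i "$1" -o "$2" -p "$3" \
            -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    fi
}

# Microsoft/PPTP client on the LAN: tcp/1723 control channel, GRE both ways.
pptp_client_rules() {
    fwd "$IF" "$INIF" tcp 1723
    fwd "$IF" "$INIF" 47
    fwd "$INIF" "$IF" 47
}

# Cisco IPsec client on the LAN: IKE on udp/500 (tcp/500 kept from the page),
# ESP (50) both ways. udp/4500 is NAT-T, added here because a client behind
# this NAT router normally negotiates it; it is not in the page's rules.
ipsec_client_rules() {
    fwd "$IF" "$INIF" udp 500
    fwd "$IF" "$INIF" tcp 500
    fwd "$IF" "$INIF" udp 4500
    fwd "$IF" "$INIF" 50
    fwd "$INIF" "$IF" 50
}

# Inbound PPTP server on the LAN: accept and DNAT tcp/1723 and GRE to VPN_SERVER.
pptp_server_rules() {
    fwd "$IF" "$INIF" tcp 1723
    "$IPT" -t nat -A PREROUTING -i "$IF" -p tcp --dport 1723 -j DNAT --to "$VPN_SERVER"
    fwd "$IF" "$INIF" 47
    "$IPT" -t nat -A PREROUTING -i "$IF" -p 47 -j DNAT --to "$VPN_SERVER"
}

# gre_helper_loaded [MODULES_FILE]: succeed if a PPTP/GRE conntrack helper is
# listed in /proc/modules (or in the file given, for testing). Without the
# helper the NAT only tracks GRE generically by address pair, which breaks when
# several LAN hosts use the same PPTP server.
gre_helper_loaded() {
    grep -Eq '^(nf_conntrack_pptp|nf_conntrack_proto_gre|ip_conntrack_pptp|ip_conntrack_proto_gre) ' \
        "${1:-/proc/modules}"
}

# Preview the rules without touching the firewall:
#   IPT=echo IF=ppp0 INIF=eth1 sh -c '. ./vpn-rules.sh; pptp_client_rules'
# From /etc/firestarter/user-pre, source the file and call the function you need.
```

With IPT=echo each function prints exactly the iptables arguments it would pass, so the output can be diffed against the rules above before the script is sourced for real; gre_helper_loaded is worth calling from user-pre too, so a missing helper is logged rather than discovered when the second LAN client’s tunnel fails.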

That should pretty much cover it. If you are using OpenVPN, head over to the Firestarter VPN configuration page for details.


How To: Cisco VPN Client On Ubuntu


So, I installed Ubuntu 7.04 Feisty Fawn beta about 2 months ago. I installed it on my notebook and one of my workstations, both of which had Windows installed previously. I’m not dual booting on those machines; they’re 100% Ubuntu now.

After getting everything set up and running nicely, I realized I had no way of connecting to the Cisco PIX VPN we have at work. This is really important for me to be able to do; my job depends on it. I immediately went to Google and started searching. Turns out a nice fellow named Alexander Griesser has created a patch for the Cisco VPN client: the most recent Cisco VPN client for Linux won’t compile with kernels 2.6.19 or newer without it. There’s really not much of a difference between his instructions and this how-to. However, I’m including more detailed instructions for those who may not be familiar with compiling software on Linux.

Here are the steps I took to get the Cisco VPN Client to work under Ubuntu 7.04 (Feisty Fawn). In all reality, this should work with any version of Ubuntu, not just 7.04. I used this same method to get the Cisco VPN Client working on Ubuntu 8.04. Note: A $ at the beginning of a line signifies a command to be run from the terminal.

  1. Download vpnclient-linux- (mirror) to your home directory.
  2. Open a terminal window and untar the vpnclient with the following command:
    $ tar xzf vpnclient-linux-
    This will create a new folder called vpnclient in your home directory. Leave the terminal window open, you’ll need it later.
  3. Download the patch (mirror) and save it to the vpnclient folder that was created in step 2.
  4. Go back to your terminal window and move into the vpnclient folder:
    $ cd vpnclient/
  5. Now patch the Cisco VPN source with this command:
    $ patch < vpnclient-linux-2.6.22.diff
  6. Next we actually build the Cisco VPN client, issue this command:
    $ sudo ./vpn_install
    Just hit enter for everything it asks you, the defaults are all OK. You may see lots of warnings, but those are OK.
  7. The VPN client is installed, now we need to start it:
    $ sudo /etc/init.d/vpnclient_init start
  8. Place your .pcf configuration files in /etc/opt/cisco-vpnclient/Profiles/. A .pcf stores the group password only obfuscated (enc_GroupPwd), not encrypted, so keep these files readable by root only.
  9. If your .pcf file is called myVPN.pcf, you’ll connect to the VPN with the following command:
    $ sudo vpnclient connect myVPN

That’s it! You should now be able to connect to your Cisco VPN with the official Cisco VPN client on Linux. This will probably work on pretty much any linux setup, not just Ubuntu.

UPDATE (8/18/2007):
Alexander Griesser released a new patch that works with kernel versions 2.6.22 and greater. The new patch is backwards compatible, so it also works with older kernels as well, such as 2.6.10 and 2.6.21. All the download links above point to the newest release of the patch. I’ll continue to update this how-to as he releases new patches.

UPDATE (10/04/2007):
Cisco has finally released a new version of their vpn client for Linux. This new version compiles on all the new 2.6.xx kernels without the need for patching! You can download it from Alexander’s site or you can get it right here.

UPDATE (12/29/2007): Alexander Griesser has a new project page for his Cisco VPN client patches. It contains basic usage information and will most likely always have the latest and greatest patch available for download. In addition to that, Alexander has a new patch to make version of the Cisco VPN Client compile on 64bit systems. Again, you can download the latest Cisco VPN Client for linux from the following link:
UPDATE (8/11/2011): Marius B commented and mentioned he has a post up on this same subject. It’s worth checking his post out. He basically suggests enabling the option to only use the VPN connection for resources on the network you’re connected to. See his post for more.


Looking Ahead: Slackware 11

Crossposted from Slackware Blog.

Well, we’re getting closer to a Slackware 11 release. What kind of software goodies can we expect from this release? On May 31st, KDE released KDE 3.5.3, which has since been included in slackware-current. Unless KDE makes another release soon, I expect we’ll see KDE 3.5.3 included in Slackware 11.

Slackware 11 is still using a 2.4 kernel by default, with the kernel in “testing”. Chess Griffin is guessing Slackware 11 will be released on June 25th. I don’t think that’s gonna happen, but Chess made that guess back in May. I am guessing that Slackware 11 will be released around August 11th. I say that because we haven’t even seen Slackware 11 Beta 1 yet.

I would expect to see a 2.6 kernel as the default kernel in Slackware 11. Having a 2.4 kernel as the default is something people like to poke fun at Slackware for. Now that kernel 2.6 has been around for a few years, I expect Patrick will set it as the default. Patrick will make the right decision, as he always has, no matter which kernel he chooses to set as the default.

Other new software that will be included in Slackware 11 is MySQL 5.0, Apache 1.3.36, PHP 4.4.2, Mozilla Firefox, Mozilla Thunderbird, and X11 6.9.0. Now, this is software that’s currently included in slackware-current, so the version numbers may change slightly before Slackware 11 is actually released.

So far, it looks like we can expect a nicely polished release of Slackware 11, as usual. I’m just hoping Patrick decides to go with a 2.6 kernel by default.

On a somewhat related note, this guy here at seems to be addicted to his Slackware box. Apparently it’s caused him to miss a few lunches; he’s having trouble dragging himself away from the beauty that is Slackware.

Somebody should drag me away from my PC. Ever since I installed Slackware on it, I could not get myself to stay away from the damn thing. My eyes are hurting, and my stomach is grumbling from missed lunches.


Newsvine is Ready

Newsvine is “a perfectly different, perfectly efficient way to read, write, and interact with the news”. I’ve been using the Newsvine beta since about January. I make very heavy use of Newsvine all the time, although I don’t seed articles or post very often.

After 2 months of beta testing, Newsvine was released for public consumption yesterday. Mike Davidson, founder, writes a few notes about the release in his blog:

After eight weeks of testing in private beta, Newsvine is now live to the world. It’s been an extremely productive couple of months, with countless enhancements and feature additions making their way onto the site almost every day.

The decision when to release to the world was a tough one for us. The site has come so far in its short existence, and yet, we feel we still have so far to go. Things are never finished around here, but that’s a good thing. By continuing to listen and react to the needs of the community, the Newsvine team is determined to make this site what it has always promised to be: a perfectly different, perfectly efficient way to read, write, and discuss the news.

If you are a news junkie like me, you’ll probably be right at home with Newsvine. Breaking stories often show up there hours before they hit the likes of Fox News or the other large players. Go check it out!


Network Poopery

Last Tuesday (July 26th), our network at work went totally down. Turned out a really old hub crapped out. Tuesday isn’t a good time for that to happen. It’s the last day that Mom’s Meals clients can call in orders for their next deliveries. In other words, it’s wicked busy. Ashley and her co-workers are busy entering the orders they’ve taken. Orders are of course entered into a database via a custom application.

They obviously can’t enter orders while the network is down. We were probably set back about 2 hours by the whole thing. Anyway, I quickly got a temporary network up so the girls could at least enter their orders. Then, after determining that the router wasn’t the cause, I removed one really old hub from the picture and things started looking better.

I headed off to Staples to pick up a Linksys EtherFast® 4124 24-Port 10/100 Ethernet Switch. Before we had this, some people’s PCs were hooked into the router. Others were in that old hub. Now, the only cables going to the router come from the modem and go to the new Linksys switch. Two CAT5 cables going to the router, that’s it. What’s really nice is everyone is now on a 100Mbit network. And everyone is on the Linksys switch.

I also discarded a bunch of unused cables that didn’t seem to serve any purpose other than adding to the clutter. I wish we didn’t have to have all that stuff in the packing room. Ideally, it would be up here in the office somewhere. They wouldn’t get unplugged all the time if it was all up here.

Oh, I’m claiming my feedster. Dun bother clicking that link. And one more time.