How To: Cisco and Microsoft VPN Through Firestarter on Ubuntu

After doing a fresh install of Ubuntu 9.10 Karmic Koala on my router, I realized that I had lost the ability to connect to my employer’s VPN. I use Firestarter for managing my firewall on this particular router.
As I usually do, I googled “firestarter vpn”. Much to my dismay, it appeared that the Firestarter website was no longer alive. Instead of the usual Firestarter page, a page filled with useless links about security and anti-virus loaded. Luckily I was able to access the cached version of the page from Google. Since then, it appears that the Firestarter website has come back to life.

I wanted to make a note of how to allow VPN connections in case the Firestarter website becomes inaccessible again; that is basically the point of this post. The page on the Firestarter site that details VPN connections can be found here. This should apply to pretty much every Linux distribution, not just Ubuntu.

To allow VPN connections with the Microsoft VPN client, simply enter the following lines into /etc/firestarter/user-pre.

# Forward PPTP VPN client traffic
$IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 1723 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF -o $INIF -p 47 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INIF -o $IF -p 47 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

And to allow VPN connections with the Cisco VPN client, enter the following lines into /etc/firestarter/user-pre.

# Forward Cisco VPN client traffic
$IPT -A FORWARD -i $IF -o $INIF -p udp --dport 500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF -o $INIF -p 50 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INIF -o $IF -p 50 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Finally, if you’re running a Microsoft VPN server and want to allow incoming PPTP VPN connections, add the following lines to /etc/firestarter/user-pre.

# Forward PPTP VPN connections to internal server
SERVER= # Internal VPN server

$IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 1723 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A PREROUTING -i $IF -p tcp --dport 1723 -j DNAT --to $SERVER
$IPT -A FORWARD -i $IF -o $INIF -p 47 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A PREROUTING -i $IF -p 47 -j DNAT --to $SERVER
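The rules above open GRE or ESP forwarding for any LAN host to any destination. As an added example, not part of the original post or of Firestarter's own page, here is a small sh script that emits the same kind of user-pre rules scoped to one internal client and one VPN gateway, and that refuses malformed addresses so nothing extra can end up in the generated rule. $IPT, $IF and $INIF are the variables Firestarter sets before sourcing user-pre; the interface defaults and the addresses used are constructed for testing.

```shell
#!/bin/sh
# Added example, not from the original post or from Firestarter itself.
# Emits user-pre style FORWARD rules for one VPN type, scoped to a single
# internal client and a single VPN gateway instead of any-to-any.
# $IPT, $IF (external) and $INIF (internal) are Firestarter's variables;
# the fallback values below are constructed so the script runs stand-alone.
IPT=${IPT:-iptables}; IF=${IF:-eth0}; INIF=${INIF:-eth1}

# Accept only a dotted quad, so a malformed "address" can never smuggle
# extra iptables arguments into the generated rule.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# vpn_rules <pptp|ipsec> <internal-client-ip> <vpn-gateway-ip>
vpn_rules() {
  kind=$1; client=$2; gw=$3
  is_ipv4 "$client" && is_ipv4 "$gw" || { echo "bad address" >&2; return 2; }
  st='-m state --state NEW,ESTABLISHED,RELATED'
  to_gw="$IPT -A FORWARD -i $INIF -o $IF -s $client -d $gw"    # LAN -> gateway
  to_lan="$IPT -A FORWARD -i $IF -o $INIF -s $gw -d $client"   # gateway -> LAN
  case $kind in
    pptp)
      echo "$to_gw -p tcp --dport 1723 $st -j ACCEPT"   # PPTP control channel
      echo "$to_gw -p 47 $st -j ACCEPT"                  # GRE carries the tunnel
      echo "$to_lan -p 47 $st -j ACCEPT"
      ;;
    ipsec)
      echo "$to_gw -p udp --dport 500 $st -j ACCEPT"    # IKE
      echo "$to_gw -p udp --dport 4500 $st -j ACCEPT"   # IKE/ESP NAT traversal
      echo "$to_gw -p 50 $st -j ACCEPT"                  # ESP
      echo "$to_lan -p 50 $st -j ACCEPT"
      ;;
    *) echo "unknown VPN type: $kind" >&2; return 1 ;;
  esac
}

# Usage: vpn_rules pptp 192.168.1.10 203.0.113.5 >> /etc/firestarter/user-pre
```

The ipsec case also admits UDP 4500, which the Cisco client needs when it sits behind NAT and the post's rule set does not cover.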

That should pretty much cover it. If you are using OpenVPN, head over to the Firestarter VPN configuration page for details.


How To: Cisco VPN Client On Ubuntu


So, I installed Ubuntu 7.04 Feisty Fawn beta about 2 months ago. I installed it on my notebook and one of my workstations, both of which had Windows installed previously. I’m not dual booting on those machines; they’re 100% Ubuntu now.

After getting everything set up and running nicely, I realized I had no way of connecting to the Cisco PIX VPN we have at work. This is really important for me to be able to do; my job depends on it. I immediately went to Google and started searching. Turns out a nice fellow named Alexander Griesser has created a patch for the Cisco VPN client. The most recent Cisco VPN client for Linux won’t compile with kernels 2.6.19 or newer. There’s really not much of a difference between his instructions and this how-to. However, I’m including more detailed instructions for those who may not be familiar with compiling software on Linux.

Here are the steps I took to get the Cisco VPN Client to work under Ubuntu 7.04 (Feisty Fawn). In all reality, this should work with any version of Ubuntu, not just 7.04. I used this same method to get the Cisco VPN Client working on Ubuntu 8.04. Note: A $ at the beginning of a line signifies a command to be run from the terminal.

  1. Download vpnclient-linux- (mirror) to your home directory.
  2. Open a terminal window and untar the vpnclient with the following command:
    $ tar xzf vpnclient-linux-
    This will create a new folder called vpnclient in your home directory. Leave the terminal window open; you’ll need it later.
  3. Download the patch (mirror) and save it to the vpnclient folder that was created in step 2.
  4. Go back to your terminal window and move into the vpnclient folder:
    $ cd vpnclient/
  5. Now patch the Cisco VPN source with this command:
    $ patch < vpnclient-linux-2.6.22.diff
  6. Next we actually build the Cisco VPN client, issue this command:
    $ sudo ./vpn_install
    Just hit enter for everything it asks you; the defaults are all OK. You may see lots of warnings, but those are OK.
  7. The VPN client is installed; now we need to start it:
    $ sudo /etc/init.d/vpnclient_init start
  8. Place your .pcf configuration files in /etc/opt/cisco-vpnclient/Profiles/
  9. If your .pcf file is called myVPN.pcf, you’ll connect to the VPN with the following command:
    $ sudo vpnclient connect myVPN
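Step 5 only makes sense on a kernel that the unpatched client will not build against (2.6.19 or newer, per the post). Added here as an example, not part of the original post or of Cisco's installer, is a sh function a build script can use to decide that; it takes a uname -r style release string so it can be tested with constructed values.

```shell
#!/bin/sh
# Added example, not from the original post. Reports whether a kernel
# release string is 2.6.19 or newer, the point at which (per the post) the
# unpatched Cisco client stops building, so the patch step can be gated.
# kernel_needs_patch <release>  -> exit 0 if the patch is needed,
#                                   1 if not, 2 if the string is unparseable
kernel_needs_patch() {
  rel=$1
  # Require a leading x.y.z triplet; anything else is not a kernel release.
  printf '%s\n' "$rel" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+' || {
    echo "unrecognised kernel release: $rel" >&2; return 2; }
  # Drop the distro suffix (e.g. "-14-generic") and split the triplet.
  base=$(printf '%s\n' "$rel" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
  maj=${base%%.*}; rest=${base#*.}; min=${rest%%.*}; pat=${rest#*.}
  # Compare as one integer: major*1000000 + minor*1000 + patch.
  n=$((maj * 1000000 + min * 1000 + pat))
  [ "$n" -ge $((2 * 1000000 + 6 * 1000 + 19)) ]
}

# Usage in a build script (the .diff name is the one used in step 5):
#   if kernel_needs_patch "$(uname -r)"; then
#     patch < vpnclient-linux-2.6.22.diff
#   fi
```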

That’s it! You should now be able to connect to your Cisco VPN with the official Cisco VPN client on Linux. This will probably work on pretty much any Linux setup, not just Ubuntu.

UPDATE (8/18/2007):
Alexander Griesser released a new patch that works with kernel versions 2.6.22 and greater. The new patch is backwards compatible, so it also works with older kernels, such as 2.6.10 and 2.6.21. All the download links above point to the newest release of the patch. I’ll continue to update this how-to as he releases new patches.

UPDATE (10/04/2007):
Cisco has finally released a new version of their VPN client for Linux. This new version compiles on all the new 2.6.xx kernels without the need for patching! You can download it from Alexander’s site or you can get it right here.

UPDATE (12/29/2007): Alexander Griesser has a new project page for his Cisco VPN client patches. It contains basic usage information and will most likely always have the latest and greatest patch available for download. In addition to that, Alexander has a new patch to make version of the Cisco VPN Client compile on 64-bit systems. Again, you can download the latest Cisco VPN Client for Linux from the following link:

UPDATE (8/11/2011): Marius B commented and mentioned he has a post up on this same subject. It’s worth checking his post out. He basically suggests enabling the option to only use the VPN connection for resources on the network you’re connected to. See his post for more.


Ubuntu Billboard

Look at the beautiful Ubuntu Billboard WildBill got a photo of as he was driving by.
Pretty neat, huh? I’m not a huge Ubuntu fan, but I do appreciate it. If I wasn’t such an avid Slackware user, Ubuntu would be my distro of choice. In fact, I just used the Ubuntu LiveCD yesterday at work to get some needed files off a dying hard drive. Pretty neat; I expect Microsoft billboards, but not Ubuntu. Wonder what it’d take to get a Slackware billboard put up somewhere?

Oh, and as you’d expect, the Ubuntu Blog author is pretty excited about the billboard too.


Looking Ahead: Slackware 11

Crossposted from Slackware Blog.

Well, we’re getting closer to a Slackware 11 release. What kind of software goodies can we expect from this release? On May 31st, KDE released KDE 3.5.3, which has since been included in slackware-current. Unless KDE makes another release soon, I expect we’ll see KDE 3.5.3 included in Slackware 11.

Slackware 11 is still using a 2.4 kernel by default, with the kernel in “testing”. Chess Griffin is guessing Slackware 11 will be released on June 25th. I don’t think that’s gonna happen, but Chess made that guess back in May. I am guessing that Slackware 11 will be released around August 11th. I say that because we haven’t even seen Slackware 11 Beta 1 yet.

I would expect to see a 2.6 kernel as the default kernel in Slackware 11. Having a 2.4 kernel as the default is something people like to poke fun at Slackware for. Now that kernel 2.6 has been around for a few years, I expect Patrick will set it as the default. Patrick will make the right decision, as he always has, no matter which kernel he chooses to set as the default.

Other new software that will be included in Slackware 11 is MySQL 5.0, Apache 1.3.36, PHP 4.4.2, Mozilla Firefox, Mozilla Thunderbird, and X11 6.9.0. Now, this is software that’s currently included in slackware-current, so the version numbers may change slightly before Slackware 11 is actually released.

So far, it looks like we can expect a nicely polished release of Slackware 11, as usual. I’m just hoping Patrick decides to go with a 2.6 kernel by default.

On a somewhat related note, this guy here at seems to be addicted to his Slackware box. Apparently it’s caused him to miss a few lunches; he’s having trouble dragging himself away from the beauty that is Slackware.

Somebody should drag me away from my PC. Ever since I installed Slackware on it, I could not get myself to stay away from the damn thing. My eyes are hurting, and my stomach is grumbling from missed lunches.