UCL RoamNet/CiscoVPNClient under Linux

Connecting to the UCL wireless network under Linux (kernel 2.6...)

In order to connect to the University College London RoamNet service it is necessary to have Cisco Systems VPN Client running to authenticate the connection. I had problems installing Cisco VPN Client on Linux. It turns out it was necessary to patch one of the files. The UCL Information Systems website was useless as to how to set it up, and the Cisco manual was not great. This page is intended as a helper for getting RoamNet up and running with Linux (kernel 2.6...)



Eligibility

In order to use the service you need a UCL username and password (all students and staff should have one). You also need to be in a RoamNet location.

My system

I am running SuSE 10.0 (kernel 2.6.13) on an Advent laptop. This information should be applicable to anyone running kernel 2.6.9+

Getting started

Wireless

You'll need to connect to the wireless network---visit https://www.ucl.ac.uk/is/roamnet/config/checklist_wificonfg.htm for the WEP key; use DHCP. Once you've done this you should be able to connect to http://www.ucl.ac.uk, but not any external sites.

Wired

I've not tried it, but you should just be able to plug in (using one of the special RoamNet cables) and, again, be able to connect to www.ucl.ac.uk but not any external sites.

Getting Cisco VPN Client

You'll now need to get Cisco VPN Client running. Visit http://www.ucl.ac.uk/is/roamnet/checklist_2ndphase.htm to download CiscoVPNClient as well as the certificate (.crt file), and the profile (.pcf file).

Kernel sources

Cisco VPN Client is going to be made as a kernel module, so you'll need your kernel sources. If you have them, they should be found at /usr/src/linux which should be a symlink to the kernel sources. Also, you may need to
make cloneconfig
make prepare
within the /usr/src/linux directory.

Preparing for install

Bundling the root certificate---do this!

Unzip and untar the vpnclient:
zcat vpnclient-linux-<version>.tar.gz | tar xf -
You should now have a vpnclient directory.

Copy the certificate file to the vpnclient directory---and rename it "rootcert" (no extension):
cp -f <filename>.crt vpnclient/rootcert

Patching interceptor.c

The Cisco VPN client doesn't work with kernel 2.6.9+. This is the bit that UCL doesn't tell you. In order to get it to work the interceptor.c file must be patched by moving the supported_device function above the definition of add_netdev and recompiled. The patch below is reported to rectify problems with Cisco VPN Client with kernel 2.6.9. It also works with my kernel 2.6.13.


--- interceptor.c.orig  2005-01-04 14:55:44.246848280 -0500
+++ interceptor.c       2005-01-04 14:56:15.955027904 -0500
@@ -236,6 +236,24 @@
     dev_kfree_skb(skb);
     return 0;
 }
+
+static int
+inline supported_device(struct net_device* dev)
+{
+    int rc=0;
+
+    if(dev->type == ARPHRD_ETHER)
+    {
+        rc=1;
+    }
+    else if(dev->type == ARPHRD_PPP)
+    {
+        rc=1;
+    }
+
+    return rc;
+}
+
 static int
 add_netdev(struct net_device *dev)
 {
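Review bot: in the added supported_device(), both branches set rc=1, so the body could be a single `return dev->type == ARPHRD_ETHER || dev->type == ARPHRD_PPP;`, and the declaration splits `static int` / `inline` with the specifier after the return type where `static inline int` is the conventional order. Because the function is being moved verbatim, keeping the body unchanged here makes the move easy to check against the removal hunk, so this cleanup is better done as a separate follow-up change.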
@@ -476,23 +494,6 @@
     s->rc = 0;
 }

-static int
-inline supported_device(struct net_device* dev)
-{
-    int rc=0;
-
-    if(dev->type == ARPHRD_ETHER)
-    {
-        rc=1;
-    }
-    else if(dev->type == ARPHRD_PPP)
-    {
-        rc=1;
-    }
-
-    return rc;
-}
-

 static BINDING *
 getbindingbydev(struct net_device *dev)
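Review bot: the patch ends after this removal hunk without touching the skb_checksum_help() calls, which the page says must take skb rather than &skb on kernel 2.6.10+ or the system hangs. Consider adding those two call-site changes as further hunks, so that one patch run covers everything instead of relying on a manual search and replace afterwards. The body removed here matches the one added in the first hunk line for line, so the move itself changes no behaviour.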


Save the above patch as ciscovpnpatch.txt in the vpnclient directory and issue
patch -p0 < ciscovpnpatch.txt

In addition, for kernel 2.6.10+ the system will hang unless the first parameter in each call to the function skb_checksum_help() is changed to skb and NOT &skb in the file interceptor.c.

So, within interceptor.c, search for
(skb_checksum_help(&skb
and replace with
(skb_checksum_help(skb
There should be two replacements.
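
The manual edit above can be scripted so that it refuses to change the file unless it finds exactly the two calls the page expects. This is an added example, not part of the original page or of Cisco's installer; the function names, the .prechecksum backup suffix and the sample source fragment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: apply the skb_checksum_help(&skb -> skb) edit to interceptor.c,
# but only when exactly the expected number of calls is present.

# fix_checksum_calls FILE [EXPECTED]   (hypothetical helper name)
# Returns 0 on success, 1 on I/O errors, 2 if the match count is unexpected,
# 3 if an &skb call is still present after the edit.
fix_checksum_calls() {
    file=$1
    expected=${2:-2}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # Count occurrences rather than lines, in case two calls share a line.
    found=$(grep -o 'skb_checksum_help(&skb' "$file" | wc -l | tr -d ' ')
    if [ "$found" -ne "$expected" ]; then
        echo "expected $expected calls, found $found; file left untouched" >&2
        return 2
    fi

    # Keep the pre-edit copy, then rewrite the file from it.
    cp -p "$file" "$file.prechecksum" || return 1
    sed 's/skb_checksum_help(&skb/skb_checksum_help(skb/g' \
        "$file.prechecksum" > "$file" || return 1

    # Verify that no call was missed.
    if grep -q 'skb_checksum_help(&skb' "$file"; then return 3; fi
    echo "replaced $found calls in $file"
}

# Constructed sample, NOT the real interceptor.c: two calls in the old form.
write_sample() {
    cat > "$1" <<'EOF'
    if (skb_checksum_help(&skb, 1))
        goto exit_gracefully;
    if (skb_checksum_help(&skb, 0))
        goto exit_gracefully;
EOF
}

# Demo run on the constructed sample in a scratch directory.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/interceptor.c"
fix_checksum_calls "$demo_dir/interceptor.c"
rm -rf "$demo_dir"
```

Run against the real file as `fix_checksum_calls interceptor.c` from the vpnclient directory; a second run returns 2 and leaves the file alone because no old-form calls remain.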

Installing

You should now be ready to do the install as per the manual. As root from within the vpnclient directory issue
./vpn_install

The installation program will ask where to install it, whether you want it to start at boot, and the location of the kernel sources. The defaults worked for me, although I chose not to have it start automatically at boot (to start it afterwards, just issue /etc/init.d/vpnclient_init start as root [or use sudo]).

Once the installation program has finished, copy the profile file to /etc/opt/cisco-vpnclient/Profiles/UCL.pcf (note: I renamed it to UCL.pcf for ease of use):
cp <path>/UCL\ RoamNet.pcf /etc/opt/cisco-vpnclient/Profiles/UCL.pcf

Running Cisco VPN Client

All being well, you should be ready to connect to the Internet.

Start the vpnclient daemon: as root (or sudo) issue
/etc/init.d/vpnclient_init start

Now, connect!
vpnclient connect UCL
You should be prompted for a username, then a password. After this you should be welcomed to the RoamNet service, and given VPN tunnel information. You should now be able to browse the Net and check your email.

Epilogue

To facilitate connection you can put the run commands in a script file:
cat > roamnet
#!/bin/bash
#Connect to the UCL RoamNet service
/etc/init.d/vpnclient_init start
/usr/local/bin/vpnclient connect UCL

ctrl+d
chmod 700 roamnet

You can now connect by issuing as root
./roamnet
or, better, as a user:
sudo roamnet
if you store it in a directory listed in your PATH, and set up your /etc/sudoers file (use visudo).

Credits

Credit for the patch goes to Kevin J. Smith;
slacker775 and urr on linuxquestions.org.

No thanks goes to the UCL Information Systems team who didn't even respond to an email for help and for having a shit set of install instructions for Linux on their website.






Created: 2006 03 17 --- Andrew Pugsley