Accessing the Corporate Cisco VPN with Ubuntu
Written by Josh B   
Wednesday, 06 July 2011 12:22

Tags: networking | ubuntu

There are many times when one may have to work from home. More and more people now do this full-time, only rarely (if at all) venturing into the office. The majority of these connections are by VPN, usually requiring some kind of VPN Token. In the past, connecting Ubuntu to a VPN was clunky and required a lot of custom modules and compiling. These days, it's much easier.

However, the initial setup of a VPN can be quite complicated. When I was setting up my connection for the first time, I didn't realise that VPN Tokens come with PINs. (The PIN is used as an additional security mechanism.) When a VPN Token is first sent out, it's in what is known as "new PIN mode".

Now, the built-in client (at least up to 11.04) doesn't include PIN Setup. So how do you do this...?

My company uses Cisco's VPN, and these instructions will deal with that VPN type.

First, ask your Network Admin for the Cisco Client program. This is usually a Windows Executable in a zip file. Somewhere in that will be a PCF file.

Open this up, and look for the following lines:

Host=123.456.254.43
GroupName=MYGROUP
GroupPwd=

If the GroupPwd line is blank, look for:

enc_GroupPwd=long string of digits

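You can decode the encoded Group Password by using the decoder at http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode. Because the encoding is reversible, anyone who has the PCF file can recover the Group Password, so treat the file as if it held the password in plain text.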

Now we have these details we can try updating the PIN. First install vpnc:

sudo apt-get install vpnc

And then switch to the super-user:

sudo su

Now start vpnc and enter the details as shown here. Each "Enter" line will ask you a question:

root@erewhon:/home/me# vpnc-connect
Enter IPSec gateway address: 123.456.254.43
Enter IPSec ID for 123.456.254.43: MYGROUP
Enter IPSec secret for MYGROUP@123.456.254.43:

This is the Group Password you decoded above.

Enter username for 123.456.254.43: w123456

Your username is usually your employee ID number. It's unlikely you are employee 123456...

Enter password for w123456@123.456.254.43:

Enter the digits shown on your VPN Token now. This authenticates you before you change the PIN.

Enter your new Access PIN, containing 4 to 8 digits or 'x' to cancel the new PIN procedure: 
Passcode for VPN w123456@123.456.254.43:
Passcode for VPN w123456@123.456.254.43:
vpnc-connect: authentication unsuccessful

Here you need to enter a 4 to 8 digit PIN. I recommend four digits as it's easier to remember. It will then ask for it again to confirm. So far I have never got this to return successful. But for some reason it will work fine later. Now, remember your PIN. It is very embarrassing (and a waste of time) to do this all again.

Now let's try and connect. As before, have the details ready and enter them when asked:

root@erewhon:/home/me# vpnc-connect
Enter IPSec gateway address: 123.456.254.43
Enter IPSec ID for 123.456.254.43: MYGROUP
Enter IPSec secret for MYGROUP@123.456.254.43:
Enter username for 123.456.254.43: w123456
Enter password for w123456@123.456.254.43:

At the password prompt above, enter your PIN and the number displayed on the VPN Token.

VPNC started in background (pid: 12751)...

You can then use ifconfig to verify you are connected. There will be a new interface called "tun0" with an IP address that is in your corporate network.

When you are happy that it is all working, disconnect with:

root@erewhon:/home/me# vpnc-disconnect
Terminating vpnc daemon (pid: 12751)

You should now be able to use the GUI client to connect...!
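
The gateway, group and secret typed at the vpnc prompts above can also be written to a vpnc configuration file straight from the PCF file. This is an added example, not part of the original article: it uses vpnc's "IPSec obfuscated secret" option when GroupPwd is blank, so the enc_GroupPwd value never has to go through a separate decoder. The function names and the sample profile (including its enc_GroupPwd value) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# pcf_to_vpnc PCF_FILE [USERNAME]: print vpnc config lines for a Cisco .pcf profile.
pcf_to_vpnc() {
    awk -F= -v user="${2:-}" '
        { sub(/\r$/, "") }                        # profiles use Windows CRLF line endings
        /^[ \t]*$/ || /^[ \t]*;/ || /^[ \t]*\[/ || !index($0, "=") { next }
        {
            key = $1; sub(/^!/, "", key)          # assumption: "!" marks a read-only key
            v[tolower(key)] = substr($0, index($0, "=") + 1)
        }
        END {
            if (v["host"] == "" || v["groupname"] == "") exit 2
            # Same rule as the article: use GroupPwd, else fall back to enc_GroupPwd.
            if (v["grouppwd"] != "")          secret = "IPSec secret " v["grouppwd"]
            else if (v["enc_grouppwd"] != "") secret = "IPSec obfuscated secret " v["enc_grouppwd"]
            else exit 3
            print "IPSec gateway " v["host"]
            print "IPSec ID " v["groupname"]
            print secret
            if (user != "") print "Xauth username " user
            # No Xauth password line: the PIN + token code changes on every login.
        }' "$1"
}

# write_vpnc_conf PCF_FILE OUT_FILE [USERNAME]: write the config with mode 0600,
# because the group secret in it is recoverable by anyone who can read the file.
write_vpnc_conf() {
    (
        umask 077
        tmp="$2.tmp.$$"
        if pcf_to_vpnc "$1" "${3:-}" > "$tmp"; then
            mv "$tmp" "$2"
        else
            rm -f "$tmp"; exit 1
        fi
    )
}

# Constructed sample profile; the enc_GroupPwd value is a made-up placeholder.
sample_pcf() {
    printf '%s\r\n' "[main]" "Host=123.456.254.43" "GroupName=MYGROUP" \
        "GroupPwd=" "!enc_GroupPwd=DEADBEEF00112233"
}

# Demo: prints the four config lines for the sample profile.
demo=$(mktemp) && sample_pcf > "$demo" && pcf_to_vpnc "$demo" w123456
rm -f "$demo"
```

Written to /etc/vpnc/default.conf, the result is picked up by vpnc-connect when it is run without arguments, leaving only the password prompt to answer.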

Last Updated on Wednesday, 06 July 2011 12:58
 

Comments  

 
0 #1 us vpn 2011-10-20 06:32 Thank you for sharing your script very much appreciated.
 
 
0 #2 keith 2012-01-30 16:22 I went through the procedure as you showed, and entered the token first, then the pin twice. The second time around, I do the same procedure again to connect, and it asks for passwords again. Is it asking for pin first and token twice, or token first and pin twice? I tried both ways and could never connect.
 
