Gentoo Archives: gentoo-doc-cvs

From: swift <swift@×××××××××××.org>
To: gentoo-doc-cvs@l.g.o
Subject: [gentoo-doc-cvs] cvs commit: vpnc-howto.xml
Date: Tue, 09 May 2006 06:30:45
Message-Id: 20060509063102.E60CA646E4@smtp.gentoo.org
1 swift 06/05/09 06:31:02
2
3 Modified: vpnc-howto.xml
4 Log:
5 Some updates, mostly 1.12 (cf #97760) and line length
6
7 Revision Changes Path
8 1.4 xml/htdocs/doc/en/draft/vpnc-howto.xml
9
10 file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/draft/vpnc-howto.xml?rev=1.4&content-type=text/x-cvsweb-markup&cvsroot=gentoo
11 plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/draft/vpnc-howto.xml?rev=1.4&content-type=text/plain&cvsroot=gentoo
12 diff : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/draft/vpnc-howto.xml.diff?r1=1.3&r2=1.4&cvsroot=gentoo
13
14 Index: vpnc-howto.xml
15 ===================================================================
16 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/draft/vpnc-howto.xml,v
17 retrieving revision 1.3
18 retrieving revision 1.4
19 diff -u -r1.3 -r1.4
20 --- vpnc-howto.xml 29 Sep 2005 15:11:35 -0000 1.3
21 +++ vpnc-howto.xml 9 May 2006 06:31:02 -0000 1.4
22 @@ -1,15 +1,15 @@
23 <?xml version='1.0' encoding='UTF-8'?>
24 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
25
26 -<guide link="/doc/en/draft/vpnc-howto.xml">
27 +<guide link="/doc/en/vpnc-howto.xml">
28
29 <title>Gentoo vpnc HOWTO</title>
30
31 <author title="Author">
32 - David H. Askew
33 + <mail link="dhaskew@×××××××××.net">David H. Askew</mail>
34 </author>
35
36 -<!--
37 +<!--
38 My email address is dhaskew on earthlink.net
39 -->
40
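Review bot: the guide's self-link is changed to /doc/en/vpnc-howto.xml while the file is still committed under xml/htdocs/doc/en/draft/ (see the Revision/Path line above), so the link attribute will not match the document's real location until it is moved out of draft; either keep the draft link for now or move the file in the same commit. Also, now that the address lives in the new '<mail link="...">David H. Askew</mail>' element, the '<!-- My email address is dhaskew on earthlink.net -->' comment directly below it is redundant and can be dropped instead of only having its trailing whitespace trimmed.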
41 @@ -23,7 +23,7 @@
42 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
43 <license/>
44
45 -<version>0.10</version>
46 +<version>0.11</version>
47 <date>2005-08-07</date>
48
49 <chapter>
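Review bot: the version is bumped from 0.10 to 0.11 but the '<date>2005-08-07</date>' line two lines below is left alone; Gentoo guides bump the date together with the version, so this should become the date of this change.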
50 @@ -47,7 +47,7 @@
51 <body>
52
53 <ul>
54 - <li>A guide to the basic workings of vpnc</li>
55 + <li>A guide to the basic workings of <c>vpnc</c></li>
56 <li>A discussion of DNS and routing issues that relate to VPNs</li>
57 <li>Examples of managing VPN sessions</li>
58 <li>Useful tips and tricks (hopefully)</li>
59 @@ -61,7 +61,7 @@
60
61 <ul>
62 <li>An in-depth guide to VPN / encryption technologies</li>
63 - <li>A feature by feature explanation of vpnc</li>
64 + <li>A feature by feature explanation of <c>vpnc</c></li>
65 </ul>
66
67 </body>
68 @@ -115,10 +115,11 @@
69 </p>
70
71 <pre caption="Checking the kernel config">
72 -# <i>cat /usr/src/linux/.config | grep TUN</i>
73 +# <i> grep "TUN" /usr/src/linux/.config</i>
74 CONFIG_INET_TUNNEL=m
75 # CONFIG_INET6_TUNNEL is not set
76 # CONFIG_IPV6_TUNNEL is not set
77 +<comment>(TUN/TAP enabled as a module)</comment>
78 CONFIG_TUN=m
79 # CONFIG_8139TOO_TUNE_TWISTER is not set
80 </pre>
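Review bot: the new command line has a stray space inside the <i> element ('# <i> grep "TUN" /usr/src/linux/.config</i>'), which renders as '#  grep'; remove it. grep "TUN" also matches CONFIG_INET_TUNNEL and CONFIG_8139TOO_TUNE_TWISTER, which is why the added '(TUN/TAP enabled as a module)' comment is needed to steer the reader to CONFIG_TUN=m; grep '^CONFIG_TUN=' would give a one-line answer and need no comment. A sentence that a running kernel built with CONFIG_IKCONFIG_PROC can be checked via /proc/config.gz would also help readers whose /usr/src/linux/.config is not the kernel they boot.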
81 @@ -153,7 +154,7 @@
82 </pre>
83
84 <p>
85 -If you build TUN/TAP support as a module, you first must load the <c>tun</c>
86 +If you build TUN/TAP support as a module, you first must load the <c>tun</c>
87 module:
88 </p>
89
90 @@ -166,7 +167,7 @@
91 </pre>
92
93 <p>
94 -Now that the <c>tun</c> module is loaded, check <c>dmesg</c> output. You
95 +Now that the <c>tun</c> module is loaded, check <c>dmesg</c> output. You
96 should see something like the following:
97 </p>
98
99 @@ -185,12 +186,12 @@
100 <body>
101
102 <p>
103 -Now that you have a working kernel setup, you need to install
104 +Now that you have a working kernel setup, you need to install
105 <c>net-misc/vpnc</c>:
106 </p>
107
108 <pre caption="Installing vpnc">
109 -# <i>emerge net-misc/vpnc</i>
110 +# <i>emerge -av net-misc/vpnc</i>
111 </pre>
112
113 </body>
114 @@ -209,7 +210,7 @@
115 255.255.255.0 network. The LAN in question is run by a Gentoo box using an
116 iptables firewall, DHCP, caching DNS, etc ... and it masquerades the LAN
117 behind the public IP address it receives from an ISP. You also have a
118 -workstation on the LAN from which you want to be able to VPN into your
119 +workstation on the LAN from which you want to be able to VPN into your
120 office with.
121 </p>
122
123 @@ -268,19 +269,18 @@
124 <body>
125
126 <p>
127 -Now that you have vpnc installed and we have an example to work from, let's
128 -discuss the basics of setting up vpnc. The configuration file for vpnc
129 -connection settings can be located in a couple places, depending on how many
130 -profiles you want to setup. By default, vpnc looks first for
131 -<path>/etc/vpnc/default.conf</path> for its connection settings. If it doesn't
132 +Now that you have <c>vpnc</c> installed and we have an example to work from,
133 +let's discuss the basics of setting up <c>vpnc</c>. The configuration file for
134 +<c>vpnc</c> connection settings can be located in a couple places, depending on
135 +how many profiles you want to setup. By default, <c>vpnc</c> looks first for
136 +<path>/etc/vpnc/default.conf</path> for its connection settings. If it doesn't
137 find that file, then it looks for <path>/etc/vpnc.conf</path>. This setup will
138 -only address a single profile example and will use the configuration file
139 +only address a single profile example and will use the configuration file
140 location <path>/etc/vpnc.conf</path>. Make sure you do not have a
141 <path>/etc/vpnc/default.conf</path> file.
142 </p>
143
144 -<pre caption="Example vpnc configuration file">
145 -# <i>cat /etc/vpnc.conf</i>
146 +<pre caption="Example /etc/vpnc.conf file">
147 IPSec gateway vpngateway.domain.org
148 IPSec ID group_id
149 IPSec secret group_password
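Review bot: the example /etc/vpnc.conf holds the group secret in clear text ('IPSec secret group_password') and, according to the later note, may also hold the Xauth password, yet nothing in this section tells the reader to protect the file; since vpnc is run as root anyway, add a 'chmod 600 /etc/vpnc.conf' (root-owned) step right after the example. Dropping '# <i>cat /etc/vpnc.conf</i>' from the <pre> is fine now that the caption names the file.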
150 @@ -289,25 +289,24 @@
151 </pre>
152
153 <p>
154 -The configuration file example above should be modified to reflect the
155 -appropriate values for your setup. The gateway option
156 -<c>vpngateway.domain.org</c> can be a fully qualified domain name or an IP
157 -address. The ID and secret options should be given to you by a network
158 -administrator. If they are hesitant about giving you this info and you
159 -currently have a working setup on a Windows box which utilizes the official
160 -Cisco VPN client, then all you have to do is export your profile. The
161 +The configuration file example above should be modified to reflect the
162 +appropriate values for your setup. The gateway option
163 +<c>vpngateway.domain.org</c> can be a fully qualified domain name or an IP
164 +address. The ID and secret options should be given to you by a network
165 +administrator. If they are hesitant about giving you this info and you
166 +currently have a working setup on a Windows box which utilizes the official
167 +Cisco VPN client, then all you have to do is export your profile. The
168 user name and password options are for your normal network
169 sign-on, such as a Windows NT domain account.
170 </p>
171
172 <p>
173 If you are forced to export your profile from a Windows machine, then what you
174 -will likely have is a file ending in <path>.pcf</path>. This file will have
175 +will likely have is a file ending in <path>.pcf</path>. This file will have
176 all the information you need. Below is an example:
177 </p>
178
179 -<pre caption="Example .pcf file">
180 -# <i>cat example.pcf</i>
181 +<pre caption="Example profile.pcf file">
182 [main]
183 Description=
184 Host=VPNGATEWAY.DOMAIN.ORG
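Review bot: this hunk only rewraps, but it keeps the advice that if the administrator is 'hesitant about giving you this info' the reader should export a profile from a Windows client to obtain the group ID and secret; the group secret is a shared credential and an admin may be withholding it on purpose, so the text should say to ask for authorisation rather than present the .pcf export as a way around the refusal.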
185 @@ -347,19 +346,19 @@
186 </pre>
187
188 <p>
189 -In the above example, we can see entries for <c>Host</c>, <c>GroupName</c> and
190 -<c>enc_GroupPwd</c>. Your <c>Username</c> and <c>UserPassword</c> may or may
191 +In the above example, we can see entries for <c>Host</c>, <c>GroupName</c> and
192 +<c>enc_GroupPwd</c>. Your <c>Username</c> and <c>UserPassword</c> may or may
193 not be exported depending on the setup.
194 </p>
195
196 <note>
197 -The vpnc configuration file uses an unencrypted group password (IPSec secret),
198 -so if you do not know the group password, but you have a copy of the encrypted
199 -group password from an exported profile, then you need not worry. The encoding
200 -scheme for these group passwords is widely known, and all you have to do is
201 -visit a web page that will offer to decrypt it for you. The
202 +The <c>vpnc</c> configuration file uses an unencrypted group password (IPSec
203 +secret), so if you do not know the group password, but you have a copy of the
204 +encrypted group password from an exported profile, then you need not worry.
205 +The encoding scheme for these group passwords is widely known, and all you
206 +have to do is visit a web page that will offer to decrypt it for you. The
207 <uri link="http://www.unix-ag.uni-kl.de/~massar/vpnc/">vpnc homepage</uri>
208 -has <uri link="http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode">a
209 +has <uri link="http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode">a
210 link</uri> to such a page.
211 </note>
212
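Review bot: the note still describes enc_GroupPwd both as an 'encrypted group password' and as an 'encoding scheme'; it is reversible obfuscation, so say obfuscated and use one term. More importantly it tells the reader to 'visit a web page that will offer to decrypt it for you', which hands the group secret to a third party over the network; point at a local decoder first (later vpnc releases ship cisco-decrypt for exactly this, and pcf2vpnc to convert a whole .pcf into a vpnc config) and keep the web link only as a fallback.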
213 @@ -374,24 +373,25 @@
214 start <c>vpnc</c> you do the following:
215 </p>
216
217 -<pre caption="Example vpnc-connect usage">
218 -# <i>vpnc-connect</i>
219 -Enter password for username@×××××××××××××××××.org:
220 +<pre caption="Example vpnc usage">
221 +# <i>vpnc</i>
222 +Enter password for username@×××××××××××××××××.org:
223 VPNC started in background (pid: 14788)...
224 </pre>
225
226 <p>
227 -As you can see from the above command output, once you type <c>vpnc-connect</c>
228 -(as root), you are prompted for your password. After entering your password,
229 -which will not be echoed back to you, the vpnc process will automatically
230 +As you can see from the above command output, once you type <c>vpnc</c>
231 +(as root), you are prompted for your password. After entering your password,
232 +which will not be echoed back to you, the <c>vpnc</c> process will automatically
233 become a background process.
234 </p>
235
236 <note>
237 -If you specified the <c>Xauth password</c> option in your vpnc config file, then
238 -you will not be prompted for your password at vpnc startup. Additionally, if
239 -vpnc needs some extra options not specified in the configuration file, or if
240 -you have forgotten something, don't worry, it will ask you for it.
241 +If you specified the <c>Xauth password</c> option in your <c>vpnc</c> config
242 +file, then you will not be prompted for your password at <c>vpnc</c> startup.
243 +Additionally, if <c>vpnc</c> needs some extra options not specified in the
244 +configuration file, or if you have forgotten something, don't worry, it will
245 +ask you for it.
246 </note>
247
248 <pre caption="Sample interface configuration changes made by vpnc">
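Review bot: the 'Xauth password' note should add that putting that option in the config file stores the user's domain password in clear text on disk, which is the second reason the file needs restrictive permissions; being prompted at startup, as the example shows, is the safer default. Renaming vpnc-connect to vpnc is consistent with the script later in the document, which keeps vpnc-disconnect as the counterpart.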
249 @@ -434,7 +434,7 @@
250 </pre>
251
252 <p>
253 -As you can see from the above command output(s), vpnc has done the following:
254 +As you can see from the above command output(s), <c>vpnc</c> has done the following:
255 </p>
256
257 <ul>
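Review bot: the rewritten line 'As you can see from the above command output(s), <c>vpnc</c> has done the following:' now runs past 80 columns, which is the line-length limit the commit message says this change enforces elsewhere; wrap it like the neighbouring paragraphs.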
258 @@ -448,12 +448,12 @@
259
260 <p>
261 At this point, your workstation is capable of communicating with hosts via the
262 -VPN, but only by IP address. As you might have noticed, vpnc did not alter
263 -your <path>/etc/resolv.conf</path>, thus not setting up DNS services for the
264 -virtual link. Also, because vpnc sets your default route to your VPN gateway,
265 -all network traffic will travel across the VPN, even if it destined for the
266 -Internet or elsewhere not specifically specified by additional routes. For
267 -some, this basic type of connection may be satisfactory, but for most,
268 +VPN, but only by IP address. As you might have noticed, <c>vpnc</c> did not
269 +alter your <path>/etc/resolv.conf</path>, thus not setting up DNS services for
270 +the virtual link. Also, because <c>vpnc</c> sets your default route to your VP
271 +gateway, all network traffic will travel across the VPN, even if it destined
272 +for the Internet or elsewhere not specifically specified by additional routes.
273 +For some, this basic type of connection may be satisfactory, but for most,
274 additional steps need to be taken.
275 </p>
276
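Review bot: the rewrap introduces a typo: 'because <c>vpnc</c> sets your default route to your VP' must read 'VPN' (the word was cut when the line was rewrapped). While here, 'even if it destined for the Internet' is missing 'is', and 'elsewhere not specifically specified by additional routes' would read better as 'anywhere not covered by additional routes'.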
277 @@ -465,13 +465,13 @@
278 <li>DNS for the VPN</li>
279 <li>
280 A routing setup that will only send traffic destined for the VPN down
281 - the virtual tunnel. This way, you can browse the Internet while connected
282 + the virtual tunnel. This way, you can browse the Internet while connected
283 to the VPN, without your personal web/p2p etc ... traffic going across the
284 tunnel.
285 </li>
286 <li>
287 - A script to manage all this, because <c>vpnc-connect</c> just doesn't do
288 - enough
289 + A script to manage all this, because <c>vpnc</c> just doesn't do
290 + enough by default.
291 </li>
292 </ul>
293
294 @@ -502,13 +502,13 @@
295 <p>
296 Unfortunately, <c>vpnc</c> doesn't handle the setup and management of DNS for
297 your newly established tunnel. The user is left to decide how DNS should be
298 -handled. You could just overwrite <c>/etc/resolv.conf</c> when you connect, but
299 -that would utilize your VPN DNS for all DNS queries regardless of whether or not
300 -the traffic is destined for your VPN tunnel. This is a very functional solution
301 -and if you simply need to connect to the tunnel, do your work, and then
302 -disconnect, read no further. But, if you want to be able to leave your tunnel
303 -connected for lengthy periods of time and don't want your work DNS servers
304 -handling requests for your personal traffic, read on.
305 +handled. You could just overwrite <path>/etc/resolv.conf</path> when you
306 +connect, but that would utilize your VPN DNS for all DNS queries regardless of
307 +whether or not the traffic is destined for your VPN tunnel. This is a very
308 +functional solution and if you simply need to connect to the tunnel, do your
309 +work, and then disconnect, read no further. But, if you want to be able to
310 +leave your tunnel connected for lengthy periods of time and don't want your
311 +work DNS servers handling requests for your personal traffic, read on.
312 </p>
313
314 <p>
315 @@ -520,12 +520,12 @@
316 </p>
317
318 <note>
319 -We will consider VPN-related DNS queries to be any query belonging to the
320 +We will consider VPN-related DNS queries to be any query belonging to the
321 example.org domain, such as host1.example.org or server1.example.org.
322 </note>
323
324 <p>
325 -So how do you set things up, so that only requests made to hosts on the
326 +So how do you set things up, so that only requests made to hosts on the
327 example.org domain get sent to VPN supplied DNS servers? Well, you're going to
328 need to install a local DNS server, but don't worry, it's much easier than you
329 think. There are several software packages that can handle the type of setup
330 @@ -543,24 +543,24 @@
331 </pre>
332
333 <p>
334 -Now you need to add an option to your <c>dnsmasq</c> startup options. Edit the
335 -following option to suit your needs. Substitute .example.org with the
336 -appropriate domain and the IP address with a valid DNS server that belongs
337 +Now you need to add an option to your <c>dnsmasq</c> startup options. Edit the
338 +following option to suit your needs. Substitute .example.org with the
339 +appropriate domain and the IP address with a valid DNS server that belongs
340 to the VPN tunnel.
341 </p>
342
343 <pre caption="/etc/conf.d/dnsmasq">
344 -<comment># Config file for /etc/init.d/dnsmasq
345 +Config file for /etc/init.d/dnsmasq
346
347 -# See the dnsmasq(8) man page for possible options to put here.</comment>
348 +# See the dnsmasq(8) man page for possible options to put here.
349 DNSMASQ_OPTS="-S /.example.org/192.168.125.10"
350 </pre>
351
352 <p>
353 -Next, make sure that the first entry in <path>/etc/resolv.conf</path>
354 +Next, make sure that the first entry in <path>/etc/resolv.conf</path>
355 is your local host <c>127.0.0.1</c>, followed by the location of the backup DNS
356 -servers that should handle the DNS traffic in case dnsmasq fails to start, or
357 -if it needs to forward a DNS query it doesn't currently have in its cache. An
358 +servers that should handle the DNS traffic in case dnsmasq fails to start, or
359 +if it needs to forward a DNS query it doesn't currently have in its cache. An
360 example <path>/etc/resolv.conf</path> is shown below.
361 </p>
362
363 @@ -593,15 +593,16 @@
364 travel across the link. At this point, you have a VPN tunnel setup and all
365 traffic will travel across the tunnel, unless you specify additional routes. In
366 order to fix this situation you need to know what networks are available to you
367 -on your VPN. The easiest way to find out the needed information is to ask a
368 +on your VPN. The easiest way to find out the needed information is to ask a
369 network administrator, but sometimes they are reluctant to answer such
370 questions. If your local network admin wont provide the needed information,
371 some trial and error experiments will be required.
372 </p>
373
374 <p>
375 -When the VPN tunnel was started, vpnc set the default route to the tunnel. So
376 -you must set your default route back to normal, so that things work as expected.
377 +When the VPN tunnel was started, <c>vpnc</c> set the default route to the
378 +tunnel. So you must set your default route back to normal, so that things
379 +work as expected.
380 </p>
381
382 <pre caption="Resetting your default route">
383 @@ -609,7 +610,7 @@
384 </pre>
385
386 <p>
387 -Earlier, when DNS services were being configured for your VPN, you specified a
388 +Earlier, when DNS services were being configured for your VPN, you specified a
389 DNS server to handle your example.org domain. You need to add a route for the
390 192.168.125.0 subnet so that DNS queries will work.
391 </p>
392 @@ -619,9 +620,9 @@
393 </pre>
394
395 <p>
396 -At this point, you should add any additional routes for known networks. If
397 +At this point, you should add any additional routes for known networks. If
398 your friendly network administrator gave you the required info,
399 -great. Otherwise, you might need to ping hosts you will be connecting to
400 +great. Otherwise, you might need to ping hosts you will be connecting to
401 frequently, to give yourself an idea about what your routing table should look
402 like.
403 </p>
404 @@ -641,8 +642,9 @@
405 </pre>
406
407 <p>
408 -As you can see from the above example, the ping probes to intranet1.example.org
409 -were unsuccessful. So we need to add a route for that subnet.
410 +As you can see from the above example, the ping probes to
411 +<c>intranet1.example.org</c> were unsuccessful. So we need to add a route for
412 +that subnet.
413 </p>
414
415 <pre caption="another route command example">
416 @@ -650,7 +652,7 @@
417 </pre>
418
419 <p>
420 -A few ping and route commands later, you should be well on your way to a
421 +A few ping and route commands later, you should be well on your way to a
422 well working routing table.
423 </p>
424
425 @@ -666,7 +668,7 @@
426 <p>
427 Next is an example script to manage the VPN connection. You could execute it
428 (as root) from an xterm to start a connection to your VPN. Then all you have
429 -to do is press return to disconnect the VPN. Obviously you will need to
430 +to do is press return to disconnect the VPN. Obviously you will need to
431 modify this for your setup, remembering to add all the additional routes that
432 you may need.
433 </p>
434 @@ -677,8 +679,8 @@
435 source /sbin/functions.sh
436
437 ebegin "Connecting to the VPN"
438 -vpnc-connect
439 -eend
440 +vpnc
441 +eend
442
443 ebegin "Modifying the routing table"
444 route add default gw 192.168.0.1
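Review bot: 'eend' after 'vpnc' is called without a status, so the script prints success even when vpnc fails to connect and then goes on to rewrite the routing table; use 'eend $?' and stop before the route commands when the connection failed (for example 'vpnc || exit 1'). The same applies to the other eend calls in this script.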
445 @@ -693,7 +695,7 @@
446
447 ebegin "Disconnecting from the VPN"
448 vpnc-disconnect
449 -eend
450 +eend
451 ebegin "Reconfiguring the default routing table"
452 route add default gw 192.168.0.1
453 eend
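Review bot: same problem as in the connect half: 'eend' after 'vpnc-disconnect' ignores the exit status; make it 'eend $?' so a failed disconnect is reported before the default route is restored.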
454 @@ -711,10 +713,10 @@
455 <body>
456
457 <p>
458 -If you are looking for a linux application that supports RDP (Remote Desktop
459 +If you are looking for a linux application that supports RDP (Remote Desktop
460 Protocol) then give <c>grdesktop</c> a try. It's a GUI app written in Gtk that
461 fits in well with a gnome desktop, but doesn't require it. If you don't want
462 -the GUI configuration dialogs that grdesktop provides, then just install
463 +the GUI configuration dialogs that grdesktop provides, then just install
464 <c>rdesktop</c>. Ultimately, grdesktop is just a frontend for rdesktop.
465 </p>
466
467 @@ -726,19 +728,19 @@
468 <p>
469 If you need to connect to a windows machine which doesn't have a DNS entry, and
470 you know the address of an available WINS server, you can use a tool called
471 -<c>nmblookup</c> to query the WINS server for the host name of the machine you
472 +<c>nmblookup</c> to query the WINS server for the host name of the machine you
473 want to connect to. Unfortunately, you have to install samba to get it, but if
474 you are going to be working with boxes running Windows you might as well want to
475 install samba, because it includes several other useful tools.
476 </p>
477
478 <pre caption="Installing samba">
479 -# <i>emerge samba</i>
480 +# <i>emerge -av samba</i>
481 </pre>
482
483 <p>
484 When you have samba and its tools installed, test <c>nmblookup</c> by
485 -asking the WINS server at IP address 192.168.125.11 about a host named
486 +asking the WINS server at IP address 192.168.125.11 about a host named
487 wintelbox1.
488 </p>
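Review bot: the unchanged context line 'you are going to be working with boxes running Windows you might as well want to install samba' reads oddly; 'you will probably want to install samba anyway' says the same thing, and the hunk already rewraps this paragraph.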
489
490 @@ -780,7 +782,7 @@
491
492 <p>
493 Hopefully by now you have been able to connect to your VPN on choice and are
494 -well on your way to remote office work. Feel free to file a bug at
495 +well on your way to remote office work. Feel free to file a bug at
496 <uri link="http://bugs.gentoo.org">bugs.gentoo.org</uri> should you find a
497 mistake or wish to make a addition or recommendation regarding this document.
498 </p>
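Review bot: two typos in the context lines of this hunk are worth fixing with it: 'connect to your VPN on choice' should be 'of choice', and 'wish to make a addition' should be 'an addition'.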
499
500
501
502 --
503 gentoo-doc-cvs@g.o mailing list