Multiple VPN connections at the same time
Feb 22nd, 2008 by Li Zhao
Introduction:
If your company is like mine, you will have multiple VPN profiles on your Cisco VPN client. The issue is that you are only allowed to connect to one VPN at a time. If you need to get to resources at multiple locations, you will need to keep disconnecting and reconnecting between different VPN tunnels. Thanks to my co-worker Alex, who showed me that it’s possible to connect to multiple VPNs with vpnc on Linux, I got it to work on Windows. This has been tested on Windows XP SP2 only.
Requirements:
- Download the Cygwin setup file and run it. Set up Cygwin and select the following packages during installation:
  - Devel -> gcc
  - Devel -> make
  - Libs -> libgcrypt (and the source code as well)
  - Libs -> libgpg (and the source code as well)
  - Perl -> perl
- Download OpenVPN and install it. You can uncheck most of the options if you like, but make sure “TAP-Win32 Virtual Ethernet Adapter” and “Add Shortcuts to Start Menu” (so you can add more virtual interfaces from the Start menu) are selected.
- Download vpnc and copy it to c:\cygwin\tmp
Launch the Cygwin bash shell and run the following commands in the shell:
cd /tmp
tar xvfz vpnc-<version>.tar.gz
Note: <version> is the version that you have downloaded. As of writing the version is 0.5.1. Hence, the command would be “tar xvfz vpnc-0.5.1.tar.gz”
cd vpnc-<version>
Example: cd vpnc-0.5.1
make
make PREFIX=/usr install
Note: PREFIX is optional. By default, the executables are installed under /usr/local. With PREFIX=/usr, they are installed to /usr/bin and /usr/sbin.
mkdir /var/run/vpnc
Multiple Tunnels:
For each VPN tunnel you will need one TAP virtual adapter. If you are planning to use multiple tunnels at the same time, you will need to go to OpenVPN in the Start menu and run “Add a new TAP-Win32 virtual ethernet adapter” once for each additional tunnel.
Note:
There’s a bug in the “vpnc-script-win.js” that came with version 0.5.1. You will need to rename the TAP virtual adapter from “Local Area Connection X” to TAPX, because the included js file doesn’t support spaces in the virtual adapter name. The file also doesn’t add routes correctly. To fix this issue, you will need to use the “vpnc-script-win.js” that was modified to get it to work. Copy the modified “vpnc-script-win.js” file over the existing one located in c:\cygwin\etc\vpnc (or /etc/vpnc if you are in the Cygwin shell).
Setting up Profiles:
You can use the pcf2vpnc command to convert an existing Cisco PCF file and output what is needed to create profiles for vpnc. The profiles need to be stored in c:\cygwin\etc\vpnc (in <profile>.conf format). The installation comes with a default.conf that you can refer to. Alternatively, you can run /usr/sbin/vpnc --long-help to get more help on what you can put in the file. You can also connect by passing all the switches on the command line. Below is an example that will work:
IPSec gateway <IPSEC GATEWAY>
IPSec ID <Group ID>
IPSec secret <Group Password>
IKE Authmode psk
Xauth username <Your Username>
Interface mode tap
Pidfile /var/run/vpnc/<profile>.pid
Local Port <510>
NAT Traversal Mode force-natt
No Detach
## Enable Single DES
When you run pcf2vpnc it will give you IPSec gateway, IPSec ID, IPSec secret (decrypted), Xauth username, IKE Authmode.
Important:
The “No Detach” option is required: if you don’t specify it, the VPN will connect, but you will not be able to access the VPN even though it’s connected. “Local Port” needs to be different for each profile so that there’s no collision. Each profile needs to have its own pid file.
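One way to check a directory of profiles against these rules before connecting. This is an added example, not part of the original post or of vpnc; the function name check_vpnc_profiles and the sample profiles are constructed for illustration, and comparing keywords without regard to case is an assumption.

```shell
#!/bin/sh
# Lint vpnc profiles for the multi-tunnel rules above.
# Prints one finding per line; returns 1 if there are findings, 2 if no profiles.
check_vpnc_profiles() {
    set -- "${1:-/etc/vpnc}"/*.conf
    [ -e "$1" ] || { echo "no *.conf profiles found"; return 2; }
    awk '
    function report(f, msg) { print f ": " msg; bad = 1 }
    FNR == 1   { files[++n] = FILENAME }
               { sub(/\r$/, "") }     # tolerate CRLF files edited on Windows
    /^[ \t]*#/ { next }               # commented-out option, e.g. "## Enable Single DES"
               { key = tolower($0); sub(/^[ \t]+/, "", key) }
    key ~ /^no detach/               { detach[FILENAME] = 1 }
    key ~ /^interface mode[ \t]+tap/ { tap[FILENAME] = 1 }
    key ~ /^enable single des/       { des[FILENAME] = 1 }
    key ~ /^local port[ \t]/         { port[FILENAME] = $3 }
    key ~ /^pidfile[ \t]/            { pid[FILENAME] = $2 }
    END {
        for (i = 1; i <= n; i++) {
            f = files[i]
            if (!(f in detach)) report(f, "missing \"No Detach\"")
            if (!(f in tap))    report(f, "missing \"Interface mode tap\"")
            if (!(f in port))              report(f, "no Local Port set")
            else if (port[f] in portowner) report(f, "Local Port " port[f] " already used by " portowner[port[f]])
            else portowner[port[f]] = f
            if (!(f in pid))             report(f, "no Pidfile set")
            else if (pid[f] in pidowner) report(f, "Pidfile " pid[f] " already used by " pidowner[pid[f]])
            else pidowner[pid[f]] = f
            if (f in des) report(f, "Enable Single DES is active (weak encryption)")
        }
        exit bad + 0
    }' "$@"
}

# Constructed sample: profile "b" reuses the port and pid file of "a" and omits No Detach.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Interface mode tap' 'Pidfile /var/run/vpnc/a.pid' \
        'Local Port 510' 'No Detach' '## Enable Single DES' > "$d/a.conf"
    printf '%s\n' 'Interface mode tap' 'Pidfile /var/run/vpnc/a.pid' \
        'Local Port 510' > "$d/b.conf"
    check_vpnc_profiles "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || true
```

Run it as check_vpnc_profiles /etc/vpnc from the Cygwin shell; no output and exit status 0 mean every profile has its own port and pid file and keeps “No Detach”.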
Depending on your network administrator’s settings, you might need to enable single DES. If your network administrator enables weak encryption, you will need to use “Enable Single
Awesome! great work.
Yeah dude - glad to see it posted! Hopefully it will be useful for other geeks like us!
Just used it again - great write-up
Can you provide details on installing under windows?
Larry,
Basically, you need to set up Cygwin, OpenVPN, and vpnc. Somehow the links I posted above were collapsed together. I just fixed it. Install the required software following these steps.
What additional details would you like to get?
Any ideas on how to set this up on a couple of machines without having to compile vpnc? E.g. maybe I can just install OpenVPN and then some compiled DLLs on the other machines? We have a few Vista 64-bit laptops we want to use this on since Cisco VPN Software is not on that platform (yet?).
I have a problem: make- command not found
g.e: Either you didn’t install make, gcc, and other required development packages in cygwin, or you didn’t launch cygwin shell when you tried to compile the source.
Lex: Sorry, haven’t tried 64bits vista yet.
Hi, I am getting the following error
- make: libgcrypt-config: Command not found
I did install the libgcrypt from the cygwin install. Is there another step I need to make?
Richard
Nevermind, I installed all three libraries and now it compiles correctly.
Is this using a vpn to connect to another vpn?
Let’s say the VPN keeps an IP log, your IP is 1.2.3.4, server A is 2.3.4.5 and server B is 3.4.5.6. When you log in to both, does the log of server B have the IP as 1.2.3.4 or 2.3.4.5?
===
When you are surfing the internet, which IP are you using, Server A’s or B’s, if you used the method above?
This doesn’t act as a proxy to bridge two networks.
Hi,
I’m trying to re-create your setup on an Ubuntu 9.04 server. Created two vpnc profiles and can successfully VPN to each of them. What I can’t re-create though is how to run vpnc simultaneously on both profiles.
Any pointers?
Ronald
This seems to work well, except when I connect with vpnc it doesn’t pick up the routes. Any ideas?
Cool. But I have one note: I’m not sure if I understand you right, but I’m absolutely sure that “no-detach” option means that the process of vpnc doesn’t start in background, so you can stop it with ctrl-c.
This is an interesting and helpful write-up.
What will be more interesting to me is an integrated multiple (virtual) desktop environment, where each (virtual) desktop has its VPN tunnel to a separate department/domain. Do you know of such a solution/product out there? Thanks.
Hi there.
Thank you for a great post. It was very helpful.
Anyone reading this post should bookmark this guy’s contents.
I have a new PC and needed some installation help so I went over to http://www.InstallSoftware.com but they did not provide me with the in-depth info this guy did. He kicks all the bigger sites’ butts.
Thanks Again