[K12OSN] CISCO vpn client for linux

"Terrell Prudé, Jr." microman at cmosnetworks.com
Mon Oct 11 22:40:09 UTC 2004


If you're dealing w/ hospital-type info, then there's *really* a case 
for PAT'ed addresses in your environment.  And I've got a lawyer using 
K12LTSP in his office.  Works great.

Do let us know how this turns out!  You've got at least me curious.

--TP

Lewis Holcroft wrote:

> Terrell,
>
> I'll try the Terminal Server approach. The fact is I'm not using 
> K12LTSP in a school environment. I'm using it in an office 
> environment. I chose K12LTSP because the adults act like third 
> graders. Not to insult third graders. Many of the things my client 
> wanted to accomplish were already proven in the K12 setup, so it 
> seemed like a good choice. In fact I'm very happy with making that 
> choice.
>
> The connection is to a hospital. Federal Law (HIPAA) imposes mandates 
> in this arena. I'll go back to the vendor and have them work on the 
> problem from a Windows 2000 Terminal Server perspective.
>
> Thanks again
>
> Lewis
>
> On Oct 11, 2004, at 4:06 PM, Terrell Prudé, Jr. wrote:
>
>> Ah...that's unfortunate.  That's not something that the VPN client 
>> can do anything about.  You have to establish the VPN connection on 
>> the server, since, remember, the clients don't actually run anything 
>> besides, essentially, a kernel and an X11 server.
>>
>> You're right; the service provider should know these answers, since 
>> what we're really talking about here (IP connectivity) is 
>> platform-agnostic.  One way to deal with these people is to say that 
>> you've got a Windows 2000 Terminal Server, and that's how "it has 
>> been decided," that connectivity to this application "will take 
>> place," if you get my meaning.  You don't have to tell them *who* 
>> made the decision.  :-)  I've found that this bit of sleight-of-hand 
>> can get answers when "cleaner" methods don't.
>>
>> I would also ask them why they are limiting sessions by IP address 
>> instead of by actual authentication (user/password, certificates, 
>> etc.).  How do they handle schools, like, say, my district, that 
>> use--matter of fact, *have* to use--Port Address Translation on our 
>> firewalls?  Just about everybody today does this for a variety of 
>> reasons.  My district couldn't function as it does without it.
>>
>> --TP
>>
>> Lewis Holcroft wrote:
>>
>>> Terrell,
>>>
>>> I was premature with my excitement. While I am able to get the VPN 
>>> Client running on my sandbox machine, I am not so fortunate with the 
>>> production machine.
>>>
>>> Perhaps you could answer a couple more questions I have? In my case 
>>> the vpn client connection is made by my server. Each user can then 
>>> start the "special" Windows telnet client using wine. I have a 
>>> problem in that the service they connect to only allows one 
>>> session per IP. Do you establish the vpn connection on the server, 
>>> or do you somehow establish it on a per workstation basis? If the 
>>> latter, how is this configured on the workstation sessions?
>>>
>>> I realize the folks that I am trying to connect to should know the 
>>> answers, but the word Linux gives them the heebie-jeebies. Which is 
>>> much better than the "we don't support that" answer.
>>>
>>> Thanks in advance.
>>>
>>> Lewis
>>>
>>>
>>> On Oct 7, 2004, at 6:11 PM, Terrell Prudé, Jr. wrote:
>>>
>>>> Ted thanks you, as does Terrell.  :-)
>>>> Good to hear that it's working.  FWIW, this is exactly how I've 
>>>> gotten a couple more converts to GNU/Linux, so I'm glad to see 
>>>> Cisco supporting our favorite platform.
>>>>
>>>> --TP...er, Ted
>>>>
>>>> Lewis Holcroft wrote:
>>>>
>>>>> Ted! Who's Ted?
>>>>>
>>>>> Sorry TP. It was pre coffee.
>>>>>
>>>>> And once again I'm very excited about getting this to work.
>>>>>
>>>>> Lewis
>>>>>
>>>>> On Oct 7, 2004, at 8:22 AM, Lewis Holcroft wrote:
>>>>>
>>>>>> Ted,
>>>>>>
>>>>>> Thank you very much. This worked like a charm.
>>>>>>
>>>>>> Lewis
>>>>>>
>>>>>> On Oct 6, 2004, at 9:14 PM, Terrell Prudé, Jr. wrote:
>>>>>>
>>>>>>> Lewis Holcroft wrote:
>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> I'm glad to know this is in use and works.
>>>>>>>>
>>>>>>>> I should say I am new to this process and the site I am connecting 
>>>>>>>> to are all Windows folks. So the learning curve is steep.
>>>>>>>>
>>>>>>>> I did run into a problem. I am running the vpnclient on the 
>>>>>>>> server and when it does connect the LAN gets disabled. This is 
>>>>>>>> a problem as all of the local desktops stop responding. Are 
>>>>>>>> folks using the vpnclient on the server or on workstations on 
>>>>>>>> the network? Is this a configurable option?
>>>>>>>>
>>>>>>>> I'm working with no documentation here. So I'm really in the dark.
>>>>>>>>
>>>>>>>> Lewis
>>>>>>>>
>>>>>>>> On Oct 5, 2004, at 7:42 PM, Terrell Prudé, Jr. wrote:
>>>>>>>>
>>>>>>>>> Lewis Holcroft wrote:
>>>>>>>>>
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> I have rolled out a K12LTSP 4.0 cluster of 5 servers (I could 
>>>>>>>>>> upgrade but I just got this installation working and am going 
>>>>>>>>>> to wait a while)  and now that we have all the equipment in 
>>>>>>>>>> we are told that the client needs to use a $MS product. The 
>>>>>>>>>> vendor does not offer a Linux version so....
>>>>>>>>>>
>>>>>>>>>> The first step is to set up a vpn link. The vendor uses CISCO 
>>>>>>>>>> 3000 series product and has sent along a copy of the cisco 
>>>>>>>>>> vpn client version 4.6.00.0045-k9.
>>>>>>>>>>
>>>>>>>>>> This requires the kernel source to install. That was fun to 
>>>>>>>>>> install.
>>>>>>>>>>
>>>>>>>>>> When I start the daemon I get messages about tainting the 
>>>>>>>>>> kernel, which concerns me. Should I be concerned? I think so.
>>>>>>>>>>
>>>>>>>>>> Is anyone running this vpn client?
>>>>>>>>>>
>>>>>>>>>> If so, does it work well or have problems?
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>> Lewis
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I have been using the Cisco VPN Client since v4.0.3B, up to 
>>>>>>>>> and including the 4.6 version specified above, since 4.0.3B 
>>>>>>>>> came out.  Works fine, though for 2.6 kernels, experience has 
>>>>>>>>> taught me that you will need the 4.6 version for reliable 
>>>>>>>>> operation.
>>>>>>>>>
>>>>>>>>> I have successfully done this on Red Hat Linux 9, Slackware 
>>>>>>>>> GNU/Linux 9.1 and 10.0, and SuSE Linux 9.1.  "Tainted" simply 
>>>>>>>>> means that a proprietary, i.e. non-GPL kernel module is 
>>>>>>>>> getting inserted into the kernel.  Doesn't affect operation, 
>>>>>>>>> but I wish Cisco would be less anally retentive about the GPL.
>>>>>>>>>
>>>>>>>>> --TP
>>>>>>>>> _____________________
>>>>>>>>> Do you GNU!? <http://www.gnu.org>
>>>>>>>>> Be virus- and spam-free with Free/Open Source Software (FOSS). 
>>>>>>>>> Check it out! <http://www.mozilla.org/thunderbird>
>>>>>>>>>
>>>>>>>
>>>>>>> In my .pcf file, there's a setting "EnableLocalLan".  Try 
>>>>>>> setting that to 1 and let us know.
>>>>>>>
>>>>>>> --TP
>>>>>>> __________________
>>>>>>
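
Added example (not part of the original thread, and not Cisco's or K12LTSP's code): the "tainted" message discussed in the thread corresponds to bits in /proc/sys/kernel/tainted and to per-module flags in /proc/modules, and this sketch decodes both so an admin can see which module caused the taint. The bit table is a subset of the one in current kernel documentation; the sample values and the module name vendor_vpn are constructed.

```python
import re

# Subset of the kernel documentation's taint table (module-related bits only).
TAINT_BITS = {
    0: ("P", "proprietary module was loaded"),
    1: ("F", "module was force loaded"),
    3: ("R", "module was force unloaded"),
    10: ("C", "staging driver was loaded"),
    12: ("O", "externally-built (out-of-tree) module was loaded"),
    13: ("E", "unsigned module was loaded"),
}

def decode_taint(value):
    """Return [(bit, letter, meaning)] for each set bit of the taint mask."""
    found = []
    bit = 0
    while value >> bit:
        if (value >> bit) & 1:
            # Bits outside the subset above are reported, not guessed at.
            letter, meaning = TAINT_BITS.get(bit, ("?", "see kernel documentation"))
            found.append((bit, letter, meaning))
        bit += 1
    return found

def tainting_modules(proc_modules_text):
    """Map module name -> taint letters from /proc/modules-style text.

    Tainting modules carry a trailing "(LETTERS)" field; clean ones do not.
    """
    result = {}
    for line in proc_modules_text.splitlines():
        m = re.match(r"^(\S+)\s.*\(([A-Z]+)\)\s*$", line)
        if m:
            result[m.group(1)] = m.group(2)
    return result

# Constructed sample input: mask 4097 has bits 0 and 12 set.
SAMPLE_TAINTED = 4097
SAMPLE_MODULES = """\
vendor_vpn 618496 0 - Live 0xffffffffc0a00000 (PO)
e1000 151552 0 - Live 0xffffffffc0900000
"""

if __name__ == "__main__":
    for bit, letter, meaning in decode_taint(SAMPLE_TAINTED):
        print(f"bit {bit:2d} {letter}: {meaning}")
    for name, flags in tainting_modules(SAMPLE_MODULES).items():
        print(f"{name}: taint flags {flags}")
```

On a live system, pass the integer read from /proc/sys/kernel/tainted and the text of /proc/modules instead of the samples.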
 



