Cisco VPN client

crackers
2004-02-22, 11:18 AM PST
I've been trying to figure this out and I'm completely stumped. I've got the newest kernel (2174) and have tried both the Cisco 4.0.3 and the 4.0.1.A-k9 clients and neither will work. The only message I can see is from dmesg and it states:

===========================
divert: not allocating divert_blk for non-ethernet device cipsec0
Cisco Systems VPN Client Version 4.0.3 (B) kernel module loaded
divert: no divert_blk to free, cipsec0 not ethernet
===========================

After I get everything started per instructions, my local network is disabled, but ifconfig only shows the lo and eth0 interfaces.

Anyone got a suggestion?

tchung
2004-02-22, 04:16 PM PST
Originally posted by crackers
I've been trying to figure this out and I'm completely stumped. I've got the newest kernel (2174) and have tried both the Cisco 4.0.3 and the 4.0.1.A-k9 clients and neither will work. The only message I can see is from dmesg and it states:

===========================
divert: not allocating divert_blk for non-ethernet device cipsec0
Cisco Systems VPN Client Version 4.0.3 (B) kernel module loaded
divert: no divert_blk to free, cipsec0 not ethernet
===========================

After I get everything started per instructions, my local network is disabled, but ifconfig only shows the lo and eth0 interfaces.

Anyone got a suggestion?


I've used Cisco VPN client 4.0.3 before.

Check if your vpn kernel module has been installed for your new kernel.

$ /sbin/service vpnclient_init status
Module Size Used by Tainted: P
cisco_ipsec 400512 0 (unused)

cipsec0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MULTICAST MTU:1400 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

Also check if your iptables configuration allows IPSEC protocol. You could temporarily stop iptables service and restore it back after VPN session is over.

Thomas

crackers
2004-02-22, 07:27 PM PST
Originally posted by tchung
Check if your vpn kernel module has been installed for your new kernel.
...
Also check if your iptables configuration allows IPSEC protocol. You could temporarily stop iptables service and restore it back after VPN session is over.

Thomas

Thanks, Thomas - but I was already past that point. What I'm trying to figure out is why the vpnclient, when it's started, won't create the network connection. The local connections drop off (as expected), but I don't get the new outbound connection, nor do I get the gateway reset.

crackers
2004-02-23, 07:13 PM PST
Hah! Problem solved...

I was using subnets with my new Netgear Wireless router. The default IP on the router was 192.168.0.1 and my internal boxen were set to use 192.16.1.xxx - so I had a netmask of 255.255.0.0. Changed the router to 192.168.1.xxx and netmask to 255.255.255.0 and voilà!

Pardon me while I go kick myself several times...

Wendell
2004-04-24, 05:32 PM PDT
I'm having trouble installing this client - also 4.0.3 (b) onto Fedora Core 1. It won't build. Lots of errors in the install. In checking out the kernel modules, /lib/modules/2.4.22-1.2188.nptl , the "build" symlink is broken. Could that be the problem? How would I fix it?

Thanks for any help offered!

Here are a couple of samples of the output:

/usr/include/asm/pgalloc.h: At top level:
/usr/include/asm/pgalloc.h:57: error: syntax error before '*' token
/usr/include/asm/pgalloc.h: In function `get_pgd_slow':
/usr/include/asm/pgalloc.h:59: error: `pgd_t' undeclared (first use in this function)
/usr/include/asm/pgalloc.h:59: error: (Each undeclared identifier is reported only once
/usr/include/asm/pgalloc.h:59: error: for each function it appears in.)
/usr/include/asm/pgalloc.h:59: error: `pgd' undeclared (first use in this function)
/usr/include/asm/pgalloc.h:59: error: syntax error before ')' token
/usr/include/asm/pgalloc.h:62: error: `USER_PTRS_PER_PGD' undeclared (first use in this function)
/usr/include/asm/pgalloc.h:63: error: `swapper_pg_dir' undeclared (first use in this function)
/usr/include/asm/pgalloc.h:63: error: `PTRS_PER_PGD' undeclared (first use in this function)
/usr/include/asm/pgalloc.h: At top level:


frag.c:111: error: `KERN_DEBUG' undeclared (first use in this function)
frag.c:111: error: syntax error before string constant
frag.c:116: error: dereferencing pointer to incomplete type
frag.c:116: error: `IP_OFFSET' undeclared (first use in this function)
frag.c:124: error: dereferencing pointer to incomplete type
frag.c:131: error: dereferencing pointer to incomplete type
frag.c:132: error: dereferencing pointer to incomplete type
frag.c:136: error: dereferencing pointer to incomplete type
frag.c:136: error: `IP_MF' undeclared (first use in this function)
frag.c: In function `need_reorder_frag':
frag.c:183: error: dereferencing pointer to incomplete type
frag.c:188: error: dereferencing pointer to incomplete type
frag.c:191: error: `KERN_DEBUG' undeclared (first use in this function)
frag.c:191: error: syntax error before string constant
frag.c:195: error: `IP_MF' undeclared (first use in this function)
frag.c:195: error: `IP_OFFSET' undeclared (first use in this function)
frag.c: In function `handle_fragment':
frag.c:246: error: `KERN_DEBUG' undeclared (first use in this function)
frag.c:246: error: syntax error before string constant
ld: cannot open frag.o: No such file or directory

crackers
2004-04-24, 09:07 PM PDT
You need to have the kernel sources installed in order to compile it - it loads a kernel module to do the VPN "spoofing." For example,


$ ls -l /lib/modules/2.4.22-1.2174.nptl/build
lrwxrwxrwx 1 root root 41 Feb 22 12:47 /lib/modules/2.4.22-1.2174.nptl/build -> ../../../usr/src/linux-2.4.22-1.2174.nptl

Wendell
2004-04-24, 09:33 PM PDT
OK. I've just upgraded kernels by yum or up2date. How do I load the modules? And, which place will be their home? /lib/modules... or usr/src/...?

Thanks

crackers
2004-04-25, 09:21 AM PDT
There's a "vpn_install" script in the tarball - just run that (as root) and it should do the whole thing for you.

Wendell
2004-04-25, 07:32 PM PDT
That's what I've done... several times, and it always says "Failed to make module "cisco_ipsec"." and returns all the errors I mentioned. Here are the last several lines it returns...

frag.c: In function `need_reorder_frag':
frag.c:183: error: dereferencing pointer to incomplete type
frag.c:188: error: dereferencing pointer to incomplete type
frag.c:191: error: `KERN_DEBUG' undeclared (first use in this function)
frag.c:191: error: syntax error before string constant
frag.c:195: error: `IP_MF' undeclared (first use in this function)
frag.c:195: error: `IP_OFFSET' undeclared (first use in this function)
frag.c: In function `handle_fragment':
frag.c:246: error: `KERN_DEBUG' undeclared (first use in this function)
frag.c:246: error: syntax error before string constant
ld: cannot open frag.o: No such file or directory
Failed to make module "cisco_ipsec".

crackers
2004-04-25, 08:25 PM PDT
That's... interesting. KERN_DEBUG is used plenty of times before that line, for example. I honestly haven't had any problems, but I'm on kernel 2.4.22-1.2174.nptl and using the 4.0.3(b) just fine. Double-check frag.c and see if it's okay - this is the MD5SUM I just generated from my copy:

2b8b26045caea33b23512d3c300d1a5f

Wendell
2004-04-25, 08:29 PM PDT
That's the same as mine.
You don't think it would be the /lib/modules/2.4.22-1.2188.nptl/build symlink that I mentioned?

crackers
2004-04-26, 08:08 PM PDT
I thought we'd already gone past that point. Do you or do you not have the kernel source package installed? If you do, that symlink should not be broken. If it is, correct it to point to the correct directory (using mine as an example).

Wendell
2004-04-26, 08:52 PM PDT
How is the kernel source installed separate from installing or upgrading the kernel itself? Do I need to reinstall the current 2.4.22-1.2188 kernel with an additional switch? Or install an rpm? Sorry to be so ignorant on this point.
Here's what my /lib/modules/2.4.22-1.2188 directory looks like:

[root@orion 2.4.22-1.2188.nptl]# ls
build modules.generic_string modules.parportmap modules.usbmap
kernel modules.ieee1394map modules.pcimap unsupported
modules.dep modules.isapnpmap modules.pnpbiosmap vmlinux

But again, the "build" link is broken.

crackers
2004-04-27, 10:16 PM PDT
Okay, I think we found the disconnect - you must install the kernel-sources-*.rpm package that matches your current, running kernel. That fixes the broken link and should take care of your compilation issues.

Wendell
2004-04-28, 06:35 PM PDT
OK, I got the kernel source installed, and it starts to work, then errors out with

Initializing the VPN connection.
Secure VPN Connection terminated locally by the Client
Reason: Failed to establish a VPN connection.

Any clues?

Wendell
2004-04-28, 06:56 PM PDT
Nevermind. I thought I'd created the usc.pcf file as the instructions said with the Host and AuthType, but it only had the username= and password= in it.

Now, it says "Local LAN Access is disabled", and I've seen that before, but with the Windows version, you can check a box to disable that. Is there a switch to allow local LAN access in Linux?

Thanks for ALL your help!

rmh3093
2004-04-28, 07:00 PM PDT
Yeah dude, I know what your problem is.... I've been playing around with the vpnclient on 2.4 and 2.6 kernels. The problem is that when you install a kernel from Red Hat and the source, the name of the kernel is usually like 2.4.22-1.2188.nptl, where the -1.2188.nptl is the custom tag in the makefile before it was compiled. The source, however, by default uses a custom tag in the makefile which looks like -custom. This value needs to be changed to exactly match the kernel you want to compile for. After you edit the makefile, run 'make oldconfig' and 'make dep', and then when the vpnclient install script compiles the module it will install in the correct location for your kernel and have the right dependencies.
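
An added example, not part of any post in this thread: a POSIX shell check for the two conditions discussed above, a `build` link that does not resolve to kernel source and a source-tree Makefile whose version tag differs from the kernel's release. The function names and the demo tree (including its `-custom` tag) are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): verify that the kernel build tree a
# module will be compiled against matches the kernel it must load into.

# Print the release string encoded in a source tree's top-level Makefile.
makefile_release() {
    awk -F'[ \t]*=[ \t]*' '
        $1 == "VERSION"      { v = $2 }
        $1 == "PATCHLEVEL"   { p = $2 }
        $1 == "SUBLEVEL"     { s = $2 }
        $1 == "EXTRAVERSION" { e = $2 }
        END { print v "." p "." s e }' "$1/Makefile"
}

# check_build_tree MODULES_ROOT RELEASE
# 0 = tree matches RELEASE, 1 = build link broken or no source, 2 = mismatch.
check_build_tree() {
    cbt_link="$1/$2/build"
    if [ ! -f "$cbt_link/Makefile" ]; then      # also false for a dangling link
        echo "broken: no kernel source behind $cbt_link"
        return 1
    fi
    cbt_src=$(cd "$cbt_link" && pwd -P)         # resolve the symlink
    cbt_rel=$(makefile_release "$cbt_src")
    if [ "$cbt_rel" != "$2" ]; then
        echo "mismatch: $cbt_src builds $cbt_rel, kernel is $2"
        return 2
    fi
    echo "ok: $cbt_src matches $2"
}

# Constructed demo tree: the source is installed and the link resolves, but the
# Makefile still carries a "-custom" tag instead of the running kernel's tag.
demo_root=$(mktemp -d)
demo_rel=2.4.22-1.2188.nptl
mkdir -p "$demo_root/lib/modules/$demo_rel" "$demo_root/usr/src/linux-$demo_rel"
printf 'VERSION = 2\nPATCHLEVEL = 4\nSUBLEVEL = 22\nEXTRAVERSION = -custom\n' \
    > "$demo_root/usr/src/linux-$demo_rel/Makefile"
ln -s "../../../usr/src/linux-$demo_rel" "$demo_root/lib/modules/$demo_rel/build"
check_build_tree "$demo_root/lib/modules" "$demo_rel" || true
rm -rf "$demo_root"
# On a live system: check_build_tree /lib/modules "$(uname -r)"
```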

crackers
2004-04-28, 07:54 PM PDT
Check and make sure the Cisco service is also running - do this as root:

# /etc/rc.d/init.d/vpnclient_init status

And you should see something like this:

Module Size Used by Tainted: P
cisco_ipsec 400544 0

cipsec0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MULTICAST MTU:1400 Metric:1
RX packets:202357 errors:0 dropped:0 overruns:0 frame:0
TX packets:22719 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)


If not, then (still as root):

# /etc/rc.d/init.d/vpnclient_init start

Then retry your vpn connect and make sure you're using the correct .pcf filename as the one you're really trying to connect to. If that isn't it, I'm afraid I can't help...

Wendell
2004-04-30, 07:41 PM PDT
OK. All is working well. Thanks for your help!!!

kristaga
2005-01-13, 04:03 PM PST
Hallo!



I have had the vpn-client working on my laptop, until now. When I should include it in the new kernel it refuses to work. Output of the install is included. Does anybody know how to help?

It worked with 2.6.9-1.681_FC3. But not with either 2.6.9-1.724_FC3 or 2.6.10-1.737_FC3.


[root@localhost vpnclient]# ./vpn_install
Cisco Systems VPN Client Version 4.0.4 (B) Linux Installer
Copyright (C) 1998-2001 Cisco Systems, Inc. All Rights Reserved.

By installing this product you agree that you have read the
license.txt file (The VPN Client license) and will comply with
its terms.


Directory where binaries will be installed [/usr/local/bin]

Automatically start the VPN service at boot time [yes] y

In order to build the VPN kernel module, you must have the
kernel headers for the version of the kernel you are running.

For RedHat 6.x users these files are installed in /usr/src/linux by
default
For RedHat 7.x users these files are installed in /usr/src/linux-2.4 by
default
For Suse 7.3 users these files are installed in /usr/src/linux-2.4.10.SuSE
by default

Directory containing linux kernel source code
[/lib/modules/2.6.9-1.724_FC3/build]

* Binaries will be installed in "/usr/local/bin".
* Modules will be installed in "/lib/modules/2.6.9-1.724_FC3/CiscoVPN".
* The VPN service will be started AUTOMATICALLY at boot time.
* Kernel source from "/lib/modules/2.6.9-1.724_FC3/build" will be used to
build the module.

Is the above correct [y] y


Shutting down /usr/local/bin/vpnclient: module cisco_ipsec is not running.
Stopped: /etc/init.d/vpnclient_init (VPN init script)
Making module
make -C /lib/modules/2.6.9-1.724_FC3/build SUBDIRS=/usr/src/vpnclient
modules
make[1]: Entering directory `/lib/modules/2.6.9-1.724_FC3/build'
CC [M] /usr/src/vpnclient/linuxcniapi.o
CC [M] /usr/src/vpnclient/frag.o
CC [M] /usr/src/vpnclient/IPSecDrvOS_linux.o
CC [M] /usr/src/vpnclient/interceptor.o
/usr/src/vpnclient/interceptor.c: In function `add_netdev':
/usr/src/vpnclient/interceptor.c:49: sorry, unimplemented: inlining failed
in call to 'supported_device': function body not available
/usr/src/vpnclient/interceptor.c:226: sorry, unimplemented: called from
here
make[2]: *** [/usr/src/vpnclient/interceptor.o] Error 1
make[1]: *** [_module_/usr/src/vpnclient] Error 2
make[1]: Leaving directory `/lib/modules/2.6.9-1.724_FC3/build'
make: *** [default] Error 2
Create module directory "/lib/modules/2.6.9-1.724_FC3/CiscoVPN".
Copying module to directory "/lib/modules/2.6.9-1.724_FC3/CiscoVPN".
Creating start/stop script "/etc/init.d/vpnclient_init".
Enabling start/stop script for run level 3,4 and 5.
Updating VPN configuration file
"/etc/CiscoSystemsVPNClient/vpnclient.ini".

Installing license.txt (VPN Client license) in
"/etc/CiscoSystemsVPNClient/":

Installing bundled user profiles in
"/etc/CiscoSystemsVPNClient/Profiles/":
* Replaced Profiles: sample


Copying binaries to directory "/usr/local/bin".

Setting permissions.
/usr/local/bin/cvpnd (setuid root)
/etc/CiscoSystemsVPNClient (world writeable)
/etc/CiscoSystemsVPNClient/Profiles (world writeable)
/etc/CiscoSystemsVPNClient/Certificates (world writeable)
* You may wish to change these permissions to restrict access to root.

* You must run "/etc/init.d/vpnclient_init start" before using the client.
* This script will be run AUTOMATICALLY every time you reboot your
computer.
[root@localhost vpnclient]# chmod -R o-w /etc/CiscoSystemsVPNClient/
[root@localhost vpnclient]# /etc/init.d/vpnclient_init start
Starting /usr/local/bin/vpnclient: insmod: error inserting
'/lib/modules/2.6.9-1.724_FC3/CiscoVPN/cisco_ipsec.ko': -1 Invalid module
format
Failed (insmod)
[root@localhost vpnclient]#
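
The installer output above reports three world-writable configuration directories next to a setuid-root daemon, and the session then runs `chmod -R o-w` on them. As an added example (not part of the post or of Cisco's installer), this audit counts world-writable and group-writable entries before and after that command; the function names are hypothetical and the 777 mode of the constructed tree is an assumption, since the installer only says "world writeable".

```sh
#!/bin/sh
# Added example (not from the thread): audit a config tree for the loose
# permissions the installer reports, before and after the chmod used above.

# Print one line per entry under DIR that "other" or "group" may write to.
loose_perms() {
    find "$1" ! -type l -perm -0002 -print | sed 's/^/world-writable /'
    find "$1" ! -type l ! -perm -0002 -perm -0020 -print | sed 's/^/group-writable /'
}

# count_loose KIND DIR: number of findings of KIND (world-writable|group-writable).
count_loose() {
    loose_perms "$2" | grep -c "^$1 " || true   # grep -c exits 1 on zero matches
}

# report LABEL DIR: one summary line for the current state of DIR.
report() {
    echo "$1: world-writable=$(count_loose world-writable "$2")" \
         "group-writable=$(count_loose group-writable "$2")"
}

# Constructed stand-in for /etc/CiscoSystemsVPNClient with the layout the
# installer lists; directory mode 777 is an assumption.
demo_cfg=$(mktemp -d)
mkdir -p "$demo_cfg/Profiles" "$demo_cfg/Certificates"
printf 'constructed placeholder profile\n' > "$demo_cfg/Profiles/sample.pcf"
chmod 644 "$demo_cfg/Profiles/sample.pcf"
chmod 777 "$demo_cfg" "$demo_cfg/Profiles" "$demo_cfg/Certificates"

report "as installed" "$demo_cfg"
chmod -R o-w "$demo_cfg"            # the command used in the session above
report "after o-w" "$demo_cfg"      # group write is still set at this point
chmod -R go-w "$demo_cfg"           # leaves write access to the owner only
report "after go-w" "$demo_cfg"
rm -rf "$demo_cfg"
```

On a real installation, run `loose_perms /etc/CiscoSystemsVPNClient` as root and confirm the tree is owned by root before relying on the result.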

crackers
2005-01-13, 08:04 PM PST
http://fedoraforum.org/forum/showthread.php?t=30438