Connecting to Carleton University VPN with Linux
1. Use your distro's package manager to install 'vpnc'.
2. Download the Windows XP Cisco client from the website provided by Carleton, using the username and password supplied by Carleton. The file is a self-extracting ZIP file with an .exe extension.
3. Use 'unzip' to extract the files to a handy directory. Look for the “.pcf” file, in my case, it was “CarletonIntranetVPN.pcf”. Using information from that file, you will need to populate the vpnc config file. In Ubuntu Natty, that is “/etc/vpnc/default.conf”. (Ubuntu created an 'example.conf' that you can copy and edit. Other distros may do similar or different things.) Copy the values for the fields “Host” and “GroupName” from the .pcf file to the “IPSec gateway” and “IPSec ID” fields of the vpnc config file. For the “Xauth username” and “Xauth password” fields, use the information supplied to you by Carleton, the same info as you used to download the Windows client from the Carleton web site.
4. The “IPSec secret” field is the only slightly tricky bit. The .pcf will include a hash of the required value in the “enc_GroupPwd” field, but vpnc needs the unhashed value. Luckily, this hash can be decoded easily, and there is a web page that will do it for you:
http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode
Decode the value of the “enc_GroupPwd” of the .pcf file and use that for the “IPSec secret” field in the vpnc config file. I understand that you can install a utility (it may even be a part of the vpnc package) to do the decoding locally if you prefer. No other fields are required, at least not for Carleton.
5. You are good to go. Use some variant of 'sudo vpnc-connect' to connect (root privileges are required) and 'sudo vpnc-disconnect' to disconnect. These commands will build the connection, create the /dev/tun0 device, modify the routing tables properly and then tear it all down again afterward. There are also KDE and Gnome helper apps, but I did not investigate or install them.
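The following is an added example, not part of the original post, showing steps 3 to 5 as a small POSIX shell script: it pulls the "Host", "GroupName" and "enc_GroupPwd" fields out of the .pcf file, decodes the group password locally with the 'cisco-decrypt' tool (shipped with the vpnc package on most distros) when it is installed, and writes a vpnc config file with mode 600, since the file holds the Xauth password in clear text. The sample .pcf contents, the host name 'vpn.example.invalid', the group name and the hex value are constructed placeholders, not Carleton's real settings; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): build a vpnc config file
# from the fields of a Cisco .pcf profile, as described in steps 3-4.
# Assumptions: POSIX sh; 'cisco-decrypt' may or may not be installed;
# every sample value below is a constructed placeholder.

# pcf_get FILE KEY -> prints the value of KEY from an INI-style .pcf file.
# Carriage returns are stripped because the file comes from a Windows installer.
pcf_get() {
    tr -d '\r' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# decode_group_pwd HEX -> prints the clear-text group password.
# Uses cisco-decrypt when present; otherwise fails so the caller can
# decode the enc_GroupPwd value another way (e.g. the web page in step 4).
decode_group_pwd() {
    if command -v cisco-decrypt >/dev/null 2>&1; then
        cisco-decrypt "$1"
    else
        echo "cisco-decrypt not installed; decode enc_GroupPwd manually" >&2
        return 1
    fi
}

# make_vpnc_conf PCF USER PASS [SECRET] -> prints the vpnc config on stdout.
# SECRET, when given, is used as-is instead of decoding enc_GroupPwd.
make_vpnc_conf() {
    pcf=$1; user=$2; pass=$3; secret=${4:-}
    gateway=$(pcf_get "$pcf" Host)
    group=$(pcf_get "$pcf" GroupName)
    if [ -z "$gateway" ] || [ -z "$group" ]; then
        echo "missing Host or GroupName in $pcf" >&2
        return 1
    fi
    if [ -z "$secret" ]; then
        secret=$(decode_group_pwd "$(pcf_get "$pcf" enc_GroupPwd)") || return 1
    fi
    printf 'IPSec gateway %s\nIPSec ID %s\nIPSec secret %s\nXauth username %s\nXauth password %s\n' \
        "$gateway" "$group" "$secret" "$user" "$pass"
}

# install_vpnc_conf PCF USER PASS [SECRET] -> writes the config to
# $VPNC_CONF (default /etc/vpnc/default.conf), readable by root only,
# because it contains the group secret and the Xauth password in clear text.
install_vpnc_conf() {
    out=${VPNC_CONF:-/etc/vpnc/default.conf}
    ( umask 077; make_vpnc_conf "$@" > "$out" ) && chmod 600 "$out"
}

# Constructed sample profile mirroring the layout of a Cisco .pcf file
# (CRLF line endings, as extracted from the Windows client).
SAMPLE_PCF=$(mktemp)
printf '[main]\r\nDescription=Example VPN\r\nHost=vpn.example.invalid\r\nAuthType=1\r\nGroupName=examplegroup\r\nenc_GroupPwd=00112233445566778899AABBCCDDEEFF\r\n' > "$SAMPLE_PCF"

# Typical use, run as root after editing the username and password:
#   install_vpnc_conf CarletonIntranetVPN.pcf YOUR_USERNAME YOUR_PASSWORD
#   sudo vpnc-connect
```

Usage note: passing an already-decoded secret as the fourth argument skips 'cisco-decrypt' entirely, which is what you want if you used the web page from step 4 instead. After 'sudo vpnc-connect' it is worth running 'ip route' to confirm the routes actually look the way caveat 1 below describes before trusting the tunnel with anything sensitive.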
Caveats:
1. The tiny bit of investigation I did suggested that the routing table changes were clever enough to keep the local subnet traffic routed locally, but all other traffic would be routed through the VPN. I understand that you can do more clever routing so that you could keep, say, your web surfing, through your own connection while still routing other traffic through the VPN, but I have not investigated this.
2. The Carleton set-up seems to use password-based authentication. Superficial googling suggests that vpnc may not work so well if certificate-based authentication is required. I have not investigated.
3. The command-line approach described here may wreak havoc or otherwise not work with boxes running NetworkManager. My box doesn't, so I don't know. Installing and using the helper apps I alluded to might help in this respect.
4. Your mileage may vary.
Credits: I used the following general guide from Linux Planet:
http://www.linuxplanet.com/linuxplanet/tutorials/6773/1
Thanks also to Singer for the encouragement to 'just do it.'
Michael Walma
