rentzsch.com: tales from the red shed

HOWTO Subjugate Cisco's VPN Client

Notes

Problems:

  1. I do not have access to a version of Cisco’s VPN client which doesn’t kernel panic my Quad, or which works on Intel-based Macs.
  2. VPN Tracker is incompatible with the client’s VPN.
  3. Client’s IT dept turns off “allow LAN access” which means my local network Goes Away when I’m connected.
  4. Client’s VPN doesn’t route to the public Internet, which effectively knocks me completely offline whenever I do connect. Thus, being connected is not a workable/sustainable environment. I treat it like dialup: get on, blast, get off.
  5. Connecting often fails. It’s better to leave a connection up than make many small connections (which works against Problem 4).

Solution: sacrifice a Mac to Cisco duty.

The Cisco VPN client goes out of its way to sever connections when the VPN is brought up. However, I recently noticed that existing incoming connections weren’t severed. This is the crack we’ll pry open to realize our goal of 1) segregating Cisco’s piss-poor software to a machine where it can cause minimal damage and 2) allowing simultaneous access to both VPN resources and local resources.

Recipe:

  1. Dedicate a Mac to Cisco duty. A shame, I know. I use a mini, which I’ll use as the machine’s identifier (the workstation is “the Quad”). It’s best to use a uniprocessor Mac — I don’t think Cisco will ever get their code completely preemptive-clean.
  2. Install a noncurrent version of Mac OS X on the mini. Cisco has a hard time keeping up with Mac OS X releases, and I found running their VPN client with the latest Mac OS X is just asking for kernel panics. Just a couple of steps behind seems ideal. For example, 10.4.5 is the latest version of Mac OS X, so my mini is running 10.4.3.
  3. Enable ssh access on the mini.
  4. Install Cisco’s VPN client on the mini. You will not need to install it on the Quad. Yay!
  5. On the Quad, add a couple of lines to your /etc/hosts file mapping the VPN resources to localhost. Example:
    127.0.0.1 internalwiki.example.com
    127.0.0.1 internalp4.example.com
  6. Run lookupd -flushcache on the command line to force the system to load your changes.
  7. Your basic setup is now complete. Here’s how to connect — the order of operations is important:
    1. ssh from the Quad into the mini, setting up port forwarding. I use something like: sudo ssh -L 80:internalwiki.example.com:80 -L 1666:internalp4.example.com:1666 wolf@mini-vpn.local.
    2. Once ssh is up, connect the mini to the VPN.
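The following script is an added example (not from the original post) for the workstation side of the recipe: it builds both the /etc/hosts lines and the ssh -L arguments from one list of host:port pairs, so the two never drift apart, and reports whether sudo is needed (only when a local port is below 1024, as port 80 is here). The host names, ports and the wolf@mini-vpn.local account are placeholders taken from the post's own example.

```shell
#!/bin/sh
# Added example, not part of the original post. Run on the workstation (the
# "Quad"), not on the mini. Host names, ports and the ssh account are placeholders.

# Constructed list of VPN resources as "hostname:port", space separated.
VPN_HOSTS="internalwiki.example.com:80 internalp4.example.com:1666"
JUMP="wolf@mini-vpn.local"

# Emit the /etc/hosts lines that pin each VPN host name to loopback.
hosts_lines() {
    for entry in $1; do
        printf '127.0.0.1 %s\n' "${entry%%:*}"
    done
}

# Emit the -L arguments. The bind address is written out as 127.0.0.1 so the
# forward only ever listens on loopback: with -g (or a bind_address of 0.0.0.0)
# every host on your LAN could use the workstation as a bridge into the
# client's network, which is exactly what their "no LAN access" rule is for.
forward_args() {
    args=""
    for entry in $1; do
        host=${entry%%:*}
        port=${entry##*:}
        args="$args${args:+ }-L 127.0.0.1:$port:$host:$port"
    done
    printf '%s\n' "$args"
}

# Binding a local port below 1024 needs root; that is the only reason the
# post's ssh command is run under sudo.
needs_root() {
    for entry in $1; do
        [ "${entry##*:}" -lt 1024 ] && return 0
    done
    return 1
}

# Confirm each forwarded port is listening on loopback before you bring the
# VPN up on the mini (step 2 of the connection order). Uses nc -z, which is
# available on Mac OS X and most Linux netcat builds.
tunnel_ready() {
    for entry in $1; do
        nc -z 127.0.0.1 "${entry##*:}" >/dev/null 2>&1 || return 1
    done
    return 0
}

main() {
    echo "# append to /etc/hosts on the workstation, then run: lookupd -flushcache"
    hosts_lines "$VPN_HOSTS"
    echo "# then open the tunnel; -N means no remote shell, just the forwards"
    if needs_root "$VPN_HOSTS"; then
        echo "sudo ssh -N $(forward_args "$VPN_HOSTS") $JUMP"
    else
        echo "ssh -N $(forward_args "$VPN_HOSTS") $JUMP"
    fi
}

main
```

The script only prints the hosts lines and the ssh command; paste the first into /etc/hosts and run the second, then call `tunnel_ready "$VPN_HOSTS"` to verify the listeners before connecting the mini to the VPN. Note that `sudo ssh` runs as root, so it reads root's known_hosts and keys rather than your own; if none of your forwarded ports are privileged, drop the sudo.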

At this point, you should be able to access VPN resources on the Quad. Opening http://internalwiki.example.com in your Quad’s web browser will transparently connect you to your own box, which is ssh-forwarded to the mini, which tosses it over the VPN.

On the mini, when Cisco falls over — and it will fall over — run sudo kextunload /System/Library/Extensions/CiscoVPN.kext && sudo kextload /System/Library/Extensions/CiscoVPN.kext to get it going again. I put mine in a .command file and keep it in the Dock since I need it so often.

Saturday, February 25, 2006
03:08 AM