Networking/Security

German Translations FTW!

Alexander Griesser — 2009-12-18T11:20:58+01:00

While configuring a Linksys WRT54G3G today, I found the following great German translation on the webinterface of this router:

Funny stuff...

AMD 64bit SEGFAULT Fix for Cisco VPN Clients on Linux systems

Alexander Griesser — 2009-05-12T19:03:01+01:00

Today someone contacted me about this issue some of you might well be aware of. Even the latest Cisco VPNClient (4.8.02 as to my knowledge) doesn't work on AMD Phenom (64bit) processors, it always segfaults when you start the service or attempt to connect to your VPN gateway.

This guy has really done some great work and has modified the binaries to work on AMD 64bit systems again. Right now, we don't have much feedback of affected people, so if you are affected, go ahead and try the patched versions (links in the download section below) and please give us feedback either in the forums or via the comments system here.

Downloads

vpnclient-linux-x86_64-4.8.01.0640-k9.tar.gz (all CPUs 32bit/Intel 64bit)
vpnclient-linux-x86_64-4.8.01.0640-k9-AMD64_ONLY_by_t3x.tar.gz (ONLY 64bit AMD)
vpnclient-linux-x86_64-4.8.02.0030-k9.tar.gz (all CPUs 32bit/Intel 64bit)
vpnclient-linux-x86_64-4.8.02.0030-k9-AMD64_ONLY_by_t3x.tar.gz (ONLY 64bit AMD)

Links

Configuring my first Linksys SRW224G4 switch

Alexander Griesser — 2008-08-13T11:18:15+01:00

Today I got my first Linksys SRW224G4 switch (I do usually only work with Cisco but the customer looked for something cheaper and so I decided to go for Linksys, a Cisco division).
Alright, plug and play, the Cisco console cable doesn't work so you have to use their serial console cable. Now you get greeted by an ugly interface that reminds me of the good old AS/400 times, log in there and see a somewhat crippled menu where you can just configure a few things, but definetly not everything this switch is capable of.
OK, I activated SSH, HTTPS and so on and tried to connect to the webinterface with Firefox just to find out that the SRW224g4 webgui is broken for gecko based browsers.
Reading through the above mentioned article was really helpful though, especially the comments, where someone said that hitting CTRL-Z when the menu appears gets you into an IOS shell and yes, that works. After you get to the prompt, simply type "lcli", authenticate again et voila, you're in. Damn this freaking web interface, no need for it anymore.

While I was playing around with the IOS interface I tried do a firmware upgrade in parallel using IE7 and the webinterface. After about 30 minuts of waiting for the firmware upgrade to complete, I cancelled it and tried the firmware upgrade from 1.2.1b to 1.2.2b on the CLI using the following commands:

# Save the old firmware
copy image tftp://192.168.0.199/ls-srw224g4-1.2.1b.fw

# Load the new firmware
copy tftp://192.168.0.199/ls_106-12216.ros image

# Reboot the switch
reload

This took about 5 minutes (including backup and reboot) and after reboot the switch was working fine with 1.2.2b (even the ugly login prompt has changed to something more modern).

Unfortunately, the webinterface is now even broken on IE7 as it seems (can't even log in correctly), but I don't mind for now, maybe it's just IE7 or that I didn't allow the webinterface to run and install the MSXML 5.0 active X control (why the hell would a switch need to have such a control running on the client??).

Update: OK, the webinterface works when you enable the HTTP server. I do usually disable HTTP in favor of HTTPS, but I could reproducibly connect to the webserver when HTTP is turned on (in IE7, Firefox is still broken) but I can _NOT_ connect when HTTP is off.

I tend to believe that the people who get fired at Cisco are picked up by Linksys. Good ideas sometimes, good prices, mostly good quality and functionality, but such annoyances might have been the reason why they got fired at Cisco.

New VPN client versions available for download

Alexander Griesser — 2008-08-08T21:07:30+01:00

You can now download the latest and greatest Cisco VPN clients from http://projects.tuxx-home.at.

I did update all of them yesterday and the AnyConnect client will follow soon.
The latest linux client (4.8.02) seems to work good enough with linux kernel 2.6.26+ (although I haven't tested it on my own, but I read some user comments about it on http://forum.tuxx-home.at.

Cisco VPN Client Patch update for 2.6.24 final

Alexander Griesser — 2008-01-25T09:54:46+01:00

As 2.6.24 was released today I had a look at the code and recognized that the "init_net" symbol is now again exported using EXPORT_SYMBOL() instead of EXPORT_SYMBOL_GPL() so the Cisco VPN client can make use of it again.

Below is the updated patch to reflect this change.
Installation instructions:

1. Untar the VPN Client
# tar xzf vpnclient-linux-4.8.01.0640-k9.tar.gz

2. Download the patch
# wget -q http://projects.tuxx-home.at/ciscovpn/patches/vpnclient-linux-2.6.24-final.diff

3. Change to the vpnclient diretory
# cd vpnclient

4. Apply the patch
# patch <../vpnclient-linux-2.6.24-final.diff
patching file GenDefs.h
patching file interceptor.c


Now the patch has been applied and you can safely install the client
#./vpn_install

Downloads:

vpnclient-linux-2.6.24-final.diff

Links:

tuxx-home.at support forum (go here if you have any questions regarding this patch)

Please consider donating if this patch was helpful to you, thanks!

Patch to make the Cisco VPN Client work on Linux 2.6.24+

Alexander Griesser — 2008-01-11T19:40:26+01:00

After hours of reading kernel code, changelogs and coding examples I finally managed to come up with a patch that allows you to use the Cisco VPN client on Linux kernel 2.6.24+.
I've tested it thoroughly, but it still may be able to panic your kernel, so please use with care and don't make me responsible if your system catches fire or something like that.

Update 2008-01-13:
I replaced the old nasty version of the patch with a new version that works around using the GPL-only symbol init_net and therefore deleted the first version of this patch.
You should replace it too if you already downloaded the previous patch which violates the GPL.

Update 2008-01-27:
There's a new version of this patch available for 2.6.24 non-rc kernels. Please have a look here.

The installation instructions are (as always) straight forward, but I'll quote them here for your convenience.

1. Untar the VPN Client
# tar xzf vpnclient-linux-4.8.01.0640-k9.tar.gz

2. Download the patch
# wget -q http://projects.tuxx-home.at/ciscovpn/patches/vpnclient-linux-2.6.24.diff

3. Change to the vpnclient diretory
# cd vpnclient

4. Apply the patch
# patch <../vpnclient-linux-2.6.24.diff
patching file GenDefs.h
patching file interceptor.c

Now the patch has been applied and you can safely install the client
#./vpn_install

Downloads:

vpnclient-linux-2.6.24.diff

Links:

tuxx-home.at support forum (go here if you have any questions regarding this patch)

Please consider donating if this patch was helpful to you, thanks!

New patch to make Cisco VPN Client 4.8.01.0640-k9 work on 64bit systems!

Alexander Griesser — 2007-11-09T18:06:10+01:00

Today I received an e-mail from Stephen Frost who wrote a patch to the latest Cisco VPN client 4.8.01.0640-k9 which should fix the compile problems on 64bit systems.
The client didn't compile on 64bit systems with the following error message during compilation:

interceptor.c:778: error: invalid operands to binary -

Due to the lack of 64bit hardware, I can't confirm that it works so you'll have to do the testing for me ;)

Please add a comment if you tried the patch and report whether it worked or not for you.
Thanks, Stephen!

Downloads:

cisco_skbuff_offset.patch

New Cisco VPN Client 4.8.01.0640-k9 compiles on 2.6.22 out of the box!

Alexander Griesser — 2007-09-24T15:26:49+01:00

Today I received the brandnew Cisco VPN Client for Linux: v4.8.01.0640-k9. It finally contains all necessary fixes to compile flawlessly on recent kernel versions, so all the patching on the old v4.8.0.0490 isn't necessary anymore.
Additionally, the new version is a so called "biarch" archive, that means although the name of the file contains "x86_64" it is suitable for both, 64bit and 32bit systems.

Have fun giving it a try, below are the download links.

Downloads:

vpnclient-linux-x86_64-4.8.01.0640-k9.tar.gz (32bit/64bit biarch archive)

Linux 2.6.22 breaks the Cisco VPN client again - here's the one and only patch

Alexander Griesser — 2007-05-29T16:34:26+01:00

============================== ATTENTION ==============================
This article is _OUTDATED_. No more patches needed for the new Cisco VPN-Client for Linux (v4.8.01.0640-k9).
See the links section for download information.
============================== ATTENTION ==============================

Today I got an e-mail from someone having problems compiling the Cisco VPN client on Linux 2.6.22-rc3. I heard some rumors about network cleanups etc. in the new version of the Linux kernel but didn't pay attention to it until now.
Infact, some things regarding the "sk_buff" structure have been changed and therefore quite some work was needed to make the Cisco VPN client compatible again.

The new patch is backwards compatible and can also be applied for kernel versions below 2.6.22 (that means it incorporates the changes made for 2.6.19 too) and therefore this one is the one and only VPN client patch around here.

If you already patched your VPN Client, you need to undo the previous patch before applying the new one or simply untar the installation archive again into a new directory and apply the new patch onto it.

Installation instructions:

1. Untar the VPN Client
# tar xzf vpnclient-linux-4.8.00.0490-k9.tar.gz

2. Download the patch
# wget -q http://tuxx-home.at/projects/cisco-vpnclient/vpnclient-linux-2.6.22.diff

3. Change to the vpnclient directory
# cd vpnclient

4. Apply the patch
# patch <../vpnclient-linux-2.6.22.diff
patching file frag.c
patching file interceptor.c
patching file IPSecDrvOS_linux.c
patching file linuxcniapi.c
patching file linux_os.h

Now the patch has been applied and you can safely install the client
#./vpn_install

Downloads:

vpnclient-linux-2.6.22.diff

References:

Links:

New Cisco VPN Client 4.8.01.0640-k9 compiles on 2.6.22 out of the box!

Cisco VPN Client and Linux Kernel 2.6.19+ Rev.1

Alexander Griesser — 2007-04-10T15:55:43+01:00

============================== ATTENTION ==============================
This article is _OUTDATED_. You can find an updated version of the patch below in the Links section.
============================== ATTENTION ==============================

I'm still surprised about the huge number of comments and e-mails from people regarding my weblog entry that makes the Cisco VPN Client work again with linux kernels 2.6.19+ and therefore, I'll add another entry on this topic here.

First of all: There's an error in the previous patch.

A nice fellow called Andy Ritger mailed to me yesterday and told me that my patch breaks DNS name resolution inside the tunnel. As I never use name resolution with my tunnels (you know, real geeks know all these funny numbers inside out ) I didn't recognize this bug. Fortunately, he had a solution to this problem too and you can find his modified patch at the end of this entry.

Again, the installation instructions:

1. Untar the VPN Client
# tar xzf vpnclient-linux-4.8.00.0490-k9.tar.gz

2. Download the patch
# wget -q http://tuxx-home.at/projects/cisco-vpnclient/vpnclient-linux-2.6.19+-rev1.diff

3. Change to the vpnclient diretory
# cd vpnclient

4. Apply the patch
# patch <../vpnclient-linux-2.6.19+-rev1.diff
patching file IPSecDrvOS_linux.c
patching file frag.c
patching file interceptor.c
patching file linuxcniapi.c

Now the patch has been applied and you can safely install the client
#./vpn_install

Downloads:

vpnclient-linux-2.6.19+-rev1.diff (old version, doesn't work for 2.6.22)

References:

http://www.speakeasy.org/~aritger/vpnclient-linux-2.6.20.6.diff (the original location of the patch by Andy Ritger)
My weblog entry about the first patch to the vpnclient

Links:

New version of the patch (adapted for Kernel Version 2.6.22) + Release Notes

============================== ATTENTION ==============================
This article is _OUTDATED_. You can find an updated version of the patch above in the Links section.
============================== ATTENTION ==============================