Создание VPN с помощью vpnc на CentOs 5.x

The vpnc program is used to connect to Cisco VPNs. Although Cisco provides a Linux client, it can often be problematic to build, especially on 64 bit or SMP systems. Additionally, vpnc is quick to install and easy to configure.

Start by installing and enabling the rpmforge repo. Once that is done, vpnc can be installed with

yum -y install vpnc 

This will install vpnc, create an /etc/vpnc directory and also install the pcf2vpnc script. The /etc/vpnc directory contains a default sample vpnc.conf and a vpnc-script. The directory and files are owned by root. The vpnc-script must be made executable. As root or with root privilege

chmod 700 /etc/vpnc/vpnc-script

Next create a customized vpnc.conf file. By default, vpnc first looks in /etc/vpnc/ for a file called defaults.conf. If it doesn’t find that, it will then look for /etc/vpnc.conf. The user can either call their custom file vpnc.conf and put it in /etc, or give it its own name and put it in /etc/vpnc. The file should have a .conf suffix, for example, mycompany.conf. If using a custom name, then, when using vpnc, the .conf file will be given as an argument, without the .conf suffix, and the command will be run as

 vpnc company

For purposes of this example, the customized config file will be called vpnc.conf and placed directly in /etc. It might be useful to rename the sample vpnc.conf in /etc/vpnc to avoid any confusion, but the program itself will not try to use the default vpnc.conf in /etc/vpnc. It only looks for a vpnc.conf in /etc.

The next step is to create the customized .conf file. Your company will have provided you with a .pcf file. This file will contain various information, including the group ID, group password, and server’s address. It may include additional information, such as your individual user name and password, and IKE Authmode.

To create a .conf file to use with vpnc, use the pcf2vpnc script. If the supplied pcf file is called company.pcf, the command is

pcf2vpnc company.pcf vpnc.conf

You will get a message that it can’t execute cisco-decrypt and it is adding the password in obfuscated form. This is fine. The cisco-decrypt script will, strangely enough, decrypt the encoded password that is in the pcf, however, vpnc can use the encrypted password. There will also be a message that it was written to vpnc.conf with permissions of 100664 and a message to fix the permissions. Do so. Assuming that this has been done as root or with root privilege, it is owned by root. If not, first change its ownership.

chown root vpnc.conf

Then change it to be read write for root only.

chmod 600 vpnc.conf
mv vpnc.conf /etc/

If your individual username and password were in the file, they will also be included in the newly created vpnc.conf file. This is relatively rare, and it’s more likely that the file will have the lines

# Xauth username <your username>
# Xauth password <your password>

Either add the username and password, (uncommenting the two lines) or, if preferring to enter username and password each time, change it to read

Xauth interactive

As a Cisco VPN may supply its own DNS servers, the vpnc-script will backup /etc/resolv.conf and replace it. If all goes well, after disconnecting, it will put back the backed up /etc/resolv.conf, but the reader might want to make their own copy before running the command, just in case.

cp /etc/resolv.conf /etc/resolv.conf.orig

Once this is done, you can use the program by typing (as root or with root privilege)


When finished with your vpnc session, disconnect with


After disconnecting, the reader may want to confirm that the vpnc-script replaced the original /etc/resolv.conf. If for some reason it didn’t, and you took the advice above about backing up your resolv.conf file, you can manually put it back with cp /etc/resolv.conf.orig /etc/resolv.conf

This is usually not necessary unless you forgot to disconnect when finished and your session timed out, leaving you with your company’s (probably internal) name servers in the resolv.conf created by the Cisco VPN.