EBC Exercise 07 Connecting to Rose VPN

Here are instructions for connecting to Rose-Hulman's VPN from the bone. Two methods are presented: one uses the open-source openconnect client, the other uses the vendor's own GlobalProtect client (Rose Global Connect Instructions). Both leave you with a 137.112.x.x address on a tunnel interface, which is how you can tell the VPN is actually up.

openconnect
To install openconnect:

bone$ sudo apt update
bone$ sudo apt install openconnect

Once installed, make sure you have version 8 or newer and that gp (GlobalProtect) is listed under Supported protocols:

bone$ openconnect --version
OpenConnect version v8.02-1+deb10u1
Using GnuTLS. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp

Run it in the background with the following, using your username instead of mine. You will be prompted for your Rose password; do not put it on the command line, where it would be visible in the shell history and in ps output.

bone$ sudo openconnect --pid-file=/tmp/oc.pid --background --user=yoder@rose-hulman.edu --protocol gp gp.rose-hulman.edu
POST https://gp.rose-hulman.edu/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Connected to 137.112.9.46:443
SSL negotiation with gp.rose-hulman.edu
Connected to HTTPS on gp.rose-hulman.edu
Enter login credentials
PASSWORD:
POST https://gp.rose-hulman.edu/ssl-vpn/login.esp
GlobalProtect login returned authentication-source=RADIUS - GlobalProtect
POST https://gp.rose-hulman.edu/ssl-vpn/getconfig.esp
Tunnel timeout (rekey interval) is 720 minutes.
Idle timeout is 600 minutes.
No MTU received. Calculated 1431 for SSL tunnel.
No ESP keys received
POST https://gp.rose-hulman.edu/ssl-vpn/hipreportcheck.esp
WARNING: Server asked us to submit HIP report with md5sum 648914735cb358e4739bb5f749ca1c8d.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
Set up UDP failed; using SSL instead
Connected as 137.112.193.200, using SSL, with ESP disabled
Continuing in background; pid 24042

This starts the VPN, runs it in the background, and saves the process id (pid) in /tmp/oc.pid. The Rose IP address in this case is 137.112.193.200. We can later stop the VPN using the number in the file.

Two things in that output are worth knowing about. First, the gateway asked for a HIP (host integrity) report and openconnect did not send one. The connection still came up here; if you find traffic through the tunnel is blocked or limited, rerun with --csd-wrapper pointing at the hipreport.sh script that ships with openconnect (dpkg -L openconnect | grep hipreport will show where your package put it). Second, "Set up UDP failed; using SSL instead" means the faster ESP-over-UDP transport was not available, so all traffic goes over the TLS connection; that is slower but works.

Note also that /tmp is world-writable and the pid file is later fed to sudo kill, so any local user who can replace /tmp/oc.pid can choose which process root kills. On a single-user bone this is harmless, but the cleaner habit is a root-owned location such as --pid-file=/run/openconnect.pid.

You can verify the IP address with ip a. The VPN shows up as a new tun0 interface carrying the Rose address; usb0 is the USB link to your host PC.

bone$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
...
5: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether c8:a0:30:a6:26:ea brd ff:ff:ff:ff:ff:ff
    inet 192.168.7.2/24 brd 192.168.7.255 scope global usb0
       valid_lft forever preferred_lft forever
...
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1431 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 137.112.193.200/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::3eba:b33c:a268:299d/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

When you are done with the VPN, send openconnect a SIGTERM using the pid it saved:

bone$ sudo kill $(cat /tmp/oc.pid)
POST https://gp.rose-hulman.edu/ssl-vpn/logout.esp
SSL negotiation with gp.rose-hulman.edu
Connected to HTTPS on gp.rose-hulman.edu
Invalid user name
Logout failed.
RTNETLINK answers: No such process
RTNETLINK answers: No such process
User cancelled (SIGINT/SIGTERM); exiting

The "Invalid user name" / "Logout failed." lines come from the gateway rejecting the logout request; the "RTNETLINK answers: No such process" lines are the disconnect script trying to remove routes that are already gone. Neither matters: the openconnect process exits, the tun0 interface disappears with it, and ip a will no longer show the 137.112.x.x address. Check that before assuming you are off the VPN.
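The start, check and stop steps above fit in a few shell functions. The following is an added example, not code from the original page or from openconnect: it uses the page's gateway (gp.rose-hulman.edu) and --protocol gp, but the pid-file location under /run, the function names and the sample ip a text embedded for offline testing are my own choices. Compared with the bare commands above it keeps the pid file out of /tmp, refuses to kill anything that is not openconnect, and reads the assigned address from the tunnel interface (tun0 here, gpd0 if you use the GlobalProtect client instead).

```shell
#!/bin/sh
# Added example (not from the original page): wrapper for the openconnect
# invocation above. Assumptions: pid file under /run rather than /tmp,
# Linux /proc for the pid check, tun0 as the tunnel interface (set IFACE=gpd0
# for the vendor client). Gateway and protocol are those given on the page.

GATEWAY=${GATEWAY:-gp.rose-hulman.edu}
PIDFILE=${PIDFILE:-/run/openconnect-gp.pid}   # assumption: root-owned dir, not /tmp
IFACE=${IFACE:-tun0}                          # gpd0 for the GlobalProtect client

# Print the IPv4 address of interface $2 found in `ip a` text $1 (nothing if absent).
vpn_addr() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        /^[0-9]+: / { iface = $2; sub(/:$/, "", iface); next }       # "12: tun0: ..." opens a block
        iface == dev && $1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }
    '
}

# True only if $1 is a numeric pid whose command name is openconnect (Linux /proc).
pid_is_openconnect() {
    case $1 in '' | *[!0-9]*) return 1 ;; esac
    [ "$(cat "/proc/$1/comm" 2>/dev/null)" = openconnect ]
}

# Start the tunnel in the background; $1 is your username@rose-hulman.edu.
# The password is still prompted for interactively, never passed as an argument.
vpn_start() {
    sudo openconnect --pid-file="$PIDFILE" --background \
        --user="$1" --protocol=gp "$GATEWAY"
}

# Report the address the gateway assigned, or "down" (exit 1) if the tunnel is gone.
vpn_status() {
    addr=$(vpn_addr "$(ip a)" "$IFACE")
    if [ -n "$addr" ]; then
        echo "up: $addr on $IFACE"
    else
        echo "down"
        return 1
    fi
}

# Stop the tunnel, but only if the pid in the file really belongs to openconnect,
# so a tampered or stale pid file cannot make root kill some other process.
vpn_stop() {
    pid=$(cat "$PIDFILE" 2>/dev/null) || { echo "no pid file at $PIDFILE" >&2; return 1; }
    if pid_is_openconnect "$pid"; then
        sudo kill "$pid"
    else
        echo "pid '$pid' in $PIDFILE is not openconnect; not killing it" >&2
        return 1
    fi
}

# Constructed sample of `ip a` output, modelled on the page's, for testing vpn_addr offline.
SAMPLE_IP_A='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
5: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether c8:a0:30:a6:26:ea brd ff:ff:ff:ff:ff:ff
    inet 192.168.7.2/24 brd 192.168.7.255 scope global usb0
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1431 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 137.112.193.200/32 scope global tun0
    inet6 fe80::3eba:b33c:a268:299d/64 scope link stable-privacy'
```

Source the file (. ./vpn.sh) and then run vpn_start yoder@rose-hulman.edu, vpn_status, and vpn_stop. The pid check reads /proc/PID/comm, which works for any user, so vpn_stop can refuse a bad pid before it ever invokes sudo.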

GlobalProtect
This is the client from Rose's VPN vendor, and the method the Rose instructions describe. On the bone it is a command-line tool with its own prompt (>>).

On the bone, get the installation file and untar it:

bone$ cd /tmp
bone$ VERS=PanGPLinux-5.1.1-c17.tgz
bone$ wget -O $VERS https://roseshare.rose-hulman.edu/storage/u.svc/download.dn/fid/5504766564276453800_3845984564090334472
bone$ tar -xvf $VERS

Install the ARM .deb from the tarball. Installing a local .deb runs the package's maintainer scripts as root, so only install the file you just fetched from the Rose share over HTTPS:

bone$ sudo apt install ./GlobalProtect_deb_arm-5.1.1.0-17.deb

Run the VPN. Substitute your Rose username for username; the password is asked for at the prompt.

bone$ globalprotect
>> connect -p gp.rose-hulman.edu -u username@rose-hulman.edu
Retrieving configuration...
gp.rose-hulman.edu - Enter login credentials (e.g. username@rose-hulman.edu)
username(yoder@rose-hulman.edu):
Password:
Discovering network...
Connecting...
Connected
>> quit

You are now connected. Find your Rose IP address; this client names its tunnel interface gpd0 rather than tun0:

bone$ ip a show gpd0
3: gpd0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 137.112.193.177/32 scope global gpd0
       valid_lft forever preferred_lft forever

Disconnect when done:

bone$ globalprotect
>> disconnect
>> quit