Cisco has software VPN clients for Linux, Windows and OS X. One of the most important particularities of the clients is that your VPN administrator has the ability to set your route ruleset and avoid delivering certain traffic (i.e. P2P) to your client computer. One of the most annoying consequences of this issue, is the fact that a multi-homed client can be impossible to configure if the VPN administrator so decides, as the cisco client takes control of your connections.

Fortunately there is an FOSS piece of software which can be very helpful if your host is a Cisco VPN concentrator. This peace of software uses the TUN/TAP device in Linux (modprobe tun) and OSX (no idea about Windows); it can be installed using the appropriate repository of your distribution (OS X: it is in the dawin-ports repository).

An initial configuration can be found in “/etc/vpnc/default.conf”

IPSec gateway         “hostname”
IPSec ID                         “group-id”
IPSec secret                 “group-passwd”
Xauth username         “your USERNAME”
Xauth password         “your password”

Please make sure that you fill in every option. All of these configuration options can be taken from you VPNs pcf, except for the group password. There is very good utility in the internet, cisco decode, for deciphering the group password. Take a look a the references for the appropriate link.

Once you are finished configuring these options you should be able to connect to your VPN concentrator. Remember that you still have to configure VPNC accordingly if you want to have a multi-homed environment. This is the case, i.e., if you are working in a home office connecting through a VPN tunnel to your central office.

With the new version of vnpc new features were added, including the ability to actually type in an split network environment and the DNS / route settings for this setup.

In the following I am using a 192.168.4.5 address in my home computer. The office network I am trying to connect is 172.0.0.0/24. I set up my custom script this way:

#!/bin/sh

# this effectively disables changes to /etc/resolv.conf
INTERNAL_IP4_DNS=

# This sets up split networking regardless
# of the concentrators specifications.
# You can add as many routes as you want,
# but you must set the counter $CISCO_SPLIT_INC
# accordingly
CISCO_SPLIT_INC=1
CISCO_SPLIT_INC_0_ADDR=172.0.0.0
CISCO_SPLIT_INC_0_MASK=255.0.0.0
CISCO_SPLIT_INC_0_MASKLEN=8
CISCO_SPLIT_INC_0_PROTOCOL=0
CISCO_SPLIT_INC_0_SPORT=0
CISCO_SPLIT_INC_0_DPORT=0

. /etc/vpnc/vpnc-script

To use this script you need to call it using:

sudo vpnc –script /etc/vpnc/vpnc-custom

After setting up both configuration files I could connect my computer to my central office and still modify the routes I want my traffic to go through successfully.

EDIT:

I had some troubles using the vpnc script in my home since the connection would drop down every couple of hours. I wrote this quick and dirty hack for my openwrt router which pings 3 hosts inside of the network vpnc is connecting to. If any of the three hosts is reachable, nothing is done. If none of the the hosts are reached, the vpnc connection is restarted.

The following script is run by cron every 10 minutes. Output is being redirected to /dev/null

 */10 * * * * /usr/sbin/vpnc-test > /dev/null; 

#!/bin/sh
HOST0=”ip host 0″
HOST1=”ip host 1″
HOST2=”ip host 2″

if  ((ping -c 1 -q $HOST0 ||  ping -c 1 -q $HOST1 || ping -c 1 -q $HOST2 )); then
echo “VPNC Net is UP”
echo “VPNC Restart Not Needed”
exit 0; else
echo “VPNC Net is DOWN”
echo “VPNC Restart Needed — Restarting”
/usr/sbin/vpnc-disconnect && vpnc;
fi