EBC Exercise 07 Connecting to Rose VPN


Revision as of 14:40, 9 September 2020

Embedded Linux Class by Mark A. Yoder


Here are instructions for connecting to Rose-Hulman's VPN. Two methods are presented: one uses the open-source openconnect client (https://www.infradead.org/openconnect/), the other uses the client from https://www.globalconnect.net/ (Rose Global Connect Instructions).

openconnect

To install openconnect, simply:

bone$ sudo apt update
bone$ sudo apt install openconnect

Once installed, make sure you have version 8 or newer.

bone$ openconnect --version
OpenConnect version v8.02-1+deb10u1
Using GnuTLS. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp

Run it in the background with the following, using your name instead of mine.

bone$ sudo openconnect --pid-file=/tmp/oc.pid --background --user=yoder@rose-hulman.edu --protocol gp gp.rose-hulman.edu
POST https://gp.rose-hulman.edu/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Connected to 137.112.9.46:443
SSL negotiation with gp.rose-hulman.edu
Connected to HTTPS on gp.rose-hulman.edu
Enter login credentials
PASSWORD: 
POST https://gp.rose-hulman.edu/ssl-vpn/login.esp
GlobalProtect login returned authentication-source=RADIUS - GlobalProtect
POST https://gp.rose-hulman.edu/ssl-vpn/getconfig.esp
Tunnel timeout (rekey interval) is 720 minutes.
Idle timeout is 600 minutes.
No MTU received. Calculated 1431 for SSL tunnel. No ESP keys received
POST https://gp.rose-hulman.edu/ssl-vpn/hipreportcheck.esp
WARNING: Server asked us to submit HIP report with md5sum 648914735cb358e4739bb5f749ca1c8d.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
Set up UDP failed; using SSL instead
Connected as 137.112.193.200, using SSL, with ESP disabled
Continuing in background; pid 24042

This starts the VPN, runs it in the background, and saves the process id (pid) in /tmp/oc.pid. The Rose IP address in this case is 137.112.193.200. We can later stop the VPN using the pid saved in that file.

You can verify the IP address with

bone$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
...
5: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether c8:a0:30:a6:26:ea brd ff:ff:ff:ff:ff:ff
    inet 192.168.7.2/24 brd 192.168.7.255 scope global usb0
       valid_lft forever preferred_lft forever
...
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1431 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 137.112.193.200/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::3eba:b33c:a268:299d/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

When you are done with the VPN:

bone$ sudo kill `cat /tmp/oc.pid`
POST https://gp.rose-hulman.edu/ssl-vpn/logout.esp
SSL negotiation with gp.rose-hulman.edu
Connected to HTTPS on gp.rose-hulman.edu
Invalid user name
Logout failed.
RTNETLINK answers: No such process
RTNETLINK answers: No such process
User cancelled (SIGINT/SIGTERM); exiting
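The two steps above (reading the tunnel address out of `ip a` and stopping openconnect via the pid file) can be scripted. The following is an added example, not code from the eLinux page or the openconnect project; it assumes the pid file path from the page (/tmp/oc.pid) and uses an abbreviated, constructed copy of the `ip a` output shown above as sample input. It validates the pid file before signalling, so a missing, empty or corrupted file never turns into `kill` with a bad argument.

```shell
#!/bin/sh
# Helpers for the openconnect workflow on this page: extract a tunnel
# address from `ip a` output and sanity-check /tmp/oc.pid before using it.
# Added example; not part of the eLinux page or the openconnect project.

# Print the first IPv4 address (without prefix length) of interface $1,
# reading `ip a` style output from stdin. Prints nothing if not found.
iface_ip4() {
    awk -v want="$1" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur) }   # "12: tun0: <...>" opens a block
        cur == want && $1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }
    '
}

# Echo the pid stored in file $1 only if the content is a single positive
# integer; return 1 for a missing, empty or garbled file.
read_pidfile() {
    pid=$(tr -d '[:space:]' 2>/dev/null < "$1") || return 1
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Stop the VPN the way the page does (SIGTERM to the saved pid), but refuse
# when the pid file is unusable or the process is already gone.
# Needs the same privileges openconnect was started with (sudo on the page).
stop_vpn() {
    pid=$(read_pidfile "${1:-/tmp/oc.pid}") || { echo "unusable pid file" >&2; return 1; }
    kill -0 "$pid" 2>/dev/null || { echo "pid $pid is not running" >&2; return 1; }
    kill -TERM "$pid"
}

# Constructed sample: abbreviated `ip a` output as shown on the page.
SAMPLE_IP_A='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
5: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.7.2/24 brd 192.168.7.255 scope global usb0
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1431 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 137.112.193.200/32 scope global tun0
    inet6 fe80::3eba:b33c:a268:299d/64 scope link stable-privacy'

# Look up interface $1 in the constructed sample (on a live bone use: ip a | iface_ip4 tun0).
sample_ip4() { printf '%s\n' "$SAMPLE_IP_A" | iface_ip4 "$1"; }
```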

Global Connect

This is the method used by Rose's VPN provider.

On the bone, get the installation file and untar it.

bone$ cd /tmp
bone$ VERS=PanGPLinux-5.1.1-c17.tgz
bone$ wget -O $VERS https://roseshare.rose-hulman.edu/storage/u.svc/download.dn/fid/5504766564276453800_3845984564090334472
bone$ tar -xvf $VERS

Install.

bone$ sudo apt install ./GlobalProtect_deb_arm-5.1.1.0-17.deb

Run the VPN. Substitute your Rose username for username.

bone$ globalprotect
>> connect -p gp.rose-hulman.edu -u username@rose-hulman.edu
Retrieving configuration...
gp.rose-hulman.edu - Enter login credentials

(e.g. username@rose-hulman.edu)
username(yoder@rose-hulman.edu):
Password:
Discovering network...
Connecting...
Connected
>> quit

You are now connected. Find your Rose IP address.

bone$ ip a show gpd0
3: gpd0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 137.112.193.177/32 scope global gpd0
       valid_lft forever preferred_lft forever

Disconnect when done.

bone$ globalprotect
>> disconnect
>> quit