EBC Exercise 07 Connecting to Rose VPN

From eLinux.org
Latest revision as of 14:43, 9 September 2020

Embedded Linux Class by Mark A. Yoder


Here are instructions for connecting to Rose-Hulman's VPN. Two methods are presented: one uses the open-source openconnect client (https://www.infradead.org/openconnect/), the other uses the vendor's own client, which Rose's documentation calls Global Connect but which is Palo Alto Networks GlobalProtect (the PanGPLinux archive and globalprotect command used below). (Rose Global Connect Instructions)

openconnect

To install openconnect, simply:

bone$ sudo apt update
bone$ sudo apt install openconnect

Once installed, make sure you have version 8 or newer; GlobalProtect support (selected below with --protocol gp) arrived in openconnect 8.

bone$ openconnect --version
OpenConnect version v8.02-1+deb10u1
Using GnuTLS. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp

Run it in the background with the following, using your name instead of mine.

bone$ sudo openconnect --pid-file=/tmp/oc.pid --background --user=yoder@rose-hulman.edu --protocol gp gp.rose-hulman.edu
POST https://gp.rose-hulman.edu/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Connected to 137.112.9.46:443
SSL negotiation with gp.rose-hulman.edu
Connected to HTTPS on gp.rose-hulman.edu
Enter login credentials
PASSWORD: 
POST https://gp.rose-hulman.edu/ssl-vpn/login.esp
GlobalProtect login returned authentication-source=RADIUS - GlobalProtect
POST https://gp.rose-hulman.edu/ssl-vpn/getconfig.esp
Tunnel timeout (rekey interval) is 720 minutes.
Idle timeout is 600 minutes.
No MTU received. Calculated 1431 for SSL tunnel. No ESP keys received
POST https://gp.rose-hulman.edu/ssl-vpn/hipreportcheck.esp
WARNING: Server asked us to submit HIP report with md5sum 648914735cb358e4739bb5f749ca1c8d.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
Set up UDP failed; using SSL instead
Connected as 137.112.193.200, using SSL, with ESP disabled
Continuing in background; pid 24042

This starts the VPN, runs it in the background, and saves the process id (pid) in /tmp/oc.pid. The Rose IP address in this case is 137.112.193.200. We can then later stop the VPN using the number in the file.

A few things in that output deserve a note. openconnect connected without asking about the server certificate, which means gp.rose-hulman.edu presented a certificate that chains to a CA the bone already trusts; if openconnect ever asks whether to accept an untrusted certificate, answer no and find out why rather than continuing. The HIP (Host Information Profile) warning means the gateway asked for a posture report that this client did not send; the connection still came up here, but if access is ever restricted without one, openconnect ships a hipreport.sh script that can be passed with --csd-wrapper. Finally, /tmp is world-writable, so a pid file kept there is a weak thing to feed to sudo kill later; a root-owned location such as /run is the safer choice.

You can verify the IP address with

bone$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
...
5: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether c8:a0:30:a6:26:ea brd ff:ff:ff:ff:ff:ff
    inet 192.168.7.2/24 brd 192.168.7.255 scope global usb0
       valid_lft forever preferred_lft forever
...
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1431 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 137.112.193.200/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::3eba:b33c:a268:299d/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

When you are done with the VPN, stop it with the pid saved in the file. The "Invalid user name" and "Logout failed." lines in the output below mean the logout request to the gateway did not succeed, but the client still exits and tun0 is removed; the session on the gateway side is simply left to expire on its own.

bone$ sudo kill `cat /tmp/oc.pid`
POST https://gp.rose-hulman.edu/ssl-vpn/logout.esp
SSL negotiation with gp.rose-hulman.edu
Connected to HTTPS on gp.rose-hulman.edu
Invalid user name
Logout failed.
RTNETLINK answers: No such process
RTNETLINK answers: No such process
User cancelled (SIGINT/SIGTERM); exiting
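The steps above (check the openconnect version, connect in the background with a pid file, read the address off tun0, kill the saved pid) can be wrapped in one script. The following is an added example and not part of the original page: it keeps the page's gateway name, --protocol gp flag and tun0 interface name, but chooses to put the pid file in the root-owned /run instead of /tmp, validates the pid file's contents before passing them to sudo kill, and waits up to ten seconds for tun0 to appear. The sample version line and ip output embedded in it are copied from the listings above so the parsers can be checked offline.

```shell
#!/bin/sh
# Added example, not part of the eLinux page: a small wrapper around the
# openconnect workflow above. Taken from the page: gateway gp.rose-hulman.edu,
# --protocol gp, the tun0 interface name, and the sample output used for the
# self-check. Assumptions of this script: the pid file lives in the root-owned
# /run instead of the world-writable /tmp, and tun0 is given ten seconds to appear.

GATEWAY="gp.rose-hulman.edu"
PIDFILE="/run/openconnect-gp.pid"
TUNDEV="tun0"

# First line of `openconnect --version` copied from the page's listing (constructed test input).
SAMPLE_VERSION="OpenConnect version v8.02-1+deb10u1"
# `ip a show tun0` output copied from the page's listing (constructed test input).
SAMPLE_IP_A='12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1431 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 137.112.193.200/32 scope global tun0
       valid_lft forever preferred_lft forever'

# Print the major version from an "OpenConnect version vX.YY..." line; prints nothing if unparsable.
oc_major_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenConnect version v\([0-9][0-9]*\)\..*/\1/p'
}

# Succeed only for openconnect 8 or newer, which is where GlobalProtect (gp) support arrived.
oc_version_ok() {
    major=$(oc_major_version "$1")
    [ -n "$major" ] && [ "$major" -ge 8 ]
}

# Print the first IPv4 address in `ip a show <dev>` output, or nothing if the device has none.
tun_ipv4() {
    printf '%s\n' "$1" | sed -n 's/^ *inet \([0-9.]*\)\/.*/\1/p' | head -n 1
}

# Accept only a plain decimal pid. The page's kill `cat /tmp/oc.pid` splices file
# contents straight into a root command; validating first means a tampered pid file
# can at worst name the wrong process, never inject extra arguments.
is_pid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Offline check of the parsers against the sample output above; returns 0 on success.
self_check() {
    [ "$(oc_major_version "$SAMPLE_VERSION")" = "8" ] || return 1
    oc_version_ok "$SAMPLE_VERSION" || return 1
    [ "$(tun_ipv4 "$SAMPLE_IP_A")" = "137.112.193.200" ] || return 1
    is_pid "24042" || return 1
    if is_pid "24042 -9 1"; then return 1; fi
    return 0
}

# Bring the tunnel up: refuse an old openconnect, connect in the background, wait for tun0.
vpn_up() {
    user="$1"
    [ -n "$user" ] || { echo "usage: $0 up user@rose-hulman.edu" >&2; return 2; }
    ver=$(openconnect --version 2>&1 | head -n 1)
    oc_version_ok "$ver" || { echo "openconnect 8 or newer required, have: $ver" >&2; return 1; }
    sudo openconnect --pid-file="$PIDFILE" --background --user="$user" --protocol gp "$GATEWAY" || return 1
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        addr=$(tun_ipv4 "$(ip a show "$TUNDEV" 2>/dev/null)")
        if [ -n "$addr" ]; then echo "Rose address on $TUNDEV: $addr"; return 0; fi
        sleep 1
    done
    echo "$TUNDEV did not come up" >&2
    return 1
}

# Tear the tunnel down, but only after checking the pid file really holds a pid.
vpn_down() {
    pid=$(cat "$PIDFILE" 2>/dev/null) || { echo "no pid file at $PIDFILE" >&2; return 1; }
    is_pid "$pid" || { echo "refusing to kill: $PIDFILE does not contain a pid" >&2; return 1; }
    sudo kill "$pid"
}

case "${1:-}" in
    up)   vpn_up "${2:-}" ;;
    down) vpn_down ;;
esac
```

Saved as, say, rosevpn.sh (a name chosen here), it is run as `sh rosevpn.sh up yoder@rose-hulman.edu` to connect and `sh rosevpn.sh down` to disconnect; the password prompt still comes from openconnect itself. The interface name is the one the page's listing shows; if a different tunnel device appears on your system, change TUNDEV or pass openconnect's --interface option.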

Global Connect

This is the method using the client supplied by Rose's VPN vendor. Despite the name used on the Rose share, that client is Palo Alto Networks GlobalProtect: the archive is PanGPLinux and the command is globalprotect.

On the bone, get the installation file and untar it.

bone$ cd /tmp
bone$ VERS=PanGPLinux-5.1.1-c17.tgz
bone$ wget -O $VERS https://roseshare.rose-hulman.edu/storage/u.svc/download.dn/fid/5504766564276453800_3845984564090334472
bone$ tar -xvf $VERS

Install the package. Like any .deb, its maintainer scripts run as root during installation, so only do this with the archive fetched from Rose's share in the previous step.

bone$ sudo apt install ./GlobalProtect_deb_arm-5.1.1.0-17.deb

Run the VPN. Substitute your Rose username for username.

bone$ globalprotect
>> connect -p gp.rose-hulman.edu -u username@rose-hulman.edu
Retrieving configuration...                                            
gp.rose-hulman.edu - Enter login credentials                           

(e.g. username@rose-hulman.edu)
username(yoder@rose-hulman.edu):
Password:
Discovering network...                                                 
Connecting...                                                          
Connected                                                              
>> quit

You are now connected. Find your Rose IP address; the GlobalProtect client names its tunnel interface gpd0.

bone$ ip a show gpd0
3: gpd0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 137.112.193.177/32 scope global gpd0
       valid_lft forever preferred_lft forever

Disconnect when done.

bone$ globalprotect
>> disconnect
>> quit
