# Installing Shrew Soft VPN on Linux

*lmmx/devnotes GitHub Wiki*
The University of Manchester provides a Cisco VPN client that pretty much installs itself on Windows, but Linux requires a bit more work to get up and running.

Main ServiceDesk page: *How To: Install the Shrew Soft client on 64-bit linux*

NB: (I advise) do not use the page "How To: Install and use the VPN (Virtual Private Network) software on Linux" - it suggests using the Cisco client and I'm pretty sure this didn't work for me... but I can't really remember.
As the ServiceDesk page suggests, install Shrew Soft by first downloading `ike` from the shrew.net page (most recent stable release).

- Extract it: simply right click and 'extract here' in the file viewer, or, on the command line (see README):

  ```
  tar xvzf ike*
  ```

- Enter the directory in a terminal (`cd ike`), and (as explained in the README) run a command to build the program. First though, this command has some important system requirements to sort out.
These requirements can be installed through the `apt-get` package manager on Linux Mint/Ubuntu as follows:

- C++ compiler: `g++ --version` (the version doesn't matter as long as it's installed, else `sudo apt-get install g++`). It's also advisable to `sudo apt-get install build-essential` (generally important libraries).
- lex or flex: `lex --version` or `flex --version` (these should both be installed on Linux Mint, else `sudo apt-get install flex`).
- libedit: may very likely not be installed, so `sudo apt-get install libedit2 libedit-dev` (this will not do anything if they are already installed).
- bison >= 2.3: `bison --version` (should already be installed, else `sudo apt-get install bison`).
- cmake >= 2.4: `cmake --version` (may very likely not be installed, so `sudo apt-get install cmake`).
- openssl >= 0.9.x: `openssl version` (should already be installed, else `sudo apt-get install openssl`).

Not listed in the README but also a potential source of build problems:

- Qt 4: one possible error message is `Found unsuitable Qt version "" from NOTFOUND, this code requires Qt 4.x`. To avoid it: `sudo apt-get install libqt4-dev`.

(This list is current as of October 2015; feel free to type `sudo apt-get install` and then the first few letters of a package name, then hit tab, to quickly list the available packages.)
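Rather than running each `--version` check by hand, the prerequisite list above can be checked in one go. The script below is an added example, not part of the wiki page or of the Shrew Soft project: it tests for each tool the page names, compares the reported version against the README minimums (bison >= 2.3, cmake >= 2.4, openssl >= 0.9), and prints the `apt-get install` line for whatever is missing, using the package names the page gives. The header paths used to detect the libedit and Qt 4 development packages are assumptions based on the Debian/Ubuntu layout; adjust them if your distribution differs.

```sh
#!/bin/sh
# Added example (not from the wiki or Shrew Soft): check the ike build
# prerequisites listed above and print the apt-get line for missing ones.
# Assumed: Debian/Ubuntu header locations for libedit-dev and libqt4-dev.

# version_ge A B -> exit 0 if dotted version A >= B, comparing component by
# component and ignoring trailing letters such as the "g" in OpenSSL's 1.0.2g.
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}   # drop any non-numeric suffix
    ai=${ai:-0}; bi=${bi:-0}
    [ "$ai" -gt "$bi" ] && return 0
    [ "$ai" -lt "$bi" ] && return 1
  done
  return 0
}

# tool_version CMD ARGS... -> first dotted version number printed by CMD,
# or failure if CMD is not installed.
tool_version() {
  command -v "$1" >/dev/null 2>&1 || return 1
  "$@" 2>&1 | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?[a-z]?' | head -n 1
}

# need_tool MIN CMD ARGS... -> exit 0 if CMD is installed and reports a
# version >= MIN.
need_tool() {
  min=$1; shift
  v=$(tool_version "$@") || return 1
  [ -n "$v" ] && version_ge "$v" "$min"
}

# missing_packages -> prints the apt packages from the page's list that
# appear to be absent (empty output means everything is present).
missing_packages() {
  missing=""
  command -v g++ >/dev/null 2>&1 || missing="$missing g++ build-essential"
  command -v flex >/dev/null 2>&1 || command -v lex >/dev/null 2>&1 || missing="$missing flex"
  [ -f /usr/include/editline/readline.h ] || missing="$missing libedit2 libedit-dev"  # assumed path
  need_tool 2.3 bison --version || missing="$missing bison"
  need_tool 2.4 cmake --version || missing="$missing cmake"
  need_tool 0.9 openssl version || missing="$missing openssl"
  [ -d /usr/include/qt4/QtCore ] || missing="$missing libqt4-dev"                    # assumed path
  printf '%s\n' "${missing# }"
}

missing=$(missing_packages)
if [ -n "$missing" ]; then
  echo "missing build prerequisites; run: sudo apt-get install $missing"
else
  echo "all build prerequisites for ike are present"
fi
```

Run it from the `ike` directory before `cmake`; it only reads the system and prints, so it needs no root. The version comparison is deliberately numeric per component so that, say, bison 2.10 is correctly ranked above 2.9.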
## Building

Again as specified in the README, for Linux:

```
cmake -DCMAKE_INSTALL_PREFIX=/usr -DQTGUI=YES -DETCDIR=/etc -DNATT=YES
```

If no errors appear (not including warnings, which should not prevent cmake running successfully), and you receive a message something like `Built target qikec`, run:

```
make
```

which should not give a problem, and then:

```
make install
```

...`make install` may error out with something like:

```
file INSTALL cannot copy file "/home/{USERNAME}/{DIRECTORY-PATH}/ike/source/iked/iked" to "/usr/sbin/iked"
```

This may well just require `sudo make install` instead. As the above error message states, the built `iked` program will be installed to `/usr/sbin/iked` (unless a different parameter was passed to `cmake` earlier than `-DCMAKE_INSTALL_PREFIX=/usr`).
To check `ike` is now installed, run `iked`. If it is, you should receive a snarky error, "you must be root to run this program !!!" :smile: :+1:

`iked` is the "daemon" that runs in the background, allowing a second program `qikea` to start, request credentials, and pass these to the university server using a VPN profile (see below).
- Check for a configuration file at `/etc/iked.conf` (`ls /etc/iked.conf`). It's probably not there, so paste in this sample one (via), for example by opening the graphical text editor Gedit (`sudo gedit /etc/iked.conf`, paste, hit save, close Gedit):

  ```
  #
  # sample client iked.conf file
  #
  daemon
  {
      # bind to ports
      socket ike 500;
      socket natt 4500;

      # log output
      log_level error;
      log_file "/var/log/iked.log";
      # pcap_decrypt "/var/log/ike-decrypt.pcap";
      # pcap_encrypt "/var/log/ike-encrypt.pcap";

      # retry settings
      retry_delay 10;
      retry_count 2;
  }
  ```

- Run `sudo iked` (the terminal will request your password).
- Run `ps cax | grep 'iked'`; there should now be a process running called "iked" :tada:
## Optional - keyboard bindings to start the VPN

With this setup, each time you want to use the VPN you have to open a terminal, type `sudo iked`, enter your password, run `qikea &` to make the VPN program run in the background (else closing the terminal window would end your session...) and it'd all be a bit awkward.

The easier way is to map keyboard bindings on Linux Mint to these 2 steps of VPN initiation. From the main menu (via the 'Windows button'), navigate to Keyboard > Keyboard shortcuts > Custom shortcuts > Add new shortcut, and add:

- "VPN step 1", command:

  ```
  gnome-terminal -e "bash -c \"sudo iked;\"" --geometry 30x3 -t VPN
  ```

  This will open a small terminal window, 30 characters wide by 3 lines tall, with the window title "VPN"; it asks for your password and then closes itself (nice and 'user friendly' :relieved:).

- "VPN step 2", command:

  ```
  qikea
  ```

After you add these shortcuts you'll see "Keyboard bindings: unassigned" when one is selected in the shortcut list; double click "unassigned" and the text will change to say "Pick an accelerator". I use Ctrl+Alt+V for step 1, then Windows key+Alt+V for step 2, for pretty quick access to the VPN.
## Using the VPN

Either by the keyboard shortcuts (Ctrl+Alt+V followed by Windows key+Alt+V after the popup terminal requests your password), or by terminal commands (`sudo iked` followed by `qikea &` and closing the terminal), you can now open the graphical program `qikea`.

`qikea` needs a 'profile'; the University of Manchester's is available (as of October 2015) at woodstock.its.manchester.ac.uk/downloads/vpn/shrewsoft/Shrewsoft.vpn (File > Import > select this downloaded file). It will then remember the configuration specified in this text file, and double clicking the profile's icon will give a popup requesting your username and password credentials (as used to log in to my.manchester.ac.uk etc., i.e. your short 'central username', not your email address).
## A few tips

- The successful login banner displays:

  "You have successfully connected to the University of Manchester VPN Service. If you are not an authorised member of the University, please disconnect immediately. All transactions via this system are monitored and logged."

  When you see this, you're in!

- An incorrect username/password will give an error in the log (the error lines are shown in red in the client):

  ```
  config loaded for site 'Shrewsoft'
  attached to key daemon ...
  peer configured
  iskamp proposal configured
  esp proposal configured
  client configured
  local id configured
  remote id configured
  pre-shared key configured
  bringing up tunnel ...
  user authentication error
  tunnel disabled
  detached from key daemon
  ```

- If you get a "user authentication error" but also "failed to attach to key daemon", check `iked` is running (check that `ps cax | grep 'iked'` lists an `iked` process), and if not then remember to run it first!
- Intermittent internet connections, maintenance on the university servers and other general technical difficulties can result in your connection being lost, and as a security measure you'll be booted off the VPN. The VPN shows a log, which will explain what happened.
- If putting your computer to "sleep" / "hibernate", disconnect the VPN first. One thing this VPN client does is edit `/etc/resolv.conf` (comment out the existing settings in favour of the university server 'IP addresses', and undo its changes when disconnecting). Putting it to sleep/hibernate or hard-restarting (i.e. holding the power button down) can sometimes catch the `resolv.conf` file 'stuck in VPN mode' while the VPN is actually not connected.
- If you're on a site or service that requires constant access, the VPN switchover may break this (very, very momentarily). I think Freenode webchat (in-browser IRC chatroom) may be one such sensitive thing: you'll be kicked off the Freenode server.
- You can have multiple workspaces on Linux Mint, switchable with Ctrl+Alt+←/→ arrow keys. I usually switch one or two workspaces 'to the left', kick off the VPN over there, then switch back over to the windows I'm working in. This makes it easily accessible when you need to disconnect, or if you need to check it's still working.
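Two of the tips above describe states you can check before connecting: whether an `iked` process exists (the "failed to attach to key daemon" case) and whether `/etc/resolv.conf` was left 'stuck in VPN mode' after a sleep or hard restart. The script below is an added example, not part of the wiki page or of Shrew Soft; it combines both checks into a one-line diagnosis. It assumes the client marks the original `resolv.conf` settings by prefixing the `nameserver` lines with `#`, which the page describes but does not show verbatim, so the pattern is a guess and the diagnosis is a hint, not proof.

```sh
#!/bin/sh
# Added example (not from the wiki or Shrew Soft): diagnose the two states the
# tips describe, an absent iked daemon and a resolv.conf left in VPN mode.
# Assumption: the client comments out the original nameserver lines with '#'.

# iked_running -> exit 0 if an iked process exists. The bracket trick
# '[i]ked' stops grep from matching its own command line.
iked_running() {
  ps cax 2>/dev/null | grep -q '[i]ked'
}

# resolv_state FILE -> prints "vpn" if FILE holds commented-out nameserver
# lines (the client's VPN-mode edit), otherwise "normal".
resolv_state() {
  if grep -qE '^[[:space:]]*#[[:space:]]*nameserver[[:space:]]' "$1" 2>/dev/null; then
    echo vpn
  else
    echo normal
  fi
}

# vpn_status RESOLV_STATE IKED_RUNNING -> one-line diagnosis. Kept as a pure
# function of its two arguments so it can be exercised without touching the
# real system.
vpn_status() {
  case "$1/$2" in
    vpn/no)     echo "resolv.conf stuck in VPN mode but iked is not running: restore it before connecting" ;;
    vpn/yes)    echo "VPN DNS settings active and iked running" ;;
    normal/no)  echo "iked not running: start it (sudo iked) before qikea" ;;
    normal/yes) echo "iked running, resolv.conf untouched: ready to connect" ;;
    *)          echo "unknown state: $1/$2"; return 1 ;;
  esac
}

# check_vpn [FILE] -> diagnosis for FILE (default /etc/resolv.conf)
check_vpn() {
  file=${1:-/etc/resolv.conf}
  if iked_running; then running=yes; else running=no; fi
  vpn_status "$(resolv_state "$file")" "$running"
}

check_vpn "$@"
```

Run it with no arguments to look at the real `/etc/resolv.conf`, or pass another path to test a copy. A "stuck in VPN mode" result after a hard restart is the cue to restore the original `resolv.conf` (uncomment the lines the client commented out) before starting `iked` again; a "normal/no" result is the usual reminder to run `sudo iked` before `qikea`.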