Cisco VPN Client and Linux kernel 2.6.15

Posted on
tutorial linux

I've always struggled with the Cisco VPN client for linux. It has seemingly never installed smoothly for me, but now I finally have figured out what's going on. Last week I built a Debian Sarge (stable) box, and installed Cisco's VPN client v4.7. I used a patched installer I had made a long time ago (and forgot why I needed to patch it), but the module compile was failing. After lots of frustration, I reversed the patch to the original sources, and then the installer compiled the kernel module without any problems. I was using the Sarge 686-SMP (officially linux-image-2.6-686-smp) kernel on a dual Xeon SMP 3.0Ghz box, which for Stable means kernel 2.6.8-3-686-smp.

Just now I built a Debian testing machine, this time using kernel 2.6.15-1-686-smp. I rsync'd the Cisco VPN client from the previus box (Sarge 686-SMP), and after running 'make clean', ran the installer. This time I got this:

altefrau:/home/tracv/vpnclient_old# ./vpn_install
Cisco Systems VPN Client Version 4.7.00 (0640) Linux Installer
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.

By installing this product you agree that you have read the
license.txt file (The VPN Client license) and will comply with
its terms.

Directory where binaries will be installed [/usr/local/bin]

Automatically start the VPN service at boot time [yes]

In order to build the VPN kernel module, you must have the
kernel headers for the version of the kernel you are running.

Directory containing linux kernel source pre [/lib/modules/2.6.15-1-686-smp/build]

* Binaries will be installed in "/usr/local/bin".
* Modules will be installed in "/lib/modules/2.6.15-1-686-smp/CiscoVPN".
* The VPN service will be started AUTOMATICALLY at boot time.
* Kernel source from "/lib/modules/2.6.15-1-686-smp/build" will be used to build the module.

Is the above correct [y]

Shutting down /opt/cisco-vpnclient/bin/vpnclient: module cisco_ipsec is not running.
Stopped: /etc/init.d/vpnclient_init (VPN init script)
Making module
make -C /lib/modules/2.6.15-1-686-smp/build SUBDIRS=/home/tracv/vpnclient_old modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.15-1-686-smp'
CC [M] /home/tracv/vpnclient_old/linuxcniapi.o
/home/tracv/vpnclient_old/linuxcniapi.c: In function 'CniInjectReceive':
/home/tracv/vpnclient_old/linuxcniapi.c:292: error: 'struct sk_buff' has no member named 'stamp'
/home/tracv/vpnclient_old/linuxcniapi.c: In function 'CniInjectSend':
/home/tracv/vpnclient_old/linuxcniapi.c:432: error: 'struct sk_buff' has no member named 'stamp'
make[2]: *** [/home/tracv/vpnclient_old/linuxcniapi.o] Error 1
make[1]: *** [_module_/home/tracv/vpnclient_old] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-2.6.15-1-686-smp'
make: *** [default] Error 2
Failed to make module "cisco_ipsec.ko". 

Arg, not this again, I thought. Then I remembered that I had reversed the patch for the last machine, so I re-applied the patch and then re-ran the installer. This time it built the kernel module without a problem, and then all was gravy. What this means is that Cisco's installer does not compile out of the box for kernel 2.6.15, but it does work for kernel 2.6.8. I'm guessing that somewhere in between those releases, pre was changed that breaks the Cisco installer.

So, the point of this post is to help anyone out there who has struggled with the Cisco VPN client. First, make sure you've got your kernel's headers installed - apt-get install linux-headers-`uname -r`. If you're still getting a compiler error, try using this patch (I don't even know where I found it anymore):

    --- linuxcniapi.c 2005-11-12 11:53:06.000000000 -0600
    +++ 2.6.14-vpnclient-linux-4.7.00.0640-linuxcniapi.c 2005-11-12 11:49:20.000000000 -0600
    @@ -276,6 +276,8 @@
    struct sk_buff *skb = NULL;
    unsigned char *pIP = NULL, *pMac = NULL;

    + struct timeval timecount;
    +
    /* we need to build the actual sk_buff from the packet structure */
    pBinding = (PBINDING) Binding;
    lpPacketDescriptor = (LPPACKETDESCRIPTOR) Packet;
    @@ -289,7 +291,10 @@
    goto exit_gracefully;
    }
    /* move the data into the packet */
    - do_gettimeofday(&skb->stamp);
    + do_gettimeofday(&timecount);
    +
    + skb->tstamp.off_sec = (u32) timecount.tv_sec;
    + skb->tstamp.off_usec = (u32) timecount.tv_usec;

    pIP = skb_put(skb, lpPacketDescriptor->uiPacketSize);

    @@ -389,6 +394,8 @@
    unsigned char *pIP = NULL, *pMac = NULL;
    int tmp_rc = 0;

    + struct timeval timecount;
    +
    int (*tmp_InjectSend) (struct sk_buff * skb, struct net_device * dev);
    tmp_InjectSend = NULL;

    @@ -429,7 +436,10 @@
    CniGetPacketData(Packet, 0, lpPacketDescriptor->uiPacketSize, pIP);

    /* put the mac header on */
    - do_gettimeofday(&skb->stamp);
    + do_gettimeofday(&timecount);
    +
    + skb->tstamp.off_sec = (u32) timecount.tv_sec;
    + skb->tstamp.off_usec = (u32) timecount.tv_usec;

    skb->dev = pBinding->pDevice; 

Copy and paste that as is into your favorite text editor (or click download on the file at the bottom of this post), and then place it into the Cisco VPN installer root directory, then run:

patch -p0 < vpnclient-linux-4.7.patch.txt

Then re-run the installer. Good luck, and feel free to leave a comment if it worked for you (or if you have any questions).

UPDATE AUG 30 2006

I recently installed version 4.8 of the Cisco client, and it appears as though Cisco fixed the problem. It works with new >2.6.15 kernels without requiring this patch.