vpnc 0.5.4beta & VPNC Front End 1.0 Nateis Edition - Free GPL Juniper SRX compatible VPN client - Linux, Mac OS X and Windows releases

2012/06/17 :

Nateis adds a watchdog feature to VPNC FE that can monitor up to 3 IP addresses. For this feature to work, the Xauth username and Xauth password must be set in the configuration file in use, because the watchdog reconnects without any user interaction; that file then holds the password in cleartext, so keep it readable only by the account running VPNC FE. To enable it: right click on the VPNC icon > Options > Program Settings, check Watchdog and, if required, fill the Monitor IP addresses field with the addresses to monitor, separated by commas. You can also check the Connect At Startup option if you want the VPN to connect automatically when VPNC FE starts.

Linux watchdog wrapper also added.

2011/01/15 :

Nateis successfully tested its vpnc and VPNC FE editions against Fortinet FortiGate firewalls using local authentication, because no RADIUS server was available on the remote site. The Fortinet FortiGate sample configurations follow the Juniper SRX sample configuration and explanations below.

2010/10/22 :

Nateis is proud to present its new vpnc and VPNC Front End Nateis Edition: a free, GPL-licensed VPN client compatible with Juniper SRX, with straightforward installation. vpnc is a VPN client compatible with Cisco ASA VPN concentrators, Netscreen SSG and Juniper SRX firewalls. It runs entirely in userspace and needs no kernel modules except the tun driver to communicate with the network layer. It supports most of the features needed to establish a connection to the VPN concentrator: MD5 and SHA1 hashes, 3DES and AES ciphers, PFS and various IKE DH group settings. vpnc runs on Linux platforms; VPNC Front End is a Windows distribution of vpnc including a useful GUI.
WARNING : Using a pre-shared key together with XAUTH (the setup used by the sample configurations below) can be insecure: anyone who knows the group pre-shared key can impersonate the gateway and harvest the users' XAUTH credentials, and with IKE aggressive mode the PSK-derived hash is sent before encryption starts, so it can be brute-forced offline. See Cisco Security Notice 50600.
This free software is provided *as is*, without warranty of any kind, under the GPL license. Nateis cannot be held liable for its use. If you want a Juniper-approved VPN client, distributed by the SRX firewall itself, please consider buying SRX-RAC-xx-LTU Juniper Dynamic VPN Client licenses.

Before downloading and using this software, please check the cryptography laws of your country : Restrictions on the import of cryptography

You can download the latest releases of vpnc and VPNC FE here :

VPNC sources :
- vpnc SRX sources : vpnc-0.5.4beta-20101022-1824.tgz
- 0.5.3 to 0.5.4beta patch : vpnc-0.5.3-to-0.5.4beta.patch

VPNC for Linux :
- vpnc SRX debian package : vpnc_0.5.4beta_i386.deb
- vpnc SRX rpm package : vpnc-0.5.4beta-2.i386.rpm (not tested)

Watchdog wrapper for Linux :
vpnc_safe.sh (start it at boot, for instance from /etc/rc.local, like this : /usr/local/sbin/vpnc_safe.sh >> /home/tmp/vpnc_safe.out &)
N.B. : Use the default.conf file and insert the Xauth username and Xauth password fields in it, since the wrapper reconnects without prompting. The file then contains the password and the pre-shared key in cleartext, so restrict it to root (chmod 600).
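To make the wrapper's job concrete, here is an added illustrative watchdog for the Linux packages. It is not the Nateis vpnc_safe.sh and not code from the vpnc project: it refuses a configuration file that lacks the Xauth lines or is readable by other users, then loops, restarting vpnc when its process is gone or when none of the monitored hosts answers a ping. Paths, the interval, the monitored addresses and the pid file location are assumptions; override them in the environment.

```shell
#!/bin/sh
# Illustrative vpnc watchdog (added example, not the Nateis vpnc_safe.sh).
# Assumed defaults; override with environment variables.
VPNC=${VPNC:-/usr/local/sbin/vpnc}
CONF=${CONF:-/etc/vpnc/default.conf}
PIDFILE=${PIDFILE:-/var/run/vpnc/pid}
MONITOR_IPS=${MONITOR_IPS:-10.0.0.1,10.0.0.2}   # comma separated, like VPNC FE
INTERVAL=${INTERVAL:-30}                        # seconds between checks
PING=${PING:-"ping -c 1 -W 2"}                  # overridable so the check runs offline

# The watchdog cannot type credentials, so the config must carry
# "Xauth username" and "Xauth password" lines. They (and "IPSec secret")
# are cleartext, so refuse a file that group or others can read.
check_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "$conf: no such file" >&2; return 1; }
    grep -q '^Xauth username ' "$conf" || { echo "$conf: missing Xauth username" >&2; return 1; }
    grep -q '^Xauth password ' "$conf" || { echo "$conf: missing Xauth password" >&2; return 1; }
    gro=$(ls -ld "$conf" | cut -c5-10)         # group+other permission bits
    [ "$gro" = "------" ] || { echo "$conf: mode too open, expected 0600" >&2; return 1; }
    return 0
}

# 0 when at least one monitored host answers (one dead host does not
# bounce the tunnel), 1 when all of them are silent.
hosts_reachable() {
    for h in $(printf '%s' "$1" | tr ',' ' '); do
        $PING "$h" >/dev/null 2>&1 && return 0
    done
    return 1
}

vpnc_running() {
    [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

# Pure decision function: $1 = up|down (vpnc process), $2 = yes|no (hosts
# reachable). Prints start, restart or ok.
decide() {
    case "$1/$2" in
        down/*) echo start ;;
        up/no)  echo restart ;;
        *)      echo ok ;;
    esac
}

stop_vpnc() {
    # vpnc tears the tunnel down cleanly on SIGTERM
    vpnc_running && kill "$(cat "$PIDFILE")" 2>/dev/null
    sleep 2
}

start_vpnc() {
    # --non-inter: never prompt, fail instead, so a missing credential
    # cannot hang the watchdog; vpnc daemonizes by itself.
    "$VPNC" --non-inter --pid-file "$PIDFILE" "$CONF"
}

watchdog() {
    check_conf "$CONF" || exit 1
    while :; do
        vpnc_running && up=up || up=down
        hosts_reachable "$MONITOR_IPS" && reach=yes || reach=no
        action=$(decide "$up" "$reach")
        if [ "$action" != ok ]; then
            echo "$(date '+%F %T') vpnc $up, hosts reachable: $reach -> $action"
            [ "$action" = restart ] && stop_vpnc
            start_vpnc
        fi
        sleep "$INTERVAL"
    done
}

# Only enter the loop when explicitly asked, e.g. from rc.local:
#   /usr/local/sbin/vpnc_watchdog.sh --run >> /var/log/vpnc_watchdog.log &
if [ "${1:-}" = "--run" ]; then watchdog; fi
```

Run it as root with --run. Note that the monitored hosts must only be reachable through the tunnel; otherwise a host that is down for unrelated reasons makes the watchdog bounce a healthy tunnel every INTERVAL seconds.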

VPNC for Mac OS X (MacOS X Snow Leopard) :
- vpnc SRX Mac OS X package : vpnc-0.5.4beta-macosx-snow.pkg (tested on Snow Leopard)
You'll need to install the Tun/Tap package, found in the root directory of your drive, before using vpnc.

Note : Latest releases of MacOS X need the new TUN TAP driver :
http://tuntaposx.sourceforge.net/download.xhtml

VPNC FRONT END for Windows XP & 7 :
- VPNC FE Nateis Edition : vpncfe-1.0-nateis-edition-setup.exe (Watchdog and IP monitoring included)

Under Windows 10 you need to install the following TAP driver (NDIS 6 migration) :
https://swupdate.openvpn.org/community/releases/tap-windows-9.21.1.exe

Under Windows 10, for the moment, routes are not correctly added to the routing table, so a Post-Script and a Disconnect-Script are needed. Samples of these scripts follow (in the Connection Settings / Scripts tab, click on the Post-Script and Disconnect-Script labels - not the fields ! - to select the files, then save the configuration) :

Post-Script :

@echo off

:: Post-connect script for VPNC Front End under Windows 10.
:: vpnc exports the tunnel address as INTERNAL_IP4_ADDRESS and the
:: peer address as VPNGATEWAY; the target network is routed through
:: the tunnel address here. In some cases it's better to use the
:: VPN Gateway (%VPNGATEWAY%) instead.
if "%INTERNAL_IP4_ADDRESS%"=="" (
    echo INTERNAL_IP4_ADDRESS is not set: not running under vpnc?
    exit /b 1
)
set MyIP=%INTERNAL_IP4_ADDRESS%

echo Tunnel IP Address: [%MyIP%]

echo.
echo ORIGINAL ROUTES
route print | find "%MyIP%"

:: Interface index of the TAP adapter ("TAP-Win" matches both the old
:: "TAP-Win32" and the NDIS 6 "TAP-Windows Adapter V9" names); the
:: interface list of route print starts each line with that index.
set ifindex=
for /f "tokens=1 delims=." %%a in ('"route print | find "TAP-Win""') do set /a ifindex=%%a

:: Delete any left-over old routes (just in case they are still around)
route delete 10.0.0.0 MASK 255.0.0.0 > nul

:: Give the TAP adapter time to come up before routing through it
ping -4 %MyIP% > nul

:: Create the split-tunnel route for the target network. 10.0.0.0/8 must
:: match "IPSEC target network" in default.conf. Pin the route to the
:: TAP adapter when its index was found, so Windows cannot pick
:: another interface for it.
if defined ifindex (
    route add 10.0.0.0 MASK 255.0.0.0 %MyIP% IF %ifindex% > nul
) else (
    route add 10.0.0.0 MASK 255.0.0.0 %MyIP% > nul
)

echo.
echo FINAL ROUTES
route print | find "%MyIP%"

:: C:\Program Files\VPNC Front End\etc\vpnc\vpnc-script.exe

echo.
echo Post-Script Exiting
echo.

Disconnect-Script :

@echo off

:: Disconnect script for VPNC Front End under Windows 10: removes the
:: split-tunnel route added by the Post-Script. The tunnel address
:: (%INTERNAL_IP4_ADDRESS%) is only used to display the routes; the
:: deletion itself works without it, so a missing variable is not fatal.
if "%INTERNAL_IP4_ADDRESS%"=="" (
    echo Warning: INTERNAL_IP4_ADDRESS is not set, routes cannot be listed
)
set MyIP=%INTERNAL_IP4_ADDRESS%

echo Tunnel IP Address: [%MyIP%]

echo.
echo ORIGINAL ROUTES
route print | find "%MyIP%"

:: Delete the route created at connect time (and any left-over old ones).
:: 10.0.0.0/8 must match the network used in the Post-Script.
route delete 10.0.0.0 MASK 255.0.0.0 > nul

echo.
echo FINAL ROUTES
route print | find "%MyIP%"

echo.
echo Disconnect-Script Exiting
echo.
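For the Linux packages above the same route handling can be done in a vpnc script hook, since vpnc runs the command given by the "Script" option (default /etc/vpnc/vpnc-script) with $reason set to pre-init, connect or disconnect and the tunnel device in $TUNDEV. The hook below is an added example, not the page's or the vpnc project's code, and assumes the stock vpnc-script at /etc/vpnc/vpnc-script, iproute2, and the target network of the sample default.conf (10.0.0.0/8); the route commands are built by a separate function so they can be checked without touching the routing table.

```shell
#!/bin/sh
# Added example: vpnc "Script" hook that pins the target network to the
# tunnel device after the stock vpnc-script has run, and removes it on
# disconnect. Assumptions: stock script path, iproute2, 10.0.0.0/8.
STOCK_SCRIPT=${STOCK_SCRIPT:-/etc/vpnc/vpnc-script}
TARGET_NET=${TARGET_NET:-10.0.0.0/8}

# Print the route commands for a vpnc reason. Pure function: nothing is
# executed here.  $1 = reason, $2 = tun device, $3 = target network.
route_cmds() {
    case $1 in
        connect)
            # drop a stale entry first (a crashed vpnc leaves it behind),
            # then route the target network through the tunnel device
            printf 'ip route del %s 2>/dev/null\n' "$3"
            printf 'ip route add %s dev %s\n' "$3" "$2"
            ;;
        disconnect)
            printf 'ip route del %s 2>/dev/null\n' "$3"
            ;;
        *)
            ;;   # pre-init and anything else: nothing extra to do
    esac
}

# Entry point used by vpnc. It exports reason, TUNDEV, VPNGATEWAY,
# INTERNAL_IP4_ADDRESS and friends in the environment.
hook() {
    [ -n "${reason:-}" ] || { echo "not started by vpnc (reason unset)" >&2; return 1; }
    # Let the stock script handle the interface, address, DNS and default route.
    "$STOCK_SCRIPT" || return 1
    [ -n "${TUNDEV:-}" ] || return 0
    route_cmds "$reason" "$TUNDEV" "$TARGET_NET" | while IFS= read -r cmd; do
        echo "+ $cmd"
        [ -n "${DRY_RUN:-}" ] || sh -c "$cmd"   # DRY_RUN=1 only prints
    done
}

# Run only when invoked by vpnc; sourcing the file for tests does nothing.
if [ -n "${reason:-}" ]; then hook; fi
```

Point default.conf at it with a line such as "Script /etc/vpnc/split-route.sh" (path assumed) and make the file executable. Because vpnc runs the hook as root, keep it owned by root and not writable by others, since anyone who can edit it gets a root shell at every connection.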

- first Nateis release : vpncfe-0.9.8beta-setup.exe (tested on XP and 7)

VPNC FRONT END sources :
- VPNC Front End SRX sources : vpncfe-0.9.8-20101022-1934.tgz
- 0.9.7 to 0.9.8 patch : vpncfe-0.9.7-to-0.9.8.patch

Sample default.conf file for Juniper SRX :

# IPSec peer address
IPSec gateway 172.31.31.31
# IPSec domain as ID
IPSec ID yourdomain.com
# Preshared-key
IPSec secret YOUR_SECRET_KEY
# To be able to connect to JunOS SRX device
Vendor juniper
# Nat Traversal
NAT Traversal Mode force-natt
# No PFS
Perfect Forward Secrecy nopfs
# To remain connected as long as possible
DPD idle timeout (our side) 0
# To force split tunneling using target network
Target split tunneling
# Network adapter used under Windows
# Delete the 2 following lines under Linux (a tun device is used there)
Interface name tap0
Interface mode tap
# Target network, routed through the tunnel when split tunneling is forced
IPSEC target network 10.0.0.0/255.0.0.0
# Local network announced to the SRX, which checks it against its Proxy ID
IPSEC local network 172.16.1.0/255.255.255.0
Local Port 0

SRX configuration is explained in the following Juniper application note :
Remote Access VPN with XAuth Configuration and Troubleshooting

Note : We tested vpnc, the SRX-compatible VPN client, with an SRX240H and a Linux server running FreeRADIUS.

Sample default.conf file for Fortinet Fortigate :

# IPSec peer address
IPSec gateway 172.31.31.31
# IPSec domain as ID
IPSec ID yourdomain.com
# Preshared-key
IPSec secret YOUR_SECRET_KEY
# Nat Traversal
NAT Traversal Mode force-natt
# No PFS
Perfect Forward Secrecy nopfs
# To remain connected as long as possible
DPD idle timeout (our side) 0
# To force split tunneling using target network
Target split tunneling
# Network adapter used under Windows
# Delete the 2 following lines under Linux (a tun device is used there)
Interface name tap0
Interface mode tap
# Target network, routed through the tunnel when split tunneling is forced
IPSEC target network 10.0.0.0/255.0.0.0
# Local network announced to the FortiGate for its Proxy ID check
# (must match dst-subnet of the phase2-interface below)
IPSEC local network 172.16.1.0/255.255.255.0
Local Port 0

Sample Fortinet Fortigate configuration :

config firewall address
edit "Net_10s8"
set associated-interface "internal"
set subnet 10.0.0.0 255.0.0.0
next
end

config user local
edit "youruser"
set type password
set passwd YOURPASSWORD
next
end

config user group
edit "FSAE_Guest_Users"
set group-type directory-service
next
edit "yourdomain.com"
set member "youruser"
next
end

config vpn ipsec phase1-interface
edit "dialup"
set type dynamic
set interface "port1"
set dhgrp 2
set proposal 3des-sha1
set xauthtype pap
set mode aggressive
set mode-cfg enable
set authusrgrp "yourdomain.com"
set ipv4-start-ip 172.16.1.2
set ipv4-end-ip 172.16.1.253
set ipv4-netmask 255.255.255.0
set ipv4-dns-server1 10.10.10.10
set ipv4-split-include "Net_10s8"
set psksecret YOUR_SECRET_KEY
next
end

config vpn ipsec phase2-interface
edit "dialupp2"
set keepalive enable
set pfs disable
set phase1name "dialup"
set proposal 3des-sha1
set dst-subnet 172.16.1.0 255.255.255.0
set keylifeseconds 3600
set src-subnet 10.0.0.0 255.0.0.0
next
end

config firewall address
edit "vpn-net"
set associated-interface "dialup"
set subnet 172.16.1.0 255.255.255.0
next
end

config firewall policy
edit your_next_rule_id
set srcintf "dialup"
set dstintf "internal"
set srcaddr "vpn-net"
set dstaddr "Net_10s8"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next
end

Two remarks on this configuration. The FSAE_Guest_Users group is not used by the VPN; only the yourdomain.com group, referenced by authusrgrp, matters. The firewall policy lets VPN users reach the whole 10.0.0.0/8 with any service and source NAT enabled, which is convenient for a test but should be narrowed to the required hosts and services in production. vpnc also supports AES (see above), so a stronger proposal than 3des-sha1 can be tried on both phases.

If any suggestions or contributions, use this email : vpnc.dev@nateis.fr

Many thanks to the communities and authors of previous releases of vpnc and VPNC Front End. Here are the links to the official websites of these projects :
- vpnc official website
- VPNC Front End official SourceForge website

Changelog :

VPNC FE 1.0-nateis-edition

- Added Watchdog and IP monitoring options to automatically reconnect when VPNC terminates or the monitored hosts are unreachable : configuration files including the credentials are required for this option to run correctly.

VPNC FE 0.9.8beta

- Uses vpnc-0.5.4beta with Juniper SRX support and better Windows support included (vpnc release notes follow)
- Added a Local Network field in the GUI Advanced Tab to specify the Local Network to the VPN peer (needed for Proxy ID check with SRX)
- Added a Target Split tunneling checkbox (to force split tunneling and send target network information to vpnc)
- Made vpncfe interact better with vpnc (graceful shutdown of VPN connections when disconnecting)

* vpnc-0.5.4beta.tar.gz Thu Oct 17 20:34:00 GMT+1 2010

User visible changes:
Beta release by Mikael Cam - Nateis
* Added Juniper SRX VPN support, running with XAUTH (SRX + RADIUS server)
* Added --local-network "IPSEC local network" option to comply with SRX needs for the Proxy ID check
* Added Juniper VENDOR for the new Juniper SRX equipment
* Changed the ISAKMP "sequence" and QM to fit Juniper needs (reverse engineering of VPNC and ISAKMP sequences)
* Was tested on SRX240H with IP address dynamically assigned by the firewall
* Added some changes for Juniper SRX to make the re-association possible after lifetime expiration
* Added Jindrich Makovicka Patch
* Added --split-tunneling "Target split tunneling" option to force split tunneling using defined target network
* Added Windows graceful shutdown support to release tunnel before exiting (catching WM messages + SIGTERM) and to better interact with vpncfe
* Added and changed what was needed for these add-ons to vpnc-fe
* Tested successfully this release on linux and windows to connect Cisco ASA, Netscreen SSG and Juniper SRX

© Nateis 2015 - Network and IT Security