vpnc 0.5.4beta & VPNC Front End 0.9.8 Nateis Edition - Free GPL Juniper SRX compatible VPN client - Linux, Mac OS X and Windows releases

vpnc 0.5.4beta & VPNC Front End 0.9.8 Nateis Edition - Free GPL Juniper SRX compatible VPN client - Linux, Mac OS X and Windows releases

2011/01/15 :

Nateis tested successfully its VPNC and VPNC FE editions with Fortinet Fortigate firewalls, using local authentication, because no radius server was available on remote site. Following Juniper SRX sample configuration and explanations you'll find Fortinet Fortigate's sample configurations.

2010/10/22 :

Nateis is proud to present its new vpnc and VPNC Front End Nateis Edition, a free Juniper SRX compatible VPN client, under GPL, with straight forward installation. Cisco, Netscreen and Juniper compatible VPN client vpnc is a VPN client compatible with cisco ASA VPN Concentrator, Netscreen SSG and Juniper SRX firewalls. vpnc runs entirely in userspace and does not require kernel modules except of the tun driver to communicate with the network layer. It supports most of the features needed to establish connection to the VPN concentrator: MD5 and SHA1 hashes, 3DES and AES ciphers, PFS and various IKE DH group settings. vpnc runs on Linux platforms. VPNC Front End is a Windows distribution of vpnc including a useful GUI.
WARNING : Using Pre-Shared-Key + XAUTH can be insecure : Cisco Security Notice 50600
This free software is provided *as is* without warranty of any kind under GPL license. Nateis can't be liable for its use. If you want to use a Juniper approved VPN client, distributed by the SRX firewall itself, please consider buying SRX-RAC-xx-LTU Juniper Dynamic VPN Client licenses.

Before downloading and using this software please be informed of cryptography laws of your country : Restrictions on the import of cryptography

You can download the latest releases of vpnc and VPNC FE here :

VPNC sources :
- vpnc SRX sources : vpnc-0.5.4beta-20101022-1824.tgz
- 0.5.3 to 0.5.4beta patch : vpnc-0.5.3-to-0.5.4beta.patch

VPNC for Linux :
- vpnc SRX debian package : vpnc_0.5.4beta_i386.deb
- vpnc SRX rpm package : vpnc-0.5.4beta-2.i386.rpm (not tested)

VPNC for Mac OS X (MacOS X Snow Leopard) :
- vpnc SRX Mac OS X package : vpnc-0.5.4beta-macosx-snow.pkg (tested on Snow Leopard)
You'll need to install the Tun/Tap package you will find in the root directory of your drive before using vpnc.

VPNC FRONT END for Windows XP & 7 :
- VPNC Front End SRX Windows installer : vpncfe-0.9.8beta-setup.exe (tested on XP and 7)

VPNC FRONT END sources :
- VPNC Front End SRX sources : vpncfe-0.9.8-20101022-1934.tgz
- 0.9.7 to 0.9.8 patch : vpncfe-0.9.7-to-0.9.8.patch

Sample default.conf file for Juniper SRX :

# IPSec peer address
IPSec gateway 172.31.31.31
# IPSec domain as ID
IPSec ID yourdomain.com
# Preshared-key
IPSec secret YOUR_SECRET_KEY
# To be able to connect to JunOS SRX device
Vendor juniper
# Nat Traversal
NAT Traversal Mode force-natt
# No PFS
Perfect Forward Secrecy nopfs
# To remain connected as long as possible
DPD idle timeout (our side) 0
# To force split tunneling using target network
Target split tunneling
# Network adapter used under Windows
# 2 following lines to be deleted under Linux
Interface name tap0
Interface mode tap
#Target network
IPSEC target network 10.0.0.0/255.0.0.0
# Local Network used by SRX to check Proxy ID
IPSEC local network 172.16.1.0/255.255.255.0
Local Port 0

SRX configuration is explained in the following Juniper application note :
Remote Access VPN with XAuth Configuration and Troubleshooting

Note : We tested VPNC, SRX compatible vpn client, using an SRX240H and a Linux server running freeradius.

Sample default.conf file for Fortinet Fortigate :

# IPSec peer address
IPSec gateway 172.31.31.31
# IPSec domain as ID
IPSec ID yourdomain.com
# Preshared-key
IPSec secret YOUR_SECRET_KEY
# Nat Traversal
NAT Traversal Mode force-natt
# No PFS
Perfect Forward Secrecy nopfs
# To remain connected as long as possible
DPD idle timeout (our side) 0
# To force split tunneling using target network
Target split tunneling
# Network adapter used under Windows
# 2 following lines to be deleted under Linux
Interface name tap0
Interface mode tap
#Target network
IPSEC target network 10.0.0.0/255.0.0.0
# Local Network used by SRX to check Proxy ID
IPSEC local network 172.16.1.0/255.255.255.0
Local Port 0

Sample Fortinet Fortigate configuration :

config firewall address
edit "Net_10s8"
set associated-interface "internal"
set subnet 10.0.0.0 255.0.0.0
next
end

config user local
edit "youruser"
set type password
set passwd YOURPASSWORD
next
end

config user group
edit "FSAE_Guest_Users"
set group-type directory-service
next
edit "yourdomain.com"
set member "youruser"
next
end

config vpn ipsec phase1-interface
edit "dialup"
set type dynamic
set interface "port1"
set dhgrp 2
set proposal 3des-sha1
set xauthtype pap
set mode aggressive
set mode-cfg enable
set authusrgrp "yourdomain.com"
set ipv4-start-ip 172.16.1.2
set ipv4-end-ip 172.16.1.253
set ipv4-netmask 255.255.255.0
set ipv4-dns-server1 10.10.10.10
set ipv4-split-include "Net_10s8"
set psksecret YOUR_SECRET_KEY
next
end

config vpn ipsec phase2-interface
edit "dialupp2"
set keepalive enable
set pfs disable
set phase1name "dialup"
set proposal 3des-sha1
set dst-subnet 172.16.1.0 255.255.255.0
set keylifeseconds 3600
set src-subnet 10.0.0.0 255.0.0.0
next
end

config firewall address
edit "vpn-net"
set associated-interface "dialup"
set subnet 172.16.1.0 255.255.255.0
next
end

configure firewall policy
edit your_next_rule_id
set srcintf "dialup"
set dstintf "internal"
set srcaddr "vpn-net"
set dstaddr "Net_10s8"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next
end

If any suggestions or contributions, use this email : vpnc.dev@nateis.fr

Many thanks to the communities and authors of previous releases of vpnc and VPNC Front End. Here are the links to the official websites of these projects :
- vpnc official website;
- VPNC Front End official sourceforge website

Changelog following :

VPNC FE 0.9.8beta

- Uses vpnc-0.5.4beta with Juniper SRX support and better Windows support included (vpnc release notes following)
- Added a Local Network field in the GUI Advanced Tab to specify the Local Network to the VPN peer (needed for Proxy ID check with SRX)
- Added a Target Split tunneling checkbox (to force split tunneling and send target network information to vpnc)
- Made vpncfe interact better with vpnc (graceful shutdown of VPN connections when disconnecting)

* vpnc-0.5.4beta.tar.gz Thu Oct 17 20:34:00 GMT+1 2010

User visible changes:
Beta release by Mikael Cam - Nateis
* Added Juniper SRX VPN support, running with xauth (SRX + radius server)
* Added --local-network "IPSEC local network" option to comply with SRX needs for proxy ID check
* Added Juniper VENDOR for new Juniper SRX equipments
* Changed the ISAKMP "sequence" and QM to fit Juniper needs (reverse engineering of VPNC and ISAKMP sequences)
* Was tested on SRX240H with IP address dynamically assigned by the firewall
* Added some changes for Juniper SRX to make the re-association possible after lifetime expiration
* Added Jindrich Makovicka Patch
* Added --split-tunneling "Target split tunneling" option to force split tunneling using defined target network
* Added Windows graceful shutdown support to release tunnel before exiting (catching WM messages + SIGTERM) and to better interact with vpncfe
* Added and changed what was needed for these add-ons to vpnc-fe
* Tested successfully this release on linux and windows to connect Cisco ASA, Netscreen SSG and Juniper SRX

Français