Cisco vpnclient 4.8.00 on x86_64 FC5: Failed to establish a VPN connection

[Otto J. Makela]

I've been successfully using vpnclient-linux-x86_64-4.8.00.0490-k9
from Cisco on a Fedora Core 5 x86_64 computer, but
kernel-2.6.20-1.2312.fc5 no longer plays nicely with it.
It did work fine with 2.6.18-1.2257 from January.

Firstly, I had to install the patch from
http://www.tuxx-home.at/archives/2006/12/07/T09_36_48/
which makes it possible to compile the vpn package, albeit with a few
warnings. I end up with a module that the kernel accepts, but trying
to open the vpn connection always fails with the rather cryptic error
message "Failed to establish a VPN connection" without producing
anything else in the system logs.

Suggestions, anyone?

Compile log (newlines added and slightly edited down for clarity):

# tail -f /var/log/messages &
# uname -a
Linux tigger.otto.net 2.6.20-1.2312.fc5 #1 SMP Tue Apr 10 15:14:58 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/redhat-release
Fedora Core release 5 (Bordeaux)
# tar xzf vpnclient-linux-x86_64-4.8.00.0490-k9.tar.gz
# cd vpnclient

vpnclient# patch < ../vpnclient-linux-2.6.19.diff
patching file IPSecDrvOS_linux.c
patching file frag.c
patching file interceptor.c
patching file linuxcniapi.c

vpnclient# ./vpn_install
Cisco Systems VPN Client Version 4.8.00 (0490) Linux Installer
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.

By installing this product you agree that you have read the
license.txt file (The VPN Client license) and will comply with
its terms.

Directory where binaries will be installed [/usr/local/bin]

Automatically start the VPN service at boot time [yes]

In order to build the VPN kernel module, you must have the
kernel headers for the version of the kernel you are running.

Directory containing linux kernel source code [/lib/modules/2.6.20-1.2312.fc5/build]

* Binaries will be installed in "/usr/local/bin".
* Modules will be installed in "/lib/modules/2.6.20-1.2312.fc5/CiscoVPN".
* The VPN service will be started AUTOMATICALLY at boot time.
* Kernel source from "/lib/modules/2.6.20-1.2312.fc5/build" will be used to build the module.

Is the above correct [y]

Shutting down /opt/cisco-vpnclient/bin/vpnclient: Done
Stopped: /etc/init.d/vpnclient_init (VPN init script)
Making module
make -C /lib/modules/2.6.20-1.2312.fc5/build SUBDIRS=/home/otto/Software/vpn/vpnclient modules
make[1]: Entering directory `/usr/src/kernels/2.6.20-1.2312.fc5-x86_64'
CC [M] /home/otto/Software/vpn/vpnclient/linuxcniapi.o
In file included from /home/otto/Software/vpn/vpnclient/Cniapi.h:15,
from /home/otto/Software/vpn/vpnclient/linuxcniapi.c:27:
/home/otto/Software/vpn/vpnclient/GenDefs.h:110:2: warning: #warning 64 bit
CC [M] /home/otto/Software/vpn/vpnclient/frag.o
In file included from /home/otto/Software/vpn/vpnclient/Cniapi.h:15,
from /home/otto/Software/vpn/vpnclient/frag.c:16:
/home/otto/Software/vpn/vpnclient/GenDefs.h:110:2: warning: #warning 64 bit
CC [M] /home/otto/Software/vpn/vpnclient/IPSecDrvOS_linux.o
In file included from /home/otto/Software/vpn/vpnclient/IPSecDrvOS_linux.c:20:
/home/otto/Software/vpn/vpnclient/GenDefs.h:110:2: warning: #warning 64 bit
CC [M] /home/otto/Software/vpn/vpnclient/interceptor.o
In file included from /home/otto/Software/vpn/vpnclient/Cniapi.h:15,
from /home/otto/Software/vpn/vpnclient/interceptor.c:30:
/home/otto/Software/vpn/vpnclient/GenDefs.h:110:2: warning: #warning 64 bit
/home/otto/Software/vpn/vpnclient/interceptor.c: In function 'handle_vpnup':
/home/otto/Software/vpn/vpnclient/interceptor.c:318: warning: assignment from incompatible pointer type
/home/otto/Software/vpn/vpnclient/interceptor.c:342: warning: assignment from incompatible pointer type
/home/otto/Software/vpn/vpnclient/interceptor.c:343: warning: assignment from incompatible pointer type
/home/otto/Software/vpn/vpnclient/interceptor.c: In function 'do_cleanup':
/home/otto/Software/vpn/vpnclient/interceptor.c:386: warning: assignment from incompatible pointer type
CC [M] /home/otto/Software/vpn/vpnclient/linuxkernelapi.o
/home/otto/Software/vpn/vpnclient/linuxkernelapi.c: In function 'kernel_alloc':
/home/otto/Software/vpn/vpnclient/linuxkernelapi.c:12: warning: format '%d' expects type 'int', but argument 2 has type 'size_t'
LD [M] /home/otto/Software/vpn/vpnclient/cisco_ipsec.o
Building modules, stage 2.
MODPOST 1 modules
WARNING: /home/otto/Software/vpn/vpnclient/cisco_ipsec.o - Section mismatch: reference to .init.text: from .data between 'interceptor_dev' (at offset 0xd0) and 'interceptor_notifier'
WARNING: could not find /home/otto/Software/vpn/vpnclient/.libdriver64.so.cmd for /home/otto/Software/vpn/vpnclient/libdriver64.so
CC /home/otto/Software/vpn/vpnclient/cisco_ipsec.mod.o
LD [M] /home/otto/Software/vpn/vpnclient/cisco_ipsec.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.20-1.2312.fc5-x86_64'
Copying module to directory "/lib/modules/2.6.20-1.2312.fc5/CiscoVPN".
Already have group 'bin'

Creating start/stop script "/etc/init.d/vpnclient_init".
/etc/init.d/vpnclient_init
Enabling start/stop script for run level 3,4 and 5.

Installing license.txt (VPN Client license) in "/opt/cisco-vpnclient/":

Installing bundled user profiles in "/etc/opt/cisco-vpnclient/Profiles/":
* Replaced Profiles: sample

Copying binaries to directory "/opt/cisco-vpnclient/bin".
Adding symlinks to "/usr/local/bin".
/opt/cisco-vpnclient/bin/vpnclient
/opt/cisco-vpnclient/bin/cisco_cert_mgr
/opt/cisco-vpnclient/bin/ipseclog
Copying setuid binaries to directory "/opt/cisco-vpnclient/bin".
/opt/cisco-vpnclient/bin/cvpnd
Copying libraries to directory "/opt/cisco-vpnclient/lib".
/opt/cisco-vpnclient/lib/libvpnapi.so
Copying header files to directory "/opt/cisco-vpnclient/include".
/opt/cisco-vpnclient/include/vpnapi.h

Setting permissions.
/opt/cisco-vpnclient/bin/cvpnd (setuid root)
/opt/cisco-vpnclient (group bin readable)
/etc/opt/cisco-vpnclient (permissions not changed)
* You may wish to change these permissions to restrict access to root.
* You must run "/etc/init.d/vpnclient_init start" before using the client.
* This script will be run AUTOMATICALLY every time you reboot your computer.

vpnclient# /etc/init.d/vpnclient_init start
Starting /opt/cisco-vpnclient/bin/vpnclient: Done
Apr 27 15:34:26 tigger kernel: Cisco Systems VPN Client Version 4.8.00 (0490) kernel module loaded

vpnclient# /usr/local/bin/vpnclient connect Su4TSF
Cisco Systems VPN Client Version 4.8.00 (0490)
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.20-1.2312.fc5 #1 SMP Tue Apr 10 15:14:58 EDT 2007 x86_64
Config file directory: /etc/opt/cisco-vpnclient

Enter Certificate password:
Initializing the VPN connection.
Secure VPN Connection terminated locally by the Client
Reason: Failed to establish a VPN connection.
There are no new notification messages at this time.

Followup-to: comp.os.linux.networking

--
/* * * Otto J. Makela <o...@iki.fi> * * * * * * * * * * * * * * * */
/* Phone: +358 40 765 5772, FAX: +358 42 7655772, ICBM: 60N 25E */
/* Mail: Mechelininkatu 26 B 27, FI-00100 Helsinki, FINLAND */
/* * * Computers Rule 01001111 01001011 * * * * * * * * * * * * */

[Otto J. Makela]

I've been successfully using vpnclient-linux-x86_64-4.8.00.0490-k9
from Cisco on a Fedora Core 5 x86_64 computer, but
kernel-2.6.20-1.2312.fc5 no longer plays nicely with it.
It did work fine with 2.6.18-1.2257 from January.

Firstly, I had to install the patch from
http://www.tuxx-home.at/archives/2006/12/07/T09_36_48/
which makes it possible to compile the vpn package, albeit with a few
warnings. I end up with a module that the kernel accepts, but trying
to open the vpn connection always fails with the rather cryptic error
message "Failed to establish a VPN connection" without producing
anything else in the system logs.

Suggestions, anyone?

Compile log (newlines added and slightly edited down for clarity):

# tail -f /var/log/messages &
# uname -a
Linux tigger.otto.net 2.6.20-1.2312.fc5 #1 SMP Tue Apr 10 15:14:58 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/redhat-release
Fedora Core release 5 (Bordeaux)
# tar xzf vpnclient-linux-x86_64-4.8.00.0490-k9.tar.gz
# cd vpnclient

vpnclient# patch < ../vpnclient-linux-2.6.19+-rev1.diff

patching file IPSecDrvOS_linux.c
patching file frag.c
patching file interceptor.c
patching file linuxcniapi.c

vpnclient# ./vpn_install
Cisco Systems VPN Client Version 4.8.00 (0490) Linux Installer
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.

By installing this product you agree that you have read the
license.txt file (The VPN Client license) and will comply with
its terms.

Directory where binaries will be installed [/usr/local/bin]

Automatically start the VPN service at boot time [yes]

In order to build the VPN kernel module, you must have the
kernel headers for the version of the kernel you are running.

Directory containing linux kernel source code [/lib/modules/2.6.20-1.2312.fc5/build]

* Binaries will be installed in "/usr/local/bin".
* Modules will be installed in "/lib/modules/2.6.20-1.2312.fc5/CiscoVPN".
* The VPN service will be started AUTOMATICALLY at boot time.
* Kernel source from "/lib/modules/2.6.20-1.2312.fc5/build" will be used to build the module.

Is the above correct [y]

Shutting down /opt/cisco-vpnclient/bin/vpnclient: module cisco_ipsec is not running.

Stopped: /etc/init.d/vpnclient_init (VPN init script)
Making module
make -C /lib/modules/2.6.20-1.2312.fc5/build SUBDIRS=/home/otto/Software/vpn/vpnclient modules
make[1]: Entering directory `/usr/src/kernels/2.6.20-1.2312.fc5-x86_64'
CC [M] /home/otto/Software/vpn/vpnclient/linuxcniapi.o
In file included from /home/otto/Software/vpn/vpnclient/Cniapi.h:15,
from /home/otto/Software/vpn/vpnclient/linuxcniapi.c:27:
/home/otto/Software/vpn/vpnclient/GenDefs.h:110:2: warning: #warning 64 bit
CC [M] /home/otto/Software/vpn/vpnclient/frag.o
In file included from /home/otto/Software/vpn/vpnclient/Cniapi.h:15,
from /home/otto/Software/vpn/vpnclient/frag.c:16:
/home/otto/Software/vpn/vpnclient/GenDefs.h:110:2: warning: #warning 64 bit
CC [M] /home/otto/Software/vpn/vpnclient/IPSecDrvOS_linux.o
In file included from /home/otto/Software/vpn/vpnclient/IPSecDrvOS_linux.c:20:
/home/otto/Software/vpn/vpnclient/GenDefs.h:110:2: warning: #warning 64 bit
CC [M] /home/otto/Software/vpn/vpnclient/interceptor.o
In file included from /home/otto/Software/vpn/vpnclient/Cniapi.h:15,
from /home/otto/Software/vpn/vpnclient/interceptor.c:30:
/home/otto/Software/vpn/vpnclient/GenDefs.h:110:2: warning: #warning 64 bit
/home/otto/Software/vpn/vpnclient/interceptor.c: In function 'handle_vpnup':

/home/otto/Software/vpn/vpnclient/interceptor.c:322: warning: assignment from incompatible pointer type
/home/otto/Software/vpn/vpnclient/interceptor.c:346: warning: assignment from incompatible pointer type
/home/otto/Software/vpn/vpnclient/interceptor.c:347: warning: assignment from incompatible pointer type
/home/otto/Software/vpn/vpnclient/interceptor.c: In function 'do_cleanup':
/home/otto/Software/vpn/vpnclient/interceptor.c:390: warning: assignment from incompatible pointer type

vpnclient#_ /etc/init.d/vpnclient_init start
Starting /opt/cisco-vpnclient/bin/vpnclient: Done
Apr 27 16:13:07 tigger kernel: Cisco Systems VPN Client Version 4.8.00 (0490) kernel module loaded

vpnclient# vpnclient connect my-corporate-profile-name