Cisco VPN Client Readme file

This file describes the contents of the Cisco VPN Client files for the Linux platform

Refer to the Bug Navigator on Cisco Connection Online for open issues:

Revision: Release



New Features:

Two new Certificate features have been added to dynamically map a Certificate to a profile without
manual selection by the user.  See the Certificate notes at the end of this document for details.

Versioning Notes:

This release is a Beta for the VPN Client installed on biarch* linux systems for x86_64 platforms.
The client is NOT compatible with pure 64-bit operating systems.
The client operates on both 32-bit i386 and biarch x86_64 operating systems.
On i386 32-bit operating systems, this release is not cosidered a Beta.
The VPN Client now requires GLIBC_2.2 and  Distributions like RedHat 9 and SuSe 9 comply with these requirements.

* biarch = 64-bit kernel that allows execution of 32-bit applications. is expected to be the last release of the non-x86 version of the Linux VPN Client.
The non-x86 version supports platforms that do not have the GLIBC_2.2 and (such as versions prior to RedHat 9 and SuSe 9).

Resolved Issues

CSCsc39924  unity linux client fails to install on machines running kernel 2.6.14
CSCeh67124  unity clients should not filter local multi/broadcast beside firewall
CSCei03756  unity linux 64 bit machines application unable to communicate
CSCei32030  unity certificatekeyusage precedence failover 

Unresolved Issues

Revision: Release 4.6 Rel
Files:    vpnclient-linux-x86_64-

Contents: - See Release Notes for Release 4.6 Rel at:

Certificate Matching Details:

1. Cerificate Extended Key Usage Matching
Profile Keyword: CertMatchEKU

This parameter specifies the list of Extended Key Usage fields that the client should honor. When 
this profile keyword is specified, the client looks only at those certs (irrespective of certificate 
store) whose Extended Key Usage fields match those that are specified by the profile keyword, during 
a connection attempt.

ie. When this profile keyword is specified, for any given cert, at least one of the Extended Key 
Usage fields specified in the profile keyword must be present in the certificate's Extended Key 
Usage field.

This keyword applies to connection attempts only and not to any other 
certificate-related operation (viz. listing certs, viewing certs, etc).
This keyword applies of all forms of certificate selection 
( viz. CertSerialHash, CertMatchDN, CertSubjectName, CertName).
The value of this keyword is a comma separated list of Extended Key Usage OID strings.

CertMatchEKU=, => Client Authentication => Server Authentication

Custom Extended Key Usage Strings must be of the form, where X can be any number.

2. Certificate Key Usage Matching
Profile Keyword: CertMatchKU

The feature allows the profile selection of Certificates based on the Key Usage as well as the DN and 
Extended Key Usage fields.  This keyword overrides the vpnclient.ini keyword "CertificateKeyUsage".


CRL_SIGN           2

If the Certificate matches any of the usages in the CertMatchKU field, it will pass on to the next 
criteria.  Otherwise the Certificate will not be selected.


If two identical Certificates except for Key Usage were available to the profile above, only the one 
with Non-Repudiation would be chosen.

3. Certificate Fall Through.
This behavior is implicit and does not have any profile keyword associated with it. For a given 
connection attempt, a certificate can be selected using one or more of four keywords given below 
(in order of precedence).

a) CertMatchEKU and CertMatchKU
b) CertSerialHash
c) CertMatchDN
d) CertSubjectName
e) CertName

If the client cannot find a cert in the given cert store using all four Certificate keywords noted above, 
the connection attempt fails.

Sample profile:

CertMatchDN=issuer-ou*"vpn group",ea*""

The profile above will only match certificates that have a Key Usage of "Non-Repudiation" AND have EITHER 
Client or Server Authentication in the Extended Key Usage.  The Issuer-ou field MUST contain "vpn group" 
and the email address for the user Certificate MUST contain "" (case insensitive). 

The scenario above would allow a common workstation to connect users based on their smart card 
certificates.  A user could walk up, put in their card, and hit connect.  The generic profile above would
find the proper certificate on their card (without restarting the client or modifying the profile) and 
prompt them for their Certificate password, username, and password.  The concentrator could also be 
configured to connect without a username and rely entirely upon the Certificates for authentication.

Note the use of the "!" character in the profile.  This prevents the previous user's information from 
being retained between connections.

# Firewall configuration written by Cisco Systems
# Designed for the Linux VPN Client Virtual Adapter
# Blocks ALL traffic on eth0 except for tunneled traffic

# Allow all traffic in both directions through the VA adapter
-A INPUT -i cipsec0 -j ACCEPT
-A OUTPUT -o cipsec0 -j ACCEPT

# Accept all encrypted VPN Client traffic in either direction on eth0
-A INPUT -i eth0 -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j ACCEPT 
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j ACCEPT 

-A INPUT -i eth0 -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j ACCEPT 
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j ACCEPT 

-A OUTPUT -o eth0 -p udp -s 0/0 --sport 1024: -d 0/0 --dport 29747 -j ACCEPT 

# Block all other traffic in either direction on eth0
-A INPUT -i eth0 -j REJECT 
-A OUTPUT -o eth0 -j REJECT