VPN & Ascom
Using free VPN client
- Install the package 'vpnc' (e.g. via Synaptic)
- Go to /etc/vpnc/, copy example.conf to e.g. ascom.conf and edit it:
- IPsec gateway <- Host
- IPSec ID <- Groupname
- Xauth username <- username
- Xauth password <- password (leave empty)
- Comments can be inserted by prefixing a line with '#'
- Alternative way: convert the .pcf profile to a .conf file with /usr/share/vpnc/pcf2vpnc ascom.conf (see VPNC configuration)
- start: sudo vpnc ascom
- stop: sudo vpnc-disconnect
See [1] for help. If you want to start the Terminal Server client from the command line, execute tsclient &
Using Cisco-VPN-client
Installation
- Download zipped Cisco-VPN-client from KPUR-NAS (tools/..) -> vpnclient-linux-x86_64-4.8.02.0030-k9.tar.gz
- Unpack the archive and execute vpn_install (as root)
- create profile under /etc/CiscoSystemsVPNClient/Profiles -> ascom.pcf
After a Linux kernel update you have to execute vpn_install again!
Run
- Start the VPN daemon: sudo /etc/init.d/vpnclient_init start (the installation was unable to register this as a startup procedure)
- Startup VPN-client: vpnclient connect ascom
- enter username: bfuerp
- CryptoCard: press 'PASSWORD', enter your pw, 'ENT', 'ENT' -> enter generated pw in console, wait until connection establishes
- Startup 'Terminal Server Client' (Package 'rdesktop')
- If started in full screen, press CTRL-ALT-Enter to switch back.
Stop
- Press CTRL-C in console OR enter in another console: vpnclient disconnect
- Stop the VPN daemon: /etc/init.d/vpnclient_init stop
Update routing
Cisco VPN client
When using the Cisco VPN client, connections are only allowed to the VPN server (this is a rule imposed by Ascom). Thus, it is best to set up the proxy to proxy.ascom.ch or info.hasler.ascom.ch. This can be adjusted under 'System', 'Preferences', 'Network Proxy'.
Disadvantages:
- e.g. local network printers cannot be used (unless you can access them via the Internet).
- Sending emails is often a problem:
- Access the SMTP server via SSL (was not possible in my case (Hostpoint))
- Use the Ascom SMTP server: rubicon.hasler.ascom.ch:25 (did not work either)
VPNC
VPNC does not seem to strictly follow the rules imposed by Ascom that disallow connections to servers beyond the VPN host:
- Printing to a server in the local LAN is still possible.
- As an immediate disadvantage, the Internet browser and Skype did not work after setting up the VPN tunnel (setting up the proxy helped only partially).
After some investigation I could solve these issues by updating the route settings (see VPNC-HowTo, Chapter 7). VPNC sets the default gateway to the tunnel, but you can overwrite this setting (with root rights). After setting up the tunnel, call something like:
# vpnc imposes the default gateway 139.79.108.37 -> overwrite it with the local router (fritz.box)
route add default gw <local gateway>
# Reach my Ascom PC via the VPN tunnel: route my Ascom subnet over tun0
route add -net 139.79.229.0 netmask 255.255.255.0 dev tun0
# Reach the Ascom nameserver via the VPN tunnel: route the nameserver subnet over tun0
route add -net 139.79.225.0 netmask 255.255.255.0 dev tun0
# Add additional Ascom subnets here (otherwise they are not routed via the tunnel)
Setting up a local nameserver (as suggested in the link above) was not necessary in my case.
The current route settings can be introspected by issuing netstat -r.
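With the routes overwritten as above, only the subnets explicitly routed over tun0 are carried by the tunnel; everything else (browser, Skype, printing) leaves through the local router in the clear, and a subnet missing from the list silently does the same. The following check, an added example that is not part of the original page, parses netstat -rn output (a constructed sample with an assumed local router 192.168.178.1) and reports where the default route and each required Ascom subnet actually go.

```shell
#!/bin/sh
# Constructed sample of `netstat -rn` output after the route fix-up described above.
# Local router 192.168.178.1 is an assumption; the Ascom subnets are the ones from the page.
ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.178.1   0.0.0.0         UG        0 0          0 eth0
139.79.225.0    0.0.0.0         255.255.255.0   U         0 0          0 tun0
139.79.229.0    0.0.0.0         255.255.255.0   U         0 0          0 tun0
192.168.178.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0'

# route_iface TABLE NETWORK: print the interface that carries an explicit route for
# NETWORK (0.0.0.0 = default route). Returns 1 if there is no such route, i.e. the
# network would fall back to the default gateway.
route_iface() {
    while read -r dest gw mask flags rest; do
        # the interface is the last column; header lines never match a network
        [ "$dest" = "$2" ] && { printf '%s\n' "${rest##* }"; return 0; }
    done <<EOF
$1
EOF
    return 1
}

# check_split_tunnel TABLE TUN_IF SUBNET...: report the default route and verify that
# every listed subnet is routed over TUN_IF. Returns 1 if any subnet bypasses the tunnel.
check_split_tunnel() {
    table=$1; tun=$2; shift 2; status=0
    def=$(route_iface "$table" 0.0.0.0) || def=none
    if [ "$def" = "$tun" ]; then
        echo "default route: via $tun (all traffic enters the tunnel)"
    else
        echo "default route: via $def (only the listed subnets use the tunnel)"
    fi
    for net in "$@"; do
        via=$(route_iface "$table" "$net") || via=none
        if [ "$via" = "$tun" ]; then
            echo "$net: via $tun"
        else
            echo "$net: via $via (NOT in tunnel, traffic leaves unencrypted)"; status=1
        fi
    done
    return $status
}

# Live use on the VPN host: check_split_tunnel "$(netstat -rn)" tun0 139.79.225.0 139.79.229.0
check_split_tunnel "$ROUTES" tun0 139.79.225.0 139.79.229.0
```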