VPN & Ascom

Aus Peter Fuerholz' Wiki
Zur Navigation springen Zur Suche springen

Using free VPN client

  1. Download package 'vpnc' (Synaptic)
  2. go to /etc/vpnc/ and copy example.conf to e.g. ascom.conf and edit it:
    1. IPsec gateway <- Host
    2. IPSec ID <- Groupname
    3. Xauth username <- username
    4. Xauth password <- password (let cleared)
comments can be inserted by prefixing with '#'
Alternative way: Convert pcf to conf file: /usr/share/vpnc/pcf2vpnc ascom.conf See VPNC configuration
  1. start: sudo vpnc ascom
  2. stop: sudo vpnc-disconnect

See for help at [1]. If you want to start Terminal server on the command-line execute tsclient&

Using Cisco-VPN-client

Installation

  1. Download zipped Cisco-VPN-client from KPUR-NAS (tools/..) -> vpnclient-linux-x86_64-4.8.02.0030-k9.tar.gz
  2. Unzip file, execute vpn_install (as root)
  3. create profile under /etc/CiscoSystemsVPNClient/Profiles -> ascom.pcf

After a Linux kernel update you have to execute vpn_install again!

Run

  1. Startup VPN demon: sudo /etc/init.d/vpnclient_init start (installation was unable to configure that as startup procedure)
  2. Startup VPN-client: vpnclient connect ascom
    1. enter username: bfuerp
    2. CryptoCard: press 'PASSWORD', enter your pw, 'ENT', 'ENT' -> enter generated pw in console, wait until connection establishes
  3. Startup 'Terminal Server Client' (Package 'rdesktop')
If started in full screen, press CTRL-ALT-Enter to switch back.

Stop

  1. Press CTRL-C in console OR enter in another console: vpnclient disconnect
  2. Stop VPN demon: /etc/init.d/vpnclient_init stop

Update routing

Cisco VPN client

When using Cisco VPN client, connections are only allowed to the VPN server (This is a rule imposed by Ascom). Thus, it is best to set up the proxy to proxy.ascom.ch oder info.hasler.ascom.ch. This can be adjusted under 'System', 'Preferences', 'Network Proxy'.

Disadvantages:

  • e.g. local network printers cannot be used (unless you can access them via Internet.
  • Sending emails is often a problem:
    • Access SMTP-server via SSL (was not possible in my case (Hostpoint))his
    • Use Ascom SMTP-server: rubicon.hasler.ascom. ch:25 (did not work either)

VPNC

The VPNC seems not strictly follow the rules imposed by Ascom to disallow connections to server beyond the VPN-host:

  • printing to server in local LAN is still possible.
  • As a instant disadvantage, the Internet browser and Skype did not work after setting up the VPN tunnel. (setting up the proxy helped only partially.)

After some investigation I could solve these issues by updating the route settings (See VPNC-HowTo, see Chapter 7). While VPNC updates the default gateway to the tunnel you can overwrite this setting (with root rights). After setting up the tunnel call something like:

 # vpnc imposes default gateway setting: 139.79.108.37 -> overwrite with local router (fritz.box)
 route add default gw <local gateway>
 # Tell to access my Ascom PC via VPN tunnel: route my Ascom subnet over tun0:
 route add -net 139.79.229.0 netmask 255.255.255.0 dev tun0
 # Tell to access the Ascom nameserver via VPN tunnel: route Ascom nameserver over tun0:
 route add -net 139.79.225.0 netmask 255.255.255.0 dev tun0
 # Add additional Ascom subnets here (otherwise they are not routed via tunnel)

The setting up of a local nameserver was not necessary in my case... (as suggested in the link above)

The current route settings can be introspected by issuing netstat -r.