Remote Access via Cisco VPN Client

General Information

This guide describes step by step the configuration of remote access to the Astaro Security Gateway using the Cisco VPN Client. The Cisco VPN Client is an executable program from Cisco Systems that allows computers to connect remotely to a Virtual Private Network (VPN) in a secure way. This article is based on a configuration of Astaro Security Gateway Version 7.400 and Cisco VPN Client Version 5.0. The Cisco VPN Client supports Windows 2000, XP and Vista (x86/32-bit only); Linux (Intel); Mac OS X 10.4; and Solaris UltraSparc (32 and 64-bit).

Note: As there might be restrictions on using the Cisco IPSec Client in conjunction with non-Cisco VPN gateways, check your Cisco license agreement before using this feature!

Configuration of the Firewall

1. Define the user account of the remote host

Open the Users >> Users page and click on New User to define a new account for the remote client. With remote access via Cisco VPN Client this user account is also necessary for accessing the Astaro User Portal.
Username: Enter a specific user name (e.g. gfreeman). Remember that the remote user will need this username later to log in to the Astaro User Portal.
Real name: Enter the full name of the remote user (e.g. Gordon Freeman).
Email address: Enter the e-mail address of the user.
Authentication: With the Local authentication method the following two entry fields are displayed for the definition of the password. Remember that the remote user will also need this password later to log in to the Astaro User Portal. You are also able to use Remote authentication here, for example with an Active Directory or eDirectory user.
Password: Enter the password for the user.
Repeat: Confirm the password.
Use static remote access IP (optional): Select this if you want to assign a static IP address to a user gaining remote access instead of assigning a dynamic IP address from an IP address pool. For users behind a NAT router, for example, it is mandatory to use a static remote access IP address.
Comment (optional): Enter a description or additional information on the user.
Save your settings by clicking on the Save button.

2. Configure the Cisco VPN remote access

2.1 Global

Open the Remote Access >> Cisco VPN Client page and enable the Cisco VPN remote access by clicking the Enable button. The status light turns amber and the page becomes editable.
Interface: Select the interface to be used for Cisco VPN Client connections.
Server Certificate: Select the certificate with which the server identifies itself to the client.
Pool Network: Select or add a network pool from which virtual network addresses are assigned to connecting clients. By default VPN Pool (Cisco) is selected.
Users and Groups: Select or add the users and/or groups that are allowed to connect via Cisco VPN Client (in this example: gfreeman).
Automatic Packet Filter Rules (optional): Select this checkbox to automatically create packet filter rules that grant access to the local networks specified below. If you neither select this checkbox nor create packet filter rules yourself, clients are blocked by the firewall. Note that the automatic rules allow any service to the selected networks; if remote users only need specific services, leave this unchecked and write explicit rules instead (see step 3).
Local Networks (optional): Select or add the local networks for which the automatic packet filter rules are applied.
Click on the Apply button to save your settings.
Live Log: Use the live log to follow the log of the IPSec IKE daemon. It shows information on establishing, maintaining, and closing connections.

2.2 iPhone

You can enable automatic Cisco IPSec configuration for iPhone users in the User Portal. However, only users that have been added to the Users and Groups box on the Global tab will find configuration files on their User Portal site. The iPhone status is enabled by default.
Connection Name: Enter a descriptive name for the Cisco IPSec connection so that iPhone users can identify the connection they are going to establish. The default name is your company name followed by the protocol, Cisco IPSec.

Note: The Connection Name must be unique among all iPhone connection settings (PPTP, L2TP over IPSec, Cisco VPN Client).

Override Hostname: In case the system hostname cannot be publicly resolved by the client, you can enter a server hostname here that overrides the internal preference of the DynDNS Hostname over the System DNS Hostname.

To disable automatic iPhone configuration, click the status icon or Disable in the header of the tab. The status icon turns red.

Note: Connecting iPhones are presented the server certificate specified on the Global tab. The iPhone checks whether the VPN ID of this certificate corresponds to the server hostname and refuses to connect if they differ. If the server certificate uses Distinguished Name as VPN ID Type, it compares the server hostname with the Common Name field instead. You need to make sure the server certificate fulfills these constraints, and that the hostname the clients use (the System DNS Hostname, DynDNS Hostname or Override Hostname) is the one the certificate was issued for.

3. Define the packet filter rule

Open the Network Security >> Packet Filter >> Rules page and create a New rule.
Source: The remote host or user (in this example: gfreeman).
Service: Select the service (protocol and ports) the remote user may access. Restrict it to what is actually needed rather than allowing Any.
Destination: The allowed internal network (in this example: Internal (Network)).
Action: Allow.
Time Event: By default, no time event is selected, meaning that the rule is always valid. If you select a time event, the rule is only valid at the times specified by the time event definition.
Log Traffic: If you select this option, logging is enabled and packets matching the rule are written to the packet filter log.
Comment (optional): Enter a description or additional information on the rule.
Save your settings by clicking on the Save button.

Note: New rules are added at the end of the list and remain disabled (status light shows red) until they are explicitly enabled by clicking on the status light.

Note: Active rules are processed in the order of the numbers (next to the status light) until the first matching rule. The following rules are then ignored! The sequence of the rules is thus very important. Therefore never place a rule such as Any Any Any Allow at the beginning of the rules, since all traffic would be allowed through and the following rules ignored!
Configuration of the Remote Client

1. Astaro User Portal: Download the Certificate

1) Start your browser and open the Astaro User Portal
Start your browser and enter the address of the Astaro User Portal as follows: https://ip address (example: https://192.168.0.1)

2) Log in to the Astaro User Portal
Username: Your username (in this example: gfreeman).
Password: Your password.

3) Download the Certificate
Click on the Remote Access tab to download your certificate. Enter an export password and click on Download. The downloaded PKCS#12 file contains your private key, and the export password is the only thing protecting it, so choose a strong one, keep the file private, and remember the password: you need it again when importing the file into the client.

2. Cisco VPN Client: Configure the Client

Click on Certificates >> Import to import your certificate. Browse for the PKCS#12 file and select it. Then enter the import password (the export password you entered in the User Portal; in this example: secret) and click on Import.
Now you have to create a new connection. Click on Connection Entries >> New and make the following settings:
Connection Entry: Enter a name for the connection entry.
Description: Enter a description of this VPN connection.
Host: Enter the external IP address of the ASG.
Authentication: Activate Certificate Authentication and select your imported certificate from the drop-down menu.
Save your settings by clicking on the Save button.

3. Cisco VPN Client: Establish a connection

Click on the Connect button and enter your username and password to authenticate to the remote site. If the connection is established successfully, you will see details in the information bar of the Cisco VPN Client. You can switch between the details by clicking on the Arrow button. To disconnect from the VPN, click on Connection Entries >> Disconnect.

Troubleshooting

For further information about unsuccessful connections, refer to Logging >> View Log Files >> IPSec Log. You are also able to extend the logging with debug information by selecting the various checkboxes in Remote Access >> Cisco VPN Client >> Debug.
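Two steps above depend on the names inside a certificate: the note in section 2.2 says the iPhone refuses to connect when the server certificate's VPN ID (or, for a Distinguished Name VPN ID, its Common Name) does not match the server hostname, and the client-side steps hand you a password-protected PKCS#12 file whose contents you cannot see from the GUI. The script below is an added example, not part of the Astaro article or the Cisco client: it extracts the certificate from a PKCS#12 file (or reads a PEM certificate), lists its Common Name and DNS subjectAltNames, and checks whether a given hostname is among them. It assumes the openssl command-line tool is installed and that a Hostname-type VPN ID is carried as a DNS subjectAltName (so both VPN ID types are covered by checking CN and DNS SANs); the file names, the password "secret" and the hostname vpn.example.com are hypothetical, and the test certificate is generated locally so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the Astaro article): check that the hostname a VPN
# client will use appears in a certificate, read from a PKCS#12 or PEM file.
# Assumptions: the openssl CLI is available; Hostname VPN IDs live in DNS
# subjectAltNames and Distinguished Name VPN IDs are compared via the CN.
# All file names, passwords and hostnames here are hypothetical.

# p12_cert_pem FILE PASSWORD
# Print the certificate stored in a PKCS#12 file as PEM (private key omitted).
p12_cert_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null
}

# cert_names_pem < PEM
# Read a PEM certificate from stdin; print its subject CN and every DNS
# subjectAltName, one name per line.
cert_names_pem() {
    pem=$(cat)
    printf '%s\n' "$pem" | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
    printf '%s\n' "$pem" | openssl x509 -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# cert_names FILE PASSWORD
# Same as cert_names_pem, for the certificate inside a PKCS#12 file.
cert_names() {
    pem=$(p12_cert_pem "$1" "$2") \
        || { echo "cannot read $1 (wrong password or unsupported format?)" >&2; return 1; }
    printf '%s\n' "$pem" | cert_names_pem
}

# cert_matches_host FILE PASSWORD HOST
# Exit 0 only if HOST equals the CN or one of the DNS SANs. The comparison is
# case-insensitive and exact: wildcards are deliberately not honoured.
cert_matches_host() {
    cert_names "$1" "$2" | grep -qixF "$3"
}

# make_test_p12 DIR HOST PASSWORD
# Build a throwaway self-signed certificate with CN=HOST and DNS:HOST and
# package it as DIR/client.p12 so the checks above can be exercised offline.
make_test_p12() {
    cat > "$1/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $2
[v3]
subjectAltName = DNS:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -out "$1/client.p12" -passout "pass:$3"
}

# Stand-alone usage: ./check_vpn_cert.sh client.p12 'export-password' vpn.example.com
if [ "$#" -eq 3 ]; then
    if cert_matches_host "$1" "$2" "$3"; then
        echo "OK: $3 is a name in the certificate in $1"
    else
        echo "MISMATCH: $3 is not in $1; names found:" >&2
        cert_names "$1" "$2" >&2
        exit 1
    fi
fi
```

Run it against the server certificate before rolling the iPhone profile out, with the hostname clients will actually resolve (the Override Hostname if you set one). A mismatch means the iPhone will refuse the connection even though the Cisco VPN Client, which is pointed at an IP address, connects fine. If openssl refuses a PKCS#12 file exported by an older gateway, the file may use legacy encryption; OpenSSL 3 needs the -legacy option on openssl pkcs12 to read it.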