IPC-IPR-004 CoCom+ VPN Client User Guide for Linux


Introduction

This guide serves as an introduction to the Cisco VPN Client software, which is used in conjunction with the COLT CoCom+ product. It provides end users with information on how to install, configure and use the VPN Client, and includes advice on troubleshooting connectivity.

The Cisco VPN Client creates secure connections, so-called IPSec tunnels, between the Reseller’s computer and a central VPN server of the CoCom+ platform. The Linux version of the Cisco VPN Client is a software application that runs on computers with the following operating system: Linux for Intel – Red Hat Version 6.2 or later, or compatible libraries with glibc Version 2.1.1-6 or later, using kernel Versions 2.2.12 or later.

The connection to the CoCom+ FTP servers is established in two steps:

1. Establish an IPSec tunnel from the VPN Client to a VPN Server in the CoCom+ environment

2. Establish an FTP session through the tunnel to the CoCom+ FTP servers

Version 0.1 Page 2 of 9


Key Features

The Cisco VPN Client for Linux (referred to in this user guide as VPN Client) is software that runs on a Linux PC. The VPN Client on a remote PC, communicating with a central VPN server, creates a secure connection over the Internet. The Internet Key Exchange (IKE) and Internet Protocol Security (IPSec) tunnelling protocols are the basis of the VPN Client.

In the CoCom+ environment, the secure connection is established between the Reseller’s end device (PC) and a central router of the CoCom+ platform, which in turn is backed by a RADIUS server. With the help of the VPN Client software, the Reseller, connected to the Internet, can access the CoCom+ platform as if they were an on-site user.

The main features of the VPN Client can be summarised as follows:

Operating System: Linux (Intel)

Connection Types: async serial PPP, Internet-attached Ethernet, and ISDN

Protocol: IP

Tunnel Protocol: IPSec

User Authentication: RADIUS (and others)

The VPN Client allows the configuration of IPSec connections; IPSec sessions are launched, terminated, and monitored by using the VPN Client. The VPN Client supports a variety of software features, e.g.:

Automatic VPN Client configuration option – Ability to import a configuration file.

Event logging – The VPN Client log collects events for viewing and analysis.

NAT Transparency – Enables the VPN Client and the VPN device to automatically detect when to use IPSec over UDP to work properly in PAT environments.

Prerequisites

Linux System Requirements

The VPN Client for Linux supports Red Hat Version 6.2 Linux (Intel), or compatible libraries with glibc Version 2.1.1-6 or later, using kernel Versions 2.2.12 or later.

Configuration Parameters

The information needed to configure and use the VPN Client is provided by COLT as part of the service handover package. Within the Reseller’s company, the system administrator should forward the configuration details to the end users of the CoCom+ service. To create an IPSec connection with the VPN access server (or router) of the CoCom+ platform, five parameters are required:

Hostname or IP address of the VPN access server: 80.169.168.42

IPSec Group Name (for pre-shared keys): colt-wholesale.com

IPSec Group Password (for pre-shared keys): Cf. service handover package

Username (RADIUS authentication): Cf. service handover package. The username has the structure of an e-mail address <username>@colt-wholesale.com.

Password (RADIUS authentication): Cf. service handover package.


Installation Instructions

This chapter describes how to install the VPN Client software on your workstation. The VPN Client consists of

A driver, which is a loadable module.

A set of commands accessible through your shell, which is used to access the applications.

The commands and some parts of the driver are distributed in binary form only.

Unpacking the VPN Client Files:

The VPN client is shipped as a compressed tar file. To unpack the files, download the packed files to a directory of your choice. Copy the VPN Client file to a selected directory. Unpack the files using the zcat and tar commands, e.g.:

zcat vpnclient-linux-4.6.00.0045-k9.tar.gz | tar xvf -

This command creates the “vpnclient” directory in the current directory.

Installing the Software:

The installation process can be divided into five steps:

Step 1: Obtain superuser privileges to run the install script.

Step 2: Enter the following commands:

cd vpnclient

./vpn_install

The default directories for the binaries, kernel, VPN modules, and profiles are listed during the installation process. You receive the following prompts during the installation process:

Directory where binaries will be installed [/lib/modules/<kernel version>/build/]

Automatically start the VPN service at boot time [yes]

Directory containing linux kernel source code [/usr/src/linux]

Is the above correct [y]

Step 3: Press “Enter” to choose the default response. At the directory prompts, if you do not choose the default, you must enter another directory in your user’s path.

Step 4: If the installer cannot auto detect these settings, you might receive the following prompts:

Directory containing init scripts: The directory where scripts that are run at boot time are kept. Typically this is “/etc/init.d” or “/etc/rc.d/init.d”.

Directory containing run level directories (rcX.d): The directory that contains init’s run level directories. Typically this is “/etc” or “/etc/rc.d”.


Step 5: Enable the VPN service by using one of the following methods:

Restart your computer

Enable the service without restarting. Enter the following command:

/etc/rc.d/init.d/vpnclient_init start

During the installation process, the module is compiled, linked, and copied to either the directory “/lib/modules/preferred/CiscoVPN”, if it exists, or to “/lib/modules/system/CiscoVPN”, where system is the kernel version. The application binaries are copied to the specified destination directory. The startup file “/etc/rc.d/init.d/vpnclient_init” is created to enable and disable the VPN service. The links “/etc/rc3.d/s85vpnclient” and “/etc/rc5.d/s85vpnclient” are added to run level 3 and level 5 if startup at boot time is requested. These links allow the tunnel server to start at boot time and run in levels 3 and 5.


User Profiles

The VPN Client uses parameters that must be uniquely configured for each remote user of the private network. Together these parameters make up a user profile, which is contained in a profile configuration file (.pcf file). User profiles reside in the default directory “/etc/CiscoSystemsVPNClient/Profiles/”, or in the directory specified during the VPN Client installation.

User profile parameters include the remote server address, IPSec group name and password, use of a log file, etc. This chapter describes two ways to create a VPN Client user profile: A new user profile can be created by adapting an existing profile, or it can be configured from scratch.

Modifying the Sample Profile:

The VPN Client software is shipped with a sample user profile. The file is named “sample.pcf”. An example of a sample user profile is listed below:

To modify the sample profile, open the sample user profile with a text editor. Modify the keywords you want to change. The IP address of the VPN server in the CoCom+ environment is “Host=80.169.168.42”. The Group Name for establishing the IPSec tunnel is “GroupName=colt-wholesale.com”; the IPSec Group Password can be found in COLT’s service handover package. The Username and UserPassword identifying an end user as a valid member of the IPSec group “colt-wholesale.com” are also listed in COLT’s service handover package. Within the Reseller’s company, the IT administrator should distribute the username and password information. Finally, save the modified profile under a unique name in the “/etc/CiscoSystemsVPNClient/Profiles/” directory. When establishing an IPSec connection with the “vpnclient connect” command, use the new profile name.

Creating a User Profile:

Alternatively, a new user profile can be created from scratch by using any text editing program. At a minimum, the profile must contain the following keywords:

[main]

Host

AuthType

GroupName

Username

Save your new profile in the “/etc/CiscoSystemsVPNClient/Profiles/” directory. The table below gives a brief description of the mandatory user profile keywords:

Keyword: Description

[main]: A required keyword that identifies the main section. Enter exactly as shown as the first entry in the user profile.

Host = IP_Address or hostname: The hostname or IP address of the VPN device you want to connect with. The IP address of the VPN server in the CoCom+ environment is 80.169.168.42.

AuthType = 1: The authentication type the user is using. In conjunction with the CoCom+ service, the value “1” for “Preshared Keys” is mandatory.

GroupName = String: The name of the IPSec group configured on the VPN server that contains this user. Specify “colt-wholesale.com” as GroupName (case-sensitive).

GroupPwd = String: The password for the IPSec group that contains this user; cf. the COLT service handover package. If GroupPwd is not included in the user profile, the user will be prompted for the group password when connecting to the VPN server.

Username = String: The name that identifies a user as a valid member of the IPSec group specified in GroupName. The VPN Client prompts the user for that value during user authentication. Within the CoCom+ service, the Username has the structure of an e-mail address “<sampleuser>@colt-wholesale.com”; for details cf. the COLT service handover package.
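As an added example (not part of the COLT guide or the Cisco software), the following POSIX shell script checks a new .pcf profile for the mandatory keywords and the values the CoCom+ service requires, and warns when GroupPwd or UserPassword is kept in clear text in the file. The function names and the profile path in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the COLT guide: sanity-check a CoCom+ .pcf user profile
# before the first "vpnclient connect". It verifies the mandatory keywords from
# the table above, the values the CoCom+ service requires, and flags passwords
# kept in clear text in the file. Function names and paths are assumptions.
# Usage: check_pcf /etc/CiscoSystemsVPNClient/Profiles/cocom.pcf

# Print the value of keyword $2 in profile $1 ("Key=Value", spaces allowed).
pcf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

check_pcf() {
    pcf="$1"; rc=0
    # [main] must be the first entry in the profile.
    first=$(sed -n '/[^[:space:]]/{p;q;}' "$pcf")
    [ "$first" = "[main]" ] || { echo "ERROR: first entry must be [main]"; rc=1; }
    for key in Host AuthType GroupName Username; do
        [ -n "$(pcf_get "$pcf" "$key")" ] || { echo "ERROR: missing keyword $key"; rc=1; }
    done
    # Values the guide mandates for the CoCom+ service.
    [ "$(pcf_get "$pcf" Host)" = "80.169.168.42" ] \
        || { echo "ERROR: Host must be 80.169.168.42"; rc=1; }
    [ "$(pcf_get "$pcf" AuthType)" = "1" ] \
        || { echo "ERROR: AuthType must be 1 (pre-shared keys)"; rc=1; }
    [ "$(pcf_get "$pcf" GroupName)" = "colt-wholesale.com" ] \
        || { echo "ERROR: GroupName must be colt-wholesale.com (case-sensitive)"; rc=1; }
    case "$(pcf_get "$pcf" Username)" in
        ?*@colt-wholesale.com) ;;
        *) echo "ERROR: Username must have the form <username>@colt-wholesale.com"; rc=1 ;;
    esac
    # A password left in the profile is readable by anyone who can read the
    # file; leave GroupPwd/UserPassword out and the client prompts instead.
    for key in GroupPwd UserPassword; do
        [ -z "$(pcf_get "$pcf" "$key")" ] || echo "WARNING: $key is stored in clear text in $pcf"
    done
    return $rc
}

if [ $# -gt 0 ]; then check_pcf "$1"; fi
```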


Using the Command-Line Interface

This chapter describes common operations using the command-line interface. You can create your own script files that use the CLI commands to perform routine tasks, such as connect to the CoCom+ server platform, run reports, and then disconnect from the server.

Displaying a List of Commands

To display a list of available VPN Client commands, locate the directory that contains the VPN Client software and enter the vpnclient command at the command line prompt. The following example shows the command and the information that is displayed:

Establishing a Connection:

To establish an IPSec connection, use the vpnclient connect command and optional command parameters:

vpnclient connect <profile> [user <username>] [eraseuserpwd | pwd <password>] [nocertpwd]

The parameters for the vpnclient connect command are summarised in the table below:

Parameter: Description

<profile> (required): The name of the user profile configured for this connection entry (.pcf file). Enter the profile name without the .pcf file extension.

user <username> (optional): The username configured for this connection entry. If you use this option together with the pwd option, the username prompt is suppressed in the authentication dialog box.

eraseuserpwd | pwd <password> (optional): eraseuserpwd erases the user password that is saved on the VPN Client workstation, forcing the VPN Client to prompt you for a password each time you establish a connection. pwd <password> suppresses the password prompt in the authentication dialog box.

nocertpwd (optional): Suppresses the prompt for a certificate password and assumes that the password is blank (not used for the CoCom+ service).


Depending on your user profile, you are prompted for the following passwords:

Group password

User name

User password

Disconnecting the VPN Client:

To disconnect from your IPSec session, there are two methods: either enter the command vpnclient disconnect, or press “Ctrl-C” while you are in the VPN Client window.

Displaying VPN Client Statistics:

Especially if you experience stability or performance issues with IPSec connections, it is often helpful to check the status information about the current session. To display VPN Client statistics, use the vpnclient stat command and its optional parameters. The optional parameters are described in the following table:

Parameter: Description

reset: Restarts all connection counts from zero.

traffic: Displays a summary of bytes in and out, packets encrypted and decrypted, and packets bypassed and discarded.

tunnel: Displays IPSec tunnelling information.

route: Displays configured routes.

repeat: Provides a continuous display, refreshing it every few seconds. To end the display, press “Ctrl-C”.

If you enter the vpnclient stat command without any optional parameters, all status information is shown.

In the section “VPN tunnel information”, you should find the client address and the server address. The server address is the public IP address 80.169.168.42 of the central VPN server in the CoCom+ environment. The client address is a private address from the range 10.100.220.1 to 10.100.223.254; it is assigned to your computer for the duration of the IPSec tunnel. The client IP address allows your computer to communicate with the confidential (private) parts of the CoCom+ platform, in particular with the FTP server cluster (10.49.11.252). If you are unsure whether the IPSec tunnel is really working, try to reach the private (LAN) interface of the central VPN server (strictly speaking a router) with ping; a ping to the IP address 10.44.19.5 should succeed. Remember that the firewall and the FTP servers do not respond to ping.
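As an added example (not part of the COLT guide or the Cisco software), the following POSIX shell script turns the check described above into a scriptable test: it parses vpnclient stat output for the client and server addresses and compares them with the values the guide gives, then pings the router’s LAN interface when run live. The “Client address:” / “Server address:” line layout is an assumption about the client’s output, as are the function names.

```shell
#!/bin/sh
# Added example, not from the COLT guide: verify an established CoCom+ session
# by parsing "vpnclient stat" output against the addresses the guide gives.
# The "Client address:" / "Server address:" line layout is an assumption about
# the client's output; adjust the patterns if your version prints differently.

COCOM_SERVER="80.169.168.42"    # public address of the central VPN server
CLIENT_POOL_LO="10.100.220.1"   # client address range assigned through the tunnel
CLIENT_POOL_HI="10.100.223.254"
COCOM_ROUTER_LAN="10.44.19.5"   # LAN side of the VPN router; answers ping

# Convert a dotted quad to an integer so address ranges can be compared.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Return 0 if $1 lies inside the CoCom+ client address pool.
in_client_pool() {
    n=$(ip2int "$1"); lo=$(ip2int "$CLIENT_POOL_LO"); hi=$(ip2int "$CLIENT_POOL_HI")
    [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]
}

# Extract the IPv4 address following "<label>:" from stat output on stdin.
stat_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\).*/\1/p" | head -n 1
}

# Read stat output from stdin; report problems, return 0 when the tunnel looks right.
check_tunnel() {
    out=$(cat); rc=0
    client=$(printf '%s\n' "$out" | stat_field "Client address")
    server=$(printf '%s\n' "$out" | stat_field "Server address")
    [ "$server" = "$COCOM_SERVER" ] \
        || { echo "server address '$server' is not $COCOM_SERVER"; rc=1; }
    if [ -z "$client" ] || ! in_client_pool "$client"; then
        echo "client address '$client' is outside $CLIENT_POOL_LO-$CLIENT_POOL_HI"; rc=1
    fi
    return $rc
}

# Live check on a workstation with the VPN Client: addresses first, then a ping
# to the router's LAN interface (the firewall and FTP servers do not answer ping).
if [ "${1:-}" = "--live" ]; then
    vpnclient stat tunnel | check_tunnel && ping -c 3 "$COCOM_ROUTER_LAN"
fi
```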

In the section “VPN traffic summary”, “Time connected” indicates for how long the current IPSec session has been established. When exchanging payload traffic over the IPSec tunnel, i.e. when downloading CDR files for example, the number of “Packets encrypted” and “Packets decrypted” should increase significantly. A small number of “Packets bypassed” and “Packets discarded” during the tunnel establishment phase is acceptable; a slight rise in these figures for an idle tunnel can also be regarded as normal behaviour and is no cause for concern.

The section “Configured routes” just shows a default route.
