
Remote Access via Cisco VPN Client

General Information
This guide describes step by step the configuration of a remote access to the Astaro Security
Gateway by using the Cisco VPN Client. The Cisco VPN Client is an executable program from
Cisco Systems that allows computers to connect remotely to a Virtual Private Network (VPN) in
a secure way.
This article is based on a configuration of Astaro Security Gateway Version 7.400 and Cisco VPN
Client Version 5.0. The Cisco VPN Client supports Windows 2000, XP and Vista (x86/32-bit
only); Linux (Intel); Mac OS X 10.4; and Solaris UltraSparc (32 and 64-bit).


Note As there might be restrictions on using the Cisco IPSec Client in conjunction
with non-Cisco VPN gateways, you should check your Cisco license agreement first
before using this feature!



Configuration of the Firewall

1. Define the user account of the remote host

Open the Users >> Users page and click on New User to define a new account for the
remote client.



With remote access via Cisco VPN Client this user account is also necessary for accessing the
Astaro User Portal.
Username: Enter a specific user name (e.g. gfreeman). In doing so remember that the
remote user will need this username later to log in to the Astaro User Portal.

Real name: Enter the full name of the remote user (e.g. Gordon Freeman).

Email address: Enter the e-mail address of the user.

Authentication: With the Local authentication method the following two entry fields are
displayed for defining the password. Remember that the remote user will also need these
credentials later to log in to the Astaro User Portal. You are also able to use Remote
authentication here, for example with an A-Dir or E-Dir user.

Password: Enter the password for the user.

Repeat: Confirm the password.

Use static remote access IP (optional): Select if you want to assign a static IP address for a
user gaining remote access instead of assigning a dynamic IP address from an IP address pool.
For users behind a NAT router, for example, it is mandatory to use a static remote access IP
address.

Comment (optional): Enter a description or additional information on the user. Save your
settings by clicking on the Save button.


2. Configure the Cisco VPN remote access

2.1 Global

Open the Remote Access >> Cisco VPN Client page and enable the Cisco VPN remote
access by clicking the Enable button. The status light shows amber and the page becomes
editable.


Interface: Select an interface to be used for Cisco VPN Client connections.

Server Certificate: Select the certificate with which the server identifies itself to the client.

Pool Network: Select or add a network pool to choose virtual network addresses from to
assign them to connecting clients. By default VPN Pool (Cisco) is selected.

Users and Groups: Select or add users and/or groups that are allowed to connect via Cisco
VPN Client (in this example: gfreeman).

Automatic Packet Filter Rules (optional): Select this checkbox to automatically create
packet filter rules that grant access to the local networks specified below. If you neither select
this checkbox nor create packet filter rules yourself, clients are blocked by the firewall.

Local Networks (optional): Select or add local networks here for which the automatic packet
filter rules are applied.

Click on the Apply button to save your settings.

Live Log: Use the live log to follow the log of the IPSec IKE daemon. It shows
information on establishing, maintaining, and closing connections.


2.2 iPhone
You can enable automatic Cisco IPSec configuration for iPhone users in the User
Portal. However, only users that have been added to the Users and Groups box on the Global
tab will find configuration files on their User Portal site. The iPhone status is enabled by
default.

Connection Name: Enter a descriptive name for the Cisco IPSec connection so that iPhone
users may identify the connection they are going to establish. The default name is your
company name followed by the protocol Cisco IPSec.


Note Connection Name must be unique among all iPhone connection settings (PPTP, L2TP
over IPSec, Cisco VPN Client).


Override Hostname: In case the system hostname cannot be publicly resolved by the client,
you can enter a server hostname here that overrides the internal preference of the DynDNS
Hostname before the System DNS Hostname.
To disable automatic iPhone configuration, click the status icon or Disable in the header of the
tab. The status icon turns red.


Note Connecting iPhones are presented with the server certificate specified on the Global tab.
The iPhone checks whether the VPN ID of this certificate corresponds to the server hostname
and refuses to connect if they differ. If the server certificate uses Distinguished Name as VPN
ID Type, it compares the server hostname with the Common Name field instead. You need to
make sure the server certificate fulfills these constraints.



3. Define the packet filter rule

Open the Network Security >> Packet Filter >> Rules page and create a New rule.



Source: Remote host or user (in this example: gfreeman).

Service: Set the service.

Destination: The allowed internal network (in this example: Internal (Network)).

Action: Allow.

Time Event: By default, no time event is selected, meaning that the rule is always valid. If
you select a time event, the rule will only be valid at the time specified by the time event
definition.

Log Traffic: If you select this option, logging is enabled and packets matching the rule are
logged in the packet filter log.

Comment (optional): Enter a description or additional information on the rule. Save your
settings by clicking on the Save button.


Note New rules will be added at the end of the list and remain disabled (status light shows
red) until they are explicitly enabled by clicking on the status light.





Note Active rules are processed in the order of the numbers (next to the status light) until
the first matching rule. Then the following rules will be ignored! The sequence of the rules is
thus very important. Therefore never place a rule such as Any Any Any Allow at the
beginning of the rules since all traffic will be allowed through and the following rules ignored!
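The first-match processing described in the note, as an added example that is not part of the original guide: a small Python model of the packet filter that evaluates active rules in numeric order and flags rules that an earlier, broader rule already covers, so a misplaced Any Any Any Allow is caught before it shadows everything below it. The rule numbers, the pool address 10.242.2.10 and the networks are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "Any"

@dataclass(frozen=True)
class Rule:
    number: int       # position next to the status light
    source: str       # CIDR or host address, or ANY
    service: str      # e.g. "tcp/443", or ANY
    destination: str  # CIDR, or ANY
    action: str       # "Allow" or "Drop"
    enabled: bool = True  # new rules stay disabled until the status light is clicked

def _net_covers(outer: str, inner: str) -> bool:
    """True if 'outer' contains every address of 'inner'."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))

def _svc_covers(outer: str, inner: str) -> bool:
    return outer == ANY or outer == inner

def first_match(rules, src, svc, dst):
    """Walk active rules in numeric order; the first match decides, later rules are ignored."""
    for r in sorted(rules, key=lambda r: r.number):
        if (r.enabled and _net_covers(r.source, src) and _svc_covers(r.service, svc)
                and _net_covers(r.destination, dst)):
            return r
    return None  # nothing matched: the firewall's implicit drop applies

def shadowed_rules(rules):
    """Numbers of active rules that can never fire because an earlier active rule covers them."""
    active = sorted((r for r in rules if r.enabled), key=lambda r: r.number)
    return [later.number for i, later in enumerate(active)
            if any(_net_covers(e.source, later.source) and _svc_covers(e.service, later.service)
                   and _net_covers(e.destination, later.destination) for e in active[:i])]

# Constructed sample: the order the note warns about, with a catch-all Allow at the top.
BAD_ORDER = [
    Rule(1, ANY, ANY, ANY, "Allow"),
    Rule(2, "10.242.2.10/32", "tcp/443", "192.168.0.0/24", "Allow"),  # gfreeman's pool address
    Rule(3, ANY, ANY, ANY, "Drop"),
]
# Same rules with the catch-all Allow left disabled, so the specific rule decides.
GOOD_ORDER = [Rule(1, ANY, ANY, ANY, "Allow", enabled=False)] + BAD_ORDER[1:]
```

Running shadowed_rules over BAD_ORDER reports rules 2 and 3 as dead, which is exactly the situation the note describes; with the catch-all disabled the list is empty.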

Configuration of the Remote Client

1. Astaro User Portal: Download the Certificate

1) Start your Browser and open the Astaro User Portal

Start your browser and enter the management address of the Astaro User Portal as
follows:

https://IP address (example: https://192.168.0.1)

2) Log in to the Astaro User Portal

Username: Your username (in this example: gfreeman).
Password: Your password.

3) Download the Certificate

Click on the Remote Access tab to download your certificate. Enter an export
password and click on Download.




2. Cisco VPN Client: Configure the Client

Click on Certificates >> Import to import your certificate. Browse for the PKCS#12 file and
select it. Then enter the import password (in this example: secret) and click on Import.


Now you have to create a new connection. Click on Connection Entries >> New and make the
following settings:

Connection Entry: Enter a name for the connection entry.

Description: Enter a description of this VPN connection.

Host: Enter the external IP address of the ASG.

Authentication: Activate the Certificate Authentication and select your imported certificate
from the drop-down menu.

Save your settings by clicking on the Save button.






3. Cisco VPN Client: Establish a connection

Click on the Connect button and enter your username/password to authenticate at the remote
site.




If the connection is established successfully, you will see details in the information bar of the
Cisco VPN Client. You can switch between the details by clicking on the Arrow button.






To disconnect from the VPN, click on Connection Entries >> Disconnect.


Troubleshooting

For further information about unsuccessful connections please refer to Logging >> View Log
Files >> IPSec Log. You are also able to extend the logging with debug information by selecting
various checkboxes in Remote Access >> Cisco VPN Client >> Debug.