Cisco VPN

From NComputing Knowledge Base
Jump to: navigation, search

NoTouch supports both the original Cisco IPSec VPN client as well as the more modern SSL VPNs.Please note that VPN capabilities are only included in the special Enhanced Security images (on x86 thin client). However, OpenConnect (free Cisco VPN client) support is now available on RX-HDX firmware version 2.40.4306 or later.

OpenConnect

For Cisco connectivity, we favor OpenConnect, not only because it is open, but also because it seems to be better maintained than the original Cisco software. The web page of the OpenConnect product is http://www.infradead.org/openconnect/

We do have the OpenConnect binary included (see screenshot). So running openconnect on NoTouch is not better or worse than on any other Linux system. Of course, we try to have parameters for everything so that our customers do not need to go to the command line, but for openconnect we have only the binary for now.

The OpenConnect manual looks relatively simple - http://www.infradead.org/openconnect/connecting.html - There are many parameters if you just run openconnect without any parameter, you will need to check what is necessary for your installation. The OpenConnect manual says that you need to have a vpnc-script. Of course is this included in its default location /etc/vpnc/vpnc-script.

Our first advice is to just run it from the command line. Log in to the system's configuration page, click on Console, use the su command to get root (same password again) and try to connect, start with openconnect https://mygateway.mycompany.com

Running on system startup: Use Eventscripts, use Startup 3 (this happens after networking).

Running via a desktop icon: Create a connection as if you would create a VMware Horizon or Citrix connection. However, chose the connection mode "custom command" and set the parameter "Command to be executed" to whatever openconnect command line you want to run.

Cisco SSL

The Cisco VPN client for Linux works fine in NoTouch and some OS images have it included.

In this guide we assume you have a NoTouch machine with a configured connection, be it Citrix, VMware Horizon View, whatever, and you want to add Cisco VPN support in a way that your users can click on an icon to start the VPN connection when they need it.

  1. Open a Shell prompt and make sure are logged in as root (Use the "su" command with the client admin password to elevate your privileges from normal user to root if necessary)
  2. Configure the Cisco VPN service
    • Create the folder where the file will reside:
      • mkdir /config/ciscovpn
    • Create/edit your ProfileName.pcf connection file
    • Save the file to /config/ciscovpn
  3. In the configuration, or via NoTouch Center, create a connection named "Start VPN" and with connection mode "Custom command".
    • Set the parameter "Command to be executed" to:
      • vpnclient connect ProfileName
      • (Please note that ProfileName is supposed to come without the .pcf extension!)
  4. Enable Cisco VPN service (under Services)
  5. Reboot the machine and check the workflow

You can of course use Connection autostart for the CiscoVPN connection to automatically connect to the VPN. We found however that most end-users like to have some control as they want to decide if they need it or not (think of a worker who sometimes works in the office without VPN and sometimes from home with VPN).

Should you require different connections for in-house and "on-the-road" scenarios, you can of course create more connections, such as "Citrix office" vs. "Citrix outside" or similar.

Notes:

  • The CiscoVPN client service needs to be restarted before you can reconnect. You might expect that the vpnclient does this for, but that is not the case. You need to explicitly call the following command, e.g. from the session exit-action:
   /etc/init.d/vpnclient_init restart