Difference between revisions of "Cisco VPN"

From NComputing Knowledge Base
(18 intermediate revisions by 2 users not shown)

Previous revision:

The Cisco AnyConnect VPN client for Linux works fine in NoTouch and some OS images have it included. To enable it, a special set-up procedure is used:

# Repurpose one PC with the latest NoTouch image that includes the VPN client
# Create your normal connection (View, Citrix, whatever)
# Create a connection named "Start VPN" and with connection mode "Custom command".
#* As soon as you have clicked the Change button, the parameter "Command to be executed" will appear a bit below. Set this parameter to:
#** vpnclient connect ProfileName
# Enable Cisco VPN service (under Services)
# Reboot the machine, do NOT start any of the connections
# Open a terminal window (Configuration -> Console)
# Configure the Cisco VPN service
#* This means that you create/edit your ProfileName.pcf connection file
#** See here: [http://micro.stanford.edu/wiki/How_to_install_and_configure_the_Cisco_VPN_client_on_a_Linux_computer]
#* Save its profile to the standard location /etc/opts/cisco-vpnclient
# Execute this command: cp -a /etc/opts/cisco-vpnclient /config/ciscovpn
# In the local configuration application of NoTouch, click on "All" and then on "Eventscripts". Set the parameter "Startup command 1" to the following value:
#* mkdir -p /etc/opts ; cp -a /config/ciscovpn /etc/opts/cisco-vpnclient
# Save the config as usual, and reboot the machine, check the workflow:
## Boot
## Start the "Start VPN" connection
## Start the VMware connection

[[Category:NoTouch Receiver]]

Latest revision as of 21:21, 23 March 2020

NoTouch supports both the original Cisco IPSec VPN client and the more modern SSL VPNs. Please note that VPN capabilities are only included in the special Enhanced Security images (on x86 thin clients). However, OpenConnect (a free client compatible with Cisco SSL VPN gateways) support is now available on RX-HDX firmware version 2.40.4306 or later.

OpenConnect

For Cisco connectivity, we favor OpenConnect, not only because it is open source, but also because it seems to be better maintained than the original Cisco software. The OpenConnect project page is http://www.infradead.org/openconnect/

We do include the OpenConnect binary (see screenshot), so running openconnect on NoTouch is no better or worse than on any other Linux system. We try to provide configuration parameters for everything so that our customers do not need to go to the command line, but for openconnect we currently ship only the binary.

The OpenConnect manual (http://www.infradead.org/openconnect/connecting.html) is relatively straightforward. Running openconnect without any parameter lists the many available options; you will need to check which of them are necessary for your installation. The manual says that you need a vpnc-script; it is included at its default location, /etc/vpnc/vpnc-script.

Our first advice is to run it from the command line. Log in to the system's configuration page, click on Console, use the su command to become root (same password again) and try to connect, starting with: openconnect https://mygateway.mycompany.com

Running on system startup: use Eventscripts with the Startup 3 slot, which runs after networking is up.

Running via a desktop icon: create a connection as if you were creating a VMware Horizon or Citrix connection, but choose the connection mode "custom command" and set the parameter "Command to be executed" to whatever openconnect command line you want to run.
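The following wrapper is an added example, not NComputing's code, of what such an openconnect command line can look like when it is placed in a "Custom command" connection or in the Eventscripts Startup 3 slot. It checks that the vpnc-script is where the manual expects it, avoids starting a second client when one is already running, and pins the gateway certificate so that a gateway presenting a different certificate is rejected instead of prompting the user. The gateway name is the placeholder from the page; the user name, the pin value and the pid-file path are assumptions to be replaced for your installation.

```shell
#!/bin/sh
# Added example wrapper around openconnect for a NoTouch custom command /
# Startup 3 script. Not NComputing's code. OC_USER, OC_SERVERCERT and
# OC_PIDFILE are assumed placeholders; override them via the environment.
OC_GATEWAY="${OC_GATEWAY:-https://mygateway.mycompany.com}"             # placeholder from the page
OC_USER="${OC_USER:-vpnuser}"                                            # hypothetical user
OC_SERVERCERT="${OC_SERVERCERT:-pin-sha256:REPLACE_WITH_GATEWAY_PIN}"    # placeholder pin
VPNC_SCRIPT="${VPNC_SCRIPT:-/etc/vpnc/vpnc-script}"                      # default location named on the page
OC_PIDFILE="${OC_PIDFILE:-/var/run/openconnect.pid}"                     # assumed path

# Build the openconnect argument string. --servercert pins the gateway
# certificate: a mismatch makes openconnect fail instead of asking the
# user to accept an unknown certificate. --background detaches after the
# tunnel is up, --syslog sends the log to the system logger.
oc_build_args() {
  printf '%s' "--script=$VPNC_SCRIPT --user=$OC_USER --servercert=$OC_SERVERCERT --pid-file=$OC_PIDFILE --background --syslog $OC_GATEWAY"
}

# Returns 0 when the vpnc-script exists and is executable.
oc_check_vpnc_script() {
  [ -x "$1" ]
}

# Returns 0 when the pid file names a live process (a client is running).
oc_is_running() {
  pidfile="$1"
  [ -r "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null
}

oc_main() {
  if ! oc_check_vpnc_script "$VPNC_SCRIPT"; then
    echo "vpnc-script not found or not executable at $VPNC_SCRIPT" >&2
    return 1
  fi
  if oc_is_running "$OC_PIDFILE"; then
    echo "openconnect is already running (pid file $OC_PIDFILE)"
    return 0
  fi
  # Word splitting of the argument string is intended here.
  # shellcheck disable=SC2046
  exec openconnect $(oc_build_args)
}

# Only connect when invoked as "script.sh --connect", so the functions can
# also be sourced and checked without starting a tunnel.
if [ "${1:-}" = "--connect" ]; then
  oc_main
fi
```

Put the script under /config (which survives reboots on NoTouch), make it executable, and use `/config/oc-start.sh --connect` as the "Command to be executed" or as the Startup 3 command. The pin value can be taken from the gateway's certificate as shown by openconnect itself during the first manual connection from the console. Authentication still happens through openconnect's own prompts, exactly as in the manual test run.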

Cisco SSL

The Cisco VPN client for Linux works fine in NoTouch and some OS images have it included.

In this guide we assume you have a NoTouch machine with a configured connection, be it Citrix, VMware Horizon View or another type, and you want to add Cisco VPN support in a way that your users can click on an icon to start the VPN connection when they need it.

  1. Open a Shell prompt and make sure you are logged in as root (use the "su" command with the client admin password to elevate from the normal user to root if necessary)
  2. Configure the Cisco VPN service
    • Create the folder where the file will reside:
      • mkdir /config/ciscovpn
    • Create/edit your ProfileName.pcf connection file
    • Save the file to /config/ciscovpn
  3. In the configuration, or via NoTouch Center, create a connection named "Start VPN" and with connection mode "Custom command".
    • Set the parameter "Command to be executed" to:
      • vpnclient connect ProfileName
      • (Please note that ProfileName is supposed to come without the .pcf extension!)
  4. Enable Cisco VPN service (under Services)
  5. Reboot the machine and check the workflow

You can of course use Connection autostart for the CiscoVPN connection to automatically connect to the VPN. We found however that most end-users like to have some control as they want to decide if they need it or not (think of a worker who sometimes works in the office without VPN and sometimes from home with VPN).

Should you require different connections for in-house and "on-the-road" scenarios, you can of course create more connections, such as "Citrix office" vs. "Citrix outside" or similar.

Notes:

  • The CiscoVPN client service needs to be restarted before you can reconnect. You might expect that the vpnclient does this for you, but that is not the case. You need to explicitly call the following command, e.g. from the session exit-action:
   /etc/init.d/vpnclient_init restart
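The script below is an added example, not NComputing's code, that ties the "Start VPN" custom command and the session exit-action from the steps and note above into one file: `connect` verifies the profile before calling `vpnclient connect`, and `restart` performs the service restart the note requires before a reconnect. The profile name and the profile directory are the page's placeholders; the permission check is an addition, because the .pcf file carries the group credential (enc_GroupPwd) and should be readable by root only, which is the user the client runs as.

```shell
#!/bin/sh
# Added example wrapper for the Cisco IPSec client on NoTouch. Not
# NComputing's code. PROFILE, PCF_DIR and VPN_INIT default to the values
# named on the page; override them via the environment if yours differ.
PROFILE="${PROFILE:-ProfileName}"                      # without .pcf, as the page notes
PCF_DIR="${PCF_DIR:-/config/ciscovpn}"                 # folder from step 2
VPN_INIT="${VPN_INIT:-/etc/init.d/vpnclient_init}"     # init script from the note

# Strip a trailing .pcf so "ProfileName.pcf" and "ProfileName" both work.
profile_name() {
  printf '%s' "${1%.pcf}"
}

# Returns 0 when <dir>/<profile>.pcf exists and has no group/other
# permission bits (mode 600 or stricter). Parses the mode column of
# ls -l, which is POSIX and also works on BusyBox-based images.
pcf_check() {
  f="$1/$(profile_name "$2").pcf"
  if [ ! -f "$f" ]; then
    echo "missing profile: $f" >&2
    return 1
  fi
  case "$(ls -ld "$f" | cut -c5-10)" in
    ------) return 0 ;;
    *)
      echo "profile $f is readable by group/other; fix with: chmod 600 $f" >&2
      return 2 ;;
  esac
}

# "Start VPN" custom command: refuse to start with a missing or
# world-readable profile, otherwise connect exactly as the page does.
vpn_connect() {
  pcf_check "$PCF_DIR" "$PROFILE" || return $?
  vpnclient connect "$(profile_name "$PROFILE")"
}

# Session exit-action: restart the client service so the next
# "Start VPN" click can reconnect.
vpn_restart() {
  "$VPN_INIT" restart
}

case "${1:-}" in
  connect) vpn_connect ;;
  restart) vpn_restart ;;
esac
```

Use `/config/ciscovpn/vpn.sh connect` as the "Command to be executed" of the "Start VPN" connection and `/config/ciscovpn/vpn.sh restart` as the exit-action of the Citrix or Horizon session; both run as root on NoTouch, which is why the profile itself can stay mode 600.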