
VPN Article Update

kevinv (apparently) - 07:52am Aug 18, 2005 PST
via email

Couple of updates on my recent VPN article:

<http://db.tidbits.com/getbits.acgi?tbart=08209>

Don McGilvery notified me that Cisco has released a new VPN client. The
latest is 4.7.00 and it fixed a system preferences proxy settings bug when
running on 10.4.x systems. Cisco really seems to be having trouble with
10.4. VPN Tracker is pushing its (virtually?) complete support for Cisco
VPNs. I don't have access to a Cisco VPN so I haven't ever used their
client software.

I can't find release notes on Cisco's sites yet, but I did find a posting
at a university indicating these other fixes were also included:

>*fixed - unity mac gui split tunnels will not pass traffic 10.4
>*fixed - unity mac switching networks prevents client connect 10.4
>*fixed - unity mac proxy information ignored by client
>*fixed - unity mac 10.4 does not inherit search domains with vpn
>*fixed - unity mac 10.4 classic traffic fails over tunnel

Alan Oppenheimer, with Open Door Networks makers of DoorStop X firewall,
reminded me that the IANA's port listing is exceedingly useful if you're
used to digging around in the innards of a UNIX system, but for Mac users
it isn't particularly friendly (or complete). He recommends Open Door's
port listing which lists Mac applications like iChat and "semi-official"
ports that IANA doesn't. Can't say I disagree.

<http://www.opendoor.com/doorstop/ports.html>


Steve Peterson recommends Apple's port list:
<http://docs.info.apple.com/article.html?artnum=106439>

But more importantly, he corrects my mistake where I stated that Apple Remote
Desktop won't work with SSH port forwarding because SSH port forwarding
can't work with UDP. SSH can't work with UDP, but ARD works over TCP (port
5900).

Kevin



atlauren (apparently) - Aug 19, 2005 9:12 am (#1 Total: 6)  

via email - Practicing random acts of punditry.
Posts: 814
Re: VPN Article Update

At 7:52 AM -0700 8/18/05, Kevin van Haaren wrote:
>I can't find release notes on Cisco's sites yet, but I did find a
>posting at a university indicating these other fixes were also
>included:
>
>>*fixed - unity mac gui split tunnels will not pass traffic 10.4
>>*fixed - unity mac switching networks prevents client connect 10.4
>>*fixed - unity mac proxy information ignored by client
>>*fixed - unity mac 10.4 does not inherit search domains with vpn
>>*fixed - unity mac 10.4 classic traffic fails over tunnel

You're welcome. ;-)

--
Andrew Laurence atlaurenuci.edu
Central Computing & Security http://www.nacs.uci.edu/~atlauren/
Network & Academic Computing Svcs.
University of California, Irvine

Chris Pepper (apparently) - Aug 20, 2005 9:06 pm (#2 Total: 6)  

via email
Posts: 845
Re: VPN Article Update

At 7:52 AM -0700 2005/08/18, Kevin van Haaren wrote:

>Steve Peterson recommends Apple's port list:
><http://docs.info.apple.com/article.html?artnum=106439>
>
>But more importantly corrects my mistake where I stated that Apple Remote
>Desktop won't work with SSH port forwarding because SSH port forwarding
>can't work with UDP. SSH can't work with UDP, but ARD works over TCP (port
>5900).

        Well, ARD2 uses 4 ports, 2 TCP and 2 UDP; 5900/TCP is the VNC
port (for primary display -- VNC can use a whole bunch), and is how
ARD2 does remote control/observe. The other ARD2 features, like
reporting and machine status, run on other ports, including
ssh-unsupported UDP. A 'real' VPN supports all these other features
correctly.

        Additionally, ARD2 keeps a list of machines, so if you're
using ssh tunneling, you have this funny entry for localhost which
can be a bit confused when it gets status information from the real
local machine, while remote control sessions are redirected elsewhere
through ssh tunnels.


                                                Chris
--
Chris Pepper: <http://www.reppep.com/~pepper/>
Rockefeller University: <http://www.rockefeller.edu/>
** I am out of the office August 22-26, returning the 29th.
Please call the Help Desk at x8940 if you need assistance.

kevinv - Aug 24, 2005 12:13 pm (#3 Total: 6)  

Posts: 1399
Re: VPN Article Update

Quoting dano <danowell.com>:

> At 5:09 PM -0700 8/15/05, Kevin van Haaren wrote:
> > First, you need to pick a VPN client. Mac OS X includes an IPsec
> > implementation based on Racoon from the KAME Project.
>
> <snip>
>
> Our research has turned up information that claims that OSX' built-in
> IPsec client was created not quite to standards. Our testing has been
> frustrating in that we've not been successful in getting the Mac OS X
> built-in IPsec client to talk to either CheckPoint or Cisco terminals.


I'm pretty sure it meets the IPSec standard; however, the standard is so flexible and has so many options that it is possible to meet the standard and still not interoperate with another product that also meets the standard.

For example, my VPN router only supports DES and 3DES encryption. If my client only supported AES-128 encryption both would still meet the standard but not be able to talk to each other.

That said, both Cisco and Checkpoint offer "value adds" to their clients that support additional functionality above the minimum of a standard IPSec implementation. Checkpoint, for example, has a firewall with policies that can be pushed from a policy server -- thereby ensuring the client machines are protected to the company's standards. These additions may make supporting basic standard IPSec connections more difficult for the network administrator.

Before Checkpoint had a Mac OS X client I was able to get VPN Tracker (on OS X 10.2 I believe) to establish a VPN tunnel with a Checkpoint firewall, however it required sitting down with our network administrator and going through the options one by one and configuring them to match. Most of the additional functionality had to be disabled.

I haven't needed to set up a VPN tunnel from my Mac in quite some time, so I've not tried setting this up under 10.4.

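The point made in the post above (two endpoints can each implement IPsec correctly and still never agree on a transform set) is easiest to see as proposal matching. The following is an added example, not code from the thread or from any of the VPN products discussed: it models the IKE-style selection of the first proposal acceptable to both sides and reports which attributes have no overlap, which is exactly the checklist you walk through with the gateway administrator. The transform names, group numbers, and the DES/3DES-only router versus AES-128-only client are constructed sample values; a real IKE exchange carries more attributes (lifetimes, PFS, authentication method) than this sketch.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Proposal:
    """One IPsec transform set an endpoint is willing to use (sample values, constructed)."""
    encryption: str   # e.g. "DES", "3DES", "AES-128"
    integrity: str    # e.g. "HMAC-MD5", "HMAC-SHA1"
    dh_group: int     # Diffie-Hellman group number, e.g. 2 for 1024-bit MODP


def negotiate(initiator: Sequence[Proposal],
              responder: Sequence[Proposal]) -> Optional[Proposal]:
    """Return the first initiator proposal the responder also accepts.

    Proposals are tried in the initiator's preference order, which is how
    an IKE responder chooses among what the initiator offered. None means
    the two sides share no transform set, so no tunnel can be established.
    """
    acceptable = set(responder)
    for proposal in initiator:
        if proposal in acceptable:
            return proposal
    return None


def explain_mismatch(initiator: Sequence[Proposal],
                     responder: Sequence[Proposal]) -> List[str]:
    """List the attributes on which the two sides have no overlap at all.

    Each entry names one option that must change on one side before any
    proposal can match; an empty list means a match is possible.
    """
    reasons = []
    for attr in ("encryption", "integrity", "dh_group"):
        offered = {getattr(p, attr) for p in initiator}
        accepted = {getattr(p, attr) for p in responder}
        if not offered & accepted:
            reasons.append(
                f"no common {attr}: client offers {sorted(offered)}, "
                f"gateway accepts {sorted(accepted)}")
    return reasons


# Constructed sample: a VPN router that only supports DES and 3DES ...
GATEWAY = [
    Proposal("3DES", "HMAC-SHA1", 2),
    Proposal("DES", "HMAC-SHA1", 2),
]

# ... a client configured for AES-128 only (standards-compliant, but disjoint) ...
CLIENT_AES_ONLY = [
    Proposal("AES-128", "HMAC-SHA1", 2),
]

# ... and the same client after 3DES was added to match the router's options.
CLIENT_WITH_3DES = [
    Proposal("AES-128", "HMAC-SHA1", 2),   # still preferred when the peer allows it
    Proposal("3DES", "HMAC-SHA1", 2),
]


if __name__ == "__main__":
    for label, client in (("AES-only client", CLIENT_AES_ONLY),
                          ("client with 3DES added", CLIENT_WITH_3DES)):
        chosen = negotiate(client, GATEWAY)
        if chosen is None:
            print(f"{label}: no tunnel; "
                  + "; ".join(explain_mismatch(client, GATEWAY)))
        else:
            print(f"{label}: tunnel up using {chosen}")
```

Running the script shows the AES-only client failing with "no common encryption" and the client with 3DES added negotiating the 3DES/HMAC-SHA1/group 2 set, even though both clients are valid IPsec configurations.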
James Bailey - Aug 24, 2005 12:14 pm (#4 Total: 6)  

Guest User
Posts: 1
Re: VPN Article Update


On Aug 24, 2005, at 10:34 AM, dano wrote:

> Our research has turned up information that claims that OSX' built-in
> IPsec client was created not quite to standards.


I believe that Tiger is L2TP/IPSec compatible. It can do PSK (pre-shared keys) or X.509 Certificates or Kerberos. Panther only supports PSK. Also, Apple's IPSec doesn't do NAT Traversal. This may be what you are talking about. You can find more info here:




kevinv (apparently) - Aug 25, 2005 8:04 am (#5 Total: 6)  

via email
Posts: 1399
Re: VPN Article Update

Quoting James Bailey <jimjdb.name>:

> IPsec client was created not quite to standards. I believe that
> Tiger is L2TP/IPSec compatible. It can do PSK
> (pre-shared keys) or X.509 Certificates or Kerberos. Panther only
> supports PSK. Also, Apple's IPSec doesn't do NAT Traversal. This may
> be what you are talking about. You can find more info here:
> http://www.jacco2.dds.nl/networking/freeswan-panther.html#NAT-Traversal[1]
> Links:
> ------
> [1]
> http://www.jacco2.dds.nl/networking/freeswan-panther.html%23NAT-Traversal


I've done NAT Traversal on my Mac with IPSec back to 10.3. My current
implementation is behind a D-Link firewall that is NAT'd, and when I was using
my PowerBook I connected from many hotels that used NAT as well.

I'm connecting to a D-Link VPN router.

Oh wait, I read the link more -- that's for L2TP over IPSec. I use straight
IPSec in Tunnel Mode, which seems to work fine.

Kevin


dano (apparently) - Aug 24, 2005 7:34 am (#6 Total: 6)  

via email
Posts: 87
VPN article update

At 5:09 PM -0700 8/15/05, Kevin van Haaren wrote:
>First, you need to pick a VPN client. Mac OS X includes an IPsec
> implementation based on Racoon from the KAME Project.

<snip>

Our research has turned up information that claims that OSX' built-in
IPsec client was created not quite to standards. Our testing has been
frustrating in that we've not been successful in getting the Mac OS X
built-in IPsec client to talk to either CheckPoint or Cisco terminals.

> After examining the available documentation, I decided there
> must be a better way. Fortunately I was not the only one with
> this idea. A quick Internet search turned up several graphical
> configuration tools. VPN Tracker ($90 for a personal license,
> $200 for a professional license) from Equinux, and IPSecuritas
> (free) from Lobotomo are two of the most popular.

>At the time of this writing, Check Point
> had not updated their IPsec clients to work with any version
> of Mac OS X 10.4.

Equinux has been remarkably unresponsive in requests for a test copy.
They will provide one from their site, but its time-to-live is only
three (:03) minutes, which is not at all close to enough time for
thorough testing of multiple applications connecting into a corporate
network. Repeated requests (email and phone) went without reply.

> Additionally, many VPN firewall makers have produced Mac OS X
> versions of their client software. Check Point and Cisco both
> offer Mac OS X clients for their VPN products. Be sure to check
> the supported configurations and versions of the software.

CheckPoint requires OS X 10.3, no more and no less. They have
promised a 10.4 version sometime in 2006. (Promise was made in early
June.) Their support costs are quite high, and their actual tech
support has been disappointing. (Even when one pays the high support
costs. YMMV.)

DISCLAIMER: I speak for me and not for any company I have worked for
or might currently work for.

> Cisco
> only recently added support for dual-processor Macs and Mac OS X
> 10.4 Tiger, although there are reports it doesn't completely work
> even with 10.4.2.

>Cisco's latest release seems to work fine
> for me. Again, verify the software's documentation show your
> particular configuration is supported before installing.

The Cisco client (v 4.7) works in 10.2, 10.3 and 10.4. It works from
the GUI layer or from the Terminal. The GUI still has some minor bugs
and a 10.2-ish look-and-feel, but is easy to understand and works
well.

One advantage is that the Cisco client looks and works the same in
Windows as it does in OSX. This may help make Windows-centric
administrators more confident and happy with the Cisco client.

The Cisco client may have some cost associated if you do not have a
Cisco VPN concentrator and its associated support costs. If you have
that, then the client is free (unlimited copies, too).

An additional feature is that RSA SecurID can be enabled on Cisco VPN
terminators so that this type of authentication works from the client
end. There is no change in configuration at the client - the RSA
authentication windowoid just pops up on connection.



Latest info page on Cisco VPN clients is for 4.6 and has not been
updated for 4.7. This info is still very useful though for learning
how to work with the CLI and GUI of the application. They also have
info for earlier versions. (Side comment: It was gratifying to read
the Cisco documentation and see some good technical writing and
documentation. Perhaps this is a comment more about other
corporations' documentation...)

<http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/index.htm>

<http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/4_6/ugmac/index.htm>

KvH's TBT post to his article lists the improvements in 4.7. There
are still some unresolved Issues (remaining in 4.7, according to
Cisco):

CSCei02133 unity mac client install with uid 502
CSCei43441 unity mac 10.4 mtu drops with location switching and sleep
CSCei44573 unity mac 10.4 needs domain added from push
CSCei48783 unity mac classic ping over 150 kernel panics



Notes from this reporter:
CSCei43441 is the most significant bug we've encountered. The vpn client is
actually a process running in Darwin, and the process can crash when
the computer is put to sleep and does not revive when the
computer is reawakened. The restart can be easily executed from the
command line, but not all users are comfortable with going into a
Terminal window and issuing a command.

Cisco says this will be fixed soon. We are considering creating an
AppleScript we can put in the Dock which would allow users to
double-click a restart of the vpn client. Or maybe we'll just wait
for the next version.



Other unresolved Issues (new in 4.7, according to this reporter from
field testing):

1) Installer no longer reads from /Profiles folder. (And perhaps not
from the /Certificates folder either. We did not test the
Certificates.) [1]

2) Delete command string as found in the documentation is no longer
valid. [2] The installation path of the application has changed.
Administrators must look to the new directory path and follow that
for correct argument to the delete_vpnclient command. [3]


[1] The metapackage installer for the Cisco VPN client 4.6 was well
scripted by somebody. It had the .mpkg which installs all Cisco's
files in their proper places, but it also had a writable folder (on
the installer volume) named Profiles. This folder allows an
administrator to preconfigure the connection
information in the files the Cisco VPN app loads in order to connect.
The installer would look to any contents of the Profiles folder and
put those contents in the correct location. This was very convenient
when one is providing the installer package to hundreds of users who
need a preconfigured application. (Setting up the configs would be
difficult for many people to manage.)

This installer script worked in 4.6, but no longer works in 4.7. A
bug report has been filed with Cisco.

[2] Cisco strongly recommends deleting any previous version of the
VPN client before installing the new version. Experience has shown
this to be sound advice. The delete command and path/argument stated
in 4.6 is no longer valid in 4.7, but is not hard to find (/etc/opt/).

[3] The delete command allows the administrator to delete the entire
Cisco VPN client installation, or optionally to retain the Profiles
and Certificates. This is convenient when one needs to upgrade the
software but wants to retain the configuration settings.


