
Entries in VPN (4)

Monday, Mar 08 2010

Introducing Shimo - VPN Made Easy

Working in Telecoms I am always interested in new networking solutions for the Mac. Mac OS X has a built-in VPN (virtual private network) client which is actually very good. It is easy to set up, has simple menu-bar controls, and for the most part provides reliable connections. However, its Achilles heel has always been Cisco VPN, which just so happens to be the most widely used VPN solution on the market. If you search the web you will find plenty of complaints from users trying to configure OS X’s built-in VPN client to connect to Cisco VPNs. Normally the only solution is to download and install the official Cisco VPN client, but unfortunately the Mac client is not one of Cisco's greater achievements. It basically looks and feels like a rushed Windows port that requires the installation of kernel extensions and other system-level files (something all Mac users should try to avoid). Thankfully there is another option: Shimo.

Shimo by ChungwaSoft is a native Mac OS X VPN client that supports almost every VPN protocol available today. This includes Cisco VPN, OpenVPN, PPTP and L2TP, Hamachi and even Cisco's next generation AnyConnect protocol. It also has the ability to automatically detect changes in your network configuration and react accordingly, like initiating a VPN connection or reconnection.

The table below shows the full spec list compared to its two main rivals:

Shimo was designed from the ground up for the Mac. As a result it has the simple, clean, no-fuss user interface that you have come to expect from native Mac applications. Once started, Shimo will load into the menu-bar and provide you with four options - connect, view stats of your session, edit preferences or quit. Before you can connect you must first configure your VPN. This can be done by selecting "Preferences".

Under the "Profiles" tab click the "+" button to add a new connection from the list of available options. You can either configure the connection manually or import from an existing configuration file (such as a Cisco PCF file). If you choose to import, Shimo will do everything for you and you will see the new connection appear in your profile list. You can create as many new connections as you want and even specify "automatic connect" settings so that your machine will automatically build the VPN tunnel when it detects a specific network (work SSID, etc).

Once configured all you need to do is select the specific VPN you would like to connect to from the menu-bar, where you will be prompted to complete your standard authentication process.

Shimo is currently on version 2, however the developer is already hard at work on version 3, which promises to bring a huge number of new features, as well as improve the reliability of existing connections. Shimo costs £10 for the full version, however it is the best and most versatile VPN client I have used for the Mac and therefore, in my opinion, is worth every penny. To find out more about Shimo and to download the free trial head over to their website.

Thursday, Jun 04 2009

iVPN - The Simple VPN GUI Apple Forgot

Ever wanted to set up a virtual private network (VPN) to securely connect to your home network? If you read the Apple support guide it states that you will need a copy of OS X Server to enable this functionality.

Thankfully this is not the case. The standard client version of OS X actually has the VPN Server installed, however the administrator GUI is not available. iVPN (currently on version 4.1) changes that and provides you with a GUI that can configure and switch on the VPN server.


As iVPN uses the standard VPN server built into OS X, it supports PPTP and L2TP IPSec VPN. iVPN can be downloaded for £14.99 from MacServer (also be sure to check out iSSH). 

Thursday, Apr 30 2009

Configure Cisco ASA & AnyConnect VPN Client

This article aims to explain how to configure a Cisco ASA to terminate a Cisco AnyConnect SSL VPN client using the ASDM (GUI).

The following example was configured on an ASA 5505 running software version 8.0(4). The ASA also has ASDM v6.1(5) and AnyConnect v2.3 installed on its flash and was set to the factory default configuration.

Before starting please ensure you have the latest version of Java installed on the Windows computer you intend to use to setup the ASA.

Connect a Windows computer to the inside interface of the ASA (Interface 1 is set to the Inside interface by default). The ASA should automatically allocate an IP address to the computer by DHCP. This address will likely be 192.168.1.2.

Open a browser (I recommend Internet Explorer 6/7/8 for this installation) and go to:

https://192.168.1.1

You will be prompted with the following page:

Click "Install ASDM Launcher and Run ASDM". You will be prompted for your ASA login password (if configured).

Once the ASDM has been downloaded and installed login via the ASDM:

Choose "Configuration > Device Setup > Interfaces" and check "Enable traffic between two or more hosts connected to the same interface". Please note I have also assigned the IP address 172.16.1.1/24 to the outside interface (interface 0). This is for example purposes only.

Choose "Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools" and click Add in order to create the IP address pool "vpnpool".

Choose "Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles" and under Access Interfaces, click the check box "Enable Cisco AnyConnect VPN Client or legacy SSL VPN Client on the interfaces selected in the table below". Once checked you will be asked to select the AnyConnect image stored on the ASA Flash.

Also check "Allow Access" and "Enable DTLS" for the outside interface.

Choose "Configuration > Remote Access VPN > Network (Client) Access > Group Policies" and click Add to create an internal group policy "clientgroup". Under the "General tab > More Options", select the "SSL VPN Client" check box in order to enable the WebVPN as tunneling protocol.

In the "Advanced > Split Tunneling" tab, choose "Tunnel All Networks" from the Policy drop-down list so that all packets from the remote PC are sent through the secure tunnel.

To enable the "Keep Installer on Client System" option, uncheck the Inherit check box under "Advanced > SSL VPN Client", and click the Yes radio button.

Click "Advanced > SSL VPN Client > Login Setting" in order to set the Post Login Setting and Default Post Login Selection as shown below.

Click "Advanced > SSL VPN Client > Key Regeneration".

For the "Renegotiation Interval" option, uncheck the Inherit box, uncheck the Unlimited check box, and enter 30. Security is enhanced by setting limits on the length of time a key is valid.

For the "Renegotiation Method" option, uncheck the Inherit check box, and click the SSL radio button. Renegotiation can use the present SSL tunnel or a new tunnel created expressly for renegotiation.

Finally Click OK and Apply.

Choose "Configuration > Remote Access VPN > AAA/Local Users > Local Users" click Add in order to create the new user account "ssluser1". Select a password of your choice (For example "cisco"). Click OK and then Apply.

Choose "Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Connection Profiles" click Add in order to create the new tunnel group "sslgroup". In the "Basic" tab apply the following settings:

Under "Advanced > SSL VPN > Connection Aliases" click Add, specify the group alias "sslgroup_users" and click OK.

Choose "Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Login Page Setting", check "Allow user to select connection profile, identified by its alias, on the login page. Otherwise, DefaultWEBVPNGroup will be connection profile" and click Apply.

Finally choose "Configuration > Firewall > NAT Rules > Add Dynamic NAT Rule" so the traffic that comes from the inside network can be translated with outside IP address 172.16.1.5. Click OK when complete.

Choose "Configuration > Firewall > NAT Rules > Add Dynamic NAT Rule" for the traffic coming from the outside network, so that 192.168.10.0 can be translated with outside IP address 172.16.1.5. Click OK when complete.

To finish click Apply and Save.
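For readers who prefer the command line, or who want to audit what ASDM actually wrote to the running configuration, the following is an added example (constructed here, not from the original article) of the ASA 8.0(4) CLI equivalent of the ASDM steps above. The interface addresses, pool name, group policy, user, tunnel group, alias, rekey settings and NAT addresses are the ones the article uses; the VLAN interface numbers, the address-pool range (192.168.10.1-254, inferred from the outside NAT rule), the AnyConnect package file name and the inside network mask are assumptions and must be adjusted to match your own unit.

```text
! Added example: CLI form of the ASDM configuration described above.
! ASSUMED: Vlan1/Vlan2 as inside/outside on an ASA 5505 (factory default).
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
! "Enable traffic between two or more hosts connected to the same interface"
same-security-traffic permit intra-interface
!
! Address pool handed to connecting clients. ASSUMED range; the article only names the pool.
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
!
! Enable AnyConnect (SVC) on the outside interface. ASSUMED package file name;
! use the exact name of the .pkg on your flash. DTLS is on by default once enabled.
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3-PLACEHOLDER-k9.pkg 1
 svc enable
 tunnel-group-list enable
!
! Group policy "clientgroup": SSL VPN Client only, tunnel all traffic, keep the
! installer, rekey every 30 minutes over the existing SSL tunnel.
group-policy clientgroup internal
group-policy clientgroup attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc
!
! Local user. "cisco" is the article's example password; replace it before use.
username ssluser1 password cisco
!
! Tunnel group "sslgroup" with its alias, shown on the login page because
! tunnel-group-list is enabled above.
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
 address-pool vpnpool
 default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
 group-alias sslgroup_users enable
!
! Dynamic NAT: inside hosts and VPN clients (arriving on outside) share 172.16.1.5.
global (outside) 1 172.16.1.5
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 192.168.10.0 255.255.255.0
!
write memory
```

After applying this, `show running-config webvpn`, `show running-config group-policy clientgroup` and `show running-config tunnel-group sslgroup` let you confirm that what ASDM saved matches what you intended, and `show vpn-sessiondb svc` lists the AnyConnect sessions that are actually established during the test below.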

To test you will need to connect a Windows computer to the outside interface of the ASA (interface 0) and set the IP settings to:

IP Address: 172.16.1.5

Subnet Mask: 255.255.255.0

Now open a browser (I recommend Internet Explorer 6/7/8 for this test) and establish an SSL connection with the ASA by going to:

https://172.16.1.1

You will be prompted for your login credentials.

Once authenticated (ssluser1 / cisco / sslgroup_users) your browser will automatically download the Cisco AnyConnect client, install it and establish an SSL VPN connection to the ASA.

Thursday, Apr 23 2009

NetMotion – Making Remote Users Mobile

NetMotion Wireless is a US based company formed in 2001. Their primary product known as Mobility XE is a Mobile Virtual Private Network (Mobile VPN) targeted at mobile workers in the enterprise, public safety, government, health care and utility industries.

Mobility XE is a software only product that aims to provide secure, continuous remote access to network resources from mobile devices over wired or wireless IP-based networks. This type of service is offered by many other vendors, however Mobility XE has a unique selling point called "Application Persistence".

Traditional IPSec and SSL VPNs do not tend to handle wireless or roaming access very well. If you are connected via a wireless hotspot or 3G, your connection strength will vary depending on location and surroundings, which often results in a temporary loss of connectivity. Unfortunately, when this happens, network-driven services such as e-mail, calendaring, Intranet access and file transfers will lose their connection and display an error message to the user or simply become unresponsive. This is especially frustrating if a user is authenticated against a secure application or halfway through a file transfer, as they will be forced to re-authenticate or restart the transfer from the beginning.

"Application Persistence" offered by Mobility XE is able to sustain an application's session through a loss of connectivity and even through a change of connection type, such as 3G to a wireless hotspot. This means that any application or process the user was previously using will be automatically suspended with no irritating error messages being displayed. When the connection returns, the suspended applications will automatically continue from where they left off, without requiring the user to re-authenticate. This process works for almost all applications and requires no additional configuration work; even connection-oriented applications such as FTP and Telnet will suspend without an issue. Not only is "application persistence" useful during a loss of connectivity, but it also enables true roaming capabilities. This means the user is able to connect to a wireless hotspot, move outside and maintain a connection during the switch to 3G, and then connect via a wired network at home without ever losing their session to the enterprise network.

Mobility XE also has advanced access control features, centralized management and reporting. To learn more about the product please visit: www.netmotionwireless.com.

How it works:

The Mobility XE client is a customizable, lightweight application that sits on the user’s computer. Unfortunately at this time the application only supports Windows, therefore Mac and Linux users will have to look elsewhere for their remote access solution. The client automatically handles the available network interface cards installed on the user’s computer (including 3G), as well as the IP addressing, security policies, access control and application optimisation. Once installed it should require no user input or configuration and handles connection termination and application persistence automatically.

The Mobility XE client terminates against the Mobility XE server, a piece of software that runs on a Windows server platform and sets up and maintains user sessions. NetMotion state that one server (depending on specification) is able to terminate up to 1500 concurrent user sessions. If more sessions are required, the software supports clustering, whereby multiple servers run together to provide additional capacity.

The diagram below shows the remote user changing connection type whilst maintaining their session to the enterprise network which is being handled by the Mobility XE server.