equinux VPN Tracker 6.4.6 User Manual

VPN Tracker 6
The Complete Manual
© 2011 equinux AG and equinux USA, Inc. All rights reserved.
Under copyright law, this manual may not be copied, in whole or in part, without the written consent of equinux AG or equinux USA, Inc. Your rights to the software are governed by the accompanying software license agreement.
The equinux logo is a trademark of equinux AG and equinux USA, Inc., registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies.
equinux shall have absolutely no liability for any direct or indirect, special or other consequential damages in connection with the use of this document or any change to the router in general, including without limitation, any lost profits, business, or data, even if equinux has been advised of the possibility of such damages.
Every effort has been made to ensure that the information in this manual is accurate. equinux is not responsible for printing or clerical errors.
Manual revision 7
Created using Apple Pages.
www.equinux.com
Which Manual is Right for You?
We offer two manuals for VPN Tracker:
VPN Tracker 6 – The Complete Manual (this document)
For VPN administrators and advanced users
Covers setting up your VPN gateway, configuring a connection, exporting and deploying VPN Tracker and describes every setting and option.
VPN Tracker 6 User Guide
For regular users who want to get the most out of VPN Tracker
Covers using Secure Desktop, accessing your file servers, printers and other common tasks
Select “Help > User Guide” in VPN Tracker to read the User Guide.
Contents
VPN Tracker 6 at a Glance
Introducing VPN Tracker
What’s New?
VPN Tracker Editions
Getting Started
  Installing VPN Tracker
  Activating VPN Tracker
Migrating from Previous Versions
VPN Crash Course
Getting Connected
  Actions and Export
Connecting to an Existing VPN
Setup without Configuration Guide
Importing Connections
Secure Desktop: The Easy Way to Access Your Office
Working with VPN Tracker
  Managing Your Connections
  VPN Connection Status
  Actions
  Menu Bar Item
  Dashboard Widget
Exporting Connections
  Deploying Connections
Managing Licenses
Troubleshooting
Settings Reference
  Basic Tab
  Advanced Tab
  Actions Tab
  Export Tab
  VPN Tracker Preferences
Appendix
Choosing the Right VPN Device
L2TP / PPTP Connections
Accessing Files, Printers and Databases over VPN
VPN and Network Address Translation (NAT)
Certificates
  Using Smart Cards
Further Resources
Keyboard Shortcuts
VPN Tracker 6 at a Glance
On/Off Switch
Connect and disconnect your VPN connection by sliding its switch on or off.
Secure Desktop
Everything you need to work over VPN in one place: Applications, servers, websites and more.
Status Area
See what’s happening on your VPN connection. Click the arrow button for additional details.
Basic
Basic settings of your VPN connection, such as the VPN gateway that is used.
Advanced
Advanced settings such as encryption algorithms.
Actions and Export
Automate frequent tasks and export connections.
Log
Get troubleshooting advice and see what VPN Tracker is doing.
Connection Details
The settings of the selected VPN connection. VPN Tracker ships with device profiles for many VPN gateways, so only the settings relevant for your VPN gateway are shown.
Add Items
Add a new VPN connection, group or Secure Desktop
Toggle Details
Display or hide your connection details, your Secure Desktop, or the status area
Introducing VPN Tracker
Welcome to VPN Tracker, the leading VPN client on Mac. Whether you are new to VPN or a seasoned VPN guru, this manual will help you get started with VPN Tracker.
New to VPN Tracker?
See how to install VPN Tracker and how to activate your license (or get a free trial) in →#Getting Started
Learn about VPN Basics in our →#VPN Crash Course and then move straight to →#Getting Connected
Explore how using your VPN is a breeze with →#Secure Desktop
Upgrading to VPN Tracker 6?
See how to →#Upgrade Your License to VPN Tracker 6 and how VPN Tracker automatically takes care of →#Migrating from Previous Versions
Explore →#What’s New in VPN Tracker 6
Check out the new →#Secure Desktop – the starting point of your VPN
System Administrators and IT Departments
Learn how to connect to your existing VPN gateway or set up everything from scratch in →#Getting Connected
See how easy it is to deploy VPN Tracker in big or small organizations by →#Exporting Connections, creating customized VPN Tracker applications, and →#Managing Licenses
At the end of this manual you can find a complete →#Settings Reference that describes every setting in VPN Tracker in detail
Conventions Used in This Document
Links to External Websites
Sometimes you will be able to find more information on external websites. Clicking links to websites will open the website in your web browser:
http://equinux.com
Links to Other Parts of this Manual
A →#Link will take you to another place in the manual. Simply click it if you are reading this manual on your computer.
Tips and Tricks
This manual contains lots of great tips. You can easily spot them by looking for the light bulb icon.
Advice for Setting up Your VPN Gateway
If you are setting up not just VPN Tracker, but also a VPN gateway, this icon points out recommended settings and things you need to pay attention to when setting up a VPN gateway.
Warnings
This exclamation mark warns you when there is a setting or action where you need to take particular care.
Getting Help
VPN Tracker makes VPN simple. However, computer networking and VPNs can be complex and tricky at times, so we have also built in tools and helpful features that will assist you if you ever run into problems. Check out →#Troubleshooting for more information.
What’s New?
With VPN Tracker 6, working on the go is not only more secure, it's more comfortable too. Use Secure Desktop to access everything you need in a single location: Read emails, access file servers, open applications, run scripts and more.
New and improved features
Security
VPN Tracker is built with the security of your connection in mind. We have integrated the latest security standards to make VPN Tracker secure and ready for the future.
VPN Tracker takes full advantage of Snow Leopard's new security features including Apple's Service Management framework. As the market-leading VPN solution for Mac, VPN Tracker also includes the latest security algorithms, including the SHA-2 family of hash algorithms.
In addition to Diffie-Hellman Groups 1, 2, and 5, VPN Tracker now also supports Diffie-Hellman Groups 14 to 18 with up to 8192 bits for key exchange.
Secure Desktop
Your Secure Desktop is the starting point for all your VPN-based work: With a single click VPN Tracker will automatically connect to your VPN and open the applications, file servers or webpages that are part of your daily workflow.
Simplified Configuration
VPN Tracker has been vastly refined to make configuring and editing VPN connections easier and more intuitive. We have not only updated the device profiles but also substantially simplified the settings. We were also sure to include a direct link to each device's configuration guide when selecting a device. It's everything you need to know, right where it needs to be.
Endless Connections
VPN Tracker has been optimized for continuous operation. Those annoying disconnection error messages resulting from interrupted connections are a thing of the past. With improved rekeying, automatic DHCP renewal and support for Dead-peer-detection, VPN Tracker works hard to keep you connected.
Ready for the Future
As the market-leading VPN solution for Mac OS X, VPN Tracker is consistently one step ahead. We have optimized VPN Tracker for Mac OS X Snow Leopard. It supports 64 bit mode and is ready for the Internet of tomorrow with support for IPv6.
Export Secure Desktops
The new Secure Desktop in VPN Tracker 6 makes it easy to organize everything you need for working over VPN. And of course, Secure Desktops can be exported so you can provide your users a standardized environment where they'll find everything they need to get right to work.
Edition Changes
We’ve heard your feedback and have substantially boosted the Player Edition’s capabilities:
VPN Tracker 6 Player Edition now supports any configuration created by VPN Tracker 6 Professional Edition – even when using advanced features such as AES-256, smart cards and SonicWALL Simple Client Provisioning.
Upgrading to VPN Tracker 6
If you currently own VPN Tracker 5, you can easily upgrade to VPN Tracker 6 and take advantage of all these great new features.
To see your upgrade options:
http://www.equinux.com/goto/upgradevpntracker
The equinux License Manager will now show you all available VPN Tracker license upgrades.
VPN Tracker Editions
We offer three different editions of VPN Tracker to fit different requirements. Find out which edition is right for you.
Regardless of the Edition you have purchased, you can always download and use the same copy of the VPN Tracker application. Your license will automatically unlock all the features included in your edition.
A note about VPN Tracker Player Edition
VPN Tracker Player Edition supports any connection created by VPN Tracker Professional Edition. Simply import the connection, and you’re done!
Using the deployment features in Professional Edition, you can create custom VPN Tracker applications that contain the connections your users need.
If you plan to deploy VPN Tracker Player Edition within your organization you will need at least one Professional Edition license to set up VPN connections for your users.
If some of your users have a need to set up or modify their own VPN connections, they will need Professional or Personal Edition licenses.
Personal Edition
VPN Tracker Personal edition is designed for individual users. It supports the most commonly used VPN encryption standards and features.
Professional Edition
VPN Tracker Professional Edition adds advanced features such as AppleScript support, military-grade encryption, smart card support, and the ability to connect to multiple networks and VPN gateways at the same time.
Professional Edition can export VPN connections and even create customized copies of VPN Tracker that include connections and licenses to make large-scale rollouts a breeze.
Player Edition
VPN Tracker Player Edition can import and use VPN connections that have been prepared using VPN Tracker Professional Edition. It is the ideal low-cost solution for organizations with a large number of Mac VPN users.
Do I need VPN Tracker Professional Edition?
Your connection requires a VPN Tracker Professional Edition license (instead of the Personal Edition), if it uses one of the following:
Multiple remote networks
AES-192 or AES-256
SonicWALL Simple Client Provisioning
Diffie-Hellman Groups 14-18
SHA-2 (SHA-256 or SHA-512)
IPv6
Network to Network connection (i.e. connecting two networks using VPN Tracker as a site-to-site VPN gateway)
Professional Edition helps you get your job done!
VPN Tracker Professional Edition is a great asset if you are a system or network administrator, or are working with multiple VPN connections:
Export VPN connections for yourself and other users, and even create a customized version of VPN Tracker that already includes a license and a preconfigured VPN connection for your users.
Simultaneously connect to more than one VPN gateway, control your Mac OS X L2TP/PPTP VPN, and organize your VPN connections.
AppleScript lets you automate common tasks with VPN Tracker.
Note: In order to use Player Edition, you will need at least one Professional Edition license in your organization.
VPN Tracker Editions Compared

Feature                                    Professional  Personal  Player

General
Set up and edit connections                                        Import only
Export & Deployment                        ✔             –         –
Connect to multiple VPNs simultaneously    ✔             –         –
Organize your connections in groups                                Import only
AppleScript                                ✔             –
Integration of Mac OS X PPTP/L2TP VPN      ✔             –         –

Connectivity
Connect to a single remote network         ✔             ✔         ✔
Connect to multiple remote networks        ✔             –         ✔
Tunnel all traffic (Host to Everywhere)    ✔             ✔         ✔
Connect two sites (Network to Network)     ✔             –         –
SonicWALL Simple Client Provisioning       ✔             –         ✔
IPv6 Support                               ✔             –         ✔

Authentication
Pre-Shared Key, X.509 Certificates         ✔             ✔         ✔
Smart cards and PKI token                  ✔             –         ✔
Extended Authentication (XAUTH)            ✔             ✔         ✔
Hybrid Mode Authentication                 ✔             –         ✔

Security
DES, 3DES, AES-128 encryption              ✔             ✔         ✔
AES-192, AES-256 encryption                ✔             –         ✔
SHA-1, MD5 hash algorithms                 ✔             ✔         ✔
SHA-2 hash algorithms                      ✔             –         ✔
Diffie-Hellman (DH) groups                 ✔             ✔         ✔
Diffie-Hellman (DH) groups 14 - 18         ✔             –         ✔

Technical Support
Support                                                            through Professional Edition
Getting Started
This chapter shows you how to install VPN Tracker, and how to activate your license. If you do not have a license yet, don’t worry – we’ll also show you how to get a demo key to try VPN Tracker for free.
Installing VPN Tracker
You can always download the latest version of VPN Tracker from the equinux website:
http://equinux.com/vpntracker/download
There is only one single download for all editions of VPN Tracker.
Once your download has finished, double click the downloaded “VPN Tracker 6.dmg” disk image file, if it doesn’t open automatically. Then simply drag the VPN Tracker icon into your applications folder.
Open your Applications folder and double-click VPN Tracker 6 to open it. When opening VPN Tracker for the first time, you will be prompted for the user name and password of an administrator on your Mac.
Activating VPN Tracker
Activating VPN Tracker is quick and easy. You can activate your license in a few seconds over any internet connection.
How many licenses do I need?
VPN Tracker is licensed per-machine, so each Mac you want to run VPN Tracker on will need its own license. Licenses can be bought in the equinux Online Store or at your nearest equinux reseller. You can find your nearest reseller with our Reseller Locator:
http://equinux.com/goto/reseller
Testing VPN Tracker
If you want to make sure VPN Tracker works with your connection and meets your expectations before purchasing, you can request a free demo key. This will give you access to all VPN Tracker Professional Edition features, except exporting connections.
To request your free demo key, please go to the following webpage:
http://equinux.com/goto/vpntrackerdemo
To activate your demo:
Open VPN Tracker
Create a new equinux ID if this is your first equinux software, or sign in with your existing equinux ID
Enter your demo key when prompted
Once you’re satisfied VPN Tracker suits your needs, you can purchase a full license right from within VPN Tracker.
If you set up your VPN connection during your free demo period, VPN Tracker will keep all your settings and details once you activate a purchased license.
To purchase a license:
Select VPN Tracker > Buy VPN Tracker from the menu bar
Choose an edition
Follow the instructions to purchase a license
If you prefer, you can also purchase VPN Tracker in our online Store:
http://equinux.com/goto/buyvpntracker
Activating a License from the equinux Online Store
To activate a license bought in our online store:
Open VPN Tracker
In case you still have time left on your demo period, choose “VPN Tracker 6 > Activate VPN Tracker” from the menu
Enter your equinux ID and password in the new window that will open
Select the license you would like to use on this Mac
Enter the name of the user who will be using this particular license
Activating a Retail Box
To activate a retail box of VPN Tracker:
Open VPN Tracker
In case you still have time left on your demo period, choose “VPN Tracker 6 > Activate VPN Tracker” from the menu
Create a new equinux ID if this is your first equinux software, or sign in with your existing equinux ID
Enter the activation code on your Quick Start booklet
Enter the name of the user who will be using this particular license
Entering a name and email address will make it easier for you to keep track of who is using which license – particularly useful if you have a large number of VPN Tracker users in your organization.
Activating with a License Voucher
If you received your VPN Tracker license from your organization, you probably were given a license voucher file to activate.
To activate using a license voucher file:
Locate the license voucher in Finder and double-click the file to begin the activation.
Some license vouchers are password-protected. If you are prompted for a password, enter the license password. If you don’t know your license password, ask whoever gave you the voucher; they should know.
Click Activate to complete your license activation
Managing Licenses
If you are in charge of VPN Tracker licenses at your company, our License Manager can help you deploy, move and manage those licenses. Please see →#Managing Licenses for more information.
Changing Computers
If you'd like to change computers, you can easily move your license:
Select VPN Tracker > Deactivate VPN Tracker from the menu bar on your old Mac
Once deactivated, you'll be able to activate your new Mac straight away. Simply follow the activation instructions above.
Enjoy your new Mac!
Broken Mac? Stolen Mac?
If your old Mac is broken or unavailable, you can also reset your license online. Please read →#Resetting Licenses for details.
Migrating from Previous Versions
No matter which version you are coming from, it’s easy to migrate all your settings to VPN Tracker 6 to continue working without interruption.
If you are evaluating VPN Tracker 6 and have not yet purchased the upgrade, don’t worry – your existing connections and settings in previous versions of VPN Tracker remain untouched.
VPN Tracker 4 (and 3)
Your existing connections and settings are automatically migrated to VPN Tracker 6 when you open it for the first time. Any certificates you may have been using will be added automatically to your Mac OS X keychain.
You will find your migrated connections in their own connection group named “VPN Tracker 4” (or “VPN Tracker 3”) in VPN Tracker.
If you have already been using VPN Tracker 5, your VPN Tracker 4 (and VPN Tracker 3) connections are not automatically migrated. If you want to have them available in VPN Tracker 6, simply choose “Tools > Migrate from VPN Tracker 3 / 4” from the menu.
VPN Tracker 5
Your existing connections and settings are automatically migrated to VPN Tracker 6 when you open it for the first time.
If you ever want to migrate your connections again, you can tell VPN Tracker to repeat the migration to ensure you have the latest connections and settings from VPN Tracker 5: “Tools > Migrate from VPN Tracker 5”. Please note that this migration will replace all connections in VPN Tracker 6.
VPN Crash Course
Is this your first time working with a VPN? Read this chapter to get you up to speed.
VP...What?
VPN Tracker allows your Mac to securely connect to another network over the Internet. Even if your office is located in San Francisco and you're on a business trip in New York, you can work with your applications and files, as if you were in your office.
How does it work?
As the name implies, VPN Tracker uses VPN (Virtual Private Network) technology to create a connection between your Mac and your remote network. And unlike normal Internet connections, a VPN Tracker connection is strongly encrypted. You could think of a VPN as a highly-secure tunnel through the Internet, your very own "secure line" to your office.
In order to use a VPN, you'll need your Mac running VPN Tracker, and a VPN-capable device on the other end of the connection. A VPN firewall or a router with built-in VPN capabilities is commonly used at the remote location to accept your incoming VPN connection.
What do I need?
To create a VPN connection from your Mac, you need three things:
VPN Tracker
An Internet connection
A VPN gateway
If you’re reading this, you probably already have VPN Tracker and an Internet connection for your Mac. So what about a VPN gateway?
VPN Gateway
A VPN gateway is a hardware device (or in some cases specialized software running on a regular computer) that accepts incoming VPN connections, creating a secure tunnel between its local network and your Mac. In most cases, a VPN firewall or a router with built-in VPN capabilities will act as the VPN gateway.
If there are existing VPN users in your organization you probably already have a properly configured VPN gateway. If not, don’t worry – check out the chapter on →#Choosing the Right VPN Device for some tips on what to look for when buying a VPN gateway.
What kind of VPN connections does VPN Tracker support?
VPN Tracker supports industry standard IPsec VPN connections. IPsec VPN is fast, secure, and supported by a great variety of devices. In addition, VPN Tracker also seamlessly integrates Mac OS X L2TP VPN connections, as well as legacy PPTP connections. For more information, please refer to chapter →#L2TP / PPTP Connections.
Once you have set up your connection in VPN Tracker and on the device at your remote location, you are ready to connect and start working remotely using your normal tools and applications.
Getting Connected
Next we’ll walk you through setting up your VPN connection in VPN Tracker. Don’t worry if you do not know yet what to configure – simply follow along for now, there’ll be a lot more specific information later on.
If a configuration guide is available for your device and you are setting up your VPN gateway as well as VPN Tracker, you can go straight to the guide and follow it. Then continue with the chapters →#Secure Desktop and →#Working with VPN Tracker for more information on how to use your VPN connection.
VPN Tracker can also use L2TP or PPTP connections created by Mac OS X. For more information, please see →#L2TP / PPTP.
Add a New Connection
Click the button in the lower left hand corner of the VPN Tracker window
You will see a list of device profiles. We have device profiles for all the VPN gateways that VPN Tracker has been tested with. Select your VPN gateway from the list.
If your VPN gateway is not listed, don’t worry. For now, simply check the box “Use custom device profile”.
Click “Create” to add the new connection
Find Your Configuration Guide
Our engineers have tested a large number of VPN gateways with VPN Tracker. For many of these, detailed configuration guides are available. Now is a good time to check whether a configuration guide is available for your device.
In VPN Tracker
Click “Configuration Guide” on the Basic tab.
You will be taken to the configuration guide for your device, if available.
On the Web
All configuration guides are also available on our website:
http://vpntracker.com/interop
Basic Settings
Let’s take a closer look at the essential settings that VPN Tracker needs to connect to your VPN gateway. Depending on your device, some settings may not be shown. Don’t be afraid if you don’t know what to fill in just yet; we’ll cover each setting in detail later in this chapter.
Connection Name and Icon
Customize the icon by dragging an image onto the placeholder. To change the name, choose “Connection > Rename” from the menu.
Device Profile
Click to change the device profile this connection is based on. Click “Configuration Guide” for detailed setup instructions.
VPN Gateway
Enter the public IP address or hostname for your VPN gateway, e.g. 1.2.3.4 or vpn.example.com
Network Configuration
Select manual configuration or one of the automatic configuration options (not available on all devices).
Remote Networks
Enter the remote network(s) you are connecting to through VPN.
Authentication
Choose whether to use a pre-shared key, certificates or hybrid mode for authentication.
Extended Authentication
VPN Tracker will prompt you for username and password if your VPN gateway requests Extended Authentication (XAUTH).
Identifiers
Select the type and enter the local and remote identifiers.
Note: The identifiers need to be entered in reverse, e.g. “local” in VPN Tracker is what is configured as “remote” on your VPN gateway.
DNS
VPN Tracker can use a DNS server on the remote network over VPN. It is not necessary to configure remote DNS right away, you can always do so later.
Advanced Settings
If you are connecting to one of the devices VPN Tracker has been tested with and are following the configuration guide, you most likely won’t need to change any advanced settings.
However, if you are not following a configuration guide (or have modified the default VPN configuration on your VPN gateway), or if you are using a custom device profile in VPN Tracker, you will probably need to adjust some advanced settings: Make sure the settings for phase 1 and phase 2 in VPN Tracker match exactly what is set up on your VPN gateway. You can ignore the other settings in the Advanced tab for now.
VPN gateways sometimes use different terms for phase 1 and 2: Phase 1 is sometimes also called “IKE”, while phase 2 may also be called “VPN” or “IPsec”. To learn more about each setting on the Advanced tab, check out the →#Settings Reference.
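One way to check the matching rule above before attempting a connection: the following Python sketch is an added example, not part of the equinux manual or of VPN Tracker. It compares a client's settings with the gateway's, including the reversed identifiers and the Remote Network that this manual describes. The dictionary layout and field names are assumptions, and the sample values are constructed.

```python
import ipaddress

# Per-phase settings that have to be the same on both ends (assumed field names).
PHASE_KEYS = ("encryption", "hash", "dh_group")


def _norm(value):
    """Fold spelling variants ('AES-256', 'aes 256', 'AES256') to one form."""
    return "".join(ch for ch in str(value).lower() if ch.isalnum())


def _networks(cidrs):
    """Parse CIDR strings into a set of network objects for comparison."""
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}


def compare_settings(client, gateway):
    """Return a list of mismatch descriptions; an empty list means consistent."""
    problems = []

    # Phase 1 (IKE) and phase 2 (IPsec) settings must match exactly.
    for phase in ("phase1", "phase2"):
        for key in PHASE_KEYS:
            c_val, g_val = client[phase][key], gateway[phase][key]
            if _norm(c_val) != _norm(g_val):
                problems.append(
                    f"{phase} {key}: client has {c_val!r}, gateway has {g_val!r}"
                )

    # Identifiers are mirrored: the client's local ID is the gateway's remote ID.
    for mine, theirs in (("local_id", "remote_id"), ("remote_id", "local_id")):
        if client[mine] != gateway[theirs]:
            problems.append(
                f"identifier: client {mine}={client[mine]!r} but "
                f"gateway {theirs}={gateway[theirs]!r}"
            )

    # The network the gateway offers to VPN users is the client's remote network.
    if _networks(client["remote_networks"]) != _networks(gateway["local_networks"]):
        problems.append(
            f"networks: client remote {sorted(client['remote_networks'])} vs "
            f"gateway local {sorted(gateway['local_networks'])}"
        )
    return problems


# Constructed sample data, not taken from any real gateway.
GATEWAY = {
    "phase1": {"encryption": "AES-256", "hash": "SHA-256", "dh_group": 14},
    "phase2": {"encryption": "AES-256", "hash": "SHA-256", "dh_group": 14},
    "local_id": "vpn.example.com",
    "remote_id": "roadwarrior@example.com",
    "local_networks": ["192.168.142.0/24"],
}

# Same settings as the gateway, written differently, identifiers reversed.
CLIENT_GOOD = {
    "phase1": {"encryption": "aes 256", "hash": "sha-256", "dh_group": "14"},
    "phase2": {"encryption": "aes 256", "hash": "sha-256", "dh_group": "14"},
    "local_id": "roadwarrior@example.com",
    "remote_id": "vpn.example.com",
    "remote_networks": ["192.168.142.0/24"],
}

# Typical mistakes: wrong hash, wrong DH group, identifiers copied unreversed,
# and a typo in the remote network.
CLIENT_BAD = {
    "phase1": {"encryption": "AES-256", "hash": "SHA-1", "dh_group": 14},
    "phase2": {"encryption": "AES-256", "hash": "SHA-256", "dh_group": 2},
    "local_id": "vpn.example.com",
    "remote_id": "roadwarrior@example.com",
    "remote_networks": ["192.168.42.0/24"],
}

if __name__ == "__main__":
    for name, cfg in (("good", CLIENT_GOOD), ("bad", CLIENT_BAD)):
        issues = compare_settings(cfg, GATEWAY)
        print(name, "->", "consistent" if not issues else "")
        for issue in issues:
            print("  ", issue)
```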
Actions and Export
These settings are not relevant to VPN connectivity, so we will skip them for now. They are covered in detail in →#Working with VPN Tracker and →#Exporting Connections.
Log
The log shows what is going on when VPN Tracker establishes a connection. If there is ever a problem with your connection, the log will help you resolve it quickly by giving you detailed suggestions specific to the problem at hand.
Status Indicator
Click the warning triangle to open the log and view suggestions
Suggestions
Try the suggestions to fix the problem.
Log Level
View more detailed logging and error information.
Email Log / Technical Support Report
Send your log or a full Technical Support Report to your IT helpdesk or equinux support.
If you need additional help, you can email the log or a full Technical Support Report straight from the Log tab.
A Technical Support Report contains the settings and logs necessary for resolving technical problems (confidential information, such as passwords and certificates, is not included in a Technical Support Report). If you contact equinux technical support, always include a Technical Support Report.
Completing Setup
Now that you have a basic idea about how to set up a connection in VPN Tracker, you’re ready to apply it to your specific situation.
If you have configuration access to your VPN gateway...
If you are setting up VPN Tracker as well as your VPN gateway, first check if your VPN gateway has been tested with VPN Tracker and if there is a configuration guide available (see →#Find Your Configuration Guide).
If a configuration guide is available, follow it (if your VPN gateway already has a VPN configuration, use the configuration guide and the →#Settings Reference to help you configure VPN Tracker for your specific setup).
If no configuration guide is available for your device, or if you are working with an untested device, skip ahead to →#Setup without Configuration Guide.
If you are connecting to an existing VPN and don’t have configuration access to the VPN gateway:
If you are configuring VPN Tracker to connect to an existing VPN (e.g. one that Windows users in your organization already connect to), there’s some information that you will need to gather about your VPN gateway. The next section on →#Connecting to an Existing VPN has detailed instructions.
Connecting to an Existing VPN
When connecting to an existing VPN, your goal is to configure VPN Tracker to match the settings on your VPN gateway. In order to do so, you will need information about the VPN gateway’s configuration.
You will always need the following information:
Your VPN gateway’s public IP address or hostname (e.g. “1.2.3.4” or “vpn.example.com”)
The brand and model of your company’s VPN gateway
The pre-shared key or certificate
In most cases, you will also need one or more of the following:
The address of the network you are connecting to through VPN
The local identifier
Your username and password (if Extended Authentication (XAUTH) is used)
The settings for phase 1 and 2 (encryption algorithms etc.)
1 If you have very specific configuration information (e.g. the complete phase 1 and 2 settings), knowing the model and manufacturer may not be necessary.
2 Not required for some SonicWALL devices
3 Not required for Cisco devices with Cisco EasyVPN
If you have any questions about specific settings, please refer to the →#Settings Reference in this manual. For some settings, it is even possible to “guess” them – the reference will tell you if and how.
Lonely Mac User in a World of Windows?
We often hear from VPN Tracker users who work in predominately Windows-based organizations. It’s often difficult for them to get help, as their IT help desk isn’t set up to support Mac users.
If you’re the only person in your organization who has escaped the dark side, we know you might not have much help setting up your connection. But never fear, we’re here to help!
To find out more about your VPN gateway’s configuration, your first stop should be your VPN gateway’s administrator. Your network administrator, your IT department or your help desk are good places to ask.
If your VPN gateway’s administrator cannot help you, you may be able to find some of the settings in another VPN client that has already been configured, for example on a Windows PC.
Configure VPN Tracker
Create a new VPN connection if you have not yet done so (see →#Add a New Connection for additional information)
Enter the settings you obtained in the Basic and – if necessary – Advanced tabs
Connect
Click the on/off slider to connect the VPN
If you are using VPN Tracker for the first time with your current Internet connection, VPN Tracker will test your connection so it can adjust settings to your Internet connection’s capabilities. Wait for the test to complete.
If prompted, enter your pre-shared key and Extended Authentication (XAUTH) user name and password.
Connected?
Great! Continue with the chapters →#Secure Desktop and →#Working with VPN Tracker to find out how to use your VPN connection.
Problems?
If there is a problem connecting, VPN Tracker will give you helpful advice and troubleshooting tips. To learn more about troubleshooting VPN connections, visit the chapter →#Troubleshooting.
Setup without Configuration Guide
It is a good idea to carefully choose the address of the VPN gateway’s LAN network if you plan to access it through VPN. To
avoid later address conflicts, use a private network that is not used very frequently (e.g. 192.168.142.0/24, or 10.42.23.0/24).
If any other settings are required by your VPN gateway in order to set up a basic VPN connection, check the →#Settings Reference in this manual and your VPN gateway’s documentation for more information on what to configure.
Nearly all IPsec VPN gateways can be used with VPN Tracker, even if they’re not specifically listed as a supported model.
Set up Your VPN Gateway
As a first step, set up your VPN gateway so it is connected to the Internet and to the internal network you would like to access through VPN Tracker. Please
refer to your VPN gateway’s manual for more information on how to do this.
Once you have completed the initial setup of your VPN gateway, it is time to configure VPN. Always go for a very simple configuration first. You can always
change it into a more sophisticated setup later.
If your VPN gateway’s manual has instructions for setting up a VPN connection, follow them. If possible, set up a connection with the following properties:
Choose pre-shared key authentication. For now, use a pre-shared key that is not too complex to avoid typos. But don’t forget to change it to a very strong password once you’ve got the basic connection working!
Use Aggressive Mode. Only select Main Mode if your device does not offer Aggressive Mode.
Choose Fully-qualified domain name (FQDN) identifiers, if possible. With most devices, you can enter any identifier you want; it doesn’t have to be a valid domain name. Good choices would be:
Local identifier: vpngateway.local
Remote identifier: vpntracker.local
Encryption algorithms: If possible, use 3DES or AES-128 for now.
Hash/Authentication algorithms: Use SHA-1 for now.
Select Diffie-Hellman (DH) group 2 (1024 bit).
Enable Perfect Forward Secrecy (PFS) using DH group 2 (1024 bit).
For most VPN gateways, you will have to configure the network(s) VPN users can access. This setting may be called “local endpoint”, or “policy”.
Enter the address of the network you would like to access. Usually this will be the same as the VPN gateway’s LAN network (e.g. 192.168.142.0/24). This setting will later be configured in VPN Tracker as the Remote Network.
Most VPN gateways will also ask you to configure the “remote endpoint” of the VPN. The remote endpoint is the address VPN clients will be using when connected through VPN. If possible, set this to “any address” (sometimes also referred to as “0.0.0.0/0”). If your VPN gateway requires a single address to be entered, this will mean that only one VPN client can use this VPN connection at a time. It also means that you will have to take the address you configure on the VPN gateway, and enter it in VPN Tracker as the Local Address.
Finally, write down your VPN gateway’s public (WAN) IP address or host name. If your VPN gateway’s public IP address is dynamic, you might want to get it signed up to a dynamic DNS service so you can always refer to it by host name.
Configure VPN Tracker
Once you have your VPN gateway set up, enter the settings in VPN Tracker. For your connection, use a custom device profile to have access to all settings.
Once you’ve added your connection, begin entering your settings. Refer to →#Getting Connected to see where required settings are located. Also check the →#Settings Reference if you are unsure about a specific setting.
Please note:
The identifiers are swapped in VPN Tracker. What is local from the VPN gateway’s perspective is remote from VPN Tracker’s perspective, and vice versa. You can set the remote identifier to “Don’t verify remote identifier” so you don’t have to deal with it for now.
If you were able to select the algorithms and Diffie-Hellman (DH) groups suggested earlier, you will not have to modify any setting on the Advanced tab. However, if the suggested settings were not available on your device, make sure to customize the phase 1 and 2 settings so they match what is configured on your VPN gateway.
Connect
Click the on/off slider to connect the VPN
If you are using VPN Tracker for the first time with your current Internet connection, VPN Tracker will test your connection so it can adjust settings to your Internet connection’s capabilities. Wait for the test to complete.
If prompted, enter your pre-shared key and Extended Authentication (XAUTH) user name and password.
Connected?
Great! Continue with the chapters →#Secure Desktop and →#Working with VPN Tracker to find out how to use your VPN connection.
Problems?
If there is a problem connecting, VPN Tracker will give you helpful advice and troubleshooting tips. To learn more about troubleshooting VPN connections, visit the chapter →#Troubleshooting
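The translation between gateway-side and VPN Tracker-side settings described in this chapter can be checked before connecting. The following Python sketch is an added example, not part of the manual or of VPN Tracker; the dictionary keys, function names and sample values are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of what was configured on the gateway (key names are hypothetical).
GATEWAY = {
    "wan_address": "vpn.example.com",
    "local_endpoint": "192.168.142.0/24",   # network VPN users may access
    "remote_endpoint": "0.0.0.0/0",         # "any address"
    "local_identifier": "vpngateway.local",
    "remote_identifier": "vpntracker.local",
    "proposal": {"exchange_mode": "aggressive", "encryption": "AES-128",
                 "hash": "SHA-1", "dh_group": 2, "pfs_group": 2},
}

def client_settings(gw):
    """Translate gateway-side settings into the values the VPN client needs."""
    endpoint = ipaddress.ip_network(gw["remote_endpoint"])
    single = endpoint.prefixlen == endpoint.max_prefixlen  # one fixed client address
    return {
        "vpn_gateway": gw["wan_address"],
        "remote_network": gw["local_endpoint"],
        "local_address": str(endpoint.network_address) if single else None,
        # Identifiers swap sides: the gateway's "remote" is the client's "local".
        "local_identifier": gw["remote_identifier"],
        "remote_identifier": gw["local_identifier"],
        "single_client_only": single,
    }

def address_conflicts(remote_network, client_lans):
    """Return the client-side LANs that overlap the network reached through VPN."""
    remote = ipaddress.ip_network(remote_network)
    return [lan for lan in client_lans if remote.overlaps(ipaddress.ip_network(lan))]

def proposal_mismatches(gateway_proposal, client_proposal):
    """Return {setting: (gateway value, client value)} for phase 1/2 values that differ."""
    keys = sorted(set(gateway_proposal) | set(client_proposal))
    return {k: (gateway_proposal.get(k), client_proposal.get(k))
            for k in keys if gateway_proposal.get(k) != client_proposal.get(k)}

if __name__ == "__main__":
    settings = client_settings(GATEWAY)
    print(settings)
    # Constructed client LANs: a typical home network and one that collides.
    print(address_conflicts(settings["remote_network"],
                            ["192.168.1.0/24", "192.168.142.0/24"]))
    print(proposal_mismatches(GATEWAY["proposal"],
                              {**GATEWAY["proposal"], "encryption": "3DES"}))
```

A non-empty result from address_conflicts or proposal_mismatches points at the setting to correct on one side before the connection can work reliably.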
Importing Connections
Find out how to import a connection that you have been given by your VPN administrator
Import the Connection
Locate the connection file in Finder and double-click it
You will be asked to enter a password. This password is set by your IT department or VPN administrator. Please contact the person that gave you the connection file if you’re unsure what the import password is.
Replacing Existing Connections
If your imported connection already exists, you will be asked whether you want to replace your existing connection, or if you would prefer to add this
connection as a copy:
Replacing a connection
If your new connection replaces your existing connection, click “Replace”. Your existing connection will be overwritten.
Adding a copy
If you would prefer to keep your existing connection as well, click “Add Copy”.
The imported connection will be further down in your connection list and will have the word “copy” appended to its name, e.g.
“Office Connection copy”.
Replacing an existing Secure Desktop
Connection files can also include Secure Desktops. If the included Secure Desktop already exists, you will again be asked whether you would prefer to replace it or add the new Secure Desktop as a copy.