equinux VPN Tracker 8.1.1 User Manual

VPN Tracker 8
Manual
© 2014 equinux AG and equinux USA, Inc. All rights reserved.
Under copyright law, this manual may not be copied, in whole or in part, without the written consent of equinux AG or equinux USA, Inc. Your rights
to the software are governed by the accompanying software license agreement.
The equinux logo is a trademark of equinux AG and equinux USA, Inc., regis­tered in the U.S. and other countries. Other product and company names
mentioned herein may be trademarks and/or registered trademarks of their respective companies.
equinux shall have absolutely no liability for any direct or indirect, special or other consequential damages in connection with the use of this document or any change to the router in general, including without limitation, any lost
profits, business, or data, even if equinux has been advised of the possibility of such damages.
Every effort has been made to ensure that the information in this manual is accurate. equinux is not responsible for printing or clerical errors.
Revised October 17, 2014
Created using Apple Pages.
www.equinux.com
2
Contents
..............................................................Introducing VPN Tracker 5
...............................................What’s New in VPN Tracker 8? 6
................................................................VPN Tracker Editions 8
.........................................................................Getting Started 9
Installing VPN Tracker 9 Activating VPN Tracker 9
.....................................Migrating from Previous Versions 11
.....................................................................Getting Connected 12
..................................................................VPN Crash Course 12
.......................................................................The Big Picture 13
....................................................Setup for an Existing VPN 16
.................................Setup without Configuration Guide 17
........................................................Importing Connections 19
.............................................Connecting to Your New VPN 20
........................................................Working with VPN Tracker 21
....................................................................Network Scanner 30
..............................................................................Accounting 33
.........................................................Exporting Connections 34
..........................................................................Troubleshooting 38
......................................................................................Reference 43
................................................................Settings Reference 43
Basic Tab 43 Advanced Tab 50 Actions Tab 58 Export Tab 58 VPN Tracker Preferences 58
...................................................Secure Desktop Reference 62
..................................Accessing Files & Printers over VPN 68
.....................................................L2TP / PPTP Connections 70
.................VPN and Network Address Translation (NAT) 71
...............................................Certificates and Smart Cards 74
.........................................Choosing the Right VPN Device 81
..................................................................Further Resources 82
....................................Secure Desktop: Your VPN Cockpit 22
....................................................................VPN Productivity 26
Managing Connections and Secure Desktops 26 VPN Connection Stats 27 Menu Bar Item 27 Notifications 27 Actions 28 Notes 29
...............................................................Keyboard Shortcuts 83
3
VPN Tracker 8 at a Glance
Search
If you’re a consultant with lots of customers, you’ll appreciate being able to filter your connec­tion list to find that VPN.
Secure Desktop
Everything you need to work over VPN in one place: Applications, servers, websites and more.
On/Off Switch
Connect and disconnect your VPN by sliding its switch on or off.
Network Scanner
Explore the remote network and instantly connect to services.
Accounting
Keep track of your connection time.
Log
Get troubleshooting advice and see what VPN Tracker is doing.
Configuration
Set up your VPN or change settings.
Status
Your VPN at a glance – see your assigned IP address, the remote network address, con­tact information and notes.
Network Traffic
See what’s happening on your VPN connection.
Add Items
Add a new VPN connection, group or Secure Desktop
Toggle Details
Display or hide your connection details or the traffic graph.
Contacts & Notes
Jot down notes and store the admin contact for the VPN or the billing reference number for a client.
Technical Support
No matter where you are, technical support is just one click away!
4
Introducing VPN Tracker
VPN Tracker Deployment Guide
Are you deploying VPN Tracker to end users in your organization?
Are you a consultant setting up VPN Tracker for your clients?
Are you managing the VPN Tracker licenses in your organization?
Get the VPN Tracker Deployment Guide for up-to date information and best practices. Download your free copy today at http://www.vpntracker.com
This manual contains lots of great tips. You can easily spot them by looking for the light bulb icon.
If you are setting up not just VPN Tracker, but also a VPN gate­way, this icon points out recommended settings and things you need to pay attention to when setting up a VPN gateway.
This exclamation mark warns you when there is a setting or ac­tion where you need to take particular care.
Welcome to VPN Tracker, the leading VPN client on Mac. Whether you are new to VPN or a seasoned VPN guru, this manual will help you get started with VPN Tracker.
Conventions Used in This Document
Links to External Websites
Sometimes you will be able to find more information on external websites. Clicking links to websites will open the website in your web browser:
http://equinux.com
New to VPN Tracker?
Install VPN Tracker and get a free trial in →#Getting Started
Take our →#VPN Crash Course and then →#Get Connected
Find out how using your VPN is a breeze with →#Secure Desktop
Upgrading to VPN Tracker 8?
See how to →#Upgrade Your License and how VPN Tracker automatically takes care of →#Migrating from Previous Versions
Explore →#What’s New in VPN Tracker 8
System Administrators and IT Departments
Connect to your existing VPN or set up a VPN from scratch in
#Getting Connected
Set up VPN Tracker for others in →#Exporting Connections
Use the →#Settings Reference for in-depth configuration information
Links to Other Parts of this Manual
A →#Link will take you to another place in the manual. Simply click it if you are reading this manual on your computer.
Tips and Tricks
Advice for Setting up Your VPN Gateway
Warnings
Getting Help
VPN Tracker makes VPN simple. However, computer networking and VPNs can be complex and tricky at times, so we have also built in tools and helpful fea-
tures that will assist you if you ever run into problems. Check out →#Trouble­shooting for more information.
5
What’s New in VPN Tracker 8?
Stunning New Look for OS X Yosemite
VPN Tracker was redesigned from the ground up to perfectly match the new look of OS X Yosemite.
Traffic Control
VPN Tracker 8 gives you even more control over your VPN. Don’t want to send traffic to certain IP address or subnets over VPN? Simply exclude them! Have a
Host to Everywhere VPN but only need to some addresses over VPN? Tell VPN Tracker to only send traffic to those IPs over VPN. And even if you’re stuck in a situation where the local network uses the same subnet as the remote net­work there’s a solution...
Force Traffic for the Local Subnet through VPN
If you end up in a situation where the local network is the same as the remote network of your VPN, VPN Tracker 8 can try to help you out by forcing non-
essential local network traffic over the VPN.
VPN Engine Updated for OS X Yosemite
VPN Tracker’s engine has been updated to work smoothly with the changes in OS X Yosemite.
Lower Energy Usage
Use your VPN all day long, even on battery power. VPN Tracker 8 uses signifi­cantly less energy than previous versions of VPN Tracker.
Streamlined Help and Log
VPN Tracker has always been well-known for its unrivaled ease of use. For VPN Tracker 8, we’ve made it even easier to find just the information you need to quickly resolve common configuration errors.
Improved Status View
The new Status View clearly reflects what VPN Tracker is doing at each step, and even displays the most current log message right at the top, and takes
you to the log if necessary.
More Actions in Status View
The Status View now has additional actions such as finding your Mac’s IP ad­dress and taking you straight to your Mac’s network settings.
Quick Install
Individual VPN Tracker users can now install VPN Tracker more quickly, without having to go through the steps of an installer.
Enterprise Installer
If you are deploying VPN Tracker in your organization, VPN Tracker 8 also ships as an enterprise installer that easily integrates with popular software rollout solutions.
6
Upgrading to VPN Tracker 8
If you currently own VPN Tracker, you can easily upgrade to VPN Tracker 8 and take advantage of all these great new features.
To see your upgrade options, choose VPN Tracker 8 > Buy VPN Tracker in the demo, or visit
http://www.equinux.com/goto/upgradevpntracker
The License Manger will show you all available VPN Tracker license upgrades.
7
VPN Tracker Editions
Regardless of the edition you have purchased, you can always download and use the same copy of the VPN Tracker applica-
tion. Your license will automatically unlock all the features in­cluded in your edition.
VPN Tracker
VPN Tracker
Pro
Connectivity
Connect to one VPN
Connect to multiple VPNs at the same time
Connect two sites (Network to Network)
Integration of OS X PPTP/L2TP VPN
Export
Export–✔
Organization
Organize your connections in groups
Use a condensed layout
Search for connections
Accounting–✔
Tools
Ping Tool✔✔
DNS Lookup Tool
Network Scanner
We offer two different editions of VPN Tracker to fit your requirements. Find out which edition is right for you.
VPN Tracker
VPN Tracker is designed for individual users and for end users in corporate environments. It’s perfect for getting connected to an office or home network.
VPN Tracker Pro
VPN Tracker Pro adds advanced features for consultants, network admins and power users.
Do I need VPN Tracker Pro?
VPN Tracker Pro is a great asset if you are a consultant, a system or network administrator, or are working with multiple VPN connections:
VPN Tracker Editions Compared
Export VPN connections for yourself and other users.
Scan the remote network for services or to assist users.
Connect to multiple VPNs at the same time.
Manage a large number of VPNs using search, a condensed layout, and connection groups.
Configure your Mac as a router to provide the entire network with a VPN tunnel using Network to Network connections.
Control your OS X L2TP/PPTP VPN right within VPN Tracker.
8
Getting Started
If you set up your VPN connection during your free demo pe­riod, VPN Tracker will keep all your settings and details once you activate a purchased license.
This chapter shows you how to install VPN Tracker, and how to activate your license. If you do not have a license yet, don’t worry – we’ll also show you how to get a demo key to try VPN Tracker for free.
Installing VPN Tracker
You can always download the latest version of VPN Tracker from the VPN#Tracker website:
http://vpntracker.com/download
There is one single download for all editions of VPN Tracker.
Once your download has finished, double click the downloaded file “VPN#Tracker#8.zip” if it doesn’t open automatically. Then double-click the VPN Tracker 8 app and follow the steps to install VPN Tracker’s engine.
Activating VPN Tracker
Activating VPN Tracker is quick and easy. You can activate your license in a few seconds over any Internet connection.
How many licenses do I need?
VPN Tracker is licensed per-machine, so each Mac you want to run VPN Tracker on will need its own license. Licenses can be bought in the equinux Online Store or at your nearest equinux reseller. You can find your nearest reseller with our Reseller Locator:
http://equinux.com/goto/reseller
Testing VPN Tracker
If you want to make sure VPN Tracker works with your connection and meets your expectations before purchasing, you can request a free demo license. This will give you access to all VPN Tracker Pro features (except exporting connections). Simply click the button to obtain a demo license when you first open VPN Tracker.
Opening VPN Tracker
Go to your Applications folder in Finder and double-click VPN Tracker 8 to open it.
Once you’re satisfied VPN Tracker suits your needs, you can purchase a full license right from within VPN Tracker.
To purchase a license:
Select VPN Tracker 8 > Buy VPN Tracker from the menu bar
Follow the instructions to purchase a license. Your license will be activated immediately.
If you prefer, you can also purchase VPN Tracker using your web browser:
http://equinux.com/goto/buyvpntracker
9
Activating a License from the equinux Online Store
You might be prompted to enter a name and email address. This will make it easier for you to keep track of who is using which
license – particularly useful if you have a large number of VPN users in your organization.
Broken Mac? Stolen Mac?
If your old Mac is broken or unavailable, enter your activation code (or equinux ID and password) on the new Mac, and select the option to reset
your license, or use the license manager to revoke your activation code.
VPN Tracker Deployment Guide
Are you deploying VPN Tracker to end users in your organization?
Are you a consultant setting up VPN Tracker for your clients?
Are you managing the VPN Tracker licenses in your organization?
Get the VPN Tracker Deployment Guide for up-to date information and best practices. Download your free copy today at http://www.vpntracker.com
To activate a license bought in our online store:
Open VPN Tracker. In case you still have time left on your demo period, choose “VPN Tracker 8 > Activate VPN Tracker” from the menu bar on top of
your screen.
If you are asked for your equinux ID and password, enter the equinux ID and password that was used for the purchase.
If you own more than one license, you will be asked to select the one that you would like to activate.
Follow the steps to complete activation
Activating Using an Activation Code
If you received an activation code:
Open VPN Tracker. In case you still have time left on your demo period, choose VPN Tracker 8 > Activate VPN Tracker from the menu bar on top of your screen.
Enter the activation code.
Follow the steps to complete activation.
Managing Licenses
If you are in charge of VPN Tracker licenses at your company, our License
Manager can help you deploy, move and manage those licenses.
Changing Computers
If you'd like to change computers, you can easily move your license:
Choose VPN Tracker 8 > Deactivate VPN Tracker from the menu bar on your old Mac.
Once deactivated, you'll be able to activate your new Mac straight away. Simply follow the activation instructions above.
Enjoy your new Mac!
10
Migrating from Previous Versions
If you are evaluating VPN Tracker 8, don’t worry – your existing connections and settings in previous versions of VPN Tracker remain untouched.
No matter which version you are coming from, it’s easy to migrate all your settings to VPN Tracker 8 to continue working without interruption.
VPN Tracker 5, 6, and 7
Your existing connections and settings from the most recent predecessor are automatically migrated to VPN Tracker 8 when you open it for the first time.
If you ever want to migrate your connections again, you can tell VPN Tracker to repeat the migration to ensure you have the latest connections and set-
tings from your old VPN Tracker version: “File > Migrate from VPN Tracker 5/6/ 7”. Please note that this migration will replace all connections in VPN Tracker 8.
VPN Tracker 4 (and 3)
You can migrate connections from these versions of VPN Tracker from the File menu (File > Migrate...).
You will find your migrated connections in their own connection group named “VPN Tracker 4” (or “VPN Tracker 3” ) in VPN Tracker.
11
Getting Connected VPN Crash Course
Is this your first time working with a VPN? Read this chapter to get you up to speed.
VP...What?
VPN Tracker allows your Mac to securely connect to another network over the Internet. Even if your office is located in San Francisco and you're on a busi-
ness trip in New York, you can work with your applications and files, as if you were in your office.
What do I need?
To create a VPN connection from your Mac, you need three things:
VPN Tracker
An Internet connection
A VPN gateway
If you’re reading this, you probably already have VPN Tracker and an Internet connection for your Mac. So what about a VPN gateway?
VPN Gateway
A VPN gateway is a hardware device (or in some cases specialized software running on a regular computer)
that accepts incoming VPN connections, creating a secure tunnel between its local network and your Mac. In most cases, a VPN firewall or a router with built-in VPN capabilities will act as the VPN gateway.
If there are existing VPN users in your organization you probably already have a properly configured VPN gateway. If not, don’t worry – check out the chap-
ter on →#Choosing the Right VPN Device for some tips on what to look for when buying a VPN gateway.
How does it work?
As the name implies, VPN Tracker uses VPN (Virtual Private Network) technol­ogy to create a connection between your Mac and your remote network. And
unlike normal Internet connections, a VPN Tracker connection is encrypted. Think of a VPN as a highly-secure tunnel through the Internet, your very own "secure line" to your office.
In order to use a VPN, you'll need your Mac running VPN Tracker on your end of the connection. On the other end of the connection (the remote side), you
need a VPN gateway that accepts your incoming VPN connection.
Once you have set up your connection in VPN Tracker and on the device at your remote location, you are ready to connect and start working remotely using your normal tools and applications.
What kind of VPN connections does VPN Tracker support?
VPN Tracker supports industry standard IPsec VPN connections. IPsec VPN is fast, secure, and supported by a great variety of devices.
In addition, VPN Tracker Pro also integrates OS X L2TP VPN connections, as well as legacy PPTP connections. For more information, please refer to chapter
L2TP / PPTP Connections.
12
The Big Picture
If a configuration guide is available for your device and you do not yet have VPN set up on your VPN gateway, you can go
straight to the guide and follow it. Then continue with the chap­ters →#Secure Desktop and →#Working with VPN Tracker for more
information on how to use your VPN connection.
VPN Tracker can also use L2TP or PPTP connections created by OS X. For more information, please see→#L2TP / PPTP.
To give you a better idea how to set up your VPN, here's a quick overview. We'll look at the details in the following chapters, so don't worry about missing pieces right now – there will be a lot more specific information later on.
Add a New Connection
Click the button in the lower left hand corner of the VPN Tracker window
You will see a list of device profiles. We have device profiles for all the VPN gateways that VPN Tracker has been tested with.
Find Your Configuration Guide
Our engineers have tested a large number of VPN gateways with VPN Tracker. For many of these, detailed configuration guides are available. Now is a good
time to check whether a device-specific configuration guide is available.
In VPN Tracker
Click “Configuration Guide” on the Basic tab.
You will be taken to the configuration guide for your device, if available.
On the Web
All configuration guides are also available on our website:
http://vpntracker.com/interop
Select your VPN gateway from the list. If your VPN gateway is not listed, check the box “Use custom device profile”.
Click “Create” to add the new connection
13
Basic Settings
Let’s take a closer look at the essential settings that VPN Tracker needs to connect to your VPN gateway. Depending on your device, some settings may not be shown. If you don’t know yet what to fill in, we’ll cover each setting in detail later in this chapter.
Connection Icon
Customize the icon by dragging an image onto the default icon, or choose “Edit#>#Choose Image…” for a new icon.
Device Profile
Click to change the device profile.
VPN Gateway
Enter the public IP address or host name of your VPN gateway, e.g 203.0.113.48 or vpn.example.com
Authentication
Choose whether to use a pre-shared key, certificates or hybrid mode for authen­tication. Most VPN gateways use pre-shared keys.
Identifiers
Select the type and enter the local and remote identi­fiers.
Note: The identifiers need to be entered in reverse, e.g.
“local” in VPN Tracker is what is configured as “remote” on your VPN gateway.
Connection Name
Click to change the name of your connection.
Configuration Guide
Click to access the device­specific configuration guide.
Network Configuration
Select manual configuration or one of the automatic configuration options (not available on all devices).
Extended Authentication
VPN Tracker will prompt you for username and password if your VPN gateway requests Extended Authentication (XAUTH).
DNS
VPN Tracker can use a DNS server on the remote net­work over VPN. It is not nec­essary to configure remote DNS right away, you can always do so later.
14
Advanced Settings
Some VPN gateways use different terms for phase 1 and 2: Phase 1 is sometimes called “IKE”, while phase 2 may be called “VPN” or
“IPsec”. Check out the →#Settings Reference for more details.
It is not necessary to leave edit mode to save the connection or to connect to the VPN. If you make changes while the VPN is connected, reconnect the VPN to apply them.
Are you connecting to a VPN that's already set up?
If you are connecting to an existing VPN (e.g. one that Windows users are already connecting to), all you need to do is gather a few pieces of informa-
tion about your VPN gateway to configure VPN Tracker. The next chapter
#Setup for an Existing VPN has all the details.
Are you setting up both your VPN gateway and VPN Tracker?
Check if your VPN gateway has been tested with VPN Tracker and if there is a configuration guide available (see →#Find Your Configuration Guide).
If a configuration guide is available, follow it.
If no configuration guide is available for your device, or if you are work­ing with an untested device, →#Setup without Configuration Guide will
help you get connected.
Did you receive a VPN Tracker connection from your administrator?
Follow →#Importing Connections to see how to use the connection in VPN Tracker.
You likely won‘t have to modify any settings on the Advanced tab, unless:
your device uses different settings than the factory defaults and/or the set­tings proposed in the configuration guide, or
there is no device profile for your device in VPN Tracker
In both cases, the goal is to have VPN Tracker’s settings for Phase#1 and Phase#2 match exactly what is set up on your VPN gateway.
Actions and Notes
These settings are not relevant to VPN connectivity, so we will skip them for now. They are covered in detail in →#Working with VPN Tracker.
Completing Setup
When you‘re done configuring your VPN, click the „Done“ button on the upper right corner to leave edit mode.
Now that you have a basic idea how to set up a connection in VPN Tracker, you’re ready to apply it to your specific situation.
15
Setup for an Existing VPN
What if my organization does not support Macs?
We often hear from customers in organizations where Macs are not offi­cially supported for VPN access. It may be difficult to get help if the IT help
desk isn’t set up to support Mac users. We’re here to help!
To find out more about your VPN gateway’s configuration, your first stop should be your VPN gateway’s administrator: Your network administrator, your IT department or your help desk are good places to ask.
If they cannot help, you may be able to obtain the settings from another VPN client that has already been configured, for example on a Windows PC.
If you have any questions about specific settings, please refer to the →#Settings Reference in this manual. For some settings, in
particular phase 1 and 2 algorithms, it may be possible to “guess” them – the reference will tell you if and how.
Cisco IPsec VPN
If you have a Cisco IPsec VPN connection profile (.pcf ), you can import it directly into VPN Tracker (File > Import > Cisco VPN Client Connection).
If there is a configuration guide for your VPN gateway (→#Find Your Configuration Guide), refer to it for additional advice. Keep
in mind that the configuration guide describes a working setup, but not the only working setup. In most cases, you won’t need
to make changes to a working setup on the VPN gateway.
When connecting to a VPN that’s already set up, your goal is to configure VPN Tracker to match the settings on your VPN gateway. In order to do so, you will need information about the VPN gateway’s configuration.
Obtain the Configuration
You will always need the following information:
The public IP address or host name (e.g. “203.0.113.48” or “vpn.example.com”) of the VPN gateway you are connecting to
The brand of the VPN gateway (e.g. Cisco, SonicWALL, NETGEAR, ...)
The pre-shared key1 or the client certificate
You may also need one or more of the following:
The address of the network you are connecting to through VPN
The local identifier
The model name of the VPN gateway (e.g. ASA Series, TZ Series, FVS318N, ...)
The settings for phase 1 and 2 (encryption algorithms etc.)
Your username and password, if Extended Authentication (XAUTH) is used
2
Configure VPN Tracker
Create a new VPN connection if you have not yet done so (see → Add a New Connection for additional information).
Enter the settings you obtained in the Basic and Advanced tabs.
Connecting
When you’re done setting up, skip ahead to →#Connecting to Your New VPN to see how to connect to your new VPN.
1
Not required for SonicWALL with “Use Default Key for Simple Client Provisioning” enabled
2
Some VPN gateways (e.g. Cisco) refer to the local identifier as “group name” or “group ID”
16
Setup without Configuration Guide
It is a good idea to carefully choose the address of the VPN gateway’s LAN network if you plan to access it through VPN. To
avoid address conflicts, use a private network that is not used very frequently (e.g. 192.168.142.0/24, or 10.42.23.0/24).
Almost all IPsec VPN gateways can be used with VPN Tracker, even if they have not been tested with VPN Tracker.
Set up Your VPN Gateway
Network Setup
If you haven’t already done so, set up your VPN gateway so it is connected to the Internet and to the internal network that you want to access using
VPN#Tracker. Please refer to your VPN gateway’s manual for more information on how to do this.
VPN Setup
Once you have completed the initial setup of your VPN gateway, it is time to configure VPN on the VPN gateway. Go for the simplest possible configuration first. You can always move to a more sophisticated setup later.
If your VPN gateway’s manual has instructions for setting up a VPN connec­tion, follow it. Otherwise, please follow these basic settings as closely as pos­sible:
Authentication
Choose pre-shared key authentication.
For now, use a pre-shared key that is not too complex to avoid typos. But don’t forget to change it to a very strong password later!
Aggressive Mode vs. Main Mode
For most devices, you should use Aggressive Mode for now.
Main Mode is considered more secure, but may not work with all devices for clients connecting from dynamic IP addresses. You can try Main Mode
once you’ve got everything else working.
Identifiers
Choose Fully-Qualified Domain Name (FQDN) identifiers, if possible.
With most devices, you can enter any identifier you want, it doesn’t have to be a valid domain name. Good choices would be:
Local identifier: vpngateway.local
Remote identifier: vpntracker.local (the remote identifier is sometimes called “peer identifier”)
Some devices use the group name as the remote identifier.
Proposals (Phase 1 and 2 Settings)
Encryption algorithms: AES-128 or 3DES
Hash/Authentication algorithms: SHA-1
Diffie-Hellman (DH) group 2 (1024 bit)
Enable Perfect Forward Secrecy (PFS) using DH group 2 (1024 bit)
While these are not the most secure settings, they are compatible with a wide variety of devices. Use them as a starting point. Once you’ve got the VPN
working, switch to stronger algorithms if available (e.g. AES-256, SHA-2, DH group 5 or higher).
Local Endpoint (Network Access / Policy)
On most VPN gateways, you will have to configure the network(s) VPN us­ers can access. This setting is often called “local endpoint”, or “policy”.
Enter the address of the network you would like to access. Usually this will be the same as the VPN gateway’s LAN network (e.g. 192.168.142.0/24).
This setting will later be configured in VPN Tracker as the Remote Network.
Remote Endpoint
Some VPN gateways will also ask you to configure the “remote endpoint” of the VPN. The remote endpoint is the address VPN clients will be using when connected through VPN.
Whenever possible, set this to “any address” or “dynamic” (sometimes also referred to as “0.0.0.0/0”).
17
If any other settings are required by your VPN gateway to set up a basic VPN connection, check the →#Settings Reference in this
manual and your VPN gateway’s documentation for more infor­mation on what to configure.
If your VPN gateway requires a single address to be entered, this will mean that only one VPN client can use this VPN connection at a time. It also
means that you will have to take the address you configure on the VPN gateway, and enter it in VPN Tracker as the Local Address.
VPN Gateway IP Address or Hostname
Finally, write down your VPN gateway’s public (WAN) IP address or host name.
If your VPN gateway’s public IP address is dynamic, you might want sign up with a dynamic DNS service so you can always refer to it by host name.
Configure VPN Tracker
Once you have your VPN gateway set up, enter the settings in VPN Tracker. For your connection, use a custom device profile to have access to all settings.
Then enter your settings. Please refer to →#Getting Connected to see where required settings are located. Also check the →#Setting Reference if you are
unsure about a specific setting.
A few final notes:
The identifiers are swapped in VPN Tracker. What is local from the VPN gateway’s perspective, is remote from VPN Tracker’s perspective, and vice
versa. You can set the remote identifier to “Don’t verify remote identifier” so you don’t have to deal with it for now.
If you were able to select the algorithms and Diffie-Hellman (DH) groups suggested earlier, you do not have to modify any setting on the Advanced tab. However, if the suggested settings were not available on your device,
make sure to customize the phase 1 and 2 settings on the Advanced tab so they match what is configured on your VPN gateway.
Connecting
When you’re done setting up, skip ahead to →#Connecting to Your New VPN to see how to connect to your new VPN.
18
Importing Connections
Find out how to import a connection that you have been given by your IT department or VPN administrator.
Prerequisites
Before importing a connection, make sure VPN Tracker is installed. If you have not yet downloaded or installed VPN Tracker, or if you haven’t activated your
license yet, please follow →#Getting Started first.
Import Your Connection(s)
Locate the connection in Finder and double-click it. Or open VPN Tracker and choose “File#> Import#> VPN#Tracker#Connection…” from the menu.
Replacing Existing Connections
If you already have the connection you’re about to import, you’ll be asked whether to replace your existing connection, or if you would prefer to add this
connection as a copy:
Replacing a connection
If your new connection replaces your existing connection, click “Replace”. Your existing connection will be overwritten.
Adding a copy
If you would prefer to keep your existing connection and import the new copy, click “Add Copy”.
You’ll find the imported connection further down in your connection list. It will have the word “copy” appended to its name, e.g. “Office
copy”.
You will be asked for the import password. If you dont know the import password, please ask the person who gave you the connection.
Replacing an Existing Secure Desktop
Connection files can also include Secure Desktops. If the included Secure Desktop already exists, you will once again be asked whether you would pre­fer to replace your existing Secure Desktop or add a the new Secure Desktop
as a copy.
19
Connecting to Your New VPN
When you’re done setting up your VPN, you’re ready to connect. To test your VPN, go to a location outside of the network that you want to connect to.
Connecting
Click the on/off slider to connect the VPN.
Connected?
Connecting may take a couple of seconds. If the On/Off button turns blue that’s great –#you’re connected!
Continue with the chapters →#Secure Desktop and →#Working with VPN Tracker to find out how to use your VPN connection.
Problems?
If you are using VPN Tracker for the first time with your current Internet con­nection, it will test your connection. Wait for the test to complete.
If prompted, enter your pre-shared key and Extended Authentication (XAUTH) user name and password.
If there is a problem connecting, VPN Tracker will give you helpful advice and troubleshooting tips. To learn more about troubleshooting VPN connections, visit the chapter →#Troubleshooting
20
Working with VPN Tracker
Secure Desktop Items
Click an icon to launch an applica­tion, connect to a server etc.
VPN Tracker will automatically take care of connecting your VPN.
Secure Desktop Background
Drag in a picture while in edit mode, to give your Secure Desk­top a personal touch. Or choose any color you like.
Edit your Secure Desktop
Click the triangle to drag new items to your Secure Desktop, and edit existing ones.
End Session
When you’re done working over VPN, click the “End Session” button to take care of closing and disconnecting everything.
21
Secure Desktop: Your VPN Cockpit
Make sure you have set up your VPN connection first. To learn how to set up your VPN connection, refer to the chapter →#Get-
ting Connected.
Connect to file servers, launch the applications you need, and much more. And stop thinking about VPN connections.
Setting up your Secure Desktop
Working over a VPN connection used to be a hassle. First you needed to con­nect to your VPN. Then you went to Finder in order to connect to your file
servers, and finally, you could open the applications you need and get to work.
Not any more! VPN Tracker is designed with your workflow in mind: You click to open the application. VPN Tracker does the rest.
Building your Secure Desktop with the Assistant
To add items to your Secure Desktop, select it from the top left corner of the VPN Tracker window and then click “Build Secure Desktop”.
VPN Tracker will guide you through selecting applications, file servers and websites for your Secure Desktop. Of course you can always modify your Se-
cure Desktop later, so don’t worry if you don’t yet know what to add.
Adding Applications to Your Secure Desktop
The Secure Desktop Assistant will suggest a few commonly used applications. If your application is not among them, click “Other Application…” to add the
application you want to use.
You can also add applications to your Secure Desktop later, so don’t worry about them now if you’re not sure.
22
Adding File Servers to Your Secure Desktop
Alternatively, you can connect to file servers in the OS X Finder.
Accessing Files, Printers and Databases has more details.
For more information about file servers in Secure Desktop, take a look at the → Secure Desktop Reference
I don’t know my file server’s IP address. Can’t I just browse for my file servers via the Finder Sidebar?
For technical reasons, when using a VPN connection, your servers won’t show up in the Finder sidebar. If you don’t have your file server’s IP address,
you can easily find it out next time you’re in your office network (or what­ever other network you’re connecting to through VPN):
Open “Tools > DNS Lookup…”
Enter your file server’s name and click “Lookup”
After a few seconds, VPN Tracker should tell you the file servers IP address. Again, this will only work when you’re actually in your remote network, not
if you’re connected via VPN.
If you would like to access a file server, enter the details in the Secure Desktop Assistant.
To connect to a Mac-based (AFP) file server:
Enter “afp://” followed by the IP address1 of the server, e.g. afp://192.168.144.11
To connect to a Windows-based (SMB) server:
Enter “smb://” followed by the IP address1 of the server, e.g. smb://192.168.144.17
Adding Websites to Your Secure Desktop
If you have intranet websites that you need to access over VPN, you can add those to your Secure Desktop as well. Just enter your website URLs when
prompted by the Secure Desktop Assistant.
Customizing Your Secure Desktop
If you would like, you can customize the name and color of your Secure Desk­top. Then click to finish creating your new Secure Desktop.
1
If your connection is set up to use remote DNS, you may also be able to enter a DNS host name, e.g. “fileserver.example.com”
23
Working with Secure Desktop
To use Secure Desktop when your Mac is physically connected to your VPN’s remote network (e.g. at the office), teach VPN Tracker to recognize your remote network using → Direct Link Detection.
Adding Items from the Network Scanner
You can add new items to your Secure Desktop right from the Network Scanner!
Just click the … button and choose “Add to Secure Desktop”, or drag the services straight to a Secure Desktop in the sidebar.
Starting a Secure Desktop Session
Multiple Secure Desktops
You can have more than one Secure Desktop (e.g. for different clients, de­partments or tasks). To add a new Secure Desktop, choose File > New Secure
Desktop from the menu bar on top of your screen.
Editing Your Secure Desktop
You can easily add, modify or remove Secure Desktop items.
To edit your Secure Desktop:
Select the Secure Desktop that you would like to edit.
Click the triangle at the bottom to switch to edit mode
A drawer with new items will open. Drag an item to your Secure Desktop to add it. Or drag an existing item outside your Secure Desktop to remove it.
Click one of the icons on your Secure Desktop to start working with that ap­plication, file server or website. VPN Tracker will automatically connect any
necessary VPN connections, and then open your application, connect to your file server, website, etc.
Ending a Secure Desktop Session
Once you’re done working over VPN, simply end your session by clicking the large red button at the bottom of the window. VPN Tracker will take care of disconnecting file servers and disconnecting your VPN.
24
To modify an item, click it while Secure Desktop
Further information about Secure Desktop is available in the
Secure Desktop Reference.
is in edit mode. To finish editing, click on a free space on your Secure Desktop or hit the Esc key.
When you are done configuring, click the trian­gle again to leave the edit mode.
Customize the Appearance of Your Secure Desktop
You can give your Secure Desktop a personal touch, by adding your own pic­ture, choosing your own background and changing icons.
To customize your Secure Desktop icon:
VPN Tracker automatically shows a preview of what’s on your Secure Desktop. If you wish, you can replace that with a custom icon, simply drag the new icon onto the preview in the sidebar.
To customize your Secure Desktop background
Switch the Secure Desktop to edit mode by clicking the triangle
Drag an image to your Secure Desktop
or
Right-click or Ctrl-click the Secure Desktop area
Select a background image or background color
Enjoy the view!
To customize the icons of your Secure Desktop items:
Switch Secure Desktop to edit mode by clicking the trian­gle
Drag an image onto one of your Secure Desktop icons
25
VPN Productivity
An exported connection knows the group it belongs to, and will recreate it as needed.
Find out about other VPN Tracker features that will help you work more productively with your VPN.
Locking Connections
You can lock a connection with a password to prevent it from being modified (VPN > Lock Connection…). To prevent others from modifying connections you export for them, enable locking in the export settings.
Managing Connections and Secure Desktops
At this point, you probably already have your first VPN Tracker connection. You can see your connection in the sidebar on the left-hand side of the VPN
Tracker window.
Adding More Connections or Secure Desktops
To create a new connection or Secure Desk­top, click the ‘+’ icon in the lower left hand corner of the window.
For more information on setting up a new connection, please refer to the → Getting Connected chapter.
Reordering
Drag & drop your connections and Secure Desktops in the sidebar to reorder.
Renaming
To rename connection or Secure Desktop, right-click (or hold down Ctrl and click) it in the sidebar and select „Rename“ from the menu.
Organizing Connections in Groups
If you have a lot of connections, it will be useful to divide your connections up into groups, e.g. by client, by branch office, by geographical location etc.
To add a new group, click the ‘+’ icon in the lower left hand corner of the window and select ‘New Group’.
You can drag & drop connections and Secure Desktops between groups to rearrange them.
To rename, delete or control a group of connec­tions, use the gear menu on the right side of the group.
Icons
To customize the icon for a connection or a Secure Desktop, drag the new image onto
the existing icon in the sidebar.
You can also use „Edit > Choose Icon…“ in the menu to change icons.
Search
If you are looking for a specific connection, use the search box at the top of the sidebar to find it.
26
VPN Connection Stats
When connected to your VPN, you can see statistics for your connection in the sidebar. The traffic graph lets you know how much data is currently being sent
and received over your VPN connection, the total amounts of data transferred, and the maximum throughput seen in the last measurement period. It also lists the the algorithms that are in use and the current network settings.
Click to toggle between traffic, network or security information
Click to hide or show the traffic statistics
The graph indicates the amount of traffic cur­rently being transferred over the VPN connection
Menu Bar Item
You can also control VPN Tracker directly from your menu bar, allowing you full control over your VPN connection, without having to leave the application
you’re working in.
Access your Secure Desktop items from the menu bar.
Click to connect/ disconnect VPNs. A checkmark indicates a connected VPN.
The ring of the menu bar icon is black, when you’re connected.
The stop button discon­nects all VPNs and closes file server connections etc. in Secure Desktops.
Hide the Details
If you only want to see your connections and the connection status, you can hide the entire right part (the connection details) of your VPN Tracker window.
To hide or show the connection details:
Click the details toggle at the bottom of the connection list
Click to hide or show the connection details.
Notifications
VPN Tracker shows little popup notifications whenever something interesting happens to your VPN.
You may customize these notifications in “VPN Tracker 8 > Preferences…”.
27
Actions
Actions can help you to be even more productive with Secure Desktop. For example, if you have certain applications on your
Secure Desktop that require a file server to be connected, add that file server here to ensure that it’s always available to your Secure Desktop items.
Actions can also be AppleScript or shell scripts. There is no limit to what you can do!
Connect this VPN when VPN Tracker is opened
Enable this option to automatically connect to this VPN whenever VPN Tracker is opened.
Actions After Connecting
VPN Tracker can take care of any tasks that need to be performed after the VPN connects.
For example, if you always need to connect to a file server, enter it here to make sure it’s available any time you connect the VPN. Or if you want to open your company’s intranet website whenever you connect, enter it here.
Actions Before Disconnecting
If there’s anything that needs to be taken care of before the VPN is discon­nected, add it here. VPN Tracker automatically adds an action to disconnect all file servers that use the VPN.
Locations
If you use multiple network locations on your Mac (System Preferences > Network), VPN Tracker can automatically connect or disconnect your VPN connection, depending on the current network location.
Switch the slider to “On” to automatically connect in this location
Switch the slider to “Off” to automatically disconnect in this location
Wi-Fi Networks
VPN Tracker will automatically connect to your VPN whenever your Mac con­nects to the wireless networks you have specified.
Actions that can take a long time have a timeout to make sure VPN Tracker does not keep trying forever.
28
Notes
If you would like to make a few notes – for yourself, or for others that you’re setting up this VPN for, the Notes tab is the right place.
Notes are included with exported connections
When exporting Accounting records, the reference number and organiza­tion can be included for use with billing systems
All information from the Notes tab is displayed on the Status tab
29
Network Scanner
To be able to use the Network Scanner when you’re physically at the remote network and no VPN is needed, set up →#Direct Link
Detection for your VPN connection.
OS Detection
The Network Scanner can detect the type of host (e.g. OS X, Windows, Linux, Network Equipment, Printers) from the services that are available on
that host.
OS detection requires certain services to be included in the scan. If you un­check a service that is required for OS detection, OS detection will be un­checked as well.
Customizing Network and Services
The Network Scanner in VPN Tracker Pro lets you explore the remote network of your VPN, assist users and easily locate hosts and services.
Scanning Networks
To scan a network, your Mac must be connected to the network via VPN.
Select the VPN in the sidebar and connect the VPN.
Open the Scanner tab.
Click the Scan button to scan the network using a selection of the most popular network services.
By default, the Network Scanner scans for a selection of the most popular net­work services.
To select different services, click the gear icon and check or uncheck the services that you would like VPN Tracker to scan.
To turn OS detection on or off, use the checkbox at the top of the set­tings.
To check/uncheck all services, hold down the Option key while clicking a
checkbox.
To restore the default selection of services and networks, click the “De­faults” button at the top of the set­tings.
If you are connected to a VPN where all network traffic is sent through the VPN (Host to Everywhere), VPN Tracker will ask you to specify the network that
you would like to scan. Depending on the size of the network and your Internet connection, the scan
may take a while to complete. You can continue working with VPN Tracker while a scan is in progress. You’ll see a notification when the scan is complete.
At the bottom of the settings, you can change the network that is being scanned.
Select one of the remote networks of the VPN, or enter a custom range or IP address. The more addresses a scan includes, the longer it will take.
30
Scan Results
Display Mode
Show results by address (IP address or host name) or by service.
Filter Results
Type a search term to locate specific hosts or services. Use the popup button to show or hide groups of hosts or services.
Your Mac
If your Mac was part of the scan, it is marked with a home icon.
Services / Hosts
The right side of the window displays the services for the selected host (“By Host”) or the hosts for the selected service (“By Service”)
Web Previews
A preview is automatically generated for web servers so you can easily recognize different web servers.
Instant Connect
Click to connect to the service or open the application associated with this service on your Mac.
OS Detection Group
If OS detection is enabled, hosts are grouped according to the OS that was detected (the detected OS can change during the scan as more results come in).
Reset Scan Results
Click to remove all scan results.
If you hold down the Option key while clicking, your customizations (names, icons, groups) will also be removed.
Size Slider
Drag to change the size of icons and web previews.
Go Button
Click to add the service to Secure Desktop, copy IP addresses, or jump to all services of this kind or host.
Settings
Click to select the services to scan or change the IP range that is being scanned.
31
Using Scan Results
Automatic Hostname Lookup
VPN Tracker can automatically look up the host names for IP addresses in the Network Scanner. All you need is a → Remote DNS server for your VPN
that can provide host names for the IP addresses that are being scanned (reverse DNS lookup). Make sure the checkbox “Use for reverse lookup of IP
addresses in remote networks” (Basic > DNS) is checked.
Connect to Services
You can connect to a service right from the Network Scanner, or open the app associated with this service on your Mac.
Setting a Custom Icon for a Host
Display the scan results ”By Address”.
Right click the host you want to change the icon for.
Click ”Choose Icon…” to set a custom icon for this host.
Display the scan results ”By Address” or “By Service”.
On the right side, click the “Connect” or “Open” for the service or host that you would like to connect to.
Add to Secure Desktop
To add a service to Secure Desktop, click the button for the service that you would like to add to Secure Desktop.
Choose “Add to Secure Desktop” and select the Secure Desktop that you want the service to be added to.
You can also drag a service to your Secure Desktop in the sidebar.
Customizing Scan Results
Renaming Hosts
Renaming hosts in the Network Scanner list makes it easy to locate your most important computers and network devices.
Display the scan results ”By Address”.
Right click the host you want to rename.
Choose ”Rename” and enter a name.
Change the OS Detection Group
The Network Scanner can automatically detect the kind of host –#whether it’s a Mac running OS X, a PC running Windows or Linux, or a printer or network equipment. OS detection uses the services on a host to determine the most
likely type of host.
In some cases, OS detection might put a host into a different group than what it actually is. You can change the group if a host is not detected correctly.
Display the scan results ”By Address”
Right click the host whose group you want to change.
Select the new group from the “Group” menu.
Resetting Scan Results
Click ”Reset Scan Results” in order to clear the results. Customized host names, icons, and groups will not be modified – if the host is encountered again in a future scan, the customization will be applied.
Hold down the Option key while clicking ”Reset Scan Results” in order to also reset all customization (names, icons, and groups).
Scanner Preferences
You can configure the Network Scanner’s performance and aggressiveness, and enable or disable Web Preview loading in → Scanner Preferences.
32
Accounting
Reference Number and Organization
To integrate VPN Tracker’s accounting with your own time tracking or bill­ing system, an organization and a reference number can be set for each of
your VPN connections in the →#Notes tab
Accounting tracks the time you were connected to your VPN. It can assist you with billing your clients, documenting your work, or figuring out 6 weeks later when exactly you logged in to make that configuration change.
Customize the Display
To select the month for which data is being displayed, click
the back/forward buttons next to the month.
To select the columns dis­played in the Accounting ta­ble, right-click the table
header and check or uncheck the columns.
Add Comments
You can add a comment for every connection to your client‘s VPN. This helps you to keep track why you used the connection on this day and also makes
billing easier. To add a comment, double-click the “Comment” field.
Exporting Accounting Data
VPN Tracker Pro not just tracks connection time for you, it also lets you export it for Num­bers or Excel, or to third-party time tracking or billing systems that can import CSV files.
Click ”Export” in the ”Accounting” tab
Choose ”Export for Numbers…” or ”Export for Excel…” depending on with which application you want
to use the data with
To export data in a customizable CSV format, choose “Custom Ex­port…“
The export can include data for one or more connections, simply select addi-
tional connections from the “Connec­tion” popup.
33
Exporting Connections
To export multiple connections in a single file, select the con­nections you would like to export (hold down the key to se-
lect more than one), and choose File > Export….
Whether you’re quickly exporting a VPN connection for a co­worker, or rolling out VPN Tracker to hundreds of users, VPN Tracker’s sophisticated export and convenient installer is there to help.
Exporting a Connection
Once you have set up and tested a VPN connection, you can export your con­nection for other VPN Tracker users.
To export a connection
Select the connection
Choose „Export…“ from the File menu
If you are exporting for users of previous versions of VPN Tracker select the appropriate file format. Not all features are available in previous versions of
VPN Tracker. When exporting for earlier versions of VPN Tracker, we recom­mend testing the exported connection before rolling it out to end users.
Set an encryption password for the file. Users of this connection will be re­quired to enter the password once when importing the connection
Exporting a Secure Desktop
You can also export Secure Desktops for your users, along with their connec­tions. Simply select it along with the connections when exporting (hold down
the key to select more than one item in the sidebar).
To always export a Secure Desktop with a connection, check the box for this Secure Desktop in the connection‘s export settings.
34
Locking Exported Connections
The OS X keychain is a very secure way of storing passwords.
However, users will be able to see the pre-shared key via the Key­chain Access application.
If you include a pre-shared key but don’t permit storing the pre­shared key in keychain, the pre-shared key will be left in the con­nection. This is less secure in terms of encryption, but will pre-
vent a user from seeing the pre-shared key.
VPN Tracker offers several ways of locking down and protecting your connec­tion information when you export or deploy connections. To change the secu-
rity settings for an exported connection:
Select a connection
Click the Configure… button
Click „Export Settings…“ at the bottom of the window
Export Settings Explained
Pre-Shared Key
Include pre-shared key from keychain
If you have saved the pre-shared key in your keychain, VPN Tracker can in­clude this pre-shared key with the exported connection.
Permit pre-shared keys to be stored in and loaded from the keychain
Checking this option will (a) move an included pre-shared key into the user’s keychain when importing the connection, and (b) permit users to store their
pre-shared key in keychain if none is included with the exported connection.
Now you can password-protect the connection and adjust which information is visible to the user. All security settings are explained in more detail in
#Export Settings Explained.
Extended Authentication (XAUTH)
Include XAUTH login and password
If you are using Extended Authentication (XAUTH), you can also include a user’s XAUTH credentials (username and password) in the exported connec­tion. Select whether you would like to include the username and password stored in your keychain, or be asked for an XAUTH username and password when exporting the connection.
35
Permit XAUTH credentials to be stored in and loaded from the keychain
If you do not set an unlock password, there will be no way to ever make any changes to the exported connection or use a Technical Support Report to analyze a technical problem.
You can configure →#Direct Link Detection so your users are able to use Secure Desktop even when no VPN is required,
e.g. when connected directly to the office network.
Unlocking a Locked Connection
A locked connection has a padlock icon in the top right corner of the win­dow. Click it to enter the unlock password and access all settings.
window.
Checking this option will (a) move included XAUTH credentials into the user’s keychain when importing the connection, and (b) permit users to store their
XAUTH password in keychain if none is included with the exported connec­tion.
Security
Don’t allow settings to be changed
This settings prevents users from making accidental or undesirable changes to their VPN connections. The connection is “locked”. Users will be able to see
the connection settings, but will not be able to modify them.
Temporarily unlock a locked connection by click­ing the padlock in the up­per right corner of the
Hide settings and detailed logs
Hides the Basic and Advanced tabs, as well as the more detailed log levels. Only basic logging and troubleshooting information is displayed. Technical Support Reports cannot be created unless an unlock password is set.
Temporarily permit editing with unlock password
With an unlock password, the connection can be unlocked temporarily, for example if an administrator needs to make changes at a user’s computer, or to
read the contents of Technical Support Reports.
Secure Desktop
If you have configured a Secure Desktop, you can choose to include it with your exported connection.
Use a Secure Desktop to provide your users with a familiar environment for everything they need to do over VPN – network shares, websites, databases,
and applications.
Secure Desktops selected here are always included when exporting this con­nection. If you’d like to export additional Secure Desktops, simply select them together with your connection before exporting.
36
Actions
VPN Tracker Deployment Guide
Are you deploying VPN Tracker to end users in your organization?
Are you a consultant setting up VPN Tracker for your clients?
Are you managing the VPN Tracker licenses in your organization?
Get the VPN Tracker Deployment Guide for up-to date information and best practices. Download your free copy today at http://www.vpntracker.com
Other Day-to-Day Considerations
If you have configured actions to be executed when the connection is con­nected or disconnected, you can include them as well. Any settings you have configured in your connection’s “Actions” tab will be included.
Contact info
If your VPN users run into any issues, they can email you a Technical Support Report with details about their connection settings, local internet connection and VPN logs. The email address you enter as your contact info will be set as the default recipient of the report.
Unlock Password
Experience has shown that when exporting a locked connection, you‘ll want to unlock it at one point or the other – whether it‘s making a quick change at
an end user‘s Mac, accessing an end user‘s Technical Support Report, or even importing the (locked) connection onto your own Mac and accidentally re­placing the (unlocked) original.
If you do not set an unlock password for a locked connection, there is no way to ever change settings.
If you do not set an unlock password and hide the settings and logs, there‘s no way to ever access the setting.
We therefore strongly recommend always setting an unlock password.
Certificates
If your connection uses certificates for authentication, keep in mind that the certificates are not included with the exported connection. You’ll need to dis-
tribute the certificates as you would normally do.
VPN Tracker will automatically attempt to use the same certificates on the Mac where the connection is imported. If they are not available, the user will be prompted to select new certificates. For additional information, please refer
to →#Certificates.
Overwriting Existing Connections
If you have made changes to an connection that you already distributed to your users earlier, it’s a good idea to re-use the same connection when ex-
porting (don’t create a new one).
That way your users will be prompted to replace their existing connection with the updated one, instead of ending up with another copy, and in the end not knowing which connection is the current one.
37
Troubleshooting
Press Cmd-L to open the log in a new window. That way, you can have the log side-by-side with your VPN configuration while
making changes to troubleshoot a problem.
A Technical Support Report contains the settings and logs nec­essary for resolving technical problems. Confidential information
(e.g. passwords, private keys for certificates) is not included in a Technical Support Report. If you contact equinux technical sup­port, always include a Technical Support Report.
In most cases, your connection will work fine if you follow the instructions in this manual. However, computer networking and VPN are complex, so sometimes problems do occur. Read this chapter to learn how to resolve them.
Missing Settings
If you forgot to fill in a setting, VPN Tracker will point it out to you:
Simply fill in the missing information, then try connecting again.
If you need additional help, you can email the log to your administrator, or send a Technical Support Report to equinux or to your administrator.
Connection Errors
In case of any other problem, a yellow warning triangle will show up:
Click the yellow warning triangle to be taken to the log. The log will explain exactly what the problem is. Follow the steps listed in the log to resolve the
problem.
38
No Access to the Remote Network
Browsing the Network – Bonjour and VPN
Bonjour is the technology that makes your file servers appear in your Finder’s sidebar. It depends on broadcasts on the local network. These
broadcasts do not travel over VPN. If you are connecting to servers over VPN, you will therefore need to use their IP address (or DNS host name, if using remote DNS).
To learn more about how to connect to servers over VPN, see →#Secure Desktop and →#Accessing Files, Printers and Databases
About Subnet Masks and Routing Prefixes
A network mask determines the size of the network. For IPv4 networks, it can be written in two ways: As a subnet mask (e.g. 255.255.255.0) or as a
routing prefix (e.g /24). For IPv4 it does not make a difference which one is used. If you enter a subnet mask, VPN Tracker will automatically convert it to a routing prefix (CIDR notation).
Lets take a look at the network 192.168.42.0 / 255.255.255.0 (which is the same as 192.168.42.0/24). This network contains all IP addresses that begin
with 192.168.42., for example 192.168.42.1 and 192.168.42.99. It does not con­tain 192.168.43.1 or 10.1.2.3.
If you find yourself in a situation where your VPN appears to be connected, but you cannot access resources (servers, email, etc.) in the remote network,
check the following points to resolve the problem.
Connect to an IP address (instead of a host name)
If you are using a host name (e.g. fileserver.example.com) to connect to the resource, please try using its IP address instead.
Check that the IP address you are connecting to is part of the VPN’s remote network
Check that the IP address you are connecting to is part of the remote net­work(s) of the VPN. Also double-check the network mask that you have con-
figured for the remote network(s) in VPN Tracker.
If you are using SonicWALL Simple Client Provisioning or Cisco EasyVPN, the remote network(s) are assigned by your VPN gateway. You can see the remote
network(s) on the Status tab.
If the connection works when using the IP address, but not when using a host name, please make sure that your Mac’s DNS server is able to resolve this host name to an IP address, or set up a suitable remote DNS server in VPN#Tracker.
See →#Troubleshooting Remote DNS for more information.
39
Make sure the host you are trying to reach knows where to send replies
This one is a little more complex to check. Start with checking if your local address is part of the remote network:
Connect the VPN
Go to the Status tab
Compare the IP address listed under “This Mac” (local address) and the networks listed under “Remote Network”. Is the local address part of the remote network(s)?
That third one is a bit tricky to figure out. If you find a reference to ARP Proxy (or Proxy ARP) in the device’s documentation, or if the manual specifically in-
structs to choose the local address or the Mode Config address pool to be part of the remote network, then it’s ok for the IP address to be part of the remote network.
In all other cases you must choose an IP address as the local address (or a Mode Config address pool) that is not part of the remote network(s). If
you are using Mode Config, you need to change the Mode Config address pool on the VPN gateway. Otherwise, simply change the local address in VPN Tracker (Basic > Local Address).
If the local IP is not part of the remote network(s):
Check if your VPN gateway is the default gateway (router) of its network.
If your VPN gateway is not the default gateway of the remote network, you will have to ensure that responses to all IP addresses used by VPN clients are
routed to the VPN gateway. You can do so either by adding a general route on the network’s actual default gateway, or by adding individual routes on each host that VPN clients need to communicate with.
In this example, the local address 192.168.213.189 is part of the remote network
192.168.213.0/24
If the local address is part of the remote network(s):
There are exactly three setups where the local IP address may be part of the remote network(s). If your setup is not one of these, you must choose a local address that is not part of the remote network(s).
1. When connecting to a SonicWALL using SonicWALL Simple Client Provision­ing or DHCP over VPN.
2. When connecting to a Cisco VPN gateway using Cisco EasyVPN.
3. When connecting to a VPN gateway that can act as an ARP proxy for IP ad­dresses assigned through Mode Config, and/or for fixed local addresses.
40
Troubleshooting Remote DNS
If you set a remote DNS server for “All Domains” instead of spe­cific “Search Domains”, make sure it is a working DNS server that can resolve hosts on the Internet. Otherwise, your Mac will seem to be cut off from the Internet when the VPN is connected.
If you can access resources on the remote network using their IP addresses, but not their host names, you will need a suitable remote DNS setup.
Prerequisites for remote DNS:
A DNS server that is able to resolve those IP addresses exists.
The DNS server can be reached through the VPN.
To illustrate the steps for debugging remote DNS issues, here’s an example setup using remote DNS:
We have a VPN connection to the remote network 192.168.42.0/24.
In this network, there’s a file server fileserver.example.com.
We can reach this file server using its IP address 192.168.42.10.
We’d like to reach this file server using its host name fileserver.example.com.
This host name cannot be looked up using public DNS servers, but there is an internal DNS server with IP address 192.168.42.2 that is able to resolve
hosts in the example.com domain, including fileserver.example.com.
For remote DNS settings to take effect, the VPN needs to be reconnected. We should now be able to connect to fileserver.example.com using its host name.
Steps to Troubleshoot
If connecting using the host name does not work, the first step is to use the DNS Lookup Tool to verify that the host name can be looked up.
Connect the VPN
Choose Tools > DNS Lookup from the menu bar on top of the screen
Enter the host name (here: fileserver.example.com) and click “Lookup”
If the DNS Lookup Tool displays the expected result, remote DNS is configured correctly. In that case, the problem is with the actual connectivity, not DNS.
If DNS lookup fails, then the problem is with remote DNS. The next step is to figure out if the problem is with the remote DNS server itself, or with the re-
mote DNS setup.
Open a Terminal window (Applications > Utilities > Terminal)
Enter: dig <host name> @<remote DNS server> and press return. In our example: dig fileserver.example.com @192.168.42.2
If you see an “Answer Section” with the correct IP address, then both the con­nectivity to the DNS server, and the DNS server’s response are ok. In that case,
the problem lies with the remote DNS setup. Double-check the configuration in VPN Tracker.
41
If you don’t see an “Answer Section” with the correct IP address, then the re-
Some DNS servers are configured to talk only to specific hosts or networks. When connected through the VPN, your Mac may not be part of these. Check your DNS server’s settings or ask the DNS server’s administrator to be sure.
DNS Troubleshooting Advice for Experts
Command-line tools like nslookup and dig do not accurately reflect DNS resolution on modern OS X versions (but can be very helpful in debugging
connections to and results from a single DNS server, as we did above).
To get exactly the DNS results an OS X application would receive, use the DNS Lookup Tool in VPN Tracker (Tools > DNS Lookup)
The DNS settings (and search domains) assigned by the VPN gateway using Mode Config, Cisco EasyVPN, or SonicWALL Simple Client Provi­sioning / DHCP over VPN, are displayed in the connection log and in the
“Network” section of the →#VPN Connection Stats.
To see the Mac’s currently applicable DNS settings, including those set by VPN Tracker for remote DNS use the Terminal command scutil --dns.
mote DNS server is not configured to resolve fileserver.example.com.
If you get a timeout error, then the remote DNS server is not reachable over the VPN or it is not a properly configured DNS server.
Further Questions?
You can find the latest news and compatibility information on our support and FAQ website:
http://equinux.com/support
Contacting Technical Support
If you can’t resolve your issue with the information available on our website or in this guide and would like to contact Technical Support through our web­site, please be sure to include the following information:
The manufacturer and model and firmware revision of the VPN gateway
A Technical Support Report from VPN Tracker (Help > Generate Technical Support Report)
Screenshots of what you have configured on your VPN gateway, in particular all VPN-related settings
A detailed description of the problem and the troubleshooting steps you have already taken
42
Reference
Availability: always (use the Edit menu to change the name if locked)
Related Settings: Advanced > IPv6 > Use IPv6 VPN gateway address when
available
Availability: always
VPN Gateway Setting: WAN IP address, public IP address, external IP address
Related Settings: Basic > Network Configuration > Local Address
Basic > Remote DNS > Receive DNS Settings from VPN Gateway
Availability: Depending on the selected device profile. Use a custom device profile to be able to select any method.
VPN Gateway Setting: Mode Config, Config Mode, IKE-CFG
Settings Reference
This chapter describes the settings available in VPN Tracker. Settings are grouped by location and sorted from top to bottom as they occur in VPN Tracker. Where possible, related settings and the corresponding settings on a VPN gateway (and the terms different vendors use) are also included.
Basic Tab
Connection Name
A name for the connection. You may choose any name you like.
VPN Gateway
The public IP address or host name of the VPN gateway to connect to.
Network Configuration
VPN Tracker supports a number of vendor-specific and vendor-independent automatic configuration methods.
Mode Config
A vendor-independent automatic configuration method that is capable of transmitting the settings for the local address and the remote DNS settings
(DNS servers and search domain).
The "active" and "passive" variants are used to resolve interoperability issues with some devices.
43
Cisco EasyVPN
Related Settings: Basic > Network Configuration > Local Address
Basic > Network Configuration > Remote Networks Basic > Remote DNS > Receive DNS Settings from VPN Gateway Advanced > Interoperability > Cisco
Availability: Depending on the selected device profile. Use a custom device profile to be able to select any method.
VPN Gateway Setting: No special settings are needed to use Cisco EasyVPN with EasyVPN-capable Cisco devices. For more details, refer to our Cisco con­figuration guides.
Related Settings: Basic > Network Configuration > Local Address Basic > Remote DNS > Receive DNS Settings from VPN Gateway
Availability: Depending on the selected device profile. Use a custom device profile to be able to select any method.
VPN Gateway Setting: GroupVPN > Client > Virtual Adapter Setting > DHCP Lease (or DHCP Lease or Manual Configuration) + suitable configuration for DHCP server and VPN > DHCP over VPN.
Related Settings: Basic > Remote DNS > Receive DNS Settings from VPN Gateway
Availability: Depending on the selected device profile. Use a custom device profile to be able to select any method.
VPN Gateway Setting: No special configuration needed. Requires SonicOS
4.0 or newer.
An extension of Mode Config for Cisco devices that is also capable of trans­mitting the Remote Network(s) and Perfect Forward Secrecy (PFS) setting.
The "passive" variant can be used to resolve problems when the general EasyVPN setting does not work with a particular device.
If you are using EasyVPN with a custom device profile, make sure to turn on "Identify as Cisco Unity Client" on the Advanced tab.
SonicWALL DHCP over VPN
An automatic configuration method implemented by SonicWALL devices that is capable of transmitting the settings for the Local Address and the Remote
DNS settings (DNS servers and search domain).
Topology
In most cases, the topology should be set to Host to Network. This means that a single host (= your Mac) connects to one or more remote networks through VPN. Only network traffic destined for these networks is sent through
the VPN, all other traffic is sent out unmodified through the Mac’s Internet connection.
Other possible topologies are:
Host to Everywhere
A single host tunneling all its Internet traffic through VPN. This is equivalent to a Host to Network connection with a remote network of 0.0.0.0/0.
For Host to Everywhere to work, the VPN gateway must accept a policy with a
0.0.0.0/0 endpoint, and also take care of the routing and Network Address Translation (NAT) for the VPN client when it tries to access the Internet.
SonicWALL Simple Client Provisioning (SCP)
An automatic configuration method implemented by SonicWALL devices that can supply all settings of a VPN connection to the client.
Network to Network
A (local) network being connected to another (remote) network, with the Mac running VPN Tracker acting as the local VPN gateway, and another VPN gate­way at the remote end. This can be used to connect a branch or home office
with multiple computers to a main office. The Mac running VPN Tracker needs to have routing enabled and has to be configured as the router for the other computers that are to use the VPN.
Host to Host
A single host (= your Mac) accessing another single host (e.g. a single file server, email server etc.) through VPN.
44
Related Settings: Basic > Local Address, Basic > Network Configuration, Ba­sic > Remote Networks
Availability: Not available with Cisco EasyVPN and SonicWALL Simple Client Provisioning. Network to Network requires VPN Tracker Pro.
VPN Gateway Setting: Set default route as this gateway (SonicWALL), Allow all traffic through tunnel (WatchGuard), or determined implicitly by VPN endpoints.
Local Address
Related Settings: Basic > Topology, Basic > Network Configuration
Availability: Not available when an automatic configuration method is being
used. When a Network to Network topology is used, the setting is called “Lo­cal Networks” and describes the local network(s) to which the VPN tunnel applies.
VPN Gateway Setting: Remote (IP) address, peer (IP) address, remote end­point, remote network
Related Settings: Advanced > Phase 2 > Establish a separate tunnel for each remote network, (Cisco only) Advanced > Interoperability > Cisco > Establish a shared tunnel to 0.0.0.0/0 for split-tunneling
Availability: Not available when EasyVPN or SonicWALL Simple Client Provi­sioning are used. For these setups, the VPN gateway supplies the networks.
When a Host to Host topology is used, the setting is called “Remote Address” and describes the single remote address the VPN tunnel applies to.
VPN Gateway Setting: Local (IP) address, local endpoint, local network
The local address is the IP address that the Mac running VPN Tracker uses in the remote network when connected through VPN1.
If the local address is left empty, the current IP address of the Mac's en0 net­work interface will be used. Since this is most likely a private IP address, it is
not unique worldwide. In order to avoid situations where two clients coming in through VPN using the same IP, do not leave the local address empty when you have multiple VPN users. In that case, always set a unique local address for each client.
The local address should be from a →#private subnet, and must not be part of the remote network(s) of the VPN connection (unless the documentation of your VPN gateway specifically instructs you to do so2).
Remote Networks
The network(s) the VPN connects to3. Traffic destined for these network(s) will be tunneled over the VPN.
The network(s) can be entered in CIDR notation (e.g. 192.168.42.0/24) or – for IPv4 connections – using the subnet mask (e.g. 192.168.42.0/255.255.255.0).
Always make sure you are using a correct network address. VPN Tracker will try to help you with this, so it might change your input to turn it into a correct network address. Please double check the changes that VPN Tracker made, and correct them if necessary.
Authentication
The authentication method VPN Tracker uses. Three methods are available:
Pre-Shared Key
The VPN client is authenticated using a shared password, the pre-shared key. This is the most commonly used authentication method.
It is possible to store the pre-shared key in the OS X keychain, or be prompted every time the VPN connections.
1 In IPsec terms: the local endpoint of the IPsec Security Association (SA)
2 Such VPN gateways typically have you configure a specific IP address for the client to use and/or have a setting called “Proxy ARP” or “Tie remote stations into the LAN”
3 In IPsec terms: the remote endpoint of the IPsec Security Association (SA)
45
Certificate
Related Settings: (certificates only) Advanced > Certificates
(pre-shared key only) Advanced > Phase 1 Diffie-Hellman Group, Advanced > Additional Settings > Credentials
Availability: According to the selected device profile.
VPN Gateway Setting: (Pre-Shared Key) Pre-shared secret, shared secret,
password, key, (Certificates) X.509 certificates, RSA signatures
XAUTH can be set to "Automatic", even if it is actually turned off on the VPN gateway. The VPN gateway will tell VPN Tracker if
XAUTH should be used or not. However, there are VPN gateways that need XAUTH specifically turned on or off, that's where the "Off" and "Always" settings can help.
Related Settings: Advanced > Additional Settings > Credentials
Availability: According to the selected device profile.
VPN Gateway Setting: XAUTH, user authentication
Related Settings: Basic > VPN Gateway (for “Remote Endpoint IP Address”)
Basic > Authentication > Certificates (for “Local/Remote Certificate”)
Availability: Identifiers are determined automatically if SonicWALL Simple Client Provisioning is used.
VPN Gateway Setting: The local identifier from VPN Tracker's perspective is the remote (!) identifier from the VPN gateway's perspective, and vice versa. Therefore you will normally have to swap the identifiers configured on the VPN gateway when entering them in VPN Tracker:
Local Identifier:
Remote Identifier:
Remote Identifier (or client/peer identifier/identity/ID) Local Identifier (or own/my identifier/identity/ID)
The VPN client and the VPN gateway mutually authenticate using X.509 cer­tificates (RSA signatures). This method is very secure, but requires an infra-
structure for creating and distributing certificates, and a VPN gateway that supports it.
The client's certificate and private key (also called an "identity") need to be present in the OS X keychain.
The VPN gateway's certificate can in most cases be sent by the VPN gateway and verified just as a web browser would do for HTTPS, however, it is also pos-
sible to add it to the local keychain and select that specific certificate in VPN Tracker.
Hybrid Mode
The VPN gateway authenticates itself with a certificate, and users authenticate themselves through Extended Authentication (XAUTH). This method is sup-
ported by a small number of vendors (e.g. Check Point) and considered more secure than using an Aggressive Mode connection with just a pre-shared key.
In its basic form, XAUTH asks for a username and password, however it is also possible for the VPN gateway to ask for passcodes (such as the ones gener-
ated by RSA SecurID tokens) etc.
It is possible to store the XAUTH username and password in the OS X key­chain, or be prompted every time the VPN connections.
The VPN gateway's certificate can in most cases be sent by the VPN gateway, but it is also possible to add it to the local keychain and set that specific cer­tificate in VPN Tracker.
Extended Authentication (XAUTH)
Extended authentication is a way of authenticating individual users on top of one of the general authentication methods, pre-shared key or certificates (hy­brid mode already incorporates XAUTH).
Identifiers
The identifiers are small pieces of identifying information that VPN Tracker and the VPN gateway use to recognize each other.
46
Local Identifier
Make sure that the local identifier type and value in VPN Tracker match what the VPN gateway expects! Otherwise the VPN gateway may refuse or silently drop the connection.
Some VPN gateways expect FQDN or User FQDN type identifiers that are neither valid FQDNs nor email addresses. This is ok.
Simply enter whatever your VPN gateway expects you to use (e.g. a connection identifier, user name or group name).
Some VPN gateways use FQDN or User FQDN type identifiers that are neither valid FQDNs nor email addresses. This is ok.
Simply enter whatever your VPN gateway sends as its identifier.
The identifier that VPN Tracker uses to identify itself to the VPN gateway. The VPN gateway uses the identifier to map the incoming connections to the
VPNs it has configured.
Local Certificate
The identifier is the ASN.1 Distinguished Name taken from the subject of the local certificate (only possible when using certificates for authentication).
Remote Identifier
The identifier that VPN Tracker should expect from the VPN gateway. VPN Tracker will compare the actual identifier sent by the VPN gateway to the one configured here. If the identifiers do not match, the connection attempt will be stopped and an error displayed in the log.
IP Address
An IP address is used for identification. Make sure to enter the IP address the VPN gateway expects.
Local Endpoint IP Address
Same as “IP Address”, but VPN Tracker will automatically use the Mac’s current local IP address as the value. Useful if your VPN gateway permits incoming
connections using any IP address-based identifier.
Fully Qualified Domain Name (FQDN)
A fully qualified domain name (FQDN) is used for identification (e.g. client.example.com).
Email (User FQDN)
An email address is used for identification (e.g. vpntracker@example.com).
Key ID
An identifier for vendor-specific use. Cisco EasyVPN devices use this for the group name of the connecting user.
Don’t verify remote identifier
Turn off identifier verification (e.g. for testing). Identifier verification provides minor security benefits for Aggressive Mode connections, but should always
be used for Main Mode connections.
IP Address
An IP address is used for identification. Enter the IP address the VPN gateway sends. It is often, but not always, the VPN gateway’s public IP address.
Remote Endpoint IP Address
Same as “IP Address”, but VPN Tracker will automatically use the public IP ad­dress of the VPN gateway.
Fully Qualified Domain Name (FQDN)
A fully qualified domain name (FQDN) is used for identification (e.g. vpn.example.com). Enter the FQDN the VPN gateway sends.
Email (User FQDN)
An email address is used for identification (e.g. vpnservice@example.com). Enter the email address the VPN gateway sends.
ASN.1 DN
An ASN.1 Distinguished Name (DN) is used for identification. Normally this is used in conjunction with certificate-based authentication. Enter the (correctly formatted) ASN.1 DN that the VPN gateway expects.
Key ID
An identifier for vendor-specific use.
47
ASN.1 DN
Availability: always
Related Settings: Basic > Network > Automatic Configuration
Basic > DNS > Use Remote DNS Server
Availability: Available if an automatic configuration method is selected and “Use Remote DNS Server” is turned on.
Related Settings: Basic > DNS > Use Remote DNS Server Basic > DNS > Use DNS Server for
Availability: Available if “Use Remote DNS Server” is turned on, and “Receive DNS Settings from VPN Gateway” is turned off.
Related Settings: Basic > DNS > Use Remote DNS Server Basic > DNS > Use DNS Server for
Availability: Available if “Use Remote DNS Server” is turned on, and “Receive DNS Settings from VPN Gateway” is turned off.
When using this option, it is important to make sure the VPN connection and the remote DNS server are correctly configured:
If one or both are not working, the Mac will appear to be cut off from the Internet while the VPN is active.
An ASN.1 Distinguished Name (DN) is used for identification. Normally used in conjunction with certificate-based authentication. Enter the (correctly format-
ted) ASN.1 DN that the VPN gateway sends.
Remote Certificate
The identifier is the ASN.1 Distinguished Name taken from the subject of the remote certificate (only possible when using certificates for authentication).
Search Domains
The search domain(s) to use. To enter more than one search domain, click the plus button to get additional input fields.
DNS
Use Remote DNS Server
VPN Tracker can use a name (DNS) server in the remote network of the VPN to look up certain (or all) host names. This is useful if your organization operates an internal DNS server that can look up host names of computers on the in­ternal network.
Receive DNS Settings from VPN Gateway
When checked, VPN Tracker will use the DNS settings transmitted by the VPN gateway during automatic configuration. To see if your VPN gateway transmits such information, turn off Remote DNS, then connect. VPN Tracker will show a
message in the log suggesting to turn on Remote DNS if settings have been transmitted.
If “Use DNS Server for” is set to “Search Domains”, the search domain(s) will also be used to determine the domains the remote DNS server is being used for.
Use DNS Server for
This setting determines the scope of the remote DNS server(s). It is possible to use the remote DNS server(s) for all DNS lookups, or just for hosts in a specific
domain.
All Domains
While the VPN is connected, the remote DNS server is used for every DNS lookup on this Mac, not just hosts that are part of the remote network.
DNS Servers
The IP address of a remote DNS server. To enter more than one server, click the plus button to get additional input fields.
Search Domains
The remote DNS server is used only for looking up host names that are part of the search domain(s). At least one search domain must be configured.
Search Domains (if available)
48
“Receive DNS Settings from VPN gateway” only: If the VPN gateway transmits a
Related Settings: Basic > DNS > Search Domains Basic > DNS > Use Receive DNS Settings from VPN Gateway
Availability: Available if “Use Remote DNS Server” is turned on.
Related Settings: Basic > Network Configuration > Remote Networks
Basic > DNS > Use DNS Server for
Availability: Available if “Use Remote DNS Server” is turned on.
Need more help configuring your remote DNS setup? A chapter on →#Troubleshooting Remote DNS is available in this manual.
search domain, the remote DNS server is used only for looking up host names that are part of the search domain(s). If no search domain is transmitted, the
remote DNS server is used for every DNS lookup on this Mac while the VPN is connected.
Use for reverse lookup of IP addresses in remote networks
The remote DNS server is used for reverse lookups (mapping IP addresses back to host names) in the remote networks. When the remote DNS server is
used for “All Domains”, this happens automatically.
49
Advanced Tab
Establishing the VPN: Phases, Proposals and Device Profiles
An IPsec VPN connection is established in two phases. In phase 1, VPN Tracker and the VPN gateway verify each other’s identity and negotiate encryption
keys through which the actual setup of the VPN, phase 2, will be secured.
In each phase, VPN Tracker sends the algorithms it is willing to use, as well as a few other settings to the VPN gateway (the “proposals”). The algorithms that VPN Tracker sends are determined by the settings for Phase 1 and 2 on the Advanced tab.
The VPN gateway then selects one set of algorithms, or responds with an error (typically something like “no proposal chosen”) if it does not agree to use any of the proposed algorithms.
At first glance, it would seem a good idea to simply propose all possible algo­rithms to the VPN gateway, hoping that it will agree with at least one pro-
posal. However, there are several problems with this approach:
Selecting too many algorithms causes data packets on the network to be so large they need to be split up ("fragmented"). Many VPN gateways out­right refuse these fragmented VPN packets, and intermediate routers often have difficulties with fragmented VPN data packets as well.
Some VPN gateways refuse connection attempts altogether that contain many proposals or algorithms unsupported by the VPN gateway, most likely to serve as an intrusion prevention measure.
It is desirable to offer only those algorithms providing a very high level of security.
In the device profiles shipping with VPN Tracker, two or three algorithms that are most commonly used with a given device have been selected.
This increases the chance of a successful connection, even if the exact con­figuration is not known (while still keeping the data packets small enough to not be fragmented). However, if you know your VPN gateway’s exact configu-
ration, it is best to select exactly one proposal (combination of encryption, authentication/hash algorithm, and DH group) that your VPN gateway is set up to use.
50
Phase 1
Related Settings: Basic > VPN Gateway, Basic > Network Configuration >
Automatic Configuration, Basic > Authentication, Basic > Identifiers
Availability: Phase 1 settings are not configurable when SonicWALL Simple Client Provisioning is used.
VPN Gateway Setting: Phase 1 proposals, phase 1, IKE
Most VPN gateways only support Aggressive Mode connections for VPN clients connecting from dynamic IP addresses or from
behind a NAT router.
If you are setting up your VPN gateway from scratch: It is com­mon to select a lifetime of between 1 and 24 hours (3600 to
86400 seconds).
If you are setting up your VPN gateway from scratch: Each VPN gateway uses different hardware and has a different selection of
algorithms available, however, most support at least one of AES­128, 3DES or DES, so if there is no information what your VPN gateway might be using, try those.
AES-256 is considered to be the most secure algorithm. All AES variants and 3DES provide reasonably good security. Use DES
only if there’s no better choice.
In case you do not know what is configured on your VPN gate­way, it is possible to select more than a single algorithm. VPN Tracker will then offer all selected algorithms to the VPN gate­way and negotiate which one to use.
To avoid fragmentation of network packets or triggering intru­sion prevention mechanisms on VPN gateways, it is not recom-
mended to select more than two or three algorithms
If you are setting up your VPN gateway from scratch: Use SHA-1 if possible. Only use MD5 if no other algorithm is available.
If you own a modern device, it is possible that it already sup­ports SHA-2, which offers additional security.
In phase 1, using the pre-shared key or RSA signatures, VPN Tracker and the VPN gateway negotiate encryption keys with which the set up of the actual VPN tunnel (phase 2) will be secured, and verify each other’s identity.
Exchange Mode
The Exchange Mode determines how the initial steps of establishing a VPN connection take place. The setting must match the exchange mode selected
on the VPN gateway.
Aggressive Mode
Aggressive Mode is faster and requires less information, in particular, it does not require the IP address of the connecting client to be known prior to con­necting.
Encryption Algorithm
The encryption algorithm to use for phase 1 of the connection. It must match the algorithm configured on the VPN gateway for phase 1.
Main Mode
Main Mode is more secure but often requires the IP address of the connecting client to be known beforehand.
Lifetime
For security reasons, the encryption keys of a VPN connection are periodically re-negotiated. The lifetime determines when this takes place. The setting must match the lifetime for phase 1 on the VPN gateway, however a misconfigura-
tion will usually not show up right away, but will only be recognizable when the re-negotiation does not work properly.
Hash Algorithm
The hash algorithm used for phase 1 of the connection. It must match the algorithm configured on the VPN gateway for phase 1.
51
In case you do not know what is configured on your VPN gate­way, it is possible to select both SHA-1 and MD5 here, most VPN gateways will be able to negotiate which one they want to use.
Diffie-Hellman (DH) Key Exchange
If you are setting up your VPN gateway from scratch: Choose at least "Group 2 (1024 bit)" whenever possible.
Many VPN gateways support up to "Group 5 (1536 bit)", and it is a good idea to use that if it is available. Some recent high-end devices support up to "Group 18 (8192 bit)".
Related Settings: Basic > Network Configuration
Availability: Phase 2 settings are not configurable when SonicWALL Simple
Client Provisioning is used.
VPN Gateway Setting: Phase 2 proposals, phase 2, IPsec, VPN, tunnel
If you are setting up your VPN gateway from scratch: The lifetime for phase 2 can be different from the phase 1 lifetime, if it is, it is
typically shorter. It is common to select a lifetime of between 1 and 24 hours (3600 to 86400 seconds).
If you are setting up your VPN gateway from scratch: The en­cryption algorithm for phase 2 can be different from the phase 1
encryption algorithm. For VPN gateways with severly limited encryption hardware, it may be appropriate to choose a less se­cure but better performing algorithm here, and set a more se­cure algorithm for phase 1.
Do not select "No authentication", unless you have a very special setup that does not support using authentication. No authenti- cation means exactly what it says and is extremely insecure.
If you are setting up your VPN gateway from scratch: Using Per­fect Forward Secrecy is recommended.
The key length to use for the Diffie-Hellman key exchange. It must match the key length (group) selected on the VPN gateway for phase 1.
If you are getting inexplicable errors about an incorrect pre-shared key, double-check that the Diffie-Hellman group matches the VPN gateway’s con-
figuration.
Phase 2
This second phase of the connection establishes the actual VPN tunnel. All settings here must match the respective setting on the VPN gateway.
Encryption Algorithm
This is the algorithm used for encrypting the actual data that goes over the connection. See →#Advanced > Phase 1 > Encryption Algorithm for more in-
formation.
Authentication Algorithm
See →#Advanced > Phase 1 > Hash Algorithm
Perfect Forward Secrecy (PFS)
Using Perfect Forward Secrecy provides additional security when encryption keys are re-negotiated. The setting must match what is configured on your VPN gateway.
Lifetime
For security reasons, the encryption keys of a VPN connection are periodically re-negotiated. The lifetime determines when this takes place. The setting must
match the lifetime for phase 2 on the VPN gateway, however a misconfigura­tion will usually not show up right away, but will only be recognizable when the re-negotiation does not work properly.
If you are using a Cisco device with Easy VPN: Cisco devices can transmit their Perfect Forward Secrecy preference. Since using PFS is always more secure, VPN Tracker will use it when requested by a Cisco VPN gateway.
52
VPN Gateway Setting: Some devices do not have a dedicated setting for the PFS DH group. These devices typically use the same group as for phase 1.
Establish a separate phase 2 tunnel for each remote network
Related Settings: Basic > Network > Remote Networks
Advanced > Interoperability > Cisco > Establish a Shared Tunnel to 0.0.0.0/0 for Split-Tunneling
Availability: The setting is available only if there are multiple remote net­works, or when using an automatic configuration method that could lead to connecting to multiple remote networks.
Related Settings: Basic > Authentication > Certificate
Availability: The setting is only available for certificate-based authentication.
Related Settings: Basic > Authentication > Certificate
Availability: The setting is only available for certificate-based authentication.
Do not turn off this option except for debugging purposes!
Related Settings: Basic > Authentication > Certificate
Availability: The setting is only available for certificate-based authentication.
Traffic Control is an advanced feature that can cause traffic not to be encrypted. If you are unsure whether Traffic Control can help with your particular scenario, please contact support.
When connecting to multiple remote networks, VPN Tracker can either estab­lish a separate VPN tunnel (Security Association, SA) for each network, or send all traffic over a single tunnel. The single tunnel will use the first remote net-
work as the endpoint.
Send Request for Remote Certificate
If turned on, VPN Tracker will request the VPN gateway’s certificate. This set­ting should normally be turned on. Only turn off this setting if your VPN
gateway has trouble dealing with certificate requests from connecting clients. In that case, you’ll need to have the VPN gateway’s certificate in your keychain.
Which setting to use depends on the VPN gateway. If you find that with a single tunnel you cannot access any remote network but the first, then try swapping the order of the remote networks. If you can now access the new first network, then you likely need this setting turned on (or, less likely, your
VPN gateway supports only a single remote network for the connection).
Cisco EasyVPN-based VPN gateways are a special case, here you should almost always uncheck this setting and enable “Establish a Shared Tunnel to 0.0.0.0/0 for Split-Tunneling” in the Interoperability settings.
Certificates
Send Certificate
If turned on, VPN Tracker will send the local certificate to the VPN gateway. This setting should normally be turned on. Only turn off this setting if your VPN gateway has trouble dealing with certificates sent by connecting clients.
Verify Remote Certificate
This setting can be used to temporarily disable certificate verification for de­bugging purposes.
Traffic Control
Traffic Control provides more fine-grained control over the traffic that will be sent through the VPN or exempted from it.
Always exempt the addresses below from the VPN
Use this setting to exempt certain addresses from the VPN that would other­wise be sent through it.
53
Send only traffic for the addresses below over VPN
Traffic Control is limited by the VPN’s topology and remote net­works. It is not possible to send traffic over the VPN for addresses that are not part of the remote networks.
Availability: always
Availability: always
Availability: always
Availability: According to the selected device profile.
Related Settings: Advanced > Interoperability > Perform active Dead Peer
Detection
Availability: According to the selected device profile.
Use this setting to send only traffic for certain addresses through the VPN. This is useful for VPNs that require a Host to Everywhere topology if you only need
to reach certain hosts over the VPN, but don’t want all your Internet traffic to go through the VPN.
Force traffic over the VPN if remote networks conflict with local networks
Private IP addresses are not globally unique. If your VPN connects to a “popu­lar” network such as 192.168.1.0/24, it can easily happen that you find yourself connected to an 192.168.1.0/24 network locally as well. VPN Tracker will refuse
to connect because there’s no way to tell which traffic to send over the VPN, and which needs to reach the local network.
If you do not need any of the resources on the local network, VPN Tracker can try to connect anyway if you turn on this setting. VPN Tracker will exempt critical local addresses (router, DNS, DHCP), but otherwise force all traffic for
the remote network(s) over the VPN.
Connection Timeout
The default settings are more than sufficient for most setups. Only in extreme network environments with high packet loss or extremely high latency (think “connecting from a space probe back to earth”) will you have to increase the timeout (and/or the number of times VPN Tracker attempts to resend a
packet).
Interoperability
Send INITIAL-CONTACT Message
For some devices it is necessary to send this message when establishing a VPN connection in order to tell the VPN gateway to clean up “old” VPN con-
nections. However, other devices will disconnect all other VPN users upon re­ceiving this message (in particular if multiple VPN users connect from the same public IP address, or when users share an XAUTH account).
NAT-Traversal
Set NAT-Traversal to "Automatic".
There are some very specific circumstances in which you may need to change the setting, please read and understand →#VPN and Network Address Transla- tion (NAT), before making any changes to this setting.
Advertise as Dead Peer Detection Capable
VPN Tracker supports Dead Peer Detection (DPD) to detect if the other end of the connection is no longer responding. When this setting is turned on, VPN Tracker will tell the VPN gateway that it supports Dead Peer Detection.
For most VPN gateways (whether they support Dead Peer Detection or not) this option should be turned on. Only turn it off if you suspect that VPN Tracker offering to perform Dead Peer Detection causes a problem on the VPN gateway, or if the VPN gateway’s Dead Peer Detection implementation is broken.
54
Perform active Dead Peer Detection every ... seconds, if necessary
Related Settings: Advanced > Interoperability > Advertise as Dead Peer De-
tection Capable
Availability: According to the selected device profile.
Related Settings: Basic > Network Configuration
Availability: Available with a custom device profile or a Cisco device profile
when using Mode Config or EasyVPN.
Availability: Only available using a custom device profile. The setting is automatically used in all Cisco device profiles.
Related Settings: Basic > Network Configuration
Availability: Only available with custom device profiles or Cisco device pro-
files when using EasyVPN (or Mode Config with the “Send Cisco Unity Ven­dor ID” option turned on).
Related Settings: Basic > Network Configuration Advanced > Phase 2 > Establish a separate phase 2 tunnel for each remote network
Availability: Available when EasyVPN is used and “Establish a separate phase#2 tunnel for each remote network” is turned off.
Related Settings: Basic > VPN Gateway
If the VPN gateway is Dead Peer Detection capable, but does not perform Dead Peer Detection itself, VPN Tracker can perform Dead Peer Detection.
For most VPN gateways (whether they support Dead Peer Detection or not) this option should be turned on. Only turn it off if you suspect that VPN Tracker performing Dead Peer Detection causes problems (such as unex­pected disconnects because the VPN gateway is not responding but the VPN is working anyway).
Use ... as the Application Version during Mode Config
When performing Mode Config (or EasyVPN), VPN Tracker will identify itself as “VPN Tracker 8”. Identifying as a different client or version may be necessary to
work with some VPN gateways.
To identify as a specific client, simply enter its name and version, e.g. “Cisco Systems VPN Client 4.8.0:Linux”.
Send Cisco Firewall Attribute during Mode Config
When checked, VPN Tracker will send a special attribute indicating the pres­ence of a firewall. This may help to successfully connect to some Cisco de-
vices.
Establish a Shared Tunnel to 0.0.0.0/0 for Split-Tunneling
When checked, VPN Tracker will establish a single tunnel (Security Association, SA) to 0.0.0.0/0 and set suitable routes to achieve split-tunneling. This can no-
ticeably speed up connecting to a Cisco VPN gateway with multiple remote networks using EasyVPN and resolve issues with idle timeouts for those con­nections.
This setting should be turned on when connecting to Cisco devices using Cisco EasyVPN.
Send Cisco Unity Vendor ID
This setting is necessary in order to use certain Cisco-specific extensions, such as EasyVPN. Turn on this setting if you are connecting to a Cisco device using
a custom device profile (it is not necessary to use this setting when using one of the Cisco device profiles shipping with VPN Tracker).
IPv6
Prefer IPv6 VPN gateway address, if available
You will not normally need to change this setting. If your VPN gateway is reachable through IPv6 and its host name resolves to an IPv4 address as well as to an IPv6 address, VPN Tracker will use the IPv6 address if this setting is turned on.
55
Availability: According to the selected device profile.
Additional Settings
Related Settings: Basic > Network > Remote Network(s)
Availability: always
Availability: always
Direct Link Detection
This setting helps VPN Tracker detect when your Mac is physically attached to the network you normally connect to through VPN so you can use Secure
Desktop and the Network Scanner in those locations.
For example, if you use your MacBook at the office without VPN, and from home with VPN, you can teach VPN Tracker to recognize when you are con­nected to your office network and no VPN is needed.
To teach VPN Tracker to recognize a direct link to your remote network:
Physically connect your Mac to the remote network of your VPN connec­tion (e.g. if you connect to your office through VPN, connect your Mac to the office network). Direct link detection also works with wireless networks.
Open VPN Tracker and go to Advanced > Additional Settings > Direct Link Detection
Click “Use Current Router”
VPN Tracker will detect the local router’s unique hardware address (MAC ad­dress) and remember it. The next time you are connected to this network and try to connect to the VPN, VPN Tracker will know that no VPN is needed:
You’ll also see a message in the log when Direct Link Detection is active:
If you have a very complex network, you can teach VPN Tracker about more than one router. Simply click the green plus button to add more input fields.
Display credentials prompt for ... seconds
When VPN Tracker asks for VPN connection passwords (pre-shared key, Ex­tended Authentication (XAUTH) credentials), the password prompts are only displayed for a limited of time to indicate that most VPN gateways will drop
the connection attempt if the password is not supplied within a short time.
If necessary, this setting lets you increase the time a password prompt is be­ing displayed. This can be useful for accessibility purposes, or when dealing with devices that request the next passcode from a passcode generator token (which can take up to 1 minute).
Do not increase the timeout unless you have a specific reason to do so. Most devices will no longer expect a password after 15-60 seconds and thus the connection attempt will fail if entering a password takes too much time.
Always prompt for the pre-shared key Always prompt for XAUTH credentials
If enabled VPN Tracker will always prompt for the pre-shared key and/or XAUTH password, even if one is stored in keychain.
56
If a pre-shared key or password is stored, the password entry field will be pre-
Availability: always
Availability: always
Related Settings: Advanced > Phase 2 > Lifetime
Advanced > Phase 2 > Perfect Forward Secrecy (PFS)
Availability: Only available using a custom device profile.
Availability: always
Availability: Only available using a custom device profile.
filled with this password, but the “Store in Keychain” checkbox will be turned off in order to prevent you from accidentally replacing the stored password.
This settings is useful if
You are using a VPN gateway that asks you to fill the password field with password/pin + a generated one-time passcode. In that case, you can store the password/pin in keychain and have it pre-filled, and then add the gen-
erated code every time you connect.
You sometimes need to connect as a different XAUTH user but still want your “regular” XAUTH user account to be stored in keychain.
Use stored XAUTH password as passcode
A VPN gateway can ask for an XAUTH password or for a generated one-time passcode. Since it does not make sense to store one-time passcodes in key­chain, VPN Tracker does not offer this option by default.
However, some VPN gateways incorrectly ask for a passcode even though they actually expect a password. In that case, enable this option to permit storing the password in keychain etc.
Use remote proposals if more secure
VPN Tracker will use the settings the VPN gateway suggests if they are at least as secure as the current settings in VPN Tracker. If the lifetime mismatches and
the VPN gateway's lifetime is longer, VPN Tracker will attempt to use its own (shorter) lifetime. While this will allow initial connectivity, it may lead to the connection being dropped unexpectedly later on.
Never use remote proposals
VPN Tracker will treat a mismatch as an error and stop connecting.
Manually set MTU for network used by VPN
VPN Tracker normally uses an MTU (maximum transfer unit) of 1280 bytes. In extremely rare circumstances it may be necessary to decrease the MTU further in order to avoid fragmentation of network packets.
If you have to decrease the MTU, please be aware that the MTU in VPN Tracker needs to be set to 52 bytes less than the actual MTU that can be used.
Proposal Conflict Resolution
When VPN Tracker and the VPN gateway disagree about the lifetime or the Perfect Forward Secrecy (PFS) setting, VPN Tracker can choose to accept the
VPN gateway’s proposal instead of insisting on its own settings (in which case the connection attempt would fail).
Use remote proposals
VPN Tracker will use whatever settings the VPN gateway suggests, even if they are less secure
Use remote proposals if more secure (strict)
VPN Tracker will use the settings the VPN gateway suggests if they are at least as secure as the current settings in VPN Tracker
Padding
These settings determine how VPN Tracker handles cryptographic padding.
You should not change these settings unless instructed to do so by tech­nical support.
Nonce Size
Determines the size of the nonce for the Diffie-Hellman (DH) key exchange.
You should not change this setting unless instructed to do so by technical support.
57
Availability: Only available using a custom device profile.
Availability: Only available using a custom device profile.
VPN Tracker Preferences
Treat delete payloads in phase 2 as errors
A delete payload normally is a strong indication that the VPN gateway has terminated the connection, and the only recovery possible is a reconnect of the VPN. This setting disables this recovery mechanism and will cause dead
connections for almost all users. Do not uncheck this setting unless in-
structed to do so by technical support.
General Preferences
Reconnect VPNs after quitting and re-opening
VPN Tracker can remember and reconnect the VPNs that were connected when you quit the application or restarted your Mac.
Actions Tab
The actions tab is explained in detail in →#Working with VPN Tracker
Export Tab
A description of the export settings can be found →#Exporting Connections.
If you would like to temporarily disable automatic reconnect, hold down the option key while opening VPN Tracker.
Open VPN Tracker at login
VPN Tracker can open automatically at login. By default, VPN Tracker will open hidden. If you would like VPN Tracker to be visible on login, uncheck the
“Hide” checkbox in System Preferences > Users & Groups > Login Items.
To connect certain VPNs at launch, check the box on the Actions tab of the VPN(s) you would like to connect.
58
Show VPN status in menu bar
VPN Tracker can show its status in the menu bar. For more information about what the menu bar item can do, see →#Menu Bar Item
Hide Dock Icon
Check this box if you want to control VPN Tracker entirely from the menu bar, with no application icon being displayed in the Dock.
Automatically check for updates.
VPN Tracker can automatically check for updates so you never miss out on important improvements to VPN Tracker. When an update is available, you will be asked if you would like to download and install the update.
Network Preferences
If VPN Tracker cannot connect from ports 500 and 4500 because they are al­ready in use, it will resort to alternate ports if the setting is “Automatic”.
In case you need VPN Tracker to always use a specific port (and treat it as an error, should that port not be available), you may set specific network ports here.
Test VPN availability of unknown Internet connections
VPN Tracker automatically tests if VPN is available over your current Internet connection before attempting to connect to your VPN. Testing occurs only
once for any given Internet connection – for example, the first time you connect from a hotel’s Internet access, VPN Tracker will test the connection. When returning to that hotel a few months later, VPN Tracker usually won’t need to test again.
Testing your Internet connection enables VPN Tracker to adjust its NAT­Traversal settings depending on what the Internet connection supports. For
more information about NAT-Traversal and how VPN Tracker is testing your Internet connection, see →#VPN and Network Address Translation (NAT)
Network Ports
VPN Tracker normally connects from network port 500, the default port for IPsec VPN, and port 4500 for NAT-Traversal (VPN Tracker always connects to
ports 500, and 4500 on the VPN gateway end).
It is strongly recommended to let VPN Tracker test unknown Internet connec­tions for their VPN availability: If VPN Tracker knows what NAT-Traversal mechanisms are supported by your current Internet connection, VPN Tracker will be able to avoid many common connectivity issues automatically.
However, if you are using VPN Tracker to secure access to internal networks from another internal network (e.g. securing a corporate Wi-Fi network), it may be necessary to disable testing (entirely or just when connected to this par­ticular network).
To disable testing for all Internet connections (not recommended):
Open Preferences > Network
Uncheck “Test VPN availability of unknown Internet connections”
59
To disable testing for the current Internet connection:
Open the VPN Availability Test (Tools > VPN Availability Test)
Click “More Details”
Check “Ignore test result”
You can also choose to skip the test while the test is in progress.
A medium setting is recommended for good performance and low risk of be­ing blocked.
Timeout
By default, VPN Tracker waits for two seconds to receive a response from a service. Increase the timeout for slow (high latency) network connections or if hosts on the remote network are slow to respond.
To reset all skipped Internet connections and start testing again, click the but­ton “Forget Skipped Locations” in Preferences > Network.
Scanner Preferences
Increasing the timeout significantly increases the time a scan will take to complete, but may also increase the accuracy of the results.
Load website previews
VPN Tracker shows previews of websites that the Network Scanner has found. Loading these previews may require a significant of network bandwidth if there are many and/or complex websites.
You may want to disable website previews if you are being charged for net­work bandwidth, or if you are on a very low-bandwidth Internet connection.
Notification Preferences
Performance
This setting determines how aggressively VPN Tracker scans a network. On the slowest setting, VPN Tracker will only scan a single service on a single host at a
time. On the fastest setting, many services and hosts will be scanned concur­rently. This could trigger intrusion detection systems on the VPN gateway or other firewalls, and cause you to be blocked from network access.
VPN Tracker can display notifications for events such as VPN connect and dis­connect, status changes, or errors.
60
Use the “Notifications” popup to select those events that you would like to be notified about. You can customize the way notifications are displayed in Sys-
tem Preferences > Notifications.
61
Secure Desktop Reference
It is not possible to use Bonjour or NETBIOS names for accessing file servers. Please use IP addresses instead, or set up →#Remote
DNS to be able to use DNS host names.
This chapter describes the items available in Secure Desktop and how to customize them to get the most out of Secure Desktop.
Connecting to File Servers
To connect to a file server (network share), drag the “File Server” item to your Secure Desktop. Secure Desktop must be in →#Edit Mode to add items.
Select the VPN that is required for accessing this file server (here, the VPN is called “London”).
Select the type of server that you would like to connect to, and enter its IP address. There are several types of file servers that VPN Tracker can connect to.
If your VPN has a working →#Remote DNS setup, you can use a host name instead
of an IP address.
If there are file servers currently con­nected to your Mac, they will be shown in the list and you can select one of those directly.
When you’re done setting up the file server, leave the Secure Desktop’s edit
mode and click the item to test it.
You will be prompted for your username and password (if required), as well as for the volume(s) on the file server that you would like to access1.
OS X File Servers (AFP)
Select “AFP Server” if your file server is a Mac running OS X, or an Apple Time Capsule. Some NAS (Network Attached Storage) devices can be accessed us-
ing AFP, please refer to your device’s documentation for details.
In addition to the server’s address, you may optionally enter the volume after the address, separated by a forward slash (“/”), e.g. 192.168.42.11/SharedDocs.
Windows File Servers (SMB/CIFS)
Select “SMB/CIFS Server” if your file server is running Windows, or if you are connecting to a file server with Windows-compatible network shares. Many NAS devices offer SMB services.
In addition to the server’s address, you may optionally enter the share after the
address, separated by a forward slash (“/”), e.g. 192.168.42.11/Documents.
FTP Server
Select “FTP Server” if you are connecting to a file server running the File Trans­fer Protocol (FTP). Many NAS devices offer FTP services, and FTP is a popular
protocol for uploading files to web hosting.
NFS Server
Select “NFS Server” if you are connecting to a file server running the Network File System (NFS). You must specify the entire path to the network share, e.g.
192.168.42.11/export/docs.
1
For NFS file servers, the share must be specified in the Secure Desktop file server item.
WebDAV Server
Select “WebDAV Server” if you are connecting to a file server running the WebDAV protocol. WebDAV is a popular protocol for uploading files to web hosting.
62
Opening Websites and other URLs
URLs will open in the default application registered on the Mac for the URL. The icon will automatically change to reflect the ap-
plication that will open. You can set a custom icon by clicking the gear icon in the upper right corner of the inspector.
Microsoft Remote Desktop for Mac needs to be installed and a connection set up in order to use this feature. Microsoft Remote Desktop can be downloaded at http://www.microsoft.com/mac
If you haven’t set up a Microsoft Remote Desktop connection yet, you can do so right within the Microsoft Remote Desktop
for Mac application. Any connections configured there can be selected in Secure Desktop.
Accessing Windows PCs using Microsoft Remote Desktop
You can use the Web Browser item in Secure Desktop to open a website.
The Web Browser item can open any URL, e.g. telnet://, ssh://, etc., so if you have an application that can open URLs, you can use it here.
You can put Microsoft Remote Desktop connections onto your Secure Desk­top to share the screen of remote Windows PCs.
To share the screen of a Windows PC, drag the “Micro­soft Remote Desktop” item to your Secure Desktop.
Secure Desktop must be in →#Edit Mode to add items.
Select the VPN that is required for accessing the Windows PC (here, the VPN is called “London”).
Select the Microsoft Remote Desktop connection needed to connect to the Windows PC (here, the connection is called “BigBen”).
When you’re done setting up the item, leave Secure Desktop’s edit mode and click the item to test it.
When you’re done setting up the Microsoft Remote Desktop item, leave Se­cure Desktop’s edit mode and click the item to test it.
63
Accessing Windows PCs using CoRD
CoRD needs to be installed and a connection set up in order to use this feature. CoRD can be downloaded at http://cord.sf.net.
Accessing your Macs using Screen Sharing (VNC)
CoRD is an alternative to Microsoft Remote Desktop for Mac to share the screen of remote Windows PCs right form Secure Desktop.
To share the screen of a Windows PC, drag the “CoRD” item to your Secure Desktop. Secure Desktop must be in →#Edit Mode to add
items.
Select the VPN that is required for accessing the Windows PC (here, the VPN is called “London”).
Select the Microsoft Remote Desktop connection needed to connect to the Windows PC (here, the connection is called “Windows 8 Test”).
All modern versions of OS X support Screen Sharing through VNC. Make sure Screen Sharing is enabled on the Mac whose screen you would like to share (System Preferences > Sharing).
To share the screen of a Mac, drag the “Screen Sharing” item to your Secure Desktop. Secure Desktop must be in →#Edit Mode
to add items.
Select the VPN that is required for accessing the Mac (here, the VPN is called “London”).
Enter the IP address of the Mac whose screen you would like to share. If your VPN has a working →#Remote DNS setup, you can use a host name
instead of an IP address.
When you’re done setting up the CoRD item, leave Secure Desktop’s edit mode and click the item to test it.
When you’re done setting up the Screen Sharing item, leave Secure Desktop’s edit mode and click the item to test it.
64
Accessing your Macs using Apple Remote Desktop (ARD)
Apple Remote Desktop needs to be installed and the Mac needs to be in one of its computer lists in order to use this feature.
More information about Apple Remote Desktop can be found at
http://www.apple.com/remotedesktop
The Apple Remote Desktop item will fall back to VNC Screen Sharing if the computer you’re attempting to connect to is not
in one of Apple Remote Desktop’s computer lists.
FileMaker needs to be installed to use this feature. Information about FileMaker can be found at http://www.filemaker.com
Accessing FileMaker Databases
If you have Apple Remote Desktop (ARD) installed, you can use it to manage remote Macs over VPN right from Secure Desktop.
To observe or control a remote Mac, drag the “Apple Remote Desktop” item to your Secure Desktop. Secure Desktop must
be in →#Edit Mode to add items.
Select the VPN that is required for accessing the Mac (here, the VPN is called “London”).
Choose if you would like to control or observe the Mac.
Enter the IP address of the Mac that you would like to manage. If your VPN has a working →#Remote DNS setup, you can use a host name instead of an
IP address.
If you have FileMaker installed, you can open remote (and local) databases and run scripts from Secure Desktop.
To open a FileMaker database, drag the “FileMaker” item to your Secure Desktop. Secure Desktop must be in →#Edit Mode to add
items.
Select the VPN that is required for accessing the FileMaker server (here, the VPN is called “London”).
Enter the IP address of the FileMaker server. If your VPN has a working
#Remote DNS setup, you can use a host name instead of an IP address.
Enter the name of the database.
If you would like to run a script when opening the database, enter its name.
When you’re done setting up the Apple Remote Desktop item, leave Secure Desktop’s edit mode and click the item to test it.
When you’re done setting up the FileMaker item, leave Secure Desktop’s edit mode and click the item to test it.
65
Opening Mac and Windows Applications
The VPN settings determine which network traffic goes through the VPN. Putting an application on your Secure Desktop will not cause its traffic to go through the VPN unless the associated VPN is configured to send that traffic through the VPN. More
information can be found in →#Topology.
Windows Applications
To add Windows applications from your virtual machines, locate the folder that mirrors your VM’s applications (e.g. Documents > Virtual Machines >
Your Windows Machine > Applications) and choose the application from there.
You need a virtual machine software that makes Windows applications ac­cessible through the OS X file system and the VM needs to be set up to share your Mac’s network connection.
The OS X Server application needs to be installed on your Mac (OS X server itself does not have to be installed), and the server needs to be listed in the app to be accessible to Secure Desktop.
You can open any Mac application from Secure Desktop, as well as Windows applications from Virtual Machines running Windows.
To open any application, drag the “Custom App” icon to your Secure Desktop. Secure Desktop must be in →#Edit Mode to add
items.
Select the VPN that you would like to connect prior to opening the app (here, the VPN is called “London”).
Select the app to open (here: Numbers).
Optionally, check the box to quit the app before the VPN is disconnected.
Administrating OS X Server
You can manage OS X Server from Secure Desktop using the OS X Server app.
To add OS X Server, drag the “OS X Server” icon to your Secure Desktop. Secure Desktop must be in →#Edit Mode to add items.
When you’re done setting up the application item, leave Secure Desktop’s edit mode and click the item to test it.
66
Select the VPN that is required for accessing the server (here, the VPN is called “Office”).
Enter the IP address of the server. If your VPN has a working →#Remote DNS setup, you can use a host name instead of an IP address.
Automating Tasks Using AppleScript
If your script or workflow needs a file server to be connected, you can either connect the file server as part of the script, or use
an →#Action in your VPN to connect the file server.
Automating Tasks Using Automator
You can use AppleScript to automate repetitive tasks that need a VPN: Up­loading files to a server, getting the newest data from a database, sending files to a service for processing, etc.
To add an AppleScript, drag the “AppleScript” item to your Secure Desktop. Secure Desktop must be in →#Edit Mode to add items.
Select the VPN that you would like to connect prior to running the script (here, the VPN is called “London”).
Enter the AppleScript. Use the Run and Compile buttons to test your script.
You can add Automator workflows to Secure Desktop to automate repetitive tasks that require a VPN. Uploading files to a server, getting the newest data from a database, sending files to a service for processing, etc.
To add an Automator workflow, drag the “Automator” item to your Secure Desktop. Secure Desktop must be in →#Edit
Mode to add items.
Select the VPN that you would like to connect prior to running the Automator workflow (here, the VPN is called “London”).
Drag the workflow into the inspector, or use the Select button to select a workflow from disk. Use the Run button to test your workflow.
67
Accessing Files & Printers over VPN
Secure Desktop or Finder? Your Choice!
Secure Desktop lets you connect to file servers right from within VPN Tracker (→#Learn More). However, if you wish, you can of course also use the
Finder to connect to your file servers.
I don’t know my file server’s IP address. Can’t I just access my file servers via the Finder Sidebar?
When using a VPN connection, your servers won’t show up in the Finder sidebar because the network protocols used for this service, Bonjour and
NETBIOS, do not travel over the VPN.
If you don’t know your file server’s IP address, you can easily find it out next time you’re in your office network:
Open Tools > Ping Host and enter your file server’s name. After a few sec­onds, VPN Tracker should tell you the file server’s IP address. Again, this will
only work when you’re actually in your office network, not if you’re con­nected via VPN.
Using Finder to Connect to File Servers
To connect to your file server (network share):
Switch to Finder by clicking its icon in the Dock
Choose Go > Connect to Server from the menu bar on top of your screen. You can also use the keyboard short­cut -K
If your file server is a Mac (AFP):
Enter the IP address (e.g. 192.168.42.4)1 of your server in the “Server Address” field and click “Connect”.
If your file server is running Windows (SMB/CIFS):
Enter “smb://” followed by the IP address (e.g. 192.168.42.14)1 of your server and click “Connect”.
You will be prompted for your username and password (if required), as well as for the volume(s) on the file server that you would like to access.
If your VPN has a working →#Remote DNS setup, you can use a host name in- stead of an IP address.
1 If your VPN connection uses remote DNS, you can also use a DNS host name instead of an IP address.
68
Printing over VPN
In VPN Tracker Pro, you can add printers directly from the Net­work Scanner’s results.
It is possible to print to network printers over VPN. The trick is to use the printers IP address (or DNS host name) when setting up the printer on your
Mac. It is not possible to use printers that have been auto-detected by Bon­jour over the VPN because your Mac does not know their IP address or DNS host name.
If you have a network printer that’s already set up on your Mac, check if it is using Bonjour:
Open System Preferences “Print & Fax”.
Click “Options & Supplies”.
Adding a Network Printer for Printing Over VPN
Before starting, make sure you know your printer’s IP address or DNS host name. To help your Mac auto-detect the printer settings, it is helpful if your
Mac is physically connected to your remote network or connected to the VPN while you set up the printer.
Open System Preferences “Print & Fax”.
Click the plus button to add a new printer.
If the URL starts with “mdns://” your printer is a Bonjour printer and you will need to add it again using its IP address.
69
Select whether your printer is an IPP, LPD or HP JetDirect printer (your printer’s administrator or its manual will be able to tell you which it is).
Enter your printer’s IP address.
Wait until OS X has determined your printer type. This works only if the printer is reachable. If not, you’ll have to select the printer driver yourself.
Click “Add” to add the new printer.
L2TP / PPTP Connections
OS X L2TP/PPTP VPN connections are always associated with a specific network location. VPN Tracker therefore only shows
those VPN connections that belong to the current network loca­tion (System Preferences > Network > Location).
Find out how to integrate OS X LT2P / PPTP connections into VPN Tracker.
OS X has a built-in VPN client that can connect to L2TP and PPTP VPNs. In VPN Tracker Pro, these connections are automatically integrated into the sidebar so you can use all your VPN connections from one place.
Setting up a new L2TP or PPTP VPN in OS X
Open System Preferences > Network.
Click the ‘+’ icon.
Select the VPN interface and your type of VPN.
Configure the VPN and click “Apply”.
For further information, please click the question mark to open OS X Help.
The VPN will automatically appear in the sidebar in VPN Tracker under “Other VPN Connections” and can be controlled from there.
70
VPN and Network Address
First IP Address
Last IP Address
Number of IP Addresses
192.168.0.0
192.168.255.255
65#536
10.0.0.0
10.255.255.255
16#777#216
172.16.0.0
172.31.255.255
1#048#576
moment! Instead, it makes a few changes to the sender’s information in the request:
Translation (NAT)
VPN Tracker provides reliable VPN connectivity, even through routers that perform Network Address Translation (NAT). This chapter explains the technical background of Network Address Translation, the different NAT-Traversal methods available, and how VPN Tracker makes everything work seamlessly.
Private IP Addresses
In the early years of the Internet, each computer had a worldwide unique IP address. When it became clear that the Internet was growing rapidly and
would soon run out of IP addresses, certain blocks of IP addresses were re­served for use on private networks. These private IP addresses can be used over and over again in different private networks, they do not have to be unique worldwide.
The following IP address ranges are reserved for private use:
It replaces the private IP address of the sender with its own public IP ad­dress.
If necessary, it changes the outgoing network port number so no other computer communicating with the recipient of the request uses the same network port (it also remembers which port was used by which computer
on its private network).
It then forwards the request to the Internet.
When responses come back, the process needs to be reversed. Responses will come back on the same network port the request was sent out. The router can therefore easily look up which computer sent the original request.
The router replaces the recipient of the response with the private IP ad­dress of the computer who sent the original request.
If it had to change the network port, the router puts back the original net­work port.
It then forwards the response to its private network.
The entire process is called Network Address Translation (NAT). If you have a DSL or wireless router (e.g. an AirPort Base Station) at home, it is very likely performing Network Address Translation. In most offices, hotels, and Internet cafes you will be connecting to a private network that has a NAT router for accessing the Internet.
Network Address Translation (NAT)
When a computer with a private IP address accesses the Internet, it sends the request through its local router. The local router cannot simply forward the
request to the Internet: The sender’s private IP address is not unique outside its particular private network#– in fact there can be millions of computers on the Internet worldwide that have the same private IP address at any given
71
NAT-Traversal
If you are buying a new VPN gateway, make sure it supports all forms of NAT-Traversal – it is very likely that you will encounter Internet connections that require NAT-Traversal to work.
NAT-Traversal: Earlier Draft Versions vs. RFC
The early NAT-Traversal draft versions sent UDP packets on network port 500, the same port also used for the initial connection process of the VPN.
This sometimes caused trouble with NAT routers that simply discarded UDP packets on network port 500.
To deal with this problem, the final NAT-Traversal standard (RFC) changed the network port for performing NAT-Traversal to the (non-privileged) UDP network port 4500.
Phase 1
Phase 2
Established
XAUTH,
Mode Config,
EasyVPN
(optional)
DHCP over VPN
SonicWALL
(optional)
ESP is being used (no ports) NAT-Traversal encapsulates ESP in UDP (port 4500 for RFC, port 500 for early drafts)
The VPN gateway and VPN Tracker negotiate which NAT­Traversal mechanism to use later. Phase 1 always uses UDP port 500.
NAT-Traversal (RFC) switches to UDP port 4500, all others continue on UDP port 500
Network Address Translation used to be a problem for VPN connections: Once the VPN is established, the actual communication over the VPN uses a net-
work protocol called ESP. Unlike the TCP and UDP network protocols you may be familiar with, ESP does not use network ports. Since NAT depends on being able to use network ports to identify the recipient of an incoming response, it cannot work with ESP out of the box. Two methods have been developed to deal with NAT-Traversal:
IPSec Passthrough
For IPsec Passthrough, the local router needs to know about IPsec VPN and the ESP protocol. In its most basic form, the router simply sends all ESP traffic to the last host on its network that talked to the VPN gateway. Most NAT rout­ers have some limitation on their IPsec Passthrough capability, for example it often cannot support more than a single computer connecting to the VPN.
Since the local router takes care of everything, no special support is required on the VPN gateway or the VPN client.
NAT-Traversal
With NAT-Traversal, VPN Tracker wraps ESP into regular UDP packets (which have port numbers and can easily be handled by NAT routers). On the other end, the VPN gateway needs to remove the UDP “wrapper” before it can de-
crypt the VPN communication.
There are several versions of NAT Traversal. Some VPN gateways support only one form of NAT-Traversal, and some, particularly older or low-end VPN gate­ways, support none. VPN Tracker and the VPN gateway automatically nego-
tiate which form of NAT-Traversal, if any, to use.
Since VPN Tracker and the VPN gateway take care of everything, no special support for NAT-Traversal is required from the local router, though firewall rules or firmware issues could prevent NAT-Traversal from working.
The following diagram shows how a VPN is established using different NAT­Traversal mechanisms:
72
Testing for NAT-Traversal Support
As you can see from the diagram, there are a several points where the local router could interfere with the VPN. VPN!Tracker can detect such problems
and in most cases work around them by selecting the most suitable NAT­Traversal method for any given situation –!whether it’s a hotel, an Inter­net cafe or your home Wi-Fi network.
There is one specific situations in which the availability test may not give ac­curate results: If communication to your VPN gateway goes through a differ-
ent router than Internet traffic, or is treated differently (firewall rules etc.).
Since the test VPN gateway is located on the Internet, the test results reflect the connectivity from your location to VPN gateways on the Internet, but may not be accurate for your VPN gateway if it is handled differently.
VPN Tracker runs a test the first time it encounters a new local router (that's the progress bar you see before the VPN connection is established).
Even though it may take a short moment, it's very important to run the test! It only needs to run a single time at any given location.
What does the test do?
The test connects to a VPN gateway at equinux using all possible NAT­Traversal methods: IPsec Passthrough, NAT-Traversal (early drafts), and NAT­Traversal (RFC). VPN Tracker tests and remembers which methods worked, and from then on it will only use the working methods.
Should VPN Tracker ever encounter a situation where the local router blocks all VPN traffic, or where the properties of the local Internet connection would
require a form of NAT-Traversal that is not supported by your VPN gateway, it will specifically tell you so.
In what situations is the automatic test not sufficient?
The automatic test will work in almost all situations. It will help you to get hassle-free VPN connectivity at Internet cafes, hotels, airports – basically in all
those places where you have little time and encounter routers that may not support all NAT-Traversal methods.
In that case, you can open the VPN Availability Test (Tools > Test VPN Availabil­ity) and tell VPN Tracker to ignore the test results for this specific location.
To disable testing entirely, go to →#VPN Tracker Preferences.
What if my local router changes? What if a firmware up­grade changes its capabilities?
If you exchange the router for a different device, VPN Tracker will notice automatically (it uses the router's hardware address (MAC) to remember
which routers it already tested).
If only the firmware is updated, or you are using an Internet connection where NAT-Traversal happens off-site at your Internet Service Provider (ISP), VPN Tracker cannot detect a change automatically. In that case, please open the VPN Availability Test (Tools > Test VPN Availability) and repeat the test.
73
Certificates and Smart Cards
What about Tokens?
We are using the term “smart card” to describe both an actual smart card that is placed into a card reader, and a USB token with a non-removable
smart card chip that plugs directly into your Mac. From VPN Tracker’s per­spective, there is no difference if the smart card chip is accessed through a card reader, or built into a USB token.
There is also a another type of token on the market: These tokens generate a one-time code (e.g. RSA SecurID). When using such tokens, the VPN gate-
way usually request the code through Extended Authentication (XAUTH). To use such tokens in VPN Tracker, simply set up your VPN gateway according to your vendor’s instructions and enable XAUTH in VPN Tracker.
This chapter describes how VPN Tracker can be integrated into a PKI (Public Key Infrastructure) using digital certificates or smart cards.
Getting Started
To use certificates with VPN Tracker, you will need certificates and a VPN gateway that can authenticate users through X.509 certificates (RSA signa-
tures).
Obtaining Certificates
If you have an existing Public Key Infrastructure (PKI) that uses certificates:
Certificates (and private keys for the client/user certificates) need to be available in a format supported by the OS X keychain. If your users already have their certificates in their OS X keychain, there’s nothing that needs to be done.
If you have an existing Public Key Infrastructure (PKI) that uses smart cards:
Software is required to make your smart card certificates available in OS X through the keychain. If you have already installed your vendor’s driver or software, you can easily determine if it satisfies this requirement by check­ing if your smart card appears as a keychain in the OS X Keychain Access application (Applications > Utilities > Keychain Access)
If your vendor does not provide the necessary software, there may be a third party solution available
If you do not have an existing Public Key Infrastructure (PKI) in place:
Use the Certificate Assistant built into the OS X Keychain Access application to create certificates (Keychain Access > Certificate Assistant). Some VPN gateways also can create and export certificates.
VPN Gateway Prerequisites
Your VPN gateway must support the use of authentication based on digital certificates (X.509 certificates)
Configure your VPN gateway for certificate-based authentication. Refer to your vendor’s documentation for details.
Certificate Management in OS X
To use certificates with VPN Tracker, the certificates must be available in a keychain. This chapter therefore will first cover
the basics of certificate management using the keychain on OS X, before showing how to include certificates in VPN Tracker.
In OS X, certificates (and their private keys) are stored in keychains. Keychains are managed using the Keychain Access application (found in Applications >
Utilities).
A keychain protects the private key by only permitting access if the keychain has been unlocked using the appropriate password. Also, if applications at­tempt to access a private key in a keychain for the first time, the user is asked
to permit access, even if the keychain is unlocked. By default, a user has a sin­gle keychain, the login keychain, protected with their password. It is possible to change the login keychain’s password to a different one, and to create ad­ditional keychains.
74
Importing Certificates
Certificates can be imported into a OS X keychain using any of the usual cer­tificate formats (PEM, DER, PKCS#7, PKCS#12). To import a certificate, simply
double-click the certificate file, or choose File > Import Items... in Keychain Access.
If the certificate contains a private key and the certificate file is protected by a password, you will be asked for this password:
If the certificate contained a private key, you will see both the certificate and its private key in the list after importing. A combination of a certificate and its
private key is called an identity in OS X.
Checking a Certificate’s Trust
Keychain Access easily lets you see if a given certificate is trusted, and if not, why not. Simply select the certificate and examine the top part of the Key-
chain Access window (if the details are not visible, choose View > Show Sum­mary to display them):
If only the public part of the certificate was imported, you will see only the certificate listed after importing.
Importing Certificate Authorities
Importing a certificate authority works the same as importing a regular cer­tificate. After importing, you will be asked if you want to trust this certificate authority. If you choose “Always Trust”, certificates signed by this certificate authority will be trusted automatically in the future.
75
Which Certificates Do I Need?
You can easily check if a private key is available for a given certifi­cate by selecting the “My Certificates” category in the left column
in Keychain Access. If a certificate appears there, it has a private key available.
Make sure your VPN gateway is already configured for certificate­based (X.509 certificates / RSA signatures) authentication before starting to configure VPN Tracker.
To use certificate-based authentication in VPN Tracker, you will need the fol­lowing certificates in your OS X keychain:
VPN Client:
VPN client (VPN user) certificate and
Private key belonging to the VPN client (VPN user) certificate
VPN Gateway (optional):
VPN gateway’s certificate (without the private key) or
Certificate authority (CA) that signed the VPN gateway’s certificate. Its cer­tificate must be set as trusted on your Mac. The VPN gateway must be ca-
pable of sending its actual certificate upon connection initiation, which is the case for almost all VPN gateways
Selecting Certificates in VPN Tracker
If you have not yet done so, set the authentication method to “Certificates”.
In the certificate selection window, select your certificate(s). The certificate selection window opens automatically if you are not yet using certificates. If you have already selected some certificates earlier, click the “Edit” button on the Basic tab.
76
Local Certificate
Inspecting a Certificate
Click the triangle to see the details for the selected certificate.
Even though CA certificates may show up in the list, you should selecting a CA certificate as the remote certificate will not work.
Certificates and Exported Connections
Certificates are never included in an exported connection, since most or­ganizations with a PKI infrastructure already have well-established (and se-
cure) procedures of distributing certificates to users in place. The exported connection does include the information which certificates were selected.
When exporting an unlocked connection:
If the selected certificates are present on the recipient’s Mac, VPN Tracker will use these certificates
If the selected certificated do not exist on the recipient’s Mac, the recipi­ent will be able to select different certificates
When exporting a locked connection:
The recipient will not be able to edit their VPN connection settings. It is therefore important to select the correct certificates before exporting
Certificate Identifier Types
A “Local (Remote) Certificate” identifier will technically be sent as an identi­fier of type ASN.1 Distinguished Name (DN). On your VPN gateway, such an
identifier may also be called simply Distinguished Name or Subject.
The local certificate is the certificate you are using to identify to the VPN gateway as a user/client. It is sometimes called client certificate or user certifi-
cate. A private key is required for the local certificate, since it must sign mes­sages to the VPN gateway.
If you cannot find your certificate here even though you have imported it into the OS X keychain, make sure the corresponding private key is also available in the keychain. You can easily check that by selecting the “My Certificates”
category in Keychain Access. If it does not appear there, the private key is missing.
Remote Certificate
The remote certificate is the VPN gateway’s certificate. A private key is not needed. There are two options:
Select your VPN gateway’s certificate or
Select “Use certificate supplied by peer”1 to use the certificate the VPN gateway sends upon connecting, and verify it against the certificate authorities installed on your Mac. If verification fails, you will be prompted to verify the certificate manually.
Identifiers Based on Certificates
It is possible to use the information from certificates as an identifier for the VPN connection. To do this, set the Local (Remote) Identifier to Local (Remote)
Certificate". VPN Tracker will then use the certificate’s information (such as subject, organization, country etc.) as the identifier for the connection.
Advanced Certificate Settings
1
Locked connections require the VPN gateway certificate or a trusted CA that signed the certificate. If your VPN gateway is not capable of transmitting its certificate, the certificate is always required.
There are several settings on the Advanced tab that influence how certificates are verified. These options should usually be left enabled. For more informa-
tion, see the →#Settings Reference
77
Using Smart Cards
Storing certificates on a smart card provides even more security than using certificate-based authentication with certificates stored locally on your Mac.
This chapter shows how to set up smart card based authentication with VPN Tracker using Aladdin eToken.
Vendor Software Installation
To access your smart card on your Mac, you will first have to install the soft­ware provided by your smart card vendor. The following steps show the soft­ware installation for Aladdin eToken.
Step 1 – Start the installation
Step 2 – Follow the installation wizard
Step 3 – Finish the installation by logging out
The installation program will guide you through the necessary installation steps
Make sure to carefully read all instructions
78
When the installation has finished, you will have to log out (and log back in) to complete the installation.
The installation will provide you with two software applications. The PKI­Monitor allows you to monitor the attached eToken devices, and the eTo- ken Properties application lets you configure your eToken and import cer-
tificates onto the device.
Please refer to your vendor’s documentation for additional details on how to set up your smart card or token.
Verifying Access
To verify that you are indeed able to access your smart card or token through the OS X keychain, start the Keychain Access application. You should be able
to find your token in the keychain list on the left (use “View > Show Keychain List” if the keychain list is not displayed).
If you have not done so yet, import or create your certificates on the smart card now. The best way to do this is through the software tools provided by
your smart card vendor (such as through the eToken Properties application when using Aladdin eToken). Make sure that the private key for your client/ user certificate is also present on the smart card. You can easily verify this by selecting the “My Certificates” category in Keychain Access. If the certificate is displayed there, the private key is available.
Selecting Smart Card Certificates in VPN Tracker
Selecting a certificate located on a smart card works exactly the same as se­lecting a regular certificate. Please refer to →#Selecting Certificates in VPN
Tracker for details.
79
Troubleshooting Certificates
Most errors can be resolved quickly by carefully following the hints given by VPN Tracker in its log. However, here are some frequently asked questions that
cannot be covered by the log hints.
My connection works fine, but I am prompted for my keychain password or keychain access permission every time I connect
If you are using a smart card, this behavior is inherent to the way smart cards work, storing the access code is not possible
If you are using normal certificates stored in your keychain, please make sure the OS X keychain subsystem has write access to the keychain that
your certificate and private key are stored in, and to the folder the keychain is in. You can run the Keychain First Aid tool that is part of Keychain Access (Keychain Access > Keychain First Aid) to verify permissions.
My certificate is only in the Remote Certificate list, however, I want to select it as the Local Certificate
A certificate that is to be used as the local certificate must have its private key stored in the keychain (or on the smart card). If a certificate does not have a
private key available, it will not be displayed in the Local Certificates list.
I cannot add my certificate to the keychain: Keychain Access keeps complaining that the certificate already exists, but I searched for it and it is not there!
A certificate is uniquely identified by the combination of issuer (i.e. the certifi­cate authority signing it), and the serial number. If your keychain already con­tains a certificate issued by the same certificate authority with the same serial number, it will not be possible to add another certificate with the same issuer
and serial number combination, even though the rest of the certificate may be completely different.
Unfortunately, it is fairly easy to accidentally create certificates with duplicate serial numbers when using the OS X Certificate Assistant. There are two possi­ble ways of resolving this problem:
Recreate the certificate using an unused serial number (in Certificate Assis­tant, check the box “Let me override defaults” to modify the serial number)
If you do not have the possibility to recreate the certificate, put the offend­ing certificate into a separate keychain
I followed the advice in the log and double-checked my configuration, but the connection still fails
Before contacting technical support, please run the Keychain First Aid tool that is part of Keychain Access (Keychain Access > Keychain First Aid). Then try
connecting again. Also double-check that you have selected the correct cer­tificates. A certificate authority (CA) certificate should never be selected as the local or remote certificate.
If the problem persists, and you need to contact us, please include the follow­ing information with your support request:
A Technical Support Report from VPN Tracker (Help > Technical Support Report…)
Screenshots of the VPN configuration on your VPN gateway, if possible
The output of the Terminal command security dump-keychain (pre- ferred), or screenshots of the details of all certificates used with the con-
nection: In Keychain Access, select each certificate and choose “File > Get Info”. Make sure the details are visible (click the triangle, if necessary) and take a screenshot of the details.
80
Choosing the Right VPN Device
Apple Airport Base Stations
AirPort base stations are only capable of passing through VPN connections, but do not provide VPN services (i.e. act as a VPN gateway) themselves. If
you are using an AirPort base station, you will need to buy a dedicated VPN gateway to replace or work alongside your Airport base station.
What You’re Looking For
Whether you’re shopping for a new device or are trying to find out if your ex­isting router can act as a VPN gateway, these are the magic words you’ll want
to look for – if they’re mentioned in the manual or data sheet, the device is probably suitable:
IPsec VPN Access
IPsec Tunnels
<any number of> IPsec Tunnels
<any number of> IPsec VPN connections
<any number of> IPsec VPN users
<any number of> IPsec SAs
Misleading Feature Names
If a device lists only one or more of the following features, it probably cannot act as a VPN gateway:
IPsec Passthrough
VPN Passthrough
IPsec NAT-Traversal
These features indicate that the device is capable of letting IPsec VPN connec­tions pass through. They do not indicate whether the device is capable of of-
fering VPN services itself.
Other Types of VPNs
L2TP or L2TP/IPsec
PPTP
If your device offers only these types of VPNs, it may be possible to use the limited VPN client built-in to OS X. VPN Tracker lets you control these connec-
tions from inside VPN Tracker. Other VPN types, such as OpenVPN and proprie­tary SSL VPNs are not supported.
Recommended Devices
Now for the big question: Which device do we recommend?
Unfortunately there is no generic answer to this question. There are a lot of factors you’ll need to consider, such as the number of VPN users you need to
support, the type of Internet connection you have, etc.
Generally speaking, the most important features are
Robust support for client-to-gateway connections (some older or low-end VPN gateways are designed to provide only a single gateway-to-gateway
VPN that requires static IP addresses on both ends of the connection).
Support for all forms of NAT-Traversal.
Reasonable level of security (at least 3DES encryption, better AES, SHA-1 hash algorithms, better SHA-2, DH groups 2 and 5, better higher).
If you expect more than one VPN user: Support for Extended Authentica­tion (XAUTH) and a form of client provisioning (Mode Config, Cisco
EasyVPN, SonicWALL DHCP over VPN, WatchGuard MobileUser VPN).
The technical support team at equinux has extensive experience with a large number of VPN gateways, so please feel free to email us with a brief outline of your requirements, and a list of devices you're considering, and we'll be happy
to give you our take on them!
http://vpntracker.com/support
81
Further Resources
VPN Tracker
VPN Tracker Interoperability Website
Up-to-date information about device compatibility and detailed configuration guides for many popular VPN gateway devices.
http://vpntracker.com/interop
VPN Tracker Support Website
Large database of Frequently Asked Questions (FAQs), as well as downloads and the possibility to contact technical support.
http://vpntracker.com/support
VPN Tracker Deployment Guide
Deployment resources and best practices.
http://www.vpntracker.com/goto/vpntmanualdeployment
Computer Networking and VPNs
DNS
http://en.wikipedia.org/wiki/Domain_Name_System
IPsec
http://en.wikipedia.org/wiki/IPsec
The TCP/IP Guide
An book on networking and the most popular networking protocols. Also available for free to read online.
http://www.tcpipguide.com
Wikipedia
Internet Protocol (IP)
http://en.wikipedia.org/wiki/Internet_Protocol
Subnets and Network Addressing:
http://en.wikipedia.org/wiki/Subnetwork
Private IP Addresses
http://en.wikipedia.org/wiki/Private_network
Network Address Translation (NAT)
http://en.wikipedia.org/wiki/Network_address_translation
82
Keyboard Shortcuts
Action
Shortcut
Managing connections
Start connection
-Return
Reconnect
-Option-Return
Edit Secure Desktop
-Shift-E
New Connection
-N
New Secure Desktop
-Shift-N
New Group
-Option-N
Delete Connection or Secure Desktop
-
Tools
Test VPN Availability
-Option-W
Ping Host
-Option-P
Lookup Host
-Option-L
Export & Deployment
Import Connection
-Shift-i
Export Connection
-E
Show Export Settings
-Option-E
Action
Shortcut
Window shortcuts
Open Log
-L
Show / Hide Main Window
-0
Show / Hide Connection Details
-i
Switch Tabs Status/Accounting/Scanner/Log
-1 to -4
Switch Edit Tabs Basic/Advanced/Actions/Notes
-Option-1 to 4
Application shortcuts
Preferences
-,
Hide VPN Tracker
-H
Hide Others
-Option-H
Close Window
-W
Minimize Window
-M
Quit VPN Tracker
-Q
Here are some of the most useful keyboard shortcuts supported by VPN Tracker.
83
Loading...