Using VPNC & Squid to access Ebix Sunrise VPN from WinBEAT

Ebix support the use of the Cisco VPN client for Windows and the VPN client in Cisco routers for accessing their Cisco VPN based “Sunrise” VPN. This VPN was originally set up by Telstra for Electronic Data Interchange between insurance brokers and underwriters.

Neither the discontinued Cisco VPN client for Linux nor the Linux VPNC client is supported by Ebix, but both can be set up in conjunction with a proxy server to effectively share a single connection to Sunrise with a number of Windows workstations.

I had previously used the Cisco VPN client for Linux, but found that compiling it on Ubuntu 12.04 LTS Server (kernel v 3.2.0) gave errors. Rather than trying to make it compile, I decided to try using VPNC.

VPNC compiled straight away, and I was able to use the included profile converter to convert the old Cisco VPN client profile file.

As VPNC was running on the default gateway, no additional routing of the VPN subnets was required. The Sunrise service utilises HTTP, and I was able to retrieve data on the VPN servers using a web browser on the workstations. It all looked good.

However, testing with the Ebix “WinBEAT” insurance broking software revealed that the first attempt to access a Sunrise server was very slow, after which everything ran well. If a workstation then didn’t access Sunrise services for a while, again the first request took far too long.

I thought this might be a vagary of VPNC, so I installed the Cisco VPN Client for Linux on an older Slackware server running a 2.6.21 kernel. Of course this server wasn’t the default gateway, so I had to route the VPN subnets to it. But it didn’t matter whether I routed the subnets at the workstation or the default gateway, the long delay for the first Sunrise request was the same.

Installing the Squid proxy server on the server running VPNC, and setting the workstation to use the proxy server solved the problem, but rather than change each workstation’s proxy settings, I chose to run Squid as a transparent proxy and use iptables to force all web traffic through Squid.

I found that I had to add a rule to redirect traffic for port 8080 into Squid as well as one for port 80. This was because the first query for each Sunrise transaction is a port 8080 request.
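The redirect described above, as an added example that is not the configuration from the original setup: it prints the iptables NAT rules for ports 80 and 8080 and the matching Squid lines for review, scoped to the LAN so the gateway does not proxy for anyone else. The interface `eth0`, subnet `192.168.1.0/24`, Squid port `3128` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: generate (not apply) the rules that steer LAN web traffic
# into a local Squid running in intercept mode. All values are assumptions.
LAN_IF="${LAN_IF:-eth0}"              # assumed LAN-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed workstation subnet
SQUID_PORT="${SQUID_PORT:-3128}"      # assumed Squid listening port
PORTS="${PORTS:-80 8080}"             # the two ports named in the post

# One REDIRECT rule per port, limited to the LAN interface and subnet so
# traffic arriving from any other side of the gateway is never intercepted.
redirect_rules() {
    for p in $PORTS; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
            "$LAN_IF" "$LAN_NET" "$p" "$SQUID_PORT"
    done
}

# Squid side: "intercept" is the Squid 3.1+ keyword (older releases used
# "transparent"). The ACL keeps the proxy closed to everything but the LAN.
squid_conf() {
    printf 'http_port %s intercept\n' "$SQUID_PORT"
    printf 'acl localnet src %s\n' "$LAN_NET"
    printf 'http_access allow localnet\n'
    printf 'http_access deny all\n'
}

# Print both parts so they can be checked before anything is applied.
redirect_rules
squid_conf
```

After reviewing the output, the iptables lines can be run as root on the gateway and the Squid lines merged into `squid.conf`.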
