|
|
Firewalls
PIX to PIX Certificate VPN question Jun 09 2006 02:12PM Conlan Adams (conlan midwesteyebanks org) (2 replies) RE: PIX to PIX Certificate VPN question Jun 09 2006 05:32PM Brandon Harris (brandon harris comcast net) Re: PIX to PIX Certificate VPN question Jun 09 2006 05:01PM Aaron Rohyans (aaronr imcu com) (1 replies) RE: PIX to PIX Certificate VPN question Jun 09 2006 08:03PM Conlan Adams (conlan midwesteyebanks org) (1 replies) Re: PIX to PIX Certificate VPN question Jun 09 2006 08:34PM Aaron Rohyans (aaronr imcu com) (1 replies) |
|
Privacy Statement |
From the software client you need the vpngroup to match the OU of the client (Assuming at least your using Windows CA, no idea about any others) and then it carries over the split tunnel and everything. If the OU doesn't match the vpngroup, no dice, no vpn tunnel.
Now, the rest of this is based on assumption, but I think since the VPN client basically imitates an IOS box, wouldn't an IOS (or PIXOS) box be able to do the same?
Me thinks I will ask Cisco directly on Monday.
Conlan Adams
________________________________
From: Aaron Rohyans [mailto:aaronr (at) imcu (dot) com [email concealed]]
Sent: Fri 6/9/2006 4:34 PM
To: Conlan Adams; firewalls (at) securityfocus (dot) com [email concealed]
Subject: Re: PIX to PIX Certificate VPN question
I'm not sure that's possible now that I think about it? I could definitely
be wrong though...cause aren't RSA sigs used soley for authentication
purposes (relative to the PIX I mean) during IKE Phase 1 negotiations? The
PIX doesn't discriminate who's who based on their certificate, and thus
can't apply "per-user" specific split-tunnel ACLs to it's peer endpoints.
It just looks to see if the cert doesn't match the CRL and is still valid.
If the cert is good on both sides, tunnel establishment proceeds. Something
tells me that the sigs are there solely as an authentication means so you
don't have to create a vpngroup/group pass on each peer device....all it has
to do is enroll with the CA (thus making it a highly scalable and secure
option vs. PSKs). To apply per-user split-tunnels and ACLs, you would need
an access control server I believe. I could be WAAAAAY off on all this
though, so don't flame me too much if I'm wrong :)
Aaron
----- Original Message -----
From: "Conlan Adams" <conlan (at) midwesteyebanks (dot) org [email concealed]>
To: "Aaron Rohyans" <aaronr (at) imcu (dot) com [email concealed]>; <firewalls (at) securityfocus (dot) com [email concealed]>
Sent: Friday, June 09, 2006 4:03 PM
Subject: RE: PIX to PIX Certificate VPN question
What you put works great when using PSK as the authentication for your VPN,
and it works with the software clients assuming the OU they belong to is
called "mygroup". But when you run that config with a PIX 501, it doesn't
pickup the split tunnel. That's basically what I have on the head end, but
the ACLs for the split tunnel don't get pushed.
I attempted to do a ca subject-name <ca_nickname> OU=<my_ou_here> without
luck, attempting to set the OU to the same as the vpngroup name
Conlan Adams
________________________________
From: Aaron Rohyans [mailto:aaronr (at) imcu (dot) com [email concealed]]
Sent: Fri 6/9/2006 1:01 PM
To: Conlan Adams; firewalls (at) securityfocus (dot) com [email concealed]
Subject: Re: PIX to PIX Certificate VPN question
I may be misunderstanding you, but why do you have to use names within your
certs to activate your split tunnel? Why can't you define the group and
create a split tunnel ACL within it on both ends to serve as the basis for
split-tunneling?
access-list nonat permit ip <local ip><local sub> <remote ip><remote sub>
isakmp policy 5 authentication rsa
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
vpngroup mygroup address-pool myaddresspool
vpngroup mygroup dns-server X.X.X.X
vpngroup mygroup wins-server X.X.X.X
vpngroup mygroup split-tunnel nonat
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
Or are you using an EasyVPN client/server setup?
Aaron
----- Original Message -----
From: Conlan Adams <mailto:conlan (at) midwesteyebanks (dot) org [email concealed]>
To: firewalls (at) securityfocus (dot) com [email concealed]
Sent: Friday, June 09, 2006 10:12 AM
Subject: PIX to PIX Certificate VPN question
Stupid question that I am having a heck of a time finding an answer for when
I search the web.
I have a remote access setup, where I have a PIX 515E inhouse, and several
501s outhouse. All of them have validated certs, but I am having issues
with my split-tunnel implementation.
After much digging, I seem to have found that the split tunnel isn't
propagating the ACLs because the vpngroup isn't being set properly on the
501s. They are connecting, and authenticating properly, and all traffic is
sent over, but since the split-tunnel has to be assigned by name, its not
carrying over.
The PIXs are connecting fine, and passing traffic, just not running the
split-tunnel.
Any thoughts on how I set the vpngroup on the 501s? I attempted to set an
OU with the ca subject-name command, but doesn't seem to help.
Thanks in advance
Conlan Adams
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
[ reply ]