- Posts: 96
- Thank you received: 0
"Default VPN Security Policies"
15 years 9 months ago #29360
by timparker
"Default VPN Security Policies" was created by timparker
Well I think I put myself into a corner now. I just got back from a 3rd Party location where we have a computer for our clinicians that are on site at this location.
I attempted to install the Cisco client and move them off our Watchguard. It wouldn't connect so I thought maybe I screwed up the passwords or something.
So I got out my laptop and tried to use it and got the same thing....so I think I have locked things down to well......
So the question becomes, for users to be able to move from place to place and use the VPN software what is my "default rule" supposed to look like for connecting.
Source Destination Protocol
any external FW int. ????
I think I was a little early in my thinking I was done, since my work from home is a bit jaded since I am also testing and working on the 871 Routers for a couple of our remote sites.
TIA.
I attempted to install the Cisco client and move them off our Watchguard. It wouldn't connect so I thought maybe I screwed up the passwords or something.
So I got out my laptop and tried to use it and got the same thing....so I think I have locked things down to well......
So the question becomes, for users to be able to move from place to place and use the VPN software what is my "default rule" supposed to look like for connecting.
Source Destination Protocol
any external FW int. ????
I think I was a little early in my thinking I was done, since my work from home is a bit jaded since I am also testing and working on the 871 Routers for a couple of our remote sites.
TIA.
15 years 9 months ago #29371
by timparker
Replied by timparker on topic Re: "Default VPN Security Policies"
this apparently is a non-issue now. I tested a different router at home last night with an IP from TWC that isn't in my work ASA and I connected fine.
This is leading me to think that the admin at the remote site is doing some mac filtering or something odd on their network. He isn't a network guy but thinks he is. Their network has been suspect for some other problems from Day 1, so now I can go back and "complain"
This is leading me to think that the admin at the remote site is doing some mac filtering or something odd on their network. He isn't a network guy but thinks he is. Their network has been suspect for some other problems from Day 1, so now I can go back and "complain"
- usaaforce09
- Offline
- New Member
-
Less
More
- Posts: 2
- Thank you received: 0
15 years 8 months ago #29422
by usaaforce09
Replied by usaaforce09 on topic New to the Site!
Hello!
I would check my Transport. Just to make sure if we are doing IP
Sec-over UDP or IPSEC-Over TCP. Check to see my ports are open.
Make sure Third party Ports are open at their end. IPSec-over Tcp is 1000. I am sure you ahve done this already when you install Cisco VPN Client. Plus i'll check the Client Ver.
I would check my Transport. Just to make sure if we are doing IP
Sec-over UDP or IPSEC-Over TCP. Check to see my ports are open.
Make sure Third party Ports are open at their end. IPSec-over Tcp is 1000. I am sure you ahve done this already when you install Cisco VPN Client. Plus i'll check the Client Ver.
15 years 8 months ago #29432
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: "Default VPN Security Policies"
When doing Site-to-Site VPN's i wouldn't recommend going over NAT as it can add all sorts of complications. The main thing here is to ensure that nothing is blocking the IPSec Ports/Protocols;
ESP
UDP 500 (IKE)
If you need to do NAT then you need to ensure that NAT-T is open (UDP 4500) and if IPSec-Over TCP then its actually Port 10,000 (although this is configurable)
You can do some debugging to see if its failing at any of the stages (Phase 1 or Phase 2).
Phase 1 will typically go over UDP 500 as this is the Key Exchange Phase (also known as Main Mode)
Phase 2 will then start utilising ESP (or UDP 500/TCP 10000 if it needs encapsulating into UDP/TCP for NAT). (also known as Quick Mode)
Cheers
ESP
UDP 500 (IKE)
If you need to do NAT then you need to ensure that NAT-T is open (UDP 4500) and if IPSec-Over TCP then its actually Port 10,000 (although this is configurable)
You can do some debugging to see if its failing at any of the stages (Phase 1 or Phase 2).
Phase 1 will typically go over UDP 500 as this is the Key Exchange Phase (also known as Main Mode)
Phase 2 will then start utilising ESP (or UDP 500/TCP 10000 if it needs encapsulating into UDP/TCP for NAT). (also known as Quick Mode)
Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Time to create page: 0.122 seconds