Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Firewalls
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: PIX to PIX Certificate VPN question

from [Conlan Adams] Network Security [Permanent Link]
Subject: RE: PIX to PIX Certificate VPN question
Date: Fri, 9 Jun 2006 16:03:47 -0400 
What you put works great when using PSK as the authentication for your VPN, and 
it works with the software clients assuming the OU they belong to is called 
"mygroup".  But when you run that config with a PIX 501, it doesn't pickup the 
split tunnel.  That's basically what I have on the head end, but the ACLs for 
the split tunnel don't get pushed.
 
I attempted to do a ca subject-name <ca_nickname> OU=<my_ou_here> without luck, 
attempting to set the OU to the same as the vpngroup name
 
Conlan Adams

________________________________

From: Aaron Rohyans [mailto:aaronr@imcu.com]
Sent: Fri 6/9/2006 1:01 PM
To: Conlan Adams; firewalls@securityfocus.com
Subject: Re: PIX to PIX Certificate VPN question


I may be misunderstanding you, but why do you have to use names within your 
certs to activate your split tunnel?  Why can't you define the group and create 
a split tunnel ACL within it on both ends to serve as the basis for 
split-tunneling?
 
access-list nonat permit ip <local ip><local sub> <remote ip><remote sub>
 
isakmp policy 5 authentication rsa
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400

vpngroup mygroup address-pool myaddresspool
vpngroup mygroup dns-server X.X.X.X
vpngroup mygroup wins-server X.X.X.X
vpngroup mygroup split-tunnel nonat
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
 
Or are you using an EasyVPN client/server setup?

Aaron

        ----- Original Message ----- 
        From: Conlan Adams <mailto:conlan@midwesteyebanks.org>  
        To: firewalls@securityfocus.com 
        Sent: Friday, June 09, 2006 10:12 AM
        Subject: PIX to PIX Certificate VPN question


        Stupid question that I am having a heck of a time finding an answer for 
when I search the web.

         

        I have a remote access setup, where I have a PIX 515E inhouse, and 
several 501s outhouse.  All of them have validated certs, but I am having 
issues with my split-tunnel implementation.

         

        After much digging, I seem to have found that the split tunnel isn't 
propagating the ACLs because the vpngroup isn't being set properly on the 501s. 
 They are connecting, and authenticating properly, and all traffic is sent 
over, but since the split-tunnel has to be assigned by name, its not carrying 
over.

         

        The PIXs are connecting fine, and passing traffic, just not running the 
split-tunnel.

         

        Any thoughts on how I set the vpngroup on the 501s?  I attempted to set 
an OU with the ca subject-name command, but doesn't seem to help.

         

        Thanks in advance

         

        Conlan Adams


        ______________________________________________________________________
        This email has been scanned by the MessageLabs Email Security System.
        For more information please visit http://www.messagelabs.com/email 
        ______________________________________________________________________
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Fwbuilder-discussion] Should FW have DNS name?, ted creedon
Next by Date:  RE: PIX to PIX Certificate VPN question, Brandon Harris
Previous by Thread:  Re: PIX to PIX Certificate VPN question, Aaron Rohyans
Next by Thread:  Re: PIX to PIX Certificate VPN question, Aaron Rohyans
Indexes:  [Date] [Thread] [Top] [All Lists]