RE: PIX to PIX Certificate VPN question

See, I had thought about that a bit as well, but the config takes it cool if 
you are doing it from a software client.
 
> From the software client you need the vpngroup to match the OU of the client 
> (Assuming at least your using Windows CA, no idea about any others) and then 
> it carries over the split tunnel and everything.  If the OU doesn't match the 
> vpngroup, no dice, no vpn tunnel.
 
Now, the rest of this is based on assumption, but I think since the VPN client 
basically imitates an IOS box, wouldn't an IOS (or PIXOS) box be able to do the 
same?
 
Me thinks I will ask Cisco directly on Monday.
 
Conlan Adams

________________________________

From: Aaron Rohyans [mailto:aaronr@imcu.com]
Sent: Fri 6/9/2006 4:34 PM
To: Conlan Adams; firewalls@securityfocus.com
Subject: Re: PIX to PIX Certificate VPN question



I'm not sure that's possible now that I think about it?  I could definitely
be wrong though...cause aren't RSA sigs used soley for authentication
purposes (relative to the PIX I mean) during IKE Phase 1 negotiations?  The
PIX doesn't discriminate who's who based on their certificate, and thus
can't apply "per-user" specific split-tunnel ACLs to it's peer endpoints.
It just looks to see if the cert doesn't match the CRL and is still valid.
If the cert is good on both sides, tunnel establishment proceeds.  Something
tells me that the sigs are there solely as an authentication means so you
don't have to create a vpngroup/group pass on each peer device....all it has
to do is enroll with the CA (thus making it a highly scalable and secure
option vs. PSKs).  To apply per-user split-tunnels and ACLs, you would need
an access control server I believe.  I could be WAAAAAY off on all this
though, so don't flame me too much if I'm wrong :)

Aaron

----- Original Message -----
From: "Conlan Adams" <conlan@midwesteyebanks.org>
To: "Aaron Rohyans" <aaronr@imcu.com>; <firewalls@securityfocus.com>
Sent: Friday, June 09, 2006 4:03 PM
Subject: RE: PIX to PIX Certificate VPN question


What you put works great when using PSK as the authentication for your VPN,
and it works with the software clients assuming the OU they belong to is
called "mygroup".  But when you run that config with a PIX 501, it doesn't
pickup the split tunnel.  That's basically what I have on the head end, but
the ACLs for the split tunnel don't get pushed.

I attempted to do a ca subject-name <ca_nickname> OU=<my_ou_here> without
luck, attempting to set the OU to the same as the vpngroup name

Conlan Adams

________________________________

From: Aaron Rohyans [mailto:aaronr@imcu.com]
Sent: Fri 6/9/2006 1:01 PM
To: Conlan Adams; firewalls@securityfocus.com
Subject: Re: PIX to PIX Certificate VPN question


I may be misunderstanding you, but why do you have to use names within your
certs to activate your split tunnel?  Why can't you define the group and
create a split tunnel ACL within it on both ends to serve as the basis for
split-tunneling?

access-list nonat permit ip <local ip><local sub> <remote ip><remote sub>

isakmp policy 5 authentication rsa
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400

vpngroup mygroup address-pool myaddresspool
vpngroup mygroup dns-server X.X.X.X
vpngroup mygroup wins-server X.X.X.X
vpngroup mygroup split-tunnel nonat
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********

Or are you using an EasyVPN client/server setup?

Aaron

----- Original Message -----
From: Conlan Adams <mailto:conlan@midwesteyebanks.org>
To: firewalls@securityfocus.com
Sent: Friday, June 09, 2006 10:12 AM
Subject: PIX to PIX Certificate VPN question


Stupid question that I am having a heck of a time finding an answer for when
I search the web.



I have a remote access setup, where I have a PIX 515E inhouse, and several
501s outhouse.  All of them have validated certs, but I am having issues
with my split-tunnel implementation.



After much digging, I seem to have found that the split tunnel isn't
propagating the ACLs because the vpngroup isn't being set properly on the
501s.  They are connecting, and authenticating properly, and all traffic is
sent over, but since the split-tunnel has to be assigned by name, its not
carrying over.



The PIXs are connecting fine, and passing traffic, just not running the
split-tunnel.



Any thoughts on how I set the vpngroup on the 501s?  I attempted to set an
OU with the ca subject-name command, but doesn't seem to help.



Thanks in advance



Conlan Adams


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________



______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________