Geekzone: technology news, blogs, forums
jimbob79
#184071 9-Nov-2015 14:16

Currently I'm using a Cisco AnyConnect desktop client to connect to a remote firewall in Japan. That works okay, but it does not provide the requirements I need.

So as a proof of concept I've installed Sophos UTM on an ESXi server, and I want Sophos to route certain traffic from the LAN over the VPN to Japan. How do I do this? Google search is not quite coming back with the answer I want.

All I have is a username, password and an IP address, which I use to access the VPN in Japan.

NOTE:
I do have a SonicWall NSA 240 firewall, but it does not handle SSL VPN as a client.
The staff in Japan do not speak English (and I don't speak Japanese), so it's damn near impossible to get any help from them.
I am also trialling pfSense, but I do like the rich GUI of Sophos.

Thanks in advance.

pdath
#1423748 9-Nov-2015 14:21


Your Cisco configuration is most likely using Cisco proprietary SSL VPN technology, and you won't be able to connect Sophos to it.

I'm guessing what you are wanting is a site-to-site VPN, rather than a user-to-site VPN? If that is the case you'll need to negotiate the build of an IPsec VPN. If you are not used to building VPNs you will be better off getting someone in to do it for you.

Google Translate is quite good.
jimbob79
#1423754 9-Nov-2015 14:28


pdath: Your Cisco configuration is most likely using Cisco proprietary SSL VPN technology, and you won't be able to connect Sophos to it.

I'm guessing what you are wanting is a site-to-site VPN, rather than a user-to-site VPN? If that is the case you'll need to negotiate the build of an IPsec VPN. If you are not used to building VPNs you will be better off getting someone in to do it for you.

Google Translate is quite good.


I was under the impression that Cisco appliances no longer support IPsec and that they have all moved over to using SSL VPN. That's why I ended up at Sophos, because it can handle SSL VPN as a client. Am I misunderstanding something?

I must admit VPN has never been my strength in networking.

pdath
#1423755 9-Nov-2015 14:32


There are two technologies at play here: user-to-site VPNs, and site-to-site VPNs.

User to site: Cisco are moving towards all SSL-based VPN technology in this space. All kit at this point in time still supports the IPsec client, but the IPsec client is no longer being worked on, and there won't be new versions released.

Site to site: Cisco routers and firewalls have rich IPsec support, including IKEv2 and Suite-B.

It sounds like you want a site-to-site IPsec VPN.


jimbob79
#1423758 9-Nov-2015 14:38


pdath: There are two technologies at play here: user-to-site VPNs, and site-to-site VPNs.

User to site: Cisco are moving towards all SSL-based VPN technology in this space. All kit at this point in time still supports the IPsec client, but the IPsec client is no longer being worked on, and there won't be new versions released.

Site to site: Cisco routers and firewalls have rich IPsec support, including IKEv2 and Suite-B.

It sounds like you want a site-to-site IPsec VPN.


Okay, this is all good stuff. When I tried to talk to the tech guy over in Japan and asked about pre-shared keys, he was very confused and did not know what I was going on about. He told me, "just use the Cisco AnyConnect VPN client".

So before I go back to him with a second round of questioning, what exact details do I need to know to get a site-to-site VPN working? Thanks.

pdath
#1423765 9-Nov-2015 14:47


You will need to know:
Phase 1 (IKE) crypto policy
Phase 2 (IPSEC) crypto policy
Local and remote encryption domain
Local and remote VPN terminator IP addresses
Pre-shared key

Unless you are used to building IPsec VPNs I wouldn't attempt it. You are better off getting someone in to help you.

Dynamic
#1423816 9-Nov-2015 15:29


pdath: Unless you are used to building IPsec VPNs I wouldn't attempt it. You are better off getting someone in to help you.

If you have no experience with IPSec VPNs it can be a bit of a minefield.  If you have time and equipment you can play with it and get a connection running from home to work or vice versa for testing purposes and then try and apply that knowledge to this situation.  If you are under time pressure then you might need external help.

We look after a couple of NZ offices with international headquarters, and sometimes we supply VPN firewalls for these offices.  We have used our preferred non-Cisco firewalls successfully with some remote help from the IT guy at the head office on configuring the finer points of the VPN.

Unexpected networking issues have bitten recently on one site and in the end the head office sent over a firewall to the local office.  I suspect they thought our equipment or setup was dodgy.  When their firewall was put in place in the local office the same issues existed which in some ways was a relief.  It did mean that there was then only one direction for the local management to point the finger and say 'sort it out'.

jimbob79
#1433894 24-Nov-2015 12:56


I've now got some Cisco VPN configuration details sent over from my Japanese counterpart. Could somebody help me convert/translate these Cisco VPN settings into an Openswan IPsec configuration (/etc/ipsec.conf)?
I have attempted to create a new entry in the ipsec.conf file, but I want to make sure it marries up with what anybody else would produce from the provided information.
I have already paid for a 'professional' to help me, but he failed to get it working in the allotted 5-hour time period, DOH! I just need to make sure that the configuration is correct on my side before I go back to Japan's IT guy.

Phase 1 (IKE) crypto policy
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


Phase 2 (IPSEC) crypto policy
crypto ikev2 policy 1
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 43200
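As an added example (not from any poster in this thread, and not a known-working config for the Japan site), here is how the posted "crypto ikev1 policy 1" and pdath's checklist (phase 1 policy, phase 2 policy, local/remote encryption domains, terminator addresses, PSK) map onto an Openswan conn; every address, subnet and the PSK are placeholders the Japanese side would have to supply. The posted "Phase 2" block is a crypto ikev2 policy (an IKEv2 IKE proposal), not an IPsec transform set, so the ESP proposal and SA lifetime below are assumptions to confirm with the remote admin.

```ini
# Added example: Openswan /etc/ipsec.conf conn derived from the posted Cisco IKEv1 policy.
# Addresses and subnets are RFC 5737/RFC 1918 placeholders, not the thread's real values.
config setup
    protostack=netkey
    nat_traversal=yes

conn japan-site
    type=tunnel
    authby=secret                 # Cisco: "authentication pre-share"
    keyexchange=ike
    ikev2=no                      # negotiate IKEv1, matching "crypto ikev1 policy 1"
    aggrmode=no                   # main mode (assumption: confirm with the remote side)
    ike=3des-sha1;modp1024        # Cisco: encryption 3des / hash sha / group 2
    ikelifetime=12h               # Cisco: lifetime 43200 (policy 65535 is the 86400 default)
    # Note: 3DES, SHA-1 and DH group 2 are legacy choices dictated by the Cisco side here.
    # Assumption: no "crypto ipsec ikev1 transform-set" was posted, so phase 2 mirrors phase 1.
    phase2=esp
    phase2alg=3des-sha1;modp1024  # ESP proposal with PFS group 2 (assumption: confirm PFS)
    pfs=yes
    salifetime=8h                 # assumption: ASA default IPsec SA lifetime is 28800 s; confirm
    left=203.0.113.10             # local VPN terminator (placeholder)
    leftsubnet=192.168.10.0/24    # local encryption domain (placeholder)
    right=198.51.100.20           # Japan VPN terminator (placeholder)
    rightsubnet=10.20.0.0/16      # remote encryption domain (placeholder)
    dpddelay=30                   # dead peer detection so a dropped tunnel is re-established
    dpdtimeout=120
    dpdaction=restart
    auto=start

# /etc/ipsec.secrets (placeholder PSK; keep the file mode 0600):
# 203.0.113.10 198.51.100.20 : PSK "REPLACE-WITH-SHARED-KEY"
```

After `ipsec restart`, `ipsec auto --status` and /var/log/auth.log show which proposal the ASA accepted or rejected, which is the quickest way to spot a phase 1 vs phase 2 mismatch when comparing notes with the remote admin.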