Geekzone: technology news, blogs, forums




656 posts

Ultimate Geek


# 184071 9-Nov-2015 14:16

Currently I'm using a Cisco AnyConnect desktop client to connect to a remote firewall in Japan, and that works okay but does not meet the requirements I have.

So as a proof of concept I've installed Sophos UTM on an ESXi server and I want Sophos to route certain traffic from the LAN over the VPN to Japan. How do I do this? A Google search is not quite coming back with the answer I want.

All I have is Username, password and an IP Address which I use to access the VPN in Japan.

NOTE:
I do have a SonicWall NSA 240 firewall, but it does not handle SSL VPN as a client.
The staff in Japan do not speak English (and I don't speak Japanese), so it's damn near impossible to get any help from them.
I'm also trialling pfSense, but I do like the rich GUI of Sophos.

Thanks in advance.





252 posts

Ultimate Geek


  # 1423748 9-Nov-2015 14:21
2 people support this post

Your Cisco configuration is most likely using Cisco proprietary SSL VPN technology, and you won't be able to connect Sophos to it.

I'm guessing what you are wanting is a site-to-site VPN, rather than a user-to-site VPN? If that is the case you'll need to negotiate the build of an IPsec VPN. If you are not used to building VPNs you will be better off getting someone in to do it for you.

Google Translate is quite good.




Try my latest project, a Cisco type 5 enable secret password cracker written in javascript!



656 posts

Ultimate Geek


  # 1423754 9-Nov-2015 14:28

pdath: Your Cisco configuration is most likely using Cisco proprietary SSL VPN technology, and you won't be able to connect Sophos to it.

I'm guessing what you are wanting is a site-to-site VPN, rather than a user-to-site VPN? If that is the case you'll need to negotiate the build of an IPsec VPN. If you are not used to building VPNs you will be better off getting someone in to do it for you.

Google Translate is quite good.


I was under the impression that Cisco appliances no longer support IPsec and that they have all moved over to using SSL VPN. That's why I ended up at Sophos, because it can handle SSL VPN as a client. Am I misunderstanding something?

I must admit VPN has never been my strength in networking.







252 posts

Ultimate Geek


  # 1423755 9-Nov-2015 14:32

There are two technologies at play here.


User to site VPNs, and site to site VPNs.

User to site: Cisco are moving towards all SSL-based VPN technology in this space. All kit at this point in time still supports the IPsec client, but the IPsec client is no longer being worked on, and there won't be new versions released.

Site to site: Cisco routers and firewalls have rich IPSec support, including IKEv2 and Suite-B.


It sounds like you want a site to site IPSec VPN.







656 posts

Ultimate Geek


  # 1423758 9-Nov-2015 14:38

pdath: There are two technologies at play here.


User to site VPNs, and site to site VPNs.

User to site: Cisco are moving towards all SSL-based VPN technology in this space. All kit at this point in time still supports the IPsec client, but the IPsec client is no longer being worked on, and there won't be new versions released.

Site to site: Cisco routers and firewalls have rich IPSec support, including IKEv2 and Suite-B.


It sounds like you want a site to site IPSec VPN.


Okay, this is all good stuff. When I tried to talk to the tech guy over in Japan and asked about pre-shared keys, he was very confused and did not know what I was going on about. He told me, "just use the Cisco AnyConnect VPN client".

So before I go back to him with a second round of questioning, what exact details do I need to know to get a site-to-site VPN working? Thanks.









252 posts

Ultimate Geek


  # 1423765 9-Nov-2015 14:47

You will need to know:
Phase 1 (IKE) crypto policy
Phase 2 (IPSEC) crypto policy
Local and remote encryption domain
Local and remote VPN terminator IP addresses
Pre-shared key

Unless you are used to building IPsec VPNs I wouldn't attempt it. You are better off getting someone in to help you.





2663 posts

Uber Geek

Trusted
Lifetime subscriber

  # 1423816 9-Nov-2015 15:29

pdath: Unless you are used to building IPsec VPNs I wouldn't attempt it. You are better off getting someone in to help you.

If you have no experience with IPSec VPNs it can be a bit of a minefield.  If you have time and equipment you can play with it and get a connection running from home to work or vice versa for testing purposes and then try and apply that knowledge to this situation.  If you are under time pressure then you might need external help.

We look after a couple of NZ offices with international headquarters, and sometimes we supply VPN firewalls for these offices.  We have used our preferred non-Cisco firewalls successfully with some remote help from the IT guy at the head office on configuring the finer points of the VPN.

Unexpected networking issues have bitten recently on one site and in the end the head office sent over a firewall to the local office.  I suspect they thought our equipment or setup was dodgy.  When their firewall was put in place in the local office the same issues existed which in some ways was a relief.  It did mean that there was then only one direction for the local management to point the finger and say 'sort it out'.




"4 wheels move the body.  2 wheels move the soul."

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams



656 posts

Ultimate Geek


  # 1433894 24-Nov-2015 12:56

I've now got some Cisco VPN configuration details sent over from my Japanese counterpart. Could somebody help me convert/translate these Cisco VPN settings into an Openswan IPsec configuration (/etc/ipsec.conf)?
I have attempted to create a new entry in the ipsec.conf file, but I want to make sure it marries up with what anybody else would derive from the provided information.
I have already paid for a 'professional' to help me, but he failed to get it working in the allotted 5-hour time period, DOH! I just need to make sure that the configuration is correct on my side before I go back to Japan's IT guy.

Phase 1 (IKE) crypto policy
! ASA IKEv1 (ISAKMP) proposals; the lowest policy number is offered first
! 'hash sha' is SHA-1, 'group 2' is 1024-bit MODP, lifetime is in seconds
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400


Phase 2 (IPSEC) crypto policy
! Note: 'crypto ikev2 policy' is the IKEv2 counterpart of the IKEv1 block above,
! i.e. still an IKE (phase 1) proposal. The IPsec (phase 2) parameters live in
! 'crypto ipsec ikev1 transform-set ...' and the crypto map, which are not shown here.
crypto ikev2 policy 1
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 43200
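The parameter list pdath gave earlier (phase 1 policy, phase 2 policy, local and remote encryption domains, terminator addresses, pre-shared key) and the ASA stanzas pasted above, worked through as an added example. This is not code from the thread, from Sophos, from Openswan or from anyone's real configuration: it is a small Python script that parses `crypto ikev1|ikev2 policy` blocks and emits the IKE lines of an Openswan `conn`. The conn name, the RFC 5737 endpoint addresses and the subnets are placeholders; the IPsec transform-set was not supplied, so `phase2alg=` is deliberately left as a comment rather than guessed. The Openswan keywords used (`authby`, `ikev2`, `ike`, `ikelifetime`, `phase2alg`, `pfs`, `left*`/`right*`) are Openswan's own; the mapping tables only cover the ASA values a practitioner would expect to meet on this kind of tunnel.

```python
"""Added example, not from the thread: parse the Cisco ASA IKE policies posted
above and emit the matching IKE lines of an Openswan ipsec.conf conn."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: the stanzas quoted in the post above, verbatim.
SAMPLE_ASA_CONFIG = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev2 policy 1
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 43200
"""

# ASA keyword -> Openswan name for the IKE SA (phase 1) algorithms.
ENCRYPTION = {"des": "des", "3des": "3des", "aes": "aes128",
              "aes-192": "aes192", "aes-256": "aes256"}
HASH = {"md5": "md5", "sha": "sha1"}  # ASA 'sha' is SHA-1
GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}

@dataclass
class IkePolicy:
    version: int  # 1 or 2, from 'crypto ikev1|ikev2 policy'
    priority: int  # the ASA offers lower numbers first
    attrs: Dict[str, str] = field(default_factory=dict)

def parse_asa_ike_policies(text: str) -> List[IkePolicy]:
    """Group the attribute lines under each 'crypto ikevN policy P' header."""
    header = re.compile(r"^crypto ikev([12]) policy (\d+)$")
    policies: List[IkePolicy] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # blank line or ASA comment
            continue
        m = header.match(line)
        if m:
            policies.append(IkePolicy(int(m.group(1)), int(m.group(2))))
            continue
        if not policies:
            raise ValueError(f"attribute outside any policy: {line!r}")
        key, _, value = line.partition(" ")
        if key == "lifetime" and value.startswith("seconds "):
            value = value[len("seconds "):]  # IKEv2 writes 'lifetime seconds N'
        policies[-1].attrs[key] = value
    return policies

def choose_ikev1_policy(policies: List[IkePolicy]) -> IkePolicy:
    """Mirror the ASA: IKEv1 policies are tried lowest priority number first."""
    return min((p for p in policies if p.version == 1), key=lambda p: p.priority)

def openswan_ike_settings(policy: IkePolicy) -> Dict[str, str]:
    """Map one IKEv1 pre-shared-key policy to Openswan ike= / ikelifetime=."""
    if policy.version != 1:
        raise ValueError("'crypto ikev2 policy' is an IKEv2 proposal, not phase 2")
    a = policy.attrs
    if a.get("authentication") != "pre-share":
        raise ValueError("only pre-shared-key authentication is covered here")
    secs = int(a.get("lifetime", "86400"))  # ASA default is 86400 s
    life = f"{secs // 3600}h" if secs % 3600 == 0 else f"{secs}s"
    return {"ike": f"{ENCRYPTION[a['encryption']]}-{HASH[a['hash']]};{GROUP[a['group']]}",
            "ikelifetime": life}

def render_conn(name: str, policy: IkePolicy, left: str, leftsubnet: str,
                right: str, rightsubnet: str) -> str:
    """ipsec.conf conn: left is this side, right is the ASA in Japan."""
    s = openswan_ike_settings(policy)
    return "\n".join([
        f"conn {name}",
        "    authby=secret",  # 'authentication pre-share'; the PSK lives in ipsec.secrets
        "    ikev2=no",  # the Japan side supplied IKEv1 policies
        f"    ike={s['ike']}",
        f"    ikelifetime={s['ikelifetime']}",
        "    # phase2alg= and pfs= need the ASA transform-set and crypto map",
        "    # ('crypto ipsec ikev1 transform-set', 'set pfs'); not supplied yet",
        f"    left={left}",
        f"    leftsubnet={leftsubnet}",  # local encryption domain
        f"    right={right}",
        f"    rightsubnet={rightsubnet}",  # remote encryption domain
        "    auto=start",
    ]) + "\n"

if __name__ == "__main__":
    pol = choose_ikev1_policy(parse_asa_ike_policies(SAMPLE_ASA_CONFIG))
    print(render_conn("japan", pol, "203.0.113.10", "192.168.10.0/24",
                      "198.51.100.20", "10.20.0.0/16"))
```

Run stand-alone it prints a conn with `ike=3des-sha1;modp1024` and `ikelifetime=12h` (from `crypto ikev1 policy 1`), which is the only part of the tunnel the pasted config actually pins down. The pre-shared key belongs in `/etc/ipsec.secrets` as `<left-ip> <right-ip> : PSK "..."` with the file mode 0600, not in ipsec.conf. What is still missing for the round trip to Japan is exactly the rest of pdath's list: the ASA's `crypto ipsec ikev1 transform-set` (phase 2 algorithms), the crypto map entry matching your peer address (its `set pfs` and `set security-association lifetime`, and the `match address` ACL that defines their encryption domain), and the `tunnel-group <your-ip> ipsec-attributes` pre-shared key. Note that 3DES with SHA-1 and a 1024-bit group is what their side offers; it will interoperate, but it is a legacy proposal, so if they are willing to add an AES/group 14 policy, put that first and keep this one as the fallback.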








