topic Re: 730 Remote Access VPN: Show/Configure Encryption in Spark Firewall (SMB)

730 Remote Access VPN: Show/Configure Encryption

Kris_Jurka — Thu, 12 Jul 2018 22:50:36 GMT

Is there a way to determine the settings used (or ideally configure them) for the remote access VPN in a 730 appliance. That is to see the encryption/authentication/dhgroup/pfs/.. settings at either the client end in endpoint security or on the server?

Right now it seems like it's completely a black box and I've gotten some questions about whether we are meeting certain standards and haven't found any way to answer.

Re: 730 Remote Access VPN: Show/Configure Encryption

PhoneBoy — Fri, 13 Jul 2018 09:36:27 GMT

There's a couple settings you can change in the advanced settings:

When you create a Site-to-Site VPN you can see some other settings.

Which, even if you can't configure, should give you an idea of what's supported.

What exact settings are you interested in?

Re: 730 Remote Access VPN: Show/Configure Encryption

Kris_Jurka — Fri, 13 Jul 2018 15:02:09 GMT

Well I want to know and potentially configure how clients are connecting. Supposing I had a requirement not to use 3DES for encryption or MD5 for authentication for IPSEC remote access clients. I don't see any way to verify that or configure that. The options you've shown have some limited control over SSL, but I don't see any for IPSEC beyond IKEv1/v2.

Re: 730 Remote Access VPN: Show/Configure Encryption

PhoneBoy — Fri, 13 Jul 2018 15:48:08 GMT

Generally we'll offer all of the above and the client will connect with the strongest supported option between the two.

I believe you can use vpn tu on the CLI to see how clients are connected currently.

Will have to check and see if there's a way to configure what's offered.

Re: 730 Remote Access VPN: Show/Configure Encryption

Kris_Jurka — Fri, 13 Jul 2018 19:18:40 GMT

"vpn tu" does not appear to show any of that information:

> vpn tu

********** Select Option **********

(1)             List all IKE SAs
(2)             List all IPsec SAs
(3)             List all IKE SAs for a given peer (GW) or user (Client)
(4)             List all IPsec SAs for a given peer (GW) or user (Client)
(5)             Delete all IPsec SAs for a given peer (GW)
(6)             Delete all IPsec SAs for a given User (Client)
(7)             Delete all IPsec+IKE SAs for a given peer (GW)
(8)             Delete all IPsec+IKE SAs for a given User (Client)
(9)             Delete all IPsec SAs for ALL peers and users
(0)             Delete all IPsec+IKE SAs for ALL peers and users

(Q) Quit

*******************************************

Peer 172.16.10.132, user md5 4d1ec04c938f7451:

1. IKE SA <f433b35763e193c9,ad88db390b67a16a>:

Peer 172.16.10.132, user md5 4d1ec04c938f7451:

        1. SPI's related to IKE SA <f433b35763e193c9,ad88db390b67a16a>:
        INBOUND:
                1. 0xd70c4ede
        OUTBOUND:
                1. 0x70b7338c

Trying "vpn shell" appears not to work:

> vpn shell tunnels/show/IPSec/all
arrange_objects: Not supported

I also tried looking in the log files for both the appliance and the Endpoint Security product, but was unable to find anything informative in their either. Is there a particular log file that would log what settings were used to establish the connection?

Re: 730 Remote Access VPN: Show/Configure Encryption

PhoneBoy — Fri, 13 Jul 2018 22:33:13 GMT

This information can definitely be found in logs when managing the 1400 series appliances with central management.

I am checking with R&D on these locally managed appliances.