
730 Remote Access VPN: Show/Configure Encryption

Is there a way to determine the settings used (or ideally configure them) for the remote access VPN in a 730 appliance? That is, to see the encryption/authentication/dhgroup/pfs/.. settings at either the client end in endpoint security or on the server?

Right now it seems like it's completely a black box and I've gotten some questions about whether we are meeting certain standards and haven't found any way to answer.

0 Kudos
5 Replies
Admin

Re: 730 Remote Access VPN: Show/Configure Encryption

There are a couple of settings you can change in the advanced settings:

When you create a Site-to-Site VPN you can see some other settings.

Which, even if you can't configure, should give you an idea of what's supported.

What exact settings are you interested in?

0 Kudos

Re: 730 Remote Access VPN: Show/Configure Encryption

Well I want to know and potentially configure how clients are connecting.  Supposing I had a requirement not to use 3DES for encryption or MD5 for authentication for IPSEC remote access clients.  I don't see any way to verify that or configure that.  The options you've shown have some limited control over SSL, but I don't see any for IPSEC beyond IKEv1/v2.

0 Kudos
Admin

Re: 730 Remote Access VPN: Show/Configure Encryption

Generally we'll offer all of the above and the client will connect with the strongest supported option between the two.

I believe you can use vpn tu on the CLI to see how clients are connected currently.

Will have to check and see if there's a way to configure what's offered.

0 Kudos

Re: 730 Remote Access VPN: Show/Configure Encryption

"vpn tu" does not appear to show any of that information:

> vpn tu

**********     Select Option     **********

(1)             List all IKE SAs
(2)             List all IPsec SAs
(3)             List all IKE SAs for a given peer (GW) or user (Client)
(4)             List all IPsec SAs for a given peer (GW) or user (Client)
(5)             Delete all IPsec SAs for a given peer (GW)
(6)             Delete all IPsec SAs for a given User (Client)
(7)             Delete all IPsec+IKE SAs for a given peer (GW)
(8)             Delete all IPsec+IKE SAs for a given User (Client)
(9)             Delete all IPsec SAs for ALL peers and users
(0)             Delete all IPsec+IKE SAs for ALL peers and users

(Q)             Quit

*******************************************

1

Peer  172.16.10.132, user md5 4d1ec04c938f7451:

        1. IKE SA <f433b35763e193c9,ad88db390b67a16a>:

2

Peer  172.16.10.132, user md5 4d1ec04c938f7451:

        1. SPI's related to IKE SA <f433b35763e193c9,ad88db390b67a16a>:
        INBOUND:
                1. 0xd70c4ede
        OUTBOUND:
                1. 0x70b7338c

Trying "vpn shell" appears not to work:

> vpn shell tunnels/show/IPSec/all
 arrange_objects: Not supported

I also tried looking in the log files for both the appliance and the Endpoint Security product, but was unable to find anything informative in there either. Is there a particular log file that would log what settings were used to establish the connection?

0 Kudos
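An added example, not part of the original thread and not Check Point tooling: one way to check the no-3DES/no-MD5 requirement raised above independently of the appliance is to capture the gateway's cleartext IKEv1 phase 1 reply and parse the transform it selected. It assumes IKEv1 and covers only the IKE SA, because the IPsec SA proposals travel encrypted in Quick Mode; `SAMPLE`, `BANNED` and the function names are constructed for illustration.

```python
import struct
# IKEv1 phase 1 attribute values from RFC 2409, Appendix A.
ENC = {1: "DES", 5: "3DES", 7: "AES"}
HASH = {1: "MD5", 2: "SHA1", 4: "SHA2-256", 5: "SHA2-384", 6: "SHA2-512"}
BANNED = {"enc": {"DES", "3DES"}, "hash": {"MD5"}}  # assumed policy
# Constructed Main Mode reply (not a capture from the 730): 3DES / MD5 / group 2.
SAMPLE = bytes.fromhex(
    "11111111111111112222222222222222011002000000000000000054"   # ISAKMP header
    "0000003800000001000000010000002c010100010000002401010000"   # SA, proposal, transform headers
    "80010005800200018003000180040002800b0001000c000400015180")  # data attributes

def attributes(buf):
    """Decode ISAKMP data attributes: TV when the high bit is set, else TLV."""
    out, i = {}, 0
    while i + 4 <= len(buf):
        atype, field = struct.unpack_from("!HH", buf, i)
        if atype & 0x8000:                      # TV: field is the value itself
            out[atype & 0x7FFF], i = field, i + 4
        else:                                   # TLV: field is the value length
            out[atype], i = int.from_bytes(buf[i + 4:i + 4 + field], "big"), i + 4 + field
    return out

def phase1_transforms(msg):
    """Return one dict per transform in the SA payload of a cleartext IKEv1 message."""
    if len(msg) < 28 or msg[17] != 0x10:
        raise ValueError("not an ISAKMP 1.0 message")
    ptype, off = msg[16], 28
    while ptype != 1:                           # walk the payload chain to the SA payload
        if ptype == 0 or off + 4 > len(msg):
            raise ValueError("no SA payload")
        ptype, _, plen = struct.unpack_from("!BBH", msg, off)
        off += max(plen, 4)
    end = off + struct.unpack_from("!H", msg, off + 2)[0]
    off, found = off + 12, []                   # skip generic header, DOI, situation
    while off + 8 <= end:                       # each proposal
        _, _, p_len, _, _, spi_size, _ = struct.unpack_from("!BBHBBBB", msg, off)
        t, p_end = off + 8 + spi_size, off + max(p_len, 8)
        while t + 8 <= p_end:                   # each transform in the proposal
            _, _, t_len, num, _, _ = struct.unpack_from("!BBHBBH", msg, t)
            a = attributes(msg[t + 8:t + t_len])
            found.append({"num": num, "enc": ENC.get(a.get(1), "unknown"),
                          "hash": HASH.get(a.get(2), "unknown"), "group": a.get(4)})
            t += max(t_len, 8)
        off = p_end
    return found

def violations(msg):
    """List banned algorithms found in any transform of the message."""
    return [f"transform {t['num']}: {k}={t[k]}"
            for t in phase1_transforms(msg) for k in BANNED if t[k] in BANNED[k]]
```

The input is the UDP payload of the responder's first IKE message taken from a packet capture; an initiator message parses the same way but lists everything offered rather than what was selected.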
Admin

Re: 730 Remote Access VPN: Show/Configure Encryption

This information can definitely be found in logs when managing the 1400 series appliances with central management.

I am checking with R&D on these locally managed appliances.

0 Kudos