Kris_Jurka
Explorer

730 Remote Access VPN: Show/Configure Encryption

Is there a way to determine the settings used (or ideally configure them) for the remote access VPN in a 730 appliance? That is, to see the encryption/authentication/dhgroup/pfs/.. settings at either the client end in Endpoint Security or on the server?

Right now it seems like it's completely a black box and I've gotten some questions about whether we are meeting certain standards and haven't found any way to answer.

0 Kudos
5 Replies
PhoneBoy
Admin

There's a couple settings you can change in the advanced settings:

When you create a Site-to-Site VPN you can see some other settings.

Which, even if you can't configure, should give you an idea of what's supported.

What exact settings are you interested in?

0 Kudos
Kris_Jurka
Explorer

Well I want to know and potentially configure how clients are connecting.  Supposing I had a requirement not to use 3DES for encryption or MD5 for authentication for IPSEC remote access clients.  I don't see any way to verify that or configure that.  The options you've shown have some limited control over SSL, but I don't see any for IPSEC beyond IKEv1/v2.

0 Kudos
PhoneBoy
Admin

Generally we'll offer all of the above and the client will connect with the strongest supported option between the two.

I believe you can use vpn tu on the CLI to see how clients are connected currently.

Will have to check and see if there's a way to configure what's offered.

0 Kudos
Kris_Jurka
Explorer

"vpn tu" does not appear to show any of that information:

> vpn tu

**********     Select Option     **********

(1)             List all IKE SAs
(2)             List all IPsec SAs
(3)             List all IKE SAs for a given peer (GW) or user (Client)
(4)             List all IPsec SAs for a given peer (GW) or user (Client)
(5)             Delete all IPsec SAs for a given peer (GW)
(6)             Delete all IPsec SAs for a given User (Client)
(7)             Delete all IPsec+IKE SAs for a given peer (GW)
(8)             Delete all IPsec+IKE SAs for a given User (Client)
(9)             Delete all IPsec SAs for ALL peers and users
(0)             Delete all IPsec+IKE SAs for ALL peers and users

(Q)             Quit

*******************************************

1

Peer  172.16.10.132, user md5 4d1ec04c938f7451:

        1. IKE SA <f433b35763e193c9,ad88db390b67a16a>:

2

Peer  172.16.10.132, user md5 4d1ec04c938f7451:

        1. SPI's related to IKE SA <f433b35763e193c9,ad88db390b67a16a>:
        INBOUND:
                1. 0xd70c4ede
        OUTBOUND:
                1. 0x70b7338c

Trying "vpn shell" appears not to work:

> vpn shell tunnels/show/IPSec/all
 arrange_objects: Not supported

I also tried looking in the log files for both the appliance and the Endpoint Security product, but was unable to find anything informative in there either.  Is there a particular log file that would log what settings were used to establish the connection?

0 Kudos
PhoneBoy
Admin

This information can definitely be found in logs when managing the 1400 series appliances with central management.

I am checking with R&D on these locally managed appliances.

0 Kudos
