Small VPN-Device?

Hello,

we are looking for some small hardware box that should replace the Cisco VPN client software. What we would like to achieve is: the box sits between a user's notebook and the public Internet. It connects to a PIX and establishes a VPN. The key string for the IPsec connection is stored in the box; the user has to be asked for a username and password, which the PIX will use to authenticate the user. Can someone recommend some sort of appliance?

Regards, Christoph Gartmann


In article , Christoph Gartmann wrote:
:we are looking for some small hardware box that should replace the Cisco VPN
:client software. What we would like to achieve is: the box is between a user's
:notebook and the public Internet. It connects to a PIX and establishes a VPN.
:The keystring for the ipsec-connection is stored in the box, the user has
:to be asked for a username and password which the Pix will use to authenticate
:the user. Can someone recommend some sort of appliance?

It looks like you might be able to do this with a PIX 501 or PIX 506/506E.

You use the 'vpnclient' commands to configure the PIX 501 as an Easy VPN Remote client. You must configure isakmp for that to work, so that could be the pre-shared key. You do -not- need to configure the xauth username and xauth password for vpnclient. If the other end is configured for xauth, then it isn't clear exactly what will happen, whether the user will be given the appropriate prompt or not. It -looks- like it should work, but I haven't tried it.

There's an issue that would have to be resolved to get this working. The vpnclient documentation says that you need to provide all the parameters except the xauth username & password. That implies that you must configure the vpngroup and preshared key. The documentation for 'vpngroup' (which would have to be configured on the headend PIX) indicates that the vpngroup password is used as the IKE password. Other documentation nearby indicates that if Easy VPN remote is detected then the vpngroup password is used instead of the isakmp key preshared string, which is slightly at odds with the vpnclient documentation requirement that IKE be set up...

Walter Roberson

Hi,

Where is the user database stored?

PIX or RADIUS?

Why do you want to remove the VPN client?

greetings

student/u16035

************************ German ************************ What you are planning is not that simple. From the sound of it, you want to check the users independently of the VPN tunnel.

The permanent VPN tunnel is quickly set up. The problem is the user authentication in front of the existing tunnel.

Two possibilities come to mind.

1.) A redirector between the client and the VPN box (which lets the users through to the VPN box via RADIUS)

2.) the h standard (but it is nasty to configure)

Why do you want to throw out the VPN client anyway?

regards

student/u16035

Christoph Gartmann wrote:


RADIUS. The PIX contacts the RADIUS server. But this doesn't make any difference for the remote client.

Because we don't want to deal with software and configurations on a bunch of different computers. In addition, the approach with the hardware device offers better security: then you'll need both, the hardware box with our configuration (the box alone is not sufficient, you would need the key/password as well) plus a username/password combination.

Not necessarily. The tunnel is allowed to come up, but without authentication nothing else should be routed through it.

What is that?

See above.

Regards, Christoph Gartmann


In article , Christoph Gartmann wrote:
:In article , student/u16035 writes:
:>where are the user database store?
:>
:>Pix or Radius?
:
:Radius. The pix contacts the Radius server. But this doesn't make any
:difference for the remote client.

Actually it does. Any of the PIX series (including the 501) can be configured to contact a remote RADIUS server to authenticate outgoing user traffic. If you were to provide the users with 501s, then the goal of requiring the user to have both the device and the ID+password would be reached, without the theoretical difficulty of wanting a security-gateway to security-gateway (LAN to LAN) connection to be able to perform username/password prompting all the way back from the remote gateway to the user's -host- (which is a host to gateway function instead of a gateway to gateway function.)

If I recall correctly, instead of a PIX series, you could also use a Linksys BEFVP41 with radius authentication. The BEFVP41 has no problems connecting to a remote PIX (unless said PIX is demanding AES). I have experienced a very small number of connection hangs with the BEFVP41. There is also the BEFXS41, able to handle two VPN tunnels, but I had connection hangs every few days with it; the higher quality of the BEFVP41 is worth the price difference.

Walter Roberson
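Putting the two halves of the suggestion above together (the 501 as an Easy VPN Remote client with only the group key stored on the box, plus a RADIUS cut-through proxy on the 501 so that nothing is routed until the user logs in), here is an added example configuration. It is not from the original thread, from Cisco's documentation, or from any of the posters; it is written from memory of PIX 6.3 command syntax and should be checked against the vpnclient, vpngroup and aaa sections of the command reference for the release actually installed. Every address (203.0.113.1 for the head-end, 10.1.0.0/16 for the corporate network, 10.1.1.5 for the RADIUS server, 192.168.100.0/24 as the client address pool, 192.168.1.0/24 on the notebook side) and the group name, pre-shared key and RADIUS secret are placeholders.

```cisco
! ---- Head-end PIX (the one the boxes connect to) ----
! ISAKMP policy the remote 501 will negotiate. 3DES rather than AES so that
! a non-Cisco client such as the BEFVP41 mentioned in the thread could also
! connect.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Remote-access group. The vpngroup password is what the Easy VPN Remote
! client presents as the IKE pre-shared key, so no wildcard "isakmp key" is
! configured here (this follows the reading of the docs given in the thread;
! verify on the installed release).
ip local pool vpnpool 192.168.100.1-192.168.100.50
vpngroup REMOTEBOX address-pool vpnpool
vpngroup REMOTEBOX idle-time 1800
vpngroup REMOTEBOX password GROUP-PSK-PLACEHOLDER
! RADIUS server that holds the user database (placeholder secret).
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5 RADIUS-SECRET-PLACEHOLDER timeout 5
! Dynamic crypto map for clients. "client authentication RADIUS" turns on
! XAUTH, so the head-end asks for a username/password after the group key
! has been accepted.
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set STRONG
crypto map OUTMAP 10 ipsec-isakmp dynamic DYNMAP
crypto map OUTMAP client authentication RADIUS
crypto map OUTMAP client configuration address respond
crypto map OUTMAP interface outside
sysopt connection permit-ipsec
! Do not NAT corporate-LAN traffic destined for the VPN pool.
access-list NONAT permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! ---- Remote PIX 501 (the "box" between notebook and Internet) ----
ip address inside 192.168.1.1 255.255.255.0
ip address outside dhcp setroute
! Easy VPN Remote: only the server, the mode and the group key live on the
! box. The "vpnclient username ... password ..." line is deliberately absent,
! so the box cannot complete XAUTH on its own and a user must supply
! credentials.
vpnclient server 203.0.113.1
vpnclient mode client-mode
vpnclient vpngroup REMOTEBOX password GROUP-PSK-PLACEHOLDER
vpnclient enable
! Cut-through proxy: nothing from the notebook is forwarded until the user
! has authenticated against RADIUS. This assumes the RADIUS server behind the
! head-end is reachable from this PIX through the tunnel; verify that in a
! lab before relying on it, or point this at a server the 501 can reach
! directly.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5 RADIUS-SECRET-PLACEHOLDER timeout 5
access-list AUTH-ALL permit ip any any
aaa authentication match AUTH-ALL inside RADIUS
! The PIX can only present a login prompt on HTTP, HTTPS, FTP and Telnet, so
! give the user a virtual Telnet address (placeholder) to log in to before
! other traffic is allowed through.
virtual telnet 192.168.1.254
```

Two things worth checking before deploying something like this. First, the cut-through proxy only prompts on the protocols listed in the last comment; a user who opens an e-mail client first will simply see it time out, which is why the virtual telnet address is there. Second, PIX 6.3 also documents per-group "secure-unit-authentication" and "user-authentication" options under vpngroup on the head-end, which are meant to make the head-end itself demand per-user credentials from Easy VPN Remote users; whether the installed release supports them, and whether they interact sensibly with the local aaa authentication rule, is something to confirm against the release notes rather than assume from this example.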
