SSL VPN

mbox SSL VPN is based on OpenVPN, which uses the Transport Layer Security (TLS) cryptographic protocol and its predecessor, Secure Sockets Layer (SSL). The peers use X.509 certificates, and hence asymmetric cryptography, to authenticate the counterparty they are communicating with and to exchange a symmetric session key. This session key is then used to encrypt the data flowing between the parties, giving data/message confidentiality, while message authentication codes provide message integrity and, as a by-product, message authentication.

mbox SSL VPN has the following characteristics:

  • primarily runs in client-to-server VPN mode: one mbox acts as the VPN server (head end) and one mbox acts as a client (remote end).
  • can also simulate site-to-site VPN (for connecting remote offices): the head-end/HQ mbox works as the SSLVPN server and the remote-site mbox works as an SSLVPN client with its own protected private network. Hosts on the server and client subnets communicate directly, as if over a private leased line.
  • the remote/client-site mbox can use a dynamic/DHCP-assigned public IP address
  • all SSLVPN tunnels run in either tunnel mode (default) or tap mode (layer 2 tunnel). Note: running OSPF or bonding/bridging over an SSL tunnel requires tap mode.
  • in either tunnel or tap mode, raw/original traffic is encapsulated and encrypted inside a virtual tunnel:
      - a virtual IP is assigned to the tunnel interface on both server and client
      - no address translation is applied to traffic passing through the tunnel, i.e. hosts on each side "see" each other's original IP addresses
      - by default all traffic is allowed through the tunnel, i.e. there is no firewall filtering inside the tunnel
      - the SSLVPN tunnel provides data encryption, integrity and authentication:
          - DH algorithm for session keys
          - RSA certificate for client authentication
          - SHA-512/MD5-128 for data integrity and DES/3DES/AES-256 for data encryption
  • supports both unicast and multicast across the tunnel
  • extremely scalable, easy to deploy and support.

A few things to NOTE:

  • there is significant performance degradation over SSL VPN tunnels due to SSL encryption processing. For example, a CMG-1500, which delivers wire-speed (1Gbps) routing and firewall/NAT throughput, reaches a maximum SSLVPN throughput of only about 100Mbps.
  • input TCP/443 must be explicitly permitted on the VPN server so that remote clients can communicate with the gateway mbox
  • the VPN server must be restarted (stop & start) after changing server configs for the new configuration to take effect on clients
  • use "no security sslvpn-server x" to remove the SSLVPN configuration
  • use "no client xxxx" under the sslvpn-server context to remove an individual client profile config
  • configure "firewall-access xx" rules to permit traffic passing through tunnels

In this example, we have

- HQ mbox as VPN server. HQ private net: 10.1.2.0/24
- Remote mbox1 as VPN client, remote private net: 10.1.1.0/24
- Remote mbox2 as VPN client, remote private net: 10.1.3.0/24

CONFIGURATION STEPS

  • configure the VPN server (head-end mbox), create a VPN client profile and export the client profile
  • configure the VPN client (remote-end mbox) and import the respective client profile

SUMMARY STEPS

security sslvpn-server
 server address <address of the sslvpn server as seen by external clients; a resolvable DNS name or a public IP>
 server net <n.n.n.0 255.255.255.0: server-side protected private network>
 tunnel-pool <vpn tunnel dynamic subnet; an IP is assigned dynamically to each remote client>
 tunnel-static <vpn tunnel static subnet; the client option must be configured to bind a static IP to the respective client>
 client <client Common-Name> net <n.n.n.0 255.255.255.0: client-side protected private network; only needed if the client works as a VPN gateway peering with the VPN server>
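Because traffic inside the tunnel is not address-translated, the server net, the tunnel-pool and every client net must not overlap; an overlapping plan brings the tunnel up but leaves hosts unable to reach each other. The script below is an added example, not part of the mbox product: it validates the address plan for the HQ/remote topology used in this document and renders the server-side configuration block in the keyword layout shown above. The client profile names "mbox1" and "mbox2" are assumed.

```python
"""Validate the SSL VPN address plan and render the server-side mbox configuration
for a hub-and-spoke deployment. Added example, not part of the mbox product; the CLI
keyword layout follows the syntax shown in this document, and the topology values are
the ones from the worked example (HQ 10.1.2.0/24, clients 10.1.1.0/24 and 10.1.3.0/24)."""
import ipaddress
from itertools import combinations


def check_address_plan(server_net, tunnel_pool, client_nets):
    """Return overlap findings between the server net, the tunnel-pool and every
    client net. Tunnelled traffic is not NATed, so overlapping prefixes on either
    side (or with the tunnel-pool) produce ambiguous routes once the tunnel is up."""
    named = [("server net", ipaddress.ip_network(server_net, strict=False)),
             ("tunnel-pool", ipaddress.ip_network(tunnel_pool, strict=False))]
    for name, net in client_nets.items():
        named.append((f"client {name} net", ipaddress.ip_network(net, strict=False)))
    return [f"{an} {a} overlaps {bn} {b}"
            for (an, a), (bn, b) in combinations(named, 2) if a.overlaps(b)]


def dotted(net):
    """'10.1.2.0/24' -> '10.1.2.0 255.255.255.0', the form the mbox CLI expects."""
    n = ipaddress.ip_network(net, strict=False)
    return f"{n.network_address} {n.netmask}"


def render_server_config(server_address, server_net, tunnel_pool, client_nets, instance=1):
    """Produce the server-side configuration block; refuses to render an inconsistent plan."""
    problems = check_address_plan(server_net, tunnel_pool, client_nets)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        # remote clients must be able to reach TCP/443 on the server
        'firewall-input 10 permit all tcp dport 443 remark "permit SSLVPN access"',
        f"security sslvpn-server {instance}",
        f" server address {server_address}",
        f" server net {dotted(server_net)}",
        f" tunnel-pool {dotted(tunnel_pool)}",
    ]
    # one client profile per remote site; 'net' is only needed for site-to-site peers
    for name, net in client_nets.items():
        lines.append(f" client {name} net {dotted(net)}")
    lines.append(" start")
    return "\n".join(lines)


# Topology from this document's example (the client profile names are assumed).
HQ_PLAN = dict(server_address="sgvpn.ransnet.com", server_net="10.1.2.0/24",
               tunnel_pool="10.2.2.0/24",
               client_nets={"mbox1": "10.1.1.0/24", "mbox2": "10.1.3.0/24"})

if __name__ == "__main__":
    print(render_server_config(**HQ_PLAN))
```

Running the script prints the configuration block for the HQ mbox; changing any prefix in HQ_PLAN so that it overlaps another makes render_server_config raise with the exact pair that collides, which is cheaper to find at planning time than after the tunnel is up.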

SSLVPN SERVER CONFIGURATION EXAMPLES

=========================

1. Prepare and configure mbox as an SSLVPN Gateway

!
firewall-input 10 permit all tcp dport 443 remark "permit SSLVPN access"
!
security sslvpn-server 1
 server address sgvpn.ransnet.com
 server net 10.1.2.0 255.255.255.0
 tunnel-pool 10.2.2.0 255.255.255.0
 client testprofile net 10.1.1.0 255.255.255.0
 start
!
mbox# show running-config begin sslvpn-server
security sslvpn-server
 server address sgvpn.ransnet.com
 server net 10.1.2.0 255.255.255.0
 tunnel-pool 10.2.2.0 255.255.255.0
 client testprofile net 1.1.1.0 255.255.255.0
mbox#

2. Export client profile (to be imported to client mbox).

!show the list of created client profiles
mbox# show security sslvpn-server client list
testprofile
mbox#
!show the selected profile and copy it out to a text editor to import into the client machine
!Copy the output below to a text file and paste it into the client config (next section).
!Make sure you copy the output starting from ######BEGIN PROFILE###### to ######END PROFILE######
mbox# show security sslvpn-server client testprofile
######BEGIN PROFILE######
setenv FORWARD_COMPATIBLE 1
client
............
######END PROFILE######

SSLVPN CLIENT CONFIGURATION EXAMPLES

=========================

Prepare the VPN client profile information (from step #2 in the earlier section) and continue with the steps below on the remote client.

(mbox)# configure
(config)# security sslvpn-client 1
(config-sslvpn)# vpnclient profile    <- this imports the client VPN profile
(config-sslvpn)# start
(config-sslvpn)# exit
(config)# exit

TROUBLESHOOTING STEPS

=========================

Verify on the HQ/SSLVPN server mbox

The server status should be "running":

mbox# show security sslvpn-server status
SSLVPN server is running...
mbox#

A new tunnel interface should be created on the server:

mbox# show ip interface brief
Interface  IP_Address    NetMask          Broadcast     MAC_Address
--------------------------------------------------------------------------------
eth0       10.65.19.14   255.255.255.0    10.65.19.255  00:0C:29:7B:6D:66
lo         127.0.0.1     255.0.0.0        0.0.0.0       00:00:00:00:00:00
tun0       10.2.2.1      255.255.255.255  0.0.0.0       00:00:00:00:00:00 <---server tunnel interface.

!check connected clients
sgvpn.ransnet.com# show security sslvpn-server connected
Name         RealAdd               VPNAddress  Route         RX(B)   TX(B)   ConnectedSince
----------------------------------------------------------------------------------------------------------------------
ydev         10.65.19.8:32591      10.2.2.14   10.1.3.0/24;  566864  595209  Sat Aug 1 13:12:41 2015
testprofile  210.193.28.179:63895  10.2.2.10   10.1.1.0/24;  573685  603755  Sat Aug 1 12:43:54 2015

Check the server routing table. All remote client networks should appear in the server routes:

mbox# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - IS-IS, B - BGP, A - Babel, > - selected route, * - FIB route
S>* 0.0.0.0/0 [1/0] via 10.65.19.78, eth0
K * 10.1.1.0/24 via 10.2.2.10, tun0 <---client network appears in server routing table.
K * 10.2.2.0/24 via 10.2.2.10, tun0
C>* 10.2.2.2/32 is directly connected, tun0
C>* 10.65.19.0/24 is directly connected, eth0
C>* 127.0.0.0/8 is directly connected, lo
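The two checks above (connected clients and the server routing table) can be cross-referenced mechanically: every network a connected client advertises in its Route column should have a kernel route via that client's VPNAddress on a tun interface, and every VPNAddress should fall inside the configured tunnel-pool. The script below is an added example, not part of the mbox product; its sample command output is constructed to match the column layout of "show security sslvpn-server connected" and "show ip route", with the route for one client deliberately left out so the missing-route case is visible.

```python
"""Cross-check the SSL VPN server's state after clients connect: every network a
connected client advertises must have a route in the server routing table via that
client's tunnel IP on a tun interface, and each tunnel IP must come from the
configured tunnel-pool. Added example; the sample command output below is constructed
to match the column layout of 'show security sslvpn-server connected' and 'show ip route'."""
import ipaddress
import re

# Constructed sample output of "show security sslvpn-server connected" (two clients).
CONNECTED_OUTPUT = """\
Name         RealAdd                VPNAddress   Route         RX(B)    TX(B)    ConnectedSince
-----------------------------------------------------------------------------------------------
ydev         10.65.19.8:32591       10.2.2.14    10.1.3.0/24;  566864   595209   Sat Aug 1 13:12:41 2015
testprofile  210.193.28.179:63895   10.2.2.10    10.1.1.0/24;  573685   603755   Sat Aug 1 12:43:54 2015
"""

# Constructed sample output of "show ip route" on the server; the route for
# ydev's 10.1.3.0/24 is deliberately absent.
ROUTE_OUTPUT = """\
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - IS-IS, B - BGP, > - selected route, * - FIB route
S>* 0.0.0.0/0 [1/0] via 10.65.19.78, eth0
K * 10.1.1.0/24 via 10.2.2.10, tun0
K * 10.2.2.0/24 via 10.2.2.10, tun0
C>* 10.2.2.2/32 is directly connected, tun0
C>* 10.65.19.0/24 is directly connected, eth0
C>* 127.0.0.0/8 is directly connected, lo
"""

# name, real address:port, tunnel IP, then one or more "prefix;" entries
CLIENT_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<real>\d+\.\d+\.\d+\.\d+:\d+)\s+"
    r"(?P<vpn>\d+\.\d+\.\d+\.\d+)\s+(?P<routes>(?:\d+\.\d+\.\d+\.\d+/\d+;\s*)+)"
)
# routes with a next hop; directly-connected entries carry no "via" and are skipped
ROUTE_RE = re.compile(
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?:\[\d+/\d+\]\s+)?via\s+"
    r"(?P<via>\d+\.\d+\.\d+\.\d+),\s*(?P<iface>\S+)"
)


def parse_connected(text):
    """Return [{'name', 'real', 'vpn', 'routes': [ip_network, ...]}] for each client row."""
    clients = []
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if not m:
            continue  # header and separator rows do not match
        nets = [ipaddress.ip_network(p.strip(), strict=False)
                for p in m.group("routes").split(";") if p.strip()]
        clients.append({"name": m.group("name"), "real": m.group("real"),
                        "vpn": ipaddress.ip_address(m.group("vpn")), "routes": nets})
    return clients


def parse_routes(text):
    """Return [(ip_network, next-hop ip_address, interface)] for every routed prefix."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            routes.append((ipaddress.ip_network(m.group("prefix"), strict=False),
                           ipaddress.ip_address(m.group("via")), m.group("iface")))
    return routes


def verify_server_state(connected_text, route_text, tunnel_pool):
    """Return a list of findings; an empty list means the server looks healthy."""
    pool = ipaddress.ip_network(tunnel_pool, strict=False)
    routes = parse_routes(route_text)
    findings = []
    for c in parse_connected(connected_text):
        if c["vpn"] not in pool:
            findings.append(f"{c['name']}: tunnel IP {c['vpn']} is outside tunnel-pool {pool}")
        for net in c["routes"]:
            ok = any(p == net and via == c["vpn"] and iface.startswith("tun")
                     for p, via, iface in routes)
            if not ok:
                findings.append(f"{c['name']}: no route to {net} via {c['vpn']} on a tun interface")
    return findings


if __name__ == "__main__":
    report = verify_server_state(CONNECTED_OUTPUT, ROUTE_OUTPUT, "10.2.2.0/24")
    for line in report or ["all client routes present"]:
        print(line)
```

With the constructed output the script reports that ydev's 10.1.3.0/24 has no route via 10.2.2.14, which is what a missing client "net" entry on the server (or a client connected before the server was restarted) looks like; against a healthy server the report is empty.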

Verify on the remote/SSLVPN client mbox

mbox# show ip interface brief
Interface  IP_Address      NetMask          Broadcast       MAC_Address
--------------------------------------------------------------------------------
eth0       NON-IP          NON-IP           NON-IP          00:E0:6F:12:80:FE
eth1       210.193.28.179  255.255.255.240  210.193.28.191  00:E0:6F:12:80:FF
lo         127.0.0.1       255.0.0.0        0.0.0.0         00:00:00:00:00:00
tun0       10.2.2.10       255.255.255.255  0.0.0.0         00:00:00:00:00:00 <---client tunnel interface.

# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, I - ISIS, B - BGP,
       > - selected route, * - FIB route
......
S>* 0.0.0.0/0 [1/0] via 210.193.28.177, eth1
C>* 10.1.1.0/24 is directly connected, vlan10
K>* 10.1.2.0/24 via 10.2.2.9, tun0 <---server network appears in client routing table.
K>* 10.2.2.1/32 via 10.2.2.9, tun0
C>* 10.2.2.10/32 is directly connected, tun0
C>* 127.0.0.0/8 is directly connected, lo
C>* 210.193.28.176/28 is directly connected, eth1