SSLVPN

All mbox gateways (HSG/CMG/HSA) support SSLVPN. Our SSLVPN is based on OpenVPN technology, which utilizes Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) cryptographic protocols. It uses X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric session key. This session key is then used to encrypt data flowing between the parties. This allows for data/message confidentiality, and message authentication codes for message integrity and as a by-product, message authentication.

mbox SSL VPN has following key characteristics:

    • primarily runs in client-to-server VPN mode. One mbox acts as a VPN server (head end); one mbox acts as a client (remote end). In this case, remote/client site mbox can support dynamic/DHCP public IP addressing or behind any firewall (without punch a hold on the firewall for inbound access) because the VPN is always initiated from remote(client) site. This is a significant advantage over traditional IPSec or GRE VPN tunnels, which require both sites to have static IP addresses and directly accessible/reachable to each other. And it is extremely scalable, easy to deploy and support.

    • two mbox gateways form site-to-site VPN (for protected networks) for their protected private networks. Hosts behind mbox gateways can communicate directly, as if they are passing through a private leased line. Dynamic routing protocols (OSPF and BGP) are used to auto learn/advertise routes/networks behind each gateway.

    • all SSLVPN tunnels can run in either tunnel mode (default) or tap mode (layer 2 tunnel). Note: If you want to run OSPF or bonding/bridging with SSL tunnel, it's a must to run in tap mode.

        • in either tunnel or tap mode, raw/original traffic is encapsulated and encrypted into a virtual tunnel:

        • there's a virtual IP assigned to the tunnel interface, for both server and client

        • by default, no address translation for raw traffic passing through the tunnel, eg. hosts on each side "see" each other's original IP address

        • by default all traffic is allowed to pass through the tunnel, eg. no firewall filtering inside tunnel

        • supports both unicast and multicast across the tunnel

    • SSLVPN tunnel provides data encryption, integration and authentication

      • RSA certificate for gateway authentication

      • DH algorithm for generating session keys

      • SHA-512/MD5-128 for data integrity

      • DES/3DES/AES-256 for data encryption

A few things to NOTE:

  • there's significant performance degradation using SSL VPN tunnels due to SSL encryption (also depends on which which encryption options used). For example, for an CMG-1500, which produces wired speed (1Gbps) routing and firewall/NAT throughput, the max SSLVPN throughput can drop down to 200Mbps.

  • we must explicitly permit input TCP/1443 (depends on your VPN instance port number) on the VPN server for remote clients to communicate with gateway mbox

  • we must restart (stop & start) VPN server for after changing server configs, in order for the new config client to take effect.

  • use "no security sslvpn-server x" to remove SSLVPN configuration

  • use "no client xxxx" under sslvpn-server context to remove each client profile config

  • configure "firewall-access xx" rules to permit traffic passing through tunnels

SSLVPN Server configuration example

In this example, we have

  • HQ mbox as VPN server. HQ private net: 10.1.2.0/24

  • Remote mbox1 as VPN client, remote private net: 10.1.1.0/24

  • Remote mbox2 as VPN client, remote private net: 10.1.3.0/24

CONFIGURATION STEPS

    • configure VPN server (head-end mbox), create VPN client profile and export client profile

    • configure VPN client (remote-end mbox) and import respective client profile

1. Prepare and configure mbox as an SSLVPN Gateway

!firewall-input 10 permit all tcp dport 443 remark "permit SSLVPN access"!security sslvpn-server 1 server address sgvpn.ransnet.com server net 10.1.2.0 255.255.255.0 tunnel-pool 10.2.2.0 255.255.255.0 client testprofilenet 10.1.1.0 255.255.255.0 start!mbox# show running-config begin sslvpn-serversecurity sslvpn-server server address sgvpn.ransnet.com server net 10.1.2.0 255.255.255.0 tunnel-pool 10.2.2.0 255.255.255.0 client testprofile net 1.1.1.0 255.255.255.0mbox#

2. Export client profile (to be imported to client mbox).

!show the list of created client profilesmbox# show security sslvpn-server client list testprofilembox# !show the selected profile, copy out to a textpad to import into client machine!Copy below output to a text file and past to client config (next section).Make sure you copy the output start from ######BEGIN PROFILE###### to ######END PROFILE######mbox# show security sslvpn-server client testprofile######BEGIN PROFILE######setenv FORWARD_COMPATIBLE 1client......######END PROFILE######

SSLVPN Client configuration example

Prepare vpn client profile information (from step #2 in earlier section) and continue below steps on remote client.

(mbox)# configure(config)# security sslvpn-client 1(config-sslvpn)# vpnclient profile ← this imports client vpn profile(config-sslvpn)# start(config-sslvpn)# exit(config)# exit

Troubleshooting techniques

Verify on the HQ/SSLVPN server mbox

mbox# show security sslvpn-server status SSLVPN server is running... mbox#

A new tunnel interface should be created on server

mbox# show ip interface brief Interface IP_Address NetMask Broadcast MAC_Address --------------------------------------------------------------------------------eth0 10.65.19.14 255.255.255.0 10.65.19.255 00:0C:29:7B:6D:66lo 127.0.0.1 255.0.0.0 0.0.0.0 00:00:00:00:00:00tun0 10.2.2.1 255.255.255.255 0.0.0.0 00:00:00:00:00:00 <---server tunnel interface.!check connected clientssgvpn.ransnet.com# show security sslvpn-server connectedName RealAdd VPNAddress Route RX(B) TX(B) ConnectedSince----------------------------------------------------------------------------------------------------------------------ydev 10.65.19.8:32591 10.2.2.14 10.1.3.0/24; 566864 595209 Sat Aug 1 13:12:41 2015testprofile 210.193.28.179:63895 10.2.2.10 10.1.1.0/24; 573685 603755 Sat Aug 1 12:43:54 2015

check server routing table. All remote client networks should appear in server route

mbox# show ip route Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, A - Babel, > - selected route, * - FIB route S>* 0.0.0.0/0 [1/0] via 10.65.19.78, eth0 K * 10.1.1.0/24 via 10.2.2.10, tun0 <---client network appears in server routing table. K * 10.2.2.0/24 via 10.2.2.10, tun0 C>* 10.2.2.2/32 is directly connected, tun0 C>* 10.65.19.0/24 is directly connected, eth0 C>* 127.0.0.0/8 is directly connected, lo

Verify on the remote/SSLVPN client mbox

mbox# show ip interface brief Interface IP_Address NetMask Broadcast MAC_Address -------------------------------------------------------------------------- eth0 NON-IP NON-IP NON-IP 00:E0:6F:12:80:FE eth1 210.193.28.179 255.255.255.240 210.193.28.191 00:E0:6F:12:80:FF lo 127.0.0.1 255.0.0.0 0.0.0.0 00:00:00:00:00:00 tun0 10.2.2.10 255.255.255.255 0.0.0.0 00:00:00:00:00:00 <---client tunnel interface.
# show ip routeCodes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, I - ISIS, B - BGP, > - selected route, * - FIB route......S>* 0.0.0.0/0 [1/0] via 210.193.28.177, eth1 C>* 10.1.1.0/24 is directly connected, vlan10 K>* 10.1.2.0/24 via 10.2.2.9, tun0 <---server network appears in client routing table.K>* 10.2.2.1/32 via 10.2.2.9, tun0 C>* 10.2.2.10/32 is directly connected, tun0 C>* 127.0.0.0/8 is directly connected, lo C>* 210.193.28.176/28 is directly connected, eth1