
This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.

VPN - Virtual Private Network

A series of articles giving a general description of VPN technology. It breaks down the individual VPN types, such as Site-to-Site VPN and Remote Access VPN, and describes their configuration on different devices.

VPN 1 - IPsec VPN and Cisco

The opening installment of a series on VPN technology. It gives a brief description of VPNs and their types, then describes IPsec-based VPNs in more detail, primarily the Remote Access type. The description itself is general, but the later parts focus on deployment on Cisco devices, primarily the Cisco ASA. At the end, the parameters supported by the Cisco VPN Client, by the client integrated in Google Android, and by the built-in client on Windows XP/Vista/7 are listed.
10.04.2011 | Samuraj - Petr Bouška | networks | 79 133x | Comments [14]

VPN 2 - Introduction to Cisco ASA and VPN Options

After the theoretical first part we take a brief look at the Cisco ASA security appliance, which we will use to configure the various VPNs in later parts. We also note a few important points that we will need next time when configuring an IPsec Remote Access VPN. Only the ASA features related to VPNs are covered. ASA currently means the ASA 5500 series (I am working with an ASA 5510), but most Cisco routers can terminate VPNs as well.

VPN 3 - Configuration IPsec Remote Access VPN on Cisco ASA

We have completed the theoretical description of IPsec Remote Access VPN and a basic introduction (let's say initial configuration) of the Cisco ASA. Today we focus on the practical configuration of this widespread type of VPN for user access to the corporate environment. The first part of the article describes the individual building blocks configured on the Cisco ASA and how they relate to each other. The second part walks through the individual items in ASDM that need to be configured.

VPN 4 - Configuration Cisco Clientless SSL VPN on Cisco ASA

SSL VPNs are now considered the modern type of VPN connection and have a number of advantages over the traditional IPsec protocol. With Cisco, however, licensing needs to be checked first, as AnyConnect licenses are quite expensive. Clientless SSL VPN is a special type of VPN that needs no client: a web browser is enough. It does not offer quite the same capabilities as a full VPN, but it is suitable for many situations. The basic functionality provides secure access to internal web and file servers, which is what we look at today. Various plugins can add access via SSH or RDP, for example, and there are more advanced features such as Smart Tunnel.

VPN 5 - Clientless SSL VPN and advanced features

Last time we covered the basic features of Clientless SSL VPN on Cisco ASA, which lets us reach some corporate resources from the Internet from a computer where we have no administrator rights and need only a web browser and Java or ActiveX. Now we look at the advanced features that add more types of access (Port Forwarding and Smart Tunnels) and more security (Cisco Secure Desktop). The description of each feature is brief and does not cover all options.

VPN 6 - Configure SSL Remote Access VPN on Cisco ASA

Cisco no longer supports the traditional IPsec (IKEv1) VPN Client for remote user connections. Its replacement is the AnyConnect client with SSL VPN or IPsec IKEv2. In this article we look at the principle of SSL VPN as Cisco presents it and show how to configure it in ASDM.

VPN 7 - SSL VPN and Host Scan

This article follows up on the previous one, where we created an SSL VPN. Now we look at ways to increase the security of the connection, or rather to define the conditions under which a user may connect. By default, once a user is allowed to use the VPN and authenticates correctly, the connection is established. Here we describe the options for checking various parameters of the connecting device and allowing, restricting or completely denying the connection accordingly. We use the Cisco Secure Desktop component Host Scan together with Dynamic Access Policies.

VPN 8 - Two-factor authentication with certificate

Cisco ASA offers a number of ways to authenticate a client connecting to a VPN. The most common is authenticating the user by name and password against various sources (local database, LDAP, RADIUS). We can also use Double Authentication, where the user is authenticated against two different sources; note that two passwords are still two credentials of the same factor, so this is two-step rather than true two-factor authentication unless one of the sources is an OTP or similar. Certificate authentication is also available and can be combined with a password into genuine multi-factor authentication. In this article we first go through a bit of theory, and in the second half we look at authentication with a certificate plus name and password.
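The combination the article configures in ASDM (valid client certificate plus name and password) corresponds to the following ASA CLI. This is an added example, not configuration from the article; the trustpoint, group-policy, tunnel-group and AAA server group names are hypothetical, and it assumes the LDAP server group LDAP-SRV has already been defined with aaa-server.

```text
! Cisco ASA CLI (ASA 9.x syntax). Names are hypothetical.

! Trustpoint holding the enterprise CA that issued the user certificates;
! the ASA validates the client certificate chain against it and checks the CRL.
crypto ca trustpoint CORP-USER-CA
 enrollment terminal
 revocation-check crl

! Group policy for AnyConnect SSL VPN users (only the relevant line shown)
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client

! Connection profile (tunnel group) used by the AnyConnect client
tunnel-group RA-ANYCONNECT type remote-access
tunnel-group RA-ANYCONNECT general-attributes
 authentication-server-group LDAP-SRV
 default-group-policy GP-ANYCONNECT
 ! derive the user name from the certificate subject CN
 username-from-certificate CN
tunnel-group RA-ANYCONNECT webvpn-attributes
 ! require BOTH a valid client certificate AND AAA (name/password)
 authentication aaa certificate
 ! prefill (and lock) the user name from the certificate, so the password
 ! must belong to the same identity the certificate asserts
 pre-fill-username ssl-client
 group-alias RA-ANYCONNECT enable
```

Without pre-fill-username the two factors are independent: a user holding any valid certificate could type a different account's credentials. Binding the AAA user name to the certificate CN is what makes the certificate and the password prove the same identity.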

FortiGate certificate authentication to SSL VPN

Last time we described user accounts on FortiGate and authentication locally or against remote servers (LDAP). Today we look at the multi-factor authentication (MFA) options, specifically the use of a digital certificate to log in to an SSL VPN. We show how to use the more common user certificate as well as a computer (machine) certificate.

FortiGate two-factor authentication using OTP

Another installment looking at the multi-factor authentication (MFA) options on FortiGate. This time it is two-factor authentication (2FA) using a one-time password (OTP) sent by e-mail or as an SMS message. The use case is logging in to an SSL VPN, but the same mechanism can be used elsewhere.

FortiGate SSL VPN configuration

After a few introductory articles on user authentication, this is an extensive piece on SSL VPN configuration. I tried to make the description very comprehensive, as I find the official documentation insufficient. A few simple steps are enough to create a basic VPN connection (examples are in the official documentation); this article also covers all the special options that can be set. It focuses on the links between the different parts of the configuration and tries to give an overall picture before going into the details.
07.05.2020 | 29.04.2020 | Samuraj - Petr Bouška | Fortinet admin | 33 938x | Comments [1]

FortiGate SSL VPN Host Check - client checks on connection

In this article we add a final section to the previously described SSL VPN setup on FortiGate: client checks on connection. We can check a number of things on the client and, based on the result, decide whether it may connect to the VPN. The checks work only on the Windows operating system (to a limited extent on macOS). We can check the operating system version, the presence of an antivirus and a firewall, the client's MAC address, and the existence of a given file, process or registry key.

FortiGate IPsec VPN, debug and issues

I have tried to put together a brief description of how the IPsec protocol establishes VPNs. The article focuses primarily on Site-to-Site VPN using IKEv2 (with ESP). I have not studied the RFCs; the information comes from various articles on the Internet, mostly from manufacturers (focused on Fortinet). The theory covers the individual terms with short descriptions. This is followed by a brief description of how to configure an IPsec VPN on FortiGate. The rest of the article covers monitoring, troubleshooting and debugging, and mentions problems I have encountered.
26.04.2021 | 14.04.2021 | Samuraj - Petr Bouška | Fortinet admin | 40 246x | Comments [2]

FortiGate problems connecting to SSL VPN via FortiClient

Let's take a look at an old, well-known issue where FortiClient connecting to an SSL VPN on FortiGate gets stuck or disconnects at 98 percent. This issue should have been resolved in FortiClient 5.6.0, but according to discussions it still occurs in newer versions. Various fixes are suggested, but in our environment the one that finally helped is one I have not seen mentioned anywhere: disable DTLS and connect classically over TLS. We also take a look at SSL VPN debugging on FortiGate.
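The workaround described above (turn off DTLS so FortiClient negotiates a plain TLS tunnel) and the debug session used to see where a connection stalls, in FortiGate CLI form. This is an added example, not the article's own commands; it assumes FortiOS 6.x command syntax and that the SSL VPN itself is already configured.

```text
# FortiGate CLI (FortiOS 6.x syntax), run from the console or an SSH session.

# 1) Stop offering DTLS for the SSL VPN tunnel. FortiClient then falls back
#    to TLS over TCP. The setting is global for the SSL VPN; portals and
#    firewall policies are unchanged.
config vpn ssl settings
    set dtls-tunnel disable
end

# 2) Capture the SSL VPN daemon's debug output while the user reproduces the
#    failing connection, then switch debugging off again (it is verbose and
#    costs CPU on a busy unit).
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug enable
# ... ask the user to connect with FortiClient now and watch the output ...
diagnose debug disable
diagnose debug reset
```

The trade-off to keep in mind: DTLS runs over UDP and avoids the TCP-over-TCP retransmission problem, so disabling it can lower throughput on lossy links. It is, however, the right choice when something on the path (a NAT device, a firewall, an ISP) drops or mangles the UDP flow on the SSL VPN port, which is exactly the situation where the tunnel comes up but never finishes.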