Secure tunnel

To get an understanding of the parameters inside View, I read the Administrator's Guide. Under the View Connection Server settings there is "HTTP(S) Secure Tunnel" and then a box for the External URL. Do Internet connections as well as LAN clients make use of this external address? The secure tunnel is checked in my setup and the external address is my Connection Server's full domain name, but I don't know if that is the default, or if someone in my department checked it.

-MN

The secure tunnel and the "External URL" are used when you want to configure remote access to your View environment.

If your View clients and virtual desktops are on the same internal network, you don't need to use the secure tunnel or the PCoIP Secure Gateway, so both options can be unchecked. Your View clients will then connect to the virtual desktop (via PCoIP or RDP) directly.

If you want to make your View environment accessible via the Internet, then you need both of these options checked, and you will need to configure and understand the use of the parameters "External URL" and "PCoIP External URL". The 3 steps for setting this up are described here http://communities.vmware.com/docs/DOC-14974 and there is also a video that explains this configuration in detail. It also has an example of how all these parameters are used in a remote access configuration.

I hope this helps.


Tags: VMware

Similar Questions

  • How to secure a VPN tunnel

    Hello

    I installed a VPN tunnel between an ASA and a PIX. I want to implement security on the ASA or PIX so that only some specific remote endpoint IPs can access resources through the tunnel. Is it possible to block additional IP addresses?

    Thank you

    Amardeep

    Please read this link; you can implement a VPN filter.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

    Thank you

    Ajay

  • VTI & OSPF tunnel

    Hi all

    I have configured VTI tunnel interfaces (IPv4 IPsec tunnel mode) and OSPF, which runs over them.

    The VTI encrypts all data traffic. But what about the OSPF traffic?

    Is the OSPF traffic encrypted as well, or do I need to configure OSPF authentication?

    Thank you

    The OSPF exchange is already encrypted inside the tunnel, so you don't have to use OSPF authentication. OSPF uses the tunnel IPs for its communication, and traffic between these two addresses is possible only through the secure tunnel.

  • Connection problem with Blast after upgrade to View 6.1.1 ("your desktop may have an untrusted security certificate")

    Hello guys,

    We are facing a very strange problem with Blast after the upgrade to View 6.1.1. Let me describe the scenario:

    We have two Security Servers (paired with two Connection Servers).

    On both Security Servers (and on the Connection Servers), the default self-signed certificate is used.

    Secure Tunnel, PCoIP Secure Gateway and Blast Secure Gateway are enabled.

    Users access it from the Internet via a NetScaler, which load-balances the traffic and presents a trusted signed certificate.

    For now I won't go deeper into the NetScaler configuration, as it was working fine.

    We were on Horizon View 5.2 and everything worked fine!

    After the upgrade to View 6.1.1 we are unable to connect using the web browser. We can open a session and select the desktop, but as soon as the connection to the desktop is launched, we receive the following error message:

    "Your desktop has been disconnected.

    Trying to reconnect to the desktop...

    Your desktop may have an untrusted security certificate. Click here to accept the security certificate, then try to connect to your desktop again."

    error.png

    If we click on the link, we are redirected to something like https://Blast_External_URL:8443/r/F386565D-D068-4AC1-BFD3-3A903CBEB235/certAccept.html and receive a blank page with the following text:

    "Could not resolve proxy route for the request."

    Just before the upgrade, we were able to use the HTML protocol. We have made no changes at all, so I really think it's related to some change introduced by the new version of Horizon View, but I don't know what is causing the problem.

    No problem connecting with the Horizon View Client (PCoIP and RDP).

    If, in the Blast Secure Gateway external URL, we insert the hostname of the Security Server instead of the external URL (NetScaler), we are able to connect, but of course only from our local network.

    Does anyone have any ideas?

    Thank you.

    Hi Calyps0Craig,

    Yes, I found a solution for this. In our case the issue was resolved by changing the NetScaler configuration.

    In the past we used SSL offloading and all protocols worked. It seems that with the new version of View, SSL offloading no longer works.

    Changing the service and virtual server on ports 443 and 8443 from SSL to SSL_BRIDGE solved our problem.

    Hope this will help you.

    Best regards

    Claudio

  • Secure Gateway

    Hello

    We have a mixture of zero clients and software clients, and I'm having a problem where the internal software clients seem to be tunnelling through the PCoIP Secure Gateway servers for internal connections, rather than connecting directly to the desktop. This works until we do maintenance on our Connection Servers, as software clients get disconnected when we reboot a Connection Server.

    In the example below, the top one is a software client, the bottom one is a zero client.

    Sessions.png

    Our internal Connection Servers do not have "Use PCoIP Secure Gateway" checked, as shown below.

    Connection Server.png

    Does anyone have an idea why this happens? Can we change the behavior so that software clients don't tunnel through the Connection Servers, or is this the expected behavior?

    We run View 5.1, Win 7 VMs with View Agent 5.1.

    Thank you

    The answer is in the screenshot you posted: nothing goes through the PCoIP Secure Gateway, but software clients always establish an HTTP(S) Secure Tunnel connection to the Connection Server. This is used for the channel framework (used for USB transport for software clients) and MMR, among other things. If you want truly direct connections then this should also be disabled. Please see the Administration Guide for more details on this setting.

    Mike

  • Problems with PCoIP Secure Gateway

    I am using View 4.6 and am faced with this configuration. Under "View Configuration", "Servers", then "View Connection Servers" it shows my Connection Server. In the PCoIP column it says no secure gateway is installed, which is true. See screenshot

    View-Admin1.jpg

    The problem arises in the Connection Server settings.

    When I select my Connection Server, fill in the 'HTTP(S) Secure Tunnel' external URL and uncheck 'Use secure tunnel connection to desktop', I can continue to use the Connection Server internally.

    When I check that box and also check "Use PCoIP Secure Gateway for PCoIP connections to desktop", it works remotely but not internally. Also, the PCoIP External URL is grayed out.

    To sum up, I can get this to work for internal or for external use, but not both at the same time.

    You can make this work with just a single Connection Server for both external and internal access, but it will mean that internal PCoIP is unnecessarily gatewayed through a Connection Server or Security Server.

    It is best to dedicate Connection Servers to internal and to external access, so that internal PCoIP goes directly between the client and the virtual desktop.

    There is a detailed description of this here, http://communities.vmware.com/docs/DOC-14974 , which includes a video detailing a View deployment configuration for internal and external access.


  • VMware View 4.6 PCoIP tunneling problem: UDP does not get tunnelled

    Hello

    I have the "classic" black screen issue.
    When I try to connect to a virtual desktop, I am authenticated fine and I can select a desktop pool, but once the desktop is launching
    I just get a black screen, and after a while it times out.

    I read the manuals and the document http://communities.VMware.com/docs/doc-14974 written by Mark Benson; watched the video; checked and re-checked the 3 magic steps;
    read Paul Slager's blog http://paulslager.com/?p=1300 and still I'm stuck. I read (some of) the logs from the View Connection Server, View Security Server, View Client and View Agent.
    None of the logs I read gave me any significant errors that would have solved this for me. Admittedly, in the 'full' trace-state logs there's a lot that wasn't exactly clear to me.

    I have simplified our debugging environment to be as follows:

    View Connection Server,
    running on Windows Server 2008 R2 (Datacenter) 64-bit, VMware View Connection Server 4.6.0-366101.
    The checkboxes for both "HTTP(S) Secure Tunnel: Use secure tunnel connection to desktop" and "PCoIP Secure Gateway: Use PCoIP Secure Gateway for PCoIP connections to desktop" have been checked.

    View Security Server,
    running on Windows Server 2008 R2 (Datacenter) 64-bit, VMware View Security Server 4.6.0-366101,
    has been paired with the Connection Server, and both "HTTP(S) Secure Tunnel: External URL" and "PCoIP Secure Gateway: PCoIP External URL" have been set to a virtual IP address in the firewall's external DMZ, with a destination NAT to the real IP address of the Security Server.

    The View Clients are pointing to the virtual IP address of the View Security Server.

    Since it is not a production environment, I installed Wireshark in a number of places to see the traffic.
    I ran captures on the View Connection Server, View Security Server, View Client and the connected virtual desktop
    at the same time and have verified that PCoIP TCP traffic on port 4172 is exchanged between my Security Server host and the client, and between the
    Security Server and the virtual desktop, just fine. TCP traffic seems to be in the tunnel. But what bothers me is that Wireshark on the virtual desktop reveals that the virtual desktop is trying
    to talk on UDP port 4172 directly back to my View Client's host IP. Because this is not allowed by the firewall, the virtual desktop probably does not work...

    But all the scenarios describe the Security Server alone handling all PCoIP traffic with the View Agent (as shown in the architecture documentation in Figure 5-6), so that no direct connection between the View Client and the View Agent is necessary... I can't get it to work. But it is possible, right?

    Any ideas what I could be doing wrong?

    Help really appreciated.

    It works in the way that you described in your original post. There is no requirement for the virtual desktop to send UDP responses directly to the client. They will be sent to the Security Server, which will in turn forward them to the client.

    Something must be configured incorrectly.

    Check the UDP traffic in your Wireshark traces very carefully. From the client, you should see TCP 4172 to the VIP of your SS. You should then see UDP 4172 to the same VIP. You should see UDP response data from the SS to the client. The destination UDP port of this response data must be the source port used for the UDP request. The source port of the response data must be 4172.

    Then check your SS Wireshark trace. You should see the same client traffic, and you should see a similar PCoIP conversation between the SS and the virtual desktop. From the virtual desktop's point of view, the SS looks like a client. PCoIP UDP must be sent to the SS when it is properly configured.

    Client -TCP 4172-> SS -TCP 4172-> Virtual Desktop

    Client -UDP 4172-> SS -UDP 4172-> Virtual Desktop

    Client <-UDP 4172- SS <-UDP 4172- Virtual Desktop (the 4172 here is the src port; the dst UDP port will be the source port of the UDP request packets above)

    If you have verified that you can connect to the same virtual desktop with PCoIP, then this problem will not be anything to do with the virtual desktop or the View Agent etc.

    Check your View settings, network, firewall and NAT.

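The flow the answer above describes can be checked mechanically. The block below is an added example (not from the thread or from VMware): it walks a list of packets, constructed here by hand rather than taken from a real capture, and verifies the expected PCoIP Secure Gateway pattern (TCP and UDP 4172 from client to Security Server and from Security Server to desktop, UDP replies sourced from port 4172 back to each request's source port). It also flags the symptom in the original post, the desktop sending PCoIP UDP directly to the client. IP addresses and port numbers are made up.

```python
# Added example, not from the thread: check a packet list against the PCoIP
# Secure Gateway flow described in the answer, and flag the desktop talking
# UDP straight to the client. Packets are constructed, not a real capture.
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src sport dst dport")
PCOIP = 4172


def check_pcoip_gateway(packets, client, ss, desktop):
    """Return a list of findings; an empty list means the capture shows
    Client -TCP/UDP 4172-> SS -TCP/UDP 4172-> Desktop, with UDP replies
    coming back from port 4172 to the source port of each request."""

    def find(proto, src, dst, sport=None, dport=None):
        return [p for p in packets
                if p.proto == proto and p.src == src and p.dst == dst
                and (sport is None or p.sport == sport)
                and (dport is None or p.dport == dport)]

    findings = []

    # Client -> Security Server VIP: TCP 4172 first, then UDP 4172.
    if not find("tcp", client, ss, dport=PCOIP):
        findings.append("no TCP 4172 from client to Security Server VIP")
    client_udp = find("udp", client, ss, dport=PCOIP)
    if not client_udp:
        findings.append("no UDP 4172 from client to Security Server VIP")
    else:
        # Reply must be sourced from SS:4172 and aimed at the client's request port.
        req_port = client_udp[0].sport
        if not find("udp", ss, client, sport=PCOIP, dport=req_port):
            findings.append(f"no UDP reply from SS:4172 to client:{req_port}")

    # Security Server -> desktop: to the desktop, the SS looks like a client.
    if not find("tcp", ss, desktop, dport=PCOIP):
        findings.append("no TCP 4172 from Security Server to desktop")
    ss_udp = find("udp", ss, desktop, dport=PCOIP)
    if not ss_udp:
        findings.append("no UDP 4172 from Security Server to desktop")
    else:
        req_port = ss_udp[0].sport
        if not find("udp", desktop, ss, sport=PCOIP, dport=req_port):
            findings.append(f"no UDP reply from desktop:4172 to SS:{req_port}")

    # The original poster's symptom: the desktop bypasses the gateway.
    if find("udp", desktop, client):
        findings.append("desktop sends PCoIP UDP directly to the client; "
                        "re-check the PCoIP Secure Gateway / PCoIP External URL settings")
    return findings


# Constructed addresses (RFC 5737 documentation ranges for the public side).
CLIENT, SS_VIP, DESKTOP = "203.0.113.10", "198.51.100.20", "10.0.5.15"

# Constructed trace of a working gatewayed session.
GOOD_TRACE = [
    Pkt("tcp", CLIENT, 50123, SS_VIP, PCOIP),
    Pkt("udp", CLIENT, 50124, SS_VIP, PCOIP),
    Pkt("udp", SS_VIP, PCOIP, CLIENT, 50124),
    Pkt("tcp", SS_VIP, 61000, DESKTOP, PCOIP),
    Pkt("udp", SS_VIP, 61001, DESKTOP, PCOIP),
    Pkt("udp", DESKTOP, PCOIP, SS_VIP, 61001),
]

# Constructed trace of the black-screen case: TCP is tunnelled, but the
# desktop sends its UDP to the client's own address, which the firewall drops.
BROKEN_TRACE = [
    Pkt("tcp", CLIENT, 50123, SS_VIP, PCOIP),
    Pkt("udp", CLIENT, 50124, SS_VIP, PCOIP),
    Pkt("tcp", SS_VIP, 61000, DESKTOP, PCOIP),
    Pkt("udp", SS_VIP, 61001, DESKTOP, PCOIP),
    Pkt("udp", DESKTOP, PCOIP, CLIENT, 50124),
]

if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("broken", BROKEN_TRACE)):
        print(name, check_pcoip_gateway(trace, CLIENT, SS_VIP, DESKTOP) or ["OK"])
```

On a real trace you would build the `Pkt` list from the Wireshark export (for example a CSV of `ip.src`, `udp.srcport`, `ip.dst`, `udp.dstport`) and run the same check; the broken trace yields three findings, the last of which names the bypass.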

  • Uninstalling programs... Should I or shouldn't I?

    While trying to improve the performance of my PC, I pulled up the list of programs to see what I could uninstall. I noticed that there are programs that I do not recognize. They were as follows: Cisco LEAP Module, Cisco PEAP Module, Cisco EAP-FAST Module. I don't know what they are for. Please help before I do something irreversible.

    Hello

    Those are used for network authentication, so leave them installed.

    LEAP (Lightweight Extensible Authentication Protocol) is a proprietary wireless LAN authentication method developed by Cisco Systems. Important features of LEAP are dynamic WEP keys and mutual authentication (between a wireless client and a RADIUS server). LEAP allows clients to re-authenticate frequently; on each successful authentication, clients acquire a new WEP key (with the hope that the WEP keys do not live long enough to be broken). LEAP can be configured to use TKIP instead of dynamic WEP.
    http://en.Wikipedia.org/wiki/Lightweight_Extensible_Authentication_Protocol

    PEAP, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel. The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for the protection of the EAP conversation were not provided.
    http://en.Wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol

    EAP-FAST (Flexible Authentication via Secure Tunneling) is a protocol proposal by Cisco Systems as a replacement for LEAP.
    http://en.Wikipedia.org/wiki/EAP-fast

    I hope this helps.

    Rob Brown - MS MVP - Windows Desktop Experience: Bike - Mark Twain said it right.

  • Question about 802.1X authentication and X.509 certificates

    Hello

    Can someone please help me with the following question:

    First off, I am a Windows Server/PKI/AD guy rather than a Cisco guy, even though I have a CCNA :)

    I take care of PKI for my company and will be working with the Cisco team that is introducing Cisco ISE; we will use X.509 certs on the supplicants (mainly Windows desktops/laptops).

    What I want to know is something pretty basic, but I have not seen it written anywhere.

    Question 1:

    First of all, I guess the AAA (ISE) server is the entity that verifies the supplicant's X.509 certificate, rather than the AP (wireless access point or router, for example)? Is that correct?

    Question 2:

    As the supplicant's X.509 certificate is public (i.e. it is not secret and anyone can ask for it, which is normal), I guess the AAA server must encrypt a value (a random number, for example) with the supplicant's public key (from the X.509 cert) and then send this value to the supplicant, which decrypts it with its private key (which no one else has, as usual). Then the supplicant encrypts the same value with the AAA server's public key (which is held in the AAA server's advertised X.509 cert), sends it back to the AAA server, and once the AAA server decrypts it (with its private key), if the value matches the value originally sent to the supplicant then the AAA server can continue with authentication etc.

    Is the above assumption correct?

    If the above is correct, does ISE always act like that, or can you lower the security and just get the ISE server to check whether it trusts the issuer of the supplicant's X.509 cert (CRL check OK) and not bother sending the encrypted packet as described above (this of course would not ensure that supplicant-1 is actually "supplicant-1")?

    Thank you very much in advance

    Ernie

    Answers:

    1 - Yes, ISE verifies the certificate presented by the end-user device (supplicant) against its trusted certificate authority store; you import into ISE the root and intermediate certificates where you use non-public CA servers (this is my case for EAP-TLS) or public ones such as Verisign, Entrust, etc. UNFORTUNATELY, ISE allows you to have only 1 cert for EAP use (PEAP, EAP-TLS, etc.), which means that you CANNOT have EAP-TLS and PEAP running on different SSIDs. The problem now is that Entrust, for example, uses an intermediate called Entrust L1K which is not included in the trusted CA store of Apple and Win 7 devices. This causes an untrusted certificate warning on iPads, where you then need to trust this certificate, but for Win 7 devices the PEAP TLS tunnel setup will fail and the connection cannot be established unless you uncheck "Validate server certificate" on Win 7 for this SSID profile.

    2 - You can create a condition that validates the issuer cert, but the allowed protocol is EAP-TLS or PEAP, so the actual process for one of these protocols, based on my understanding, is as follows. For example, with PEAP, setting up the TLS tunnel is the 1st step; once the secure tunnel is established, the inner MSCHAPv2 + EAPOL exchange is performed, and finally the data passes through the tunnel.

  • Encryption of wireless data

    Is it possible to encrypt the wireless data between the hosts and the access point? We use TTLS and PEAP and thought that ALL data went through a secure tunnel, but it seems we are wrong and only the authentication process goes through the tunnel. Is there some way we can implement encryption? Thank you.

    Implement WPA or WPA2; it will encrypt ALL data traffic between the AP and the client after authentication.

    The master encryption keys are unique to each client and change on every roaming update and on group composition changes (i.e., someone leaves / joins the AP).

    Currently, the safest way is to implement WPA2-AES; WPA-TKIP is however still extremely secure (still not cracked, to the best of my knowledge) and has broader support for older clients.

  • PIX support for IPsec over UDP or TCP

    Does the Cisco PIX 500 series firewall support IPsec over UDP or TCP so that the secure IPsec VPN tunnel can pass through PAT and NAT? If so, how do I configure it? Thx

    Regards

    Jeffrey

    Hi Jeff,

    The tentative date is around the end of March 2003.

    Kind regards

    Arul

  • ASA (v9.1) site-to-site VPN with IKEv2 and MS SCEP/NDES certificates

    Hi all

    I currently have a problem with a site-to-site VPN using IKEv2 and certificates as the authentication method.

    Here is the configuration:

    We have three locations with an any-to-any layer 2 connection. I set up each ASA (ASA5510, version 9.1) to establish one site-to-site VPN connection to each of the other two locations. Setting this up with pre-shared keys, and with certificates signed manually by the MS CA administrator, works correctly.

    But when we try to enroll these certificates through SCEP/NDES, it does not work.

    Here are my steps:

    1. Configure the CA trustpoint to enroll with the certification authority

    2. Authenticating the CA through the SCEP protocol works fine

    3. Set up a trustpoint and a key pair for the S2S VPN connection

    4. Enrolling the identity certificate with the CA via SCEP with a one-time password works fine

    5. Set the created trustpoint as the IKEv2 authentication method for the S2S VPN

    I did the same for the other side of the VPN tunnel. But when I ping a host at a different location to bring up the VPN tunnel, the VPN session is not established. In the debugs I see that there are some problems during authentication of the remote peer.

    On the MS CA I see that the identity certificates for both ASAs are issued and are not in a revoked or pending state. The certificate is based on the "IPSec (Offline)" template.

    When the CA admin issues me a certificate manually based on a copy of the "Domain Controller" template, the connection is successfully established.

    So I would like to know which is the correct certificate template for IPsec peers to use with SCEP and the MS Enterprise CA (it's a Microsoft Server 2008 R2 Enterprise CA)?

    Anyone done this before?

    The ASA requires that the local and remote certificates contain the EKU IP Security Tunnel Endpoint (1.3.6.1.5.5.7.3.6) (aka IP security tunnel termination). You can create a Microsoft CA template that adds it.

    If you absolutely must go with the 'bad' cert, there is a command

    ignore-ipsec-keyusage

    but it is deprecated and not recommended.

    Meanwhile at the IETF, RFC 4809, section 3.1.6.3 "Extended Key Usage":

    Extended Key Usage (EKU) indications are not required. The presence
    or lack of an EKU MUST NOT cause an implementation to fail an IKE
    connection.
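To make the EKU requirement concrete, here is an added example (not from the thread, and not Cisco or Microsoft code) that builds and parses the DER value of an X.509 Extended Key Usage extension with the standard library only, then applies two acceptance policies to it: the ASA rule exactly as the answer states it (the certificate must carry id-kp-ipsecTunnel, 1.3.6.1.5.5.7.3.6, unless ignore-ipsec-keyusage is configured) and the RFC 4809 rule that EKU presence or absence must not fail IKE. How a real ASA treats a certificate with no EKU extension at all is not stated on this page, so the model treats that case as rejected and says so; the OID values are from RFC 5280.

```python
# Added example, not from the thread or vendor documentation: DER encode and
# decode of an Extended Key Usage value, plus the two policies discussed above.
# Standard library only. OID assignments are from RFC 5280.

IPSEC_TUNNEL = "1.3.6.1.5.5.7.3.6"    # id-kp-ipsecTunnel ("IP security tunnel termination")
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"     # id-kp-serverAuth (what a web-server template issues)


def _base128(n):
    """Encode one OID arc as DER base-128, most significant group first."""
    groups = [n & 0x7F]
    n >>= 7
    while n:
        groups.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(groups))


def _length(n):
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06) from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _length(len(body)) + body


def encode_eku(oids):
    """extnValue of id-ce-extKeyUsage: SEQUENCE OF OBJECT IDENTIFIER."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _length(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Dotted OID from the DER content octets (first two arcs packed as 40*X+Y,
    which is adequate for the 1.3.6.1.5.5.7.3.x arcs used here)."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = arcs[0]
    return ".".join(str(a) for a in [first // 40, first % 40] + arcs[1:])


def decode_eku(der):
    """Parse an EKU value back to a list of dotted OIDs; raises on malformed input."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may contain only OBJECT IDENTIFIERs")
        oids.append(decode_oid(value))
    return oids


def asa_accepts(eku_der, ignore_ipsec_keyusage=False):
    """Peer-certificate EKU check as the answer describes it: the certificate
    must carry id-kp-ipsecTunnel unless the deprecated 'ignore-ipsec-keyusage'
    command is configured. eku_der is None for a certificate with no EKU
    extension; the thread does not say how the ASA treats that, so this model
    rejects it (assumption)."""
    if ignore_ipsec_keyusage:
        return True
    return eku_der is not None and IPSEC_TUNNEL in decode_eku(eku_der)


def rfc4809_accepts(eku_der):
    """RFC 4809 section 3.1.6.3: presence or absence of an EKU MUST NOT make
    the IKE connection fail. Only a malformed encoding is rejected."""
    if eku_der is not None:
        decode_eku(eku_der)
    return True


if __name__ == "__main__":
    good = encode_eku([IPSEC_TUNNEL, SERVER_AUTH])   # what a custom IPsec template should produce
    bad = encode_eku([SERVER_AUTH])                   # e.g. a web-server style template
    print("EKU hex:", good.hex())
    print("ASA accepts good:", asa_accepts(good), "bad:", asa_accepts(bad),
          "bad with ignore-ipsec-keyusage:", asa_accepts(bad, True))
    print("RFC 4809 accepts bad:", rfc4809_accepts(bad), "no EKU:", rfc4809_accepts(None))
```

To check an issued certificate from the template, export it from the MS CA, locate the 2.5.29.37 extension and feed its extnValue octets to `decode_eku`; if `asa_accepts` returns False, the template's Application Policies need "IP security tunnel termination" added before re-enrolling via SCEP.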

  • External URLs

    Hello!

    If a user located on the Internet uses the Horizon Client via PCoIP to get his remote desktop, which URLs should I enable and which can I disable?

    Secure Tunnel External URL, PCoIP External URL and Blast External URL

    The External URL is used for secondary communications made between the client and the server. It is also used as the secure transport when using RDP as the display protocol.

    The PCoIP Secure Gateway is generally used when you have a Security Server deployed, or when you want to funnel all client traffic through a few IP addresses. With the PCoIP Secure Gateway enabled, all PCoIP traffic between the View Agent and the View Client is channeled through the Security Server or the Connection Server. Without this setting enabled, clients and agents communicate directly with one another. The former is generally used in an environment with a firewall, while the latter is most commonly used for internal traffic only.

  • With both internal and external Horizon View clients, do I *have* to have at least one Connection Server per type of connection?

    If I want both external (non-VPN) users and internal LAN users to access View desktops, do I need to have one Connection Server dedicated to external users and another for internal users? Right now I have one Security Server / Connection Server pair, and external connections work fine, but internal connections do not. Do I have to stand up at least one replica Connection Server and change its HTTPS Secure Tunnel URL for internal users only?

    Apparently you don't need a Connection Server dedicated to internal users if you also have external users and a Security Server. I found this out during my troubleshooting. The Security Server URL is configured in View Administrator with an external URL that is resolvable and reachable externally, while the Connection Server URL is configured in View Administrator with a URL that is resolvable and reachable internally.

  • Restarting a View Connection Server: will connections be disconnected?

    I have one View Connection Server and one View Security Server. All connections are pointed at the View Security Server, and both the HTTPS secure tunnel and the PCoIP Secure Gateway are checked in the View Connection Server settings page.

    If I reboot my View Connection Server, will this cut my active sessions? I don't think it should, as all connections are flowing through the Security Server, but I'm not sure.

    Thank you

    It should not affect users already logged in, but the web page will be down and unable to accept any new connections until the machine has come back up.
