Thursday, May 9, 2013

ssl

There are three options to remote access on a Cisco router:

1. PPTP/L2TP + Windows built-in software - simple to configure, CAN use the Internet while using the VPN router

2. IPSec (EZVPN) + Cisco VPN Client software - relatively simple to set up, VPN traffic via the VPN router, Internet traffic via the local router (by enabling split tunnelling)

3. Web SSL VPN + NO software needed - complicated to set up, flexible, can send ALL traffic to the VPN router (or offload Internet traffic via the local router), can bypass firewalls as it is utilising HTTPS; this is the future.
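
To make the full-tunnel versus split-tunnel distinction in options 2 and 3 concrete, here is an added Python illustration (not Cisco code and not part of the original post). It models the routes a VPN client installs in each mode and which next hop a destination takes; the secured network list is a constructed example policy, and the `leaks_outside_tunnel` check is my own helper for spotting private destinations a split-tunnel policy leaves on the local router.

```python
"""Full-tunnel vs split-tunnel next-hop decision (added illustration, not Cisco code)."""
import ipaddress
from typing import Iterable, List, Optional

Network = ipaddress.IPv4Network

# Constructed example policy: the private networks a VPN router would push to
# the client as "secured" when split tunnelling is enabled.
SPLIT_TUNNEL_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.100.0/24"]


def parse_networks(cidrs: Iterable[str]) -> List[Network]:
    """Parse CIDR strings; strict=True rejects entries with host bits set."""
    return [ipaddress.IPv4Network(c, strict=True) for c in cidrs]


def client_routes(secured: Optional[List[Network]]) -> List[str]:
    """Routes the client installs towards the tunnel.

    None models full-tunnel mode: a single default route sends ALL traffic to
    the VPN router. A list models split tunnelling: one route per secured
    network, everything else keeps using the local Internet router.
    """
    if secured is None:
        return ["0.0.0.0/0"]
    return [str(net) for net in secured]


def next_hop(dst: str, secured: Optional[List[Network]]) -> str:
    """Return 'vpn' if the destination is sent through the tunnel, else 'local'."""
    addr = ipaddress.IPv4Address(dst)
    if secured is None:
        return "vpn"
    return "vpn" if any(addr in net for net in secured) else "local"


def leaks_outside_tunnel(dsts: Iterable[str], secured: Optional[List[Network]]) -> List[str]:
    """Destinations that are RFC 1918 private addresses yet would leave via the
    local router: the usual sign that a split-tunnel policy is missing a network."""
    return [d for d in dsts
            if ipaddress.IPv4Address(d).is_private and next_hop(d, secured) == "local"]


if __name__ == "__main__":
    nets = parse_networks(SPLIT_TUNNEL_NETWORKS)
    print("split-tunnel routes:", client_routes(nets))
    print("full-tunnel routes:", client_routes(None))
    for dst in ["10.1.2.3", "192.168.1.5", "8.8.8.8"]:
        print(dst, "->", next_hop(dst, nets))
    print("private destinations not covered:",
          leaks_outside_tunnel(["192.168.1.5", "10.9.9.9"], nets))
```

With the constructed policy, 192.168.1.5 is private but not inside 192.168.100.0/24, so it goes out via the local router; in full-tunnel mode (`secured=None`) every destination, Internet included, takes the VPN router, which is the "send ALL traffic" behaviour of option 3.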


Web SSL VPN delivers the following three modes of SSL VPN access:

• Clientless - Clientless mode provides secure access to private web resources and web content. This mode is useful for accessing most content that you would expect to access in a web browser, such as Internet access, web-based intranets, webmail, etc.

• Thin Client (port-forwarding Java applet) - Thin client mode extends the capability of the cryptographic functions of the web browser to enable remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Telnet and Secure Shell (SSH).

• Tunnel Mode (AnyConnect Secure Mobility Client) - Full tunnel client mode offers extensive application support through its dynamically downloaded Cisco AnyConnect VPN Client (next-generation SSL VPN Client) for SSL VPN. Full tunnel client mode delivers a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that provides network layer access to virtually any application.

The advantage of SSL VPN comes from its accessibility from almost any Internet-connected system without needing to install additional desktop software.


Port reference
GRE: IP protocol number 47.
PPTP: TCP port 1723
L2TP: UDP port 1701

IPSec:
  • IP Protocol ID 50:
    For both inbound and outbound filters. Should be set to allow Encapsulating Security Payload (ESP) traffic to be forwarded.
  • IP Protocol ID 51:
    For both inbound and outbound filters. Should be set to allow Authentication Header (AH) traffic to be forwarded.
  • UDP Port 500:
    For both inbound and outbound filters. Should be set to allow ISAKMP traffic to be forwarded.
Web SSL VPN: TCP port 443
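
As an added example that is not part of the original post, the following Python script applies the port reference above to a few constructed flow records (the kind a firewall or NetFlow export produces) to label the VPN protocols seen per source, and flags L2TP that arrives without any IPSec traffic from the same source, since L2TP itself provides no encryption. The flow records and addresses are constructed; UDP 4500 (IPSec NAT traversal) is included as a known port that the reference above does not list; and the TCP 443 label is deliberately tentative, because Web SSL VPN is indistinguishable from ordinary HTTPS by port alone, which is exactly why it passes firewalls.

```python
"""Label VPN protocols in flow records using the port reference above (added example)."""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed flow records, not a real capture: src,dst,proto,dport
# 203.0.113.x are remote clients, 198.51.100.1 is the VPN router.
SAMPLE_FLOWS = """src,dst,proto,dport
203.0.113.10,198.51.100.1,6,1723
203.0.113.10,198.51.100.1,47,0
203.0.113.20,198.51.100.1,17,500
203.0.113.20,198.51.100.1,50,0
203.0.113.20,198.51.100.1,17,1701
203.0.113.30,198.51.100.1,17,1701
203.0.113.40,198.51.100.1,6,443
203.0.113.40,198.51.100.1,6,80
"""

# (IP protocol number, destination port or None for protocols that carry no port)
VPN_SIGNATURES = {
    (6, 1723): "PPTP control",
    (47, None): "GRE (PPTP data)",
    (17, 1701): "L2TP",
    (17, 500): "ISAKMP/IKE",
    (17, 4500): "IPSec NAT-T",   # UDP 4500, used when IPSec crosses NAT; not in the list above
    (50, None): "IPSec ESP",
    (51, None): "IPSec AH",
    (6, 443): "HTTPS (possible Web SSL VPN)",  # by port alone this is just HTTPS
}
IPSEC_LABELS = {"ISAKMP/IKE", "IPSec NAT-T", "IPSec ESP", "IPSec AH"}


def classify(proto: int, dport: int) -> Optional[str]:
    """Return the VPN protocol label for one flow, or None if it matches nothing."""
    for (sig_proto, sig_port), label in VPN_SIGNATURES.items():
        if sig_proto == proto and (sig_port is None or sig_port == dport):
            return label
    return None


def summarize(flow_csv: str) -> Dict[str, Set[str]]:
    """Map each source address to the set of VPN protocol labels it was seen using."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        label = classify(int(row["proto"]), int(row["dport"]))
        if label is not None:
            seen[row["src"]].add(label)
    return dict(seen)


def unprotected_l2tp(summary: Dict[str, Set[str]]) -> List[str]:
    """Sources sending L2TP (UDP 1701) with no IPSec traffic from the same source.

    L2TP tunnels PPP but does not encrypt it; the Windows client described above
    normally wraps L2TP in IPSec, so bare L2TP on the wire is worth a look.
    """
    return sorted(src for src, labels in summary.items()
                  if "L2TP" in labels and not (labels & IPSEC_LABELS))


if __name__ == "__main__":
    summary = summarize(SAMPLE_FLOWS)
    for src, labels in sorted(summary.items()):
        print(src, sorted(labels))
    print("L2TP without IPSec:", unprotected_l2tp(summary))
```

In the sample, 203.0.113.20 shows IKE, ESP and L2TP together (the normal L2TP/IPSec client), while 203.0.113.30 sends L2TP alone and is reported; 203.0.113.40 only shows HTTPS, which a port-based filter cannot tell apart from a browser session.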

http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol
http://support.microsoft.com/kb/233256
http://technet.microsoft.com/library/cc768084.aspx
http://www.cisco.com/en/US/products/ps6659/prod_configuration_examples_list.html
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80313bdf.pdf
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/904-cisco-router-anyconnect-webvpn.html