Client access VPN recommendation

SECOIT GmbH
Posts: 17
Joined: 13 Feb 2018, 16:20
Contact:

Client access VPN recommendation

Postby SECOIT GmbH » 13 Feb 2018, 16:34

Hi All,
When I did the Clavister VPN class we tested around ten thousand different ways (felt like it at least ;) ) of creating a remote access VPN with Windows.
The question is... Which one does Clavister "officially" recommend to use?

I guess all these options differ in
- Performance (lower data overhead, packet overhead)
- Simplicity (easy to set up, easy to roll out, easy to maintain, e.g. automatic client updating)
- Security ("secure" in terms of not breakable with the available amount of computing power on earth within a reasonable amount of time would be sufficient)

Are there probably any comparing documents available that cover these bullet points?

Thanks,
Michael
--
Michael Steffens
SECOIT GmbH
https://www.secoit.de

Peter
Posts: 572
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: Client access VPN recommendation

Postby Peter » 14 Feb 2018, 08:37

Hello.

Clavister recommends the use of IKEv2 tunnels due to several reasons such as:

- Less bandwidth usage
- Support for EAP
- MOBIKE support
- Native NAT support
- Native DPD support

Basically IKEv2 takes the best parts from IKEv1 and refines/optimizes them and more clearly defines how it should behave.

A Lan2Lan tunnel for instance is identical in its setup compared to an IKEv1 tunnel, but the biggest differences come on the client side. In Windows for instance we must use certificates and EAP in order to establish the tunnel. So it can be a bit of a pain to get it working the first time. Luckily cOS's local user database supports EAP, but the certificate part still needs to be handled by third party software such as Microsoft CA or XCA.

It is however possible to push out the needed certificate/settings to the clients by using GPO in MS AD.

Some reference links:

Configuring Roaming IKEv2 tunnel using XCA CA and FreeRadius
https://forums.clavister.com/viewtopic.php?f=8&t=5447

IKEv2 roaming tunnel with certificate using iOS
https://forums.clavister.com/viewtopic.php?f=8&t=6037

Chapter 10 in the admin guide also contains lots of information about IKEv2 and how to set up a tunnel using it. We are also in the process of finalizing the Clavister VPN cookbook which will be available for download on our webpage soon™ :mrgreen:

The VPN book does however not go into details on how to configure third party certificate systems. For that I recommend checking the above how-tos.

Best regards
/Peter
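
As an illustration of the Windows client setup described in the post above (certificate trust plus EAP over IKEv2, rolled out without manual steps), here is an added PowerShell example; it is not part of the original post and not Clavister's own tooling. The connection name, gateway name, CA thumbprint and the IPsec proposal values are placeholders and assumptions that must match what the gateway is actually configured with.

```powershell
# Added example: run elevated, e.g. from a GPO startup script. All values are placeholders.
$ConnName = 'Corp IKEv2'              # hypothetical connection name
$Gateway  = 'vpn.example.com'         # placeholder; must match the name in the gateway certificate
$CaThumb  = '<ROOT-CA-THUMBPRINT>'    # placeholder; CA that signed the gateway certificate

# 1. The client must trust the CA behind the gateway certificate,
#    otherwise the IKEv2 negotiation is rejected before EAP even starts.
$ca = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $CaThumb
if (-not $ca) {
    throw "Root CA $CaThumb is not in LocalMachine\Root; deploy it (for example via GPO) first."
}
if ($ca.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Root CA expires on $($ca.NotAfter); plan the renewal."
}

# 2. Create the connection only if it is missing, so the script can be re-run safely.
#    Without -EapConfigXmlStream Windows uses its default EAP settings;
#    that the gateway accepts them is an assumption of this example.
$existing = Get-VpnConnection -Name $ConnName -AllUserConnection -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-VpnConnection -Name $ConnName -ServerAddress $Gateway `
        -TunnelType Ikev2 -AuthenticationMethod Eap -EncryptionLevel Required `
        -AllUserConnection -Force
}

# 3. Pin the IKE/IPsec proposals explicitly instead of relying on client defaults.
#    The values below are assumed; use the ones configured on the gateway's tunnel.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName -AllUserConnection `
    -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup PFS2048 -Force

# 4. Show the resulting settings for the deployment log.
Get-VpnConnection -Name $ConnName -AllUserConnection |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
```

If the proposals pinned in step 3 do not match the gateway, the tunnel fails during negotiation, so compare them against the tunnel's configured algorithms before rolling the script out.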

Peter
Posts: 572
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: Client access VPN recommendation

Postby Peter » 14 Feb 2018, 08:43

Also, if I make a short list of which tunnel is most simple to set up and use, it would look something like this (most difficult at the top):

1. IKEv2
2. IKEv1 with L2TP
3. SSL VPN
4. PPTP

But at the same time if we look at encryption strength/security and that sort of thing it would be like this (best encryption capability at the top):

1. IKEv2
2. IKEv1 with L2TP
3. SSL VPN
4. PPTP

So I guess you could say the more complex it is to set up, the more secure it is, based on the above lists :mrgreen:

Best regards
/Peter

SECOIT GmbH
Posts: 17
Joined: 13 Feb 2018, 16:20
Contact:

Re: Client access VPN recommendation

Postby SECOIT GmbH » 17 Feb 2018, 15:40

Hi Peter,

Many thanks for your detailed replies!

"Difficult" setup is not a big issue as long as it can be automated (GPOs etc.) and doesn't have to be done manually on each client. All our customers have an AD anyway, most of them have automatic certificate deployment (for WLAN access with WPA enterprise and RADIUS) and currently some of them are in the process of deploying certs to smart cards / Yubikeys for 2FA/MFA, so the part with certs has basically been taken care of already.

The important part for me is to have it safe, fast (in terms of VPN performance) and with low/no manual maintenance requirement (for example no manual updating of client VPN software) to keep the TCO low for the customer.

I'll focus on IKEv2 then.

Best Regards,
Michael
--
Michael Steffens
SECOIT GmbH
https://www.secoit.de

vikaskundu
Posts: 1
Joined: 31 Mar 2018, 14:09

Re: Client access VPN recommendation

Postby vikaskundu » 31 Mar 2018, 14:12

Hi Peter, I've installed the Clavister Authenticator app on my Google Pixel 2 which is running on Android 8.1. But as I open the app it is simply loading a blank white screen on startup and crashes itself automatically in a few seconds. Any idea how to get it working?

Har-Ben
Posts: 33
Joined: 08 Dec 2016, 07:59

Re: Client access VPN recommendation

Postby Har-Ben » 18 May 2018, 09:29

Aren't the commercial ones best for security and privacy? I have never used Clavister VPN. Still using the old ones that I believe I purchased on a deal somewhere near Black Friday. Bestvpn from here I believe.

Also, my connection is mainly passing through PPTP, when VPN is on it changes to IKEv1 with L2TP. Is it secure enough?

