Client access VPN recommendation

Security Gateway Discussions
SECOIT GmbH
Posts: 30
Joined: 13 Feb 2018, 16:20

Client access VPN recommendation

Post by SECOIT GmbH » 13 Feb 2018, 16:34

Hi All,
When I did the Clavister VPN class we tested around ten thousand different ways (felt like it at least ;) ) of creating a remote access VPN with Windows.
The question is... Which one does Clavister "officially" recommend to use?

I guess all these options differ in
- Performance (lower data overhead, packet overhead)
- Simplicity (easy to setup, easy to roll-out, easy to maintain e.g. automatic client updating)
- Security ("secure" in terms of not breakable with the available amount of computing power on earth within a reasonable amount of time would be sufficient)

Are there perhaps any comparison documents available that cover these bullet points?

Thanks,
Michael
--
Michael Steffens
SECOIT GmbH
https://www.secoit.de

Peter
Posts: 617
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: Client access VPN recommendation

Post by Peter » 14 Feb 2018, 08:37

Hello.

Clavister recommends the use of IKEv2 tunnels due to several reasons such as:

- Less bandwidth usage
- Support for EAP
- MOBIKE support
- Native NAT support
- Native DPD support

Basically IKEv2 takes the best parts from IKEv1 and refines/optimizes them and more clearly defines how it should behave.

A Lan2Lan tunnel for instance is identical in its setup compared to an IKEv1 tunnel, but the biggest differences come on the client side. In Windows for instance we must use certificates and EAP in order to establish the tunnel. So it can be a bit of a pain to get it working the first time. Luckily cOS's local user database supports EAP, but the certificate part still needs to be handled by third-party software such as Microsoft CA or XCA.

It is however possible to push out the needed certificate/settings to the clients by using GPO in MS AD.

Some reference links:

Configuring Roaming IKEv2 tunnel using XCA CA and FreeRadius
viewtopic.php?f=8&t=5447

IKEv2 roaming tunnel with certificate using iOS
viewtopic.php?f=8&t=6037

Chapter 10 in the admin guide also contains lots of information about IKEv2 and how to setup a tunnel using it. We are also in the process of finalizing the Clavister VPN cookbook which will be available for download on our webpage soon™ :mrgreen:

The VPN book does however not go into details on how to configure third-party certificate systems. For that I recommend checking the above how-tos.

Best regards
/Peter

Peter
Posts: 617
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: Client access VPN recommendation

Post by Peter » 14 Feb 2018, 08:43

Also, if I make a short list of which tunnel is the simplest to set up and use, it would look something like this (most difficult at the top):

1. IKEv2
2. IKEv1 with L2TP
3. SSL VPN
4. PPTP

But at the same time if we look at encryption strength/security and that sort of thing it would be like this (best encryption capability at the top):

1. IKEv2
2. IKEv1 with L2TP
3. SSL VPN
4. PPTP

So I guess you could say the more complex it is to set up, the more secure it is, based on the above lists :mrgreen:

Best regards
/Peter

SECOIT GmbH
Posts: 30
Joined: 13 Feb 2018, 16:20

Re: Client access VPN recommendation

Post by SECOIT GmbH » 17 Feb 2018, 15:40

Hi Peter,

Many thanks for your detailed replies!

"Difficult" setup is not a big issue as long as it can be automated (GPOs etc.) and doesn't have to be done manually on each client. All our customers have an AD anyway, most of them have automatic certificate deployment (for WLAN access with WPA Enterprise and RADIUS), and currently some of them are in the process of deploying certs to smart cards / Yubikeys for 2FA/MFA, so the part with certs has basically been taken care of already.

The important part for me is to have it safe, fast (in terms of VPN performance) and with low/no manual maintenance requirement (for example no manual updating of client VPN software) to keep the TCO low for the customer.

I'll focus on IKEv2 then.

Best Regards,
Michael
--
Michael Steffens
SECOIT GmbH
https://www.secoit.de

vikaskundu
Posts: 1
Joined: 31 Mar 2018, 14:09

Re: Client access VPN recommendation

Post by vikaskundu » 31 Mar 2018, 14:12

Hi Peter, I've installed the Clavister Authenticator app on my Google Pixel 2 which is running on Android 8.1. But as I open the app it is simply loading a blank white screen on startup and crashes itself automatically in a few seconds. Any idea how to get it working?

Har-Ben
Posts: 33
Joined: 08 Dec 2016, 07:59

Re: Client access VPN recommendation

Post by Har-Ben » 18 May 2018, 09:29

Aren't the commercial ones best for security and privacy? I have never used Clavister VPN. Still using the old ones that I believe I purchased on a deal somewhere near Black Friday. Bestvpn from here I believe.

Also, my connection is mainly passing through PPTP; when the VPN is on it changes to IKEv1 with L2TP. Is it secure enough?

Peter
Posts: 617
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: Client access VPN recommendation

Post by Peter » 28 May 2018, 13:40

vikaskundu wrote: Hi Peter, I've installed the Clavister Authenticator app on my Google Pixel 2 which is running on Android 8.1. But as I open the app it is simply loading a blank white screen on startup and crashes itself automatically in a few seconds. Any idea how to get it working?

We have received reports that some people have problems with the app; you could use the "Phenix Pocket Pass" as an alternative until the problem(s) have been sorted.

/Peter

Peter
Posts: 617
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: Client access VPN recommendation

Post by Peter » 28 May 2018, 13:48

Har-Ben wrote: Aren't the commercial ones best for security and privacy? I have never used Clavister VPN. Still using the old ones that I believe I purchased on a deal somewhere near Black Friday.

Also, my connection is mainly passing through PPTP; when the VPN is on it changes to IKEv1 with L2TP. Is it secure enough?

The commercial VPN clients (I usually call them "Pure IPsec clients") are usually superior in their ability to be customized. But if you for instance use Windows IKEv2 and it negotiates AES-256 with SHA-256, that is very strong encryption and should be safe to use for quite some time.

PPTP should not be used as its encryption is very weak compared to IPsec. IKEv1 with L2TP should still be OK as long as you do not use MD5 (SHA1 is starting to be considered insecure/weak as well), but the best is IKEv2 and AES-256 with SHA-256 (and higher) or XCBC.

/Peter
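One way to apply Peter's advice from both of his replies (Windows' built-in IKEv2 client, certificate authentication rolled out via GPO, and AES-256 with SHA-256 rather than whatever the client proposes by default) is to script the client profile instead of configuring each machine by hand. This is an added PowerShell example, not code from the thread or from Clavister; the profile name, the gateway FQDN and the use of an auto-enrolled machine certificate are assumptions.

```powershell
# Added example: create a Windows IKEv2 VPN profile, pin its IKE/ESP proposal to
# AES-256 / SHA-256 / DH group 14, and show what was stored. Run elevated; the
# cmdlets come from the built-in VpnClient module (Windows 8.1 / 2012 R2 and later).

$ConnectionName = 'Corp-IKEv2'        # assumed profile name
$GatewayFqdn    = 'vpn.example.com'   # assumed gateway FQDN; must match the gateway certificate's SAN

# Remove a stale profile with the same name so the script is safe to re-run,
# e.g. from a GPO startup script.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -Force
}

# MachineCertificate uses the computer certificate that AD auto-enrolment already
# placed in the local machine store. Use -AuthenticationMethod Eap instead for
# user certificates or smart cards / Yubikeys.
# SplitTunneling $false sends all traffic through the tunnel; RememberCredential
# $false keeps no cached secret on the client.
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $GatewayFqdn `
                  -TunnelType Ikev2 `
                  -AuthenticationMethod MachineCertificate `
                  -EncryptionLevel Required `
                  -SplitTunneling $false `
                  -RememberCredential $false `
                  -Force

# Pin the proposal explicitly: AES-256 for IKE and ESP, SHA-256 integrity,
# 2048-bit DH for IKE and for PFS. The gateway's IKE/IPsec algorithm lists must
# contain a matching proposal or the negotiation fails (check the gateway log).
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -PfsGroup PFS2048 `
    -Force

# Verify the stored profile before rolling it out; IPsecCustomPolicy shows the
# pinned algorithms rather than the client defaults.
Get-VpnConnection -Name $ConnectionName |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod,
                EncryptionLevel, SplitTunneling, IPsecCustomPolicy
```

After deployment, `Get-VpnConnection` on a client and the gateway's IKE log together confirm that AES-256/SHA-256 was actually negotiated and not silently downgraded.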

SECOIT GmbH
Posts: 30
Joined: 13 Feb 2018, 16:20

Re: Client access VPN recommendation

Post by SECOIT GmbH » 29 Aug 2018, 11:11

Hi Peter,

Many thanks again for guiding me to IKEv2. Never used it before you suggested it since I always used OpenVPN whenever possible.

Since I use IKEv2 with several setups now I really like it and I even started replacing OpenVPN setups on other firewall gateways with IKEv2. It's just so much faster to connect, can be easily rolled out via Windows GPO, and doesn't require any client installing/updating (OS does it since it's included basically everywhere).

I tried IKEv2 client authentication to cOS Core via a Windows RADIUS server using username/password, user certificate, computer certificate, even a certificate on a Yubikey with touch policy works.
All works very well without any 3rd party software (well, Windows AD is required of course).

So... thanks again!


Best Regards,
Michael
--
Michael Steffens
SECOIT GmbH
https://www.secoit.de
