This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN for IOS and OpenVPN Question

Hi, I would like to provide for IOS Devices the most secure VPN for Active Directory Users. First I thought about L2TP IPSEC and RADIUS.
But now I read https://www.cloudcracker.com/ are offering for 200 Dollar MSChap V2 Passwort cracking. Radius is using MSChap V2 so I am not sure if I should use it, if it is so easy. On their Website they say MSChap V2 and PPTP but how Secure is the Combination of L2TP IPSEC Radius ?
Whats the best way to provide a VPN for IOS ?
How secure is Cisoc IPSEC ? It can also Authenticate Active Directory Users.
What do you think what should I use?

And I read that L2TP IPSEC Radius has a bug and is not in the User Portal so I need to share the Pre shared key manually...

What should I use?

This thread was automatically locked due to age.

Parents

0 BAlfson over 13 years ago

There are two places that are exposed - between the client and the Astaro and between the Astaro and the AD server.  We have to assume that it's only the first one we need to worry about, so RADIUS doesn't have any more exposure than using Local authentication.  Astaro-Sophos doesn't see the issue with the User Portal as a bug (I do!), but you're right that L2TP/IPsec and PPTP aren't there if RADIUS is used.

The most-secure is with a certificate, so that leaves out PPTP, and it requires syncing VPN users to the Astaro from the AD.  The SSL VPN and L2TP/IPsec can be configured with a certificate for Windows and Macs, but iPhones and iPads don't support certs for L2TP/IPsec and can't do SSL VPNs.

If you're worried about the MS-CHAPv2 cracking, the only secure Astaro solution for iOS at present is the 'Cisco™ VPN Client'.  This requires adding the synced users to 'Allowed users' or to a local group already in there, and the same is true of L2TP/IPsec.

For non-iOS devices, the SSL VPN does allow you to use a Backend Group in 'Allowed Users', so, with a lot of users, you save effort by not having to populate that manually with the synced users.

There are some downsides to using the SSL VPN.  When you have lots of users, the same hardware only supports about a fifth the number that L2TP and IPsec support.  The client must be installed and be run as administrator (in V9, it doesn't need to be run as administrator).

Windows and Astaro don't provide free clients for IPsec or Cisco, so most will choose SSL VPN or L2TP/IPsec for Windows users.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 bigdaddy over 13 years ago in reply to BAlfson

There are two places that are exposed - between the client and the Astaro and between the Astaro and the AD server.  We have to assume that it's only the first one we need to worry about, so RADIUS doesn't have any more exposure than using Local authentication.  Astaro-Sophos doesn't see the issue with the User Portal as a bug (I do!), but you're right that L2TP/IPsec and PPTP aren't there if RADIUS is used.

The most-secure is with a certificate, so that leaves out PPTP, and it requires syncing VPN users to the Astaro from the AD.  The SSL VPN and L2TP/IPsec can be configured with a certificate for Windows and Macs, but iPhones and iPads don't support certs for L2TP/IPsec and can't do SSL VPNs.

If you're worried about the MS-CHAPv2 cracking, the only secure Astaro solution for iOS at present is the 'Cisco™ VPN Client'.  This requires adding the synced users to 'Allowed users' or to a local group already in there, and the same is true of L2TP/IPsec.

For non-iOS devices, the SSL VPN does allow you to use a Backend Group in 'Allowed Users', so, with a lot of users, you save effort by not having to populate that manually with the synced users.

There are some downsides to using the SSL VPN.  When you have lots of users, the same hardware only supports about a fifth the number that L2TP and IPsec support.  The client must be installed and be run as administrator (in V9, it doesn't need to be run as administrator).

Windows and Astaro don't provide free clients for IPsec or Cisco, so most will choose SSL VPN or L2TP/IPsec for Windows users.

Cheers - Bob

I Found the Following PDF Document From Apples Website.

URL: https://www.apple.com/ipad/business/docs/iOS_VPN_Mar12.pdf

Supported Protocols and Authentication Methods For VPNs.

SSL VPN
Supports user authentication by password, two-factor token, and certificates.

Cisco IPSec
Supports user authentication by password, two-factor token, and machine
authentication by shared secret and certificates.

L2TP over IPSec
Supports user authentication by MS-CHAP v2 Password, two-factor token, and
machine authentication by shared secret.

PPTP
Supports user authentication by MS-CHAP v2 Password and two-factor token.

Pros and Cons

Cisco IPSec: Supports Certificates But Does not let you Send All Traffic.

L2TP over IPSec: Lets you Send All Traffic But Does Not Support Certificates.

SSL VPN: Sends All Traffic and Supports Certificates. The Most Secure Solution for IOS Devices like the iPad.

So Here is my Question when will Sophos Update UTM 9 to Support SSL VPN for IOS Devices ?

Thanks.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 bigdaddy over 13 years ago in reply to BAlfson

There are two places that are exposed - between the client and the Astaro and between the Astaro and the AD server.  We have to assume that it's only the first one we need to worry about, so RADIUS doesn't have any more exposure than using Local authentication.  Astaro-Sophos doesn't see the issue with the User Portal as a bug (I do!), but you're right that L2TP/IPsec and PPTP aren't there if RADIUS is used.

The most-secure is with a certificate, so that leaves out PPTP, and it requires syncing VPN users to the Astaro from the AD.  The SSL VPN and L2TP/IPsec can be configured with a certificate for Windows and Macs, but iPhones and iPads don't support certs for L2TP/IPsec and can't do SSL VPNs.

If you're worried about the MS-CHAPv2 cracking, the only secure Astaro solution for iOS at present is the 'Cisco™ VPN Client'.  This requires adding the synced users to 'Allowed users' or to a local group already in there, and the same is true of L2TP/IPsec.

For non-iOS devices, the SSL VPN does allow you to use a Backend Group in 'Allowed Users', so, with a lot of users, you save effort by not having to populate that manually with the synced users.

There are some downsides to using the SSL VPN.  When you have lots of users, the same hardware only supports about a fifth the number that L2TP and IPsec support.  The client must be installed and be run as administrator (in V9, it doesn't need to be run as administrator).

Windows and Astaro don't provide free clients for IPsec or Cisco, so most will choose SSL VPN or L2TP/IPsec for Windows users.

Cheers - Bob

I Found the Following PDF Document From Apples Website.

URL: https://www.apple.com/ipad/business/docs/iOS_VPN_Mar12.pdf

Supported Protocols and Authentication Methods For VPNs.

SSL VPN
Supports user authentication by password, two-factor token, and certificates.

Cisco IPSec
Supports user authentication by password, two-factor token, and machine
authentication by shared secret and certificates.

L2TP over IPSec
Supports user authentication by MS-CHAP v2 Password, two-factor token, and
machine authentication by shared secret.

PPTP
Supports user authentication by MS-CHAP v2 Password and two-factor token.

Pros and Cons

Cisco IPSec: Supports Certificates But Does not let you Send All Traffic.

L2TP over IPSec: Lets you Send All Traffic But Does Not Support Certificates.

SSL VPN: Sends All Traffic and Supports Certificates. The Most Secure Solution for IOS Devices like the iPad.

So Here is my Question when will Sophos Update UTM 9 to Support SSL VPN for IOS Devices ?

Thanks.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data