Help, does anyone know how I can configure a Watchguard X1000 to allow users to connect to the VPN using PPTP where the external IP address is provided using PPPoE? I have no way to change the external IP to a static address as the ISP in this case (Etisalat in Dubai) do not provide static IP addresses on DSL lines! I have the X1000 set up with VPN tunnels between the UK branches and the Dubai branch using a dynamic DNS name which the Dubai server updates when the IP address changes and these work OK (most of the time). However if I try to get a mobile user connected the X1000 bloks theincoming packet automatically even though I have incoming VPNport traffic set to allowed. I also cannot access the Remote User setup options to check the settings. I compared a config file from our X1000 to the one for Dubai and managed to amend the file to give the appropriate IP address options, etc. And also changed 'networking.remotevpn.ppt p.active' from 'no' to 'yes'.
Cable/DSL VPN Router BEFVP41 v2 User Guide. Basic PPPoE Setup 14. Figure 6-12: Setup tab - MAC Address Clone 25.
However if I try to save this configuration file back to the X1000 in Dubai it returns an error message saying 'PPTP clients are not supported when networking.dynamicip is true'. As mentioned, a static IP address is not an option, but can anyone give me any pointers at all. I am getting my backside kicked about this. Thanks, Eddie. Which version of WG software are you running if you are running version 10.x then with PPPoE and dynaic IP you can enable dynamic DNS on external interface and then configure remote user VPN regularly.
I would like to point out here that, currently firebox only supports DynDNS and NO other dynamic DNS providers. Other option is bit tricky, as GUI would disable remote user option itself when on dynamic IP then we can put up a cheap device eg, D-link router (or any other brand as you wish) in between DSL modem and FB.
Now configure FB with static IP which would be on NATted subnet behind the router. Also, configure router to forward all ports to the FB IP something like DMZ. With this configuration you would get remote user VPN to work, here the success rate may not be 100% due to NAT implementation by different devices/vendors and ISP restrictions.
It’s been weeks since Apple released its new operating systems, iOS 10 and mac OS Sierra. The new updates brought security patches, features and upgrades. Has finally arrived on desktops, and an exciting universal clipboard allows you to select photos from an iPhone device and paste them directly on the desktop. However, with these changes, Apple has decided to leave old loose ends which could affect the security of its products. One of the changes is Apple’s departure from the PPTP encryption protocol in its built-in VPN. The reason for such a step is because of a found in this security protocol.
Apple has publicly announced the and encouraged the use of other security protocols, such as L2TP/IPsec, IKEv2/IPsec, Cisco IPsec, and SSL VPN. PPTP (Point-To-Point Tunneling protocol) – which is considered weak encryption protocol – is also perceived as the fast communication protocol that offers better speed than other protocols. It leaves many PPTP VPN users frustrated as they are hand-tied to using third-party client applications in order to use PPTP VPN connection. Microsoft also mentioned and advised its users to use alternative protocols in a: “iOS 10 no longer supports the PPTP VPN protocol. If you have deployed any custom profiles in Intune that use the PPTP protocol, iOS 10 will remove the PPTP connections from any VPN profiles when a user upgrades their device. Intune supports alternatives to PPTP from the IT Admin console.” Apple has always been taken the security a top priority, which could be seen by the recent question and answers session by the company’s CEO, Tim Cook. There, he described encryption as “one of the things that make the public safe.” He further said: “We feel we have a responsibility to protect our customers.” “We believe the only way to protect both your privacy and safety from a cyber attack is to encrypt.
We throw all of ourselves into this and are very much standing on principle in this.” While departing from a PPTP connection may seem a frustration for some and a cumbersome process for organizations to update their protocols, it is also a step forward to ensure the security of those who are using and iOS devices. Understanding the said protocols L2TP/IPsec L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol used in VPN connection. It does not have its own encryption algorithm but relies on the encryption suite of IPsec, which authenticates and encrypts each IP packet of a communication taking place. This protocol offers a balance of speed and security as compared to PPTP. However, L2TP is not compatible with NAT, port-forwarding becomes a necessity in some cases, and if the IP of the IPsec server changes, all clients needs to be informed of the change.
IKEv2/IPsec (VPN Reconnect) IKEv2 (Internet Key Exchange version 2) is a tunneling protocol that uses IPsec encryption protocol over UDP port 500. Jointly developed by Microsoft and Cisco, also dubbed as “VPN reconnect,” IKEv2 provides resilience to the VPN connection. When the VPN client moves from one wireless hotspot to other, it automatically disconnects all internet activities when a VPN connection is lost and re-establishes the connection upon successful connectivity. Mobile users specifically can benefit from such a protocol. However, it is not supported on many platforms as it is fairly new to VPN services. In many cases, they just offer a “kill switch option” as a feature in their VPN client.
Cisco IPsec Cisco IPsec is a tunneling protocol typically used in the network infrastructure of organizations to secure the communications between Cisco routers and VPN clients. Cisco IPsec applies without affecting the individual workstations, which typically occurs in IPsec. The benefits of Cisco IPsec technology over typical IPsec protocol is that it applies to all the traffic cross the perimeter of the company’s network. There is no need to change the software on the server system.
It supports remote access of offsite workers. SSL VPN SSL (Secure Socket Layer) VPN works similar to traditional VPN. The technology has grown in popularity as compared to its counterpart IPsec and allows users to connect remotely to their organizations, obtaining access to the restricted network. It adds advanced encryption technology of SSL and transmits data through an encrypted tunnel to a VPN concentrator, which gives the appearance of a user as that of the local network regardless of the actual location of the user.
Choosing Between Tunneling Protocols When choosing between L2TP, Cisco IPsec, SSL VPN, and IKEv2/IPsec VPN solutions, consider the following:. PPTP, unlike other protocols, does not require PKI (Public Key Infrastructure). PPTP VPN provides data confidentiality (captured packets cannot be decoded without encryption key). However, PPTP VPN does not offer data integrity (data was not modified in transit) or data origin authentication (data sent by authorized user). L2TP supports either preshared key or computer certificates as the authentication method for IPSec encryption protocol. Computer Certificate Authentication is the recommended method, which requires the PKI to issue computer certificates at each communication step between VPN server and VPN client.
L2TP offers data confidentiality, data authentication, and data integrity. Unlike other protocols, L2TP facilitates machine authentication at IPsec layer and authentication at user level at PPP layer. Cisco IPsec is suitable for organizations to secure network infrastructure. IKEv2 support is limited to systems running Windows 7 and Windows Server 2008 R2.
IKEv2 supports latest IPsec encryption ciphers. It supports mobility (MOBIKE), which handles the VPN connectivity issues, and it is a good choice for users. It provides data integrity, confidentiality, and authentication.
SSL VPN supports the latest technology of SSL as compared to its counterpart IPsec. It is widely used in OpenVPN client. OpenVPN is an open-source software application that applies VPN techniques to create secure connections. It utilizes TLS/SSL for key exchange.
It is NAT- and firewall-friendly. Though it offers strong security but it slows down the speed as compared to its counterparts. Apple has removed PPTP support for its built-in VPN, but it doesn’t limit you from installing third-party VPN client software. However, even with third-party VPN client, it is suggested not to use a PPTP VPN connection (as it has become outdated and vulnerable to cyber attacks) when other strong security protocols are available. About the Author: Peter Buttler is a professional security expert and lecturer. He serves as a digital content editor for different security organizations.
While writing he likes to emphasize on recent security trends and some other technology stuff. You can follow him on. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.