IPSec VPN help needed- how does this work?

Posted on 2005-04-25
Last Modified: 2010-05-18
Ok, well at my company we are using a hardware firewall (Smoothwall Express 2.0- fix6, with the VPN IPSec3.1.1 pack).

I successfully configured my firewall with the VPN IPSec mod- and a client (my laptop- a test road-warrior) using SSHSentinel as the IPSec client for the laptop. Successfully made the connection with shared secret etc... I just have a couple of questions- I am a complete newbie to VPNs and need some guidance.

- Here at work we are an Active Directory Integrated domain (Win2003 and 2k servers)

1) Now that I can successfully connect to the firewall from the laptop using SSHSentinel, what do I need to do next on my domain (internal) side to allow for individual users to authenticate and access pre-determined resources via the VPN tunnel?
Since the Firewall is the VPN endpoint, I guess I do not need to configure a Routing and remote access server. I want to allow only pre-determined users (which will be mobile users and a couple at-home users) to:
a.) Access their User Folders
b.) Remote Desktop Connection to their individual work computer

2) I want to make these connections as SECURE as possible- Is a shared secret enough security for the client (SSHSentinel) to authenticate to the firewall?

3) I gave this a test run from my house and successfully connected to the domain. Since I know the IP addresses of my domain, I tried accessing a file server's shares and was successful (and was prompted for username and password before it let me), logging in as the admin. Is this how the users will be doing it? I need a push in the right direction here!!!

I want to keep security in mind as I am setting this up, and very much appreciate any and all help.

Question by:Trihimbulus
    LVL 79

    Expert Comment

    Looks like you're definitely on the right track. You've already noted that users can accomplish both 1a and 1b.
    Regarding #2, yes, it is secure. The shared secret is only used as a hash to establish the encrypted tunnel. Assuming that you are using 3DES or AES encryption level, then all traffic between the client and the LAN is encrypted within this tunnel, so it is very secure.
    #3 - yep, that's exactly how I would expect it to work, with the security of the AD domain username/password protecting individual hosts within the LAN. If you use a VPN client that allows you to start the tunnel session before logging in to the computer, then you can log in just like you're on the local LAN and only be authenticated once. I don't know that the SSH Sentinel can do that. I do know that the Cisco VPN client can, but you probably can't use that client with the Smoothwall.

    Nice job!
    LVL 27

    Expert Comment

    2) I want to make these connections as SECURE as possible- Is a shared secret enough security for the client (SSHSentinel) to authenticate to the firewall?

    It depends.  It's "ok" ... but you could do more.  It depends on how much you want to spend on a better solution, or what the risk is like and what the value of the risk being realized is.  We use two-factor authentication - something you have, and something you know.  With your shared secret - if someone loses their laptop, the secret goes with it.  A third party could find the laptop and use the VPN to connect to the last connection they did without being prompted to identify themselves - since the laptop has the shared secret.  Whereas, if they had a SecureID token - this token changes every 60 seconds and requires the user to enter a PIN also.  So, it's something they have and something they know.  You could get fancier and make it three-factor with biometrics - so it could be have, know, and something they ARE - (finger scan, iris scan, typing analysis, etc).

    So, as lr mentioned, your encryption is good (3DES or AES), but your authentication is a little weak.
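    The "shared secret on every laptop" weakness described in the comment above, shown as a gateway configuration, is an added illustration and not part of the original thread. It assumes the Smoothwall IPSec pack is built on FreeS/WAN and that its web form produces a file of this shape (FreeS/WAN/Openswan ipsec.conf syntax; the X.509 keywords need the FreeS/WAN X.509 patch or Openswan). The LAN address, file names and secret are placeholders.

```conf
# /etc/ipsec.conf  (assumption: FreeS/WAN / Openswan syntax, as the Smoothwall pack would generate)

config setup
        interfaces=%defaultroute

conn %default
        keyingtries=0
        ike=3des-sha1-modp1024        # IKE phase 1 proposal; 3DES as discussed on the page
        esp=3des-sha1                 # ESP phase 2 proposal

# WEAK: road-warrior tunnel authenticated by one shared secret.
# Every laptop carries the same secret, so whoever holds a lost laptop holds the
# key, and the only way to lock that laptop out is to change the secret for everyone.
conn roadwarrior-psk
        left=%defaultroute            # the firewall itself
        leftsubnet=192.168.1.0/24     # LAN behind the firewall (placeholder)
        right=%any                    # road warriors come from any address
        authby=secret
        auto=add

# BETTER: one X.509 certificate per user, signed by your own CA, plus a gateway cert.
# A lost laptop's certificate is revoked on its own (CRL) without touching anyone else,
# and the private key on the laptop can be protected with a passphrase the user knows.
conn roadwarrior-cert
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        leftcert=gateway.pem          # placeholder: the firewall's certificate
        leftrsasigkey=%cert
        right=%any
        rightrsasigkey=%cert
        rightca=%same                 # accept only clients signed by the same CA as the gateway
        authby=rsasig
        auto=add
```

    The matching ipsec.secrets line changes from `%any : PSK "one-secret-for-everyone"` (the weak form) to `: RSA gateway.key "passphrase"` (the gateway's own private key; each user's key stays on the user's laptop). Whichever form is used, the tunnel only authenticates the laptop to the firewall; the username/password prompt from the file server is still what identifies the person, exactly as the thread notes.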

    Author Comment

    Great posts so far! So now where I am at is I have established that secure tunnel to both endpoints. Now I need user Authentication, which I have learned requires help from a Routing and Remote Access Server on my LAN.

    Ok, so once the IPSec tunnel is established between the client and the firewall endpoints, I am going to need to forward some ports to my RRAS. Here at my company we use Outlook Web Access over HTTPS which means we are port forwarding ports 25, 80, and 443 to the exchange server.

    1) What traffic do I forward to my Routing and Remote Access server? As I mentioned, this will provide for the Authentication part of this process. I am guessing once Authenticated into the domain, they will be able to access only what I have set permissions on (making a VPN Users Group and assigning permissions to objects that they may r/w/x)

    This is where I am lost... I am almost there...

    Author Comment

    Ok I think I get it- so now that I have created an IPSec tunnel between remote workstation and the firewall (endpoint), I should set up a PPTP connection inside this tunnel. This will provide for Authentication and added security. Is this correct???
    LVL 79

    Accepted Solution

    Once you have a tunnel, that's it. You don't need to create yet another pptp connection within that tunnel.

    >I tried accessing a file server's shares and was succesful (and was prompted for username and password before it let me)
    This *is* your authentication and security - the OS of every box that you're trying to touch once you have created the VPN tunnel.

    You *could* forward the initial authentication of the VPN tunnel over to Windows using Radius, but it won't buy you much. SSH Sentinel is not a "windows" networking client, and will not carry the credentials over to the other systems that you want to touch. You'll still get prompted for username/password each time.

