• Status: Solved
  • Priority: Medium
  • Security: Public

IPSEC through Proxy server? Possible?

I have a proxy server at work and I would like to use my own 2x IPSEC VPN routers (WRVS4400Nv2), 1x at home and 1x here at work, to be able to tunnel through the proxy. Is that possible? Or does it depend on the proxy server?
If that is tricky, what other solutions do I have to get through the proxy? Thanks
Asked by: Andreas-NYC
1 Solution
 
John Hurst, Business Consultant (Owner), commented:
I can't say that it will not work, but I have never seen it work. IPsec needs the actual IP at the end points and I do not think it will navigate through a proxy server. ... Thinkpads_User
 
Jimmy Larsson, CISSP, CEH, Network and Security consultant, commented:
Nope. The basic functionality of a proxy means that it terminates the session and establishes a new connection on behalf of the client. That's the concept of the term "proxy". Since IPsec is (usually) encrypted as well as integrity checked, the in-between proxy cannot terminate and/or re-establish the traffic.

/Kvistofta
 
arnold commented:
It all depends on the configuration of the firewall behind which you will be placing the WRVS4400Nv2 router.
The IPSEC connection to be established will always have to travel from office to your home, unless other changes are made to the office firewall to route the IPSEC traffic, if it is not currently handled in the office, to the WRVS4400Nv2.
internet <=> office firewall: port 500 requests go to the WAN side of the WRVS4400Nv2.

An IPSEC connection is a port 500 UDP/TCP connection and would not go through a proxy.
Companies would likely block any outgoing IPSEC or other VPN connection from their LAN to secure their LAN.

If your home WRVS4400Nv2 does not have a static IP or you are not using one of the dynamically tracking Dynamic DNS registration services, the IPSEC VPN connection would only be established when your work WRVS4400Nv2 is configured with the IP of the home WRVS4400Nv2, i.e. your home WRVS4400Nv2 will be set up to accept a connection from any source with any IP/segment.

The group, encryption and the passphrase will be what will limit who can connect.
Do not use aggressive mode if available; only use normal mode for key exchange.
Andreas-NYC (Author) commented:
Thanks ...
So what other options do I have to tunnel through my work's proxy? Any? PuTTY? SSH?
 
John Hurst, Business Consultant (Owner), commented:
As we noted, proxies and tunnels are not interoperable. If you can do it, get rid of the proxies. If not, consider a secondary non-proxied network for purposes of tunnels. It means a bit more expense, but it would work for you.
... Thinkpads_User
 
arnold commented:
The same exists for SSH: if you can SSH out, you can tunnel out (create a tunnel via the SSH connection). In certain circumstances some employers block outgoing encrypted connections, of which SSH is one. Check with your employer what options are available to you given what you are trying to do.
 
John Hurst, Business Consultant (Owner), commented:
@arnold - Do you have IPsec or SSH tunnels successfully running between two proxied locations? Thank you.
.... Thinkpads_User
 
arnold commented:
It all depends on how the locations are proxied.
Proxy often applies to FTP, HTTP and HTTPS, where HTTPS would use the CONNECT method to establish a TCP connection, and then the client browser and the remote server negotiate terms. If you can SSH to a remote system, you can tunnel through the SSH connection (sshd on the remote side must have forwarding on).
I.e. in PuTTY you define the tunnels as local/remote depending on the direction, i.e. local if you want to use localhost:port to connect to a system predefined on the remote side.
If you want to access the other way, you would need to define a remote port tunnel, i.e. you establish an SSH connection to the remote side and then on the remote system have something that connects to localhost:port and comes back over the SSH tunnel.

http://www.oreillynet.com/wireless/2001/02/23/wep.html
similar options are available in putty.
http://docs.cs.byu.edu/general/ssh_tunnels.html

If the issue is important to your employer/firm, they likely block any outgoing encrypted channels (SSH/HTTPS) and every other random port you might choose, given that any application/server can be configured to listen on any port.
I.e. the outgoing firewall can be configured to deny any encrypted data stream from exiting from unauthorized sources.


You should check with your employer/IT to make sure what you want to do does not clash with what they are trying to do.
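The CONNECT exchange mentioned above, as an added worked example that is not code from the original thread or from any product named in it. A client (here a few lines of Python, in practice ssh's ProxyCommand) asks the web proxy for a raw TCP tunnel; the proxy answers 200 and from then on only relays bytes, which is why an SSH session survives it while IPsec, which has no such handshake, does not. The proxy is a small in-process fake so the example runs offline; its policy of allowing CONNECT only to port 443 is an assumption, chosen because it is a common corporate setting and shows why "does it depend on the proxy server?" is exactly the right question. The hostname home.example is hypothetical.

```python
# Added example: HTTP CONNECT handshake against a constructed fake proxy.
# Not code from the original thread; the port-443-only policy is an assumption.
import socket
import threading

ALLOWED_PORTS = {443}  # assumed proxy policy: only HTTPS-looking targets


def _read_headers(sock):
    """Read from sock until a blank line ends the HTTP header block."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection mid-handshake")
        buf += chunk
    return buf


def connect_via_proxy(sock, host, port):
    """Ask the proxy on `sock` for a raw TCP tunnel to host:port.

    Returns the HTTP status code from the proxy's reply.  On 200 the same
    socket is now a transparent byte pipe to host:port: the client can start
    SSH (or any other protocol) on it and the proxy only relays bytes, which
    is what lets an encrypted, integrity-checked session cross it.
    """
    request = (f"CONNECT {host}:{port} HTTP/1.1\r\n"
               f"Host: {host}:{port}\r\n\r\n").encode()
    sock.sendall(request)
    status_line = _read_headers(sock).split(b"\r\n", 1)[0].decode()
    # "HTTP/1.1 200 Connection established" -> ["HTTP/1.1", "200", ...]
    return int(status_line.split(None, 2)[1])


def fake_proxy(sock):
    """Stand-in for a corporate web proxy (constructed for this example).

    Parses one CONNECT request and allows it only if the target port is in
    ALLOWED_PORTS.  A real proxy would then open the upstream TCP connection
    and relay bytes both ways; here it just answers and hangs up.
    """
    try:
        request_line = _read_headers(sock).split(b"\r\n", 1)[0].decode()
        method, target, _version = request_line.split(" ", 2)
        _host, _, port = target.rpartition(":")
        if method == "CONNECT" and port.isdigit() and int(port) in ALLOWED_PORTS:
            sock.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        else:
            sock.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
    finally:
        sock.close()


def try_tunnel(host, port):
    """Run one CONNECT attempt through the fake proxy; return the status code."""
    client, proxy_side = socket.socketpair()  # stands in for the TCP link to the proxy
    worker = threading.Thread(target=fake_proxy, args=(proxy_side,), daemon=True)
    worker.start()
    try:
        return connect_via_proxy(client, host, port)
    finally:
        client.close()
        worker.join()


if __name__ == "__main__":
    # Hypothetical home endpoint: an sshd listening on 443 gets through this
    # proxy, the default SSH port 22 is refused by its policy.
    for port in (443, 22):
        print(f"CONNECT home.example:{port} -> {try_tunnel('home.example', port)}")
```

With OpenSSH the same handshake is delegated to a ProxyCommand, and the local/remote tunnels arnold describes are the `-L` and `-R` options; with an assumed proxy at proxy.example:3128 and a home sshd moved to port 443 to fit the policy above, that is `ssh -o ProxyCommand='nc -X connect -x proxy.example:3128 %h %p' -p 443 -L 8080:192.168.1.10:80 -R 2222:localhost:22 user@home.example` (OpenBSD-style netcat), with `AllowTcpForwarding yes` in the remote sshd_config. Two caveats: some proxies also check that what follows the CONNECT looks like TLS, in which case a bare SSH banner is refused even on port 443, and, as the thread says, this is exactly the kind of egress a firm may deliberately block, so clear it with IT first.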
 
Andreas-NYC (Author) commented:
Thank you very much for explaining and pointing me to a possible solution