Solved

IPSEC through Proxy server ? possible

Posted on 2010-08-30
Last Modified: 2012-05-10
I have a proxy server at work and I would like to use my own 2x IPSEC VPN routers (WRVS4400Nv2),
1x at home and 1x here at work, to be able to tunnel through the proxy. Is that possible? Or does it depend on the proxy server?
If that is tricky, what other solutions do I have to get through the proxy? Thanks
Question by:Andreas-NYC
9 Comments
 
LVL 90

Expert Comment

by:John Hurst
I can't say that it will not work, but I have never seen it work. IPsec needs the actual IP at the end points and I do not think it will navigate through a proxy server. ... Thinkpads_User
LVL 17

Expert Comment

by:Kvistofta
Nope. The basic functionality of a proxy means that it terminates the session and establishes a new connection on behalf of the client. That's the concept of the term "proxy". Since IPsec is (usually) encrypted as well as integrity checked, the in-between proxy cannot terminate and/or re-establish the traffic.

/Kvistofta
LVL 76

Expert Comment

by:arnold
It all depends on the configuration of the firewall behind which you will be placing the WRVS4400Nv2 router.
The IPSEC connection to be established will always have to travel from the office to your home, unless other changes are made to the office firewall to route the IPSEC traffic (if it is not currently handled in the office) to the WRVS4400Nv2.
internet <=> office firewall: port 500 requests go to the WAN side of the WRVS4400Nv2.

An IPSEC connection is a port 500 UDP/TCP connection and would not go through a proxy.
Companies would likely block any outgoing IPSEC or other VPN connection from their LAN to secure their LAN.

If your home WRVS4400Nv2 does not have a static IP, or you are not using one of the dynamically tracking Dynamic DNS registration services, the IPSEC VPN connection would only be established when your work WRVS4400Nv2 is configured with the IP of the home WRVS4400Nv2,
i.e. your home WRVS4400Nv2
will be set up to accept a connection from any source with any IP/segment.

The group, encryption and the passphrase will be what limit who can connect.
Do not use aggressive mode if available; only use normal mode for key exchange.

Author Comment

by:Andreas-NYC
Thanks ...
So what other options do I have to tunnel through my work's proxy? Any? PuTTY? SSH?
LVL 90

Expert Comment

by:John Hurst
As we noted, proxies and tunnels are not interoperable. If you can do it, get rid of the proxies. If not, consider a secondary non-proxied network for purposes of tunnels. It means a bit more expense, but it would work for you.
... Thinkpads_User
LVL 76

Expert Comment

by:arnold
The same exists for SSH: if you can SSH out, you can tunnel out (create a tunnel via the SSH connection). In certain circumstances some employers block outgoing encrypted connections, of which SSH is one. Check with your employer what options are available to you given what you are trying to do.
LVL 90

Expert Comment

by:John Hurst
@arnold - Do you have IPsec or SSH tunnels successfully running between two proxied locations?  Thank you.
.... Thinkpads_User
LVL 76

Accepted Solution

by:arnold (earned 500 total points)
It all depends on how the locations are proxied.
Proxy often applies to FTP, HTTP, HTTPS, where HTTPS would use the CONNECT method to establish a TCP connection and then the client browser and the remote server negotiate terms. If you can SSH to a remote system, you can tunnel through the SSH connection (sshd on the remote side must have forwarding on).
i.e. in PuTTY you define the tunnels as local/remote, depending on the direction: local if you want to use localhost:port to connect to a system predefined on the remote side.
If you want to access the other way, you would need to define a remote port tunnel,
i.e. you establish an SSH connection to the remote side and then on the remote system have something that connects to localhost:port and comes back over the SSH tunnel.

http://www.oreillynet.com/wireless/2001/02/23/wep.html
Similar options are available in PuTTY.
http://docs.cs.byu.edu/general/ssh_tunnels.html

If the issue is important to your employer/firm, they likely block any outgoing encrypted channels (ssh/https) and every other random port you might choose, given that any application/server can be configured to listen on any port.
I.e. the outgoing firewall can be configured to deny any encrypted data stream from exiting from unauthorized sources.

You should check with your employer/IT to make sure what you want to do does not clash with what they are trying to do.
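The CONNECT exchange the accepted answer relies on, worked through as an added example (this is not code from the thread, from Cisco/Linksys, or from any proxy or SSH project). It runs a constructed mini proxy and a constructed one-shot echo server (a stand-in for a remote sshd) on 127.0.0.1, so the whole exchange can be observed offline. The policy is an assumption chosen to mirror a typical locked-down corporate proxy: CONNECT is allowed only to port 443, and a port map sends 443 to the echo server's ephemeral port so the demo does not need root to bind 443. The function and variable names are mine.

```python
"""CONNECT tunnel end to end: constructed mini proxy + echo 'sshd' on loopback.
Added example, not code from the thread or any vendor. Assumed policy: CONNECT
only to port 443; port_map sends 443 to the echo server's ephemeral port."""
import socket
import threading


def parse_connect(request_line):
    """Parse 'CONNECT host:port HTTP/1.x'; return (host, port) or None."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else None


def _read_head(sock):
    """Read an HTTP head up to the blank line; return (head text, leftover bytes)."""
    buf = b""
    while b"\r\n\r\n" not in buf and (chunk := sock.recv(4096)):
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head.decode("latin-1"), rest


def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    while data := src.recv(4096):
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:  # peer already gone
        pass


def _serve(handler):
    """Listen on an ephemeral loopback port; run handler(conn) on a thread per connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for sshd: echo one read back, then close."""
    def handle(conn):
        with conn:
            conn.sendall(conn.recv(4096))
    return _serve(handle)


def start_connect_proxy(allowed_ports, port_map):
    """Constructed CONNECT proxy with a port policy, like a locked-down Squid."""
    def handle(client):
        with client:
            head, early = _read_head(client)
            target = parse_connect(head.split("\r\n", 1)[0])
            if target is None or target[1] not in allowed_ports:
                return client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")  # policy refusal
            host, port = target
            with socket.create_connection((host, port_map.get(port, port))) as up:
                client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
                up.sendall(early)  # anything the client sent before the 200
                t = threading.Thread(target=_pump, args=(up, client), daemon=True)
                t.start()
                _pump(client, up)  # from here on the proxy is a blind byte relay
                t.join()
    return _serve(handle)


def connect_through_proxy(proxy_port, host, port):
    """Client side (what a browser or an ssh ProxyCommand does): send CONNECT."""
    s = socket.create_connection(("127.0.0.1", proxy_port))
    s.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    head, _ = _read_head(s)
    status = int(head.split()[1]) if head else 0
    if status != 200:
        s.close()
        return status, None
    return status, s  # the tunnel: bytes now reach the target untouched


def demo():
    echo_port = start_echo_server()
    proxy_port = start_connect_proxy({443}, {443: echo_port})
    # sshd reachable on 443: the proxy relays the SSH banner and the echo comes back
    status, tunnel = connect_through_proxy(proxy_port, "127.0.0.1", 443)
    with tunnel:
        tunnel.sendall(b"SSH-2.0-OpenSSH_demo\r\n")
        allowed = (status, tunnel.recv(4096))
    # sshd on its default port 22: the policy refuses the CONNECT outright
    refused = connect_through_proxy(proxy_port, "127.0.0.1", 22)
    return {443: allowed, 22: refused}
```

Two things the run shows. First, once the proxy has answered 200 it no longer interprets the stream, which is why an encrypted protocol (SSH, TLS) survives the hop while IPsec, which has no TCP session for the proxy to CONNECT on, does not. Second, the refusal on port 22 is the realistic failure mode: many corporate proxies permit CONNECT to 443 only, which is why people end up running sshd on 443 at the far end. With OpenSSH the same client-side handshake is done by a ProxyCommand such as `nc -X connect -x proxy.corp:3128 %h %p` (OpenBSD-style netcat; the proxy hostname and port are placeholders), and PuTTY's "local" and "remote" tunnels correspond to `ssh -L localport:host:port` and `ssh -R remoteport:host:port`; both need `AllowTcpForwarding yes` in the remote sshd_config, which is the "forwarding on" the answer mentions.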

Author Closing Comment

by:Andreas-NYC
Thank you very much for explaining and pointing me to a possible solution