Solved

IPSEC through Proxy server ? possible

Posted on 2010-08-30
556 Views
Last Modified: 2012-05-10
I have a proxy server at work and I would like to use my own 2x IPSEC VPN routers (WRVS4400Nv2), 1x at home and 1x here at work, to be able to tunnel through the proxy. Is that possible? Or does it depend on the proxy server?
If that is tricky, what other solutions do I have to get through the proxy? Thanks
Question by:Andreas-NYC
9 Comments
 
LVL 94

Expert Comment

by:John Hurst
ID: 33560496
I can't say that it will not work, but I have never seen it work. IPsec needs the actual IP at the end points and I do not think it will navigate through a proxy server. ... Thinkpads_User
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33560955
Nope. The basic functionality of a proxy means that it terminates the session and establishes a new connection on behalf of the client. That's the concept of the term "proxy". Since IPsec is (usually) encrypted as well as integrity checked, the in-between proxy cannot terminate and/or re-establish the traffic.

/Kvistofta
 
LVL 78

Expert Comment

by:arnold
ID: 33562180
It all depends on the configuration of the firewall behind which you will be placing the WRVS4400Nv2 router.
The IPSEC connection to be established will always have to travel from office to your home, unless other changes are made to the office firewall to route the IPSEC traffic (if it is not currently handled in the office) to the WRVS4400Nv2.
internet <=> office firewall: port 500 requests go to the WAN side of the WRVS4400Nv2.

IPSEC is a port 500 UDP/TCP connection and would not go through a proxy.
Companies would likely block any outgoing IPSEC or other VPN connection from their LAN to secure their LAN.

If your home WRVS4400Nv2 does not have a static IP, or you are not using one of the dynamically tracking Dynamic DNS registration services, the IPSEC VPN connection would only be established when your work WRVS4400Nv2 is configured with the IP of the home WRVS4400Nv2, i.e. your home WRVS4400Nv2 will be set up to accept a connection from any source with any IP/segment.

The group, encryption and the passphrase will be what limits who can connect.
Do not use aggressive mode if available; only use normal (main) mode for key exchange.

Author Comment

by:Andreas-NYC
ID: 33563162
Thanks ...
So what other options do I have to tunnel through my work's proxy? Any? PuTTY? SSH?
 
LVL 94

Expert Comment

by:John Hurst
ID: 33563195
As we noted, proxies and tunnels are not interoperable. If you can do it, get rid of the proxies. If not, consider a secondary non-proxied network for purposes of tunnels. It means a bit more expense, but it would work for you.
... Thinkpads_User
 
LVL 78

Expert Comment

by:arnold
ID: 33563574
The same exists for SSH: if you can SSH out, you can tunnel out (create a tunnel via the SSH connection). In certain circumstances some employers block outgoing encrypted connections, of which SSH is one. Check with your employer what options are available to you given what you are trying to do.
 
LVL 94

Expert Comment

by:John Hurst
ID: 33563634
@arnold - Do you have IPsec or SSH tunnels successfully running between two proxied locations? Thank you.
... Thinkpads_User
 
LVL 78

Accepted Solution

by: arnold (earned 500 total points)
ID: 33564314
It all depends on how the locations are proxied.
Proxy often applies to FTP, HTTP and HTTPS, where HTTPS would use the CONNECT method to establish a TCP connection, and then the client browser and the remote server negotiate terms. If you can SSH to a remote system, you can tunnel through the SSH connection (sshd on the remote side must have forwarding on).
i.e. in PuTTY you define the tunnels as local/remote depending on the direction: local if you want to use localhost:port to connect to a system predefined on the remote side.
If you want to access the other way, you would need to define a remote port tunnel, i.e. you establish an SSH connection to the remote side and then on the remote system have something that connects to localhost:port and comes back over the SSH tunnel.

http://www.oreillynet.com/wireless/2001/02/23/wep.html
Similar options are available in PuTTY.
http://docs.cs.byu.edu/general/ssh_tunnels.html

If the issue is important to your employer/firm, they likely block any outgoing encrypted channels (SSH/HTTPS) and every other random port you might choose, given that any application/server can be configured to listen on any port.
I.e. the outgoing firewall can be configured to deny any encrypted data stream from exiting from unauthorized sources.

You should check with your employer/IT to make sure what you want to do does not clash with what they are trying to do.
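The accepted answer above describes the one mechanism that does pass through an HTTP proxy: the CONNECT method, which hands the client a raw TCP byte stream to one host:port that the proxy then forwards without inspecting. SSH fits inside that stream; IKE on UDP 500 and ESP (IP protocol 50) do not, which is the protocol-level reason the IPsec routers in the question cannot be proxied. The script below is an added example, not code from the thread or from any of the posters: a minimal CONNECT client that OpenSSH can run as a ProxyCommand, so the `-L`/`-R` tunnels the answer talks about ride over SSH through the proxy. The proxy address, the home host name and the forwarded ports in the docstring are assumptions for illustration; the home endpoint is assumed to be a machine running sshd (the WRVS4400Nv2 itself does not run one), and sshd must have `AllowTcpForwarding yes` for the forwards to work.

```python
"""Minimal HTTP CONNECT client usable as an OpenSSH ProxyCommand.

Assumed ~/.ssh/config (hostnames/ports are illustrative, not from the thread):

    Host home
        HostName home.example.org          # assumed sshd at home, listening on 443
        Port 443                           # proxies usually only allow CONNECT to 443
        ProxyCommand python3 proxy_connect.py proxy.corp.example:3128 %h %p
        LocalForward  8080 192.168.1.1:80  # -L: work -> home LAN (router web UI)
        RemoteForward 2222 localhost:22    # -R: home -> this work machine

Invocation by ssh:  python3 proxy_connect.py PROXY_HOST:PORT DEST_HOST DEST_PORT
"""
import select
import socket
import sys

MAX_HEADER = 64 * 1024  # refuse absurdly large proxy replies


def build_connect_request(dest_host: str, dest_port: int) -> bytes:
    """Return the CONNECT request an HTTPS-capable proxy expects."""
    authority = f"{dest_host}:{dest_port}"
    return (
        f"CONNECT {authority} HTTP/1.1\r\n"
        f"Host: {authority}\r\n"
        "Proxy-Connection: keep-alive\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_response(raw: bytes):
    """Split the proxy reply into (status_code, leftover_bytes).

    Bytes after the blank line already belong to the tunnelled stream
    (typically the SSH banner), so they are returned rather than dropped.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1]), rest


def open_tunnel(proxy_host, proxy_port, dest_host, dest_port, timeout=10.0):
    """TCP-connect to the proxy, issue CONNECT, and return (socket, leftover)."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(build_connect_request(dest_host, dest_port))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
        if len(buf) > MAX_HEADER:
            raise ValueError("proxy response header too large")
    code, leftover = parse_connect_response(buf)
    if code != 200:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT with status {code}")
    sock.settimeout(None)
    return sock, leftover


def relay(sock, leftover=b""):
    """Shovel bytes between stdin/stdout (ssh) and the proxy socket."""
    stdin, stdout = sys.stdin.buffer, sys.stdout.buffer
    if leftover:
        stdout.write(leftover)
        stdout.flush()
    while True:
        readable, _, _ = select.select([sock, stdin], [], [])
        if sock in readable:
            data = sock.recv(65536)
            if not data:
                return  # proxy/remote closed
            stdout.write(data)
            stdout.flush()
        if stdin in readable:
            data = stdin.read1(65536)
            if not data:
                sock.shutdown(socket.SHUT_WR)  # ssh closed; half-close our side
                return
            sock.sendall(data)


def main(argv):
    proxy, dest_host, dest_port = argv[1], argv[2], int(argv[3])
    proxy_host, proxy_port = proxy.rsplit(":", 1)
    sock, leftover = open_tunnel(proxy_host, int(proxy_port), dest_host, dest_port)
    relay(sock, leftover)


if __name__ == "__main__":
    main(sys.argv)
```

Two operational points follow from the answer's caveats: the proxy decides which destination ports CONNECT may reach (often only 443, which is why the assumed config puts sshd on 443), and an egress firewall or a TLS-inspecting proxy that expects a TLS ClientHello after CONNECT will drop the SSH banner, which is exactly the "block any outgoing encrypted channels" case the answer warns about. Running this without the employer's agreement is the clash the answer tells you to check for first.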
 

Author Closing Comment

by:Andreas-NYC
ID: 33567540
Thank you very much for explaining and pointing me to a possible solution