We help IT Professionals succeed at work.

Cisco IPSEC VPN fails on Verizon MiFi

lffit
lffit asked
on
Medium Priority
7,147 Views
Last Modified: 2012-07-08
We use the Cisco IPSec VPN Client to connect to our ASA for VPN access. Most users have little problem connecting, no matter what ISP they use. The exception is Verizon Internet users, particularly FIOS users. For these users we have to clear the "Enable Transparent Tunneling" checkbox on the transport tab and the connection usually works.

The real problem we have is with the Verizon 4G MiFi 4510. When these users launch Cisco IPSec client they are able to connect to the VPN but they cannot access any internal network resources. The client shows that they are connected, but they cannot ping, RDP, open network shares or use Intranet sites.

I have tested this on the same computer using the MiFi side by side with my personal home network. I can connect to the VPN gateway from both networks, but I can only see internal network resources using my home network. When not using the Cisco VPN client both networks allow me to get to the Internet just fine.

I have confirmed that the MiFi is on the latest firmware revision. I'm using the Cisco IPSec VPN client version 5.0.07.0290 thirty-two bit client. The "Enable transparent tunneling" checkbox is cleared in the connection configuration. Our PC platform is still Windows XP SP3 with latest service packs applied.
Comment
Watch Question

CERTIFIED EXPERT

Commented:
you could try setting a smaller MTU for the connection.

Author

Commented:
ArneLovius: Is this a change that can be made to the connection profile? Do you have to edit the PCF file itself, since this setting doesn't appear in the GUI? Since other users connect on other services, I prefer to not have our Cisco Engineer make changes on the ASA. Or are you referring to the Windows Networking MTU setting on the local system?
CERTIFIED EXPERT

Commented:
This would be a change on the group policy on the ASA.

As you have an ASA and you are currently only using IPSec, I would push to move to AnyConnect Essentials, this is a licence upgrade on the ASA (~$200 for an ASA 5510) which enables you to use the AnyConnect SSL/DTLS client instead of the IPSec client.

I have found that the AnyConnect SSL/DTLS client is much better over mobile networks, you don't have to adjust transparent tunneling etc and copes with NAT in a way that IPSec just doesn't...

Author

Commented:
We do have 2 built-in AnyConnect licenses. I will get the client installed and see if it performs better.
I agree. If security is of no concern go to SSL. If you want security stick with IPsec. NCP IPsec client performs way better then Cisco's client. http://www.ncp-e.com.
CERTIFIED EXPERT

Commented:
@Allvirtual "If security is of no concern go to SSL" would you care to expand upon this ?
SSL VPN has obviously major security issues. The security of SSL VPN has two major issues today. The cryptographic strength of TLS used for confidentiality and digital certificates used for authenticity.
A good read is the white paper "Debunking the Myths of SSL VPN" which you can find here:
http://www.ncp-e.com/en/support/library/whitepapers.html
Qlemo"Batchelor", Developer and EE Topic Advisor
CERTIFIED EXPERT
Top Expert 2015

Commented:
Allvirtual,

Very arguable. That whitepaper is created by NCP, and certainly not unbiased.

Yes, there are security issues with SSL VPNs, which are more likely to get (and easier to be) attacked than IPSec VPNs. I agree the pros of SSL VPNs are usually over-emphasized, but claiming "If security is of no concern go to SSL" is off.
The whitepaper also refers mainly to banking stuff and other high-security matter, which has a completely different security need.
It is also ignored that often SSL VPNs only provide access to published applications (like Terminal Server/Citrix sessions), which lowers the potential for successful attacks, or of revealing important info.

Also note that the cryptographic strength of TLS is no different than that of IPSec - it is a matter of the encryption chosen. A DES IPSec is unsafe, a SSL VPN using AES-256 is safe (as long as you don't get access to session tokens etc. - a local exploit).

We can agree that an IPSec VPN is both more reliable and more secure. And last but not least the client can be integrated into your IT structure, while a SSL VPN Client circumvents all your safety measures, and does not allow for any centralized control.
I agree with most what you said. Except the issue of Authenticity in SSL. IPsec uses IKE which is more secure then the fragile PKI infrastructure. I don't think the white paper is biased btw. I think it is pretty neutral pointing out real key issues.
CERTIFIED EXPERT

Commented:
As per Qlemo, that report is certainly not unbiased,  I noted that they made no mention of their own client vulnerabilities.

http://secunia.com/advisories/41388
http://secunia.com/advisories/19082

While I would agree that with recent CA issues and obvious possibilities of government level "interference", using "public" certificates is not as secure as IPSec can be as the "chain of trust" has many possible weak links, however by moving to your own PKI infrastructure much of this can be alleviated,  if you then also require your own client certificates as well, you can match the security level of IPSec, which to be at its most secure requires the same infrastructure.


The Anyconnect client is also a "full" client, just like the IPSec client, so I fail to see the relevance of much of the report that seems to contradict itself over clientless access.

The Anyconnect client can be integrated in just the same way as most IPSec clients. with the same level of control over remote access users as regards time based controls and  ACLs to control access inside the network as well as NAC.

As NCP are a supplier of IPSec VPN technology, I think it is very difficult for them to be unbiased.
The client vulnerabilities were not mentioned in the white paper as they no longer apply I guess. The paper is newer and the vulnerabilities are rather old. Also NCP does have a hybrid IPsec /SSL VPN solution which is superior to Cisco Anyconnect in many ways such as much more advanced client features, true VPN management, etc. Plus the NCP products are more stable and scalable then the Cisco stuff. Last not least they cover all client platforms and the client really works. I have customers that abandoned Cisco Anyconnect because it is so flaky and poorly designed and implemented. If I want a robust and secure VPN solution I trust an expert company, not Cisco which tries to be anything to everyone. The do everything but nothing really well. Maybe the Catalysts are still ok but that is about it.
CERTIFIED EXPERT

Commented:
they were quite happy to mention older vulnerabilities for other solutions.

what exactly do you mean by "true VPN management"

I would welcome a list of features/functionality that you believe is missing from the Cisco AnyConnect client, but that are available in the NCP client.
Sorry but I am a consultant and quite busy. I get paid top dollars by my customers so I don't spend much time typing long answers. I can give you pointers. You can go to the NCP site and look for yourself. The client alone has tons of usable features that my customers like such as Profile locking, Hotspot logon, Friendly Net Detection, dynamic client firewall, Seamless roaming, connects fast and reliable against all major IPsec VPN gateways (important for consultants), etc. too many to list.
With true management I mean the Enterprise solution which has a Management Server that allows me to manage ALL my VPN components: Clients, users, VPN software, VPN gateways, PKI management, Endpoint policy enforcement, Client configuration and Client firewall, etc. This is true best of breed stuff. Many customers replace their Cisco VPN stuff with this solution. It is way superior. Best go to the NCP web site and check it out. Also they just released to first of its kind true IPsec Android client. Sweet.
CERTIFIED EXPERT

Commented:
Oddly enough, I'm also a Consultant :-)

I don't doubt that you have many clients that have migrated away from Cisco, I have too, I've also had clients that have migrated to Cisco from many other platforms.

All of the actual features above (i'm excluding the pure marketing ones) would appear to be present on the current Cisco product range apart from the Android client.

I do find it amusing that NCP now sell an SSL solution...

If only to be able demonstrate to somebody that actively uses and manages Cisco products that the product that you sell is superior, it might be good for you to gain some experience  with current Cisco hardware and current Cisco management platforms.
You are obviously Cisco biased because I guess that is all you know. Cisco has not even close to the features I mentioned. Add to that a very sluggish and unstable client and NCP solution is a no brainer.
CERTIFIED EXPERT

Commented:
A little investigation would show I know more than just Cisco.

Why the personal attack ?

Author

Commented:
Ok. Interesting new wrinkle in this problem:
I've installed the AnyConnect client and have successfully connected to the VPN Gateway using it over my home network.

When I switch to the Verizon MiFi and try to connect to the gateway using the AnyConnect client, the connection times out. In fact I can't even connect to the SSL gateway via web browser nor can I ping it.

However, I can still connect to the VPN gateway using the IPSEC client (same IP address). I continue to have the problem where I can't connect to any network computers or Intranet resources.

It may be important to note that our Certificate needs to be reissued as it is coming up as invalid currently.
CERTIFIED EXPERT

Commented:
I would guess that your inability to connect using Anyconnect was a transient DNS error.

When you attempted to ping the ASA did you ping by name or IP address ?

What was the error that you saw ?

Is ICMP enabled on the outside interface of the ASA ?

It might be useful to post a suitably sanitized copy of the ASA config

Author

Commented:
I am connecting to the IP address of the gateway. We are not using a DNS name. I tried to connected repeatedly over the MiFi to confirm that it was a consistent problem.

The error message we get in the AnyConnect client is "Connection Attempt has timed out. Please verify Internet connectivity."

ICMP is enabled and I can ping the gateway when on other networks.


I suspect that our next step will be to contact Verizon.
CERTIFIED EXPERT

Commented:
Speaking to Verizon would appear to be your next step, I wish you luck.

Two "stupid" questions, you are using port 443 for the DTLS connection? are you able to connect to any sites over HTTPS on the MiFi?

Author

Commented:
Yes to both questions.
CERTIFIED EXPERT

Commented:
Granted I don't use Verizon (wrong country), but I've had never issues establishing a connection from a mobile device to an ASA for AnyConnect.

I've had issues with MTU once the VPN has been established, but its always been able to connect...
Very funny how people desperately trying to get Cisco to work because that's all they know. Instead of using a software from an established VPN security specialist that has been in the VPN security business for over 25 years (way longer then Cisco) and actually knows what they are doing. I understand, the advantages of Cisco is that they do everything. Although they don't do anything particularly good, but they do it all. I look at them as the Walmart in the IT industry. Lots of cheap stuff that sort of works until it breaks, which is usually quickly. And if you must rely on the solution you end up throwing it away sooner or later and replacing it with something that actually works.
Commented:
This issue was never successfully resolved and I am closing the question

Author

Commented:
Issue was never resolved. Appears to be a Verizon Network issue with how they configure their routing for 4G devices.