VPN

24K

Solutions

23K

Contributors

A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or travelling users access to a central organizational network securely. VPNs encapsulate data transfers using secure cryptographic methods and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

Share tech news, updates, or what's on your mind.

Sign up to Post

I have DMVPN with two hubs and an EIGRP relationship to a firewall (as well as to the spokes.)
The problem I am running into is that all of the DMVPN traffic is trying to egress Via one of the two VPN  hubs - HUB 1 - it's at capacity for passing encrypted traffic.

SPOKE----HUB 1----FW
SPOKE----HUB 2----FW

HUB1 is assigning a metric to the routes it learns from the spokes which is preferable to HUB2.
So that's why the FW is sending all the traffic to HUB1.

HUB1
 redistribute eigrp 300 metric 100000 0 255 1 1500 route-map EIGRP300-TO-EIGRP100

HUB2
 redistribute eigrp 300 metric 100000 10 255 1 1500 route-map EIGRP300-TO-EIGRP100

The firewall and the HUB DMVPN routers speak via EIGRP100. Hub to spokes via 300.

What I want to do is for the firewall to prefer one hub for half of the sites roughly. I could put in some static routes as a quick fix out of the traffic jam. I could remove HUB 1 from half of the spokes and that would make the HUB 2 the best path for half of the spokes. But surely there's a more elegant approach using route maps.

Something to the effect of..

If you match ACL SAVE-MY-DMVPN, you have a better metric than HUB 1. Otherwise you keep the same metric you have now and let HUB 1 keep doing its thing.

???
spiker.png
0
Hi All,

We have a Branch Office VPN established to one of our third party suppliers for support purposes (We use a WatchGuard at our End). They would like a secondary tunnel establishing with different settings,  that will run side by side of the existing one. Am I ok to use the existing external IP (Ours) as the external IP of the new tunnel. Will this work if both tunnels are required to be active at the same time or does each tunnel have to have its own external IP assigned?

Cheers,
Paul
0
How big does AD have to be (and how slow does the link need to be) to justify installing a new domain controller in a regional office using the IFM (Install From Media) method?

I think we'll have a 50 mbps symmetrical site-to-site VPN.

Our NTDS folder is 375 megs in size.

Should I use IFM or just do it the regular way?

I'm no pro so picking the easy method is very much preferable.

Reading about IFM here:
https://social.technet.microsoft.com/wiki/contents/articles/8630.step-by-step-guide-to-install-an-additional-domain-controller-by-using-ifm.aspx

I became concerned reading this passage:

"Important :
The next steps are required to change the SYSVOL folder security settings. These steps change the file hash, which will become the same file hash as in the IFM. If you use DFS Replication, SYSVOL will keep the presided data only if the file hash on the source domain controller and the destination server are the same
On the destination server, right-click the SYSVOL folder, and then click Properties.
Click the Security tab, and then click Advanced.
Click the Auditing tab, and then click Edit.
Clear the Include inheritable auditing entries from this object’s parent check box, and then select it again.
Click Apply, and then click OK.
"

The existing domain controllers are Server 2012 and the new one will be Server 2016.  The functional level will remain at Server 2008 R2
0
I need help to set up Fortinet Firewall with NPS and Azure MFA, idea is to have NPS send for MFA request when signing into VPN.
Is this possible?
0
Dear Experts,

What is the requirement for a vpn access for a new office with just internet?

Any feedback will be helpful.
0
Hi Guys,
I'm planning to build a VPN HA.
To do it I must have a 2 firewalls in HA and 2 wan connetions, one via xDSL and one via 4G.
Because the two connections have different IP address, only solution I've found is to configure a DDNS.
What are industrials topology for VPN HA?

Thanks
0
I download some time back the apps for my iPhone 11 called  WARP VPN or 1.1.1.1. from Cloudflare.

WarpCloudFlarePROBLEM
It's been working fine but noticed that for some apps or web pages it blocks it.  I have to disabled it for an hour or entirely.  The apps with the problem is YouTube.  If I have it enable, YouTube wont work.

Is there a setup I have overlooked?

Help Please
0
In view of the pandemic, 300-500 staff are to work from home
using VPN.

I'll need an assessment if GPO update (push down to those
remote PCs that are company-owned PCs) should be disabled
or enforced  so need assessments from experts here.

a) if we don't push down the latest policies, NAC requirements
    like AV signatures & patches may not be up-to-date & this
    work-from-home arrangement can last 1-2 months (subject
    to how long the health authority retain the alert level)

b) however, if we enforce &  critical PCs are blocked from
    accessing due to outdated signatures/patches, it will be a
    service disruption to those critical users.  Or if it's blocked,
    feasible for the support guys to exempt those PCs to
    enable them to temporarily connect (to get AV updates
    from our internal AV server) & WSUS?

c) is the GPO update going to consume a lot of bandwidth?
    we have 50Mbps dedicated for VPN users

d) for some reason (I don't know why), we permit split
    tunnelling on our VPN  though the PCs'  browsers are
    locked (greyed out & users can't change) to go thru
    our company proxy so they can't browse public Internet
    using IE/Chrome/FFox but an ultra-secure browser (that
    disallows upload/downloads): only for trusted sites like
    our Intranet, zoom.us (for remote conferencing) & O365
    URLs, we whitelist in the GPO (ie the 'exclusion' URLs/
    IP section in IE/Chrome) & proxy to enable IE/Chrome to
   …
0
We are having some issues with a couple of users accounts that login to a terminal server via vpn.
The server is running 2012 R2
So what I need to do is delete the users profiles of which they use roaming profiles.
So do I delete this on the Terminal server I would think, and if so, what are the steps that I need to perform to delete these?
I am thinking there is a folder location some place for the roaming profiles that needs deleted?
Thanks
0
We a couple of users that each time they login to the VPN, their AD accounts get locked out after they login. (server 2012 R2)
So there able to login but their AD do lockout after that.
If we reset their accounts after a few minutes their AD account locks out again.
They are using Cisco VPN.
Anyone have any idea on why it keeps locking out their AD account when logging into the VPN?
If they don't login to the vpn, their AD does not ever lock.
0
I have a client that is running Windows Server 2016. They have two FTP sites (behind a VPN firewall) on Ports 21 and 21000. The reason they have 2 FTP sites to to accommodate different aspects of their business.

These FTP sites recently stopped working for no obvious reason and I've set-up SFTP for them.

Following an online set of directions I found [1], I am able to have certain users land in a given folder (e.g. ~\ProgramData\ssh\sshd_config) with the directive:

ChrootDirectory D:\FTPSites\Site

Open in new window


Otherwise it defaults to C:\Users\UserName, which is not acceptable to them long-term.

Is there a way to have SFTP go to a different directory based on the local user accessing the server? Or is SFTP limited to only one folder a user can "Chroot" to?

Thanks!

[1] https://tech.xenit.se/installing-and-configuring-sftp-server-on-windows-server-2016/
0
We have been using the VPN that is built into Windows. Our server is Windows Server 2016 and our workstations are Windows 10 Pro.  Most of us are remote, so we VPN to connect and work.  Some users are having issues where the VPN keeps dropping and not related to internet, the internet service is fine, just the VPN will randomly disconnect.  Would it be better to use a VPN router and if so, which one and do we just need one at the data center where the server is, or does every remote person need a matching VPN router?
0
Dear Experts
We have main office with Windows AD as DNS and DHCP server, we have following requirement
1.      Branch office is connected over MPLS network to main office, branch office IP subnet is 192.168.114.0/24 and main office network is 109.0/24 both the networks can talk to each other, we would like to join the branch office systems to the main office Windows AD domain. Please suggest how and where to add this IP subnet in the windows AD so that branch office different IP subnet gets resolved with main office Windows AD, please help with steps on “HOW TO”
2.      Few home users connect to the office network using Cisco Anyconnect client VPN software with the IP pool 172.0.0.0 series. please suggest where in windows AD to configure this IP pool so that this gets resolved via windows AD DNS.
Thanks in advance.
0
I have a meraki MS225 attached to a Cisco 2900 router configured for NAT. I can see the Meraki has a private IP and I can ping it locally and over VPN. I see NAT translations from it. But it fails to register to Meraki cloud. Any thoughts?

I also notice that sho cdp nei is failing to show it. But I can see the arp entries.
0
Is there a way to secure a VPN client settings?  Just want to know so that if a computer is stolen, how can we prevent the VPN client settings from the thief?
0
Hi

We have at the moment Server 2008 R2 Standard and are going to replace it soon with Server 2019 Standard. We would like to introduce Two-Factor Authentication for our VPN connections. We would also like to introduce Two-Factor Authentication for our Office 365 subscriptions. We do not mind having two separate ones but would be nice to just have one solution for these two - could be texts or the app. I know Microsoft has free Authenticator app.

I assume that we will have to pay for the Two-Factor Authentication for our VPN connections so as long as it is within our budget it is okay. It would be perfect if we could introduce it now on Server 2008 R2 too.

What would you suggest? What are you using yourself?
1
I need help to establish a VPN connection from my home Linux box (Debian 10) to office's SonicWall TZ300 using strongswan ipsec.
Here is my config files:/etc/ipsec.conf
conn GroupVPN
        auto=add
        left=%any
        leftid=@GroupVPN
        leftsourceip=%config4
        leftsubnet=192.168.1.2/32
        leftfirewall=yes

        right=<SW_IPaddress>
        rightid=@<UniqueFirewallIdentifier>
        rightsubnet=10.0.0.0/24

        keyexchange=ikev1
        keyingtries=0
# aggressive=yes disabled by default when auth by PSK. It's enabled by setting
# charon.i_dont_care_about_security_and_use_aggressive_mode_psk=yes in strongswan.conf
# see https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Aggressive-Mode
        aggressive=yes
# see https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites
        ike=3des-sha1-modp1536!
        esp=3des-sha1-modp1536!
        authby=xauthpsk
        xauth_identity=<MyUserName>
        ikelifetime=8h

#include /var/lib/strongswan/ipsec.conf.inc

Open in new window

/etc/ipsec.secret
#include /var/lib/strongswan/ipsec.secrets.inc

@GroupVPN @<UniqueFirewallIdentifier> : PSK <SharedSecret>
<MyUserName> : XAUTH "<MyUserPassword>"

Open in new window



# ipsec statusall
Status of IKE charon daemon (weakSwan 5.7.2, Linux 4.19.75+, armv6l):
  uptime: 2 seconds, since Jan 28 19:02:33 2020
  malloc: sbrk 811008, mmap 0, used 468032, free 342976
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
  192.168.1.2
Connections:
    GroupVPN:  %any...<SW_IPaddress>  IKEv1 Aggressive
    GroupVPN:   local:  [GroupVPN] uses pre-shared key authentication
    GroupVPN:   local:  [GroupVPN] uses XAuth authentication: any with XAuth identity '<MyUserName>'
    GroupVPN:   remote: [<UniqueFirewallIdentifier>] uses pre-shared key authentication
    GroupVPN:   child:  192.168.1.2/32 === 10.0.0.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
  none

Open in new window

GroupVPN policy/AdvancedVPN/Advanced SettingsFrom SonicWall log (most recent at the top):

Open in new window

0
Mysql VPN.
HI..how do I share or connect Mysql using a Internet private VPN?   NOTE: I ms access as a front end....also Work bench to manage
0
Which model of Meraki SD WAN (MX I think) device best suits the data center in a dual-hub and spoke toplogy? The MX84 I believe would work find in the remote office. Thank you.
0
Hi Please see the topology ASA1------internet -------ASA2 --------router1--------router2 or server. The two ASA are connected by point to point VPN. My question is if or how ASA1 or users behind the ASA1 can access router2 or server? Thank you
0
Is there a way to lock down the certificate issued from the ASA to a specific host?   I love the ease of a VPN client, but an worried that the certificate can be copied and put on other systems.


Fox
0
I have an Azure VPN established to my on-prem firewall where my single domain AD Forest is. My goal is to get a Domain Controller VM up and running in Azure. I can already connect to the VM from on-site and vice versa, but I haevn't promoted to a DC yet.
My question is, would I need to configure the DNS settings at the VM level to point to an on-prem DC for it to see and join the domain? It's a single VNet with multiple subnets so I don't want the whole VNet using an on-prem DC as DNS.
I was going to also setup Windows Virtual Desktop in Azure and I'm not sure if those VMs that join this Domain would need to be using it as a DNS server or not.
And should I set the Azure VM DC to a static IP in its NIC properties?
0
I have a TS-215 running firmware 4.4.1.1146.  I am trying to setup a VPN connection to the device following this article:

https://www.qnap.com/en/how-to/tutorial/article/how-to-set-up-and-use-qvpn-2-0/

I have the firewall port setup for the VPN connection and correct internal IP of the QNAS.  I have the QBELT server enabled, User privilege assigned,  and setup the connection profile.  I then downloaded the installer/config file and installed to a Windows 10 system.  When I go to connect, I can watch the process of dialing, then see it try to authenticate.  At that point I get an error "Unabel to create a VPN connection" I went back through the setup steps again, and do not see where I have missed anything.

Has anyone setup a VPN to a QNAS?  Is there something I have overlooked?
0
Hi,

Please see https://www.experts-exchange.com/questions/29169605/Synology-router-and-or-nas-on-permanent-vpn-split-vpn.html

I now have UnlimitedVPN but how can I manage tractor/route f.e.my home network that only Netflix goed through the vpn (I have a Synology NAS which could run a virtual Synology or a Synology router which has vpn server). I could setup a pptp VPN on my router but how-to split then only the Netflix traffic? Also I d like to keep the lotion to connect from my Android or Windows to my Synology router vpn, also connect to my Synology lezing DsFile (no vpn) ...
Iow I d like to granularely control network traffic also securing network using the vpn (like the occasional torrent download: run on my virtual nas and use the vpn there too? secure full network by routing everything through vpn ... not sure) and like to know how to approach.

Thanks :-)

J
0
I have a group of outsourced workers that work for me from India.  We are wanting them to be able to send PDF documents directly to a printer in our office in the US, but.... do not want to have them connecting to our office via a VPN or anything like that.

With that being said, I am wondering if it is possible to have them email the PDF to an email address that uses Outlook 2016 and setup a script or something that would run every 30 seconds or so looking for all new emails and automatically printing any attachments, then marking the email as read and moving to another folder?

If so, can I get assistance with the code/script or any software that would do this?  In pretty bad need as this was just added to my plate and they want it ready by Monday.
Any assistance is appreciated.  Operating System is Windows 10 Pro, 64 Bit
0

VPN

24K

Solutions

23K

Contributors

A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or travelling users access to a central organizational network securely. VPNs encapsulate data transfers using secure cryptographic methods and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.