I certainly agree that the ASA is the better approach. However, on the RA client, if it is deployed with PSK, the keys are always available to the user. If you open up the PCF file, the key is there, but it is *sort of* encrypted. CAIN can reverse that as quickly as a type 7 password. I've probably way over-thought this, but I am just trying to find all of the knobs that might need to be turned. I guess the solution is really to not deploy the clients without certificates and to make sure that only appropriate parties have access to VPN HW clients.
On Sat, Oct 24, 2009 at 12:26 PM, Shawn Mesiatowsky <[email protected]> wrote:
> If you want that type of control you should use an ASA as a termination
> point for the VPN. You can specify to allow NEM in a group policy. As well,
> users should never have the pass key available to them. You should be
> creating a deployment installation file that already contains the config.
>
> Sent from my iPod
>
> On Oct 23, 2009, at 8:03 PM, Paul Stewart <[email protected]> wrote:
>
> If I define a split tunnel ACL on my router, the ASA only seems to honor
> the "remote" side when it builds the SA. The IOS inserts the SA into the
> SADB. Regardless of what you do, it seems to insert the inside interface of
> the ASA. So in theory I could set up an Easy VPN with the intention of it being
> used in client mode, or on a PC. A user could pick up an ASA and configure
> it to connect in "network extension mode". In which case, I have
> unauthorized SAs being added to my router unless I'm missing something
> (which I probably am). It just seems that you could restrict EZ VPN on the
> router to client or NEM. It also seems that there would be some way to
> define what are permitted remote networks from the perspective of the IOS
> based EZ VPN Server. Like I said, I am probably missing something.
>
> On Thu, Oct 22, 2009 at 11:30 PM, Tyson Scott <[email protected]> wrote:
>
>> Your split tunnel list should be able to define what networks you will
>> allow in.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>> Telephone: +1.810.326.1444
>> Cell: +1.248.504.7309
>> Fax: +1.810.454.0130
>> Mailto: [email protected]
>>
>> Join our free online support and peer group communities:
>> http://www.IPexpert.com/communities
>>
>> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
>> Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab,
>> CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE
>> Storage Lab Certifications.
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Paul Stewart
>> *Sent:* Thursday, October 22, 2009 10:07 PM
>> *To:* [email protected]
>> *Subject:* [OSL | CCIE_Security] EZ VPN on IOS
>>
>> I have been messing around with EZ VPN and various configurations. With
>> the EZ VPN client in NEM, it inserts the SAs into my router as expected.
>> My question is, is there a way on the router acting as an EZ VPN Server to
>> restrict what SAs can be inserted by an EZ VPN client in network extension
>> mode? Just thinking there must be a way to prevent NEM from the server, or
>> restrict the SAs that can be automatically created on the server by the
>> client. I think there is a group-policy for this on the ASA (like nem
>> disable), but I am overlooking something similar on the router platform. If
>> anyone knows how this is done, let me know. If not, I'll post back when I
>> figure it out.
>>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
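The point raised at the top of the thread, that a PSK-deployed RA client profile carries the group key in the PCF file where the user can read it, can be turned into a quick defender-side audit. The script below is an added example and not part of the list discussion; it assumes the PCF is INI-style with a `[main]` section, that `AuthType` 1 means pre-shared group key and 3 means certificate, and that the group secret lives in `GroupPwd` or `enc_GroupPwd`. The two profiles are constructed samples.

```python
import configparser
from dataclasses import dataclass

# Constructed sample PCF profiles (not from the thread): one PSK, one certificate.
PSK_PCF = """[main]
Description=Branch dialup
Host=vpn.example.com
AuthType=1
GroupName=branch-users
enc_GroupPwd=DEADBEEF0123
EnableISPConnect=0
"""

CERT_PCF = """[main]
Description=Cert profile
Host=vpn.example.com
AuthType=3
CertStore=2
CertName=alice-laptop
"""

@dataclass
class PcfFinding:
    host: str
    auth_type: str
    embeds_group_secret: bool
    risk: str

def audit_pcf(text: str) -> PcfFinding:
    """Classify a PCF profile by how the group is authenticated.

    Assumption: AuthType 1 = pre-shared group key, 3 = digital certificate;
    the group secret is stored in GroupPwd (clear) or enc_GroupPwd (obfuscated).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so enc_GroupPwd and GroupPwd match exactly
    cp.read_string(text)
    main = cp["main"]
    auth = main.get("AuthType", "1").strip()
    secret = any(main.get(k) for k in ("GroupPwd", "enc_GroupPwd"))
    if secret:
        # An obfuscated PSK in a user-readable file is recoverable by that user,
        # so the profile is treated as exposing the group key regardless of AuthType.
        risk = "high: group PSK embedded in profile"
    elif auth == "3":
        risk = "low: certificate-authenticated, no group key in profile"
    else:
        risk = "review: no group key found, AuthType=%s" % auth
    return PcfFinding(main.get("Host", "?"), auth, secret, risk)
```

Run `audit_pcf` over every profile in a deployment share to list which ones still ship a group key and should move to certificates.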
