A couple of questions regarding some VPN features

  • 25 June 2008 14:10, adimcev
    Hi,
    I have a couple of questions regarding VPN:

     - Will we be able to specify which certificate on TMG will be used for IKE authentication for L2TP/IPsec connections?
    Right now with ISA 2006, we can only specify which certificate on ISA can be used for EAP-TLS from RRAS.
    Assuming that we want to use Vista with "The Verify name and usage attributes of the server's certificate" option (http://support.microsoft.com/kb/926182) and there are multiple certificates on TMG from the same internal CA, it would be useful to specify which certificate we want TMG to use for IKE authentication.

     - Will we be able to specify on which IP address of the external NIC TMG is listening for VPN connections when we have multiple IP addresses on that NIC?
    Right now we can only specify on which Networks ISA 2006 is listening for incoming VPN connections.

     - Will we be able to specify which VPN users can use PPTP and which can use L2TP/IPsec from the TMG GUI?
    With ISA we can do that using IAS for example, but not from ISA's GUI.

     - An annoying problem with ISA 2006 was related to IPsec tunnel mode site-to-site connections. In many cases, we do not need to specify as local subnet the entire Internal Network. Only a few servers need to be accessible from the remote site.
    While it is not a problem to specify that the remote site includes only a few IP addresses, the site-to-site wizard does not ask us about the local subnet. It is "assumed" that the entire range of IP addresses from the Internal Network is to be used.
    The IPsec tunnel mode site-to-site connections depend on the proxy identities (QM filters) presented during IKE Quick Mode negotiations. Thus, we end up having a "situation"...
    I wrote about it here:
    http://www.carbonwind.net/ISA/IPsecTunnelModeNotSupportedThings/IPsecTunnelModeNotSupportedThings.htm

     - Regarding L2TP/IPsec VPN connections, will there be a separation between the IPsec policies used for remote access and site-to-site connections, and thus will we be able to adjust the L2TP/IPsec site-to-site connections to use PFS for session keys or to set a lifetime in MB for the IPsec SAs?
    These are, I would say sensitive settings for a site-to-site connection.
    Also with IPsec tunnel mode site-to-site connections we can use AES 256, SHA 256...
    I see (with Wireshark) that the Elliptic Curve Diffie-Hellman 384-bit Group is used (equals AES 192 strength) by default with L2TP/IPsec. And IPsec Monitor shows no PFS for session keys.
    But it looks (from Firewall with Advanced Security/Monitoring/SAs/MM or QM) that with L2TP/IPsec, SHA-1 is used, although AES 256 for IPsec SAs is available if we select maximum encryption strength...
    ("There is a significant implementation problem with AES in that the key requirement for DH is very large and few implementations can support generation of a key that size.", http://www.microsoft.com/technet/community/chats/trans/network/net0610.mspx)
    According to this, http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf, SHA-1 is not quite up to the "task" of "playing" with EC DH 384-bit group or AES 256.
    So will we be able to modify the default IPsec policy for L2TP/IPsec site-to-site connections?

     - Interesting, in the RRAS console on Win 2008 "The Verify name and usage attributes of the server's certificate" option is available. Assuming that we check this checkbox (or maybe we should stay away from it), and it works, may we fall into the certificate selection for IKE authentication problem?

     - I'll throw this one in, although it does not seem feasible to me right now: will we get dynamic routing support (say OSPF) for L2TP/IPsec site-to-site connections, and thus benefit from what some may call dynamic site-to-site VPNs?

    Thanks,
    Adrian
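The Quick Mode proxy identity problem raised in the post (the ISA wizard assuming the whole Internal Network as the local subnet), worked through as an added example that is not part of the original post or of ISA/TMG. It models the IKEv1 rule that the initiator's (local, remote) identity pair must be the exact mirror of the responder's pair; the subnets are constructed sample values.

```python
"""Quick Mode (QM) proxy identity matching for an IPsec tunnel-mode
site-to-site link. Added illustration; all subnets are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class QuickModeIdentity:
    """Identities one peer offers in QM: the range it protects (local)
    and the range it expects behind the far gateway (remote)."""
    local: IPv4Network
    remote: IPv4Network

    def mirrors(self, peer: "QuickModeIdentity") -> bool:
        # IKEv1 has no selector narrowing (that arrived with IKEv2), so a
        # responder accepts only the exact mirror image of its own pair.
        return self.local == peer.remote and self.remote == peer.local


def negotiate(initiator: QuickModeIdentity, responder: QuickModeIdentity) -> dict:
    """Compare both peers' QM identities as an IKEv1 responder would and
    report which half mismatches, so the operator sees what to fix."""
    result = {"established": initiator.mirrors(responder), "mismatch": []}
    if initiator.local != responder.remote:
        result["mismatch"].append(
            f"initiator local {initiator.local} != responder remote {responder.remote}")
    if initiator.remote != responder.local:
        result["mismatch"].append(
            f"initiator remote {initiator.remote} != responder local {responder.local}")
    return result


# Constructed sample: only one head-office server subnet should be reachable.
HQ_INTERNAL = ip_network("10.0.0.0/16")   # the whole Internal Network
HQ_SERVERS = ip_network("10.0.5.0/24")    # the servers the branch actually needs
BRANCH_LAN = ip_network("192.168.7.0/24")

# The branch gateway is configured for the narrow pair.
branch = QuickModeIdentity(local=BRANCH_LAN, remote=HQ_SERVERS)
# The wizard's assumption: local identity is the entire Internal Network.
hq_wizard_default = QuickModeIdentity(local=HQ_INTERNAL, remote=BRANCH_LAN)
# What the head-office side would need in order to match.
hq_narrowed = QuickModeIdentity(local=HQ_SERVERS, remote=BRANCH_LAN)

if __name__ == "__main__":
    for name, hq in (("wizard default", hq_wizard_default), ("narrowed", hq_narrowed)):
        print(name, negotiate(branch, hq))
```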
