TOPIC: VPN inside a VPN

VPN inside a VPN 10 years 2 months ago #17068

  • elebel
  • New Member
  • Posts: 3
  • Karma: 0
Hi folks,

I have a simple question that I'm not able to verify by myself right now due to the lack of equipment for testing. The question is related to VPN.

We have many VPNs with our customers and we plan on deploying additional servers into their infrastructure in a separate VLAN protected by a firewall. In almost all cases we build the VPN with our customer with our own device, but some customers want us to use their device for VPN connectivity. That's fine, but since we have servers isolated inside and don't want our traffic to go in the clear on the customer network, I'm thinking of building another VPN inside the VPN to ensure that I will be fully secure. (Because we deal with confidential data here.)

At the customer site we will already have a device inside to terminate the VPN, but on our site I'm wondering if I can build a config to host the two VPNs on only one device (PIX, ASA and ROUTER)? Because we would like not to have to deploy another pair of VPN devices (PIX, ASA or ROUTER) only for those types of customer.

thanks
elebel
We can change the world if god gave us the source code.

Re: VPN inside a VPN 10 years 2 months ago #17074

  • havohej
  • Distinguished Member
  • Posts: 152
  • Karma: 0
So you mean encrypting again already-encrypted traffic?
If you set up the logical path end to end correctly, you won't have problems; I mean, conceptually it must work.

One thing it maybe would affect is a little latency brought by the packet manipulation (encrypt --- encrypt again --- decrypt --- decrypt again) by the cloud device, which maybe could affect the application.

Re: VPN inside a VPN 10 years 2 months ago #17083

  • elebel
  • New Member
  • Posts: 3
  • Karma: 0
Yes, I know that performance will not be as good as with only one VPN. But I'm wondering if one device can encrypt the same traffic twice?


CORP --> VPN -> INTERNET -> CUST VPN -> LAN -> CORP VPN -> CUST CORP SVRS

VPN1 : VPN <=> CUST VPN
VPN2 : VPN <=> CORP VPN

The first VPN in the chain is the one where I want to create a double VPN configuration.

The reason that forces me to think of a weird setup like this is the fact that the customer VPN needs to terminate on a LAN where we cannot allow unencrypted traffic.

thanks
elebel
We can change the world if god gave us the source code.
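
The data path sketched in the post above, as an added Python model that is not part of the original thread. A toy SHA-256 keystream plus HMAC stands in for IPsec ESP tunnel mode (an assumption, not real ESP); the hop names come from the diagram, and the keys and payload are constructed. It shows that the customer LAN segment only ever carries the inner VPN2 packet.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode); a stand-in for ESP encryption only.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encap(key, src, dst, inner):
    """Tunnel mode: hide the whole inner packet behind a new src>dst header."""
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(inner, _stream(key, nonce, len(inner))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:12]
    return f"{src}>{dst}|".encode() + nonce + ct + tag

def decap(key, packet):
    """Strip the outer header, check integrity, return the inner packet."""
    _, body = packet.split(b"|", 1)
    nonce, ct, tag = body[:8], body[8:-12], body[-12:]
    want = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(tag, want):
        raise ValueError("integrity check failed (wrong tunnel key?)")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def header(packet):
    """Return the outermost cleartext header, i.e. what a sniffer can read."""
    return packet.split(b"|", 1)[0].decode()

def walk_path(payload, k_vpn1, k_vpn2):
    """Follow one packet along CORP -> ... -> CUST CORP SVRS, hop by hop."""
    clear = b"CORP>CUST CORP SVRS|" + payload
    # The single corporate device applies VPN2 first, then VPN1 around it.
    inner = encap(k_vpn2, "VPN", "CORP VPN", clear)
    on_internet = encap(k_vpn1, "VPN", "CUST VPN", inner)
    on_cust_lan = decap(k_vpn1, on_internet)    # CUST VPN removes VPN1 only
    at_servers = decap(k_vpn2, on_cust_lan)     # CORP VPN removes VPN2
    return {"internet": on_internet, "customer_lan": on_cust_lan,
            "servers": at_servers}

if __name__ == "__main__":
    # Constructed keys and payload, for illustration only.
    hops = walk_path(b"confidential record 42", os.urandom(32), os.urandom(32))
    for name, pkt in hops.items():
        print(f"{name:13} header={header(pkt)!r} "
              f"payload visible={b'confidential' in pkt}")
```
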

Re: VPN inside a VPN 10 years 2 months ago #17127

  • TheBishop
  • Moderator
  • Posts: 1719
  • Thank you received: 8
  • Karma: 5
Not too sure about your exact scenario, but I've done a VPN-within-VPN which works okay. The reason was that the customer insisted on particular encryption using hardware encryption units being used across the link. So I used a basic PPTP VPN to establish and authenticate the connection but with no encryption on it. Once that's up, I let the hardware units talk to each other across it and establish their own encrypted channel.

Re: VPN inside a VPN 10 years 2 months ago #17235

  • elebel
  • New Member
  • Posts: 3
  • Karma: 0
What type of device were you using for your VPN? Because I'm looking for an IPSEC VPN. On one point use the same device for both, but on the remote relocation use two devices. And what I was wondering is if I'll be able to create the two tunnels inside the same VPN appliance (Cisco equipment).

thanks
elebel
We can change the world if god gave us the source code.

Re: VPN inside a VPN 10 years 2 months ago #17237

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
We are running a VPN inside a VPN for simplicity reasons.

Our Active Directory is protected by a firewall; only sites that are on our Active Directory (not all sites are) are allowed access to the AD. To simplify the rules on the firewall, we decided to use a VPN which then just lets all the traffic from the sites that require it through to the back-end AD.

One site however, needed to have ADSL installed. For this reason, we set them up with public ADSL and then used an IPSec VPN connection into our network.

We therefore have:
Cisco Router -> Cisco VPN Concentrator for the site to site VPN over ADSL.
Then to access the AD, we have a PPTP VPN using ISA Servers.

This seems to work ok.

Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.