OpenVPN and ISA 2006 - OpenVPN on a DMZ

We have installed ISA 2006 as our network firewall, Web Proxy and VPN server.

We have as VPN options PPTP, L2TP/IPsec for remote access plus IPsec tunnel mode for site-to-site VPN.

PPTP is not a real choice these days due to security flaws. It also does not provide per-packet data integrity (proof that the data was not modified in transit), per-packet data origin authentication (proof that the data was sent by the legitimate source) or protection against replay attacks. PPTP provides only per-packet data confidentiality. This is stated on Microsoft's site too.

With L2TP/IPsec we might experience connection problems through some NAT devices, or some network admins might block IPsec.
So we are thinking about an SSL VPN option. IAG can do that, but right now we might not have the resources to invest in IAG.

Fortunately we have OpenVPN, which according to its site:
“OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls.”
OpenVPN has Diffie-Hellman key agreement, RSA authentication, HMAC-SHA1 integrity checks (for per-packet data origin authentication and data integrity; the usage of HMAC is to first encrypt a packet, then HMAC the resulting ciphertext), explicit IV, and replay attack protection (by using a variant of the sliding-window algorithm, the same algorithm used by IPsec, where each packet is tagged with a unique, incrementing sequence). Please refer to this presentation. And the symmetric encryption algorithm can even be AES-256-CBC. Plus the "--tls-auth" which when used will enable OpenVPN to (see OpenVPN's Man Page).
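The receive-side order of checks described above (verify the HMAC over the ciphertext first, then apply the sliding-window replay check) can be sketched as follows. This is an added example, not OpenVPN's code or wire format: the packet layout (20-byte HMAC-SHA1 tag, 4-byte sequence number, opaque ciphertext), the 64-packet window and the names `seal`, `Receiver` and `demo` are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 64    # window size chosen for this sketch (assumption)
TAG_LEN = 20   # HMAC-SHA1 output length in bytes

def seal(key, seq, ciphertext):
    """Sender: HMAC covers the sequence number and the already-encrypted payload."""
    body = struct.pack("!I", seq) + ciphertext
    return hmac.new(key, body, hashlib.sha1).digest() + body

class Receiver:
    def __init__(self, key):
        self.key = key
        self.highest = -1  # highest authenticated sequence number so far
        self.bitmap = 0    # bit i set => sequence (highest - i) was accepted

    def accept(self, packet):
        if len(packet) < TAG_LEN + 4:
            return "malformed"
        tag, body = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        # Authenticate first (constant-time compare); a forged packet must
        # never be decrypted and must never move the replay window.
        if not hmac.compare_digest(tag, expected):
            return "bad-hmac"
        (seq,) = struct.unpack("!I", body[:4])
        if seq > self.highest:
            shift = min(seq - self.highest, WINDOW)  # a big jump clears the window
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return "ok"
        offset = self.highest - seq
        if offset >= WINDOW:
            return "too-old"
        if (self.bitmap >> offset) & 1:
            return "replay"
        self.bitmap |= 1 << offset
        return "ok"

def demo():
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    rx = Receiver(key)
    first = seal(key, 1, b"opaque-ciphertext-1")  # constructed sample payloads
    forged = bytearray(seal(key, 500, b"opaque-ciphertext-x"))
    forged[-1] ^= 0x01  # simulate modification in transit
    packets = [first, seal(key, 3, b"ct3"), seal(key, 2, b"ct2"), first, bytes(forged)]
    return [rx.accept(p) for p in packets], rx.highest
```

Out-of-order delivery inside the window (sequence 2 arriving after 3) is accepted once, while the resent packet and the modified packet are both dropped, and the modified packet leaves the window position untouched.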


Comments (2) -

  • So last year I was running OpenVPN on my ISA server. This year I got a chance to rebuild my ISA box and include a DMZ. So I will be following this guide to install OpenVPN onto a host in the DMZ.

    But I did have a question.

    You have another article out there setting up ISA 2006 in a hub and spoke scenario. I'd like to accomplish that with OpenVPN, so the hub will have OpenVPN and the spokes will have a router running OpenVPN.

    I'd like for the spokes to be able to talk to one another.

    Your thoughts? Or maybe your next article?