Disable SSL - IPSEC only

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Disable SSL - IPSEC only

L4 Transporter

Hi,

a quick one: is it possible to disable SSL VPN at GP? So users can only connect via IPSEC...

I know its possible to do it the other way but we like to have a IPSEC only portal/gateway.

12 REPLIES 12

L6 Presenter

Hello HitHead,

Portal runs on SSL, but you can configure gateway for IPsec. Please configure following settings on Gateway for IPsec.

IPsec.png

Regards,

Hardik Shah

thanks,

I know, but the failover mechanism is still active (if IPSEC fails, GP is trying to connect via SSL).

Hi Hithead,

Than you can block SSL for Gateway IP address in Policy. That way failover will not take place in reality.

This will work only if portal is on another firewall.

Regards,

Hardik Shah

Hi Hithead,

Let me know if this helps, there is no inbuilt way or command to disable SSL.

I didnt find any existing Feature Request to disable SSL, I would suggest to contact Sales Engineer to open new Feature Request.

Regards,

Hardik Shah

Hi hshah,

Portal = Gateway in our installations. So not possible.

Will contact SE for a feature request. Thanks.

L6 Presenter

only way for now, just to create GP , GW config(empty portal config) and make clients connect with cisco client,ort etc.instead of GP client.

Hi HitHead,

In that case you can assign loopback IP to Portal and loopback should be part of untrust network.

Now you car restrict traffic on Gateway.

Let me know if thats a good work around.

Regards,

Hardik Shah

sorry but how should that work?

(We have one public IP (gateway = portal) NATed to the Portal. At the Portal we configured the public DNS as gateway for the client config.)

Do you have any free public IP from the pool. That can be configured on Loopback.

Thanks

No sadly not.

But I really like to know, how the loopback config works...

As I know, we have to authenticate at the Portal and Gateway with SSL (client certificate authentication). So I have to open (and NAT) SSL to the Portal/Gateway IP (IP is the same; private range).

So, and if the Portal IP is the loopback interface in a untrusted zone and my client gets the IP or DNS name of the gateway from the portal, SSL is still required for the authentication at the gateway. SSL is still open. - Hope its clear enough...? Understood my concern?

THX

HULK,

your answer is helpful but please correct me if I'm wrong or misunderstand the configuration:

Fist, a citation: " This request can be received either by Split tunnel on the physical interface ethernet 1/1, or by Full tunnel on the loopback interface by NATing 88.88.88.88:4501 to 1.1.1.1:4501. Both Split and Full tunnel cannot receive the IPSec request."

If I will configure our Portal/Gateway with the loopback solution, the authentication against the gateway is still necessary with SSL (port doesn't matter). Ok, my clients will connect with IPSEC but the SSL failover mechanism configured at the agent is still enable and also possible, because you have to authenticate against the gateway with SSL.

So in my opinion there is no way to disable a SSL tunnel, because of the SSL failover mechanism and authentication against the gateway.

Please correct me, if I'm wrong!

  • 6023 Views
  • 12 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!