Shiva LanRover VPN - tunnel access

Kruse, Darren darren.kruse at EDS.COM
Sun Jan 23 18:50:17 EST 2000


Steve,
you can't, to my knowledge, stop people from *trying* to authenticate to a
tunnel profile, but you CAN stop them successfully authenticating by the use
of VPN groups at the back-end authentication server.

I'm not sure if this is a Shiva Access Manager 4.5 / 5.0 feature only, or
if it is also available on other RADIUS back ends like Cisco Secure. Can
anyone answer this?

VPN Groups are the association or glue that bind LRVG tunnels to
Authentication server User templates.

Create VPN groups on the SAM that match the LRVG tunnel profile group names
on the tunnels tab.

It is important that the VPN group names that are set up have EXACTLY the
same name (case sensitive) as the LRVG tunnel profiles. Refer to the
attached, zipped pictures. I've had to airbrush over the sensitive bits..
sorry.

This will allow you to set up as many tunnel profiles as you like, and only
have selected people use the VPN tunnel profiles YOU want.

Note the bug with SAM 4.5p1 that is fixed in 4.51p2: deleted VPN groups are
not really deleted... get the 4.51p2 release notes.

Additionally, we are setting up different client IP pools per tunnel profile
so that we can limit, through router packet filtering, the ports (i.e. HTTP,
telnet etc.) that users can go to. This is personal preference and may be
overkill for you. I'm more comfortable using Cisco ACLs to do the packet
filtering than the Shiva's firewall features. It's (IMHO) also good
security practice to separate these functions to give us greater defence in
depth.

hope this helps,
regards,

Darren Kruse
Advanced Communications Engineer
EDS (Australia)
tel: + 61 8 8301 5322 <<-- !! **Note new phone number** !!
PGP Fingerprint (valid to 31/12/2000)
6CD809275B6777820D61888AF84DEF004AF40E9F mailto://darren.kruse@eds.com
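As an added example that is not part of the original post or of any Shiva or EDS software, the binding rule described above (a SAM VPN group authorises a user for an LRVG tunnel profile only when the names match exactly, case sensitive) written as a configuration audit plus the resulting per-login decision; all profile and group names in it are constructed samples.

```python
# Added example, not from the post or any Shiva/EDS code. Implements the
# exact, case-sensitive name match between SAM VPN groups and LRVG tunnel
# profiles that the post describes. Sample names below are constructed.

def check_bindings(tunnel_profiles, vpn_groups):
    """Audit LRVG tunnel profile names against SAM VPN group names.

    Returns a dict with:
      ok            - profiles that have an exactly matching VPN group
      unreachable   - profiles with no exact match (nobody can be authorised)
      case_mismatch - (profile, group) pairs that differ only in case
      orphan_groups - VPN groups that bind no tunnel profile
    """
    exact = set(vpn_groups)
    by_lower = {}
    for g in vpn_groups:
        by_lower.setdefault(g.lower(), []).append(g)
    rep = {"ok": [], "unreachable": [], "case_mismatch": [], "orphan_groups": []}
    for profile in tunnel_profiles:
        if profile in exact:
            rep["ok"].append(profile)
            continue
        rep["unreachable"].append(profile)
        for g in by_lower.get(profile.lower(), []):
            if g != profile:
                rep["case_mismatch"].append((profile, g))
    bound = set(rep["ok"])
    rep["orphan_groups"] = sorted(g for g in vpn_groups if g not in bound)
    return rep


def user_may_use(user_vpn_groups, tunnel_profile):
    """Per-login decision: the user's VPN groups must contain the exact profile name."""
    return tunnel_profile in set(user_vpn_groups)


# Constructed sample configuration (not taken from the post).
TUNNELS = ["Finance", "Engineering", "Sales"]
GROUPS = ["Finance", "engineering", "Sales", "Marketing"]

if __name__ == "__main__":
    report = check_bindings(TUNNELS, GROUPS)
    for key, items in report.items():
        print(f"{key}: {items}")
    print(user_may_use(["Finance"], "Finance"))   # True
    print(user_may_use(["finance"], "Finance"))   # False
```

Running it on the sample data shows "Engineering" as unreachable because its only group differs in case, which is the failure mode the exact-name requirement produces.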



> -----Original Message-----
> From: Steve J Kuo [mailto:steve_j_kuo at EMAIL.MOBIL.COM]
> Sent: Friday, January 21, 2000 10:14 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: Shiva LanRover VPN - tunnel access
> Darren,
> 
> This is a different question. With a Shiva Access Manager, can you limit
> which tunnel a user can access? For example, there are 10 multiuser tunnels
> defined all using the same authentication server. If I have a valid
> id/password to pass the authentication, and I know all the tunnel names, can
> you limit me to only connect to one tunnel but not the other 9? I know the
> Shiva VPN box does not have that user-tunnel association.
> 
> Steve Kuo

-------------- next part --------------
A non-text attachment was scrubbed...
Name: vpn groups.zip
Type: application/octet-stream
Size: 18751 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20000124/ed7812f5/attachment.obj 

