Mobile access tunnels

In a client-to-site VPN tunnel, a mobile device with an unknown connecting IP address is interconnected with a local network. In such a setup, the mobile device is both the remote peer (which sends and receives unprotected traffic) and endpoint of the IPsec VPN tunnel that protects incoming and outgoing traffic. The IP address that carries unprotected traffic is called a red IP address, as opposed to the black IP address, which represents the tunnel endpoint.

It therefore functions differently from a site-to-site VPN tunnel, which is configured between two VPN gateways that in principle have black IP addresses known in advance; the traffic that requires encryption originates from separate subnetworks.

Mobile tunnels can be configured in Configuration > VPN > IPsec VPN > Mobile – Mobile users. The peer can either select its own red IP address, or be provided with one. In the first case, it is difficult to control routes and filter rules, while ensuring that there are no address conflicts between peers. In the second case, config mode allows the SNS firewall to send the red IP address that the client must use, which protects it from the risks mentioned.

R44 | SNS | Configure mobile tunnels in config mode
Config mode is recommended in mobile tunnels so that remote red IP addresses can be controlled. This mode can be set when the VPN access policy is created or subsequently in VPN > IPsec VPN > Mobile – Mobile users.

Setting up mobile VPN tunnels makes it possible to interconnect mobile users with local networks. It is therefore important to ensure that only explicitly authorized users can set them up. On SNS firewalls, this authorization is determined by default based on the validity of the shared key or the certificate (it cannot rely on the peer’s public IP address, which is not authenticated and not known in advance in mobile VPN tunnels).

In mobile VPN tunnels, a shared key must be defined for each client. However, this method raises a few security issues:

  • In the event of compromise or suspected compromise, this key must be changed on all mobile clients,

  • The authentication of mobile clients is not guaranteed,

  • The VPN gateway is vulnerable to brute force attacks.

R45 | SNS | Authenticate SNS firewalls and/or users with certificates
SNS firewalls and/or mobile users must be authenticated using certificates, to guarantee protection from the inherent weakness of pre-shared keys and to comply with recommendation R40.

When a certification authority is entered as accepted in Configuration > VPN > IPsec VPN > Identification, all certificates issued by this authority are allowed to set up mobile VPN tunnels.

R46 | SNS | Use a dedicated intermediate certification authority
To facilitate the management of permissions granted to mobile VPN tunnels, it is advisable to accept only intermediate certification authorities that serve to issue certificates dedicated to the use of this service.

Furthermore, certificate-based authentication makes it possible to use the UAC (User Access Control) mechanism that the SNS firewall provides when a directory is also used. With this feature, permissions to access mobile VPNs, filter rules and NAT rules can be managed granularly.