Investigate alternative TPP VPN clients #31
Comments
I've alerted TPP to this issue. I will follow up again.
I've emailed TPP a couple of times about this so far this year. Will follow up again this week.
Have now asked Matt a third time if they've been able to discuss this. If I don't have any response within the next week, I think we should come up with a new plan.
Update from Matt
Details about the current VPN configuration for context. Slack conversations about recent attempts to install a VPN client to access the TPP environment 🧵 thread. Given that this is a potential security risk, I've now added it to the list of items to go onto our new security risk register.
It's unlikely any work will be done on this within the next month or so, so I'm going to keep this open but move it from our board.
TPP currently provides a specific Windows x64 client to connect to their VPN.
This is problematic for our many users who need to connect to the VPN on Mac or Linux, who have to run an x64 Windows VM to run the client, which is currently not an option at all on new M1 Macs.
TPP have said we can use an alternative client, although they are keen that this client is kept up to date.
The TPP VPN is currently configured to use IPSec with IKEv1 and a pre-shared key.
On Linux, the strongswan package can do this, based on exploratory testing.
MacOSX doesn't support IKEv1; we would need to find an M1-compatible client.
However, IKEv1 is quite old, and IKEv2 is a) supported OOTB on MacOSX b) the recommended setting for IPSec.
Sonicwall 7 supports IKEv2, and AFAICS so does its client.
So, a possible route to resolve this is to ask TPP to switch the VPN to IKEv2, and then Mac and Linux support is much easier, and we are upgrading the protocol to a better version at the same time. AIUI, uses of the existing client shouldn't be affected at all.
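A small audit for the migration proposed above, as an added example that is not part of the original issue or the project's code: it parses a strongSwan legacy `ipsec.conf` and flags connections that still use IKEv1 or pre-shared-key authentication. The sample config, conn names and gateway address are constructed; `also=` includes and `leftauth`/`rightauth` are not handled.

```python
# Constructed sample in strongSwan's legacy ipsec.conf format; the conn names
# and gateway (an RFC 5737 documentation address) are placeholders.
SAMPLE_CONF = """\
config setup
    uniqueids = yes

conn %default
    authby = secret

conn vpn-current
    keyexchange = ikev1   # what the issue describes today
    right = 192.0.2.10
    auto = add

conn vpn-proposed
    keyexchange = ikev2
    right = 192.0.2.10
    auto = add
"""

PSK_AUTH = {"secret", "psk", "xauthpsk"}  # authby values that mean a shared key

def parse_conns(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header at column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = sections.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:  # indented key = value
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().lower()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}

def audit(text):
    """List (conn, finding) pairs for IKEv1 and pre-shared-key use."""
    findings = []
    for name, opts in parse_conns(text).items():
        if opts.get("keyexchange", "ike") == "ikev1":
            findings.append((name, "IKEv1 key exchange"))
        if opts.get("authby") in PSK_AUTH:
            findings.append((name, "pre-shared key authentication"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONF):
        print(f"{name}: {finding}")
```

On the sample, the IKEv2 connection is still reported for its pre-shared key, because it inherits `authby` from `conn %default`.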