Is it possible to use the Client Authentication Agent through an IPSec VPN tunnel

Shunze,

it should work like UTM does in the same way. Did you add the magic IP in the remote network objects?

1. I have forward all traffic from branch to HQ.
   So the magic IP should be forwarded to HQ too.
   
   
2. The branch office use XG's Wifi too, and controlled by branch's XG.
   So the magic IP should stop at branch's XG.

It conflicts between the them.

Is it possible to resolve the issue?

Hi ShunzeLee :

It will not create a conflict issue as CAA use 1.2.3.4 on port 9922 while Wifi use 1.2.3.4 on port 2712.

So packet will route correctly based on destination port binded with 1.2.3.4

Please ensure that "Client Authentication" is on under Appliance access settings over VPN zone. 

Hi, 

I already do that, but it doesn't work.

HQ IPsec

Branch IPsec

HQ

Branch

Although traffic to 1.2.3.4 will pass through IPsec Tunnel IP 10.81.234.6.

But authentication from branch failed.

No any log can be find on HQ's authentication log...

Shunze

Hi ShunzeLee 

As updated by  ,Please update magic IP as well in tunnel subnet.

On BO end along with 10.1.1.52/32 add 1.2.3.4/32 on local network end and vice versa on HO end and make the tunnel up and verify the status.

Are you sure??

Magic IP for branch user should forward to HQ. 

Branch local network add the magic IP? 

I think you are wrong!

Are you sure??

Magic IP for branch user should forward to HQ. 

Branch local network add the magic IP? 

I think you are wrong!

Hi ShunzeLee 

Yes you are correct and please ignore the last comment on adding magic IP over IPSec as that is not needed.

I have checked setup similar to yours in my LAB and I have confirmed below details.

BO XG IPSec SA:

HO XG IPSec SA:



BO XG Authentication Agent settings:

HO XG Authentication Agent settings:




BO XG will not forward 1.2.3.4 traffic over IPSec to HO XG as BO XG will listen traffic on port 9922. So BO will consider that request is for BO firewall it self though Authentication agent is off on all zone and further it will not take any action on that packet as we have not set authentication agent on BO.

So to confirm more on that further I have stopped the authentication service on BO XG and checked again however iptable chains for 1.2.3.4 still remain present on BO XG with authentication service status off and due to that reason magic IP traffic will be intercepted by BO XG device only for 1.2.3.4. so CAA will not work with the setup which you would like to achieve.

Workaround:

I have checked the login via captive portal and it is working and user is reflecting under live user.

Manually Access Captive portal from BO machine to check login.



User reflected on HO with live user with BO system IP.

Hi Vishal_R,

I know the web portal is worked, and the STAS is worked too.

But client want to use the CAA to restrict the way to identify.

Only users that have the CAA agent can complete the verification.

Other users without agent will be consider as guest, and can't access the DMZ zone in HQ.

Anyway, thanks for your information.

Shunze