Squid HTTPS/SSL killing Cisco VPN client connection

asterix

So after trying to find the right way to activate Squid HTTPS/SSL filtering and get it working (I think) I am having an issue with my company Cisco VPN client connection. It slaps a "the certificate on the secure gateway is invalid" error and disconnects.

Basically all I have done is create a Root CA in pfSense and then turned on HTTPS/SSL option in Squid. No other option selected in the Squid HTTPS/SSL section, though I did try "Accept remote server cert errors" to troubleshoot this VPN issue but it hasn't helped.

Any insights on what I may be doing wrong at my end?

I have to turn off SSL filtering totally to get the office laptop connect. If there is no other way to rectify this Cisco VPN certificate issue, how can I get just the office laptop to be on the un-filtered squid list so that it connects without going thru Squid filtering.

marcelloc

bypass transparent proxy for these destination ips.

asterix

Hmm… destination or source ip? I am not sure about the destination vpn addresses as they have multiple ips

Cino

destination ip

Are you using CiscoAnyConnect? If so, put a site and stay with that.. If you can't… When try to enter all destination ips as you find them.. Or ask your vpn administrator for the list?

edit: assign a static IP to your company laptop and setup a source rule to bypass your proxy completely. That should work for you. Not like you need to use your proxy since the traffic from the laptop should route thru the vpn tunnel

asterix

Yes I have already done the latter. Don't think the vpn admin will give out ant ips. The cisco profiles are encrypted so there is no way I can even open the file to check the DNS names for the vpn servers

Cino

Well if you can pick your vpn location… Connect and check your state table in pfsense. There will be the IPs..

The company I work for has 10 different locations which I can let CiscoAnyConnect auto choose or I pick.

marcelloc

Log client activities on firewall rules or via tcpdump.  Soon or later you will get most of them.

asterix

Have another issue with ssl filtering. Android apps fail to connect to the Internet. Play store, ebay… apps are useless unless I add them to the unfiltered list as well.
Kinda beats the purpose of https/ssl if I can't use it effectively.

Cino

Have you researched how MITM works?

You need to add the cert to every android device also like you do for your PCs, which IIRC you will to have to add a pin to every device to store the cert. Down the road MITM may not work for Google sites. I recall reading an article about that subject.

marcelloc

I think the same way as cino.  Read before implementing anything.

Ssl filtering is not done by magic or a pfsense package invention.

Cino

A couple links on how its works and such… They are different but same concept

https://mitmproxy.org/doc/index.html
http://docs.diladele.com/faq/squid/index.html