    Squid HTTPS/SSL killing Cisco VPN client connection

• marcelloc

Bypass the transparent proxy for these destination IPs.

Elite Training: http://sys-squad.com

      Help a community developer! ;D

• asterix

Hmm… destination or source IP? I am not sure about the destination VPN addresses, as they have multiple IPs.

• Cino

Destination IP.

Are you using Cisco AnyConnect? If so, pick a site and stay with that. If you can't, then try to enter all destination IPs as you find them, or ask your VPN administrator for the list?

Edit: assign a static IP to your company laptop and set up a source rule to bypass your proxy completely. That should work for you. It's not like you need to use your proxy, since the traffic from the laptop should route through the VPN tunnel.

• asterix

Yes, I have already done the latter. I don't think the VPN admin will give out any IPs. The Cisco profiles are encrypted, so there is no way I can even open the file to check the DNS names for the VPN servers.

• Cino

Well, if you can pick your VPN location… connect and check your state table in pfSense. The IPs will be there.

The company I work for has 10 different locations, which I can let Cisco AnyConnect auto-choose or pick myself.

• marcelloc

Log client activity on firewall rules or via tcpdump. Sooner or later you will get most of them.

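To turn the "connect, then read the destinations off the state table" advice above into something repeatable, here is an added Python example (not from this thread or from pfSense): it parses `pfctl -ss` output for the laptop's static LAN IP and collects the port 443 destinations, ready to paste into a pfSense alias used by a proxy-bypass rule. The state-line layout it expects (translated source first, original LAN source in parentheses when outbound NAT applies) is an assumption, and the addresses are constructed.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample of `pfctl -ss` output (assumed shape:
# "iface proto src:port [(lan-src:port)] -> dst:port   state").
SAMPLE_STATES = """\
em1 tcp 198.51.100.2:52344 (192.168.1.50:52344) -> 203.0.113.10:443   ESTABLISHED:ESTABLISHED
em1 udp 198.51.100.2:41000 (192.168.1.50:41000) -> 203.0.113.10:443   MULTIPLE:MULTIPLE
em1 tcp 198.51.100.2:52345 (192.168.1.50:52345) -> 203.0.113.25:443   ESTABLISHED:ESTABLISHED
em1 tcp 198.51.100.2:52346 (192.168.1.77:52346) -> 93.184.216.34:443  ESTABLISHED:ESTABLISHED
em0 tcp 192.168.1.50:52347 -> 192.168.1.1:3128   ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>\S+?):(?P<sport>\d+)"
    r"(?:\s+\((?P<lan_src>\S+?):\d+\))?"   # present only when NAT rewrote the source
    r"\s+->\s+(?P<dst>\S+?):(?P<dport>\d+)"
)


def vpn_destinations(states, laptop_ip, ports=(443,)):
    """Return {dst_ip: {"proto/port", ...}} for outbound states the laptop opened to `ports`."""
    found = defaultdict(set)
    for line in states.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        # With outbound NAT the real LAN source is in parentheses; otherwise it is the first field.
        origin = m.group("lan_src") or m.group("src")
        if origin != laptop_ip or int(m.group("dport")) not in ports:
            continue
        found[m.group("dst")].add(f"{m.group('proto')}/{m.group('dport')}")
    return dict(found)


def alias_file(dests):
    """One address per line, sorted numerically, for import into a pfSense alias."""
    return "\n".join(sorted(dests, key=ipaddress.ip_address)) + "\n"


if __name__ == "__main__":
    hits = vpn_destinations(SAMPLE_STATES, "192.168.1.50")
    for ip, svc in hits.items():
        print(ip, ", ".join(sorted(svc)))
    print(alias_file(hits), end="")
```

Run it repeatedly over a few sessions to different VPN locations and merge the results; the proxy's own listener (port 3128 here) and other hosts' traffic are filtered out on purpose.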
• asterix

I have another issue with SSL filtering. Android apps fail to connect to the Internet. Play Store, eBay… apps are useless unless I add them to the unfiltered list as well.
Kinda defeats the purpose of HTTPS/SSL filtering if I can't use it effectively.

• Cino

                    Have you researched how MITM works?

You need to add the cert to every Android device as well, like you do for your PCs, which IIRC means you will have to add a PIN to every device to store the cert. Down the road MITM may not work for Google sites; I recall reading an article about that subject.

• marcelloc

I think the same way as Cino. Read before implementing anything.

SSL filtering is not done by magic or a pfSense package invention.

• Cino

A couple of links on how it works and such… They are different, but the same concept:

                        https://mitmproxy.org/doc/index.html
                        http://docs.diladele.com/faq/squid/index.html

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.