Netgate Discussion Forum

    Squid HTTPS/SSL killing Cisco VPN client connection

    pfSense Packages
    11 Posts 3 Posters 2.9k Views
    • asterix

      So after trying to find the right way to activate Squid HTTPS/SSL filtering and get it working (I think), I am having an issue with my company Cisco VPN client connection. It slaps a "the certificate on the secure gateway is invalid" error and disconnects.

      Basically all I have done is create a Root CA in pfSense and then turn on the HTTPS/SSL option in Squid. No other option is selected in the Squid HTTPS/SSL section, though I did try "Accept remote server cert errors" to troubleshoot this VPN issue, but it hasn't helped.

      Any insights on what I may be doing wrong at my end?

      I have to turn off SSL filtering totally to get the office laptop to connect. If there is no other way to rectify this Cisco VPN certificate issue, how can I get just the office laptop on the unfiltered Squid list so that it connects without going through Squid filtering?

      • marcelloc

        Bypass the transparent proxy for these destination IPs.

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        • asterix

          Hmm… destination or source IP? I am not sure about the destination VPN addresses as they have multiple IPs.

          • Cino

            Destination IP.

            Are you using Cisco AnyConnect? If so, pick a site and stay with that. If you can't… then try to enter all destination IPs as you find them, or ask your VPN administrator for the list?

            edit: assign a static IP to your company laptop and set up a source rule to bypass your proxy completely. That should work for you. Not like you need to use your proxy, since the traffic from the laptop should route through the VPN tunnel.

            • asterix

              Yes, I have already done the latter. Don't think the VPN admin will give out any IPs. The Cisco profiles are encrypted, so there is no way I can even open the file to check the DNS names for the VPN servers.

              • Cino

                Well, if you can pick your VPN location… Connect and check your state table in pfSense. There will be the IPs.

                The company I work for has 10 different locations, which I can let Cisco AnyConnect auto-choose or I pick.

                • marcelloc

                  Log client activities on firewall rules or via tcpdump. Sooner or later you will get most of them.

                  Elite Training: http://sys-squad.com

                  Help a community developer! ;D

                  • asterix
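Putting Cino's "check your state table" and marcelloc's "log client activity" advice into a script: this is an added example, not code from this thread or from the pfSense/Squid packages. It assumes the laptop's LAN address is 192.168.1.50, that AnyConnect reaches its gateways on port 443 (TCP, and DTLS over UDP), and it reads `pfctl -ss` output in the usual pfSense layout; the sample state lines below are constructed, not captured from a real box.

```shell
#!/bin/sh
# Constructed sample of `pfctl -ss` output (assumption: LAN-side states look like
# "src -> dst", outbound-NAT states look like "natsrc (origsrc) -> dst").
SAMPLE_STATES='lan tcp 192.168.1.50:52344 -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
wan tcp 198.51.100.2:60010 (192.168.1.50:52344) -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
lan udp 192.168.1.50:52345 -> 203.0.113.10:443       MULTIPLE:MULTIPLE
lan tcp 192.168.1.50:52346 -> 203.0.113.11:443       ESTABLISHED:ESTABLISHED
lan tcp 192.168.1.77:40001 -> 203.0.113.99:443       ESTABLISHED:ESTABLISHED
lan tcp 192.168.1.50:52350 -> 203.0.113.20:80        ESTABLISHED:ESTABLISHED'

# vpn_destinations LAPTOP_IP [STATES]
# Prints the unique destination IPs that LAPTOP_IP has states to on port 443
# (TCP or UDP), one per line, suitable for the Squid "bypass for these
# destination IPs" list. Reads `pfctl -ss` unless STATES is supplied.
# IPv4 only (assumption): bracketed IPv6 states are skipped.
vpn_destinations() {
  laptop="$1"
  states="${2:-$(pfctl -ss)}"
  printf '%s\n' "$states" | awk -v src="$laptop" '
    {
      # locate the "->" token; the field before it is the original source
      # (the parenthesised pre-NAT address when the state was NATed)
      arrow = 0
      for (i = 3; i < NF; i++) if ($i == "->") { arrow = i; break }
      if (!arrow) next
      s = $(arrow - 1); d = $(arrow + 1)
      gsub(/[()]/, "", s)
      ns = split(s, sp, ":"); nd = split(d, dp, ":")
      if (ns != 2 || nd != 2) next        # not a plain IPv4:port pair, skip it
      if (sp[1] == src && dp[2] == "443") seen[dp[1]] = 1
    }
    END { for (ip in seen) print ip }' | sort -u
}

# Sample run against the constructed states; on a real box drop the 2nd argument
# while the laptop is connected to the VPN (repeat per gateway location).
vpn_destinations 192.168.1.50 "$SAMPLE_STATES"
```

Run it while the VPN is connected and merge the output from each location into the bypass list; anything the laptop talks to on 443 that is not a VPN gateway (a web site) would also show up, so check the list before pasting it in.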

                    Have another issue with SSL filtering. Android apps fail to connect to the Internet. Play Store, eBay… apps are useless unless I add them to the unfiltered list as well.
                    Kinda beats the purpose of HTTPS/SSL filtering if I can't use it effectively.

                    • Cino

                      Have you researched how MITM works?

                      You need to add the cert to every Android device as well, like you do for your PCs, which IIRC means you will have to add a PIN to every device to store the cert. Down the road MITM may not work for Google sites. I recall reading an article about that subject.

                      • marcelloc

                        I think the same way as Cino. Read before implementing anything.

                        SSL filtering is not done by magic or a pfSense package invention.

                        Elite Training: http://sys-squad.com

                        Help a community developer! ;D

                        • Cino

                          A couple of links on how it works and such… They are different, but the same concept.

                          https://mitmproxy.org/doc/index.html
                          http://docs.diladele.com/faq/squid/index.html

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.