opensafely-core / sysadmin

Various scripts and tools for administering OpenSAFELY organisation and infrastructure

Investigate alternative TPP VPN clients #31

Open bloodearnest opened 2 years ago

bloodearnest commented 2 years ago

TPP currently provides a specific Windows x64 client to connect to their VPN.

This is problematic for our many users who need to connect to the VPN on Mac or Linux, who have to run an x64 Windows VM to run the client, which is currently not an option at all on new M1 Macs.

TPP have said we can use an alternative client, although they are keen that this client is kept up to date.

The TPP VPN is currently configured to use IPsec with IKEv1 and a pre-shared key.

On Linux, the strongswan package can do this, based on exploratory testing.

macOS doesn't support IKEv1, so we would need to find an M1-compatible client.

However, IKEv1 is quite old, and IKEv2 is a) supported OOTB on macOS and b) the recommended setting for IPsec.

SonicWall 7 supports IKEv2, and AFAICS so does its client.

So, a possible route to resolve this is to ask TPP to switch the VPN to IKEv2; then Mac and Linux support is much easier, and we are upgrading the protocol to a better version at the same time. AIUI, users of the existing client shouldn't be affected at all.
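As an added illustration that is not part of this issue or the sysadmin repo: a strongSwan swanctl.conf sketch of the current IKEv1 pre-shared-key arrangement next to the IKEv2 variant proposed above, so the two can be compared side by side. The gateway name vpn.tpp.example, the remote subnet 10.0.0.0/8, the client identity and the PSK are all placeholders, and the cipher proposals are my choices, not TPP's settings.

```conf
connections {
    # Current TPP setup: IKEv1 with a pre-shared key (the mode strongSwan can speak on Linux)
    tpp-ikev1 {
        version = 1
        remote_addrs = vpn.tpp.example          # placeholder gateway, not TPP's real address
        aggressive = no                         # main mode; aggressive mode exposes a PSK-derived hash to offline guessing
        proposals = aes256-sha256-modp2048
        local {
            auth = psk
            id = CLIENT_ID_PLACEHOLDER
        }
        remote {
            auth = psk
            id = vpn.tpp.example
        }
        children {
            tpp {
                remote_ts = 10.0.0.0/8          # placeholder TPP-side subnet
                esp_proposals = aes256-sha256
            }
        }
    }
    # Proposed setup: same gateway and PSK, but IKEv2 (native on macOS, and the recommended IPsec version)
    tpp-ikev2 {
        version = 2
        remote_addrs = vpn.tpp.example
        proposals = aes256gcm16-prfsha256-ecp256
        local {
            auth = psk
            id = CLIENT_ID_PLACEHOLDER
        }
        remote {
            auth = psk
            id = vpn.tpp.example
        }
        children {
            tpp {
                remote_ts = 10.0.0.0/8
                esp_proposals = aes256gcm16
            }
        }
    }
}
secrets {
    # PSK selected by the two identities above; keep this file readable by root only
    ike-tpp {
        id-1 = CLIENT_ID_PLACEHOLDER
        id-2 = vpn.tpp.example
        secret = "PSK_PLACEHOLDER"
    }
}
```

Only the `version` and proposal lines differ between the two connections, which is the point: the client side of the switch is small, while the gateway side (per TPP's later reply in this thread) is where the work lies.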

sebbacon commented 2 years ago

I've alerted TPP to this issue. I will follow up again.

lucyb commented 1 year ago

I've emailed TPP a couple of times about this so far this year. Will follow up again this week.

lucyb commented 1 year ago

Have now asked Matt a third time if they've been able to discuss this. If I don't have any response within the next week, I think we should come up with a new plan.

lucyb commented 1 year ago

Update from Matt

We have been looking into this; the current VPN solution doesn't allow for IKEv2 to be used. If we want to use IKEv2 we would need to move the VPN to a different solution, which will require significant project work including testing, configuration and rollout. It may be quicker to try to work around the issues with the NHS laptops, but happy to discuss further.

lucyb commented 1 year ago

Details about the current VPN configuration for context.

Slack conversations about recent attempts to install a VPN client to access the TPP environment 🧵 thread.

Given that this is a potential security risk, I've now added it to the list of items to go onto our new security risk register.

lucyb commented 1 year ago

It's unlikely any work will be done on this within the next month or so, so I'm going to keep this open but move it from our board.