EzDevInfo.com

vpn interview questions

Top vpn frequently asked interview questions

How do you avoid network conflict with VPN internal networks?

While there's a wide variety of private non-routable networks across 192.168/16 or even 10/8, sometimes, even in being thoughtful of potential conflict, it still occurs. For example, I set up an OpenVPN installation once with the internal VPN network on 192.168.27. This was all fine and dandy until a hotel used that subnet for floor 27 on their wifi.

I re-IP'd the VPN network to a 172.16 network, since that seems to be all but unused by hotels and internet cafés. But is that an appropriate solution to the problem?

While I mention OpenVPN, I'd love to hear thoughts about this problem on other VPN deployments, including plain ol' IPSEC.


Source: (StackOverflow)
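An added example (not from the question or its answers) of the check a VPN operator can run before picking an internal subnet: it reports which client-side networks overlap the VPN's subnet and walks a candidate pool such as 172.16.0.0/12 for a /24 that collides with nothing. The hotel-wifi networks below are constructed to reproduce the clash described above.

```python
import ipaddress
from typing import Iterable, List, Optional

Net = ipaddress.IPv4Network


def conflicting_networks(vpn_subnet: str, local_subnets: Iterable[str]) -> List[Net]:
    """Return the client-side networks that overlap the VPN's internal subnet.

    Any overlap means the client already has an on-link route for part of
    the VPN range, so traffic for those addresses may never enter the tunnel
    (or LAN traffic may be pulled into it). overlaps() catches both a /24
    clashing with an identical /24 and a /24 sitting inside a wider /16.
    """
    vpn = ipaddress.ip_network(vpn_subnet, strict=False)
    local = (ipaddress.ip_network(s, strict=False) for s in local_subnets)
    return [n for n in local if n.overlaps(vpn)]


def first_free_subnet(local_subnets: Iterable[str], candidate_pool: str,
                      prefixlen: int = 24) -> Optional[Net]:
    """Split candidate_pool into /prefixlen pieces and return the first piece
    that overlaps none of local_subnets, or None if the pool is exhausted."""
    taken = [ipaddress.ip_network(s, strict=False) for s in local_subnets]
    pool = ipaddress.ip_network(candidate_pool, strict=False)
    for cand in pool.subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(n) for n in taken):
            return cand
    return None


# Constructed sample: the questioner's VPN on 192.168.27.0/24 and a hotel
# network that hands out the same /24 on floor 27 plus 10/8 for its guests.
VPN_SUBNET = "192.168.27.0/24"
HOTEL_NETWORKS = ["192.168.27.0/24", "10.0.0.0/8"]

if __name__ == "__main__":
    clashes = conflicting_networks(VPN_SUBNET, HOTEL_NETWORKS)
    print("conflicts with VPN subnet:", [str(n) for n in clashes])
    # Look for a replacement in the less commonly used 172.16/12 range.
    print("first free /24 in 172.16/12:", first_free_subnet(HOTEL_NETWORKS, "172.16.0.0/12"))
```

Running the same check against the networks seen at each client site over time gives an inventory of ranges to avoid rather than a single guess.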

VPN client connect/disconnect via command line in XP

In an XP Pro workstation, is there a way to start the native Windows VPN client and open/close a connection from the command line so it can be scripted in a batch file?


Source: (StackOverflow)

Mysterious misdirected Chinese traffic : How can I find out what DNS server an HTTP request used?

For the past week I've been getting a huge stream of traffic from a wide range of Chinese IP addresses. This traffic appears to be from normal people and their HTTP requests indicate that they think I'm:

  • Facebook
  • The Pirate Bay
  • various BitTorrent trackers
  • porn sites

All of which sounds like things people would use a VPN for. Or things that would make Great Wall of China angry.

User-agents include web browsers, Android, iOS, FBiOSSDK, Bittorrent. The IP addresses are normal commercial Chinese providers.

I have Nginx returning 444 if the host is incorrect or the user agent is obviously wrong:

## Deny illegal Host headers
if ($host !~* ^({{ www_domain }})$ ) {
   return 444;
}
## block bad agents
if ($http_user_agent ~* FBiOSSDK|ExchangeWebServices|Bittorrent) {
    return 444;
}

I can handle the load now, but there were some bursts of up to 2k/minute. I want to find out why they are coming to me and stop it. We also have legitimate CN traffic, so banning 1/6th of planet earth is not an option.

It is possible that it's malicious and even personal, but it may just be a misconfigured DNS over there.

My theory is that it's a misconfigured DNS server or possibly some VPN services that people are using to get around the Great Firewall.

Given a client IP address:

183.36.131.137 - - [05/Jan/2015:04:44:12 -0500] "GET /announce?info_hash=%3E%F3%0B%907%7F%9D%E1%C1%CB%BAiF%D8C%DE%27vG%A9&peer_id=%2DSD0100%2D%96%8B%C0%3B%86n%8El%C5L%11%13&ip=183.36.131.137&port=11794&uploaded=4689970239&downloaded=4689970239&left=0&numwant=200&key=9085&compact=1 HTTP/1.0" 444 0 "-" "Bittorrent"

I can know:

descr:          CHINANET Guangdong province network
descr:          Data Communication Division
descr:          China Telecom

  • How can I find out what DNS server those customers are using?
  • Is there any way to determine if an HTTP request is coming from a VPN?
  • What is really going on here?

Source: (StackOverflow)
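An added example, not part of the question above, of triaging this kind of misdirected traffic from the access log rather than from the Nginx rules alone: it parses the combined-format lines the questioner shows, labels each request (tracker announce, Facebook SDK, other), tallies them per source /16, and counts announces whose self-reported ip= parameter differs from the actual source address (in the questioner's line both are 183.36.131.137, which argues against a NAT or VPN egress in front of that peer). The log lines below are constructed with documentation addresses.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# nginx "combined" format, as in the excerpt above. It carries no $host
# field, so the Host header the clients sent must be logged separately.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (TEST-NET addresses, made-up info_hash values).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jan/2015:04:44:12 -0500] "GET /announce?info_hash=abc&peer_id=x&ip=203.0.113.7&port=11794 HTTP/1.0" 444 0 "-" "Bittorrent"',
    '203.0.113.9 - - [05/Jan/2015:04:45:01 -0500] "GET /announce?info_hash=def&peer_id=y&ip=10.1.2.3&port=6881 HTTP/1.1" 444 0 "-" "Bittorrent"',
    '198.51.100.4 - - [05/Jan/2015:04:45:30 -0500] "GET /me HTTP/1.1" 444 0 "-" "FBiOSSDK.3.1"',
    '198.51.100.5 - - [05/Jan/2015:04:46:02 -0500] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Linux; Android 4.4)"',
    'this line is not in combined format and is skipped',
]


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict) -> str:
    """Label a request by what the client believed it was talking to."""
    path = urlsplit(rec["target"]).path
    ua = rec["ua"].lower()
    if path == "/announce" or "bittorrent" in ua:
        return "bittorrent-announce"
    if "fbiossdk" in ua:
        return "facebook-sdk"
    return "other"


def summarize(lines) -> dict:
    """Count requests per category and per source /16 (IPv4 assumed), and count
    tracker announces whose ip= parameter disagrees with the source address."""
    by_cat, by_net, mismatched = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cat = classify(rec)
        by_cat[cat] += 1
        by_net[".".join(rec["ip"].split(".")[:2]) + ".0.0/16"] += 1
        if cat == "bittorrent-announce":
            query = parse_qs(urlsplit(rec["target"]).query)
            claimed = query.get("ip", [rec["ip"]])[0]
            if claimed != rec["ip"]:
                mismatched += 1
    return {"by_category": dict(by_cat), "by_net": dict(by_net),
            "announce_ip_mismatch": mismatched}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```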

How to connect to a Juniper VPN from Linux

The Windows users have a new client "Juniper Pulse" to connect to the Juniper VPN server.

On Linux, what VPN client do we have to connect to that Juniper VPN, with maximum compatibility?

Please mention the necessary parameters that have to be provided.


Source: (StackOverflow)

When would you use MPLS?

After having just spent months setting up a fairly complex VPN, I'm beginning to look at alternatives for the future. Some of my network providers use MPLS to connect to us, and I suppose it works fairly well. I know many ATM (automated teller machine) networks use MPLS, which I suppose is a vote of confidence for its security properties.

http://en.wikipedia.org/wiki/MPLS%5FVPN is rather succinct:

"MPLS VPN is a family of methods for harnessing the power of Multiprotocol Label Switching (MPLS) to create Virtual Private Networks (VPNs). MPLS is well suited to the task as it provides traffic isolation and differentiation without substantial overhead.[citation needed]

Layer 3 MPLS VPN

A layer 3 MPLS VPN, also known as L3VPN, combines enhanced BGP signaling, MPLS traffic isolation and router support for VRFs (Virtual Routing/Forwarding) to create an IP based VPN. Compared to other types of VPN such as IPSec VPN or ATM, MPLS L3VPN is more cost efficient and can provide more services to customers."

My question is: how cumbersome / expensive is it to set up an MPLS network? Is it the kind of thing where you can buy the hardware and DIY, or do you really need to go to a service provider? I can get "managed" VPNs for $100/month right now (which I have no idea if this is good or bad); my five-partner IPSEC "hairpin" topology thereby costs me 6,000 a year. Would that be better invested in MPLS?


Source: (StackOverflow)

How to start setting up a VPN server for smart phone clients?

I have a Ubuntu Lucid Lynx VM which I've been tinkering with. I want to set up a VPN and I am happy to learn how to do it on my own but the vastness of options makes my head spin, so I'm just looking for pointers.

Factors I want considered for my setup

  • Each user needs personal authentication (not one password for all)
  • I want to know what OS the client is using (Android / iPhone / other)
  • I want to track how much bandwidth is being used by each individual
  • Although security is important, it's mainly for bypassing China's great firewall (reach Facebook / Twitter), so I'm not trying to protect Pentagon files. Security is good, as long as it doesn't involve hours of complicated configuration.
  • Prevent the same user from using multiple devices to access the VPN at the same time
  • Any suggestions?

So my questions are:

  • What protocol should I use to be compatible with Android (say 1.6+) and iPhones?
  • What administrative software should I use (free preferably but willing to invest a little)?
  • What guides / tutorials can you recommend that are a little bit less confusing than this?

Android:

16 IPSec VPN Tunnels
8 L2TP VPN Tunnels (Dial-in: 4, Dial-out: 4)
8 PPTP VPN Tunnels (Dial-in: 4, Dial-out: 4)

  • Embedded IPSec & PPTP client/server
  • IKE key management
  • DES, 3DES and AES encryption for IPSec
  • Embedded powerful 3DES accelerator
  • MPPE Encryption for PPTP
  • L2TP within IPSec
  • L2TP/PPTP/IPSec pass-through

iPhone

  • L2TP / IPSec
  • MSChapV2 Password
  • RSA SecurID
  • CRYPTOCard
  • PPTP
  • MSChapV2 Password
  • RSA SecurID
  • CRYPTOCard
  • Cisco IPSec VPN
  • Password
  • RSA SecurID
  • CRYPTOCard
  • Certificate

NOTES

  • I'll be sure to add a bounty after the 2 day period, hope this question can help other people who would like to create a similar setup.
  • The title of this question is not that great, feel free to edit
  • I don't need all answers answered any pointers would help :)

Source: (StackOverflow)

Hyper-V Cut-n-Paste

I use Hyper-V on a development machine for multiple reasons and one of my biggest annoyances is that I can't cut and paste to/from the virtual machines.

I've been through all the options and can't find anything that seems like it would allow this. Does anyone have any good solutions?

I have considered connecting via RDP to the VM instead of using the VPN client, but one of my VMs is primarily used to connect via VPN to another network, and when I tried to RDP into that machine and then connect to the VPN (using Cisco AnyConnect), I got an error saying I could not connect to the VPN through an RDP session.


Source: (StackOverflow)

VPN Connection causes DNS to use wrong DNS server

I have a Windows 7 PC on our company network (which is a member of our Active Directory). Everything works fine until I open a VPN connection to a customer's site.

When I do connect, I lose network access to shares on the network, including directories such as 'Application Data' that we have a folder redirection policy for. As you can imagine, this makes working on the PC very difficult, as desktop shortcuts stop working, software stops working properly due to having 'Application Data' pulled from under it.

Our network is routed (10.58.5.0/24), with other local subnets existing within the scope of 10.58.0.0/16. The remote network is on 192.168.0.0/24.

I've tracked the issue down to being DNS related. As soon as I open the VPN tunnel, all my DNS traffic goes via the remote network, which explains the loss of local resources, but my question is: how can I force local DNS queries to go to our local DNS servers rather than our customer's?

The output of ipconfig /all when not connected to the VPN is below:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : 7k5xy4j
   Primary Dns Suffix  . . . . . . . : mydomain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mydomain.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : mydomain.local
   Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
   Physical Address. . . . . . . . . : F0-4D-A2-DB-3B-CA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9457:c5e0:6f10:b298%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.58.5.89(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 31 January 2012 15:55:47
   Lease Expires . . . . . . . . . . : 10 February 2012 10:11:30
   Default Gateway . . . . . . . . . : 10.58.5.1
   DHCP Server . . . . . . . . . . . : 10.58.3.32
   DHCPv6 IAID . . . . . . . . . . . : 250629538
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-AC-76-2D-F0-4D-A2-DB-3B-CA

   DNS Servers . . . . . . . . . . . : 10.58.3.32
                                       10.58.3.33
   NetBIOS over Tcpip. . . . . . . . : Enabled

This is the output of the same command with the VPN tunnel connected:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : 7k5xy4j
   Primary Dns Suffix  . . . . . . . : mydomain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mydomain.local

PPP adapter Customer Domain:

   Connection-specific DNS Suffix  . : customerdomain.com
   Description . . . . . . . . . . . : CustomerDomain
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.85(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.0.16
                                       192.168.0.17
   Primary WINS Server . . . . . . . : 192.168.0.17
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : mydomain.local
   Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
   Physical Address. . . . . . . . . : F0-4D-A2-DB-3B-CA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9457:c5e0:6f10:b298%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.58.5.89(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 31 January 2012 15:55:47
   Lease Expires . . . . . . . . . . : 10 February 2012 10:11:30
   Default Gateway . . . . . . . . . : 10.58.5.1
   DHCP Server . . . . . . . . . . . : 10.58.3.32
   DHCPv6 IAID . . . . . . . . . . . : 250629538
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-AC-76-2D-F0-4D-A2-DB-3B-CA

   DNS Servers . . . . . . . . . . . : 10.58.3.32
                                       10.58.3.33
   NetBIOS over Tcpip. . . . . . . . : Enabled

Routing table

Network Destination Netmask Gateway Interface Metric

          0.0.0.0          0.0.0.0        10.58.5.1       10.58.5.89     20
        10.58.5.0    255.255.255.0         On-link        10.58.5.89    276
       10.58.5.89  255.255.255.255         On-link        10.58.5.89    276
      10.58.5.255  255.255.255.255         On-link        10.58.5.89    276
    91.194.153.42  255.255.255.255        10.58.5.1       10.58.5.89     21
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0     192.168.0.95     192.168.0.85     21
     192.168.0.85  255.255.255.255         On-link      192.168.0.85    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        10.58.5.89    276
        224.0.0.0        240.0.0.0         On-link      192.168.0.85    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        10.58.5.89    276
  255.255.255.255  255.255.255.255         On-link      192.168.0.85    276

The binding order for the interfaces is as follows:

[Screenshot of the interface binding order; image not reproduced]

I've not configured the VPN tunnel to use the default gateway at the remote end, and network comms to nodes on both networks are fine. (i.e. I can ping any node on our network or the remote network).

I've modified the PPTP connection properties to use the DNS servers 10.58.3.32 followed by 192.168.0.16, yet the query still goes to 192.168.0.16.


Edit:

The local resources that disappear are hosted on domain DFS roots, which might (or might not) be relevant.


Further Edit:

This only seems to be affecting domain DFS roots. If I reference the share via the server name (i.e. \\server\share instead of \\dfsroot\share), I can access the shares.

As per my comment against this answer, I've found I can add the DNS name of the domain to my hosts file which stops my (DFS) network drives from disappearing, but I'd still like the bold part of my question (above) answering if anyone has any ideas.


Source: (StackOverflow)
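An added example (not from the question) that applies Windows' route selection rule, longest prefix first and lowest metric on ties, to the routing table pasted above: it shows that the LAN DNS servers 10.58.3.32/.33 are reached over the 10.58.5.89 interface and the customer's 192.168.0.16/.17 over the PPP adapter, so the symptom described is about which resolver Windows chooses, not about a route sending the queries into the tunnel. The rows are a subset of the questioner's table; the multicast and broadcast entries are omitted.

```python
import ipaddress
from typing import List, Optional, Tuple

# Rows copied from the "route print" output above (VPN connected):
# destination, netmask, gateway ("On-link" = directly attached), interface, metric.
ROUTE_TABLE = """\
0.0.0.0 0.0.0.0 10.58.5.1 10.58.5.89 20
10.58.5.0 255.255.255.0 On-link 10.58.5.89 276
10.58.5.89 255.255.255.255 On-link 10.58.5.89 276
10.58.5.255 255.255.255.255 On-link 10.58.5.89 276
91.194.153.42 255.255.255.255 10.58.5.1 10.58.5.89 21
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 192.168.0.95 192.168.0.85 21
192.168.0.85 255.255.255.255 On-link 192.168.0.85 276
"""

Route = Tuple[ipaddress.IPv4Network, str, str, int]


def parse_routes(text: str) -> List[Route]:
    """Turn the whitespace-separated rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        dest, mask, gateway, iface, metric = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Return (gateway, interface) for dst: the most specific matching route wins,
    and among equally specific routes the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface, metric in routes:
        if addr in net:
            rank = (net.prefixlen, -metric)       # higher rank = preferred
            if best is None or rank > best[0]:
                best = (rank, gateway, iface)
    return None if best is None else (best[1], best[2])


def dns_server_interfaces(routes: List[Route], servers: List[str]) -> dict:
    """Map each configured DNS server to the local interface that reaches it."""
    return {s: lookup(routes, s)[1] for s in servers}


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    # The four DNS servers from the two adapters in the ipconfig output above.
    print(dns_server_interfaces(routes, ["10.58.3.32", "10.58.3.33",
                                         "192.168.0.16", "192.168.0.17"]))
```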

Checkpoint VPN Linux Client

Is there a Linux client for Checkpoint VPN? Preferably for Ubuntu?


Source: (StackOverflow)

How to set up a VPN Incoming connection with Windows to tunnel Internet traffic?

I want to set up a VPN on a remote server to route all my Internet traffic for privacy reasons. I can set up an incoming connection and connect to it successfully. The problem is, I can just see the remote computer and no other Web sites will open. I want the remote server to act like a NAT. How can I do that?

Note that I don't want to split Internet traffic. I actually want to send all the traffic to the remote server but need to make it relay the traffic.

For the record, my remote server is Windows Web Server 2008 which does not have routing and remote access service.

Clarification

I'm mostly interested in server configuration. I don't have any problems configuring the client. By the way, Windows Web Server 2008 seems to have the same VPN features built in client OSes (like Vista) and specifically, it doesn't include the RRAS console in MMC. I'm also open to suggestions regarding third party PPTP/L2TP daemons available, if they are free.


Source: (StackOverflow)

Connect an iPhone to OpenVPN

Is there any way to connect an iPhone to our company OpenVPN server?


Source: (StackOverflow)

How to set up strongswan or openswan for pure IPSEC with iPhone client?

I'm having trouble finding concrete, up-to-date information for how to set up strongswan or openswan to be used by the iphone's VPN client. My server is behind a budget linksys NAT router.

I found this, but it mentions a whole bunch of .pem files with no reference for how to create them. Unfortunately, the "fine" manuals for both packages were quite inscrutable and unfriendly to a novice. I've set up OpenVPN before and managed to get serviceable results very quickly, but after a day and a half of reading out of date docs, I barely even know where to start.

Any help would be greatly appreciated!


Source: (StackOverflow)

Under what circumstances is TCP-over-TCP performing significantly worse than TCP alone (2014)?

Many admins keep perpetuating - on ServerFault and elsewhere - how bad of an idea TCP-over-TCP is, e.g. in VPNs. That even the slightest packet loss will make one suffer from at least severe throughput degradation if not TCP meltdown, and that TCP-over-TCP is therefore strictly to be avoided. And that probably was once all true, e.g. 2001 when this article was written that is still referred to.

But since then we've seen major advances in technology and protocols. Nowadays we have 'Selective ACK' implemented almost everywhere, and Moore's law has given us so much more memory, and with it came large TCP buffers optimized for Gbit uplinks. Also packet loss is much less of an issue these days on non-radio links. All this should alleviate the TCP-over-TCP problem significantly, shouldn't it?

Note that there are real-world scenarios where e.g. TCP-based VPNs are easier to implement and operate than UDP/ESP-based ones (see more below). Therefore my question:

Under what circumstances (link packet loss & latency) is TCP-over-TCP performing significantly worse than TCP alone, assuming SACK support and decently sized TCP buffers on both ends?

It would be great to see some measurements that show the correlations between (outer connection) packet loss/latency and (inner connection) throughput/jitter, for TCP-over-TCP and for TCP alone. I found this interesting article, but it seems to be concerned about latency only, and not to address (outer) packet loss.

Also: Are there recommended settings (e.g. TCP options, buffer settings, reducing MTU/MSS, etc) to narrow the performance gap between TCP and TCP-over-TCP?


Update: Our rationale.

This question is still very relevant in some real-world scenarios. E.g. we deploy embedded devices in large buildings that collect sensor data and feed it into our platform via VPN. The problem we are facing is firewalls and improperly configured uplinks that are not under our control, combined with reluctant IT departments. See a detailed example discussed here.

In a lot of such cases, switching from non-TCP to a TCP-based VPN (very easy if you use OpenVPN like us) is a quick fix that allows us to evade uphill finger-pointing battles. E.g. often TCP port 443 is generally allowed (at least via proxy), or we can overcome Path-MTU issues by simply reducing TCP's MSS option.

It would be good to know under what circumstances a TCP-based VPN can be considered a viable alternative, so we can make an informed decision outweighing the pros and cons of either option. For example we know that TCP-VPN is ok for us on non-radio links, but we do have a fair share of remote clients on 3G uplinks with significant packet loss and high latency - how would a TCP-VPN perform there?

I tried to improve the title and the central question accordingly; I hope it makes sense.


Source: (StackOverflow)

64-bit Cisco VPN client (IPsec)?

Cisco VPN client (IPsec) does not support 64-bit Windows.

Worse, Cisco does not even plan to release a 64-bit version, instead they say that
"For x64 (64-bit) Windows support, you must utilize Cisco's next-generation Cisco AnyConnect VPN Client."

But SSL VPN licences cost extra. For example, most new ASA firewalls come with plenty of IPSec VPN licences but only a few SSL VPN licences.

What alternatives do you have for 64-bit Windows? So far, I know two:

  1. 32-bit Cisco VPN Client on a virtual machine
  2. NCP Secure Entry Client on 64-bit Windows

Any other suggestions or experiences?


Source: (StackOverflow)

Should I use tap or tun for openvpn?

What are the differences between using dev tap and dev tun for OpenVPN? I know the different modes cannot inter-operate. What are the technical differences, other than just layer 2 vs. layer 3 operation? Are there different performance characteristics, or different levels of overhead? Which mode is better? What functionality is exclusively available in each mode?


Source: (StackOverflow)