Hardware Appliance for Connection to Cisco AnyConnect Gateway?

IlDavo

New Around Here
My company mandates the use of AnyConnect client software for VPN connectivity to corporate resources from my home office. I understand that the purpose/value of AnyConnect is the avoidance of any need for remote VPN hardware to achieve VPN access; however, I'd very much like to avoid the need to run even AnyConnect's small VPN client on my devices. It would be very convenient if I could sign into the AnyConnect VPN, once, yet use that connection from multiple company client machines in my home office.

Does there exist a hardware appliance that can run AnyConnect software -- thus appearing to an AnyConnect gateway reached via its WAN interface as a software AnyConnect client -- yet can effectively serve as a home-based VPN gateway that serves up its VPN connection to any device that's connected to its client (non-WAN) side?

Thanks in advance!
 
It depends on which protocols are supported in VPN Policy on your company's Cisco servers. It could be configured to support IKEv1, IKEv2 and L2TP over IPSec. These are all standard protocols supported by some routers with VPN client firmware.

Keep in mind though that the AnyConnect client comes with a routing configuration defining which traffic belongs to VPN and which one does not. You might need to reproduce this configuration in VPN routing setup on your VPN router.
 
Keep in mind that in the enterprise environment - AnyConnect can and often does tie into other policy management and controls for the end-point - e.g. corporate laptop for remote employees (teleworkers and road warriors).

What OP is asking would negate that - and this might be in conflict with IT rules at the company.

Best approach would be to discuss the issue with the IT team, and see if there's a suitable solution for Site-to-Site tunnels vs. end-point.
 
As an IT security guy....this question makes me cringe. By moving the VPN to the router, that puts the assumption that all devices on your LAN are trusted managed corporate assets.

Generally, the VPN client is doing other checks to confirm the posture of the client. Sometimes this confirms it is a company asset. Sometimes it checks patch level and AV status...depends on what the admin has configured.

Now I do have a VPN router at my house that lets me access work from multiple devices. However it was provided by IT and is configured for 802.1x to properly authenticate and authorize each device before forwarding any of that traffic down the VPN back to work.

So yes...there are options...but your first step should be a discussion with your IT staff to find out what they are willing to support and allow that falls within their risk acceptance levels.

 
As an IT security guy....this question makes me cringe. By moving the VPN to the router, that puts the assumption that all devices on your LAN are trusted managed corporate assets.

I agree - for a site-to-site tunnel - the assumption is that all end-points are managed, and the ingress/egress from Corporate LAN is in accordance with policy.

OP is suggesting something which is really not good - as the end-points may not be managed.

Which brings back the whole discussion of why have a VPN client in the router in the first place... VPN server, I get it, but VPN client, that's a huge risk to one's internal LAN from the public internet.

VPN assumes a level of trust, and reading thru the threads - many find it convenient without understanding that a VPN cuts both ways as a trusted connection.
 
Which brings back the whole discussion of why have a VPN client in the router in the first place... VPN server, I get it, but VPN client, that's a huge risk to one's internal LAN from the public internet.
As originally implemented a VPN was literally that, a virtual-private-network, an extension of your trusted LAN. The key word here being "trusted". As you point out, this makes sense in a corporate/business setting for connecting to remote offices, etc.

Unfortunately nowadays VPN is synonymous with: "a magic service that lets me hide/disguise my location so that I can illegally stream movies and download pirated content". Whilst obviously there are some people that use VPN services for legitimate purposes I would hazard a guess that they are in the minority.

So VPNs are (mostly) nothing to do with trusted local networks and everything to do with avoiding the prying eyes of <insert organisation here>. What I find surprising is that companies like Asus don't get any blow-back from rights holders for heavily promoting this feature along with their built-in bittorrent, NZB and ed2k server. The intended use is obvious.
 
but VPN client, that's a huge risk to one's internal LAN from the public internet.

VPN clients in a router is how you can actually connect remote branch offices to the main office.
 
Unfortunately nowadays VPN is synonymous with: "a magic service that lets me hide/disguise my location so that I can illegally stream movies and download pirated content". Whilst obviously there are some people that use VPN services for legitimate purposes I would hazard a guess that they are in the minority.

Being ex-Telco with a big 3 letter provider - VPN for those "magic services" doesn't hide anything - it highlights activity - and we had deep packet inspection that allowed us to observe and track content to the providers and to the endpoints - VPN is distinct in that way...
 
Being ex-Telco with a big 3 letter provider - VPN for those "magic services" doesn't hide anything - it highlights activity - and we had deep packet inspection that allowed us to observe and track content to the providers and to the endpoints - VPN is distinct in that way...

And it also aggregates all your traffic through a single central point, which is the tunnel provider, and whichever uplink they use to send your traffic to the rest of the Internet. Even if the tunnel provider doesn't log, can they say the same about their own peering partners through which all your traffic is being sent?
 
Many thanks to all for thoughtful replies to my original question: "Does there exist a hardware appliance that can run AnyConnect software -- thus appearing to an AnyConnect gateway reached via its WAN interface as a software AnyConnect client -- yet can effectively serve as a home-based VPN gateway that serves up its VPN connection to any device that's connected to its client (non-WAN) side?"

I greatly appreciate and acknowledge the security concerns from an "IT Security" point of view raised by sfx2000 and MichaelCG.

Note: As interesting as I find the "... magic service that lets me hide/disguise my location so that I can illegally stream movies and download pirated content" discussion that ColinTaylor introduces -- as I also use a personal VPN for purposes of (hopefully) reducing the activity logging that my ISP might otherwise conduct and sell to 3rd parties (though I should note that my interests solely involve protecting basic privacy, as I don't "illegally stream movies and download pirated content"), thanks to Congress' overturning FCC Internet Privacy rules under the Congressional Review Act (rule text, here): discussion of these interests misdirects this thread from its original purpose.

Nevertheless, I was hopeful that one or more hobbyists on this forum might have arrived at a way to use a single AnyConnect session from a single device (ideally, a hardware appliance, such as a router, but a purpose-built mini-pc or other device would also suffice) to serve its single VPN tunnel up to multiple machines -- thus eliminating the need for each of my company machines to run its own copy of Cisco AnyConnect in order to access company resources (and requiring me to re-load and re-run AnyConnect on multiple devices, each day, as their gateway connections time-out).

Again -- I understand why IT security folks might not like this approach, but I'm really just wondering if it can/has been done. Any further tips before I abandon the notion?
 
discussion of these interests mis-directs this thread from its original purpose.
Apologies for that, my post was in reply to sfx and was indeed off-topic. Also, I was in no way suggesting that you were doing such things.

Back in the day we used Cisco VPN routers at our remote sites to connect back to our VPN Concentrator using IPsec. There's been some discussion here in the past about using the router for Cisco AnyConnect but I don't remember anyone having success. Cisco provide a Linux client but I doubt that would work on the router.

I think OpenConnect was ported to entware-ng so that might be worth investigating.
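Added example, not from any poster in this thread: if the OpenConnect route is pursued, the gateway's split-tunnel routes arrive in OpenConnect's vpnc-script as CISCO_SPLIT_INC_* environment variables (the "routing configuration" mentioned earlier), and the router's forwarding filter can limit the tunnel to an allow-list of managed hosts, which is the concern raised about every LAN device becoming trusted. The environment values and the managed-host list are constructed, and the generated iptables rules are a hypothetical sketch, not a tested router configuration.

```python
import ipaddress

# Constructed sample of the variables OpenConnect exports to its vpnc-script.
# The variable names are OpenConnect's; every value here is made up.
SAMPLE_ENV = {
    "TUNDEV": "tun0",
    "INTERNAL_IP4_ADDRESS": "10.20.30.40",
    "CISCO_SPLIT_INC": "2",
    "CISCO_SPLIT_INC_0_ADDR": "10.0.0.0",
    "CISCO_SPLIT_INC_0_MASK": "255.0.0.0",
    "CISCO_SPLIT_INC_1_ADDR": "192.168.100.0",
    "CISCO_SPLIT_INC_1_MASK": "255.255.255.0",
}

# Hypothetical allow-list of managed company machines on the home LAN.
MANAGED_HOSTS = ["192.168.1.10", "192.168.1.11"]


def split_include_networks(env):
    """Return the gateway's split-include networks, in the order they were sent."""
    count = int(env.get("CISCO_SPLIT_INC", "0"))
    nets = []
    for i in range(count):
        addr = env[f"CISCO_SPLIT_INC_{i}_ADDR"]
        mask = env[f"CISCO_SPLIT_INC_{i}_MASK"]
        # strict=True rejects a network whose host bits are set (a bad mask).
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=True))
    return nets


def router_commands(env, managed_hosts):
    """Build route and forwarding-filter commands (hypothetical sketch)."""
    dev = env["TUNDEV"]
    nets = split_include_networks(env)
    if nets:
        cmds = [f"ip route add {n} dev {dev}" for n in nets]
    else:
        # No split-include list means the gateway wants everything tunnelled.
        cmds = [f"ip route replace default dev {dev}"]
    # Only allow-listed hosts may forward into the tunnel; everything else is dropped.
    for host in managed_hosts:
        ipaddress.ip_address(host)  # raises ValueError on a malformed entry
        cmds.append(f"iptables -A FORWARD -s {host} -o {dev} -j ACCEPT")
    cmds.append(f"iptables -A FORWARD -o {dev} -j DROP")
    # The tunnel cuts both ways: admit only replies to sessions the LAN opened.
    cmds.append(f"iptables -A FORWARD -i {dev} -m conntrack "
                f"--ctstate ESTABLISHED,RELATED -j ACCEPT")
    cmds.append(f"iptables -A FORWARD -i {dev} -j DROP")
    return cmds
```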
 
I would say your first place to look is your IT staff. AnyConnect can mean many things depending on what appliance it terminates to and how the administrator has configured it. Quite often it is just an ASA which can support client VPNs as well as standard Site-to-Site IPSEC VPN tunnels if IT wants to support it. You really must know more about what checks and policies are in place to understand if there are any router options out there.

I am not aware of an AnyConnect capable client router....however I have never really needed one so I haven't put a lot of effort into any research. The last time I looked for something like this was in the older Cisco 3000 VPN hardware...and there were several 3rd party clients which could connect....but from a router perspective, it was still just straight up IPSEC tunnels.
 