
QuickVPN can connect to RV042 without certificate

johanvermeij
Level 1

I have a RV042 VPN router set up (firmware 1.3.12.6-tm)

I connect to it using QuickVPN 1.4.1.2 from a PC running Windows using a wireless modem (Blackberry)

Scenario 1

I drop the certificate that was generated by the RV042 into Program Files\Cisco Business Systems\QuickVPN Client

I connect

All ok

Scenario 2

I drop the certificate that was generated by the RV042 into Program Files\Cisco Business Systems\QuickVPN Client

I corrupt the certificate (edit and delete some characters)

I connect

I get a Windows error

All ok

Scenario 3

I remove the certificate

I reboot the PC

I reinstall the VPN client

(I have tried everything under the sun for days)

I connect

I get warning "Server's certificate doesn't exist on your local computer. Do you want to quit this connection ?"

I click No

The client happily connects to RV042

And that is WRONG, it defeats the purpose of having a certificate.

My question: what do I set on the RV042 side to prevent this from happening?

5 Replies

johanvermeij
Level 1

I have seen one or two similar complaints about this unexpected auto connect and they were always ignored.

Unless I am very wrong (and I hope so) this goes to the very basics of what a VPN is supposed to do.

We have lots and lots of Cisco gear where I work (a bank with 1000+ branches).

I spoke to one of the Cisco engineers and he also could not believe that this was happening.

I really hope that there is a solution.

This is not about the $175 I paid for the router but about the thousands of RV042s out there.

Explanation accepted:

Regarding clients connecting without the certificate, are you referring to QuickVPN clients? If so, clients will always be able to connect without the certificate. Downloading the certificate to the client PC is for the benefit of the client only. It is designed to provide a warning message to the end user if they attempt to connect to the wrong router. If they have placed the certificate in the QuickVPN Program Files folder and connect to the right router the warning should not appear.

Closed

This message leads me to believe that anyone with QuickVPN can hit anyone's router and only have to get past a basic username and password to establish a VPN tunnel?

I'm fairly ignorant when it comes to hacking but I have witnessed how easy WEP and WPA are to crack and a few other things. Is QuickVPN that easy to intercept or decrypt a username and password?

If so, is there a more secure way to connect? (I can't have my clients exposed to easy crackers)

Jon

The RV042 has a PPTP server with five client accounts built in. It's not as secure, but it does not use the QuickVPN utility to connect.

You could try authenticating to a server and forwarding ports needed to authenticate. Ideally that is the most secure.

When a hacker tries to do a password attack on QuickVPN Server, RV042 will delay the prompt for authentication after multiple authentication failures. To mitigate security risk, it's recommended that the administrator allows QuickVPN users to change their passwords periodically. (Changing passwords can be done while a QuickVPN tunnel is connected.)
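
Added example, not part of the thread and not QuickVPN or RV042 code: a client-side certificate pin check that fails closed in the three scenarios from the original post, plus the wrong-router case from the accepted explanation, instead of warning and letting the user continue. The file name `pinned.pem`, the function names and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ssl
import tempfile
from pathlib import Path


class PinError(Exception):
    """The server certificate could not be verified against the local pin."""


def load_pin(pin_path):
    """Return the SHA-256 digest of the pinned certificate, or raise PinError."""
    path = Path(pin_path)
    if not path.is_file():
        raise PinError("pinned certificate missing")  # scenario 3: no prompt, fail closed
    try:
        der = ssl.PEM_cert_to_DER_cert(path.read_text(encoding="ascii"))
    except ValueError as exc:  # bad PEM armor, bad base64, or non-ASCII bytes
        raise PinError("pinned certificate unreadable") from exc
    return hashlib.sha256(der).digest()


def decide(pin_path, presented_der):
    """Return (allowed, reason); allowed only on an exact match with the pin."""
    try:
        pinned = load_pin(pin_path)
    except PinError as exc:
        return False, str(exc)
    presented = hashlib.sha256(presented_der).digest()
    if not hmac.compare_digest(pinned, presented):
        return False, "server certificate does not match pin"
    return True, "match"


def run_scenarios():
    """Replay the thread's scenarios, plus a wrong-router case."""
    server_der = bytes(range(48)) * 4  # constructed stand-in, not a real certificate
    pem = ssl.DER_cert_to_PEM_cert(server_der)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        pin = Path(tmp) / "pinned.pem"  # hypothetical file name
        pin.write_text(pem, encoding="ascii")
        results["present"] = decide(pin, server_der)[0]
        results["wrong router"] = decide(pin, server_der[::-1])[0]
        pin.write_text(pem[:40] + pem[45:], encoding="ascii")  # delete 5 characters
        results["corrupted"] = decide(pin, server_der)[0]
        pin.unlink()
        results["missing"] = decide(pin, server_der)[0]
    return results
```

A check like this protects only the client from connecting to the wrong server; as the accepted explanation says, it does not stop a client without the certificate from authenticating to the router.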