Keep failing Trustwave scan :-(

Running the latest firmware on the Balance One.
All the instructions I can find are referring to the 6.x firmware.
Where oh where can I disable TLS 1.0?

Also, for the SSL cert, what domain name should I obtain the SSL for to avoid problems with the web site and email server?

And what about the weak ciphers?

If I can’t solve this I have to replace the router with a Sophos.


You need to change the PepVPN Backward Compatibility settings to “Restricted (firmware 6.2+)” to enforce TLS v1.2.

First, go to the SpeedFusion section on the Web Admin Interface (Network > SpeedFusion).
Below the PepVPN Local ID section on that page, you’ll see a section titled PepVPN Settings. Click the blue ? mark in the title bar and the Backward Compatibility row will appear.

This was first mentioned in this forum post:


Thanks for your quick reply. I already changed this setting last night and ran a new scan. Indeed, the TLS check is no longer failing, but I still have the following issues causing the Trustwave scan to fail.

  1. SSL Certificate not valid (Not going to bother with that until the other issues can be resolved first)
  2. Weak Encryption Ciphers identified on VPN Device
  3. Weak Diffie-Hellman groups identified on VPN device
  4. Remote Access Service Detected

All these issues came up after enabling the VPN access.


@Erik_deBie
Sorry to sidetrack a little, but what did you use to capture your screen and turn it into that image?


On a Mac do this:

Command + Shift + 4

This will turn the cursor into a crosshair that you can drag around the desired area; once you release the mouse it will snap a screenshot of the selected area.

Pro Tip:

If you press the space bar after releasing the above-mentioned key combination, the cursor will turn into a camera. Place the camera on the window you would like to screenshot and click once.

Screenshots will end up on the desktop.
Open them with Preview for further manipulation like placing a grey block over the public-facing IP addresses, drawing arrows, adding text, etc.

Hope this helps,

Rogier


I “borrowed” it from a comment from Martin Langmaid in the post mentioned above, but I know he used Snagit or Camtasia from TechSmith.


Three other options:

  1. Built-in Snip on Windows 7/10
  2. Xbox built into Windows 10 has some nice screen recording options
  3. Or the one I use: https://picpick.app/en/

Hi ScooterIT,

Back to your main question:

The warnings in the Trustwave scan report are expected when L2TP Remote Access is enabled because some L2TP clients are only able to support weak(er) encryption ciphers and weak(er) Diffie-Hellman groups.

For the Trustwave scan to pass, you need to temporarily disable L2TP remote access, or set up another L2TP server.

I guess I have to switch routers then, since we only have 2 options. L2TP over IPsec is the better one but will not pass the Trustwave scan that is required by my client's credit card processor and HIPAA compliance… :(


I had the same error message and did disable L2TP over IPsec because no one is using it consistently.

It would be great if there is a way to enable something similar to the “Restricted (firmware 6.2+)” option above for PepVPN but for L2TP. Something like Restricted L2TP that excludes the weak ciphers and Diffie-Hellman groups.

Sadly, I ended up replacing the Peplink Balance One with a Sophos firewall.

Sorry. That stinks. I do think Peplink can do better at being proactive about the Trustwave scan failings, but maybe they think it is the end user's responsibility to do that.

I’ve had 3 or 4 instances where I get failing notices and then there is a process to research and resolve them. The most recent was the SSL cert not being valid (it shows the captive.portal) and I had to create my own instead of using the default. Thankfully the instructions to do it were easy.

Hopefully the replacement product works well for you. Plus I believe it offers AD integration.

I’m beating my head against the wall with this one also. Can’t pass the Trustwave scan.

I tried to restrict the 32015 port to only one IP (that of the other side of the PepVPN), but even the GRC scan shows this port as open.

Where can I find out the best way to set up the SSL cert that you described as working?

I also don’t want to have to change two routers just to fix this.

Tom

None of the VPN protocols available on your Peplink router are accepted by Trustwave. I ended up switching to a Sophos firewall router using OpenVPN. Regardless, despite this being a non-public-facing VPN, Trustwave refuses to accept the self-signed SSL cert. So you still have to purchase this.

Frankly, I think Trustwave is a ripoff and is just a bot going through the motions, since I have been unable to reason with them.

@tomswenson

You can import the valid signed CA certificate via the certificate manager page:

By default the “default self-signed cert” is used, hence you won’t be able to pass the vulnerability scanning. This is the same with other vendors' products: a self-signed cert is loaded by default and won’t be able to pass the vulnerability scanning.

Please check the explanation given below for Self-Signed Certificate vs. Signed Certificate from a CA:

There are a lot of users asking why Peplink doesn’t load a CA cert on the device by default, which would definitely pass the vulnerability scanner. The answer is that the CA certificate must be signed based on the customer's domains & IPs for the locations, hence it is impossible to have a single cert that can achieve this. Let us assume that it could be achieved; then the “CA cert” would no longer have any validity and would work exactly like the self-signed cert.

Peplink devices always provide the highest security updates for all features in the latest firmware version. Please make sure you are running the latest firmware. This will make sure the device is secure in the network.

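A pre-scan check you can run yourself against the forwarded port before the next Trustwave run, covering the two findings in this thread: it tries handshakes pinned to TLS 1.0 and 1.1, then fetches the certificate and applies the scanner's self-signed criterion (issuer Name identical to subject Name). This is an added example, not Peplink's code or anything posted in the thread; the host is a placeholder and the port defaults to the TCP 32015 discussed above.

```python
import socket
import ssl

LEGACY = {"TLS 1.0": ssl.TLSVersion.TLSv1, "TLS 1.1": ssl.TLSVersion.TLSv1_1}


def accepts_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # version only
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False  # refused by the server, or not offered by this OpenSSL build


def _tlv(buf, i):
    """Decode the DER tag and length at buf[i]; return (tag, value_start, end)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:  # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, i, i + length


def _children(buf, start, end):
    """Split the DER elements between start and end into (tag, raw) pairs."""
    out, i = [], start
    while i < end:
        tag, _, ve = _tlv(buf, i)
        out.append((tag, buf[i:ve]))
        i = ve
    return out


def is_self_signed(der_cert):
    """Issuer Name identical to Subject Name, which is what the scan flags."""
    _, s, e = _tlv(der_cert, 0)            # Certificate ::= SEQUENCE
    _, tbs = _children(der_cert, s, e)[0]  # tbsCertificate is its first element
    _, s, e = _tlv(tbs, 0)
    fields = _children(tbs, s, e)
    if fields[0][0] == 0xA0:               # skip the explicit [0] version field
        fields = fields[1:]
    return fields[2][1] == fields[4][1]    # serial, sigAlg, issuer, validity, subject


def check(host, port=32015):
    legacy = [n for n, v in LEGACY.items() if accepts_version(host, port, v)]
    pem = ssl.get_server_certificate((host, port))  # placeholder host goes here
    return {"legacy_tls": legacy,
            "self_signed_cert": is_self_signed(ssl.PEM_cert_to_DER_cert(pem))}
```

An empty `legacy_tls` list and `self_signed_cert: False` is what the scan wants to see; anything else is the finding to fix before paying for a rescan.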

I have installed quite a few certs over the years, but so far the instructions I have seen for the Peplink aren’t quite clear to me. Maybe I’m too tired to look at this now, IDK.

I’m now at the “How many more hours do I spend on this at my customer’s expense” stage. I could just buy two Meraki Z1s, put them in each location, set up AutoVPN (super easy) and be done with it. Not free, but neither is all the time I’m spending on this trying to get this Trustwave scan to work. I think we are already in this for 5 hours or more.

Hopefully I can get this resolved tomorrow.

Tom


@tomswenson

Would you be able to share the Trustwave scan results here? I mean regarding port 32015?


FYI, tomorrow I’m going to this customer. I’m going to take a Mikrotik and build a bridge with firewalling, put it in front of the Peplink, and only allow 32015 access from the other side of the VPN.

Wish me luck.

Tom

@tomswenson

Based on the scan results, it looks like the CA cert is not uploaded to the device yet. The device still needs a valid CA cert if the scan is intended for TCP 32015 and is looking for the missing security settings.

Based on the above reply, it looks like your scanning is more of an external scan; you just need to avoid port TCP30215 being scanned.

In a coming firmware we will have a feature to define the access… No detailed ETA yet for this. I will post again if I get the latest information from the Engineering team.
