From rgm at icsa.net Tue Aug 3 07:08:03 1999
From: rgm at icsa.net (Robert Moskowitz)
Date: Tue, 03 Aug 1999 07:08:03 -0400
Subject: FW: TCPIP MTU settings (fwd)
In-Reply-To:
Message-ID: <4.1.19990803070137.00b49760@homebase.htt-consult.com>

At 05:12 AM 7/29/99 -0500, Tina Bird wrote:
>From: Gregory Perry
>
>Several utilities exist for Wintel platforms to reduce MTU settings
>"on-the-fly" - EZMTU is one such free package
>(http://members.tripod.com/~EasyMTU/easymtu/index.html). Makes a big
>difference even on regular dialup sessions.
>

I have investigated this package. Bottom line is: For VPNs, don't bother.

It only works for the Win 95/98 modem adapter. IPsec dialup clients already get the MTU right, since they are the tunnel endpoint. I have asked the author to add Ethernet control for VPNs, and he says that he is busy on another freeware project.

The author really does not understand the Internet, fragmentation, and MTU. He and a few found that lowering MTU helps in some cases, saw in a few cases in Europe that there were routers set with an MTU of 576 and extrapolated that the whole Internet runs mostly with an MTU of 576 (not true, I am close to the researchers that study things like this in the Internet). The author also claims on his web site that when a 1500 byte packet is fragmented into 576 packets, the last packet is padded out to 576, adding to the overhead.

Well, the package can help on slow dialup connections, in general. It won't help on fast connections like cable modems.

Such a tool WOULD really help VPNs, but the author does not seem interested in adding this functionality.

Robert Moskowitz
ICSA, Inc.
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished
if it doesn't matter who gets the credit

****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/FAQ.html

We are currently experiencing "unsubscribe" difficulties. If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com
****************************************************************

From rgm at icsa.net Tue Aug 3 07:24:16 1999
From: rgm at icsa.net (Robert Moskowitz)
Date: Tue, 03 Aug 1999 07:24:16 -0400
Subject: opportunistic routers?
In-Reply-To: <882567BD.005AB89E.00@gwwest.sybase.com>
Message-ID: <4.1.19990803071018.00b90ac0@homebase.htt-consult.com>

At 09:30 AM 7/29/99 -0700, Ryan Russell wrote:
>I wonder if I might be allowed to ask what may be a dumb question?
>
>Back to the original question for this topic: The person wants
>routers to automatically set up encryption for end-nodes. I see
>the topic has evolved to Linux IPSec as well, and I assume
>the Linux boxen would be end-nodes.

Well, actually Linux as either an end-node (as John postulates), or Linux as a gateway. Many of us want host based IPsec, not gateway. But 3 factors inhibit this: code availability on hosts (in development), addressing (doesn't work well with private addressing), and distributed manageability.

>My question is: If you're trying to set up router-to-router
>encryption for end-nodes, how do you know which router
>to set up your encryption to? Certainly you're not going to want
>every router along the way to set up encryption with the next
>router hop. Not only would that take way too long, but then you're
>back to trusting intermediate routers and their admins.
>
>Obviously, you want your router close to you (perhaps your access
>router, perhaps the router just inside the firewall?) as "your end" and
>the other router to be something similar at the far end.

A number of proposals ASSUME that two routers along the natural packet path employ IPsec and will discover each other. When the packet hits the first encrypting router/gateway it would be configured to 'try and encrypt'. It would then have to discover the router to encrypt to. There have been a number of proposals for discovery. IMHO, the use of the KX record described in draft-moskowitz-net66-vpn-00.txt is the best way, given the 'way things work'.

>There's no good way to determine a router that can "represent" an
>end-node, short of having a list published somewhere.

Check out the KX record. It is experimental (RFC 2230). Ran and I had a number of debates about the way the KX record could work. I know that Ran did deploy the KX record for some DOD usage while he was at NRL, but for his intended purpose, not mine :)

>It's been a couple of years since I sat through a secure DNS talk,
>so, again, my question may be obvious to many. Is there for each
>A record supposed to be another record that is the IP address of
>some gateway that can IPSec for that A record? I think the secure DNS
>talk I heard was for IPSec keys for end-nodes (i.e. for itself, not others.
>It may still be some piece of equipment we call a router.)

Orthogonal. DNSSEC attacks the distrust of DNS so that KEY information can be safely stored in DNS. For IPsec, you either:

Use KEY records for end-points as John alludes to.

Use KX records for gateways as my draft discusses.

Use SRV records to find LDAP repositories as the IP Security Policy wg is discussing.

>Is this a missing piece for IPSec? Is there allowance for agent
>encryptors?

What is an agent encryptor?

Robert Moskowitz
ICSA, Inc.
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished
if it doesn't matter who gets the credit

From rgm at icsa.net Tue Aug 3 13:21:49 1999
From: rgm at icsa.net (Robert Moskowitz)
Date: Tue, 03 Aug 1999 13:21:49 -0400
Subject: Nortel Contivity Branch Connections
In-Reply-To: <852567BE.005B1914.00@NotesSMTP-01.cmp.com>
Message-ID: <4.1.19990803131956.00ba8470@homebase.htt-consult.com>

At 12:34 PM 7/30/99 -0400, dnewman at cmp.com wrote:
>
>I just spoke with Nortel about this yesterday. There is one tunnel per
>office-to-office link. Of course, the number of tunnels will be higher if the
>Contivity box also fields requests from dial-up users or other offices, or
>there
>are redundant physical links between offices.
>

Are you sure? I **THINK** you can set selectors by address so you can have separate tunnels for any host pairing that you want to spend the time defining. I know that the first release did not support configuring an address identity, only a subnet, but they added the address identity Q1 99.

Robert Moskowitz
ICSA, Inc.
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished
if it doesn't matter who gets the credit

From dnewman at cmp.com Tue Aug 3 13:52:07 1999
From: dnewman at cmp.com (dnewman at cmp.com)
Date: Tue, 3 Aug 1999 13:52:07 -0400
Subject: Nortel Contivity Branch Connections
Message-ID: <852567C2.00623B61.00@NotesSMTP-01.cmp.com>

Yes, quite sure. Note that the Contivity *can* support multiple tunnels between gateways (dunno about between hosts). It just isn't a typical configuration.

Nortel's internal test folks sent me some "how we do it" schematic diagrams of site-to-site, multiple-branch-offices-to-headquarters, and dial-users-to-headquarters configurations. In the first two, they show only one tunnel between sites.

dn

Robert Moskowitz on 08/03/99 01:21:49 PM

From rgm at icsa.net Tue Aug 3 14:52:01 1999
From: rgm at icsa.net (Robert Moskowitz)
Date: Tue, 03 Aug 1999 14:52:01 -0400
Subject: Nortel Contivity Branch Connections
In-Reply-To: <852567C2.00623B61.00@NotesSMTP-01.cmp.com>
Message-ID: <4.1.19990803141237.00b9f340@homebase.htt-consult.com>

At 01:52 PM 8/3/99 -0400, dnewman at cmp.com wrote:
>
>Yes, quite sure. Note that the Contivity *can* support multiple tunnels between
>gateways (dunno about between hosts). It just isn't a typical configuration.

The tunnel is between gateways, but the traffic in the tunnel is restricted by the selector.
>Nortel's internal test folks sent me some "how we do it" schematic diagrams of
>site-to-site, multiple-branch-offices-to-headquarters, and
>dial-users-to-headquarters configurations. In the first two, they show only one
>tunnel between sites.

Their model was subnet to subnet, so no wonder.

Robert Moskowitz
ICSA, Inc.
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished
if it doesn't matter who gets the credit

From fifield at ghost.nslug.ns.ca Thu Aug 5 02:52:00 1999
From: fifield at ghost.nslug.ns.ca (Jamie Fifield)
Date: Thu, 5 Aug 1999 03:52:00 -0300
Subject: PPTP Port
Message-ID: <19990805035200.A15009@ghost.nslug.ns.ca>

Hello guys and gals, I've got a bit of a problem. I have a friend trying to break out of a fairly draconian firewall at his work. I am attempting to set up a PPTP server for him to connect to, (PPTP isn't my first choice, but he doesn't think he's allowed to install a real OS down there so I cannot add him to my existing CIPE VPN). The firewall he needs to go through only allows connections for port 80, and maybe, port 70. I can quite easily specify my PPTP server to use port 70 (#define PPTP_PORT 70 for PopTop), but how the hell can you specify the port from the client side on a Windows (98 I suspect) box?

I've gone through any promising looking registry entries, grep'd for "1723" in every file on a Windows98 installation.

I'm not above hex editing, or any other trickery to do this.
My next attack on this problem is to build and burn a bootable linux install with cipe pre-setup on a CD and mail it to him, so anything to get PPTP going that is less effort than that is welcome.

Any relevant documentation, pointers or solutions are welcome, TIA!

(PS. Tina, you've got a couple broken links in PPTPrefs.html or whatever it was called).

--
Jamie Fifield

From anders.linden at kurs.perceptive.se Fri Aug 6 02:58:58 1999
From: anders.linden at kurs.perceptive.se (Anders Linden)
Date: Fri, 06 Aug 1999 08:58:58 +0200
Subject: simpliest form of VPN
Message-ID: <37AA87B2.BEDA4F23@kurs.perceptive.se>

I have tried to run pppd and to use its input/output with a socket application that I have done myself.

The problem is that I don't know how to write the command line to do that, since it does not use stdin/stdout but the terminal where pppd runs, so there will always be strange characters on the screen.

Do I have to specify an IP-number on the server, or will it use the IP-number that is used to reach the default gateway automatically?

None of the HOWTOs I have read about this is good. They either speak about how to set up a modem (which is not relevant since I only want to connect two networks), or they use their time to talk about security. I only want to use unencrypted ppp over a simple network connection made by myself, just to put things simple.
I have taken away some screen output on my server and called it sserver (silent server) as "incoming connection from xx.xx.xx.xx", so it will only show up data that an eventual client sends. It is invoked as

sserver port.

I have also done a silent client, sclient, that is invoked as

sclient host port.

How do I use their stdin and stdout and connect those endpoints to pppd's?

The simplest answer is the most appreciated...

bye for now
/Anders

From dnm at neith.net Thu Aug 5 18:33:18 1999
From: dnm at neith.net (Dan Moniz)
Date: Thu, 5 Aug 1999 18:33:18 -0400 (EDT)
Subject: PPTP Port
In-Reply-To: <19990805035200.A15009@ghost.nslug.ns.ca>
References: <19990805035200.A15009@ghost.nslug.ns.ca>
Message-ID: <14250.4398.197516.299690@dnm.ix.netcom.com>

Jamie Fifield writes:
> Hello guys and gals, I've got a bit of a problem. I have a friend trying
> to break out of a fairly draconian firewall at his work. I am attempting
> to set up a PPTP server for him to connect to, (PPTP isn't my first
> choice, but he doesn't think he's allowed to install a real OS down there
> so I cannot add him to my existing CIPE VPN). The firewall he needs to
> go through only allows connections for port 80, and maybe, port 70. I
> can quite easily specify my PPTP server to use port 70
> (#define PPTP_PORT 70 for PopTop), but how the hell can you specify the
> port from the client side on a Windows (98 I suspect) box?

[ snip ]

> Any relevant documentation, pointers or solutions are welcome, TIA!
Well, it's not VPN specific, and it deals with browsers more than regular apps that bind to given ports, but HushMail (http://www.hushmail.com/) has some code specific to their anonymous web mail system that allows users to come _from_ any port. I think the idea here is to find a port that's already open (HushMail defaults to port 25, I believe) and use it. Last I knew, HushMail still had their code under some sort of open source licensing.

Alternatively, you could scope around for wrapper documentation and APIs. I know some apps in Windows use a sort of local NAT paradigm to connect to stuff outside their normal realm of acceptable ports, i.e.:

[ ASCII graphic ]

  +----------+         +----------+     +-----+       +----------+
  |          |         | internal |     |     |       | outside  |
  |  client  | ------> |   NAT    | --> | fw  | ----> |   VPN    |
  |          |         |  device  |     |     |       |          |
  +----------+         +----------+     +-----+       +----------+
                            ^
                            |
                            |
    The internal NAT device acts as a wrapper, i.e.: changing the
    client's hardcoded port to bind to from 76 to 67 (hypothetical).

[ end ASCII graphic ]

I can't imagine this kind of thing being altogether too hard to write, but I'm not terribly familiar with PPTP or Windows' socket APIs. And this may involve more trickery than just hexediting something somewhere, as you mentioned. Then again, if you write the wrapper, you have more control.

--
dnm
neith.net: network evolution | http://neith.net/ | dnm at neith.net
pgp2 key (RSA): B1DE 2351 7559 1759 DF2A CEC9 A566 1ADB
pgp5 key (DH/DSS): 345D 648C 72EB 89AF B4DE 3684 5984 D61C 8A62 3B51
gpg key (ELG/DSA): 7220 3A6F 06E8 72FD BC29 DAD6 4D5D 58A8 2038 5E1B
From kemp at indusriver.com Fri Aug 6 09:43:07 1999
From: kemp at indusriver.com (Brad Kemp)
Date: Fri, 06 Aug 1999 09:43:07 -0400
Subject: PPTP Port
In-Reply-To: <19990805035200.A15009@ghost.nslug.ns.ca>
Message-ID: <3.0.3.32.19990806094307.00b20610@pop3.indusriver.com>

Jamie,
Using port 80 won't help even if you could change the client side. PPTP uses TCP port 1723 for the control channel. The data is carried over GRE which is protocol # 47. It is unlikely that your friend's firewall will allow any protocol other than TCP or UDP through.

Brad

At 03:52 AM 8/5/99 -0300, Jamie Fifield wrote:
>Hello guys and gals, I've got a bit of a problem. I have a friend trying
>to break out of a fairly draconian firewall at his work. I am attempting
>to set up a PPTP server for him to connect to, (PPTP isn't my first
>choice, but he doesn't think he's allowed to install a real OS down there
>so I cannot add him to my existing CIPE VPN). The firewall he needs to
>go through only allows connections for port 80, and maybe, port 70. I
>can quite easily specify my PPTP server to use port 70
>(#define PPTP_PORT 70 for PopTop), but how the hell can you specify the
>port from the client side on a Windows (98 I suspect) box?
>Jamie Fifield
>

--
Brad Kemp                        Indus River Networks, Inc.
BradKemp at indusriver.com          31 Nagog Park
978-266-8122                     Acton, MA 01720
fax 978-266-8111
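Added example, not code from the thread: a small model of Brad's point that a PPTP session is two flows (a TCP control connection on port 1723 and a GRE, IP protocol 47, data channel), so a policy that only passes TCP to a couple of ports blocks the data channel whatever port the server's control channel is moved to. The policy, the packet model and the drop-log lines in the detection half are all constructed for this example (the log format is a made-up key=value layout, not any product's).

```python
# Added example (not from the list thread). Models the two flows a PPTP
# session needs (RFC 2637) against a "TCP to a few ports only" policy, and
# flags PPTP-related drops in a constructed perimeter log.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

IPPROTO_TCP = 6
IPPROTO_GRE = 47          # PPTP data channel is GRE, not TCP or UDP
PPTP_CONTROL_PORT = 1723  # PPTP control connection


@dataclass(frozen=True)
class Packet:
    proto: int                   # IP protocol number
    dport: Optional[int] = None  # transport destination port; None for GRE


def allowed_by_policy(pkt: Packet, allowed_tcp_ports: Set[int]) -> bool:
    """The 'draconian' outbound policy: TCP only, and only to listed ports."""
    return pkt.proto == IPPROTO_TCP and pkt.dport in allowed_tcp_ports


def pptp_flows(control_port: int = PPTP_CONTROL_PORT) -> List[Packet]:
    """Both flows a PPTP session needs; control_port models a re-ported server."""
    return [Packet(IPPROTO_TCP, control_port), Packet(IPPROTO_GRE)]


def pptp_verdict(control_port: int, allowed_tcp_ports: Set[int]) -> Dict[str, bool]:
    """Which halves of a PPTP session the policy passes, and whether both do."""
    control, data = pptp_flows(control_port)
    control_ok = allowed_by_policy(control, allowed_tcp_ports)
    data_ok = allowed_by_policy(data, allowed_tcp_ports)
    return {"control": control_ok, "data": data_ok, "session": control_ok and data_ok}


# Detection side: constructed drop-log lines in a simple key=value layout.
SAMPLE_DROP_LOG = """\
DROP src=10.1.2.3 dst=203.0.113.9 proto=6 dport=1723
DROP src=10.1.2.3 dst=203.0.113.9 proto=47
DROP src=10.1.2.3 dst=203.0.113.9 proto=6 dport=70
DROP src=10.1.2.4 dst=198.51.100.7 proto=17 dport=53
"""

_LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\d+)(?: dport=(\d+))?")


def pptp_attempts(log_text: str) -> Dict[str, Set[str]]:
    """Map each src->dst pair to the PPTP-related flows seen dropped:
    'pptp-control' for TCP/1723 and 'gre' for protocol 47."""
    seen: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        m = _LINE_RE.search(line)
        if not m:
            continue
        src, dst, proto, dport = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        key = f"{src}->{dst}"
        if proto == IPPROTO_GRE:
            seen.setdefault(key, set()).add("gre")
        elif proto == IPPROTO_TCP and dport is not None and int(dport) == PPTP_CONTROL_PORT:
            seen.setdefault(key, set()).add("pptp-control")
    return seen


if __name__ == "__main__":
    policy = {80, 70}
    print("default port:", pptp_verdict(PPTP_CONTROL_PORT, policy))
    print("re-ported to 70:", pptp_verdict(70, policy))
    print("drops:", pptp_attempts(SAMPLE_DROP_LOG))
```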
From james.douma at finisar.com Tue Aug 10 14:29:56 1999
From: james.douma at finisar.com (James Douma)
Date: Tue, 10 Aug 1999 11:29:56 -0700
Subject: PPTP Port
References: <19990805035200.A15009@ghost.nslug.ns.ca>
Message-ID: <37B06FA4.42AB9C34@finisar.com>

Here's a trivial solution that I used to solve a similar problem:

Use the ttssh (freeware) extension for TeraTerm (shareware, I think). It will allow you to connect from a Win32 box to sshd on another box (say, Linux). sshd is easy to configure to use a non-standard port, and the ttssh tool allows you to specify the outbound port in the login dialog. Then use ttssh's port forwarding capability to forward a local port from the Win32 box through the ssh connection to a port accessible to the destination box. The whole thing can be easily set up on the Win box so that it establishes the connection and turns on the port forwarding when you click the ttssh icon. Then just run whatever your local application is (like a pop email client) and point it at the local machine's IP address - it'll get forwarded through the ssh connection.

I use this setup to provide encrypted road warrior access to a POP server behind a firewall, it works pretty well.

Jamie Fifield wrote:
>
> Hello guys and gals, I've got a bit of a problem. I have a friend trying
> to break out of a fairly draconian firewall at his work. I am attempting
> to set up a PPTP server for him to connect to, (PPTP isn't my first
> choice, but he doesn't think he's allowed to install a real OS down there
> so I cannot add him to my existing CIPE VPN). The firewall he needs to
> go through only allows connections for port 80, and maybe, port 70.
> I
> can quite easily specify my PPTP server to use port 70
> (#define PPTP_PORT 70 for PopTop), but how the hell can you specify the
> port from the client side on a Windows (98 I suspect) box?
>
> I've gone through any promising looking registry entries, grep'd for "1723"
> in every file on a Windows98 installation.
>
> I'm not above hex editing, or any other trickery to do this. My next
> attack on this problem is to build and burn a bootable linux install
> with cipe pre-setup on a CD and mail it to him, so anything to get PPTP
> going that is less effort than that is welcome.
>
> Any relevant documentation, pointers or solutions are welcome, TIA!
>
> (PS. Tina, you've got a couple broken links in PPTPrefs.html or whatever
> it was called).
>
> --
> Jamie Fifield

--
James Douma
Finisar
650.691.4000 x177 - Mountain View office (voicemail)
626.359.4010 - LA office
626.536.2725 - mobile (voicemail)
From james.douma at finisar.com Tue Aug 10 14:19:09 1999
From: james.douma at finisar.com (James Douma)
Date: Tue, 10 Aug 1999 11:19:09 -0700
Subject: simpliest form of VPN
References: <37AA87B2.BEDA4F23@kurs.perceptive.se>
Message-ID: <37B06D1D.8D0297D4@finisar.com>

One way to accomplish this would be to use the pty-redir command as described in the VPN-HOWTO. This can be used with pppd to redirect its I/O to a pseudo-tty. You can then open the ptty from your application to get access to the stream through pppd.

Anders Linden wrote:
>
> I have tried to run pppd and to use its input/output with a socket
> application that I have done myself.
>
> The problem is that I don't know how to write the command line to do
> that, since it does not use stdin/stdout but the terminal where pppd
> runs, so there will always be strange characters on the screen.
>
> Do I have to specify an IP-number on the server, or will it use the
> IP-number that is used to reach the default gateway automatically?
>
> None of the HOWTOs I have read about this is good. They either speak
> about how to set up a modem (which is not relevant since I only want to
> connect two networks), or they use their time to talk about security. I
> only want to use unencrypted ppp over a simple network connection made
> by myself, just to put things simple.
>
> I have taken away some screen output on my server and called it sserver
> (silent server) as "incoming connection from xx.xx.xx.xx", so it will
> only show up data that an eventual client sends. It is invoked as
>
> sserver port.
>
> I have also done a silent client, sclient, that is invoked as
>
> sclient host port.
>
> How do I use their stdin and stdout and connect those endpoints to pppd's?
>
> The simplest answer is the most appreciated...
>
> bye for now
> /Anders

--
James Douma
Finisar
650.691.4000 x177 - Mountain View office (voicemail)
626.359.4010 - LA office
626.536.2725 - mobile (voicemail)

From tbird at secnetgroup.com Tue Aug 10 15:59:45 1999
From: tbird at secnetgroup.com (Tina Bird)
Date: Tue, 10 Aug 1999 14:59:45 -0500
Subject: IPSec Questions
Message-ID: <4.1.19990810145442.009a8cd0@mail.secnetgroup.com>

Hi all -- Eric Zines asked me a couple of very good questions yesterday, so I'm throwing them to the rest of you for ideas and opinions.

Does anyone ever use AH within IPSec in tunnel mode, rather than transport mode? If so, how did you make the decision that that was your optimal choice?

How do you decide whether to use MD5 or SHA-1 for message authentication? SHA-1 has a longer key, but are there any other ways to decide between them?

thanks -- tbird
From elsepascoe at mindspring.com Tue Aug 10 16:26:44 1999
From: elsepascoe at mindspring.com (Elsworth Pascoe)
Date: Tue, 10 Aug 1999 16:26:44 -0400
Subject: VPN - connect MS Exchange Sites
Message-ID: <000a01bee36e$ac23fd20$e301a8c0@defiant>

Hello all,

You probably addressed this before, I am new to the list. Does anyone use or support using a VPN to connect Exchange sites? Thanks for your input. What are the drawbacks, if any?

- Elsworth

From rick_smith at securecomputing.com Tue Aug 10 16:58:53 1999
From: rick_smith at securecomputing.com (Rick Smith)
Date: Tue, 10 Aug 1999 15:58:53 -0500
Subject: IPSec Questions
In-Reply-To: <4.1.19990810145442.009a8cd0@mail.secnetgroup.com>
Message-ID: <3.0.3.32.19990810155853.0094e4a0@mailhost.sctc.com>

At 02:59 PM 8/10/99 -0500, Tina Bird wrote:
>Hi all -- Eric Zines asked me a couple of very good questions yesterday, so
>I'm throwing
>them to the rest of you for ideas and opinions.
>
>Does anyone ever use AH within IPSec in tunnel mode, rather than transport
>mode? If
>so, how did you make the decision that that was your optimal choice?

Security-wise you're unlikely to see a difference, but there might be a functional difference depending on the equipment you have.
The best thing is to set up the equipment you're using and figure out which one works best in your network. Some products might not handle both modes effectively, or might not interoperate with other products in one mode or the other. Transport mode is slightly more efficient since you don't have to send two IP headers. If you set it up and can't tell the difference between them, then it won't matter which you use.

>How do you decide whether to use MD5 or SHA-1 for message authentication?
>SHA-1
>has a longer key, but are there any other ways to decide between them?

Again, the security difference isn't likely to matter. The longer key is safer, but the improved safety wouldn't justify any operational inconvenience you might encounter due to software interactions or incompatibilities. If you're using IKE/ISAKMP to do periodic rekeying, the risk of someone doing a successful integrity attack is negligible even if you're using the shorter MD5 key.

Rick.
smith at securecomputing.com
"Internet Cryptography" at http://www.visi.com/crypto/

From rk_ at mailcity.com Tue Aug 10 16:40:29 1999
From: rk_ at mailcity.com (S Ramakrishnan)
Date: Tue, 10 Aug 1999 13:40:29 -0700
Subject: Tunnel Setup Autentication
Message-ID:

My question pertains to setup of layer 2 tunnels (especially L2TP tunnels).
I understand that after a tunnel has been set up, a user may dial in to a LAC and be authenticated by the LAC and/or the LNS using RADIUS or other means and create a new session on that tunnel.

What about tunnel setup itself? What kind of authentication is performed during tunnel setup?

Any info greatly appreciated.

Thanks !
Rk
---
S Ramakrishnan
"... from the sunny shores of California ..."
rk_ at mailcity.com, (408) 616.3100

From ezines at telechoice.com Tue Aug 10 20:19:46 1999
From: ezines at telechoice.com (Eric Zines)
Date: Tue, 10 Aug 1999 19:19:46 -0500
Subject: two more IPSec questions...
Message-ID: <000601bee38f$38801860$0201a8c0@ezines.telechoice>

First of all, thanks to Rick Smith for the quick response to the questions on AH transport/tunnel and authentication options.

I did have two more questions, and was hoping that someone could answer them directly, or point me to a really good resource or example. Here goes...

1. I know that this would be REALLY ugly, but is it possible to use both PPTP and IPSec at the same time? Not in parallel on the same network, but serially...one after the other? I ask because a lot of organizations have PPTP already (though I haven't run across too many that are pleased with that decision) and it DOES handle multiprotocol traffic, and it IS tied to the NT directory structure.
So it does offer some things that IPSec doesn't at this point, but is it even possible to use both at once? If so, what does it look like from both the client and HQ sides? I suspect that the client side may be the most difficult issue. Would the overhead completely crater performance?

2. Same question, but for L2TP/IPSec. I think that this may be a little more elegant, but what does it look like? I'm curious from both a theoretical and practical/architectural standpoint. I'm afraid that there may not be a great deal of experience with this out there, as L2TP isn't in widespread use at this point...especially with end-user organizations. I'm guessing that to implement a multiprotocol solution you would have to L2TP first, then IPSec? Or is there a situation in which you'd want to do it the other way 'round?

Anyway...any input would be GREATLY appreciated! Thanks in advance.

Eric Zines
TeleChoice, Inc.

From rgm at icsa.net Tue Aug 10 18:04:51 1999
From: rgm at icsa.net (Robert Moskowitz)
Date: Tue, 10 Aug 1999 18:04:51 -0400
Subject: IPSec Questions
In-Reply-To: <4.1.19990810145442.009a8cd0@mail.secnetgroup.com>
Message-ID: <4.1.19990810175733.00b69d60@homebase.htt-consult.com>

At 02:59 PM 8/10/1999 -0500, Tina Bird wrote:
>
>How do you decide whether to use MD5 or SHA-1 for message authentication?
>SHA-1
>has a longer key, but are there any other ways to decide between them?
>

The lengths for HMAC-MD5 and HMAC-SHA1 are truncated to 96 bits per our cryptographers.
The same cryptographers were concerned about MD5 and have stated that for a little more computational effort SHA1 is preferable.

Robert Moskowitz
ICSA, Inc.
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished if it doesn't matter who gets the credit


From rgm at icsa.net Tue Aug 10 22:37:22 1999
From: rgm at icsa.net (Robert Moskowitz)
Date: Tue, 10 Aug 1999 22:37:22 -0400
Subject: two more IPSec questions...
In-Reply-To: <000601bee38f$38801860$0201a8c0@ezines.telechoice>
Message-ID: <4.1.19990810223356.00ab0240@homebase.htt-consult.com>

At 07:19 PM 8/10/1999 -0500, Eric Zines wrote:
>
> 1. I know that this would be REALLY ugly, but is it possible to use both PPTP and IPSec at the same time?

You might be able to do this, but not even MS is spending any time on it. See below.

> Not in parallel on the same network, but serially...one after the other? I ask because a lot of organizations have PPTP already (though I haven't run across too many that are pleased with that decision) and it DOES handle multiprotocol traffic, and it IS tied to the NT directory structure. So it does offer some things that IPSec doesn't at this point, but is it even possible to use both at once? If so, what does it look like from both the client and HQ sides? I suspect that the client side may be the most difficult issue. Would the overhead completely crater performance?
>
> 2. Same question, but for L2TP/IPSec.

This is MS's direction.
In fact if you read the RFCs, L2TP's REAL security is IPsec. It has some wrinkles to iron out. Despite what Glen Zorn and Peter Ford have said.

> I think that this may be a little more elegant, but what does it look like? I'm curious from both a theoretical and practical/architectural standpoint. I'm afraid that there may not be a great deal of experience with this out there, as L2TP isn't in widespread use at this point...especially with end-user organizations. I'm guessing that to implement a multiprotocol solution you would have to L2TP first, then IPSec? Or is there a situation in which you'd want to do it the other way 'round?

L2TP over IPsec. I'd rather add IKE CFG to IPsec to handle the address negotiation (10 vendors already support the Internet Draft to meet customer requirements) and GRE if you really need multiprotocol.

Robert Moskowitz
ICSA, Inc.
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished if it doesn't matter who gets the credit


From carlsonmail at yahoo.com Wed Aug 11 12:25:28 1999
From: carlsonmail at yahoo.com (Chris Carlson)
Date: Wed, 11 Aug 1999 09:25:28 -0700 (PDT)
Subject: two more IPSec questions...
Message-ID: <19990811162528.17615.rocketmail@web119.yahoomail.com>

Eric,

Microsoft is addressing this right now with Windows 2000. It appears that they're supporting IPSec, PPTP, and L2TP clients on W2000 workstation, with the ability to embed L2TP tunnels in an IPSec tunnel.
Therefore, you get multiprotocol support of L2TP, with only using IPSec as the transport mechanism.

It makes sense, though. Most users have a security issue with PPTP/L2TP, but people are looking at it because of native MS support AND the ability to handle multiprotocols. So, now you get multiprotocols AND IPSec-strength security. AND, you're tied to a Microsoft W2000 client and compatible back-end. Something tells me that W2000 server will support L2TP/IPSec tunnels, but other VPN vendors won't... Hmmm...

I personally feel that the biggest non-IP protocol needing support is IPX. Not too much AppleTalk in the enterprise, and certainly very little SNA, DecNet, LAT, etc., especially given all the gateways out there. IPX can be easily supported by a NetWare 5.0 acting as an IP-IPX gateway. Each server can support 1500 users. Not too shabby. I helped a customer put one in...

Chris
--

--- Eric Zines wrote:
> First of all, thanks to Rick Smith for the quick response to the questions on AH transport/tunnel and authentication options.
>
> I did have two more questions, and was hoping that someone could answer them directly, or point me to a really good resource or example. Here goes...
>
> 1. I know that this would be REALLY ugly, but is it possible to use both PPTP and IPSec at the same time? Not in parallel on the same network, but serially...one after the other? I ask because a lot of organizations have PPTP already (though I haven't run across too many that are pleased with that decision) and it DOES handle multiprotocol traffic, and it IS tied to the NT directory structure. So it does offer some things that IPSec doesn't at this point, but is it even possible to use both at once? If so, what does it look like from both the client and HQ sides? I suspect that the client side may be the most difficult issue. Would the overhead completely crater performance?
>
> 2. Same question, but for L2TP/IPSec.
> I think that this may be a little more elegant, but what does it look like? I'm curious from both a theoretical and practical/architectural standpoint. I'm afraid that there may not be a great deal of experience with this out there, as L2TP isn't in widespread use at this point...especially with end-user organizations. I'm guessing that to implement a multiprotocol solution you would have to L2TP first, then IPSec? Or is there a situation in which you'd want to do it the other way 'round?
>
> Anyway...any input would be GREATLY appreciated!
>
> Thanks in advance.
>
> Eric Zines
> TeleChoice, Inc.
From eric at redcreek.com Wed Aug 11 09:36:29 1999
From: eric at redcreek.com (Eric Henriksen)
Date: Wed, 11 Aug 1999 09:36:29 -0400
Subject: IPSec Questions
References: <3.0.3.32.19990810155853.0094e4a0@mailhost.sctc.com>
Message-ID: <000901bee3fe$8af28320$da52fea9@training.cybg.com>

Functionally, I agree with most of the response below. However, it is important to remember that running 'Mixed Mode' AH and ESP Transport will result in double encapsulation. Given the previous discussion on this forum regarding the impact of 'growing' the packets with additional header, remember the effect this has on fragmentation and the inherent problem that MS and low-speed connected platforms have in dealing with fragmentation. Also AH will conduct hash authentication on every packet, which may severely limit throughput - especially for platforms that do not specifically accelerate the hash function (not just DES).

Additionally, the level of security added to the solution is unnecessary given the resources needed to brute force attack the 3DES keys to begin with. For example, the 168 bit key space of 3DES has 3.74e+50 key combinations, estimated at at least an effective strength of 112 bit contiguous key length, or 5.2e+33. Assume that the best effort attack by the Electronic Frontier Foundation on a DES key, with 7.21e+16 key variants, was about 3 hours. That puts the worst case strength of 3key 3DES at 7.21e+16 times the key combos, or 216,172,782,113,783,808 hours, or over 24 trillion years.
Give it 12 trillion years to average half the key space and throw a large number of parallel processes at this and it's still unlikely that the session would be cracked and hijacked given the present-day silicon processor technology (possibilities with quantum mechanics aside).

AH (or even HMAC auth within ESP) is generally overkill for all but the most paranoid. UNLESS you need the encapsulation functionality and ESP protocols pose some unforeseen problem. But since the ESP tunnel mode offers encapsulation, even with no transform (unencrypted) if desired, applications for AH are limited. AH/ESP mixed seems almost superfluous, unless I am missing something. Anyone have any ideas on this?

Otherwise, SHA-1 is slightly stronger and slower, but both provide excellent strength hashes to authenticate the keying processes. ISAKMP can also use 3DES to pass this authenticated key information. Not to mention that keying material is fairly far removed from the keys themselves (public key crypto), making the encrypted material not very useful even if you could crack it. In short, either one should be fine in a well designed IPSec implementation.

----- Original Message -----
From: Rick Smith
To: Tina Bird ;
Sent: Tuesday, August 10, 1999 4:58 PM
Subject: Re: IPSec Questions

> At 02:59 PM 8/10/99 -0500, Tina Bird wrote:
>
> > Hi all -- Eric Zines asked me a couple of very good questions yesterday, so I'm throwing them to the rest of you for ideas and opinions.
> >
> > Does anyone ever use AH within IPSec in tunnel mode, rather than transport mode? If so, how did you make the decision that that was your optimal choice?
>
> Security-wise you're unlikely to see a difference, but there might be a functional difference depending on the equipment you have. The best thing is to set up the equipment you're using and figure out which one works best in your network.
> Some products might not handle both modes effectively, or might not interoperate with other products in one mode or the other. Transport mode is slightly more efficient since you don't have to send two IP headers. If you set it up and can't tell the difference between them, then it won't matter which you use.
>
> > How do you decide whether to use MD5 or SHA-1 for message authentication? SHA-1 has a longer key, but are there any other ways to decide between them?
>
> Again, the security difference isn't likely to matter. The longer key is safer, but the improved safety wouldn't justify any operational inconvenience you might encounter due to software interactions or incompatibilities. If you're using IKE/ISAKMP to do periodic rekeying, the risk of someone doing a successful integrity attack is negligible even if you're using the shorter MD5 key.
>
>
> Rick.
> smith at securecomputing.com
> "Internet Cryptography" at http://www.visi.com/crypto/
From ken.c.chen at lmco.com Wed Aug 11 15:57:26 1999
From: ken.c.chen at lmco.com (Chen, Ken C)
Date: Wed, 11 Aug 1999 15:57:26 -0400
Subject: IPsec / PPTP for IPX functionality
Message-ID: <15B7999C4F94D211AAE90000F81A45E75D686E@emss20m02.ems.lmco.com>

Hmmm.... this is sort of a strange question. Is it possible to start a PPTP tunnel after establishing an IPsec tunnel? Since PPTP supports multiprotocols, this would essentially allow the transport of IPX through the IPsec tunnel... which is my ultimate goal for this quirky procedure. With the overhead of the two tunneling protocols, it may not even be worth the effort... but I thought I'd ask!

Thanks in advance.

Ken


From rick_smith at securecomputing.com Wed Aug 11 14:22:39 1999
From: rick_smith at securecomputing.com (Rick Smith)
Date: Wed, 11 Aug 1999 13:22:39 -0500
Subject: IPSec Questions
In-Reply-To: <000901bee3fe$8af28320$da52fea9@training.cybg.com>
References: <3.0.3.32.19990810155853.0094e4a0@mailhost.sctc.com>
Message-ID: <3.0.3.32.19990811132239.0094ea70@mailhost.sctc.com>

At 09:36 AM 8/11/99 -0400, Eric Henriksen wrote:
> .... remember that running 'Mixed Mode' AH and ESP Transport will result in double encapsulation.
> Given the previous discussion on this forum regarding the impact of 'growing' the packets with additional header, ...

One gets somewhat caught between a rock and a hard place here.

IPSEC headers can protect against disclosure, modification, and replay. The encryption transforms will only protect against disclosure. If you're a likely victim of clever denial of service attacks (as opposed to pointed attempts to modify specific data items in messages) then you might want the protection of authentication. It all depends on how the level of paranoia plays against your operational needs.

You can minimize packet size inflation by using the combined transforms, of course, but you still have to pay the computational overhead.

> Additionally, the level of security added to the solution is unnecessary given the resources needed to brute force attack the 3DES keys to begin with. ....

You don't need to crack the key in order to replay a packet or to modify the message contents. While these tricks won't always allow someone to change a payment from a dollar to a million dollars, a vandal could easily inject garbage into your system. This could cause minor glitches or major denial of service, depending on what transaction gets corrupted.

Replaying UDP (like NFS transactions) is trivial -- you just send the packet at a later time, assuming the same key is still being used, and the "read" or "write" operation is repeated. Replayed TCP is more likely to be rejected since the sequence numbers might not make sense (though Bellovin wrote up something about how an attack might circumvent this problem).

Packet modification is straightforward with typical stream ciphers like RC4: you flip bits in the ciphertext and the same bits get changed in the plaintext. Fix the packet checksum and you're done. Block ciphers with CBC are also vulnerable, though you'll usually end up with several bytes of garbage at the point where the new data is spliced in.
If hijacking is your only concern, then you should get by just fine with encryption. A good hijack would need to recover the key. However, the mechanisms needed for hijacking would support garbage insertion with less effort.

Rick.
smith at securecomputing.com
"Internet Cryptography" at http://www.visi.com/crypto/


From rick_smith at securecomputing.com Wed Aug 11 14:40:23 1999
From: rick_smith at securecomputing.com (Rick Smith)
Date: Wed, 11 Aug 1999 13:40:23 -0500
Subject: two more IPSec questions...
In-Reply-To: <000601bee38f$38801860$0201a8c0@ezines.telechoice>
Message-ID: <3.0.3.32.19990811134023.00954790@mailhost.sctc.com>

At 07:19 PM 8/10/99 -0500, Eric Zines wrote:
> I did have two more questions, ...
>
> 1. I know that this would be REALLY ugly, but is it possible to use both PPTP and IPSec at the same time?

There are two questions here: a hosting question and a protocol question. I've never done this, so my observations are more theoretical than practical. But here goes.

The hosting question is whether it's possible to configure a gateway machine to apply both types of encapsulation to traffic as it goes through a particular network connection. I don't know the answer to that one.

The protocol question is whether or not it makes sense to do this from an operational or security standpoint. What I'd be tempted to do is use IPSEC for the security aspects and use PPTP or L2TP purely for protocol encapsulation.
So, you turn off encryption in the L2TP and/or PPTP, and pipe the encapsulated data through IPSEC security encapsulation.

As far as the crypto goes, you don't necessarily multiply the raw security of the encryption by applying multiple levels of conventional algorithms. If you consider the amount of processing it takes to do IPSEC crypto plus PPTP crypto, you don't get your fair share of security from the result. It's computationally more efficient to apply a stronger algorithm to one or the other than a medium algorithm to each protocol.

Rick.
smith at securecomputing.com
"Internet Cryptography" at http://www.visi.com/crypto/


From evyncke at cisco.com Fri Aug 13 10:18:04 1999
From: evyncke at cisco.com (Eric Vyncke)
Date: Fri, 13 Aug 1999 16:18:04 +0200
Subject: Tunnel Setup Authentication
In-Reply-To:
Message-ID: <4.1.19990813161655.00a0f8e0@brussels.cisco.com>

At 13:40 10/08/1999 -0700, S Ramakrishnan wrote:
>
> My question pertains to setup of layer 2 tunnels (especially L2TP tunnels). I understand that after a tunnel has been setup, a user may dial in to a LAC and be authenticated by the LAC and/or the LNS using RADIUS or other means and create a new session on that tunnel.
>
> What about tunnel setup itself?

Both ends of the tunnel, LNS and LAC, are authenticated based on the L2TP protocol (it uses a schema similar to CHAP).
This 'password' for the LNS and LAC termination points could be stored in a RADIUS server.

-eric

> What kind of authentication is performed during tunnel setup?
>
> Any info greatly appreciated.
>
> Thanks !
>
> Rk
>
>
> ---
> S Ramakrishnan
> "... from the sunny shores of California ..."
> rk_ at mailcity.com, (408) 616.3100

Eric Vyncke
Consulting Engineer
Cisco Systems EMEA
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke at cisco.com
Mobile: +32-75-312.458


From evyncke at cisco.com Fri Aug 13 10:24:31 1999
From: evyncke at cisco.com (Eric Vyncke)
Date: Fri, 13 Aug 1999 16:24:31 +0200
Subject: two more IPSec questions...
In-Reply-To: <000601bee38f$38801860$0201a8c0@ezines.telechoice>
Message-ID: <4.1.19990813161958.00a0d270@brussels.cisco.com>

From Eric to Eric ;-)

The combination of L2TP with IPSec is commonly seen as a good one (except for the throughput via double encapsulation!):

- protecting LAC/LNS via IPSec can be useful, especially if the LAC is the dial-in client itself: all protocols are encrypted and not only IP, no need to rely on IETF drafts for dynamic IP addressing (modecfg) and user authentication (xauth)
- putting IPSec packets in L2TP can be useful as well (but probably less), L2TP is used to convey IPSec packets and you have the advantages of L2TP. This solution will most probably be deployed by ISPs for their customers

Just my biased 0.01 EUR

-eric

At 19:19 10/08/1999 -0500, Eric Zines wrote:
> First of all, thanks to Rick Smith for the quick response to the questions on AH transport/tunnel and authentication options.
>
> I did have two more questions, and was hoping that someone could answer them directly, or point me to a really good resource or example. Here goes...
>
> 1. I know that this would be REALLY ugly, but is it possible to use both PPTP and IPSec at the same time? Not in parallel on the same network, but serially...one after the other? I ask because a lot of organizations have PPTP already (though I haven't run across too many that are pleased with that decision) and it DOES handle multiprotocol traffic, and it IS tied to the NT directory structure. So it does offer some things that IPSec doesn't at this point, but is it even possible to use both at once? If so, what does it look like from both the client and HQ sides? I suspect that the client side may be the most difficult issue. Would the overhead completely crater performance?
>
> 2. Same question, but for L2TP/IPSec. I think that this may be a little more elegant, but what does it look like? I'm curious from both a theoretical and practical/architectural standpoint.
> I'm afraid that there may not be a great deal of experience with this out there, as L2TP isn't in widespread use at this point...especially with end-user organizations. I'm guessing that to implement a multiprotocol solution you would have to L2TP first, then IPSec? Or is there a situation in which you'd want to do it the other way 'round?
>
> Anyway...any input would be GREATLY appreciated!
>
> Thanks in advance.
>
> Eric Zines
> TeleChoice, Inc.

Eric Vyncke
Consulting Engineer
Cisco Systems EMEA
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke at cisco.com
Mobile: +32-75-312.458


From jason.dowd at us.pwcglobal.com Fri Aug 13 16:56:21 1999
From: jason.dowd at us.pwcglobal.com (jason.dowd at us.pwcglobal.com)
Date: Fri, 13 Aug 1999 15:56:21 -0500
Subject: IPsec / PPTP for IPX functionality
Message-ID: <852567CC.0072DE60.00@intlnamsmtp10.us.pw.com>

Yes, it is quite possible.
The course of events starts with a user dialing an ISP and establishing a PPP session. Once that is done, the IPSec client is enabled and a PPTP connection is established to the PPP server. As long as the policy for the IPSec client states that protection should be applied to the PPTP traffic, everything will be good. Of course, it is generally necessary or at least desirable to either place the PPTP server behind the IPSec gateway or have them both on one box.

Network Alchemy (www.network-alchemy.com) supports termination of both PPTP and L2TP as well as IPSec. Terminating IPSec and PPTP/L2TP sessions simultaneously is a core part of their client functionality. However, they only support IP over PPTP and L2TP, so you cannot do this alone for multiprotocol support. As we went through earlier, though, there are standards based options for encapsulating IPX and also AppleTalk in IP. For Network Alchemy, this would need to be done on another box. Compatible Systems actually will encapsulate both IPX and AppleTalk all by itself, making it a one stop shop for remote access VPNs. This sounds like what you might want to check out.

There are some good reasons to run PPTP over IPSec just with IP though. PPTP gives you RADIUS authentication that a surprising number of organizations require as well as the ability to assign internal addresses, DNS servers and so forth. The drafts for this functionality from IPSec are still brewing, but with PPTP you can have it all now.

Jason


"Chen, Ken C" on 08/11/99 02:57:26 PM

To: vpn at listserv.secnetgroup.com
cc:
Subject: IPsec / PPTP for IPX functionality

Hmmm.... this is sort of a strange question. Is it possible to start a PPTP tunnel after establishing an IPsec tunnel? Since PPTP supports multiprotocols, this would essentially allow the transport of IPX through the IPsec tunnel... which is my ultimate goal for this quirky procedure. With the overhead of the two tunneling protocols, it may not even be worth the effort...
but I thought I'd ask!

Thanks in advance.

Ken


From jflowers at hiverworld.com Sun Aug 15 18:34:40 1999
From: jflowers at hiverworld.com (John S Flowers)
Date: Sun, 15 Aug 1999 15:34:40 -0700
Subject: IPsec / PPTP for IPX functionality
References: <15B7999C4F94D211AAE90000F81A45E75D686E@emss20m02.ems.lmco.com>
Message-ID: <37B74080.F7BDF445@hiverworld.com>

Actually, (and after digging a bit) the URL is:

http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html

"Chen, Ken C" wrote:
>
> Hmmm.... this is sort of a strange question. Is it possible to start a PPTP tunnel after establishing an IPsec tunnel? Since PPTP supports multiprotocols, this would essentially allow the transport of IPX through the IPsec tunnel... which is my ultimate goal for this quirky procedure. With the overhead of the two tunneling protocols, it may not even be worth the effort... but I thought I'd ask!
>
> Thanks in advance.
>
> Ken

--
John S Flowers
Chief Technology Officer
http://www.hiverworld.com
Hiverworld, Inc.
Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment


From eric_h at Earthlink.Net Mon Aug 16 13:15:17 1999
From: eric_h at Earthlink.Net (Eric Henriksen)
Date: Mon, 16 Aug 1999 13:15:17 -0400
Subject: IPSec Questions
References: <3.0.3.32.19990810155853.0094e4a0@mailhost.sctc.com> <3.0.3.32.19990811132239.0094ea70@mailhost.sctc.com>
Message-ID: <005a01bee80a$eb784f80$02c8a8c0@redcreek.com>

> > .... remember that running 'Mixed Mode' AH and ESP Transport will result in double encapsulation. Given the previous discussion on this forum regarding the impact of 'growing' the packets with additional header, ...
>
> One gets somewhat caught between a rock and a hard place here.
>
> IPSEC headers can protect against disclosure, modification, and replay.
> The encryption transforms will only protect against disclosure. If you're a
> likely victim of clever denial of service attacks (as opposed to pointed
> attempts to modify specific data items in messages) then you might want the
> protection of authentication. It all depends on how the level of paranoia
> plays against your operational needs.

HMAC (hash message authentication code) with the ESP transform will prevent
such hijacking, assuming you believe the crack can occur to generate a
spoofed packet to begin with. Denial of service attacks are likely
regardless of the transform or header, and dependent upon whether the IPSec
gateway device will give buffer service to ICMP echo request/reply, or other
services to 'busy out'.

> You can minimize packet size inflation by using the combined transforms, of
> course, but you still have to pay the computational overhead.

You save an IP header, but will need the AH, ESP, tunnel IP header (if not
using transport), the original IP header, plus trailers. The additional AH
may force fragmentation, if the ESP didn't already.

> > Additionally, the level of security added to the solution is unnecessary
> > given the resources needed to brute force attack the 3DES keys to begin
> > with. ....
>
> You don't need to crack the key in order to replay a packet or to modify
> the message contents. While these tricks won't always allow someone to
> change a payment from a dollar to a million dollars, a vandal could easily
> inject garbage into your system. This could cause minor glitches or major
> denial of service, depending on what transaction gets corrupted.

'Replay detection' should avert this type of attack.

> Replaying UDP (like NFS transactions) is trivial -- you just send the
> packet at a later time, assuming the same key is still being used, and the
> "read" or "write" operation is repeated.
> Replayed TCP is more likely to be
> rejected since the sequence numbers might not make sense (though Bellovin
> wrote up something about how an attack might circumvent this problem).

Actually, cracking the isakmp to get a properly constructed header (not
replayed) is less likely than cracking the DES key.

> Packet modification is straightforward with typical stream ciphers like
> RC4: you flip bits in the ciphertext and the same bits get changed in the
> plaintext. Fix the packet checksum and you're done. Block ciphers with CBC
> are also vulnerable, though you'll usually end up with several bytes of
> garbage at the point where the new data is spliced in.

Unless I'm missing something, a SHA HMAC should prevent this.

> If hijacking is your only concern, then you should get by just fine with
> encryption. A good hijack would need to recover the key. However, the
> mechanisms needed for hijacking would support garbage insertion with less
> effort.

I would think that authentication would better prevent the hijack, and
encryption would provide the confidentiality. Garbage insertion is an
interesting discussion. How would one spoof the ESP header? If this is
strictly a denial of service attack on the authentication process, a
hardware implementation (VLSI, Hfn) should provide more packet processing
than would be necessary from OC1 or less pipes.

> Rick.
> smith at securecomputing.com
> "Internet Cryptography" at http://www.visi.com/crypto/
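The points argued back and forth above (a flipped ciphertext bit surfacing as a flipped plaintext bit under an encryption-only ESP, an HMAC-SHA1-96 ICV rejecting that change, and replay detection dropping a resent packet) worked through in Python as an editor-added illustration; this is not code from either poster. The packet layout, the keys and the SHA-256 counter keystream standing in for a stream cipher are all constructed for the example.

```python
"""Constructed demonstration of the thread's points about ESP: an
encryption-only transform is malleable and replayable, the combined
transform (encrypt + HMAC-SHA1-96 ICV + anti-replay window) is not.
The keystream, keys and packet layout are constructed for this example."""
import hashlib
import hmac
import struct

ICV_LEN = 12        # HMAC-SHA1-96: the 20-byte SHA-1 tag truncated to 96 bits
REPLAY_WINDOW = 64  # sliding window size, in sequence numbers

def keystream(key: bytes, length: int) -> bytes:
    """Constructed SHA-256 counter keystream standing in for a stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]

def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))

def esp_encrypt_only(enc_key, spi, seq, plaintext):
    """First-generation style ESP: SPI | seq | ciphertext, no ICV.
    SPI and seq are mixed into the keystream so no two packets share it."""
    header = struct.pack(">II", spi, seq)
    return header + xor(plaintext, keystream(enc_key + header, len(plaintext)))

def decrypt_no_auth(enc_key, packet):
    """Receiver for the encryption-only transform: decrypts whatever arrives."""
    header, ct = packet[:8], packet[8:]
    return xor(ct, keystream(enc_key + header, len(ct)))

def esp_encrypt_auth(enc_key, auth_key, spi, seq, plaintext):
    """Combined transform: encrypt, then ICV = HMAC over header + ciphertext."""
    body = esp_encrypt_only(enc_key, spi, seq, plaintext)
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]

def flip_bit(packet, byte_index, bit):
    """The in-transit modification the thread describes: one ciphertext bit."""
    b = bytearray(packet)
    b[byte_index] ^= 1 << bit
    return bytes(b)

class EspReceiver:
    """Inbound SA state for the combined transform."""

    def __init__(self, enc_key, auth_key, window=REPLAY_WINDOW):
        self.enc_key, self.auth_key, self.window = enc_key, auth_key, window
        self.last_seq = 0  # highest sequence number accepted so far
        self.bitmap = 0    # bit i set <=> last_seq - i already accepted

    def receive(self, packet):
        """Returns (plaintext, 'ok') or (None, reason). The ICV is checked
        before the window is updated, so a forged packet cannot move it."""
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None, "auth_failed"
        _spi, seq = struct.unpack(">II", body[:8])
        if seq == 0:
            return None, "replay"            # 0 is never valid on a fresh SA
        if seq > self.last_seq:              # right of the window: slide it
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.last_seq = seq
        else:
            diff = self.last_seq - seq
            if diff >= self.window:          # left of the window: too old
                return None, "replay"
            if self.bitmap & (1 << diff):    # inside the window, seen before
                return None, "replay"
            self.bitmap |= 1 << diff         # inside the window, new
        return decrypt_no_auth(self.enc_key, body), "ok"

def demo():
    """Runs the four cases from the thread and returns their outcomes."""
    enc_key, auth_key = b"constructed-enc-key", b"constructed-auth-key"
    msg = b"PAY 0000001 USD"
    results = {}
    # 1. Encryption only: flipping bit 0 of ciphertext byte 4 turns the
    #    plaintext '0' (0x30) into '1' (0x31), and nobody notices.
    pkt = esp_encrypt_only(enc_key, 0x1000, 1, msg)
    results["no_auth_tampered"] = decrypt_no_auth(enc_key, flip_bit(pkt, 8 + 4, 0))
    # 2. The same flip against the combined transform fails the ICV check.
    rx = EspReceiver(enc_key, auth_key)
    pkt = esp_encrypt_auth(enc_key, auth_key, 0x1000, 1, msg)
    results["auth_tampered"] = rx.receive(flip_bit(pkt, 8 + 4, 0))[1]
    # 3. The genuine packet is accepted once; a resent copy is a replay.
    results["first"] = rx.receive(pkt)
    results["replayed"] = rx.receive(pkt)[1]
    # 4. Reordering inside the window is fine, but each number is good once.
    p3 = esp_encrypt_auth(enc_key, auth_key, 0x1000, 3, msg)
    p2 = esp_encrypt_auth(enc_key, auth_key, 0x1000, 2, msg)
    results["seq3"], results["seq2"] = rx.receive(p3)[1], rx.receive(p2)[1]
    results["seq2_again"] = rx.receive(p2)[1]
    return results
```

Note that RFC 2406 runs a preliminary window check before the ICV to save HMAC work on obvious replays; this simplified receiver verifies the ICV first, which gives the same outcomes here.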
From rick_smith at securecomputing.com Mon Aug 16 14:15:04 1999
From: rick_smith at securecomputing.com (Rick Smith)
Date: Mon, 16 Aug 1999 13:15:04 -0500
Subject: IPSec Questions
In-Reply-To: <005a01bee80a$eb784f80$02c8a8c0@redcreek.com>
References: <3.0.3.32.19990810155853.0094e4a0@mailhost.sctc.com> <3.0.3.32.19990811132239.0094ea70@mailhost.sctc.com>
Message-ID: <3.0.3.32.19990816131504.00982880@mailhost.sctc.com>

Regarding Eric Henriksen's reply...

I thought I was addressing the question of whether an encryption
transformation was sufficient protection for IPSEC traffic, so I was
outlining the potential problem areas if one omitted the capabilities of
the Authentication Header.

For the purposes of this discussion, I'm addressing the practical aspects
of attacks. Some attacks might be feasible for NSA when faced with a
critical national security objective but prohibitively costly in a
commercial setting. I prefer unconditionally strong solutions, but I'm not
going to lose a lot of sleep over something that provides a reasonable
trade-off in a real-world situation.

> I would think that authentication would better prevent the hijack, and
> encryption would provide the confidentiality.

Exactly so.
Authentication would solve the hijacking problem directly. On the other
hand, encryption by itself will pose enough of an obstacle against hijacking
to deter most attackers. The best the attacker can do is modify existing
packets in transit.

> Garbage insertion is an
> interesting discussion. How would one spoof the ESP header? If this
> is strictly a denial of service attack on the authentication process, a
> hardware implementation (VLSI, Hfn) should provide more packet
> processing than would be necessary from OC1 or less pipes.

There are techniques to attack standard bit-oriented stream ciphers or block
ciphers in certain autokey or CBC modes, as long as you're talking about a
first generation ESP header without authentication. The original IPSEC
transforms supported encryption only, and there's a good reason why the
latest transforms incorporate authentication and anti-replay into a single
transform.

Rick.
smith at securecomputing.com
"Internet Cryptography" at http://www.visi.com/crypto/

From chuang at icsinspections.com Mon Aug 16 16:46:56 1999
From: chuang at icsinspections.com (Huang, Charles)
Date: Mon, 16 Aug 1999 16:46:56 -0400
Subject: Shiva VPN Express
Message-ID: <6159DD9C5791D211A12700902728A2A61B0D59@MAIL2>

Hi, everybody:

I am new to this area and just did some research about the hardware VPN
solution. We have seen some good comments about Shiva LanRover VPN Gateway;
has anyone used Shiva VPN Express? Any comments?

Thank you in advance

Charles

From sstarcevic at brak.com Tue Aug 17 08:57:11 1999
From: sstarcevic at brak.com (Steve Starcevic)
Date: Tue, 17 Aug 1999 08:57:11 -0400
Subject: Tunnel Setup Authentication
Message-ID: <40AF993881EFD21184C900805F29F0401D12AD@Hobbs.ho.brak.com>

What's a LAC (Local Access Concentrator) ???

-----Original Message-----
From: Eric Vyncke [mailto:evyncke at cisco.com]
Sent: Friday, August 13, 1999 10:18 AM
To: S Ramakrishnan; vpn at listserv.secnetgroup.com
Subject: Re: Tunnel Setup Authentication

At 13:40 10/08/1999 -0700, S Ramakrishnan wrote:
>
> My question pertains to setup of layer 2 tunnels (especially L2TP tunnels).
> I understand that after a tunnel has been setup, a user may dial in to a
> LAC and be authenticated by the LAC and/or the LNS using RADIUS or other
> means and create a new session on that tunnel.
>
> What about tunnel setup itself?

Both ends of the tunnel, LNS and LAC, are authenticated based on the L2TP
protocol (it uses a schema similar to CHAP). This 'password' for the LNS and
LAC termination points could be stored in a RADIUS server

-eric

> What kind of authentication is performed during tunnel setup?
>
> Any info greatly appreciated.
>
> Thanks !
>
> Rk
>
> ---
> S Ramakrishnan
> "... from the sunny shores of California ..."
> rk_ at mailcity.com, (408) 616.3100

Eric Vyncke
Consulting Engineer Cisco Systems EMEA
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evyncke at cisco.com Mobile: +32-75-312.458

From mmedwid at symantec.com Tue Aug 17 14:06:28 1999
From: mmedwid at symantec.com (Michael Medwid)
Date: Tue, 17 Aug 1999 11:06:28 -0700
Subject: PPTP Question
Message-ID: <882567D0.0063DE37.00@uscu-smtp01.symantec.com>

I have a user inside our firewall that wants to create a PPTP tunnel to a
server outside of our firewall. Our policy allows traffic initiated from
inside to head out to the Internet. He says he can not create a PPTP tunnel
going out through the firewall. Would inbound ports need to be enabled (we
wouldn't do that) in order for his PPTP session initiated from inside to be
able to be established?

Thanks.

From eric_h at Earthlink.Net Tue Aug 17 11:03:05 1999
From: eric_h at Earthlink.Net (Eric Henriksen)
Date: Tue, 17 Aug 1999 11:03:05 -0400
Subject: IPsec / PPTP for IPX functionality
References: <852567CC.0072DE60.00@intlnamsmtp10.us.pw.com>
Message-ID: <00ec01bee8c1$f8536660$02c8a8c0@redcreek.com>

Good synopsis. However, the prospect of running PPTP over ESP tunnels just
to move IP traffic seems somewhat overkill. To run RADIUS challenges,
telnet, ftp or http is all that is needed. These can be run over an ESP or
PPTP tunnel. Any vendor that supports DHCP over the tunnel can get the DNS,
WINS, etc. that way.
As a gratuitous plus, RedCreek supports such DHCP over the tunnel for
clients and remote extranets. For the clients, they've built in a dll
pop-up for presenting the RADIUS challenge received over the tunnel,
irrespective of the ports opened by the client.

RADIUS is still wildly popular given the alternatives such as Kerberos or
PKI. With Kerberos being an administrative nightmare, and PKI not baked
yet, RADIUS extensible to tokens is a good alternative.

Eric

----- Original Message -----
From:
To:
Sent: Friday, August 13, 1999 4:56 PM
Subject: Re: IPsec / PPTP for IPX functionality

> Yes, it is quite possible. The course of events starts with a user dialing
> an ISP and establishing a PPP session. Once that is done, the IPSec client
> is enabled and a PPTP connection is established to the PPP server. As long
> as the policy for the IPSec client states that protection should be applied
> to the PPTP traffic, everything will be good. Of course, it is generally
> necessary or at least desirable to either place the PPTP server behind the
> IPSec gateway or have them both on one box.
>
> Network Alchemy (www.network-alchemy.com) supports termination of both PPTP
> and L2TP as well as IPSec. Terminating IPSec and PPTP/L2TP sessions
> simultaneously is a core part of their client functionality. However, they
> only support IP over PPTP and L2TP so you cannot do this alone for
> multiprotocol support. As we went through earlier though, there are
> standards based options for encapsulating IPX and also AppleTalk in IP. For
> Network Alchemy, this would need to be done on another box. Compatible
> Systems actually will encapsulate both IPX and AppleTalk all by itself,
> making it a one stop shop for remote access VPNs. This sounds like what you
> might want to check out.
>
> There are some good reasons to run PPTP over IPSec just with IP though.
> PPTP gives you RADIUS authentication that a surprising number of
> organizations require as well as the ability to assign internal addresses,
> DNS servers and so forth. The drafts for this functionality from IPSec are
> still brewing, but with PPTP you can have it all now.
>
> Jason
>
> "Chen, Ken C" on 08/11/99 02:57:26 PM
> To: vpn at listserv.secnetgroup.com
> cc:
> Subject: IPsec / PPTP for IPX functionality
>
> [...]
From jason.dowd at us.pwcglobal.com Tue Aug 17 14:22:08 1999
From: jason.dowd at us.pwcglobal.com (jason.dowd at us.pwcglobal.com)
Date: Tue, 17 Aug 1999 13:22:08 -0500
Subject: IPsec / PPTP for IPX functionality
Message-ID: <852567D0.0064ED45.00@intlnamsmtp10.us.pw.com>

All true. In fact, there are a number of vendors that support internal
address assignment and RADIUS authentication for their client access
solutions. Trouble is, the standards for this type of behavior for just
IPSec are still in draft. So anyone who presently offers such functionality
for their IPSec connections is doing so in a proprietary manner. This may or
may not be an issue depending on whether or not connections with third
parties, potentially with their own client, is a requirement. Personally, I
find the standards based approach preferable, and with minimal difficulty,
it should be possible to script this to avoid giving the users too much
grief.

Jason

Eric Henriksen on 08/17/99 10:03:05 AM
Please respond to Eric Henriksen
To: Jason Dowd/ABS/Price Waterhouse, vpn at listserv.secnetgroup.com
cc:
Subject: Re: IPsec / PPTP for IPX functionality

[...]
From rgm at icsa.net Tue Aug 17 20:51:54 1999
From: rgm at icsa.net (Robert Moskowitz)
Date: Tue, 17 Aug 1999 20:51:54 -0400
Subject: IPSec Questions
Message-ID: <4.1.19990817205141.00b77930@homebase.htt-consult.com>

At 01:22 PM 8/11/1999 -0500, Rick Smith wrote:
>
> You can minimize packet size inflation by using the combined transforms, of
> course, but you still have to pay the computational overhead.

Um, this text SEEMS to imply that ESP CAN be done without authentication.
If you read the RFCs, you will see that the INTENT is that ENCRYPTION IS
NEVER USED WITHOUT AUTHENTICATION. Dr. Orman was aghast that this was
allowed in RFCs 1825-9 (she seems to know of attacks much worse than Dr.
Bellovin's documented one). Dr. Kent allowed for ESP with encryption and
without authentication only for the case where ESP is inside of AH (this is
to provide header protection and encryption). Any implementation that
allows for ESP encryption without authentication without enforcing AH
should have warning labels on it. IMHBO

If you question this, talk to me offline. Just as a point; I AM the
co-chair and dealt with these issues. If you want textual changes in the
RFCs to clarify this, talk to me now. Ted and I are revving all of the docs
for DC.

Robert Moskowitz
ICSA, Inc.
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished if it doesn't matter who gets
the credit

From ielayoubi at shl.com Tue Aug 17 22:23:57 1999
From: ielayoubi at shl.com (ELAYOUBI, Issam)
Date: Tue, 17 Aug 1999 20:23:57 -0600
Subject: Tunnel Setup Authentication
Message-ID: <61DFFB631AA0D1118CC900805F6FAE730359476E@OTTFW02>

G'day all,

Here's a definition of what a LAC is:

L2TP access concentrator (LAC)---An L2TP device that the client directly
connects to and whereby PPP frames are tunneled to the L2TP network server
(LNS). The LAC needs only implement the media over which L2TP is to operate
to pass traffic to one or more LNSs. It may tunnel any protocol carried
within PPP. The LAC is the initiator of incoming calls and the receiver of
outgoing calls. Analogous to the Layer 2 Forwarding (L2F) network access
server (NAS).
For more information on the layer 2 tunnel protocol, as used by Cisco on
some Access Routers, please follow this link:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113aa/113aa_5/l2tp.htm

Not sure if accessible by non CCO users.

I'm sure Steve will be able to provide more information to interested
members.

Cheers,
Issam.

-----Original Message-----
From: Steve Starcevic [mailto:sstarcevic at brak.com]
Sent: Tuesday, August 17, 1999 8:57 AM
To: vpn at listserv.secnetgroup.com
Subject: RE: Tunnel Setup Authentication

What's a LAC (Local Access Concentrator) ???

[...]

From tbird at secnetgroup.com Wed Aug 18 21:59:43 1999
From: tbird at secnetgroup.com (Tina Bird)
Date: Wed, 18 Aug 1999 20:59:43 -0500 (CDT)
Subject: Glossary
Message-ID:

I'm in the process of revamping (and updating) the VPN Web page -- I will
be happy to add a glossary to the Frequently Asked Questions page as people
donate definitions.

I've also started coding up my "firewall how-to" page, that explains how to
pass various sorts of VPN protocols (IPSec and PPTP) through various and
sundry commercial firewalls. Donations also gratefully accepted.

thanks -- Tina
If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From martin at signal.nl Wed Aug 18 06:44:58 1999 From: martin at signal.nl (Martin de Gier) Date: Wed, 18 Aug 1999 12:44:58 +0200 Subject: Tunnel Setup Autentication In-Reply-To: <40AF993881EFD21184C900805F29F0401D12AD@Hobbs.ho.brak.com> Message-ID: <10423908808387@signal.nl> Is there a list of term like LNS , LAC, ESP etc. Ik know a lot off these terms but no all of them So people like me (no expert on encryption) can follow this or can trying to understand it Thanks Martin de Gier At 08:57 17-8-99 -0400, you wrote: >What's a LAC (Local Access Concentrator) ??? > > >-----Original Message----- >From: Eric Vyncke [mailto:evyncke at cisco.com] >Sent: Friday, August 13, 1999 10:18 AM >To: S Ramakrishnan; vpn at listserv.secnetgroup.com >Subject: Re: Tunnel Setup Autentication > > >At 13:40 10/08/1999 -0700, S Ramakrishnan wrote: >> >>My question pertains to setup of layer 2 tunnels (especially L2TP tunnels). > >>I understand >>that after a tunnel has been setup, >>a user may dialin to a LAC and be authenticated >>by the LAC and/or the LNS using RADIUS >>or other means and creation a new session >>on that tunnel. >> >>What about tunnel setup itself? > >Both ends of the tunnel, LNS and LAC, are authenticated based >on the L2TP protocol (it uses a schema similar to CHAP). This >'password' for the LNS and LAC termination points could be >stored in a RADIUS server > >-eric > >>What kind of authentication >>is performed during tunnel setup? >> >>Any info greatly appreciated. >> >>Thanks ! >> >>Rk >> >> >> >>--- >>S Ramakrishnan >>"... from the sunny shores of California ..." 
>>rk_ at mailcity.com, (408) 616.3100
>>
>>Get your FREE Email at http://mailcity.lycos.com
>>Get your PERSONALIZED START PAGE at http://my.lycos.com
>
>Eric Vyncke
>Consulting Engineer Cisco Systems EMEA
>Phone: +32-2-778.4677 Fax: +32-2-778.4300
>E-mail: evyncke at cisco.com Mobile: +32-75-312.458
>
>-----
>This message was scanned by Aladdin/eSafe Protection Gateway in coordination with Check Point Firewall-1. This protection does not ensure this message is virus free, however every precaution possible has been taken on our part.
------------------------------------------------------
Signal Networking B.V.
Martin de Gier, Product Specialist
Morsestraat 40, 4004 JP Tiel
Postbus 6327, 4000 HH Tiel
mailto:martin at signal.nl
http://www.signal.nl
tel. +31 (0)344 640430
fax. +31 (0)344 640431
------------------------------------------------------

From jason.dowd at us.pwcglobal.com Tue Aug 17 23:58:08 1999
From: jason.dowd at us.pwcglobal.com (jason.dowd at us.pwcglobal.com)
Date: Tue, 17 Aug 1999 22:58:08 -0500
Subject: PPTP Question
Message-ID: <852567D1.0015AD37.00@intlnamsmtp10.us.pw.com>

Michael,

The problem your user is having is transporting GRE across the firewall. This is a separate protocol from TCP or UDP and has no concept of "ports." Find out whether your firewall will support this first.

Jason

Michael Medwid on 08/17/99 01:06:28 PM
To: vpn at listserv.secnetgroup.com
cc:
Subject: PPTP Question

I have a user inside our firewall that wants to create a PPTP tunnel to a server outside of our firewall. Our policy allows traffic initiated from inside to head out to the Internet. He says he can not create a PPTP tunnel going out through the firewall.
Would inbound ports need to be enabled (we wouldn't do that) in order for his PPTP session initiated from inside to be able to be established? Thanks.

From evyncke at cisco.com Wed Aug 18 08:05:58 1999
From: evyncke at cisco.com (Eric Vyncke)
Date: Wed, 18 Aug 1999 14:05:58 +0200
Subject: Tunnel Setup Autentication
In-Reply-To: <40AF993881EFD21184C900805F29F0401D12AD@Hobbs.ho.brak.com>
Message-ID: <4.1.19990818140503.00a19730@brussels.cisco.com>

LAC = L2TP Access Concentrator (usually the access server/modem pool located at an Internet Service Provider)
LNS = L2TP Network Server (the L2TP tunnel termination point in the enterprise)

-eric

At 08:57 17/08/1999 -0400, Steve Starcevic wrote:
>What's a LAC (Local Access Concentrator) ???
>
>-----Original Message-----
>From: Eric Vyncke [mailto:evyncke at cisco.com]
>Sent: Friday, August 13, 1999 10:18 AM
>To: S Ramakrishnan; vpn at listserv.secnetgroup.com
>Subject: Re: Tunnel Setup Autentication
>
>At 13:40 10/08/1999 -0700, S Ramakrishnan wrote:
>>My question pertains to setup of layer 2 tunnels (especially L2TP tunnels).
>>I understand that after a tunnel has been set up, a user may dial in to a LAC and be authenticated by the LAC and/or the LNS using RADIUS or other means and create a new session on that tunnel.
>>
>>What about tunnel setup itself?
>
>Both ends of the tunnel, LNS and LAC, are authenticated based on the L2TP protocol (it uses a schema similar to CHAP). This 'password' for the LNS and LAC termination points could be stored in a RADIUS server.
>
>-eric
>
>>What kind of authentication is performed during tunnel setup?
>>
>>Any info greatly appreciated.
>>
>>Thanks !
>>
>>Rk
Eric Vyncke
Consulting Engineer Cisco Systems EMEA
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evyncke at cisco.com Mobile: +32-75-312.458

From eric at redcreek.com Wed Aug 18 10:15:03 1999
From: eric at redcreek.com (Eric Henriksen)
Date: Wed, 18 Aug 1999 10:15:03 -0400
Subject: IPsec / PPTP for IPX functionality
References: <852567D0.0064ED45.00@intlnamsmtp10.us.pw.com>
Message-ID: <004801bee984$12494860$02c8a8c0@redcreek.com>

Correct. We are participating in trying to move such discussions as DHCP, NAT, cert portability (moving it to 'something you have' from something the IPSec peer has), and RADIUS interoperability forward in the standards. These issues are not all that is not quite baked, including ISAKMP hash and AES recommendations to replace DES. For these reasons, as well as CA root cert interoperability, the near term prospect for IPSec VPNs looks to be primarily single-vendor, unless pre-shared key, external address management, and either RADIUS or limited CA auth functions are acceptable. Most customers seem to demand a richer feature set which will only be likely working within a single vendor implementation - at this time.
Eric

----- Original Message -----
From:
To:
Sent: Tuesday, August 17, 1999 2:22 PM
Subject: Re: IPsec / PPTP for IPX functionality

> All true. In fact, there are a number of vendors that support internal address assignment and RADIUS authentication for their client access solutions. Trouble is, the standards for this type of behavior for just IPSec are still in draft. So anyone who presently offers such functionality for their IPSec connections is doing so in a proprietary manner. This may or may not be an issue depending on whether or not connections with third parties, potentially with their own client, is a requirement.
>
> Personally, I find the standards based approach preferable, and with minimal difficulty, it should be possible to script this to avoid giving the users too much grief.
>
> Jason
>
> Eric Henriksen on 08/17/99 10:03:05 AM
> Please respond to Eric Henriksen
> To: Jason Dowd/ABS/Price Waterhouse, vpn at listserv.secnetgroup.com
> cc:
> Subject: Re: IPsec / PPTP for IPX functionality
>
> Good synopsis. However, the prospect of running PPTP over ESP tunnels just to move IP traffic seems somewhat overkill. To run RADIUS challenges, telnet, ftp or http is all that is needed. These can be run over an ESP or PPTP tunnel. Any vendor that supports DHCP over the tunnel can get the DNS, WINS, etc that way. As a gratuitous plus, RedCreek supports such DHCP over the tunnel for clients and remote extranets. For the clients, they've built in a dll pop-up for presenting the RADIUS challenge received over the tunnel, irrespective of the ports opened by the client.
>
> RADIUS is still wildly popular given the alternatives such as Kerberos or PKI. With Kerberos being an administrative nightmare, and PKI not baked yet, RADIUS extensible to tokens is a good alternative.
>
> Eric
>
> ----- Original Message -----
> From:
> To:
> Sent: Friday, August 13, 1999 4:56 PM
> Subject: Re: IPsec / PPTP for IPX functionality
>
> > Yes, it is quite possible. The course of events starts with a user dialing an ISP and establishing a PPP session. Once that is done, the IPSec client is enabled and a PPTP connection is established to the PPP server. As long as the policy for the IPSec client states that protection should be applied to the PPTP traffic, everything will be good. Of course, it is generally necessary or at least desirable to either place the PPTP server behind the IPSec gateway or have them both on one box.
> >
> > Network Alchemy (www.network-alchemy.com) supports termination of both PPTP and L2TP as well as IPSec. Terminating IPSec and PPTP/L2TP sessions simultaneously is a core part of their client functionality. However, they only support IP over PPTP and L2TP so you cannot do this alone for multiprotocol support. As we went through earlier though, there are standards based options for encapsulating IPX and also AppleTalk in IP. For Network Alchemy, this would need to be done on another box. Compatible Systems actually will encapsulate both IPX and AppleTalk all by itself, making it a one stop shop for remote access VPNs. This sounds like what you might want to check out.
> >
> > There are some good reasons to run PPTP over IPSec just with IP though. PPTP gives you RADIUS authentication that a surprising number of organizations require as well as the ability to assign internal addresses, DNS servers and so forth. The drafts for this functionality from IPSec are still brewing, but with PPTP you can have it all now.
> >
> > Jason
> >
> > "Chen, Ken C" on 08/11/99 02:57:26 PM
> > To: vpn at listserv.secnetgroup.com
> > cc:
> > Subject: IPsec / PPTP for IPX functionality
> >
> > Hmmm....
> > this is sort of a strange question. Is it possible to start a PPTP tunnel after establishing an IPsec tunnel? Since PPTP supports multiprotocols, this would essentially allow the transport of IPX through the IPsec tunnel... which is my ultimate goal for this quirky procedure. With the overhead of the two tunneling protocols, it may not even be worth the effort... but I thought I'd ask!
> >
> > Thanks in advance.
> >
> > Ken
>
> ----------------------------------------------------------------
> The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material.
> Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.

From mmedwid at symantec.com Wed Aug 18 13:59:46 1999
From: mmedwid at symantec.com (Michael Medwid)
Date: Wed, 18 Aug 1999 10:59:46 -0700
Subject: Personal Firewalls
Message-ID: <882567D1.00626B34.00@uscu-smtp01.symantec.com>

I was wondering if many on the list have end users employing personal firewalls such as AtGuard or SyGate? I have more and more users across North America directly connecting to the Internet via DSL or cable modem. They then use these connections to VPN into the corporate network (I disallow split-tunneling to prevent breach into the network and they use IPsec.)
The more foresightful users are employing some kind of firewall to protect their home systems from attack. I am interested in any experiences good or bad with personal firewalls in this kind of environment. And I am interested in hearing how these have played together with various VPN platforms. I haven't had a chance to test these personal firewalls myself. Thanks.

From neil.todd at db.com Fri Aug 20 11:03:06 1999
From: neil.todd at db.com (neil.todd at db.com)
Date: Fri, 20 Aug 1999 15:03:06 +0000
Subject: Personal Firewalls
Message-ID: <002567D3.0052E3C6.00@sdbo1003.srv.uk.deuba.com>

Using AtGuard personally, generally very pleased with it. It's also a useful tool to discover exactly what that "new" application is trying to do network-wise.

Neil

---------------------------------------- Message History ----------------------------------------
From: mmedwid at symantec.com on 18/08/99 05:59 PM

From elsepascoe at mindspring.com Wed Aug 18 15:49:57 1999
From: elsepascoe at mindspring.com (EL)
Date: Wed, 18 Aug 1999 15:49:57 -0400
Subject: Software VPN Solutions
Message-ID: <000c01bee9b2$daf21020$e301a8c0@defiant>

What are your views on software only VPN such as using Microsoft NT PPTP with SP4 w/128-bit encryption? I am thinking of using it to connect regional offices. Thanks for your insights.

- Elsworth Pascoe

________________________________________________________
NetZero - We believe in a FREE Internet. Shouldn't you?
Get your FREE Internet Access and Email at http://www.netzero.net/download/index.html

From doc at zwecker.de Sun Aug 22 18:45:15 1999
From: doc at zwecker.de (Christophe Zwecker)
Date: 23 Aug 1999 00:45:15 +0200
Subject: traffic doesnt pass ipsec0
Message-ID: <7ppuhr$aid$1@dumbo.zoff.de>

Hi,

I'm totally new to this. I use the FreeS/WAN snapshot of 22 August on Linux 2.2.10, and I got it compiled all well. To test it I wanted to try between two computers directly connected via ISDN:

1) 192.168.1.154
2) 192.168.5.99

So I set up the ipsec0=isdn1 interfaces in /etc/ipsec.conf; the rest looks like this (for computer 2):

    conn sample
        type=tunnel
        # left security gateway (public-network address)
        left=192.168.5.99
        # next hop to reach right
        #leftnexthop=10.44.55.66
        # subnet behind left (omit if there is no subnet)
        leftsubnet=192.168.5.0/24
        # right s.g., subnet behind it, and next hop to reach left
        right=192.168.1.154
        #rightnexthop=10.88.77.66
        rightsubnet=192.168.1.0/24

I left out the hops, I think I don't need that, do I?

Anyway, now I have this in the routing table:

    192.168.1.154   *   255.255.255.255   UH   0 0 0   ipsec0
    192.168.1.154   *   255.255.255.255   UH   0 0 0   isdn1

When I ping 192.168.1.154 and check /proc/net/dev afterwards, there has not been any traffic on the ipsec0 device, only the isdn1 device. So I suppose nothing is going through?

I'd appreciate any hints, thanks a lot.

bye
--
Christophe Zwecker
mail: doc at zwecker.de
Hamburg, Germany
fon: +49 179 3994867
UNIX is user-friendly.
It's just not ignorant-friendly and idiot-friendly. Build a system even a fool can use, and only a fool will want to use it.

From mmarinb at usa.net Sat Aug 21 11:09:48 1999
From: mmarinb at usa.net (Mauricio Marin)
Date: 21 Aug 99 09:09:48 MDT
Subject: PPTP Protocol
Message-ID: <19990821150948.22702.qmail@www0j.netaddress.usa.net>

Hi, I'm a university student from Peru. I'm working right now with PPTP and I need help with that; here in Peru I can't find anyone who knows it. I hope someone responds to my mail, so we can contact by e-mail.

Mauricio Marin.

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1

From misha at insync.net Mon Aug 23 04:15:23 1999
From: misha at insync.net (Misha)
Date: Mon, 23 Aug 1999 03:15:23 -0500 (CDT)
Subject: Cisco PIX 5.0 IPSec support

Does anyone have any idea when the 5.0 version of the Pix software is coming out?
I know it will finally include support for IPSec based VPNs, and while I am fairly comfortable with IPSec running on IOS, the Pix may be a whole other animal. I am particularly interested to hear from any people who have used the beta 5.0 code, performance issues with or without the encryption card, etc.

Misha
Insync Internet Services

From jcaspen at iname.com Mon Aug 23 21:10:56 1999
From: jcaspen at iname.com (C. Javier Castro Peña)
Date: Mon, 23 Aug 1999 20:10:56 -0500
Subject: PPTP Protocol
References: <19990821150948.22702.qmail@www0j.netaddress.usa.net>
Message-ID: <37C1F120.AD41AFEA@iname.com>

If you are using PPTP + Linux take a look here: http://www.moretonbay.com/vpn/pptp.html

Mauricio Marin wrote:
> Hi, I'm a university student from Peru. I'm working right now with PPTP
> and I need help with that; here in Peru I can't find anyone who knows it.
> I hope someone responds to my mail, so we can contact by e-mail.
>
> Mauricio Marin.
From Ashok_Sivaram at amu.yokogawa.co.jp Thu Aug 26 11:21:51 1999
From: Ashok_Sivaram at amu.yokogawa.co.jp (Ashok Kumar B S)
Date: Thu, 26 Aug 1999 15:21:51 -0000
Subject: Cisco 1720 - VPN Access
Message-ID: <01BEEFD6.B92DAA10.Ashok_Sivaram@amu.yokogawa.co.jp>

Hi all,

Has anybody tried out VPN using the Cisco 1720 Access VPN? Apart from export control of encryption key length, any information/suggestions/comments regarding performance, interoperability, scalability, configuration and maintenance are welcome. We are planning to implement a VPN solution between branch offices.

Many thanks in advance,

Regards,
Ashok.
-----------------------------------------------------------
Ashok Kumar B S
AOTS Trainee
Yokogawa Electric Corporation
mailto:ashok_shivaram at bigfoot.com
TEL : 81-422-52-5506 Extn: 26405
FAX : 81-422-52-0513
-----------------------------------------------------------
From misha at insync.net Sat Aug 28 20:16:25 1999
From: misha at insync.net (Misha)
Date: Sat, 28 Aug 1999 19:16:25 -0500 (CDT)
Subject: Cisco 1720 - VPN Access
In-Reply-To: <01BEEFD6.B92DAA10.Ashok_Sivaram@amu.yokogawa.co.jp>

We have a couple of sites using it and it works great. IOS IPSec seems to be working fine now, after all the initial bugs have been worked out. You may need a Flash memory upgrade, because the latest IOS images have gotten bigger. The maximum encrypted traffic you should be able to put out now is about 512k, before the hardware encryption card comes out. As far as management, we have not had to touch it since it was set up.

Misha

On Thu, 26 Aug 1999, Ashok Kumar B S wrote:
> Hi all,
>
> Has anybody tried out VPN using the Cisco 1720 Access VPN?
>
> Apart from export control of encryption key length, any information/suggestions/comments regarding performance, interoperability, scalability, configuration and maintenance are welcome.
> We are planning to implement a VPN solution between branch offices.
> Many thanks in advance,
>
> Regards,
> Ashok.
From blackhat-announce at defcon.org Sun Aug 29 22:33:22 1999
From: blackhat-announce at defcon.org (Announce)
Date: Mon, 30 Aug 1999 03:33:22 +0100
Subject: Security Conference Announcement - The Black Hat Briefings EUROPE '99
Message-ID: <4.2.0.58.19990830033235.00b132a0@165.87.194.210>

The Black Hat Briefings Europe '99
http://www.blackhat.com/
October 28 - 29, 1999
Amsterdam.

Computer Security Conference Announcement

DESCRIPTION AND OVERVIEW

It's late. You're in the office alone, catching up on some system administration tasks {Yawn}. Behind you, your network servers hum along quietly, reliably. Life is good. No one can get to your data or disrupt your information world. Your network is secure. Or is it?

While we could create more fear, uncertainty, and doubt (FUD), we would rather announce the first European Black Hat Briefings conference, held in Amsterdam on October 28-29! We created The Black Hat Briefings conference series to provide in-depth information about current and potential threats against computer systems by the people who discover the threats.
To do this, we assemble a group of vendor neutral security professionals and let them talk candidly about the security problems businesses face and the solutions they see to those problems. No gimmicks, just straight talk by people who make it their business to explore the ever-changing security space.

While many conferences focus on information and network security, only The Black Hat Briefings will put your managers, engineers, and software programmers face-to-face with today's cutting edge computer security experts and "underground" security specialists. Our goal is to provide your technical staff with nitty-gritty technical information about current and potential threats to your computer systems and its associated environments and the CEO/CIO/CTO with no-nonsense information about what issues to be aware of, and what they can ignore.

Only The Black Hat Briefings will provide your staff with the pragmatic tools and knowledge they need to help thwart those lurking in the shadows of your fire wall or the depths of your company's WAN. The reality is they are out there [back to the FUD]. The choice is yours--you can live in fear of them, or you can learn from people like them.

CONFERENCE OVERVIEW

Spanning two days, The Black Hat Briefings Europe will focus on the vital security issues facing organizations with large Enterprise networks and mixed network operating systems. Topics will include Intrusion Detection Systems (IDS), Computer Forensics (CF) systems, Incident Response, Hostile Mobile Code, Vulnerability Analysis, secure programming techniques, tool selection for creating and effectively monitoring your networks, and management issues related to computer security. You will sit face-to-face with the people developing the tools used by and against hackers. The Black Hat Briefings has developed a reputation for lively and in-depth presentations and discussions between "underground" security celebrities, vendors, and attendees.
We encourage audience interaction, and design the schedule to allow you to spend time with the speakers in a more relaxed social setting. Technical networking during the day . . . and social networking into the night. What more could you want? You will receive outstanding visual demonstrations, as well as speakers who are authoritative in their fields. And, as always, an excellent time!

Speakers & Speeches - Please see the web site for a complete list.
http://www.blackhat.com/html/bh-europe-99/bh-europe-99-index.html

There will be 12-14 speakers over the course of two days.

CURRENT "Black Hat" SPEAKERS INCLUDE THE FOLLOWING

- Marcus Ranum, CEO of Network Flight Recorder and designer of the first commercial fire wall.
- Greg Hogland, Author of the Asmodeus NT scanner and the Web Trends security scanner.
- Mnemonix, Security Analyst, Arca Systems, Inc. Author of the NTIS IIS security scanning tool.
- Padgett Peterson, Chief Information Protection Architect for Lockheed-Martin Corporation.
- J.D. Glasser, CEO of NT OBJECTives, Inc.
- Andrew Stewart,
- George Kurtz and George Shultze, Senior Manager, ISS, Ernst & Young.

TOPICS FOR SPEECHES CURRENTLY INCLUDE

- Buffer overruns and their exploitation on the NT platform
- Evolution in Network Contour Detection
- Over the Firewall and through the Woods, Version 2.0
- Intrusion forensics on Windows NT: Catching Greg Hogland, Part II
- Hacking the NT Kernel to create and exploit security problems

LOCATION

The first Black Hat Briefings Europe will be located at The Golden Tulip, Barbazon Palace.
Prince Hendrikkade 59-70
1012 AD, Amsterdam
020-556-4584 (Phone)

REGISTRATION COSTS

Registration costs are $1,195 US on or before October 1st 1999. Late registration fees are $1,495 after October 1st 1999. You may cancel your registration before October 7th for a full refund. This fee includes two days attendance at the speaking sessions, materials, a reception, and meals.
To register, please visit https://www.convmgmt.com/registration/blackhat.html

The Black Hat Briefings '99 Sponsors
Secure Computing Corporation (http://www.securecomputing.com/)

FOR MORE INFORMATION
EMAIL blackhat at defcon.org with email questions.
MAIN URL http://www.blackhat.com/ for the latest speakers and events listings. Past materials and speeches are available free on-line now.

From tbird at secnetgroup.com  Mon Aug 30 23:10:08 1999
From: tbird at secnetgroup.com (Tina Bird)
Date: Mon, 30 Aug 1999 22:10:08 -0500 (CDT)
Subject: VPN Web site revamp
Message-ID:

Hi all --

I am >delighted< to announce that the VPN Web site has just survived a face lift. Thanks to my co-worker Daryl Fallin, we now have subcategories and much easier reading, rather than all that information crowded onto one long page. Check it out:

http://kubarb.phsx.ukans.edu/~tbird/vpn.html

In conjunction with this, I'm also publishing the (long awaited?) VPN How-to page. This page provides a central location for instructions on configuring several commercial firewalls (including Sidewinder, Gauntlet, PIX and Firewall-1) to pass different types of VPN protocols (IPSec and PPTP, and a couple of others). This information is provided without guarantees -- but I'm hoping it will save us a few of those "how do I get PPTP through Firewall X" type of questions.
If you have information on VPN products that aren't listed in the features list (http://kubarb.phsx.ukans.edu/~tbird/vpn/vpnfeatures.html), please send me the relevant details!

As usual, comments, questions and flames to me -- Tina

From mmarinb at usa.net  Tue Aug 24 15:56:17 1999
From: mmarinb at usa.net (Mauricio Marin)
Date: 24 Aug 99 13:56:17 MDT
Subject: PPTP Question
Message-ID: <19990824195617.11680.qmail@www0a.netaddress.usa.net>

Hi friends, I have a VPN server configured with PPTP technology. I'm testing this protocol with just one user (me). The remote user connects to an ISP that doesn't have a PPTP configuration; I made the call to the ISP, and I'm on the Internet, then I made a call with MSDUN12.exe, and then a message showed me some error like the server disconnected me! The server has a dedicated connection to the Internet at 128 kbps (so slow, I think); I think this is the reason for the remote disconnect.

I'll try to connect two LANs, one of them containing the VPN server, and I made the connection, but the user can't see the network (PCs, servers, printers, etc.).
Mauricio Marin
Fics-Data
Lima-Peru

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1

From tbird at secnetgroup.com  Mon Aug 30 23:47:19 1999
From: tbird at secnetgroup.com (Tina Bird)
Date: Mon, 30 Aug 1999 22:47:19 -0500 (CDT)
Subject: PPTP Question
In-Reply-To: <19990824195617.11680.qmail@www0a.netaddress.usa.net>
Message-ID:

Hi Mauricio --

In this situation the culprit is usually a problem with name resolution. If a user is directly connected to the LAN, how does their PC tell where network resources are located: WINS, DNS or LMHOSTS? There are often problems with getting a PC client to route WINS requests over a VPN connection. One way to test whether that's your problem is to hard-code an IP address for one of your network servers into the PC's LMHOSTS file. If the machine can connect to that server once the VPN is up, name resolution is your problem.

hope this is a help -- Tina

On 24 Aug 1999, Mauricio Marin wrote:

> Date: 24 Aug 99 13:56:17 MDT
> From: Mauricio Marin
> To: vpn at listserv.secnetgroup.com
> Subject: PPTP Question
>
> Hi friends, I have a VPN server configured with PPTP technology.
> I'm testing this protocol with just one user (me). The remote user connects
> to an ISP that doesn't have a PPTP configuration; I made the call to the ISP, and
> I'm on the Internet, then I made a call with MSDUN12.exe, and then a message
> showed me some error like the server disconnected me!
> The server has a dedicated connection to the Internet at 128 kbps (so slow, I
> think); I think this is the reason for the remote disconnect.
>
> I'll try to connect two LANs, one of them containing the VPN server, and I
> made the connection, but the user can't see the network (PCs, servers, printers,
> etc.).
>
> Mauricio Marin
> Fics-Data
> Lima-Peru
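The LMHOSTS test Tina describes above, written out as an added example that is not part of the original thread: one hard-coded NetBIOS name entry for a LAN server, then the commands to load it into the client's name cache and check that the server is reachable through the tunnel by address and by name. The server name FILESRV01 and the address 192.168.10.5 are constructed placeholders, and the file path is the Windows 9x location (on Windows NT the file is %SystemRoot%\system32\drivers\etc\lmhosts).

```batch
REM Added example (not from the thread): hard-code one LAN server's NetBIOS
REM name so the PPTP client can find it without WINS. FILESRV01 and
REM 192.168.10.5 are constructed placeholders; substitute your own server.
REM
REM 1. Append the entry to LMHOSTS (Windows 9x path; NT keeps the file in
REM    %SystemRoot%\system32\drivers\etc\lmhosts). #PRE preloads the entry
REM    into the NetBIOS name cache so no broadcast or WINS lookup is needed.
echo 192.168.10.5    FILESRV01    #PRE>> %windir%\lmhosts

REM 2. Purge the NetBIOS name cache and reload the #PRE entries from LMHOSTS.
nbtstat -R

REM 3. Show the cache; FILESRV01 should now be listed against 192.168.10.5.
nbtstat -c

REM 4. With the VPN up, reach the server by address first, then by name.
ping 192.168.10.5
net view \\FILESRV01

REM Reading the result: if "net view \\FILESRV01" lists the server's shares
REM while Network Neighborhood still shows nothing, the tunnel itself is fine
REM and the failure is in name resolution (WINS / browse list) over the VPN.
REM If even the ping by address fails, the problem is routing or the PPTP
REM session, not names.
```

Remove the entry once the test is done if WINS or DNS is later made to work over the tunnel, since a stale hard-coded address silently overrides the dynamic answer.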
From MLittle at bhsi.com  Tue Aug 31 09:25:24 1999
From: MLittle at bhsi.com (Little, Mike (BHS))
Date: Tue, 31 Aug 1999 09:25:24 -0400
Subject: PPTP Question
Message-ID: <99Aug31.091648edt.32267@pcbhi266.bhsi.com>

Mauricio,

This is in response to your DUN disconnects. Is there a way to check log files on the VPN server? A couple of possible reasons for the disconnect could be either a failure to authenticate or perhaps a failure to negotiate a method or level of encryption. This would just be a matter of checking client and server settings. Sorry I can't be more specific. Maybe someone else has some ideas.

Also, I'm not clear what you are trying to do with the second scenario. Is this strictly an IP connection?

Sincerely,

Mike Little
Network Control Tech
Baptist Healthcare System
Louisville, KY

> -----Original Message-----
> From: Mauricio Marin [SMTP:mmarinb at usa.net]
> Sent: Tuesday, August 24, 1999 3:56 PM
> To: vpn at listserv.secnetgroup.com
> Subject: PPTP Question
>
> Hi friends, I have a VPN server configured with PPTP technology.
> I'm testing this protocol with just one user (me). The remote user connects
> to an ISP that doesn't have a PPTP configuration; I made the call to the ISP,
> and I'm on the Internet, then I made a call with MSDUN12.exe, and then a
> message showed me some error like the server disconnected me!
> The server has a dedicated connection to the Internet at 128 kbps (so slow, I
> think); I think this is the reason for the remote disconnect.
>
> I'll try to connect two LANs, one of them containing the VPN server, and I
> made the connection, but the user can't see the network (PCs, servers,
> printers, etc.).
>
> Mauricio Marin
> Fics-Data
> Lima-Peru