IPsec / PPTP for IPX functionality

jason.dowd at us.pwcglobal.com jason.dowd at us.pwcglobal.com
Tue Aug 17 14:22:08 EDT 1999


All true. In fact, there are a number of vendors that support internal
address assignment and RADIUS authentication for their client access
solutions. Trouble is, the standards for this type of behavior for just
IPSec are still in draft. So anyone who presently offers such functionality
for their IPSec connections is doing so in a proprietary manner. This may
or may not be an issue depending on whether or not connections with third
parties, potentially with their own client, are a requirement.

Personally, I find the standards-based approach preferable, and with
minimal difficulty, it should be possible to script this to avoid giving
the users too much grief.

Jason




Eric Henriksen <eric_h at earthlink.net> on 08/17/99 10:03:05 AM

Please respond to Eric Henriksen <eric_h at earthlink.net>
To:   Jason Dowd/ABS/Price Waterhouse, vpn at listserv.secnetgroup.com
cc:
Subject:  Re: IPsec / PPTP for IPX functionality




Good synopsis.  However, the prospect of running PPTP over ESP tunnels
just to move IP traffic seems somewhat overkill.  To run RADIUS challenges,
telnet, ftp or http is all that is needed.  These can be run over an ESP or
PPTP tunnel.  Any vendor that supports DHCP over the tunnel can get the DNS,
WINS, etc. that way.  As a gratuitous plus, RedCreek supports such DHCP
over the tunnel for clients and remote extranets.  For the clients, they've
built in a dll pop-up for presenting the RADIUS challenge received over the
tunnel, irrespective of the ports opened by the client.

RADIUS is still wildly popular given the alternatives such as Kerberos or
PKI.  With Kerberos being an administrative nightmare, and PKI not
baked yet, RADIUS extensible to tokens is a good alternative.

Eric

----- Original Message -----
From: <jason.dowd at us.pwcglobal.com>
To: <vpn at listserv.secnetgroup.com>
Sent: Friday, August 13, 1999 4:56 PM
Subject: Re: IPsec / PPTP for IPX functionality


> Yes, it is quite possible. The course of events starts with a user dialing
> an ISP and establishing a PPP session. Once that is done, the IPSec client
> is enabled and a PPTP connection is established to the PPP server. As long
> as the policy for the IPSec client states that protection should be applied
> to the PPTP traffic, everything will be good. Of course, it is generally
> necessary or at least desirable to either place the PPTP server behind the
> IPSec gateway or have them both on one box.
>
> Network Alchemy (www.network-alchemy.com) supports termination of both PPTP
> and L2TP as well as IPSec. Terminating IPSec and PPTP/L2TP sessions
> simultaneously is a core part of their client functionality. However, they
> only support IP over PPTP and L2TP so you can not do this alone for
> multiprotocol support. As we went through earlier though, there are
> standards-based options for encapsulating IPX and also AppleTalk in IP. For
> Network Alchemy, this would need to be done on another box. Compatible Systems
> actually will encapsulate both IPX and AppleTalk all by itself, making it a
> one stop shop for remote access VPNs. This sounds like what you might want
> to check out.
>
> There are some good reasons to run PPTP over IPSec just with IP though.
> PPTP gives you RADIUS authentication that a surprising number of
> organizations require as well as the ability to assign internal addresses,
> DNS servers and so forth. The drafts for this functionality from IPSec are
> still brewing, but with PPTP you can have it all now.
>
> Jason
>
>
>
>
> "Chen, Ken C" <ken.c.chen at lmco.com> on 08/11/99 02:57:26 PM
> To:   vpn at listserv.secnetgroup.com
> cc:
> Subject:  IPsec / PPTP for IPX functionality
>
>
>
>
> Hmmm.... this is sort of a strange question.  Is it possible to start a
> PPTP tunnel after establishing an IPsec tunnel?  Since PPTP supports
> multiprotocols, this would essentially allow the transport of IPX through
> the IPsec tunnel... which is my ultimate goal for this quirky procedure.
> With the overhead of the two tunneling protocols, it may not even be worth
> the effort... but I thought I'd ask!
>
> Thanks in advance.
>
> Ken
> ****************************************************************
> TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com
>
> The VPN FAQ (under construction) is available at
> http://kubarb.phsx.ukans.edu/~tbird/FAQ.html
>
> We are currently experiencing "unsubscribe" difficulties.  If you
> wish to unsubscribe, please send a message containing the single line
> "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com
>
> ****************************************************************
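
The condition in the 13 August message, that the IPSec client policy must apply protection to the PPTP traffic, can be checked mechanically. The following is an added example, not part of the original messages: PPTP uses a TCP port 1723 control channel and a GRE (IP protocol 47) data channel, and a policy that names only the control port leaves the tunnelled user data outside ESP. The rule model, the server address (documentation range) and the bypass default for unmatched traffic are assumptions made for illustration.

```python
"""First-match IPsec policy lookup over constructed PPTP flows (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TCP, GRE = 6, 47            # IP protocol numbers
PPTP_CONTROL_PORT = 1723    # PPTP control channel

@dataclass(frozen=True)
class Rule:                 # hypothetical selector model, not a vendor format
    remote: str             # CIDR of the far end
    proto: Optional[int]    # None = any IP protocol
    port: Optional[int]     # None = any port (GRE has no ports)
    action: str             # "protect" (ESP) or "bypass" (cleartext)

@dataclass(frozen=True)
class Flow:
    name: str
    dst: str
    proto: int
    port: Optional[int] = None

def lookup(policy, flow):
    """Return the first matching rule's action; assumed default is bypass."""
    for r in policy:
        if ip_address(flow.dst) not in ip_network(r.remote):
            continue
        if r.proto is not None and r.proto != flow.proto:
            continue
        if r.port is not None and r.port != flow.port:
            continue
        return r.action
    return "bypass"

def unprotected(policy, flows):
    """Names of flows that would leave the client outside ESP."""
    return [f.name for f in flows if lookup(policy, f) != "protect"]

PPTP_SERVER = "192.0.2.10"  # constructed address, documentation range
PPTP_FLOWS = [
    Flow("pptp-control", PPTP_SERVER, TCP, PPTP_CONTROL_PORT),
    Flow("pptp-data-gre", PPTP_SERVER, GRE),  # carries the PPP frames
]
WEAK = [Rule("192.0.2.10/32", TCP, PPTP_CONTROL_PORT, "protect")]
FIXED = WEAK + [Rule("192.0.2.10/32", GRE, None, "protect")]

if __name__ == "__main__":
    print("weak policy leaks :", unprotected(WEAK, PPTP_FLOWS))
    print("fixed policy leaks:", unprotected(FIXED, PPTP_FLOWS))
```
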



