From: dgillett at niku.com (David Gillett)
Date: Wed, 1 Dec 1999 10:50:58 -0800
Subject: VPN Solution
Message-ID: <000c01bf3c2d$01eb3590$f30410ac@niku.com>

Since you need both, I'd urge you to look at products which include both firewall and VPN capabilities:

1. Cisco PIX
   I like this as a firewall; I haven't used its VPN features.

2. NetScreen
   I'm not really keen on this as a firewall, but it's fast and cheap and its VPN definitely works for connecting two sites.

3. CheckPoint (FW-1 and VPN-1)
   Seems expensive, but it's one of the best-rated firewalls (much more popular than the PIX)....

4. I know there are others out there....

The thing is that if you buy VPN and firewall separately, you have to decide whether the VPN box is trusted (may not work with NAT!), untrusted (may have to open unacceptable holes in firewall), or in parallel with the firewall (which looks a little odd, and requires you to "harden" the outside interface of the VPN box). Integrating the two functions gets you the topological benefits of the latter approach, while retaining a single security policy/management point, NAT implementation, and so on. [It *might* save you money, too....]

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702

-----Original Message-----
From: owner-vpn at listserv.secnetgroup.com [mailto:owner-vpn at listserv.secnetgroup.com] On Behalf Of Vikash Bhagchandka
Sent: Tuesday, November 30, 1999 4:10 AM
To: vpn at listserv.secnetgroup.com
Subject: VPN Solution

Hi,

I would like to know which is the best product for setting up a VPN to connect two offices with 50 users over the Internet.

I have the option of either Contivity Extranet Switch 1500 or Cisco 1720 VPN solution. I would like to know which one is better in terms of reliability, connectivity & security. Is there any other product which I should consider other than Cisco & Nortel.
As the offices will be connected using the Internet, I would need to install a firewall too. Could you suggest something that is easy to set up & monitor. Apart from that, I would also like to know if 128-bit encryption is allowed outside US.

TIA,
Vikash

****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html

We are currently experiencing "unsubscribe" difficulties. If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com
****************************************************************

From: Fred.Golder at cendant.com (Golder, Fred)
Date: Wed, 1 Dec 1999 13:40:21 -0500
Subject: VPN Solution

Nortel by far. Both products have firewalling abilities built in for additional $: to Checkpoint in the case of Nortel and to Cisco for their product. Both products can terminate the ISP connection (provided you get a Contivity 2500 or better). 128-bit appliances should no longer have an export problem once the maker has passed its one-time review by the NSA. Double check with the company on that to be safe.

Nortel has the best VPN product out there IMHO.

-Fred Golder

-----Original Message-----
From: Vikash Bhagchandka [mailto:eyeque-india at telebot.net]
Sent: Tuesday, November 30, 1999 7:10 AM
To: vpn at listserv.secnetgroup.com
Subject: VPN Solution

Hi,

I would like to know which is the best product for setting up a VPN to connect two offices with 50 users over the Internet.

I have the option of either Contivity Extranet Switch 1500 or Cisco 1720 VPN solution. I would like to know which one is better in terms of reliability, connectivity & security. Is there any other product which I should consider other than Cisco & Nortel.
As the offices will be connected using the Internet, I would need to install a firewall too. Could you suggest something that is easy to set up & monitor. Apart from that, I would also like to know if 128-bit encryption is allowed outside US.

TIA,
Vikash

From: jason.dowd at us.pwcglobal.com (jason.dowd at us.pwcglobal.com)
Date: Wed, 01 Dec 1999 17:27:57 -0600
Subject: VPN Solution
Message-ID: <8525683A.0080F49E.00@intlnamsmtp10.us.pw.com>

These are all good suggestions. I would also suggest looking at Watchguard. I have had good experiences with this product. I think for ease of administration, price, and functionality, this product is a nice package. They have a proprietary VPN solution, but they offer IPSec as an option. Definitely go IPSec. In addition, you have to get the strong encryption version to get Triple DES.

Jason

David Gillett on 12/01/99 12:50:58 PM
To: vpn at listserv.secnetgroup.com
cc:
Subject: RE: VPN Solution

Since you need both, I'd urge you to look at products which include both firewall and VPN capabilities:

1. Cisco PIX
   I like this as a firewall; I haven't used its VPN features.

2. NetScreen
   I'm not really keen on this as a firewall, but it's fast and cheap and its VPN definitely works for connecting two sites.

3. CheckPoint (FW-1 and VPN-1)
   Seems expensive, but it's one of the best-rated firewalls (much more popular than the PIX)....

4. I know there are others out there....

The thing is that if you buy VPN and firewall separately, you have to decide whether the VPN box is trusted (may not work with NAT!), untrusted (may have to open unacceptable holes in firewall), or in parallel with the firewall (which looks a little odd, and requires you to "harden" the outside interface of the VPN box). Integrating the two functions gets you the topological benefits of the latter approach, while retaining a single security policy/management point, NAT implementation, and so on. [It *might* save you money, too....]

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702

-----Original Message-----
From: owner-vpn at listserv.secnetgroup.com [mailto:owner-vpn at listserv.secnetgroup.com] On Behalf Of Vikash Bhagchandka
Sent: Tuesday, November 30, 1999 4:10 AM
To: vpn at listserv.secnetgroup.com
Subject: VPN Solution

Hi,

I would like to know which is the best product for setting up a VPN to connect two offices with 50 users over the Internet.

I have the option of either Contivity Extranet Switch 1500 or Cisco 1720 VPN solution. I would like to know which one is better in terms of reliability, connectivity & security. Is there any other product which I should consider other than Cisco & Nortel.

As the offices will be connected using the Internet, I would need to install a firewall too. Could you suggest something that is easy to set up & monitor. Apart from that, I would also like to know if 128-bit encryption is allowed outside US.

TIA,
Vikash
----------------------------------------------------------------
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.

From: twolsey at realtech.com (TC Wolsey)
Date: Wed, 01 Dec 1999 15:33:49 -0500
Subject: MS PPTP

> "Golder, Fred" 11/30/99 08:36AM >>>
> This isn't something unique to Cisco. Every Radius Server package I have
> seen can authenticate against an NT Domain. MS has too large an install base
> for NT Domains to not be supported by a product.
>
> -Fred Golder
>
> -----Original Message-----
> From: David Klann [mailto:dklann at berbee.com]
> Sent: Monday, November 29, 1999 10:44 PM
> To: vpn at listserv.secnetgroup.com; Misha
> Subject: Re: MS PPTP
>
>
> Yes,
>
> Cisco's "Cisco Secure ACS (Access Control System)" supports both RADIUS and
> TACACS protocols and can use the NT domain user database for authentication.
>
> -David

Typically in my experience only AAA servers installed on a NT platform will do NT domain authentication. It seems that many NT platform AAA servers will support NDS/NetWare bindery authentication also, as will AAA servers on a NetWare platform (wouldn't it be strange if they didn't?). I have not worked with any commercial AAA server packages that support NT domain or NDS authentication on a Unix platform, but it would seem feasible with a Linux/Merit AAA/Samba/nwclient combo.

FWIW I do not think that the CiscoSecure ACS/Unix supports NT domain or NDS authentication, but the CiscoSecure ACS/NT product supports both. (BTW for anybody looking at these products, it looks to me like they do not share much but a name; the installation and operation of these packages is very different.)

Regards,
--tcw
From: twolsey at realtech.com (TC Wolsey)
Date: Wed, 01 Dec 1999 17:54:07 -0500
Subject: MS PPTP

> Steve Cundall 11/30/99 11:47AM >>>
> One hitch when using NT domain database and Radius with the current version
> of Cisco Secure is that it doesn't support CHAP, just PAP and MS-CHAP. CHAP
> works fine if the users are in the CS database, just not if they are in NT.
> I am not sure if they are going to fix this or not, as I have my Cisco
> people looking into this issue.
>
> -Steve

I do not think that Cisco (or any other vendor) will fix it as it is not really their problem. CHAP requires access to the cleartext password to generate the challenge to the client; NT, NDS, /etc/shadow, etc. all store a one-way hash of the password, not the password itself. If cleartext transmission of long-term authentication secrets makes you uneasy (and it should) then use a one-time password or two-factor authentication scheme, e.g. S/Key, SecurID, CryptoCard, etc. If you do use a local file with cleartext (or equivalent) passwords in it, you should take extreme measures to keep it restricted to only the accounts that need to use it, especially as many users given a choice will use duplicate passwords for various authentication methods.

Regards,
--tcw

>
> -----Original Message-----
> From: David Klann [mailto:dklann at berbee.com]
> Sent: Monday, November 29, 1999 7:44 PM
> To: vpn at listserv.secnetgroup.com; Misha
> Subject: Re: MS PPTP
>
>
> Yes,
>
> Cisco's "Cisco Secure ACS (Access Control System)" supports both RADIUS and
> TACACS protocols and can use the NT domain user database for authentication.
>
> -David
>

From: misha at insync.net (Misha)
Date: Thu, 2 Dec 1999 01:37:05 -0600 (CST)
Subject: VPN Solution
In-Reply-To: <000c01bf3c2d$01eb3590$f30410ac@niku.com>

> 1. Cisco PIX
> I like this as a firewall; I haven't used its VPN features.

We have been pounding on both Pix and Contivity boxes for the last month, so Contivity is miles ahead in ease of use. Pix is not for the faint of heart, but in my opinion may be a better solution depending on your skill set.

The Contivity boxes were a breeze to set up and were running within 2 hours. Everything, including adding users and setting up PPTP and IPSec settings, is done through a web interface, so it's as painless as it gets. The software client is quite polished, and worked without a glitch.

We have been waiting for IPSec on the Pix for about a year now, so we started playing with it almost as soon as it came out. The IPSec setup is quite raw, and aside from quite a bit of IOS experience (it's very close to the IOS IPSec implementation), requires a very thorough understanding of what IPSec is and how it's negotiated. For our Pix admins it was quite a shock for a while, due to very shifty docs, so we had to spend some quality time tracking down internal documents from Cisco to get the necessary information.
The most painless mode is to terminate IPSec on the Pix before hitting NAT, allowing remote nodes to talk to internal machines through statics and conduits. All that's required is setting up the crypto maps and access lists to trigger IPSec, which any Cisco engineer should be able to figure out. I would actually prefer this, because you gain control over what IPSec nodes get to see on a pretty granular level, but for people looking for a true RAS replacement, it won't work. They will most likely want to terminate IPSec on the inside interface, bypassing NAT processing entirely. Problem is the Pix isn't quite there yet, so there is a feature that sort of fakes internal interface termination, while they sort things out with the code. Using the pl-compatible command, you should be able to terminate IPSec tunnels on the inside, but have to jump through hoops to keep the Pix working, such as adding static routes for all internally connected IP subnets. Makes things very interesting to say the least if all you have to go on is Cisco's 5.0 release notes and set up guides.

We have also tested the Cisco IPSec client, which seems to work quite well, but is very far from intuitive. We almost had to wait for a manual before we figured out that it is policy driven, and sits a bit above the IP stack, with an ability to parse data flow and know if an SA should be negotiated. We have tested normal IPSec mode, the pl-compatible mode, IP distribution to remote clients with mystery source addresses, and everything seems to work as advertised if you know what you are doing.

With both products, we are at the PKI testing phase, which we haven't even started on, but given that we have moved through all of Cisco and Contivity testing within 2 weeks, I would say it's well within our reach.

All in all, I would recommend the Contivity switch to people who have heavier budgets and very little tolerance for a steep learning curve.
The Contivity should allow you to drop in a VPN solution and not have to spend much time and effort learning the finer points of IPSec. Looking at Houston's biggest oil and gas enterprises, they almost all use Contivity, because it's so easy to deploy.

If you are looking into the long term and really want to leverage your existing equipment, I would definitely stick to Cisco. IPSec images are available for most routers now, recent PIX releases and software support is getting better as well. You will need a few bitheads who find IPSec really damn cool to get it working well and be able to troubleshoot it without turning to TAC every 5 seconds.

If you are building an extranet that will have to deal with multiple IPSec vendors on other ends, I would really stick with Cisco. We have pretty much chosen them as a standard, and measure compatibility to IOS IPSec first and foremost. The raw implementation also allows you much more flexibility than most other VPN boxes, so you will have a much better chance of getting IKE and SA negotiation issues out of the way with Cisco than with Nortel. There is only so far the web interface can take you.

I'll stop ranting now. If anyone else has played with Pix IPSec, I would definitely like to hear from you.

Misha
Insync Internet Services
From: SCundall at ariba.com (Steve Cundall)
Date: Wed, 1 Dec 1999 16:00:23 -0800
Subject: MS PPTP
Message-ID: <8B04D64DD534D311994D00A0C989C5E153E51A@mtvmail.ariba.com>

Thanks for the input TC. What I am hearing from other sources is that if I use Internet Connection Services for Microsoft Remote Access Service, Commercial Edition (ICS for RAS), it will work with CHAP. I suppose if it's Microsoft software, they can work around the problem you describe below. Any comments? Has anyone tried this in this configuration?

I am using (more like trying to use) UUnet's Corporate dial solution which allows you to dial into any of UUnet's global access points to gain access to the Internet and then use any VPN technology to tunnel back. They are sending Proxy RADIUS requests back to my RADIUS servers over the Internet from theirs. They don't recommend using PAP, as some of the NASs don't prompt for a Login: and since we are using NT DUN, it tries to use CHAP unless scripted to do otherwise. They are saying they don't currently support MS-CHAP in this configuration.

Steve

-----Original Message-----
From: TC Wolsey [mailto:twolsey at realtech.com]
Sent: Wednesday, December 01, 1999 2:54 PM
To: SCundall at ariba.com
Cc: vpn at listserv.secnetgroup.com
Subject: RE: MS PPTP

> Steve Cundall 11/30/99 11:47AM >>>
> One hitch when using NT domain database and Radius with the current version
> of Cisco Secure is that it doesn't support CHAP, just PAP and MS-CHAP. CHAP
> works fine if the users are in the CS database, just not if they are in NT.
> I am not sure if they are going to fix this or not, as I have my Cisco
> people looking into this issue.
>
> -Steve

I do not think that Cisco (or any other vendor) will fix it as it is not really their problem. CHAP requires access to the cleartext password to generate the challenge to the client; NT, NDS, /etc/shadow, etc. all store a one-way hash of the password, not the password itself. If cleartext transmission of long-term authentication secrets makes you uneasy (and it should) then use a one-time password or two-factor authentication scheme, e.g. S/Key, SecurID, CryptoCard, etc. If you do use a local file with cleartext (or equivalent) passwords in it, you should take extreme measures to keep it restricted to only the accounts that need to use it, especially as many users given a choice will use duplicate passwords for various authentication methods.

Regards,
--tcw

>
> -----Original Message-----
> From: David Klann [mailto:dklann at berbee.com]
> Sent: Monday, November 29, 1999 7:44 PM
> To: vpn at listserv.secnetgroup.com; Misha
> Subject: Re: MS PPTP
>
>
> Yes,
>
> Cisco's "Cisco Secure ACS (Access Control System)" supports both RADIUS and
> TACACS protocols and can use the NT domain user database for authentication.
>
> -David
>
From: SHOPE at datarange.co.uk (Stephen Hope)
Date: Thu, 2 Dec 1999 09:54:07 -0000
Subject: VPN Solution
Message-ID: <01903665B361D211BF6700805FAD5D9325B87C@mail.datarange.co.uk>

Note that the Nortel Contivity supports using Checkpoint Firewall 1 embedded in the VPN gateway - I think there is an extra license cost.

Stephen

Stephen Hope C. Eng, Network Consultant
shope at datarange.co.uk, or shope at bcs.org.uk
Datarange Communications PLC, Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4190
Mob: +44 (0)7767 256 180
Fax: +44 (0)161 776 4189

-----Original Message-----
From: David Gillett [mailto:dgillett at niku.com]
Sent: Wednesday, December 01, 1999 6:51 PM
To: vpn at listserv.secnetgroup.com
Subject: RE: VPN Solution

Since you need both, I'd urge you to look at products which include both firewall and VPN capabilities:

1. Cisco PIX
   I like this as a firewall; I haven't used its VPN features.

2. NetScreen
   I'm not really keen on this as a firewall, but it's fast and cheap and its VPN definitely works for connecting two sites.

3. CheckPoint (FW-1 and VPN-1)
   Seems expensive, but it's one of the best-rated firewalls (much more popular than the PIX)....

4. I know there are others out there....

The thing is that if you buy VPN and firewall separately, you have to decide whether the VPN box is trusted (may not work with NAT!), untrusted (may have to open unacceptable holes in firewall), or in parallel with the firewall (which looks a little odd, and requires you to "harden" the outside interface of the VPN box).
Integrating the two functions gets you the topological benefits of the latter approach, while retaining a single security policy/management point, NAT implementation, and so on. [It *might* save you money, too....]

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702

-----Original Message-----
From: owner-vpn at listserv.secnetgroup.com [mailto:owner-vpn at listserv.secnetgroup.com] On Behalf Of Vikash Bhagchandka
Sent: Tuesday, November 30, 1999 4:10 AM
To: vpn at listserv.secnetgroup.com
Subject: VPN Solution

Hi,

I would like to know which is the best product for setting up a VPN to connect two offices with 50 users over the Internet.

I have the option of either Contivity Extranet Switch 1500 or Cisco 1720 VPN solution. I would like to know which one is better in terms of reliability, connectivity & security. Is there any other product which I should consider other than Cisco & Nortel.

As the offices will be connected using the Internet, I would need to install a firewall too. Could you suggest something that is easy to set up & monitor. Apart from that, I would also like to know if 128-bit encryption is allowed outside US.

TIA,
Vikash
From: noam.gruber at radguard.com (Noam Gruber)
Date: Thu, 02 Dec 1999 09:56:15 +0200
Subject: VPN Solution
Message-ID: <3846261F.88EE3E61@radguard.com>

Hello Vikash,

Today's VPN market offers a great variety of products, other than the ones you have mentioned. It all depends on your needs: How much security do you need? Are the applications you want to use bandwidth intensive? Is survivability and hot backup important to you? Do you intend to scale up your network in the future?

The Cisco and Nortel VPNs are somewhat problematic, because they are based on router platforms which weren't built for security. As such they have security and low performance problems.

I'd recommend you to visit these sites:
http://kubarb.phsx.ukans.edu/~tbird/vpn.html
http://www.dtool.com/vpn.html
where you can find data sheets to compare the products with.

I'd also recommend that you make sure the products are ICSA certified. That will ensure their interoperability with other products, which will give you more flexibility in the future (in case you'll want to change vendors):
http://www.icsa.net/services/product_cert/ipsec/certified_products.shtml

As for the firewall and encryption issues: Many of the products come with an integral firewall, and most can work with a separate firewall. Encryption of 128 bit and more (168 bit 3DES) is allowed outside the US - only that the US government hasn't until recently allowed US companies to export it. However, non-US companies sell it freely, and even the US is now in the process of drafting a law to alleviate some of its export restrictions.
During your market research, I recommend that you also visit my company's site, www.radguard.com, and check our products as well.

I hope I helped!

Noam Gruber

Vikash Bhagchandka wrote:
>
> Hi,
>
> I would like to know which is the best product for setting up a VPN to
> connect two offices with 50 users over the Internet.
>
> I have the option of either Contivity Extranet Switch 1500 or Cisco 1720 VPN
> solution. I would like to know which one is better in terms of reliability,
> connectivity & security. Is there any other product which I should consider
> other than Cisco & Nortel.
>
> As the offices will be connected using the Internet, I would need to install
> a firewall too. Could you suggest something that is easy to set up & monitor.
> Apart from that, I would also like to know if 128-bit encryption is allowed
> outside US.
>
> TIA,
> Vikash
From: lhebert at netesys.com (Laurent Hebert)
Date: Thu, 2 Dec 1999 09:56:58 -0500
Subject: MS PPTP
Message-ID: <19991202145253800.AAA270@bacchus2.netesys.com@gvl-12364>

We did not test the IRE client from Cisco but I would be surprised if it could execute the NT login script, mainly if the PC O/S is NT. So far, we have not found any VPN client that can execute the NT login script if the PC client has the NT O/S. However, with a client running W95, the Altiga product, Shiva and the ADI (Assured-Digital) product work fine with NT.

Usually, it is easier to use the VPN client that comes with the VPN Gateway since the interoperability between products is not there yet.

Laurent

----------
> From: Steve Cundall
> To: vpn at listserv.secnetgroup.com
> Subject: RE: MS PPTP
> Date: 30 November 1999 11:47
>
> One hitch when using NT domain database and Radius with the current version
> of Cisco Secure is that it doesn't support CHAP, just PAP and MS-CHAP. CHAP
> works fine if the users are in the CS database, just not if they are in NT.
> I am not sure if they are going to fix this or not, as I have my Cisco
> people looking into this issue.
>
> -Steve
>
> -----Original Message-----
> From: David Klann [mailto:dklann at berbee.com]
> Sent: Monday, November 29, 1999 7:44 PM
> To: vpn at listserv.secnetgroup.com; Misha
> Subject: Re: MS PPTP
>
>
> Yes,
>
> Cisco's "Cisco Secure ACS (Access Control System)" supports both RADIUS and
> TACACS protocols and can use the NT domain user database for authentication.
>
> -David

From: twolsey at realtech.com (TC Wolsey)
Date: Fri, 03 Dec 1999 10:08:15 -0500
Subject: MS PPTP

> Steve Cundall 12/01/99 07:00PM >>>
> Thanks for the input TC.
>What I am hearing from other sources is that if I
>use Internet Connection Services for Microsoft
>Remote Access Service, Commercial Edition (ICS for RAS), it will work with
>CHAP. I suppose if it's Microsoft software, they can work around the problem
>you describe below. Any comments? Has anyone tried this in this
>configuration?

It does not need to be Microsoft software; l0phtcrack will "work around" the problem also :-) What CHAP support boils down to is having the cleartext password stored somewhere, or a transform of the password that can be manipulated to output the password in a feasible timeframe.

>I am using (more like trying to use) UUnet's Corporate dial solution which
>allows you to dial into any of UUnet's global access points to gain access
>to the Internet and then use any VPN technology to tunnel back. They are
>sending Proxy RADIUS requests back to my RADIUS servers over the Internet
>from theirs. They don't recommend using PAP, as some of the NAS's don't
>prompt for a Login: and since we are using NT DUN, it tries to use CHAP
>unless scripted to do otherwise. They are saying they don't currently
>support MS-CHAP in this configuration.

I am not sure what having an interactive authentication prompt has to do with PAP or CHAP (or any other PPP authentication method).

Thinking about what you want to do here, I believe that you may have a more basic issue than the PPP authentication method alone. Assuming that you want to use the NT domain accounts/passwords for dial-up authentication to your provider, you will also be using those same accounts/passwords for the MS PPTP authentication, but more importantly the initial crypto keys for the PPTP connection will be some derivative of the account password. If an attacker can get the password by passively monitoring the dial-up connection during PPP authentication, they can probably use that to disrupt or inject data into your PPTP sessions also. Even if you use CHAP for PPP authentication, an offline dictionary attack may expose weak passwords which can then be used to disrupt future PPTP sessions (assuming the password has not changed). Using separate passwords (with separate accounts if possible) for PPP and PPTP authentication may make you sleep better at night.

Regards,

--tcw

>Steve
>
>-----Original Message-----
>From: TC Wolsey [mailto:twolsey at realtech.com]
>Sent: Wednesday, December 01, 1999 2:54 PM
>To: SCundall at ariba.com
>Cc: vpn at listserv.secnetgroup.com
>Subject: RE: MS PPTP
>
>>>> Steve Cundall 11/30/99 11:47AM >>>
>>One hitch when using NT domain database and Radius with the current version
>>of Cisco Secure is that it doesn't support CHAP, just PAP and MS-CHAP. CHAP
>>works fine if the users are in the CS database, just not if they are in NT.
>>I am not sure if they are going to fix this or not, as I have my Cisco
>>people looking into this issue.
>>
>>-Steve
>
>I do not think that Cisco (or any other vendor) will fix it, as it is not
>really their problem. CHAP requires access to the cleartext password to
>generate the challenge to the client; NT, NDS, /etc/shadow, etc. all store a
>one-way hash of the password, not the password itself. If cleartext
>transmission of long-term authentication secrets makes you uneasy (and it
>should) then use a one-time password or two-factor authentication scheme,
>e.g. S/Key, SecurID, CryptoCard, etc. If you do use a local file with
>cleartext (or equivalent) passwords in it, you should take extreme measures
>to keep it restricted to only the accounts that need to use it, especially
>as many users given a choice will use duplicate passwords for various
>authentication methods.
>
>Regards,
>
>--tcw

From tbird at secnetgroup.com Fri Dec 3 08:57:46 1999
From: tbird at secnetgroup.com (Tina Bird)
Date: Fri, 3 Dec 1999 07:57:46 -0600 (CST)
Subject: New Export Regulations

For those of you in search of a little light reading this weekend, the Electronic Privacy Information Center has published the draft version of the Clinton administration's revisions to US crypto export policy. To no one's surprise, it's not quite so liberal as the early press releases suggested.

http://www.epic.org/crypto/export_controls/draft_regs_11_99.html

cheers -- Tina

From drj at lamar.colostate.edu Fri Dec 3 12:17:04 1999
From: drj at lamar.colostate.edu (Joseph Williams)
Date: Fri, 3 Dec 1999 10:17:04 -0700
Subject: VPN vs. SSL
Message-ID: <000f01bf3db2$3903b300$4d355281@home>

Hi folks. What are your favorite on-line resources that evaluate the pros/cons of VPN vs. SSL?

Thanks,
joseph
joseph at e-prime.com

From carlsonmail at yahoo.com Fri Dec 3 12:27:39 1999
From: carlsonmail at yahoo.com (Chris Carlson)
Date: Fri, 3 Dec 1999 09:27:39 -0800 (PST)
Subject: Nortel-Cisco, was: Re: VPN Solution
Message-ID: <19991203172739.6412.qmail@web118.yahoomail.com>

--- Noam Gruber wrote:
...
> The Cisco and Nortel VPNs are somewhat problematic,
> because they are
> based on router platforms which weren't built for
> security. As such they
> have security and low performance problems.
...

Noam is grossly incorrect in his statement regarding the Nortel Contivity platform. The Contivity, which Nortel bought from New Oak Communications, uses a real-time OS for Intel written by Wind River. This real-time OS is extremely small and efficient, with custom routing and IPSec drivers written specifically for the VPN application. It is *NOT* based on the Bay Networks router line.
In fact, the Tolly Group did a performance bake-off between the Contivity 4000 and the Cisco 7200 router. The Contivity blew its doors off.

Noam is correct regarding the Cisco VPN boxes -- they are IOS routers with VPN code, but hardly bad products. As always, carefully research and test any product before implementing it into your environment.

Note that Noam's email is from "radguard.com", a VPN vendor. As such, take his alleged "statements of fact" with a grain of salt with regard to competing products...

Regards,
Chris

From jneedle at nortelnetworks.com Fri Dec 3 14:25:13 1999
From: jneedle at nortelnetworks.com (Jeffrey Needle)
Date: Fri, 03 Dec 1999 14:25:13 -0500
Subject: VPN Solution
In-Reply-To: <3846261F.88EE3E61@radguard.com>
Message-ID: <4.2.2.19991203141311.05715d90@zbl6c000.corpeast.baynetworks.com>

I beg to differ strongly with some of your statements, Noam. The Nortel VPN product (formerly the Bay VPN product, originally the Newoak VPN product) is not based on any router platform. It was built from scratch to be a VPN product. It was designed to be a security product from the beginning. Performance has never been an issue for the Contivity family either.

Vikash, as for strong encryption abroad, US-based companies are allowed to use strong encryption for their branch offices abroad, I believe. You should always verify these types of questions with the proper legal authorities, of course.

A few more words on Contivity since I have the floor :-). It is ICSA certified and interoperates with most everything we've come across, and certainly everything that has implemented to the IPsec specifications. Due to this flexibility, if you choose to implement Contivity in some of your branches, you can still feel free to choose other platforms for other offices that might have a better "cultural" fit, knowing that Contivity will interoperate with it. If you have any specific questions about Contivity, feel free to contact me.

Jeff Needle, Nortel Networks

At 09:56 AM 12/2/99 +0200, Noam Gruber wrote:
>The Cisco and Nortel VPNs are somewhat problematic, because they are
>based on router platforms which weren't built for security. As such they
>have security and low performance problems.

From Eric.Jeffery at edwards.af.mil Fri Dec 3 16:52:42 1999
From: Eric.Jeffery at edwards.af.mil (Jeffery Eric Contr 95CS/TYBRIN)
Date: Fri, 3 Dec 1999 13:52:42 -0800
Subject: Source Address
Message-ID: <02A65223388ED31195060090276D349617B759@FSFSPM15>

Scenario: The VPN setup has an External Router connected to a Firewall via port 1 and a VPN Device via port 2. The VPN Device is connected to the Firewall as well, but NOT to the Enterprise WAN. The Firewall is connected to an Internal switch and from there reaches the Enterprise WAN.

A VPN user located across the country establishes a successful VPN connection with the VPN Device. The user then makes a SQL call to a server inside the Enterprise. The External Router will send the packet to the VPN Device.

Router-----------------------------------------------VPN Device
  |                                                       |
  |                                                       |
  |                                                       |
  |--------Firewall---------------------------------------Internal Network

Question: The VPN device will then forward the packet to the Firewall. Is the source address on this packet that of the user across the country, or is it the source address of the VPN Device? Assume all VPN traffic uses IPSec.

Eric Jeffery, MCSE
Network Systems Analyst

From taco.de.vries at trustworks.com Sat Dec 4 05:56:49 1999
From: taco.de.vries at trustworks.com (Taco de Vries)
Date: Sat, 4 Dec 1999 11:56:49 +0100
Subject: VPN Solution
References: <3846261F.88EE3E61@radguard.com>
Message-ID: <006a01bf3e46$441f5480$2ddfced4@trustworks.com>

With regards to ICSA certification: its claims are good, the status of the ICSA as well, but as far as compatibility issues go, I received this update from them last Friday (quoted below).

To help you understand the magnitude of the problem consider that we are testing nearly 40 products. Now that doesn't mean we will not announce certified products till all 40 are interoperable with each other.
But we have to reach reasonable confidence in the conclusion that they are interoperable within the criteria before we announce any certified products. We have more than 20 tests that average 1/2 hour to 3/4 hour to complete for a product as an initiator and as a responder. And it is taking us from 24 to 48 hours to complete a cycle for a product. If no glitches appear we could arrive at the first credible set of interoperable 1.0A products within the next few days. But, so far we are experiencing daily, with one product or another, some glitch that makes it impossible for us to credibly claim any set of products meets the criteria. We will keep working at it and we are confident that you will also. Everyone at ICSA wants to see certified products announced as soon as possible. We know the pressure on you is tremendous, because you have been increasing the pressure on us.

The following list repeats some of what was previously reported, but the list is still valid and is growing. Problems that surfaced during the testing: some products
- will not allow their packets to be fragmented
- have problems sizing their packets
- delete SAs during a MM negotiation
- have problems renegotiating an ISAKMP SA in large volumes of traffic
- submitted management station software that didn't correspond/match with the rest of the product software on hand
- are able to form a tunnel when acting as an initiator, but not as a responder (and vice versa)
- simply will not interoperate with one another at the ping level
- have problems negotiating DH groups
- have licenses that expire during testing
- have no current Product Testing Guide on file with ICSA
- do not support a basic criteria requirement, such as ESP NULL mode or SHA-1 for hashes.

Some of you have responded to the last notice on this subject, but we still do not have current Product Testing Guides for several of the candidate products. Some products have more than one of the problems listed above.

Again, old words, but still true: "This is not a complete list of problems the lab is finding. Every product tested beyond the initial interoperability stages has had at least one problem and some have basic interoperability problems. Lab personnel are in contact with the vendor POCs who have products for which the Lab discovered problems that require patches."

ICSA is making every attempt to perform some level of testing against all candidate products we have in the lab, but we have some products that we haven't begun to test yet. Generally, for these products, we have not received hardware, software, Product Testing Guide, or some administrative requirement has not been met. In each case, ICSA has sent notices to the appropriate vendor POCs.

I should tell you that there are products that have been tested and now are not being tested. Generally they fall into two categories:
- ICSA has informed the Technical POC of a deficiency and we have waited more than a week for a patch and we haven't received it yet.
- We have no valid license for operating and testing the product.

----- Original Message -----
From: Noam Gruber
Sent: Thursday, December 02, 1999 8:56 AM
Subject: Re: VPN Solution

> Hello Vikash,
> Today's VPN market offers a great variety of products, other than the
> ones you have mentioned. It all depends on your needs: How much security
> do you need? Are the applications you want to use bandwidth intensive?
> Is survivability and hot backup important to you? Do you intend to scale
> up your network in the future?
>
> The Cisco and Nortel VPNs are somewhat problematic, because they are
> based on router platforms which weren't built for security. As such they
> have security and low performance problems.
>
> I'd recommend you to visit these sites:
> http://kubarb.phsx.ukans.edu/~tbird/vpn.html
> http://www.dtool.com/vpn.html
> where you can find data sheets to compare the products with.
>
> I'd also recommend that you make sure the products are ICSA certified.
> That will ensure their interoperability with other products, which will
> give you more flexibility in the future (in case you'll want to change
> vendors):
> http://www.icsa.net/services/product_cert/ipsec/certified_products.shtml
>
> As for the firewall and encryption issues:
> Many of the products come with an integral firewall, and most can work
> with a separate firewall.
> Encryption of 128 bit and more (168 bit 3DES) is allowed outside the US
> - only that the US government hasn't until recently allowed US companies
> to export it. However, non-US companies sell it freely, and even the US
> is now in the process of drafting a law to alleviate some of its export
> restrictions.
>
> During your market research, I recommend that you also visit my
> company's site, www.radguard.com, and check our products as well.
>
> I hope I helped!
>
> Noam Gruber

From taco.de.vries at trustworks.com Sat Dec 4 05:47:30 1999
From: taco.de.vries at trustworks.com (Taco de Vries)
Date: Sat, 4 Dec 1999 11:47:30 +0100
Subject: VPN Solution
References: <01903665B361D211BF6700805FAD5D9325B87C@mail.datarange.co.uk>
Message-ID: <003301bf3e44$f6e0f760$2ddfced4@trustworks.com>

Yes, extra license costs are involved; Nokia with FW-1 has extra license costs as well.

Have you considered a pure software VPN solution? Probably cheaper with this number of users.

Taco

Taco B. de Vries
Director of Operations and Customer Care
TrustWorks Systems
www.trustworks.com

----- Original Message -----
From: Stephen Hope
To: 'David Gillett' ;
Sent: Thursday, December 02, 1999 10:54 AM
Subject: RE: VPN Solution

> Note that the Nortel Contivity supports using Checkpoint Firewall-1 embedded
> in the VPN gateway - I think there is an extra license cost.
>
> Stephen
>
> Stephen Hope C. Eng, Network Consultant
> shope at datarange.co.uk, or shope at bcs.org.uk
> Datarange Communications PLC, Carrington Business Park, Carrington,
> Manchester, UK.
> M31 4ZU
> Tel: +44 (0)161 776 4190 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

From dgillett at niku.com Tue Dec 7 12:47:49 1999
From: dgillett at niku.com (David Gillett)
Date: Tue, 7 Dec 1999 09:47:49 -0800
Subject: Source Address
In-Reply-To: <02A65223388ED31195060090276D349617B759@FSFSPM15>
Message-ID: <007c01bf40db$2e779e70$f30410ac@niku.com>

The VPN device appears as the destination of the encrypted packet. The payload, when unencrypted, carries its original source and destination addresses.

Typically, however, the source address will refer to a *virtual* adapter in the originating machine, rather than the machine's "real" address. This virtual address can be one issued via DHCP at the time the tunnel is connected. Since you've chosen to terminate the tunnel in front of the firewall, if you use DHCP this way, I would designate a particular block of addresses to be issued to VPN connections (and recognized by the firewall policies). [Many VPN devices can serve DHCP for precisely this purpose.]

If the tunnel terminated behind the firewall, then remote users could be issued addresses from the same DHCP scope (and server) as users directly on the internal network.

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702

From pdavis at altiga.com Tue Dec 7 10:42:20 1999
From: pdavis at altiga.com (Davis, Peter)
Date: Tue, 7 Dec 1999 10:42:20 -0500
Subject: Source Address
Message-ID: <71B30BC67510D31184030090277A3DDE5FAF7C@mail.altiga.com>

Eric,

This really depends on your VPN device. There are three possibilities. Some products can do any of the 3 below.

1) VPN device does not perform NAT and does not assign IP addresses - IP is that of the remote user
2) VPN device assigns client addresses - IP is another IP address (local) for that customer
3) VPN device performs NAT (either way) - IP is that of the VPN device's private interface

Best regards,
-pete

From lrenn at etci.com Tue Dec 7 13:27:43 1999
From: lrenn at etci.com (Luke Renn)
Date: Tue, 7 Dec 1999 13:27:43 -0500
Subject: PGPnet/isakmpd/ipsec/OpenBSD telecommuting vpn??
Message-ID: <003101bf40e0$c02efca0$047ba8c0@localnet>

Hi all,

I originally posted this to an OpenBSD mailing list, but someone there suggested I post it here. Any help or insight would be greatly appreciated. Thanks.

-------------

I was wondering if it would be possible to set up a VPN that users from home could connect to using the above-mentioned programs. Not like two different OpenBSD machines in different offices, but more of the M$ PPTP solution, more of a telecommuter's VPN. PGPnet is a freeware VPN client (non-commercial users only, Win98/NT and Mac!!) and supports IKE and IPSEC with CAST, 3DES and the rest. It looks like it would work, but I've been trying and I can't seem to get PGPnet to talk to isakmpd (IKE always times out). Has anyone tried using PGPnet with isakmpd, ipsecadm and OpenBSD? Anyone get it working?
http://web.mit.edu/network/pgp.html Thanks, Luke **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From tbird at KUSPY.PHSX.UKANS.EDU Thu Dec 9 09:32:37 1999 From: tbird at KUSPY.PHSX.UKANS.EDU (Tina Bird) Date: Thu, 9 Dec 1999 08:32:37 -0600 Subject: List Move! Message-ID: Hi all -- As you will notice from this message, the VPN Mailing List has a new home. It's now being hosted at securityfocus.com, along with Bugtraq and several other lists -- and a wonderful collection of security tools, advisories and databases. Many thanks to Aleph1 for volunteering to host for us. The VPN resources Web site remains at http://kubarb.phsx.ukans.edu/~tbird/vpn.html and the list FAQ is at http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html. Cheers -- Tina Bird VPN is sponsored by SecurityFocus.COM From tbird at KUSPY.PHSX.UKANS.EDU Fri Dec 10 15:48:13 1999 From: tbird at KUSPY.PHSX.UKANS.EDU (Tina Bird) Date: Fri, 10 Dec 1999 14:48:13 -0600 Subject: Administrivia Message-ID: Hi all -- If you've submitted a message to the VPN list in the last couple of days, and it hasn't been posted, please resubmit it to vpn at securityfocus.com We've experienced a small lapse of service in the transition. 
Thanks for your patience -- Tina

From Azim.Ferchichi at swisscom.com Fri Dec 10 06:47:54 1999
From: Azim.Ferchichi at swisscom.com (Azim.Ferchichi at swisscom.com)
Date: Fri, 10 Dec 1999 12:47:54 +0100
Subject: Nortel-Cisco, was: Re: VPN Solution
Message-ID: <7E46AF731AD5D111BF4F0000F830C63D03A107FD@gd3i5w.swissptt.ch>

Hi all,

Let me react on a few points:

- Unfortunately I don't know the Contivity product, but even if it was very well designed, if you have a software solution it is normally slower than the hardware solution, because a hardware solution uses a dedicated crypto-processor, especially for asymmetric crypto.

- For the VPN on the router, as it is implemented on the IOS platform, we all know that they are security nightmares with many backdoors and bugs (even if new products are better), so it is not the best solution (this is my point of view of course) in terms of security to implement a VPN only on Cisco routers!

- We have tested some VPN products (both HW and software) in our company, and it is difficult to say that one product is better than the other, because it greatly depends on your requirements, but basically here are some points:

1- HW or soft solution. It's a trade-off between flexibility and speed and security: normally HW should be faster and secure, and a soft solution might suffer from the platform security (how the OS is or can be hardened) and limitations (processor speed, memory capacity, etc.). On the other hand, soft solutions are more flexible, especially if you have special needs or if you want to interact with other VPN products. Concerning the costs, HW is generally more expensive than a soft solution, but if for your soft installation you have to buy a machine like a SUN, then costs become more or less the same...

2- The product shall be fully IPSEC compatible to ensure you the possibility to work with other IPSEC products.
IPSEC leaves open many options (concerning the algorithm, concerning the mode); the more options the product has, the more chances you will have for an integration with another IPSEC product.

3- Is it possible to make a central management of your VPN system? Remember that easy and understandable management leads to better security. You have to test this!!!

4- Finally, if you work with certificates, you will have to look closely at how they provide the possibility to generate certificates, to download them to the right place and to verify them. Investigate also the possibility to import third party certificates. X.509 is a standard for certificate format; however, if one product accepts an X.509 certificate it doesn't mean that it will accept all other X.509 compatible certificates.

Concerning US IPSEC products. We know that we have a large choice of VPN products that are not US products. Because of the US export law restrictions, when we (in our company) have to look for an IPSEC product, it is very very seldom that we are interested in US products!! And the new text proposed for the modification of this law article won't change anything!!

Cheers

Azim Ferchichi
___________________
CIT-CT-TPM
IT security and Smart-cards
Swisscom AG
CH-3050 BERN
Phone: +41 31 342 09 22
Mobile: +41 79 301 55 56
Fax: +41 31 342 00 08
______________________

> ----------
> From: Chris Carlson[SMTP:carlsonmail at yahoo.com]
> Sent: Friday, 3 December 1999 18:27
> To: Noam Gruber; eyeque-india at telebot.net
> Cc: vpn at listserv.secnetgroup.com
> Subject: Nortel-Cisco, was: Re: VPN Solution
>
> --- Noam Gruber wrote:
> ...
> > The Cisco and Nortel VPNs are somewhat problematic, because they are
> > based on router platforms which weren't built for security. As such they
> > have security and low performance problems.
> ...
>
> Noam is grossly incorrect in his statement regarding
> the Nortel Contivity platform.
>
> The Contivity, which Nortel bought from New Oak Communications, uses a real-time OS for Intel written by Wind River. This real-time OS is extremely small, efficient, with custom routing and IPSec drivers written specifically for the VPN application. It is *NOT* based on the Bay Network router line.
>
> In fact, the Tolly Group did a performance bake-off between the Contivity 4000 and Cisco 7200 router. The Contivity blew its doors off. Noam is correct regarding the Cisco VPN boxes -- they are IOS routers with VPN code, but hardly bad products.
>
> As always, carefully research and test any product before implementing it into your environment. Note that Noam's email is from "radguard.com", a VPN vendor. As such, take his alleged "statements of fact" with a grain of salt with regard to competing products...
>
> Regards,
> Chris
From ken.c.chen at lmco.com Thu Dec 9 18:41:28 1999
From: ken.c.chen at lmco.com (Chen, Ken C)
Date: Thu, 09 Dec 1999 18:41:28 -0500
Subject: 1- to -1 NAT and IPsec Tunnels
Message-ID: <15B7999C4F94D211AAE90000F81A45E701204721@emss20m02.ems.lmco.com>

This may have been touched upon, but I just wanted a clarification.

Can you establish an IPsec (triple-DES) tunnel when using one-to-one NAT?

I know the NAT overload scheme disrupts the header information, and prohibits IPsec tunnels.

From lrenn at ETCI.COM Fri Dec 10 16:11:04 1999
From: lrenn at ETCI.COM (Luke Renn)
Date: Fri, 10 Dec 1999 16:11:04 -0500
Subject: PGPnet/isakmpd/ipsec/OpenBSD telecommuting vpn??
References: <003101bf40e0$c02efca0$047ba8c0@localnet>
Message-ID: <00b301bf4353$11687c30$047ba8c0@localnet>

I'm resubmitting this because Tina Bird said it might not have gone through.

Luke

From tbird at KUSPY.PHSX.UKANS.EDU Fri Dec 10 16:05:46 1999
From: tbird at KUSPY.PHSX.UKANS.EDU (Tina Bird)
Date: Fri, 10 Dec 1999 15:05:46 -0600
Subject: 1- to -1 NAT and IPsec Tunnels (fwd)

This may have been touched upon, but I just wanted a clarification.

Can you establish an IPsec (triple-DES) tunnel when using one-to-one NAT?

I know the NAT overload scheme disrupts the header information, and prohibits IPsec tunnels.
From goldy at COMPATIBLE.COM Fri Dec 10 16:47:41 1999
From: goldy at COMPATIBLE.COM (Steve Goldhaber)
Date: Fri, 10 Dec 1999 14:47:41 -0700
Subject: 1- to -1 NAT and IPsec Tunnels
In-Reply-To: <15B7999C4F94D211AAE90000F81A45E701204721@emss20m02.ems.lmco.com>

On Thu, 9 Dec 1999, Chen, Ken C wrote:

> Can you establish an IPsec (triple-DES) tunnel when using one-to-one NAT?
>
> I know NAT overload scheme disrupts the header information, and prohibits
> IPsec tunnels.

There are several IPSec products which will go through NAT, especially if it is 1-to-1. You have to satisfy two basic requirements. One is to have a vendor which doesn't force you to configure in the IP addresses of the endpoints. If your IKE authentication is based on user names or if you know the correct addresses to use at all stages of the negotiation, you can negotiate an IPSec tunnel through a NAT.

The second requirement is to use ESP packet protection. NAT+IPSec got a bad name during the days of the original IPSec where the only data-authentication algorithm (AH) didn't allow changing the IP addresses through a NAT. With ESP, many vendors have no trouble with NAT.

Some vendors also have special, non-interoperable, features which allow IPSec transport even through a many-to-one NAT. Ask around, or convince Tina to add that info to the VPN product page :-)

Steve Goldhaber
goldy at compatible.com
Compatible Systems Corp.
(303) 444-9532
www.compatible.com

From tbird at KUSPY.PHSX.UKANS.EDU Fri Dec 10 16:08:15 1999
From: tbird at KUSPY.PHSX.UKANS.EDU (Tina Bird)
Date: Fri, 10 Dec 1999 15:08:15 -0600
Subject: Nortel-Cisco, was: Re: VPN Solution (fwd)

From dgillett at NIKU.COM Fri Dec 10 16:35:06 1999
From: dgillett at NIKU.COM (David Gillett)
Date: Fri, 10 Dec 1999 13:35:06 -0800
Subject: 1- to -1 NAT and IPsec Tunnels
In-Reply-To: <15B7999C4F94D211AAE90000F81A45E701204721@emss20m02.ems.lmco.com>
Message-ID: <000701bf4356$6d697720$f30410ac@niku.com>

I expect not. My understanding -- possibly flawed -- of the issue with NAT is that the NATted machine knows itself by a different (local) address than the remote machine knows it as. I don't believe whether the NAT is one-to-one makes any difference.

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702

From pdavis at ALTIGA.COM Fri Dec 10 16:31:41 1999
From: pdavis at ALTIGA.COM (Davis, Peter)
Date: Fri, 10 Dec 1999 16:31:41 -0500
Subject: 1- to -1 NAT and IPsec Tunnels
Message-ID: <71B30BC67510D31184030090277A3DDE5FAFDC@mail.altiga.com>

Yes, as long as you're using ESP and not AH. You should also make sure that your firewall is not dumping fragmented packets.

-Pete
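Steve Goldhaber's and Pete's replies above both say that a tunnel will cross a 1-to-1 NAT with ESP but not with AH. The script below is an added example, not code from any poster or vendor, showing why: it builds a minimal IPv4 header, computes a simplified AH integrity check over the header fields RFC 2402 treats as immutable (source and destination address included) and an ESP integrity check over the ESP header and payload only, then rewrites the source address the way a static 1-to-1 NAT would. The key, addresses, SPI and the shortened AH/ESP layouts are constructed for the demonstration; encryption is left out because only the integrity coverage decides the NAT question.

```python
"""Why a 1-to-1 NAT breaks AH but not ESP (constructed example, not list or vendor code).

AH (RFC 2402) computes its integrity check value (ICV) over the IP header fields that
do not change in transit, which include the source and destination addresses, plus the
payload. ESP (RFC 2406) computes its ICV over the ESP header and payload only; the IP
header is not covered, so a NAT may rewrite the addresses without invalidating it.
Headers here are simplified (no AH next-header/length fields, no ESP encryption).
"""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed; a real SA key is negotiated by IKE
ICV_LEN = 12                    # HMAC-SHA1-96 truncation, used by both AH and ESP below


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum of a 20-byte header; returns 0 for a valid header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_addr(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def ip_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options, DF set) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, ip_addr(src), ip_addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ah_icv_view(hdr: bytes) -> bytes:
    """Header as AH authenticates it: the RFC 2402 mutable fields (TOS, flags and
    fragment offset, TTL, checksum) zeroed; source and destination addresses remain."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_packet(src: str, dst: str, payload: bytes) -> bytes:
    """IP header (proto 51) + ICV + payload; the ICV covers header view and payload."""
    hdr = ip_header(src, dst, 51, ICV_LEN + len(payload))
    return hdr + _mac(ah_icv_view(hdr) + payload) + payload


def verify_ah(pkt: bytes) -> bool:
    hdr, icv, payload = pkt[:20], pkt[20:20 + ICV_LEN], pkt[20 + ICV_LEN:]
    return hmac.compare_digest(icv, _mac(ah_icv_view(hdr) + payload))


def esp_packet(src: str, dst: str, payload: bytes, spi: int = 0x1000, seq: int = 1) -> bytes:
    """IP header (proto 50) + ESP header + payload + ICV; the ICV never covers the IP header."""
    esp = struct.pack("!II", spi, seq) + payload
    return ip_header(src, dst, 50, len(esp) + ICV_LEN) + esp + _mac(esp)


def verify_esp(pkt: bytes) -> bool:
    esp, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, _mac(esp))


def one_to_one_nat(pkt: bytes, public_src: str) -> bytes:
    """Static 1-to-1 NAT: rewrite the source address and repair the header checksum.
    No ports are touched, which is why ESP (which has no ports) can be mapped at all."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = ip_addr(public_src)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def nat_demo() -> dict:
    """Push one AH and one ESP packet through the NAT (documentation-range addresses, constructed)."""
    inner, public, peer = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    payload = b"constructed inner packet"
    ah_in = ah_packet(inner, peer, payload)
    ah_out = one_to_one_nat(ah_in, public)
    esp_out = one_to_one_nat(esp_packet(inner, peer, payload), public)
    return {
        "ah_ok_before_nat": verify_ah(ah_in),
        "ah_ok_after_nat": verify_ah(ah_out),       # False: the source address is authenticated
        "esp_ok_after_nat": verify_esp(esp_out),    # True: the IP header is outside the ICV
        "ip_checksum_ok_after_nat": ipv4_checksum(ah_out[:20]) == 0,
    }


if __name__ == "__main__":
    print(nat_demo())
```

The last key in the result shows the other half of the picture: the NAT does repair the IP header checksum, so the rewritten AH packet is a perfectly valid IP datagram and is only rejected once the far gateway recomputes the AH ICV. The same reasoning is why a many-to-one (overload) NAT is harder still: it needs transport ports to multiplex on, and neither AH nor ESP exposes any, which is the gap the vendor-specific features Steve mentions fill.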
From misha at INSYNC.NET Sat Dec 11 12:17:08 1999
From: misha at INSYNC.NET (Misha)
Date: Sat, 11 Dec 1999 11:17:08 -0600
Subject: 1- to -1 NAT and IPsec Tunnels
In-Reply-To: <71B30BC67510D31184030090277A3DDE5FAFDC@mail.altiga.com>

Do ESP packets get fragmented often? We have fragguard turned on with most of the firewalls we run, but it does not simply drop them. Fragguard on the Pix usually makes sure that the fragments have a beginning and an end, and do not overlap.

Misha

On Fri, 10 Dec 1999, Davis, Peter wrote:

> Yes, as long as you're using ESP and not AH. You should also make sure that
> your firewall is not dumping fragmented packets.
>
> -Pete

From andreisv at ISDN.NET.IL Sat Dec 11 18:15:31 1999
From: andreisv at ISDN.NET.IL (Andrei Sava)
Date: Sun, 12 Dec 1999 01:15:31 +0200
Subject: AtmPvc option in PPTP Client for Linux
Message-ID: <199912112317.BAA15816@mail.barak.net.il>

I am connecting to the Internet through an ADSL connection, using PPTP. In order to configure my connection in Windows, I set up a VPN PPTP dialup, specifying as IP address "10.10.20.62 0510". The parameter 0510 that follows the IP is called ATM-PVC port, and is required in order to establish the connection.

I would like to connect to the Internet using my Linux box, but the Linux PPTP client (www.pdos.lcs.mit.edu/~cananian/Projects/PPTP/) does not support sending the AtmPvc parameter.
Following is some information about AtmPvc:

I am using an Orckit FastInternet ADSL modem (www.orckit.com). This parameter is actually a string that is being sent by the dialup adapter to the modem. It is not treated by the modem as a number but as a string. Different configurations require a parameter that contains letters. The parameter is used for ISP selection.

I can telnet into my modem and watch connection status (using the command 'event show'). This is the status output when using the Linux client, which does not send the ATM parameter:

MSG_R_LISTEN new r
NEW RX type (1 )
send_packet size 156
new_server_socket f 5932896
pptp MSG_R_RECVr
NEW RX type (7 )
TU:set_ipmac ip = 10.10.20.35 r - 23140a0a l- 3e140a0a
TU:get_atmPvc lenght- 0 adddres = <------------
handle_new_outcall atm pvc short <------------
send_packet size 32
pptp MSG_R_RECVr
NEW RX type (3 )
handle_con_msg (0):PPTP_STOP_SESSION_REQUEST reason=3
TU:closetunnel (0)
send_packet size 16
closeTCP f 5951392

As you can see, the modem refused the connection without the atm pvc option. When the parameter is specified (using "10.10.20.62 0510" as the IP in the Windows dialup adapter), the connection is established:

pptp: MSG_R_LISTEN new r
NEW RX type (1 )
send_packet size 156
new_server_socket f 5914400
pptp MSG_R_RECVr
NEW RX type (7 )
TU:set_ipmac ip = 10.10.20.35 r - 23140a0a l- 3e140a0a
TU:get_atmPvc lenght- 4 adddres = 0510 <---------------
TU succes new call on pvc L.I= 1 F.I 0 GRE.I 1 <---------------
send_packet size 32
pptp MSG_R_RECVr
NEW RX type (15 )
...

Please inform me if you have any ideas how I can patch the PPTP Linux client to send the atmPvc parameter to the modem.

Thanks.

From rng at NETSCREEN.COM Mon Dec 13 00:22:44 1999
From: rng at NETSCREEN.COM (Ronald Ng)
Date: Sun, 12 Dec 1999 21:22:44 -0800
Subject: 1- to -1 NAT and IPsec Tunnels
Message-ID: <001301bf452a$199e2200$6f020a0a@netscreen.com>

All IPSec packets should be fragmented, I would think.
There is not enough room in the packet for it not to be fragmented. The firewall just needs to make sure it doesn't do a tear drop, which is the overlap condition you described.

----- Original Message -----
From: "Misha"
Sent: Saturday, December 11, 1999 9:17 AM
Subject: Re: 1- to -1 NAT and IPsec Tunnels

> Do ESP packets get fragmented often? We have fragguard turned on with
> most of the firewalls we run, but it does not simply drop them. Fragguard
> on the Pix usually makes sure that the fragments have a beginning and an
> end, and do not overlap.
>
> Misha

From Fred.Golder at CENDANT.COM Mon Dec 13 08:22:37 1999
From: Fred.Golder at CENDANT.COM (Golder, Fred)
Date: Mon, 13 Dec 1999 08:22:37 -0500
Subject: Nortel-Cisco, was: Re: VPN Solution (fwd)

Check out the Gartner Group report from 13 September entitled "The Remote Access VPN Magic Quadrant Criteria for 2H99" if you want an independent assessment of positioning in the market place.

The sales info I was told by both companies 12/3/99 for # of users per box is as follows.
Product                      without hardware crypto    with hardware crypto
Nortel 4500                  2000                       5500
Cisco 7140 ("VPN router")    100                        700

It should be noted that Cisco claims they can stack any number of routers together and thereby handle any number of sessions. I don't know if I believe that or not. Further, the salesman said if the router was also routing, performance would be lower.

Nortel can load balance between 2 boxes at once and IF you use failure craftily you can get 8 boxes supporting your load at once. It should also be noted that Nortel hasn't yet released its crypto card, so that number is guesswork, albeit educated guesswork.

-Fred Golder
URL: http://lists.shmoo.com/pipermail/vpn/attachments/19991213/38e6ab3e/attachment.htm From collum at NETWORK-ALCHEMY.COM Mon Dec 13 10:15:54 1999 From: collum at NETWORK-ALCHEMY.COM (Jim Collum) Date: Mon, 13 Dec 1999 07:15:54 -0800 Subject: Nortel-Cisco, was: Re: VPN Solution (fwd) In-Reply-To: Message-ID: <4.2.0.58.19991213071017.009d3610@argentum.network-alchemy.com> I've been reading, the posts, but since i work for the company in their QA department, I've been quiet. I work for Network Alchemy, and we develop VPN gateways that use a clustering technology.. that allows for transparent failover between nodes (as well as being scaleable). For more info, http://www.network-alchemy.com . I'd be happy to answer additional questions, but I'm a little hesitant to start a sales pitch (since this is a technical forum.. not an opportunity for me to sell our product) Jim Collum Network Alchemy Santa Cruz, Ca. At 08:22 AM 12/13/99 -0500, Golder, Fred wrote: >Check out the Gartner Group report from 13 September entitled "The Remote >Access VPN Magic Quadrant Criteria for 2H99" if you want an independent >assessment of positioning in the market place. > >The sales info I was told by both companies 12/3/99 for # of users per box >is as follows. >Product without hardware crypto with hardware crypto >Nortel 4500 2000 5500 >Cisco 7140 100 700 >("VPN router") > >It should be noted that Cisco claims they can stack any number of routers >together and there by handle any number of sessions. I don't know if I >believe that or not. Further the sales man said if the router was also >routing performance would be lower. > >Nortel can load balance between 2 boxes at once and IF you use failure >craftily you can get 8 boxes supporting your load at once. It should also >be noted that Nortel hasn't yet released it's crypto card so that number >is a guess work albeit educated guesswork. 
> >-Fred Golder > >-----Original Message----- >From: Tina Bird >[mailto:tbird at KUSPY.PHSX.UKANS.EDU] >Sent: Friday, December 10, 1999 4:08 PM >To: VPN at SECURITYFOCUS.COM >Subject: Re: Nortel-Cisco, was: Re: VPN Solution (fwd) > >Hi all, >Let me react on few points: >-Unfortunately I don't know the Contivity product, but even if it was very >well designed, if you have a software solution it is normally slower than >the hardware solution, because hardware solution uses dedicated >crypto-processor especially for asymmetric crypto. >-For the VPN on the router, as it implemented on IOS platform, we all know >that they are a security nightmares with many backdoors and bugs, (even if >new products are better), so it is not the best solution (this is my point >of view of course) in terms of security to implement a VPN only on Cisco >routers! >- We have tested some VPN products (both HW and software) in our company, >and it is difficult to say that one product is better than the other, >because it greatly depends on your requirements, but basically here are some >points: >1- hw or soft solution. It's a trade-off between flexibility and speed and >security: normally hw should be faster and secure, and soft solution might >suffer from the platform security (how the OS is or can be hardened) and >limitation (processor speed, memory capacity, etc.). On the opposite, soft >solution are more flexible especially if you have special needs, or if you >want to interact with other VPN products. Concerning the costs HW are >generally more expensive than soft solution but if for your soft >installation you have to buy a machine like a SUN, then costs become more or >less the same... >2- The product shall be fully IPSEC compatible to ensure you the possibility >to work with other IPSEC products. IPSEC lefts open many options (concerning >the algo, concerning the mode), the more options the product have the more >chances you will have for an integration with another IPSEC product. 
>3- Is it possible to make a central management of your VPN system? Remember
>that easy and understandable management leads to better security. You have
>to test this!!!
>4- Finally, if you work with certificates, you will have to look closely at
>how they provide the possibility to generate certificates, to download them to
>the right place and to verify them. Investigate also the possibility to
>import third party certificates. X.509 is a standard for certificate format;
>however, if one product accepts an X.509 certificate it doesn't mean that it
>will accept all other X.509 compatible certificates.
>
>Concerning US IPSEC products. We know that we have a large choice of VPN
>products that are not US products. Because of the US export law
>restrictions, when we (in our company) have to look for an IPSEC product, it
>is very very seldom that we are interested in US products!! And the new text
>proposed for the modification of this law article won't change anything!!
>
>Cheers
>
>
>Azim Ferchichi
>___________________
>CIT-CT-TPM
>IT security and Smart-cards
>Swisscom AG
>CH-3050 BERN
>Phone: +41 31 342 09 22
>Mobile: +41 79 301 55 56
>Fax: +41 31 342 00 08
>______________________
>
> > ----------
> > From: Chris Carlson[SMTP:carlsonmail at yahoo.com]
> > Sent: Friday, 3 December 1999 18:27
> > To: Noam Gruber; eyeque-india at telebot.net
> > Cc: vpn at listserv.secnetgroup.com
> > Subject: Nortel-Cisco, was: Re: VPN Solution
> >
> >
> > --- Noam Gruber wrote:
> > ...
> > > The Cisco and Nortel VPNs are somewhat problematic,
> > > because they are
> > > based on router platforms which weren't built for
> > > security. As such they
> > > have security and low performance problems.
> > ...
> >
> >
> > Noam is grossly incorrect in his statement regarding
> > the Nortel Contivity platform.
> >
> > The Contivity, which Nortel bought from New Oak
> > Communications, uses a real-time OS for Intel written
> > by Wind River.
> > This real-time OS is extremely small,
> > efficient, with custom routing and IPSec drivers
> > written specifically for the VPN application. It is
> > *NOT* based on the Bay Network router line.
> >
> > In fact, the Tolly Group did a performance bake-off
> > between the Contivity 4000 and Cisco 7200 router. The
> > Contivity blew its doors off. Noam is correct
> > regarding the Cisco VPN boxes -- they are IOS routers
> > with VPN code, but hardly bad products.
> >
> > As always, carefully research and test any product
> > before implementing it into your environment. Note
> > that Noam's email is from "radguard.com", a VPN
> > vendor. As such, take his alleged "statements of
> > fact" with a grain of salt with regard to competing
> > products...
> >
> > Regards,
> > Chris
> > __________________________________________________
> > Do You Yahoo!?
> > Thousands of Stores. Millions of Products. All in one place.
> > Yahoo! Shopping: http://shopping.yahoo.com
> >
> > ******************************************
> >VPN is sponsored by SecurityFocus.COM

VPN is sponsored by SecurityFocus.COM

From goldy at COMPATIBLE.COM Mon Dec 13 13:08:06 1999
From: goldy at COMPATIBLE.COM (Steve Goldhaber)
Date: Mon, 13 Dec 1999 11:08:06 -0700
Subject: 1- to -1 NAT and IPsec Tunnels
In-Reply-To: <001301bf452a$199e2200$6f020a0a@netscreen.com>
Message-ID:

On Sun, 12 Dec 1999, Ronald Ng wrote:
> Date: Sun, 12 Dec 1999 21:22:44 -0800
> From: Ronald Ng
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: 1- to -1 NAT and IPsec Tunnels
>
> All IPSec packets should be fragmented, I would think. There is not enough
> room in the packet for it not to be fragmented. The firewall just needs to
> make sure it doesn't do a tear drop, which is the overlap condition you
> described.

First, only large packets are ever subject to fragmentation. For large packets, there are a couple of different scenarios:

1) The packet is sent to the IPSec system (internal stack or IPSec gateway) without the DF-bit set.
In this case, the IPSec system can fragment the packet and protect each fragment. For IPSec transport mode (typical in host-to-host IPSec connections), this results in two IP fragments which need to get through whatever fragment filters you have. For tunnel mode (required for host-to-gateway or gateway-to-gateway connections), the resulting two packets are *not* IP fragments, but regular IPSec IP packets.

2) If the packet gets to the IPSec system with the DF-bit set (e.g., most FTP servers), the IPSec system is supposed to send an ICMP error message back to the originating server. A well-behaved server will then resend the data in smaller packets which do not need fragmentation. At this point, each data packet gets sent in one IPSec packet with no fragmentation going on at all.

So the upshot is that it is usually possible to avoid fragmentation problems. If some things work while others seem to have problems, check the servers for the applications that don't work; they may need updating. For a while, there were many web servers which didn't handle the "lower your MTU" ICMP messages described in item 2 above. Updated server code should fix most of your problems. You may also need to fiddle a bit with the settings on your IPSec boxes to make sure they handle things correctly.

Steve Goldhaber goldy at compatible.com
Compatible Systems Corp. (303) 444-9532 www.compatible.com

VPN is sponsored by SecurityFocus.COM

From rng at NETSCREEN.COM Mon Dec 13 14:38:36 1999
From: rng at NETSCREEN.COM (Ronald Ng)
Date: Mon, 13 Dec 1999 11:38:36 -0800
Subject: 1- to -1 NAT and IPsec Tunnels
References:
Message-ID: <38554B3C.29968BC2@netscreen.com>

I stand corrected. I think the reason I've been seeing this is due to the application end of things. Thanks.
Steve Goldhaber wrote:
>
> On Sun, 12 Dec 1999, Ronald Ng wrote:
>
> > Date: Sun, 12 Dec 1999 21:22:44 -0800
> > From: Ronald Ng
> > To: VPN at SECURITYFOCUS.COM
> > Subject: Re: 1- to -1 NAT and IPsec Tunnels
> >
> > All IPSec packets should be fragmented, I would think. There is not enough
> > room in the packet for it not to be fragmented. The firewall just needs to
> > make sure it doesn't do a tear drop, which is the overlap condition you
> > described.
>
> First, only large packets are ever subject to fragmentation. For large
> packets, there are a couple of different scenarios:
>
> 1) The packet is sent to the IPSec system (internal stack or IPSec
> gateway) without the DF-bit set. In this case, the IPSec system can
> fragment the packet and protect each fragment. For IPSec transport mode
> (typical in host-to-host IPSec connections), this results in two IP
> fragments which need to get through whatever fragment filters you have.
> For tunnel mode (required for host-to-gateway or gateway-to-gateway
> connections), the resulting two packets are *not* IP fragments, but
> regular IPSec IP packets.
>
> 2) If the packet gets to the IPSec system with the DF-bit set (e.g., most
> FTP servers), the IPSec system is supposed to send an ICMP error message
> back to the originating server. A well-behaved server will then resend the
> data in smaller packets which do not need fragmentation. At this point,
> each data packet gets sent in one IPSec packet with no fragmentation going
> on at all.
>
> So the upshot is that it is usually possible to avoid fragmentation
> problems. If some things work while others seem to have problems, check
> the servers for the applications that don't work; they may need updating.
> For a while, there were many web servers which didn't handle the "lower
> your MTU" ICMP messages described in item 2 above. Updated server code
> should fix most of your problems.
> You may also need to fiddle a bit with
> the settings on your IPSec boxes to make sure they handle things
> correctly.
>
> Steve Goldhaber goldy at compatible.com
> Compatible Systems Corp. (303) 444-9532 www.compatible.com
>
> VPN is sponsored by SecurityFocus.COM

--
Ronald Ng
rng at netscreen.com

VPN is sponsored by SecurityFocus.COM

From twolsey at REALTECH.COM Mon Dec 13 13:05:23 1999
From: twolsey at REALTECH.COM (TC Wolsey)
Date: Mon, 13 Dec 1999 13:05:23 -0500
Subject: 1- to -1 NAT and IPsec Tunnels (fwd)
Message-ID:

> Tina Bird 12/10/99 04:05PM >>>
>This may have been touched upon, but I just wanted a clarification.
>
>Can you establish an IPsec (triple-DES) tunnel when using one-to-one NAT?

Maybe. Assuming that you are using IKE to negotiate the tunnel, the security gateways must be able to bind the NAT'ed address of the remote gateway to the correct identity. Using quick mode for IKE negotiations may help if you are using certs for authentication because the gateway gets the cert (identity) of the peer before it has to produce the key material that authenticates that peer.

AFAIK, NAT will always break AH communications, tunnel or transport mode, although the RFC does not necessarily forbid this arrangement. If your ESP tunnel can be established then the packets should sail happily through the NAT with no ill effects.

>
>I know NAT overload scheme disrupts the header information, and prohibits
>IPsec tunnels.

All NAT disrupts the network (IP) header information; NAT overload (or PAT, masquerade, etc.) mangles the transport headers as well, specifically the port numbers for TCP and UDP. Of course ESP and AH do not have ports to multiplex multiple datastreams to one IP address; they use SPIs in the AH/ESP header to do something similar. You can play with the port numbers for most TCP/UDP communications and the upper layer payload will still be usable.
Play with the SPIs in an AH/ESP packet while it is in transit and the receiving end will either drop it on the floor (almost always) or decrypt it just to have it fail authentication (the chance of this is very small).

Regards,
--tcw

VPN is sponsored by SecurityFocus.COM

From aldiss at CJAS.ORG Tue Dec 14 17:54:55 1999
From: aldiss at CJAS.ORG (Indiana Zephyr)
Date: Tue, 14 Dec 1999 17:54:55 -0500
Subject: solaris -> nt -> vpn
Message-ID:

If anyone out there could provide comments and pointers on the following, thanks much in advance. Obviously I'm a beginner, so not sure why I got stuck with this, but anyway...

My company needs to connect to someone else's VPN. Both networks are behind CheckPoint FW-1. Instead of setting up a VPN server on our end (which we probably can't afford) we're going to try connecting using a VPN client, the way many laptop users connect using dialup networking. The trick is, it's our dev server (Solaris) which needs to trade data through the VPN link. Currently only NT VPN clients are available (aside: does anyone know if F-Secure's VPN client would work with CheckPoint's VPN or is there proprietary stuff going on?).

Someone came up with the great idea of setting up an NT box as a router and installing the NT VPN client on there, then routing all traffic from the Solaris box through the NT VPN client. Does this sound possible to people on this newsgroup? I'd like a sanity check here. Theoretically it sounds like we can implement it, but who knows. Thanks for your help.

VPN is sponsored by SecurityFocus.COM

From matthew.patton at NETSEC.NET Tue Dec 14 09:40:24 1999
From: matthew.patton at NETSEC.NET (Matthew Patton)
Date: Tue, 14 Dec 1999 09:40:24 -0500
Subject: IPsec Tunnels and fragmentation
References:
Message-ID: <385656D8.9DF9DCFA@netsec.net>

This 'frag' issue caught me by surprise with some sessions we had going. The symptom was hanging active mode ftp uploads to a server.
The *only* time I saw fragmented ESP packets was when the client started the upload process. It was rather bizarre. Right now I have issues with high latency networks not being able to upload. Even playing with MTU size and disabling PathMTUDiscover is not having the desired effect. Client is NT. Server is NT. VPN gateway is OpenBSD.

==============
Network Security Technologies Inc. - Commercial support for OpenBSD
www.netsec.net matthew.patton at netsec.net
"Government is not reason; it is not eloquence; it is force! Like fire, it is a dangerous servant and a fearful master." - George Washington

VPN is sponsored by SecurityFocus.COM

From patrick at SECUREOPS.COM Tue Dec 14 11:39:34 1999
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Tue, 14 Dec 1999 11:39:34 -0500
Subject: ISAKMPD and Variable IP addresses
Message-ID:

Hi gang,

Ok, I've been confronted with a strange request. I'm using OpenBSD 2.6 with their implementation of ISAKMPD. I was asked if we could implement a VPN between our office and a laptop that will be moving all around the world. Now, in the config files, it asks for the IP address of the Peer. I figured "This is free software and doesn't support this feature" but then I checked out our VPN-1 setup and it doesn't either. Can somebody please explain the theory of how this is done, or will I have to develop my own client/server to modify my setups every time an IP changes?

Thanks,
Patrick Ethier
patrick at secureops.com

VPN is sponsored by SecurityFocus.COM

From angelos at DSL.CIS.UPENN.EDU Tue Dec 14 15:36:25 1999
From: angelos at DSL.CIS.UPENN.EDU (Angelos D. Keromytis)
Date: Tue, 14 Dec 1999 15:36:25 -0500
Subject: ISAKMPD and Variable IP addresses
In-Reply-To: Your message of "Tue, 14 Dec 1999 11:39:34 EST."
Message-ID: <199912142036.PAA10585@nyarlathotep>

> Ok, I've been confronted with a strange request. I'm using OpenBSD 2.6 with
>their implementation of ISAKMPD.
>I was asked if we could implement a VPN
>between our office and a laptop that will be moving all around the world.
>Now, in the config files, it asks for the IP address of the Peer. I figured
>"This is free software and doesn't support this feature" but then I checked
>out our VPN-1 setup and it doesn't either. Can somebody please explain
>the theory of how this is done or will I have to develop my own client/server
>to modify my setups every time an IP changes.

In fact, it does support an empty Peer address; there's a default Phase-1 entry you can use for any that don't match an ID:

[Phase 1]
Default= VPN-peer-client-default

-Angelos

VPN is sponsored by SecurityFocus.COM

From patrick at SECUREOPS.COM Tue Dec 14 16:01:16 1999
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Tue, 14 Dec 1999 16:01:16 -0500
Subject: ISAKMPD and Variable IP addresses
Message-ID:

Cool, I tried it and it works fine. But what if you have more than one IPless peer? Will the isakmpd identify them by the PEER name that gets sent?

BTW, I've documented most of my wall-headbashing experience, so if you guys want to post it as a faq I'll send it to the misc list.

-----Original Message-----
From: Angelos D. Keromytis [mailto:angelos at dsl.cis.upenn.edu]
Sent: Tuesday, December 14, 1999 3:36 PM
To: Patrick Ethier
Cc: 'vpn at securityfocus.com'; 'misc at openbsd.org'
Subject: Re: ISAKMPD and Variable IP addresses

> Ok, I've been confronted with a strange request. I'm using OpenBSD 2.6 with
>their implementation of ISAKMPD. I was asked if we could implement a VPN
>between our office and a laptop that will be moving all around the world.
>Now, in the config files, it asks for the IP address of the Peer. I figured
>"This is free software and doesn't support this feature" but then I checked
>out our VPN-1 setup and it doesn't either. Can somebody please explain
>the theory of how this is done or will I have to develop my own client/server
>to modify my setups every time an IP changes.
In fact, it does support an empty Peer address; there's a default Phase-1 entry you can use for any that don't match an ID:

[Phase 1]
Default= VPN-peer-client-default

-Angelos

VPN is sponsored by SecurityFocus.COM

From patrick at SECUREOPS.COM Wed Dec 15 13:29:32 1999
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Wed, 15 Dec 1999 13:29:32 -0500
Subject: IPsec Tunnels and fragmentation
Message-ID:

Hi Matt,

I'm not sure if this helps at all, but we noticed a while back that inside the kernel config file, the actual GENERIC one in the sys/conf directory, that the MTU size of IPSec packets was something like 1536... I never figured it out, because my MTU for everything else is set to 1500 because I'm running off of ethernet. Our SysAdmin here suggested we change the number. I haven't and I don't get any fragments whatsoever. Maybe this has something to do with it.

Patrick Ethier
patrick at secureops.com

-----Original Message-----
From: Matthew Patton [mailto:matthew.patton at NETSEC.NET]
Sent: Tuesday, December 14, 1999 9:40 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: IPsec Tunnels and fragmentation

This 'frag' issue caught me by surprise with some sessions we had going. The symptom was hanging active mode ftp uploads to a server. The *only* time I saw fragmented ESP packets was when the client started the upload process. It was rather bizarre. Right now I have issues with high latency networks not being able to upload. Even playing with MTU size and disabling PathMTUDiscover is not having the desired effect. Client is NT. Server is NT. VPN gateway is OpenBSD.

==============
Network Security Technologies Inc. - Commercial support for OpenBSD
www.netsec.net matthew.patton at netsec.net
"Government is not reason; it is not eloquence; it is force! Like fire, it is a dangerous servant and a fearful master."
- George Washington

VPN is sponsored by SecurityFocus.COM

From matthewr at MORETON.COM.AU Tue Dec 14 18:48:07 1999
From: matthewr at MORETON.COM.AU (Matthew Ramsay)
Date: Wed, 15 Dec 1999 09:48:07 +1000
Subject: solaris -> nt -> vpn
References:
Message-ID: <99121509485108.13906@gibberling>

If the VPN server is MS compatible you should be able to get the Linux PPTP client running on Solaris (I think ports are already available).

-matt

On Wed, 15 Dec 1999, Indiana Zephyr wrote:
>If anyone out there could provide comments and pointers on the following,
>thanks much in advance. Obviously I'm a beginner, so not sure why I got
>stuck with this, but anyway...
>
>My company needs to connect to someone else's VPN. Both networks are
>behind CheckPoint FW-1. Instead of setting up a VPN server on our end
>(which we probably can't afford) we're going to try connecting using a VPN
>client, the way many laptop users connect using dialup networking. The
>trick is, it's our dev server (Solaris) which needs to trade data through
>the VPN link. Currently only NT VPN clients are available (aside: does
>anyone know if F-Secure's VPN client would work with CheckPoint's VPN or
>is there proprietary stuff going on?).
>
>Someone came up with the great idea of setting up an NT box as a router
>and installing the NT VPN client on there, then routing all traffic from
>the Solaris box through the NT VPN client. Does this sound possible to
>people on this newsgroup? I'd like a sanity check here. Theoretically it
>sounds like we can implement it, but who knows. Thanks for your help.
> >VPN is sponsored by SecurityFocus.COM

--
Matthew Ramsay

VPN is sponsored by SecurityFocus.COM

From Azim.Ferchichi at SWISSCOM.COM Wed Dec 15 03:42:05 1999
From: Azim.Ferchichi at SWISSCOM.COM (Azim.Ferchichi at SWISSCOM.COM)
Date: Wed, 15 Dec 1999 09:42:05 +0100
Subject: solaris -> nt -> vpn
Message-ID: <7E46AF731AD5D111BF4F0000F830C63D03A10806@gd3i5w.swissptt.ch>

Hi,

The Trustworks company sells an IPSEC server for Solaris machines. So if you have to set up a secure connection between this Solaris machine (your dev server) and a partner site, you only need to buy the IPSEC software for the Solaris machine, which costs around 2,000 US$. The first thing you have to check is if the partner's VPN is IPSEC compliant or not. If it is then you can work with the product I mentioned (and other similar products should exist). Of course you will have to open the port for IKE in the firewall and let the IPSEC traffic pass between the 2 machines...

Another problem is the management. As VPN management is not standardised, it's quite sure that it won't be possible to manage your IPSEC server with the management tools of your partner's VPN. But you will be able to manage your IPSEC dev server directly from the console (if any), and maybe it's better for you because you keep control of the security of your machine, even if it's part of a partner's VPN....

Concerning the solution you mentioned, "NT router with VPN software", theoretically it's possible, but we had in the past some surprises with the routing and NT, and I think if you want to avoid problems you'd better choose the solution I mentioned...

Hope it helps

Azim Ferchichi
___________________
CIT-CT-TPM
IT security and Smart-cards
Swisscom AG
CH-3050 BERN
Phone: +41 31 342 09 22
Mobile: +41 79 301 55 56
Fax: +41 31 342 00 08
______________________

> ----------
> From: Indiana Zephyr[SMTP:aldiss at cjas.org]
> Sent: Tuesday, 14 December 1999 23:54
> To: VPN at SECURITYFOCUS.COM
> Subject: solaris -> nt -> vpn
>
> If anyone out there could provide comments and pointers on the following,
> thanks much in advance. Obviously I'm a beginner, so not sure why I got
> stuck with this, but anyway...
>
> My company needs to connect to someone else's VPN. Both networks are
> behind CheckPoint FW-1. Instead of setting up a VPN server on our end
> (which we probably can't afford) we're going to try connecting using a VPN
> client, the way many laptop users connect using dialup networking. The
> trick is, it's our dev server (Solaris) which needs to trade data through
> the VPN link. Currently only NT VPN clients are available (aside: does
> anyone know if F-Secure's VPN client would work with CheckPoint's VPN or
> is there proprietary stuff going on?).
>
> Someone came up with the great idea of setting up an NT box as a router
> and installing the NT VPN client on there, then routing all traffic from
> the Solaris box through the NT VPN client. Does this sound possible to
> people on this newsgroup? I'd like a sanity check here. Theoretically it
> sounds like we can implement it, but who knows. Thanks for your help.
>
> VPN is sponsored by SecurityFocus.COM
>

VPN is sponsored by SecurityFocus.COM

From ajh at THIS.NET Wed Dec 15 05:51:21 1999
From: ajh at THIS.NET (Andreas Haug)
Date: Wed, 15 Dec 1999 11:51:21 +0100
Subject: NT and VPN: Chicken and egg problem?
Message-ID: <001101bf46ea$5288eca0$116bfec3@this.net>

First of all I'm sorry for asking such a basic question, but since nobody (read: no vendor) could point me to a solution... Anyway, here goes:

Most Windows NT VPN products use some program to establish the VPN. To use this program, one has to be logged into the machine. Now, what if the user has to log into the domain which is "behind" the VPN because his user credentials are stored there? He can't log in because the VPN isn't running and he can't establish the VPN because he can't log in.
The simple solution would be to (a) have NT cache the login information, which would mean putting the machine on the CN once and having the user log in, or (b) to create a local account for the user. I don't like either of them.

Sincerely puzzled,

Andreas Haug
--
HOME ajh at this.net http://this.net/me Phone +49 7127 972454 Fax 972451
NEW PGP Key 3/99 www.keyserver.net 9EBB4647C7741CE3ADE112B7B82995DAE4F0CD75

VPN is sponsored by SecurityFocus.COM

From eric_h at EARTHLINK.NET Wed Dec 15 09:18:26 1999
From: eric_h at EARTHLINK.NET (Eric Henriksen)
Date: Wed, 15 Dec 1999 09:18:26 -0500
Subject: ISAKMPD and Variable IP addresses
References:
Message-ID: <002701bf4707$449c4b60$02c8a8c0@redcreek.com>

Not sure if this helps, but other products allow for dynamic IP addresses on remote 'initiator' peers, as long as they're using certificates for the Phase I authentication. The settings I've seen usually are to put a 0.0.0.0 address in the VPN-Peer-Client field.

Good luck.

----- Original Message -----
From: Patrick Ethier
To:
Sent: Tuesday, December 14, 1999 4:01 PM
Subject: Re: ISAKMPD and Variable IP addresses

> Cool, I tried it and it works fine. But what if you have more than one
> IPless peer? Will the isakmpd identify them by the PEER name that gets sent?
>
>
> BTW, I've documented most of my wall-headbashing experience, so if you guys
> want to post it as a faq I'll send it to the misc list.
>
>
> -----Original Message-----
> From: Angelos D. Keromytis [mailto:angelos at dsl.cis.upenn.edu]
> Sent: Tuesday, December 14, 1999 3:36 PM
> To: Patrick Ethier
> Cc: 'vpn at securityfocus.com'; 'misc at openbsd.org'
> Subject: Re: ISAKMPD and Variable IP addresses
>
>
> > Ok, I've been confronted with a strange request. I'm using OpenBSD 2.6
> with
> >their implementation of ISAKMPD. I was asked if we could implement a VPN
> >between our office and a laptop that will be moving all around the world.
> >Now, in the config files, it asks for the IP address of the Peer.
> >I figured
> >"This is free software and doesn't support this feature" but then I checked
> >out our VPN-1 setup and it doesn't either. Can somebody please explain
> >the theory of how this is done or will I have to develop my own client/server
> >to modify my setups every time an IP changes.
>
> In fact, it does support an empty Peer address; there's a default Phase-1 entry
> you can use for any that don't match an ID:
>
> [Phase 1]
> Default= VPN-peer-client-default
>
> -Angelos
>
> VPN is sponsored by SecurityFocus.COM
>

VPN is sponsored by SecurityFocus.COM

From jonc at HAHT.COM Thu Dec 16 10:52:06 1999
From: jonc at HAHT.COM (Jon Carnes)
Date: Thu, 16 Dec 1999 10:52:06 -0500
Subject: solaris -> nt -> vpn
References:
Message-ID: <010c01bf47dd$92e81110$6803010a@dhcp.haht.com>

Using the NT as a router dialed into their network should work fine. The only gotcha to worry about is that you may have to add a route to the remote network on your Solaris box (the default gateway would be the NT box), and they may have to add a route to your machine on their network (the default gateway would be your NT box).

Of course, if you set the NT box up to act as a proxy server (masquerading) then they will see all requests as coming from the NT box, and they won't have to add a route to respond to your network requests.

I've never played with CheckPoint, but I've built a lot of VPN's and routing always seems to be the biggest hurdle for novices.

Good Luck!

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "Indiana Zephyr"
To:
Sent: Tuesday, December 14, 1999 5:54 PM
Subject: solaris -> nt -> vpn

> If anyone out there could provide comments and pointers on the following,
> thanks much in advance. Obviously I'm a beginner, so not sure why I got
> stuck with this, but anyway...
>
> My company needs to connect to someone else's VPN. Both networks are
> behind CheckPoint FW-1.
> Instead of setting up a VPN server on our end
> (which we probably can't afford) we're going to try connecting using a VPN
> client, the way many laptop users connect using dialup networking. The
> trick is, it's our dev server (Solaris) which needs to trade data through
> the VPN link. Currently only NT VPN clients are available (aside: does
> anyone know if F-Secure's VPN client would work with CheckPoint's VPN or
> is there proprietary stuff going on?).
>
> Someone came up with the great idea of setting up an NT box as a router
> and installing the NT VPN client on there, then routing all traffic from
> the Solaris box through the NT VPN client. Does this sound possible to
> people on this newsgroup? I'd like a sanity check here. Theoretically it
> sounds like we can implement it, but who knows. Thanks for your help.
>
> VPN is sponsored by SecurityFocus.COM

VPN is sponsored by SecurityFocus.COM

From jonc at HAHT.COM Thu Dec 16 12:01:35 1999
From: jonc at HAHT.COM (Jon Carnes)
Date: Thu, 16 Dec 1999 12:01:35 -0500
Subject: NT and VPN: Chicken and egg problem?
References: <001101bf46ea$5288eca0$116bfec3@this.net>
Message-ID: <023601bf47e7$483280b0$6803010a@dhcp.haht.com>

Actually, there is a check box (after you install RAS access on an NT machine) in the log on screen that asks if you are logging on via dial-up. The dial-up can be either via phone or VPN. You use this for access to the local machine using your credentials stored on the remote network.

Hope that un-puzzles you!

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "Andreas Haug"
To:
Sent: Wednesday, December 15, 1999 5:51 AM
Subject: NT and VPN: Chicken and egg problem?

> First of all I'm sorry for asking such a basic question, but since nobody (read: no vendor) could point me to a solution... Anyway, here goes:
>
> Most Windows NT VPN products use some program to establish the VPN. To use this program, one has to be logged into the machine.
> Now, what if the user has to log into the domain which is "behind" the VPN because his user credentials are stored there? He can't log in because the VPN isn't running and he can't establish the VPN because he can't log in.
>
> The simple solution would be to (a) have NT cache the login information, which would mean putting the machine on the CN once and having the user log in, or (b) to create a local account for the user. I don't like either of them.
>
> Sincerely puzzled,
>
> Andreas Haug
> --
> HOME ajh at this.net http://this.net/me Phone +49 7127 972454 Fax 972451
> NEW PGP Key 3/99 www.keyserver.net 9EBB4647C7741CE3ADE112B7B82995DAE4F0CD75
>
> VPN is sponsored by SecurityFocus.COM

VPN is sponsored by SecurityFocus.COM

From kemp at INDUSRIVER.COM Thu Dec 16 11:41:13 1999
From: kemp at INDUSRIVER.COM (Brad Kemp)
Date: Thu, 16 Dec 1999 11:41:13 -0500
Subject: NT and VPN: Chicken and egg problem?
In-Reply-To: <001101bf46ea$5288eca0$116bfec3@this.net>
Message-ID: <3.0.3.32.19991216114113.03b97d30@pop3.indusriver.com>

Andreas,

In some limited situations, you could use the 'Logon using dialup networking' checkbox on the logon screen. If you are on a cable modem or DSL line, this may work; however, even with autodial set up correctly, I have not been able to get the tunnel connectoid to call the ISP connectoid to get an Internet connection. (Autodial and connectoid information is stored per user; when the tunnel tries to use autodial, there is no user information on which connectoid to use or credentials for that connectoid.)

NT does cache credentials. If you log on to a disconnected box using cached credentials you will get a message box saying that all network resources may not be available.

When a tunnel is established, logon scripts are not run. NT believes it has already authenticated and does not need to logon to the network again.
There are a few ways around this; some vendors provide the capability to run the login scripts after the tunnel is established (Indus River). You can wrap the connection in a script that calls the logon script after the tunnel is established, or you may be able to use the scripting capabilities of the connectoid to run the login scripts. However, all of these require the user to have previously logged on to the corporate network.

The best way to do what you want is to write a new GINA. This would replace the NT logon. I do not know of any vendors that have done this. (Novell has, but it does not support tunnels or any kind of dialup networking).

Brad

At 11:51 AM 12/15/99 +0100, Andreas Haug wrote:
>First of all I'm sorry for asking such a basic question, but since nobody (read: no vendor) could point me to a solution... Anyway, here goes:
>
>Most Windows NT VPN products use some program to establish the VPN. To use this program, one has to be logged into the machine. Now, what if the user has to log into the domain which is "behind" the VPN because his user credentials are stored there? He can't log in because the VPN isn't running and he can't establish the VPN because he can't log in.
>
>The simple solution would be to (a) have NT cache the login information, which would mean putting the machine on the CN once and having the user log in, or (b) to create a local account for the user. I don't like either of them.
>
>Sincerely puzzled,
>
>Andreas Haug
>--
>HOME ajh at this.net http://this.net/me Phone +49 7127 972454 Fax 972451
>NEW PGP Key 3/99 www.keyserver.net 9EBB4647C7741CE3ADE112B7B82995DAE4F0CD75
>
>VPN is sponsored by SecurityFocus.COM
>
--- -- --
Brad Kemp
Indus River Networks, Inc.
BradKemp at indusriver.com      31 Nagog Park
978-266-8122                   Acton, MA 01720
fax 978-266-8111

From Joe.M.Hoffman at MAIL.SPRINT.COM Thu Dec 16 15:22:21 1999
From: Joe.M.Hoffman at MAIL.SPRINT.COM (Joe M Hoffman)
Date: Thu, 16 Dec 1999 14:22:21 -0600
Subject: solaris -> nt -> vpn
Message-ID:

Why don't you just use CheckPoint's Secure Remote (VPN) solution? It comes with the CheckPoint FW-1 package ???? Basically this is a VPN client......

-----Original Message-----
From: jonc [mailto:jonc at haht.com]
Sent: Thursday, December 16, 1999 7:52 AM
To: VPN
Cc: jonc
Subject: Re: solaris -> nt -> vpn

Using the NT as a router dialed into their network should work fine. The only gotcha to worry about is that you may have to add a route to the remote network on your Solaris box (the default gateway would be the NT box), and they may have to add a route to your machine on their network (the default gateway would be your NT box). Of course, if you set the NT box up to act as a proxy server (masquerading) then they will see all requests as coming from the NT box, and they won't have to add a route to respond to your network requests.

I've never played with CheckPoint, but I've built a lot of VPNs and routing always seems to be the biggest hurdle for novices.

Good Luck!

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "Indiana Zephyr"
To:
Sent: Tuesday, December 14, 1999 5:54 PM
Subject: solaris -> nt -> vpn

> If anyone out there could provide comments and pointers on the following, thanks much in advance. Obviously I'm a beginner, so not sure why I got stuck with this, but anyway...
>
> My company needs to connect to someone else's VPN. Both networks are behind CheckPoint FW-1. Instead of setting up a VPN server on our end (which we probably can't afford) we're going to try connecting using a VPN client, the way many laptop users connect using dialup networking.
> The trick is, it's our dev server (Solaris) which needs to trade data through the VPN link. Currently only NT VPN clients are available (aside: does anyone know if F-Secure's VPN client would work with CheckPoint's VPN or is there proprietary stuff going on?).
>
> Someone came up with the great idea of setting up an NT box as a router and installing the NT VPN client on there, then routing all traffic from the Solaris box through the NT VPN client. Does this sound possible to people on this newsgroup? I'd like a sanity check here. Theoretically it sounds like we can implement it, but who knows. Thanks for your help.
>

From Joe.M.Hoffman at MAIL.SPRINT.COM Thu Dec 16 15:24:44 1999
From: Joe.M.Hoffman at MAIL.SPRINT.COM (Joe M Hoffman)
Date: Thu, 16 Dec 1999 14:24:44 -0600
Subject: solaris -> nt -> vpn
Message-ID:

PPTP sends some information in clear text; better stick with IPsec or FWZ (CheckPoint's proprietary)....

-----Original Message-----
From: matthewr [mailto:matthewr at moreton.com.au]
Sent: Tuesday, December 14, 1999 3:48 PM
To: VPN
Cc: matthewr
Subject: Re: solaris -> nt -> vpn

If the VPN server is MS compatible you should be able to get the Linux PPTP client running on Solaris (I think ports are already available).

-matt

On Wed, 15 Dec 1999, Indiana Zephyr wrote:
>If anyone out there could provide comments and pointers on the following, thanks much in advance. Obviously I'm a beginner, so not sure why I got stuck with this, but anyway...
>
>My company needs to connect to someone else's VPN. Both networks are behind CheckPoint FW-1. Instead of setting up a VPN server on our end (which we probably can't afford) we're going to try connecting using a VPN client, the way many laptop users connect using dialup networking. The trick is, it's our dev server (Solaris) which needs to trade data through the VPN link.
>Currently only NT VPN clients are available (aside: does anyone know if F-Secure's VPN client would work with CheckPoint's VPN or is there proprietary stuff going on?).
>
>Someone came up with the great idea of setting up an NT box as a router and installing the NT VPN client on there, then routing all traffic from the Solaris box through the NT VPN client. Does this sound possible to people on this newsgroup? I'd like a sanity check here. Theoretically it sounds like we can implement it, but who knows. Thanks for your help.
>

--
Matthew Ramsay

From jgl at MAPFRE.COM Sun Dec 19 07:37:19 1999
From: jgl at MAPFRE.COM ("González López, Joaquín Javier")
Date: Sun, 19 Dec 1999 13:37:19 +0100
Subject: Trying to connect to NT domain
Message-ID:

Hello:

I'm trying to connect to a Windows NT domain with a Linux machine. I'm sure that the VPN in NT is correct because I can connect with W9x. My problem is when I try with a Linux machine. My kernel is 2.2.13 and below are the script that I use, the chap-secrets and the log. Can somebody help me?

Thanks in advance.

BEGIN (script)
pptp 195.255.200.1 debug noauth name dom1\\user1 remotename 195.255.200.1
END

BEGIN (chap-secrets)
# Secrets for authentication using CHAP
# client          server          secret    IP addresses
dom1\\user1       195.255.200.1   xxxxx     *
195.255.200.1     dom1\\user1     xxxxx     *
END

BEGIN (log generated by script)
(unknown)[20814]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:531]: Client connection established.
(unknown)[20814]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:637]: Outgoing call established.
Using interface ppp1
Connect: ppp1 <--> /dev/ttya0
sent [LCP ConfReq id=0x1 ]
rcvd [LCP ConfReq id=0x0 ]
sent [LCP ConfNak id=0x0 ]
rcvd [LCP ConfAck id=0x1 ]
rcvd [LCP ConfReq id=0x1 ]
sent [LCP ConfAck id=0x1 ]
rcvd [CHAP Challenge id=0x64 <15d40ade8fd97bc7>, name = "PDCdom1"]
sent [CHAP Response id=0x64 <000000000000000000000000000000000000000000000000a97d0f7b3657f75c906915440a109188bb11f2720e16a6d201>, name = "dom1\\user1"]
rcvd [CHAP Success id=0x64 ""]
sent [IPCP ConfReq id=0x1 ]
sent [CCP ConfReq id=0x1 ]
rcvd [CCP ConfReq id=0x3 < 12 06 01 00 00 31>]
sent [CCP ConfRej id=0x3 < 12 06 01 00 00 31>]
rcvd [IPCP ConfReq id=0x4 ]
sent [IPCP ConfAck id=0x4 ]
rcvd [IPCP ConfRej id=0x1 ]
sent [IPCP ConfReq id=0x2 ]
rcvd [CCP ConfRej id=0x1 ]
sent [CCP ConfReq id=0x2]
rcvd [CCP TermReq id=0x5 00 00 70 e5 00 3c cd 74 00 00 02 dc]
sent [CCP TermAck id=0x5]
rcvd [IPCP ConfNak id=0x2 ]
sent [IPCP ConfReq id=0x3 ]
rcvd [LCP TermReq id=0x6 00 00 70 e5 00 3c cd 74 00 00 02 e6]
LCP terminated by peer (^@^@pM-e^@

I have been trying to get the program VNC, which is a remote control program for NT, similar to pcANYWHERE, to function across an IPSEC tunnel terminating at an FW-1 firewall. There appears to be something wrong with the protocol that the application uses, since it won't set up tcp sessions. I have tried it from both another FW-1 box and the RealSecure product; neither works. Has anyone gotten this program to work? If not, does anyone have any recommendations for an NT remote control product that they have had good luck using over IPSEC?

Thanks

From rizal at MIMOS.MY Fri Dec 17 22:40:59 1999
From: rizal at MIMOS.MY (Mohammad Rizal Othman)
Date: Sat, 18 Dec 1999 11:40:59 +0800
Subject: ISAKMPD and Variable IP addresses
References: <199912142036.PAA10585@nyarlathotep>
Message-ID: <385B024B.7F2804B2@mimos.my>

"Angelos D. Keromytis" wrote:
>
> >Ok, I've been confronted with a strange request.
> >I'm using OpenBSD 2.6 with their implementation of ISAKMPD. I was asked if we could implement a VPN between our office and a laptop that will be moving all around the world. Now, in the config files, it asks for the IP address of the Peer. I figured "This is free software and doesn't support this feature" but then I checked out our VPN-1 setup and it doesn't either. Can somebody please explain the theory of how this is done, or will I have to develop my own client/server to modify my setups every time an IP changes?
>
> In fact, it does support empty Peer address; there's a default Phase-1 entry you can use for any that don't match an ID:
>
> [Phase 1]
> Default= VPN-peer-client-default
>
> -Angelos

I tried this on an OpenBSD 2.6 with PGPNet 6.5.2 and received the following in my log:

Dec 17 17:11:55 TheDragon isakmpd: exchange_setup_p1: no configuration for peer "VPN-peer-client-default"

Can somebody point out what stupid thing I had done?

--
,-----------------------------------------------------------------------.
> Mohammad Rizal Othman | If it doesn't work, force it.                  <
> rizal at mimos.my     | If it breaks, it needed replacing anyway.       <
`-----------------------------------------------------------------------'

From matthewr at MORETON.COM.AU Sun Dec 19 18:13:37 1999
From: matthewr at MORETON.COM.AU (Matthew Ramsay)
Date: Mon, 20 Dec 1999 09:13:37 +1000
Subject: solaris -> nt -> vpn
References:
Message-ID: <99122009222703.26628@gibberling>

For some people PPTP is secure enough. The biggest plus in my book is that it is *free*.. and the reality of the situation is there is always a trade off between cost and security.. and if someone really wants to get in to ***any*** system it's going to happen no matter what VPN software/hardware you use.

All I'm saying is PPTP remains a valid solution for this very reason.
Cheers,
-matt

On Fri, 17 Dec 1999, Joe M Hoffman wrote:
>PPTP sends some information in clear text; better stick with IPsec or FWZ (CheckPoint's proprietary)....
>
>-----Original Message-----
>From: matthewr [mailto:matthewr at moreton.com.au]
>Sent: Tuesday, December 14, 1999 3:48 PM
>To: VPN
>Cc: matthewr
>Subject: Re: solaris -> nt -> vpn
>
>
>If the VPN server is MS compatible you should be able to get the Linux PPTP client running on Solaris (I think ports are already available).
>
>-matt
>
>
>On Wed, 15 Dec 1999, Indiana Zephyr wrote:
>>If anyone out there could provide comments and pointers on the following, thanks much in advance. Obviously I'm a beginner, so not sure why I got stuck with this, but anyway...
>>
>>My company needs to connect to someone else's VPN. Both networks are behind CheckPoint FW-1. Instead of setting up a VPN server on our end (which we probably can't afford) we're going to try connecting using a VPN client, the way many laptop users connect using dialup networking. The trick is, it's our dev server (Solaris) which needs to trade data through the VPN link. Currently only NT VPN clients are available (aside: does anyone know if F-Secure's VPN client would work with CheckPoint's VPN or is there proprietary stuff going on?).
>>
>>Someone came up with the great idea of setting up an NT box as a router and installing the NT VPN client on there, then routing all traffic from the Solaris box through the NT VPN client. Does this sound possible to people on this newsgroup? I'd like a sanity check here. Theoretically it sounds like we can implement it, but who knows. Thanks for your help.
>>
>--
>Matthew Ramsay
>
>
--
Matthew Ramsay
Moreton Bay

From toddw at LIGHTMAIL.COM Sun Dec 19 19:01:30 1999
From: toddw at LIGHTMAIL.COM (Todd Wilburn)
Date: Sun, 19 Dec 1999 16:01:30 -0800
Subject: VPN and Internet access
Message-ID:

I am the IT Technician for a company that is just starting to get a network, server and VPN set up and going. I got the job because I know the most about computers and networks in the company, so we are learning as we are going with VPNs. Our router/firewall is a Shiva LAN Rover VPN Express on an ADSL line. We have 15 workstations, 3 remote workstations and 10 wireless vehicle workstations.

We need to tie in our vehicles, via wireless VPN, and remote stations, via dialup ISP, into our server. We have experienced some problems with employees, in the past, accessing the internet with their own ISPs. Our management dealt with it by removing the modems. I am concerned that once our VPN is in place that they will begin "playing" on the internet when they should be doing their work. Most of the time our employees are unsupervised and it is difficult to monitor their activities. We are running Win 95/98 on all our work stations. I have been unsuccessful in getting our management to go to Winblows NT.

Does anyone know of a way to block internet access but still allow intranet and VPN access? I would prefer to control their internet access through our firewall.

Thanks,
Todd Wilburn

From jonc at HAHT.COM Mon Dec 20 03:31:53 1999
From: jonc at HAHT.COM (Jon Carnes)
Date: Mon, 20 Dec 1999 03:31:53 -0500
Subject: VPN and Internet access
References:
Message-ID: <019301bf4ac4$bd520de0$6803010a@dhcp.haht.com>

There are some easy answers my friend.

Routing is one: if your data is coming from known addresses, only allow routes to those known addresses.
A second answer is to block the ports you don't want folks to use, such as port 80 (for web access).

Personally, I believe the best answer is to treat people like responsible adults; if they get their jobs done on time and they don't clog up the net with too much play, let them be.

my 2¢ - Jon Carnes, MIS HAHT Software

----- Original Message -----
From: "Todd Wilburn"
To:
Sent: Sunday, December 19, 1999 7:01 PM
Subject: VPN and Internet access

> I am the IT Technician for a company that is just starting to get a network, server and VPN set up and going. I got the job because I know the most about computers and networks in the company, so we are learning as we are going with VPNs. Our router/firewall is a Shiva LAN Rover VPN Express on an ADSL line. We have 15 workstations, 3 remote workstations and 10 wireless vehicle workstations.
>
> We need to tie in our vehicles, via wireless VPN, and remote stations, via dialup ISP, into our server. We have experienced some problems with employees, in the past, accessing the internet with their own ISPs. Our management dealt with it by removing the modems. I am concerned that once our VPN is in place that they will begin "playing" on the internet when they should be doing their work. Most of the time our employees are unsupervised and it is difficult to monitor their activities. We are running Win 95/98 on all our work stations. I have been unsuccessful in getting our management to go to Winblows NT.
>
> Does anyone know of a way to block internet access but still allow intranet and VPN access? I would prefer to control their internet access through our firewall.
>
> Thanks,
> Todd Wilburn
>

From mag at BUNUEL.TII.MATAV.HU Mon Dec 20 02:18:33 1999
From: mag at BUNUEL.TII.MATAV.HU (Magosanyi Arpad)
Date: Mon, 20 Dec 1999 08:18:33 +0100
Subject: solaris -> nt -> vpn
In-Reply-To: <99122009222703.26628@gibberling>
References: <99122009222703.26628@gibberling>
Message-ID: <19991220081833.D1598@bunuel.tii.matav.hu>

My mailer believes that Matthew Ramsay wrote the following:
> For some people PPTP is secure enough. The biggest plus in my book is that it is *free*.. and the reality of the situation is there is always a trade off between cost and security.. and if someone really wants to get in to ***any*** system it's going to happen no matter what VPN software/hardware you use.
>
> All I'm saying is PPTP remains a valid solution for this very reason.
>

1. In my book security software should be open source, not just free in the price sense. If you get software for free, which you don't have the sources for, from a company which just can't make a real OS, you can be absolutely sure that what you have is crap. The findings of L0pht confirm the above.

2. There is no tradeoff between cost and security (=quality), at least not at this level. You can use open source which you can audit and which already went through extensive peer review, and if some bug turns out you can just patch it in an hour. And you will only have the costs associated with its support and operation. Or you can buy something for big money in which you can't be absolutely sure, no real support, slow bugfixes (I LOVE NAI), and the costs: product fee, for support (which you don't really have), and operations. Or you just dig out some crap from the rubbish heaps of the Internet. And you will have no support, and have to keep operating a thing you don't know about.

3.
I don't think that using a TCP based VPN is a Good Thing(TM) except in rare situations (where you want to create a hole in a firewall). Packet based VPNs are more robust and don't have those special performance problems. (Yes, I don't use my VPN implementation).

--
GNU GPL: only from a pure source

From JJones at NWNETS.COM Mon Dec 20 10:30:43 1999
From: JJones at NWNETS.COM (Jeremy Jones)
Date: Mon, 20 Dec 1999 08:30:43 -0700
Subject: MS PPTP Weirdness
Message-ID: <4128C0428F94D3118F1E00902773CED201B337@NNSBOIS1>

Hi all,

I have a client with several sites, all with 256k+ Internet connections. The central site has an ms vpn server behind a proxy, and two satellite sites make pptp calls from behind nat firewalls to the central site. The two satellites are able to connect just fine, and the connection is as stable as the DSL connections. The problem is that the vpn client servers in the satellite sites cannot see each other. The vpn client in satellite site 1 can ping the central site, and the vpn client in satellite site 2 can ping the central site. The vpn server in the central site can ping either vpn client. The vpn connections are used for routing between the sites, and the vpn-wan cloud has its own subnet.

The bizarre thing, and the thing that makes me think that routing is NOT the problem, is that workstations in satellite site 1 can ping the workstation machines in satellite site 2 as well as the vpn machine in satellite site 2. Likewise, workstations in satellite site 2 can ping anything. The workstations in each satellite site are using the vpn machines on their local subnet as default gateways.

Now why would the workstations be able to get around just fine, using the routing tables set up on the vpn machines, when the vpn machines themselves cannot communicate?

If routing tables would be helpful, I'd be happy to send them along...
Thanks in advance,
Jeremy Jones, MA, MCSE, CCNA
Systems Analyst
Northwest Network Services
(208) 343-5260 x106
http://www.nwnets.com
mailto:jjones at nwnets.com

From jsdy at COSPO.OSIS.GOV Mon Dec 20 14:59:00 1999
From: jsdy at COSPO.OSIS.GOV (Joseph S D Yao)
Date: Mon, 20 Dec 1999 14:59:00 -0500
Subject: MS PPTP Weirdness
In-Reply-To: <4128C0428F94D3118F1E00902773CED201B337@NNSBOIS1>; from Jeremy Jones on Mon, Dec 20, 1999 at 08:30:43AM -0700
References: <4128C0428F94D3118F1E00902773CED201B337@NNSBOIS1>
Message-ID: <19991220145900.K20708@adams.cospo.osis.gov>

On Mon, Dec 20, 1999 at 08:30:43AM -0700, Jeremy Jones wrote:
> I have a client with several sites, all with 256k+ Internet connections. The central site has an ms vpn server behind a proxy, and two satellite sites make pptp calls from behind nat firewalls to the central site. The two satellites are able to connect just fine, and the connection is as stable as the DSL connections. The problem is that the vpn client servers in the satellite sites cannot see each other. The vpn client in satellite site 1 can ping the central site, and the vpn client in satellite site 2 can ping the central site. The vpn server in the central site can ping either vpn client. The vpn connections are used for routing between the sites, and the vpn-wan cloud has its own subnet.
>
> The bizarre thing, and the thing that makes me think that routing is NOT the problem, is that workstations in satellite site 1 can ping the workstation machines in satellite site 2 as well as the vpn machine in satellite site 2. Likewise, workstations in satellite site 2 can ping anything. The workstations in each satellite site are using the vpn machines on their local subnet as default gateways.
>
> Now why would the workstations be able to get around just fine, using the routing tables set up on the vpn machines, when the vpn machines themselves cannot communicate?
It may yet be routing. We had a similar situation, albeit with different tunneling software. Our device was accepting only type-50 packets from the "far" interface, and ignoring everything else sent to it except packets to be sent from the "near" side through the tunnel ... because that was what the routing and filtering rules told it to. In particular, there were no rules that allowed something sent in through the tunnel to the device itself to be seen. We had to add in rules that allowed it to accept certain other limited types of packets from the "far" side, and a bit more from the "near" side and from the tunnel itself.

[Reviewing this, I am actually mixing together two different but similar problems we have had ... but the effect is similar.]

--
Joe Yao                         jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                       EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

From jonc at HAHT.COM Mon Dec 20 15:43:32 1999
From: jonc at HAHT.COM (Jon Carnes)
Date: Mon, 20 Dec 1999 15:43:32 -0500
Subject: MS PPTP Weirdness
References: <4128C0428F94D3118F1E00902773CED201B337@NNSBOIS1>
Message-ID: <00c501bf4b2a$f38b5e50$6803010a@dhcp.haht.com>

Okay. It is routing...

Each VPN server has to have, as their default route, the DSL connection. The other local machines use the VPN as the default.

Set up a route on VPN1 server to the VPN2 network via the VPN1 connection. Mirror that for your VPN2 server.

Basically, print out the routes on VPN1 Server. Do you see a route for the VPN2 network?
No - it goes down the default route.
Yes - Well that's where the packets go!

Note: you cannot change the default, as that will mean the box can no longer find the internet and therefore not find the VPN connection (unless you add a 255.255.255.255 route that just points to the other endpoint address using the DSL connection).
Good Luck

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "Jeremy Jones"
To:
Sent: Monday, December 20, 1999 10:30 AM
Subject: MS PPTP Weirdness

> Hi all,
>
> I have a client with several sites, all with 256k+ Internet connections. The central site has an ms vpn server behind a proxy, and two satellite sites make pptp calls from behind nat firewalls to the central site. The two satellites are able to connect just fine, and the connection is as stable as the DSL connections. The problem is that the vpn client servers in the satellite sites cannot see each other. The vpn client in satellite site 1 can ping the central site, and the vpn client in satellite site 2 can ping the central site. The vpn server in the central site can ping either vpn client. The vpn connections are used for routing between the sites, and the vpn-wan cloud has its own subnet.
>
> The bizarre thing, and the thing that makes me think that routing is NOT the problem, is that workstations in satellite site 1 can ping the workstation machines in satellite site 2 as well as the vpn machine in satellite site 2. Likewise, workstations in satellite site 2 can ping anything. The workstations in each satellite site are using the vpn machines on their local subnet as default gateways.
>
> Now why would the workstations be able to get around just fine, using the routing tables set up on the vpn machines, when the vpn machines themselves cannot communicate?
>
> If routing tables would be helpful, I'd be happy to send them along...
>
> Thanks in advance,
> Jeremy Jones, MA, MCSE, CCNA
> Systems Analyst
> Northwest Network Services
> (208) 343-5260 x106
> http://www.nwnets.com
> mailto:jjones at nwnets.com
>

From JJones at NWNETS.COM Mon Dec 20 16:09:06 1999
From: JJones at NWNETS.COM (Jeremy Jones)
Date: Mon, 20 Dec 1999 14:09:06 -0700
Subject: MS PPTP Weirdness
Message-ID: <4128C0428F94D3118F1E00902773CED201B339@NNSBOIS1>

Here's a little more detail... Well, a lot more detail, actually. The setup is a little complex to put in words, but I'll give it a shot:

1. Central Site's RRAS server is multihomed w/first nic on Internet and second on LAN
2. Central Site's RRAS server runs MS Proxy Server
3. Central Site LAN subnet is 10.0.0.0/24
4. LAN IP address of Central Site's RRAS server is 10.0.0.1/24
5. VPN interface IP address of Central Site's RRAS server is 10.1.0.1/24
6. VPN WAN cloud subnet is 10.1.0.0/24
7. Satellite Site #1 uses NAT on Cisco 675 ADSL router
8. Satellite Site #1 LAN subnet is 10.0.1.0/24
9. Satellite Site #1 DSL router LAN interface IP address is 10.0.1.1/24
10. Satellite Site #1 RRAS server's LAN IP address is 10.0.1.5/24
11. Satellite Site #1 RRAS server's VPN IP address is 10.1.0.2/24
12. Workstations in Satellite Site #1 use local RRAS Server as Default Gateway
13. Satellite Site #2 uses NAT on FlowPoint 2200 SDSL router
14. Satellite Site #2 LAN subnet is 10.0.2.0/24
15. Satellite Site #2 DSL router LAN interface IP address is 10.0.2.1/24
16. Satellite Site #2 RRAS server's LAN IP address is 10.0.2.5/24
17. Satellite Site #2 RRAS server's VPN IP address is 10.1.0.3/24
18. Workstations in Satellite Site #2 use local RRAS Server as Default Gateway

The Satellite Sites are both able to connect to the RRAS VPN server at the Central Site, and the DSL routers pass the PPTP pipes through just fine. Host/Client Workstations at each site have full connectivity to resources in each subnet.
I.e. a workstation in Satellite Site #1 can ping all three RRAS servers and any other workstation in any subnet. However, workstations in Satellite Site #1 CANNOT ping the VPN IP address of the RRAS server in Satellite Site #2; likewise, workstations in Satellite Site #2 CANNOT ping the VPN IP address of the RRAS server in Satellite Site #1.

The RRAS server at the Central Site can ping both the Satellite Sites' RRAS servers and any workstation in any site, as well as the VPN IP addresses of both Satellite Sites' RRAS servers.

The DSL router in Satellite Site #1 can ping anything EXCEPT the VPN IP address of the RRAS server in Satellite Site #2; and the DSL router in Satellite Site #2 can ping anything EXCEPT the VPN IP address of the RRAS server in Satellite Site #1.

The real problem is this: the RRAS server in Satellite Site #1 cannot ping ANYTHING in Satellite Site #2, including the VPN IP address of the RRAS server in Satellite Site #2; and likewise, the RRAS server in Satellite Site #2 cannot ping ANYTHING in Satellite Site #1, including the VPN IP address of the RRAS server in Satellite Site #1.

The mystery to me is that the routing tables appear correct. I've pored over them for hours.
Here's a routing table for the RRAS server in Satellite Site #1:

To 10.0.0.0/24 via 10.1.0.1 metric 1
  (traffic to Central Site goes through Central Site's RRAS server's VPN interface)
To 10.0.2.0/24 via 10.1.0.3 metric 1
  (traffic to Satellite Site #2 goes through Satellite Site #2's RRAS server's VPN interface)
To 0.0.0.0/0 via 10.0.1.1 metric 1
  (all other traffic goes through DSL/NAT router)

And for the RRAS server in Satellite Site #2:

To 10.0.0.0/24 via 10.1.0.1 metric 1
  (traffic to Central Site goes through Central Site's RRAS server's VPN interface)
To 10.0.1.0/24 via 10.1.0.2/24 metric 1
  (traffic to Satellite Site #1 goes through Satellite Site #1's RRAS server's VPN interface)
To 0.0.0.0/0 via 10.0.2.1 metric 1
  (all other traffic goes through DSL/NAT router)

And on the Central Site's RRAS server:

To 10.0.1.0/24 via 10.1.0.2 metric 1
  (traffic to Satellite Site #1 goes through Satellite Site #1's RRAS server's VPN interface)
To 10.0.2.0/24 via 10.1.0.3 metric 1
  (traffic to Satellite Site #2 goes through Satellite Site #2's RRAS server's VPN interface)
To 0.0.0.0/0 via [ISP Default Gateway] metric 1
  (all other traffic goes through the ISP's default gateway)

The DSL routers in both Satellite Sites direct traffic for each private subnet back through the RRAS servers. I.e.
in Satellite Site #1, the DSL router's table looks like this:

To 10.0.0.0/24 via 10.0.1.5 metric 2
  (traffic to Central Site goes through Satellite Site #1's RRAS server's LAN interface)
To 10.0.2.0/24 via 10.0.1.5 metric 2
  (traffic to Satellite Site #2 goes through Satellite Site #1's RRAS server's LAN interface)
To 10.1.0.0/24 via 10.0.1.5 metric 1
  (traffic to VPN-WAN subnet goes through Satellite Site #1's RRAS Server's LAN interface)
To 0.0.0.0/0 via [ISP Default Gateway] metric 1
  (all other traffic goes through the ISP's default gateway)

and in Satellite Site #2, the DSL router's table looks like this:

To 10.0.0.0/24 via 10.0.2.5 metric 2
  (traffic to Central Site goes through Satellite Site #2's RRAS server's LAN interface)
To 10.0.1.0/24 via 10.0.2.5 metric 2
  (traffic to Satellite Site #1 goes through Satellite Site #2's RRAS server's LAN interface)
To 10.1.0.0/24 via 10.0.2.5 metric 1
  (traffic to VPN-WAN subnet goes through Satellite Site #2's RRAS Server's LAN interface)
To 0.0.0.0/0 via [ISP Default Gateway] metric 1
  (all other traffic goes through the ISP's default gateway)

I know this is a little difficult to visualize, so if anyone interested in helping would like a diagram, I could send one. The problem with the two Satellite Sites' servers' communication is bizarre to me, mainly because the rest of the machines on each local subnet are able to connect to the remote servers just fine, using the RRAS servers as their default gateway.

--Jeremy

-----Original Message-----
From: Jon Carnes [mailto:jonc at HAHT.COM]
Sent: Monday, December 20, 1999 1:44 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: MS PPTP Weirdness

Okay. It is routing...

Each VPN server has to have, as their default route, the DSL connection. The other local machines use the VPN as the default.

Set up a route on VPN1 server to the VPN2 network via the VPN1 connection. Mirror that for your VPN2 server.

Basically, print out the routes on VPN1 Server. Do you see a route for the VPN2 network?
No - it goes down the default route.
Yes - Well that's where the packets go!

Note: you cannot change the default, as that will mean the box can no longer find the internet and therefore not find the VPN connection (unless you add a 255.255.255.255 route that just points to the other endpoint address using the DSL connection).

Good Luck

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "Jeremy Jones"
To:
Sent: Monday, December 20, 1999 10:30 AM
Subject: MS PPTP Weirdness

> Hi all,
>
> I have a client with several sites, all with 256k+ Internet connections. The central site has an ms vpn server behind a proxy, and two satellite sites make pptp calls from behind nat firewalls to the central site. The two satellites are able to connect just fine, and the connection is as stable as the DSL connections. The problem is that the vpn client servers in the satellite sites cannot see each other. The vpn client in satellite site 1 can ping the central site, and the vpn client in satellite site 2 can ping the central site. The vpn server in the central site can ping either vpn client. The vpn connections are used for routing between the sites, and the vpn-wan cloud has its own subnet.
>
> The bizarre thing, and the thing that makes me think that routing is NOT the problem, is that workstations in satellite site 1 can ping the workstation machines in satellite site 2 as well as the vpn machine in satellite site 2. Likewise, workstations in satellite site 2 can ping anything. The workstations in each satellite site are using the vpn machines on their local subnet as default gateways.
>
> Now why would the workstations be able to get around just fine, using the routing tables set up on the vpn machines, when the vpn machines themselves cannot communicate?
>
> If routing tables would be helpful, I'd be happy to send them along...
>
> Thanks in advance,
> Jeremy Jones, MA, MCSE, CCNA
> Systems Analyst
> Northwest Network Services
> (208) 343-5260 x106
> http://www.nwnets.com
> mailto:jjones at nwnets.com
>

VPN is sponsored by SecurityFocus.COM

From JanisM at ICMTO.COM Mon Dec 20 16:16:00 1999
From: JanisM at ICMTO.COM (Janis MacIsaac)
Date: Mon, 20 Dec 1999 16:16:00 -0500
Subject: clarification please?
Message-ID: <915D374A3F62D311A5D400C04F2D308E04CC42@TOREX01>

I have been speaking with several industry people in the last two weeks, and I often hear point-to-point VPNs and remote access VPNs are different things. What is the difference? What are the defining characteristics that make a particular infrastructure one or the other?

From Ryan.Russell at SYBASE.COM Mon Dec 20 16:30:41 1999
From: Ryan.Russell at SYBASE.COM (Ryan Russell)
Date: Mon, 20 Dec 1999 13:30:41 -0800
Subject: clarification please?
Message-ID: <8825684D.00763E94.00@gwwest.sybase.com>

>I have been speaking with several industry people in the last two weeks,
>and I often hear point-to-point VPNs and remote access VPNs are
>different things. What is the difference? What are the defining
>characteristics that make a particular infrastructure one or the other?

The two main ways VPNs are used currently are for remote access replacement, and for WAN replacement. The technologies are about the same, but the usage and support model differ quite a bit.

Remote access style VPN normally dictates a piece of software that lives on an end-user computer. The software typically prompts for username and password to authenticate the user, and the user can usually bring the VPN up and down at will.

WAN style VPN is usually implemented in a gateway type of external box, often a router. The gateway is usually the device that is authenticated, not individual users.
The gateway will usually VPN multiple machines instead of just one. Normally, there is no requirement for special software on the machines behind the gateway. Most WAN VPN solutions need full-time Internet links.

There is lots of room for overlap and blurring of lines.

Ryan

From john.d.fulmer at MAIL.SPRINT.COM Mon Dec 20 16:32:40 1999
From: john.d.fulmer at MAIL.SPRINT.COM (John Fulmer)
Date: Mon, 20 Dec 1999 15:32:40 -0600
Subject: clarification please?
References: <915D374A3F62D311A5D400C04F2D308E04CC42@TOREX01>
Message-ID: <385EA078.83332848@mail.sprint.com>

In a gross over-simplification, a point-to-point VPN connects two networks together, such as a VPN between two firewalls or two routers, and routes traffic between the two networks. A remote access VPN connects a single machine/user to a network, so that the remote user has access similar to a dial-up connection into a network.

Close enough of a definition for most purposes....

jf

JanisM at ICMTO.COM wrote:
>
> I have been speaking with several industry people in the last two weeks,
> and I often hear point-to-point VPNs and remote access VPNs are
> different things. What is the difference? What are the defining
> characteristics that make a particular infrastructure one or the other?
>

From patrick at SECUREOPS.COM Mon Dec 20 16:50:27 1999
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Mon, 20 Dec 1999 16:50:27 -0500
Subject: ISAKMP and OpenBSD

Hey guys and gals,

I took my first attempt at writing this HOWTO for ISAKMP and OpenBSD 2.6. I'd really appreciate it if some of you people would proof read it and especially correct where I'm giving out totally false information (I interpreted some things and I'm really not sure if I understood most of it.)

Your feedback would be most welcome, actually I'd really really appreciate it.
I'm hoping the guys from the OBSD FAQ might want to use this for their site.

Anyways, the URL is http://www.secureops.com/drbones/vpn.htm

It's going through some intense modification because I have done the original work in MS Word. Bear with me as we take the time to turn it into a proper website that will eventually be officially posted at www.secureops.com in the resources section. (Our webteam is overworked and the holidays are coming...:)

Merry Christmas,

Patrick Ethier
patrick at secureops.com

From shinobi at MONKEY.ORG Mon Dec 20 16:47:06 1999
From: shinobi at MONKEY.ORG (eric jackson)
Date: Mon, 20 Dec 1999 16:47:06 -0500
Subject: ISAKMP and OpenBSD

On Mon, 20 Dec 1999, Patrick Ethier wrote:

> Hey guys and gals,
>
> I took my first attempt at writing this HOWTO for ISAKMP and OpenBSD 2.6.
> I'd really appreciate it if some of you people would proof read it and
> especially correct where I'm giving out totally false information (I
> interpreted some things and I'm really not sure if I understood most of it.)
>
> Your feedback would be most welcome, actually I'd really really appreciate
> it. I'm hoping the guys from the OBSD FAQ might want to use this for their
> site.
>
>
> Anyways, the URL is http://www.secureops.com/drbones/vpn.htm
>

Correction, url is http://www.secureops.com/drbones/VPN.htm

Eric Jackson

>
> It's going through some intense modification because I have done the
> original work in MS Word.
> Bear with me as we take the time to turn it into a
> proper website that will eventually be officially posted at
> www.secureops.com in the resources section. (Our webteam is overworked and
> the holidays are coming...:)
>
>
>
>
> Merry Christmas,
>
> Patrick Ethier
> patrick at secureops.com
>

From patrick at SECUREOPS.COM Mon Dec 20 17:06:25 1999
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Mon, 20 Dec 1999 17:06:25 -0500
Subject: ISAKMP and OpenBSD

Yeah, like I mentioned, I posted it straight from my MS Word document (that doesn't export the pictures.) I'm creating a simple HTML version (MS Word puts in a lot of useless stuff). The SecureOps Webteam wanted to take a hack at it first. I just put it there so people could go through it quickly and correct any misinformation.

Thanks for pointing that out though.

Pat
patrick at secureops.com

-----Original Message-----
From: Tina Bird [mailto:tbird at precision-guesswork.com]
Sent: Monday, December 20, 1999 4:38 PM
To: Patrick Ethier
Subject: RE: ISAKMP and OpenBSD

It looks really good -- but were you aware that the figures aren't coming up?

On Mon, 20 Dec 1999, Patrick Ethier wrote:

> Date: Mon, 20 Dec 1999 17:00:21 -0500
> From: Patrick Ethier
> To: 'Tina Bird'
> Subject: RE: ISAKMP and OpenBSD
>
> Sure. I'll send you the final URL when I'm done. For now, it should remain
> at the current URL for a few more days.
>
>
>
>
> -----Original Message-----
> From: Tina Bird [mailto:tbird at precision-guesswork.com]
> Sent: Monday, December 20, 1999 4:35 PM
> To: Patrick Ethier
> Subject: Re: ISAKMP and OpenBSD
>
>
> Patrick --
>
> Well done! I haven't had a chance to check this out yet,
> but I was looking for this kind of document just last
> week.
>
> Can I link to it from the VPN web site once you think it's
> in final form?
>
> thanks -- tina bird
>
> On Mon, 20 Dec 1999, Patrick Ethier wrote:
>
> > Date: Mon, 20 Dec 1999 16:50:27 -0500
> > From: Patrick Ethier
> > To: VPN at SECURITYFOCUS.COM
> > Subject: ISAKMP and OpenBSD
> >
> > Hey guys and gals,
> >
> > I took my first attempt at writing this HOWTO for ISAKMP and OpenBSD 2.6.
> > I'd really appreciate it if some of you people would proof read it and
> > especially correct where I'm giving out totally false information (I
> > interpreted some things and I'm really not sure if I understood most of
> it.)
> >
> > Your feedback would be most welcome, actually I'd really really appreciate
> > it. I'm hoping the guys from the OBSD FAQ might want to use this for their
> > site.
> >
> >
> > Anyways, the URL is http://www.secureops.com/drbones/vpn.htm
> >
> >
> > It's going through some intense modification because I have done the
> > original work in MS Word. Bear with me as we take the time to turn it into
> a
> > proper website that will eventually be officially posted at
> > www.secureops.com in the resources section. (Our webteam is overworked and
> > the holidays are coming...:)
> >
> >
> >
> >
> > Merry Christmas,
> >
> > Patrick Ethier
> > patrick at secureops.com
> >
>

From matthewr at MORETON.COM.AU Mon Dec 20 18:38:19 1999
From: matthewr at MORETON.COM.AU (Matthew Ramsay)
Date: Tue, 21 Dec 1999 09:38:19 +1000
Subject: solaris -> nt -> vpn
References: <19991220081833.D1598@bunuel.tii.matav.hu>
Message-ID: <99122110051207.31445@gibberling>

>1. In my book a security software should be open source, not just free in the
> price sense. If you get a software for free, which you don't have
> the sources for, from a company which just can't make a real OS,
> you can be absolutely sure that what you have is crap.

I totally agree with this. **BUT** you incorrectly relate it to PPTP! PPTP is an open specification (IETF draft)..
Although MS doesn't release their source code, their PPTP implementation does follow the draft. PoPToP (the PPTP VPN server for Linux) follows the draft and works seamlessly with Windows clients and vice versa (NT server, and Linux pptp-client). MSCHAPv2 and MPPE are both publicly accessible drafts also! So I argue that PPTP is open and free.

> The findings of L0pht confirm the above.

Never did I suggest that PPTP wasn't fool proof. I simply argue that for a lot of people PPTP is secure enough,.. and it is ready now..

>2. There is no tradeoff between cost and security (=quality), at least
> not in this level.

Are you kidding me?! In the *real* world there is a tradeoff between cost and security.

Perhaps we have different ideas about what a VPN is supposed to do... All I'm saying is the PPTP is a valid and cost-effective VPN solution that for many people is secure enough for their purposes.

Cheers,
Matt.

From tbird at PRECISION-GUESSWORK.COM Mon Dec 20 20:32:55 1999
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Mon, 20 Dec 1999 19:32:55 -0600
Subject: SANS BoF -- VPN Security Risks

Hi all --

After my SANS class last week, I led a Birds of a Feather session on the various security risks introduced into corporate networks by having remote access VPNs based out of people's houses -- and bounced around a few ideas about how to address them. Most of the "solutions" addressed home connectivity equipment -- cable modems, DSL, etc -- with firewall capabilities, firewall-like software (controllable by the corporate security administrators) that runs on VPN client devices, and tightly configured access control lists on corporate firewalls and VPN devices.

We didn't come to a whole lot of conclusions, tho' most people agreed on the notion that PCs >owned< by the corporation were usually easier to secure and manage.
This whole issue is clearly one of the most important things we're struggling with at the moment -- most vendors aren't addressing the risks of "piggy back attacks."

So my question is, how are people dealing with it in the "wild"? I'd like to add this to the FAQ.

TIA -- Tina

From zen at IPDEVICES.COM Mon Dec 20 21:07:30 1999
From: zen at IPDEVICES.COM (zen kishimoto)
Date: Mon, 20 Dec 1999 18:07:30 -0800
Subject: management of VPN
Message-ID: <385EE0E1.A29F1AEE@ipdevices.com>

If this is a wrong forum to ask the following question, I will apologize.

I am looking for a solution to manage and maintain VPNs (site-to-site and remote). Is there any place I can get the information on the vendors providing such solutions?

Zen

--
Zen Kishimoto
408 433-1266
zen at ipdevices.com
408 433-1226 (FAX)
5339 Prospect Rd, #250
San Jose, CA 95129

From rizal at MIMOS.MY Mon Dec 27 00:18:51 1999
From: rizal at MIMOS.MY (Mohammad Rizal Othman)
Date: Mon, 27 Dec 1999 13:18:51 +0800
Subject: Dial-up VPN
References: <386332A4.66CB0768@mimos.my>
Message-ID: <3866F6BB.746A431B@mimos.my>

Mohammad Rizal Othman wrote:
>
> Patrick Ethier wrote:
>
>

My attempt to configure IPSec between PGPNet and OpenBSD 2.6 still hasn't succeeded :( Right now I'm reading some configuration examples on NAI's website, and stumbled upon this paper detailing IPSec setup between Cisco and PGPNet. Quoting from the paper,

"There are two basic steps for configuring PGP for IPSec:
a. Obtain an IPSec certificate from VeriSign and set it as your X.509 Authentication cert in PGPNet's Options panel.
b. Configure the Cisco router as a Secure Host or Secure Gateway depending on how you plan to use it."

Now, if it is required to use an X.509 certificate, how can I still set up an IPSec VPN without having to pay VeriSign? I tried using openssl as in /usr/src/sbin/isakmpd/README.PKI (the last four steps of openssl).
FTPing the files produced by these steps into PGPNet's PGP Keyrings directory fails because PGPNet didn't recognize them.

Can somebody give some tips on this issue.

Regards,

--
,-----------------------------------------------------------------------.
> Mohammad Rizal Othman | If it doesn't work, force it.                <
> rizal at mimos.my     | If it breaks, it needed replacing anyway.    <
`-----------------------------------------------------------------------'

From patrick at SECUREOPS.COM Mon Dec 27 10:35:18 1999
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Mon, 27 Dec 1999 10:35:18 -0500
Subject: Dial-up VPN

Hi Mohammed,

Are you sure that it doesn't support pre-shared secret??? Did you also try not specifying anything to see if that would work? Last thing to try is to generate the certificate with PGPNet and then send it to OpenBSD.... (If this is supported by PGPNet.)

The only other thing I can see here is that it is PGPNet that is not working here; the NO_PROPOSAL_CHOSEN is equivalent to BAD USERNAME OR PASSWORD.

So, the x.509 and/or encryption schemes are definitely the problem at this point (you are not getting past Phase 1).

IKE stands for Internet Key Exchange, ISAKMP is a variant of this. They are both used in Phase 1 and Phase 2. Phase 1 sets up the IPSec tunnel between 2 gateways, Phase 2 opens that tunnel to the networks behind the gateways, IKE manages the encryption keys for both processes.

I'll have to download PGPNet and try it here. Can you give me the URL?
Happy Holidays,

Patrick Ethier
patrick at secureops.com

-----Original Message-----
From: Mohammad Rizal Othman [mailto:rizal at mimos.my]
Sent: Monday, December 27, 1999 12:19 AM
To: Mohammad Rizal Othman
Cc: misc at openbsd.org; vpn at securityfocus.com
Subject: Re: Dial-up VPN

Mohammad Rizal Othman wrote:
>
> Patrick Ethier wrote:
>
>

My attempt to configure IPSec between PGPNet and OpenBSD 2.6 still hasn't succeeded :( Right now I'm reading some configuration examples on NAI's website, and stumbled upon this paper detailing IPSec setup between Cisco and PGPNet. Quoting from the paper,

"There are two basic steps for configuring PGP for IPSec:
a. Obtain an IPSec certificate from VeriSign and set it as your X.509 Authentication cert in PGPNet's Options panel.
b. Configure the Cisco router as a Secure Host or Secure Gateway depending on how you plan to use it."

Now, if it is required to use an X.509 certificate, how can I still set up an IPSec VPN without having to pay VeriSign? I tried using openssl as in /usr/src/sbin/isakmpd/README.PKI (the last four steps of openssl). FTPing the files produced by these steps into PGPNet's PGP Keyrings directory fails because PGPNet didn't recognize them.

Can somebody give some tips on this issue.

Regards,

--
,-----------------------------------------------------------------------.
> Mohammad Rizal Othman | If it doesn't work, force it.                <
> rizal at mimos.my     | If it breaks, it needed replacing anyway.    <
`-----------------------------------------------------------------------'

From patrick at SECUREOPS.COM Tue Dec 28 10:43:04 1999
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Tue, 28 Dec 1999 10:43:04 -0500
Subject: Dial-up VPN

Hi Mohammed,

Here's what I did:

1 - Added a HOST to PGPNet with the wizard, select "Host", "Enforce Security", "Use shared key then fall back to certificate", type mekmitasdigoat or whatever you are using...

2 - Go into view/options.
    Remove the timestamps.

3 - In the advanced section, create the following proposals:
    Shared key/SHA/3DES/1024 for IKE
    AH none
    ESP SHA, 3DES, None
    Set PFS to 1024
    Make sure this proposal appears at the top of the list.

4 - Click OK, click on the host, click on the connect button at the bottom.

5 - Check your log tab, it should say created for both IKE and IPSec.

By looking at the tcpdump -v -s1500 port 500 output, I saw that the proposals being given to ISAKMP were wrong. PGPNet was giving CAST or something like that. Since it didn't match up with any encryption scheme it wouldn't work. So I resolved the problem by getting rid of all the other proposals on the PGPNet side. Then I noticed that it was only sending 3 proposals, all identical, but it still wasn't getting through Phase 1. I dumped the timestamps (because they weren't the same on both ends) and it worked. My guess is Phase 1 connections need to have identical proposals in order for it to work.

Use the TCPDUMP, it's a lot of help.

On the ISAKMP side, all I had to do was add the following:

[Phase 1]
default= VariableDude

[Phase 2]
default= MyHost-VariableDude

[VariableDude]
Phase= 1
Transport= udp
Local-address= MyHostIP
Address= 0.0.0.0
Configuration= Default-main-mode
Authentication= mekmitasdigoat
#Flags=

[MyHost-VariableDude]
Phase= 2
ISAKMP-peer= VariableDude
Configuration= Default-quick-mode
Local-ID= Net-MyNet
Remote-ID= Net-Variable

[Net-Variable]
ID-type= IPV4_ADDR
Address= 0.0.0.0
netmask= 255.255.255.255

All the IP stuff gets filled in with the incoming proposal from the remote host.

Good luck,

Patrick Ethier
patrick at secureops.com

-----Original Message-----
From: Mohammad Rizal Othman [mailto:rizal at mimos.my]
Sent: Monday, December 27, 1999 7:36 PM
To: Patrick Ethier
Cc: 'misc at openbsd.org'; 'vpn at securityfocus.com'
Subject: Re: Dial-up VPN

Patrick Ethier wrote:
>
> Hi Mohammed,
>
> Are you sure that it doesn't support pre-shared secret???
> Did you also try
> not specifying anything to see if that would work? Last thing to try is to
> generate the certificate with PGPNet and then send it to OpenBSD.... (If this
> is supported by PGPNet.)
>

That's what I'm trying to do since I couldn't use their certificate generator (Net Tools PKI Server) due to ITAR. You however might be able to use it.

> The only other thing I can see here is that it is PGPNet that is not working
> here, the NO_PROPOSAL_CHOSEN is equivalent to BAD USERNAME OR PASSWORD.
>
> So, the x.509 and/or encryption schemes are definitely the problem at this
> point (you are not getting past Phase 1).
>
> IKE stands for Internet Key Exchange, ISAKMP is a variant of this. They are
> both used in Phase 1 and Phase 2. Phase 1 sets up the IPSec tunnel between 2
> gateways, Phase 2 opens that tunnel to the networks behind the gateways, IKE
> manages the encryption keys for both processes.
>
> I'll have to download PGPNet and try it here. Can you give me the URL?
>

Sure. http://www.nai.com/asp_set/products/tns/pgp_vpn.asp. I on the other hand will try Ashley Laurent's.

> Happy Holidays,
>
> Patrick Ethier
> patrick at secureops.com
>

--
,-----------------------------------------------------------------------.
> Mohammad Rizal Othman | If it doesn't work, force it.                <
> rizal at mimos.my     | If it breaks, it needed replacing anyway.    <
`-----------------------------------------------------------------------'

From patrick at SECUREOPS.COM Tue Dec 28 13:14:23 1999
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Tue, 28 Dec 1999 13:14:23 -0500
Subject: OpenBSD ISAKMP and PGPNet

Hey guys,

Just a note, I'm using the trial version of PGPVPN from NAI. I just installed the PGPNet from the MIT website; it doesn't support subnets through security gateways. (Look in the help, then search for gateway, it says it in black and white.)
Regards,

Patrick Ethier
patrick at secureops.com

From angelos at DSL.CIS.UPENN.EDU Mon Dec 27 19:00:32 1999
From: angelos at DSL.CIS.UPENN.EDU (Angelos D. Keromytis)
Date: Mon, 27 Dec 1999 19:00:32 -0500
Subject: Dial-up VPN
In-Reply-To: Your message of "Mon, 27 Dec 1999 10:35:18 EST."
Message-ID: <199912280000.TAA02684@adk.gr>

In message, Patrick Ethier writes:
>
>The only other thing I can see here is that it is PGPNet that is not working
>here, the NO_PROPOSAL_CHOSEN is equivalent to BAD USERNAME OR PASSWORD.

NO_PROPOSAL_CHOSEN means the initiator didn't provide an acceptable SA to the responder. This happens either after the first message in the protocol (so, before any authentication takes place), or in Phase 2 (after authentication has taken place). It is rather unlikely that it happened in Phase 1, as those SAs are fairly generic (but you can and should double-check it). If it happened in Phase 2, it's purely a configuration/policy matter.

-Angelos

From rizal at MIMOS.MY Mon Dec 27 19:35:42 1999
From: rizal at MIMOS.MY (Mohammad Rizal Othman)
Date: Tue, 28 Dec 1999 08:35:42 +0800
Subject: Dial-up VPN
Message-ID: <386805DE.F97034C6@mimos.my>

Patrick Ethier wrote:
>
> Hi Mohammed,
>
> Are you sure that it doesn't support pre-shared secret??? Did you also try
> not specifying anything to see if that would work? Last thing to try is to
> generate the certificate with PGPNet and then send it to OpenBSD.... (If this
> is supported by PGPNet.)
>

That's what I'm trying to do since I couldn't use their certificate generator (Net Tools PKI Server) due to ITAR. You however might be able to use it.

> The only other thing I can see here is that it is PGPNet that is not working
> here, the NO_PROPOSAL_CHOSEN is equivalent to BAD USERNAME OR PASSWORD.
>
> So, the x.509 and/or encryption schemes are definitely the problem at this
> point (you are not getting past Phase 1).
>
> IKE stands for Internet Key Exchange, ISAKMP is a variant of this. They are
> both used in Phase 1 and Phase 2. Phase 1 sets up the IPSec tunnel between 2
> gateways, Phase 2 opens that tunnel to the networks behind the gateways, IKE
> manages the encryption keys for both processes.
>
> I'll have to download PGPNet and try it here. Can you give me the URL?
>

Sure. http://www.nai.com/asp_set/products/tns/pgp_vpn.asp. I on the other hand will try Ashley Laurent's.

> Happy Holidays,
>
> Patrick Ethier
> patrick at secureops.com
>

--
,-----------------------------------------------------------------------.
> Mohammad Rizal Othman | If it doesn't work, force it.                <
> rizal at mimos.my     | If it breaks, it needed replacing anyway.    <
`-----------------------------------------------------------------------'

From nate_21 at HOTMAIL.COM Tue Dec 28 10:03:08 1999
From: nate_21 at HOTMAIL.COM (Nate C)
Date: Tue, 28 Dec 1999 07:03:08 PST
Subject: VPN vs. Telnet for Higher Ed?
Message-ID: <19991228150308.72110.qmail@hotmail.com>

I am in a sales situation with a university concerning VPN. One of the questions brought up was what would be the major differences between instituting a VPN versus the current access method of telnet? Are there any major differences? Security? Functionality? Any input would be appreciated. Thanks.

Nate

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From Fred.Golder at CENDANT.COM Wed Dec 29 08:14:49 1999
From: Fred.Golder at CENDANT.COM (Golder, Fred)
Date: Wed, 29 Dec 1999 08:14:49 -0500
Subject: VPN vs. Telnet for Higher Ed?

Telnet and "VPN" are quite different. They really don't overlap at all except in one case which I mention later.

Telnet provides no security. It is clear text so anybody can see what is being done.
Telnet is also terminal emulation which allows a person to work on a given machine remotely. A VPN would secure the communications but it doesn't provide the ability to work on a machine remotely.

A VPN is network level security of packets. Telnet is a method of accessing a specific machine remotely. No overlap.

SSH (Secure SHell) is a way of encrypting a telnet session and may be a good option to consider.

What solution is best depends on the specific needs, the specific environment and what they expect they will want to do in the future.

-Fred Golder

PS have fun with the rest of the research :)

-----Original Message-----
From: Nate C [mailto:nate_21 at HOTMAIL.COM]
Sent: Tuesday, December 28, 1999 10:03 AM
To: VPN at SECURITYFOCUS.COM
Subject: VPN vs. Telnet for Higher Ed?

I am in a sales situation with a university concerning VPN. One of the questions brought up was what would be the major differences between instituting a VPN versus the current access method of telnet? Are there any major differences? Security? Functionality? Any input would be appreciated. Thanks.

Nate

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From JJones at NWNETS.COM Wed Dec 29 08:32:56 1999
From: JJones at NWNETS.COM (Jeremy Jones)
Date: Wed, 29 Dec 1999 06:32:56 -0700
Subject: MS PPTP Weirdness
Message-ID: <4128C0428F94D3118F1E00902773CED201B359@NNSBOIS1>

Edgardo (and group),

PPTP and NAT can co-exist if your NAT router can handle directing GRE and TCP port 1723 traffic to an internal private host. At both Satellite Sites, the PPTP clients are able to make the PPTP call to the server in the Central Site.
On the DSL routers that handle NAT for the Satellite Sites, the GRE protocol (protocol 47) and TCP port 1723 are mapped to the PPTP clients. The RRAS/PPTP server at the Central Site is the same box as the Proxy Server, which has a routable, globally unique IP address. So making the connection between the Satellite Sites and the Central Site hasn't been the problem. It's the communication between the two RRAS/PPTP machines at the Satellite Sites--which are not making calls to each other, but which ought to be able to communicate. The Satellite Site PPTP clients are both on the same WAN-VPN subnet (10.1.0.0/24), since they both make calls to the PPTP server at the Central Site.

                 (private net 10.0.0.0/24)
                            |
             Central Site Proxy/RRAS/PPTP server
               private IP: 10.0.0.1
               public IP:  204.x.x.x
               VPN IP:     10.1.0.1
                   /                 \
            (Internet)      (WAN-VPN Cloud [10.1.0.0/24])
                 /                         \
  Satellite Site 1 NAT/DSL          Satellite Site 2 NAT/DSL
    private IP: 10.0.1.1              private IP: 10.0.2.1
    public IP:  204.y.y.y             public IP:  204.z.z.z
           |                                   |
  (private net 10.0.1.0/24)---(hub)   (hub)---(private net 10.0.2.0/24)
           |                                   |
     RRAS/PPTP client                    RRAS/PPTP client
       private IP: 10.0.1.5                private IP: 10.0.2.5
       VPN IP:     10.1.0.2                VPN IP:     10.1.0.3

Again, the two PPTP clients make the calls to the PPTP server at the Central Site just fine, but cannot communicate with one another. Workstations in both Satellite Sites can communicate with everything with one exception: workstations at Satellite Site #1 cannot ping the VPN IP of the RRAS machine in Satellite Site #2, and workstations at Satellite Site #2 cannot ping the VPN IP of the RRAS machine in Satellite Site #1.

NAT, I think, is not the culprit here... Unless there's something about it I'm missing.

Jeremy

-----Original Message-----
From: Edgardo Yu [mailto:Edgardo.Yu at wfp.org]
Sent: Wednesday, December 22, 1999 1:23 AM
To: Jeremy Jones
Subject: Re: MS PPTP Weirdness

Jeremy,

I think PPTP does not work over a translated route. Check the archives of this discussion group for details.
We have the same configuration as yours, and we find that the PPTP client must have a clear non-NATed route to the RRAS server.

Regards,
Edgardo Yu

Jeremy Jones on 20-12-99 10:09:06 PM
Please respond to Jeremy Jones
To: VPN at SECURITYFOCUS.COM
cc: (bcc: Edgardo Yu/FS/WFP)
Subject: Re: MS PPTP Weirdness

Here's a little more detail... Well, a lot more detail, actually. The setup is a little complex to put in words, but I'll give it a shot:

1. Central Site's RRAS server is multihomed w/first NIC on Internet and second on LAN
2. Central Site's RRAS server runs MS Proxy Server
3. Central Site LAN subnet is 10.0.0.0/24
4. LAN IP address of Central Site's RRAS server is 10.0.0.1/24
5. VPN interface IP address of Central Site's RRAS server is 10.1.0.1/24
6. VPN WAN cloud subnet is 10.1.0.0/24
7. Satellite Site #1 uses NAT on Cisco 675 ADSL router
8. Satellite Site #1 LAN subnet is 10.0.1.0/24
9. Satellite Site #1 DSL router LAN interface IP address is 10.0.1.1/24
10. Satellite Site #1 RRAS server's LAN IP address is 10.0.1.5/24
11. Satellite Site #1 RRAS server's VPN IP address is 10.1.0.2/24
12. Workstations in Satellite Site #1 use local RRAS Server as Default Gateway
13. Satellite Site #2 uses NAT on FlowPoint 2200 SDSL router
14. Satellite Site #2 LAN subnet is 10.0.2.0/24
15. Satellite Site #2 DSL router LAN interface IP address is 10.0.2.1/24
16. Satellite Site #2 RRAS server's LAN IP address is 10.0.2.5/24
17. Satellite Site #2 RRAS server's VPN IP address is 10.1.0.3/24
18. Workstations in Satellite Site #2 use local RRAS Server as Default Gateway

The Satellite Sites are both able to connect to the RRAS VPN server at the Central Site, and the DSL routers pass the PPTP pipes through just fine. Host/Client Workstations at each site have full connectivity to resources in each subnet. I.e. a workstation in Satellite Site #1 can ping all three RRAS servers and any other workstation in any subnet.
However, workstations in Satellite Site #1 CANNOT ping the VPN IP address of the RRAS server in Satellite Site #2; likewise, workstations in Satellite Site #2 CANNOT ping the VPN IP address of the RRAS server in Satellite Site #1.

The RRAS server at the Central Site can ping both the Satellite Sites' RRAS servers and any workstation in any site, as well as the VPN IP addresses of both Satellite Sites' RRAS servers.

The DSL router in Satellite Site #1 can ping anything EXCEPT the VPN IP address of the RRAS server in Satellite Site #2; and the DSL router in Satellite Site #2 can ping anything EXCEPT the VPN IP address of the RRAS server in Satellite Site #1.

The real problem is this: the RRAS server in Satellite Site #1 cannot ping ANYTHING in Satellite Site #2, including the VPN IP address of the RRAS server in Satellite Site #2; and likewise, the RRAS server in Satellite Site #2 cannot ping ANYTHING in Satellite Site #1, including the VPN IP address of the RRAS server in Satellite Site #1.

The mystery to me is that the routing tables appear correct. I've pored over them for hours.
Here's a routing table for the RRAS server in Satellite Site #1:

To 10.0.0.0/24 via 10.1.0.1 metric 1 (traffic to Central Site goes through Central Site's RRAS server's VPN interface)
To 10.0.2.0/24 via 10.1.0.3 metric 1 (traffic to Satellite Site #2 goes through Satellite Site #2's RRAS server's VPN interface)
To 0.0.0.0/0 via 10.0.1.1 metric 1 (all other traffic goes through DSL/NAT router)

And for the RRAS server in Satellite Site #2:

To 10.0.0.0/24 via 10.1.0.1 metric 1 (traffic to Central Site goes through Central Site's RRAS server's VPN interface)
To 10.0.1.0/24 via 10.1.0.2 metric 1 (traffic to Satellite Site #1 goes through Satellite Site #1's RRAS server's VPN interface)
To 0.0.0.0/0 via 10.0.2.1 metric 1 (all other traffic goes through DSL/NAT router)

And on Central Site's RRAS server:

To 10.0.1.0/24 via 10.1.0.2 metric 1 (traffic to Satellite Site #1 goes through Satellite Site #1's RRAS server's VPN interface)
To 10.0.2.0/24 via 10.1.0.3 metric 1 (traffic to Satellite Site #2 goes through Satellite Site #2's RRAS server's VPN interface)
To 0.0.0.0/0 via [ISP Default Gateway] metric 1 (all other traffic goes through the ISP's default gateway)

The DSL routers in both Satellite Sites direct traffic for each private subnet back through the RRAS servers. I.e.
in Sattellite Site #1, the DSL router's table looks like this: To 10.0.0.0/24 via 10.0.1.5 metric 2 (traffic to Central Sitegoes through Sattellite Site #1's RRAS server's LAN interface) To 10.0.2.0/24 via 10.0.1.5 metric 2 (traffic to Sattellite Site #2 goes through Sattellite Site #1's RRAS server's LAN interface) To 10.1.0.0/24 via 10.0.1.5 metric 1 (traffic to VPN-WAN subnet goes through Sattellite Site #1's RRAS Server's LAN interface) To 0.0.0.0/0 via [ISP Default Gateway] metric 1 (all other traffic goes through the ISPs default gateway) and in Sattellite Site #2, the DSL router's table looks like this: To 10.0.0.0/24 via 10.0.2.5 metric 2 (traffic to Central Sitegoes through Sattellite Site #2's RRAS server's LAN interface) To 10.0.1.0/24 via 10.0.2.5 metric 2 (traffic to Sattellite Site #1 goes through Sattellite Site #2's RRAS server's LAN interface) To 10.1.0.0/24 via 10.0.2.5 metric 1 (traffic to VPN-WAN subnet goes through Sattellite Site #2's RRAS Server's LAN interface) To 0.0.0.0/0 via [ISP Default Gateway] metric 1 (all other traffic goes through the ISPs default gateway) I know this is a little difficult to visualize, so if anyone interested in helping would like a diagram, I could send one. The problem with the two Sattellite Sites' servers' communication is bizzarre to me, mainly because the rest of the machines on each local subnet are able to connect to the remote servers just fine, using the RRAS servers as their default gatway. --Jeremy -----Original Message----- From: Jon Carnes [mailto:jonc at HAHT.COM] Sent: Monday, December 20, 1999 1:44 PM To: VPN at SECURITYFOCUS.COM Subject: Re: MS PPTP Weirdness Okay. It is routing... Each VPN server has to have as their default route, the DSL connection. The other local machines use the VPN as the default. Setup a route on VPN1 server to the VPN2 network via the VPN1 connection. Mirror that for your VPN2 server. Basically, print out the routes on VPN1 Server. Do you see a route for the VPN2 network? 
No - it goes down the default route.
Yes - Well, that's where the packets go!

Note: you cannot change the default, as that will mean the box can no longer find the internet and therefore not find the VPN connection (unless you add a 255.255.255.255 route that just points to the other endpoint address using the DSL connection).

Good Luck
Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "Jeremy Jones"
To:
Sent: Monday, December 20, 1999 10:30 AM
Subject: MS PPTP Weirdness

> Hi all,
>
> I have a client with several sites, all with 256k+ Internet connections.
> The central site has an MS VPN server behind a proxy, and two satellite
> sites make PPTP calls from behind NAT firewalls to the central site. The
> two satellites are able to connect just fine, and the connection is as
> stable as the DSL connections. The problem is that the VPN client servers
> in the satellite sites cannot see each other. The VPN client in satellite
> site 1 can ping the central site, and the VPN client in satellite site 2
> can ping the central site. The VPN server in the central site can ping
> either VPN client. The VPN connections are used for routing between the
> sites, and the VPN-WAN cloud has its own subnet.
>
> The bizarre thing, and the thing that makes me think that routing is NOT
> the problem, is that workstations in satellite site 1 can ping the
> workstation machines in satellite site 2 as well as the VPN machine in
> satellite site 2. Likewise, workstations in satellite site 2 can ping
> anything. The workstations in each satellite site are using the VPN
> machines on their local subnet as default gateways.
>
> Now why would the workstations be able to get around just fine, using the
> routing tables set up on the VPN machines, when the VPN machines themselves
> cannot communicate?
>
> If routing tables would be helpful, I'd be happy to send them along...
>
> Thanks in advance,
> Jeremy Jones, MA, MCSE, CCNA
> Systems Analyst
> Northwest Network Services
> (208) 343-5260 x106
> http://www.nwnets.com
> mailto:jjones at nwnets.com
>
> VPN is sponsored by SecurityFocus.COM

From jsdy at COSPO.OSIS.GOV Wed Dec 29 11:41:03 1999
From: jsdy at COSPO.OSIS.GOV (Joseph S D Yao)
Date: Wed, 29 Dec 1999 11:41:03 -0500
Subject: VPN vs. Telnet for Higher Ed?
In-Reply-To: <19991228150308.72110.qmail@hotmail.com>; from Nate C on Tue, Dec 28, 1999 at 07:03:08AM -0800
References: <19991228150308.72110.qmail@hotmail.com>
Message-ID: <19991229114103.A9172@adams.cospo.osis.gov>

On Tue, Dec 28, 1999 at 07:03:08AM -0800, Nate C wrote:
> I am in a sales situation with a university concerning VPN. One of the
> questions brought up was what would be the major differences between
> instituting a VPN versus the current access method of telnet?
>
> Are there any major differences? Security? Functionality?
>
> Any input would be appreciated. Thanks.

Get somebody from the software engineering side of your company, who knows something about your product, to go with you before you try to make any sales.

They are about as different as night and day. Well, twilight and day, anyway.

Telnet is character-only. It's the equivalent of having a glass TTY in front of you, and being able to type text in and get text back. NOTHING ELSE. No web. No FTP, except as based on the remote host. No e-mail, except same. No local access to network services from the remote host whatsoever. Therefore, your access to network services is exactly the access of the remote host - IF you can find a character-based client program, and know how to use it.

With VPNs, there is no need for a remote host - you are attaching to a remote network. For the school, this means that there is no need to have shell login accounts for all students on some machine. The school can also assign network access based on the student logging in [this is product-dependent].
From the user's point of view, he or she has just connected the local system [probably a PC running Linux or BSD or MacOS or MSjunk] to the whole [presumably] protected school network, and all of the regularly available school network services are now directly available.

--
Joe Yao jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

From yawl at TELEKBIRD.COM.CN Wed Dec 29 02:34:36 1999
From: yawl at TELEKBIRD.COM.CN (yawl)
Date: Wed, 29 Dec 1999 15:34:36 +0800
Subject: need help about ppp+ssh
Message-ID: <199912291514.XAA20796@smtp3.zj.cninfo.net>

I know the question may be too old, but I have been confused by it for a week, and I really need some people to help me:

I am now going to set up a VPN with PPP and ssh on my Linux. But after reading lots of documents (including the VPN HOWTO and other things) I still get lots of problems. At last, I solved most of them: the PPP device appeared on both sides and the route table is set correctly. HOWEVER, I cannot ping through them. I am really confused about this situation, and cannot get helpful information on the web. If somebody has some experience of an ssh+ppp VPN solution, I hope you can give me some hints. Maybe a detailed explanation of the ssh & PPP mechanism would help me.

Thank you very much.
yours yawl

From rk_ at MAILCITY.COM Wed Dec 29 13:18:16 1999
From: rk_ at MAILCITY.COM (S Ramakrishnan)
Date: Wed, 29 Dec 1999 10:18:16 -0800
Subject: Use of Preshared Secret vs Certificates
Message-ID:

Hi -

Considering the two applications of IPSec VPNs, viz., remote access and Intranet, which mode of Phase I authentication is more widely used?

My understanding is that remote access applications cannot use preshared secrets since their IP addresses are not known in advance. Furthermore, it does not scale.
Is it also true that in most practical deployments of Intranet VPNs (gateway to gateway IPsec based), certs are preferred to preshared secrets?

Thanks,
Rk

From neil.ratzlaff at UCOP.EDU Wed Dec 29 19:52:35 1999
From: neil.ratzlaff at UCOP.EDU (Neil Ratzlaff)
Date: Wed, 29 Dec 1999 16:52:35 -0800
Subject: VPN vs. Telnet for Higher Ed?
In-Reply-To: <19991228150308.72110.qmail@hotmail.com>
Message-ID: <4.2.2.19991229164439.00a4cbd0@popserv.ucop.edu>

At 07:03 12/28/99 -0800, Nate C wrote:
>I am in a sales situation with a university concerning VPN. One of the
>questions brought up was what would be the major differences between
>instituting a VPN versus the current access method of telnet?
>
>Are there any major differences? Security? Functionality?
>
>Any input would be appreciated. Thanks.
>
>Nate

A good VPN will not have any effect on functionality, but it covers much more than telnet. Any protocol can be used through a VPN - http, smtp, telnet, etc. etc. Under some Network Address Translation situations some VPNs will fail or require special tweaks since the IP addresses are changed. Interoperability between different vendors' VPNs that claim to be compatible is not yet something to take for granted - test it yourself before buying. There is likely to be a slight loss in speed since the packets are encrypted and decrypted on both ends.

The major difference is that telnet is very insecure since the user ID and password are sent in clear text, vulnerable to sniffing. If you just want to do telnet in a more secure fashion, you might consider ssh, which in its simplest form just does encryption of packets but behaves exactly like telnet.
You can go further by adding certificates or creating an encrypted tunnel for other protocols, but you don't need to.

Neil

From jonc at HAHT.COM Thu Dec 30 13:20:44 1999
From: jonc at HAHT.COM (Jon Carnes)
Date: Thu, 30 Dec 1999 13:20:44 -0500
Subject: need help about ppp+ssh
References: <199912291514.XAA20796@smtp3.zj.cninfo.net>
Message-ID: <00e701bf52f2$a890d310$6803010a@dhcp.haht.com>

If this is on your firewall (firewall to firewall), you will have to enable the rights so that traffic, including icmp (ping) packets, can travel across that interface. I have a script that brings up my firewalling and lets me drop it (so that anything is accepted). To test, I would run the rc.firewall_off script and then ping and traceroute across the VPN to various machines. Then, of course, I would run rc.firewall_on to turn on the firewalling.

Since you have secure shell running on both sides, it also makes it a snap to have two sessions open on one box so that you can see what's going on. I *love* secure shell!

I'm sorry that I've been remiss in updating the Linux HowTo. My company has been keeping me running: we just moved to a new location, and now we are prepping for Y2k.

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "yawl"
To:
Sent: Wednesday, December 29, 1999 2:34 AM
Subject: need help about ppp+ssh

> I know the question may be too old, but I am confused by it for a week,
> I really need some people to help me:
>
> I am now going to set up a VPN with PPP and ssh on my Linux.
> But after reading lots of documents (including VPN howto, and other
> things) I still get lots of problems. At last, I solved most of them, the PPP
> device appeared on both sides, route table is set correct, HOWEVER, I can not
> ping them through. I am really confused about this situation, and can not get
> helpful information on the web. If somebody have some experience of ssh+ppp
> VPN solution, I hope you can give me some hints.
> Maybe a detail explanation of
> the ssh & PPP mechanism would help me.
>
> Thank you very much.
> yours yawl

From ifox100 at HOTMAIL.COM Thu Dec 30 11:48:54 1999
From: ifox100 at HOTMAIL.COM (Ivan Fox)
Date: Thu, 30 Dec 1999 11:48:54 -0500
Subject: NFS in a VPN
Message-ID: <19991230164854.21696.qmail@hotmail.com>

Can we run NFS within a VPN?

Any comments are appreciated.

Thanks and regards,

Ivan

From rick_smith at SECURECOMPUTING.COM Thu Dec 30 17:52:52 1999
From: rick_smith at SECURECOMPUTING.COM (Rick Smith)
Date: Thu, 30 Dec 1999 16:52:52 -0600
Subject: NFS in a VPN
In-Reply-To: <19991230164854.21696.qmail@hotmail.com>
Message-ID: <3.0.3.32.19991230165252.0099c120@mailhost.sctc.com>

At 11:48 AM 12/30/1999 -0500, Ivan Fox wrote:
>Can we run NFS within a VPN?

Should be OK, assuming that you really trust all the sites that are hooking in to the VPN. Be sure you're using the latest version of IPSEC with anti-replay protections enabled.

Rick.
smith at securecomputing.com
"Internet Cryptography" at http://www.visi.com/crypto/

From chouanard at PARC.XEROX.COM Thu Dec 30 19:29:19 1999
From: chouanard at PARC.XEROX.COM (Jean Chouanard)
Date: Thu, 30 Dec 1999 16:29:19 PST
Subject: NFS in a VPN
In-Reply-To: <19991230164854.21696.qmail@hotmail.com>
References: <19991230164854.21696.qmail@hotmail.com>
Message-ID: <99Dec30.162927pst."298164"@trouble.parc.xerox.com>

It should be OK. One of the problems I found on a buggy VPN implementation was some fragmentation issue with NFS v3.

On 30 December 1999 at 8:48, someone using the login of "Ivan Fox " wrote:
> Can we run NFS within a VPN?
>
> Any comments are appreciated.
>
> Thanks and regards,
>
> Ivan

From jinsong at INTERNETAPPLIANCE.COM Thu Dec 30 20:16:19 1999
From: jinsong at INTERNETAPPLIANCE.COM (Du Jinsong)
Date: Fri, 31 Dec 1999 09:16:19 +0800
Subject: Use of Preshared Secret vs Certificates
Message-ID: <386C03E3.BB300221@internetappliance.com>

S Ramakrishnan wrote:
> Hi -
>
> Considering the two applications
> of IPSec VPNs, viz.,
> remote access and Intranet,
> which mode of Phase I authentication
> is more widely used?
>
> My understanding is that remote access
> applications cannot use preshared secrets
> since their IP addresses are not known in
> advance. Furthermore, it does not scale.
>

Remote users *can* use preshared secrets, and the user profile can be something other than IP address. The only problem with preshared secrets is that, if there are 100 users, the server/SG must keep 100 preshared secrets.

>
> Is it also true that in most practical
> deployments of Intranet VPNs (gateway
> to gateway IPsec based), certs are
> preferred to preshared secrets?

Many VPN products do implement PKI, but a lot (if not most) customers still use preshared secrets because of their simplicity.

// jinsong

From chouanard at PARC.XEROX.COM Fri Dec 31 12:41:12 1999
From: chouanard at PARC.XEROX.COM (Jean Chouanard)
Date: Fri, 31 Dec 1999 09:41:12 PST
Subject: NFS in a VPN
In-Reply-To:
References:
Message-ID: <99Dec31.094121pst."298164"@trouble.parc.xerox.com>

What I was referring to was a *buggy* VPN implementation, which will not re-assemble these frags correctly. This is a bug.

On 31 December 1999 at 4:41, someone using the login of ""Golder, Fred" " wrote:
> The fragmentation is a fact of life with a VPN and maximum sized packets.
> any tunneling type protocol has to add bytes to the packet during the
> encapsulation. Also any data integrity scheme will have to add bytes to the
> message. This will cause packet fragmentation, but it isn't a bug.
>
> -Fred Golder
>
> -----Original Message-----
> From: Jean Chouanard [mailto:chouanard at PARC.XEROX.COM]
> Sent: Thursday, December 30, 1999 7:29 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: NFS in a VPN
>
> It should be OK. One of the problem I found on buggy VPN implementation was
> some fragmentation issue with NFS v3.
>
> On 30 December 1999 at 8:48, someone using the login of "Ivan Fox
> " wrote:
> > Can we run NFS within a VPN?
> >
> > Any comments are appreciated.
> >
> > Thanks and regards,
> >
> > Ivan
From Fred.Golder at CENDANT.COM Fri Dec 31 07:41:43 1999
From: Fred.Golder at CENDANT.COM (Golder, Fred)
Date: Fri, 31 Dec 1999 07:41:43 -0500
Subject: NFS in a VPN
Message-ID:

The fragmentation is a fact of life with a VPN and maximum sized packets. Any tunneling type protocol has to add bytes to the packet during the encapsulation. Also any data integrity scheme will have to add bytes to the message. This will cause packet fragmentation, but it isn't a bug.

-Fred Golder

-----Original Message-----
From: Jean Chouanard [mailto:chouanard at PARC.XEROX.COM]
Sent: Thursday, December 30, 1999 7:29 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: NFS in a VPN

It should be OK. One of the problem I found on buggy VPN implementation was some fragmentation issue with NFS v3.

On 30 December 1999 at 8:48, someone using the login of "Ivan Fox " wrote:
> Can we run NFS within a VPN?
>
> Any comments are appreciated.
>
> Thanks and regards,
>
> Ivan

From rng at NETSCREEN.COM Fri Dec 31 14:50:05 1999
From: rng at NETSCREEN.COM (Ronald Ng)
Date: Fri, 31 Dec 1999 11:50:05 -0800
Subject: NFS in a VPN
References: <99Dec31.094121pst."298164"@trouble.parc.xerox.com>
Message-ID: <001001bf53c8$3d1341a0$8536fea9@netscreen.com>

Fragmentation could also be mishandled by a badly written application. My .02.

----- Original Message -----
From: "Jean Chouanard"
To:
Sent: Friday, December 31, 1999 9:41 AM
Subject: Re: NFS in a VPN

> What I was referring too was *buggy* VPN implementation, which will not
> re-assemble correctly these frags.
> This is a bug.
From chouanard at PARC.XEROX.COM Fri Dec 31 15:12:21 1999
From: chouanard at PARC.XEROX.COM (Jean Chouanard)
Date: Fri, 31 Dec 1999 12:12:21 PST
Subject: NFS in a VPN
In-Reply-To: <001001bf53c8$3d1341a0$8536fea9@netscreen.com>
References: <99Dec31.094121pst."298164"@trouble.parc.xerox.com> <001001bf53c8$3d1341a0$8536fea9@netscreen.com>
Message-ID: <99Dec31.121222pst."298164"@trouble.parc.xerox.com>

Yes, the Don't Fragment bit and a firewall denying ICMP (3/4) don't work well together, for example.

On 31 December 1999 at 11:50, someone using the login of ""Ronald Ng" " wrote:
> Fragmentation could also be mishandled by a badly written application. My
> .02.
> ----- Original Message -----
> From: "Jean Chouanard"
> To:
> Sent: Friday, December 31, 1999 9:41 AM
> Subject: Re: NFS in a VPN
>
> > What I was referring too was *buggy* VPN implementation, which will not
> > re-assemble correctly these frags.
> > This is a bug.
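Added example for the "MS PPTP Weirdness" thread above (this is editor-added code, not anything Jeremy Jones or Jon Carnes posted). Jon's advice is to print the routes and ask "where do the packets go?"; the script below answers that question mechanically for the Satellite Site #1 tables Jeremy listed, by doing longest-prefix lookups and resolving next hops recursively the way a host does. One detail is not in the post and is the assumption the script varies: whether the RRAS server's PPTP interface treats only the central server's VPN address 10.1.0.1 as on-link (a point-to-point link) or the whole VPN-WAN subnet 10.1.0.0/24. "ISP" stands in for Jeremy's "[ISP Default Gateway]"; the 10.0.1.20 and 10.0.2.5 hosts are constructed sample addresses.

```python
import ipaddress

# Routes exactly as listed in the post for Satellite Site #1.
RRAS1_TABLE = [
    ("10.0.0.0/24", "10.1.0.1"),   # Central Site via the central RRAS VPN address
    ("10.0.2.0/24", "10.1.0.3"),   # Satellite Site #2 via its RRAS VPN address
    ("0.0.0.0/0",   "10.0.1.1"),   # everything else via the DSL/NAT router
]
DSL1_TABLE = [
    ("10.0.0.0/24", "10.0.1.5"),   # private subnets go back to the RRAS LAN interface
    ("10.0.2.0/24", "10.0.1.5"),
    ("10.1.0.0/24", "10.0.1.5"),
    ("0.0.0.0/0",   "ISP"),        # placeholder for "[ISP Default Gateway]"
]


def lookup(table, dst):
    """Longest-prefix match over (prefix, next hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def on_link(links, addr):
    """True if addr is directly reachable over one of the box's interfaces.
    links may hold prefixes and symbolic names such as "ISP"."""
    try:
        a = ipaddress.ip_address(addr)
    except ValueError:
        return addr in links
    for link in links:
        try:
            if a in ipaddress.ip_network(link):
                return True
        except ValueError:
            continue
    return False


def site1_routers(tunnel_subnet_on_link):
    """Model of the two Site #1 boxes: name -> (table, on-link prefixes,
    {next-hop address: name of the neighbour that owns it}).
    ASSUMPTION varied by the flag: what the PPTP interface considers on-link."""
    rras_links = {"10.0.1.0/24",
                  "10.1.0.0/24" if tunnel_subnet_on_link else "10.1.0.1/32"}
    return {
        "RRAS1": (RRAS1_TABLE, rras_links,
                  {"10.0.1.1": "DSL1", "10.1.0.1": "CENTRAL"}),
        "DSL1": (DSL1_TABLE, {"10.0.1.0/24", "ISP"},
                 {"10.0.1.5": "RRAS1"}),
    }


def trace(dst, start, routers, max_hops=8):
    """Follow a packet for dst from box `start`.  A next hop that is not on-link
    is itself looked up (recursive resolution).  Returns (outcome, path):
    'delivered' (dst is on-link), 'handed-to' (left the modelled boxes toward
    the last name in path), 'loop' (came back to a box already visited)."""
    path = [start]
    cur = start
    while len(path) <= max_hops:
        table, links, neighbours = routers[cur]
        if on_link(links, dst):
            return ("delivered", path)
        nh = lookup(table, dst)
        tried = set()
        while nh is not None and not on_link(links, nh):
            if nh in tried:
                return ("unresolvable", path)
            tried.add(nh)
            nh = lookup(table, nh)
        if nh is None:
            return ("no-route", path)
        nxt = neighbours.get(nh, nh)
        path.append(nxt)
        if nxt not in routers:
            return ("handed-to", path)
        if path.count(nxt) > 1:
            return ("loop", path)
        cur = nxt
    return ("too-many-hops", path)


if __name__ == "__main__":
    for flag in (False, True):
        print("VPN-WAN subnet on-link:", flag, "->",
              trace("10.0.2.5", "RRAS1", site1_routers(flag)))
```

With the point-to-point assumption the trace for a Site #2 host bounces RRAS1 -> DSL1 -> RRAS1: the route to 10.0.2.0/24 names 10.1.0.3 as next hop, 10.1.0.3 is not on-link, its own lookup falls to the default route toward the DSL router, and the DSL router's static routes send the packet straight back. With the whole VPN-WAN subnet on-link the packet is handed to 10.1.0.3 directly. The point of the exercise is the check, not the verdict: a next hop has to be resolvable to an on-link address on the box that holds the route, and a "correct-looking" table can still loop when it is not.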
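Added example for the "NFS in a VPN" thread above (editor-added code, not from any message on the list). It puts numbers on the three points made there: Fred Golder's observation that tunnel encapsulation and integrity checking add bytes to a full-size packet and so force fragmentation, Jean Chouanard's distinction between that and a gateway that fails to reassemble, and his last note that the Don't Fragment bit plus a firewall dropping ICMP type 3 code 4 is a bad combination. The ESP tunnel-mode layout is real; the default IV and ICV sizes (8-byte CBC IV, 96-bit HMAC) are constructed to resemble late-1990s transforms and are an assumption, as are the 1500-byte link MTU and the sample packet sizes.

```python
import math

IP_HDR = 20      # IPv4 header without options
ESP_HDR = 8      # SPI (4) + sequence number (4)
ICMP_FRAG_NEEDED = (3, 4)   # ICMP type 3, code 4: "fragmentation needed and DF set"


def esp_tunnel_size(inner_len, iv_len=8, icv_len=12, block=8):
    """Bytes on the wire for an ESP tunnel-mode packet carrying an inner IP
    packet of inner_len bytes (assumed transform sizes, see lead-in).
    Layout: outer IP | SPI+seq | IV | inner packet + padding + pad-len + next-hdr | ICV.
    The 2-byte trailer plus padding brings the encrypted part to a cipher-block multiple."""
    padded = math.ceil((inner_len + 2) / block) * block
    return IP_HDR + ESP_HDR + iv_len + padded + icv_len


def max_inner_len(link_mtu, **esp):
    """Largest inner packet whose encapsulated form still fits the link MTU."""
    n = link_mtu
    while n > 0 and esp_tunnel_size(n, **esp) > link_mtu:
        n -= 1
    return n


def fragment_count(size, link_mtu):
    """IPv4 fragments needed to carry `size` bytes over link_mtu; every fragment
    but the last carries a payload that is a multiple of 8 bytes."""
    payload_per_frag = (link_mtu - IP_HDR) // 8 * 8
    return math.ceil((size - IP_HDR) / payload_per_frag)


def send_through_tunnel(inner_len, df, link_mtu=1500, icmp_3_4_reaches_sender=True, **esp):
    """Fate of one inner packet at the tunnel gateway.  Returns (outcome, detail):
      ('fits', size)        encapsulated packet fits the link as is
      ('fragmented', n)     DF clear: the outer packet is split into n fragments,
                            which the far gateway must reassemble before decrypting
      ('pmtud', max_inner)  DF set and ICMP 3/4 delivered: sender shrinks to max_inner
      ('blackhole', None)   DF set and ICMP 3/4 filtered: the packet is silently lost"""
    size = esp_tunnel_size(inner_len, **esp)
    if size <= link_mtu:
        return ("fits", size)
    if not df:
        return ("fragmented", fragment_count(size, link_mtu))
    if icmp_3_4_reaches_sender:
        return ("pmtud", max_inner_len(link_mtu, **esp))
    return ("blackhole", None)


if __name__ == "__main__":
    # An NFS v3 read reply already cut into full 1500-byte Ethernet packets.
    print("1500-byte inner packet becomes", esp_tunnel_size(1500), "bytes")
    print("largest inner packet that fits a 1500 MTU:", max_inner_len(1500))
    for df, icmp in ((False, True), (True, True), (True, False)):
        print("DF =", df, "ICMP 3/4 passes =", icmp, "->",
              send_through_tunnel(1500, df, icmp_3_4_reaches_sender=icmp))
```

A 1500-byte inner packet grows to 1552 bytes and cannot cross a 1500-byte link whole, which is Fred's "fact of life". With DF clear the gateway fragments it into two pieces, and the far end has to reassemble them before it can verify the ICV and decrypt; a gateway that mishandles that step is Jean's bug. With DF set, the sender only finds out the tunnel path is narrower if the ICMP 3/4 message reaches it, so a firewall policy for the tunnel endpoints should admit that message (or the gateway should clamp the MTU on the tunnel interface) rather than leave large NFS transfers to hang.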