From me at nettest.dk Wed Nov 3 05:11:25 1999
From: me at nettest.dk (Michael Enk)
Date: Wed, 3 Nov 1999 11:11:25 +0100
Subject: HOWTO: Encryption on local LAN
Message-ID:

Hi all,

I have run into a bit of a problem. I am looking for a 'black box' device, which I can use for encryption of normal IP based traffic on a LAN/WAN. As yet I have not been able to find any such device. If anybody has a suggestion I would appreciate all the help I can get.

It is not possible to implement any software solution, since I have several different platforms, including some probes, which are not running any normal OS.

Best regards,
Michael Enk

----------------------------------------------------------------------------
Michael Enk, System Administrator (R&D)
GN Nettest, Kirkebjerg Alle 90, DK-2605 Brondby, Denmark
Mail: me at nettest.dk, Voice: +45 72112511, Fax: +45 72112450

****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html

We are currently experiencing "unsubscribe" difficulties. If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com
****************************************************************

From david.kennedy at acm.org Tue Nov 2 17:42:12 1999
From: david.kennedy at acm.org (David Kennedy CISSP)
Date: Tue, 02 Nov 1999 17:42:12 -0500
Subject: Firewall @ remote location
In-Reply-To: <002201bf2008$44a0cf80$0300a8c0@ddessi.local>
Message-ID: <3.0.5.32.19991102174212.009a3290@pop.compuserve.com>

At 07:17 PM 10/26/1999 -0400, Danilo Dessi wrote:
>>>>
I am planning a "VPN" to connect a bank's head office with a small rep. office. My question regards firewalls. Since there will only be one computer at the rep office it is very hard to justify a firewall which can cost more than the computer.
<<<<

I suggest you flip your question around... what's it worth to the bank to avoid having something bad happen via this system?

The responses so far come in just a couple of flavors: use a client to your corporate firewall (OBVPN), and use something cheap but of unknown effectiveness. I'll make some generalizations: it's a U$1,500 PC, with another U$500 worth of software, running on a comm line that costs U$600 a year, operated by an employee who makes U$ thousands? in salary annually; it's processing information worth U$ thousands? to the bank, and protecting that will either be a U$50-U$100 software program of unknown assurance or
>>>>
Most DSL routers have a firewall feature set. On Flowpoints it's only about $200 (quite a horrible firewall implementation actually), which should do the job.
<<<<

Does the bank really want a "horrible" firewall implementation (see Bugtraq in both April and August of this year) just because it is included in the cost of the connection?

Or would the bank prefer a firewall client that costs U$hundreds or a more robust firewall appliance like PIX or Office Cable Modem or GNATbox? I'm not suggesting you spend as much as you possibly can getting the biggest, prettiest, most featureful box available with its own maintenance contract, a month of training for the new admin, and oh yeah, hire a full-time firewall admin for that one PC. I'm trying to suggest comparing the value of the IT to the bank and picking a more reasonable, even if more expensive, and robust solution.

How much does the bank spend on the physical security of that branch to avoid having something bad happen?

From kemp at indusriver.com Wed Nov 3 17:24:14 1999
From: kemp at indusriver.com (Brad Kemp)
Date: Wed, 03 Nov 1999 17:24:14 -0500
Subject: PPP through ssh?
In-Reply-To: <199910290428.GAA19510@localnet.hh>
Message-ID: <3.0.3.32.19991103172414.03025100@pop3.indusriver.com>

Helmut,

There has been work on tunnels using ssh and using ssl/tls. You can run PPP through ssh or ssl/tls and have a working VPN. One problem you may find is that performance suffers greatly when the internet experiences congestion or starts dropping packets. What happens in this scenario is that the ssh or ssl/tls TCP session retransmits and your application's TCP session retransmits. This doubles the packets sent up the link, so your effective throughput is halved. Additionally, you add to the congestion which caused the problem in the first place.

There is a Debian Linux add-on that tunnels over https (see httpstunnel).

For ssh/ssl/tls tunnels check out
http://www.csee.uq.edu.au/~leonard/software/
http://mike.daewoo.com.pl/computer/stunnel/

At 06:25 AM 10/29/99 +0200, Helmut Heller wrote:
>Hello,
>
>I am rather new to the VPN field, so please excuse my ignorance.
>
>To couple two sites through a secure internet connection (without paying big
>bucks, read: for free), shouldn't it be OK to use PPP via an ssh tunnel? Are
>there any known drawbacks to that approach?
>
>Are there any documents out there describing what one has to do to make it work?
>
>Thanks for any pointers and infos!
>
>Helmut
>
>---
>Servus, Helmut (DH0MAD)            ______________NeXT-mail accepted________________
>Phone: +49-8671-881665             "Knowledge must be gathered and cannot be given"
>hheller at gmx.de                                   ZEN, one of BLAKES7
>FAX: +49-8671-881665               ------------------------------------------------
>Dr. Helmut Heller, Muehldorfer Str. 72, 84503 Altoetting, GERMANY

--- -- --
Brad Kemp
Indus River Networks, Inc.          BradKemp at indusriver.com
31 Nagog Park                       978-266-8122
Acton, MA 01720                     fax 978-266-8111
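A constructed illustration (added here; not from Brad Kemp or anyone on the list) of the stacked-retransmission effect Brad describes: a stop-and-wait inner TCP sender is run once directly over a lossy link and once inside a reliable outer TCP session (the ssh tunnel), and the packets put on the wire per delivered segment are compared. The timers, the deterministic loss pattern, lossless ACKs and the stop-and-wait simplification are all assumptions made to keep the model checkable by hand.

```python
"""Toy model of TCP-over-TCP (e.g. PPP over an ssh tunnel) retransmission stacking.

Constructed example: a stop-and-wait inner TCP sender with a fixed RTO is carried
either directly over a lossy link or inside a reliable outer TCP (the ssh session).
Loss is a deterministic pattern (every LOSS_EVERY-th packet on the link is dropped)
so the results can be verified by hand. ACKs are assumed never to be lost.
"""
from dataclasses import dataclass

RTT = 100          # ms, link round trip (constructed)
RTO_INNER = 300    # ms, application TCP retransmission timeout (constructed)
RTO_OUTER = 300    # ms, ssh/ssl TCP retransmission timeout (constructed)
LOSS_EVERY = 4     # every 4th packet placed on the link is dropped (constructed)


@dataclass
class Link:
    """Counts packets placed on the wire and applies the deterministic loss pattern."""
    sent: int = 0

    def transmit(self) -> bool:
        """Put one packet on the link; return True if it got through."""
        self.sent += 1
        return self.sent % LOSS_EVERY != 0


@dataclass
class Result:
    link_packets: int   # total packets that hit the wire, including all retransmits
    elapsed_ms: int     # time until the last segment was acknowledged
    segments: int       # useful segments delivered

    @property
    def packets_per_segment(self) -> float:
        return self.link_packets / self.segments


def direct_segment(link: Link) -> int:
    """Inner TCP alone on the link: on loss it retransmits after RTO_INNER.
    Returns the time at which the ACK for this segment arrives."""
    t = 0
    while not link.transmit():
        t += RTO_INNER
    return t + RTT


def outer_deliver(link: Link, start: int) -> int:
    """The outer (ssh) TCP reliably delivers one payload handed to it at `start`,
    retransmitting after RTO_OUTER on loss. It cannot be told to give up, so every
    retry counts against the link even if the inner layer no longer needs the data."""
    t = start
    while not link.transmit():
        t += RTO_OUTER
    return t + RTT


def tunneled_segment(link: Link) -> int:
    """Inner TCP inside the tunnel: it cannot see that the outer layer is already
    retrying, so its own RTO fires and the duplicate is carried reliably as well."""
    ack_at = outer_deliver(link, 0)
    k = 1
    while k * RTO_INNER < ack_at:           # inner timer fires before the ACK arrives
        ack_at = min(ack_at, outer_deliver(link, k * RTO_INNER))
        k += 1
    return ack_at


def simulate(segments: int, tunneled: bool) -> Result:
    """Send `segments` back-to-back segments and report link load and elapsed time."""
    link = Link()
    step = tunneled_segment if tunneled else direct_segment
    elapsed = sum(step(link) for _ in range(segments))
    return Result(link.sent, elapsed, segments)


if __name__ == "__main__":
    for mode in (False, True):
        r = simulate(20, mode)
        print("tunneled" if mode else "direct  ", r.link_packets, "link packets,",
              r.elapsed_ms, "ms,", f"{r.packets_per_segment:.2f} packets/segment")
```

With the same 20 segments, the direct sender puts 26 packets on the link while the tunneled one puts 38 there, because every loss costs an outer retransmit plus an inner duplicate, and the extra packets themselves meet the loss pattern more often.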
From SHOPE at datarange.co.uk Thu Nov 4 04:43:56 1999
From: SHOPE at datarange.co.uk (Stephen Hope)
Date: Thu, 4 Nov 1999 09:43:56 -0000
Subject: HOWTO: Encryption on local LAN
Message-ID: <01903665B361D211BF6700805FAD5D9325B7DC@mail.datarange.co.uk>

Use a VPN box for this (or PC / NT s/w). Most VPN boxes come in an Ethernet - Ethernet version, e.g. Nortel Contivity. Although this is so that you can use the encryptor with a router, you can use these in a LAN - LAN environment as well.

If you want an encryptor specifically designed for this, then Cylink make a box called the Secure Domain Unit or SDU which we use in banks etc. This is DES / 3DES, but needs to talk to another SDU rather than IPsec.

Stephen

Stephen Hope C. Eng, Network Consultant
shope at datarange.co.uk, or shope at bcs.org.uk
Datarange Communications PLC, Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4190   Mob: +44 (0)467 256 180   Fax: +44 (0)161 776 4189

-----Original Message-----
From: Michael Enk [mailto:me at nettest.dk]
Sent: Wednesday, November 03, 1999 10:11 AM
To: cryptography at c2.net; vpn at listserv.secnetgroup.com
Subject: HOWTO: Encryption on local LAN

Hi all,

I have run into a bit of a problem. I am looking for a 'black box' device, which I can use for encryption of normal IP based traffic on a LAN/WAN. As yet I have not been able to find any such device. If anybody has a suggestion I would appreciate all the help I can get.

It is not possible to implement any software solution, since I have several different platforms, including some probes, which are not running any normal OS.

Best regards,
Michael Enk

----------------------------------------------------------------------------
Michael Enk, System Administrator (R&D)
GN Nettest, Kirkebjerg Alle 90, DK-2605 Brondby, Denmark
Mail: me at nettest.dk, Voice: +45 72112511, Fax: +45 72112450

From eric_h at Earthlink.Net Wed Nov 3 19:07:52 1999
From: eric_h at Earthlink.Net (Eric Henriksen)
Date: Wed, 3 Nov 1999 19:07:52 -0500
Subject: Firewall @ remote location
References: <3.0.3.32.19991028152317.00a6e190@pop3.indusriver.com>
Message-ID: <000401bf266d$ab160120$0446f2cf@redcreek.com>

You may also consider one of the appliances that offer a combo firewall/vpn gateway, terminating the inside of the vpn server in the firewall. With this, you can not only filter, but also launch user authentication.

Otherwise, you may consider running the client or vpn gateway such that all traffic is tunneled over the vpn when it is active.
This would eliminate the possibility that the remote machine could get hijacked WHILE the vpn is connected to the head end. Access to the internet could be accommodated via the internal side of the corporate firewall as the default gateway for the corporate VPN server, and override the route for the vpns to go directly out the public interface. This way, the user is able to DNS resolve and access the public internet transparently whether the vpn is up or down, minimizing phone calls or DNS complexities. This not only plugs a security hole, but puts the authorization and auditing back in the hands of the HQ staff, if a bit Orwellian. Also, if the user has a 'need for speed' they'll likely call, and be willing to take the extra step recommended by their support people to shut down the vpn if they want to browse the web directly. However, with DSL connections and a fair (T1 or better) HQ link, they may be none the wiser.

I recommend going the extra step with the latter config and having it launch a RADIUS/token/cert challenge for the USERs of the remote vpn gateway/client software. Even if you can keep the MIM (man in the middle) attacks to a minimum, you should still not assume the identity of the remote user unless the facility is access controlled with the same trust level as the HQ side.

Another step is to avoid statically assigning the virtual ip address to the remote clients, as these can be gleaned from the machine when it is browsing the web directly and used to construct a subsequent attack when the tunnel is up. Instead, use a private DHCP server to offer these up dynamically only when the tunnel is up, releasing them when the tunnel goes down. Not all vpn servers are capable of doing this, but I can attest that RedCreek's products can.

Eric

----- Original Message -----
From: Brad Kemp
To: Danilo Dessi ;
Sent: Thursday, October 28, 1999 2:23 PM
Subject: Re: Firewall @ remote location

> A VPN extends the network perimeter. Therefore you have to take
> the same precautions on a client that you would on a corporate host
> exposed to the internet.
> A couple of recommendations:
> Do not run unnecessary services (web server, ftp server....) on the remote
> host.
> If the remote site's OS is NT, remove the WINS binding from the
> DSL adapter. This will stop Microsoft SMB traffic from reaching your host.
> Run Virus protection on the remote site religiously.
>
> There are 'personal firewall' vendors out there that will sell you
> a firewall that co-exists with your remote PC.
> conseal http://www.candc1.com/conseal/
> digital robotics http://www.digitalrobotics.com/fire.htm
> and many others. A web search on personal firewall should find most of them.
> Brad
>
> At 07:17 PM 10/26/99 -0400, Danilo Dessi wrote:
> >>>>
> I am planning a "VPN" to connect a bank's head office with a small rep.
> office. My question regards firewalls. Since there will only be one
> computer at the rep office it is very hard to justify a firewall which can
> cost more than the computer. The rep office will have a DSL connection to
> the Internet. I would like to know if there are other considerations other
> than the fact that the line is always up why I should have a firewall at
> the remote location. In other words is there more risk (exposure to
> hackers) at the rep office compared with a telecommuter who dials up from a
> remote connection and then hangs up when he/she is finished working? Can
> a hacker actually gain access to the head office LAN by compromising the
> computer located at the rep. office?
>
> Thank you to all replies,
>
> Danilo
>
> <<<<
>
> --- -- --
> Brad Kemp
> Indus River Networks, Inc.          BradKemp at indusriver.com
> 31 Nagog Park                       978-266-8122
> Acton, MA 01720                     fax 978-266-8111

From misha at insync.net Thu Nov 4 05:37:04 1999
From: misha at insync.net (Misha)
Date: Thu, 4 Nov 1999 04:37:04 -0600 (CST)
Subject: Firewall @ remote location
In-Reply-To: <3.0.5.32.19991102174212.009a3290@pop.compuserve.com>
Message-ID:

> Most DSL routers have a firewall feature set. On Flowpoints it's only
> about
> $200 (quite a horrible firewall implementation actually), which should
> do
> the job.
>
> Does the bank really want a "horrible" firewall implementation (see
> Bugtraq in both April and August of this year) just because it is
> included in the cost of the connection?

That's exactly why I included that disclaimer. I do think a router based firewall is a bit better than something on the client's end. Ideally, of course, all IPSec vendors would play nice with Cisco.
Then despite what connection you had, you could easily drop off a Cisco 1720 with dual ethernet interfaces behind your DSL router, running the IOS firewall and acting as the IPSec gateway. Total cost of under $2k for a firewall and an IPSec device in one, plus low management costs. In fact this is exactly what we expect to be doing once we find a vendor who can promise Cisco interoperability. An alternative would be a Nortel Contivity switch and their new Instant Internet box (starts at $700). A Pix at every site would be great, but even at $5k per box it's only reasonable at the branch offices.

Misha

From misha at insync.net Thu Nov 4 05:26:28 1999
From: misha at insync.net (Misha)
Date: Thu, 4 Nov 1999 04:26:28 -0600 (CST)
Subject: Firewall @ remote location
In-Reply-To: <3.0.5.32.19991030123904.0083f270@mailhost.iprg.nokia.com>
Message-ID:

I am a little confused about the part where you mention that "DSL routers are terribly insecure". Unless you are referring to the firewall feature set of any particular DSL box, I don't see how you can expect them to be otherwise secure. If you don't run anything as basic as packet filtering on the DSL router, then any vulnerability you refer to is simply related to the OS. I am sure you are referring to something other than just a plain vanilla DSL router, of course, coming from iprg.nokia.com :)

You also have to be quite careful about how DSL is configured. I have seen some ISPs who run nothing but bridged connections and often get the same problems as cable modem providers. The bridged DSL connections we provide (I work for an ISP) don't allow broadcasts to other PVCs (all clients get their own PVC); for most VPN applications we suggest SDSL service, which we offer as a routed option only, with a dedicated PVC per endpoint.

Larger clients can even afford more advanced types of DSL service, where the options are:

1) Drop off the DSL switch (Redback, Cisco) at the main datacenter, bring up an ATM circuit to a DSL carrier (Covad, Northpoint, skip the Bells) and run the PVCs from all DSL clients directly into the client's network. Along with any IP VPN flavor (usually IPSec) this gives you quite a nice configuration, with Layer 2 and 3 security. PVCs can also be authenticated against a Radius database for additional flexibility. This also allows you to bypass any problems with managing security on the remote client end, because they never really hit the public IP network until they use the corporate firewall, which allows you to enforce your security policy universally. No ISPs required, though you may want to use their services for deployment and management. Not really an option for small or medium sized clients.

2) Allow the ISP to terminate the DSL PVCs (yes, I am talking about ATM btw). Bring up an ATM connection to an ATM enabled router at the client's side and hand off the ATM traffic, which still gives you more management than usually offered at Layer 2, along with IP based encryption at Layer 3. All remote clients still have to get IP through the corporate firewall, though you lose the benefit of knowing that the PVCs never touch the ISP's equipment.

3) Do the most basic thing most ISPs could do and provide the PVC and IP. In this case you are faced with bringing up IP based encryption and enforcing the security policy through something as lame as personal firewalls.
Personally I would probably look at something like Network Ice as an alternative.

Do your homework with your ISP. DSL may be a great choice for any application other than mobile users. Most carriers offer a national option, and some even offer it to the ISPs for free (Covad does), so you may be able to get all the remote branches connected through the same ISP.

Misha

On Sat, 30 Oct 1999, Kelly Robertson wrote:

> Danilo,
>
> The answer for me is that DSL routers are terribly insecure and the
> typical client computing environments are no better. I ran basic recon
> probes and attacks against my own DSL router and SOHO and had two
> colleagues do the same. We were all successful in breaching my DSL
> Router. I had Linux, Free BSD, NT, 98, and 95 behind the router and got a
> lot further with all of them than I care to tell.
>
> DSL is nailed up all of the time and therefore vulnerable to scans. I
> would look to VPNet, Netscreen, or perhaps others for solutions under
> $1,000. End user machines can be hardened in many ways as well, without a
> lot of cost. Since my tests showed vulnerabilities that did not require
> expert knowledge to exploit, I needed to take reasonable measures. One
> thing, for example, is that I now use PGP disk on every box with
> sensitive data on it. I have it configured to shut down any virtual disk
> after five minutes of inactivity. This in itself does not constitute a
> secure environment, as it only assures the confidentiality of my
> information when I am not using it, but it is a layer of security that
> begins to give me assurance.
>
> As for the cost of the solution and the cost of the computer, I find this
> to be a fallacious comparison, frankly. I would recommend to my customer
> that they quantify the value of their data, not the value of the pc, and
> take reasonable precautions to protect it. A $1,000 solution seems
> reasonable for a financial institution, in my humble opinion, even if
> they are rolling out 2,000 kiosks...
>
> As for whether there is a path to the corporate LAN from the
> compromised machine in the field, there is indeed reason for concern on
> your part. This is relative to the trust level between machines, which
> any script kiddie with time and some tools can exploit.
>
> Reasonable precautions with a reasonable budget work well. Let common
> sense prevail over the bean counters...
>
> <<2 cents for nothing>
>
> Kelly Robertson
>
> At 07:17 PM 10/26/99 -0400, Danilo Dessi wrote:
> >>>>
> I am planning a "VPN" to connect a bank's head office with a small rep.
> office. My question regards firewalls. Since there will only be one
> computer at the rep office it is very hard to justify a firewall which can
> cost more than the computer. The rep office will have a DSL connection to
> the Internet. I would like to know if there are other considerations other
> than the fact that the line is always up why I should have a firewall at
> the remote location. In other words is there more risk (exposure to
> hackers) at the rep office compared with a telecommuter who dials up from a
> remote connection and then hangs up when he/she is finished working? Can a
> hacker actually gain access to the head office LAN by compromising the
> computer located at the rep. office?
>
> Thank you to all replies,
>
> Danilo
> <<<<

From kfannon at nextgeninter.net Thu Nov 4 08:58:26 1999
From: kfannon at nextgeninter.net (Kevin Fannon)
Date: Thu, 04 Nov 1999 08:58:26 -0500
Subject: Firewall @ remote location
References: <3.0.5.32.19991102174212.009a3290@pop.compuserve.com>
Message-ID: <382190FE.6E40BC8F@nextgeninter.net>

David,

I agree that selecting security based upon price is not reasonable. The money issue should be viewed from a savings point of view. If the bank installs a less than adequate solution they are wasting money. If on the other hand they institute an effective policy based security system with intrusion detection they will realize significant savings. This can be done either on site, but this is where cost savings comes in. To hire, train and maintain a security person is extremely costly. Replacing that person when they quit to go to a better paying job will be even more costly. Utilizing a company that provides managed security services can give you the security that the bank needs at a cost significantly less than doing it all themselves. A Check Point based solution with their Real Secure intrusion detection product would be a perfect solution at a reasonable price.
Kevin Fannon
Technical Consultant
Innovative Technology

David Kennedy CISSP wrote:

> At 07:17 PM 10/26/1999 -0400, Danilo Dessi wrote:
> >>>>
> I am planning a "VPN" to connect a bank's head office with a small
> rep. office. My question regards firewalls. Since there will only be
> one computer at the rep office it is very hard to justify a firewall
> which can cost more than the computer.
> <<<<
>
> I suggest you flip your question around... what's it worth to the bank
> to avoid having something bad happen via this system?
>
> The responses so far come in just a couple of flavors: use a client to
> your corporate firewall (OBVPN), and use something cheap but of unknown
> effectiveness. I'll make some generalizations: it's a U$1,500 PC,
> with another U$500 worth of software, running on a comm line that costs
> U$600 a year, operated by an employee who makes U$ thousands? in
> salary annually; it's processing information worth U$ thousands? to the
> bank, and protecting that will either be a U$50-U$100 software program
> of unknown assurance or
> >>>>
> Most DSL routers have a firewall feature set. On Flowpoints it's only
> about
> $200 (quite a horrible firewall implementation actually), which should
> do
> the job.
> <<<<
>
> Does the bank really want a "horrible" firewall implementation (see
> Bugtraq in both April and August of this year) just because it is
> included in the cost of the connection?
>
> Or would the bank prefer a firewall client that costs U$hundreds or a
> more robust firewall appliance like PIX or Office Cable Modem or
> GNATbox? I'm not suggesting you spend as much as you possibly can
> getting the biggest, prettiest, most featureful box available with
> its own maintenance contract, a month of training for the new admin,
> and oh yeah, hire a full-time firewall admin for that one PC. I'm
> trying to suggest comparing the value of the IT to the bank and picking a
> more reasonable, even if more expensive, and robust solution.
>
> How much does the bank spend on the physical security of that
> branch to avoid having something bad happen?

From kemp at indusriver.com Thu Nov 4 09:54:12 1999
From: kemp at indusriver.com (Brad Kemp)
Date: Thu, 04 Nov 1999 09:54:12 -0500
Subject: Firewall @ remote location
In-Reply-To: <000401bf266d$ab160120$0446f2cf@redcreek.com>
References: <3.0.3.32.19991028152317.00a6e190@pop3.indusriver.com>
Message-ID: <3.0.3.32.19991104095412.030d35b0@pop3.indusriver.com>

At 07:07 PM 11/3/99 -0500, Eric Henriksen wrote:
>Otherwise, you may consider running the client or vpn gateway such that all
>traffic is tunneled over the vpn when it is active. This would eliminate
>the possibility that the remote machine could get hijacked WHILE the vpn is
>connected to the head end. Access to the internet could be accommodated via
>the internal side of the corporate firewall as the default gateway for the
>corporate VPN server, and override the route for the vpns to go directly out
>the public interface.

Most products that do this do not protect you from an attacker on the same subnet. The routing tables forward all traffic to the VPN server except that which is destined for the local subnet. To make this work, the route to the local subnet must be removed and replaced with a host route to the VPN server. Even if the product you use does not directly support this, you could put the necessary route commands in a script that is used to launch the tunnel.

--- -- --
Brad Kemp
Indus River Networks, Inc.          BradKemp at indusriver.com
31 Nagog Park                       978-266-8122
Acton, MA 01720                     fax 978-266-8111

From Christopher_St_Clair at mail.bankone.com Thu Nov 4 09:17:41 1999
From: Christopher_St_Clair at mail.bankone.com (Christopher_St_Clair at mail.bankone.com)
Date: Thu, 4 Nov 1999 09:17:41 -0500
Subject: HOWTO: Encryption on local LAN
Message-ID: <8525681F.004DCB6D.00@cmhsmtp1.dc.bankone.net>

Cylink makes hardware link encryptors that sit on both sides of a line. Check out http://www.cylink.com/products/widevpn/link/link.htm

Be prepared to shell out some cash; I think they go for around $9 grand a piece.
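A constructed model (added here; not Brad Kemp's own route commands or any product's behaviour) of the routing-table point in Brad Kemp's reply in the "Firewall @ remote location" thread above: a longest-prefix lookup is run over a client table that still carries the connected local-subnet route, and over one where that route has been replaced by a host route to the VPN server. The addresses are RFC 5737 documentation ranges and the interface names are assumptions; nothing here touches a real routing table.

```python
"""Longest-prefix-match model of a VPN client's routing table, before and after the
local-subnet route is replaced by a host route to the VPN server.

Constructed example: the client sits on 192.0.2.0/24 with local gateway 192.0.2.1,
the VPN server is 198.51.100.5 and the tunnel interface is 'tun0' (all assumed).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str
    gateway: Optional[IPv4Address] = None   # None = directly attached (on-link)

    def __str__(self) -> str:
        via = f" via {self.gateway}" if self.gateway else ""
        return f"{self.prefix} dev {self.iface}{via}"


def lookup(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Return the most specific matching route (longest prefix wins), or None."""
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def exits_via_tunnel(table: List[Route], dst: str) -> bool:
    """True if a packet to dst leaves through the tunnel rather than the physical NIC."""
    route = lookup(table, IPv4Address(dst))
    return route is not None and route.iface == "tun0"


GW = IPv4Address("192.0.2.1")                 # local default gateway (constructed)
VPN_SERVER = IPv4Network("198.51.100.5/32")   # tunnel endpoint (constructed)

# "All traffic to the VPN server except the local subnet": the connected /24 route
# is still present, so a host on the same subnet talks to us outside the tunnel.
# The /32 toward the VPN server is what carries the encrypted tunnel itself; in a
# real stack its next hop is resolved at the link layer regardless of the table.
TABLE_DEFAULT_CLIENT = [
    Route(IPv4Network("0.0.0.0/0"), "tun0"),
    Route(IPv4Network("192.0.2.0/24"), "eth0"),
    Route(VPN_SERVER, "eth0", GW),
]

# The change described in the message: the local-subnet route is removed, so the
# only path off the box outside the tunnel is the host route to the VPN server.
TABLE_HARDENED = [
    Route(IPv4Network("0.0.0.0/0"), "tun0"),
    Route(VPN_SERVER, "eth0", GW),
]


def leaking_destinations(table: List[Route], probes: List[str]) -> List[str]:
    """Destinations reached outside the tunnel, other than the VPN server itself."""
    return [d for d in probes
            if not exits_via_tunnel(table, d) and IPv4Address(d) not in VPN_SERVER]


if __name__ == "__main__":
    # Constructed probes: a same-subnet neighbour, an internet host, the VPN server.
    probes = ["192.0.2.77", "203.0.113.9", "198.51.100.5"]
    for name, table in (("split default", TABLE_DEFAULT_CLIENT),
                        ("hardened", TABLE_HARDENED)):
        print(f"{name}:")
        for d in probes:
            print(f"  {d:>14} -> {lookup(table, IPv4Address(d))}")
        print("  reached outside tunnel:", leaking_destinations(table, probes))
```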
"Michael Enk" on 11/03/99 05:11:25 AM From lhebert at netesys.com Thu Nov 4 16:31:48 1999 From: lhebert at netesys.com (Laurent Hebert) Date: Thu, 4 Nov 1999 16:31:48 -0500 Subject: PPP through ssh? Message-ID: <19991104212805405.AAA240@bacchus2.netesys.com@gvl-12364> This is what I found on the subject. See http://www.employees.org/~satch/ssh/faq/ssh-faq-5.html LH 5.4. Can I use ssh to securely connect two subnets across the Internet? You can run PPP over a regular ssh connection. See http://www.inka.de/~bigred/sw/ssh-ppp-new.txt for a working solution. It's a good idea to enable compression for this. However, this may cause problems for forwarding TCP connections, because both the TCP connection over which ssh runs and a TCP connection forwarded over the PPP/ssh tunnel may retransmit at the same time. In this case, it is better to use encrypted IP tunneling via UDP. A possible implementation of this is http://www.inka.de/~bigred/devel/cipe.html . ---------- > De : Helmut Heller > A : vpn at listserv.secnetgroup.com > Cc?: heller at localnet.hh > Objet : PPP through ssh? > Date?: 28 octobre, 1999 23:25 > > Hello, > > I am rather new to the VPN field, so please excuse my ignorance. > > To couple two sites through a secure internet connection (without paying big > bucks, read: for free), shouldn't it be OK to use PPP via an ssh tunnel? Are > there any known drawbacks to that approach? > > Are there any documents out there describing what one has to do to make it work? > > Thanks for any pointers and infos! > > Helmut > > --- > Servus, Helmut (DH0MAD) ______________NeXT-mail accepted________________ > Phone: +49-8671-881665 "Knowledge must be gathered and cannot be given" > hheller at gmx.de ZEN, one of BLAKES7 > FAX: +49-8671-881665 ------------------------------------------------ > Dr. Helmut Heller, Muehldorfer Str. 
> 72, 84503 Altoetting, GERMANY

From davidm at mdli.com Fri Nov 5 18:26:11 1999
From: davidm at mdli.com (David Mostardi)
Date: Fri, 5 Nov 1999 15:26:11 -0800
Subject: Linux/Mac IPsec into Contivity?
Message-ID: <9911051526.ZM329988@hawk.mdli.com>

I've got a BayNetworks/Nortel Contivity 1500 box. The IPsec client that
comes with it only supports Win95/Win98/WinNT. I've got users who want to get
in through Linux or Macintosh. Has anyone successfully gotten into Contivity
over these platforms?

TIA,
------------------------------------------------------------------------
David Mostardi                   Web:   http://www.mdli.com
Unix Systems Manager             Email: davidm at mdli.com
MDL Information Systems, Inc.
                                 Voice: (510) 357-2222 x1420
14600 Catalina St., San Leandro CA 94577   Fax: (510) 352-2870
-- "When in danger or in doubt, run in circles, scream and shout"

From Torx at tm.net.my Sat Nov 6 02:34:30 1999
From: Torx at tm.net.my (Saravana Ram)
Date: Sat, 6 Nov 1999 15:34:30 +0800
Subject: PPP through ssh?
References: <199910290428.GAA19510@localnet.hh>
Message-ID: <006d01bf2829$5d691080$edc4bcca@galena>

> To couple two sites through a secure internet connection (without paying big
> bucks, read: for free), shouldn't it be OK to use PPP via an ssh tunnel? Are
> there any known drawbacks to that approach?

Exactly this is described in one of the Linux mini-HOWTOs (Firewall+VPN
mini-HOWTO, if memory serves me right).

Advantages? Easy to set up, and PPP and ssh are already available on most
Linux boxes without the need to redo kernels.

Disadvantages? If you want multiple vpn connections between multiple networks
(i.e. star configuration), you will need to set up separate point-to-point
links, which will suck up memory (think 6 instances of ppp and ssh running,
pumping data at full bandwidth) and is routing-hell.

Alternatives are CIPE, S/WAN, and the IP tunnels that come with Linux. (I
don't know how to use that though)

If you intend to expand, go IPSec with S/WAN.
howto's: http://www.linux.org/help/
s/wan: http://www.toad.com/gnu/swan.html
cipe: http://sites.inka.de/sites/bigred/devel/cipe.html

From j_dauncey at hotmail.com Thu Nov 4 14:48:55 1999
From: j_dauncey at hotmail.com (Joe Dauncey)
Date: Thu, 4 Nov 1999 19:48:55 -0000
Subject: HOWTO: Encryption on local LAN
Message-ID: <19991105101056.14643.qmail@hotmail.com>

Michael,

The CyLink Encryptor will encrypt any traffic that goes between the two
encryptor/decryptors. Basically you stick one encryptor/decryptor at each end
of your WAN link and it encrypts the traffic between the two. You also have a
management console called PrivaCy Manager, though I don't know how essential
it is. It seems to do a good job.

Cheers,

Joe Dauncey
j_dauncey at hotmail.com

----- Original Message -----
From: Michael Enk
To: ;
Sent: Wednesday, November 03, 1999 10:11 AM
Subject: HOWTO: Encryption on local LAN

> Hi all,
>
> I have run into a bit of a problem. I am looking for a 'black box' device,
> which I can use for encryption of normal IP based traffic on a LAN/WAN. As
> yet I have not been able to find any such device. If anybody has a
> suggestion I would appreciate all the help I can get. It is not possible to
> implement any software solution, since I have several different platforms
> including some probes, which are not running any normal OS.
>
> Best regards,
>
> Michael Enk
> ----------------------------------------------------------------------------
> -
> Michael Enk, System Administrator (R&D)
> GN Nettest, Kirkebjerg Alle 90, DK-2605 Brondby, Denmark
> Mail: me at nettest.dk, Voice: +45 72112511, Fax: +45 72112450

From matthewr at moreton.com.au Sun Nov 7 23:02:15 1999
From: matthewr at moreton.com.au (Matthew Ramsay)
Date: Mon, 8 Nov 1999 14:02:15 +1000
Subject: Linux PPTP VPN goes to COMDEX
Message-ID: <99110814100708.07059@gibberling.moretonbay>

Gday all,

If anyone is interested I will be at COMDEX (15-19 November) answering
questions about The Linux PPTP VPN server (aka PoPToP). I'll be at the
Moreton Bay stand.. we are releasing a VPN router product (called a NETtel)
which uses PoPToP.. I'll also be giving away a limited number of NETtels so
be sure to come talk to me!
Looking forward to meeting any fellow VPNers

Cheers,
Matt Ramsay

More info on NETtel: http://www.moreton.com.au/MBWEB/product/nettel/nettel.htm

--
Matthew Ramsay
Moreton Bay

From tbird at secnetgroup.com Tue Nov 9 19:49:21 1999
From: tbird at secnetgroup.com (Tina Bird)
Date: Tue, 9 Nov 1999 18:49:21 -0600 (CST)
Subject: Service Interruption

Hi all -- I'm going to be off-line for a few days and not able to moderate
the VPN list. Sorry for the disruption.

Cheers -- Tina Bird

From nhdung at yahoo.com Sun Nov 7 23:43:15 1999
From: nhdung at yahoo.com (Dung Nguyen)
Date: Sun, 7 Nov 1999 20:43:15 -0800 (PST)
Subject: software based VPN
Message-ID: <19991108044315.19118.rocketmail@web124.yahoomail.com>

Hello!
I am new. May I ask you a question?
Can I establish a software based VPN without support from the ISP (Internet
Service Provider)?

Thank you very much.
Dung.

=====
__________________________________________________
Do You Yahoo!?
Bid and sell for free at http://auctions.yahoo.com

From mmueller at tercom.ch Wed Nov 10 01:50:43 1999
From: mmueller at tercom.ch (Michel Mueller)
Date: Wed, 10 Nov 1999 07:50:43 +0100
Subject: Linux/Mac IPsec into Contivity?
Message-ID: <174767FC6455D311B2CC00500443895909342F@tercom1.tercom.ch>

Use the IPSec PERMIT/Client from TimeStep, which supports the following
platforms: Win 95/98/NT and Mac. This client works with any IPSec compatible
unit like Cisco, Bay, Gandalf etc.

Have a look at www.timestep.com

Michel

Michel Mueller / TERCOM SA
-----------------------------------------------------------
Technical Support
TERCOM SA, Rte Andre-Piller 33a, 1762 GIVISIEZ, Switzerland
phone: +41 26 460 33 00   fax: +41 26 460 33 99
info at tercom.ch   support at tercom.ch
www.tercom.ch   ftp.tercom.ch
-----------------------------------------------------------

-----Original Message-----
From: David Mostardi [mailto:davidm at mdli.com]
Sent: Saturday, 6 November 1999 00:26
To: vpn at listserv.secnetgroup.com
Subject: Linux/Mac IPsec into Contivity?

I've got a BayNetworks/Nortel Contivity 1500 box. The IPsec client that
comes with it only supports Win95/Win98/WinNT. I've got users who want to get
in through Linux or Macintosh. Has anyone successfully gotten into Contivity
over these platforms?
TIA,
------------------------------------------------------------------------
David Mostardi                   Web:   http://www.mdli.com
Unix Systems Manager             Email: davidm at mdli.com
MDL Information Systems, Inc.    Voice: (510) 357-2222 x1420
14600 Catalina St., San Leandro CA 94577   Fax: (510) 352-2870
-- "When in danger or in doubt, run in circles, scream and shout"

From xvo at ozu.es Tue Nov 9 14:57:46 1999
From: xvo at ozu.es (xvo xvo)
Date: Tue, 9 Nov 99 20:57:46 +0100
Subject: No subject

Hi all!

I want to end tunnels in a Cisco router, and I would like to know which
router to use given the following parameters:

- Number of simultaneous L2TP that must be supported.
- Number of GRE tunnels that must be supported.

Does anybody have any documentation or experience that would help for this
purpose?

Another question, now about security. Assume a VPN built over a public IP
network. This public IP network is a subset of the Internet, but totally
owned by one company. I don't care if that company can see the information
that I send over that VPN, but I don't want other clients of this company or
people from the Internet to be able to see that information.

Questions:

- Do I still need encryption? Why?
- If I use GRE tunneling and I drop packets that don't come through the
  tunnel (using filters in the routers), is that secure enough to keep out
  intruders?

Greetings,
Xvo

Sent from http://correo.ozu.es/

From carlsonmail at yahoo.com Tue Nov 9 16:37:04 1999
From: carlsonmail at yahoo.com (Chris Carlson)
Date: Tue, 9 Nov 1999 13:37:04 -0800 (PST)
Subject: Linux/Mac IPsec into Contivity?
Message-ID: <19991109213704.4562.rocketmail@web112.yahoomail.com>

David,

You have a couple of (limited) options:

1) Use a PPTP or L2TP client for Macintosh. Network Telesystems (www.nts.com)
   makes such a client.

2) Linux can use Free S/WAN to tunnel to the Contivity, but it creates a
   branch office tunnel, and not an end-user tunnel. I think you must turn
   off Perfect Forward Secrecy on Contivity v2.50 for this to work.

Hope this helps!

Chris

--
--- David Mostardi wrote:
> I've got a BayNetworks/Nortel Contivity 1500 box.
> The IPsec client that comes with it only supports
> Win95/Win98/WinNT. I've got users who want to get
> in through Linux or Macintosh. Has anyone successfully
> gotten into Contivity over these platforms?
>
> TIA,
> ------------------------------------------------------------------------
> David Mostardi                   Web:   http://www.mdli.com
> Unix Systems Manager             Email: davidm at mdli.com
> MDL Information Systems, Inc.
>                                  Voice: (510) 357-2222 x1420
> 14600 Catalina St., San Leandro CA 94577   Fax: (510) 352-2870
>
> -- "When in danger or in doubt, run in circles, scream and shout"
>

=====
__________________________________________________
Do You Yahoo!?
Bid and sell for free at http://auctions.yahoo.com

From lhebert at netesys.com Wed Nov 10 09:22:40 1999
From: lhebert at netesys.com (Laurent Hebert)
Date: Wed, 10 Nov 1999 09:22:40 -0500
Subject: software based VPN
Message-ID: <19991110141840024.AAA243@bacchus2.netesys.com@gvl-12364>

The fact that you build your own VPN service on top of the ISP network
infrastructure should be transparent to them. However, be sure that you
follow the international regulations in terms of cryptography. On the
management side, be sure you select a VPN product that can be managed
in-band.

Laurent

----------
> From: Dung Nguyen
> To: vpn at listserv.secnetgroup.com
> Subject: software based VPN
> Date: 7 November 1999 23:43
>
>
> Hello!
> I am new. May I ask you a question?
> Can I establish a software based VPN without support from the ISP
> (Internet Service Provider)?
>
> Thank you very much.
> Dung.
>
> =====
>
> __________________________________________________
> Do You Yahoo!?
> Bid and sell for free at http://auctions.yahoo.com

From markus at hofmar.de Wed Nov 10 03:46:55 1999
From: markus at hofmar.de (Markus Hofmann)
Date: Wed, 10 Nov 1999 09:46:55 +0100 (MET)
Subject: PPTP and Routing

Hello!

Some Routing Questions:

Assume we have the following network:

Internal1---InternalRouter---Internal2---PPTPRAS-Server---FW--->
<---Internet---ISP---Windows_PPTP_Client

When I use an ISP that does not support PPTP, I have to use the Microsoft VPN
Adapter. To reach the Network Internal1 I have

1) to set the "Default Gateway" through the PPTPRAS-Server in the
PPTP-Dial-Up-TCP-Properties. But if I do this, I couldn't reach my
PPTPRAS-Server for my PPTP-Tunnel, because I would need a Default Gateway
through my ISP for it. But the ISP Default Gateway conflicts with the
PPTPRAS Default Gateway. Finally this would not work...
2) Manually set a route on the client for the internal1 network through the
PPTPRAS-Server. But how to do this automatically? I don't want to use static
routes (i.e. through a startup script). First, I have a problem if I don't
know all my internal networks (i.e. on large sites running ospf or
something). A further problem with static routes would be that you would
always have the routes - even if you are not coming over the internet and you
are connected to one of the internal networks (like notebook users, "road
warriors")...

So my question: is there a possibility to set up routes if you connect with
pptp and to delete the routes if you disconnect? And maybe you could
administrate the routes only on the PPTPRAS-Server?

yours sincerely
M. Hofmann

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Markus Hofmann           Phone: +49 170 2848250
St. Urbanusstr. 15       Fax: +49 9371 2032
                         E-Mail: hofmann at hofmar.de
63927 Buergstadt         SMS-Mail: sms at hofmar.de (Only Subject)
Germany                  PGP-Keys: look at http://www.hofmar.de
---------------------------------------------------------------------
Only written with 100% recyclable electrons!

From SHOPE at datarange.co.uk Wed Nov 10 08:22:33 1999
From: SHOPE at datarange.co.uk (Stephen Hope)
Date: Wed, 10 Nov 1999 13:22:33 -0000
Subject: Linux/Mac IPsec into Contivity?
Message-ID: <01903665B361D211BF6700805FAD5D9325B803@mail.datarange.co.uk>

Nortel talk about MAC and win 3.1 clients from a 3rd party company in the
manuals for the contivity. No experience with it though.

2 lines from the admin manual:

Network TeleSystems (www.nts.com) provides tunneling product support for
Windows 3.1 and Macintosh operating systems.

(Apologies to Nortel for the plagiarism / advertising)

Stephen Hope C. Eng, Network Consultant
shope at datarange.co.uk, or shope at bcs.org.uk
Datarange Communications PLC, Carrington Business Park, Carrington,
Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4190   Mob: +44 (0)467 256 180   Fax: +44 (0)161 776 4189

-----Original Message-----
From: David Mostardi [mailto:davidm at mdli.com]
Sent: Friday, November 05, 1999 11:26 PM
To: vpn at listserv.secnetgroup.com
Subject: Linux/Mac IPsec into Contivity?

I've got a BayNetworks/Nortel Contivity 1500 box. The IPsec client that
comes with it only supports Win95/Win98/WinNT. I've got users who want to get
in through Linux or Macintosh. Has anyone successfully gotten into Contivity
over these platforms?

TIA,
------------------------------------------------------------------------
David Mostardi                   Web:   http://www.mdli.com
Unix Systems Manager             Email: davidm at mdli.com
MDL Information Systems, Inc.    Voice: (510) 357-2222 x1420
14600 Catalina St., San Leandro CA 94577   Fax: (510) 352-2870
-- "When in danger or in doubt, run in circles, scream and shout"
From Torx at tm.net.my Wed Nov 10 04:37:39 1999
From: Torx at tm.net.my (Saravana Ram)
Date: Wed, 10 Nov 1999 17:37:39 +0800
Subject: PPP through ssh?
References: <199910290428.GAA19510@localnet.hh>
Message-ID: <001b01bf2b5f$3c4f9840$edc4bcca@galena>

> To couple two sites through a secure internet connection (without paying big
> bucks, read: for free), shouldn't it be OK to use PPP via an ssh tunnel? Are
> there any known drawbacks to that approach?

Exactly this is described in one of the Linux mini-HOWTOs (Firewall+VPN
mini-HOWTO, if memory serves me right).

Advantages? Easy to set up, and PPP and ssh are already available on most
Linux boxes without the need to redo kernels.

Disadvantages? If you want multiple vpn connections between multiple networks
(i.e. star configuration), you will need to set up separate point-to-point
links, which will suck up memory (think 6 instances of ppp and ssh running,
pumping data at full bandwidth) and is routing-hell.

Alternatives are CIPE, S/WAN, and the IP tunnels that come with Linux. (I
don't know how to use that though)

If you intend to expand, go IPSec with S/WAN.
howto's: http://www.linux.org/help/
s/wan: http://www.toad.com/gnu/swan.html
cipe: http://sites.inka.de/sites/bigred/devel/cipe.html

From MLittle at bhsi.com Wed Nov 10 10:29:26 1999
From: MLittle at bhsi.com (Little, Mike (BHS))
Date: Wed, 10 Nov 1999 10:29:26 -0500
Subject: CES 2000 b-to-b with a 3COM Netbuilder?
Message-ID: <99Nov10.102851est.115217@pcbhi266.bhsi.com>

Hi, everyone!

I've had a recent request to setup a branch-to-branch connection between a
Nortel CES 2000 and a 3COM Netbuilder 142u. So far, I've stood by my first
response that it isn't possible to do this, and that we would need the same
make of equipment at both locations to do branch-to-branch. Essentially, they
want the 3COM to establish the tunnel (IPSec, PPTP, or other) and have 5
users access our network over it. (To hit the public network, the 3COM uses
ISDN and we are using frame through a router.)

Before totally ruling out the possibility of doing this, however, I wanted to
run it by the group in case there was something that I'm missing that might
work getting these two to talk. I'm thinking that it's not possible, for one
reason, because of the different authentication approaches that the devices
take - the 3COM uses manually configured keys to authenticate while the CES
2000 uses a pre-shared secret. I'm just needing to confirm that there isn't
any way to get this to work.

Any input is appreciated.

Thanks,
Mike Little
Network Control Tech.
Baptist Healthcare System

From peter.frame at softlab.ch Wed Nov 10 11:24:43 1999
From: peter.frame at softlab.ch (Frame Peter)
Date: Wed, 10 Nov 1999 17:24:43 +0100
Subject: Re: PPP through ssh?
Message-ID: <41EF1366B4B9D2119AB000805FC7BD5201A4F3AD@pcsrv006.be.softlab.ch>

This reply has been bothering me for some time, at the risk of looking
foolish here goes:

PPP is a Layer 2 protocol while ssh is used to secure TCP connections. I can
imagine that you could possibly encapsulate PPP and send it via ssh but why
would you want to?

Peter

> ----------
> From: Brad Kemp[SMTP:kemp at indusriver.com]
> Sent: Wednesday, 3 November 1999 23:24
> To: hheller at gmx.de; vpn at listserv.secnetgroup.com
> Cc: heller at localnet.hh
> Subject: Re: PPP through ssh?
>
> Helmut,
> There has been work on tunnels using ssh and using ssl/tls.
> You can run PPP through ssh, ssl/tls and have a working VPN. One problem
> you may find is that performance suffers greatly when the internet
> experiences congestion or starts dropping packets.
> What happens in this scenario is that the ssh, ssl/tls tcp session
> retransmits and your application's tcp session retransmits. This doubles
> the packets sent up the link so your effective throughput is halved.
> Additionally, you add to the congestion which caused the problem in the
> first place.
> There is a debian linux add-on that tunnels over https.
> (see httpstunnel)
>
> For ssh/ssl/tls tunnels check out
> http://www.csee.uq.edu.au/~leonard/software/
> http://mike.daewoo.com.pl/computer/stunnel/
>
> At 06:25 AM 10/29/99 +0200, Helmut Heller wrote:
> >Hello,
> >
> >I am rather new to the VPN field, so please excuse my ignorance.
> >
> >To couple two sites through a secure internet connection (without paying
> >big bucks, read: for free), shouldn't it be OK to use PPP via an ssh
> >tunnel? Are there any known drawbacks to that approach?
> >
> >Are there any documents out there describing what one has to do to make
> >it work?
> >
> >Thanks for any pointers and infos!
> >
> >Helmut
> >
> >---
> >Servus, Helmut (DH0MAD)        ______________NeXT-mail accepted________________
> >Phone: +49-8671-881665         "Knowledge must be gathered and cannot be given"
> >hheller at gmx.de                 ZEN, one of BLAKES7
> >FAX: +49-8671-881665           ------------------------------------------------
> >Dr. Helmut Heller, Muehldorfer Str. 72, 84503 Altoetting, GERMANY
> >
>
> --- -- --
> Brad Kemp
> Indus River Networks, Inc.
> BradKemp at indusriver.com
> 31 Nagog Park                       978-266-8122
> Acton, MA 01720                     fax 978-266-8111
>

From Jose.Muniz at US.DataFellows.COM Wed Nov 10 11:11:44 1999
From: Jose.Muniz at US.DataFellows.COM (Muniz, Jose)
Date: Wed, 10 Nov 1999 08:11:44 -0800
Subject: software based VPN

Well, my friend, yes you can!!

The real question will be.. Is the ISP doing any packet filtering or
firewalling for you? I do not think so, therefore IPSec should do its job
just fine. Remember IPSec uses IKE, which utilizes port 500 UDP, and also it
could use protocol #50 and 51 for AH and ESP mode.

Now, obviously you are not referring to establishing an IPSec tunnel "to
your ISP" because this will not work if they do not have IPSec enabled
[gateway for you].

Hope this helps..!

Pep Anton.
> -----Original Message----- > From: Dung Nguyen [mailto:nhdung at yahoo.com] > Sent: Sunday, November 07, 1999 8:43 PM > To: vpn at listserv.secnetgroup.com > Subject: software based VPN > > > > Hello! > I am new. May I ask you a question ? > Can I Establish a software based VPN without supported > by ISP (Internet service Provider) ? > > Thank you very much . > Dung. > > ===== > > __________________________________________________ > Do You Yahoo!? > Bid and sell for free at http://auctions.yahoo.com > > **************************************************************** > TO POST A MESSAGE on this list, send it to > vpn at listserv.secnetgroup.com > > The VPN FAQ (under construction) is available at > http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html > > We are currently experiencing "unsubscribe" difficulties. If you > wish to unsubscribe, please send a message containing the single line > "unsubscribe vpn your-e-mail-address" to > owner-vpn at listserv.secnetgroup.com > > **************************************************************** > **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From mmedwid at symantec.com Tue Nov 16 13:33:25 1999 From: mmedwid at symantec.com (Michael Medwid) Date: Tue, 16 Nov 1999 10:33:25 -0800 Subject: Linux/Mac IPsec into Contivity? Message-ID: <8825682A.0065D0F8.00@uscu-smtp01.symantec.com> But does it work with the Bay Networks Contivity Switch? Thanks. 
Michel Mueller on 11/09/99 10:50:43 PM From mhw at wittsend.com Tue Nov 16 11:13:36 1999 From: mhw at wittsend.com (Michael H. Warfield) Date: Tue, 16 Nov 1999 11:13:36 -0500 Subject: PPP through ssh? In-Reply-To: <001b01bf2b5f$3c4f9840$edc4bcca@galena> References: <199910290428.GAA19510@localnet.hh> <001b01bf2b5f$3c4f9840$edc4bcca@galena> Message-ID: <19991116111336.C8321@alcove.wittsend.com> On Wed, Nov 10, 1999 at 05:37:39PM +0800, Saravana Ram wrote: > > To couple two sites through a secure internet connection (without paying big > > bucks, read: for free), shouldn't it be OK to use PPP via an ssh tunnel? Are > > there any known drawbacks to that approach? > Exactly this is described in one of the Linux mini-HOWTO's (Firewall+VPN > mini-HOWTO, if memory serves me right). > Advantages? Easy to set up, and PPP and ssh are already available on most > Linux boxes without the need to redo kernels. > Disadvantages? If you want multiple vpn connections between multiple networks > (ie star configuration), you will need to set up separate point-to-point > links, which will suck up memory (think 6 instances of ppp and ssh running, > pumping data at full bandwidth) and is routing-hell. I have not been able to get this to work with the 2.2.x kernels. The routing, the tunnels, and a bunch of other things changed, and the instructions in that HOWTO are simply out of date for recent kernels. That's assuming that it hasn't been updated in the last two months. I gave up on that approach two months ago and haven't looked at it since. > Alternatives are CIPE, S/WAN, and the IP tunnels that come with Linux. (I > don't know how to use that though) > If you intend to expand, go IPSec with S/WAN. > howto's: http://www.linux.org/help/ > s/wan: http://www.toad.com/gnu/swan.html > cipe: http://sites.inka.de/sites/bigred/devel/cipe.html Mike -- Michael H. 
Warfield | (770) 985-6132 | mhw at WittsEnd.com (The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From kelly.robertson at iprg.nokia.com Mon Nov 15 07:21:15 1999 From: kelly.robertson at iprg.nokia.com (Kelly Robertson) Date: Mon, 15 Nov 1999 04:21:15 -0800 Subject: SyShield by Sybergen Networks, Inc. Message-ID: <3.0.5.32.19991115042115.0092c100@mailhost.iprg.nokia.com> Last week, there was a thread going around about SOHO's and desktop protection when a nailed up circuit, such as a DSL or cable modem, is in use. The persons inquiring about desktop security were interested in a low cost measure. I have found out about the above named product, installed it and read the dox. It seems reasonable at first blush. It turns off FTP, TELNET, SMTP, DNS, HTTP, POS3, and Secure HTTP by default. You can run a scheduler that automatically sets up higher security during certain times, disabling all ports by default. Logging is minimal, but adequate for most users. I would think that a user should check the log weekly, whenever they download a package from the Internet, and if their systems misbehave. It is not comprehensive, nor is the firewall highly configurable, but it allows for DHCP. It does not allow for the default security level with NT dial ups. 
Products like PC Anywhere do not work with the default security policy as well. I see it as a nice little program, but have not taken the time to run CyberCop against it yet. This might be a good start for a SOHO, if they turn off Java in their browsers, set cool passwords, and take other simple security measures. It is a $30 download... Comments? Best Regards, Kelly Robertson Technology Advocate Nokia IP Routing Group 650-625-2132 408-504-4250 mobile **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From Azim.Ferchichi at swisscom.com Wed Nov 10 18:02:54 1999 From: Azim.Ferchichi at swisscom.com (Azim.Ferchichi at swisscom.com) Date: Thu, 11 Nov 1999 00:02:54 +0100 Subject: IKE and certificates Message-ID: <7E46AF731AD5D111BF4F0000F830C63D03A107B3@gd3i5w.swissptt.ch> Dear all, I went through some IPSEC RFCs. I particularly took a look at the rfc2409 which concerns the Internet Key Exchange (IKE). IKE is used to exchange keys and define SA between peers. In the main mode, digital signature or RSA encryption can be used. In both cases to be sure of the validity of the public keys, we need to have certificates for them. These certificate (like X.509) are generated by a CA and contained a signature by the CA of the public keys used by peers. However, in this RFC I found nothing about such certificate verification. Is there any IPSEC RFC describing how to integrate such certificate verification with the use of IKE ? If yes can someone tell me which one it is? 
Thanks for your help Azim Ferchichi ___________________ CIT-CT-TPM IT security and Smart-cards Swisscom AG CH-3050 BERN Phone: +41 31 342 09 22 Mobile: +41 79 301 55 56 Fax: +41 31 342 00 08 ______________________ **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From eric_h at Earthlink.Net Wed Nov 10 11:34:35 1999 From: eric_h at Earthlink.Net (Eric Henriksen) Date: Wed, 10 Nov 1999 11:34:35 -0500 Subject: Firewall @ remote location References: <3.0.3.32.19991028152317.00a6e190@pop3.indusriver.com> <3.0.3.32.19991104095412.030d35b0@pop3.indusriver.com> Message-ID: <008e01bf2b9a$afe45d00$03c8a8c0@redcreek.com> Always consider your trusted domain 1st. If you LAN is not trusted, your security should start inside the workstation. If you run a software or internal hardware VPN peer, and set the default gateway to the virtual IP address when the VPN is active, no clear traffic will go out on the LAN. With regard to local subnet route, that should be removed by the VPN product if either 0.0.0.0 or the local subnet is included in the 'protected network' list. Products that don't do this can be handled by manual route modifications only if these are allowed. Our client hashes the route table as we set it, and will not run if the route table is modified while the VPN is up. 
Eric Henriksen Field SE Manager RedCreek Communications, Inc Tel 336-297-4544 Fax 336-297-4644 Msg 3362101498 at mobile.att.net RedCreek Named #1 VPN Market share: http://www.redcreek.com/news/frost.html ----- Original Message ----- From: Brad Kemp To: Eric Henriksen ; Danilo Dessi ; Sent: Thursday, November 04, 1999 9:54 AM Subject: Re: Firewall @ remote location > At 07:07 PM 11/3/99 -0500, Eric Henriksen wrote: > >Otherwise, you may consider running the client or vpn gateway such that all > >traffic is tunneled over the vpn when it is active. This would eliminate > >the possiblity that the remote machine could get hijacked WHILE the vpn is > >connected to the head end. Access to the internet could be accommodated via > >the internal side of the corporate firewall as the default gateway for the > >corporate VPN server, and override the route for the vpns to go directly out > >the pbulic interface. > > Most products that do this do not protect you from an attacker on the same > subnet. The routing tables forward all traffic to the VPN server except that > which is destined for the local subnet. To make this work the route to > the local subnet must be removed and replaced with a host route to the > VPN server. Even if the product you use does not directly support this, > you could put the necessary route commands in a script that is used to launch > the tunnel. > > --- -- -- > Brad Kemp > Indus River Networks, Inc. BradKemp at indusriver.com > 31 Nagog Park 978-266-8122 > Acton, MA 01720 fax 978-266-8111 > > **************************************************************** > TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com > > The VPN FAQ (under construction) is available at > http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html > > We are currently experiencing "unsubscribe" difficulties. 
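The route-table requirement that Brad Kemp and Eric Henriksen describe above, as an added example in Python (not code from either poster or from any vendor client): it flags routes that would still carry traffic outside the tunnel, applies the fix of replacing the local-subnet route with a host route to the VPN server, and fingerprints the resulting table so a client can refuse to keep running if the table is changed while the tunnel is up. All addresses and the sample route table are constructed for the example.

```python
"""Route-table policy check for a 'tunnel everything' VPN client.

Added example, not code from the list posts or any product. It models two
points from the thread: a default route into the tunnel is not enough while a
local-subnet route still lets same-subnet hosts reach the workstation in the
clear, so that route has to be replaced by a host route to the VPN server; and
the client can fingerprint the table it installed and refuse to stay up if the
table changes underneath it.
"""
import hashlib
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str, str]   # (destination, netmask, gateway), Windows 'route print' style

# Hypothetical addresses, constructed for this example.
VPN_SERVER = "203.0.113.10"    # public address of the corporate VPN gateway
LAN_GATEWAY = "192.168.1.1"    # the workstation's real LAN router
TUNNEL_GW = "10.8.0.1"         # far end of the virtual (tunnel) interface
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed table as a naive client leaves it: the default route goes into
# the tunnel, but the local-subnet route is still there.
BEFORE: List[Route] = [
    ("0.0.0.0", "0.0.0.0", TUNNEL_GW),
    ("192.168.1.0", "255.255.255.0", "192.168.1.23"),
    ("127.0.0.0", "255.0.0.0", "127.0.0.1"),
]


def _net(dest: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{dest}/{mask}", strict=False)


def clear_text_routes(table: List[Route], vpn_server: str, tunnel_gw: str) -> List[Route]:
    """Routes that would carry traffic outside the tunnel.

    Allowed exceptions: loopback, and the /32 host route to the VPN server
    itself, which the tunnel's outer packets need in order to reach it.
    """
    leaks: List[Route] = []
    for dest, mask, gw in table:
        net = _net(dest, mask)
        if gw == tunnel_gw or net.subnet_of(LOOPBACK):
            continue
        if net.prefixlen == 32 and str(net.network_address) == vpn_server:
            continue
        leaks.append((dest, mask, gw))
    return leaks


def harden(table: List[Route], vpn_server: str, lan_gateway: str, tunnel_gw: str) -> List[Route]:
    """Apply the fix from the thread: drop every clear-text route (loopback
    excepted) and add a single host route to the VPN server via the LAN router."""
    leaks = clear_text_routes(table, vpn_server, tunnel_gw)
    kept = [r for r in table if r not in leaks]
    host_route: Route = (vpn_server, "255.255.255.255", lan_gateway)
    if host_route not in kept:
        kept.append(host_route)
    return kept


def fingerprint(table: List[Route]) -> str:
    """Order-independent SHA-256 of the table, taken right after it is installed."""
    canon = "\n".join(sorted(",".join(r) for r in table))
    return hashlib.sha256(canon.encode()).hexdigest()


def tunnel_may_stay_up(current_table: List[Route], expected_fp: str) -> bool:
    """The check a client would run periodically while the VPN is active."""
    return fingerprint(current_table) == expected_fp


if __name__ == "__main__":
    print("leaks before:", clear_text_routes(BEFORE, VPN_SERVER, TUNNEL_GW))
    after = harden(BEFORE, VPN_SERVER, LAN_GATEWAY, TUNNEL_GW)
    fp = fingerprint(after)
    print("leaks after:", clear_text_routes(after, VPN_SERVER, TUNNEL_GW))
    # Someone re-adds the local-subnet route while the tunnel is up.
    tampered = after + [("192.168.1.0", "255.255.255.0", "192.168.1.23")]
    print("tunnel may stay up:", tunnel_may_stay_up(tampered, fp))
```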
If you > wish to unsubscribe, please send a message containing the single line > "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com > > **************************************************************** > **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From ken.c.chen at lmco.com Tue Nov 16 14:25:39 1999 From: ken.c.chen at lmco.com (Chen, Ken C) Date: Tue, 16 Nov 1999 14:25:39 -0500 Subject: Linux/Mac IPsec into Contivity? Message-ID: <15B7999C4F94D211AAE90000F81A45E701204666@emss20m02.ems.lmco.com> Does the Linux client create an IPsec tunnel? -----Original Message----- From: Chris Carlson [mailto:carlsonmail at yahoo.com] Sent: Tuesday, November 09, 1999 4:37 PM To: David Mostardi; vpn at listserv.secnetgroup.com Subject: Re: Linux/Mac IPsec into Contivity? David, You have a couple of (limited) options: 1) Use a PPTP or L2TP client for Macintosh. Network Telesystems (www.nts.com) makes such a client. 2) Linux can use Free S/WAN to tunnel to the Contivity, but it creates a branch office tunnel, and not an end-user tunnel. I think you must turn off Perfect Forward Secrecy on Contivity v2.50 for this to work. Hope this helps! Chris -- --- David Mostardi wrote: > I've got a BayNetworks/Nortel Contivity 1500 box. > The IPsec client that comes with it only supports > Win95/Win98/WinNT. I've got users who want to get > in > through Linux or Macintosh. Has anyone successfully > gotten into Contivity over these platforms? 
> > TIA, > ------------------------------------------------------------------------ > David Mostardi Web: > http://www.mdli.com > Unix Systems Manager Email: > davidm at mdli.com > MDL Information Systems, Inc. Voice: > (510) 357-2222 x1420 > 14600 Catalina St., San Leandro CA 94577 Fax: > (510) 352-2870 > > -- "When in danger or in doubt, run in > circles, scream and shout" > ===== __________________________________________________ Do You Yahoo!? Bid and sell for free at http://auctions.yahoo.com **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From mmarinb at usa.net Sat Nov 13 12:51:36 1999 From: mmarinb at usa.net (Mauricio Marin) Date: 13 Nov 99 10:51:36 MST Subject: University VPN Message-ID: <19991113175136.29221.qmail@nwcst281.netaddress.usa.net> Hi i`m a student of a university of Peru and i want to study all about VPN TECHNOLOGY, i want to be an expert in this case, so i do`nt know if there area some universitys in U.S.A, EUROPA, FRANCE, i really don`t know. I hope some of you can help me! 
Mauricio Mar?n ____________________________________________________________________ Get free email and a permanent address at http://www.netaddress.com/?N=1 **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From kemp at indusriver.com Tue Nov 16 15:19:21 1999 From: kemp at indusriver.com (Brad Kemp) Date: Tue, 16 Nov 1999 15:19:21 -0500 Subject: AW: PPP through ssh? In-Reply-To: <41EF1366B4B9D2119AB000805FC7BD5201A4F3AD@pcsrv006.be.softl ab.ch> Message-ID: <3.0.3.32.19991116151921.00c352f0@pop3.indusriver.com> PPP provides a few benefits over running IP over ssh. 1) you get compression (although once IPCOMP is deployed this is less important). You can even run stateful compression without the lost packet penalty. 2) You can run other protocols (ipx, appletalk) 3) You get authorization. ssh/ssl/tls only authenticates (unless you use your own CA and only issue certs to your VPN users). Brad At 05:24 PM 11/10/99 +0100, Frame Peter wrote: >This reply has been bothering me for some time, at the risk of looking >foolish here goes: > >PPP is a Layer 2 protocol while ssh is used to secure TCP connections. I can >imagine that you could possibly encapsulate PPP and send it via ssh but why >would you want to? > >Peter > >> ---------- >> Von: Brad Kemp[SMTP:kemp at indusriver.com] >> Gesendet: Mittwoch, 3. November 1999 23:24 >> An: hheller at gmx.de; vpn at listserv.secnetgroup.com >> Cc: heller at localnet.hh >> Betreff: Re: PPP through ssh? >> >> Helmut, >> There has been work on tunnels using ssh and using ssl/tls. 
>> You can run PPP through ssh, ssl/tls and have a working VPN. One problem >> you may find is that performance suffers greatly when the internet >> experiences congestion or starts dropping packets. >> What happens in this scenario is that the ssh, ssl/tls tcp session >> retransmits >> and your applications tcp session retransmits. This doubles the packets >> sent up the link so your effective throughput is halved. Additionally, you >> add >> to the congestion which cause the problem in the first place. >> There is a debian linux add-on that tunnels over https. (see httpstunnel) >> >> For ssh/ssl/tls tunnels check out >> http://www.csee.uq.edu.au/~leonard/software/ >> http://mike.daewoo.com.pl/computer/stunnel/ >> >> At 06:25 AM 10/29/99 +0200, Helmut Heller wrote: >> >Hello, >> > >> >I am rather new to the VPN field, so please excuse my ignorance. >> > >> >To couple two sites through a secure internet connection (without paying >> big >> >bucks, read: for free), shouldn't it be OK to use PPP via an ssh tunnel? >> Are >> >there any known drawbacks to that approach? >> > >> >Are there any documents out there describing what one has to do to make >> it >> work? >> > >> >Thanks for any pointers and infos! >> > >> >Helmut >> > >> >--- >> >Servus, Helmut (DH0MAD) ______________NeXT-mail >> accepted________________ >> >Phone: +49-8671-881665 "Knowledge must be gathered and cannot be >> given" >> >hheller at gmx.de ZEN, one of BLAKES7 >> >FAX: +49-8671-881665 >> ------------------------------------------------ >> >Dr. Helmut Heller, Muehldorfer Str. 72, 84503 Altoetting, GERMANY >> > >> >**************************************************************** >> >TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com >> > >> >The VPN FAQ (under construction) is available at >> >http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html >> > >> >We are currently experiencing "unsubscribe" difficulties. 
If you >> >wish to unsubscribe, please send a message containing the single line >> >"unsubscribe vpn your-e-mail-address" to >> owner-vpn at listserv.secnetgroup.com >> > >> >**************************************************************** >> > >> --- -- -- >> Brad Kemp >> Indus River Networks, Inc. BradKemp at indusriver.com >> 31 Nagog Park 978-266-8122 >> Acton, MA 01720 fax 978-266-8111 >> >> **************************************************************** >> TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com >> >> The VPN FAQ (under construction) is available at >> http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html >> >> We are currently experiencing "unsubscribe" difficulties. If you >> wish to unsubscribe, please send a message containing the single line >> "unsubscribe vpn your-e-mail-address" to >> owner-vpn at listserv.secnetgroup.com >> >> **************************************************************** >> > >**************************************************************** >TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com > >The VPN FAQ (under construction) is available at >http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html > >We are currently experiencing "unsubscribe" difficulties. If you >wish to unsubscribe, please send a message containing the single line >"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com > >**************************************************************** > --- -- -- Brad Kemp Indus River Networks, Inc. BradKemp at indusriver.com 31 Nagog Park 978-266-8122 Acton, MA 01720 fax 978-266-8111 **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html We are currently experiencing "unsubscribe" difficulties. 
If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From Angelo.Speranza at crescendo-tech.com Tue Nov 16 16:03:51 1999 From: Angelo.Speranza at crescendo-tech.com (Angelo.Speranza at crescendo-tech.com) Date: Tue, 16 Nov 1999 16:03:51 -0500 Subject: No subject Message-ID: Hello Everyone, I would like to get your thoughts/recommendation on which VPN solution and firewall could best fit my environment. I was tasked to deploy a VPN and firewall solution. I have outlined the requirements (I hope I got all of them). There are approximate 20 to 25 users, working out of home. I would like to deploy a VPN and firewall to support these users. The data that the users will be accessing is work order info, graphics, e-mail, office documents and pricing info. The operating system is NT and the protocol in use TCP/IP, e-mail is outlook. The users will be establishing a VPN session via dial up or via DSL. Within 6-8 months a second office is expected to open, which could double the number of users. Currently there is a BRI in place connected to an ascend pipeline 75 router. My budget is approx. 10k and security is very important. My question is: - From your experience, do you have any suggestions on what type of VPN and firewall solution could best fit these requirements? I would like to have a firewall solution that is not incorporated within the VPN. Also, keeping in mind scalability and budget. Thank you in advance for your thoughts and recommendations, A.M.S **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html We are currently experiencing "unsubscribe" difficulties. 
If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From mmueller at tercom.ch Wed Nov 17 10:01:32 1999 From: mmueller at tercom.ch (Michel Mueller) Date: Wed, 17 Nov 1999 16:01:32 +0100 Subject: Linux/Mac IPsec into Contivity? Message-ID: <174767FC6455D311B2CC005004438959093467@tercom1.tercom.ch> I think so, but I did not test myself. You have to try to be sure. Michel Michel Mueller /TERCOM SA ----------------------------------------------------------- Technical Support TERCOM SA, Rte Andre-Piller 33a, 1762 GIVISIEZ, Switzerland phone: +41 26 460 33 00 fax: +41 26 460 33 99 info at tercom.ch support at tercom.ch www.tercom.ch ftp.tercom.ch ----------------------------------------------------------- -----Original Message----- From: Michael Medwid [mailto:mmedwid at symantec.com] Sent: Dienstag, 16. November 1999 19:33 To: Michel Mueller Cc: 'David Mostardi'; vpn at listserv.secnetgroup.com Subject: RE: Linux/Mac IPsec into Contivity? But does it work with the Bay Networks Contivity Switch? Thanks. Michel Mueller on 11/09/99 10:50:43 PM From Ken.Ford at sierra.com Wed Nov 17 13:52:31 1999 From: Ken.Ford at sierra.com (Ken Ford) Date: Wed, 17 Nov 1999 10:52:31 -0800 Subject: SyShield by Sybergen Networks, Inc. Message-ID: <83A2A724F77FD211A0B30008C78CDACEA6A4BA@crater.northwest.sierra.com> Another low cost security product, that I have been using at home, is called BlackIce (www.networkice.com). It is an Intrusion Detection/Prevention tool, and costs less than $40. I am impressed with what I have seen of the product. It might surprise those that have cable modems/DSL connections how much probing of your systems there is via that constant connection. It has 4 levels of security pre-defined, and by default locks down all TCP/UDP ports below 1024. 
It also "knows" about specific types of attacks, and will detect/block the attack, and attempt to backtrace attackers, and can even do a packet capture of attacks. A pretty nice product, it is simple to use and it's cheap. ---- Ken Ford Network Administrator Sierra On Line -----Original Message----- From: Kelly Robertson [mailto:kelly.robertson at iprg.nokia.com] Sent: Monday, November 15, 1999 4:21 AM To: vpn at listserv.secnetgroup.com; scott_parsons at pacmono.com Subject: SyShield by Sybergen Networks, Inc. Last week, there was a thread going around about SOHO's and desktop protection when a nailed up circuit, such as a DSL or cable modem, is in use. The persons inquiring about desktop security were interested in a low cost measure. I have found out about the above named product, installed it and read the dox. It seems reasonable at first blush. It turns off FTP, TELNET, SMTP, DNS, HTTP, POS3, and Secure HTTP by default. You can run a scheduler that automatically sets up higher security during certain times, disabling all ports by default. Logging is minimal, but adequate for most users. I would think that a user should check the log weekly, whenever they download a package from the Internet, and if their systems misbehave. It is not comprehensive, nor is the firewall highly configurable, but it allows for DHCP. It does not allow for the default security level with NT dial ups. Products like PC Anywhere do not work with the default security policy as well. I see it as a nice little program, but have not taken the time to run CyberCop against it yet. This might be a good start for a SOHO, if they turn off Java in their browsers, set cool passwords, and take other simple security measures. It is a $30 download... Comments? 
Best Regards, Kelly Robertson Technology Advocate Nokia IP Routing Group 650-625-2132 408-504-4250 mobile **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From sdurette at TimeStep.com Wed Nov 17 10:15:39 1999 From: sdurette at TimeStep.com (Stephane Durette) Date: Wed, 17 Nov 1999 10:15:39 -0500 Subject: Linux/Mac IPsec into Contivity? Message-ID: <319A1C5F94C8D11192DE00805FBBADDFF7B0DF@exchange> Michael, With the MAC client we have had no luck connecting to Nortel's Contivity Switch. As recently as two weeks ago we were talking with the Nortel engineers. As far as the Win platforms go, there were no issues but we did not manage to interoperate with the MAC client. On Linux, we do have a customer that as setup a shared secret application using the FreeSwan client connecting to a TimeStep PERMIT/Gate. We do not yet have any configuration data available and I don't know if it has been tested with Nortel's Contivity. Might be worth a try. My 0.02? 
Cheers Steph axW--------------------------------------------------------------- Stephane Y Durette- Applications Engineer, TimeStep Corp. (613) 599-3610 x:4682 Voice (613) 599-9560 - FAX mailto:sdurette at timestep.com http://www.timestep.com --------------------------------------------------------------------- "Two possibilities exist: either we are alone in the universe or we are not. Both are equally terrifying." Arthur C.Clarke --------------------------------------------------------------------- -----Original Message----- From: Michael Medwid [mailto:mmedwid at symantec.com] Sent: November 16, 1999 1:33 PM To: Michel Mueller Cc: 'David Mostardi'; vpn at listserv.secnetgroup.com Subject: RE: Linux/Mac IPsec into Contivity? But does it work with the Bay Networks Contivity Switch? Thanks. Michel Mueller on 11/09/99 10:50:43 PM From holger.fahner at danet-consult.de Thu Nov 18 12:21:11 1999 From: holger.fahner at danet-consult.de (Holger Fahner) Date: Thu, 18 Nov 1999 18:21:11 +0100 Subject: IKE and certificates Message-ID: <001d01bf31e9$4f5d5180$59966586@tschaikowsky.is.danet.de> Dear Azim, > However, in this RFC I found nothing about such > certificate verification. Is there any IPSEC RFC describing how to > integrate > such certificate verification with the use of IKE ? If yes can someone > tell me which one it is? Did you check out this Internet draft draft-ietf-ipsec-pki-req-03.txt "A PKIX Profile for IKE" and the related RFC 2459 "Internet X.509 Public Key Infrastructure Certificate and CRL Profile" Hope, this helps. 
Best regards,
Holger

--
Holger Fahner                    Danet Consult GmbH
Waldburgstraße 17-19             Tel +49-(0)711-13353-83
D-70563 Stuttgart                Fax +49-(0)711-13353-53
mailto:fahner at danet-consult.de
http://www.danet-consult.de

****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html

We are currently experiencing "unsubscribe" difficulties. If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com
****************************************************************

From carlsonmail at yahoo.com Thu Nov 18 10:55:05 1999
From: carlsonmail at yahoo.com (Chris Carlson)
Date: Thu, 18 Nov 1999 07:55:05 -0800 (PST)
Subject: Linux/Mac IPsec into Contivity?
Message-ID: <19991118155505.14436.rocketmail@web124.yahoomail.com>

Ken,

Yes, the Linux Free S/WAN is IPSec. It definitely supports 56-bit DES, not sure about 168-bit 3-DES.

Chris
--

--- "Chen, Ken C" wrote:
> Does the Linux client create an IPsec tunnel?
>
> -----Original Message-----
> From: Chris Carlson [mailto:carlsonmail at yahoo.com]
> Sent: Tuesday, November 09, 1999 4:37 PM
> To: David Mostardi; vpn at listserv.secnetgroup.com
> Subject: Re: Linux/Mac IPsec into Contivity?
>
> David,
>
> You have a couple of (limited) options:
>
> 1) Use a PPTP or L2TP client for Macintosh. Network
> Telesystems (www.nts.com) makes such a client.
>
> 2) Linux can use Free S/WAN to tunnel to the
> Contivity, but it creates a branch office tunnel, and
> not an end-user tunnel. I think you must turn off
> Perfect Forward Secrecy on Contivity v2.50 for this to
> work.
>
> Hope this helps!
> Chris
> --
>
> --- David Mostardi wrote:
> > I've got a BayNetworks/Nortel Contivity 1500 box.
> > The IPsec client that comes with it only supports
> > Win95/Win98/WinNT. I've got users who want to get in
> > through Linux or Macintosh. Has anyone successfully
> > gotten into Contivity over these platforms?
> >
> > TIA,
> >
> > ------------------------------------------------------------------------
> > David Mostardi                              Web:   http://www.mdli.com
> > Unix Systems Manager                        Email: davidm at mdli.com
> > MDL Information Systems, Inc.               Voice: (510) 357-2222 x1420
> > 14600 Catalina St., San Leandro CA 94577    Fax:   (510) 352-2870
> >
> > -- "When in danger or in doubt, run in
> > circles, scream and shout"
>
> =====

__________________________________________________
Do You Yahoo!?
Bid and sell for free at http://auctions.yahoo.com

From hheller at gmx.de Thu Nov 18 02:42:54 1999
From: hheller at gmx.de (Helmut Heller)
Date: Thu, 18 Nov 1999 08:42:54 +0100
Subject: AW: PPP through ssh?
In-Reply-To: <41EF1366B4B9D2119AB000805FC7BD5201A4F3AD@pcsrv006.be.softlab.ch>
References: <41EF1366B4B9D2119AB000805FC7BD5201A4F3AD@pcsrv006.be.softlab.ch>
Message-ID: <199911180742.IAA00949@localnet.hh>

You wrote:
> PPP is a Layer 2 protocol while ssh is used to secure TCP connections. I
> can imagine that you could possibly encapsulate PPP and send it via ssh but
> why would you want to?

Well, I know that it is kind of wasteful, but the idea is to have a cheap and yet secure VPN: encrypt the PPP traffic via ssh. If the traffic volume is not too high, this should work out fine and come for free.

Bye,
Helmut
---
Servus, Helmut (DH0MAD)          ___________NeXT-mail welcome________________
FAX: +49-8671-881665             "Knowledge must be gathered and cannot be given"
hheller at gmx.de                   ZEN, one of BLAKES7
Phone: +49-8671-881665
---------------------------------------------------------------------------
Dr. Helmut Heller, Mühldorfer Str. 72, 84503 Altötting, GERMANY

From jneedle at nortelnetworks.com Thu Nov 18 13:44:44 1999
From: jneedle at nortelnetworks.com (Jeffrey Needle)
Date: Thu, 18 Nov 1999 13:44:44 -0500
Subject: Linux/Mac IPsec into Contivity?
In-Reply-To: <19991118155505.14436.rocketmail@web124.yahoomail.com>
Message-ID: <4.2.2.19991118134357.05db9b80@zbl6c000.corpeast.baynetworks.com>

3DES is what it does by default. To get support for DES, you need to have an add-on piece.

Jeff

At 07:55 AM 11/18/99 -0800, Chris Carlson wrote:
>Ken,
>
>Yes, the Linux Free S/WAN is IPSec. It definitely
>supports 56-bit DES, not sure about 168-bit 3-DES.
>
>Chris

From mhw at wittsend.com Thu Nov 18 13:23:24 1999
From: mhw at wittsend.com (Michael H. Warfield)
Date: Thu, 18 Nov 1999 13:23:24 -0500
Subject: Linux/Mac IPsec into Contivity?
In-Reply-To: <19991118155505.14436.rocketmail@web124.yahoomail.com>
References: <19991118155505.14436.rocketmail@web124.yahoomail.com>
Message-ID: <19991118132324.A14990@alcove.wittsend.com>

On Thu, Nov 18, 1999 at 07:55:05AM -0800, Chris Carlson wrote:
> Ken,

> Yes, the Linux Free S/WAN is IPSec. It definitely
> supports 56-bit DES, not sure about 168-bit 3-DES.

No... It doesn't support 56 bit DES any more.
They removed that support after DES was broken repeatedly and proven too insecure. They refuse to even make it easy to put it back in (although, technically you can do the same job with 3DES where the keys are identical - the 3DES/DES compatibility mode in the cipher). They definitely support 3DES with 112 bit keys. Don't know if they have full 3DES where all three keys are independent (168 bit keys). The 112 bit variant, you encrypt with the first key, decrypt with the second key, and then encrypt again with the first key (EDE mode). That's algorithmically equivalent to DES if both 56 bit keys are the same. That's normally what's referred to when someone simply mentions 3DES (the 112 bit variant, that is).

Reference: Applied Cryptography, 2nd ed, Bruce Schneier, p. 359

> Chris
> --
>
> --- "Chen, Ken C" wrote:
> > Does the Linux client create an IPsec tunnel?

--
Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)     |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9     |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471   |  possible worlds.  A pessimist is sure of it!

From Fred.Golder at cendant.com Thu Nov 18 13:48:40 1999
From: Fred.Golder at cendant.com (Golder, Fred)
Date: Thu, 18 Nov 1999 13:48:40 -0500
Subject: Linux/Mac IPsec into Contivity?

FreeS/Wan doesn't support 56 bit DES without modifying the code. The FreeS/Wan folks feel that 56 bit DES isn't secure so they don't have it as an option. Last I knew (about 4 weeks ago) you could modify the C code to enable 56 bit DES. FreeS/Wan has been tested with the Nortel Contivity Switch, but not by myself personally yet.
-Fred Golder

-----Original Message-----
From: Chris Carlson [mailto:carlsonmail at yahoo.com]
Sent: Thursday, November 18, 1999 10:55 AM
To: Chen, Ken C; vpn at listserv.secnetgroup.com
Subject: RE: Linux/Mac IPsec into Contivity?

Ken,

Yes, the Linux Free S/WAN is IPSec. It definitely supports 56-bit DES, not sure about 168-bit 3-DES.

Chris
--

--- "Chen, Ken C" wrote:
> Does the Linux client create an IPsec tunnel?

From jonc at haht.com Thu Nov 18 19:29:45 1999
From: jonc at haht.com (Jon Carnes)
Date: Thu, 18 Nov 1999 19:29:45 -0500
Subject:
Message-ID: <01e001bf3225$4089e1a0$6803010a@dhcp.haht.com>

Amazingly enough, I would recommend you use the MS PPTP. Since you are already using MS on the client side and probably on the corporate side, the cost is free. The security is only moderate, but probably enough for what you want. (If someone wants your data, they are more likely to get it via social engineering than by intercepting and decoding your data streams...)

If you go with the MS VPN solution, then the MS box will have to sit parallel to a Masquerading Firewall, but can run from behind a Routing Firewall (router to a valid Class C which regulates routed traffic). A decent P3-450 with 256Mb of RAM running NT4.0 with Service Pack 5 applied will handle the load you specified, and is fairly secure. SP5 fixes most of the security problems that the MS VPN was prone to.

The beauty of the MS solution is that it is fully integrated with your NT Domain (that is, if you are using an NT Domain - otherwise you add individual accounts on the MS box). It's also very simple to set up on the clients.

As to a Firewall, I always recommend Linux on an ordinary PC running either ipfwadm or ipchains (depending on which version of Linux you are running). The cost is the cost of the box, and that is normally a low-end box that is floated down via an upgrade to a Corporate end-user. If you don't know Linux, you may be able to find a local users group that will build the box for you for free and then train you on firewall setup. There are some very simple how-to's for basic firewall configuration. In my area (Raleigh NC) there are several fine Linux users groups which gladly lend a hand to folks getting started in Linux.
Hope this helps,

Jon Carnes
MIS - HAHT Software

----- Original Message -----
Sent: Tuesday, November 16, 1999 4:03 PM

> Hello Everyone,
> I would like to get your thoughts/recommendation on which VPN solution and
> firewall could best fit my environment.
>
> I was tasked to deploy a VPN and firewall solution. I have outlined the
> requirements (I hope I got all of them).
> There are approximately 20 to 25 users, working out of home. I would like to
> deploy a VPN and firewall to support these users. The data that the users
> will be accessing is work order info, graphics, e-mail, office documents
> and pricing info. The operating system is NT and the protocol in use is
> TCP/IP; e-mail is Outlook.
> The users will be establishing a VPN session via dial up or via DSL. Within
> 6-8 months a second office is expected to open, which could double the
> number of users.
> Currently there is a BRI in place connected to an Ascend Pipeline 75
> router.
> My budget is approx. 10k and security is very important.
>
> My question is:
> - From your experience, do you have any suggestions on what type of VPN and
> firewall solution could best fit these requirements? I would like to have
> a firewall solution that is not incorporated within the VPN. Also, keeping
> in mind scalability and budget.
>
> Thank you in advance for your thoughts and recommendations,
>
> A.M.S

From lhebert at netesys.com Fri Nov 19 09:16:41 1999
From: lhebert at netesys.com (Laurent Hebert)
Date: Fri, 19 Nov 1999 09:16:41 -0500
Subject:
Message-ID: <19991119141248039.AAA96@bacchus2.netesys.com@gvl-12364>

Angelo,

Based on what you mentioned, why do you want a Firewall? As I see this, you only need a good VPN Gateway at your central site and an associated S/W client on the telecommuters to extend your local network as an Intranet (since they do not have a need to go on the Internet (for Web surfing...)). There are a lot of good products on the market that follow IPsec standards. We have tested Altiga and ADI and both are working fine (Altiga seems to be more standard...). Note however that both of them cannot support the NT login script if the end-user's O/S is NT (your end users will have to map their drives manually...). Furthermore, since you do not have a terminal server in your solution (Citrix), the response time may be very bad on dial-up access. You should consider ADSL or Cable Modem for your end users.
Laurent

----------
> From: Angelo.Speranza at crescendo-tech.com
> To: vpn at listserv.secnetgroup.com
> Subject:
> Date: 16 November 1999 16:03
>
> Hello Everyone,
> I would like to get your thoughts/recommendation on which VPN solution and
> firewall could best fit my environment.

From mmarinb at fics.edu.pe Fri Nov 19 17:20:11 1999
From: mmarinb at fics.edu.pe (Mauricio)
Date: Fri, 19 Nov 1999 17:20:11 -0500
Subject: VPN STUDY
References: <19991119141248039.AAA96@bacchus2.netesys.com@gvl-12364>
Message-ID: <3835CD1B.DBBD583C@fics.edu.pe>

Where can I study all about VPN? I'm from PERU and I could travel anywhere to learn it. Maybe CISCO, 3COM, etc. offer some courses about it?

Mauricio Marín

From tbird at listserv.secnetgroup.com Fri Nov 19 15:58:37 1999
From: tbird at listserv.secnetgroup.com (Tina Bird)
Date: Fri, 19 Nov 1999 14:58:37 -0600 (CST)
Subject: Two choices for VPN. (fwd)

---------- Forwarded message ----------
Date: Wed, 3 Nov 1999 08:00:47 -0800
From: "Frank R. Boecherer"
To: owner-vpn at listserv.secnetgroup.com
Subject: Two choices for VPN.

Hi...

I would like to ask the question below (shortened to make the reading quicker) again, as I received only one posted reply (thank you Eric Henriksen). If it's not good manners to post the same question again, please feel free to delete it, moderator.

I read comments earlier that the FlowPoint VPN is very weak. I understand security is important and worth spending on, but does higher cost always mean a better product?

Frank

=======================================================================

I have a client looking into setting up a VPN (from 1 or 2 homes to the office) once they get their Verio DSL line installed. Two options they were presented with for VPN are:

SafeNet. Offered and recommended by Verio. Apparently a high quality VPN solution in that it offers data level encryption through the use of a hardware box attached to the DSL router, plus a software client that runs on the remote PC. They also offer 24/7/365 customer support. Verio offers the VPN hardware for $250/mo, plus a $15/mo license for EACH remote user. SafeNet: www.ire.com.

FlowPoint. Flowpoint offers, for a one-time charge of $199, a software product called "FlowPoint Secure VPN" for the FlowPoint 2200. Flowpoint: www.flowpoint.com.

Any feedback on these two options would be greatly appreciated. Or is there something better that should be used independently of what the ISP offers? Would something independent make support issues tougher if the ISP is not familiar with the product?

Frank

From rng at netscreen.com Fri Nov 19 19:14:20 1999
From: rng at netscreen.com (Ronald Ng)
Date: Fri, 19 Nov 1999 16:14:20 -0800
Subject: Linux/Mac IPsec into Contivity?
Message-ID: <3835E7DC.6FD74F12@netscreen.com>

Additionally, the upcoming RFCs require a minimum of 3DES. It makes more sense to go towards the 3DES requirement.

> "Golder, Fred" wrote:
>
> FreeS/Wan doesn't support 56 bit DES without modifying the code. The
> FreeS/Wan folks feel that 56 bit DES isn't secure so they don't have
> it as an option. Last I knew (about 4 weeks ago) you could modify the
> C code to enable 56 bit DES. FreeS/Wan has been tested with the
> Nortel Contivity Switch, but not by myself personally yet.
>
> -Fred Golder

--
Ronald Ng
rng at netscreen.com

From carlsonmail at yahoo.com Sat Nov 20 16:47:55 1999
From: carlsonmail at yahoo.com (Chris Carlson)
Date: Sat, 20 Nov 1999 13:47:55 -0800 (PST)
Subject: Linux/Mac IPsec into Contivity?
Message-ID: <19991120214755.2681.rocketmail@web109.yahoomail.com>

Whoops! Looks like I'm eating my words! Thanks for the correction.

How is 3DES handled for export on Linux Free S/WAN?

Chris
--

--- Jeffrey Needle wrote:
> 3DES is what it does by default. To get support for
> DES, you need to have an add-on piece.
>
> Jeff
>
> At 07:55 AM 11/18/99 -0800, Chris Carlson wrote:
> >Ken,
> >
> >Yes, the Linux Free S/WAN is IPSec. It definitely
> >supports 56-bit DES, not sure about 168-bit 3-DES.
> >
> >Chris

__________________________________________________
Do You Yahoo!?
Bid and sell for free at http://auctions.yahoo.com

From jehorton at erols.com Fri Nov 19 23:33:32 1999
From: jehorton at erols.com (John E. Horton)
Date: Fri, 19 Nov 1999 23:33:32 -0500
Subject: Linux/Mac IPsec into Contivity?
In-Reply-To: <19991118132324.A14990@alcove.wittsend.com>
References: <19991118155505.14436.rocketmail@web124.yahoomail.com>
Message-ID: <4.2.0.58.19991119231713.00a48a90@pop.erols.com>

FYI. There are 2-key 3DES and 3-key 3DES. If I recall correctly, 2-key 3DES (A = C, B != A & B != C) has a key space of 112 bits (2 x 56), with an effective key space of ~80 bits. 3-key 3DES (A != B, B != C, A != C) has a key space of 168 bits (3 x 56) with an effective key space of ~112 bits. According to Applied Cryptography, Inner-CBC or Outer-CBC Mode (pg. 360) can be applied to triple key encryption algorithms.

Cheers.

At 01:23 PM 11/18/99 -0500, Michael H. Warfield wrote:
>On Thu, Nov 18, 1999 at 07:55:05AM -0800, Chris Carlson wrote:
> > Ken,
>
> > Yes, the Linux Free S/WAN is IPSec. It definitely
> > supports 56-bit DES, not sure about 168-bit 3-DES.
>
> No... It doesn't support 56 bit DES any more. They removed that
>support after DES was broken repeatedly and proven too insecure. They
>refuse to even make it easy to put it back in (although, technically you
>can do the same job with 3DES where the keys are identical - the 3DES/DES
>compatibility mode in the cipher).
> They definitely support 3des with
>112 bit keys. Don't know if they have full 3des where all three keys
>are independent (168 bit keys). The 112 bit variant, you encrypt with
>the first key, decrypt with the second key, and then encrypt again with
>the first key (EDE mode). That's algorithmically equivalent to des if
>both 56 bit keys are the same. That's normally what's referred to when
>someone simply mentions 3DES (the 112 bit variant, that is).
>
> Reference: Applied Cryptography, 2nd ed, Bruce Schneier, pp 359
>
> > Chris
> > --
> >
> > --- "Chen, Ken C" wrote:
> > > Does the Linux client create an IPsec tunnel?
> > >
> > > -----Original Message-----
> > > From: Chris Carlson [mailto:carlsonmail at yahoo.com]
> > > Sent: Tuesday, November 09, 1999 4:37 PM
> > > To: David Mostardi; vpn at listserv.secnetgroup.com
> > > Subject: Re: Linux/Mac IPsec into Contivity?
> > >
> > > David,
> > >
> > > You have a couple of (limited) options:
> > >
> > > 1) Use a PPTP or L2TP client for Macintosh. Network
> > > Telesystems (www.nts.com) makes such a client.
> > >
> > > 2) Linux can use Free S/WAN to tunnel to the
> > > Contivity, but it creates a branch office tunnel, and
> > > not an end-user tunnel. I think you must turn off
> > > Perfect Forward Secrecy on Contivity v2.50 for this to
> > > work.
> > >
> > > Hope this helps!
> > > Chris
> > > --
> > >
> > > --- David Mostardi wrote:
> > > > I've got a BayNetworks/Nortel Contivity 1500 box.
> > > > The IPsec client that comes with it only supports
> > > > Win95/Win98/WinNT. I've got users who want to get in
> > > > through Linux or Macintosh. Has anyone successfully
> > > > gotten into Contivity over these platforms?
> > > >
> > > > TIA,
> > > >
> > > > ------------------------------------------------------------------------
> > > > David Mostardi                            Web:   http://www.mdli.com
> > > > Unix Systems Manager                      Email: davidm at mdli.com
> > > > MDL Information Systems, Inc.             Voice: (510) 357-2222 x1420
> > > > 14600 Catalina St., San Leandro CA 94577  Fax:   (510) 352-2870
> > > >
> > > > -- "When in danger or in doubt, run in
> > > > circles, scream and shout"
> > > >
> > > > =====
>
>--
> Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
>  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
>  NIC whois:  MHW9      |  An optimist believes we live in the best of all
> PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

From john.d.fulmer at mail.sprint.com Mon Nov 22 09:37:28 1999
From: john.d.fulmer at mail.sprint.com (John Fulmer)
Date: Mon, 22 Nov 1999 08:37:28 -0600
Subject: Linux/Mac IPsec into Contivity?
References: <19991118155505.14436.rocketmail@web124.yahoomail.com>
Message-ID: <38395528.2AED4B0E@mail.sprint.com>

carlsonmail at yahoo.com wrote:
>
> Ken,
>
> Yes, the Linux Free S/WAN is IPSec.
> It definitely supports 56-bit DES, not sure about 168-bit 3-DES.
>

As of the current distribution, 1.0x, Linux S/WAN really only supports 3DES, and 1DES is pretty much broken. From the CHANGES file:

    Support for single-DES (as opposed to 3DES) has been largely
    discontinued. (The timing of this was a management decision which
    not all members of the technical team agree with.) 1DES MAY work
    if manually setting keys, but IKE only supports 3DES.

From pdavis at altiga.com Tue Nov 23 12:09:19 1999
From: pdavis at altiga.com (Davis, Peter)
Date: Tue, 23 Nov 1999 12:09:19 -0500
Subject: Two choices for VPN.
Message-ID: <71B30BC67510D31184030090277A3DDE5FAECE@mail.altiga.com>

Frank,

Your best bet is to check out www.vpnc.org in addition to other resources you have looked at. You will see a list of many vendors who are also working to cooperatively test interoperability. There are at least 2 or 3 vendors that focus on low-end VPN solutions.

Deciding whether you should go for a managed VPN service or for one that you control yourself is really up to how comfortable you feel with delegating network security to a third party. In addition, $250/mt is a significant price to pay for a low-end solution. You will find that there are many different ways that solutions are priced, including some that include an unlimited client license and others that charge a per client fee.

Hi...

I would like to ask the question below (shortened to make the reading quicker) again as I received only one posted reply (thank you Eric Henriksen). If it's not good manners to post the same question again, please feel free to delete it, moderator.

I read comments earlier that the FlowPoint VPN is very weak. I understand security is important and worth spending on, but does higher cost always mean a better product?

Frank

=======================================================================

I have a client looking into setting up a VPN (from 1 or 2 homes to the office) once they get their Verio DSL line installed. Two options they were presented with for VPN are:

SafeNet. Offered and recommended by Verio. Apparently a high quality VPN solution in that it offers data level encryption through the use of a hardware box attached to the DSL router, plus a software client that runs on the remote PC. They also offer 24/7/365 customer support. Verio offers the VPN hardware for $250/mo, plus a $15/mo license for EACH remote user. SafeNet www.ire.com.

FlowPoint. Flowpoint offers for a one-time charge of $199 a software product called "FlowPoint Secure VPN" for the FlowPoint 2200. Flowpoint www.flowpoint.com.

Any feedback on these two options would be greatly appreciated. Or is there something better that should be used independently of what the ISP offers? Would something independent make support issues tougher if the ISP is not familiar with the product?

Frank

From mmandel at postproperties.com Mon Nov 22 15:37:29 1999
From: mmandel at postproperties.com (mmandel at postproperties.com)
Date: Mon, 22 Nov 1999 15:37:29 -0500
Subject: MS PPTP
Message-ID: <85256831.00714C26.00@notes1.postproperties.com>

I have set up an NT VPN server for MS PPTP behind a Cisco PIX firewall. All works well, but when the user gets authenticated by my domain, the logon scripts (Kixtart32) do not run. Thus, my users do not get their mapped network drives. Is there a fix for this, or some sort of config I need to add? Please help!

Also, will Cisco's IPSec client support NT domain authentication?

TIA,

Michael Mandel
Network Administrator
Post Corporate Services

"Jon Carnes" on 11/18/1999 07:29:45 PM
Please respond to "Jon Carnes"

From adamz at econet.com Mon Nov 22 18:02:56 1999
From: adamz at econet.com (Adam P. Zimmerer)
Date: Mon, 22 Nov 1999 17:02:56 -0600
Subject: Two choices for VPN. (fwd)
Message-ID: <015c01bf353d$b965d8c0$0205a8c0@bigdude>

Tina,

Have you checked out the SonicWall (www.sonicwall.com)? It is another box that sits between the DSL splitter and your hub and functions as a router, internet content filter & VPN terminator. It uses IPSec w/ up to 3DES encryption. I've installed one but have not set up the VPN part of it yet for my client. The "Pro" model has a 233MHz RISC processor, retails for about $2995, and the VPN client software for the home users runs about $79 per User License.

Does anyone else have any comments about this device?

Sincerely,

Adam P. Zimmerer
www.EcoNet.Com
adamz at econet.com

Good Quote...
Transport of the mails, transport of the human voice, transport of flickering pictures - in this century as in others our highest accomplishments still have the single aim of bringing men together.
Antoine de Saint-Exupéry (1900-1944), French aviator, writer. Wind, Sand, and Stars, ch. 3 (published in Terre des Hommes, 1939).

-----Original Message-----
From: Tina Bird
To: vpn at listserv.secnetgroup.com
Date: Monday, November 22, 1999 4:41 PM
Subject: Two choices for VPN. (fwd)

From jneedle at nortelnetworks.com Tue Nov 23 13:29:38 1999
From: jneedle at nortelnetworks.com (Jeffrey Needle)
Date: Tue, 23 Nov 1999 13:29:38 -0500
Subject: Linux/Mac IPsec into Contivity?
In-Reply-To: <19991120214755.2681.rocketmail@web109.yahoomail.com>
Message-ID: <4.2.2.19991123132850.0538ecd0@zbl6c000.corpeast.baynetworks.com>

Free S/WAN is produced and distributed outside the US, so I don't believe it's subject to the US Export laws.

j.

At 01:47 PM 11/20/99 -0800, Chris Carlson wrote:
>Whoops! Looks like I'm eating my words! Thanks for
>the correction.
>
>How is 3DES handled for export on Linux Free S/WAN?
>
>Chris
>--

From mmarinb at fics.edu.pe Tue Nov 23 15:08:26 1999
From: mmarinb at fics.edu.pe (Mauricio Marín)
Date: Tue, 23 Nov 1999 15:08:26 -0500
Subject: FIREWALL VPN
Message-ID: <383AF439.257E5919@fics.edu.pe>

If we have a Firewall in a company, for example CheckPoint, when I connect by PPTP will I pass through, jumping the firewall?

Mauricio Marín

From schlitt at world.std.com Wed Nov 24 08:39:48 1999
From: schlitt at world.std.com (Dan Schlitt)
Date: Wed, 24 Nov 1999 08:39:48 -0500 (EST)
Subject: VPN for secure access the MS Exchange server

Back in October I asked about this. Thanks to everyone who provided helpful information. We did find a solution using ssh. This message is delayed because we wanted to make sure it really worked.

We were not able to get Exchange to work with port forwarding. Evidently they keep some information about the hostname which makes things fail. We are using Notes which does not have that problem.

/dan
--
Dan Schlitt
schlitt at world.std.com

On Mon, 18 Oct 1999, Dan Schlitt wrote:

> We may have a requirement to set up a VPN to provide access to a MS
> Exchange server or a Lotus Notes server. Our current mechanisms do not
> seem to be adequate to the task.
>
> We need to provide this access to remote mobile users. The remote users
> should be able to dial into a local (to them) ISP and after establishing
> a PPP connection to the ISP set up a secure encrypted connection to our
> network. We are in general agreement that PPTP is not adequate so
> solutions involving that are not useful to us.
>
> Thanks for any suggestions you can make.
>
> /dan
> --
> Dan Schlitt
> schlitt at world.std.com

From fercho at telesat.com.co Thu Nov 25 15:09:29 1999
From: fercho at telesat.com.co (Fernando Arevalo)
Date: Thu, 25 Nov 1999 15:09:29 -0500
Subject: L2TP and IPSec White Papers
Message-ID: <383D9779.2C86CC41@telesat.com.co>

Hi

I'm doing a VPN study. But I need to compare layer 2 and layer 3 tunneling protocols. Does someone know where I can find information about how L2TP and IPSec work? Technical information, no commerce. : )

From misha at insync.net Thu Nov 25 17:56:08 1999
From: misha at insync.net (Misha)
Date: Thu, 25 Nov 1999 16:56:08 -0600 (CST)
Subject: MS PPTP
In-Reply-To: <85256831.00714C26.00@notes1.postproperties.com>

> Also, will Cisco's IPSec client support NT domain authentication?

I haven't checked into it further, but Cisco supports RADIUS or TACACS for user authentication. You should be able to get a RADIUS server which can pull user info from a domain controller; in fact I believe Cisco sells one.
Misha

From guy.raymakers at europe.eds.com Thu Nov 25 02:48:11 1999
From: guy.raymakers at europe.eds.com (guy.raymakers at europe.eds.com)
Date: Thu, 25 Nov 1999 08:48:11 +0100
Subject: CRYPTO-6-IKMP_NOT_ENCRYPTED
Message-ID: <41256834.002AE83D.00@beanmg01.lneu.emea.eds.com>

Hi All,

I'm testing now a Cisco 1603 with IOS12.5 running IPsec and trying to connect this to a Nortel CES 1500. Most of the time this is working, but sometimes I get the following error:

    %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 194.7.187.90 was not encrypted and it should've been.

Does someone know what is going wrong and what I need to do to fix this?

Many thanks,
Guy

From s845 at drone.ii.uib.no Fri Nov 26 08:39:46 1999
From: s845 at drone.ii.uib.no (Kristian Amlie)
Date: Fri, 26 Nov 1999 14:39:46 +0100
Subject: VPN PPTP client for the Macintosh?
Message-ID: <383E8DA4.931894EE@lstud.ii.uib.no>

Hi, all!

I'm new to the vpn mailing list. I have read the FAQ and the last month's archive, but my question is still not answered: Is there a VPN PPTP Macintosh client available?

I have found NTS's LAN TunnelBuilder(TM) for Mac OS to be great until the eval. period of 15 days was out. (There is an unspoken cry for help here.) After some time and lots of frustration I checked the price on http://www.nts.com/order.html: TunnelBuilder individual license $395. I am a student, enough said. Is there another client available?

My university, University of Bergen, Norway, is building a WLAN (Breezecom) and is using a VPN with PPTP. I think that the solution they use is from this company: http://www.moretonbay.com/vpn/pptp.html on a Linux server. Maybe PPTP is not the best choice, but I don't think I can persuade them into choosing something else (safer(?!) and with a Mac client :-) ). The WLAN consists mostly of single computers running WinXX or Linux with an antenna.

I would really appreciate some help on what available Mac clients there are, besides the very good, but extremely costly TunnelBuilder from NTS.

I hope my question fits this group.

Best regards
--
Kristian Amlie
Natland Studentby I-57, N-5081 Bergen, Norway
Tel: +47 55 27 10 29
Fax: +1 (603) 949-8931
E-mail: mailto:kristian.amlie at iname.com
Mail-to-pager: mailto:kmobil at email.com

From jfranco at mundo-R.net Fri Nov 26 12:52:31 1999
From: jfranco at mundo-R.net (Franco Sabaris, Javier)
Date: Fri, 26 Nov 1999 18:52:31 +0100
Subject: Firewall and VPN Device
Message-ID: <77A1E4F21F59D211862600805F650FD8512FAC@COR0000S001>

What about having the router and the vpn in the same box?

Javier

> -----Original Message-----
> From: Ricardo de la Torre [SMTP:ibusaife at adinet.com.uy]
> Sent: Wednesday, 27 October 1999 20:12
> To:
> Subject: RE: Firewall and VPN Device
>
> Following this lead. From a price-performance point of view, the best
> solution should be to have the firewall and the vpn in the same box.
>
>            |----------------- vpn >----------------|
>      ---   |                                       |   ---
>   Unsecure Zone               DMZ               Secure Zone
>
> From a security point of view: what are the pros and cons of this
> configuration?

From dklann at berbee.com Mon Nov 29 22:44:20 1999
From: dklann at berbee.com (David Klann)
Date: Mon, 29 Nov 1999 21:44:20 -0600
Subject: MS PPTP
In-Reply-To: Your message of "Thu, 25 Nov 1999 16:56:08 CST."
Message-ID: <199911300344.VAA01178@grunch.binc.net>

Yes, Cisco's "Cisco Secure ACS (Access Control System)" supports both RADIUS and TACACS protocols and can use the NT domain user database for authentication.
-David

From jgerrits at enteract.com Sat Nov 27 22:40:00 1999
From: jgerrits at enteract.com (Jonus Gerrits)
Date: Sat, 27 Nov 1999 21:40:00 -0600
Subject: FIREWALL VPN
Message-ID: <002401bf3952$40a4b1e0$5df1fea9@lindyhop>

Mauricio,

It depends. If you have a RAS Server with modems and your users are connecting to the network via the modems, you will bypass the firewall. But if they are connecting to your PPTP Server via the Internet then you will have to open ports on the Firewall.

Jonus

-----Original Message-----
From: Mauricio Marín
Cc: vpn at listserv.secnetgroup.com
Date: Friday, November 26, 1999 12:05 PM
Subject: FIREWALL VPN

>If we have a Firewall in a company, for example CheckPoint, when
>I connect by PPTP will I pass through, jumping the firewall?
>
>Mauricio Marín

From eyeque-india at telebot.net Tue Nov 30 07:10:10 1999
From: eyeque-india at telebot.net (Vikash Bhagchandka)
Date: Tue, 30 Nov 1999 17:40:10 +0530
Subject: VPN Solution
In-Reply-To: <71B30BC67510D31184030090277A3DDE5FAECE@mail.altiga.com>

Hi,

I would like to know which is the best product for setting up a VPN to connect two offices with 50 users over the Internet. I have the option of either Contivity Extranet Switch 1500 or Cisco 1720 VPN solution. I would like to know which one is better in terms of reliability, connectivity & security. Is there any other product which I should consider other than Cisco & Nortel?

As the offices will be connected using the Internet, I would need to install a firewall too. Could you suggest something that is easy to set up & monitor?

Apart from that, I would also like to know if 128bit encryption is allowed outside US.

TIA,
Vikash

From Fred.Golder at cendant.com Tue Nov 30 08:36:01 1999
From: Fred.Golder at cendant.com (Golder, Fred)
Date: Tue, 30 Nov 1999 08:36:01 -0500
Subject: MS PPTP

This isn't something unique to Cisco. Every Radius Server package I have seen can authenticate against an NT Domain. MS has too large an install base for NT Domains to not be supported by a product.

-Fred Golder

-----Original Message-----
From: David Klann [mailto:dklann at berbee.com]
Sent: Monday, November 29, 1999 10:44 PM
To: vpn at listserv.secnetgroup.com; Misha
Subject: Re: MS PPTP

Yes, Cisco's "Cisco Secure ACS (Access Control System)" supports both RADIUS and TACACS protocols and can use the NT domain user database for authentication.

-David
From twolsey at realtech.com Tue Nov 30 11:27:12 1999
From: twolsey at realtech.com (TC Wolsey)
Date: Tue, 30 Nov 1999 11:27:12 -0500
Subject: L2TP and IPSec White Papers

>>> Fernando Arevalo 11/25/99 03:09PM >>>
>
>Hi
>
>I'm doing a VPN study. But I need to compare layer 2 and layer 3 tunneling
>protocols.
>Does someone know where I can find information about how L2TP and IPSec work?
>Technical information, no commerce. : )

If you really want the technical information with no commercial interruptions, the place to go is the RFCs that define L2TP and the environment of IPSec. RFC 2661 defines L2TP and there is an IETF working group that is chartered with extensions to that protocol. The IPSec working group has produced some light reading material :-) published as RFCs 2401-2412. There will most likely be a working group chartered to address issues with regard to using IPSec as a remote access technology; the list for this activity is maintained at http://www.vpnc.org.

If you really do want white papers as opposed to standards, there are several references listed on the site maintained by the list moderator at http://kubarb.phsx.ukans.edu/~tbird/vpn.html.

Good luck with your study.

Regards,
--tcw

From SCundall at ariba.com Tue Nov 30 11:47:03 1999
From: SCundall at ariba.com (Steve Cundall)
Date: Tue, 30 Nov 1999 08:47:03 -0800
Subject: MS PPTP
Message-ID: <8B04D64DD534D311994D00A0C989C5E153E4ED@mtvmail.ariba.com>

One hitch when using the NT domain database and Radius with the current version of Cisco Secure is that it doesn't support CHAP, just PAP and MS-CHAP. CHAP works fine if the users are in the CS database, just not if they are in NT. I am not sure if they are going to fix this or not, as I have my Cisco people looking into this issue.

-Steve

-----Original Message-----
From: David Klann [mailto:dklann at berbee.com]
Sent: Monday, November 29, 1999 7:44 PM
To: vpn at listserv.secnetgroup.com; Misha
Subject: Re: MS PPTP

Yes, Cisco's "Cisco Secure ACS (Access Control System)" supports both RADIUS and TACACS protocols and can use the NT domain user database for authentication.

-David
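The 2-key and 3-key EDE constructions, the "all keys identical reduces to single DES" compatibility mode, and the outer-CBC mode discussed in the Linux/Mac IPsec into Contivity thread above, as an added example that is not code from any of the posts or from Free S/WAN. The block cipher is a constructed toy 64-bit Feistel cipher (not DES, so the script runs with the Python standard library only); the EDE algebra and key-space counting are the same as for 3DES, and every function name here is an assumption of this example.

```python
"""Triple encryption (EDE) in its 2-key and 3-key layouts, plus outer-CBC.
The block cipher is a constructed toy Feistel cipher (NOT DES) with the same
64-bit block and 56-bit key sizes; the EDE construction is unchanged for 3DES."""
import hashlib
import os

BLOCK = 8        # 64-bit block, as in DES
KEY_BYTES = 7    # 56-bit key, as in DES
ROUNDS = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key: bytes) -> list:
    """Derive 16 round subkeys from a 56-bit key (toy schedule, constructed)."""
    if len(key) != KEY_BYTES:
        raise ValueError("key must be %d bytes" % KEY_BYTES)
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(ROUNDS)]


def _feistel(block: bytes, subkeys: list) -> bytes:
    """Balanced Feistel network. As in DES, decryption is the same routine
    run with the subkeys in reverse order."""
    if len(block) != BLOCK:
        raise ValueError("block must be %d bytes" % BLOCK)
    left, right = block[:4], block[4:]
    for sk in subkeys:
        f = hashlib.sha256(sk + right).digest()[:4]   # toy round function
        left, right = right, _xor(left, f)
    return right + left   # undo the final swap so decryption mirrors encryption


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _subkeys(key))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _subkeys(key)[::-1])


def ede_encrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """Encrypt-Decrypt-Encrypt.
    3-key: k1, k2, k3 independent (168-bit nominal key space).
    2-key: k3 == k1, the (A, B, A) layout from the thread (112-bit key space).
    k1 == k2 == k3: the middle decryption cancels the first encryption, so the
    result is a single encryption (the 3DES/DES compatibility mode)."""
    return encrypt_block(k3, decrypt_block(k2, encrypt_block(k1, block)))


def ede_decrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    return decrypt_block(k1, encrypt_block(k2, decrypt_block(k3, block)))


def nominal_key_bits(k1: bytes, k2: bytes, k3: bytes) -> int:
    """Nominal key space in bits: 56 per distinct key, as counted in the thread
    (the effective strength against meet-in-the-middle attacks is lower)."""
    return 56 * len({k1, k2, k3})


def outer_cbc_encrypt(keys: tuple, iv: bytes, data: bytes) -> bytes:
    """Outer-CBC: chain across the whole EDE operation as if it were a single
    block cipher. This is the mode IPsec ESP specifies for 3DES-CBC (RFC 2451);
    inner-CBC would instead chain separately inside each of the three passes."""
    if len(data) % BLOCK:
        raise ValueError("data must be a multiple of the block size (pad first)")
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = ede_encrypt(*keys, _xor(prev, data[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def outer_cbc_decrypt(keys: tuple, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        out.append(_xor(prev, ede_decrypt(*keys, block)))
        prev = block
    return b"".join(out)


if __name__ == "__main__":
    k1, k2, k3 = (os.urandom(KEY_BYTES) for _ in range(3))
    msg = b"sixteen byte msg"            # constructed sample input, two blocks
    iv = os.urandom(BLOCK)
    ct = outer_cbc_encrypt((k1, k2, k3), iv, msg)
    assert outer_cbc_decrypt((k1, k2, k3), iv, ct) == msg
    # identical keys collapse EDE to one encryption with that key
    assert ede_encrypt(k1, k1, k1, msg[:8]) == encrypt_block(k1, msg[:8])
    print("3-key:", nominal_key_bits(k1, k2, k3), "bits;",
          "2-key:", nominal_key_bits(k1, k2, k1), "bits")
```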