From guy.raymakers at europe.eds.com Wed Sep 1 03:53:13 1999
From: guy.raymakers at europe.eds.com (guy.raymakers at europe.eds.com)
Date: Wed, 1 Sep 1999 08:53:13 +0100
Subject: routing table on the client
Message-ID: <412567DF.002B50D1.00@beanmg01.cyberlink.eds.com>

Hi all,

When connecting the Nortel IPsec client to the CES over the Internet, we have noticed that the management IP address of the CES is added to the routing table of the client when the IPsec connection is established. Is there a way to get the IP address out of the routing table?

Here's an example output:

Active Routes:

Network Address   Netmask            Gateway Address   Interface        Metric
0.0.0.0           0.0.0.0            194.7.250.57      194.7.250.58     1
127.0.0.0         255.0.0.0          127.0.0.1         127.0.0.1        1
194.7.187.90      255.255.255.255    194.7.250.57      194.7.250.58     1
194.7.250.56      255.255.255.252    194.7.250.58      194.7.250.58     1
194.7.250.58      255.255.255.255    127.0.0.1         127.0.0.1        1
194.7.250.255     255.255.255.255    194.7.250.58      194.7.250.58     1
198.123.141.58    255.255.255.255    204.172.252.13    204.172.252.13   1
204.172.252.0     255.255.255.0      204.172.252.13    204.172.252.13   1
204.172.252.8     255.255.255.248    204.172.252.13    204.172.252.13   1
204.172.252.13    255.255.255.255    127.0.0.1         127.0.0.1        1
224.0.0.0         224.0.0.0          194.7.250.58      194.7.250.58     1
255.255.255.255   255.255.255.255    194.7.250.58      194.7.250.58     1

198.123.141.58 = the management IP address.

Thanks,
Guy

****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com
The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/FAQ.html
We are currently experiencing "unsubscribe" difficulties.
If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com
****************************************************************

From fishin11 at yahoo.com Wed Sep 1 21:05:22 1999
From: fishin11 at yahoo.com (fishin)
Date: Wed, 1 Sep 1999 18:05:22 -0700 (PDT)
Subject: VPN vs SSL
Message-ID: <19990902010522.17671.rocketmail@send205.yahoomail.com>

Hello,

I work at a Fortune 500 company where we receive many requests to connect our network with business partners over the Internet. We have both VPN and SSL connections. What I'm looking for is a trade-off matrix (I'll be creating one probably) that will include when you use VPN or SSL and why. I realize that VPNs will encrypt all traffic while SSL will take care of HTTP application traffic. I also know that SSL is easier to implement because everyone has browsers today. I know that VPNs seem to have better authentication (assuming we don't use certs with SSL), but again our HTTP users want to use SSL because it's easier. I also understand that once IPSec clients are provided on each desktop (Windows 2000 for example), VPNs will probably become even easier to deploy from a client standpoint.

Any comments would be greatly appreciated!!

Thanks,
Doug

__________________________________________________
Do You Yahoo!?
Bid and sell for free at http://auctions.yahoo.com

From tbird at secnetgroup.com Wed Sep 1 21:51:34 1999
From: tbird at secnetgroup.com (Tina Bird)
Date: Wed, 1 Sep 1999 20:51:34 -0500 (CDT)
Subject: Cisco IPSEc VPN Configs.. (fwd)
Message-ID:

Okay, all you Cisco people out there -- any ideas here? I'll happily add them to the How-To page...

thanks -- Tina

---------- Forwarded message ----------
Date: Thu, 2 Sep 1999 13:08:25 +1200
From: "A. Charan"
Reply-To: charan at is.com.fj
To: tbird at secnetgroup.com
Subject: Cisco IPSEc VPN Configs..

Hi..

I was wondering if there are links available for Cisco IPsec configs for setting up VPNs using Cisco VPN-enabled routers...

Thanx.

Atish C. Charan, Engineer
Internet Services - Telecom Fiji Limited
Email : charan at is.com.fj
Fax : +679 307237, Phone : +679 300100, Pager : 295284

cat /dev/null > `find / -type f -print`

From guy.raymakers at europe.eds.com Thu Sep 2 03:43:50 1999
From: guy.raymakers at europe.eds.com (guy.raymakers at europe.eds.com)
Date: Thu, 2 Sep 1999 08:43:50 +0100
Subject: Cisco IPSEc VPN Configs.. (fwd)
Message-ID: <412567E0.002A6E39.00@beanmg01.cyberlink.eds.com>

IPsec configuration information can be found at the Cisco website.
This URL will bring you to the 'IP Security and Encryption' documentation of IOS 12.0:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/index.htm

Anyway, here's an example using pre-shared secrets to authenticate (NAT is also included in this config):

!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname C1605-REMOTE
!
enable password 7 060901264347071E
!
ip subnet-zero
no ip domain-lookup
!
isdn switch-type basic-net3
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key eds address 197.71.25.58
!
crypto ipsec transform-set cm-transformset-1 ah-md5-hmac esp-des esp-md5-hmac
!
crypto map cm-cryptomap local-address Dialer1
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 197.71.25.58
 set transform-set cm-transformset-1
 match address 100
!
process-max-time 200
!
interface Ethernet0
 ip address 199.227.10.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet1
 description connected to LAN
 ip address 204.173.190.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface BRI0
 description connected to Internet
 no ip address
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 dialer rotary-group 1
 isdn switch-type basic-net3
 crypto map cm-cryptomap
!
interface Dialer1
 description connected to Internet
 ip address 198.132.229.216 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip split-horizon
 no ip mroute-cache
 dialer in-band
 dialer string 034141850
 dialer hold-queue 10
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname jhsjdhuh
 ppp chap password 7 18881777377733245E
 ppp pap sent-username jhsjdhuh password 7 18881777377733245F
 crypto map cm-cryptomap
!
router rip
 version 2
 timers basic 5 15 15 30
 passive-interface Dialer1
 network 199.227.10.0
 network 204.173.190.0
 distribute-list 10 out Ethernet0
 no auto-summary
!
ip nat inside source list 101 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
access-list 10 deny any
access-list 100 permit ip host 194.7.229.216 host 194.7.250.58
access-list 100 permit ip host 194.7.229.216 206.165.25.0 0.0.0.255
access-list 100 permit ip 204.173.190.0 0.0.0.255 206.165.25.0 0.0.0.255
access-list 101 deny ip 204.173.190.0 0.0.0.255 206.165.25.0 0.0.0.255
access-list 101 permit ip 204.173.190.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server engineID local 00000009020000507305B450
snmp-server community public RO
!
line con 0
 exec-timeout 0 0
 password 7 1041071E0A1E1C0C
 login
 transport input none
line vty 0 4
 password 7 050408082E45400E
 login
!
end

Good Luck,
Guy

From Ryan.Russell at sybase.com Wed Sep 1 22:38:05 1999
From: Ryan.Russell at sybase.com (Ryan Russell)
Date: Wed, 1 Sep 1999 19:38:05 -0700
Subject: VPN vs SSL
Message-ID: <882567E0.000E7AB4.00@gwwest.sybase.com>

>I work at a fortune 500 company where we receive many
>request to connect our network with business partners
>over the Internet. We have both VPN's and SSL
>connections. What I'm looking for is a trade-off
>matrix (I'll be creating one probably) that will
>include when you use VPN or SSL and why. I realize
>that VPN's will encrypt all traffic while SSL will
>take care of HTTP application traffic.

Well, there's the key differentiator there. For practical purposes, SSL is only good for HTTP (and possibly IMAP and FTP). VPNs can do arbitrary protocols, depending on the product chosen. SSH also fits into a similar good-for-a-handful-of-protocols category.

>I also know
>that SSL is easier is to implement because everyone
>has browsers today.

Most VPN software is fairly intrusive in the client. It would be no fun supporting external people with your VPN client.

>I know that VPN's seem to have
>better authentication (assuming we don't use certs
>with SSL), but again our HTTP users want to use
>SSL because its easier.

I think that's an assumption, and possibly not correct. You ought to be able to use even OTP mechanisms if you do a clever, well-designed cookie mechanism.

>I also understand once IPSec clients are provided on
>each desktop (Windows 2000 for example) that VPN's
>will probably become even easier to deploy from
>a client standpoint.

We can hope. I wouldn't count on it being real easy for some time still. MS can do wonders to advance certain markets by including something in their OS, but then you get it MS's way.

Ryan

From sbrown at cw.net Thu Sep 2 11:05:29 1999
From: sbrown at cw.net (Steve Brown)
Date: Thu, 2 Sep 1999 11:05:29 -0400
Subject: VPN Scaling Questions
Message-ID: <000e01bef554$98426a60$372547cc@sbrown>

Hello,

I was wondering if anyone has done any research/work on the scaling and single sign-on issues. I've currently worked on 3 VPN designs, 1 20K, 1 30K+, and 1 over 50K remote access VPN designs, but there are still problems in these areas, and while customers want to use VPN technology, they cannot afford the manpower to support the technology.

1 - Scaling: customers have so many old legacy laptops, but in order to allow them to use a remote access VPN, they need to upgrade, which many organizations do not have the staff to do. I was wondering if some combination of VPN software and compulsory modes are the answer; so many legacy applications do not work on Win95, Win98, etc.
2 - Single sign-on: I know there has been some work, but a typical user has to sign in to his/her ISP, sign on to the VPN device (hopefully using some kind of authentication/authorization scheme, or by the use of digital certificates, but that doesn't solve authorization, which may mean adding LDAP servers; again it goes back to the company's support staff). It would be better if we could provide seamless integration, instead of bits and pieces of different technologies, both from a support standpoint and a security standpoint.

Thanks

Steven A. Brown, MBA., CCSA, CCSE, VPN/Firewall & Internet Security Engineer
Cable&Wireless, 9000 Regency Parkway
Research Triangle Park, NC, 27511
sbrown at cw.net, Steven.Brown at cwusa.com
===================================
Author: Implementing Virtual Private Networks, McGraw-Hill
CoAuthor: CheckPoint Firewall-1, McGraw-Hill
http://www.itdiffusions.com
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. -- Albert Einstein"

From mmedwid at symantec.com Thu Sep 2 11:57:33 1999
From: mmedwid at symantec.com (Michael Medwid)
Date: Thu, 2 Sep 1999 08:57:33 -0700
Subject: Cisco IPSEc Client
Message-ID: <882567E0.005778C6.00@uscu-smtp01.symantec.com>

Has Cisco released their Win NT/9X IPsec client software? Anyone have any experience with it? Care to feedback how it compares to others on the market like the Extranet IPsec client? Thanks.
From tbird at secnetgroup.com Thu Sep 2 13:37:26 1999
From: tbird at secnetgroup.com (Tina Bird)
Date: Thu, 02 Sep 1999 12:37:26 -0500
Subject: Cisco configs
Message-ID: <4.1.19990902123624.009d9b40@mail.secnetgroup.com>

Hi all --

I got a flurry of Cisco configuration examples after yesterday's posting -- to see them, go to http://kubarb.phsx.ukans.edu/~tbird/vpn.html and hit the "How-To" button. Let me know if there are any corrections, and remember, YMMV.

cheers -- t.

From eyeque-india at telebot.net Thu Sep 2 13:55:22 1999
From: eyeque-india at telebot.net (Vikash Bhagchandka)
Date: Thu, 2 Sep 1999 23:25:22 +0530
Subject: Help needed regarding VPN
In-Reply-To: <000e01bef554$98426a60$372547cc@sbrown>
Message-ID:

Dear Friends:

I needed your advice to decide on the type of network that should be used for remote data processing in India. I have two basic requirements:

1. I need remote access to my clients' database.
2. I need to remotely update my clients' database on a real-time basis from a remote site like India.

I have researched the two possibilities: VPN over IP (Internet) or VPN over Frame Relay (point to point). However, I am confused because all my clients have different network structures, use different software, are located all over the US and use different database formats at their respective ends. Moreover, the process that is to be done by me in India is the same. The current network details of my clients are as follows:

1. The client is using Novell 3.12 running IPX. Citrix Winframe 1.7 is used for their WAN connectivity between offices. They are running TCP/IP over the WAN, but IPX on the LAN. The database used is a 16-bit DOS application. Data can be imported in an HL-7 format. Data can also be exported in this format, or in ASCII.

2. The second client is using Mumps for networking on a Windows 95 operating system. The software being used for claims processing is DOS based. Most of the clients are dumb terminals with a few of them having hard disks. All the terminals are connected to the file server where all the information is stored and processed using a central board and CAT 5 cables.

3. The third client's system is based on a NETBIOS network (clone of DECNET) of four DOS-based PC database servers and four combination application server/terminal server DOS-based PCs. Total storage approximates 50 GB across the four database servers. They are using Intersystems Cache for the database, which supports the web and TCP/IP protocols.

Any help in this regard would be appreciated.

Regards,
Vikash Bhagchandka

From rgm at icsa.net Thu Sep 2 13:53:17 1999
From: rgm at icsa.net (Robert Moskowitz)
Date: Thu, 02 Sep 1999 13:53:17 -0400
Subject: Cisco IPSEc Client
In-Reply-To: <882567E0.005778C6.00@uscu-smtp01.symantec.com>
Message-ID: <4.1.19990902135056.00b51e50@homebase.htt-consult.com>

At 08:57 AM 9/2/1999 -0700, Michael Medwid wrote:
>
>Has Cisco released their Win NT/9X IPsec client software? Anyone have
>any experience with it? Care to feedback how it compares to others on the
>market like the Extranet IPsec client? Thanks.
>

Cisco has a relationship with IRE. Both are using CEP to get Verisign certs. We have put both of them through our 1.0 certification (which does not include cert testing).

Robert Moskowitz
ICSA.NET
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished if it doesn't matter who gets the credit

From lum at infoexpress.com Thu Sep 2 14:15:18 1999
From: lum at infoexpress.com (lum)
Date: Thu, 02 Sep 1999 11:15:18 -0700
Subject: VPN vs SSL
In-Reply-To: <19990902010522.17671.rocketmail@send205.yahoomail.com>
Message-ID: <4.1.19990902095710.046db020@10.0.0.3>

>I work at a fortune 500 company where we receive many
>request to connect our network with business partners
>over the Internet. We have both VPN's and SSL
>connections. What I'm looking for is a trade-off
>matrix (I'll be creating one probably) that will
>include when you use VPN or SSL and why. I realize
>that VPN's will encrypt all traffic while SSL will
>take care of HTTP application traffic. I also know
>that SSL is easier is to implement because everyone
>has browsers today. I know that VPN's seem to have
>better authentication (assuming we don't use certs
>with SSL), but again our HTTP users want to use
>SSL because its easier.

There doesn't need to be a tradeoff since some VPNs, like ours, can tunnel through SSL from corporate networks. We've found that remote access from business partners is somewhat different from remote access for internal users because the administrative domain is different, the configuration is much more challenging, and the level of transparency has to be much higher.

>I also understand once IPSec clients are provided on
>each desktop (Windows 2000 for example) that VPN's
>will probably become even easier to deploy from
>a client standpoint.

For remote access extranets, Windows 2000 will make it easier only if companies open up their firewalls to allow bidirectional AH, ESP, and UDP for IKE. Of course, these protocols are all stateless, which creates all sorts of interesting security scenarios. Because features in the operating system shouldn't drive security policy at the firewall, I suspect that Win2000 won't change much in the way of deployment for your scenario. Even ignoring the security issues, there are the issues involved with merging Microsoft's authentication infrastructure between corporations over a very public Internet.

Regards,
Stacey Lum
InfoExpress

From dklann at berbee.com Thu Sep 2 14:39:28 1999
From: dklann at berbee.com (David Klann)
Date: Thu, 02 Sep 1999 13:39:28 -0500
Subject: Cisco IPSEc Client
In-Reply-To: Your message of "Thu, 02 Sep 1999 08:57:33 PDT." <882567E0.005778C6.00@uscu-smtp01.symantec.com>
Message-ID: <199909021839.NAA01088@grunch.binc.net>

Hi Michael,

I've heard that the IPSec Windows client will be released in early to mid September. The last pre-release with which I worked was in pretty good shape (such as it is with digital certs at the present time...).

(not speaking for Cisco in any way)

-David Klann
Berbee Information Networks
www.berbee.com

From rk_ at mailcity.com Thu Sep 2 18:10:12 1999
From: rk_ at mailcity.com (S Ramakrishnan)
Date: Thu, 02 Sep 1999 15:10:12 -0700
Subject: Cisco IPSEc Client
Message-ID:

Where can I get some info on the Extranet IPSec client?

Thanks,
Rk

On Thu, 2 Sep 1999 08:57:33 Michael Medwid wrote:
>Has Cisco released their Win NT/9X IPsec client software? Anyone have
>any experience with it? Care to feedback how it compares to others on the
>market like the Extranet IPsec client? Thanks.

---
S Ramakrishnan
"... from the sunny shores of California ..."
rk_ at mailcity.com, (408) 616.3100

Get your FREE Email at http://mailcity.lycos.com
Get your PERSONALIZED START PAGE at http://my.lycos.com

From plawyer at aventail.com Thu Sep 2 20:43:16 1999
From: plawyer at aventail.com (Paul Lawyer)
Date: Thu, 2 Sep 1999 17:43:16 -0700
Subject: VPN vs SSL
Message-ID: <71DE5436FE60D311B8F60050043207B50F0D95@leo.in.aventail.com>

Doug,

There are several challenges you will face when connecting un-trusted or semi-trusted third parties:

1) How to eliminate the impact on your partners' desktop PCs
2) How to traverse the firewall at partner sites without modifying their firewall configuration or security policy
3) How to strongly authenticate users when they're behind another firewall
4) How to differentiate permissions for users based on who they are and what resources they need
5) How to provide them all the application functionality they need

Today, the vast majority of VPN clients will make some sort of TCP stack or OS change. Your partners will be very reluctant to accept an NDIS shim or a client that replaces .DLLs. The support implications of making a proprietary client work with every conceivable network and OS permutation are enormous. You should either find a VPN/extranet client that makes no TCP stack modifications or go client-less (using just a browser).

Requiring your partners to modify their firewall or security policy to do business with you is impractical from both a political and technical perspective.
You need a solution that will allow applications to traverse the firewall securely, or use a standard Web proxy to exit the network.

It is an obvious challenge to pass user authentication credentials through a partner's firewall to a VPN/Extranet server on your internal network. But in order to make intelligent decisions about who can access your network from a partner site, this is critical to a successful Extranet deployment. Obviously strong authentication like tokens or certificates should be a requirement. It is also essential to do user authentication in order to make critical policy and access decisions based on those users' identities. E.g. your employee who happens to be located at a partner site will have different permissions than your partner's employees. In some cases you may have both employees and non-employees accessing from the same partner network.

Are your applications webified already? Will a webified version of the application provide all the functionality the users need? If so, this is the optimal deployment environment for a web-only solution. Unfortunately most of the firms we deal with are not there yet or have application requirements that will prevent a web-only panacea.

I hope this is useful to you. If you are interested, we have both client-less (web only) and client/server solutions that address the issues as outlined above.

Regards,
Paul Lawyer
Aventail Corporation

Aventail Corporation, the leader in Extranet Management and Security Solutions
http://www.aventail.com/

-----Original Message-----
From: fishin [mailto:fishin11 at yahoo.com]
Sent: Wednesday, September 01, 1999 6:05 PM
To: vpn at listserv.secnetgroup.com
Subject: VPN vs SSL

Hello,

I work at a fortune 500 company where we receive many request to connect our network with business partners over the Internet. We have both VPN's and SSL connections. What I'm looking for is a trade-off matrix (I'll be creating one probably) that will include when you use VPN or SSL and why. I realize that VPN's will encrypt all traffic while SSL will take care of HTTP application traffic. I also know that SSL is easier to implement because everyone has browsers today. I know that VPN's seem to have better authentication (assuming we don't use certs with SSL), but again our HTTP users want to use SSL because its easier. I also understand once IPSec clients are provided on each desktop (Windows 2000 for example) that VPN's will probably become even easier to deploy from a client standpoint.

Any comments would be greatly appreciated!!

Thanks,
Doug

__________________________________________________
Do You Yahoo!?
Bid and sell for free at http://auctions.yahoo.com

From rick_smith at securecomputing.com Fri Sep 3 12:21:11 1999
From: rick_smith at securecomputing.com (Rick Smith)
Date: Fri, 03 Sep 1999 11:21:11 -0500
Subject: VPN vs SSL
In-Reply-To: <19990902010522.17671.rocketmail@send205.yahoomail.com>
Message-ID: <3.0.3.32.19990903112111.009baa80@mailhost.sctc.com>

The choice really depends on the business requirements - what must you achieve and how much flexibility do you have to modify work processes. It sounds as if you already have SSL in place, or at least you realize it's off the shelf today so you could start using it tomorrow.

Today, IPSEC seems better suited for site-to-site crypto. It puts the fewest restrictions on application protocols. Road warriors can use it on laptops, of course, but it's still much harder to manage than SSL, which makes it less reliable. Client-based public key authentication is available in both IPSEC and SSL, but it's not common enough that people in general understand how to use it reliably and safely. So it's best to restrict

On the other hand, you need to be clever about structuring your network if you're giving your business partners IPSEC access to it. Ideally, you need internal firewalls to keep company-sensitive information and services away from the outsiders.

If the business partners are mostly going to access Web-based resources, then SSL is an obvious choice. Most information these days can be twisted into something that can live on a web page. That might be easier than managing the security implications of giving outsiders access to your internal proprietary network.

If you're concerned about password sharing in Web accesses, you can buy third-party authentication solutions (like the tokens from Safeword and SecureID).
People can't give access to other people without giving up their token as well.

Rick.
smith at securecomputing.com
"Internet Cryptography" at http://www.visi.com/crypto/

From cynthia at xerox.com.ni Fri Sep 3 14:29:34 1999
From: cynthia at xerox.com.ni (Cynthia Tercero)
Date: Fri, 03 Sep 1999 14:29:34
Subject: VPN and PPTP
Message-ID: <3.0.5.32.19990903142934.008fab70@xerox.com.ni>

Hi!

I'm having some problems trying to configure the communication to a VPN using PPTP. The scenario is as follows. In order to establish communication to the VPN we have to use PPTP and FireWall-1 Session Authentication. First we use dial-up to our node and then we call the host number of the VPN. Our router has a firewall configured through access-lists. I've read that if there are access-lists configured it is necessary to add an entry for TCP port 1723 and one entry for GRE, IP protocol 47. I've done this as follows:

access-list 115 permit tcp any HOST-NUMBER 0.0.0.191 eq 1723
access-list 115 permit udp any HOST-NUMBER 0.0.0.191 eq 1723

The last one is just for testing. And also, to allow GRE, I've added this one:

access-list 111 permit gre any any

But there's still no answer. Does anybody have any idea on how to proceed?

Thank you very much for your attention.

Cynthia
Webmaster, Xerox de Nicaragua, S.A.
Internet, technology at your service!
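The following Python script is an added example; it is not part of Cynthia's post, of Pat Bryan's Sidewinder post later in this digest, or of any vendor documentation. It parses constructed IPv4 packets, identifies the two flows PPTP needs (the TCP/1723 control connection and the data channel carried in GRE, IP protocol 47, with the enhanced GRE header of RFC 2637: version 1, protocol type 0x880B, key field holding payload length and call ID), and runs them through a minimal first-match model of the access list above. The point it shows is that the `permit tcp ... eq 1723` and `permit udp ... eq 1723` entries never match the GRE packets, which is the same traffic Pat's tcpdump later reports as `IP-PROTO-47 GRE`; only a GRE permit does. The addresses, call ID, sample packets and the ACL model are assumptions made for illustration.

```python
"""PPTP traffic classifier plus a tiny first-match ACL model.

Added example, not from the original posts. PPTP has two flows: a TCP
control connection on port 1723 and a data channel in GRE (IP protocol 47)
using the RFC 2637 enhanced GRE header (version 1, protocol type 0x880B,
key field = payload length + call ID). A rule keyed on TCP or UDP port 1723
never matches the GRE flow. All packets here are constructed, not captured."""
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
PPTP_PORT = 1723
GRE_PROTO_PPP = 0x880B                                # PPP inside PPTP's GRE
GRE_C, GRE_K, GRE_S, GRE_A = 0x8000, 0x2000, 0x1000, 0x0080  # GRE flag bits
PROTO_NUMBERS = {"tcp": IPPROTO_TCP, "udp": IPPROTO_UDP, "gre": IPPROTO_GRE}


def parse_ipv4(pkt):
    """Return (protocol, payload) of a raw IPv4 packet; options are skipped."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, proto = pkt[0], pkt[9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a sane IPv4 header")
    return proto, pkt[ihl:]


def parse_gre(payload):
    """Decode a GRE header (RFC 1701 / RFC 2637) and return its fields and inner payload."""
    if len(payload) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, proto_type = struct.unpack("!HH", payload[:4])
    offset, payload_len, call_id = 4, None, None
    if flags_ver & GRE_C:            # checksum + reserved1 (GRE version 0 only)
        offset += 4
    if flags_ver & GRE_K:            # key; for PPTP: payload length + call ID
        payload_len, call_id = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
    if flags_ver & GRE_S:            # sequence number
        offset += 4
    if flags_ver & GRE_A:            # acknowledgment number (PPTP only)
        offset += 4
    if len(payload) < offset:
        raise ValueError("truncated GRE header")
    return {"version": flags_ver & 0x7, "protocol_type": proto_type,
            "call_id": call_id, "payload_len": payload_len, "payload": payload[offset:]}


def classify(pkt):
    """Name the flow a firewall would have to permit for this packet."""
    proto, payload = parse_ipv4(pkt)
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", payload[:4])
        if proto == IPPROTO_TCP and PPTP_PORT in (sport, dport):
            return "pptp-control"
        return "%s/%d" % ("tcp" if proto == IPPROTO_TCP else "udp", dport)
    if proto == IPPROTO_GRE:
        gre = parse_gre(payload)
        if gre["version"] == 1 and gre["protocol_type"] == GRE_PROTO_PPP and gre["call_id"] is not None:
            return "pptp-data call_id=%d" % gre["call_id"]
        return "gre"
    return "ip-proto-%d" % proto


def acl_permits(rules, pkt):
    """First-match permit list with an implicit deny at the end, in the spirit of an
    IOS extended ACL. A rule is {"proto": "tcp"|"udp"|"gre"} plus optional "dport"."""
    proto, payload = parse_ipv4(pkt)
    for rule in rules:
        if PROTO_NUMBERS[rule["proto"]] != proto:
            continue
        if "dport" in rule and struct.unpack("!H", payload[2:4])[0] != rule["dport"]:
            continue
        return True
    return False


# --- constructed sample packets (assumed addresses, not captured traffic) ---
def build_ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload                       # header checksum left zero; not needed here


def build_pptp_gre(call_id, ppp):
    # K and S set, version 1: flags/version, 0x880B, payload length, call ID, sequence number
    return struct.pack("!HHHHI", GRE_K | GRE_S | 1, GRE_PROTO_PPP, len(ppp), call_id, 1) + ppp


CLIENT, SERVER = "10.1.1.5", "192.0.2.10"
PPP_LCP = b"\xff\x03\xc0\x21"                  # PPP HDLC address/control + LCP protocol id
SAMPLES = {
    "control":   build_ipv4(IPPROTO_TCP, CLIENT, SERVER,
                            struct.pack("!HHIIBBHHH", 40000, PPTP_PORT, 0, 0, 5 << 4, 0x02, 8192, 0, 0)),
    "data":      build_ipv4(IPPROTO_GRE, CLIENT, SERVER, build_pptp_gre(7, PPP_LCP)),
    "udp_probe": build_ipv4(IPPROTO_UDP, CLIENT, SERVER, struct.pack("!HHHH", 40001, PPTP_PORT, 8, 0)),
    "plain_gre": build_ipv4(IPPROTO_GRE, CLIENT, SERVER, struct.pack("!HH", 0, 0x0800) + b"\x45" + bytes(19)),
}
# The two port-based lines from the post, then the same list with a GRE permit added.
PORT_ONLY_RULES = [{"proto": "tcp", "dport": PPTP_PORT}, {"proto": "udp", "dport": PPTP_PORT}]
WITH_GRE_RULES = PORT_ONLY_RULES + [{"proto": "gre"}]

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-10s %-22s port-only:%-5s with-gre:%s" % (
            name, classify(pkt), acl_permits(PORT_ONLY_RULES, pkt), acl_permits(WITH_GRE_RULES, pkt)))
```

Running the script prints one line per sample: the control packet passes both rule sets, the GRE data packet is dropped by the port-only list and passes once `permit gre` is present, and the UDP probe matches only the test entry that PPTP never uses.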
From eric_h at Earthlink.Net Fri Sep 3 10:36:51 1999
From: eric_h at Earthlink.Net (Eric Henriksen)
Date: Fri, 3 Sep 1999 10:36:51 -0400
Subject: VPN vs SSL
References: <71DE5436FE60D311B8F60050043207B50F0D95@leo.in.aventail.com>
Message-ID: <005301bef619$c3569800$02c8a8c0@redcreek.com>

Excellent points. I think that standalone VPN gateways also serve to solve these same issues by circumventing or augmenting the firewall to eliminate configuration headaches. Our industry has come a long way in understanding how to configure the VPN servers such that they complement and not complicate the firewall configs.

The biggest issue is how to ensure that the identities of the users on the other end of the secure VPN are themselves secure. RADIUS-based client-authentication mechanisms seem to be well accepted at this time, are supported by a number of VPN gateway vendors, and can provide strong authentication via tokens as well.
Eric Henriksen
RedCreek Communications

----- Original Message -----
From: Paul Lawyer
To: 'fishin'
Cc: Information
Sent: Thursday, September 02, 1999 8:43 PM
Subject: RE: VPN vs SSL

> Doug,
>
> There are several challenges you will face when connecting un-trusted or semi-trusted third parties:
>
> 1) How to eliminate the impact on your partners' desktop PCs
> 2) How to traverse the firewall at partner sites without modifying their firewall configuration or security policy
> 3) How to strongly authenticate users when they're behind another firewall
> 4) How to differentiate permissions for users based on who they are and what resources they need
> 5) How to provide them all the application functionality they need
>
> Today, the vast majority of VPN clients will make some sort of TCP stack or OS change. Your partners will be very reluctant to accept an NDIS shim or a client that replaces .DLLs. The support implications of making a proprietary client work with every conceivable network and OS permutation are enormous. You should either find a VPN/extranet client that makes no TCP stack modifications or go client-less (using just a browser).
>
> Requiring your partners to modify their firewall or security policy to do business with you is impractical from both a political and technical perspective. You need a solution that will allow applications to traverse the firewall securely, or use a standard Web proxy to exit the network.
>
> It is an obvious challenge to pass user authentication credentials through a partner's firewall to a VPN/Extranet server on your internal network. But in order to make intelligent decisions about who can access your network from a partner site, this is critical to a successful Extranet deployment. Obviously strong authentication like tokens or certificates should be a requirement.
>
> It is also essential to do user authentication in order to make critical policy and access decisions based on those users' identities. E.g. your employee who happens to be located at a partner site will have different permissions than your partner's employees. In some cases you may have both employees and non-employees accessing from the same partner network.
>
> Are your applications webified already? Will a webified version of the application provide all the functionality the users need? If so, this is the optimal deployment environment for a web-only solution. Unfortunately most of the firms we deal with are not there yet or have application requirements that will prevent a web-only panacea.
>
> I hope this is useful to you. If you are interested, we have both client-less (web only) and client/server solutions that address the issues as outlined above.
>
> Regards,
> Paul Lawyer
> Aventail Corporation
>
> Aventail Corporation, the leader in Extranet Management and Security Solutions
> http://www.aventail.com/
>
> -----Original Message-----
> From: fishin [mailto:fishin11 at yahoo.com]
> Sent: Wednesday, September 01, 1999 6:05 PM
> To: vpn at listserv.secnetgroup.com
> Subject: VPN vs SSL
>
> Hello,
>
> I work at a fortune 500 company where we receive many requests to connect our network with business partners over the Internet. We have both VPNs and SSL connections. What I'm looking for is a trade-off matrix (I'll be creating one probably) that will include when you use VPN or SSL and why. I realize that VPNs will encrypt all traffic while SSL will take care of HTTP application traffic. I also know that SSL is easier to implement because everyone has browsers today. I know that VPNs seem to have better authentication (assuming we don't use certs with SSL), but again our HTTP users want to use SSL because it's easier.
>
> I also understand that once IPSec clients are provided on each desktop (Windows 2000, for example), VPNs will probably become even easier to deploy from a client standpoint.
>
> Any comments would be greatly appreciated!
>
> Thanks, Doug
From eric_h at Earthlink.Net Fri Sep 3 10:26:29 1999
From: eric_h at Earthlink.Net (Eric Henriksen)
Date: Fri, 3 Sep 1999 10:26:29 -0400
Subject: VPN vs SSL
References: <4.1.19990902095710.046db020@10.0.0.3>
Message-ID: <001f01bef618$526a51a0$02c8a8c0@redcreek.com>

----- Original Message -----
From: lum
To: fishin
Sent: Thursday, September 02, 1999 2:15 PM
Subject: Re: VPN vs SSL

> >I work at a fortune 500 company where we receive many requests to connect our network with business partners over the Internet. We have both VPNs and SSL connections. What I'm looking for is a trade-off matrix (I'll be creating one probably) that will include when you use VPN or SSL and why. I realize that VPNs will encrypt all traffic while SSL will take care of HTTP application traffic. I also know that SSL is easier to implement because everyone has browsers today. I know that VPNs seem to have better authentication (assuming we don't use certs with SSL), but again our HTTP users want to use SSL because it's easier.
>
> There doesn't need to be a tradeoff since some VPNs, like ours, can tunnel through SSL from corporate networks. We've found that remote access from business partners is somewhat different from remote access for internal users because the administrative domain is different, the configuration is much more challenging, and the level of transparency has to be much higher.

Why would you want to tunnel VPN (IPSec?) through an SSL connection? Seems that IPSec would handle the browser traffic, but not necessarily the reverse, as lum indicates.
I'd love to see the trade-off matrix, as I believe there are real applications for thin-client, limited security when the remote clients are not under direct administrative control and web services can address the needs. However, as Stacey indicates, EDI or extranet partner links tend to be more demanding in the breadth of applications (ports and services) that are required, as well as needing stronger authentication due to the more 'direct' interconnection between the peer networks.

> >I also understand that once IPSec clients are provided on each desktop (Windows 2000, for example), VPNs will probably become even easier to deploy from a client standpoint.
>
> For remote access extranets, Windows 2000 will make it easier only if companies open up their firewalls to allow bidirectional AH, ESP, and UDP for IKE. Of course, these protocols are all stateless, which creates all sorts of interesting security scenarios.
>
> Because features in the operating system shouldn't drive security policy at the firewall, I suspect that Win2000 won't change much in the way of deployment for your scenario. Even ignoring the security issues, there are the issues involved with merging Microsoft's authentication infrastructure between corporations over a very public Internet.

Don't hold your breath for IPSec under W2000. It's not baked yet, and will likely have some issues upon general availability. However, once here (and assuming CA technology is broadly available or shared keys are sufficient), this will relieve a major burden from the VPN market, vendors and customers alike. Keeping up with MS code updates and lack of forward compatibility across their own stuff is not fun for anyone.
Firewall issues are currently being addressed through both the integration of firewall and VPN technology, as well as the continued acceptance of VPN gateways as secure devices with public and private interfaces to serve private extranet traffic in much the same way that firewalls serve public Internet traffic.

> Regards,
> Stacey Lum
> InfoExpress

From eric_h at Earthlink.Net Fri Sep 3 13:58:08 1999
From: eric_h at Earthlink.Net (Eric Henriksen)
Date: Fri, 3 Sep 1999 13:58:08 -0400
Subject: routing table on the client
References: <412567DF.002B50D1.00@beanmg01.cyberlink.eds.com>
Message-ID: <016c01bef635$e3035aa0$02c8a8c0@redcreek.com>

Looks like 204.172.252.13 is the Virtual IP address of the client. It also appears that 198.123.141.58 is being forwarded to this address, and would be routed down the tunnel.
If you do not need to secure this connection, simply take this address out of the 'protected networks' access list for the tunnel. However, given that it is not over the tunnel, it would be routed out what appears to be your public IP address of 194.7.250.58 and would be exposed to the public network, and possibly unable to reach its destination if its destination is in the secure peer network (with the 204.172.252 network).

BTW, not having the route of '0.0.0.0 mask 0.0.0.0 gateway 204.17.252.13' leaves you exposed to attack from the public network, and even worse allows the attacker to hijack the tunnel to the corporate network.

Eric

----- Original Message -----
From:
To:
Sent: Wednesday, September 01, 1999 3:53 AM
Subject: routing table on the client

> Hi all,
>
> When connecting the Nortel IPsec client to the CES over the Internet, we have noticed that the management IP address of the CES is added in the routing table of the client when the IPsec connection is established. Is there a way to get the IP address out of the routing table?
>
> Here's an example output:
>
> Active Routes:
>
> Network Address   Netmask           Gateway Address   Interface         Metric
> 0.0.0.0           0.0.0.0           194.7.250.57      194.7.250.58      1
> 127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1         1
> 194.7.187.90      255.255.255.255   194.7.250.57      194.7.250.58      1
> 194.7.250.56      255.255.255.252   194.7.250.58      194.7.250.58      1
> 194.7.250.58      255.255.255.255   127.0.0.1         127.0.0.1         1
> 194.7.250.255     255.255.255.255   194.7.250.58      194.7.250.58      1
> 198.123.141.58    255.255.255.255   204.172.252.13    204.172.252.13    1
> 204.172.252.0     255.255.255.0     204.172.252.13    204.172.252.13    1
> 204.172.252.8     255.255.255.248   204.172.252.13    204.172.252.13    1
> 204.172.252.13    255.255.255.255   127.0.0.1         127.0.0.1         1
> 224.0.0.0         224.0.0.0         194.7.250.58      194.7.250.58      1
> 255.255.255.255   255.255.255.255   194.7.250.58      194.7.250.58      1
>
> 198.123.141.58 = the management IP address.
>
> Thanks,
> Guy

From Ryan.Russell at sybase.com Fri Sep 3 18:22:01 1999
From: Ryan.Russell at sybase.com (Ryan Russell)
Date: Fri, 3 Sep 1999 15:22:01 -0700
Subject: VPN vs SSL
Message-ID: <882567E1.007AE0A0.00@gwwest.sybase.com>

>Why would you want to tunnel VPN (IPSec?) through an SSL connection? Seems that IPSec would handle the browser traffic, but not necessarily the reverse, as lum indicates. I'd love to see the trade-off matrix, as I believe there are real applications for thin client, limited security when the remote clients are not under direct administrative control, and web services can address the needs.

The VPN that InfoExpress (where Stacey works) produces is PPP over an encrypted TCP connection. This works quite differently from a lot of IPSec-type VPNs, in that it's flexible about the ports and such that it runs on. In practice, that means it's a lot more firewall friendly.
You can NAT it, or run it over arbitrary ports, or through proxies, and it's perfectly happy. Those will kill most other VPNs. This is good or bad depending on whether you're trying to enable it or stop it.

He's pointing out that it will run over SSL, too. So, if SSL (only?) is allowed in or out, and the appropriate client or gateway is installed, then the product can function. I think he's answering the problem about getting other firewall admins to open the world.

My company uses the InfoExpress product (VTP/Secure) and we like it a lot. Again, some of the "features" allow use in environments where it's possible the local security folk would prefer that it weren't. I instruct my users to get permission before using the VPN from someone else's corporate net.

Ryan

From pbryan at acrux.net Sat Sep 4 09:16:07 1999
From: pbryan at acrux.net (Pat Bryan)
Date: Sat, 4 Sep 1999 08:16:07 -0500
Subject: Sidewinder 4.01 and GRE
References: <3.0.3.32.19990903112111.009baa80@mailhost.sctc.com>
Message-ID: <001301bef6d7$a7149ca0$58cc33cf@home>

Howdy,

I am attempting to configure PPTP through my SC Sidewinder. I have allowed specific class "C" addresses designated by my ISP into the external side of the firewall. I have opened port 1723 and get the initial connection, but GRE seems unable to pass. I.e., when I do a tcpdump on the external side of the firewall, I get something like this:
#.#.#.51 > #.#.#.10 IP-PROTO-47 GRE
#.#.#.51 > #.#.#.10 IP-PROTO-47 GRE
#.#.#.51 > #.#.#.10 IP-PROTO-47 GRE
#.#.#.51 > #.#.#.10 IP-PROTO-47 GRE
#.#.#.51 > #.#.#.10 IP-PROTO-47 GRE

(51 is the dialup node, 10 is the firewall.) And then I am disconnected... Any ideas would be greatly appreciated.

Thanks,
Pat

From tbird at secnetgroup.com Sat Sep 4 13:09:42 1999
From: tbird at secnetgroup.com (Tina Bird)
Date: Sat, 4 Sep 1999 12:09:42 -0500 (CDT)
Subject: Sidewinder 4.01 and GRE
In-Reply-To: <001301bef6d7$a7149ca0$58cc33cf@home>
Message-ID:

Hi Pat --

Did you configure the Sidewinder packet filters to allow the GRE traffic? That involves a combination of COBRA work and command line editing. The specific instructions are available at http://kubarb.phsx.ukans.edu/~tbird/vpn.html (click on How-To). I actually wrote the Sidewinder PPTP doc myself, so feel free to ask if this doesn't work.

One caveat -- information from the packet filters doesn't make it into /var/log/audit.asc, so debugging can be a little awkward...

hope this helps -- Tina

On Sat, 4 Sep 1999, Pat Bryan wrote:

> Date: Sat, 4 Sep 1999 08:16:07 -0500
> From: Pat Bryan
> To: vpn at listserv.secnetgroup.com
> Subject: Sidewinder 4.01 and GRE
>
> Howdy,
>
> I am attempting to configure PPTP through my SC Sidewinder. I have allowed specific class "C" addresses designated by my ISP into the external side of the firewall.
> I have opened port 1723 and get the initial connection, but GRE seems unable to pass. I.e., when I do a tcpdump on the external side of the firewall, I get something like this:
>
> #.#.#.51 > #.#.#.10 IP-PROTO-47 GRE
> #.#.#.51 > #.#.#.10 IP-PROTO-47 GRE
> #.#.#.51 > #.#.#.10 IP-PROTO-47 GRE
> #.#.#.51 > #.#.#.10 IP-PROTO-47 GRE
> #.#.#.51 > #.#.#.10 IP-PROTO-47 GRE
>
> (51 is the dialup node, 10 is the firewall.) And then I am disconnected... Any ideas would be greatly appreciated.
>
> Thanks,
> Pat

From tweil at rpm.com Tue Sep 7 11:04:40 1999
From: tweil at rpm.com (tweil at rpm.com)
Date: Tue, 7 Sep 1999 11:04:40 -0400
Subject: VPN On Demand ??
Message-ID: <852567E5.0052FA21.00@xchange2.rpm.com>

Hello VPN-Listers -

I have a client who would like a VPN on Demand solution comparable to ISDN DDR for Frame Relay WANs. Can we get there from here with COTS products today?
We are starting out by surveying the Cisco VPN product line, but we are not limited to that option. Router-based, fail-over capability, with comparable recovery times to ISDN solutions.

Please respond to -
Tim Weil
RPM Consulting, Inc.
email: tweil at rpm.com

From rk_ at mailcity.com Mon Sep 6 22:56:33 1999
From: rk_ at mailcity.com (S Ramakrishnan)
Date: Mon, 06 Sep 1999 19:56:33 -0700
Subject: IPSec Implementation Questions
Message-ID:

Hi -

I have the following questions on implementation of IPSec:

1. IKE requires policies to be symmetric. Yet, real-life deployments require asymmetric policies. E.g., consider a Server-Client link. While the Client queries ("What is my account balance?") to the server need not be encrypted, the Server responses to these queries ("Your balance is US$ 0") should be encrypted. Why then does IKE require symmetric policies?

2. Host A (local gateway Ra) wants to tunnel to Host B (local gateway Rb). How does Ra figure out that Rb is the tunnel-endpoint for Host B?

Host A <---> Ra <==tunnel==> Rb <---> Hb

3. At the receiver, is an SPI required to be unique by itself? Or is it that alone is required to be unique (to conserve SPIs perhaps)?

4. When the IPSec kernel at the sender finds no SADB entry for a policy selector, it (the IPSec layer) triggers IKE to set up an SA for the destination. At this point, does the IPSec layer drop the incoming TCP packet and require the transport layer to resend the packet?
Or does it queue the packet? Is this left to the implementation?

Any hints, suggestions or pointers greatly appreciated! Also, if you could point me to some IPSec implementation notes that may be available online, please do let me know!

Thanks,
Rk
---
S Ramakrishnan "... from the sunny shores of California ..."
rk_ at mailcity.com, (408) 616.3100

From rafal.jacyna at aienergy.com.au Tue Sep 7 19:11:24 1999
From: rafal.jacyna at aienergy.com.au (Rafal Jacyna)
Date: Wed, 8 Sep 1999 08:41:24 +0930
Subject: Newbie
Message-ID: <811BF67DB4B1D2119F1D00A0C9D394CF03C342@mail.aienergy.com.au>

Hi,

My boss just asked me to consider using VPN on the MS platform to connect our main office with a couple of remote ones. I read a little bit about it, but would not mind getting a better all-round view of the issues involved. We currently use TCP/IP, IPX, and NetBEUI protocols.

Thanx in advance,
R
From lhebert at netesys.com Wed Sep 8 09:39:03 1999
From: lhebert at netesys.com (Laurent Hebert)
Date: Wed, 8 Sep 1999 09:39:03 -0400
Subject: Build a site to site VPN without static address?
Message-ID: <19990908133530865.AAA248@bacchus2.netesys.com@gvl-12364>

I am looking for a VPN architecture (products) that could be implemented on an ISP (cable modem) network for which IP addresses are assigned by DHCP. Most of the products I see on the market are using static IP addresses to build reliable VPNs. There are fewer products using DHCP.

So far, I have thought about the following solutions:

1- Use PPTP (or eventually L2TP) with a S/W client that could handle DHCP and update a DDNS server that could be installed with a dedicated connection to the Internet. My problem with this solution is the on-going support. I do not think that it is robust enough to address the business market. On top of that, it does not follow IPsec (unless we use IPsec within L2TP, which I believe is not mature).

2- Use a central VPN Hub concept for which all client sites would use a VPN access device that supports DHCP. These access devices would then establish a VPN session with a central VPN hub. At that VPN hub, we would be able to "interconnect" the various VPN sessions together to create a site-to-site Intranet. Different companies would then be able to share this VPN hub and we (the ISP) would be able to offer other IP services (behind the VPN Hub) using this architecture. I know that 3COM offers products that seem to do that kind of job (Tunnel Switch) but I do not know other products and I do not know what the drawbacks of that solution are.

Are there other alternatives that could be used that are robust and manageable?
Another aspect of the problem is to find a solution that supports client-to-site. On that side, most VPN clients are not well integrated with the NT or Novell Security and Authentication tools. Any recommendations?

Laurent Hebert
Consultant at Netesys

From tchase at frii.com Wed Sep 8 10:10:53 1999
From: tchase at frii.com (Tricia chase)
Date: Wed, 08 Sep 1999 08:10:53 -0600
Subject: VPN & DSL
Message-ID: <37D66E6D.26B05B4A@frii.com>

We are setting up a VPN using Novell BorderManager 3.5. Our BorderManager Servers are running NW 5.0. We are accessing the Internet via a DSL connection. We are having trouble with the BorderManagers talking through the DSL. Can anyone help me?

From evyncke at cisco.com Wed Sep 8 16:14:29 1999
From: evyncke at cisco.com (Eric Vyncke)
Date: Wed, 08 Sep 1999 22:14:29 +0200
Subject: Build a site to site VPN without static address?
In-Reply-To: <19990908133530865.AAA248@bacchus2.netesys.com@gvl-12364>
Message-ID: <4.1.19990908221059.00a2d890@brussels.cisco.com>

Laurent,

More and more products are on the market that support fairly dynamic IPSec VPNs:
- that use strong authentication based on X.509 certificates for IKE
- or that use weaker authentication based on pre-shared keys for IKE
- or that use weaker and unknown authentication for IKE
- that rely on an IETF draft called 'mode config' to allocate dynamic parameters to the remote party (very similar to IPCP for PPP connections), hence no more need for an L2TP and IPSec combination for dynamic config of the client

It's getting late here, so I'm perhaps too succinct and unclear. Feel free to ask for further info.

Just my biased 0.01 EUR ;-)

-eric

At 09:39 08/09/1999 -0400, Laurent Hebert wrote:
>I am looking for a VPN architecture (products) that could be implemented on an ISP (cable modem) network for which IP addresses are assigned by DHCP. Most of the products I see on the market are using static IP addresses to build reliable VPNs. There are fewer products using DHCP.
>
>So far, I have thought about the following solutions:
>
>1- Use PPTP (or eventually L2TP) with a S/W client that could handle DHCP and update a DDNS server that could be installed with a dedicated connection to the Internet. My problem with this solution is the on-going support. I do not think that it is robust enough to address the business market. On top of that, it does not follow IPsec (unless we use IPsec within L2TP, which I believe is not mature).
>
>2- Use a central VPN Hub concept for which all client sites would use a VPN access device that supports DHCP. These access devices would then establish a VPN session with a central VPN hub. At that VPN hub, we would be able to "interconnect" the various VPN sessions together to create a site-to-site Intranet.
Different companies would then be able to share this VPN hub and >we (the ISP) would be able to offer other IP services (behind the VPN Hub) >using this architecture. I know that 3COM offer products that seems to do >that kind of job (Tunel Switch) but I do not know other products and I do >not know what are the draw backs of that solution. > >Is there other alternatives that could be used that are robust and >manageable? > >Another aspect of the problem is to find a solution that support the client >to site. On that side, most of the VPN client are not well integrated with >the NT or Novell Security and Authentification tools. Any recommendations? > >Laurent Hebert >Consultant at Netesys > > > > > >**************************************************************** >TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com > >The VPN FAQ (under construction) is available at >http://kubarb.phsx.ukans.edu/~tbird/FAQ.html > >We are currently experiencing "unsubscribe" difficulties. If you >wish to unsubscribe, please send a message containing the single line >"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com > >**************************************************************** Eric Vyncke Consulting Engineer Cisco Systems EMEA Phone: +32-2-778.4677 Fax: +32-2-778.4300 E-mail: evyncke at cisco.com Mobile: +32-75-312.458 **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/FAQ.html We are currently experiencing "unsubscribe" difficulties. 
From tbird at secnetgroup.com Thu Sep 9 00:41:52 1999
From: tbird at secnetgroup.com (Tina Bird)
Date: Wed, 8 Sep 1999 23:41:52 -0500 (CDT)
Subject: VPN Performance Study
Message-ID:

HI all --

Having found myself with a rare bit of time to browse the Web, I've just discovered a wonderful piece of non-commercial VPN performance testing. I'm adding a link to this on the Web page, of course, but just in case you don't check that out on a daily basis:

http://www.epm.ornl.gov/~dunigan/vpnperf.html

Tom Dunigan et al. compare a variety of hardware and software based solutions, and vary things including encryption algorithm, traffic types and sizes of packets. Wow.

cheers -- tbird

From wjiang at fore.com Thu Sep 9 05:01:48 1999
From: wjiang at fore.com (Wilson Jiang)
Date: Thu, 9 Sep 1999 17:01:48 +0800
Subject: ATM VPN and CUG
References: <37D66E6D.26B05B4A@frii.com>
Message-ID: <000b01befaa1$f6bcce80$52a990a9@fore.com>

Hi everyone,

Does anyone know CUG (closed user group) for ATM VPN? Could anyone provide some brief materials for my understanding? I need to understand it before I present to my customer.

Thanks in advance!

From dnewman at cmp.com Thu Sep 9 10:30:33 1999
From: dnewman at cmp.com (dnewman at cmp.com)
Date: Thu, 9 Sep 1999 10:30:33 -0400
Subject: VPN Performance Study
Message-ID: <852567E7.004FBA36.00@NotesSMTP-01.cmp.com>

Thanks very much for this pointer. Good stuff indeed--I'd yet to see any latency numbers, and the comparisons of various algorithms are fascinating.

A couple of follow-up questions for Tom:

1. Have you performed any tests with newer Linux kernels? The IP stack in the 1.X.X kernels was significantly slower than the 2.X.X stuff (or than most versions of *BSD, for that matter), and that may be a factor when using a tool like TTCP.

2. Have you tried a UDP-based traffic generator and very short packets, or some mix of long and short packets? TCP and relatively long packets alone give the devices a fair amount of breathing room.

Again, thanks for this excellent resource.

Regards,
David Newman
Data Communications magazine

Tina Bird on 09/09/99 12:41:52 AM

From ecyr at tns-inc.com Thu Sep 9 09:47:40 1999
From: ecyr at tns-inc.com (Ed Cyr)
Date: Thu, 9 Sep 1999 09:47:40 -0400
Subject: Build a site to site VPN without static address?
In-Reply-To: <19990908133530865.AAA248@bacchus2.netesys.com@gvl-12364>
Message-ID: <000301befac9$e29a3500$0501a8c0@ecyr>

Laurent:

I have implemented both the Nortel Contivity Extranet Access Switch and the Altiga VPN Concentrators.
After evaluating products from Checkpoint, Cisco and others, Nortel and Altiga clearly have the best technology. Both products are IPSec compliant and support DHCP and NT authentication. Altiga supports NT authentication to your domain directly from the concentrator or via pass-thru RADIUS; Nortel supports NT authentication via pass-thru RADIUS only.

If you are looking at clients accessing the VPN via 56K dial access only, the Nortel solution performs better because of their compression feature. Nortel compresses the data before it is encrypted and provides 50-100% performance over the Altiga solution at speeds 56K or below.

If you require site-to-site or high speed access such as DSL or Cable Modem, the Altiga box would be the right choice. It is much more scalable and offers better overall throughput.

Each solution is extremely easy to set up and configure, both the VPN box and client software.

Hope this helps...

Regards,
Ed Cyr
Internetwork Solutions Engineer
Total Network Solutions, Inc.

> -----Original Message-----
> From: owner-vpn at listserv.secnetgroup.com [mailto:owner-vpn at listserv.secnetgroup.com]On Behalf Of Laurent Hebert
> Sent: Wednesday, September 08, 1999 9:39 AM
> To: vpn at listserv.secnetgroup.com
> Subject: Build a site to site VPN without static address?
>
> I am looking for VPN architecture (products) that could be implemented on an ISP (cable modem) network for which IP addresses are assigned by DHCP. Most of the products I see on the market are using static IP addresses to build reliable VPN. There are fewer products using DHCP.
>
> So far, I have thought about the following solutions:
>
> 1- Use PPTP (or eventually L2TP) with a S/W client that could handle DHCP and update a DDNS server that could be installed with a dedicated connection to the Internet. My problem with this solution is the on-going support. I do not think that it is robust enough to address the Business market. On top of that, it does not follow the IPsec (unless we use IPsec within L2TP for which I believe it is not mature).
>
> 2- Use a central VPN Hub concept for which all client sites would use a VPN access device that supports DHCP. These access devices would then establish a VPN session with a central VPN hub. At that VPN hub, we would be able to "interconnect" the various VPN sessions together to create a site to site Intranet. Different companies would then be able to share this VPN hub and we (the ISP) would be able to offer other IP services (behind the VPN Hub) using this architecture. I know that 3COM offers products that seem to do that kind of job (Tunnel Switch) but I do not know other products and I do not know what the drawbacks of that solution are.
>
> Are there other alternatives that could be used that are robust and manageable?
>
> Another aspect of the problem is to find a solution that supports the client to site. On that side, most of the VPN clients are not well integrated with the NT or Novell Security and Authentication tools. Any recommendations?
>
> Laurent Hebert
> Consultant at Netesys

From pbryan at acrux.net Thu Sep 9 16:03:57 1999
From: pbryan at acrux.net (Pat Bryan)
Date: Thu, 9 Sep 1999 15:03:57 -0500
Subject: Sidewinder 4.01 and GRE
In-Reply-To:
Message-ID:

Hi,

Just a couple of thoughts.. The Sidewinder is capable of proxying UDP traffic, it is also possible to allow UDP traffic through the Sidewinder via an IP filter, and Tina thanks, your documentation paid off, I am now able to pass GRE through my firewall.

Now, what do you know about performance problems with PPTP? (I.E. simple telnet traffic is sporadic(?) at best..) :-)

Pat

-----Original Message-----
From: Muniz, Jose [mailto:Jose.Muniz at US.DataFellows.COM]
Sent: Wednesday, September 08, 1999 11:13 PM
To: Tina Bird; Pat Bryan
Cc: vpn at listserv.secnetgroup.com
Subject: RE: Sidewinder 4.01 and GRE

Hello Tina:

I am having kind of the same problem with a VPN IPsec connection that is trying to go through the firewall, using Port 50 UDP for the ESP traffic and Port 500 UDP for IKE, apparently the datagrams are not flowing through, and I do not know why, you see this is not my firewall and the firewall people claim for it to be open. Is it that the sidewinder is a proxy firewall and it is not capable of proxying the UDP datagrams???
I do not think so, however your thoughts will be greatly appreciated.

Yours,
Jose.

> -----Original Message-----
> From: Tina Bird [mailto:tbird at secnetgroup.com]
> Sent: Saturday, September 04, 1999 10:10 AM
> To: Pat Bryan
> Cc: vpn at listserv.secnetgroup.com
> Subject: Re: Sidewinder 4.01 and GRE
>
> Hi Pat --
>
> Did you configure the Sidewinder packet filters to allow the GRE traffic? That involves a combination of COBRA work and command line editing. The specific instructions are available at
>
> http://kubarb.phsx.ukans.edu/~tbird/vpn.html
> (click on How-To). I actually wrote the Sidewinder PPTP doc myself, so feel free to ask if this doesn't work.
>
> One caveat -- information from the packet filters doesn't make it into /var/log/audit.asc, so debugging can be a little awkward...
>
> hope this helps -- Tina
>
> On Sat, 4 Sep 1999, Pat Bryan wrote:
>
> > Date: Sat, 4 Sep 1999 08:16:07 -0500
> > From: Pat Bryan
> > To: vpn at listserv.secnetgroup.com
> > Subject: Sidewinder 4.01 and GRE
> >
> > Howdy,
> >
> > I am attempting to configure PPTP through my SC Sidewinder. I have allowed specific class "C" addresses designated by my ISP, into the external side of the firewall. I have opened port 1723 and get the initial connection, but GRE seems unable to pass.. I.E., when I do a tcpdump on the external side of the firewall.. I get something like this..
> >
> > #.#.#.51 > #.#.#.10 IP-PROTO-47 GRE
> > #.#.#.51 > #.#.#.10 IP-PROTO-47 GRE
> > #.#.#.51 > #.#.#.10 IP-PROTO-47 GRE
> > #.#.#.51 > #.#.#.10 IP-PROTO-47 GRE
> > #.#.#.51 > #.#.#.10 IP-PROTO-47 GRE
> >
> > (51 is the dialup node, 10 is the firewall).. And then I am disconnected... Any ideas would be greatly appreciated..
> >
> > Thanks,
> > Pat

From clung at hotmail.com Thu Sep 9 19:45:07 1999
From: clung at hotmail.com (C. K. Lung)
Date: Thu, 9 Sep 1999 19:45:07 -0400
Subject: Functions of VPN?
Message-ID: <19990909234515.63439.qmail@hotmail.com>

Am I correct to say:

VPN is used to authenticate users, encrypt and authenticate data travelling through Internet using IPSec. Once a user is allowed into a protected network by VPN, his/her access is controlled by, in NT's terms, user rights, file/directory level access permission, as well as application's access control.

Any comments and info are greatly appreciated.

Thanks,

C.K.
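An added example (not code from any message in this archive) illustrating the Sidewinder PPTP thread above: a minimal stateless packet-filter model showing why opening TCP port 1723 alone lets the PPTP control handshake through while every GRE packet (IP protocol 47, which has no ports) is dropped, and why a second rule for the GRE protocol itself is needed. The trace lines are constructed to resemble Pat's tcpdump output, and the 192.0.2.x addresses are placeholders.

```python
"""Added example: a stateless packet-filter model for the PPTP/GRE case.
Trace lines are constructed; 192.0.2.x addresses are placeholders."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

TCP = 6
GRE = 47


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int]  # None for protocols that carry no port (GRE)


@dataclass(frozen=True)
class Rule:
    proto: int
    dport: Optional[int]  # None matches any port, or a port-less protocol


# tcpdump prints port-less protocols as "a > b IP-PROTO-<n>" and TCP as "a.port > b.port: flags"
_PORTLESS_RE = re.compile(r"^(\S+) > (\S+) IP-PROTO-(\d+)")
_TCP_RE = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+):")


def parse_line(line: str) -> Packet:
    """Turn one tcpdump-style line into a Packet; raise on anything unrecognised."""
    m = _PORTLESS_RE.match(line)
    if m:
        return Packet(m.group(1), m.group(2), int(m.group(3)), None)
    m = _TCP_RE.match(line)
    if m:
        return Packet(m.group(1), m.group(3), TCP, int(m.group(4)))
    raise ValueError(f"unrecognised trace line: {line!r}")


def allowed(pkt: Packet, rules: List[Rule]) -> bool:
    """A packet passes if some rule matches its IP protocol and, when the rule names a port, its destination port."""
    return any(r.proto == pkt.proto and (r.dport is None or r.dport == pkt.dport) for r in rules)


def evaluate(lines: List[str], rules: List[Rule]) -> Dict[str, Dict[str, int]]:
    """Count passed/dropped packets per protocol so the effect of a rule set is visible at a glance."""
    summary: Dict[str, Dict[str, int]] = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt.proto == GRE:
            key = "GRE"
        elif pkt.proto == TCP:
            key = f"TCP/{pkt.dport}"
        else:
            key = f"proto{pkt.proto}"
        bucket = summary.setdefault(key, {"passed": 0, "dropped": 0})
        bucket["passed" if allowed(pkt, rules) else "dropped"] += 1
    return summary


# Constructed trace: the dial-up node (.51) completes the PPTP control handshake,
# then its GRE tunnel packets arrive at the firewall (.10).
SAMPLE_TRACE = [
    "192.0.2.51.1042 > 192.0.2.10.1723: S 1:1(0) win 8192",
    "192.0.2.51 > 192.0.2.10 IP-PROTO-47 GRE",
    "192.0.2.51 > 192.0.2.10 IP-PROTO-47 GRE",
    "192.0.2.51 > 192.0.2.10 IP-PROTO-47 GRE",
    "192.0.2.51 > 192.0.2.10 IP-PROTO-47 GRE",
    "192.0.2.51 > 192.0.2.10 IP-PROTO-47 GRE",
]

# Only the control port opened: the handshake works, every GRE packet is dropped,
# and the client is disconnected, which is the symptom described in the thread.
RULES_PORT_ONLY = [Rule(TCP, 1723)]
# Control port plus the GRE protocol itself: the complete PPTP rule set.
RULES_PPTP = [Rule(TCP, 1723), Rule(GRE, None)]

if __name__ == "__main__":
    for name, rules in (("1723 only", RULES_PORT_ONLY), ("1723 + GRE", RULES_PPTP)):
        print(name, evaluate(SAMPLE_TRACE, rules))
```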
From edi.cortesi at cablecom.ch Fri Sep 10 02:09:19 1999
From: edi.cortesi at cablecom.ch (Edi Cortesi)
Date: Fri, 10 Sep 1999 08:09:19 +0200
Subject: VPN and cable modems
Message-ID: <37D8A08F.91F7689B@cablecom.ch>

I'm looking for a test procedure to test VPN using cable modems and cisco equipment. Does anyone have any ideas for a test procedure (more than just ping, telnet) or more information?

thanks
Ed

From pete at ether.net Thu Sep 9 23:38:08 1999
From: pete at ether.net (Pete Davis)
Date: Thu, 9 Sep 1999 23:38:08 -0400
Subject: VPN & DSL
In-Reply-To: <37D66E6D.26B05B4A@frii.com>; from Tricia chase on Wed, Sep 08, 1999 at 08:10:53AM -0600
References: <37D66E6D.26B05B4A@frii.com>
Message-ID: <19990909233808.A4035@ether.net>

Tricia,

Have you confirmed that your DSL provider does not have a firewall applied to your DSL router? In most cases, a default firewall filter on a DSL router will prevent IPSec from functioning through it.

There also appear to be cases where DSL providers are performing NAT (Network Address Translation) either on the DSL router itself or on their whole network (for outgoing traffic). In the case that you are receiving an "internal" IP address (ie. Network 10.x) and this translation is being done on your DSL router, confirm with your provider that the implementation of NAT on your DSL router supports Pass-Through for IPSec. If they are performing NAT on their whole network, it is a whole different story.

Regards,
-pete

On Wed, Sep 08, 1999 at 08:10:53AM -0600, Tricia chase wrote:
> We are setting up a VPN using Novell BorderManager 3.5. Our BorderManager Servers are running NW 5.0. We are accessing the Internet via DSL connection. We are having trouble with the BorderManagers talking thru the DSL. Can anyone help me?

---
Pete Davis - Product Manager (508) 541-7300 x154
Altiga Networks - 124 Grove Street Suite 309 Franklin, MA 02038

From clung at hotmail.com Sat Sep 11 21:08:54 1999
From: clung at hotmail.com (C. K. Lung)
Date: Sat, 11 Sep 1999 21:08:54 -0400
Subject: Functions of VPN?
References: <97FD7417E8C9D111AB4100805FADB6A20388DB4B@pariah.cncx.com>
Message-ID: <19990912010809.50645.qmail@hotmail.com>

Andrew;

Thank you for taking time to respond to my post. What I really look for is if I can deploy VPN for an extranet. Here is the scenario:

A company wants to set up an e-something for its 10,000 suppliers. When the company needs something, it will broadcast a "request for quotations" to all qualified suppliers through e-mail. Interested parties then access the company's web site, in a DMZ, and complete a form(s) on an oracle server, which is behind a firewall, on-line.
The security officer wants only qualified suppliers to access the web site, only they can log onto the web site in the DMZ, and complete the form on the oracle server behind the firewall. No one else can use any one of the services as a spring board to any other servers behind the firewall. In short, their access is extremely limited.

An option is to deploy digital certificates, say VeriSign On-site. The company also wants to explore VPN solution. I have just attended a 2-day VPN conference. I got an impression that VPN is effective for mobile employees (users) and branch offices. One of the speakers felt that VPN is not ready for Extranet yet.

In fact, we have briefly looked at Aventail's Extranet Centre. It seems that it would provide the application level authentication we want.

Any comments/suggestions are greatly appreciated.

Thanks,

C.K.

----- Original Message -----
From: Andrew Paul
To: C. K. Lung
Sent: Thursday, September 09, 1999 9:51 PM
Subject: RE: Functions of VPN?

> C.K.
>
> Your explanation would be one view of what a VPN is. To an extent it depends on a person's techno religious biases. Some people say a VPN must include encryption to be a VPN. The simplest explanation is that a VPN is the creation of a "private" network over a shared network. Shared doesn't have to mean the public Internet but most people think of it in terms of the public internet. It can involve technologies such as IPSec, L2TP, L2F, PPTP and some could even make a case for Frame Relay.
>
> In general though a VPN is over the public internet, uses some form of tunneling, includes some form of encryption of the data (most commonly DES or triple DES), can include dedicated sites and/or mobile users, provides user authentication which can be as simple as user-id/password up to challenge response token cards, digital certificates and smart cards.
>
> Most VPNs don't go down to the level of application authentication. Most provide secure communications between IP addresses but there are systems such as Aventail's www.aventail.com that can create VPNs which can control this type of access.
>
> There are many companies that provide VPN hardware and software and more seem to pop up every day.
>
> BTW - Here is a glossary definition from the CNET web site: A Virtual Private Network, or VPN, is a private network of computers that's at least partially connected by public phone lines. A good example would be a private office LAN that allows users to log in remotely over the Internet (an open, public system). VPNs use encryption and secure protocols like PPTP to ensure that data transmissions are not intercepted by unauthorized parties.
>
> I hope that helps
>
> Andy
>
> -----Original Message-----
> From: C. K. Lung [mailto:clung at hotmail.com]
> Sent: Thursday, September 09, 1999 4:45 PM
> To: vpn at listserv.secnetgroup.com
> Subject: Functions of VPN?
>
> Am I correct to say:
>
> VPN is used to authenticate users, encrypt and authenticate data travelling through Internet using IPSec. Once a user is allowed into a protected network by VPN, his/her access is controlled by, in NT's terms, user rights, file/directory level access permission, as well as application's access control.
>
> Any comments and info are greatly appreciated.
>
> Thanks,
>
> C.K.

From pbryan at acrux.net Wed Sep 8 18:03:27 1999
From: pbryan at acrux.net (Pat Bryan)
Date: Wed, 8 Sep 1999 17:03:27 -0500
Subject: PPTP Very Slow
Message-ID:

Hi,

I recently configured PPTP to pass through our Sidewinder firewall.. everything is well, except it is VERY slow.. I was wondering if there were any tweaks that needed to be done to the PPTP machine...? (The PPTP server is NT4SP5-128ENC)

Thanks,
Pat Bryan

From Ryan.Russell at sybase.com Sun Sep 12 04:11:57 1999
From: Ryan.Russell at sybase.com (Ryan Russell)
Date: Sun, 12 Sep 1999 01:11:57 -0700
Subject: Functions of VPN?
Message-ID: <882567EA.002D0C14.00@gwwest.sybase.com>

>A company wants to set up an e-something for its 10,000 suppliers. When the company needs something, it will broadcast a "request for quotations" to all qualified suppliers through e-mail. Interested parties then access the company's web site, in a DMZ, and complete a form(s) on an oracle server, which is behind a firewall, on-line.
>The security officer wants only qualified suppliers to access the web site, only they can log onto the web site in the DMZ, and complete the form on the oracle server behind the firewall. No one else can use any one of the services as a spring board to any other servers behind the firewall. In short, their access is extremely limited.
>
>An option is to deploy digital certificates, say VeriSign On-site. The company also wants to explore VPN solution. I have just attended a 2-day VPN conference. I got an impression that VPN is effective for mobile employees (users) and branch offices. One of the speakers felt that VPN is not ready for Extranet yet.

If you think that you're going to be able to specify that 10,000 people who don't work for you have to install a piece of software as intrusive as a VPN client, then clearly you're insane. :)

Your requirements scream 128-bit SSL. Buy international people Fortify if you have to. If you're worried about strong authentication, then look at managing client certificates for them, or better yet, distribute OTP hardware. That will be the easiest by far.

Of course, your life will still suck, I'm just trying to make it suck as little as possible.

Ryan

From APaul at cncx.com Sun Sep 12 16:07:13 1999
From: APaul at cncx.com (Andrew Paul)
Date: Sun, 12 Sep 1999 13:07:13 -0700
Subject: Functions of VPN?
Message-ID: <97FD7417E8C9D111AB4100805FADB6A20388DDDE@pariah.cncx.com>

Hi C.K.

I liked Mr. Russell's reply, it was a bit tongue in cheek, but there was a lot of truth in his statement. The issues will be scalability, support and procedures. Why don't you use SSL and browsers? There is no special software to distribute. There is a little more limited security outside of the US but you'd run into that problem if you used a specific VPN client technology. Besides, the real issue has to do with knowing if the real supplier submitted the order, not whether a 19 year old bored college student could read the packets as they go over the internet, which btw isn't too likely even if the data was in the clear.

VPNs work a lot better when you have control over all the remote systems. In a heterogeneous system environment of thousands of suppliers I would tend to stick to providing access through browsers. If you make it difficult for the suppliers to gain access to the application then you will have defeated the purpose of the system you will be installing. Also, if you make a system that is difficult to maintain then that defeats the business problem you are trying to solve.

You could look at token cards, such as secur-id, for strong user authentication but better bring a lot of money. Besides, people generally are not thrilled to use token cards.

K.I.S.S., scalability and ongoing support are things I would be concerned about.

Good luck with the project.

Andy

-----Original Message-----
From: Ryan Russell [mailto:Ryan.Russell at sybase.com]
Sent: Sunday, September 12, 1999 1:12 AM
To: C. K. Lung
Cc: Andrew Paul; vpn at listserv.secnetgroup.com
Subject: Re: Functions of VPN?

>A company wants to set up an e-something for its 10,000 suppliers. When the company needs something, it will broadcast a "request for quotations" to all qualified suppliers through e-mail. Interested parties then access the company's web site, in a DMZ, and complete a form(s) on an oracle server, which is behind a firewall, on-line. The security officer wants only qualified suppliers to access the web site, only they can log onto the web site in the DMZ, and complete the form on the oracle server behind the firewall. No one else can use any one of the services as a spring board to any other servers behind the firewall. In short, their access is extremely limited.
>
>An option is to deploy digital certificates, say VeriSign On-site. The company also wants to explore VPN solution. I have just attended a 2-day VPN conference. I got an impression that VPN is effective for mobile employees (users) and branch offices. One of the speakers felt that VPN is not ready for Extranet yet.

If you think that you're going to be able to specify that 10,000 people who don't work for you have to install a piece of software as intrusive as a VPN client, then clearly you're insane. :)

Your requirements scream 128-bit SSL. Buy international people Fortify if you have to. If you're worried about strong authentication, then look at managing client certificates for them, or better yet, distribute OTP hardware. That will be the easiest by far.

Of course, your life will still suck, I'm just trying to make it suck as little as possible.

Ryan

From SHOPE at datarange.co.uk Tue Sep 14 10:50:21 1999
From: SHOPE at datarange.co.uk (Stephen Hope)
Date: Tue, 14 Sep 1999 15:50:21 +0100
Subject: Functions of VPN?
Message-ID: <01903665B361D211BF6700805FAD5D9325B6BC@mail.datarange.co.uk> There is one assumption that needs to be pointed out - browsers work well if there is an end user who will drive the remote end manually for you. You can probably fix this for a simple browser interface, but Token cards and some other types of security need a user to drive them. If the 10k clients want to integrate their end as well, then they will want to use something that can be automated or integrated into their existing processing schemes. Otherwise, your customer gets a better system, at the expense of the other companies in the supply chain. Stephen Hope C. Eng, Network Consultant shope at datarange.co.uk, or shope at bcs.org.uk Datarange Communications PLC, Carrington Business Park, Carrington, Manchester , UK. M31 4ZU Tel: +44 (0)161 776 4190 Mob: +44 (0)467 256 180 Fax: +44 (0)161 776 4189 -----Original Message----- From: Andrew Paul [mailto:APaul at cncx.com] Sent: Sunday, September 12, 1999 9:07 PM To: C. K. Lung Cc: vpn at listserv.secnetgroup.com Subject: RE: Functions of VPN? Hi C.K. I liked Mr. Russell's reply, it was a bit tongue in cheek, but there was a lot of truth in his statement. The issues will be scalability, support and procedures. Why don't you use SSL and browsers? There is no special software to distribute. There is a little more limited security outside of the US but you'd run into that problem if you used a specific VPN client technology. Besides the real issue has to do with knowing if the real supplier submitted the order, not whether a 19 year old bored college student could read the packets as they go over the internet, which btw isn't too likely even if the data was in the clear. VPNs work a lot better when you have control over all the remote systems. In a heterogeneous system environment of thousands of suppliers I would tend to stick to providing access through browsers. 
If you make it difficult for the suppliers to gain access to the application then you will have defeated the purpose of the system you will be installing. Also, if you make a system that is difficult to maintain then that defeats the business problem you are trying to solve. You could look at token cards, such as secur-id for strong user authentication but better bring a lot of money. Besides people generally are not thrilled to use token cards. K.I.S.S., scalability and ongoing support are things I would be concerned about. Good luck with the project. Andy -----Original Message----- From: Ryan Russell [mailto:Ryan.Russell at sybase.com] Sent: Sunday, September 12, 1999 1:12 AM To: C. K. Lung Cc: Andrew Paul; vpn at listserv.secnetgroup.com Subject: Re: Functions of VPN? >A company wants to setup an e-somthing for its 10,000 suppliers. When the >company needs something, it will broadcast a "request for quotations" to all >qualified suppliers through e-mail. Interested parties then access the >company's web site, in a DMZ, and complete a form(s) on an oracle server, >which is behind a firewall, on-line. The security officer wants only >qualified suppliers can access the web site, only they can log onto the web >site in the DMZ, and complete the form on the oracle server behind the >firewall. Noone else can use any one of the services as a spring board to >any other servers behind the firewall. In short, their access is extremely >limited. > >An option is to deploy digital certificates, say VeriSign On-site. The >company also wants to explore VPN solution. I have just attended a 2-day >VPN conference. I got an impression that VPN is effective for mobile >employees (users) and branch offices. One of the speakers felt that VPN is >not ready for Extranet yet. If you think that you're going to be able to specify that 10,000 people who don't work for you have to install a piece of software as intrusive as a VPN client, then clearly you're insane. 
:)

Your requirements scream 128-bit SSL. Buy international people Fortify if you have to. If you're worried about strong authentication, then look at managing client certificates for them, or better yet, distribute OTP hardware. That will be the easiest by far. Of course, your life will still suck, I'm just trying to make it suck as little as possible.

Ryan

****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/FAQ.html

We are currently experiencing "unsubscribe" difficulties. If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com
****************************************************************

From harry at sanwafp.com Tue Sep 14 16:09:26 1999
From: harry at sanwafp.com (Harry Kaplan)
Date: Tue, 14 Sep 1999 16:09:26 -0400
Subject: ISAKMP negotiation error Checkpoint <-> Free S/WAN
Message-ID: <199909142009.QAA00767@curiosity.sanwafp.com>

Hi. I am configuring a VPN between Checkpoint VPN-1 on Solaris and a Linux Free S/WAN installation using ISAKMP with a pre-shared secret. Unfortunately, the Checkpoint seems to provide very little in the way of debugging messages.
The error we are getting is:

    ISAKMP Log: Sent Notification: no proposal chosen
    Negotiation ID: blah blah blah

I have a case open with Checkpoint but the most so far they have indicated is that I may have too many options checked for ISAKMP. I have tried every combination of reducing/adding them all but to no avail. What is not clear to me is whether this message indicates there are not enough parameters in common or too few, or if it is ambiguous in this regard.

I have tried the config indicated in the very useful site http://www.opus1.com/vpn/index.html but still don't get any further than this message.

Any pointers would be greatly appreciated, I am completely new to this. Thanks.

-- Harry
--------------------------------
Harry A. Kaplan, Ph.D., Vice President
Sanwa Financial Products Co., LLC
1185 Avenue of the Americas, 19th Floor
New York City, New York 10036
voice (212) 407-3559   fax (212) 997-3650
e-mail harry at sanwafp.com

From kgsatam at sa.fedex.com Tue Sep 14 22:11:09 1999
From: kgsatam at sa.fedex.com (Kirtikumar Satam)
Date: Tue, 14 Sep 1999 21:11:09 -0500
Subject: Functions of VPN?
References: <97FD7417E8C9D111AB4100805FADB6A20388DDDE@pariah.cncx.com>
Message-ID: <007901beff1f$a8b42580$da475c18@midsouth.rr.com>

Have a look at the SUN/Netscape Alliance's new product called I-Planet webtop. It allows arbitrary protocols to tunnel via SSL, and has no footprint on the client.
It is software that they got when they acquired a company called Remote Passage.

Kirtikumar Satam
Technical Advisor
Data Protection

----- Original Message -----
From: Andrew Paul
To: C. K. Lung
Cc:
Sent: Sunday, September 12, 1999 3:07 PM
Subject: RE: Functions of VPN?
From Azim.Ferchichi at swisscom.com Wed Sep 15 04:28:51 1999
From: Azim.Ferchichi at swisscom.com (Azim.Ferchichi at swisscom.com)
Date: Wed, 15 Sep 1999 10:28:51 +0200
Subject: IPSEC & smartcard
Message-ID: <7E46AF731AD5D111BF4F0000F830C63D03A10744@gd3i5w.swissptt.ch>

Hi all,

For one of my projects, I need to build up a VPN. I'm wondering if there are products on the market that fit the following requirements:

- mobile users with non-fixed IP address.
- IPSEC compliant/compatible system
- No export restrictions for strong cryptography (I'm located in Switzerland)
- Use of smartcard for the authentication (certificate in the smartcard) and maybe session key generation (of course the encryption has to be done on the computer itself by the software client)
- Tunneling mode
- Possibility to have only authentication (option switch)
- In phase 1 (negotiation of IKE SA), authentication using PKI (no pre-shared secret)
- Software client for Win95/98/NT

If you know of a few products that fit these requirements, it would be helpful for me...
Thanks
Azim

_____________________________
Azim Ferchichi
Swisscom AG
CIT-CT-TPM Smart-Cards & IT Security
Ostermundigenstrasse 99
CH-3050 Bern
Phone: +41 31 342 09 22
Mobile: +41 79 301 55 56
Fax: +41 31 342 00 08
E-mail: azim.ferchichi at swisscom.com
______________________________

From tweil at rpm.com Wed Sep 15 08:29:59 1999
From: tweil at rpm.com (tweil at rpm.com)
Date: Wed, 15 Sep 1999 08:29:59 -0400
Subject: VPN/NAT Topology
Message-ID: <852567ED.0044D046.00@xchange2.rpm.com>

Steve -

Chapter 5 of your VPN book has a section called VPN/NAT Topology. This is a specific design area I am investigating for a client. The desired scenario is this:

    Internet -- Gateway Router --- VPN Peer Router on Untrusted DMZ --- NAT Firewall

I have been 'strongly advised' by a well-known (big 'C') network company to establish direct routes between the NAT Firewall Device (Gauntlet 4.2) and VPN Peer Router so that every inbound/outbound packet is inspected by the VPN device. The justification (I'm told) is that FW forwarding of outbound traffic might select the Gateway Router as the preferred route (thus ignoring IPSEC encryption on the VPN router).

If this scenario makes any sense, I'm looking for some '2nd opinions'. Specifically, some firewall logic that would forward outbound IPSec-targeted packets to the VPN device and establish 'pass-thru' routes for general web surfing traffic. In my mind routing all IP traffic through a VPN device is bad design.
We should be able to DIFFERENTIATE between normal web surfing and encrypted IPSec packets on the same network.

Tim Weil - CCNA/CCDA
InterNetwork Consultant
RPM Consulting, Inc.
email: tweil at rpm.com

From sdurette at TimeStep.com Wed Sep 15 09:00:05 1999
From: sdurette at TimeStep.com (Stephane Durette)
Date: Wed, 15 Sep 1999 09:00:05 -0400
Subject: ISAKMP negotiation error Checkpoint <-> Free S/WAN
Message-ID: <319A1C5F94C8D11192DE00805FBBADDFDB6441@exchange>

Harry,

Take a look at the security descriptors. For example, for CP FW1 to interoperate with the TimeStep products, CP must initiate communication and the descriptor "IDENTITY" cannot be included in the descriptor file. I've received the same error message when trying to initiate communications with CP FW1 products, and by removing this descriptor, have managed to set up the ISAKMP.

Cheers
Steph

---------------------------------------------------------------------
Stephane Y Durette - Applications Engineer, TimeStep Corp.
(613) 599-3610 x:4682 Voice    (613) 599-9560 - FAX
mailto:sdurette at timestep.com    http://www.timestep.com
---------------------------------------------------------------------
"Two possibilities exist: either we are alone in the universe or we are not. Both are equally terrifying."
Arthur C. Clarke
---------------------------------------------------------------------

-----Original Message-----
From: harry at sanwafp.com [mailto:harry at sanwafp.com]
Sent: September 14, 1999 4:09 PM
To: vpn at listserv.secnetgroup.com
Subject: ISAKMP negotiation error Checkpoint <-> Free S/WAN
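On Harry's "no proposal chosen" question and Stephane's reply: in IKEv1 the initiator's SA payload lists every transform it is willing to use, and the responder walks that list and picks the first one its own policy also accepts; the NO-PROPOSAL-CHOSEN notification is sent when none of them is acceptable. So, in protocol terms, the message means too little in common, not too much; ticking more boxes on the initiator only makes its list longer. The Python below is an added example, not code from the thread, Check Point or FreeS/WAN; the algorithm names, the peer policies and the "strict responder" (a peer that offers more than it accepts when responding, which is the kind of asymmetry that makes "who initiates" matter) are all constructed for illustration and do not model any vendor-specific limit on proposal size.

```python
"""IKEv1 / ISAKMP phase-1 proposal selection, modelled in plain Python.

Added example; this is not code from the thread, Check Point or FreeS/WAN.
The initiator's SA payload carries every transform it is willing to use.
The responder walks that list in order and picks the first transform its
own policy also accepts; if none matches it answers with the
NO-PROPOSAL-CHOSEN notification.  Algorithm names and the sample policies
below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Phase-1 attributes compared here (lifetimes are left out for brevity).
ATTRS = ("enc", "hash_alg", "auth", "group")


@dataclass(frozen=True)
class Transform:
    enc: str        # encryption algorithm, e.g. "3des"
    hash_alg: str   # hash algorithm, e.g. "md5" or "sha1"
    auth: str       # authentication method, e.g. "psk"
    group: int      # Diffie-Hellman group number


@dataclass
class Peer:
    name: str
    offers: List[Transform]                               # sent, in order, when initiating
    accepts: Set[Transform] = field(default_factory=set)  # honoured when responding

    def __post_init__(self):
        # By default a peer accepts exactly what it would offer.
        if not self.accepts:
            self.accepts = set(self.offers)


@dataclass
class Outcome:
    status: str                 # "OK" or "NO-PROPOSAL-CHOSEN"
    chosen: Optional[Transform]
    initiator: str
    responder: str


def negotiate(initiator: Peer, responder: Peer) -> Outcome:
    """Responder-side selection: first offered transform the responder accepts."""
    for t in initiator.offers:
        if t in responder.accepts:
            return Outcome("OK", t, initiator.name, responder.name)
    return Outcome("NO-PROPOSAL-CHOSEN", None, initiator.name, responder.name)


def unmatched_attributes(initiator: Peer, responder: Peer) -> Dict[str, list]:
    """Per attribute, offered values the responder never accepts in any transform.

    A first-pass diagnostic only: peers may agree on every attribute taken
    separately and still share no complete transform.
    """
    report = {}
    for a in ATTRS:
        offered = {getattr(t, a) for t in initiator.offers}
        accepted = {getattr(t, a) for t in responder.accepts}
        report[a] = sorted(offered - accepted, key=str)
    return report


T = Transform
# Constructed policies (not real Check Point or FreeS/WAN configurations).
FS_WAN = Peer("freeswan", [T("3des", "md5", "psk", 2), T("3des", "sha1", "psk", 2)])
CP_BROAD = Peer("checkpoint-many-boxes-ticked", [
    T("des", "md5", "psk", 1), T("des", "sha1", "psk", 1),
    T("3des", "sha1", "psk", 2), T("3des", "md5", "psk", 2)])
CP_NARROW = Peer("checkpoint-no-overlap", [
    T("des", "md5", "psk", 1), T("3des", "md5", "psk", 5)])
# A peer that offers two transforms but, when responding, honours only one.
STRICT = Peer("strict-responder",
              [T("3des", "md5", "psk", 2), T("des", "md5", "psk", 1)],
              accepts={T("des", "md5", "psk", 1)})

CASES = [(CP_BROAD, FS_WAN), (CP_NARROW, FS_WAN), (FS_WAN, STRICT), (STRICT, FS_WAN)]


def run_cases() -> List[str]:
    """Outcome per case, in CASES order."""
    return [negotiate(i, r).status for i, r in CASES]


if __name__ == "__main__":
    for i, r in CASES:
        o = negotiate(i, r)
        print(f"{o.initiator} -> {o.responder}: {o.status} {o.chosen or ''}")
        if o.status != "OK":
            print("   never accepted by responder:", unmatched_attributes(i, r))
```

The four cases show the two points: a long initiator list with one overlapping transform succeeds (CP_BROAD to FS_WAN), a list with no overlap fails however many entries it has (CP_NARROW to FS_WAN), and the same pair can fail in one direction and succeed in the other when a peer accepts less as responder than it offers as initiator (FS_WAN to STRICT versus STRICT to FS_WAN). The per-attribute report is only a hint for which side's configuration to look at; the real test is whether one complete transform is shared.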
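Going back to Tim Weil's VPN/NAT topology message earlier in this digest: the risk the "big C" advisor described is a forwarding one. If the firewall's only route is a default via the gateway router, packets for the partner's protected networks go straight to the Internet router and never reach the VPN peer, so nothing encrypts them. The differentiation Tim wants is ordinary longest-prefix-match routing: specific routes for the remote protected networks point at the VPN peer, the default stays on the gateway. The Python below is an added example, not from the thread, Gauntlet or any router vendor; it models only the firewall's next-hop decision with constructed addresses (192.0.2.1 as the gateway router, 192.0.2.2 as the VPN peer, 10.20.0.0/16 and 10.30.0.0/24 as the partner networks). Whether the VPN peer then actually encrypts is decided by its own IPsec policy, and NAT and return traffic are outside the model.

```python
"""Outbound next-hop selection for a firewall sitting behind a VPN peer router.

Added example for the VPN/NAT topology question; it is not from the thread,
Gauntlet or any router vendor.  It models only the firewall's forwarding
decision (longest-prefix match) with constructed addresses:
    gateway router   192.0.2.1   (general Internet traffic)
    VPN peer router  192.0.2.2   (IPsec to the partner sites)
    remote protected networks    10.20.0.0/16 and 10.30.0.0/24
Whether the VPN peer then encrypts is decided by its own IPsec policy;
NAT and return traffic are outside this model.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str, str]  # (prefix, next hop, traffic class)

GATEWAY = "192.0.2.1"
VPN_PEER = "192.0.2.2"
DISCARD = "discard"   # blackhole: never hand private prefixes to the Internet router
REMOTE_PROTECTED = [ipaddress.ip_network(p) for p in ("10.20.0.0/16", "10.30.0.0/24")]


def route(prefix: str, next_hop: str, klass: str) -> Route:
    return (ipaddress.ip_network(prefix), next_hop, klass)


# Table the advisor feared: a lone default route, so traffic for the partner
# networks is forwarded to the Internet router and never reaches the VPN peer.
DEFAULT_ONLY: List[Route] = [route("0.0.0.0/0", GATEWAY, "internet")]

# Table that differentiates the two classes: specific routes for the protected
# networks point at the VPN peer, everything else keeps the default, and a
# covering blackhole stops unrouted private space from falling through.
SPLIT: List[Route] = [
    route("0.0.0.0/0", GATEWAY, "internet"),
    route("10.0.0.0/8", DISCARD, "blackhole"),
] + [route(str(p), VPN_PEER, "ipsec") for p in REMOTE_PROTECTED]


def next_hop(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def bypassed(table: List[Route], dsts: List[str]) -> List[str]:
    """Destinations inside a protected network whose next hop is not the VPN peer."""
    leaks = []
    for d in dsts:
        addr = ipaddress.ip_address(d)
        protected = any(addr in net for net in REMOTE_PROTECTED)
        r = next_hop(table, d)
        if protected and (r is None or r[1] != VPN_PEER):
            leaks.append(d)
    return leaks


# Constructed sample destinations: two partner hosts, a public web server,
# and a private address no route is meant to cover.
SAMPLE = ["10.20.5.7", "10.30.0.9", "198.51.100.80", "10.40.1.1"]


def classify(table: List[Route]) -> List[str]:
    """Traffic class chosen for each SAMPLE destination under the given table."""
    out = []
    for d in SAMPLE:
        r = next_hop(table, d)
        out.append(r[2] if r else "unroutable")
    return out


if __name__ == "__main__":
    for name, table in (("default-only", DEFAULT_ONLY), ("split", SPLIT)):
        print(name, dict(zip(SAMPLE, classify(table))),
              "bypassing IPsec:", bypassed(table, SAMPLE))
```

Run it and the default-only table sends both partner hosts to the gateway router in the clear, while the split table sends them to the VPN peer, keeps the public web server on the default, and discards the private address that no tunnel covers instead of leaking it to the Internet router. The same check, run against a firewall's real routing table, is a quick way to verify that the "pass-thru" design does not quietly route protected destinations around the VPN device.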
From jpc at geosys.fr Wed Sep 15 11:24:09 1999
From: jpc at geosys.fr (Jean-Paul CHAVANT)
Date: Wed, 15 Sep 1999 17:24:09 +0200
Subject: looking for white paper
Message-ID: <001e01beff8e$5b415600$7d03a8c0@pcjpc>

Hello,

I am new on the mailing list... I am looking for white papers on IPSec, L2F and L2TP other than the drafts or RFCs of the IETF. Does someone know where I can find such a thing?

Thanks
Jean-Paul CHAVANT
===
GEOSYS SA
Service Informatique
http://www.geosys.fr

From jcaspen at ittc.ukans.edu Wed Sep 15 18:02:39 1999
From: jcaspen at ittc.ukans.edu (Carlos Javier Castro Pena)
Date: Wed, 15 Sep 1999 17:02:39 -0500
Subject: looking for white paper
References: <001e01beff8e$5b415600$7d03a8c0@pcjpc>
Message-ID: <37E0177F.496439DB@ittc.ukans.edu>

All companies that sell VPN products offer white papers. Also, you can go to www.ietf.org and do a search for IPSec documents.
You can begin here: http://kubarb.phsx.ukans.edu/~tbird/vpn.html

From misha at insync.net Thu Sep 16 02:34:58 1999
From: misha at insync.net (Misha)
Date: Thu, 16 Sep 1999 01:34:58 -0500 (CDT)
Subject: VPN placement
Message-ID:

Is there a clear consensus on where an IPSec tunnel should be terminated in relation to a firewall? My first choice would be to use an integrated firewall/VPN, but I am still not clear on what would be the best thing to do with stand-alone boxes.

With remote access and LAN-to-LAN VPNs I am a little worried about terminating the tunnel on a protected interface of a firewall (not to mention that NAT will pose a problem with IPSec). The most logical solution would be to terminate the tunnel on a separate interface of the firewall and control access to internal resources with packet filtering. This presents a huge management headache for large or growing networks.

Another option would be to get a box that can be placed parallel to the firewall, which accepts only IPSec traffic and allows me to create packet filters controlling access to the internal resources. Is there any equipment that actually does this?
Does anyone have any real life suggestions or am I just asking a really dumb question in the first place? I am looking primarily at VPNet, Timestep and Nortel.

Misha

From jpc at geosys.fr Thu Sep 16 04:51:12 1999
From: jpc at geosys.fr (Jean-Paul CHAVANT)
Date: Thu, 16 Sep 1999 10:51:12 +0200
Subject: possible attacks on a network
Message-ID: <003501bf0020$a0978020$7d03a8c0@pcjpc>

Hello,

I am also looking for web sites that relate all possible attacks on a network (IP spoofing, strong attacks, etc...). Does someone know where I can find this?

Thanks
Jean-Paul CHAVANT
===
GEOSYS SA
Service Informatique
http://www.geosys.fr

From APaul at cncx.com Thu Sep 16 12:04:02 1999
From: APaul at cncx.com (Andrew Paul)
Date: Thu, 16 Sep 1999 09:04:02 -0700
Subject: possible attacks on a network
Message-ID: <97FD7417E8C9D111AB4100805FADB6A203906E5A@pariah.cncx.com>

Jean-Paul,

Here are a couple of web sites to check out.....
Andy

http://www.cert.org/
http://www.securityportal.com/framesettopnews.html
http://www.securityfocus.com/

-----Original Message-----
From: Jean-Paul CHAVANT [mailto:jpc at geosys.fr]
Sent: Thursday, September 16, 1999 1:51 AM
To: Vpn
Subject: possible attacks on a network

From chomsky at dor.state.ma.us Thu Sep 16 11:40:11 1999
From: chomsky at dor.state.ma.us (John Smith)
Date: Thu, 16 Sep 1999 11:40:11 -0400 (EDT)
Subject: Nortel VPN Solution
Message-ID: <199909161540.LAA0000021852@news.dor.state.ma.us>

Has anyone used Nortel's Contivity VPN solution? Any input?

Thanks

JPS
MDOR
Chelsea, MA
From mmedwid at symantec.com Thu Sep 16 13:47:52 1999
From: mmedwid at symantec.com (Michael Medwid)
Date: Thu, 16 Sep 1999 10:47:52 -0700
Subject: Nortel VPN Solution
Message-ID: <882567EE.0062037E.00@uscu-smtp01.symantec.com>

When it works (most of the time) it works great. Nice GUI for managing the VPN and lots of useful reports. Performance-wise it does very well. We use IPsec for client to LAN from DSL, cable modem etc. I have users in Kuala Lumpur, Russia, Poland, Hungary, Venezuela (to name a few) using IPsec over local dialup Internet connection as well. And this is a life-saver as international calls for messaging and file transfer get hecka costly. For most of my users they wax enthusiastic. BUT...

their client has installation problems in about 5% of PCs - be they NT or 95 or 98. Sometimes it causes clients to boot up to blue screen, sometimes they have to remove all network drivers, sometimes they have to completely rebuild their system. Nortel (Bay) has been painfully slow in getting out bug fixes to resolve the client. Also note that they do NOT have a Windows 2000 compatible client. This is a real bug-bear for my developers working with the Win 2000 beta and attempting to develop product.

-Michael Medwid
Symantec Corp.

"John Smith" on 09/16/99 08:40:11 AM

From rk_ at mailcity.com Thu Sep 16 14:41:28 1999
From: rk_ at mailcity.com (S Ramakrishnan)
Date: Thu, 16 Sep 1999 11:41:28 -0700
Subject: Nortel VPN Solution
Message-ID:

Hi -

Thanks for the useful info. Can I get a prototype or at least a set of screen shots to see how they manage it? Does the GUI manage the client or the gateway? How about CA management (CA traffic tracking, certificate footprint in memory and so forth). Does it manage L2TP tunnels?
Do they have an L2TP client? Is it instrumented by SNMP? If so, what versions of the IPSEC and L2TP MIB are used?

Thanks!

Rk

---
S Ramakrishnan
"... from the sunny shores of California ..."
rk_ at mailcity.com, (408) 616.3100
From misha at insync.net Thu Sep 16 14:57:07 1999
From: misha at insync.net (Misha)
Date: Thu, 16 Sep 1999 13:57:07 -0500 (CDT)
Subject: Nortel VPN Solution
In-Reply-To: <882567EE.0062037E.00@uscu-smtp01.symantec.com>
Message-ID:

Does Nortel have any docs on their products other than the sales drivel that's on their site? I have tried to find some white papers or manuals, but they seem to only be provided for older versions of the hardware.

Misha
From tbird at secnetgroup.com Mon Sep 20 08:26:30 1999
From: tbird at secnetgroup.com (Tina Bird)
Date: Mon, 20 Sep 1999 07:26:30 -0500 (CDT)
Subject: LINUX How-to
Message-ID:

Hi all --

If you're interested in seeing how to set up a PPP/SSH based VPN on Linux, check out the following:

www.uni-erlangen.de/docs/RRZE/dezentral/unix/linux/HOWTOS/mini/VPN-4.html

cheers -- Tina

From edi.cortesi at cablecom.ch Mon Sep 20 01:13:05 1999
From: edi.cortesi at cablecom.ch (Edi Cortesi)
Date: Mon, 20 Sep 1999 07:13:05 +0200
Subject: possible attacks on a network
References: <003501bf0020$a0978020$7d03a8c0@pcjpc>
Message-ID: <37E5C261.7436EB57@cablecom.ch>

Hi Jean-Paul

look at www.iss.com

regards
Edi

From mhw at wittsend.com Mon Sep 20 14:27:48 1999
From: mhw at wittsend.com (Michael H. Warfield)
Date: Mon, 20 Sep 1999 14:27:48 -0400 (EDT)
Subject: possible attacks on a network
In-Reply-To: <37E5C261.7436EB57@cablecom.ch> from Edi Cortesi at "Sep 20, 1999 07:13:05 am"
Message-ID: <199909201827.OAA18681@alcove.wittsend.com>

Edi Cortesi enscribed thusly:
> Hi Jean-Paul
> look at www.iss.com

I think you will have better luck if you look at "www.iss.net". www.iss.com is an outfit that makes "fluorescence instrumentation for research". Internet Security Systems (where I work as Senior Researcher) is at www.iss.net. Last I heard, the gang over at iss.com are less than thrilled with all the extra traffic they've been getting thanks to us. :-/

> regards
> Edi

--
Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
(The Mad Wizard)       |  (770) 331-2437   |  http://www.wittsend.com/mhw/
NIC whois: MHW9        |  An optimist believes we live in the best of all
PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
From ikertesz at asec-md2.com Tue Sep 21 11:36:59 1999
From: ikertesz at asec-md2.com (Kertesz, Imre)
Date: Tue, 21 Sep 1999 11:36:59 -0400
Subject: VPN & Shared Secret testing
Message-ID: <5B31C38B2AE1D111832700A0C9AB275F852AEE@skylark.asec-md2.com>

List folks,

I am on a quest for resources. I am currently writing a test plan for security testing involving hardware VPNs. Being a scantly-explored frontier, VPN and the associated cryptographic enhancements have few published vulnerabilities besides the classic TCP/IP issues that may survive the translation to the IPSec realm. I have also failed to find anything of value regarding Shared Secret authentication. If anyone can point me toward some resources that may be of value in these areas, I will return a compiled listing of all of the resources that I receive to those who are interested.

Thanks - IK

Imre Kertesz III
Senior Consultant
Booz-Allen & Hamilton
410.540.4798

From sdurette at TimeStep.com Tue Sep 21 08:51:46 1999
From: sdurette at TimeStep.com (Stephane Durette)
Date: Tue, 21 Sep 1999 08:51:46 -0400
Subject: looking for white paper
Message-ID: <319A1C5F94C8D11192DE00805FBBADDFDDFC39@exchange>

Jean-Paul,

Take a look at the following url: http://www.timestep.com/Html/ReWhite.htm
Cheers

Steph

---------------------------------------------------------------
Stephane Y Durette - Applications Engineer, TimeStep Corp.
(613) 599-3610 x:4682 Voice          (613) 599-9560 - FAX
mailto:sdurette at timestep.com    http://www.timestep.com
---------------------------------------------------------------------
"Two possibilities exist: either we are alone in the universe or we are not. Both are equally terrifying." Arthur C. Clarke
---------------------------------------------------------------------

-----Original Message-----
From: Jean-Paul CHAVANT [mailto:jpc at geosys.fr]
Sent: September 15, 1999 11:24 AM
To: Vpn
Subject: looking for white paper

hello,

i am new on the mailing list ... i am looking for white papers on IPSec, L2F and L2TP other than draft or rfc of ietf. Someone knows where i can find such a thing?

thanks
Jean-Paul CHAVANT

===
GEOSYS SA
Service Informatique
http://www.geosys.fr

From twolsey at realtech.com Wed Sep 22 10:07:54 1999
From: twolsey at realtech.com (TC Wolsey)
Date: Wed, 22 Sep 1999 10:07:54 -0400
Subject: VPN & Shared Secret testing
Message-ID:

> "Kertesz, Imre" 09/21/99 11:36AM >>>
>
> List folks,
>
> I am on a quest for resources. I am currently writing a test plan for
> security testing involving hardware VPNs.
> Being a scantly-explored frontier, VPN and the associated cryptographic
> enhancements have few published vulnerabilities besides the classic TCP/IP
> issues that may survive the translation to the IPSec realm. I have also
> failed to find anything of value regarding Shared Secret authentication. If
> anyone can point me toward some resources that may be of value in these
> areas, I will return a compiled listing of all of the resources that I
> receive to those who are interested.
>
> Thanks - IK
>
> Imre Kertesz III
> Senior Consultant
> Booz-Allen & Hamilton
> 410.540.4798

Several references wrt IPSec are available at http://www.research.att.com/~smb/papers/index.html.

I have not looked extensively, but I have always been concerned that IKE implementations that do not allow an arbitrary bit string to be specified for a pre-shared key may be vulnerable to either dictionary or brute force attacks.

Regards,
tcw

From markus at hofmar.de Thu Sep 23 02:12:30 1999
From: markus at hofmar.de (Markus Hofmann)
Date: Thu, 23 Sep 1999 08:12:30 +0200 (MEST)
Subject: L2F and L2TP Tunnels with Cisco
Message-ID:

Hello!

Is it possible to establish a L2TP/PPTP/L2F Tunnel between two Cisco Routers, where one router is the L2TP Network Server (LNS) and the other router is the L2TP Access Concentrator (LAC) and the PPP Client together? If yes, could someone please mail me a sample configuration?

Another question:
Is it possible on a cisco to enable compression, maybe on a tunnel interface, before encrypting takes place? If yes, could someone please mail me a sample configuration, too?

thanks
M. Hofmann

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Markus Hofmann          Phone: +49 170 2848250
St. Urbanusstr. 15      Fax: +49 9371 2032
                        E-Mail: hofmann at hofmar.de
63927 Buergstadt        SMS-Mail: sms at hofmar.de (Only Subject)
Germany                 PGP-Keys: look at http://www.hofmar.de
---------------------------------------------------------------------
Only written with 100% recyclable electrons!

From tbird at secnetgroup.com Mon Sep 27 09:50:27 1999
From: tbird at secnetgroup.com (Tina Bird)
Date: Mon, 27 Sep 1999 08:50:27 -0500 (CDT)
Subject: Web site updates
Message-ID:

Hi all --

We've received a couple of postings to the list which include large images. Rather than distributing them to everyone and hoping that you'll all receive them in useful format, I thought I'd put them on the Web site. I'm hoping to get that done this week (thanks for your patience).

In addition, Rick Smith has graciously donated the glossary from his book, "Internet Cryptography," to be the basis for a VPN glossary -- also on my to-do list for my ever diminishing free time.
cheers -- Tina

From littlefoot141 at icqmail.com Tue Sep 28 04:02:06 1999
From: littlefoot141 at icqmail.com (NA)
Date: Tue, 28 Sep 1999 16:02:06 +0800
Subject: Inquiry
Message-ID: <005a01bf0987$f0951400$2e69ffcc@mnl.sequel.net>

Greetings!

I am a student of the University of Asia & the Pacific. I am currently taking up my masters and doing a thesis. My thesis is regarding Virtual Private Network. I came upon your website and I found it very interesting. Also, I am hoping that you could help me out.

I have researched various information on VPN but I am still having a hard time understanding the processes behind the technology. Would you know the processes and how they work in general? Also, would you have any suggestions on how to create a VPN simulation? I was thinking of using WinNT's PPTP via RAS but I am not sure if it can be considered a VPN.

Thank you for your time and hoping for your kind consideration.

Natalie

From mmarinb at usa.net Tue Sep 28 20:04:27 1999
From: mmarinb at usa.net (Mauricio Marin)
Date: 28 Sep 99 18:04:27 MDT
Subject: DSL & VPN
Message-ID: <19990929000427.10917.qmail@nwcst290.netaddress.usa.net>

I don't understand what is DSL, if someone can teach me i will really appreciate with some PDF or some doc, link,.....
Mauricio Marin
Lima-Peru

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1

From tgeiss at thewarrengroup.com Wed Sep 29 11:48:53 1999
From: tgeiss at thewarrengroup.com (Tim Geiss)
Date: Wed, 29 Sep 1999 11:48:53 -0400
Subject: DSL & VPN
Message-ID:

www.whatis.com

>>> Mauricio Marin 09/28 8:04 PM >>>
I don't understand what is DSL, if someone can teach me i will really appreciate with some PDF or some doc, link,.....

Mauricio Marin
Lima-Peru
From alaramee at mitre.org Wed Sep 29 11:48:11 1999
From: alaramee at mitre.org (Art Laramee)
Date: Wed, 29 Sep 1999 11:48:11 -0400
Subject: DSL & VPN
References: <19990929000427.10917.qmail@nwcst290.netaddress.usa.net>
Message-ID: <37F234BB.BBE7C854@mitre.org>

see www.dslreports.com

Mauricio Marin wrote:
>
> I don't understand what is DSL, if someone can teach me i will really
> appreciate with some PDF or some doc, link,.....
>
> Mauricio Marin
> Lima-Peru
From mhark at insync.net Wed Sep 29 13:41:26 1999
From: mhark at insync.net (Matthew Harkrider)
Date: Wed, 29 Sep 1999 10:41:26 -0700
Subject: DSL & VPN
Message-ID: <003101bf0aa1$db44e100$4ad0fdcc@matt>

Mauricio,

A basic site that you can go check out for info. on Digital Subscriber Lines is: http://www.whatis.com/dsl.htm

Good Luck,
Matthew

This message is from:
Matthew Harkrider
Sales Engineer
Insync Internet Services
Office: (713) 407-7056
Pager: (713) 891-8393
mhark at insync.net

-----Original Message-----
From: Mauricio Marin
To: vpn at listserv.secnetgroup.com
Date: Wednesday, September 29, 1999 8:34 AM
Subject: DSL & VPN

> I don't understand what is DSL, if someone can teach me i will really
> appreciate with some PDF or some doc, link,.....
>
> Mauricio Marin
> Lima-Peru
From AdamN at frontier-risk.com Wed Sep 29 13:06:09 1999
From: AdamN at frontier-risk.com (Adam Northern)
Date: Wed, 29 Sep 1999 12:06:09 -0500
Subject: Virtual Private Network Question
Message-ID: <8BF54630DEC4D211B41C00A0C9C85F6E07BD1C@mail.fronter-risk.com>

I am interested in implementing a vpn at my work locations and have done some research, even though it is hard to find a good reliable source of unbiased information about vpns. This is what I came up with, and I want to run it by you peeps to make sure I'm not smoking crack or missing some fundamental law of the universe.

use for vpn: mainly for file sharing for embedded work (microsofty) documents and secure communication channels.

stuff already there: Nt servers for authentication / userlogin(ugh) microsoft exchange (ugh) and lots of microsoft stuff. The previous it person here was a big fan of microsoft. I am not. All locations have a switch and router/firewall.

My idea. build a dual homed linux or freebsd machine (2 nic cards) to act as a bridge between the router and the switch. it will use free s/wan to create the encrypted tunnels between the locations.
Filtering rules would be implemented on the vpn bridge to forward packets destined for one of the other locations' ip addresses to be encapsulated and sent to it via the 'real' router. This will be used for tcp/ip, udp/ip, and *possibly* ipx/ncp and ipx/spx, even though I hope to replace the aging Novell servers, which are very slow at what they do (but stable, one of them has an uptime of 2 years) with more up to date equipment and possibly samba. I am not sure what protocol netbios uses, but I would probably want to send those through the tunnel as well so all the locations can play evil games and stick tons of pr0n on the other locations' file servers just by going into network neighborhood.

Also, the vpn bridges will be set to deny anything coming in on the encrypted tunnel that is not from a trusted ip address. Then I will get some bread, a knife, and some peanut butter and jelly. Eat it (sans the knife, of course).

all other outgoing/incoming packets will be done as normal, going through the main firewall. the routers and vpn machines will have 'real' ip addresses, everything else will be assigned ip addresses in the private range, most likely the class A range, with a NAT.

Does this sound right? is there a better way to do it? Am I missing something? Is my fly unzipped?

[network]  S
[network]  W
[network]  I
[network]  T --> VPN-----router---{ internet }---router-----VPN--- . . . [network]
[network]  C     Bridge< . . . . . . . . . . . . . . . . . >Bridge     [network]
[network]  H              (encrypted data tunnel)

Adam Northern
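Adam's filtering rules, written out as an added example (not his code, and not FreeS/WAN's): a small Python classifier for the bridge that sends traffic bound for another location's private range into the tunnel, accepts decapsulated packets only when their inner source belongs to the peer gateway that actually sent them, and drops private-range sources that show up in the clear on the Internet side. The site ranges (10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16) and gateway addresses (198.51.100.1, 203.0.113.1) are constructed for the example.

```python
"""Forwarding policy of a site-to-site VPN bridge (added example, not Adam's code).

The gateway sits between the site switch ("lan" side) and the Internet router
("wan" side); traffic decapsulated from the encrypted tunnel is tagged "tunnel"
together with the public address of the peer gateway it came from.  All
addresses below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Constructed topology: this gateway serves SITE_LOCAL; each remote site is
# reachable only through the tunnel to its gateway's public ("real") address.
SITE_LOCAL = IPv4Network("10.1.0.0/16")
REMOTE_SITES = {
    IPv4Network("10.2.0.0/16"): IPv4Address("198.51.100.1"),
    IPv4Network("10.3.0.0/16"): IPv4Address("203.0.113.1"),
}
PRIVATE = IPv4Network("10.0.0.0/8")   # the "class A" private range in the plan


@dataclass(frozen=True)
class Packet:
    iface: str                          # "lan", "wan" or "tunnel"
    src: IPv4Address
    dst: IPv4Address
    peer: Optional[IPv4Address] = None  # outer source of a tunnel packet


def remote_site_for(addr: IPv4Address) -> Optional[IPv4Network]:
    """Return the remote site range that contains addr, if any."""
    for net in REMOTE_SITES:
        if addr in net:
            return net
    return None


def decide(pkt: Packet) -> str:
    """Classify one packet: "tunnel:<peer>", "forward", "deliver" or "drop:<why>"."""
    if pkt.iface == "lan":
        # An inside host claiming an address outside our own range is spoofing.
        if pkt.src not in SITE_LOCAL:
            return "drop:lan source not in local range"
        if pkt.dst in SITE_LOCAL:
            return "deliver"
        site = remote_site_for(pkt.dst)
        if site is not None:
            # Another location's range: encapsulate and send via the real router.
            return f"tunnel:{REMOTE_SITES[site]}"
        if pkt.dst in PRIVATE:
            return "drop:private destination with no tunnel"
        return "forward"  # everything else goes out through the main firewall

    if pkt.iface == "wan":
        # A private-range source arriving in the clear from the Internet side
        # can only be spoofed; remote sites are reached via the tunnel alone.
        if pkt.src in PRIVATE:
            return "drop:private source in the clear on wan"
        return "forward"

    if pkt.iface == "tunnel":
        # Decapsulated traffic is trusted only when its inner source belongs to
        # the site whose gateway actually sent it, and it is addressed to us.
        site = remote_site_for(pkt.src)
        if site is None or REMOTE_SITES[site] != pkt.peer:
            return "drop:inner source not trusted for this peer"
        if pkt.dst not in SITE_LOCAL:
            return "drop:tunnel traffic not addressed to local site"
        return "deliver"

    return "drop:unknown interface"


# Constructed sample traffic exercising each rule.
SAMPLES = [
    Packet("lan", IPv4Address("10.1.0.5"), IPv4Address("10.2.3.4")),
    Packet("lan", IPv4Address("10.1.0.5"), IPv4Address("198.51.100.77")),
    Packet("lan", IPv4Address("10.2.0.5"), IPv4Address("10.1.0.9")),
    Packet("wan", IPv4Address("10.2.3.4"), IPv4Address("10.1.0.5")),
    Packet("tunnel", IPv4Address("10.2.3.4"), IPv4Address("10.1.0.5"),
           IPv4Address("198.51.100.1")),
    Packet("tunnel", IPv4Address("10.2.3.4"), IPv4Address("10.1.0.5"),
           IPv4Address("203.0.113.1")),
    Packet("tunnel", IPv4Address("10.2.3.4"), IPv4Address("10.3.0.9"),
           IPv4Address("198.51.100.1")),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p.iface:6} {p.src} -> {p.dst}: {decide(p)}")
```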
From ssproston at home.com Wed Sep 29 13:02:16 1999
From: ssproston at home.com (steve sproston)
Date: Wed, 29 Sep 1999 10:02:16 -0700
Subject: running a vpn client
Message-ID: <000a01bf0a9c$63311440$6401a8c0@s975396bf>

Hi.

Relatively new linux user - just set up firewall with ip masq to run multiple boxes on a single cable ip address. Everything is working great except for one thing:

I need to access a remote vpn server outbound from my lan. I can't get a connection. i have set an ipfwadm rule to allow inbound tcpip from the vpn server. It works from the other side of my firewall but not from behind it.

does anyone know what i need to do to set this up? looked around VPN stuff for linux but it is all on how to set up server side stuff.

Thanks.

Steve

From marcus at TechPlanet.com Wed Sep 29 14:23:52 1999
From: marcus at TechPlanet.com (Marcus Castro)
Date: Wed, 29 Sep 1999 11:23:52 -0700
Subject: VPN and Linux
Message-ID:

Has anyone implemented the FreeS/WAN product under Linux yet? Any comments, concerns, problems, bugs? Does it seem to work well for LAN to LAN VPNs? My company plans to have 60 U.S. offices within the next year, each having DSL/cable/ISDN. Networks are NT server based.
Also, has anyone used MultiTech Dual Ethernet Proxy server or CheckPoint FireWall 1 in a VPN situation?

Marcus Castro
TechPlanet
1-877-TECH-PLANET
http://www.techplanet.com
"We make your life easier or you don't pay us."

From carlsonmail at yahoo.com Thu Sep 30 01:31:42 1999
From: carlsonmail at yahoo.com (Chris Carlson)
Date: Wed, 29 Sep 1999 22:31:42 -0700 (PDT)
Subject: running a vpn client
Message-ID: <19990930053142.28866.rocketmail@web108.yahoomail.com>

Depends on what VPN you're running. If it's IPSec, then network address translation (NAT) using linux's ip masq will break the protocol and it won't work!

What VPN product/protocol are you using?

Some IPSec implementations may be configured for one-to-one static NAT mappings, but your mileage may vary. Plus the SysAdmin on the other end may not want to set up all those maps.

There are other VPN protocols that aren't affected by NAT: PPTP, L2TP, L2F (no encryption, though), SSL, SOCKS, SSH, and other proprietary stuff.

Good luck!
Chris

--- steve sproston wrote:
> Hi.
>
> Relatively new linux user - just set up firewall with ip masq to run
> multiple boxes on a single cable ip address. Everything is working great
> except for one thing:
>
> I need to access a remote vpn server outbound from my lan. I can't get a
> connection. i have set an ipfwadm rule to allow inbound tcpip from the vpn
> server. It works from the other side of my firewall but not from behind it.
>
> does anyone know what i need to do to set this up? looked around VPN
> stuff for linux but it is all on how to set up server side stuff.
>
> Thanks.
>
> Steve

From Ryan.Russell at sybase.com Wed Sep 29 14:30:33 1999
From: Ryan.Russell at sybase.com (Ryan Russell)
Date: Wed, 29 Sep 1999 11:30:33 -0700
Subject: running a vpn client
Message-ID: <882567FB.006799C6.00@gwwest.sybase.com>

> Relatively new linux user - just set up firewall with ip masq to run
> multiple boxes on a single cable ip address. Everything is working great
> except for one thing:
>
> I need to access a remote vpn server outbound from my lan. I can't get a
> connection. i have set an ipfwadm rule to allow inbound tcpip from the vpn
> server. It works from the other side of my firewall but not from behind it.
Many VPNs don't work well with NAT. Which VPN client are you trying to get working?

Ryan

From AdamN at frontier-risk.com Wed Sep 29 16:26:51 1999
From: AdamN at frontier-risk.com (Adam Northern)
Date: Wed, 29 Sep 1999 15:26:51 -0500
Subject: Virtual Private Network Question
Message-ID: <8BF54630DEC4D211B41C00A0C9C85F6E07BD1D@mail.fronter-risk.com>

We should probably reply to the mailing list, so other peoples who care to see can see sea shells by the sea shore.

As for using an embedded system, that is a nice idea, except I'm kinda edgy around black box solutions. Sure, I don't mind a 'plug it in and it works' deal, would make my job tons easier - but it is all closed source and proprietary stuff going on. Plus the manufacturers do stupid things sometimes. Are you aware that a good portion of 3com's superstack routers/switches have a default 'backdoor' password that can be used to change the admin passwords and configuration? Apparently they added those for all the people that 'forget' their passwords. Not the sorta thing I look forward to finding out, considering my company uses those. Good thing I changed that password once I found out about it.

Then there's the dsl provider we are signing up with, the router they recommend to us offers vpn and firewall capabilities built in, but it is based on microsoft's pptp, which I hope everyone knows about its fallacity (I don't even know what that word means, just felt like a good word to say) and shortcomings.
Plus the tech there was straightforward with me and said that a competent hacker like himself or me (I had to blush at this) could get past the firewall fairly easy.

As for reliability, except under unrealistic extreme stress due to stupidity on my part, I have yet to have a linux machine go down without me telling it to go down. Unless you count the time that my brother spilt beer into our home server, but surprisingly the computer kept on chugging. While I am sure that dedicated equipment will have 100% uptimes compared to 99.99 or .97 or whatever, that is acceptable for us.

Sure, while a software solution may not be as fast as an embedded hardware one, I think there is more flexibility, plus I have the equipment all here (and I can get great deals on computer equipment if I need more state of the art stuff), and I can make sure there are none of the manufacturer added 'features'. And the most amount of data I will be encrypting to other locations is .7 mb/s, because the other locations are going to have dsl with half t1 speeds. I am going to have to test it out before doing a full blown implementation to see how well it can encrypt and decrypt the data and test the reliability of the thingies. plus i can be leet c at use i yews leenux (just kidding)

I wonder if I can load linux into a palm pilot, find some way to wire 2 nics into it, and use it as a vpn machine... nahhh.

But thanks for your advice. Now to figure out whether I want leenux or bsd on this thing, never played with any of the bsd's, so I might stick with linux for the time being. Long live debian! Butter! Heaping GOBS of butter!

I am interested in writing a TFM for vpns, TFM as in RTFM! - If I do, it will be open source and I will let you peeps in the know.

-----Original Message-----
From: Eric Henriksen [mailto:eric_h at earthlink.net]
Sent: Wednesday, September 29, 1999 3:03 PM
To: Adam Northern
Subject: Re: Virtual Private Network Question

For the most part, you've got it 'zipped up'.
However, if reliability and performance are issues, you should look at VPN bridges built in embedded systems, rather than run on PCs (yes, even Linux-based). Unlike your Novell server, these things usually can't achieve near the reliability of hardware appliances. The performance will never match that capable of accelerating the crypto math in FPGA or ASICs. Not to mention that the cost for such appliances are sometimes less than the cost for a typical computer to run the software on. RedCreek has Personal Ravlins that run up to 2 Mbps for less than $750, about the size of a palm pilot, plug and play and remotely manageable.

This trend doesn't bode well for your idea as a marketable one. As a science project, great.

Later...

From bkeepper at home.com Wed Sep 29 21:24:32 1999
From: bkeepper at home.com (Ben Keepper)
Date: Wed, 29 Sep 1999 18:24:32 -0700
Subject: Solaris IPSec client
Message-ID: <002a01bf0ae2$8d00f4c0$d9990018@cv1.sdca.home.com>

Anybody seen an IPSec VPN compatible client for Solaris (SPARC). Freeware would be cool, but I am willing to entertain paying for the clients.

Also, has anybody successfully run FreeS/WAN under LXRUN on Solaris 7(Intel).

Any thoughts or solutions would be appreciated.
Ben

From Jose.Muniz at US.DataFellows.COM Thu Sep 30 23:16:21 1999
From: Jose.Muniz at US.DataFellows.COM (Muniz, Jose)
Date: Thu, 30 Sep 1999 20:16:21 -0700
Subject: Solaris IPSec client
Message-ID:

Hello Ben:

There is an IPSec VPN for Solaris, there is a beta available and it is really stable, it supports X.509 Certs as well as PreShared keys. You can find more information at http://www.datafellows.com

> -----Original Message-----
> From: Ben Keepper [mailto:bkeepper at home.com]
> Sent: Wednesday, September 29, 1999 6:25 PM
> To: vpn at listserv.secnetgroup.com
> Subject: Solaris IPSec client
>
> Anybody seen an IPSec VPN compatible client for Solaris (SPARC). Freeware
> would be cool, but I am willing to entertain paying for the clients.
>
> Also, has anybody successfully run FreeS/WAN under LXRUN on Solaris
> 7(Intel).
>
> Any thoughts or solutions would be appreciated.
>
> Ben
From Ken.Ford at sierra.com Thu Sep 30 16:42:23 1999
From: Ken.Ford at sierra.com (Ken Ford)
Date: Thu, 30 Sep 1999 13:42:23 -0700
Subject: running a vpn client
Message-ID: <83A2A724F77FD211A0B30008C78CDACEA6A354@CRATER>

You might want to have a look at VPN Masquerade, sounds like it might be what you are looking for. I haven't actually used it, so I can't testify to its functionality.

ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html

- KF

-----Original Message-----
From: steve sproston [mailto:ssproston at home.com]
Sent: Wednesday, September 29, 1999 10:02 AM
To: vpn at listserv.secnetgroup.com
Subject: running a vpn client

Hi.

Relatively new linux user - just set up firewall with ip masq to run multiple boxes on a single cable ip address. Everything is working great except for one thing:

I need to access a remote vpn server outbound from my lan. I can't get a connection. i have set an ipfwadm rule to allow inbound tcpip from the vpn server. It works from the other side of my firewall but not from behind it.

does anyone know what i need to do to set this up? looked around VPN stuff for linux but it is all on how to set up server side stuff.

Thanks.
Steve