From tbird at PRECISION-GUESSWORK.COM Tue Aug 1 12:44:59 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Tue, 1 Aug 2000 11:44:59 -0500
Subject: IPsec mailing list
Message-ID:

Hi all -- Sorry for the brain spasm last week. For people who are interested in the IPsec mailing list or archive, please visit http://www.vpnc.org/ietf-ipsec for more information.

thanks -- tbird

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

---------- Forwarded message ----------
Date: Mon, 31 Jul 2000 06:45:22 -0500
From: "Brown, Theresa"
To: 'Tina Bird'
Subject: RE: Comments regarding IPsec NAT traversal / new proposal (fwd)

Tina, I am interested in the IPsec mailing list but could not find any information on it at www.securityfocus.com. Are the archives stored anywhere?

-----Original Message-----
From: Tina Bird [mailto:tbird at PRECISION-GUESSWORK.COM]
Sent: Wednesday, July 26, 2000 10:30 AM
To: VPN at SECURITYFOCUS.COM
Subject: Comments regarding IPsec NAT traversal / new proposal (fwd)

Hi all -- I'm not sure how many of you also subscribe to the IPsec mailing list. It's much more focussed on standards development and such than on the implementation topics we tend to concentrate on. However, if you are interested in the further evolution of IPsec, you may want to start tracking this thread, which is a discussion of encapsulating IPsec over TCP or UDP, to gain NAT compatibility.
cheers -- tbird

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

---------- Forwarded message ----------
Date: Wed, 26 Jul 2000 16:03:27 +0300
From: Ari Huttunen
To: ipsec-list
Subject: Comments regarding IPsec NAT traversal / new proposal

This mail applies partly to both of these drafts:
   draft-aboba-nat-ipsec-02.txt
   draft-stenberg-ipsec-nat-traversal-00.txt

We believe that using UDP encapsulation is the correct way to traverse NATs, at least in the short term. We also intend to produce an internet draft about this, however it didn't materialize before the Pittsburgh meeting. The current proposals are unnecessarily complex, and I'd like some discussion about these issues, to judge if this is indeed the case.

ASSUMPTION: There is no *need* to enable AH traffic to traverse through a NAT. ESP is sufficient to provide encryption and/or authentication.

By accepting this assumption, the solution can be made less complex. It has been argued that in some rare cases AH is necessary to protect the IP header. If this is so, I argue that there is no need to make this pass through a NAT as well. Thus, we can use the following encapsulation that is less complex and has less overhead than either of the referred drafts has, i.e. 8 octets.

Transport mode:
          ---------------------------------------------------------
    IPv4  |orig IP hdr  | UDP | ESP |              | ESP     | ESP|
          |(any options)| Hdr | Hdr | Payload Data | Trailer |Auth|
          ---------------------------------------------------------

ASSUMPTION: We do *not* wish to use the same UDP port for both IKE and IPsec traffic encapsulated in UDP. This is because we'd lose the possibility to filter these traffic types separately in a firewall. For this purpose we've reserved the port 2797 from IANA.

As draft-stenberg-ipsec-nat-traversal-00.txt mentions, there is a potential need for a keepalive to ensure NAT tables remain up-to-date.
Because our proposal uses a different port than IKE, there is a need for a keepalive that sends packets along the ESPoverUDP path. This can be achieved for instance by sending empty UDP packets (i.e. without ESP contents). (Assuming the general IPsec keepalive is along the IKE SA and can't be used.)

In particular, the method of negotiating and setting up UDP encapsulation as defined in draft-stenberg-ipsec-nat-traversal-00.txt is too complex. We propose the following mechanism for discussion:

1) IKE phase 1 is not modified.

2) IKE phase 2 adds a new protocol ID,

      Protocol ID                 Value
      -----------                 -----
      RESERVED                      0
      PROTO_ISAKMP                  1
      PROTO_IPSEC_AH                2
      PROTO_IPSEC_ESP               3
      PROTO_IPCOMP                  4
      PROTO_IPSEC_ESP_OVER_UDP      X

   This is used to send proposals for plain IPsec as well as ESPoverUDP during the QM. As usual, the responder may use any proposal it wishes. The proposal shall contain parameters that say which src/dst port/addresses were used by the initiator when sending the IKE packet. If these differ from those observed by the responder, there is a NAT acting between them, and the responder SHOULD choose the ESP over UDP proposal.

Unlike draft-stenberg-ipsec-nat-traversal-00.txt, this method does not leak information regarding the internal structure of the network, because QM messages are encrypted.

We don't have patent applications regarding this, but I have no way of knowing whether SSH has tried to patent some of it.
--
Ari Huttunen                  phone: +358 9 859 900
Senior Software Engineer      fax  : +358 9 8599 0452
F-Secure Corporation          http://www.F-Secure.com
F-Secure products: Integrated Solutions for Enterprise Security

VPN is sponsored by SecurityFocus.COM

From chuang at PRICESAROUNDTHEWORLD.COM Tue Aug 1 14:17:47 2000
From: chuang at PRICESAROUNDTHEWORLD.COM (chuang at PRICESAROUNDTHEWORLD.COM)
Date: Tue, 1 Aug 2000 14:17:47 -0400
Subject: 128 bit PPTP Encryption and NAT
Message-ID: <6159DD9C5791D211A12700902728A2A6ABD35B@MAIL2>

I got Win2K PPTP working with a Netscreen-10 firewall with NAT a while ago, but unfortunately, after I upgraded the firmware of the Netscreen-10, it does not work anymore.

-----Original Message-----
From: Michael Medwid [mailto:Michael.Medwid at ARIBA.COM]
Sent: Monday, July 31, 2000 8:59 PM
To: VPN at SECURITYFOCUS.COM
Subject: 128 bit PPTP Encryption and NAT

Should there be any incompatibility between 128 bit PPTP encryption and users behind a NATted environment? My Altiga (Cisco 3030) seems to kick off the tunnels if they were originated from a NATted environment. Cisco TAC didn't have too much to say on the whole thing other than "uh yeah that won't work." Thanks for any insight.

-Michael

From tbird at PRECISION-GUESSWORK.COM Tue Aug 1 14:16:26 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Tue, 1 Aug 2000 13:16:26 -0500
Subject: Looking for a push in the right direction with my VPN.... (fwd)
Message-ID:

Hi all -- Any help with Tobin's problem greatly appreciated...

---------- Forwarded message ----------
Date: Tue, 1 Aug 2000 14:20:45 -0400
From: Tobin Craig
To: tbird at precision-guesswork.com
Subject: Looking for a push in the right direction with my VPN....

Hi Tina,

I'm wrestling with a fledgling VPN configuration on my network, and I hope you can help.

We are experiencing a performance drop every time we try to use our VPN.
To illustrate this, we moved an 82 MB file directly over our LAN, taking 30 seconds. By connecting to our VPN server, again over the LAN, and moving the same file, the process took 5 minutes 30 seconds. Dialing into an independent ISP and then establishing the VPN connection took even longer.

Our VPN server is running NT, SP6, and Microsoft PPTP protocol. We are connecting to it via a Pentium 450 laptop running NT, SP6, using RAS. We have checked the processor loads on both machines; neither one is breaking a sweat during the copy process.

Our VPN server is on its own node on our Checkpoint firewall. All traffic destined for it passes through the firewall, is sent to the VPN server, is passed back through the firewall, and then is sent to its destination again. We have determined that the firewall is not posing a problem, since the performance degradation is consistent whether the traffic is generated from within or from outside the firewall.

Do you have any suggestions about what I can do to improve the performance of this arrangement? It is currently giving us the same level of performance as our 28.8 modems!

Thanks for any help or advice you might have,

Tobin Craig
Network Security Administrator
Swales Aerospace
Beltsville, MD 20705
http://www.swales.com

From pete at ETHER.NET Tue Aug 1 16:46:45 2000
From: pete at ETHER.NET (Pete Davis)
Date: Tue, 1 Aug 2000 16:46:45 -0400
Subject: 128 bit PPTP Encryption and NAT
In-Reply-To: <271DE2625FD4D311949B009027F43B9F01A9B7C1@us-mtvmail2.ariba.com>
References: <271DE2625FD4D311949B009027F43B9F01A9B7C1@us-mtvmail2.ariba.com>
Message-ID: <20000801164645.A4902@ether.net>

You can use PPTP sessions from behind a NAT (PAT) device as long as it supports GRE PAT, which most devices do not.
Many small devices do have this support, and Linux does with a special patch from John Hardin. You will only be able to use 1 PPTP session at a time from behind this NAT device to a specific central site Concentrator.

Regards,

pete

On Mon, Jul 31, 2000 at 05:59:27PM -0700, Michael Medwid wrote:
> Should there be any incompatibility between 128 bit PPTP encryption
> and users behind a NATted environment? My Altiga (Cisco 3030) seems to kick
> off the tunnels if they were originated from a NATted environment. Cisco
> TAC didn't have too much to say on the whole thing other than "uh yeah that
> won't work." Thanks for any insight.
>
> -Michael

---
Pete Davis - Product Manager (508) 541-7300 x6154
Cisco Systems, Inc. - 124 Grove Street Suite 205 Franklin, MA 02038

From Craig.Biggerstaff at CSOCONLINE.COM Wed Aug 2 09:47:48 2000
From: Craig.Biggerstaff at CSOCONLINE.COM (Biggerstaff, Craig)
Date: Wed, 2 Aug 2000 08:47:48 -0500
Subject: Looking for a push in the right direction with my VPN.... (fw d)
Message-ID: <72222DC86846D411ABD300A0C9EB08A1786A7C@csoc-mail-box.csoconline.com>

Sounds like a MTU (Maximum Transmissible Unit) problem to me. Tunneling VPNs encrypt the original packet contents and encapsulate them in a new packet with new headers for transport to the other end of the tunnel. This process invariably increases the size of each packet transported.

The default MTU on most systems for Ethernet LANs is 1500 bytes. Routers generally default to allow larger MTUs, but this is configurable too. If your VPN is set to a 1500 byte MTU, it will fragment every packet that passes through it. Up the MTU to, say, 1600, and see if that fixes the problem. If it doesn't, check your routers to see if they have been set to limit the MTU allowed.
-- Craig
From jonc at HAHT.COM Wed Aug 2 07:34:34 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Wed, 2 Aug 2000 07:34:34 -0400
Subject: 128 bit PPTP Encryption and NAT
References: <271DE2625FD4D311949B009027F43B9F01A9B7C1@us-mtvmail2.ariba.com> <20000801164645.A4902@ether.net>
Message-ID: <001d01bffc75$b409af50$6803010a@dhcp.haht.com>

Linux (and BSD) fully support running PPTP from behind a NAT. They are beyond the patch stage. You can run multiple incidents of PPTP from behind a Linux firewall.

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "Pete Davis"
To:
Sent: Tuesday, August 01, 2000 4:46 PM
Subject: Re: 128 bit PPTP Encryption and NAT

> You can use PPTP sessions from behind a NAT (PAT) device as long as it supports
> GRE PAT, which most devices do not. Many small devices do have this support
> and Linux does with a special patch from John Hardin. You will only be able
> to use 1 PPTP session at a time from behind this NAT device to a specific
> central site Concentrator at a time.
>
> Regards,
>
> pete
From jrdepriest at FTB.COM Wed Aug 2 14:29:49 2000
From: jrdepriest at FTB.COM (DePriest, Jason R.)
Date: Wed, 2 Aug 2000 13:29:49 -0500
Subject: Looking for a push in the right direction with my VPN.... (fw d)
Message-ID:

I have a similar issue that I would like some opinions on.

We are using PowerVPN 6.5 running on a Windows NT system. The MTU at the router is set to allow standard ethernet 1500. And, of course, the client operating systems (Windows 9x and Windows NT) automatically set the don't fragment flag on the ESP traffic.

The problem is this: when using a dial-up connection with a default MTU of 576, I have no problems. I can use Outlook 2000 to access my Exchange email, I can NET USE to map to shared resources, I can use IE5.01SP1 to access the Intranet, and I can use the SNA client to access mainframe sessions.

When trying to go through Road Runner with my cable modem, however, things change. Name resolution has a tendency to fail. My Outlook 2000 only stays up for about 60 seconds and then it locks up. NET USE says "The network name is no longer available." I can access the Intranet, but only by IP address and not by regular URL. SNA client tells me it cannot establish a connection.

Any ideas? Think this is also an MTU issue? Or could it be something else?

Thank you!

Jason R DePriest, Network and Systems Administrator
First Tennessee National Corporation
InterActive Services Department
ph: 901/523-5777, fax: 901/523-5527
email: jrdepriest at ftb.com

Disclaimer: The views expressed in this message, while not necessarily the views of First Tennessee, are nonetheless confidential and not to be freely distributed to external sources without explicit permission from the sender of this message or from First Tennessee National Corporation.

"I have never let my schooling interfere with my education."
- Mark Twain

"The opposite of a correct statement is a false statement. But the opposite of a profound truth may well be another profound truth."
- Niels Bohr
From sandy at STORM.CA Wed Aug 2 16:57:22 2000
From: sandy at STORM.CA (Sandy Harris)
Date: Wed, 2 Aug 2000 16:57:22 -0400
Subject: Looking for a push in the right direction with my VPN.... (fwd)
References:
Message-ID: <39888B32.45AF7B47@storm.ca>

"DePriest, Jason R." wrote:
>
> I have a similar issue that I would like some opinions on.
>
> We are using PowerVPN 6.5 running on a Windows NT system.
> The MTU at the
> router is set to allow standard ethernet 1500. And, of course, the client
> operating systems (Windows 9x and Windows NT) automatically set the don't
> fragment flag on the ESP traffic.

Are you saying Microsoft ignore RFC 2401, page 48?

   ".. an administrator should be able to configure .. treatment of the DF
   bit (set, clear, copy from encapsulated header) for each interface"

If so, complain to their tech support.

> The problem is this, when using a dial-up connection with a default MTU 576,
> I have no problems. I can use Outlook 2000 to access my Exchange email, I
> can NET USE to map to shared resources, I can use IE5.01SP1 to access the
> Intranet, and I can use the SNA client to access mainframe sessions.
> When trying to through Road Runner with my cable modem, however, things
> change. Name resolution has a tendency to fail. My Outlook 2000 only stays
> up for about 60 seconds and then it locks up. NET USE says "The network
> name is no longer available." I can access the Intranet, but only by IP
> address and not by regular URL. SNA client tells me it cannot establish a
> connection.
>
> Any ideas? Think this is also an MTU issue? Or could it be something else?

It sounds more like a DNS issue. IP addresses work, but names don't, so I would suspect broken name lookup mechanisms.

From matt at NEUROTRAIN.COM Wed Aug 2 17:35:55 2000
From: matt at NEUROTRAIN.COM (Matthew Harding)
Date: Wed, 2 Aug 2000 17:35:55 -0400
Subject: Questions on ESP Null setting
Message-ID: <3988943B.3D6D952B@neurotrain.com>

Can someone give me a simple explanation of what the ESP Null setting is in IPSec? Does this refer to authentication only, or is it using IPSec with no encryption?

A reference to the relevant RFC or technical literature would be most welcome.

Thanks in advance,

Matthew

--
Matthew Harding, Director
NeuroTrain ATS Inc.
Tel: 1-877-58-NEURO (613-824-6397)
Fax: 613-841-2158
matt at neurotrain.com

From rgm at ICSA.NET Wed Aug 2 20:46:36 2000
From: rgm at ICSA.NET (Robert Moskowitz)
Date: Wed, 2 Aug 2000 20:46:36 -0400
Subject: Questions on ESP Null setting
In-Reply-To: <3988943B.3D6D952B@neurotrain.com>
Message-ID: <4.3.2.7.2.20000802204351.00b49f00@homebase.htt-consult.com>

At 05:35 PM 8/2/2000 -0400, Matthew Harding wrote:
>Can someone give me a simple explanation of what the ESP Null setting is
>in IPSec? Does this refer to authentication only, or is it using IPSec
>with no encryption?
>
>A reference to the relevant RFC or technical literature would be most
>welcome.

Since this 'algorithm' happened during my 'watch' in the IPsec wg...

   2410  The NULL Encryption Algorithm and Its Use With IPsec. R. Glenn, S. Kent.
         November 1998. (Format: TXT=11239 bytes) (Status: PROPOSED STANDARD)

This is used in ESP to get authentication of the data (as opposed to AH) without encryption. Please read the RFC. You might actually enjoy it :)

Robert Moskowitz
ICSA.net
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished if it doesn't matter who gets the credit

From gbottani at TEICOS.IT Thu Aug 3 10:19:55 2000
From: gbottani at TEICOS.IT (Giuseppe Bottani)
Date: Thu, 3 Aug 2000 16:19:55 +0200
Subject: VPN solution with IEEE802.1Q tagging
Message-ID: <01BFFD66.A981A280.gbottani@teicos.it>

Dear all,

does anybody know of a VPN termination where the internal (safe) NIC, let's say a fastethernet port, could participate in a switched IEEE802.1q LAN? More precisely, I am looking for something that supports IEEE802.1Q frames directly on the internal LAN. Also, the solution should permit to assign an internet client to one specific vlan (of course after the authentication has been completed?)
and therefore a VPN termination which can send out tagged frames where the tag id is decided on a per-client basis.

thanks a lot,

Giuseppe Bottani
TEICOS Srl ( http://www.teicos.it )
Via Garibaldi, 17
26025 Pandino (CR) Italy
Tel: + 39 0373 970648
Fax: + 39 0373 970588

From shope at ENERGIS-EIS.CO.UK Thu Aug 3 04:01:05 2000
From: shope at ENERGIS-EIS.CO.UK (Stephen Hope)
Date: Thu, 3 Aug 2000 09:01:05 +0100
Subject: Looking for a push in the right direction with my VPN.... (fw d)
Message-ID: <01903665B361D211BF6700805FAD5D934B7BFD@mail.datarange.co.uk>

I suggest more baselining to isolate the problem. What performance do you get for just moving the traffic through the firewall without VPN?

Actual numbers:

   Raw transfer = 82 * 8 / 30  = 21 Mbps
   VPN          = 82 * 8 / 330 =  2 Mbps (a bit more than 28k!)

Performance will depend on overhead. I think you may be seeing a slow down due to encryption overhead on the VPN - this number doesn't seem too unreasonable for standard software based systems. You can fit an encryption adaptor into some VPN platforms to off load encryption, but which do you have?

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4190 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189
-----------------------------------------------------------------------------------------------------------
This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of Energis Integration Services.
If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. We have an anti-virus system installed on all our PCs and therefore any files leaving us via e-mail will have been checked for known viruses. Energis Integration Services accepts no responsibility once an e-mail and any attachments leave us. If you have received this email in error please notify Energis Integration Services Communications IT department on +44 (0) 1494 476222.
-----------------------------------------------------------------------------------------------------------

From Craig.Biggerstaff at CSOCONLINE.COM Thu Aug 3 09:53:15 2000
From: Craig.Biggerstaff at CSOCONLINE.COM (Biggerstaff, Craig)
Date: Thu, 3 Aug 2000 08:53:15 -0500
Subject: Looking for a push in the right direction with my VPN.... (fw d)
Message-ID: <72222DC86846D411ABD300A0C9EB08A1786A7F@csoc-mail-box.csoconline.com>

> From: DePriest, Jason R. [mailto:jrdepriest at ftb.com]
>
> We are using PowerVPN 6.5 running on a Windows NT system. The MTU at the
> router is set to allow standard ethernet 1500. And, of course, the client
> operating systems (Windows 9x and Windows NT) automatically set the don't
> fragment flag on the ESP traffic.
>
> The problem is this, when using a dial-up connection with a default MTU 576,
> I have no problems. I can use Outlook 2000 to access my Exchange email, I
> can NET USE to map to shared resources, I can use IE5.01SP1 to access the
> Intranet, and I can use the SNA client to access mainframe sessions.
> When trying to through Road Runner with my cable modem, however, things
> change. Name resolution has a tendency to fail. My Outlook 2000 only stays
> up for about 60 seconds and then it locks up. NET USE says "The network
> name is no longer available."
> I can access the Intranet, but only by IP
> address and not by regular URL. SNA client tells me it cannot establish a
> connection.
>
> Any ideas? Think this is also an MTU issue? Or could it be something else?

I don't know, but I'd suspect WINS. I'm not knowledgeable on WINS or the packet sizes therein, but if WINS packets were being fragmented by your VPN software, that'd produce what you describe. Name resolution would work, some of the time, but badly.

The other alternative is that your dial-up settings use a different name server than your cable modem settings, so you're comparing apples to oranges.

-- Craig

From shope at ENERGIS-EIS.CO.UK Thu Aug 3 04:01:07 2000
From: shope at ENERGIS-EIS.CO.UK (Stephen Hope)
Date: Thu, 3 Aug 2000 09:01:07 +0100
Subject: Looking for a push in the right direction with my VPN.... (fw d)
Message-ID: <01903665B361D211BF6700805FAD5D934B7BFE@mail.datarange.co.uk>

Or reduce the MTU on the server / client to maybe 1400 bytes; that way you won't have oversize Ethernet packets via the firewall (and it is sometimes easier to only alter the test kit, rather than a live firewall, router etc.)

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4190 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189
> > All traffic > > destined for it passes through the firewall, is sent to the > > VPN server, is > > passed back through the firewall, and then is sent to its > > destination again. > > We have determined that the firewall is not posing a problem, > > since the > > performance degradation is consistent if the traffic is > generated from > > within or from outside the firewall. > > > > Do you have any suggestions about what I can do to improve > > the performance > > of this arrangement? It is currently giving us the same level of > > performance as our 28.8 modems! > > > > Thanks for any help or advice you might have, > > > > Tobin Craig > > > > Network Security Administrator > > Swales Aerospace > > Beltsville, MD > > 20705 > > > > http://www.swales.com > > > > VPN is sponsored by SecurityFocus.COM > ----------------------------------------------------------------------------------------------------------- This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of Energis Integration Services. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. We have an anti-virus system installed on all our PC's and therefore any files leaving us via e-mail will have been checked for known viruses. Energis Integration Services accepts no responsibility once an e-mail and any attachments leave us. If you have received this email in error please notify Energis Integration Services Communications IT department on +44 (0) 1494 476222.. 
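A worked calculation for the MTU thread above (Craig's point that encapsulation adds headers to every packet, and Stephen's suggestion to lower the client/server MTU instead), added here as an illustration; it is not code from any of the posts. The per-protocol overhead figures in `pptp_overhead` and `esp_tunnel_overhead` are assumptions for illustration and should be checked against the tunnel actually in use.

```python
"""Tunnel MTU and fragmentation calculator (added example, not from the thread).

Shows why a 1500-byte inner packet fragments once a tunnel header is added,
and what inner MTU / TCP MSS avoids that without raising the link MTU.
"""
import math

IPV4_HDR = 20        # IPv4 header without options
TCP_HDR = 20         # TCP header without options
ETHERNET_MTU = 1500  # default MTU on Ethernet LANs, as quoted in the thread


def pptp_overhead(inner_len: int) -> int:
    """Assumed PPTP/MPPE overhead: outer IPv4 (20) + enhanced GRE with
    sequence and acknowledgement numbers (16) + PPP protocol field (2)
    + MPPE header (2) + encrypted PPP protocol field (2). Length-independent."""
    return 20 + 16 + 2 + 2 + 2


def esp_tunnel_overhead(inner_len: int) -> int:
    """Assumed ESP tunnel-mode overhead for an 8-byte-block cipher such as 3DES
    with a 96-bit HMAC: outer IPv4 (20) + SPI/sequence (8) + IV (8) + padding
    up to the block size + pad-length/next-header (2) + ICV (12)."""
    pad = (-(inner_len + 2)) % 8
    return 20 + 8 + 8 + pad + 2 + 12


OVERHEAD = {"pptp": pptp_overhead, "esp-tunnel": esp_tunnel_overhead}


def encapsulated_size(inner_len: int, proto: str) -> int:
    """Size on the wire of an inner packet of inner_len bytes after encapsulation."""
    return inner_len + OVERHEAD[proto](inner_len)


def fragment_count(inner_len: int, proto: str, link_mtu: int = ETHERNET_MTU) -> int:
    """How many IPv4 fragments the encapsulated packet needs on a link with
    link_mtu. Fragment payloads must be multiples of 8 bytes, so a 1500-byte
    link carries at most 1480 bytes of payload per fragment."""
    outer = encapsulated_size(inner_len, proto)
    if outer <= link_mtu:
        return 1
    per_fragment = ((link_mtu - IPV4_HDR) // 8) * 8
    return math.ceil((outer - IPV4_HDR) / per_fragment)


def inner_mtu_without_fragmentation(proto: str, link_mtu: int = ETHERNET_MTU) -> int:
    """Largest inner packet that still fits link_mtu after encapsulation: the
    value to configure on the client/server (the 'reduce the MTU' advice) rather
    than raising the MTU past what Ethernet carries. Binary search because the
    ESP overhead depends on the inner length through padding."""
    lo, hi = 0, link_mtu
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if encapsulated_size(mid, proto) <= link_mtu:
            lo = mid
        else:
            hi = mid - 1
    return lo


def tcp_mss_clamp(proto: str, link_mtu: int = ETHERNET_MTU) -> int:
    """TCP MSS to advertise so that full-size segments never fragment."""
    return inner_mtu_without_fragmentation(proto, link_mtu) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for proto in OVERHEAD:
        print(proto, "1500-byte inner packet ->", encapsulated_size(1500, proto),
              "bytes,", fragment_count(1500, proto), "fragment(s);",
              "inner MTU", inner_mtu_without_fragmentation(proto),
              "MSS", tcp_mss_clamp(proto))
```

With the assumed PPTP overhead, every full-size 1500-byte packet becomes 1542 bytes and splits into two fragments, whereas an inner MTU of 1458 (or an MSS of 1418) keeps each encapsulated packet within 1500 bytes.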
From Lillian.Kulhanek at ENERGY.ON.CA Thu Aug 3 09:54:49 2000
From: Lillian.Kulhanek at ENERGY.ON.CA (Lillian Kulhanek)
Date: Thu, 3 Aug 2000 09:54:49 -0400
Subject: 128 bit PPTP Encryption and NAT
Message-ID: <000801bffd52$647ca860$2c02a8c0@Lillian.energy.on.ca>

The only kernel I know of that has PPTP masquerade built-in is Red Hat with kernel 2.2.16-8, and that's supposed to be Rawhide, i.e. not for production, unless you're daring. (I haven't used it yet.) Which versions of Linux with which kernels, specifically production, are you aware of that have the support built-in?

Lillian

-----Original Message-----
From: Jon Carnes [mailto:jonc at HAHT.COM]
Sent: August 2, 2000 7:35 AM
Subject: Re: 128 bit PPTP Encryption and NAT

Linux (and BSD) fully support running PPTP from behind a NAT. They are beyond the patch stage. You can run multiple incidents of PPTP from behind a Linux firewall.

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "Pete Davis"
To:
Sent: Tuesday, August 01, 2000 4:46 PM
Subject: Re: 128 bit PPTP Encryption and NAT

> You can use PPTP sessions from behind a NAT (PAT) device as long as it supports GRE PAT, which most devices do not. Many small devices do have this support and Linux does with a special patch from John Hardin. You will only be able to use 1 PPTP session at a time from behind this NAT device to a specific central site Concentrator at a time.
>
> Regards,
>
> pete
>
> On Mon, Jul 31, 2000 at 05:59:27PM -0700, Michael Medwid wrote:
> > Should there be any incompatibility between 128 bit PPTP encryption and users behind a NATted environment? My Altiga (Cisco 3030) seems to kick off the tunnels if they were originated from a NATted environment. Cisco TAC didn't have too much to say on the whole thing other than "uh yeah that won't work." Thanks for any insight.
> >
> > -Michael
>
> ---
> Pete Davis - Product Manager (508) 541-7300 x6154
> Cisco Systems, Inc. - 124 Grove Street Suite 205 Franklin, MA 02038

From Geir.Aasen at ASKPROXIMA.NO Thu Aug 3 01:12:36 2000
From: Geir.Aasen at ASKPROXIMA.NO (Geir Aasen)
Date: Thu, 3 Aug 2000 07:12:36 +0200
Subject: 128 bit PPTP Encryption and NAT
Message-ID: <3BAAE932A05BD411876C00A0C9DCF89C35395C@MAIL_01>

Win2K NAT supports GRE (PPTP), as do the 3COM ISDN LAN modem and Sonicwall. Most NAT implementations don't.

Geir Aasen

> ----------
> From: Jon Carnes[SMTP:jonc at HAHT.COM]
> Reply To: Jon Carnes
> Sent: 2. august 2000 13:34
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: 128 bit PPTP Encryption and NAT

From jwheatley at SWCP.COM Fri Aug 4 11:26:20 2000
From: jwheatley at SWCP.COM (John Wheatley)
Date: Fri, 4 Aug 2000 08:26:20 -0700
Subject: Closing unused ports in NT
Message-ID: <01BFFDED.AB659160.jwheatley@swcp.com>

I use Steve Gibson's port probe at www.grc.com for checking port status on public IP machines. On a typical NT machine, the port probe shows numerous ports as existing but closed. The ports report as existing even if the corresponding service has been removed from NT. Specific ports are 21, 23, 25, 79, 80, 110, 113, 139, 143, 443. For example, I removed NetBIOS services using Control Panel, Network, Services; but the NetBIOS port 139 still answers probes as closed. I want to have NO response to unused port probes - is there a way?

Help, suggestions, and comments are sure welcome.

JohnW

John Wheatley
505-292-4367 Voice
505-292-4387 Fax
CSTI
10500 Research Road
Suite 1506
Albuquerque, NM 87123

From jason.zann at MARYVILLE.COM Fri Aug 4 18:10:38 2000
From: jason.zann at MARYVILLE.COM (Jason Zann)
Date: Fri, 4 Aug 2000 17:10:38 -0500
Subject: Cisco Secure and personal firewalls...
Message-ID:

I have a situation where I have a Cisco Secure VPN client sitting on a machine behind a personal firewall. (I believe the personal firewall in this situation to be mutually exclusive because I have tested a few and I am getting ready to test a few more... and all of them are getting the same results.) When the client is outside of the personal firewall, there are no negative issues to speak of; however, when brought to the internal network, it will not connect to the server (through the firewall(s)).

My question stems from the fact of why will it not work. I was under the impression that the Cisco Secure client piece worked at the application level and all it was doing was forming the tunnel back to the server so that data could be passed. I can only assume that there is some kind of traffic that is sent back to the client that the firewall will not pass, and that in turn causes the connection not to work; however, Cisco denies this.

If there is someone or someplace that can give me an explanation of how Cisco Secure forms its VPN (from a logical perspective interacting with other devices, like firewalls), possible reasons it will not work behind personal firewalls, and what can be done to remedy the situation, that would be great.

From jonc at HAHT.COM Fri Aug 4 22:43:31 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Fri, 4 Aug 2000 22:43:31 -0400
Subject: Closing unused ports in NT
References: <01BFFDED.AB659160.jwheatley@swcp.com>
Message-ID: <002401bffe87$077aed80$c9e4a218@nc.rr.com>

Your best bet is a DMZ. Set up a limited router/firewall that allows only the traffic you want to each specific machine behind the router/firewall. Linux or BSD makes this easy to do. Your Cisco router can also be set up to do this.

Jon Carnes
MIS - HAHT Commerce

----- Original Message -----
From: "John Wheatley"
To:
Sent: Friday, August 04, 2000 11:26 AM
Subject: Closing unused ports in NT

From jonc at HAHT.COM Fri Aug 4 22:55:50 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Fri, 4 Aug 2000 22:55:50 -0400
Subject: Cisco Secure and personal firewalls...
References:
Message-ID: <003001bffe88$bee43f20$c9e4a218@nc.rr.com>

Just a suggestion (as I don't run Cisco Secure VPN): try Zone Alarm as the personal firewall. It has an adaptive algorithm that will allow any program you run on a computer full access to the internet - once you tell Zone Alarm that the program can be trusted. Note, you do have to define the address of the VPN connection as trusted, and also the remote network that you will be attaching to. You can define that by pressing the advanced button under the Security tab, in Zone Alarm.

I've found Zone Alarm to be wonderfully different from most personal security products. It's very easy for even the most technologically challenged to set up. Of course it is a bit annoying for a day or two while it asks you questions...

Jon Carnes
MIS - HAHT Commerce

----- Original Message -----
From: "Jason Zann"
To:
Sent: Friday, August 04, 2000 6:10 PM
Subject: Cisco Secure and personal firewalls...

From dgillett at NIKU.COM Sat Aug 5 15:07:26 2000
From: dgillett at NIKU.COM (David Gillett)
Date: Sat, 5 Aug 2000 12:07:26 -0700
Subject: Cisco Secure and personal firewalls...
In-Reply-To:
Message-ID: <00c501bfff10$658fb660$f30410ac@niku.com>

You haven't identified what kind of personal firewall this is, or even whether it is hardware or software. But there are two kinds of issues that you might need to be aware of:

1. A firewall blocks traffic that it hasn't been authorized to pass. Has this one been authorized to pass the protocols the VPN uses?

2. Some of the encryptions used by some VPN products (others here can quote details...) incorporate the IP addresses of the endpoints. If the firewall does any kind of NAT/PAT/proxying, the server and the client may disagree about what the client's IP address "really" is -- and encryptions which depend upon this will fail. Ability of VPNs to operate through NAT is still relatively new; if it's available in your case, it might not be the default configuration.

David Gillett
Enterprise Networking Services Manager, Niku Corp.
(650) 701-2702
"Transforming the Service Economy"

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Jason Zann
Sent: Friday, August 04, 2000 3:11 PM
To: VPN at SECURITYFOCUS.COM
Subject: Cisco Secure and personal firewalls...

From patrick at SECUREOPS.COM Mon Aug 7 10:04:01 2000
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Mon, 7 Aug 2000 10:04:01 -0400
Subject: Cisco Secure and personal firewalls...
Message-ID: <403626CA58D4D3119B92005004A514880FFE35@Dominus.SecureOps.com>

Hi Jason,

I don't know the answer to your question but perhaps I can help you figure it out. The first thing I would do in this case is look on my personal firewall logs to see if anything is being blocked. That would probably be the best place to start. Look for traffic being blocked on UDP 500 in particular. The next thing to do would be to run a TCPDUMP sniffing your traffic from outside the firewall and then compare that to the traffic from inside the firewall.

Good luck,
________________
Patrick Ethier
Product Development
SecureOps Inc.
patrick at secureops.com
(514) 982-0678 x 106
(514) 982-0362 - fax

-----Original Message-----
From: Jason Zann [mailto:jason.zann at MARYVILLE.COM]
Sent: Friday, August 04, 2000 6:11 PM
To: VPN at SECURITYFOCUS.COM
Subject: Cisco Secure and personal firewalls...

From shope at ENERGIS-EIS.CO.UK Mon Aug 7 05:01:46 2000
From: shope at ENERGIS-EIS.CO.UK (Stephen Hope)
Date: Mon, 7 Aug 2000 10:01:46 +0100
Subject: Closing unused ports in NT
Message-ID: <01903665B361D211BF6700805FAD5D93591A9C@mail.datarange.co.uk>

Hide the thing behind a firewall - that is what they are for. If this is something important, then a dedicated firewall system running a mainstream firewall is my preferred option (but I work for a reseller, so I am biased). Plenty of this stuff can be done on non-commercial platforms if required - that is where the firewall came from after all.

If you need high bandwidth - Cisco PIX. If you want the most flexible systems, and stuff with a large installed base you can find pre-trained people already familiar with, then Checkpoint FW-1. (And yes, I do know there are lots of other options out there - I am trying to give a couple of mainstream commercial options as many companies want that for key systems.)

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4190 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: John Wheatley [mailto:jwheatley at SWCP.COM]
> Sent: Friday, August 04, 2000 4:26 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Closing unused ports in NT
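To illustrate the GRE/PAT point from the "128 bit PPTP Encryption and NAT" thread above (plain port-overloading NAT can carry at most one PPTP session to a given server, while a PPTP-aware masquerade can carry several), here is a toy model added as an example; it is not code from any post, product or kernel patch. The addresses are constructed from the RFC 5737 documentation ranges, and the Call ID rewriting is a simplified sketch of how PPTP-aware translators demultiplex GRE.

```python
"""Toy model: PPTP through port-overloading NAT versus a PPTP-aware NAT.

Added example, not from the thread. PPTP uses a TCP control channel (port
1723) plus GRE (IP protocol 47) for the data; GRE has no ports, only a Key
field carrying the receiver's PPTP Call ID.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"    # constructed: the NAT box's single global address
SERVER = "198.51.100.5"      # constructed: the PPTP concentrator at the central site
PPTP_PORT = 1723


@dataclass
class Packet:
    proto: str                          # "tcp" or "gre"
    src: str
    dst: str
    sport: int = 0                      # tcp only
    dport: int = 0                      # tcp only
    call_id: int = 0                    # gre only: Key field = receiver's Call ID
    ctrl_call_id: Optional[int] = None  # tcp only: Call ID in an Outgoing-Call-Request


class PlainPat:
    """PAT with no PPTP knowledge. TCP flows are told apart by port, but GRE
    carries no ports, so at best one GRE tunnel per server can be tracked
    (many devices simply drop GRE instead)."""

    def __init__(self) -> None:
        self.tcp: Dict[int, Tuple[str, int]] = {}   # public port -> (client, port)
        self.gre: Dict[str, str] = {}               # server -> client
        self.next_port = 40000

    def outbound(self, p: Packet) -> Packet:
        if p.proto == "tcp":
            port = self.next_port
            self.next_port += 1
            self.tcp[port] = (p.src, p.sport)
            return Packet("tcp", PUBLIC_IP, p.dst, port, p.dport,
                          ctrl_call_id=p.ctrl_call_id)
        # GRE: only the source address changes. A second client to the same
        # server overwrites the entry, so the first tunnel loses its return
        # traffic: the "kicked off" symptom reported in the thread.
        self.gre[p.dst] = p.src
        return Packet("gre", PUBLIC_IP, p.dst, call_id=p.call_id)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == "tcp":
            if p.dport not in self.tcp:
                return None
            client, port = self.tcp[p.dport]
            return Packet("tcp", p.src, client, p.sport, port)
        client = self.gre.get(p.src)
        return Packet("gre", p.src, client, call_id=p.call_id) if client else None


class PptpAwarePat(PlainPat):
    """PAT that also watches the PPTP control channel. It learns each client's
    Call ID from the Outgoing-Call-Request, rewrites it to a value unique behind
    this NAT, and uses the GRE Key field on inbound packets (which carries that
    Call ID) to hand each tunnel to the right client. Real helpers also handle
    the Call ID in the server's Outgoing-Call-Reply; that path is omitted."""

    def __init__(self) -> None:
        super().__init__()
        # (server, public call id) -> (client, client's own call id)
        self.calls: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.next_call_id = 1

    def outbound(self, p: Packet) -> Packet:
        out = super().outbound(p)
        if p.proto == "tcp" and p.dport == PPTP_PORT and p.ctrl_call_id is not None:
            public_id = self.next_call_id
            self.next_call_id += 1
            self.calls[(p.dst, public_id)] = (p.src, p.ctrl_call_id)
            out.ctrl_call_id = public_id    # the server will key its GRE on this
        return out

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.proto != "gre":
            return super().inbound(p)
        entry = self.calls.get((p.src, p.call_id))
        if entry is None:
            return None                    # unknown call: drop rather than guess
        client, client_id = entry
        return Packet("gre", p.src, client, call_id=client_id)


def deliveries(nat: PlainPat) -> Dict[str, Optional[str]]:
    """Two clients behind one NAT each open a PPTP session to SERVER and both
    happen to pick client Call ID 1. Returns, per client, which inside host
    receives the server's GRE traffic for that client's session."""
    server_side_id: Dict[str, Optional[int]] = {}
    for client in ("192.168.1.10", "192.168.1.11"):   # constructed inside hosts
        ctrl = nat.outbound(Packet("tcp", client, SERVER, 1050, PPTP_PORT, ctrl_call_id=1))
        server_side_id[client] = ctrl.ctrl_call_id    # Call ID as the server saw it
        nat.outbound(Packet("gre", client, SERVER, call_id=99))  # 99: server's Call ID
    result: Dict[str, Optional[str]] = {}
    for client, call_id in server_side_id.items():
        back = nat.inbound(Packet("gre", SERVER, PUBLIC_IP, call_id=call_id or 0))
        result[client] = back.dst if back else None
    return result


if __name__ == "__main__":
    print("plain PAT:     ", deliveries(PlainPat()))
    print("PPTP-aware PAT:", deliveries(PptpAwarePat()))
```

With plain PAT both sessions' return traffic ends up at the second client, so the first tunnel dies the moment the second one comes up; the Call-ID-aware translator delivers each tunnel to the client that opened it.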
----------------------------------------------------------------------------------------------------------- VPN is sponsored by SecurityFocus.COM From rohan.naggi at TAVANT.COM Mon Aug 7 18:08:08 2000 From: rohan.naggi at TAVANT.COM (Rohan Naggi) Date: Mon, 7 Aug 2000 15:08:08 -0700 Subject: Is PPTP supported by overloading NAT Message-ID: <33240C8EFB1F254EB11E19FD936AFA440E7DC6@Mail.CHEERS.HAATHI.COM> PROBLEM : PPTP client behind the PIX firewall cannot connect to the Server thru PPTP gateway SETUP : There are two sites SITE A ( USA ) and SITE B ( INDIA ) . SITE A has CISCO PIX firewall ( PIX -A ) acting as a PPTP gateway . It also has WINDOWS 2000 Server's SITE B has LINUX Server which is doing NAT . PPTP client is a Windows 2000 Prof edition .there are total of 10 PPTP clients which needs access to the Servers at Site A . For the Internet access at SITE B , Linux box does the address translation ( overloading NAT ) . So , all the 10 m/c goes out with one Global IP address . Purpose of the above setup : SITE B Clients should be able access Servers at SITE A Explanation : PPTP client which is behind the PIX firewall is not able to establish a PPTP session to PIX A . LINUX box @ SITE B is doing Overloading of NAT ( converting many Private addressed to Single global address ) . When a static global address is used at SITE B ( I mean to say the Windows 2000 client uses DIAL UP networking ) , the PPTP clients are able to successfully connect to the Servers at SITE A . But when the SITE B client use Overloading of NAT( i.e trying to go thru LINUX ) , the PPTP session fails . Can u help me out ...... 
Thanks and Regards , Rohan Rohan.naggi at tavant.com VPN is sponsored by SecurityFocus.COM From rrodrigues at DNS-DIVEO.NET.BR Mon Aug 7 18:29:24 2000 From: rrodrigues at DNS-DIVEO.NET.BR (Ramiro Rodrigues) Date: Mon, 7 Aug 2000 19:29:24 -0300 Subject: PPTP VPN over FW-1 References: <01903665B361D211BF6700805FAD5D93591A9C@mail.datarange.co.uk> Message-ID: <000c01c000be$f38c0540$f978cac8@rrodrigues> Fellows! Can i have a Site-to-Site VPN, or even, a Client-to-Site, VPN over Windows 2000 PPTP protocol over a Checkpoint Firewall-1? I mean: what protocol should i allow in rule base in order to permit a VPN over PPTP in a box inside my network? RRodrigues []s VPN is sponsored by SecurityFocus.COM From kyoung at V-ONE.COM Mon Aug 7 19:22:27 2000 From: kyoung at V-ONE.COM (Keith Young) Date: Mon, 7 Aug 2000 19:22:27 -0400 Subject: PPTP VPN over FW-1 References: <01903665B361D211BF6700805FAD5D93591A9C@mail.datarange.co.uk> <000c01c000be$f38c0540$f978cac8@rrodrigues> Message-ID: <398F44B3.37F95528@v-one.com> Ramiro Rodrigues wrote: > > Can i have a Site-to-Site VPN, or even, a Client-to-Site, VPN over Windows > 2000 > PPTP protocol over a Checkpoint Firewall-1? > I mean: what protocol should i allow in rule base in order to permit a VPN > over PPTP in > a box inside my network? Are you *sure* that you want to do this? I'd be careful, since allowing that could cause security problems... However, if you want to do it, you need to allow these: port 1723/tcp GRE (IP protocol 47) That should do it... -- --Keith Young -Director of Customer Care/Support, V-ONE Corp. -kyoung at v-one.com VPN is sponsored by SecurityFocus.COM From Ryan at TENDIGITS.COM Mon Aug 7 19:07:18 2000 From: Ryan at TENDIGITS.COM (Ryan Folstad) Date: Mon, 7 Aug 2000 16:07:18 -0700 Subject: Is PPTP supported by overloading NAT Message-ID: <51DCA36EBD1AD3119B070090277B0CAB447679@TEN01> Sounds like either your linux masquerading(not NAT) is setup incorrectly or your PIX could be setup wrong but i doubt it. 
If your linux kernel version is not 2.4 then all the stuff your talking about is experimental but does work. I have a Kernel 2.2 linux box setup with the appropriate patches and it works just great for masquerading vpn clients for all employees in our internal network and also works forwarding incoming pptp to our internal pptp server.. check out: http://ldp.iol.it/HOWTO/VPN-Masquerade-HOWTO.html for what patches you need and what to compile into your kernel to get this workin.. Ryan Folstad -----Original Message----- From: Rohan Naggi [mailto:rohan.naggi at TAVANT.COM] Sent: Monday, August 07, 2000 3:08 PM To: VPN at SECURITYFOCUS.COM Subject: Is PPTP supported by overloading NAT PROBLEM : PPTP client behind the PIX firewall cannot connect to the Server thru PPTP gateway SETUP : There are two sites SITE A ( USA ) and SITE B ( INDIA ) . SITE A has CISCO PIX firewall ( PIX -A ) acting as a PPTP gateway . It also has WINDOWS 2000 Server's SITE B has LINUX Server which is doing NAT . PPTP client is a Windows 2000 Prof edition .there are total of 10 PPTP clients which needs access to the Servers at Site A . For the Internet access at SITE B , Linux box does the address translation ( overloading NAT ) . So , all the 10 m/c goes out with one Global IP address . Purpose of the above setup : SITE B Clients should be able access Servers at SITE A Explanation : PPTP client which is behind the PIX firewall is not able to establish a PPTP session to PIX A . LINUX box @ SITE B is doing Overloading of NAT ( converting many Private addressed to Single global address ) . When a static global address is used at SITE B ( I mean to say the Windows 2000 client uses DIAL UP networking ) , the PPTP clients are able to successfully connect to the Servers at SITE A . But when the SITE B client use Overloading of NAT( i.e trying to go thru LINUX ) , the PPTP session fails . Can u help me out ...... 
Thanks and Regards , Rohan Rohan.naggi at tavant.com VPN is sponsored by SecurityFocus.COM VPN is sponsored by SecurityFocus.COM From darrin at SECURECONCEPT.NET Tue Aug 8 02:33:12 2000 From: darrin at SECURECONCEPT.NET (Darrin Mourer) Date: Mon, 7 Aug 2000 23:33:12 -0700 Subject: Firewall Training Message-ID: <5116D2FA031BD411B362000629293F842C25@adsl-gte-la-216-86-202-44.mminternet.com> Anyone know of a non-vendor specific firewall training courses. Could encompass general security practices as well, but would like to get hands on exp in many different firewalls. Internet courses or instructor-led in southern California. Thanks, darrin darrin at secureconcept.net -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.shmoo.com/pipermail/vpn/attachments/20000807/83c0dcd4/attachment.htm From jrdepriest at FTB.COM Tue Aug 8 15:28:23 2000 From: jrdepriest at FTB.COM (DePriest, Jason R.) Date: Tue, 8 Aug 2000 14:28:23 -0500 Subject: Firewall Training Message-ID: Yes. I just finished the excellent Firewall and Perimeter Defense course track from SANS last month. Go here http://www.sans.org/giactc.htm for more information. Thank you! Jason R DePriest, Network and Systems Administrator First Tennessee National Corporation InterActive Services Department ph: 901/523-5777, fax: 901/523-5527 email: jrdepriest at ftb.com Disclaimer: The views expressed in this message, while not necessarily the views of First Tennessee, are none-the-less confidential and not to be freely distributed to external sources without explicit permission from the sender of this message or from First Tennessee National Corporation. "I have never let my schooling interfere with my education." - Mark Twain "The opposite of a correct statement is a false statement. But the opposite of a profound truth may well be another profound truth." 
- Niels Bohr -----Original Message----- From: Darrin Mourer [mailto:darrin at SECURECONCEPT.NET] Sent: Tuesday, August 08, 2000 1:33 AM To: VPN at SECURITYFOCUS.COM Subject: Firewall Training Anyone know of a non-vendor specific firewall training courses. Could encompass general security practices as well, but would like to get hands on exp in many different firewalls. Internet courses or instructor-led in southern California. Thanks, darrin darrin at secureconcept.net -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.shmoo.com/pipermail/vpn/attachments/20000808/7478fab8/attachment.htm From kyoung at V-ONE.COM Tue Aug 8 15:52:29 2000 From: kyoung at V-ONE.COM (Keith Young) Date: Tue, 8 Aug 2000 15:52:29 -0400 Subject: Firewall Training References: <5116D2FA031BD411B362000629293F842C25@adsl-gte-la-216-86-202-44.mminternet.com> Message-ID: <399064FC.94325749@v-one.com> > Darrin Mourer wrote: > > Anyone know of a non-vendor specific firewall training courses. Could > encompass general security practices as well, but would like to get > hands on exp in many different firewalls. > > Internet courses or instructor-led in southern California. > Darrin, You are in luck; a group who does very good security training (IMHO and not "company official") is training in CA in the next couple of months: Network Security 2000 Monterey, CA October 15-22, 2000 Joint Computer Security Conference Monterey, CA October 17-19, 2000 More details can be found on their home page: http://www.sans.org/newlook/home.htm -- --Keith Young -Director of Customer Care/Support, V-ONE Corp. -kyoung at v-one.com VPN is sponsored by SecurityFocus.COM From gowrishankar.setty at WIPRO.COM Wed Aug 9 12:55:03 2000 From: gowrishankar.setty at WIPRO.COM (Gowri Shankar Bhogisetty) Date: Wed, 9 Aug 2000 22:25:03 +0530 Subject: VPN connection fails. 
Message-ID: <39918CE7.FD13154@wipro.com> Hi , We are established VPN connectivity between 2611 cisco router and Netscreen VPN . What is happening the When the SA expires at 3600 seconds, the IOS fails to negotiate a new security association and we will be getting the error 2d03h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check. We were using Cisoc IOS c2600-js56i-mz.120-5.XK1 with 45MB RAM . Can you please help me ,it willbe a great help. Thanks and regards Gowri Shankar -- ************************************************************* B.GOWRI SHANKAR NETWORK ANALYST IT MANAGEMENT GROUP WIPRO TECHNOLOGIES 72,ELECTRONICS CITY ,HOSUR MAIN ROAD, BANGALORE - 521 229,INDIA TEL: 91-80-8522280 EMAIL:gowrishankar.setty at wipro.com www.wipro.com The World's First SEI CMM level 5 Software Services Company ************************************************************* -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.shmoo.com/pipermail/vpn/attachments/20000809/4874e5e7/attachment.htm From tbird at PRECISION-GUESSWORK.COM Wed Aug 9 16:44:27 2000 From: tbird at PRECISION-GUESSWORK.COM (Tina Bird) Date: Wed, 9 Aug 2000 15:44:27 -0500 Subject: VPN connection fails. In-Reply-To: <39918CE7.FD13154@wipro.com> Message-ID: Hi Gowri -- This is a known bug in the 12.0(x) versions of IOS. If you talk to the TAC, you can download a 12.1x version which definitely fixes this bug (we've done that). But be careful about PATH_MTU_DISCOVERY if you're using applications that generate large packets. Good luck -- Tina Bird On Wed, 9 Aug 2000, Gowri Shankar Bhogisetty wrote: > Date: Wed, 9 Aug 2000 22:25:03 +0530 > From: Gowri Shankar Bhogisetty > To: VPN at SECURITYFOCUS.COM > Subject: VPN connection fails. > > Hi , > > We are established VPN connectivity between 2611 cisco router and > Netscreen VPN . 
> > What is happening the When the SA expires at 3600 seconds, the IOS fails > to > negotiate a new security association and we will be getting the error > 2d03h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check. > > We were using Cisoc IOS c2600-js56i-mz.120-5.XK1 with 45MB RAM . > > Can you please help me ,it willbe a great help. > > Thanks and regards > > Gowri Shankar > > -- > ************************************************************* > B.GOWRI SHANKAR > NETWORK ANALYST > IT MANAGEMENT GROUP > WIPRO TECHNOLOGIES > 72,ELECTRONICS CITY ,HOSUR MAIN ROAD, > BANGALORE - 521 229,INDIA > TEL: 91-80-8522280 > EMAIL:gowrishankar.setty at wipro.com > www.wipro.com > The World's First SEI CMM level 5 Software Services Company > ************************************************************* > > VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html life: http://kubarb.phsx.ukans.edu/~tbird work: http://www.counterpane.com VPN is sponsored by SecurityFocus.COM From tbird at PRECISION-GUESSWORK.COM Thu Aug 10 13:12:34 2000 From: tbird at PRECISION-GUESSWORK.COM (Tina Bird) Date: Thu, 10 Aug 2000 12:12:34 -0500 Subject: VPN connection fails. In-Reply-To: Message-ID: Hi Craig -- Yes, we noticed that file transfers and database transactions started failing when we did the upgrade -- better than the keys failing to generate, but not much! Cisco has released yet another version of IOS that has a fix for the MTU issue, but I haven't tested it yet (and having gotten burned with this on the last upgrade...). For now, we're just manually disabling PATH_MTU_DISCOVERY on the systems on both ends of the VPN. Ugly, but effective. Anyone else out there had any experience with this? On Thu, 10 Aug 2000, Craig Illman wrote: > Date: Thu, 10 Aug 2000 06:25:29 -0700 > From: Craig Illman > To: 'Tina Bird' > Subject: RE: VPN connection fails. > > I've tried 12.1.1 IOS and had major interoperability issues with my Nortel > Contivity. 
> Some applications would work fine and others fail at a given
> point. Are you implying that the fragmentation of large packets for
> encapsulation is a problem with 12.1.1? How did you work around it?
>
> -----Original Message-----
> From: Tina Bird [mailto:tbird at PRECISION-GUESSWORK.COM]
> Sent: Wednesday, August 09, 2000 1:44 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: VPN connection fails.
>
>
> Hi Gowri --
>
> This is a known bug in the 12.0(x) versions of IOS. If
> you talk to the TAC, you can download a 12.1x version which
> definitely fixes this bug (we've done that). But be careful
> about PATH_MTU_DISCOVERY if you're using applications that
> generate large packets.
>
> Good luck -- Tina Bird
>
> On Wed, 9 Aug 2000, Gowri Shankar Bhogisetty wrote:
>
> > Date: Wed, 9 Aug 2000 22:25:03 +0530
> > From: Gowri Shankar Bhogisetty
> > To: VPN at SECURITYFOCUS.COM
> > Subject: VPN connection fails.
> >
> > Hi,
> >
> > We have established VPN connectivity between a 2611 Cisco router and a
> > Netscreen VPN.
> >
> > What is happening is that when the SA expires at 3600 seconds, the IOS fails
> > to negotiate a new security association and we get the error
> > 2d03h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check.
> >
> > We are using Cisco IOS c2600-js56i-mz.120-5.XK1 with 45MB RAM.
> >
> > Can you please help me, it will be a great help.
> >
> > Thanks and regards
> >
> > Gowri Shankar
> >
> > --
> > *************************************************************
> > B.GOWRI SHANKAR
> > NETWORK ANALYST
> > IT MANAGEMENT GROUP
> > WIPRO TECHNOLOGIES
> > 72,ELECTRONICS CITY ,HOSUR MAIN ROAD,
> > BANGALORE - 521 229,INDIA
> > TEL: 91-80-8522280
> > EMAIL:gowrishankar.setty at wipro.com
> > www.wipro.com
> > The World's First SEI CMM level 5 Software Services Company
> > *************************************************************
> >
> >
> VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
> life: http://kubarb.phsx.ukans.edu/~tbird
> work: http://www.counterpane.com
>

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

From michel.nakhla at INTELSAT.INT Thu Aug 10 20:33:26 2000
From: michel.nakhla at INTELSAT.INT (michel.nakhla at INTELSAT.INT)
Date: Thu, 10 Aug 2000 20:33:26 -0400
Subject: MS Windows Networking using IPSec
Message-ID: <490B4C213EC8D211851F00105A29CA5A096109C7@admex1.adm.intelsat.int>

I am relatively new to MS Networking. My understanding has been that you need PPTP to be able to establish a secure MS-type network over an IP network. I was able to run NetBIOS over TCP/IP and run a peer-to-peer MS network through an IPSec tunnel across an Internet connection. Is this a standard practice, and what are the limitations of such a configuration vs a PPTP configuration? I don't have a domain controller in my current set-up; is there any limitation with the domain controller(s) in the set-up? I understand that PPTP is bundled with MS so is basically free, while the IPSec solution requires additional VPN security gateways.
Thanks & Regards
michel.nakhla at intelsat.int

From thepicard at HOME.COM Thu Aug 10 23:20:54 2000
From: thepicard at HOME.COM (The Picard)
Date: Thu, 10 Aug 2000 23:20:54 -0400
Subject: recommended books?
In-Reply-To:
Message-ID: <000f01c00343$297bdf50$dd5d7218@everest>

Hi all,

Could anyone comment on what the recommended VPN-focused books are? Things I hope to find:

- a book that one wants to keep as reference and go back to once in a while (say, like Stevens' "TCP/IP Illustrated" or Carlisle & Lloyd's "Understanding PKI").
- a book that explains the technology but also the reasoning behind making decisions in the VPN space. A volume academically describing the technology, chapter after chapter, without linking it to the real world is not as good.
- a book that hopefully talks about the *problems* as well, not only about how things should work.

A quick search at Fatbrain & Amazon reveals the following books to be worth considering. They are listed in no particular order.

VPN Applications Guide : Real Solutions for Enterprise Networks (ISBN: 0471371750)
Implementing Virtual Private Networks (ISBN: 007135185X)
Building & Managing Virtual Private Networks (ISBN: 0471295264)
Creating and Implementing Virtual Private Networks (ISBN: 1576104303)
Implementing IPSec : Making Security Work on VPNs Intranets and Extranets (ISBN: 0471344672)
Virtual Private Networking: A View From the Trenches (ISBN: 0130203351)

Feedback on them (or others) would be appreciated.

Thank you very much,

--TP

From bet at RAHUL.NET Thu Aug 10 22:47:21 2000
From: bet at RAHUL.NET (Bennett Todd)
Date: Thu, 10 Aug 2000 22:47:21 -0400
Subject: VPN connection fails.
In-Reply-To: ; from tbird@PRECISION-GUESSWORK.COM on Thu, Aug 10, 2000 at 12:12:34PM -0500
References:
Message-ID: <20000810224721.B23647@oven.com>

2000-08-10-13:12:34 Tina Bird:
> For now, we're just manually disabling PATH_MTU_DISCOVERY
> on the systems on both ends of the VPN. Ugly, but effective.

If disabling Path MTU Discovery (PMTU-D) on each end fixes the problem, then another fix would be even better: back the configured MTUs of the interfaces down by at least the overhead of the tunnel; I like to back off by 100 or so, which gives enough headroom for a couple of layers of tunneling. And I doubt the performance difference between a 1500 MTU and a 1400 MTU is very important. I'd expect it to be less than the performance hit of having to fragment to squeeze through the tunnel.

-Bennett

From john at LRF.LEEDS.AC.UK Fri Aug 11 06:10:09 2000
From: john at LRF.LEEDS.AC.UK (John Armstrong)
Date: Fri, 11 Aug 2000 11:10:09 +0100
Subject: VPN across two networks
Message-ID: <4.3.2.7.0.20000811103946.00b53268@basil.lrf.leeds.ac.uk>

First off, as I am very new to VPNs this may be a dumb question, and the answer may well be "hidden" in all the resources I've found so far, so I'll offer my apologies in advance 8-)

We have the following situation -

* our group's main LAN is 'hidden' behind a firewall on Network U
* Network U is connected to the rest of the world
* Network T and Network U are connected via a router/firewall
* we have a worker with a PC connected to Network T

                                                      +--+
      +------+                                        |PC|
      |Server|                                        +--+
      +--+---+                                          |
         |         +----------+           +--------+    |
         |         |          |           |Router/ |    |
     ----+---------| Firewall |-----------|Firewall|----+----
      'secure'     +----------+  Network  +--------+  Network
      network                      'U'                  'T'

We need to set up secure access between our
worker's PC on Network T and our server on Network U. Can a VPN run easily across multiple protected networks like this, or would it be a complicated thing to set up?

(I'm assuming for the moment that there are no 'bureaucratic' obstacles in the way ... 8-)

Thanks
__________________________________________________________________________
John Armstrong                       Computer System Administrator
john at lrf.leeds.ac.uk               LRF Centre at Leeds University
j.d.c.armstrong at leeds.ac.uk        30 Hyde Terrace
                                     Leeds LS2 9LN
0113 233 3912 (phone)                0113 245 9806 (fax)

From Hugo at MICMAC.COM.BR Fri Aug 11 19:42:47 2000
From: Hugo at MICMAC.COM.BR (Hugo Caye)
Date: Fri, 11 Aug 2000 20:42:47 -0300
Subject: 128 bit PPTP Encryption and NAT
Message-ID:

AFAIK, Eicon DIVA LAN also supports PPTP/GRE NAT/PAT. Can anybody confirm that this info is 100% correct?

Cisco's IOS must be at least 12.1(3)T. See bug id CSCdk60714.

Currently I have a customer with Win2K NAT with PPTP/GRE running pretty well.

Hugo Caye

 O__    ----
c/ /'_  ---
(*) \(*) --
~~~~~~~~
ccna ccda
mcne? ncip
mcse cne5

-----Original Message-----
From: Geir Aasen [mailto:Geir.Aasen at ASKPROXIMA.NO]

Win2K NAT supports GRE(PPTP) and 3COM ISDN lanmodem, Sonicwall.
Most NAT implementations don't.

Geir Aasen

> ----------
> From: Jon Carnes[SMTP:jonc at HAHT.COM]
>
> Linux (and BSD) fully support running PPTP from behind a NAT. They are
> beyond the patch stage. You can run multiple incidents of PPTP from
> behind a Linux firewall.
>
> Jon Carnes
> ----- Original Message -----
> From: "Pete Davis"
>
> > You can use PPTP sessions from behind a NAT (PAT) device as long as it
> > supports GRE PAT, which most devices do not. Many small devices do have
> > this support and Linux does with a special patch from John Hardin. You
> > will only be able to use 1 PPTP session at a time from behind this NAT
> > device to a specific central site Concentrator at a time.
> >
> > Regards,
> >
> > pete
> >
> > On Mon, Jul 31, 2000 at 05:59:27PM -0700, Michael Medwid wrote:
> > > Should there be any incompatibility between 128 bit PPTP encryption
> > > and users behind a NATted environment? My Altiga (Cisco 3030) seems to
> > > kick off the tunnels if they were originated from a NATted environment.
> > > Cisco TAC didn't have too much to say on the whole thing other than
> > > "uh yeah that won't work." Thanks for any insight.
> > >
> > > -Michael

From Michael.Medwid at ARIBA.COM Fri Aug 11 20:23:24 2000
From: Michael.Medwid at ARIBA.COM (Michael Medwid)
Date: Fri, 11 Aug 2000 17:23:24 -0700
Subject: 128 bit PPTP Encryption and NAT
Message-ID: <271DE2625FD4D311949B009027F43B9F01A9BC2C@us-mtvmail2.ariba.com>

I wonder if the Altiga will ever support 128bit encryption with PPTP to a NAT/PAT environment.

-----Original Message-----
From: Hugo Caye [mailto:Hugo at MICMAC.COM.BR]
Sent: Friday, August 11, 2000 4:43 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: 128 bit PPTP Encryption and NAT

AFAIK, Eicon DIVA LAN also supports PPTP/GRE NAT/PAT. Can anybody confirm that this info is 100% correct?

Cisco's IOS must be at least 12.1(3)T. See bug id CSCdk60714.

Currently I have a customer with Win2K NAT with PPTP/GRE running pretty well.

Hugo Caye

 O__    ----
c/ /'_  ---
(*) \(*) --
~~~~~~~~
ccna ccda
mcne? ncip
mcse cne5

-----Original Message-----
From: Geir Aasen [mailto:Geir.Aasen at ASKPROXIMA.NO]

Win2K NAT supports GRE(PPTP) and 3COM ISDN lanmodem, Sonicwall.
Most NAT implementations don't.

Geir Aasen

> ----------
> From: Jon Carnes[SMTP:jonc at HAHT.COM]
>
> Linux (and BSD) fully support running PPTP from behind a NAT. They are
> beyond the patch stage. You can run multiple incidents of PPTP from
> behind a Linux firewall.
>
> Jon Carnes
> ----- Original Message -----
> From: "Pete Davis"
>
> > You can use PPTP sessions from behind a NAT (PAT) device as long as it
> > supports GRE PAT, which most devices do not. Many small devices do have
> > this support and Linux does with a special patch from John Hardin. You
> > will only be able to use 1 PPTP session at a time from behind this NAT
> > device to a specific central site Concentrator at a time.
> >
> > Regards,
> >
> > pete
> >
> > On Mon, Jul 31, 2000 at 05:59:27PM -0700, Michael Medwid wrote:
> > > Should there be any incompatibility between 128 bit PPTP encryption
> > > and users behind a NATted environment? My Altiga (Cisco 3030) seems to
> > > kick off the tunnels if they were originated from a NATted environment.
> > > Cisco TAC didn't have too much to say on the whole thing other than
> > > "uh yeah that won't work." Thanks for any insight.
> > >
> > > -Michael

From sandy at STORM.CA Fri Aug 11 22:46:57 2000
From: sandy at STORM.CA (Sandy Harris)
Date: Fri, 11 Aug 2000 22:46:57 -0400
Subject: recommended books?
References: <000f01c00343$297bdf50$dd5d7218@everest>
Message-ID: <3994BAA1.3869DD6B@storm.ca>

The Picard wrote:

> Could anyone comment on what the recommended VPN-focused books are?

There's a bibliography at:
http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/bibliography.html

It is not exclusively about VPNs and not complete, but it might help.

I'm the author and would appreciate feedback, suggested additions, ...

From bekoin at GLOBEACCESS.NET Sat Aug 12 12:46:15 2000
From: bekoin at GLOBEACCESS.NET (Support Technique)
Date: Sat, 12 Aug 2000 16:46:15 -0000
Subject: W2K VPN
Message-ID: <001601c0047c$d5437e80$9e15473f@globeaccess.net>

Hi,

I want to implement L2TP/IPSec VPNs with the W2K Server operating system.
I need a certificate server and I want to use computer certificates to do authentication. (I don't know if it is a good idea, so any suggestions will be good for me.)

When I try to get a computer certificate via a web page, I have only the choice of a user certificate. Is it normal?

Thanks

From pete at ETHER.NET Sat Aug 12 06:45:54 2000
From: pete at ETHER.NET (Pete Davis)
Date: Sat, 12 Aug 2000 06:45:54 -0400
Subject: 128 bit PPTP Encryption and NAT
In-Reply-To: <271DE2625FD4D311949B009027F43B9F01A9BC2C@us-mtvmail2.ariba.com>
References: <271DE2625FD4D311949B009027F43B9F01A9BC2C@us-mtvmail2.ariba.com>
Message-ID: <20000812064554.A28741@ether.net>

The Cisco VPN 3000 Concentrator has always supported 128bit encryption with PPTP to a NAT/PAT environment, as long as your NAT/PAT device has support for GRE/PAT.

128bit PPTP requires a RADIUS server with MPPE/MSCHAP support.

Funk SBR supports 128bit with MSCHAPv1
Microsoft IAS supports 128bit with MSCHAPv2

Best Regards,
-pete

On Fri, Aug 11, 2000 at 05:23:24PM -0700, Michael Medwid wrote:
> I wonder if the Altiga will ever support 128bit encryption with PPTP to a
> NAT/PAT environment.
>
> -----Original Message-----
> From: Hugo Caye [mailto:Hugo at MICMAC.COM.BR]
> Sent: Friday, August 11, 2000 4:43 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: 128 bit PPTP Encryption and NAT
>
>
> AFAIK, Eicon DIVA LAN also supports PPTP/GRE NAT/PAT. Can anybody
> confirm that this info is 100% correct?
>
>
> Cisco's IOS must be at least 12.1(3)T. See bug id CSCdk60714.
>
> Currently I have a customer with Win2K NAT with PPTP/GRE running
> pretty well.
>
>
> Hugo Caye
>
>  O__    ----
> c/ /'_  ---
> (*) \(*) --
> ~~~~~~~~
> ccna ccda
> mcne?
> ncip
> mcse cne5
>
> -----Original Message-----
> From: Geir Aasen [mailto:Geir.Aasen at ASKPROXIMA.NO]
>
> Win2K NAT supports GRE(PPTP) and 3COM ISDN lanmodem, Sonicwall.
> Most NAT implementations don't.
>
> Geir Aasen
>
> > ----------
> > From: Jon Carnes[SMTP:jonc at HAHT.COM]
> >
> > Linux (and BSD) fully support running PPTP from behind a NAT. They
> > are beyond the patch stage. You can run multiple incidents of PPTP from
> > behind a Linux firewall.
> >
> > Jon Carnes
> >
> > ----- Original Message -----
> > From: "Pete Davis"
> >
> > > You can use PPTP sessions from behind a NAT (PAT) device as long
> > > as it supports GRE PAT, which most devices do not. Many small devices
> > > do have this support and Linux does with a special patch from John
> > > Hardin. You will only be able to use 1 PPTP session at a time from
> > > behind this NAT device to a specific central site Concentrator at a
> > > time.
> > >
> > > Regards,
> > >
> > > pete
> > >
> > > On Mon, Jul 31, 2000 at 05:59:27PM -0700, Michael Medwid wrote:
> > > > Should there be any incompatibility between 128 bit PPTP
> > > > encryption and users behind a NATted environment? My Altiga
> > > > (Cisco 3030) seems to kick off the tunnels if they were originated
> > > > from a NATted environment. Cisco TAC didn't have too much to say on
> > > > the whole thing other than "uh yeah that won't work." Thanks for
> > > > any insight.
> > > >
> > > > -Michael
>

---
Pete Davis - Product Manager                    (508) 541-7300 x6154
Cisco Systems, Inc. - 124 Grove Street Suite 205 Franklin, MA 02038

From kgsatam at INFOSEC.FEDEX.COM Sun Aug 13 23:11:57 2000
From: kgsatam at INFOSEC.FEDEX.COM (Kirtikumar Satam)
Date: Sun, 13 Aug 2000 22:11:57 -0500
Subject: VPN connection fails.
In-Reply-To: <39918CE7.FD13154@wipro.com>
Message-ID: <001e01c0059d$67bae5c0$c4651818@keyuree>

I was able to get an IKE VPN between CISCO 12.0(7)T (in fact some other variants too) and Checkpoint 2000 (aka 4.1) without much problem. I have not noticed an MTU problem like the one mentioned in the other post. But then, I did not specifically try that.

On the other hand, we had a bunch of problems with Netscreen and Checkpoint. Luckily, Netscreen came through with many patches to their BIOS and after a few ones, we do have a stable VPN between the two, except Netscreen does not seem to handle tunnels to multiple subnets at a time.

In short, apart from upgrading the IOS as mentioned, make sure that you have the latest BIOS for Netscreen.

Kirtikumar Satam
Technical Advisor/Information Security R&D
IT Engineering
FedEx Corp

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Gowri Shankar Bhogisetty
Sent: Wednesday, August 09, 2000 11:55 AM
To: VPN at SECURITYFOCUS.COM
Subject: VPN connection fails.

Hi,

We have established VPN connectivity between a 2611 Cisco router and a Netscreen VPN. What is happening is that when the SA expires at 3600 seconds, the IOS fails to negotiate a new security association and we get the error

    2d03h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check.

We are using Cisco IOS c2600-js56i-mz.120-5.XK1 with 45MB RAM.

Can you please help me, it will be a great help.

Thanks and regards

Gowri Shankar

--
*************************************************************
B.GOWRI SHANKAR
NETWORK ANALYST
IT MANAGEMENT GROUP
WIPRO TECHNOLOGIES
72,ELECTRONICS CITY ,HOSUR MAIN ROAD,
BANGALORE - 521 229,INDIA
TEL: 91-80-8522280
EMAIL:gowrishankar.setty at wipro.com
www.wipro.com
The World's First SEI CMM level 5 Software Services Company
*************************************************************
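The MTU side of this thread (Tina disabling PATH_MTU_DISCOVERY on both ends, Bennett suggesting instead that the interface MTU be backed off by the tunnel overhead) comes down to arithmetic that nobody in the thread spells out. The following is an added worked example, not code from any poster or vendor. It assumes IPv4 without options, ESP tunnel mode with an 8-byte IV (DES/3DES-CBC) and a 12-byte HMAC-96 ICV, and a 1500-byte outer MTU; the field sizes are from RFC 2406 (ESP) and RFC 791 (IPv4). It computes the real per-packet overhead, the tunnel MTU a router should report in its ICMP type 3 code 4 message when an inner packet has DF set, and the TCP MSS that avoids the problem entirely.

```python
"""ESP tunnel-mode overhead and path-MTU arithmetic (added example).

Assumed, not taken from the thread: IPv4 without options, ESP with an
8-byte IV (DES/3DES-CBC) and a 12-byte HMAC-96 ICV, outer MTU 1500.
"""

OUTER_IP_HDR = 20   # outer IPv4 header that tunnel mode adds
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
UDP_HDR = 8         # only when ESP is wrapped in UDP for NAT traversal
IP_HDR = 20         # inner IPv4 header, for fragment and MSS arithmetic
TCP_HDR = 20


def esp_tunnel_size(inner_len, block=8, icv=12, udp_encap=False):
    """Bytes on the wire for an ESP tunnel-mode packet carrying an inner
    datagram of inner_len bytes.  Padding brings (inner + pad + trailer)
    to a multiple of the cipher block size, so the overhead is not fixed."""
    pad = (-(inner_len + ESP_TRAILER)) % block
    size = OUTER_IP_HDR + ESP_HDR + block + inner_len + pad + ESP_TRAILER + icv
    return size + UDP_HDR if udp_encap else size


def esp_overhead(inner_len, **kw):
    return esp_tunnel_size(inner_len, **kw) - inner_len


def tunnel_mtu(outer_mtu=1500, **kw):
    """Largest inner datagram whose encapsulation still fits in outer_mtu.
    This is the value a router should report in ICMP type 3 code 4."""
    inner = outer_mtu
    while esp_tunnel_size(inner, **kw) > outer_mtu:
        inner -= 1
    return inner


def encapsulate(inner_len, df, outer_mtu=1500, **kw):
    """What the encapsulating router does with one inner datagram.
    Returns ('forward', wire_size), ('icmp_frag_needed', tunnel_mtu)
    or ('fragment', fragment_count)."""
    size = esp_tunnel_size(inner_len, **kw)
    if size <= outer_mtu:
        return ("forward", size)
    mtu = tunnel_mtu(outer_mtu, **kw)
    if df:
        # DF set: the router may not fragment, so it reports the tunnel
        # MTU back to the sender (RFC 1853 section 3.1) and drops the packet.
        return ("icmp_frag_needed", mtu)
    # DF clear: fragment the inner datagram before encapsulating it.
    # Every fragment but the last carries a multiple of 8 payload bytes.
    per_fragment = (mtu - IP_HDR) // 8 * 8
    payload = inner_len - IP_HDR
    return ("fragment", -(-payload // per_fragment))


def tcp_mss_for(outer_mtu=1500, **kw):
    """TCP MSS to clamp so that no segment ever needs tunnel fragmentation."""
    return tunnel_mtu(outer_mtu, **kw) - IP_HDR - TCP_HDR


if __name__ == "__main__":
    print("overhead on a 1500-byte inner packet:", esp_overhead(1500), "bytes")
    print("tunnel MTU behind a 1500-byte link:", tunnel_mtu())
    print("same tunnel with UDP encapsulation:", tunnel_mtu(udp_encap=True))
    print("1500-byte packet, DF set   ->", encapsulate(1500, df=True))
    print("1500-byte packet, DF clear ->", encapsulate(1500, df=False))
    print("1400-byte packet, DF set   ->", encapsulate(1400, df=True))
    print("TCP MSS to clamp:", tcp_mss_for())
```

The numbers back Bennett's rule of thumb: a DF-set 1500-byte packet cannot cross the tunnel and draws an ICMP "fragmentation needed" with a next-hop MTU of 1446, so a host whose PMTUD messages get filtered simply hangs, whereas an interface MTU of 1400 leaves 44 bytes of headroom even for the UDP-encapsulated case. Clamping the TCP MSS to the computed value is the least invasive fix because it needs no change on the end hosts and does not rely on ICMP getting through.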
From Hugo at MICMAC.COM.BR Mon Aug 14 10:10:15 2000
From: Hugo at MICMAC.COM.BR (Hugo Caye)
Date: Mon, 14 Aug 2000 11:10:15 -0300
Subject: recommended books?
Message-ID:

Some months ago, I read this:

Good conceptual information. At least to me, 2 chapters were wasted with the AltaVista Tunnel product. Well written, no errors.

_Hugo

-----Original Message-----
From: Sandy Harris [mailto:sandy at STORM.CA]
Sent: sexta-feira, 11 de agosto de 2000 23:47
To: VPN at SECURITYFOCUS.COM
Subject: Re: recommended books?

The Picard wrote:

> Could anyone comment on what the recommended VPN-focused books are?

There's a bibliography at:
http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/bibliography.html

It is not exclusively about VPNs and not complete, but it might help.

I'm the author and would appreciate feedback, suggested additions, ...

From cindy_slosar at YAHOO.CA Mon Aug 14 12:40:19 2000
From: cindy_slosar at YAHOO.CA (Cindy Slosar)
Date: Mon, 14 Aug 2000 12:40:19 -0400
Subject: Domain Controllers and VPNs
Message-ID: <20000814164019.26857.qmail@web1506.mail.yahoo.com>

Hi all,

I have a VPN setup between two Win2K servers and was running a peer-to-peer network behind both servers. Recently, I've had all my clients log into the domain. When the VPN is connected (which I set up using the "Make a New Connection" wizard) and my users try to log in, they get an error saying that there isn't a domain controller that can verify their username and password. As soon as I disconnect the VPN, their login attempt is successful.

Has anyone else experienced this before? And if you have, what did you do to solve it?

Thanks in advance.

Cindy

_______________________________________________________
Do You Yahoo!?
Get your free @yahoo.ca address at http://mail.yahoo.ca

From kleon at PRIMENET.COM Mon Aug 14 18:14:34 2000
From: kleon at PRIMENET.COM (Ken Leon)
Date: Mon, 14 Aug 2000 15:14:34 -0700
Subject: recommended books?
References:
Message-ID: <39986F4A.80B65BE3@primenet.com>

"IT Manager's Guide to Virtual Private Networks," David Leon Clark, McGraw-Hill '99. Good overall reference, some good firewall discussion, but mainly high-level work; also has a good product comparison section.

Ken

Hugo Caye wrote:

> Some months ago, I read this:
>
>
> Good conceptual information. At least to me, 2 chapters were wasted
> with the AltaVista Tunnel product. Well written, no errors.
>
> _Hugo
>
> -----Original Message-----
> From: Sandy Harris [mailto:sandy at STORM.CA]
> Sent: sexta-feira, 11 de agosto de 2000 23:47
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: recommended books?
>
> The Picard wrote:
>
> > Could anyone comment on what the recommended VPN-focused books are?
>
> There's a bibliography at:
> http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/bibliography.html
>
> It is not exclusively about VPNs and not complete, but it might help.
>
> I'm the author and would appreciate feedback, suggested additions, ...
>

From sandy at STORM.CA Tue Aug 15 21:39:24 2000
From: sandy at STORM.CA (Sandy Harris)
Date: Tue, 15 Aug 2000 21:39:24 -0400
Subject: [Fwd: @Home bans VPNS]
Message-ID: <3999F0CC.AD62F022@storm.ca>

-------- Original Message --------
Subject: @Home bans VPNS
Date: Tue, 15 Aug 2000 17:02:11 -0400 (EDT)
From: Matt Cramer
Reply-To: Matt Cramer ,Matt Cramer
To: dc-stuff at dis.org

@Home has banned VPNs or encrypted tunneling protocols from their network (!).

http://www.comcastonline.com/subscriber-v3-red.asp

Read 6.B.viii. Use of tunneling crypto makes you a "business" customer subject to the ~10x higher fees.

FOAD, Comcast.
Matt, ADSL and frame relay user

--
Matt Cramer
http://www.voicenet.com/~cramer/
Thou art God and I am God and all that groks is God, and I am all that I have ever been or seen or felt or experienced. -Mike

From frank at COMPUTICA.COM Tue Aug 15 23:47:54 2000
From: frank at COMPUTICA.COM (Frank Boecherer)
Date: Tue, 15 Aug 2000 20:47:54 -0700
Subject: FR v DSL
Message-ID: <000901c00734$c32883c0$6640a8c0@franknb2k>

I have a client with 4 or 5 branch offices. The branches are currently hooked up via Frame Relay. They wanted to start migrating to DSL since it would be cheaper. Although I am a technical person (I do PC consulting) I am not too clear on the advantages and disadvantages of FR v DSL.

Are most VPN questions posed on this list running over PVC/ATM/FR, or are a lot of you already using DSL VPNs? Should we stick with FR even though it costs more? Is it more reliable and faster (in general) than a VPN over DSL? The company is not in the banking industry, but it is a well established company that has the money to pay for FR, as they have been doing so for several years.

Another drawback is the main office can maybe only get 416K DSL, and with 4 branches coming in (they need to access the NT server for most of the communication and not much Internet access) the line will probably be saturated and the main branch will be a bottleneck.

Any pointers would be welcome.

Thanks
Frank

From neil.ratzlaff at UCOP.EDU Wed Aug 16 19:17:28 2000
From: neil.ratzlaff at UCOP.EDU (Neil Ratzlaff)
Date: Wed, 16 Aug 2000 16:17:28 -0700
Subject: VPN and icmp
In-Reply-To: <20000728134726.29103.qmail@web2304.mail.yahoo.com>
Message-ID: <4.2.0.58.20000816160854.00a6b4e0@popserv.ucop.edu>

We recently tried to set up a Cisco VPN with some NT servers at our end; the other end had Windows something.
Parts of it worked and parts didn't, and we eventually found the cause to be the close Cisco router sending ICMP type 3 code 4 packets back to the NT machines. The packets from NT had the 'Don't Fragment' bit set, and Cisco couldn't encrypt them and still fit them under the packet size limit. I suggested the NT owners stop setting the Don't Fragment bit, and they said there was no way to do that. They also cited RFC 1853:

    3.1. Tunnel MTU Discovery

    When the Don't Fragment bit is set by the originator and copied into
    the outer IP header, the proper MTU of the tunnel will be learned
    from ICMP (Type 3 Code 4) "Datagram Too Big" errors reported to the
    encapsulator. To support originating hosts which use this
    capability, all implementations MUST support Path MTU Discovery
    [RFC-1191, RFC-1435] within their tunnels.

So.... questions:

1. Can NT stop setting the Don't Fragment bit, and if so, how?
2. What is the best way to deal with this situation?

Thanks,
Neil

From franci.jereb at MIBO.SI Thu Aug 17 03:28:12 2000
From: franci.jereb at MIBO.SI (Franci Jereb)
Date: Thu, 17 Aug 2000 09:28:12 +0200
Subject: Contivity & Instant Internet
Message-ID: <399BB02C.17999.F5F20@localhost>

Hello,

I would like to know if anybody has configured and connected a Contivity 1500 & Instant Internet 100 to work over IPsec. The software version of the Contivity is 2.50 & Instant Internet is 7.0. I tried to configure it, but the system doesn't work. I configured the Contivity & Instant Internet as described in the manuals. Is there any speciality in configuring it? Any information would be nice.

Regards,
Frenk

From guy.raymakers at EDS.COM Thu Aug 17 09:30:03 2000
From: guy.raymakers at EDS.COM (Raymakers, Guy)
Date: Thu, 17 Aug 2000 14:30:03 +0100
Subject: SSL vs.
IPsec
Message-ID:

Hi,

I'm looking for some arguments/reasons why you would choose an IPSec VPN instead of an SSL solution when the remote user is 'only' using Web-based applications (which could also make use of DCOM, Corba, ...). Is there someone who has a clear view on this and is willing to share it?

Many thanks,
Guy

From dipfrank at GMX.DE Tue Aug 15 04:42:52 2000
From: dipfrank at GMX.DE (Student PC)
Date: Tue, 15 Aug 2000 10:42:52 +0200
Subject: recommended books?
Message-ID: <01C006A5.99FC4070@STUD_FEN>

Hi!

I can recommend the O'Reilly book, too. Though I think it is not a book which can be used as a reference for future use, it gives you a good idea of VPNs. At least it helped me, as I am a beginner. But if you already got into the topic and you are looking for more details (I assume you do, because of your requirements) it might be too basic for you. So it depends on what you want.

Frank

-----Original Message-----
From: Hugo Caye [SMTP:Hugo at MICMAC.COM.BR]
Sent: Monday, August 14, 2000 4:10 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: recommended books?

Some months ago, I read this:

Good conceptual information. At least to me, 2 chapters were wasted with the AltaVista Tunnel product. Well written, no errors.

_Hugo

-----Original Message-----
From: Sandy Harris [mailto:sandy at STORM.CA]
Sent: sexta-feira, 11 de agosto de 2000 23:47
To: VPN at SECURITYFOCUS.COM
Subject: Re: recommended books?

The Picard wrote:

> Could anyone comment on what the recommended VPN-focused books are?

There's a bibliography at:
http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/bibliography.html

It is not exclusively about VPNs and not complete, but it might help.

I'm the author and would appreciate feedback, suggested additions, ...
From Joakim.Aronius at CA.COM Wed Aug 16 06:05:09 2000
From: Joakim.Aronius at CA.COM (Aronius, Joakim)
Date: Wed, 16 Aug 2000 11:05:09 +0100
Subject: VPN network overhead
Message-ID: <3169049FA29BD311B626009027DE38BD02E68F77@ukslms03.cai.com>

I am trying to find out how much network overhead is produced by IPSEC. Do you know where I can find any figures on this?

Regards,
Joakim Aronius

From bekoin at GLOBEACCSS.NET Wed Aug 16 06:40:26 2000
From: bekoin at GLOBEACCSS.NET (Olivier Bekoin)
Date: Wed, 16 Aug 2000 10:40:26 -0000
Subject: need certificate server for L2TP / IPSec vpns
References: <33240C8EFB1F254EB11E19FD936AFA440E7DC6@Mail.CHEERS.HAATHI.COM>
Message-ID: <006e01c0076e$69d1d490$9b15473f@support.net>

Hi,

I'm trying to configure a computer certificate server for host authentication on W2K Advanced Server. Does anybody know how to do it on W2K, or whether it is possible to use another software program that does the same thing?

Thanks

Olivier
Technical Support - Globe Access Internet

----- Original Message -----
From: "Rohan Naggi"
To:
Sent: Monday, August 07, 2000 10:08 PM
Subject: Is PPTP supported by overloading NAT

> PROBLEM :
>
> PPTP client behind the PIX firewall cannot connect to the Server thru PPTP
> gateway
>
> SETUP :
>
> There are two sites SITE A ( USA ) and SITE B ( INDIA ) .
>
> SITE A has CISCO PIX firewall ( PIX -A ) acting as a PPTP gateway . It
> also has WINDOWS 2000 Server's
>
> SITE B has LINUX Server which is doing NAT . PPTP client is a Windows 2000
> Prof edition .there are total of 10 PPTP clients which needs access to the
> Servers at Site A . For the Internet access at SITE B , Linux box does the
> address translation ( overloading NAT ) . So , all the 10 m/c goes out with
> one Global IP address .
>
> Purpose of the above setup :
>
> SITE B Clients should be able access Servers at SITE A
>
>
> Explanation :
>
>
> PPTP client which is behind the PIX firewall is not able to establish a PPTP
> session to PIX A .
>
> LINUX box @ SITE B is doing Overloading of NAT ( converting many Private
> addressed to Single global address ) .
>
> When a static global address is used at SITE B ( I mean to say the Windows
> 2000 client uses DIAL UP networking ) , the PPTP clients are able to
> successfully connect to the Servers at SITE A .
>
> But when the SITE B client use Overloading of NAT( i.e trying to go thru
> LINUX ) , the PPTP session fails .
>
>
> Can u help me out ......
>
>
> Thanks and Regards ,
> Rohan
>
> Rohan.naggi at tavant.com
>

From bekoin at GLOBEACCSS.NET Wed Aug 16 14:52:01 2000
From: bekoin at GLOBEACCSS.NET (Olivier Bekoin)
Date: Wed, 16 Aug 2000 18:52:01 -0000
Subject: remote access vpn with PPTP server and Checkpoint FW
Message-ID: <001601c007b3$129d1a00$9b15473f@support.net>

Hi all,

    dial-up  -------------  ---------< PPTP server>
    clients

When I try to connect to my VPN server after making the first connection to my ISP, the client computer says: "you have been disconnected from the computer. contact your administrator".

How can I (I am replacing the administrator for 1 month) permit the PPTP tunnel (TCP 1723)? I know that I must specify the network source (any), the destination (my LAN) and the services allowed.

Please, help

Olivierb
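The question above treats PPTP as one service, TCP 1723, which is the usual reason a PPTP client gets through the initial exchange and is then "disconnected": the control connection is TCP 1723, but the tunnelled data travels as GRE (IP protocol 47), which has no port and must be permitted as a protocol in its own right, in both directions. The following is an added example, not code from any poster or vendor, that checks a simple first-match rule base against the three flows a PPTP session needs; the addresses, the rule tuples and the assumption that the firewall keeps no state for GRE are all constructed for the illustration.

```python
"""Check a firewall rule base against the flows a PPTP session needs.

Added example with constructed data.  PPTP (RFC 2637) needs a TCP control
connection to server port 1723 plus GRE (IP protocol 47) in both
directions.  The rule base here is assumed to be stateless for GRE, so the
reverse direction must be listed explicitly.
"""

TCP, GRE = 6, 47

# A rule is (src, dst, proto, dport, action).  dport None means the rule
# carries no port (GRE has none).  "any" matches every address.
SERVER = "10.0.0.5"        # constructed address of the PPTP server

NAIVE_RULES = [            # what "allow the PPTP service" usually becomes
    ("any", SERVER, TCP, 1723, "accept"),
]

FIXED_RULES = [            # control connection plus GRE both ways
    ("any", SERVER, TCP, 1723, "accept"),
    ("any", SERVER, GRE, None, "accept"),
    (SERVER, "any", GRE, None, "accept"),
]


def match(rule, pkt):
    src, dst, proto, dport, _ = rule
    return (src in ("any", pkt["src"]) and dst in ("any", pkt["dst"])
            and proto == pkt["proto"]
            and (dport is None or dport == pkt.get("dport")))


def decide(rules, pkt):
    """First-match evaluation with a default of drop."""
    for rule in rules:
        if match(rule, pkt):
            return rule[4]
    return "drop"


def pptp_flows(client, server):
    """The packets a PPTP session sends, in the order they appear."""
    return [
        ("control TCP/1723", {"src": client, "dst": server, "proto": TCP, "dport": 1723}),
        ("GRE client->server", {"src": client, "dst": server, "proto": GRE}),
        ("GRE server->client", {"src": server, "dst": client, "proto": GRE}),
    ]


def check_policy(rules, client, server):
    """Names of the PPTP flows that the rule base does not accept."""
    return [name for name, pkt in pptp_flows(client, server)
            if decide(rules, pkt) != "accept"]


if __name__ == "__main__":
    client = "192.0.2.10"  # constructed dial-up client address
    print("naive rule base drops:", check_policy(NAIVE_RULES, client, SERVER))
    print("fixed rule base drops:", check_policy(FIXED_RULES, client, SERVER))
```

With the naive rule base the control connection is accepted, so authentication succeeds, and both GRE flows are dropped, which is exactly the symptom of a session that dies right after connecting. The same applies to NAT devices in the rest of this thread: a translator that only rewrites TCP and UDP ports has nothing to do with GRE, which is why "GRE PAT" support is the deciding feature.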
From david.garrard at CENTRELINK.GOV.AU Wed Aug 16 20:59:44 2000
From: david.garrard at CENTRELINK.GOV.AU (Garrard, David)
Date: Thu, 17 Aug 2000 10:59:44 +1000
Subject: ipsec interoperate Solaris Windows 2000
Message-ID:

Hi, a quick question on something that has had me pulling my hair out.

I have been playing about with IPSEC implementations in Solaris 8 and Windows 2000. So far I have achieved the following:

Have gotten IPSEC with md5/3des to work between two Solaris boxes in Tunnel mode but not transport mode

Have gotten IPSEC with md5/3des to work between two Windows 2000 boxes using a preshared key.

All attempts to get Solaris 8 IPSEC to work in transport mode have failed, all attempts to get a secured tunnel between two Windows 2000 boxes have failed and all attempts to get IPSEC to interoperate in any mode between Windows 2000 and Solaris 8 have failed.

Has anyone on the list achieved this? All help greatly appreciated.

David L. Garrard

From tbird at PRECISION-GUESSWORK.COM Fri Aug 18 19:10:59 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Fri, 18 Aug 2000 18:10:59 -0500
Subject: VPN and icmp
In-Reply-To: <4.2.0.58.20000816160854.00a6b4e0@popserv.ucop.edu>
Message-ID:

Hi Neil --

We've been struggling with this in our Cisco implementation too. Rumour has it that IOS version 12.1.1(2) fixes the problem. But I'm including the directions given by our local UNIX guru to set Path MTU discovery on Solaris and NT 4.0. Note that I haven't tested this and I take no credit or responsibility for breaking things ;-) I'll post this to the How-To page on the Web site, too.

cheers -- tbird

On Solaris:

As root, type:

    /usr/sbin/ndd -set /dev/ip ip_path_mtu_discovery 0

This should be added to /etc/init.d/nddsettings or somesuch to make it happen at boot time.
On NT 4.0:

1) Boot the machine and log in as a user with local administrative rights.
2) Start --> Run --> command
3) C:
4) cd WINNT
5) regedt32
6) Select the HKEY_LOCAL_MACHINE window.
7) Expand "SYSTEM"
8) Expand "CurrentControlSet"
9) Expand "Services"
10) Expand "tcpip"
11) Select "parameters" (make sure it is highlighted)
12) From the "Edit" menu, select "Add Value..."
13) For the "Value Name", type "EnablePMTUDiscovery" (case sensitive).
14) On the "Data Type" drop-down, select "REG_DWORD" and click OK.
15) In the "Data" input area, type "0" (the digit zero).
16) It shouldn't matter which radix you choose, but I select Decimal out of paranoia.
17) Click OK
18) From the "Registry" menu, select "Exit"
19) Reboot the workstation

On Wed, 16 Aug 2000, Neil Ratzlaff wrote:

> Date: Wed, 16 Aug 2000 16:17:28 -0700
> From: Neil Ratzlaff
> To: VPN at SECURITYFOCUS.COM
> Subject: VPN and icmp
>
> We recently tried to set up a Cisco VPN with some NT servers at our end,
> the other end had Windows something. Parts of it worked and parts didn't,
> and we eventually found the cause to be the close Cisco router sending icmp
> type 3 code 4 packets back to the NT machines. The packets from NT had the
> 'Don't Fragment' bit set, and Cisco couldn't encrypt them and still fit
> them under the packet size limit. I suggested the NT owners stop setting
> the Don't Fragment bit, and they said there was no way to do that. They
> also cited RFC 1853:
>
> 3.1. Tunnel MTU Discovery
> When the Don't Fragment bit is set by the originator and copied into
> the outer IP header, the proper MTU of the tunnel will be learned
> from ICMP (Type 3 Code 4) "Datagram Too Big" errors reported to the
> encapsulator. To support originating hosts which use this
> capability, all implementations MUST support Path MTU Discovery
> [RFC-1191, RFC-1435] within their tunnels.
>
> So.... questions:
> 1. Can NT stop setting the Don't Fragment bit, and if so, how?
> 2.
> What is the best way to deal with this situation?
>
> Thanks,
> Neil

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

From rdocquois at NOMEA.FR Thu Aug 17 02:56:09 2000
From: rdocquois at NOMEA.FR (Rodolphe DOCQUOIS)
Date: Thu, 17 Aug 2000 08:56:09 +0200
Subject: CISCO VPN (IOS) and F-Secure VPN+ Client interoperability
References: <001e01c0059d$67bae5c0$c4651818@keyuree>
Message-ID: <399B8C89.2D6D99B3@nomea.fr>

Hello,

I'm testing IPSec VPN with a CISCO router 2611 (as Gateway) and your VPN Client (F-Secure VPN+ 4.2).

The architecture is described just below :

FTP Server <-----> CISCO 2611 IOS 11.3.9T <========> F-Secure VPN+ Client 4.2

I would like to make an IPSec Tunnel (ESP + DES + SHA with pre-shared mode) between the Cisco and the VPN+.

Issues :
Phase 2 negotiation failed because no proposal was chosen, even though the same proposal has been set up on both sides.

Questions :
Can we use VPN+ Client with a CISCO router to make an IPSec tunnel ?
If it is YES : Which parameters need to be modified (on VPN+ and CISCO)?
Can VPN+ make IPSec VPN with Hybrid mode ?

Thanks

From tbird at PRECISION-GUESSWORK.COM Fri Aug 18 19:05:56 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Fri, 18 Aug 2000 18:05:56 -0500
Subject: [fw-wiz] VPN for *DSL/CableModem Users
In-Reply-To: <966546870.399c55b6d827e@64.13.193.98>
Message-ID:

Michael -- I'm forwarding your message to the VPN mailing list, which has rather a lot of opinions about this...

cheers -- tbird

On Thu, 17 Aug 2000, Michael C. Ibarra wrote:

> Date: Thu, 17 Aug 2000 17:14:30 -0400
> From: Michael C. Ibarra
> To: firewall-wizards at nfr.net
> Subject: [fw-wiz] VPN for *DSL/CableModem Users
>
> Hello:
>
> I've been asked to perform the horrible task of allowing
> in remote/home internet connections into a corporate LAN.
> The firewall/s in question are a FW-1 and IPFilter (separate
> machines) combo. The pipe decided upon was either DSL or
> cable modems, based of course on availability. The present
> method is an isdn/SecureID/dialback method. The present
> corporate policy allows no inbound traffic from the internet
> and allows a limited outbound connections, mainly http.
> My feeling is that users, unable to reach their AOL/Napster/
> whatever type of services could place a modem into these home
> PC's, corporate owned but that doesn't matter, making that
> box an insecure gateway or transfer point for a virus to the
> corporate network. VPN's IMO would do little to protect a
> machine which has a greater chance of becoming compromised,
> besides breaking corporate security policy since all non-VPN
> connections would probably allow those same services not
> normally allowed in the office. My question, and thank you
> for reading this far, is what VPN software and/or hardware
> is recommended and what can be done to enforce the present
> corporate policy (aside from asking users to sign an agreement).
>
> Thank you all,
>
> -mike
>
>
> The information contained in this message
> is not necessarily the opinion of Hawk
> Technologies, Inc.
>
> _______________________________________________
> Firewall-wizards mailing list
> Firewall-wizards at nfr.net
> http://www.nfr.net/mailman/listinfo/firewall-wizards
>

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

From jerome.cuvilliez at SOLUCOM.FR Fri Aug 18 09:44:59 2000
From: jerome.cuvilliez at SOLUCOM.FR (CUVILLIEZ Jérôme)
Date: Fri, 18 Aug 2000 15:44:59 +0200
Subject: Comparison between VPN solutions
Message-ID: <00A3092E72E4D211AAF30008C79FEB983BF13D@SERVER>

Hello

I try to get as much information as possible about 6 VPN products, in order to make a comparison.

I'd like to know the assets and weaknesses of these VPN solutions :
- VPN-1, Checkpoint Software
- Cisco Secure, Cisco Systems
- LanRover VPN, Shiva
- Contivity Extranet Switch, Nortel Networks
- F-Secure VPN +, F-Secure

Thanks in advance!

Jérôme Cuvilliez, consultant.

PS : excuse my english, I'm French :)))

From trask at SJ.COUNTERPANE.COM Fri Aug 18 20:54:28 2000
From: trask at SJ.COUNTERPANE.COM (Chris Odhner)
Date: Fri, 18 Aug 2000 17:54:28 -0700
Subject: VPN and icmp
In-Reply-To:
Message-ID:

Just a quick clarification on something that Tina quoted from me... /etc/init.d/nddsettings is nothing standard on Solaris; it's just what we use at our site for this kind of thing.

-Chris

On Fri, 18 Aug 2000, Tina Bird wrote:

> /usr/sbin/ndd -set /dev/ip ip_path_mtu_discovery 0
>
> This should be added to /etc/init.d/nddsettings or somesuch to make it
> happen at boot time.

From rhildred at FREESPACE.NET Fri Aug 18 20:55:22 2000
From: rhildred at FREESPACE.NET (Rob Hildred)
Date: Fri, 18 Aug 2000 20:55:22 -0400
Subject: SSL vs. IPsec
Message-ID: <01C00956.A0C55BE0.rhildred@freespace.net>

In my opinion, SSL and the Corba Security Service will eventually render "crude" VPNs obsolete for trading partners and public applications. VPNs will continue to be great for legacy applications like telnet, ERP and any two tier or RPC stuff that is around now (e.g. big corporations). The perceived gaping hole that VPNs leave at unsecured network ends is likely to make their widespread acceptance tenuous.

Best Regards
Rob

-----Original Message-----
From: Raymakers, Guy [SMTP:guy.raymakers at EDS.COM]
Sent: Thursday, August 17, 2000 9:30 AM
To: VPN at SECURITYFOCUS.COM
Subject: SSL vs. IPsec

Hi,

I'm looking for some arguments/reasons why you would choose an IPSec VPN instead of an SSL solution when the remote user is 'only' using Web based applications (could also make use of DCOM, Corba, ...). Is there someone who has a clear view on this and is willing to share it ?

Many thanks,
Guy

From lthompson at IRE.COM Fri Aug 18 21:14:36 2000
From: lthompson at IRE.COM (Larry Thompson)
Date: Fri, 18 Aug 2000 21:14:36 -0400
Subject: FW: CISCO VPN (IOS) and F-Secure VPN+ Client interoperability
Message-ID:

Use the Cisco VPN client. Then you won't have this problem.

-----Original Message-----
From: Rodolphe DOCQUOIS [mailto:rdocquois at NOMEA.FR]
Sent: Thursday, August 17, 2000 2:56 AM
To: VPN at SECURITYFOCUS.COM
Subject: CISCO VPN (IOS) and F-Secure VPN+ Client interoperability

Hello,

I'm testing IPSec VPN with a CISCO router 2611 (as Gateway) and your VPN Client (F-Secure VPN+ 4.2).

The architecture is described just below :

FTP Server <-----> CISCO 2611 IOS 11.3.9T <========> F-Secure VPN+ Client 4.2

I would like to make an IPSec Tunnel (ESP + DES + SHA with pre-shared mode) between the Cisco and the VPN+.

Issues :
Phase 2 negotiation failed because no proposal was chosen, even though the same proposal has been set up on both sides.
Questions :
Can we use VPN+ Client with a CISCO router to make an IPSec tunnel ?
If it is YES : Which parameters need to be modified (on VPN+ and CISCO)?
Can VPN+ make IPSec VPN with Hybrid mode ?

Thanks

From sandy at STORM.CA Fri Aug 18 21:46:47 2000
From: sandy at STORM.CA (Sandy Harris)
Date: Fri, 18 Aug 2000 21:46:47 -0400
Subject: [fw-wiz] VPN for *DSL/CableModem Users
References:
Message-ID: <399DE707.52105B55@storm.ca>

Tina Bird wrote:
>
> Michael -- I'm forwarding your message to the VPN mailing
> list, which has rather a lot of opinions about this...
>
> cheers -- tbird
>
> On Thu, 17 Aug 2000, Michael C. Ibarra wrote:
>
> > Date: Thu, 17 Aug 2000 17:14:30 -0400
> > From: Michael C. Ibarra
> > To: firewall-wizards at nfr.net
> > Subject: [fw-wiz] VPN for *DSL/CableModem Users
> >
> > Hello:
> >
> > I've been asked to perform the horrible task of allowing
> > in remote/home internet connections into a corporate LAN.
> > ... My question, and thank you
> > for reading this far, is what VPN software and/or hardware
> > is recommended and what can be done to enforce the present
> > corporate policy (aside from asking users to sign an agreement).
>

Some of these issues are discussed in a paper on AT&T Research's solution to this type of problem. Look for the "Moat" paper on Bellovin's page:

http://www.research.att.com/~smb/papers/index.html

From arsen at CERTAINTYSOLUTIONS.COM Fri Aug 18 22:41:30 2000
From: arsen at CERTAINTYSOLUTIONS.COM (Thomas J. Arseneault)
Date: Fri, 18 Aug 2000 19:41:30 -0700
Subject: ipsec interoperate Solaris Windows 2000
In-Reply-To:
Message-ID: <001f01c00986$fae2a940$8901a8c0@pretty-tom-1.gnac.com>

Can't help you with why the problems between two Solaris or two Windows boxes but I doubt you'll be able to get it to work between Solaris and Windows. Windows uses IPSec as part of their L2TP protocol. The actual tunnel is PPP and IPSec is used more or less as a transport medium. This is different than the way IPSec is used by most VPN applications. Solaris (by the way is IPSec part of Solaris 8 now or are you using a third party application?) probably uses IPSec as the VPN itself. Also by the way I have heard of, but have not seen, some applications that do just tunnel mode (mainly Security Gateways, routers and the like where transport mode does not make any sense) and maybe the Solaris implementation is done like that?

**********************************************
Tom Arseneault
System Admin.
Certainty Solutions, formerly Global Networking and Computing (GNAC).
"Certainty in an Uncertain World"
arsen at certaintysolutions.com
http://web.corp.rwc.crtsol.com
**********************************************

> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of
> Garrard, David
> Sent: Wednesday, August 16, 2000 6:00 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: ipsec interoperate Solaris Windows 2000
>
>
> Hi a quick question on something that has had me pulling my hair
> out. I have
> been playing about with IPSEC implementations in Solaris 8 and
> Windows 2000. So
> far I have achieved the following:
>
> Have gotten IPSEC with md5/3des to work between two Solaris
> boxes in Tunnel
> mode but not transport mode
> Have gotten IPSec with md5/3des to work between two Windows
> 2000 boxes using
> a preshared key.
> > All attempt to get Solaris 8 IPSEc to work in transport mode have > failed, all > attempts to get a secured tunnel between two Windows 2000 boxes > have failed and > all attempts to get IPSEC to interoperate in any mode between > Windows 2000 and > Solaris 8 have failed. > > Has anyone on the list achieved this? All help greatly appreciated. > > David L. Garrard > > VPN is sponsored by SecurityFocus.COM > VPN is sponsored by SecurityFocus.COM From ddessi at INTERNETCONNECT.NET Fri Aug 18 23:47:21 2000 From: ddessi at INTERNETCONNECT.NET (Danilo Dessi) Date: Fri, 18 Aug 2000 23:47:21 -0400 Subject: Routing Message-ID: <5.0.0.11.0.20000818232448.009fe970@pop3.internetconnect.net> We have the following set up as follows: Internet | | | | WAN | | | | | | VPN------FW---------------100Mbps Switch--------------router LAN -IP Private Address space is being used. -All resources attached to the LAN have the router's IP address as their default gateway. -If destination address is not for the WAN then packets are routed to FW. -VPN is on a subnet of the LAN and is only used for remote connectivity. -We added static routes to the VPN device and set up static routes on the firewall. The problem we are having is that we cannot access resources in the WAN through the VPN. We are really stumped. Any help is appreciated. Thank you for all replies. Dan Dessi VPN is sponsored by SecurityFocus.COM From MuniX-1 at PACBELL.NET Sat Aug 19 02:50:53 2000 From: MuniX-1 at PACBELL.NET (Jose Muniz) Date: Fri, 18 Aug 2000 23:50:53 -0700 Subject: CISCO VPN (IOS) and F-Secure VPN+ Client interoperability References: <001e01c0059d$67bae5c0$c4651818@keyuree> <399B8C89.2D6D99B3@nomea.fr> Message-ID: <399E2E4D.1A0BC0B7@pacbell.net> Hello Rodolphe; Well, the F-Secure VPN 4.1 sp 1 which is the one that I have played with is one of the most interoperatable IPSec compliant VPN solutions on the market. I interoperat it with just about any VPN that is out there including the big names. 
However Cisco IPSec implementation 11.x and 12.0[5] have some issues. If I were you I would upgrade to Cisco IOS 12.0[7] and I bet it will work just fine. Even if you got the F-Secure VPN+ working with the client you might run into some issues while rekeying Phase 2. And the issue is with Cisco IOS not with VPN+, just upgrade.

Jose Muniz.

Rodolphe DOCQUOIS wrote:
>
> Hello,
>
> I'm testing IPSec VPN with a CISCO router 2611 (as Gateway) and your VPN
> Client (F-Secure VPN+ 4.2).
>
> The architecture is described just below :
>
> FTP Server <-----> CISCO 2611 IOS 11.3.9T <========>F-Secure VPN+
> Client 4.2
>
> I would like to make an IPSec Tunnel (ESP + DES + SHA with pre-shared
> mode) between the Cisco and the VPN +.
>
> Issues :
> Phase 2 negotiation failed, cause no proposal chosen even if the same
> proposal have been setup.
>
> Questions :
> Can we use VPN+ Client with a CISCO router to make an IPSec tunnel ?
> If it is YES : Which parameters need to be modified (on VPN+ and
> CISCO)?
> Can VPN+ make IPSec VPN with Hybrid mode ?
>
> Thanks

From MuniX-1 at PACBELL.NET Sat Aug 19 03:06:17 2000
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Sat, 19 Aug 2000 00:06:17 -0700
Subject: Netscreen <-> Checkpoint FW-1
Message-ID: <399E31E9.253CEAFD@pacbell.net>

Hello guys and girls,

I am having some problems with interoperability between Netscreen NS-100 in HA mode and Checkpoint FW-1. I can get them to work just fine [IKE], and actually it performs better than FW-1 to FW-1. Here is the kicker: When I fail one of the NS, the rekey negotiation hangs for a few seconds, about 30 or so. I have been tweaking with the lifetimes [Phase 2] and I have tuned it to 120 seconds, on the FW-1. Not too good!!

Does anybody have a workaround for this? It would be thankfully appreciated. As I said it works just fine, the problem is when the HA kicks in..
Jose Muniz

From MuniX-1 at PACBELL.NET Sat Aug 19 03:13:18 2000
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Sat, 19 Aug 2000 00:13:18 -0700
Subject: FW: CISCO VPN (IOS) and F-Secure VPN+ Client interoperability
References:
Message-ID: <399E338E.6CA6B13B@pacbell.net>

Well, I disagree with you 'cause the Cisco client does not have the same feature set as the F-Secure Client, and what is bad about it is that it does not support split tunneling as well as the F-Secure. With F-Secure you can have an IPSec connection on a particular port and plain text to the same host or subnet on a different port in the plain. Also the NAT capabilities of F-Secure are outstanding, and you know how much this helps when routing is the show stopper.

Jose Muniz

Larry Thompson wrote:
>
> Use the Cisco VPN client. Then you won't have this problem.
>
> -----Original Message-----
> From: Rodolphe DOCQUOIS [mailto:rdocquois at NOMEA.FR]
> Sent: Thursday, August 17, 2000 2:56 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: CISCO VPN (IOS) and F-Secure VPN+ Client interoperability
>
> Hello,
>
> I'm testing IPSec VPN with a CISCO router 2611 (as Gateway) and your VPN
> Client (F-Secure VPN+ 4.2).
>
> The architecture is described just below :
>
> FTP Server <-----> CISCO 2611 IOS 11.3.9T <========>F-Secure VPN+
> Client 4.2
>
> I would like to make an IPSec Tunnel (ESP + DES + SHA with pre-shared
> mode) between the Cisco and the VPN +.
>
> Issues :
> Phase 2 negotiation failed, cause no proposal chosen even if the same
> proposal have been setup.
>
> Questions :
> Can we use VPN+ Client with a CISCO router to make an IPSec tunnel ?
> If it is YES : Which parameters need to be modified (on VPN+ and
> CISCO)?
> Can VPN+ make IPSec VPN with Hybrid mode ?
>
> Thanks

From MuniX-1 at PACBELL.NET Sat Aug 19 04:24:54 2000
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Sat, 19 Aug 2000 01:24:54 -0700
Subject: Comparison between VPN solutions
References: <00A3092E72E4D211AAF30008C79FEB983BF13D@SERVER>
Message-ID: <399E4456.46F97BE5@pacbell.net>

Here is my .02 cents!!

- VPN-1, Checkpoint Software
  Support      Bad
  Licensing    it will kill you!!!
  Performance  bad
  Setup        Aren't you busy at work?

  I find it to be time consuming, poor performance, Nokia HA with the VRRP monitor circuit HA, is broken! the licensing is probably the worst I could ever Imagine. It is good if you like to click your mouse a lot.

- Cisco Systems
  Support      Excellent
  Licensing    Good
  Performance  bad
  Setup        Cisco CLI

  Cisco IOS, you got it you love it and it works all right, performance is not very good, even with lots of ram. Get something else they got tooo much money!!! Yes big ones$$$

- LanRover VPN, Shiva
  Better than Checkpoint and much faster.
  Support is good
  The main developer, she is quite a nice person.

  You know the shiva products, this is the kind that fits the Fortune One Million in corporate America, the small medium office. Home networks... [Depends how geeky you are]

- Contivity Extranet Switch, Nortel Networks
  [Can someone fill in this one for me?]

- F-Secure VPN +, F-Secure
  Support      Good
  Licensing    Very fair for what you get
  Performance  Fastest software based VPN
  Setup        Interestingly nice concept

  This is probably the most flexible VPN, it does not matter how bad the war zone looks like the NAT and other nifty features pay off.

Would any of these be the one that I will choose.... Mmmmmm... Nope!

Jose

> Hello
>
> I try to get as many information as possible about 6 VPNs products, in order
> to make a comparison.
>
> I'd like to know the assets and weaknesses of these VPN solutions :
> - VPN-1, Checkpoint Software
> - Cisco Secure, Cisco Systems
> - LanRover VPN, Shiva
> - Contivity Extranet Switch, Nortel Networks
> - F-Secure VPN +, F-Secure
>
> Thanks in advance!
>
> Jérôme Cuvilliez, consultant.
>
> PS : excuse my english, I'm French :)))

From Alexei.Lesnykh at TRUSTWORKS.COM Sat Aug 19 04:44:00 2000
From: Alexei.Lesnykh at TRUSTWORKS.COM (Alexei Lesnykh)
Date: Sat, 19 Aug 2000 10:44:00 +0200
Subject: SSL vs. IPsec
In-Reply-To: <01C00956.A0C55BE0.rhildred@freespace.net>
Message-ID: <000501c009b9$9ee3c1a0$c269fea9@nl.trustworks.com>

As far as I know, several projects are now in progress on CORBA IKE/IPsec services development. After this becomes reality, SSL itself will likely be used only for web-browser <-> portal protection but not beyond. In my opinion it's better to not think about "VPN" as just encrypted pipes for LAN-LAN communications but rather on IPsec mechanisms usage in favor of application-level security. Nothing prevents people from remembering that there might be more than one domain of interpretation.

Regards,
Alexei
_________

()-----Original Message-----
()From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Rob
()Hildred
()Sent: Saturday, August 19, 2000 2:55 AM
()To: VPN at SECURITYFOCUS.COM
()Subject: Re: SSL vs. IPsec
()
()
()In my opinion, SSL and the Corba Security Service will eventually render
()"crude" VPNs obsolete for trading partners and public applications. VPNs
()will continue to be great for legacy applications like telnet, ERP and any
()two tier or RPC stuff that is around now (e.g. big corporations). The
()perceived gaping hole that VPNs leave at unsecured network ends are likely
()to make their widespread acceptance tenuous.
() ()Best Regards ()Rob () ()-----Original Message----- ()From: Raymakers, Guy [SMTP:guy.raymakers at EDS.COM] ()Sent: Thursday, August 17, 2000 9:30 AM ()To: VPN at SECURITYFOCUS.COM ()Subject: SSL vs. IPsec () ()Hi, () ()I'm looking for some arguments/reasons of why you would choose for a IPSec ()VPN instead of a SSL solution when the remote user is 'only' using Web ()based ()applications (could also make of DCOM, Corba, ...). Is there someone who ()has ()a clear view on this and is willing to share this ? () ()Many thanks, ()Guy () ()VPN is sponsored by SecurityFocus.COM () ()VPN is sponsored by SecurityFocus.COM () VPN is sponsored by SecurityFocus.COM From MuniX-1 at PACBELL.NET Sat Aug 19 04:47:11 2000 From: MuniX-1 at PACBELL.NET (Jose Muniz) Date: Sat, 19 Aug 2000 01:47:11 -0700 Subject: SSL vs. IPsec References: Message-ID: <399E498F.5A25C88F@pacbell.net> Hello Guy, Well, SSL is very secure and it is very good thing that you brought it up, I you want to exchange content over https it a fine solution, i will say that it all depends on the kind of trust relationship between the server and the client. HTTPS is just fine for some applications, IPSec will be more secure and it will support more L4 applications,. So I am with you, why go through the hassle if we are talking about web based applications. Jose Muniz. "Raymakers, Guy" wrote: > > Hi, > > I'm looking for some arguments/reasons of why you would choose for a IPSec > VPN instead of a SSL solution when the remote user is 'only' using Web based > applications (could also make of DCOM, Corba, ...). Is there someone who has > a clear view on this and is willing to share this ? 
>
> Many thanks,
> Guy

From cmoellenkamp at RELIANTENERGY.COM Sat Aug 19 22:38:39 2000
From: cmoellenkamp at RELIANTENERGY.COM (Moellenkamp, Chris)
Date: Sat, 19 Aug 2000 21:38:39 -0500
Subject: Contivity & Instant Internet
Message-ID:

I have also just begun to install a Contivity 1500 Switch and am having difficulty with it working. It seems to drop the connection after authentication. I am working with an engineer from Nortel and hope to have the situation resolved soon. I will forward any information I get to you.

Good Luck!

Franci Jereb @SECURITYFOCUS.COM> on 08/17/2000 02:28:12 AM
Please respond to Franci Jereb
Sent by: VPN Mailing List

From bdube at LAROCHELLE-GRATTON.COM Sun Aug 20 11:50:35 2000
From: bdube at LAROCHELLE-GRATTON.COM (Benoît Dubé)
Date: Sun, 20 Aug 2000 11:50:35 -0400
Subject: FR v DSL
In-Reply-To: <000901c00734$c32883c0$6640a8c0@franknb2k>
Message-ID: <000c01c00abf$b78bfd10$e053fdcf@lgq-bdube>

Hi Frank,

The difference between FR & DSL.

FR:
FR is only a layer 2 protocol used to make a connection between two hosts, so it's not possible to use pure FR for a WAN connection with multiple hosts. FR is only present over the local loop, between your customer and the central office. The telcos are converting the FR protocol to a WAN protocol to be transportable; generally, they use ATM for that. The mapping & the bandwidth allocation is entirely controlled by the telco. With FR, you generally have a minimum bandwidth guaranteed. So when you lease a FR service, you know exactly what you have.

DSL:
DSL is only a layer 1 protocol and it's purely used as a point to point connection in a local area. Over DSL, you may run FR, ATM or Ethernet and over them IP. When you talk about DSL, you need to know which layer 2 & 3 protocols are used. OK, generally, it's an ethernet connection (L2) with IP protocol (L3).
Fine, now what kind of IP service are you subscribing to, a basic IP transport as offered by any ISP or an IP "business class" service as offered by some major telcos. Of course, a "business class" is equivalent to a dedicated connection with full guarantee and the basic IP connection isn't.

As you can see, you must not replace the FR service with a basic IP service if your customer needs a minimum guarantee. If your customer is searching for a cheaper service without any guarantee, you can recommend a basic IP service. To select the best service for your customer, you must know perfectly your customer's needs. This message is just a starting point.

Benoit Dube
Larochelle Gratton
2600 bvd Laurier, Suite 970
Ste-Foy (Quebec) Canada G1V 4W2
Tel. (418) 650-6099
Fax (418) 650-1140
bdube at larochelle-gratton.com
www.larochelle-gratton.com

> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Frank
> Boecherer
> Date: Tuesday, 15 August 2000 23:48
> To: VPN at SECURITYFOCUS.COM
> Subject: FR v DSL
>
>
> I have a client with 4 or 5 branch offices. The branches are
> currently
> hooked up via Frame Relay.
>
> They wanted to start migrating to DSL since it would be
> cheaper. Although I
> am a technical person (I do PC consulting) I am not too clear on the
> advantages and disadvantages of FR v DSL. Are most VPN
> questions posed on
> this list running over PVC/ATM/FR or are a lot of you already
> using DSL
> VPN's? Should we stick with FR even though it costs more? Is it more
> reliable and faster (in general) than a VPN over DSL? The
> company is not in
> the banking industry, but it is a well established company
> that has the
> money to pay for FR as they have been doing so for several years.
> > Another drawback is the main office can maybe only get 416K > DSL and with 4 > branches coming in (they need to access the NT server for most of the > communication and not much Internet access) the line will probably be > saturated and the main branch will be a bottleneck. > > Any pointers would be welcome. > > Thanks > > Frank > > VPN is sponsored by SecurityFocus.COM > VPN is sponsored by SecurityFocus.COM From bsmith at ARACNET.COM Sun Aug 20 14:35:24 2000 From: bsmith at ARACNET.COM (Brian Smith) Date: Sun, 20 Aug 2000 11:35:24 -0700 Subject: Comparison between VPN solutions In-Reply-To: <399E4456.46F97BE5@pacbell.net> Message-ID: 2 more cents: I've had experience with 2 small appliances. The Linksys CABLE/DSL befsr41 and the WatchGuard SOHOtc. Both intended for the small/medium office or home. The Linksys has 'features' that aren't supported by Linksys such as port forwarding. Port forwarding doesn't work correctly, so it's no surprise it's not supported. Case in point: I can't let PPTP through, although they claim to allow IPSec through after several firmware fixes. Firewalling is 'faked'. Also, DHCP cannot be used if you want to filter IP addresses. I would say this product is fair if you only want access from an internal LAN to the Internet; don't use it if you have internal services to provide (such as VPN). If I've missed something it's because the documentation is somewhat inadequate. During my initial research I read a lot about WatchGuard but decided on the Linksys for price... mistake. The WatchGuard SOHO appliance is a bit more expensive but does EVERYTHING the Linksys tried to do. ISPs are using WatchGuard and the SOHO is a relatively inexpensive, bona fide firewall that also does NAT, DHCP, IPSEC, and more... all at the same time. 
# -----Original Message----- # From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Jose # Muniz # Sent: Saturday, August 19, 2000 1:25 AM # To: VPN at SECURITYFOCUS.COM # Subject: Re: Comparison between VPN solutions # # # Here is my .02 cents!! # # - VPN-1, Checkpoint Software # Support Bad # Licenceing it will kill you!!! # Performance bad # Setup Aren't you bussy at work? # # I find it to be time consumming, poor performance, Nokia # HA with the VRRP monitor circuit HA, is broken! # the licensing is probably the worst I could ever # Imagine. # It is good if you like to click your mouse a lot. # # - Cisco Systems # Suport Excelent # Licencing Good # Performance bad # Setup Cisco CLI # # Cisco IOS, you got it you love it and it works all right, # performace is not very good, even with lots of ram. # Get something else they got tooo much money!!! Yes big ones$$$ # # - LanRover VPN, Shiva # Better than Checkpoint and much faster. # Support is good # The main developer, she is quite a nice person. # # You know the shiva products, this is the kind that fits # the Fortune One Million in corporate America, the small medium office. # Home networks... [Depends how geeky you are] # # - Contivity Extranet Switch, Nortel Networks # [Can someone fill in this one for me?} # # - F-Secure VPN +, F-Secure # Support Good # Licencing Very fear for what you get # Performance Fastest sofware based VPN # Setup Interestingly nice concept # # This is probably the most flexible VPN, it does not matter how bad the # war zone looks like the NAT and other nifty features pay off. # # Would any of these will be the one that I will choose.... # Mmmmmm... Nope! # # Jose # # # > Hello # > # > I try to get as many information as possible about 6 VPNs # products, in order # > to make a comparison. 
# > # > I'd like to know the assets and weaknesses of these VPN solutions : # > - VPN-1, Checkpoint Software # > - Cisco Secure, Cisco Systems # > - LanRover VPN, Shiva # > - Contivity Extranet Switch, Nortel Networks # > - F-Secure VPN +, F-Secure # > # > Thanks in advance! # > # > J?r?me Cuvilliez, consultant. # > # > PS : excuse my english, I'm French :))) # > # > VPN is sponsored by SecurityFocus.COM # # VPN is sponsored by SecurityFocus.COM # # VPN is sponsored by SecurityFocus.COM From mgmyers at DREYERS.COM Sun Aug 20 17:34:57 2000 From: mgmyers at DREYERS.COM (Mark Myers) Date: Sun, 20 Aug 2000 14:34:57 -0700 Subject: Comparison between VPN solutions Message-ID: - Contivity Extranet Switch, Nortel Networks Support Good Licencing Appliance expensive, no per-client fees Performance Very good Setup Excellent Compared to FW-1 this solution was a dream to set up and maintain. Cool interface, rock-solid reliability, no W2K client, although you can make it work with standard protocols. The box is not cheap, but price/performance/features makes it a good choice. --Mark >>> "Jose Muniz" 08/19/00 21:25 PM >>> Here is my .02 cents!! - VPN-1, Checkpoint Software Support Bad Licenceing it will kill you!!! Performance bad Setup Aren't you bussy at work? I find it to be time consumming, poor performance, Nokia HA with the VRRP monitor circuit HA, is broken! the licensing is probably the worst I could ever Imagine. It is good if you like to click your mouse a lot. - Cisco Systems Suport Excelent Licencing Good Performance bad Setup Cisco CLI Cisco IOS, you got it you love it and it works all right, performace is not very good, even with lots of ram. Get something else they got tooo much money!!! Yes big ones$$$ - LanRover VPN, Shiva Better than Checkpoint and much faster. Support is good The main developer, she is quite a nice person. You know the shiva products, this is the kind that fits the Fortune One Million in corporate America, the small medium office. 
Home networks... [Depends how geeky you are]

- Contivity Extranet Switch, Nortel Networks
  [Can someone fill in this one for me?]

- F-Secure VPN+, F-Secure
  Support      Good
  Licensing    Very fair for what you get
  Performance  Fastest software based VPN
  Setup        Interestingly nice concept

This is probably the most flexible VPN; it does not matter how bad the war zone looks like, the NAT and other nifty features pay off.

Would any of these be the one that I will choose.... Mmmmmm... Nope!

Jose

> Hello
>
> I'm trying to get as much information as possible about 6 VPN products, in order
> to make a comparison.
>
> I'd like to know the assets and weaknesses of these VPN solutions:
> - VPN-1, Checkpoint Software
> - Cisco Secure, Cisco Systems
> - LanRover VPN, Shiva
> - Contivity Extranet Switch, Nortel Networks
> - F-Secure VPN+, F-Secure
>
> Thanks in advance!
>
> Jérôme Cuvilliez, consultant.
>
> PS: excuse my English, I'm French :)))

From jason_morrow at BCBST.COM Sun Aug 20 21:32:02 2000
From: jason_morrow at BCBST.COM (Jason Morrow)
Date: Sun, 20 Aug 2000 21:32:02 -0400
Subject: Comparison between VPN solutions
Message-ID: <597EBA246E61D3118A730004ACE52FAE04B4B63F@helios.bcbst.com>

Mark,

I agree with you about the Nortel Contivity switch. I am beta testing the W2K client now. It should be out to the public before too long.

> -----Original Message-----
> From: Mark Myers [SMTP:mgmyers at DREYERS.COM]
> Sent: Sunday, August 20, 2000 5:35 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: Comparison between VPN solutions
>
> - Contivity Extranet Switch, Nortel Networks
>   Support      Good
>   Licensing    Appliance expensive, no per-client fees
>   Performance  Very good
>   Setup        Excellent
>
> Compared to FW-1 this solution was a dream to set up and maintain. Cool
> interface, rock-solid reliability, no W2K client, although you can make it
> work with standard protocols.
> The box is not cheap, but price/performance/features makes it a good choice.
>
> --Mark
>
> >>> "Jose Muniz" 08/19/00 21:25 PM >>>
> Here is my .02 cents!!
>
> - VPN-1, Checkpoint Software
>   Support      Bad
>   Licensing    it will kill you!!!
>   Performance  bad
>   Setup        Aren't you busy at work?
>
> I find it to be time consuming, poor performance, Nokia HA with the VRRP
> monitor circuit HA, is broken! The licensing is probably the worst I could
> ever imagine. It is good if you like to click your mouse a lot.
>
> - Cisco Systems
>   Support      Excellent
>   Licensing    Good
>   Performance  bad
>   Setup        Cisco CLI
>
> Cisco IOS, you got it, you love it and it works all right; performance is
> not very good, even with lots of RAM. Get something else, they got too much
> money!!! Yes big ones$$$
>
> - LanRover VPN, Shiva
>   Better than Checkpoint and much faster.
>   Support is good.
>   The main developer, she is quite a nice person.
>
> You know the Shiva products, this is the kind that fits the Fortune One
> Million in corporate America, the small/medium office. Home networks...
> [Depends how geeky you are]
>
> - Contivity Extranet Switch, Nortel Networks
>   [Can someone fill in this one for me?]
>
> - F-Secure VPN+, F-Secure
>   Support      Good
>   Licensing    Very fair for what you get
>   Performance  Fastest software based VPN
>   Setup        Interestingly nice concept
>
> This is probably the most flexible VPN; it does not matter how bad the war
> zone looks like, the NAT and other nifty features pay off.
>
> Would any of these be the one that I will choose.... Mmmmmm... Nope!
>
> Jose
>
> > Hello
> >
> > I'm trying to get as much information as possible about 6 VPN products, in
> > order to make a comparison.
> >
> > I'd like to know the assets and weaknesses of these VPN solutions:
> > - VPN-1, Checkpoint Software
> > - Cisco Secure, Cisco Systems
> > - LanRover VPN, Shiva
> > - Contivity Extranet Switch, Nortel Networks
> > - F-Secure VPN+, F-Secure
> >
> > Thanks in advance!
> >
> > Jérôme Cuvilliez, consultant.
> >
> > PS: excuse my English, I'm French :)))

From theresa at TI.COM Mon Aug 21 12:54:51 2000
From: theresa at TI.COM (Brown, Theresa)
Date: Mon, 21 Aug 2000 11:54:51 -0500
Subject: VPN - Broadband service providers limiting access for work purposes
Message-ID:

For those of you who have deployed VPNs in your companies, have you encountered issues with the Cable or DSL service providers limiting users' access to personal use only? I have seen several clauses from service provider contracts that have things like the one in the news flash below. What are your plans to address this issue?
Monday, August 21, 2000
Bandwidth Strategy
--------------------------------------------------------------------------------
Source: CableFAX

CableFAX via NewsEdge Corporation: Comcast [CMCSA] refined its cable modem policy to prohibit customers from connecting cable modems to virtual private networks and extended its authority over the customer's use of cable modem service in the interest of getting a better handle on bandwidth hogs. The practice could spell trouble for cable marketing campaigns and feeds DSL criticism, points out Kagan's Broadband, and it could get worse. "Allowing access for multiple ISPs promises to exacerbate the issue because MSOs will have even less control over their networks," writes Ian Olgeirson. The solution: deeper fiber and more nodes dictated by penetration concentrations.

From fredy at ORION.CL Mon Aug 21 18:15:45 2000
From: fredy at ORION.CL (Fredy Santana)
Date: Mon, 21 Aug 2000 17:15:45 -0500
Subject: IPSec conceptual question
In-Reply-To:
References:
Message-ID:

Hi everybody:

I have a conceptual question about IPSec VPN. What is the difference between an IPSec tunnel host-to-IPSec gateway and IPSec gateway-to-IPSec gateway?

Background: I'm trying to connect an IPSec gateway to another, but one of them hasn't a fixed IP, and my question is how this works when you use a VPN client.

Regards from Chile

Regards,
Fredy R. Santana V.
Ingeniero Civil Eléctrico
Orion 2000 - Servicios Profesionales en Seguridad Informática
La Concepcion 322 piso 12, Providencia.
Santiago, Chile
Phone: 6403944 - e-mail: fredy at orion.cl

From rrodrigues at DNS-DIVEO.NET.BR Mon Aug 21 15:20:02 2000
From: rrodrigues at DNS-DIVEO.NET.BR (Ramiro Rodrigues)
Date: Mon, 21 Aug 2000 16:20:02 -0300
Subject: PPTP Gateway
References: <00A3092E72E4D211AAF30008C79FEB983BF13D@SERVER> <399E4456.46F97BE5@pacbell.net>
Message-ID: <000801c00ba4$d09176b0$f978cac8@rrodrigues>

People:

What exactly does a PPTP gateway do/mean? Do you know any URL that explains this better? Can Checkpoint Firewall-1 act like a PPTP gateway for a Windows 2000 server? If not, what equipment can?

From mark at MOTLEYNET.COM Mon Aug 21 18:02:32 2000
From: mark at MOTLEYNET.COM (Mark Motley)
Date: Mon, 21 Aug 2000 15:02:32 -0700
Subject: Contivity & Instant Internet
Message-ID:

Well, it's kinda hit-and-miss and it is VERY pedantic. Here's what you can try:

1) Make sure the name on the Instant Internet box matches the branch office tunnel name *exactly*.

2) When defining the networks on both sides of the branch office connection, make sure they match on both the Contivity and the II box. All of them. Otherwise you won't get SAs.

3) Try deleting the branch office connection on the Contivity and recreating it. I know this sounds funky, but trust me, it fixed a problem we were having with one (after we pulled many hairs from our heads).

4) DON'T use the "ping X.X.X.X monitor source ethx" command. Instead, use "ping interval 10 background start source ".

5) Upgrade the Contivity software to 2.60 (or latest). 2.60 seems to be much more interoperable and stable from an IPSec perspective.

Overall, the II boxes are a pain in the butt. But once you get them working, they do work fairly well.

Hope this helps...
- MBM

-----Original Message-----
From: Franci Jereb
To: VPN at SECURITYFOCUS.COM
Sent: 8/17/00 12:28 AM
Subject: Contivity & Instant Internet

Hello,

I would like to know if anybody has configured and connected a Contivity 1500 & Instant Internet 100 to work over IPsec. The software version of the Contivity is 2.50 & Instant Internet is 7.0. I tried to configure it, but the system doesn't work. I configured the Contivity & Instant Internet as described in the manuals. Is there anything special about configuring it? Any information would be nice.

Regards,
Frenk

From dana at INTERPRISE.COM Mon Aug 21 18:27:15 2000
From: dana at INTERPRISE.COM (Dana J. Dawson)
Date: Mon, 21 Aug 2000 17:27:15 -0500
Subject: VPN and icmp
References: <4.2.0.58.20000816160854.00a6b4e0@popserv.ucop.edu>
Message-ID: <39A1ACC3.D70BD6DB@interprise.com>

Neil Ratzlaff wrote:

> We recently tried to set up a Cisco VPN with some NT servers at our end,
> the other end had Windows something. Parts of it worked and parts didn't,
> and we eventually found the cause to be the close Cisco router sending icmp
> type 3 code 4 packets back to the NT machines. The packets from NT had the
> 'Don't Fragment' bit set, and Cisco couldn't encrypt them and still fit
> them under the packet size limit. I suggested the NT owners stop setting
> the Don't Fragment bit, and they said there was no way to do that. They
> also cited RFC 1853:
>
> 3.1. Tunnel MTU Discovery
> When the Don't Fragment bit is set by the originator and copied into
> the outer IP header, the proper MTU of the tunnel will be learned
> from ICMP (Type 3 Code 4) "Datagram Too Big" errors reported to the
> encapsulator. To support originating hosts which use this
> capability, all implementations MUST support Path MTU Discovery
> [RFC-1191, RFC-1435] within their tunnels.
>
> So.... questions:
> 1. Can NT stop setting the Don't Fragment bit, and if so, how?
> 2.
> What is the best way to deal with this situation?
>
> Thanks,
> Neil

If the NT box is setting the DF bit (presumably with the intent of doing MTU Path Discovery), and the local Cisco box is replying with Datagram Too Big errors, then it's the NT box's responsibility to fall back to a smaller MTU until the packets get through. If this isn't happening, it's an NT problem, not a Cisco problem. I don't understand where the Cisco bug is, unless there's a part of the picture I haven't picked up on.

Dana

--
Dana J. Dawson                               dana at interprise.com
Distinguished Principal Engineer             CCIE #1937
Qwest Communications International, Inc.     (612) 664-3364
600 Stinson Blvd., Suite 1S                  (612) 664-4779 (FAX)
Minneapolis MN 55413-2620

"Hard is where the money is."

From steve.anderson at BMS.COM Tue Aug 22 08:09:24 2000
From: steve.anderson at BMS.COM (Steve Anderson)
Date: Tue, 22 Aug 2000 08:09:24 -0400
Subject: VPN - Broadband service providers limiting access for work purposes
References:
Message-ID: <39A26D74.87D6B793@bms.com>

Theresa,

I have been battling that same issue at my client site while trying to implement a VPN solution for High Speed Internet Access clients. What I have discovered, however, is that in some cases the VPN usage policy is just that: a policy created to prevent abuse of their bandwidth.

Here is my suggestion: the local cable internet company near me suggested that I write a letter explaining what I intended to do with the VPN, because they will most likely grant permission to that user. My feeling is that Cable and DSL companies have enough to worry about trying to get this new service out to as many customers as possible. They don't have time to track bandwidth use (and probably don't want to get into a legal battle over packet tracking, etc.), therefore they are probably not likely to do anything about VPN users.
To be safe, however, I would look into getting a special exception from the provider before breaking policy.

Good luck,

Steven Anderson
Complete Business Solutions, Inc.

"Brown, Theresa" wrote:

> For those of you who have deployed VPNs in your companies, have you
> encountered issues with the Cable or DSL service providers limiting users'
> access to personal use only? I have seen several clauses from service
> provider contracts that have things like the one in the news flash below.
> What are your plans to address this issue?
>
> Monday, August 21, 2000
> Bandwidth Strategy
> --------------------------------------------------------------------------------
> Source: CableFAX
>
> CableFAX via NewsEdge Corporation: Comcast [CMCSA] refined its cable modem
> policy to prohibit customers from connecting cable modems to virtual private
> networks and extended its authority over the customer's use of cable modem
> service in the interest of getting a better handle on bandwidth hogs. The
> practice could spell trouble for cable marketing campaigns and feeds DSL
> criticism, points out Kagan's Broadband, and it could get worse. "Allowing
> access for multiple ISPs promises to exacerbate the issue because MSOs will
> have even less control over their networks," writes Ian Olgeirson. The
> solution: deeper fiber and more nodes dictated by penetration
> concentrations.

From clheureu at STANDARD.COM Tue Aug 22 12:48:33 2000
From: clheureu at STANDARD.COM (Colette L'Heureux)
Date: Tue, 22 Aug 2000 09:48:33 -0700
Subject: Need help please
Message-ID:

I have been setting up Funk Steel Belted Radius with my Unix server and need a script that will enable me to use the Unix password aging feature without requiring my users to make a separate connection to the Unix server to change their passwords. We are also using a Contivity VPN switch.
Any help will be appreciated.

Colette L'Heureux
Senior Systems Integration Specialist
The Standard Insurance Company
1100 SW 6th Ave MS P8A
Portland, Oregon 97207
(503)321-8181 Phone
(503)321-7290 or (503)478-5830 Fax

From guy.raymakers at EDS.COM Tue Aug 22 05:55:03 2000
From: guy.raymakers at EDS.COM (Raymakers, Guy)
Date: Tue, 22 Aug 2000 10:55:03 +0100
Subject: IPSec dead peer detection
Message-ID:

Hi,

Does someone know about solutions, IPSec implementations that will detect whether the remote peer is down or unreachable? I know that e.g. Cisco is supporting this, but that's only when the IPsec session is set up or renewed. I'm more looking for a solution that will detect a 'dead' peer at any time without having to set a very low SA lifetime.

Thanks for your answers,

Best regards,
Guy

From kyoung at V-ONE.COM Tue Aug 22 10:32:32 2000
From: kyoung at V-ONE.COM (Keith Young)
Date: Tue, 22 Aug 2000 10:32:32 -0400
Subject: VPN - Broadband service providers limiting access for work purposes
References:
Message-ID: <39A28F00.91FE316D@v-one.com>

"Brown, Theresa" wrote:
>
> For those of you who have deployed VPNs in your companies, have you
> encountered issues with the Cable or DSL service providers limiting users'
> access to personal use only? I have seen several clauses from service
> provider contracts that have things like the one in the news flash below.
> What are your plans to address this issue?

The bigger problem is with providers who have NATting firewalls which block anything but TCP/UDP/ICMP traffic, or with providers who install their own network drivers to support their own network config (such as with PPPoE - PPP over Ethernet) so that you can't install protocol drivers like IPSEC.
My best guess (and I may be wrong ;-) is that you are going to see VPN vendors come up with solutions to "get around" the above problems, or you'll see vendors which do have "workarounds" touting those features.

--
--Keith Young
-Director of Customer Care/Support, V-ONE Corp.
-kyoung at v-one.com

From rdonkin at ORCHESTREAM.COM Wed Aug 23 11:12:17 2000
From: rdonkin at ORCHESTREAM.COM (Donkin, Richard)
Date: Wed, 23 Aug 2000 16:12:17 +0100
Subject: VPN and icmp
Message-ID:

> -----Original Message-----
> From: Dana J. Dawson [mailto:dana at INTERPRISE.COM]
> Sent: Mon 21 August 2000 23:27
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: VPN and icmp
>
> Neil Ratzlaff wrote:
>
> > We recently tried to set up a Cisco VPN with some NT servers at our end,
> > the other end had Windows something. Parts of it worked and parts didn't,
> > and we eventually found the cause to be the close Cisco router sending icmp
> > type 3 code 4 packets back to the NT machines. The packets from NT had the
> > 'Don't Fragment' bit set, and Cisco couldn't encrypt them and still fit
> > them under the packet size limit. I suggested the NT owners stop setting
> > the Don't Fragment bit, and they said there was no way to do that. They
> > also cited RFC 1853:
> >
> > 3.1. Tunnel MTU Discovery
> > When the Don't Fragment bit is set by the originator and copied into
> > the outer IP header, the proper MTU of the tunnel will be learned
> > from ICMP (Type 3 Code 4) "Datagram Too Big" errors reported to the
> > encapsulator. To support originating hosts which use this
> > capability, all implementations MUST support Path MTU Discovery
> > [RFC-1191, RFC-1435] within their tunnels.
> >
> > So.... questions:
> > 1. Can NT stop setting the Don't Fragment bit, and if so, how?
> > 2. What is the best way to deal with this situation?
> >
> > Thanks,
> > Neil
>
> If the NT box is setting the DF bit (presumably with the intent of doing MTU
> Path Discovery), and the local Cisco box is replying with Datagram Too Big
> errors, then it's the NT box's responsibility to fall back to a smaller MTU
> until the packets get through. If this isn't happening, it's an NT problem, not
> a Cisco problem. I don't understand where the Cisco bug is, unless there's a
> part of the picture I haven't picked up on.
>
> Dana

This is true if the Cisco tunnel start point router is generating the ICMP message (but I think NT would respond to that). It may be that a mid-tunnel router has a smaller MTU than that of the IPSec tunnel start point; when this mid-tunnel router generates the Datagram Too Big ICMP packet, it goes to the tunnel start point, not to the host. So the host never sees that its MTU is too big, and in fact the tunnel start point may not be able to find out the actual source of the offending packet, since the ICMP packet doesn't include enough header information.

Options are to either turn off Path MTU discovery (search the MS Knowledge Base for articles on this, it's definitely possible) or to explicitly set the MTU lower on the host's NIC.

Richard

--
rdonkin at orchestream.com                  http://www.orchestream.com
Tel: +44 (0)20 7348 1507 (direct)          Orchestream Ltd.
     +44 (0)20 7348 1500 (switchboard)     Avon House, Kensington Village,
Fax: +44 (0)20 7348 1501                   Avonmore Road
>>>> IP Service Activation >>>>            London W14 8TS, UK

From icakmakli at YKB.COM Wed Aug 23 03:26:59 2000
From: icakmakli at YKB.COM (Cakmakli, Ihsan)
Date: Wed, 23 Aug 2000 10:26:59 +0300
Subject: Vpn SLA
Message-ID:

Hi,

I am looking for info about international VPN SLAs. VPNs from the technical side and the cost side are very good. Just set up the VPN, and it works. However, when you're dealing with help desk management and the ISP side, you see the side effects.
Example: my manager asks for the downtime, performance and reliability of the VPN. I can not guarantee these criteria on the international VPNs. What do you suggest for these issues, when your ISP doesn't want to make an SLA about the VPN and your Internet connection?

Regards.

Ihsan Cakmakli
Bilpa A.S.

From neil.ratzlaff at UCOP.EDU Thu Aug 24 16:56:26 2000
From: neil.ratzlaff at UCOP.EDU (Neil Ratzlaff)
Date: Thu, 24 Aug 2000 13:56:26 -0700
Subject: VPN and icmp
In-Reply-To: <39A1ACC3.D70BD6DB@interprise.com>
References: <4.2.0.58.20000816160854.00a6b4e0@popserv.ucop.edu>
Message-ID: <4.2.0.58.20000824134550.00a6f400@popserv.ucop.edu>

It isn't exactly a Cisco bug - I think it is an NT bug, but M$ doesn't agree. Cisco can't encrypt the packet and complains using icmp as it should. The firewall was blocking traffic originating at the Cisco router as we never expected traffic from that source, so the NT machines never saw the icmp traffic. This means we have to allow icmp traffic from ANY source into our network, though we can restrict the type of icmp. (Loki attacks are always lurking around the back of my mind.)

I thought a better solution would be to have NT stop setting the DF, and then Cisco could fragment and encrypt the packet. Secondhand information from M$ says it is not possible to turn off DF, and even if you could, the performance degradation would be unacceptable since NT would convert to using very small packets.

Does internet traffic usually have packets with DF set? I would expect that to be a nuisance as packets traverse so many MTU paths.

Neil

At 05:27 PM 8/21/00 -0500, Dana J. Dawson wrote:
>Neil Ratzlaff wrote:
>
> > We recently tried to set up a Cisco VPN with some NT servers at our end,
> > the other end had Windows something. Parts of it worked and parts didn't,
> > and we eventually found the cause to be the close Cisco router sending icmp
> > type 3 code 4 packets back to the NT machines.
> > The packets from NT had the
> > 'Don't Fragment' bit set, and Cisco couldn't encrypt them and still fit
> > them under the packet size limit. I suggested the NT owners stop setting
> > the Don't Fragment bit, and they said there was no way to do that. They
> > also cited RFC 1853:
> >
> > 3.1. Tunnel MTU Discovery
> > When the Don't Fragment bit is set by the originator and copied into
> > the outer IP header, the proper MTU of the tunnel will be learned
> > from ICMP (Type 3 Code 4) "Datagram Too Big" errors reported to the
> > encapsulator. To support originating hosts which use this
> > capability, all implementations MUST support Path MTU Discovery
> > [RFC-1191, RFC-1435] within their tunnels.
> >
> > So.... questions:
> > 1. Can NT stop setting the Don't Fragment bit, and if so, how?
> > 2. What is the best way to deal with this situation?
> >
> > Thanks,
> > Neil
>
>If the NT box is setting the DF bit (presumably with the intent of doing MTU
>Path Discovery), and the local Cisco box is replying with Datagram Too Big
>errors, then it's the NT box's responsibility to fall back to a smaller MTU
>until the packets get through. If this isn't happening, it's an NT
>problem, not
>a Cisco problem. I don't understand where the Cisco bug is, unless there's a
>part of the picture I haven't picked up on.
>
>Dana
>
>--
>Dana J. Dawson                               dana at interprise.com
>Distinguished Principal Engineer             CCIE #1937
>Qwest Communications International, Inc.     (612) 664-3364
>600 Stinson Blvd., Suite 1S                  (612) 664-4779 (FAX)
>Minneapolis MN 55413-2620
>
>"Hard is where the money is."

From hammond9705 at HOTMAIL.COM Thu Aug 24 12:36:08 2000
From: hammond9705 at HOTMAIL.COM (Bob Hammond)
Date: Thu, 24 Aug 2000 09:36:08 PDT
Subject: @Home bans VPNS
Message-ID:

In practice, how can they detect or prevent VPN users? Doesn't it just look like IP traffic?
Bob

-----Original Message-----
From: Sandy Harris [mailto:sandy at STORM.CA]
Sent: Tuesday, August 15, 2000 6:39 PM
To: VPN at SECURITYFOCUS.COM
Subject: [Fwd: @Home bans VPNS]

-------- Original Message --------
Subject: @Home bans VPNS
Date: Tue, 15 Aug 2000 17:02:11 -0400 (EDT)
From: Matt Cramer
Reply-To: Matt Cramer, Matt Cramer
To: dc-stuff at dis.org

@Home has banned VPNs or encrypted tunneling protocols from their network (!).

http://www.comcastonline.com/subscriber-v3-red.asp
Read 6.B.viii. Use of tunneling crypto makes you a "business" customer subject to the ~10x higher fees.

FOAD, Comcast.

Matt, ADSL and frame relay user

--
Matt Cramer
http://www.voicenet.com/~cramer/
Thou art God and I am God and all that groks is God,
and I am all that I have ever been or seen or felt
or experienced.
-Mike

From david.garrard at CENTRELINK.GOV.AU Tue Aug 22 23:17:23 2000
From: david.garrard at CENTRELINK.GOV.AU (Garrard, David)
Date: Wed, 23 Aug 2000 13:17:23 +1000
Subject: PGPNET/Solaris
Message-ID:

Has anyone gotten the PGPnet IPsec client to talk to the IPsec implementation in Solaris 8?

David L. Garrard

From Michael.Medwid at ARIBA.COM Wed Aug 23 13:33:03 2000
From: Michael.Medwid at ARIBA.COM (Michael Medwid)
Date: Wed, 23 Aug 2000 10:33:03 -0700
Subject: Win2K IPsec Native & Cisco CVPN 3030 (Altiga)
Message-ID: <271DE2625FD4D311949B009027F43B9F01A9BED1@us-mtvmail2.ariba.com>

Has anyone gotten the native IPsec abilities in Windows 2000 working with the Cisco CVPN 3030? Cisco TAC was not able to give me the recipe to make this work.
This, despite the fact that in Cisco's VPN seminar in Mountain View a few months back they said they had co-developed the IPsec abilities that were going to be native in Win2K (arrrgh.) Can anyone shed some light? Thanks.

Michael Medwid
Communications Analyst
Ariba Corp.

From tcraig at SWALES.COM Thu Aug 24 09:21:19 2000
From: tcraig at SWALES.COM (Tobin Craig)
Date: Thu, 24 Aug 2000 09:21:19 -0400
Subject: A plea for help : Nortels Contivity Extranet 1500 series switch
Message-ID:

First of all, thank you to all who responded to my question about Microsoft's PPTP implementation. The information was sufficient to cause us to look at a hardware solution. We are currently evaluating Nortel Networks' Contivity Extranet Switch 1500 series. I'm muddling through the configuration, but would really appreciate knowing if anyone on the group has used or is using this product. Can you email me privately at tcraig at swales.com and let me know of anything I should look out for?

Thanks!

Tobin Craig

From mhw at WITTSEND.COM Thu Aug 24 19:33:09 2000
From: mhw at WITTSEND.COM (Michael H. Warfield)
Date: Thu, 24 Aug 2000 19:33:09 -0400
Subject: @Home bans VPNS
In-Reply-To: ; from hammond9705@HOTMAIL.COM on Thu, Aug 24, 2000 at 09:36:08AM -0700
References:
Message-ID: <20000824193309.B9174@alcove.wittsend.com>

On Thu, Aug 24, 2000 at 09:36:08AM -0700, Bob Hammond wrote:

> In practice, how can they detect or prevent VPN users? Doesn't it just look
> like IP traffic?

Depends upon the VPN. IPSec is protocol 50, so that's REAL easy to spot. PPTP is also real easy to spot. If someone is doing SSL or SSH tunnel based VPNs, that could be extremely difficult, but they're not nearly as good for general purpose VPNs.
> Bob
>
> -----Original Message-----
> From: Sandy Harris [mailto:sandy at STORM.CA]
> Sent: Tuesday, August 15, 2000 6:39 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: [Fwd: @Home bans VPNS]
>
> -------- Original Message --------
> Subject: @Home bans VPNS
> Date: Tue, 15 Aug 2000 17:02:11 -0400 (EDT)
> From: Matt Cramer
> Reply-To: Matt Cramer, Matt Cramer
> To: dc-stuff at dis.org
>
> @Home has banned VPNs or encrypted tunneling protocols from their network
> (!).
>
> http://www.comcastonline.com/subscriber-v3-red.asp
> Read 6.B.viii. Use of tunneling crypto makes you a "business" customer
> subject to the ~10x higher fees.

Counter point: filtering based on protocol types or content means they no longer qualify for common carrier status. Threaten to complain to the FCC!

> FOAD, Comcast.
> Matt, ADSL and frame relay user
>
> --
> Matt Cramer
> http://www.voicenet.com/~cramer/
> Thou art God and I am God and all that groks is God,
> and I am all that I have ever been or seen or felt
> or experienced.
> -Mike

Mike
--
Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)     |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois: MHW9      |  An optimist believes we live in the best of all
  PGP Key: 0xDF1DD471  |  possible worlds.  A pessimist is sure of it!

From jsdy at COSPO.OSIS.GOV Thu Aug 24 19:24:21 2000
From: jsdy at COSPO.OSIS.GOV (Joseph S D Yao)
Date: Thu, 24 Aug 2000 19:24:21 -0400
Subject: @Home bans VPNS
In-Reply-To: ; from hammond9705@HOTMAIL.COM on Thu, Aug 24, 2000 at 09:36:08AM -0700
References:
Message-ID: <20000824192421.X10047@washington.cospo.osis.gov>

On Thu, Aug 24, 2000 at 09:36:08AM -0700, Bob Hammond wrote:
> In practice, how can they detect or prevent VPN users? Doesn't it just look
> like IP traffic?
>
> Bob

While you could put VPN traffic on any port, in practice it is likely to be on port 50 or one of the other IPsec ports. Don't you think?
--
Joe Yao                                jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                            EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

From jsdy at COSPO.OSIS.GOV Fri Aug 25 12:52:53 2000
From: jsdy at COSPO.OSIS.GOV (Joseph S D Yao)
Date: Fri, 25 Aug 2000 12:52:53 -0400
Subject: @Home bans VPNS
In-Reply-To: <31933968789DD111BEAB0080C81D384C31A734@CT_NT>; from Dante@webcti.com on Fri, Aug 25, 2000 at 09:00:51AM -0400
References: <31933968789DD111BEAB0080C81D384C31A734@CT_NT>
Message-ID: <20000825125253.C17721@washington.cospo.osis.gov>

On Fri, Aug 25, 2000 at 09:00:51AM -0400, Dante Mercurio wrote:
> IPSec uses IP Protocol 50, not TCP port 50. It also uses a TCP or UDP port,
> but I don't have the listing handy. You can not change the IP protocol it is
> running over. A scanner looking for IP Protocol 50 can find the packets
> fairly easily, or block them altogether.
>
> --Dante

Sorry, responded too late at night; of course you are right, I have corrected people on that myself. ;-)

Certainly you could change it! SMOP - Simple Matter Of Programming - provided you had both sides with the same mods. Unless you use closed-source software. ;->

--
Joe Yao                                jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                            EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

From rick.blanchard at KORTECO.COM Fri Aug 25 09:36:31 2000
From: rick.blanchard at KORTECO.COM (Rick Blanchard)
Date: Fri, 25 Aug 2000 08:36:31 -0500
Subject: @Home bans VPNS
Message-ID:

The rules referenced are for Comcast @Home. Is this Subscriber Agreement only for Comcast, or have all @Home providers also changed their Subscriber Agreements to outlaw VPN traffic?
Rick

-------- Original Message --------
Subject: @Home bans VPNS
Date: Tue, 15 Aug 2000 17:02:11 -0400 (EDT)
From: Matt Cramer
Reply-To: Matt Cramer ,Matt Cramer
To: dc-stuff at dis.org

@Home has banned VPNs or encrypted tunneling protocols from their network (!).

http://www.comcastonline.com/subscriber-v3-red.asp
Read 6.B.viii. Use of tunneling crypto makes you a "business" customer subject to the ~10x higher fees.

From guy.raymakers at EDS.COM Fri Aug 25 02:31:18 2000
From: guy.raymakers at EDS.COM (Raymakers, Guy)
Date: Fri, 25 Aug 2000 07:31:18 +0100
Subject: IPSec dead peer detection
Message-ID:

Hi Dante,

I'm more looking for a solution where you have two central VPN servers (peer1 and peer2). If a remote VPN peer is connected to peer1 and peer1 dies, then the remote peer should automatically switch to the second peer, peer2. Do you know whether such things exist?

Best regards,
Guy

-----Original Message-----
From: Dante Mercurio [mailto:Dante at webcti.com]
Sent: Friday 25 August 2000 00:00
To: Raymakers, Guy
Subject: RE: IPSec dead peer detection

I haven't seen it implemented into a tunnel monitor, though WatchGuard's implementation with VPN Manager installed comes close to what you are asking. What it won't do, however, is send any kind of notification if the connection is down, though it will show it in the VPN Manager screen.

One solution you may look into is an AlertPage, pinger, or similar program that will contact a host on the far side of the tunnel at given intervals and send an alert if they can not reach it, thus indicating either that host or the tunnel is down.

-Dante

> -----Original Message-----
> From: Raymakers, Guy [mailto:guy.raymakers at EDS.COM]
> Sent: Tuesday, August 22, 2000 5:55 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: IPSec dead peer detection
>
> Hi,
>
> Does someone know about solutions, IPSec implementations that
> will detect whether the remote peer is down or unreachable.
> I know that e.g. Cisco is
> supporting this, but that's only when the IPsec session is set up or
> renewed. I'm more looking for a solution that will detect a 'dead' peer at
> any time without having to set a very low SA lifetime.
>
> Thanks for your answers,
>
> Best regards,
> Guy

From truman at RESEARCH.SUSPICIOUS.ORG Fri Aug 25 03:29:17 2000
From: truman at RESEARCH.SUSPICIOUS.ORG (Truman Boyes)
Date: Fri, 25 Aug 2000 03:29:17 -0400
Subject: @Home bans VPNS
In-Reply-To: <20000824192421.X10047@washington.cospo.osis.gov>
Message-ID:

On Thu, 24 Aug 2000, Joseph S D Yao wrote:
> On Thu, Aug 24, 2000 at 09:36:08AM -0700, Bob Hammond wrote:
> > In practice, how can they detect or prevent VPN users? Doesn't it just look
> > like IP traffic?
> >
> > Bob
>
> While you could put VPN traffic on any port, in practice it is likely
> to be on port 50 or one of the other IPsec ports. Don't you think?

I think you mean to say protocol 50/51 and possibly UDP 500 for isakmpd. Keep in mind, you could always move your secure channels to port 443 and employ filtering, so they can't test your ports. This would probably look like secure HTTP for the most part.

.t.

From yoni at US.RADGUARD.COM Fri Aug 25 14:23:15 2000
From: yoni at US.RADGUARD.COM (Yoni Lebowitsch)
Date: Fri, 25 Aug 2000 11:23:15 -0700
Subject: IPSec dead peer detection
In-Reply-To:
Message-ID:

Radguard's IPSec VPN boxes detect each other's state automatically, irrespective of the SAs' lifetime. They do so by using keepalives.

Best
Yoni

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Raymakers, Guy
Sent: Tuesday, August 22, 2000 2:55 AM
To: VPN at SECURITYFOCUS.COM
Subject: IPSec dead peer detection

Hi,

Does someone know about solutions, IPSec implementations that will detect whether the remote peer is down or unreachable. I know that e.g.
Cisco is supporting this, but that's only when the IPsec session is set up or renewed. I'm more looking for a solution that will detect a 'dead' peer at any time without having to set a very low SA lifetime.

Thanks for your answers,

Best regards,
Guy

From johnb at SOLITON.COM Fri Aug 25 15:15:06 2000
From: johnb at SOLITON.COM (john benjamins)
Date: Fri, 25 Aug 2000 15:15:06 -0400
Subject: @Home bans VPNS
In-Reply-To: ; from hammond9705@HOTMAIL.COM on Thu, Aug 24, 2000 at 09:36:08AM -0700
References:
Message-ID: <20000825151506.C8423@edge.tor.soliton.com>

On Thu, Aug 24, 2000 around 09:36 +0000 Bob Hammond may have written:
} In practice, how can they detect or prevent VPN users? Doesn't it just look
} like IP traffic?

remember that there are a number of IP protocols:

TCP is IP protocol 6
UDP is IP protocol 17
ICMP is IP protocol 1
IPSec ESP is IP protocol 50
IPSec AH is IP protocol 51
PPTP uses TCP port 1723, but also IP protocol 43 (GRE)

so now your ISP just has to allow only protocols 1, 6 and 17.

note these are protocol numbers, not TCP/UDP port numbers, which are a different thing altogether (e.g. on Unix, see /etc/protocols, as opposed to /etc/services).

hope this helps,
-john

-----
john benjamins johnb at soliton.com
-----
The authorities on whom I depend suggest that we are all warped and that only Pat Boone is not. I am comfortable with that.
- Padgett Powell, Mississippi Review, Vol. 27, No. 3

From carlsonmail at YAHOO.COM Fri Aug 25 09:30:33 2000
From: carlsonmail at YAHOO.COM (Chris Carlson)
Date: Fri, 25 Aug 2000 06:30:33 -0700
Subject: @Home bans VPNS
Message-ID: <20000825133033.15499.qmail@web2302.mail.yahoo.com>

While IPSec traffic is easy to spot (IP types 50, 51 and UDP port 500), vendor support of NAT transparency masks this. Most IPSec vendors' NAT transparency implementations use a UDP packet to transmit the IPSec packet.
Check Point has registered some high port (UDP 2746) for this use, and Isolation Systems (bought by Shiva) used UDP 2233.

So, while broadband providers can easily block IPSec and PPTP/L2TP tunnels at their edge or core routers, they'll be hard-pressed to research, discover, and continually update the NAT transparency UDP ports.

Not to mention other non-IPSec VPNs, like Michael mentioned: SSH, SSL, SOCKS, or even SKIP. Imagine client software that behaves like a virtual IP adapter but tunnels the connection in SSL over port 443. There's NO WAY that broadband providers can filter that.

Hmmm... any VPN vendors out there? Why not make SSL/443 one of the ports used by your IPSec NAT transparency? We can bypass this ridiculous service agreement once and for all!

Regards,
Chris

--- "Michael H. Warfield" wrote:
> On Thu, Aug 24, 2000 at 09:36:08AM -0700, Bob Hammond wrote:
> > In practice, how can they detect or prevent VPN users? Doesn't it just look
> > like IP traffic?
>
> Depends upon the VPN. IPSec is protocol 50 so that's REAL easy
> to spot. PPTP is also real easy to spot. If someone is doing SSL or
> SSH tunnel based VPNs, that could be extremely difficult, but they're
> not nearly as good for general purpose VPNs.
>
> > Bob
> > -----Original Message-----
> > From: Sandy Harris [mailto:sandy at STORM.CA]
> > Sent: Tuesday, August 15, 2000 6:39 PM
> > To: VPN at SECURITYFOCUS.COM
> > Subject: [Fwd: @Home bans VPNS]
> >
> > -------- Original Message --------
> > Subject: @Home bans VPNS
> > Date: Tue, 15 Aug 2000 17:02:11 -0400 (EDT)
> > From: Matt Cramer
> > Reply-To: Matt Cramer ,Matt Cramer
> > To: dc-stuff at dis.org
> >
> > @Home has banned VPNs or encrypted tunneling protocols from their network
> > (!).
> >
> > http://www.comcastonline.com/subscriber-v3-red.asp
> > Read 6.B.viii. Use of tunneling crypto makes you a "business" customer
> > subject to the ~10x higher fees.
>
> Counterpoint: filtering based on protocol types or content means
> they no longer qualify for common carrier status. Threaten to complain
> to the FCC!
>
> > FOAD, Comcast.
> > Matt, ADSL and frame relay user
> >
> > --
> > Matt Cramer
> > http://www.voicenet.com/~cramer/
> > Thou art God and I am God and all that groks is God,
> > and I am all that I have ever been or seen or felt
> > or experienced.
> > -Mike
>
> Mike
> --
> Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
> (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

From cfinney at NETEXPRESS.NET Fri Aug 25 14:27:24 2000
From: cfinney at NETEXPRESS.NET (Charles Finney*)
Date: Fri, 25 Aug 2000 13:27:24 -0500
Subject: @Home bans VPNS
Message-ID: <967228044.39a6ba8ced9db@www.secureserver.com>

As I understand things, ESP is protocol 50 and ISAKMP is typically UDP=500 under IPsec. Encryption under IPsec for any purpose, VPN or otherwise, must utilize protocol 50 and likely will use UDP=500. To filter VPN traffic would require the invalid premise that any IPsec encrypted traffic must be VPN traffic.

The truth of the matter is my ISP sold me bandwidth. How I use it is none of their business. I understand the desire to cripple the service provided for financial gain; however, the ISP marketed bandwidth and Internet connectivity and sold bandwidth and Internet connectivity. That's what I expect to use.
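The protocol-number point made above (john's list of IP protocol numbers, and the ISAKMP port Charles and Chris mention) is easiest to see with a packet in hand. What follows is an added example, not code from any poster: it builds a few constructed IPv4 packets and reports, for each, what a firewall or router rule would actually have to match, which is the information an administrator needs to permit or log IPsec correctly. The addresses, SPIs and port numbers in the samples are made up; the protocol numbers are the IANA assignments (GRE is 47), and the only port the example knows about is UDP 500.

```python
"""Classify constructed IPv4 packets by the field a filter rule must match.

Added example, not from the mailing-list thread. Shows why a TCP/UDP
port rule never sees ESP or AH: they sit one layer down, in the IP
protocol field, exactly as /etc/protocols (not /etc/services) lists them.
"""
import struct

# IANA IP protocol numbers (the /etc/protocols values).
IPPROTO = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}
ISAKMP_PORT = 500  # IKE/ISAKMP runs over UDP 500


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.20"):
    """Minimal IPv4 header (IHL=5, no options, checksum left zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      _ip(src), _ip(dst))
    return hdr + payload


def build_udp(sport, dport, data):
    """UDP header (checksum left zero) + data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(pkt):
    """Return (label, what a filter rule must match) for one IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    proto = pkt[9]                       # the IP protocol field
    name = IPPROTO.get(proto, "proto %d" % proto)
    body = pkt[ihl:]
    if proto == 50 and len(body) >= 8:   # ESP: SPI, sequence number
        spi, = struct.unpack("!I", body[:4])
        return "ESP", "ip protocol 50 (spi 0x%08x)" % spi
    if proto == 51 and len(body) >= 8:   # AH: next hdr, len, reserved, SPI
        spi, = struct.unpack("!I", body[4:8])
        return "AH", "ip protocol 51 (spi 0x%08x)" % spi
    if proto in (6, 17) and len(body) >= 4:   # only here are ports visible
        sport, dport = struct.unpack("!HH", body[:4])
        if proto == 17 and ISAKMP_PORT in (sport, dport):
            return "ISAKMP", "udp port 500"
        return name, "%s port %d -> %d" % (name.lower(), sport, dport)
    return name, "ip protocol %d" % proto


def port_rule_sees(pkt):
    """True only if a TCP/UDP port-based rule could ever match this packet."""
    return pkt[9] in (6, 17)


# Constructed sample packets (not captures): what a VPN gateway puts on
# the wire, plus an ordinary TCP segment for contrast.
SAMPLES = {
    "esp": build_ipv4(50, struct.pack("!II", 0x1234ABCD, 1) + bytes(16)),
    "ah":  build_ipv4(51, struct.pack("!BBHII", 6, 4, 0, 0xDEADBEEF, 7) + bytes(12)),
    "ike": build_ipv4(17, build_udp(500, 500, bytes(28))),
    "gre": build_ipv4(47, bytes([0x30, 0x01, 0x88, 0x0B])),  # PPTP-style GRE header
    "web": build_ipv4(6, struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 1024, 0, 0)),
}


def main():
    for key, pkt in SAMPLES.items():
        label, match = classify(pkt)
        print("%-4s %-6s %-34s port-rule-visible=%s"
              % (key, label, match, port_rule_sees(pkt)))


if __name__ == "__main__":
    main()
```

Run as a script it prints one line per sample; the two IPsec packets come out as `ip protocol 50`/`51` with `port-rule-visible=False`, which is the whole of Mike's "off by an entire layer" point, while the IKE exchange is the one piece that a plain UDP rule does catch.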
From smorison at TEXT100.COM.AU Thu Aug 24 23:33:32 2000
From: smorison at TEXT100.COM.AU (Stephen Morison (TEXT100 AU))
Date: Fri, 25 Aug 2000 13:33:32 +1000
Subject: @Home bans VPNS
Message-ID:

@Home in Australia use "heart beat" packets. It's part of their custom software that you install, and if the packet is not returned within X seconds they drop the connection.

However, they do allow VPNs at this time; we just have to manually set routing on each computer, which is a real pain in the neck.

Stephen Morison
IT Manager Asia Pacific
Text 100 Public Relations
Global High Technology Public Relations
Level 28, Northpoint
100 Miller Street
North Sydney NSW 2060
Australia
Telephone: +61 2 9956 5733
Facsimile: +61 2 9956 5406
Mobile: +61 416 224 669
Email: smorison at text100.com.au
http://www.text100.com.au

-----Original Message-----
From: Michael H. Warfield [mailto:mhw at WITTSEND.COM]
Sent: Friday, 25 August 2000 7:33 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: @Home bans VPNS

On Thu, Aug 24, 2000 at 09:36:08AM -0700, Bob Hammond wrote:
> In practice, how can they detect or prevent VPN users? Doesn't it just look
> like IP traffic?

Depends upon the VPN. IPSec is protocol 50 so that's REAL easy to spot. PPTP is also real easy to spot. If someone is doing SSL or SSH tunnel based VPNs, that could be extremely difficult, but they're not nearly as good for general purpose VPNs.

> Bob
> -----Original Message-----
> From: Sandy Harris [mailto:sandy at STORM.CA]
> Sent: Tuesday, August 15, 2000 6:39 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: [Fwd: @Home bans VPNS]
>
> -------- Original Message --------
> Subject: @Home bans VPNS
> Date: Tue, 15 Aug 2000 17:02:11 -0400 (EDT)
> From: Matt Cramer
> Reply-To: Matt Cramer ,Matt Cramer
> To: dc-stuff at dis.org
>
> @Home has banned VPNs or encrypted tunneling protocols from their network
> (!).
>
> http://www.comcastonline.com/subscriber-v3-red.asp
> Read 6.B.viii.
> Use of tunneling crypto makes you a "business" customer
> subject to the ~10x higher fees.

Counterpoint: filtering based on protocol types or content means they no longer qualify for common carrier status. Threaten to complain to the FCC!

> FOAD, Comcast.
> Matt, ADSL and frame relay user
>
> --
> Matt Cramer
> http://www.voicenet.com/~cramer/
> Thou art God and I am God and all that groks is God,
> and I am all that I have ever been or seen or felt
> or experienced.
> -Mike

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

From cyanboy at YAHOO.COM Thu Aug 24 21:25:45 2000
From: cyanboy at YAHOO.COM (Scott S)
Date: Thu, 24 Aug 2000 18:25:45 -0700
Subject: netscreen opinions..
Message-ID: <20000825012545.5356.qmail@web3005.mail.yahoo.com>

I am currently evaluating using NetScreens to replace the PIX firewalls I am using now as I expand my VPN-based WAN. Two things I have noticed so far: the virtual IP internal/external IP mapping function seems a bit limited. It seems I can only redirect certain services; ssh is one that seems to be missing. Is the alternative just to use the IP mapping function and do access-lists? Also, on the PIX one IP address is reserved for doing PAT; the NetScreen doesn't seem to have that option.

Anyway, if anyone out there has real world experience with these boxes I'd love to hear opinions about them in terms of reliability, speed and other little problems like the two I mentioned above.

-Scott
From dana at INTERPRISE.COM Fri Aug 25 15:43:21 2000
From: dana at INTERPRISE.COM (Dana J. Dawson)
Date: Fri, 25 Aug 2000 14:43:21 -0500
Subject: IPSec dead peer detection
References:
Message-ID: <39A6CC58.68B55FB8@interprise.com>

"Raymakers, Guy" wrote:
> Hi,
>
> Does someone know about solutions, IPSec implementations that will detect
> whether the remote peer is down or unreachable. I know that e.g. Cisco is
> supporting this, but that's only when the IPsec session is set up or
> renewed. I'm more looking for a solution that will detect a 'dead' peer at
> any time without having to set a very low SA lifetime.
>
> Thanks for your answers,
>
> Best regards,
> Guy

Cisco now supports IKE SA keepalives to address exactly this problem. You can read about it here:

HTH

Dana
--
Dana J. Dawson dana at interprise.com
Distinguished Principal Engineer CCIE #1937
Qwest Communications International, Inc. (612) 664-3364
600 Stinson Blvd., Suite 1S (612) 664-4779 (FAX)
Minneapolis MN 55413-2620

"Hard is where the money is."

From mark at MOTLEYNET.COM Fri Aug 25 16:41:00 2000
From: mark at MOTLEYNET.COM (Mark Motley)
Date: Fri, 25 Aug 2000 13:41:00 -0700
Subject: @Home bans VPNS
Message-ID:

Hey, just an access-list is all that's needed... block UDP 500 (ISAKMP) and IP Protocol 50 (ESP) and you're dead.

I'm running IPSEC across MediaOne cable modem now, but I haven't checked their policies lately to see what they have to say about it. Frankly, I think most of this stuff is just documented so they can bust people who abuse it... case in point, MediaOne bans the installation of any server on the customer's equipment, but you still can. However, I bet if you decided to start another yahoo.com using your cable modem, they would pull out that agreement....
- MBM

-----Original Message-----
From: Bob Hammond [mailto:hammond9705 at HOTMAIL.COM]
Sent: Thursday, August 24, 2000 9:36 AM
To: VPN at SECURITYFOCUS.COM
Subject: @Home bans VPNS

In practice, how can they detect or prevent VPN users? Doesn't it just look like IP traffic?

Bob

-----Original Message-----
From: Sandy Harris [mailto:sandy at STORM.CA]
Sent: Tuesday, August 15, 2000 6:39 PM
To: VPN at SECURITYFOCUS.COM
Subject: [Fwd: @Home bans VPNS]

-------- Original Message --------
Subject: @Home bans VPNS
Date: Tue, 15 Aug 2000 17:02:11 -0400 (EDT)
From: Matt Cramer
Reply-To: Matt Cramer ,Matt Cramer
To: dc-stuff at dis.org

@Home has banned VPNs or encrypted tunneling protocols from their network (!).

http://www.comcastonline.com/subscriber-v3-red.asp
Read 6.B.viii. Use of tunneling crypto makes you a "business" customer subject to the ~10x higher fees.

FOAD, Comcast.
Matt, ADSL and frame relay user

--
Matt Cramer
http://www.voicenet.com/~cramer/
Thou art God and I am God and all that groks is God,
and I am all that I have ever been or seen or felt
or experienced.
-Mike

From sandy at STORM.CA Thu Aug 24 22:25:31 2000
From: sandy at STORM.CA (Sandy Harris)
Date: Thu, 24 Aug 2000 22:25:31 -0400
Subject: VPN and icmp
References: <4.2.0.58.20000816160854.00a6b4e0@popserv.ucop.edu> <4.2.0.58.20000824134550.00a6f400@popserv.ucop.edu>
Message-ID: <39A5D91B.C75D2C4C@storm.ca>

Neil Ratzlaff wrote:
>
> It isn't exactly a Cisco bug - I think it is an NT bug, but M$ doesn't
> agree. Cisco can't encrypt the packet and complains using icmp as it
> should.

RFC 2401 has a 10-page discussion of path MTU issues.

...
an administrator should be able to configure the router's treatment of the DF bit (set, clear, copy from inner header) for each interface.
...
If required, IP fragmentation occurs after IPSEC processing
...

My reading is that it should be possible to configure the Cisco to clear DF and, if necessary, fragment the outgoing packet. This is a "should", not a "must". Check Cisco docs.

> The firewall was blocking traffic originating at the Cisco router
> as we never expected traffic from that source, so the NT machines never saw
> the icmp traffic.

I'd say that was a mis-configured firewall.

> This means we have to allow icmp traffic from ANY source into our network,
> though we can restrict the type of icmp. (Loki attacks are always lurking
> around the back of my mind.) I thought a better solution would be to have
> NT stop setting the DF, and then Cisco could fragment and encrypt the
> packet. Secondhand information from M$ says it is not possible to turn off
> DF, and even if you could the performance degradation would be unacceptable
> since NT would convert to using very small packets.
>
> Does internet traffic usually have packets with DF set? I would expect
> that to be a nuisance as packets traverse so many MTU paths.

This is very common. See RFC 1191.

> Neil
>
> At 05:27 PM 8/21/00 -0500, Dana J. Dawson wrote:
> >Neil Ratzlaff wrote:
> >
> > > We recently tried to set up a Cisco VPN with some NT servers at our end,
> > > the other end had Windows something. Parts of it worked and parts didn't,
> > > and we eventually found the cause to be the close Cisco router sending icmp
> > > type 3 code 4 packets back to the NT machines. The packets from NT had the
> > > 'Don't Fragment' bit set, and Cisco couldn't encrypt them and still fit
> > > them under the packet size limit. I suggested the NT owners stop setting
> > > the Don't Fragment bit, and they said there was no way to do that. They
> > > also cited RFC 1853:
> > >
> > > 3.1.
> > > Tunnel MTU Discovery
> > > When the Don't Fragment bit is set by the originator and copied into
> > > the outer IP header, the proper MTU of the tunnel will be learned
> > > from ICMP (Type 3 Code 4) "Datagram Too Big" errors reported to the
> > > encapsulator. To support originating hosts which use this
> > > capability, all implementations MUST support Path MTU Discovery
> > > [RFC-1191, RFC-1435] within their tunnels.
> > >
> > > So.... questions:
> > > 1. Can NT stop setting the Don't Fragment bit, and if so, how?
> > > 2. What is the best way to deal with this situation?
> > >
> > > Thanks,
> > > Neil
> >
> >If the NT box is setting the DF bit (presumably with the intent of doing MTU
> >Path Discovery), and the local Cisco box is replying with Datagram Too Big
> >errors, then it's the NT box's responsibility to fall back to a smaller MTU
> >until the packets get through. If this isn't happening, it's an NT
> >problem, not a Cisco problem. I don't understand where the Cisco bug is,
> >unless there's a part of the picture I haven't picked up on.
> >
> >Dana
> >
> >--
> >Dana J. Dawson dana at interprise.com
> >Distinguished Principal Engineer CCIE #1937
> >Qwest Communications International, Inc. (612) 664-3364
> >600 Stinson Blvd., Suite 1S (612) 664-4779 (FAX)
> >Minneapolis MN 55413-2620
> >
> >"Hard is where the money is."

From mhw at WITTSEND.COM Thu Aug 24 20:40:54 2000
From: mhw at WITTSEND.COM (Michael H.
Warfield)
Date: Thu, 24 Aug 2000 20:40:54 -0400
Subject: @Home bans VPNS
In-Reply-To: <20000824192421.X10047@washington.cospo.osis.gov>; from jsdy@COSPO.OSIS.GOV on Thu, Aug 24, 2000 at 07:24:21PM -0400
References: <20000824192421.X10047@washington.cospo.osis.gov>
Message-ID: <20000824204054.C9174@alcove.wittsend.com>

On Thu, Aug 24, 2000 at 07:24:21PM -0400, Joseph S D Yao wrote:
> On Thu, Aug 24, 2000 at 09:36:08AM -0700, Bob Hammond wrote:
> > In practice, how can they detect or prevent VPN users? Doesn't it just look
> > like IP traffic?
> > Bob

> While you could put VPN traffic on any port, in practice it is likely
> to be on port 50 or one of the other IPsec ports. Don't you think?

No no no... Repeat after me... IPSec is not on port 50. IPsec is not on a port at all. IPSec is IP protocol 50. Just like UDP is protocol 17, TCP is protocol 6, and ICMP is protocol 1, IPSec is protocol 50. It cannot be put on another port because it is not on a port to begin with. You are off by an entire layer.

> --
> Joe Yao jsdy at cospo.osis.gov - Joseph S. D. Yao
> COSPO/OSIS Computer Support EMT-B
> -----------------------------------------------------------------------
> This message is not an official statement of COSPO policies.

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

From marcvh at AVENTAIL.COM Fri Aug 25 17:42:43 2000
From: marcvh at AVENTAIL.COM (Marc VanHeyningen)
Date: Fri, 25 Aug 2000 14:42:43 -0700
Subject: @Home bans VPNS
In-Reply-To: Your message of "Fri, 25 Aug 2000 12:52:53 EDT."
<20000825125253.C17721@washington.cospo.osis.gov>
Message-ID: <28133.967239763@aventail.com>

Joseph S D Yao sed:
> On Fri, Aug 25, 2000 at 09:00:51AM -0400, Dante Mercurio wrote:
> > IPSec uses IP Protocol 50, not TCP port 50. It also uses a TCP or UDP port,
> > but I don't have the listing handy. You can not change the IP protocol it is
> > running over. A scanner looking for IP Protocol 50 can find the packets
> > fairly easily, or block them altogether.
>
> Sorry, responded too late at night, of course you are right, I have
> corrected people on that myself. ;-) Certainly you could change it!
> SMOP - Simple Matter Of Programming - provided you had both sides with
> the same mods. Unless you use closed-source software. ;->

They also block other mechanisms of doing things they think might qualify as VPNs; for example, they block port 1080 (SOCKS), which can be used for remote access and the like. I would guess they also have blocks for PPTP (GRE), L2TP, and possibly SSH.

Of course, as you say, "hiding" services by changing their characteristics to something non-standard is possible, though implementations (particularly those involving appliances or other hardware) may not make it easy.

- Marc
--
Marc VanHeyningen marcvh at aventail.com
Internet Security Architect Aventail http://www.aventail.com/

From jehorton at EROLS.COM Fri Aug 25 18:10:01 2000
From: jehorton at EROLS.COM (John Horton)
Date: Fri, 25 Aug 2000 18:10:01 -0400
Subject: @Home bans VPNS
In-Reply-To: <967228044.39a6ba8ced9db@www.secureserver.com>
Message-ID: <4.3.2.7.2.20000825180715.0494aed0@pop.erols.com>

I wonder if it would be a valid lawsuit to sue @Home on the grounds of abridging your first amendment rights - namely that to free speech, much in the same way that suits were brought against the HOAs for prohibiting the use of satellite dishes in one's yard.
At 02:27 PM 08/25/2000, Charles Finney* wrote:
>As I understand things, ESP is protocol 50 and ISAKMP is typically UDP=500
>under IPsec. Encryption under IPsec for any purpose, VPN or otherwise, must
>utilize protocol 50 and likely will use UDP=500. To filter VPN traffic
>would require the invalid premise that any IPsec encrypted traffic must be VPN
>traffic.
>
>The truth of the matter is my ISP sold me bandwidth. How I use it is none of
>their business. I understand the desire to cripple the service provided for
>financial gain; however, the ISP marketed bandwidth and Internet
>connectivity and sold bandwidth and Internet connectivity. That's what I
>expect to use.

From jsdy at COSPO.OSIS.GOV Fri Aug 25 18:22:39 2000
From: jsdy at COSPO.OSIS.GOV (Joseph S D Yao)
Date: Fri, 25 Aug 2000 18:22:39 -0400
Subject: @Home bans VPNS
In-Reply-To: ; from rick.blanchard@korteco.com on Fri, Aug 25, 2000 at 08:36:31AM -0500
References:
Message-ID: <20000825182239.I17721@washington.cospo.osis.gov>

On Fri, Aug 25, 2000 at 08:36:31AM -0500, Rick Blanchard wrote:
> The rules referenced are for Comcast at Home.
>
> Is this Subscriber Agreement only for Comcast, or have all @Home providers
> also changed their Subscriber Agreements to outlaw VPN traffic?
>
> Rick

You may have to enlighten most of us as to the differences. Are you saying that there are @Home "franchisees"?

--
Joe Yao jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
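The DF-bit discussion in Sandy Harris's "VPN and icmp" message above (RFC 2401's set/clear/copy knob, fragmentation after IPsec processing, and the ICMP type 3 code 4 reports that Neil's firewall was dropping) can be worked through as a small model. This is an added example, not code from any poster, Cisco or Microsoft: the ESP overhead figures are illustrative assumptions (tunnel mode, 3DES-CBC with an 8-byte IV, a 96-bit ICV), the link MTU of 1500 is a constructed input, and the host side is the generic RFC 1191 behaviour rather than any particular NT stack.

```python
"""DF-bit handling and path MTU discovery across an IPsec tunnel.

Added example for the "VPN and icmp" thread; not code from any poster.
Overhead figures are assumptions (tunnel-mode ESP, 3DES-CBC, 96-bit ICV);
a real gateway's numbers depend on the transforms it negotiated.
"""

OUTER_IP = 20      # outer IPv4 header added in tunnel mode
ESP_HDR = 8        # SPI + sequence number
ESP_IV = 8         # 3DES-CBC initialisation vector (assumed transform)
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 12       # HMAC-MD5-96 / HMAC-SHA1-96 authentication data
BLOCK = 8          # cipher block: payload + trailer is padded up to it


def esp_tunnel_size(inner_len):
    """Wire size of an inner datagram after tunnel-mode ESP."""
    padded = -(-(inner_len + ESP_TRAILER) // BLOCK) * BLOCK  # ceil to block
    return OUTER_IP + ESP_HDR + ESP_IV + padded + ESP_ICV


def max_inner_for(link_mtu):
    """Largest inner datagram whose encapsulated form fits link_mtu; this is
    the next-hop MTU the ICMP 'fragmentation needed' message must carry."""
    n = link_mtu
    while n > 0 and esp_tunnel_size(n) > link_mtu:
        n -= 1
    return n


def fragment(outer_len, link_mtu):
    """IP-fragment the *outer* packet (RFC 2401: after IPsec processing).
    Every fragment but the last carries a multiple of 8 payload bytes."""
    per = ((link_mtu - OUTER_IP) // 8) * 8
    payload = outer_len - OUTER_IP
    sizes = []
    while payload > 0:
        chunk = min(per, payload)
        sizes.append(OUTER_IP + chunk)
        payload -= chunk
    return sizes


def encapsulate(inner_len, inner_df, df_policy, link_mtu):
    """What the tunnel endpoint does with one inner datagram.

    df_policy is the per-interface setting RFC 2401 asks for: 'copy' the
    inner DF bit into the outer header, force it 'set', or 'clear' it.
    Returns ('forward', size), ('fragment', [sizes]) or ('icmp_3_4', mtu).
    """
    outer_df = {"copy": inner_df, "set": True, "clear": False}[df_policy]
    size = esp_tunnel_size(inner_len)
    if size <= link_mtu:
        return "forward", size
    if outer_df:
        # Outer DF set: cannot fragment, so report ICMP type 3 code 4 to the
        # originator with the MTU it should use instead (RFC 1191).
        return "icmp_3_4", max_inner_for(link_mtu)
    return "fragment", fragment(size, link_mtu)


def sender_pmtud(initial_len, df_policy, link_mtu, icmp_reaches_host=True,
                 max_rounds=8):
    """Originating host doing path MTU discovery with DF set.

    Returns (outcome, final_len, rounds). 'black_hole' is Neil's situation:
    a firewall drops the router's ICMP, so the host never learns and keeps
    resending a packet that can never be delivered.
    """
    length = initial_len
    for attempt in range(1, max_rounds + 1):
        action, info = encapsulate(length, True, df_policy, link_mtu)
        if action != "icmp_3_4":
            return action, length, attempt
        if not icmp_reaches_host:
            return "black_hole", length, attempt
        length = info  # shrink to the advertised MTU and retry
    return "stuck", length, max_rounds


if __name__ == "__main__":
    print(encapsulate(1500, True, "copy", 1500))    # ('icmp_3_4', 1446)
    print(encapsulate(1500, True, "clear", 1500))   # ('fragment', [1500, 72])
    print(sender_pmtud(1500, "copy", 1500))          # ('forward', 1446, 2)
    print(sender_pmtud(1500, "copy", 1500, icmp_reaches_host=False))
```

The three runs at the bottom are the three outcomes the thread argues over: with DF copied, a full-size packet draws an ICMP report and the host converges on 1446 bytes in one round trip; with the router configured to clear DF, the same packet goes out as two fragments and the host never needs to hear about it; and with the ICMP report filtered, nothing converges at all. The narrow firewall rule that fixes the last case is the one Neil mentions, permitting ICMP type 3 code 4 from the router rather than all ICMP from anywhere.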
From Michael.Medwid at ARIBA.COM Fri Aug 25 18:07:36 2000
From: Michael.Medwid at ARIBA.COM (Michael Medwid)
Date: Fri, 25 Aug 2000 15:07:36 -0700
Subject: IPSec dead peer detection
Message-ID: <271DE2625FD4D311949B009027F43B9F01A9BFA2@us-mtvmail2.ariba.com>

I just ran into a very similar situation. I have two Cisco CVPN3030s (Altiga) at a corporate hub and a spoke office. The two make an IPsec LAN to LAN connection, 3DES, MD5 yadayada. But then the near side 3030 crashed. I waited nearly an hour but the LAN-LAN connection never came back. So I had to call the remote office and they had to reboot the 3030. Then the tunnel came back. I have a ticket open in Cisco Forum on this also.

-----Original Message-----
From: Yoni Lebowitsch [mailto:yoni at US.RADGUARD.COM]
Sent: Friday, August 25, 2000 11:23 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: IPSec dead peer detection

Radguard's IPSec VPN boxes detect each other's state automatically, irrespective of the SAs' lifetime. They do so by using keepalives.

Best
Yoni

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Raymakers, Guy
Sent: Tuesday, August 22, 2000 2:55 AM
To: VPN at SECURITYFOCUS.COM
Subject: IPSec dead peer detection

Hi,

Does someone know about solutions, IPSec implementations that will detect whether the remote peer is down or unreachable. I know that e.g. Cisco is supporting this, but that's only when the IPsec session is set up or renewed. I'm more looking for a solution that will detect a 'dead' peer at any time without having to set a very low SA lifetime.
Thanks for your answers,

Best regards,
Guy

From rick.blanchard at KORTECO.COM Fri Aug 25 21:28:37 2000
From: rick.blanchard at KORTECO.COM (Rick Blanchard)
Date: Fri, 25 Aug 2000 20:28:37 -0500
Subject: @Home bans VPNS
Message-ID:

I may be mistaken in this, but it is how I understand it.

The original referenced Usage Agreement was from Comcast's website. Comcast is a cable TV provider in some regional area. Where I live we have AT&T Cable. We also have AT&T at Home. Same @Home, different cable provider.

At http://www.comcastonline.com/aboutus.asp it says that Comcast and @Home are partners.

This is the question: Does each cable provider make up their own access rules, or do all the @Home services use the same set of rules?

Since the only one I've seen to be restrictive is Comcast at Home, I am assuming each cable provider sets their own rules. I could be wrong.

Just my $.02

Rick

-----Original Message-----
From: Joseph S D Yao [mailto:jsdy at cospo.osis.gov]
Sent: Friday, August 25, 2000 5:23 PM
To: Rick Blanchard
Cc: VPN at SECURITYFOCUS.COM
Subject: Re: @Home bans VPNS

On Fri, Aug 25, 2000 at 08:36:31AM -0500, Rick Blanchard wrote:
> The rules referenced are for Comcast at Home.
>
> Is this Subscriber Agreement only for Comcast, or have all @Home providers
> also changed their Subscriber Agreements to outlaw VPN traffic?
>
> Rick

You may have to enlighten most of us as to the differences. Are you saying that there are @Home "franchisees"?

--
Joe Yao jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
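The "IPSec dead peer detection" thread above (Guy's peer1/peer2 failover question, Yoni's and Dana's keepalives, and Michael Medwid's tunnel that stayed down for an hour after a crash) comes down to one mechanism: probe the peer on a short timer and act on missed replies instead of waiting for an SA lifetime to expire. The following is an added example, not code from any poster or vendor. It models keepalives generically (a sequence-numbered probe and its acknowledgement) rather than IKE's own DPD payloads; the peer names, the 10-second interval, the three-miss threshold and the simulated crash at t=35 are all assumptions chosen for the demonstration.

```python
"""Keepalive-based dead peer detection with failover to a second gateway.

Added example for the "IPSec dead peer detection" thread; not code from
any poster or vendor. Generic probe/ack model, not IKE's DPD encoding.
Peer names, timings and the simulated crash are assumptions.
"""
import time


class PeerMonitor:
    """Probe the active peer every `interval` seconds; after `max_missed`
    unanswered probes declare it dead and switch to the next peer."""

    def __init__(self, peers, interval=10.0, max_missed=3,
                 clock=time.monotonic, send=None):
        self.peers = list(peers)          # preference order: peer1, peer2, ...
        self.active = 0
        self.interval = float(interval)
        self.max_missed = max_missed
        self.clock = clock                # injectable so tests can fake time
        self.send = send or (lambda peer, seq: None)
        self.seq = 0
        self.outstanding = {}             # seq -> time sent, awaiting ack
        self.missed = 0
        self.last_sent = None
        self.events = []                  # ("dead", old_peer, new_peer, when)

    @property
    def active_peer(self):
        return self.peers[self.active]

    def tick(self):
        """Call periodically (more often than `interval`)."""
        now = self.clock()
        if self.last_sent is None or now - self.last_sent >= self.interval:
            self.seq += 1
            self.outstanding[self.seq] = now
            self.send(self.active_peer, self.seq)
            self.last_sent = now
        # A probe unanswered for a full interval counts as one miss.
        for seq, sent_at in list(self.outstanding.items()):
            if now - sent_at >= self.interval:
                del self.outstanding[seq]
                self.missed += 1
        if self.missed >= self.max_missed:
            self._failover(now)

    def ack(self, peer, seq):
        """Process a keepalive reply. Only a reply from the active peer to a
        probe still outstanding resets the miss counter; stale or replayed
        sequence numbers are ignored, so an old reply cannot revive a peer."""
        if peer != self.active_peer or seq not in self.outstanding:
            return False
        del self.outstanding[seq]
        self.missed = 0
        return True

    def _failover(self, now):
        old = self.active_peer
        self.active = (self.active + 1) % len(self.peers)
        self.events.append(("dead", old, self.active_peer, now))
        self.missed = 0
        self.outstanding.clear()
        self.last_sent = None   # probe the new peer on the very next tick


def simulate(peer1_dies_at=35, end=100, interval=10, max_missed=3):
    """Drive the monitor with a fake clock: peer1 answers until it crashes
    at `peer1_dies_at`; peer2 always answers. Returns a summary dict."""
    now = [0.0]
    sent = []
    mon = PeerMonitor(["peer1", "peer2"], interval, max_missed,
                      clock=lambda: now[0],
                      send=lambda peer, seq: sent.append((peer, seq)))
    acked = {"peer1": 0, "peer2": 0}
    for t in range(end + 1):
        now[0] = float(t)
        mon.tick()
        while sent:                       # deliver replies from live peers
            peer, seq = sent.pop()
            alive = peer == "peer2" or t < peer1_dies_at
            if alive and mon.ack(peer, seq):
                acked[peer] += 1
    return {"failover_at": mon.events[0][3] if mon.events else None,
            "active": mon.active_peer, "acked": acked}


if __name__ == "__main__":
    print(simulate())  # failover to peer2 at t=70, peer1 acked 4, peer2 acked 3
```

With these numbers the last good reply from peer1 arrives at t=30 and the switch to peer2 happens at t=70: one interval before the first probe can be counted as missed, plus three missed intervals. That is the trade-off Guy is asking about, made explicit: detection latency is roughly (max_missed + 1) times the probe interval, which can be tens of seconds, instead of an SA lifetime that is typically hours. The `ack` check that ignores stale or wrong-peer replies is what keeps a delayed or replayed keepalive from masking a dead gateway.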
From rizal at MIMOS.MY Sat Aug 26 00:17:32 2000
From: rizal at MIMOS.MY (Mohammad Rizal Othman)
Date: Sat, 26 Aug 2000 12:17:32 +0800
Subject: Bridge VPN
Message-ID:

We have deployed two OpenBSD based IPSec VPN bridges. They both work perfectly. However, now we need to implement a host to gateway VPN, in which travelling employees can use a VPN client installed in their notebooks to set up VPN tunnels to one of the two bridges. Has anyone done this? We tried this with NAI's PGPNet. We could establish a tunnel to the bridge; however, anything behind the bridge is unreachable. A tcpdump shows that requests to services on hosts behind the bridge are encapsulated in esp, whereas replies are not.

If somebody has done a similar thing, please provide me with some details on what you have done.

TIA.

Perfection consists not in doing extraordinary things but in doing "ordinary things extraordinarily well."
-- Antonio Stradivari

From pbryan at ACRUX.NET Sat Aug 26 00:27:51 2000
From: pbryan at ACRUX.NET (Pat Bryan)
Date: Fri, 25 Aug 2000 23:27:51 -0500
Subject: @Home bans VPNS
References:
Message-ID: <000a01c00f16$007293e0$85f11618@ct614069a>

I believe each provider makes their own bandwidth limitation rules. I believe this is the case because it is the cable provider that actually owns the fiber and the copper...

----- Original Message -----
From: "Rick Blanchard"
To:
Sent: Friday, August 25, 2000 8:28 PM
Subject: Re: @Home bans VPNS

> I may be mistaken in this, but it is how I understand it.
>
> The original referenced Usage Agreement was from Comcast's website. Comcast
> is a cable TV provider in some regional area. Where I live we have AT&T
> Cable. We also have AT&T at Home. Same @Home, different cable provider.
>
> At http://www.comcastonline.com/aboutus.asp it says that Comcast and @Home
> are partners.
>
> This is the question: Does each cable provider make up their own access
> rules, or do all the @Home services use the same set of rules?
>
> Since the only one I've seen to be restrictive is Comcast at Home, I am
> assuming each cable provider sets their own rules. I could be wrong.
>
> Just my $.02
>
> Rick
>
> -----Original Message-----
> From: Joseph S D Yao [mailto:jsdy at cospo.osis.gov]
> Sent: Friday, August 25, 2000 5:23 PM
> To: Rick Blanchard
> Cc: VPN at SECURITYFOCUS.COM
> Subject: Re: @Home bans VPNS
>
> On Fri, Aug 25, 2000 at 08:36:31AM -0500, Rick Blanchard wrote:
> > The rules referenced are for Comcast at Home.
> >
> > Is this Subscriber Agreement only for Comcast, or have all @Home providers
> > also changed their Subscriber Agreements to outlaw VPN traffic?
> >
> > Rick
>
> You may have to enlighten most of us as to the differences. Are you
> saying that there are @Home "franchisees"?
>
> --
> Joe Yao jsdy at cospo.osis.gov - Joseph S. D. Yao
> COSPO/OSIS Computer Support EMT-B
> -----------------------------------------------------------------------
> This message is not an official statement of COSPO policies.

From tbird at PRECISION-GUESSWORK.COM Sat Aug 26 06:55:08 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Sat, 26 Aug 2000 05:55:08 -0500
Subject: Bridge VPN
In-Reply-To:
Message-ID:

Have you taken a look at Patrick Ethier's document on configuring OpenBSD VPNs? It's definitely got a section on making client-to-server connections. It's linked on the "How To" page of the VPN site at http://kubarb.phsx.ukans.edu/~tbird/vpn.html

Good luck -- tbird

On Sat, 26 Aug 2000, Mohammad Rizal Othman wrote:
> Date: Sat, 26 Aug 2000 12:17:32 +0800
> From: Mohammad Rizal Othman
> To: VPN at SECURITYFOCUS.COM
> Subject: Bridge VPN
>
> We have deployed two OpenBSD based IPSec VPN bridges. They both work
> perfectly.
However, now we need to implement a host to gateway VPN, in > which travelling employees can use a VPN client installed in their > notebooks to set VPN tunnels to one of the two bridges. Has anyone done > this? We tried this with NAI's PGPNet. We could establish a tunnel to > the bridge, however anything behind the bridge is unreachable. A tcpdump > shows that request to services on hosts behind the bridge are encapsulated > in esp, whereas replies are not. > > If somebody has done a similar thing, please provide me with some details > on what you have done. > > TIA. > > Perfection consists not in doing extraordinary things but in > doing "ordinary things extraordinarily well." > -- Antonio Stradivari > > VPN is sponsored by SecurityFocus.COM > VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html life: http://kubarb.phsx.ukans.edu/~tbird work: http://www.counterpane.com VPN is sponsored by SecurityFocus.COM From mm_basha at YAHOO.COM Sat Aug 26 00:31:56 2000 From: mm_basha at YAHOO.COM (Mohamed Mohaideen Basha) Date: Fri, 25 Aug 2000 21:31:56 -0700 Subject: VPN & DSL Message-ID: <20000826043156.8930.qmail@web1609.mail.yahoo.com> Hi Everybody Can anyone help me. I have a DSL connection at my office My office is connected to Internet thru DSL connection and my head office at USA also has a DSL connection.Both the networks are in Windows plateform and have static IP address. Can I connect both the networks using VPN using PPTP in Windows NT, or whether I should have H/W based. -Basha __________________________________________________ Do You Yahoo!? Yahoo! Mail - Free email you can access from anywhere! 
http://mail.yahoo.com/

From jsdy at COSPO.OSIS.GOV Mon Aug 28 09:34:45 2000
From: jsdy at COSPO.OSIS.GOV (Joseph S D Yao)
Date: Mon, 28 Aug 2000 09:34:45 -0400
Subject: @Home bans VPNS
In-Reply-To: <000a01c00f16$007293e0$85f11618@ct614069a>; from pbryan@ACRUX.NET on Fri, Aug 25, 2000 at 11:27:51PM -0500
References: <000a01c00f16$007293e0$85f11618@ct614069a>
Message-ID: <20000828093445.C26704@washington.cospo.osis.gov>

On Fri, Aug 25, 2000 at 11:27:51PM -0500, Pat Bryan wrote:
> I believe each provider makes their own bandwidth limitation rules. I believe this is the case because it is the cable provider that actually owns the fiber and the copper...

I don't remember in which forum this was mentioned earlier, but it's not as if a tunnel contributes MASSIVELY to bandwidth use. Nowhere near as much as, say, downloading all the latest jpeg's and mp3's of your latest fave rave. ;-/

From MuniX-1 at PACBELL.NET Sat Aug 26 23:03:21 2000
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Sat, 26 Aug 2000 20:03:21 -0700
Subject: IPSec dead peer detection
Message-ID: <39A884F9.A60E9F30@pacbell.net>

Well, I know that Netscreen has a VPN monitor tool built in to it, so you can turn this feature on and it will monitor the actual connectivity via ICMP. An existing SA, however, is not a reliable variable to gather real-time data on the state of a particular peer. It does not work quite right; just like you said, you have to set the lifetimes to a short period of time and send keepalives.

Jose

"Raymakers, Guy" wrote:
>
> Hi,
>
> Does someone know about solutions, IPSec implementations that will detect whether the remote peer is down or unreachable? I know that e.g. Cisco is supporting this, but that's only when the IPsec session is set up or renewed. I'm more looking for a solution that will detect a 'dead' peer at any time without having to set a very low SA lifetime.
>
> Thanks for your answers,
>
> Best regards,
> Guy

From kyoung at V-ONE.COM Mon Aug 28 00:40:45 2000
From: kyoung at V-ONE.COM (Keith Young)
Date: Mon, 28 Aug 2000 00:40:45 -0400
Subject: hiding VPN traffic (was: @Home bans VPNS)
References: <20000825133033.15499.qmail@web2302.mail.yahoo.com>
Message-ID: <39A9ED4D.87D24BB7@v-one.com>

Chris Carlson wrote:
>
> Not to mention other non-IPSec VPNs, like Michael mentioned: SSH, SSL, SOCKS, or even SKIP. Imagine client software that behaves like a virtual IP adapter but tunnels the connection in SSL over port 443. There's NO WAY that broadband providers can filter that.
>
> Hmmm... any VPN vendors out there? Why not make SSL/443 one of the ports used by your IPSec NAT transparency? We can bypass this ridiculous service agreement once and for all!

While we don't "wrap" IPSEC in SSL, we do mimic SSL & HTTP headers in order to pass through proxy-based firewalls such as Gauntlet, Raptor, and (my favorite ;-) FWTK. However, (unwittingly) giving people access through your firewall to an external VPN server running on port 443 and then out to anywhere on the Internet might not make many firewall admins too happy, but I'll leave that for another thread.... :-)

See my last posting on this list about this very same topic for my feelings... more and more VPN vendors are going to realize that getting through local firewalls is nearly impossible with "normal" IPSEC and are going to diverge from the IPSEC specs in order to make firewall traversal (and hiding VPN traffic) easier... just my personal thoughts and not "V-ONE official".....

--
--Keith Young
-Director of Customer Care/Support, V-ONE Corp.
-kyoung at v-one.com

From jsdy at COSPO.OSIS.GOV Mon Aug 28 09:32:03 2000
From: jsdy at COSPO.OSIS.GOV (Joseph S D Yao)
Date: Mon, 28 Aug 2000 09:32:03 -0400
Subject: @Home bans VPNS
In-Reply-To: <4.3.2.7.2.20000825180715.0494aed0@pop.erols.com>; from jehorton@erols.com on Fri, Aug 25, 2000 at 06:10:01PM -0400
References: <967228044.39a6ba8ced9db@www.secureserver.com> <4.3.2.7.2.20000825180715.0494aed0@pop.erols.com>
Message-ID: <20000828093203.B26704@washington.cospo.osis.gov>

On Fri, Aug 25, 2000 at 06:10:01PM -0400, John Horton wrote:
> I wonder if it would be a valid lawsuit to sue @Home on the grounds of abridging your first amendment rights - namely that to free speech, much in the same way that suits were brought against the HOA's for prohibiting the use of Satellite Dishes in one's yard.

I doubt it. You're paying them for a service. They define the service. There are probably better grounds for a suit elsewhere.

IANALNDIPOOTV.

From MuniX-1 at PACBELL.NET Sun Aug 27 15:36:33 2000
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Sun, 27 Aug 2000 12:36:33 -0700
Subject: IPSec dead peer detection
Message-ID: <39A96DC1.7E939911@pacbell.net>

Hello Ray;

Well, now that I read the thread, the question is: are the two central peers together? In the same cage? If this is the case then you can set up this HA mechanism where you have the 2 IPSec gateways [if these are IPSec servers], then place them behind a pair of IPSec gateways and save CPU cycles. Anyway, this mechanism works nicely because if one of the central peers is down the other will take over automatically in a matter of 10 seconds, with session sync and the same IP. If you want something more dynamic then try running OSPF over it.

"Raymakers, Guy" wrote:
>
> Hi Dante,
>
> I'm more looking for a solution where you have two central VPN Servers (peer1 and peer2). If a remote VPN peer is connected to peer1 and peer1 dies, then the remote peer should automatically switch to the second peer or peer2. Do you know whether such things exist?
>
> Best regards,
> Guy
>
> -----Original Message-----
> From: Dante Mercurio [mailto:Dante at webcti.com]
> Sent: vrijdag 25 augustus 2000 00:00
> To: Raymakers, Guy
> Subject: RE: IPSec dead peer detection
>
> I haven't seen it implemented into a tunnel monitor, though WatchGuard's implementation with VPN Manager installed comes close to what you are asking. What it won't do, however, is send any kind of notification if the connection is down, though it will show it in the VPN manager screen.
>
> One solution you may look into is an AlertPage, pinger, or similar program that will contact a host on the far side of the tunnel at given intervals and send an alert if they can not reach it, thus indicating either that host or the tunnel is down.
>
> -Dante

From ryan at SECURITYFOCUS.COM Sun Aug 27 22:49:41 2000
From: ryan at SECURITYFOCUS.COM (Ryan Russell)
Date: Sun, 27 Aug 2000 19:49:41 -0700
Subject: VPN and icmp
In-Reply-To: <39A5D91B.C75D2C4C@storm.ca>

On Thu, 24 Aug 2000, Sandy Harris wrote:
> My reading is that it should be possible to configure the Cisco to clear DF and, if necessary, fragment the outgoing packet. This is a "should", not a "must". Check Cisco docs.

It's not possible. I started asking Cisco for that feature over 2 years ago.

Ryan

From RJENNINGS at NOVELL.COM Mon Aug 28 00:41:30 2000
From: RJENNINGS at NOVELL.COM (Robert Jennings)
Date: Sun, 27 Aug 2000 22:41:30 -0600
Subject: @Home bans VPNS

Yes, in effect, your local cable company is a "franchisee" of @HOME. There are a couple of major competitors to @HOME, like RoadRunner. Some cable companies choose to do it entirely on their own.

The "franchisees" set up the local heads, install infrastructure equipment, then run a fat pipe back to @HOME, which provides the DNS, DHCP, hosting and all other related services. Your local cable company provides the first level support, to eliminate local infrastructure problems and low-end operator headspace problems. Second level support is @HOME staff.

Hope this clarifies.

Bob Jennings
Director, Americas East Territory
Novell Worldwide Consulting
Novell, the leading provider of NetServices solutions!

From MuniX-1 at PACBELL.NET Sat Aug 26 22:43:02 2000
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Sat, 26 Aug 2000 19:43:02 -0700
Subject: netscreen opinions..
References: <20000825012545.5356.qmail@web3005.mail.yahoo.com>
Message-ID: <39A88036.9A80B5CF@pacbell.net>

They are the fastest VPN and firewall on the market today. I tested it against a FW-1 on a Sun 450 with a Cryptoaccelerator card and it blew it away by far.... The Virtual IP or VIP are fine for a few protocols; however, I find that the Mapped IP supports all of the protocols that I have tested so far. The VPN implementation is very nice and reliable.

So the difference is how much money you have to put in the trash. The FW-1 and Sun and Crypto card with licences: about $100 k. The NS-100: about 9 k, and much faster, fast to set up, nice to administer from remote via SSH, etc.. etc.. etc..

So you tell me..

Jose Muniz

Scott S wrote:
>
> I am currently evaluating using netscreens to replace the PIX firewalls I am using now as I expand my vpn based WAN.
>
> Two things I have noticed so far: the virtual IP internal/external ip mapping function seems a bit limited. It seems I can only redirect certain services; ssh is one that seems to be missing. Is the alternative just to use the ip mapping function and do access-lists?
>
> Also, on the PIX one IP address is reserved for doing PAT; the netscreen doesn't seem to have that option.
>
> Anyway, if anyone out there has real world experience with these boxes I'd love to hear opinions about them in terms of reliability, speed and other little problems like the two I mentioned above.
>
> -Scott

From mikef at POCKETLINT.COM Mon Aug 28 12:17:42 2000
From: mikef at POCKETLINT.COM (Mike Forrester)
Date: Mon, 28 Aug 2000 10:17:42 -0600
Subject: @Home bans VPNS
References: <4.3.2.7.2.20000825180715.0494aed0@pop.erols.com>
Message-ID: <003301c0110b$8036c780$ea02020a@paperweight>

http://www4.law.cornell.edu/uscode/47/551.html

Here's a law (are there others?) that pertains to this. I haven't read it yet, but maybe one of you more well versed in law can take a look...

Mike

----- Original Message -----
From: "John Horton"
Sent: Friday, August 25, 2000 4:10 PM
Subject: Re: @Home bans VPNS

> I wonder if it would be a valid lawsuit to sue @Home on the grounds of abridging your first amendment rights - namely that to free speech, much in the same way that suits were brought against the HOA's for prohibiting the use of Satellite Dishes in one's yard.
>
> At 02:27 PM 08/25/2000, Charles Finney* wrote:
> >As I understand things, ESP is protocol 50 and ISAKMP is typically UDP=500 under IPsec. Encryption under IPsec for any purpose, VPN or otherwise, must utilize protocol 50 and likely will use UDP=500. To filter VPN traffic would require the invalid premise that any IPsec encrypted traffic must be VPN traffic.
> >
> >The truth of the matter is my ISP sold me bandwidth. How I use it is none of their business. I understand the desire to cripple the service provided for financial gain; however, the ISP marketed bandwidth and Internet connectivity and sold bandwidth and Internet connectivity. That's what I expect to use.

From jsdy at COSPO.OSIS.GOV Mon Aug 28 14:49:08 2000
From: jsdy at COSPO.OSIS.GOV (Joseph S D Yao)
Date: Mon, 28 Aug 2000 14:49:08 -0400
Subject: @Home and Privacy law?
Message-ID: <20000828144908.A29218@washington.cospo.osis.gov>

http://www4.law.cornell.edu/uscode/47/551.html deals with cable user privacy. I don't see what that has to do with "infringement of free speech" by denying a Cable Internet user the ability to use a VPN.

I'm still not a lawyer ...

From dcroxford at TICKETS.COM Mon Aug 28 14:57:48 2000
From: dcroxford at TICKETS.COM (David Croxford)
Date: Mon, 28 Aug 2000 13:57:48 -0500
Subject: @Home bans VPNS
Message-ID: <01C010F7.F3CFEAF0.dcroxford@tickets.com>

I just called my cable internet provider; they hadn't heard anything about banning VPN traffic, so they called @home and were told that @home is not banning VPN traffic but they won't be supporting it.

David Croxford
QC Analyst - Tickets.com
608-236-1017
dcroxford at tickets.com

From rbeneson at HOTMAIL.COM Tue Aug 29 03:26:01 2000
From: rbeneson at HOTMAIL.COM (Rob Beneson)
Date: Tue, 29 Aug 2000 00:26:01 PDT
Subject: PPTP through Pix

Hey all, quick question. I am trying to run PPTP clients through my pix firewall with 3DES encryption. I followed the vanilla config from the documentation online to get the PPTP "server" up on my Pix. What do I need to do to get users to authenticate through the firewall using Windows 2000 clients? Do I need to set up certs on the DC? Do I need to use RRAS on the DC? Do any ports need to be explicitly opened? I guess part of the question is, ok, they authenticate to the firewall...great, but then what?
How does my win2k domain authenticate the user and let them use network resources? This may be too vague, but any help is appreciated, and I will go as detailed as necessary.

Thanks!

Rob

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
Share information about yourself, create your own public profile at http://profiles.msn.com.

From nada at NETWAY.CA Tue Aug 29 13:32:23 2000
From: nada at NETWAY.CA (Nada Kesavan)
Date: Tue, 29 Aug 2000 13:32:23 -0400
Subject: Number of VPN Connections in Cisco IOS and PIX Firewall
Message-ID: <000a01c011df$2e6dc960$10fea8c0@netway>

Hi,

I would like to know whether the performance of a Cisco Router or a PIX Firewall goes down when the number of VPN sessions connected through them goes up. Is there any literature or site which has a detailed analysis of Cisco VPN performance?

Thank you
Nada

From ajennamo at UNCC.EDU Tue Aug 29 13:57:17 2000
From: ajennamo at UNCC.EDU (Andrew Jesse Ennamorato)
Date: Tue, 29 Aug 2000 13:57:17 -0400
Subject: I now feel rejected
Message-ID: <200008291757.NAA26618@ms-sm2.uncc.edu>

Hey listers,

My first letter was rejected. Painful beginning. ;-) Here it is again - just a few simple questions.

------------- Begin Forwarded Message -------------

List,

Just had a few general "newbie" questions -

1. Can anyone recommend a good VPN book/online documentation? One that covers just general theory of VPNs and is in-depth in how to go about creating one would be nice.

2. What about a book/online doc. that covers setting up a Linux/FreeBSD firewall?
Thanks for the help,

Andy
ajennamo at uncc.edu

------------- End Forwarded Message -------------

From renuka_nadkarni at YAHOO.COM Tue Aug 29 15:09:42 2000
From: renuka_nadkarni at YAHOO.COM (Renuka Nadkarni)
Date: Tue, 29 Aug 2000 12:09:42 -0700
Subject: I now feel rejected
Message-ID: <20000829190942.37703.qmail@web9305.mail.yahoo.com>

For the BSD firewall implementation see the site: http://coombs.anu.edu.au/~avalon/ip-filter.html

There is a lot of information on the web itself for the generic VPN information. Refer to RFC 24XX for IPSec issues.

From sandy at STORM.CA Tue Aug 29 18:01:49 2000
From: sandy at STORM.CA (Sandy Harris)
Date: Tue, 29 Aug 2000 18:01:49 -0400
Subject: I now feel rejected
References: <200008291757.NAA26618@ms-sm2.uncc.edu>
Message-ID: <39AC32CD.85D9427@storm.ca>

Andrew Jesse Ennamorato wrote:
> Just had a few general "newbie" questions - 1. Can anyone recommend a good VPN book/online documentation? One that covers just general theory of VPNs and is in-depth in how to go about creating one would be nice. 2.
> What about a book/online doc. that covers setting up a Linux/FreeBSD firewall?

For Linux the standard HowTo source is www.linuxdoc.org

FreeS/WAN IPSEC for Linux docs are online at www.freeswan.org
See links.linux.html and links.ipsec.html for more.

The various BSDs all have web sites of the form *bsd.org, with net, free or open replacing the '*'. OpenBSD ships with IPSEC and other security tools.

From mikef at POCKETLINT.COM Wed Aug 30 12:24:06 2000
From: mikef at POCKETLINT.COM (Mike Forrester)
Date: Wed, 30 Aug 2000 10:24:06 -0600
Subject: @Home and Privacy law?
References: <20000828144908.A29218@washington.cospo.osis.gov>
Message-ID: <00a601c0129e$b8d05e50$ea02020a@paperweight>

I was thinking more along the lines of what sort of monitoring can be done to detect if one is using a VPN. We don't do any monitoring except for bandwidth usage, if we notice that a system has above average traffic.

I hate 'legal speak' and have now read it a few times and I'm still not sure (I'm going to read it a few more times). I think the implications probably vary with interpretation.

We couldn't cancel customers (if we cared about them using a VPN, which we don't) just based on port number. We would have to look at the individual packets to determine if someone is using a VPN. If we did that, we may find out all kinds of info that we are not allowed to. Isn't this similar to the gripes about Carnivore?

Just food for thought,

Mike

From giles.frith at AC.COM Wed Aug 30 10:08:30 2000
From: giles.frith at AC.COM (Frith, Giles)
Date: Wed, 30 Aug 2000 10:08:30 -0400
Subject: VPN's and Windows CE

We are trying to find a Windows CE shim that will connect to a Nortel Contivity switch. I would be interested in hearing about any products or solutions that anyone on this list has found or knows about.

Thanks,
Giles

From patrickbryan at SWEDISHAMERICAN.ORG Wed Aug 30 10:00:01 2000
From: patrickbryan at SWEDISHAMERICAN.ORG (Patrick Bryan)
Date: Wed, 30 Aug 2000 09:00:01 -0500
Subject: PPTP Secure?
Message-ID: <200008291355.IAA26348@firewall.swedishamerican.org>

Can someone tell me, for day to day business use, is M$'s PPTP v2.0 implementation secure?

From sandy at STORM.CA Wed Aug 30 13:57:58 2000
From: sandy at STORM.CA (Sandy Harris)
Date: Wed, 30 Aug 2000 13:57:58 -0400
Subject: VPN's and Windows CE
Message-ID: <39AD4B26.D21FB8B9@storm.ca>

"Frith, Giles" wrote:
>
> We are trying to find a Windows CE shim that will connect to a Nortel Contivity switch.

Helsinki U of Technology have an IPSEC implementation in Java.
http://www.tml.hut.fi/Tutkimus/IPSEC/

Could your CE machine's browser run that?
From bekoin at GLOBEACCESS.NET Wed Aug 30 14:38:18 2000
From: bekoin at GLOBEACCESS.NET (Olivier Bekoin)
Date: Wed, 30 Aug 2000 18:38:18 -0000
Subject: W2K vpn don't work
References: <39AD4B26.D21FB8B9@storm.ca>
Message-ID: <001501c012b1$7acf9630$0100000a@support.net>

Hi,

I configured IPSec tunneling between two W2K servers with static IP addresses. After defining the 2 filters (NetA to NetB and NetB to NetA) and the rules for each filter, I ping the other server and I receive this message: "Negotiation of IP security". Before assigning the policy in my local security settings, I had the normal reply from the other server. After launching "ipsecmon", I don't see the policy that I've created. What does that mean? Can someone help me to build a tunnel with encryption?

Thanks

From sandy at STORM.CA Wed Aug 30 14:10:25 2000
From: sandy at STORM.CA (Sandy Harris)
Date: Wed, 30 Aug 2000 14:10:25 -0400
Subject: PPTP Secure?
References: <200008291355.IAA26348@firewall.swedishamerican.org>
Message-ID: <39AD4E11.530597E@storm.ca>

Patrick Bryan wrote:
>
> Can someone tell me, for day to day business use, is M$'s PPTP v2.0 implementation secure?

No.
http://www.counterpane.com/pptp.html

From jsdy at COSPO.OSIS.GOV Wed Aug 30 14:11:06 2000
From: jsdy at COSPO.OSIS.GOV (Joseph S D Yao)
Date: Wed, 30 Aug 2000 14:11:06 -0400
Subject: @Home and Privacy law?
In-Reply-To: <00a601c0129e$b8d05e50$ea02020a@paperweight>; from mikef@pocketlint.com on Wed, Aug 30, 2000 at 10:24:06AM -0600
References: <20000828144908.A29218@washington.cospo.osis.gov> <00a601c0129e$b8d05e50$ea02020a@paperweight>
Message-ID: <20000830141106.J13284@washington.cospo.osis.gov>

On Wed, Aug 30, 2000 at 10:24:06AM -0600, Mike Forrester wrote:
> I was thinking more along the lines of what sort of monitoring can be done to detect if one is using a VPN.

OK, now I see where you're coming from. Yes, this is a different possible approach. Sorry, when I read the earlier one it looked like you were supporting the "free speech" approach.

From bekoin at GLOBEACCESS.NET Wed Aug 30 16:21:43 2000
From: bekoin at GLOBEACCESS.NET (Olivier Bekoin)
Date: Wed, 30 Aug 2000 20:21:43 -0000
Subject: L2TP/IPSec vpn with W2K !!!
Message-ID: <001701c012bf$ec610a50$0100000a@support.net>

Hi all,

I am trying to configure VPN connections with the L2TP/IPSec combination on W2K. After installing/configuring the certificate server for authentication, I get a user certificate through the web, but I cannot connect to my VPN server when I use a LAN connection. I configured the filters correctly - I think - but ....

Client and server were on the same physical cable when I did the tests. The error message is: "the vpn server has refused the connection. please contact your admin".

NB: I am not behind a firewall.

Please help. That is the solution for my stage memory and it doesn't work.

Thanks
Olivier

From kemp at INDUSRIVER.COM Wed Aug 30 17:08:32 2000
From: kemp at INDUSRIVER.COM (Brad Kemp)
Date: Wed, 30 Aug 2000 17:08:32 -0400
Subject: PPTP Secure?
In-Reply-To: <200008291355.IAA26348@firewall.swedishamerican.org>
Message-ID: <4.2.2.20000830165722.00cd6100@pop3.indusriver.com>

Patrick

It all depends upon your threat model. If you are trying to protect data from a well funded government agency, the answer is no. PPTP V2 is vulnerable to offline password attacks, the control channel is cleartext, there is no forward secrecy, there are no packet integrity checks, it may allow for version rollback attacks, and other flaws. I do not know what your day to day business entails, therefore I cannot say if it is secure enough for you. Read the papers on the flaws in PPTP and decide if the level of protection it provides is sufficient at http://www.counterpane.com/pptp.html

Brad

From tbird at PRECISION-GUESSWORK.COM Wed Aug 30 16:31:43 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Wed, 30 Aug 2000 15:31:43 -0500
Subject: PPTP Secure?
In-Reply-To: <39AD4E11.530597E@storm.ca>

You might also want to check out the Frequently Asked Questions for the mailing list at http://kubarb.phsx.ukans.edu/~tbird/vpn.html

Question #6 is a review of PPTP information, which although a bit dated is more up to date than Bruce's original article.

From zeller at INDIANA.EDU Wed Aug 30 17:36:09 2000
From: zeller at INDIANA.EDU (Zeller, Tom S)
Date: Wed, 30 Aug 2000 16:36:09 -0500
Subject: PPTP Secure?
Message-ID: <4F1C26C2EB4CD211BD2300805F657B5C03546B3B@newjersey.exchange.indiana.edu>

PPTP using MS-CHAP V2 has some security weaknesses, but it would take a fairly advanced user to crack the encrypted stream. The weakness stems from the fact that MS-CHAP v2 uses the user's password as the encryption key, which of course is infinitely more crackable than a 40-digit random number.

You can read details on PPTP in general at http://www.win2000mag.com/Articles/Index.cfm?ArticleID=5188&pg=2 and for MS-CHAP in particular, v1 versus v2: http://www.counterpane.com/pptpv2-paper.html

Tom Zeller
Telecommunications Division
Indiana University
Bloomington, IN
zeller at indiana.edu

From rick_smith at SECURECOMPUTING.COM Wed Aug 30 19:01:28 2000
From: rick_smith at SECURECOMPUTING.COM (Rick Smith)
Date: Wed, 30 Aug 2000 18:01:28 -0500
Subject: PPTP Secure?
In-Reply-To: <39AD4E11.530597E@storm.ca> References: <200008291355.IAA26348@firewall.swedishamerican.org> Message-ID: <4.3.2.7.0.20000830174614.00b37670@mailhost.sctc.com> >Patrick Bryan asked: > > Can someone tell me, for day to day business use, is M$'s PPTP v2.0 > > implementation secure? Sandy Harris replied: >No. >http://www.counterpane.com/pptp.html To cut to the chase, you can use l0phtcrack to intercept Microsoft CHAP packets and crack the passwords they carry. In addition, the paper at Counterpane outlines other attacks. So, if in "day to day business use" your computers manipulate valuable assets, then there's a risk someone might take the time to pick your cryptographic lock. At the moment, I don't see any off-the-shelf PPTP cracking programs out there. For example, it doesn't look to me as if l0phtcrack will crack PPTP passwords right out of the box -- rather, it's designed to sniff the hashed credentials in plaintext SMB packets. Folks on the list -- does anyone else know of such a tool? The point of the Counterpane paper is that someone *might* build a cracking tool directed at PPTP. Or, some criminal enterprise may have done so and kept it to themselves. This is enough of a risk to make lots of people nervous. On the other hand, a court would probably say you were taking "due care" if you use cryptography to protect your traffic, regardless of whether it's weak or not. The courts seem to be tolerating weak encryption and demonizing the cracking tools this season. Rick. smith at securecomputing.com roseville, minnesota "Internet Cryptography" at http://www.visi.com/crypto/ VPN is sponsored by SecurityFocus.COM From Chris.Keladis at CMC.CWO.NET.AU Wed Aug 30 21:15:19 2000 From: Chris.Keladis at CMC.CWO.NET.AU (Chris Keladis) Date: Wed, 30 Aug 2000 21:15:19 -0400 Subject: Cisco IPSec <-> W2K. 
Message-ID: <4.3.2.7.0.20000830211157.00ceede0@zippy.cmc.cwo.net.au> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi folks, Reading through the list, it seems many people are trying to "VPN" W2K boxes to all kinds of equipment. I was wondering if it was possible to create an IPSec VPN using a Cisco (36xx) router with an IPSec IOS loaded, to a W2K machine. Anyone have any experience with this kind of setup? Thanks, Chris Keladis System/Security Administrator Custom Management Centre Cable & Wireless Optus. Phone: (02) 9775-5312 Mobile: (0402) 067-375 E-Mail: Chris.Keladis at cmc.cwo.net.au -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.3 for non-commercial use iQA/AwUBOa6ElyEx0akmf5vwEQKohwCgqOYkr++3txpfkvuD0CBWnA0kPUkAn2Ud RgMkTaV+rfELXmavgy2/Epqg =gTf5 -----END PGP SIGNATURE----- VPN is sponsored by SecurityFocus.COM
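Two of the PPTP weaknesses raised in the "PPTP Secure?" thread above, Brad Kemp's offline password attack and missing packet integrity checks, Tom Zeller's point that the key comes from the user's password, and Rick Smith's remark that l0phtcrack sniffs hashed credentials, reproduced as an added example. This is editor-written code, not from any list member or from any PPTP implementation. It assumes only well-known facts not spelled out on the page: the NT hash is MD4 over the UTF-16LE password with no salt, and MPPE encrypts with RC4 and no MAC. The captured hash, the wordlist, the packet, and the use of the raw NT hash as the RC4 key are constructed for the demo; real MPPE derives its key from the hash and the CHAP response through further hashing, and a real MS-CHAPv2 capture is attacked through the DES-based challenge response rather than a bare hash.

```python
# Added example (not the list's or any vendor's code). Pure Python so it runs offline.
# Weakness 1: password-derived, unsalted key material -> offline dictionary attack.
# Weakness 2: RC4 with no integrity check -> on-path bit flipping goes undetected.
# Constructed for the demo: the "captured" hash, wordlist, packet, and using the NT
# hash directly as the RC4 key (a simplification of MPPE's real key derivation).
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (OpenSSL 3 builds of hashlib often omit it, so implemented here)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = [a, b, c, d]

        def step(fn, i, k, s, const):
            # Step i updates register A, D, C, B in turn from the other three.
            idx = (-i) % 4
            x, y, z = v[(idx + 1) % 4], v[(idx + 2) % 4], v[(idx + 3) % 4]
            v[idx] = _rotl((v[idx] + fn(x, y, z) + X[k] + const) & MASK32, s)

        for i in range(16):
            step(F, i, i, (3, 7, 11, 19)[i % 4], 0)
        for i in range(16):
            step(G, i, (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4], 0x5A827999)
        for i in range(16):
            step(H, i, r3_order[i], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1)
        a, b, c, d = [(old + new) & MASK32 for old, new in zip((a, b, c, d), v)]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). Unsalted: one dictionary pass covers every user."""
    return md4(password.encode("utf-16-le"))


def crack_nt_hash(captured: bytes, wordlist):
    """Offline dictionary attack: no network, no lockout, no rate limit to slow it down."""
    for candidate in wordlist:
        if nt_hash(candidate) == captured:
            return candidate
    return None


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 keystream XOR; the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def flip_in_transit(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Rewrite known plaintext bytes without the key: XOR (known ^ wanted) into the ciphertext."""
    ct = bytearray(ciphertext)
    for n, (k, w) in enumerate(zip(known, wanted)):
        ct[offset + n] ^= k ^ w
    return bytes(ct)


def demo():
    # Constructed: an NT hash sniffed off the wire plus a short candidate list.
    captured = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
    wordlist = ["letmein", "Summer2000", "password", "hunter2"]
    recovered = crack_nt_hash(captured, wordlist)
    # Constructed: recovered hash used directly as the RC4 key, and one tunnelled
    # "packet" whose amount field (bytes 9..12) an on-path attacker rewrites.
    key = nt_hash(recovered)
    packet = b"TRANSFER 0100.00 TO ACCT 1111"
    tampered = flip_in_transit(rc4(key, packet), 9, b"0100", b"9900")
    return recovered, rc4(key, tampered)


if __name__ == "__main__":
    pw, received = demo()
    print("recovered password:", pw)
    print("receiver decrypts :", received.decode())
```

The first half is what "offline password attack" means in practice: once a hash or challenge/response is on disk, the attacker's only cost is hashing candidates, and an unsalted MD4 is cheap. The second half is why "no packet integrity checks" matters even when the attacker never learns the key: with a stream cipher and no MAC, anyone who can guess the position and value of a plaintext field can rewrite it in transit and the receiver decrypts the altered value with no error.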
