From dgillett at NIKU.COM Tue Dec 12 16:09:41 2000
From: dgillett at NIKU.COM (David Gillett)
Date: Tue, 12 Dec 2000 13:09:41 -0800
Subject: attaching to shares over a WAN using Cisco's VPN client
In-Reply-To: <20001206090724.J16291@monjard.orgtek.com>
Message-ID: <003e01c0647f$d8da8e40$f30410ac@niku.com>

Are your clients' VPN addresses in the local LAN's space, or a separate subnet? If a separate subnet, do your routers know that the 3030 is the gateway to that subnet?

David Gillett
Senior Network Engineer
(650) 701-2702
Niku Corp. "Transforming the Service Economy"

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Daniel Monjar
Sent: Wednesday, December 06, 2000 6:07 AM
To: VPN at SECURITYFOCUS.COM
Subject: attaching to shares over a WAN using Cisco's VPN client

Disclaimers: this is probably an NT issue and/or should go to Cisco. Having said that, I'll give the list knowledge a shot.

I am using the Cisco 3030 box with the 2.5 Cisco client. When a remote client PC connects they go through the network login properly and domain authentication works. They can attach to shares on the LAN on which the VPN server sits. They can't attach to shares across the private WAN to a remote NT server.

Locally attached clients (not VPN, just a PC attached to the local LAN) _can_ access the remote NT server. It is also claimed that the same remote client PC using our non-VPN remote access (PPP to a router via a dialup server) can attach to these remote shares. The non-VPN remote access server is attached to the same LAN segment as the Cisco device.

Any thoughts?

--
Daniel Monjar (mailto:dmonjar at orgtek.com)
"If your attack is going really well, it's an ambush."
VPN is sponsored by SecurityFocus.COM

From cindy_slosar at YAHOO.CA Wed Dec 13 16:07:29 2000
From: cindy_slosar at YAHOO.CA (Cindy Slosar)
Date: Wed, 13 Dec 2000 16:07:29 -0500
Subject: VPN Products
Message-ID: <20001213210729.1058.qmail@web1502.mail.yahoo.com>

Hi all,

I'm leaning towards implementing the Sonicwall SOHO VPN solution and was wondering if anyone can provide any feedback, good and/or bad. Or, if someone knows of a better solution/product that I should be considering for a hardware-based VPN, that would be greatly appreciated too.

Thanks in advance,
Cindy

_______________________________________________________
Do You Yahoo!? Get your free @yahoo.ca address at http://mail.yahoo.ca

From AdamZ at ECONET.COM Wed Dec 13 16:57:50 2000
From: AdamZ at ECONET.COM (Adam Zimmerer)
Date: Wed, 13 Dec 2000 15:57:50 -0600
Subject: VPN Products
Message-ID: <612DB121BCFED31194F300C0F02BFF740BA44F@ENET_EXCHANGE>

Cindy,

I have a bunch of very happy clients who use the SonicWALL VPN solution. It is easy to configure and offers reliable service. If you have any more in-depth questions, I'll try to answer them.

Sincerely,
Adam Zimmerer
EcoNet.Com

-----Original Message-----
From: Cindy Slosar [mailto:cindy_slosar at YAHOO.CA]
Sent: Wednesday, December 13, 2000 3:07 PM
To: VPN at SECURITYFOCUS.COM
Subject: VPN Products

Hi all,

I'm leaning towards implementing the Sonicwall SOHO VPN solution and was wondering if anyone can provide any feedback, good and/or bad. Or, if someone knows of a better solution/product that I should be considering for a hardware-based VPN, that would be greatly appreciated too.

Thanks in advance,
Cindy

From patrick at SECUREOPS.COM Wed Dec 13 18:00:01 2000
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Wed, 13 Dec 2000 18:00:01 -0500
Subject: VPN Products
Message-ID: <403626CA58D4D3119B92005004A51488209322@Dominus.SecureOps.com>

Hi Cindy,

I have a friend who reviewed it lately. He found that there were a lot of bugs in the Web GUI. This means that you have to restrict access to the admin port as much as possible. The bug was reported a few weeks ago and may have been fixed; look at Bugtraq on www.securityfocus.com for more details. Basically, issuing an HTTP GET without supplying a filename reboots the firewall, and supplying a very long username has similar results. Like I said, these may have been fixed by now; check with Bugtraq and SonicWall for more details.

The filtering aspect of the product seems ok but I haven't tested it personally. The VPN portion also seems sound but all I have done with it so far is connect my OBSD IKE to it.

Regards,
Patrick Ethier
patrick at secureops.com

-----Original Message-----
From: Cindy Slosar [mailto:cindy_slosar at YAHOO.CA]
Sent: December 13, 2000 4:07 PM
To: VPN at SECURITYFOCUS.COM
Subject: VPN Products

Hi all,

I'm leaning towards implementing the Sonicwall SOHO VPN solution and was wondering if anyone can provide any feedback, good and/or bad. Or, if someone knows of a better solution/product that I should be considering for a hardware-based VPN, that would be greatly appreciated too.

Thanks in advance,
Cindy

From franci.jereb at MIBO.SI Thu Dec 14 07:27:22 2000
From: franci.jereb at MIBO.SI (Franci Jereb)
Date: Thu, 14 Dec 2000 13:27:22 +0100
Subject: Contivity & Entrust
Message-ID: <3A38CABA.15954.4BBCD0@localhost>

A non-text attachment was scrubbed...
Name: not available
Type: text/enriched
Size: 496 bytes
Desc: not available
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20001214/c18cd9cd/attachment.bin

From toddk at SONICWALL.COM Wed Dec 13 18:08:01 2000
From: toddk at SONICWALL.COM (Todd Koopman)
Date: Wed, 13 Dec 2000 15:08:01 -0800
Subject: VPN Products
Message-ID: <1B4AE1AFBED5D311BC82009027E5A6110124E904@SONIC05>

Cindy,

The issue mentioned by Patrick has been resolved and is available from our support department. If you have any questions related to the SonicWALL product, please do not hesitate to contact us.

Best Regards
Todd Koopman
Systems Engineer
SonicWALL
408-752-7872
toddk at sonicwall.com

-----Original Message-----
From: Patrick Ethier [mailto:patrick at SECUREOPS.COM]
Sent: Wednesday, December 13, 2000 3:00 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: VPN Products

Hi Cindy,

I have a friend who reviewed it lately. He found that there were a lot of bugs in the Web GUI. This means that you have to restrict access to the admin port as much as possible. The bug was reported a few weeks ago and may have been fixed; look at Bugtraq on www.securityfocus.com for more details. Basically, issuing an HTTP GET without supplying a filename reboots the firewall, and supplying a very long username has similar results. Like I said, these may have been fixed by now; check with Bugtraq and SonicWall for more details.

The filtering aspect of the product seems ok but I haven't tested it personally. The VPN portion also seems sound but all I have done with it so far is connect my OBSD IKE to it.

Regards,
Patrick Ethier
patrick at secureops.com

From otariq at BELLATLANTIC.NET Wed Dec 13 22:32:36 2000
From: otariq at BELLATLANTIC.NET (Omar Fahnbulleh)
Date: Wed, 13 Dec 2000 22:32:36 -0500
Subject: VPN Products
In-Reply-To: <20001213210729.1058.qmail@web1502.mail.yahoo.com>
Message-ID: <001b01c0657e$819193e0$6401a8c0@fwplus.com>

Cindy, you should take a look at the Nortel Contivity. They have the following solutions:

Contivity 100 - Accepts 5 concurrent branch office tunnels (does not accept IPsec client connections)
Contivity 600 - Accepts 30 concurrent branch office tunnels (does not accept IPsec client connections)
Contivity 15XX - Accepts 100 concurrent tunnels and IPSec client connections.

I feel these two will apply to a small business solution.
http://www.nortelnetworks.com/products/01/contivity/index.html

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Cindy Slosar
Sent: Wednesday, December 13, 2000 4:07 PM
To: VPN at SECURITYFOCUS.COM
Subject: VPN Products

Hi all,

I'm leaning towards implementing the Sonicwall SOHO VPN solution and was wondering if anyone can provide any feedback, good and/or bad.
Or, if someone knows of a better solution/product that I should be considering for a hardware-based VPN, that would be greatly appreciated too.

Thanks in advance,
Cindy

From MuniX-1 at PACBELL.NET Fri Dec 15 04:04:40 2000
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Fri, 15 Dec 2000 01:04:40 -0800
Subject: VPN Products
References: <001b01c0657e$819193e0$6401a8c0@fwplus.com>
Message-ID: <3A39DEA8.72A49754@pacbell.net>

I guess you guys have not seen the Netscreen, huh? It offers the best of the best, ASIC technology for less than the others... Apples are apples. I have 170 of them and they do not give me any problems at all, and I manage them all and have 80% of my time to do other things that are not as trivial as a VPN.

Jose Muniz

Omar Fahnbulleh wrote:
>
> Cindy you should take a look at the Nortel Contivity.
> They have the following solutions
> Contivity 100 - Acceps 5 Concurrent Branch office tunnels (Does not accept
> IPsec clients connection)
> Contivity 600 - accepts 30 concurrent Branch office tunnels(Does not accept
> IPsec clients connection)
> Contivity 15XX - Accepts 100 concurrent tunnels and IPSec client
> connection.
> I feel these two will apply to a small business solution.
> http://www.nortelnetworks.com/products/01/contivity/index.html

From cgripp at AXCELERANT.COM Fri Dec 15 14:01:06 2000
From: cgripp at AXCELERANT.COM (Christopher S. Gripp)
Date: Fri, 15 Dec 2000 11:01:06 -0800
Subject: VPN Products
In-Reply-To: <3A39DEA8.72A49754@pacbell.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I agree. We design, deploy and manage VPNs and Netscreen is our product of choice. Several of our Fortune 1000 customers use them. Redcreek is also good if you aren't looking for a device that is a firewall also.

Christopher S. Gripp
Systems Engineer
Axcelerant
Connecting Everyone In Your Business World
Visit us @ http://www.axcelerant.com

- -----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Jose Muniz
Sent: Friday, December 15, 2000 1:05 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: VPN Products

I guess you guys have not seen the Netscreen huh? It offers the best of the best, asic technology for less than the others... Apples are apples. I have 170 of them and they do not give me any problems at all, and I manage them all and have 80% of my time to do other things that are not as trivial as a VPN.

Jose Muniz

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use

iQA/AwUBOjpqcmLRPLnfp/zREQJD1gCePawTClN1EI03hRpEYNWmXCsCNOUAn3pj
QrIFs5+Nt0lNlYUisx/+e21F
=yN6w
-----END PGP SIGNATURE-----

From nygs at MEDIAONE.NET Fri Dec 15 18:54:35 2000
From: nygs at MEDIAONE.NET (The Nybergs)
Date: Fri, 15 Dec 2000 18:54:35 -0500
Subject: VPN Products
References: <001b01c0657e$819193e0$6401a8c0@fwplus.com> <3A39DEA8.72A49754@pacbell.net>
Message-ID: <002c01c066f2$608ac5c0$dff58018@hq>

Agreed. The NetScreen devices offer a lot more for the $$ than most items on the market. They can support HA among other things much cheaper than anything Nortel has to offer.

Steve N

----- Original Message -----
From: Jose Muniz
To:
Sent: Friday, December 15, 2000 4:04 AM
Subject: Re: VPN Products

> I guess you guys have not seen the Netscreen huh?
> It offers the best of the best, asic technology for less than
> the others...
> Apples are apples.
> I have 170 of them and they do not give me any problems at all,
> and I manage them all and have 80% of my time to do other things
> that are not as trivial as a VPN.
>
> Jose Muniz

From wolf at GMX.AT Mon Dec 18 06:10:18 2000
From: wolf at GMX.AT (Marco Wolf)
Date: Mon, 18 Dec 2000 11:10:18 -0000
Subject: MS-VPN and Cisco 800
Message-ID: <20001218111018.20964.qmail@securityfocus.com>

Hi!

We try to establish a connection between my home and our firm.
It should look like this:

(Local network, DHCP) <---> Cisco 800 <---> Internet <---> VPN-Server (global address)

I read a lot of articles, but none of them said it is impossible, nor could I find a step-by-step documentation. Cisco has great product pages, but they are hard to understand for network beginners! We tried a lot of things, many options; we even deactivated the access lists, so that traffic can pass through the router as is. Nothing helps.

I am thankful for any help, even if you have to say it is not possible in this constellation.

Marco.

From KLorenzo at CTNET.COM Mon Dec 18 13:04:09 2000
From: KLorenzo at CTNET.COM (Kenneth Lorenzo)
Date: Mon, 18 Dec 2000 13:04:09 -0500
Subject: MS-VPN and Cisco 800
Message-ID: <5124F9C9228AD411B169009027DC56FAFEB460@exchange.ctnet.com>

You need to use the command:

ip helper-address x.x.x.x

where x.x.x.x is the IP of your DHCP. It'll let your router act as a relay server for DHCP.

----------------------------
Kenneth Lorenzo
Network Engineer
Christian & Timbers
25825 Science Park Drive
Cleveland, OH 44122
Voice: (216) 682-3281
Mobile: (216) 256-3281
Email: klorenzo at ctnet.com
Web : http://www.ctnet.com
----------------------------

-----Original Message-----
From: Marco Wolf [mailto:wolf at GMX.AT]
Sent: Monday, December 18, 2000 6:10 AM
To: VPN at SECURITYFOCUS.COM
Subject: MS-VPN and Cisco 800

Hi!

We try to establish a connection between my home and our firm. It should look like this:

(Local network, DHCP) <---> Cisco 800 <---> Internet <---> VPN-Server (global address)

I read a lot of articles, but none of them said it is impossible, nor could I find a step-by-step documentation. Cisco has great product pages, but they are hard to understand for network beginners! We tried a lot of things, many options; we even deactivated the access lists, so that traffic can pass through the router as is. Nothing helps.

I am thankful for any help, even if you have to say it is not possible in this constellation.

Marco.

From lists at FIPS.DE Mon Dec 18 13:37:11 2000
From: lists at FIPS.DE (Philipp Buehler)
Date: Mon, 18 Dec 2000 19:37:11 +0100
Subject: win98 against non-windows vpn gates
Message-ID: <20001218193711.A19663@pohl.fips.de>

Hi,

any software in the market which can talk to linux or openbsd [frees/wan, isakmpd, whatever] and NOT uses PPTP? Regarding the Counterpane paper, PPTP[v2] is really not nice for usage. Commercial 3rd party software like SecuRemote is an option, but discouraged due to exorbitant pricing from FW-1 and the like.

ciao
--
Philipp Buehler, aka fIpS | sysfive.com GmbH | BOfH | NUCH |
%SYSTEM-F-TOOEARLY, please contact your sysadmin at a sensible time.
Artificial Intelligence stands no chance against Natural Stupidity.
[X] <-- nail here for new monitor

From sandy at STORM.CA Mon Dec 18 15:14:11 2000
From: sandy at STORM.CA (Sandy Harris)
Date: Mon, 18 Dec 2000 15:14:11 -0500
Subject: win98 against non-windows vpn gates
References: <20001218193711.A19663@pohl.fips.de>
Message-ID: <3A3E7013.452EB80B@storm.ca>

Philipp Buehler wrote:
>
> Hi,
>
> any software in the market which can talk to linux or openbsd
> [frees/wan, isakmpd, whatever] and NOT uses PPTP.
> Regarding the counterpane paper PPTP[v2] is really not nice for
> usage. commercial 3rd party software like securemote is an option,
> but discouraged due to exorbitant pricing from fw-1 and thelike.

There's a list of Windows IPSEC clients in the FreeS/WAN docs:
http://www.freeswan.org/freeswan_trees/freeswan-1.8/doc/interop.html#winclient

From jgoodwin at ASHLEYLAURENT.COM Mon Dec 18 18:02:36 2000
From: jgoodwin at ASHLEYLAURENT.COM (Jeffrey M. Goodwin)
Date: Mon, 18 Dec 2000 17:02:36 -0600
Subject: win98 against non-windows vpn gates
Message-ID: <387DCE97A6A6CC40B4A6E090A955B5E00869CE@voyager.ashleylaurent.com>

Also, http://www.ashleylaurent.com

-----Original Message-----
From: Sandy Harris [mailto:sandy at STORM.CA]
Sent: Monday, December 18, 2000 2:14 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: win98 against non-windows vpn gates

There's a list of Windows IPSEC clients in the FreeS/WAN docs:
http://www.freeswan.org/freeswan_trees/freeswan-1.8/doc/interop.html#winclient

From prashanth.pallati at CQSL.COM Tue Dec 19 01:06:11 2000
From: prashanth.pallati at CQSL.COM (prashanth)
Date: Tue, 19 Dec 2000 11:36:11 +0530
Subject: it is about client installation of VPN
Message-ID: <009c01c06981$db6d3980$4600a8c0@prashanth.in.cqsl.com>

Hi All,

I am very new to VPN and stuff like this. I am in a project of client installation of ISP for Windows 95 & 98. When people say installing VPN, is it enough to run MSDUN13.EXE on the client machine? Can anybody give me a clear idea what else I need to do for the dial-up network connection on the client side?

Thanks in advance
-Prashanth

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20001219/48595357/attachment.htm

From wolf at GMX.AT Tue Dec 19 07:41:19 2000
From: wolf at GMX.AT (Marco Wolf)
Date: Tue, 19 Dec 2000 12:41:19 -0000
Subject: MS-VPN and Cisco 800 II
Message-ID: <20001219124119.23571.qmail@securityfocus.com>

Me again. Maybe I should be a little bit more precise:

(local network, local IPs) --> Cisco 800 as DHCP --> Internet --> NT-Server with VPN from Microsoft

In the articles we read it only said we should open port 1723 with IP protocol 47. And we think we did, because we removed all access lists (in and out) from the router. Of course we want to turn them on again if we get the router and the tunnel to work. Another article said it only works for one computer in the LAN, because we only have one global IP on this side. At the moment it doesn't even work for one computer ;-)

Thanks for any comment which may help us...

Marco.

From jwrussell70 at HOTMAIL.COM Wed Dec 20 14:52:55 2000
From: jwrussell70 at HOTMAIL.COM (James Russell)
Date: Wed, 20 Dec 2000 13:52:55 -0600
Subject: Test Certificates?
Message-ID:

Hi everyone,

I'm new to the list and a real VPN novice, so please bear with me. Some cohorts and myself have just purchased copies of Safenet's SoftPk VPN Windows 2000 client for securing our connections to one another. It was so amazingly easy to get everything up and running using fixed keys that I'm now considering trying to use certificates because I know they're more secure. I know I should probably leave well enough alone, but does anyone know of a Certificate Authority where I can just get testing or temporary certificates to see if I can get them working? The Certificate Manager on the client looks easy enough, so I'd like to give it a shot.

Thanks for any input.

James Russell
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com

From mcbride at COUNTERSIEGE.COM Wed Dec 20 22:40:02 2000
From: mcbride at COUNTERSIEGE.COM (Ryan McBride)
Date: Wed, 20 Dec 2000 22:40:02 -0500
Subject: Test Certificates?
In-Reply-To: ; from jwrussell70@HOTMAIL.COM on Wed, Dec 20, 2000 at 01:52:55PM -0600
References:
Message-ID: <20001220224002.B32564@countersiege.com>

On Wed, Dec 20, 2000 at 01:52:55PM -0600, James Russell wrote:
> Some cohorts and myself have just purchased copies of Safenet's SoftPk VPN
> Windows2000 client for securing our connections to one another. It was so
> amazingly easy to get everything up and running using fixed keys that I'm
> now considering trying to use certificates because I know they're more
> secure.

They're not necessarily more secure than using fixed keys - they're one way to handle the problem of key management, but they're definitely not a panacea.

> I know I should probably leave well enough alone, but does anyone know of a
> Certificate Authority where I can just get testing or temporary certificates
> to see if I can get them working? The Certificate Manager on the client
> looks easy enough, so I'd like to give it a shot.

I've had good experiences using OpenSSL (on OpenBSD) to generate X.509 certificates for use with the SafeNet client. If you have access to a Unix system that you can install OpenSSL on, you can generate all the certificates you like.

-Ryan

--
Ryan McBride - mcbride at countersiege.com
Systems Security Consultant
Countersiege Systems Corporation - http://www.countersiege.com

From ryan at SECURITYFOCUS.COM Thu Dec 21 13:37:19 2000
From: ryan at SECURITYFOCUS.COM (Ryan Russell)
Date: Thu, 21 Dec 2000 10:37:19 -0800
Subject: [PEN-TEST] VPN security evaluation (fwd)
Message-ID:

Thought this might be of interest to the VPN list.

Ryan

---------- Forwarded message ----------
Date: Thu, 21 Dec 2000 14:00:31 +0100
From: ingeborn at IXSECURITY.COM
Reply-To: Penetration Testers
To: PEN-TEST at SECURITYFOCUS.COM
Subject: Re: [PEN-TEST] VPN security evaluation

We did an initial evaluation of the Contivity some months ago. Here are some things worth discussing:

The Client

If the users are allowed to use the 'Save password' option, the password is encrypted and hidden in a Windows registry key named 'Errors' ;-) The user name is encrypted and stored in a key named 'UserErrors'. The user name is also stored in plaintext in a text file. The user name and password are encrypted in the same way with the same key. So you will at least have a known plaintext situation. If you have a client to play with you will of course have a chosen plaintext situation, which is 'better'.

The encryption is done in 64-bit blocks and the blocks are not chained. This means that no password will ever be stronger than 8 characters in terms of brute force guessing(!) The marketing talks about RC4, DES and 3-DES. I would guess DES or 3-DES because of the 64-bit block scheme, but I don't know for sure, yet.

The same password is encrypted into different cipher texts on different hosts. But the same password is encrypted to the same cipher text after a re-install. This either means that the encryption key (or some salt value) is saved on the client host after the un-install (doesn't look like that) or that the key (or salt) is generated from something unique on the client host (maybe some serial no etc). If it is the latter, it is probably the same 'thing' on all hosts and it would be interesting to know. We didn't find it, but if you do, please let us know.

Luckily there is an option in the server that disallows the user to store the password. I suggest to use that option.

When a client connects to the VPN server it uses port 50/udp. The authentication consists of a number of steps (12 if I'm not wrong now). In order to do buffer overflow checks etc. on each of those steps, we wrote a combined server/client that acted as a man-in-the-middle at the network/transport layer level. With the time given we couldn't break any of the application layer level encryption, so maybe this should be called something like 'bi-directional IP-spoofing' instead. Anyway, the interesting thing is that when we just forwarded the data segments of all packets in both directions (i.e. just changing the IP address) we ended up with a situation where the client popped up a dialog stating it was authenticated and successfully connected to us :-) This may be used to collect cipher text sessions for further cryptanalysis without the need to be (or break in to) the ISP etc. This may also be used to trick users into allowing certain IP addresses in their personal firewall rule sets etc.

When the client connects to the server (the real one now) and the authentication is successfully performed, the client adds a new default gateway to the local routing table. This is fine because he should use the VPN tunnel from now on. However, with the version we used (2.62) the VPN session was not disconnected if the user manually changed the routing table back. This means that a user infected with your favorite trojan could be set up to act as a gateway into the internal network. There is a patch for this, I suggest to get it.

The Server

The VPN server includes a FW-1 filter module. However, Checkpoint's service packs cannot be applied directly and Nortel does not provide service packs equivalent to more than FW-1 4.1 SP5. This means that e.g. the authentication weaknesses presented at Black Hat 2000 are present and 'cannot' be patched. Nortel says they are going to replace the FW-1 module with something else, but as far as I know, they haven't done that yet.

There are also a number of older issues with the management interface that you can find on SecurityFocus. Those are fixed in the latest versions.

Good luck with your evaluation, please get back to tell us about any progress you make!

Regards,
Anders Ingeborn
iXsecurity, Sweden

PS. Compaq servers are shipped with a program that includes a remotely exploitable buffer overflow. We're posting it to Bugtraq along with proof-of-concept code soon. Don't miss it. There's a lot of Compaq servers out there...

> Can anyone direct me to documents pertaining to the evaluation of VPN
> security using IPSec and the Nortel Network Contivity 1500 Extranet switch.
> Thanks

From TDubois at INST.STRYKERCORP.COM Fri Dec 22 14:19:37 2000
From: TDubois at INST.STRYKERCORP.COM (Dubois, Tim)
Date: Fri, 22 Dec 2000 14:19:37 -0500
Subject: Checkpoint VPN in distributed firewall/vpn config
Message-ID:

Wondering if anybody can help me out here. We have a Checkpoint FW/VPN v. 4.1 SP2; the management station is our corporate firewall, also FW-1 v4.1 SP2. With SecuRemote, we are able to create a site, but cannot connect to any of our network sites. We are able to ping our corporate network, but not our own network. Both firewalls are using the same encryption domain. We have set this up according to the Checkpoint documentation, yet it still doesn't work. We are using IKE encryption. The user is authenticated, we can ping only 1 network, but not any other. Does anyone have any ideas about this?

A separate problem (I think) is that DNSInfo is not downloading to the userc.c file on the SecuRemote client. This seems to be happening to other people as well. Does anyone know if this is a common problem? Does anyone know what the solution is?

Thanks,
Tim Dubois
Network Analyst, Stryker Instruments
(616) 323-7700 ext 3549
tdubois at inst.strykercorp.com

From almartin at ESOTERICA.PT Sat Dec 23 07:13:25 2000
From: almartin at ESOTERICA.PT (Luis Martins)
Date: Sat, 23 Dec 2000 12:13:25 -0000
Subject: falling telnets
Message-ID:

We use our VPN to make a remote connection to our Unix server using telnet, but the telnets started to fall. If no one uses the program for about 15 minutes the telnet falls. Could anyone help me in this matter?

Thanks
Luis Martins

From siva4u at USA.NET Thu Dec 21 02:41:20 2000
From: siva4u at USA.NET (Sivaramakrishnan M.S.)
Date: Thu, 21 Dec 2000 00:41:20 MST
Subject: No subject
Message-ID: <20001221074120.11400.qmail@nwcst285.netaddress.usa.net>

Dear ,

I've got some doubts regarding implementing VPN in India. I currently have 5 geographically dispersed sites which I want to connect over VPN. I have 512 Kbps ADSL lines at each location. I have mobile users roaming with laptops. I have an NT setup with desktops running NT Workstation and laptops with 98 clients. The five sites have their own PDCs. I have to implement an IP Masq firewall and have VPN for connecting these users safely across the Internet. Kindly give a small project idea.

Best Regards,
Sivaramakrishnan M.S.
HIN -IT

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1

From Dante at WEBCTI.COM Thu Dec 21 10:42:49 2000
From: Dante at WEBCTI.COM (Dante Mercurio)
Date: Thu, 21 Dec 2000 10:42:49 -0500
Subject: NetScreen 5 & WG Firebox II VPN?
Message-ID:

Has anyone tried this combination? And if it was successful, what were the settings used? (IKE? Manual? Encryption types? etc.)

--Dante

From simon at PACHUKA.COM Fri Dec 22 21:34:19 2000
From: simon at PACHUKA.COM (Simon Wong)
Date: Fri, 22 Dec 2000 18:34:19 -0800
Subject: VPN from home
Message-ID:

Thank you for putting up this site! However, I am still running into a problem. Here is the situation.

I am trying to get my work laptop to connect into my work server via DSL connection. I have VPN at work. They currently use Altiga. I have DSL at home. I have a single IP address assigned to me by my ISP. My computer has 2 NIC cards. The DSL modem is connected to one card, and the other is connected to a hub. I would like to be able to connect my work laptop straight into the hub and have it run to my work server.

I am able to get into the work server through the VPN software by dial-up only, but have no success in getting through via the hub at home/DSL. I believe my computer is preventing the VPN tunneling from working properly. I have already tried repeatedly with my IT guys from work to get it to work. However, it appears that they are not knowledgeable enough to help me.

Do I need to set up another network connection for my home computer??? Do I need to make some adjustments on my laptop??? Please assist me in any way you can.

This is my schematic:

DSL modem ---> Home Computer ---> HUB ---> 2nd computer

This is what I would like to do.... Be able to plug my laptop (VPN software installed and working properly) into the hub and connect to work.

Thank You,
Simon V. Wong
email: simon at pachuka.com

From kgray at DREAMWORKS.COM Fri Dec 22 21:38:15 2000
From: kgray at DREAMWORKS.COM (Gray, Kevin)
Date: Fri, 22 Dec 2000 18:38:15 -0800
Subject: Problem establishing tunnel between CheckPoint and freeswan
Message-ID:

I am trying to establish a tunnel between Checkpoint FW1/VPN1 and FreeSwan 1.8. I have read the document located at http://support.checkpoint.com/kb/docs/public/firewall1/4_1/pdf/fw-linuxvpn.pdf

I tried following it verbatim, but that didn't work.
I got the following error: 104 "gray-dreamworks" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2 003 "gray-dreamworks" #1: discarding duplicate packet; already STATE_MAIN_I2 003 "gray-dreamworks" #1: discarding duplicate packet; already STATE_MAIN_I2 003 "gray-dreamworks" #1: discarding duplicate packet; already STATE_MAIN_I2 003 "gray-dreamworks" #1: discarding duplicate packet; already STATE_MAIN_I2 010 "gray-dreamworks" #1: STATE_MAIN_I2: retransmission; will wait 20s for response 003 "gray-dreamworks" #1: discarding duplicate packet; already STATE_MAIN_I2 106 "gray-dreamworks" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3 003 "gray-dreamworks" #1: no suitable connection for peer '10.10.1.198' 218 "gray-dreamworks" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION 003 "gray-dreamworks" #1: no suitable connection for peer '10.10.1.198' 218 "gray-dreamworks" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION 003 "gray-dreamworks" #1: no suitable connection for peer '10.10.1.198' 218 "gray-dreamworks" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION So I added a leftid=10.10.1.198 parameter to the connection definition in /etc/ipsec.conf for freeswan since CKP was answering back with that ID. Now I get the following error: 102 "gray-dreamworks" #1: STATE_MAIN_I1: initiate 104 "gray-dreamworks" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2 106 "gray-dreamworks" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3 003 "gray-dreamworks" #1: received Hash Payload does not match computed value 223 "gray-dreamworks" #1: STATE_MAIN_I3: INVALID_HASH_INFORMATION 003 "gray-dreamworks" #1: received Hash Payload does not match computed value 223 "gray-dreamworks" #1: STATE_MAIN_I3: INVALID_HASH_INFORMATION 003 "gray-dreamworks" #1: received Hash Payload does not match computed value 223 "gray-dreamworks" #1: STATE_MAIN_I3: INVALID_HASH_INFORMATION Has anyone seen this error before, or have any idea what I might be doing wrong? 
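A small triage script for pluto output of the kind Kevin posted, added here as an example (it is not Kevin's code nor part of FreeS/WAN): it parses the whack status lines and maps the two Main Mode notifications seen in this thread to their usual causes. The sample logs are trimmed copies of the lines in the post; the explanations assume Main Mode with pre-shared keys and are mine, not pluto's.

```python
import re

# Constructed sample input: trimmed copies of the two pluto runs in the post.
SAMPLE_LOG_ID = """\
104 "gray-dreamworks" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
003 "gray-dreamworks" #1: discarding duplicate packet; already STATE_MAIN_I2
003 "gray-dreamworks" #1: discarding duplicate packet; already STATE_MAIN_I2
010 "gray-dreamworks" #1: STATE_MAIN_I2: retransmission; will wait 20s for response
106 "gray-dreamworks" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
003 "gray-dreamworks" #1: no suitable connection for peer '10.10.1.198'
218 "gray-dreamworks" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
"""

SAMPLE_LOG_HASH = """\
102 "gray-dreamworks" #1: STATE_MAIN_I1: initiate
106 "gray-dreamworks" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
003 "gray-dreamworks" #1: received Hash Payload does not match computed value
223 "gray-dreamworks" #1: STATE_MAIN_I3: INVALID_HASH_INFORMATION
"""

# pluto's whack status format: NNN "conn-name" #sa-number: message
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
PEER_RE = re.compile(r"no suitable connection for peer '([^']+)'")
STATE_RE = re.compile(r"^(STATE_[A-Z0-9_]+)")

# The notifications this thread runs into, with their usual cause.
EXPLAIN = {
    "INVALID_ID_INFORMATION": (
        "the ID the peer presented matched no connection: the conn's ID for "
        "the peer (leftid/rightid) must equal the ID shown in "
        "'no suitable connection for peer'"),
    "INVALID_HASH_INFORMATION": (
        "HASH_I/HASH_R mismatch in Main Mode: the pre-shared secret in "
        "/etc/ipsec.secrets does not match the one configured on the peer, "
        "or one end selected the secret for the wrong identity"),
}


def parse_pluto(log):
    """Turn pluto status lines into dicts; lines in any other format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            code, conn, sa, msg = m.groups()
            events.append({"code": int(code), "conn": conn, "sa": int(sa), "msg": msg})
    return events


def diagnose(log):
    """Summarise a failed negotiation: last state reached, peer IDs seen,
    retransmission/duplicate counts, and an explanation per notification."""
    report = {"conn": None, "last_state": None, "peer_ids": [], "retransmits": 0,
              "duplicates": 0, "notifications": [], "advice": []}
    for ev in parse_pluto(log):
        report["conn"] = ev["conn"]
        state = STATE_RE.match(ev["msg"])
        if state:
            report["last_state"] = state.group(1)
        if "retransmission" in ev["msg"]:
            report["retransmits"] += 1
        if "discarding duplicate packet" in ev["msg"]:
            report["duplicates"] += 1
        peer = PEER_RE.search(ev["msg"])
        if peer and peer.group(1) not in report["peer_ids"]:
            report["peer_ids"].append(peer.group(1))
        for name, why in EXPLAIN.items():
            if name in ev["msg"] and name not in report["notifications"]:
                report["notifications"].append(name)
                report["advice"].append(why)
    return report


if __name__ == "__main__":
    for log in (SAMPLE_LOG_ID, SAMPLE_LOG_HASH):
        r = diagnose(log)
        print(r["conn"], r["last_state"], r["notifications"], r["peer_ids"])
        for line in r["advice"]:
            print("  ->", line)
```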
From: cgripp at AXCELERANT.COM (Christopher S. Gripp)
Date: Sat, 23 Dec 2000 16:55:08 -0800
Subject: Test Certificates?
In-Reply-To: <20001220224002.B32564@countersiege.com>

Well, the reason they are more "secure" is due to the key length. It is essentially a MUCH larger static key.

Chris

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Ryan McBride
Sent: Wednesday, December 20, 2000 7:40 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: Test Certificates?

On Wed, Dec 20, 2000 at 01:52:55PM -0600, James Russell wrote:
> Some cohorts and myself have just purchased copies of Safenet's SoftPk VPN
> Windows2000 client for securing our connections to one another. It was so
> amazingly easy to get everything up and running using fixed keys that I'm
> now considering trying to use certificates because I know they're more
> secure.

They're not necessarily more secure than using fixed keys - they're one way to handle the problem of key management, but they're definitely not a panacea.

> I know I should probably leave well enough alone, but does anyone know of a
> Certificate Authority where I can just get testing or temporary certificates
> to see if I can get them working? The Certificate Manager on the client
> looks easy enough, so I'd like to give it a shot.

I've had good experiences using OpenSSL (on OpenBSD) to generate x509 certificates for use with the SafeNet client. If you have access to a Unix system that you can install OpenSSL on, you can generate all the certificates you like.

-Ryan

--
Ryan McBride - mcbride at countersiege.com
Systems Security Consultant
Countersiege Systems Corporation - http://www.countersiege.com

From: cgripp at AXCELERANT.COM (Christopher S. Gripp)
Date: Sat, 23 Dec 2000 17:03:28 -0800
Subject: VPN from home

The computer is acting as a NAT device, translating a public IP (from your ISP) to a private IP (assigned by your computer). This is great for regular Internet sharing but it essentially breaks the VPN. You either have to use the DSL connection straight into your laptop or get another IP connection just for telecommuting. The problem with that is, usually, a residence only has enough pairs accessible to get 1 DSL connection. You might just have to work with it by doing the ol' switcharoo.

Chris Gripp
Systems Engineer
Axcelerant
www.axcelerant.com

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Simon Wong
Sent: Friday, December 22, 2000 6:34 PM
To: VPN at SECURITYFOCUS.COM
Subject: VPN from home
Importance: High
Sensitivity: Confidential

Thank you for putting up this site! However, I am still running into a problem. Here is the situation. I am trying to get my work laptop to connect into my work server via DSL connection. I have VPN at work. They currently use Altiga.

I have DSL at home. I have a single IP address assigned to me by my ISP. My computer has 2 NIC cards. The DSL modem is connected to one card, and the other is connected to a hub. I would like to be able to connect my work laptop straight into the hub and have it run to my work server. I am able to get into the work server through the VPN software by dial-up only, but have no success in getting through via the hub at home/DSL.

I believe my computer is preventing the VPN tunneling from working properly. I have already tried repeatedly with my IT guys from work to get it to work. However, it appears that they are not knowledgeable enough to help me. Do I need to set up another network connection for my home computer??? Do I need to make some adjustments on my laptop??? Please assist me in any way you can.

This is my schematic:

DSL modem ---> Home Computer ---> HUB ---> 2nd computer

This is what I would like to do....

Be able to plug my laptop (VPN software installed and working properly) into the hub and connect to work.

Thank you,
Simon V. Wong
email: simon at pachuka.com

From: mcbride at COUNTERSIEGE.COM (Ryan McBride)
Date: Sat, 23 Dec 2000 20:39:35 -0500
Subject: Test Certificates?
In-Reply-To: ; from cgripp@axcelerant.com on Sat, Dec 23, 2000 at 04:55:08PM -0800
References: <20001220224002.B32564@countersiege.com>
Message-ID: <20001223203935.A29355@countersiege.com>

On Sat, Dec 23, 2000 at 04:55:08PM -0800, Christopher S. Gripp wrote:
> Ryan McBride wrote:
>
> > They're not necessarily more secure than using fixed keys - they're
> > one way to handle the problem of key management, but they're definitely
> > not a panacea.
>
> Well, the reason they are more "secure" is due to the key length. It is
> essentially a MUCH larger static key.

That's only if you are using weak static keys... Any IPSec implementation that does not permit static keys with entropy greater than or equal to the key length of the cipher I would consider broken.

There are drawbacks to using certificate based authentication - people often overestimate the security provided by a PKI. Unless the transmission of CA certificates is done with care to ensure authenticity, man-in-the-middle attacks become a real threat. The recent release of dsniff 2.3 which makes available "point-and-click" man-in-the-middle attacks against SSH and SSL is a hint of the tools that will soon be publicly available to attack IPSec.

There _is_ an advantage in letting your machine generate random keys for you, but users of IPSec should be doing this anyways (or flipping a coin) to generate static keys. There is no point in using robust 128 bit key encryption algorithms if your key is "bob", or even "7:3O - mAn, @m 1 3v3r hunGry!".

-Ryan

--
Ryan McBride - mcbride at countersiege.com
Systems Security Consultant
Countersiege Systems Corporation - http://www.countersiege.com

From: nvakhari at HOTJOBS.COM (Nimesh Vakharia)
Date: Wed, 27 Dec 2000 15:37:25 -0500
Subject: Checkpoint VPN Interoperability Woes!

So a single Nokia/CP firewall and VPNet VSU: tunnel established, no problem. Come VRRP and HA, now you run into all sorts of problems. Your tunnel endpoint is the VIP, but when you try and do that, the reply coming from the CP firewall (i.e. the source IP) is the interface IP on the firewall. This COMPLETELY breaks how TCP/IP works. If you are thinking in a Checkpoint sense of object and IP/interfaces on that object it makes sense, but that's not how other firewalls/VPN equipment work. I don't know what Checkpoint is trying to do to fix it! Anyone have any ideas?

Summary: Nokia/Checkpoint fw with VRRP does not interoperate with any other vendor solution.

Nimesh.

From: jsdy at COSPO.OSIS.GOV (Joseph S D Yao)
Date: Wed, 27 Dec 2000 19:07:08 -0500
Subject: VPN from home
In-Reply-To: ; from simon@PACHUKA.COM on Fri, Dec 22, 2000 at 06:34:19PM -0800
Message-ID: <20001227190708.E17224@washington.cospo.osis.gov>

On Fri, Dec 22, 2000 at 06:34:19PM -0800, Simon Wong wrote:
> Thank You for putting up this site! However, I am still running into a
> problem. Here is the situation. I am trying to get my work laptop to
> connect into my work server via DSL connection. I have VPN at work. They
> currently use Altiga.
> I have DSL at home. I have a single IP address assigned to me by my ISP.
> My computer has 2 NIC cards. The DSL modem is connected to one card. And
> the other is connected to a hub. I would like to be able to connect my work
> laptop straight into the hub and have it run to my work server.
...

With a single IP address, your dual-homed PC attached to your DSL box has to be doing some kind of NAT - right? Is it acting as a proxying firewall? In short, how are you connecting multiple computers to the Internet via one IP address before introducing this laptop? Is the dual-homed PC acting as a firewall or a gateway? Does it let all IP through without change? [I doubt it.]

How does your laptop authenticate itself to your VPN? I have no knowledge of what Altiga does.

More information is needed, I think.

--
Joe Yao jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
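Why the NAT on Simon's dual-homed PC breaks IPsec, worked through as an added example (not code from any poster): a minimal model of an IPv4 packet carrying AH versus ESP, with the integrity check computed over what each protocol defines (AH over the non-mutable IP header fields plus payload, ESP over its own header and payload only). Rewriting the source address the way NAT does invalidates the AH check but leaves ESP intact, which is the point Brian Fellows makes later in the thread. The packet layouts are simplified, encryption is omitted, and HMAC-SHA1-96 with a constructed key stands in for whatever the tunnel negotiated.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed shared integrity key; HMAC-SHA1-96 stands in for the negotiated
# integrity algorithm. Layouts are the minimum needed to show ICV coverage.
KEY = b"constructed-integrity-key"
ICV_LEN = 12
PROTO_ESP, PROTO_AH = 50, 51


def checksum(data: bytes) -> int:
    """Standard ones-complement IP header checksum."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def ah_icv_input(ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    # RFC 2402: the ICV covers the IP header with mutable fields zeroed
    # (TOS, flags/fragment offset, TTL, checksum). Source and destination
    # addresses are not mutable, so NAT cannot touch them without detection.
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h) + ah_fixed + b"\x00" * ICV_LEN + payload


def build_ah(src, dst, payload, spi=0x100, seq=1) -> bytes:
    # next header=UDP(17), payload len=(24/4)-2=4, reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", 17, 4, 0, spi, seq)
    ip = ipv4_header(src, dst, PROTO_AH, 20 + len(ah_fixed) + ICV_LEN + len(payload))
    icv = hmac.new(KEY, ah_icv_input(ip, ah_fixed, payload), hashlib.sha1).digest()[:ICV_LEN]
    return ip + ah_fixed + icv + payload


def verify_ah(pkt: bytes) -> bool:
    ip, ah_fixed = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    expected = hmac.new(KEY, ah_icv_input(ip, ah_fixed, payload), hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def build_esp(src, dst, payload, spi=0x200, seq=1) -> bytes:
    # RFC 2406: the ICV covers SPI, sequence number and the (normally
    # encrypted) payload, nothing from the outer IP header.
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    return ipv4_header(src, dst, PROTO_ESP, 20 + len(body) + ICV_LEN) + body + icv


def verify_esp(pkt: bytes) -> bool:
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(hmac.new(KEY, body, hashlib.sha1).digest()[:ICV_LEN], icv)


def nat_outbound(pkt: bytes, public_src: str) -> bytes:
    """What the dual-homed PC does to every outgoing packet: swap the private
    source address for its one public address and fix the IP checksum. AH and
    ESP carry no port numbers, so a many-to-one PAT box also has nothing to
    rewrite that would tell two inside hosts' tunnels apart."""
    ip = bytearray(pkt[:20])
    ip[12:16] = ipaddress.IPv4Address(public_src).packed
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip) + pkt[20:]


def protocol(pkt: bytes) -> int:
    return pkt[9]


if __name__ == "__main__":
    ah = build_ah("192.168.1.20", "203.0.113.5", b"inner packet")
    esp = build_esp("192.168.1.20", "203.0.113.5", b"inner packet")
    print("AH after NAT :", verify_ah(nat_outbound(ah, "198.51.100.7")))
    print("ESP after NAT:", verify_esp(nat_outbound(esp, "198.51.100.7")))
```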
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Mon, 25 Dec 2000 00:52:08 -0800
Subject: Problem establishing tunnel between CheckPoint and freeswan
Message-ID: <3A470AB8.5979ACEF@pacbell.net>

Hello Gray,

Unselect "PFS" on the rules of the Checkpoint, and also make sure that the secret matches the /etc/ipsec.secrets file on the FreeS/WAN. Also disable PFS in /etc/ipsec.conf:

conn %default
        type=tunnel
        pfs=no

If PFS is on then you have to also set DH Group 5 on the FreeS/WAN.

Good Luck
Jose M.

> "Gray, Kevin" wrote:
>
> I am trying to establish a tunnel between Checkpoint FW1/VPN1 and
> FreeSwan 1.8. I have read the document located at
> http://support.checkpoint.com/kb/docs/public/firewall1/4_1/pdf/fw-linuxvpn.pdf
> I tried following it verbatim, but that didn't work. I got the
> following error:
>
> 104 "gray-dreamworks" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
> 003 "gray-dreamworks" #1: discarding duplicate packet; already STATE_MAIN_I2
> 003 "gray-dreamworks" #1: discarding duplicate packet; already STATE_MAIN_I2
> 003 "gray-dreamworks" #1: discarding duplicate packet; already STATE_MAIN_I2
> 003 "gray-dreamworks" #1: discarding duplicate packet; already STATE_MAIN_I2
> 010 "gray-dreamworks" #1: STATE_MAIN_I2: retransmission; will wait 20s for response
> 003 "gray-dreamworks" #1: discarding duplicate packet; already STATE_MAIN_I2
> 106 "gray-dreamworks" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
> 003 "gray-dreamworks" #1: no suitable connection for peer '10.10.1.198'
> 218 "gray-dreamworks" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
> 003 "gray-dreamworks" #1: no suitable connection for peer '10.10.1.198'
> 218 "gray-dreamworks" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
> 003 "gray-dreamworks" #1: no suitable connection for peer '10.10.1.198'
> 218 "gray-dreamworks" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
>
> So I added a leftid=10.10.1.198 parameter to the connection definition
> in /etc/ipsec.conf for freeswan since CKP was answering back with that
> ID. Now I get the following error:
>
> 102 "gray-dreamworks" #1: STATE_MAIN_I1: initiate
> 104 "gray-dreamworks" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
> 106 "gray-dreamworks" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
> 003 "gray-dreamworks" #1: received Hash Payload does not match computed value
> 223 "gray-dreamworks" #1: STATE_MAIN_I3: INVALID_HASH_INFORMATION
> 003 "gray-dreamworks" #1: received Hash Payload does not match computed value
> 223 "gray-dreamworks" #1: STATE_MAIN_I3: INVALID_HASH_INFORMATION
> 003 "gray-dreamworks" #1: received Hash Payload does not match computed value
> 223 "gray-dreamworks" #1: STATE_MAIN_I3: INVALID_HASH_INFORMATION
>
> Has anyone seen this error before, or have any idea what I might be
> doing wrong?

From: duane.duvall at WILLIAMS.COM (Duvall, Duane)
Date: Wed, 27 Dec 2000 08:57:09 -0600
Subject: VPN Terminology
Message-ID: <13B13D9BA6EDD211AE390008C7916AFD0E93256E@twctule004.twc.com>

For a novice, does anyone have any suggestions for a website to learn "terms of the trade" for VPN terminology etc.? We will be implementing VPN in several areas in 2001. You may reply "offline" if you wish.

Many Thanks.

Duane Duvall
Analyst--Corporate Strategic Sourcing
Ph: 918-573-4039
Fx: 918-573-4755
employed: http://www.williams.com
"If a man hasn't found something worth dying for, he isn't fit to live"---Martin Luther King, Jr. and Cassie Bernall

-----Original Message-----
From: Dante Mercurio [mailto:Dante at WEBCTI.COM]
Sent: Thursday, December 21, 2000 9:43 AM
To: VPN at SECURITYFOCUS.COM
Subject: NetScreen 5 & WG Firebox II VPN?

Has anyone tried this combination? And if it was successful, what were the settings used? (IKE? Manual? Encryption types? etc.)

--Dante

From: Joel.Snyder at OPUS1.COM (Joel Snyder)
Date: Fri, 29 Dec 2000 06:46:44 -0700
Subject: Test Certificates?
Message-ID: <3A4C951C.14B138A2@Opus1.COM>

"Christopher S. Gripp" wrote:
>
> Well, the reason they are more "secure" is due to the key length. It is
> essentially a MUCH larger static key.

I wouldn't NECESSARILY agree with that, although your conclusion is probably correct given real-world constraints.

First, I am assuming that when you say "static key," you mean "pre-shared secret," not manual keying. In the case of pre-shared secrets, the secret is transmitted during configuration, and is transmitted across the wire (encrypted) each time an IKE authentication occurs. The management overhead with existing products to pair-wise PSS is so high that real VPNs rarely use them in a secure way. In addition, while many implementations give you the option of long PSS, there are practical limits (such as UDP packet length and management GUI) which typically limit the size of PSS to some small value, such as 80 octets.

By contrast, certified public keys in IKE authentication do NOT transmit the private key ever in IKE, and often are configured in such a way that the private key is private to the device/user and never transmitted to the CA.

From a cryptographer's point of view, you cannot compare these two approaches, since they are apples & oranges. However, from a management point of view, the way that real products actually implement both PSS and certified public keys does often lead to better MANAGED VPNs, which typically results in an IKE authentication approach with a higher face validity.

jms

>
> Chris
>
> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Ryan
> McBride
> Sent: Wednesday, December 20, 2000 7:40 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: Test Certificates?
>
> On Wed, Dec 20, 2000 at 01:52:55PM -0600, James Russell wrote:
>
> > Some cohorts and myself have just purchased copies of Safenet's SoftPk VPN
> > Windows2000 client for securing our connections to one another. It was so
> > amazingly easy to get everything up and running using fixed keys that I'm
> > now considering trying to use certificates because I know they're more
> > secure.
>
> They're not necessarily more secure than using fixed keys - they're
> one way to handle the problem of key management, but they're definitely
> not a panacea.
>
> > I know I should probably leave well enough alone, but does anyone know of
> > a Certificate Authority where I can just get testing or temporary
> > certificates to see if I can get them working? The Certificate Manager
> > on the client looks easy enough, so I'd like to give it a shot.
>
> I've had good experiences using OpenSSL (on OpenBSD) to generate x509
> certificates for use with the SafeNet client. If you have access to a
> Unix system that you can install OpenSSL on, you can generate all the
> certificates you like.
>
> -Ryan
>
> --
> Ryan McBride - mcbride at countersiege.com
> Systems Security Consultant
> Countersiege Systems Corporation - http://www.countersiege.com

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ 85719
Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
jms at Opus1.com http://www.opus1.com/jms Opus One
This was sent from home, so calling now won't catch me.
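The pre-shared-secret authentication that Joel, Ryan and Robert argue over in this thread, worked through as an added example (not code from any poster): the SKEYID, SKEYID_{d,a,e} and HASH_I derivation of RFC 2409 section 5.4 with HMAC-SHA1 as the prf, over constructed cookies, nonces, SA payload and Diffie-Hellman values (random bytes stand in for the real exponentials). It shows that only a keyed hash of the secret crosses the wire, and why a Main Mode responder has to pick the secret by the peer's IP address before it can read the peer's identity, which is the mobility limitation Robert describes further down.

```python
import hashlib
import hmac
import os

# Everything here is constructed for the demonstration. HMAC-SHA1 is the prf
# RFC 2409 uses when SHA-1 is the negotiated hash; the DH values are random
# bytes standing in for real group exponentials.


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni + nr)


def phase1_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    # RFC 2409 section 5. SKEYID_e encrypts the ID and HASH payloads of the
    # final Main Mode messages, so it must exist before the peer's ID is read.
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid: bytes, w: dict) -> bytes:
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    return prf(skeyid, w["gxi"] + w["gxr"] + w["cky_i"] + w["cky_r"]
               + w["sai_b"] + w["idii_b"])


def initiator(psk: bytes, idii_b: bytes):
    """Values an initiator puts on the wire, plus g^xy, which both peers
    compute locally and never send, and the keys the initiator derives."""
    wire = {
        "cky_i": os.urandom(8), "cky_r": os.urandom(8),      # ISAKMP cookies
        "ni": os.urandom(20), "nr": os.urandom(20),          # nonces
        "gxi": os.urandom(128), "gxr": os.urandom(128),      # KE payloads
        "sai_b": b"\x00\x00\x00\x01" + os.urandom(24),       # SA payload body
        "idii_b": idii_b,                                    # ID payload body
    }
    gxy = os.urandom(128)
    skeyid = skeyid_psk(psk, wire["ni"], wire["nr"])
    wire["hash_i"] = hash_i(skeyid, wire)
    return wire, gxy, phase1_keys(skeyid, gxy, wire["cky_i"], wire["cky_r"])


def responder(psk_table: dict, peer_ip: str, wire: dict, gxy: bytes):
    """Main Mode responder with pre-shared keys. The secret is selected by the
    peer's source address because IDii arrives encrypted under SKEYID_e, which
    already depends on the secret. Returns the derived keys, or None where
    pluto would log INVALID_HASH_INFORMATION or find no connection."""
    psk = psk_table.get(peer_ip)
    if psk is None:
        return None
    skeyid = skeyid_psk(psk, wire["ni"], wire["nr"])
    if not hmac.compare_digest(hash_i(skeyid, wire), wire["hash_i"]):
        return None
    return phase1_keys(skeyid, gxy, wire["cky_i"], wire["cky_r"])


def secret_on_wire(wire: dict, psk: bytes) -> bool:
    """True if the raw secret occurs in any transmitted field."""
    return any(psk in value for value in wire.values())


# Constructed responder configuration: one secret per peer address.
PSK_TABLE = {
    "192.0.2.10": b"ZXvb)F2;Ii*A0x4W<m8Tq#Lr9@d^Kc",   # machine-generated
    "192.0.2.20": b"bob",                              # Ryan's weak example
}
# ID_IPV4_ADDR (type 1), protocol/port 0, address 192.0.2.10
IDII_B = b"\x01\x00\x00\x00" + bytes([192, 0, 2, 10])

if __name__ == "__main__":
    wire, gxy, keys_i = initiator(PSK_TABLE["192.0.2.10"], IDII_B)
    print("responder derived same keys:",
          responder(PSK_TABLE, "192.0.2.10", wire, gxy) == keys_i)
    print("secret visible on wire:", secret_on_wire(wire, PSK_TABLE["192.0.2.10"]))
```

The only secret input to HASH_I is the pre-shared key itself, which is why Ryan's point about the entropy of the secret, not its length limit in some GUI, is what bounds the authentication strength.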
VPN is sponsored by SecurityFocus.COM From Joel.Snyder at OPUS1.COM Fri Dec 29 08:50:45 2000 From: Joel.Snyder at OPUS1.COM (Joel M Snyder) Date: Fri, 29 Dec 2000 06:50:45 -0700 Subject: Checkpoint VPN Interoperability Woes! In-Reply-To: "Your message dated Wed, 27 Dec 2000 15:37:25 -0500" References: Message-ID: <01JY9N62S2BE8WWR8U@Opus1.COM> >So a single Nokia/CP firewall and VPNet VSU, tunnel established no >problem. Come VRRP and HA, now you run into all sorts of problems. Your >tunnel endpoint is the VIP, but when you try and do that, the reply coming >from the CP firewall (ie the source IP) is the interface IP on the >firewall. > This COMPLETELY breaks how TCP/IP works. If you are thinking in a >Checkpoint sense of object and IP/interfaces on that object it makes >sense, but thats not how other firewalls/VPN equipment work. I don't know >what checkpoint is trying to do to fix it! Anyone have any ideas. See my recent review of VPN High Availability solutions in Network World for a longer discussion of this: http://www.nwfusion.com/reviews/2000/1211bgtoc.html >Summary: Nokia/Checkpoint fw with VRRP does not interoperate any other >vendor solution. If you like Nokia hardware, you should be looking at their CryptoCluster VPN solution which DOES work with any other VPN product: http://www.nokia.com/vpn/nokiavpn.html jms Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719 Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX) jms at Opus1.COM http://www.opus1.com/jms Opus One >Nimesh. 
>VPN is sponsored by SecurityFocus.COM VPN is sponsored by SecurityFocus.COM From Markus.Moullion at DE.BOSCH.COM Fri Dec 29 09:04:00 2000 From: Markus.Moullion at DE.BOSCH.COM (Moullion Markus (QI/LSD1) *) Date: Fri, 29 Dec 2000 15:04:00 +0100 Subject: AW: VPN from home Message-ID: If your home computer is doing NAT and you use the Altiga VPN Client on your work laptop to establish an IPSec connection, I see a chance to avoid the problem by a feature called 'IPSec through NAT' which is implemented in the Altiga VPN Concentrator and client software. In this case, ask your administrator to activate it for you. If PPTP is used for the VPN connection, NAT should not be a problem. Best regards, Markus > -----Urspr?ngliche Nachricht----- > Von: Simon Wong [mailto:simon at PACHUKA.COM] > Gesendet: 23. Dez 2000 03:34 > An: VPN at SECURITYFOCUS.COM > Betreff: VPN from home > Wichtigkeit: Hoch > Vertraulichkeit: Vertraulich > > > Thank You for putting up this site! However, I am still running into a > problem. Here is the situation. I am trying to get my work laptop to > connect into my work server via DSL connection. I have VPN at work. They > currently use Altiga. > I have DSL at home. I have a single IP address assigned to me by my ISP. > My computer has 2 NIC cards. The DSL modem is connected to one card. And > the other is connected to a hub. I would like to be able to connect my work > laptop straight into the hub and have it run to my work server. I am able > to get into the work server through the VPN software by dial up only, but > have no success in getting through via the hub at home/DSL. > I believe my computer is preventing the VPN tunneling to work properly. I > have already tried repeatedly with my IT guys from work to get it to work. > However, it appears that they are not knowledgeable enough to help me. > Do I need to setup another Network connection for my home computer??? Do > I need to make some adjustments on my laptop??? 
Please assist me in any way you can. > > This is my schematic: > > DSL modem ---> Home Computer ---> HUB ---> 2nd computer > > This is what I would like to do.... > > Be able to plug my laptop (VPN Software installed and working properly) into > the hub and connected to work. > > Thank You, > Simon V. Wong > email: simon at pachuka.com > > VPN is sponsored by SecurityFocus.COM > VPN is sponsored by SecurityFocus.COM From rgm at ICSA.NET Fri Dec 29 09:13:38 2000 From: rgm at ICSA.NET (Robert Moskowitz) Date: Fri, 29 Dec 2000 09:13:38 -0500 Subject: Test Certificates? In-Reply-To: <20001223203935.A29355@countersiege.com> References: <20001220224002.B32564@countersiege.com> Message-ID: <5.0.0.25.2.20001229085254.02e56eb0@localhost> At 08:39 PM 12/23/2000 -0500, Ryan McBride wrote: >On Sat, Dec 23, 2000 at 04:55:08PM -0800, Christopher S. Gripp wrote: > > > Ryan McBride wrote: > > > > > They're not necessarily more secure than using fixed keys - they're > > > one way to handle the problem of key management, but the're definately > > > not a panacea. > > > > Well, the reason they are more "secure" is due to the key length. It is > > essentially a MUCH larger static key. First Verisign maintains a test CA for certs. https://testdrive.verisign.com Now one very strong advantage of certificate based IPsec (well, actually IKE) is the removal of the IP address from the policy database. That is, you gain support for mobile clients. Yes, there is Aggresive Mode, but there are plenty of security concerns there. Better to go with Main Mode and RSA sig. The strength of the IPsec security has little to do with the strength of the key used for IKE. Rather the Group negotiated in IKE. The crypto gays and gals love to debate, but basically Group1 is ok for up to 80 bit keys. After that you should be using at least Group 2. 
I would have to check again but even IKE's security is not dependent on the 'key size' after all, the typical use of the RSA key in the cert is ONLY for a signing operation. IKE and IPsec are tricky and lead to wrong guesses on where their weakness are. >That's only if you are using weak static keys... Any IPSec >implementation that does not permit static keys with entropy greater >than or equal to the key length of the cipher I would consider broken. Are their many implementations that use static keys as defined in RFC 2401??? I think not. Most use session keying controled by IKE with 'pre-shared secrets'. These secrets are a form of identity. But when you use pre-shared secrets you have to use IP addresses for Main Mode identity, ie no mobility (static gateways or hosts). Aggresive mode 'fixes' this at a price. BTW, the Certicom Pilot (meaning the PDA) demo I saw at N+I was using Aggresive mode. >There are drawbacks to using certificate based authentication - people >often overestimate the security provided by a PKI. Unless the >transmission of CA certificates is done with care to ensure >authenticity, man-in-the-middle attacks become a real threat. The >recent release of dsniff 2.3 which makes available "point-and-click" >man-in-the-middle attacks against SSH and SSL is a hint of the tools >that will soon be publicly available to attack IPSec. Not even close to the same attack model. If you use RSA encrypt mode, you are strongly protected against man-in-the middle. If you are running your own CA and maintain it offline, leaving only the repostory online, you can pretty much run clean. You see, SSL depend on at the time of connection verification of keys. SSH when it gets loaded (which with the win version can happen at the strangest times, it seems). But with IKE, you are pre-storing certificate info that will be checked. Only if the CA is comprimised MIGHT there be concern (the bad guy first has to figure out what is in your policy database. 
He can't figure that out by looking at Main Mode packets. G-d, I HATE this protocol. Too much to keep straight. >There _is_ an advantage in letting your machine generate random keys >for you, but users of IPSec should be doing this anyways (or flipping >a coin) to generate static keys. There is no point in using robust 128 >bit key encryption algorithms if your key is "bob", or even "7:3O - >mAn, @m 1 3v3r hunGry!". Provided that the software is really generating good random nubers. But it better have for the IPsec IV (if you are using a CBC crypto).... Robert Moskowitz Senior Technical Director ICSA Labs, a division of the TruSecure Corporation (248) 968-9809 Fax: (248) 968-2824 rgm at icsa.net There's no limit to what can be accomplished if it doesn't matter who gets the credit VPN is sponsored by SecurityFocus.COM From Brian.Fellows at NEWSEDGE.COM Fri Dec 29 09:20:24 2000 From: Brian.Fellows at NEWSEDGE.COM (Brian Fellows) Date: Fri, 29 Dec 2000 09:20:24 -0500 Subject: VPN from home Message-ID: <2F4617DC4177D311B97B00508B55A96EA9BBFF@exchange2.newsedge.com> You don't mention the specifics of the software used on the DSL-connected computer to perform many-to-one Port Address Translation (PAT). In order to provide the desired result, your home systems must support three services. First the ISAKMP key negotiation portion of the IPSEC protocol is conducted using source AND destination TCP port 500. Second, do not use the Authentication Header method of encryption, this will NOT work through PAT devices. Lastly the encrypted ESP packets uses protocol (not port) 50 and must be passed by your PAT device. In our company's experience with dozens of users doing what you describe, the key negotiation has been the most likely cause of problems. The PAT device must transparently pass all port 500 packets. This means all packets on port 500 from your internal second computer must be sent to the Altiga server on port 500 by the PAT device. 
Check to see that AH encryption is not being used. Some hardware/software PAT devices which have worked successfully with our IPSEC clients include the LinkSys BEFSR41 DSL/Cable router, WinRoute Pro for MS computers and IP MASQ for LINUX. There are other products out there which will also work. Bottom line, your desired setup can be made to work keeping the above caveats in mind. > -----Original Message----- > From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On > Behalf Of Simon > Wong > Sent: Friday, December 22, 2000 6:34 PM > To: VPN at SECURITYFOCUS.COM > Subject: VPN from home > Importance: High > Sensitivity: Confidential > > > Thank You for putting up this site! However, I am still > running into a > problem. Here is the situation. I am trying to get my work laptop to > connect into my work server via DSL connection. I have VPN > at work. They > currently use Altiga. > I have DSL at home. I have a single IP address assigned to > me by my ISP. > My computer has 2 NIC cards. The DSL modem is connected to > one card. And > the other is connected to a hub. I would like to be able to > connect my work > laptop straight into the hub and have it run to my work > server. I am able > to get into the work server through the VPN software by dial > up only, but > have no success in getting through via the hub at home/DSL. > I believe my > computer is preventing the VPN tunneling to work properly. I > have already > tried repeatedly with my IT guys from work to get it to work. > However, it > appears that they are not knowledgeable enough to help me. > Do I need to > setup another Network connection for my home computer??? Do > I need to make > some adjustments on my laptop??? Please assist me in any way you can. > > This is my schematic: > > DSL modem ---> Home Computer ---> HUB ---> 2nd computer > > This is what I would like to do.... > > Be able to plug my laptop (VPN Software installed and working > properly) into > the hub and connected to work. 
>
> Thank You,
> Simon V. Wong
> email: simon at pachuka.com

From sandy at STORM.CA Fri Dec 29 09:28:59 2000
From: sandy at STORM.CA (Sandy Harris)
Date: Fri, 29 Dec 2000 09:28:59 -0500
Subject: VPN Terminology
References: <13B13D9BA6EDD211AE390008C7916AFD0E93256E@twctule004.twc.com>
Message-ID: <3A4C9FAB.33EC7975@storm.ca>

> "Duvall, Duane" wrote:
>
> For a novice, anyone have any suggestions for a website to learn "terms of the trade"
> for VPN terminology etc.

This mailing list's home page and vpnc.org.

The FreeS/WAN IPSEC for Linux project puts all its documentation on line: http://www.freeswan.org/doc.html

It includes some explanations, a large glossary, and links to lots of other sources.

From mcbride at COUNTERSIEGE.COM Sat Dec 30 00:22:30 2000
From: mcbride at COUNTERSIEGE.COM (Ryan McBride)
Date: Sat, 30 Dec 2000 00:22:30 -0500
Subject: Test Certificates?
In-Reply-To: <3A4C951C.14B138A2@Opus1.COM>; from Joel.Snyder@Opus1.COM on Fri, Dec 29, 2000 at 06:46:44AM -0700
References: <3A4C951C.14B138A2@Opus1.COM>
Message-ID: <20001230002230.A11962@countersiege.com>

On Fri, Dec 29, 2000 at 06:46:44AM -0700, Joel Snyder wrote:
> > "Christopher S. Gripp" wrote:
> >
> > Well, the reason they are more "secure" is due to the key length. It is
> > essentially a MUCH larger static key.
>
> I wouldn't NECESSARILY agree with that, although your conclusion is probably
> correct given real-world constraints.
>
> First, I am assuming that when you say "static key," you mean
> "pre-shared secret," not manual keying. In the case of pre-shared
> secrets, the secret is transmitted during configuration, and is
> transmitted across the wire (encrypted) each time an IKE
> authentication occurs.

Actually the pre-shared secret is not transmitted.
A hash of the preshared secret and other shared information is computed and that is transmitted in an encrypted packet. The full details of the exchange are in section 5.4 of RFC 2409.

> The management overhead with existing products to pair-wise PSS is
> so high that real VPNs rarely use them in a secure way. In addition,
> while many implementations give you the option of long PSS, there are
> practical limits (such as UDP packet length and management GUI) which
> typically limit the size of PSS to some small value, such as 80
> octets.

Since the pre-shared secret is not transmitted, there are no protocol restrictions on its length. In the foreseeable future the longest hash required would likely be a 512 bit hash function, to complement a 256 bit key AES cipher. This amounts to 64 octets.

> By contrast, certified public keys in IKE authentication do NOT
> transmit the private key ever in IKE, and often are configured in such
> a way that the private key is private to the device/user and never
> transmitted to the CA.
>
> From a cryptographer's point of view, you cannot compare these two
> approaches, since they are apples & oranges.

From a cryptographer's point of view, you CAN compare the two approaches. Key management aside (assume that the keys generated are random, secret keys remain secret and certificates are validated), they offer roughly equal security.

> However, from a management point of view, the way that real products
> actually implement both PSS and certified public keys does often lead
> to better MANAGED VPNs, which typically results in an IKE
> authentication approach with a higher face validity.

Although implementing a certificate based authentication system will force the administrator to think and operate in a more structured fashion, there are drawbacks to using such a system that you're omitting:

- Certificate based authentication results in a single point of failure, the Certification Authority.
- An attacker who subverts the CA certificate on either the initiator or responder side may be able to mount a man-in-the-middle attack.

Certificate based authentication shifts around the problems of key management and distribution, but it does not remove them.

-Ryan

--
Ryan McBride - mcbride at countersiege.com
Systems Security Consultant
Countersiege Systems Corporation - http://www.countersiege.com

From Mike.Parsons at WACHOVIA.COM Fri Dec 29 17:31:58 2000
From: Mike.Parsons at WACHOVIA.COM (Mike.Parsons at WACHOVIA.COM)
Date: Fri, 29 Dec 2000 17:31:58 -0500
Subject: VPN from home
Message-ID:

Alternatively, bite the bullet and get a hardware device such as a Linksys router to interface to your hub. You still can enjoy the private IP (serves up DHCP to 255 boxes without a problem) and it passes through IPSEC VPNs without a hitch.

Mike Parsons
Senior Business Architect
eBusiness Division
Wachovia Bank
(336)747-8050
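On the "VPN from home" thread above, Brian Fellows and Mike Parsons both make the same practical point: ESP can be passed through a many-to-one PAT box, AH cannot. The example below is an editor's addition, not code from either post or from any vendor named in the thread. It builds toy IPv4 headers by hand and computes the integrity check value the way IPsec does (HMAC-SHA1-96) to show exactly why: AH's ICV covers the outer source address, which PAT rewrites, while ESP's ICV covers only the ESP header and body. The key, the 192.168.1.10 / 203.0.113.5 / 198.51.100.7 addresses and the payload bytes are invented for the demonstration. For the record, IKE/ISAKMP runs over UDP port 500 (RFC 2408), ESP is IP protocol 50 and AH is IP protocol 51.

```python
"""
Added example (not from the mailing-list posts): why an AH SA cannot cross a
many-to-one PAT device while an ESP SA can. Headers, key, addresses and
payloads are constructed stand-ins, not captured traffic.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

AH, ESP = 51, 50                         # IP protocol numbers for AH and ESP
SA_KEY = b"invented-authentication-key"  # a real SA key is derived by IKE
IPV4 = "!BBHHHBBH4s4s"                   # 20-byte IPv4 header layout


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header; checksum left at zero (it is mutable anyway)."""
    return struct.pack(IPV4, 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def icv(data: bytes) -> bytes:
    """HMAC-SHA1-96: the truncated MAC IPsec uses as its integrity check."""
    return hmac.new(SA_KEY, data, hashlib.sha1).digest()[:12]


def ah_icv(hdr: bytes, payload: bytes) -> bytes:
    """AH authenticates the outer IP header. RFC 2402 zeroes the mutable
    fields (ToS, flags/fragment offset, TTL, checksum) before hashing, but
    source and destination addresses are immutable and ARE covered."""
    f = list(struct.unpack(IPV4, hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return icv(struct.pack(IPV4, *f) + payload)


def esp_icv(esp_packet: bytes) -> bytes:
    """ESP authenticates SPI + sequence number + encrypted body only; the
    IP header that PAT rewrites is never part of the MAC input."""
    return icv(esp_packet)


def forward(hdr: bytes, new_src: Optional[str] = None) -> bytes:
    """One hop. A plain router only decrements TTL; a PAT device also
    replaces the private source address with its single public address."""
    f = list(struct.unpack(IPV4, hdr))
    f[5] -= 1
    if new_src is not None:
        f[8] = ipaddress.IPv4Address(new_src).packed
    return struct.pack(IPV4, *f)


def ah_survives(pat: bool) -> bool:
    """Client 192.168.1.10 sends an AH packet to gateway 203.0.113.5 through
    a box whose public address is 198.51.100.7 (all invented)."""
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", AH)
    payload = b"\x04\x04\x00\x00\x00\x00\x10\x01" + b"inner packet"  # AH hdr + data
    tag = ah_icv(hdr, payload)                              # computed by the client
    on_wire = forward(hdr, "198.51.100.7" if pat else None)
    return hmac.compare_digest(tag, ah_icv(on_wire, payload))  # gateway's check


def esp_survives(pat: bool) -> bool:
    """Same path, but the packet is ESP: the header still changes in flight,
    the bytes under the MAC do not."""
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", ESP)
    esp_packet = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"ciphertext-bytes"  # SPI, seq, body
    tag = esp_icv(esp_packet)                               # computed by the client
    on_wire = forward(hdr, "198.51.100.7" if pat else None)  # rewritten, but not covered
    assert on_wire != hdr
    return hmac.compare_digest(tag, esp_icv(esp_packet))    # gateway's check


if __name__ == "__main__":
    print("AH through a plain router:", ah_survives(pat=False))  # TTL change tolerated
    print("AH through PAT           :", ah_survives(pat=True))   # address change is not
    print("ESP through PAT          :", esp_survives(pat=True))
```

The first call shows that AH tolerates an ordinary hop (TTL is a mutable field and is zeroed before hashing); the second shows that the address rewrite a PAT box must perform breaks the ICV, which is the reason for the "do not use AH" advice. ESP is indifferent to the outer header, but note that protocol 50 carries no port numbers, so a PAT box has nothing to translate and can only forward ESP to a single inside host, which is consistent with the thread's advice to keep the setup to one VPN client behind the box.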
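Returning to Ryan McBride's reply in the "Test Certificates?" thread above: his two points are that the pre-shared secret itself never crosses the wire (only a keyed hash derived from it does, per RFC 2409 section 5.4) and that the protocol therefore imposes no length limit on it. The following is an added example written for this page, not code from the post or from any IKE implementation, that walks through the pre-shared-key authentication of Main Mode using the RFC's formulas. SHA-1 is assumed as the negotiated hash (so prf is HMAC-SHA1); the cookies, SA payload body, Diffie-Hellman public values, nonces and ID payload bodies are constructed stand-ins rather than a real exchange.

```python
"""
Added example (not from the mailing-list post): IKE Main Mode pre-shared-key
authentication per RFC 2409 sec 5.4, with HMAC-SHA1 assumed as the prf.
Session values are constructed stand-ins; only the formulas are the RFC's.
"""
import hashlib
import hmac
import os


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 sec 4: absent a negotiated prf, prf is the HMAC of the
    negotiated hash algorithm (HMAC-SHA1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)   (RFC 2409 sec 5.4)."""
    return prf(psk, ni_b + nr_b)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def main_mode_psk(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Run the authentication step with each side holding its own copy of
    the secret. Returns whether both HASH_I and HASH_R verify, plus every
    byte that was transmitted (msgs 1-4 in the clear, HASH_I/HASH_R and
    the ID bodies from msgs 5/6, which are encrypted under SKEYID_e)."""
    # Constructed session values: 8-byte cookies (msgs 1/2), SA payload body
    # (msg 1), 1024-bit DH public values and nonces (msgs 3/4), ID bodies
    # (msgs 5/6: ID_IPV4_ADDR, protocol UDP, port 500, invented addresses).
    cky_i, cky_r = os.urandom(8), os.urandom(8)
    sai_b = b"\x00\x00\x00\x01" + b"\x00\x00\x00\x01" + b"\x01\x01\x00\x01"
    gxi, gxr = os.urandom(128), os.urandom(128)
    ni_b, nr_b = os.urandom(20), os.urandom(20)
    idii_b = b"\x01\x11\x01\xf4" + bytes([192, 168, 1, 10])
    idir_b = b"\x01\x11\x01\xf4" + bytes([203, 0, 113, 5])

    # Initiator: SKEYID from ITS secret; sends HASH_I in message 5.
    sk_i = skeyid_psk(psk_initiator, ni_b, nr_b)
    h_i = hash_i(sk_i, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    # Responder: SKEYID from ITS secret; checks HASH_I, then sends HASH_R.
    sk_r = skeyid_psk(psk_responder, ni_b, nr_b)
    i_ok = hmac.compare_digest(h_i, hash_i(sk_r, gxi, gxr, cky_i, cky_r, sai_b, idii_b))
    h_r = hash_r(sk_r, gxi, gxr, cky_i, cky_r, sai_b, idir_b)
    # Initiator checks HASH_R with its own SKEYID.
    r_ok = hmac.compare_digest(h_r, hash_r(sk_i, gxi, gxr, cky_i, cky_r, sai_b, idir_b))

    wire = cky_i + cky_r + sai_b + gxi + gxr + ni_b + nr_b + idii_b + h_i + idir_b + h_r
    return {"authenticated": i_ok and r_ok, "wire": wire}


def secret_on_wire(psk: bytes, wire: bytes) -> bool:
    """True only if the raw secret appears among the transmitted bytes."""
    return psk in wire


def long_psk_collapses_to_hash(psk: bytes) -> bool:
    """RFC 2104: an HMAC key longer than the hash block size (64 octets for
    SHA-1) is replaced by its hash before use, so PSK length beyond that adds
    no entropy even though the protocol itself sets no limit."""
    msg = b"constructed nonce material"
    return len(psk) > 64 and prf(psk, msg) == prf(hashlib.sha1(psk).digest(), msg)


if __name__ == "__main__":
    psk = b"correct horse battery staple"
    good = main_mode_psk(psk, psk)
    print("mutual auth:", good["authenticated"], "| secret visible on wire:", secret_on_wire(psk, good["wire"]))
    print("responder holds 'bob' instead:", main_mode_psk(psk, b"bob")["authenticated"])
    print("200-octet PSK works:", main_mode_psk(b"x" * 200, b"x" * 200)["authenticated"])
```

The `wire` value is everything an eavesdropper could collect; the secret is used only as the HMAC key for SKEYID, so what is sent is a keyed hash over the nonces and exchanged values, never the secret. A mismatched secret on either side fails the comparison. The last function shows the flip side of "no protocol limit": with an HMAC prf the secret beyond the block size is hashed first, which is the same ceiling Ryan arrives at when he says a 512-bit hash, or 64 octets, is the most that would ever be needed.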