From josef.pojsl at SKYNET.CZ Tue Feb 1 02:37:50 2000
From: josef.pojsl at SKYNET.CZ (Josef Pojsl)
Date: Tue, 1 Feb 2000 08:37:50 +0100
Subject: Using SSH
In-Reply-To: <85256877.007127A7.00@mailex02.armstrong.com>; from Matthew_S_Cramer@ARMSTRONG.COM on Mon, Jan 31, 2000 at 03:36:36PM -0500
References: <85256877.007127A7.00@mailex02.armstrong.com>
Message-ID: <20000201083750.B15424@regent.in.skynet.cz>

Hi,

On Mon, Jan 31, 2000 at 03:36:36PM -0500, Cramer, Matthew wrote:
> OpenSSH from the OpenBSD folks probably uses Diffie-Hellman for key exchange
> (since RSA is patent restricted by US patent law until fall of 2000).

OpenSSH is fully compliant with the SSH protocol version 1.5. This means that
it does not use any proprietary key exchange based on D-H. OpenBSD is based in
Calgary, Canada, and that is why they are not bound by any export or patent
restrictions that you Americans must live with.

BTW, OpenBSD has integrated a nice IPsec implementation (all in all, we are in
the VPN conference ;-)

Josef

VPN is sponsored by SecurityFocus.COM

From Ilkka.Ranta at F-SECURE.COM Tue Feb 1 02:58:33 2000
From: Ilkka.Ranta at F-SECURE.COM (Ilkka Ranta)
Date: Tue, 1 Feb 2000 09:58:33 +0200
Subject: VPN on a Cisco router (was Re: SKIP Evaluation?)
In-Reply-To: <200001311023450950.0FC458CC@mailhost.talarian.com>
Message-ID:

> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Peter Walker
> Sent: 31 January 2000 20:24
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: VPN on a Cisco router (was Re: SKIP Evaluation?)
>
> Standard disclaimers:
> I am not an expert and may be just plain wrong.
> I speak for myself not my company
>
> *********** REPLY SEPARATOR ***********
>
> On 1/28/00 at 5:38 PM Bennett Todd wrote:
>
> >For instance, router-specific OSes (IOS in particular) can be
> >simpler and less flexible.
> >They can be more secure out of the box,
> >and IOS at least has a nice track record of possessing few security
> >problems, and having those problems fixed _exceedingly_ fast.
>
> I am not sure I agree on IOS's track record, but I do agree that Cisco fix
> the problems and publicise advisories fast.
>
> >And again, since typically only a few people, often the most
> >technically knowledgeable and security-conscious people in the
> >company, can log in to a router, it is liable to be the most secure
> >computer in a well-run company.
>
> Hmmm "security-conscious people" ... i.e. the sort of people who would never
> allow a password to be sent in plain text over the network were it not for
> the fact that Cisco still hasn't (as far as I know) implemented ssh or
> anything similar under IOS

Yes, they have in the 7k and 12k boxes. See
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s5/sshv1.htm

Cheers,
--Ilkka

From twolsey at REALTECH.COM Tue Feb 1 15:56:34 2000
From: twolsey at REALTECH.COM (TC Wolsey)
Date: Tue, 1 Feb 2000 15:56:34 -0500
Subject: VPN on a Cisco router (was Re: SKIP Evaluation?)
Message-ID:

> Peter Walker 01/31/00 01:23PM >>>
>Standard disclaimers:
> I am not an expert and may be just plain wrong.
> I speak for myself not my company
>
>*********** REPLY SEPARATOR ***********
>
>On 1/28/00 at 5:38 PM Bennett Todd wrote:
>
>>For instance, router-specific OSes (IOS in particular) can be
>>simpler and less flexible. They can be more secure out of the box,
>>and IOS at least has a nice track record of possessing few security
>>problems, and having those problems fixed _exceedingly_ fast.
>
>I am not sure I agree on IOS's track record, but I do agree that Cisco fix
>the problems and publicise advisories fast.
>
>>And again, since typically only a few people, often the most
>>technically knowledgeable and security-conscious people in the
>>company, can log in to a router, it is liable to be the most secure
>>computer in a well-run company.
>
>Hmmm "security-conscious people" ... i.e. the sort of people who would never
>allow a password to be sent in plain text over the network were it not for
>the fact that Cisco still hasn't (as far as I know) implemented ssh or
>anything similar under IOS

They have implemented ssh on some images on the larger platforms. An OTP
authentication passed to a tac+ server can take care of the password
sniffing, but of course the telnet transport is vulnerable to active attacks
and the data passed over the session is plaintext. IPSec on IOS may be really
valuable for just that reason: a confidential channel to configure the boxes
once they are in the weeds somewhere.

>
>I do agree that a well configured Cisco router with up to date IOS can be
>very secure (but not the most secure computer on the network - OpenBSD
>probably has that honor, and it does IPSEC too)
>
>There was an article in Phrack that gave some good instructions for
>securing IOS.
>
>>
>>VPN is a job intimately related to routing. It seems reasonable to
>>hope that the folks at Cisco would deliver a VPN implementation with
>>good performance, which interacts with the rest of a normal routed
>>IP environment very gracefully.

I am not sure what you mean when you say that VPN is intimately related to
routing. Once eligible traffic is selected and encapsulated it is just IP
payload again. The one thing that makes the IPSec on IOS somewhat more
attractive in terms of ease of configuration is the fact that traffic is
selected via access-lists. Having to create a logical tunnel interface for
prior crypto schemes caused a lot of pain with recursive routes and leaking
of reachability information if you were not careful.

>Hmmm, I think I disagree again.
>IPSEC/ISAKMPD is pretty much a new thing
>on IOS (like everywhere else) and it has its problems. I know only one
>person that has attempted to set up an IOS VPN. He gave up in the end
>stating that some things just plain didn't work correctly.
>I also had a dealer state to me when I asked for a quote for the price of
>adding the IPSEC/FW/IDS feature set version of IOS to one of our routers
>that I should be careful about having an expectation of having the VPN
>features work fully until a few IOS releases time.
>
>Of course I expect that someone on this list will reply and tell that last
>point is plain wrong :-)

My experience with limited deployments is that router<->router IPSec with the
RSA keys stored locally works pretty well. I do not know what it would take to
extract the private RSA key from the router's NVRAM, but I suspect it would
take console access.

For client<->router IPSec I have seen some struggle with certs, CRLs and CEP.
When I checked maybe 4 months ago the CEP standard was under NDA; I am not
sure what the current status is. Since Cisco is not OEMing a cert server at
this point, when things go south you are at the mercy of a different vendor's
implementation of a closed protocol. I think that Cisco may have implemented
XAUTH in later 12.0T releases; if not, then the certs may be your only choice
for user level authentication. The last time I checked, IOS did not support
pre-shared authentication with hostname identities.

I am not sure I like the idea of terminating VPN tunnels on a router in many
instances. For instance: terminate the VPN on your Internet border router,
and if I can flood the router with forged ESP packets maybe it will spend
enough time decrypting bogus data that it will flap your BGP session. A
couple of flaps later your routes are dampened and you are left with a
temporary loss of connectivity.

I like the idea of keeping a VPN hardware device on one or two untrusted
interfaces off the firewall.
Accept IKE and ESP into the device off the outside interface of the firewall
and evaluate the decrypted traffic as it passes from the inside interface of
the VPN device into the firewall.

>Peter

Regards,
tcw

From rgm at ICSA.NET Tue Feb 1 14:53:29 2000
From: rgm at ICSA.NET (Robert Moskowitz)
Date: Tue, 1 Feb 2000 14:53:29 -0500
Subject: SKIP Evaluation?
In-Reply-To:
References: <4.2.0.58.20000127123534.00c3b360@homebase.htt-consult.com>
Message-ID: <4.2.0.58.20000201142619.00c60330@homebase.htt-consult.com>

At 12:16 AM 2/1/2000 +0100, Vasek Petricek wrote:
>I see - now I have read more SKIP docs and I still like the idea with
>using a long lived master key. What is your opinion on the tradeoff
>between relatively frequent reestablishment of SAs (IPSec) and rare
>exchanges but additional cost of sending the keys in packets?

I have to word this carefully.

I HAVE studied SKIP, Photuris, and IKE. I was in the center of the Maelstrom
that started with the Dallas IETF and ended in Montreal. We had poorly
defined requirements for a KMP, see:

ftp://ftp.ietf.cnri.reston.va.us/ietf-online-proceedings/94jul/area.and.wg.reports/sec/ipsec/ipsec-minutes-94jul.txt

A craftsman does not buy an all-ratchet doohickey, a handyman does.

We put all of our eggs into IKE. Given the times, this was understandable,
but we are paying for it now.

There are things I like about SKIP and those I do not. Ashar had some
particular goals that he never well articulated. I think that Phil Karn came
the closest to articulating his goals, but he lost control of Photuris in the
end, and publicly asked to have his name removed from the documents (Dallas
or LA, can't remember which one).

All engineering is a compromise. If you know your goals you can optimize from
them and know why you made certain choices.

Yes, I have been busy for the past 12 months refining MY KMP requirements.
Robert Moskowitz
ICSA.net
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished if it doesn't matter who gets
the credit

From cmerchant at LURHQ.COM Wed Feb 2 08:09:36 2000
From: cmerchant at LURHQ.COM (Corey Merchant)
Date: Wed, 2 Feb 2000 08:09:36 -0500
Subject: Using SSH
References:
Message-ID: <38982C90.DF652783@lurhq.com>

Everything you ever wanted to know about ssh...

http://www.ietf.org/ids.by.wg/secsh.html

--
Corey Merchant
Network Security Engineer
LURHQ Corporation
Network Security Specialists
~~-~-~-~-~-~-~-~-~-~-~-~-~-~->
(843) 347-1075 ext.362
cmerchant at lurhq.com
www.lurhq.com

S Ramakrishnan wrote:
>
> Hi -
>
> Thanks for the useful information.
> My questions about the protocols used in SSH were with regards to:
>
> (a) what key exchange protocol is used by SSH?
> (b) what authentication protocol is used?
> (c) Are the encryption keys used by SSH derived off the authentication
>     information provided by the client (such as the password or some such)?
> (d) Can the client authentication be bound to RADIUS?
>
> Thanks !
>
> - r
>
> On Mon, 31 Jan 2000 15:36:36 Cramer, Matthew wrote:
> >For the NT server side, you can install a replacement POSIX subsystem and the
> >GNU compiler. My personal favourite is U/WIN from ATT Labs - there is info out
> >there on getting GCC to work with U/WIN (see the U/WIN users list). With that,
> >one could compile SSH and then run it as a service. I've heard of it done, but
> >never done it.
> >
> >NT Client side - there is DataFellows F-Secure, SecureTTY (both commercial), and
> >PuTTY (free, but does not do RSA auth).
> >
> >SSH supports more than the algorithms you list - also IDEA (default) and ARCFOUR
> >(an implementation of RC4 (in theory) published to Usenet). Those are of course
> >just the symmetric cryptography; RSA is used for the asymmetric key exchange.
> >OpenSSH from the OpenBSD folks probably uses Diffie-Hellman for key exchange
> >(since RSA is patent restricted by US patent law until fall of 2000).
> >
> >Your statement about location does not make sense - SSH is available from all
> >sorts of places, .fi and .nl, for example, which are not bound by US Export
> >restrictions. Don't download any crypto from us Americans - first of all our
> >Government needs their heads examined, secondly stronger crypto is available
> >everywhere else!
> >
> >From: Saravana Ram on 01/30/2000 03:36 AM
> >
> >Please respond to Saravana Ram
> >
> >To: VPN at SECURITYFOCUS.COM
> >cc: (bcc: Matthew S Cramer/Lancaster/Corporate/Armstrong)
> >Subject: Re: Using SSH
> >
> >From: "S Ramakrishnan"
> >
> >> Can SSH be used on an NT box?
> >> Are there sample blueprints to get up and started on SSH based
> >> access control schemes?
> >
> >Which will be the server side, a Linux box or an NT box? That is more
> >important. The full SSH package is easily available on unix flavours, but I
> >know not of any server-side implementations for NT. SSH clients, though, are
> >available on both platforms. (How could you use it on the server side,
> >anyway?)
> >
> >> What underlying security protocol is SSH based on?
> >
> >If you are asking about cryptographic transforms, the original SSH uses DES,
> >3DES, and Blowfish. But if you're not in America, you're left with only DES.

From pdallato at CAPGEMINI.FR Wed Feb 2 12:20:14 2000
From: pdallato at CAPGEMINI.FR (Pascal DALLA-TORRE)
Date: Wed, 2 Feb 2000 18:20:14 +0100
Subject: Question.
Message-ID: <3898674E.7A1A1F0D@capgemini.fr>

Good afternoon,

I would like to know something about ISPs and VPNs.
When you build a VPN for a client, you have to choose an ISP in order to link
the different sites of the client. Are there any ISPs (in France) that can
provide guaranteed bandwidth, even if you have to pay for it?

Thanks for your answer.

Regards.

From nick.bryant at IPCENTA.COM Thu Feb 3 09:25:04 2000
From: nick.bryant at IPCENTA.COM (Nick Bryant)
Date: Thu, 3 Feb 2000 14:25:04 -0000
Subject: Cisco Pix 515 5.0(2) IOS DES encryption -> Cisco Secure Client.... HELP!
Message-ID: <21CD995620D3D211A3E400105CAB158F1B1DFB@beast.i-people.net>

Help!!!

OK, I have a PIX 515 that I'm trying to get talking to some remote machines I
have running the Cisco Secure Client, to no avail!

My problem:

I can get past phase 1 negotiation no problem, so the pre-shared keys are
working OK. But phase 2 is failing. Here is my debug from the pix:

<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 1000
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
ISAKMP (0): processing SA payload. message ID = -1262545779

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      encaps is 1
IPSEC(validate_proposal): no IPSEC cryptomap exists for local address 10.0.0.50

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>

So clearly it's the crypto maps?? But I have tried every damn combination
possible!

Here is my config:

10.0.0.50 outside global address of pix (I know it isn't actually global! ;))
10.0.0.51 global address of 192.168.100.10 on inside
10.0.0.12 Host that's running Cisco Secure Client

Building configuration...
: Saved
:
PIX Version 5.0(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
pager lines 24
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.50 255.255.255.192
ip address inside 192.168.100.1 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.0.0.51 192.168.100.10 netmask 255.255.255.255 0 0
access-list 80 permit ip host 10.0.0.50 host 10.0.0.12
access-list 80 permit ip host 10.0.0.51 host 10.0.0.50
access-list 80 permit ip host 10.0.0.50 host 10.0.0.51
access-list 80 permit ip host 10.0.0.50 any
access-list 80 permit ip host 10.0.0.12 host 10.0.0.50
access-list 80 permit ip host 10.0.0.12 host 10.0.0.51
access-list 80 permit ip host 10.0.0.51 host 10.0.0.12
conduit permit icmp any any
conduit permit tcp host 10.0.0.51 eq telnet any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map mydynmap 10 match address 80
crypto dynamic-map mydynmap 10 set transform-set myset
crypto map nemap 10 ipsec-isakmp dynamic mydynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key 1234567890 address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
terminal width 80
Cryptochecksum:e917a68f549501fd95a913b4018f8e43
: end
[OK]

ANY help MASSIVELY appreciated.

Cheers

Nick

From nick.bryant at IPCENTA.COM Thu Feb 3 09:44:08 2000
From: nick.bryant at IPCENTA.COM (Nick Bryant)
Date: Thu, 3 Feb 2000 14:44:08 -0000
Subject: Cisco Pix 515 5.0(2) IOS DES encryption -> Cisco Secure Client.... HELP!
Message-ID: <21CD995620D3D211A3E400105CAB158F1B1DFC@beast.i-people.net>

Duh! Just figured it!

crypto map **nemap** 10 ipsec-isakmp dynamic mydynmap
crypto map newmap interface outside

Sorry!

Nick

> -----Original Message-----
> From: Nick Bryant
> Sent: 03 February 2000 14:25
> To: VPN at SECURITYFOCUS.COM
> Subject: Cisco Pix 515 5.0(2) IOS DES encryption -> Cisco Secure Client.... HELP!
>
> [...]

From cindy_slosar at YAHOO.CA Thu Feb 3 15:46:52 2000
From: cindy_slosar at YAHOO.CA (Cindy Slosar)
Date: Thu, 3 Feb 2000 15:46:52 -0500
Subject: Installing a VPN
Message-ID: <20000203204652.26649.qmail@web1504.mail.yahoo.com>

Hi all,

I am hoping to gain information based on your experiences. We're a small
manufacturing company running a peer-to-peer network and would like to set up
a VPN as our WAN when half of the office moves to a new building. We have
about 22 users on our network all connected to a hub. We also have an
internet server set up with a firewall. My question is this: what do I need
to set up our VPN? More specifically, what hardware (if any) and recommended
manufacturers are required and what software is required? I'm kind of new to
this whole VPN world so any suggestions you have from your past experiences
would be greatly appreciated.
From rk_ at MAILCITY.COM Fri Feb 4 16:09:17 2000
From: rk_ at MAILCITY.COM (S Ramakrishnan)
Date: Fri, 4 Feb 2000 13:09:17 -0800
Subject: Support for Vendor ID Payload
Message-ID:

Can anyone who has used the following desktop IPSec clients please let me
know if these clients issue the Vendor ID payload during ISAKMP negotiations?

1) Altiga IPSec Client
2) IRE IPSec Client ("CiscoSecure VPN Client")

Although the ISAKMP spec says that the Vendor ID payload is not mandatory,
what do most implementations do? Is it generally supported?

Thanks,

-r

From tbird at PRECISION-GUESSWORK.COM Fri Feb 4 16:13:14 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Fri, 4 Feb 2000 15:13:14 -0600
Subject: sugestion (fwd)
Message-ID:

From ranhat007 at yahoo.com Fri Feb 4 07:02:22 2000
From: ranhat007 at yahoo.com (emran mahat)
Date: Fri, 4 Feb 2000 04:02:22 -0800 (PST)
Subject: sugestion
Message-ID:

Hi Tina,

First I would like to congratulate you for maintaining such a good and
informative web site on VPN. I would like to make some suggestions here.
After browsing through your web site I found there is no (or a lack of)
information on how SNA/NetBEUI applications can work on a VPN. As we all
know, SNA and NetBEUI are not routable, so there might be many possibilities
or approaches that can solve that problem. I would be grateful and happy if
you can come up with a discussion on this. Thanks for your precious time.

regards
--ran
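On S Ramakrishnan's Vendor ID question above: whether a given client sends the
Vendor ID payload is something a packet capture settles, because in IKEv1 the
payload rides in the first, unencrypted messages of the exchange on UDP/500.
The following is an added example, not code from the thread and not from any
client vendor: a strict walker over the ISAKMP payload chain (the 28-byte
header and the 4-byte generic payload header of RFC 2408) that lists the
Vendor ID payloads in a message and rejects any length that does not add up.
The sample message is constructed inline by build_isakmp(), and the Vendor ID
values in it are MD5 digests of placeholder strings, not any real client's
identifier.

```python
"""Walk the payload chain of an ISAKMP (IKEv1) message and list Vendor ID payloads.

Added example; not code from the mailing-list thread or from any IPsec client.
Layout follows RFC 2408: a 28-byte header, then payloads that each begin with
a 4-byte generic header (next payload, reserved, length). The sample message
is constructed here; its Vendor ID values are hashes of placeholder strings."""
import hashlib
import struct

ISAKMP_HEADER_LEN = 28
VENDOR_ID = 13
PAYLOAD_NAMES = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
    8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
}

def parse_isakmp(msg):
    """Return (header dict, [(payload type, body bytes), ...]).

    Raises ValueError on truncated or inconsistent lengths. A parser that
    faces arbitrary UDP/500 input has to refuse such messages rather than
    read past the buffer or loop on a zero-length payload."""
    if len(msg) < ISAKMP_HEADER_LEN:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, first, version, xchg, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", msg[:ISAKMP_HEADER_LEN])
    if length != len(msg):
        raise ValueError("header length %d != %d bytes received" % (length, len(msg)))
    header = {"icookie": icookie, "rcookie": rcookie, "version": version,
              "exchange": xchg, "flags": flags, "msg_id": msg_id}
    payloads = []
    ptype, off = first, ISAKMP_HEADER_LEN
    while ptype != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header at offset %d" % off)
        nxt, _reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        payloads.append((ptype, msg[off + 4:off + plen]))
        ptype, off = nxt, off + plen
    if off != len(msg):
        raise ValueError("%d trailing bytes after last payload" % (len(msg) - off))
    return header, payloads

def vendor_ids(msg):
    """Hex strings of every Vendor ID payload body in the message, in order."""
    _, payloads = parse_isakmp(msg)
    return [body.hex() for ptype, body in payloads if ptype == VENDOR_ID]

def build_isakmp(exchange, payloads, icookie=b"\x11" * 8, rcookie=b"\x00" * 8):
    """Assemble a message from [(type, body)], chaining the next-payload fields."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", icookie, rcookie, first, 0x10, exchange,
                      0, 0, ISAKMP_HEADER_LEN + len(body))
    return hdr + body

# Constructed sample: a main-mode (exchange type 2) first message carrying an
# SA payload and two Vendor ID payloads. The SA body is a placeholder and the
# VIDs are MD5 of made-up strings, standing in for whatever a client really sends.
PLACEHOLDER_VID_A = hashlib.md5(b"example-vendor-feature-A").digest()
PLACEHOLDER_VID_B = hashlib.md5(b"example-vendor-feature-B").digest()[:8]
SAMPLE_MSG = build_isakmp(2, [
    (1, b"\x00\x00\x00\x01" + b"\x00" * 8),   # SA payload body (placeholder)
    (VENDOR_ID, PLACEHOLDER_VID_A),
    (VENDOR_ID, PLACEHOLDER_VID_B),
])

if __name__ == "__main__":
    hdr, plds = parse_isakmp(SAMPLE_MSG)
    print("exchange type", hdr["exchange"],
          "payloads:", [PAYLOAD_NAMES.get(t, t) for t, _ in plds])
    print("vendor IDs:", vendor_ids(SAMPLE_MSG))
```

Feed vendor_ids() the UDP payload of the client's first packet to the gateway;
an empty list means that client sent no Vendor ID at all, and a non-empty one
tells you which private extensions the peer is advertising before any of the
exchange is protected. The ValueError path is deliberate: the next-payload and
length fields come from the wire, and a walker that trusts them is the classic
way to get a parser looping or reading out of bounds on unauthenticated input.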
From lkh at DGSYS.COM Thu Feb 3 21:56:02 2000
From: lkh at DGSYS.COM (Lowell Hanson)
Date: Thu, 3 Feb 2000 21:56:02 -0500
Subject: Integrated W9x DUN/VPN Client
Message-ID: <389A3FC2.24C8980C@dgsys.com>

Hi,

We have a client looking for a Remote Access VPN solution where the VPN
client software is completely transparent to the user. In other words, after
the client software is installed the client performs a single function that
makes the PPP connection to an Access Server (DUN) and then establishes the
VPN connection to the Customer's Trusted Network.

Generally it is a two step process where the Client makes the DUN connection
and then has to perform a 2nd step to establish the VPN connection.

Thanks!

Lowell
--
------------------------------------------------------
Lowell K. Hanson        Senior Consultant        Phone: 703-817-0627
Grace International Consulting                   http://www.graceic.com
mailto:lkh at dgsys.com                          HTTP://www2.dgsys.com/~lkh

From eric at THELIVINGSTONS.ORG Thu Feb 3 23:19:22 2000
From: eric at THELIVINGSTONS.ORG (Eric Livingston)
Date: Thu, 3 Feb 2000 23:19:22 -0500
Subject: Installing a VPN
References: <20000203204652.26649.qmail@web1504.mail.yahoo.com>
Message-ID: <003a01bf6ec7$037af400$d422d83f@chezeric.net>

> Hi all,
> I am hoping to gain information based on your
> experiences. We're a small manufacturing company
> running a peer-to-peer network and would like to set
> up a VPN as our WAN when half of the office moves to a
> new building. [...] My question is this:
> what do I need to set up our VPN? More specifically,
> what hardware (if any) and recommended manufacturers
> are required and what software is required? I'm kind
> of new to this whole VPN world so any suggestions you
> have from your past experiences would be greatly appreciated.
I've been running a VPN using SSH and PPP for over a year now between my home
LAN and my work LAN. It works beautifully, and it's highly configurable (type
of encryption, level of compression, etc). Also, depending on your selection
of encryption algorithm, you can get pretty low overhead. I was using a
486/75 as my VPN gateway machine over ISDN (128k) and the cpu never worked
more than 4% (and averaged around 2%) even when saturating the line with a
full-speed download. Now that I'm running a Pentium 200 as my VPN gateway
using DSL, the cpu load is still 2-5% with pretty low latency given the
packet gymnastics going on (the VPN adds about 30ms of latency for me).

Anyway, the tools required are all free, and the process is documented in the
VPN HOWTO that's standard with any distribution. There is one program,
pty-redir, that you'll have to download (aside from SSH) to get it to work. I
found the pty-redir (version .1) referenced in the HOWTO was too old to work
with my newer (2.2.x) kernel, so I updated that program (to version .2) and
placed it on my site at www.thelivingstons.org. It's GPL - feel free to use
it if you need it.

Good luck.

Eric

From kemp at INDUSRIVER.COM Fri Feb 4 16:52:59 2000
From: kemp at INDUSRIVER.COM (Brad Kemp)
Date: Fri, 4 Feb 2000 16:52:59 -0500
Subject: Integrated W9x DUN/VPN Client
In-Reply-To: <389A3FC2.24C8980C@dgsys.com>
Message-ID: <3.0.3.32.20000204165259.009c3370@pop3.indusriver.com>

The Indus River client does this. There are a few other bells and whistles on
it as well; it figures out which is the closest/cheapest POP to call. The
software is not transparent in that there is an application that the user
must run to determine which is the best POP to call.

Brad

At 09:56 PM 2/3/00 -0500, Lowell Hanson wrote:
>Hi,
>
>We have a client looking for a Remote Access VPN solution where the VPN
>client software is completely transparent to the user.
>In other words, after the client software is installed the client performs
>a single function that makes the PPP connection to an Access Server (DUN)
>and then establishes the VPN connection to the Customer's Trusted Network.
>
>Generally it is a two step process where the Client makes the DUN
>connection and then has to perform a 2nd step to establish the VPN
>connection.
>
>Thanks!
>
>Lowell

--
Brad Kemp                          Indus River Networks, Inc.
BradKemp at indusriver.com         31 Nagog Park
978-266-8122                       Acton, MA 01720
fax 978-266-8111

From dlighty at INTRINSIC.COM Fri Feb 4 16:47:42 2000
From: dlighty at INTRINSIC.COM (David Lighty)
Date: Fri, 4 Feb 2000 13:47:42 -0800
Subject: Windows2000 vpn client
Message-ID:

Are there any VPN packages out there with support for Windows 2000? I have
only Windows Professional; I didn't care for the vpn package in Server.

Thanks,
David

From jwalzer at STORMSYSTEMS.COM Fri Feb 4 16:48:18 2000
From: jwalzer at STORMSYSTEMS.COM (Jeff Walzer)
Date: Fri, 4 Feb 2000 16:48:18 -0500
Subject: PPTP in NT4WS breaking Internet connection
Message-ID:

Please forgive me if this is the wrong list to post this message to:

I have a remote user with a DSL connection. As soon as he loads PPTP on his
NT4WS laptop he can no longer access the Internet or even ping the default
gateway. The only thing that changes is the loading of PPTP and nothing else.
PPTP is needed to create a VPN connection to our internal LAN. Any ideas? The
laptop has SP6a.
Thanks,
Jeff

From rdonkin at ORCHESTREAM.COM Fri Feb 4 17:01:30 2000
From: rdonkin at ORCHESTREAM.COM (Donkin, Richard)
Date: Fri, 4 Feb 2000 22:01:30 -0000
Subject: SNA and NetBEUI over IPSec (was: suggestion)
Message-ID: <51B3ABF9C1B9D1118EDF0060086D18EE6E2E87@dennis.orchestream.com>

Comments below.

> -----Original Message-----
> From: Tina Bird [mailto:tbird at PRECISION-GUESSWORK.COM]
> Sent: Friday, February 04, 2000 9:13 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: sugestion (fwd)
>
> Date: Fri, 4 Feb 2000 04:02:22 -0800 (PST)
> From: emran mahat
> To: tbird at precision-guesswork.com
> Subject: sugestion
>
> Hi Tina,
>
> First I would like to congratulate you for maintaining such a
> good/informative web site on VPN. I would like to make some suggestions
> here. After browsing through your web site I found there is no/a lack of
> information on how SNA/NetBEUI applications can work on a VPN. As we all
> know, SNA and NetBEUI are not routable. So there might be many
> possibilities/approaches that can solve that problem. I am grateful and
> happy if you can come up with a discussion on this. Thanks for your
> precious time.

This is no different to running SNA or NetBEUI over any IP network. Various approaches exist for SNA, e.g. using DLSw+ tunnels (actually TCP sessions) on top of IPSec. For NetBEUI, maybe someone else can suggest something, but the obvious fix is to convert the hosts to use NetBIOS over IP, which is Microsoft's recommended protocol these days I believe.

Richard
--
rdonkin at orchestream.com      http://www.orchestream.com
Tel: +44 (0)20 7598 7554 (direct)       Orchestream Ltd.
     +44 (0)20 7460 4460 (switchboard)  125 Old Brompton Road
Fax: +44 (0)20 7460 4461                London SW7 3RP, UK
>>>>>>>>>>>>>>>>>>>>>> Bandwidth To Bank On >>>>>>>>>>>>>>>>>>>>>>>>

From twolsey at REALTECH.COM Fri Feb 4 17:08:17 2000
From: twolsey at REALTECH.COM (TC Wolsey)
Date: Fri, 4 Feb 2000 17:08:17 -0500
Subject: SNA/NetBIOS over VPN (was: sugestion (fwd))
Message-ID:

You are correct that NetBIOS assumes a flat addressing and name space. I do not know that the same can necessarily be said for SNA, but I am far from an expert. The main problem that I have seen with SNA/NetBIOS apps over a dispersed network is that they typically have various timers that have default values that are suitable for a local area network, for instance. Access to these timers is not always easy and in some cases changing the communication pacing values may not be feasible.

As VPN technology seems to be increasingly IP-centric, the first technology that I would suggest investigating would be DLSw, as that is a standardized method for the transport of SNA/NetBIOS over an IP infrastructure. The capability of DLSw to make a complex topology appear flat to the SNA/NetBIOS end stations is the approach that you can use to circumvent the lack of hierarchy in the address space. The capability of DLSw to locally acknowledge data-link sessions at the DLSw boundary is a workaround for the absolute timers issue. (Well, some of the time anyway.)

Hope some of this helps.

Regards,
tcw

From dnewman at NETWORKTEST.COM Fri Feb 4 17:10:43 2000
From: dnewman at NETWORKTEST.COM (David Newman)
Date: Fri, 4 Feb 2000 17:10:43 -0500
Subject: sugestion (fwd)
In-Reply-To:
Message-ID:

Hi Ran,

By VPN, I presume you mean something based on IPSec. If this is true, then the best option is to encapsulate the SNA traffic into IP packets, which of course *can* be routed.

The most common encapsulation method is Data Link Switching (DLSw), which not only stuffs SNA frames into IP packets but also spoofs keepalives to minimize management traffic on the WAN link. All major router vendors have supported DLSw for at least five years, and today it's very stable and widely used. Some DLSw implementations also encapsulate NetBIOS/NetBEUI. RFCs 1795 and 2166 describe DLSw, and RFC 2114 describes a way to use DLSw between hosts and routers.

If you do use DLSw, setting up a VPN is just a question of putting the encapsulating routers on the "private" side of each VPN gateway. Then the VPN gateways see only IP packets; there's no knowledge that these packets actually contain SNA frames.

When using IPSec's ESP transport, the SNA traffic gets encapsulated *twice* (once into IP and again into IPSec ESP), and that's a lot of overhead. Still, if the goal is to send "unroutable" traffic over a routed network, this is a good way to do it.
dn

From jonc at HAHT.COM Fri Feb 4 17:25:50 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Fri, 4 Feb 2000 17:25:50 -0500
Subject: PPTP in NT4WS breaking Internet connection
References:
Message-ID: <003f01bf6f5e$dfb42f80$cf83f7a5@annecons>

He has the box checked (under the VPN dial-up settings / TCP/IP settings) to Use Default Gateway on Remote Network. Uncheck that box and all of his internet traffic will continue to use the pre-VPN routes.

Jon Carnes
MIS - HAHT Software

From dgillett at NIKU.COM Fri Feb 4 17:35:46 2000
From: dgillett at NIKU.COM (David Gillett)
Date: Fri, 4 Feb 2000 14:35:46 -0800
Subject: PPTP in NT4WS breaking Internet connection
In-Reply-To:
Message-ID: <000001bf6f60$2e75d140$f30410ac@niku.com>

When you say "loads", do you mean "installs", or do you mean "connects using"?

If the latter, it is quite common for a VPN client to take over routing of *all* network traffic to go through the VPN tunnel. In fact, this is fairly desirable -- a client who has simultaneous connectivity to some other network is a potential backdoor into your trusted network. (Whether you allow VPN-connected clients to use the gateway at your end to reach other parts of the Internet is your call.)

If installing PPTP kills his DSL connection, then that's a serious problem that I don't know how to fix -- although I'd see if one of the "network configuration switcher" products can help.

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702

From jason.dowd at US.PWCGLOBAL.COM Fri Feb 4 17:25:12 2000
From: jason.dowd at US.PWCGLOBAL.COM (jason.dowd at US.PWCGLOBAL.COM)
Date: Fri, 4 Feb 2000 16:25:12 -0600
Subject: sugestion (fwd)
Message-ID: <8525687B.007B4691.00@intlnamsmtp20.us.pw.com>

One thought here for a site-to-site VPN to carry SNA is to use DLSW. After the SNA -> DLSW conversion, the DLSW can be carried over the VPN like all other IP traffic.

Jason
From jonc at HAHT.COM Fri Feb 4 18:08:57 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Fri, 4 Feb 2000 18:08:57 -0500
Subject: Integrated W9x DUN/VPN Client
References: <389A3FC2.24C8980C@dgsys.com>
Message-ID: <005d01bf6f65$1cac57e0$cf83f7a5@annecons>

For some of our "less talented" users on Win95, we have written scripts that are executed by the click of an icon. They could just as easily be executed at startup.

For both Win95 and NT users, RAS is capable of dial-on-demand, which would get your clients attached to the internet automagically.

HtH - Jon Carnes

From mkinna at MAGNA.COM.AU Fri Feb 4 17:53:00 2000
From: mkinna at MAGNA.COM.AU (Michelle Kinna)
Date: Sat, 5 Feb 2000 09:53:00 +1100
Subject: unsubscribe
Message-ID: <001a01bf6f62$a6731020$263d6fcb@mkinna>

-----Original Message-----
From: Robert Moskowitz
To: VPN at SECURITYFOCUS.COM
Date: Thursday, February 03, 2000 5:12 PM
Subject: Re: SKIP Evaluation?

> At 12:16 AM 2/1/2000 +0100, Vasek Petricek wrote:
>
> >I see - now I have read more SKIP docs and I still like the idea with
> >using a long lived master key. What is your opinion on the tradeoff
> >between relatively frequent reestablishment of SA's (IPSec) and rare
> >exchanges but additional cost of sending the keys in packets?
>
> I have to word this carefully.
>
> I HAVE studied SKIP, Photuris, and IKE. I was in the center of the
> Maelstrom that started with the Dallas IETF and ended in Montreal.
>
> We had poorly defined requirements for a KMP; see:
>
> ftp://ftp.ietf.cnri.reston.va.us/ietf-online-proceedings/94jul/area.and.wg.reports/sec/ipsec/ipsec-minutes-94jul.txt
>
> A craftsman does not buy an all-ratchet do-hickey, a handyman does. We put
> all of our eggs into IKE. Given the times, this was understandable, but
> we are paying for it now.
>
> There are things I like about SKIP and those I do not. Ashar had some
> particular goals that he never well articulated. I think that Phil Karn
> came the closest to articulating his goals, but he lost control of Photuris
> in the end, and publicly asked to have his name removed from the
> documents (Dallas or LA, can't remember which one).
>
> All engineering is a compromise. If you know your goals you can optimize
> from them and know why you made certain choices.
>
> Yes, I have been busy for the past 12 months refining MY KMP requirements.
>
> Robert Moskowitz
> ICSA.net
> (248) 968-9809
> Fax: (248) 968-2824
> rgm at icsa.net
>
> There's no limit to what can be accomplished
> if it doesn't matter who gets the credit

From pete at ETHER.NET Fri Feb 4 18:27:49 2000
From: pete at ETHER.NET (Pete Davis)
Date: Fri, 4 Feb 2000 18:27:49 -0500
Subject: Support for Vendor ID Payload
In-Reply-To:
References:
Message-ID: <20000204182749.A32009@ether.net>

Yes, the Altiga IPSec Client issues a Vendor ID payload during ISAKMP negotiations.
Regards,
-Pete

On Fri, Feb 04, 2000 at 01:09:17PM -0800, S Ramakrishnan wrote:
> Can anyone who has used the following
> desktop IPSec clients please let me know
> if these clients issue the Vendor ID
> payload during ISAKMP negotiations?
>
> 1) Altiga IPSec Client
> 2) IRE IPSec Client ("CiscoSecure VPN Client")
>
> Although the ISAKMP spec says that
> Vendor ID payload is not mandatory,
> what do most implementations do?
> Is it generally supported?
>
> Thanks,
>
> -r

---
Pete Davis - Product Manager                 (508) 541-7300 x154
Altiga Networks - 124 Grove Street Suite 205  Franklin, MA 02038

From scotta at GNAC.COM Fri Feb 4 19:18:38 2000
From: scotta at GNAC.COM (Scott Armstrong)
Date: Fri, 4 Feb 2000 16:18:38 -0800
Subject: PGPNet/Entrust
Message-ID:

I submitted this note a while back and have now figured out how to get it to work (with some help from some great people at both NAI and Entrust). I thought I'd drop the list a note in case anyone else treaded the same water. Please note, I often say to read the documentation. The Entrust documentation is great and you need to read it to do anything. The NAI docs only really tell how to get it to work with other NAI products. These instructions are meant to be a bridge between the two.

> Does anyone have some tips on getting Entrust certificates into
> PGPNet. I'm using Entrust 5.0 with pre-5.0 client compatibility and VPN Connector 4.1.
> The directory is PeerLogic 8.a.2 with both LDAP v2 and v3 capabilities. My
> main problem is getting the CA root certificate into the PGP client. As
> soon as that's done I should be able to install my client certificate into
> my key ring. Problem is, it doesn't seem to want to work.

First of all, to get Entrust to work with most VPN products, you need the Entrust VPN Connector. This is an enrollment/management workstation that listens for requests and then approves or denies them. It can take requests in two ways: (1) read the request from a file or (2) listen for requests online. The online requests are for devices that use the Cisco Enrollment Protocol (CEP). It turns out PGPNet uses CEP. There are some extra steps you need to take when configuring the Entrust CA for CEP requests, but these are all documented very well in the VPN Connector installation documentation. However, here are a couple of notes on the installation:

- If you're going to be using the VPN Connector, make sure that the directory is configured for LDAPv2 connectivity.
- Be sure to edit the entmgr.ini (server only) and entrust.ini (server and client) files.
- Change the default CA search base to "Certification Authority" as described in the documentation. Edit the SearchBase entry in entrust.ini as well.

In order for CEP devices to send certificates, they need to attach to a web site. With VPN Connector, the web site is something like http://your.ip.address/cgi-bin/pkiclient.exe for an IIS box. When VPN Connector is installed, these files live in the "Program Files\Entrust\VPN Connector\Cgi\Win32" directory (there's also a Solaris version near there). Follow the documentation to get the web site set up and running.

Before PGPKeys can send requests to the VPN Connector, you need to import the "CA Root" key. When you install VPN Connector, a file called vpnconcacert.pem is created in the root of the VPN Connector directory. This file contains the information you need. The information in the file needs to be given to the client (through the functioning web site is one way). The client needs to copy the information in the file and then paste it into the PGPKeys window (all of it, including the Begin and End lines). This starts up the import key function. When finished, sign the imported key and make it a Meta-Introducer.

Now we're almost ready to create the request. But first, we need to tell PGP about the registration server. Open PGPKeys and select Edit | Preferences and go to the CA tab. The URL field should be filled in with the information on how to get to the web site (http://your.ip.address/cgi-bin/pkiclient.exe), the type should be Entrust (I'm not completely sure about the Revocation URL, but I've been using :389). In the Root Certificate box click on "Select Certificate" and choose the certificate you just imported.

Now, make sure your web server is running and log into VPN Connector. Put VPN Connector into the "Listen for new requests" state (making sure the port number is the same you entered when you configured the web site's vpnconcgi.cfg file; yeah, I didn't mention it earlier but I did say follow the documentation and it's detailed there).

Back to PGPKeys and select Keys | Add | Certificate. The default information should show the client's current IP and the PGPKeys user e-mail address. Add in any other information needed (I had to add "Organizational Unit" (ou=), "Organization" (o=) and "Country" (c=)). If everything has been done correctly, you should be welcomed by a nice little message saying that the server got your request.

Back to the VPN Connector. You should see the pending request listed there. You can try to approve it, but you'll get an error (something like "Invalid name 15064"). What happens is, PGP sticks an extra field into the request that Entrust doesn't like. So we need to go take it out of the request. Close down VPN Connector and open the requestFile.txt file (it's in the same place as the vpnconcacert.pem file). Once that's open, find the request you just made (there may be many requests if you have pending ones). Next, find the line starting with "Description=PGPKeyCreation=" (without the quotes). Select the whole line and delete it. Save the file, go back into VPN Connector and approve the request. It will now succeed.

Back to PGPKeys.
Select Server | Retrieve Certificate and it should be retrieved successfully.

Next you configure PGPNet to work with GVPN, but that's another story.

Note: These instructions have been tried with PGP 6.5.3 on NT and 6.5.2a on the Mac. I don't guarantee this is the proper way to do it, only that it seems to have worked for me.

Thanks to everyone who helped with this,

Scott Armstrong

From issam.elayoubi-eds at EDS.COM Sat Feb 5 00:43:58 2000
From: issam.elayoubi-eds at EDS.COM (Elayoubi, Issam (UUNET))
Date: Sat, 5 Feb 2000 00:43:58 -0500
Subject: SNA/NetBIOS over VPN (was: sugestion (fwd))
Message-ID: <6BBAFBA0548ED311BBE500508B6FA53A0272878E@CAOTM201>

G'day all,

The best way to carry SNA/NetBIOS traffic across a WAN is to use DLSW capable routers. SNA/NetBIOS frames are time sensitive since they rely on LLC2 at the data link. On the other hand, DLSW tends to create a TCP session between peer routers across a WAN link. SNA/NetBIOS gets encapsulated in TCP segments and that can be piped through a VPN tunnel, like you would normally do it with your favorite flavor of VPN.

Cheers,
Issam.

From Munix-1 at PACBELL.NET Sat Feb 5 01:44:34 2000
From: Munix-1 at PACBELL.NET (Jose Muniz)
Date: Fri, 4 Feb 2000 22:44:34 -0800
Subject: Netsceen .jpg bug?
Message-ID: <389BC6D2.674634C8@Pacbell.net>

Hello Guys;

Has anyone ever seen this weird behaviour:

While retrieving html docs with .jpg's and others over the IPSec tunnel the images appear broken.
Any ideas?

Jose Muniz.

From mhw at WITTSEND.COM Sun Feb 6 13:45:31 2000
From: mhw at WITTSEND.COM (Michael H. Warfield)
Date: Sun, 6 Feb 2000 13:45:31 -0500
Subject: Linux VPN
In-Reply-To: <20000121112346.A686@ssh.com>; from anne@SSH.FI on Fri, Jan 21, 2000 at 11:23:46AM -0800
References: <20000121112346.A686@ssh.com>
Message-ID: <20000206134531.I20611@alcove.wittsend.com>

On Fri, Jan 21, 2000 at 11:23:46AM -0800, Carasik, Anne wrote:
> Hi Todd,

> Check out VPS 2.0, which is an open source VPN for Linux.

URL please? I'm unfamiliar with that one. Is that an IPSec compatible VPN?

> -Anne

> On Thu, Jan 20, 2000 at 10:20:49PM -0800, Todd Wilburn wrote:
> > We are thinking of using Linux for our server/firewalls and we need to do
> > VPN. What programs are available for a Linux VPN box? I can use secret
> > pass codes or certs.
> > Thanks,
> > Todd Wilburn

> --
> Anne Carasik
> Email: anne at ssh.com
> SSH Communications Security, Inc.
> Senior Technical Support Engineer
> "Any two consenting adults can rub two primes
> together to create a public keypair" - R. Thayer

Mike
--
Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
 (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
 NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471   |  possible worlds.  A pessimist is sure of it!

From guy.raymakers at EUROPE.EDS.COM Mon Feb 7 03:04:23 2000
From: guy.raymakers at EUROPE.EDS.COM (guy.raymakers at EUROPE.EDS.COM)
Date: Mon, 7 Feb 2000 09:04:23 +0100
Subject: PPTP over a NAT router
Message-ID: <4125687E.002C92F5.00@beanmg01.lneu.emea.eds.com>

Hi,

I have a Win NT server with RRAS and a router connected to a LAN; the router is connected to the Internet and is doing NAT for the complete network. When I'm trying to set up a PPTP connection from the NT server to another server on the Internet, I get ICMP unreachables from my local router. However, I can ping the destination PPTP server on the Internet.
Is there someone who made such a config before and can tell me whether this can work?

Many thanks,
Guy

From guy.raymakers at EUROPE.EDS.COM Mon Feb 7 03:11:41 2000
From: guy.raymakers at EUROPE.EDS.COM (guy.raymakers at EUROPE.EDS.COM)
Date: Mon, 7 Feb 2000 09:11:41 +0100
Subject: Integrated W9x DUN/VPN Client
Message-ID: <4125687E.002D3DB0.00@beanmg01.lneu.emea.eds.com>

The Nortel IPSEC client that comes with the Contivity switch (CES) contains a "connection manager" that can set up a tunnel (DUN+IPSec) transparently for the end-user.

Guy

Please respond to Lowell Hanson

From rodney at TILLERMAN.TO Sat Feb 5 22:00:31 2000
From: rodney at TILLERMAN.TO (Rodney Thayer)
Date: Sat, 5 Feb 2000 19:00:31 -0800
Subject: sugestion (fwd)
Message-ID: <3.0.6.32.20000205190031.03a4dd70@216.240.42.209>

I would recommend you "don't go there". NETBEUI does _not_ scale, regardless of how you get the packets across a wide area network. The broadcast mechanisms in it behave badly in large networks. Even IBM started admitting that. NETBEUI over IPsec (or tin cans and string, or barbed wire, or anything else) is a bad idea.
From jwalzer at STORMSYSTEMS.COM Mon Feb 7 09:37:06 2000
From: jwalzer at STORMSYSTEMS.COM (Jeff Walzer)
Date: Mon, 7 Feb 2000 09:37:06 -0500
Subject: PPTP in NT4WS breaking Internet connection
Message-ID:

Problem solved and here's how:

When I first got the laptop I loaded TCP/IP, RAS, then PPTP. This config (with PPTP being installed last) prevented any Internet access at all over the DSL line. What I did was uninstall PPTP then TCP/IP. I left RAS installed. I then installed TCP/IP then PPTP and everything worked. I am thinking that when RAS was installed after TCP/IP some entry was overwritten that prevented any type of Internet access after PPTP was loaded.
Hope this helps someone down the line,

Jeff

From jsdy at COSPO.OSIS.GOV Mon Feb 7 12:10:15 2000
From: jsdy at COSPO.OSIS.GOV (Joseph S D Yao)
Date: Mon, 7 Feb 2000 12:10:15 -0500
Subject: Flowpoint and PPTP/VPN
In-Reply-To: <001001bf622a$f7e52000$45102918@earthlink.net>; from frank@computica.com on Tue, Jan 18, 2000 at 07:12:06PM -0800
References: <001001bf622a$f7e52000$45102918@earthlink.net>
Message-ID: <20000207121015.C2270@washington.cospo.osis.gov>

On Tue, Jan 18, 2000 at 07:12:06PM -0800, Frank R. Boecherer wrote:
> If you have (or not) experience with Flowpoint routers, maybe you can offer some tips...
...
> We have filtering turned off, I believe, on the server, but I read somewhere that we may
> need to turn on GRE protocol 47 in the router to allow the passing of certain packets or
> header data. Can anyone explain what GRE is and maybe how to enable it on the Flowpoint
> and if that is the problem we might be experiencing?

I know nothing about Flowpoint routers.

GRE is the Generic Routing Encapsulation protocol, for creating tunnels through IP connections. See RFC 1701, October 1994. I understand that there have been several better tunneling protocols since then.

--
Joe Yao                                jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                         EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

From dsarel at US.RADGUARD.COM Sun Feb 6 21:34:48 2000
From: dsarel at US.RADGUARD.COM (Dan Sarel)
Date: Sun, 6 Feb 2000 18:34:48 -0800
Subject: Netsceen .jpg bug?
In-Reply-To: <389BC6D2.674634C8@Pacbell.net>
Message-ID:

Hi Jose,

(Are you the Jose I met at the bakeoff, the guy who works for F-Secure?).

Here is a possible answer. When we (Radguard) first came out with an IPSEC client (about a year and a half ago) one of our customers experienced the same problem. It took us some time to replicate but here is what happened. For whatever reason, when you download .jpg files the packets are often large. With the ESP overhead the packets get fragmented and when packets get fragmented things may go wrong. This means that either your VPN application does not deal with the fragmentation correctly, or some router on the way is unhappy about them (in this customer's particular case, he saw that downloading .jpg files broke when he called one of his ISP's local numbers and went away when he called another, which really puzzled us for a while). Once we realized that it is fragmentation that is the culprit we made a few changes to our gateway to make sure that this won't happen.

How will you know if this is the problem? One way is putting a sniffer on your PC or anywhere else on the path between the client and the server to see when the communication breaks. If you see that things hang when fragmented packets are starting to flow, then this is your problem.

Hope it helps.

Dan
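Joe Yao's GRE pointer above (RFC 1701, the IP protocol 47 Frank needs the Flowpoint to pass for PPTP) is easier to act on when the header fields can be read off a capture; this added Python parser is not from any list post. It decodes the RFC 1701 flag bits and optional fields and the RFC 2637 enhanced-GRE form PPTP uses (protocol 0x880B, payload length and call ID in the Key field, optional Acknowledgment); the two sample packets are constructed.

```python
"""Decode GRE headers: RFC 1701 base form and RFC 2637 enhanced GRE (PPTP).

Added example; the sample packets below are constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import Optional

IP_PROTO_GRE = 47          # the "protocol 47" a router filter must pass for PPTP
GRE_PROTO_PPTP = 0x880B    # Protocol Type of the PPTP data channel (RFC 2637)
GRE_PROTO_IPV4 = 0x0800    # plain IPv4-in-GRE


@dataclass
class GreHeader:
    checksum_present: bool     # C bit
    routing_present: bool      # R bit
    key_present: bool          # K bit
    seq_present: bool          # S bit
    strict_source_route: bool  # s bit
    recursion: int             # Recur (3 bits)
    ack_present: bool          # A bit (RFC 2637; first bit of the RFC 1701 Flags field)
    version: int               # 0 = RFC 1701, 1 = enhanced GRE
    protocol: int              # Protocol Type (EtherType-style value)
    checksum: Optional[int] = None
    offset: Optional[int] = None
    key: Optional[int] = None
    sequence: Optional[int] = None
    ack: Optional[int] = None
    header_len: int = 0        # bytes consumed by the header; payload starts here


def _u16(buf: bytes, off: int) -> int:
    if off + 2 > len(buf):
        raise ValueError("GRE header truncated at offset %d" % off)
    return struct.unpack_from("!H", buf, off)[0]


def _u32(buf: bytes, off: int) -> int:
    if off + 4 > len(buf):
        raise ValueError("GRE header truncated at offset %d" % off)
    return struct.unpack_from("!I", buf, off)[0]


def parse_gre(pkt: bytes) -> GreHeader:
    """Parse the GRE header at the start of pkt (the payload of an IP protocol 47 datagram)."""
    flags = _u16(pkt, 0)
    h = GreHeader(
        checksum_present=bool(flags & 0x8000),
        routing_present=bool(flags & 0x4000),
        key_present=bool(flags & 0x2000),
        seq_present=bool(flags & 0x1000),
        strict_source_route=bool(flags & 0x0800),
        recursion=(flags >> 8) & 0x7,
        ack_present=bool(flags & 0x0080),
        version=flags & 0x7,
        protocol=_u16(pkt, 2),
    )
    off = 4
    # Checksum and Offset are both present if either C or R is set (RFC 1701).
    if h.checksum_present or h.routing_present:
        h.checksum, h.offset = _u16(pkt, off), _u16(pkt, off + 2)
        off += 4
    if h.key_present:
        h.key = _u32(pkt, off)
        off += 4
    if h.seq_present:
        h.sequence = _u32(pkt, off)
        off += 4
    # Enhanced GRE (version 1) may carry an Acknowledgment number after the sequence.
    if h.version == 1 and h.ack_present:
        h.ack = _u32(pkt, off)
        off += 4
    if h.routing_present:
        raise ValueError("GRE source routing is not handled by this parser")
    h.header_len = off
    return h


def is_pptp(h: GreHeader) -> bool:
    """RFC 2637 requires version 1, protocol 0x880B and the Key field present."""
    return h.version == 1 and h.protocol == GRE_PROTO_PPTP and h.key_present


def pptp_call_id(h: GreHeader) -> int:
    """In enhanced GRE the Key field is Payload Length (high 16 bits) and Call ID (low 16)."""
    if not is_pptp(h) or h.key is None:
        raise ValueError("not a PPTP enhanced GRE header")
    return h.key & 0xFFFF


def describe(pkt: bytes) -> str:
    """One-line classification, handy when checking what a protocol 47 filter is passing."""
    h = parse_gre(pkt)
    if is_pptp(h):
        return "PPTP call 0x%04x seq=%s ack=%s payload=%d" % (
            pptp_call_id(h), h.sequence, h.ack, h.key >> 16)
    return "GRE v%d protocol 0x%04x header=%d bytes" % (h.version, h.protocol, h.header_len)


# Constructed sample 1: PPTP data packet, K=1 S=1 A=1, version 1 (flags word 0x3081),
# 16-byte PPP payload, call ID 0x1234, sequence 7, acknowledging sequence 3.
PPTP_SAMPLE = (struct.pack("!HHIII", 0x3081, GRE_PROTO_PPTP, (16 << 16) | 0x1234, 7, 3)
               + b"\xff\x03\x00\x21" + b"\x00" * 12)

# Constructed sample 2: minimal RFC 1701 header carrying IPv4, no optional fields.
PLAIN_SAMPLE = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4) + b"\x45" + b"\x00" * 19
```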
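Dan Sarel's explanation above comes down to size arithmetic: ESP tunnel mode adds an outer IP header, ESP header, IV, padding and ICV, so a full-size inner packet no longer fits the link MTU and the gateway fragments it. This added example (not from the list posts) does that arithmetic, assuming 3DES-CBC with HMAC-SHA1-96 as the transform, and walks constructed IPv4 headers the way the sniffer check he describes would, to flag fragments.

```python
"""ESP tunnel-mode size arithmetic plus a fragment check over IPv4 headers.

Added example. Transform parameters (3DES-CBC IV, 8-byte blocks, HMAC-SHA1-96 ICV)
are assumptions; the sample headers are constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

IPV4_HDR = 20        # outer IPv4 header added in tunnel mode (no options)
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
IP_PROTO_ESP = 50
TCP_IP_HDRS = 40     # inner TCP + IPv4 headers, for the MSS figure


@dataclass(frozen=True)
class EspParams:
    iv_len: int = 8      # 3DES-CBC initialisation vector
    block_len: int = 8   # plaintext (inner packet + trailer) is padded to this
    icv_len: int = 12    # HMAC-SHA1-96 integrity check value


def esp_tunnel_size(inner_len: int, p: EspParams = EspParams()) -> int:
    """Bytes on the wire after wrapping an inner_len-byte IP packet in tunnel-mode ESP."""
    plain = inner_len + ESP_TRAILER
    padded = -(-plain // p.block_len) * p.block_len   # round up to the cipher block size
    return IPV4_HDR + ESP_HDR + p.iv_len + padded + p.icv_len


def max_inner_len(link_mtu: int, p: EspParams = EspParams()) -> int:
    """Largest inner packet whose ESP encapsulation still fits link_mtu unfragmented."""
    n = link_mtu
    while n > 0 and esp_tunnel_size(n, p) > link_mtu:
        n -= 1
    return n


def tcp_mss_for(link_mtu: int, p: EspParams = EspParams()) -> int:
    """TCP MSS to clamp inner flows to, so a full segment never needs fragmenting."""
    return max_inner_len(link_mtu, p) - TCP_IP_HDRS


# --- fragment check over raw IPv4 headers, as a sniffer would show them ---

def ipv4_header(total_len: int, ident: int, more_frags: bool, frag_offset: int,
                proto: int, src: bytes = b"\x0a\x00\x00\x01",
                dst: bytes = b"\xc0\xa8\x01\x01") -> bytes:
    """Build a 20-byte IPv4 header (checksum left zero; constructed sample data)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       64, proto, 0, src, dst)


def find_fragments(headers: List[bytes]) -> List[Tuple[int, int, bool]]:
    """Return (identification, byte offset, more_fragments) for each header that is a fragment."""
    out = []
    for hdr in headers:
        fields = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
        ident, flags_frag = fields[3], fields[4]
        more = bool(flags_frag & 0x2000)          # MF flag
        offset = (flags_frag & 0x1FFF) * 8        # fragment offset is in 8-byte units
        if more or offset:
            out.append((ident, offset, more))
    return out


# Constructed capture: a 1552-byte ESP datagram (a 1500-byte inner packet, see
# esp_tunnel_size(1500)) split by a 1500-byte link into two fragments, followed by
# an ESP datagram small enough to pass whole (inner packet of 1446 bytes).
SAMPLE_CAPTURE = [
    ipv4_header(1500, 0x1234, True, 0, IP_PROTO_ESP),        # first 1480 payload bytes
    ipv4_header(20 + 52, 0x1234, False, 1480, IP_PROTO_ESP),  # remaining 52 bytes
    ipv4_header(1496, 0x1235, False, 0, IP_PROTO_ESP),       # unfragmented
]

if __name__ == "__main__":
    print("1500-byte inner packet becomes", esp_tunnel_size(1500), "bytes")
    print("largest unfragmented inner packet on a 1500 MTU:", max_inner_len(1500))
    print("TCP MSS to clamp to:", tcp_mss_for(1500))
    print("fragments seen:", find_fragments(SAMPLE_CAPTURE))
```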
>
>
> Hello Guys;
>
> Have any one ever seen this weird behaviour:
>
> While retrieving html docs with .jpg's and others over the
> IPSec tunnel the images appear broken.
> Any ideas?
>
> Jose Muniz.


From rodney at MODULE-TWO.RWTHAYER.COM Sun Feb 6 20:16:58 2000
From: rodney at MODULE-TWO.RWTHAYER.COM (rodney)
Date: Sun, 6 Feb 2000 20:16:58 -0500
Subject: Netsceen .jpg bug?
References: <389BC6D2.674634C8@Pacbell.net>
Message-ID: <389E1D0A.AFA76E07@module-two.rwthayer.com>

Look at whether the IPsec tunnel handles large packets and fragmentation properly. It's possible that huge slabs of data, such as a JPG file, could induce a failure in this.

Good luck, and tell us what you find!

Jose Muniz wrote:
> Hello Guys;
>
> Have any one ever seen this weird behaviour:
>
> While retrieving html docs with .jpg's and others over the
> IPSec tunnel the images appear broken.
> Any ideas?
>
> Jose Muniz.


From koshy at TULIP.ARACOR.COM Tue Feb 1 23:33:02 2000
From: koshy at TULIP.ARACOR.COM (Mathew Koshy)
Date: Tue, 1 Feb 2000 20:33:02 -0800
Subject: VPN resource
Message-ID: <3897B37E.8BAB3A09@aracor.com>

Hi

I am looking for a consultant to help set up a VPN which links two networks, one using Checkpoint VPN-1 and the other a small branch office network with an ISDN internet connection. We're looking for a cost-effective solution. Any ideas on how to find a consultant?

Thanks,
Mathew Koshy
koshy at aracor.com


From cdupuis at UNI-GLOBAL.COM Mon Feb 7 02:35:13 2000
From: cdupuis at UNI-GLOBAL.COM (Klement Dupnis)
Date: Mon, 7 Feb 2000 08:35:13 +0100
Subject: Linux VPN
In-Reply-To: <20000206134531.I20611@alcove.wittsend.com>
Message-ID:

http://www.strongcrypto.com/

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Michael H.
Warfield
Sent: 6 février, 2000 19:46
To: VPN at SECURITYFOCUS.COM
Subject: Re: Linux VPN

On Fri, Jan 21, 2000 at 11:23:46AM -0800, Carasik, Anne wrote:
> Hi Todd,
> Check out VPS 2.0, which is an open source VPN for Linux.

URL please? I'm unfamiliar with that one. Is that an IPSec compatible VPN?

> -Anne
> On Thu, Jan 20, 2000 at 10:20:49PM -0800, Todd Wilburn wrote:
> > We are thinking of using Linux for our server/firewalls and we need to do
> > VPN. What programs are available for a Linux VPN box? I can use secret
> > pass codes or certs.
> > Thanks,
> > Todd Wilburn
> --
> Anne Carasik
> Email: anne at ssh.com
> SSH Communications Security, Inc.
> Senior Technical Support Engineer
> "Any two consenting adults can rub two primes
> together to create a public keypair" - R. Thayer

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
(The Mad Wizard)    | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9     | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!


From abhijain at HSS.HNS.COM Mon Feb 7 15:16:08 2000
From: abhijain at HSS.HNS.COM (Abhinav Jain)
Date: Mon, 7 Feb 2000 20:16:08 -0000
Subject: bandwodth slicer
Message-ID: <007e01bf71a8$2c1e7060$04c0c5cb@abhijain>

Hi All

I am working as a network admin with an ISP. I would like to know whether there is any product in the market which can slice a leased line which works on IP into smaller bandwidth slots. Are there any softwares available? I heard of a product called Packet Shaper.

Please, it is very very urgent.

Thanks
Abhinav Jain
Hughes
From rng at NETSCREEN.COM Mon Feb 7 13:32:52 2000
From: rng at NETSCREEN.COM (Ronald Ng)
Date: Mon, 7 Feb 2000 10:32:52 -0800
Subject: Netsceen .jpg bug?
References: <389BC6D2.674634C8@Pacbell.net> <389E1D0A.AFA76E07@module-two.rwthayer.com>
Message-ID: <389F0FD4.1AF48836@netscreen.com>

You can set mss so that no fragmentation occurs. On the command line, "set flow tcp-mss"

rodney wrote:
>
> look at whether the IPsec tunnel handles large packets and
> fragmentation properly.
> It's possible that huge slabs of data, such as a JPG file, could induce
> a
> failure in this.
>
> Good luck, and tell us what you find!
>
> Jose Muniz wrote:
>
> > Hello Guys;
> >
> > Have any one ever seen this weird behaviour:
> >
> > While retrieving html docs with .jpg's and others over the
> > IPSec tunnel the images appear broken.
> > Any ideas?
> >
> > Jose Muniz.

--
Ronald Ng
rng at netscreen.com


From mmandel at POSTPROPERTIES.COM Mon Feb 7 13:43:02 2000
From: mmandel at POSTPROPERTIES.COM (mmandel at POSTPROPERTIES.COM)
Date: Mon, 7 Feb 2000 13:43:02 -0500
Subject: PPTP over a NAT router
Message-ID: <8525687E.0066D022.00@notes1.postproperties.com>

You have to configure your router with a static NAT for the server, i.e. outside IP address to the inside IP address. If you have the firewall feature set on your router, you might also try looking into opening up specific ports that PPTP uses. What kind of router? Cisco? What IOS?

I have this same setup, only I'm using a PIX firewall to do NAT. I had to open specific TCP and GRE ports for this to work.
GL,
mm

guy.raymakers at EUROPE.EDS.COM on 02/07/2000 03:04:23 AM
Please respond to guy.raymakers at EUROPE.EDS.COM


From todd at SUSQ.COM Mon Feb 7 15:52:18 2000
From: todd at SUSQ.COM (Allen Todd)
Date: Mon, 7 Feb 2000 15:52:18 -0500
Subject: Trouble with middleware and VPN client
Message-ID: <200002072052.PAA09900@sauza.dev.susq.com>

Hello All,

We are currently using Raptor Mobile VPN with Raptor firewall as the endpoint. We establish a tunnel from a shared wireless LAN to our internal network so that the handhelds appear to be on our local network, but it is really all done through routing once the tunnel is established.

Enter a new application requiring a broadcast based middleware (Tibco Rendezvous). The application can take a parameter to define which network interface to listen/broadcast on, but there is no way to specify our internal network since we aren't physically on it. We have considered PPP tunnels through the VPN but didn't want to make too many layers of software if we didn't have to -- the wireless is already slow!

I am wondering if there are any VPN clients that are implemented as a virtual network interface rather than just taking over the IP stack? I'd love to hear from anyone with similar experiences (with positive or negative outcomes) and things you have done/attempted.

Thanks,
Allen Todd
todd at susq.com


From cindy_slosar at YAHOO.CA Mon Feb 7 17:00:13 2000
From: cindy_slosar at YAHOO.CA (Cindy Slosar)
Date: Mon, 7 Feb 2000 17:00:13 -0500
Subject: VPN Software
Message-ID: <20000207220013.2754.qmail@web1504.mail.yahoo.com>

Hi,

Can someone recommend a third-party vendor of VPN software that's stable and easy to set up?

Thanks in advance!
From truman at RESEARCH.SUSPICIOUS.ORG Mon Feb 7 18:03:01 2000
From: truman at RESEARCH.SUSPICIOUS.ORG (Truman Boyes)
Date: Mon, 7 Feb 2000 18:03:01 -0500
Subject: bandwodth slicer
In-Reply-To: <007e01bf71a8$2c1e7060$04c0c5cb@abhijain>
Message-ID:

Hi Abhinav,

There are a few things you can do. First of all, if you want to limit the total IP traffic of the leased line (assuming it is a T1) you can configure each CSU in increments of 64Kb.

If you want to actually limit types of traffic over the leased line for different services, we move into Quality of Service. There are black box designs that do just this. They usually have either telnet or java based configuration tools to slide bandwidth up or down for a given network.

I have had stable experience using a Cisco 4500M with a quad ethernet card slot. You can do this by creating a 'traffic-shape group'. Below is a sample config for a network on ethernet 0:

interface Ethernet0
 ...
 media-type 10BaseT
 traffic-shape group 111 256000 7936 7936 1000
 ...

access-list 111 permit ip 192.168.0.0 0.0.0.63 any
access-list 111 permit ip any 192.168.0.0 0.0.0.63
access-list 111 deny ip any any

This gives the machines on the network 192.168.0.0/26 a bandwidth of 256K. This works fairly decently. I really can't complain.

You may also want to look into ALTQ for *BSD. I know it was recently ported to OpenBSD, and seemed to work smoothly for various NICs.

.truman.boyes.

On Mon, 7 Feb 2000, Abhinav Jain wrote:
> Hi All
> I am working as a network admin with an ISP. I would like to know whether there is any product in the market which can slice a leased line which works on IP into smaller bandwidth slots. Are there any softwares available? I heard of a product called Packet Shaper.
>
> Please, it is very very urgent.
>
> Thanks
> Abhinav Jain
> Hughes


From guy.raymakers at EUROPE.EDS.COM Tue Feb 8 02:38:02 2000
From: guy.raymakers at EUROPE.EDS.COM (guy.raymakers at EUROPE.EDS.COM)
Date: Tue, 8 Feb 2000 08:38:02 +0100
Subject: PPTP over a NAT router
Message-ID: <4125687F.002A29D0.00@beanmg01.lneu.emea.eds.com>

I've set up a static NAT translation and it's working now. (I'm running a Cisco 1605-R with IOS 12.0.5.T2)

Thanks !

Guy

Please respond to mmandel at POSTPROPERTIES.COM


From guy.raymakers at EUROPE.EDS.COM Tue Feb 8 02:44:21 2000
From: guy.raymakers at EUROPE.EDS.COM (guy.raymakers at EUROPE.EDS.COM)
Date: Tue, 8 Feb 2000 08:44:21 +0100
Subject: bandwodth slicer
Message-ID: <4125687F.002ABED1.00@beanmg01.lneu.emea.eds.com>

Hi Abhinav,

Here are some products :
PacketShaper from Packeteer
Floodgate from Checkpoint
Cisco also delivers a QoS extension in the IOS.
AC200 from Allot
.....

We are running PacketShaper in our European (HNS) VSAT network.

Guy

Please respond to Abhinav Jain


From aapintor at SIRIO.TECMOR.MX Tue Feb 8 14:13:55 2000
From: aapintor at SIRIO.TECMOR.MX (Abel Alberto Pintor Estrada)
Date: Tue, 8 Feb 2000 13:13:55 -0600
Subject: VPN
In-Reply-To: <77A1E4F21F59D211862600805F650FD8512FAC@COR0000S001>
Message-ID:

Hi all!

I am studying VPN and I need some technical information about it. I will be glad if someone can help me to find an interesting VPN technical information web page, not commerce. Thanks!

At.
Abel Pintor


From adamz at ECONET.COM Tue Feb 8 15:15:07 2000
From: adamz at ECONET.COM (Adam P. Zimmerer)
Date: Tue, 8 Feb 2000 14:15:07 -0600
Subject: IPSec thru NAT
Message-ID:

Hello,

I have a situation where an Ascend/Lucent Pipeline 50 is connecting to the Internet via an ISDN dial-up account. It has NAT enabled and the default server under NAT settings is the IPSec VPN device which is also the LAN's default gateway.
The Pipe50 is only connected to this device and not the rest of the LAN. The LAN users get all other types of traffic (i.e. HTML, IKE, POP3, SMTP, etc.) but the IPSec packets get dropped, as the Pipe50's NAT software does not know what to do with them. (There is no firewall on the Pipe50.)

I know the easiest solution is to turn off NAT and get multi-host static or dynamic - dial-up or dedicated Internet access, but the money people don't want to spend the extra money if at all possible.

Does anyone know of an ISDN router that will pass IPSec packets through NAT?

Take care,
Adam Zimmerer


From cynthia at XEROX.COM.NI Tue Feb 8 15:28:14 2000
From: cynthia at XEROX.COM.NI (Cynthia Tercero)
Date: Tue, 8 Feb 2000 14:28:14 -0600
Subject: VPN
In-Reply-To:
Message-ID:

Hi Abel,

At http://kubarb.phsx.ukans.edu/~tbird/vpn.html you can find a lot of information.

Greetings,
Cynthia

On Tue, 8 Feb 2000, Abel Alberto Pintor Estrada wrote:
> Hi all!
>
> I am studying VPN and I need some technical information about it. I will
> be glad if someone can help me to find an interesting VPN technical
> information web page, not commerce. Thanks!
>
> At. Abel Pintor


From Peter.D'Arco at ANIXTER.COM Tue Feb 8 16:21:08 2000
From: Peter.D'Arco at ANIXTER.COM (Peter D'Arco)
Date: Tue, 8 Feb 2000 16:21:08 -0500
Subject: layer-2 crypto hardware
Message-ID: <"000208211809Z.WT05776. 1*/PN=Peter.D'Arco/O=NOTES/PRMD=ANIXTER/ADMD=ATTMAIL/C=US/"@MHS>

Howdy,

Not exactly a VPN question, but I am currently searching for a transparent layer-2 crypto device; ideally it would scramble FE frames just enough to secure the data but still allow the packet to be switched at layer 2. I've heard the military has devices similar to this, but I haven't been able to find any commercially available.
I am aware of all the Layer 3 and up options, but this has to essentially function like a bridge with performance close to 100mbs. Any suggestions?

Thanks,

Peter D'Arco


From guy.raymakers at EUROPE.EDS.COM Wed Feb 9 02:46:46 2000
From: guy.raymakers at EUROPE.EDS.COM (guy.raymakers at EUROPE.EDS.COM)
Date: Wed, 9 Feb 2000 08:46:46 +0100
Subject: PPTP between CES and WinNT
Message-ID: <41256880.002AF642.00@beanmg01.lneu.emea.eds.com>

Hi,

I'm trying to configure a PPTP connection between a Nortel CES 1500 and a Win NT 4 SP5 server running RRAS. A couple of problems that I have:

1. I don't get the PPTP sessions working, an example config would be great !
2. When using the 'branch office' connection on the CES, you do need to put in a static IP address for the remote. This requires an ISP connection with a static IP address, which will raise the costs for the ISP connection. Is there a way to eliminate this on the CES ?

Many thanks,
Guy


From dnewman at NETWORKTEST.COM Wed Feb 9 14:59:10 2000
From: dnewman at NETWORKTEST.COM (David Newman)
Date: Wed, 9 Feb 2000 14:59:10 -0500
Subject: layer-2 crypto hardware
In-Reply-To: <"000208211809Z.WT05776. 1*/PN=Peter.D'Arco/O=NOTES/PRMD=ANIXTER/ADMD=ATTMAIL/C=US/"@MHS>
Message-ID:

Celotek makes L2 crypto boxes for links up to OC-12 (622 Mbit/s). The catch is that these boxes work *only* on ATM networks.

Cylink makes protocol-independent L2 crypto boxes, but AFAIK the maximum rate supported is E1 (2.048 Mbit/s).
www.celotek.com
www.cylink.com/products/widevpn/link/link.htm

dn

> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Peter
> D'Arco
> Sent: Tuesday, February 08, 2000 4:21 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: layer-2 crypto hardware
>
>
> Howdy,
>
> Not exactly a VPN question, but I am currently searching
> for a transparent layer-2 crypto device; ideally it would
> scramble FE frames just enough to secure the data but still
> allow the packet to be switched at layer 2. I've heard the
> military has devices similar to this, but I haven't been able to
> find any commercially available. I am aware of all the Layer 3
> and up options, but this has to essentially function like a
> bridge with performance close to 100mbs. Any suggestions?
>
>
> Thanks,
>
> Peter D'Arco


From robang at YAHOO.COM Wed Feb 9 21:53:43 2000
From: robang at YAHOO.COM (Rob Ang)
Date: Wed, 9 Feb 2000 18:53:43 -0800
Subject: Using Cisco 1601R as a VPN box
Message-ID: <013e01bf7372$0e59dee0$1b04a8c0@tbdnetworks.com>

Hi everyone,

I'm trying to find out what IOS I need to load on my Cisco 1601R to be able to do IPSEC. I looked on Cisco's site but see that the minimum requirement is 12MB for most of the different IOS although the 1601R comes with 8MB standard. Is there IOS software that supports IOS with just an 8MB minimum? Anyone have experience with this?

thanks!
Rob


From Munix-1 at PACBELL.NET Wed Feb 9 22:52:01 2000
From: Munix-1 at PACBELL.NET (Jose Muniz)
Date: Wed, 9 Feb 2000 19:52:01 -0800
Subject: Netsceen .jpg bug?
References: <389BC6D2.674634C8@Pacbell.net> <389E1D0A.AFA76E07@module-two.rwthayer.com>
Message-ID: <38A235E1.71D4F62F@Pacbell.net>

rodney wrote:
>
> look at whether the IPsec tunnel handles large packets and
> fragmentation properly.
> It's possible that huge slabs of data, such as a JPG file, could induce
> a
> failure in this.
>
> Good luck, and tell us what you find!
>
> Jose Muniz wrote:
>
> > Hello Guys;
> >
> > Have any one ever seen this weird behaviour:
> >
> > While retrieving html docs with .jpg's and others over the
> > IPSec tunnel the images appear broken.
> > Any ideas?
> >
> > Jose Muniz.

Well I found an easy fix to it.

Netscreen> set flow tcp-mss
Netscreen> save
Netscreen> reset

Bada bim bada boom, it works fine..!

Thanks guys!

Jose Muniz


From Munix-1 at PACBELL.NET Wed Feb 9 22:55:08 2000
From: Munix-1 at PACBELL.NET (Jose Muniz)
Date: Wed, 9 Feb 2000 19:55:08 -0800
Subject: Netsceen .jpg bug?
References: <389BC6D2.674634C8@Pacbell.net> <389E1D0A.AFA76E07@module-two.rwthayer.com> <389F0FD4.1AF48836@netscreen.com>
Message-ID: <38A2369C.38852B89@Pacbell.net>

Ronald Ng wrote:
>
> You can set mss so that no fragmentation occurs. On the command line,
> "set flow tcp-mss"
>
> rodney wrote:
> >
> > look at whether the IPsec tunnel handles large packets and
> > fragmentation properly.
> > It's possible that huge slabs of data, such as a JPG file, could induce
> > a
> > failure in this.
> >
> > Good luck, and tell us what you find!
> >
> > Jose Muniz wrote:
> >
> > > Hello Guys;
> > >
> > > Have any one ever seen this weird behaviour:
> > >
> > > While retrieving html docs with .jpg's and others over the
> > > IPSec tunnel the images appear broken.
> > > Any ideas?
> > >
> > > Jose Muniz.
>
> --
> Ronald Ng
> rng at netscreen.com

Hello Ron;

Well, I am ready to go to sleep... finally...!!

Yep, that did the trick [mss] to avoid frags. However the code should be fixed..

TTYL

Jose Muniz.


From jacquiv at IS.CO.ZA Thu Feb 10 01:50:41 2000
From: jacquiv at IS.CO.ZA (Jacqui Vukovic)
Date: Thu, 10 Feb 2000 08:50:41 +0200
Subject: Using Cisco 1601R as a VPN box
Message-ID:

Hi

Here's some info from Cisco's site. Bear in mind that these are the minimum memory requirements and that Cisco change their newer images (and consequently the requirements) fairly regularly. I've not yet come across a router that comes standard with enough memory to run the IPsec image.

1720       12.0.5T1  IP PLUS IPSEC 56
           Minimum Memory Requirements to download image - 4 MB Flash and 20 MB RAM
           c1700-sy56i-mz.120-5.T1.bin  3989520  08/24/1999 12:56:23

2501-2525  12.0.5    IP PLUS IPSEC 56
           Minimum Memory Requirements to download image - 16 MB Flash and 4 MB RAM
           c2500-is56i-l.120-5.bin  8267784  06/21/1999 02:34:07

3640       12.0.5    IP PLUS IPSEC 56
           Minimum Memory Requirements to download image - 8 MB Flash and 32 MB RAM
           c3640-is56i-mz.120-5.bin  5745848  06/21/1999 02:46:18

1601-1604  12.0.6    IP PLUS IPSEC 56
           Minimum Memory Requirements to download image - 8 MB Flash and 6 MB RAM
           c1600-sy56i-l.120-6.bin  6319772  08/16/1999 01:44:07

-----Original Message-----
From: Rob Ang [mailto:robang at yahoo.com]
Sent: Thursday, February 10, 2000 4:54 AM
To: VPN at SECURITYFOCUS.COM
Subject: Using Cisco 1601R as a VPN box

Hi everyone,

I'm trying to find out what IOS I need to load on my Cisco 1601R to be able to do IPSEC. I looked on Cisco's site but see that the minimum requirement is 12MB for most of the different IOS although the 1601R comes with 8MB standard. Is there IOS software that supports IOS with just an 8MB minimum?
Anyone have experience with this?

thanks!
Rob


From ifox100 at HOTMAIL.COM Thu Feb 10 08:55:05 2000
From: ifox100 at HOTMAIL.COM (Ivan Fox)
Date: Thu, 10 Feb 2000 08:55:05 -0500
Subject: Checkpoint VPN-1 and IRE SafeNet Client
Message-ID: <20000210135508.44768.qmail@hotmail.com>

A customer plans to use Checkpoint VPN-1, but to use IRE's SafeNet client instead of Checkpoint's SecuRemote or Secure Client. Is it a viable combo? Any info is greatly appreciated.

Best regards,
Ivan


From jason.dowd at US.PWCGLOBAL.COM Thu Feb 10 11:00:44 2000
From: jason.dowd at US.PWCGLOBAL.COM (jason.dowd at US.PWCGLOBAL.COM)
Date: Thu, 10 Feb 2000 10:00:44 -0600
Subject: layer-2 crypto hardware
Message-ID: <85256881.00584138.00@intlnamsmtp20.us.pw.com>

Racal is pretty much the leader in Frame Relay encryption. I believe they are at www.racal.com, but I have not been there in a while.

Good luck!

Jason

David Newman on 02/09/2000 01:59:10 PM
Please respond to David Newman
To: VPN at SECURITYFOCUS.COM
cc:
Subject: Re: layer-2 crypto hardware

Celotek makes L2 crypto boxes for links up to OC-12 (622 Mbit/s). The catch is that these boxes work *only* on ATM networks.

Cylink makes protocol-independent L2 crypto boxes, but AFAIK the maximum rate supported is E1 (2.048 Mbit/s).

www.celotek.com
www.cylink.com/products/widevpn/link/link.htm

dn

> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Peter
> D'Arco
> Sent: Tuesday, February 08, 2000 4:21 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: layer-2 crypto hardware
>
>
> Howdy,
>
> Not exactly a VPN question, but I am currently searching
> for a transparent layer-2 crypto device; ideally it would
> scramble FE frames just enough to secure the data but still
> allow the packet to be switched at layer 2. I've heard the
> military has devices similar to this, but I haven't been able to
> find any commercially available.
> I am aware of all the Layer 3
> and up options, but this has to essentially function like a
> bridge with performance close to 100mbs. Any suggestions?
>
>
> Thanks,
>
> Peter D'Arco


From theresa at TI.COM Thu Feb 10 11:15:09 2000
From: theresa at TI.COM (Brown, Theresa)
Date: Thu, 10 Feb 2000 10:15:09 -0600
Subject: NAT and VPN
Message-ID: <3C369333FC7BD21193A60000F8FE891F0B0404DB@dlee02.itg.ti.com>

We are piloting an IPSEC solution and have had issues with users that are using NAT on their home networks. Does anyone know if it is possible to use Network Address Translation over any of the tunneling protocols - IPSEC, L2F, PPTP, or L2TP? Are there any known workarounds to make NAT work with IPSEC?

Regards,

Theresa Brown
Dial Services
972-575-5452
theresa at ti.com


From m.heesbeen at CMG.NL Thu Feb 10 07:55:40 2000
From: m.heesbeen at CMG.NL (Miranda Heesbeen)
Date: Thu, 10 Feb 2000 13:55:40 +0100
Subject: VPN Products
Message-ID: <3DE1DF234B51D211A70600104BB3F6DA017396C9@NL-ROT-MAIL01>

Hi everyone,

I'm doing a school project about VPN and I'm looking for products for VPN. Does someone know who offers the "best" products and also most complete (suite)?
Thanks,

Miranda Heesbeen


From markus at HOFMAR.DE Thu Feb 10 10:29:55 2000
From: markus at HOFMAR.DE (Markus Hofmann)
Date: Thu, 10 Feb 2000 16:29:55 +0100
Subject: Performance investigation
Message-ID:

Hello!

I'm looking for some investigation about VPN performance:
- different products with SW/HW implementation (in correlation with CPU speed) and the influence on bandwidth and especially latency.
- The influence of lower MTU (due to more overhead) or higher latency values on network windowing mechanisms (like TCP uses a windowing mechanism).

Does anyone know where to find such an investigation? Please do not send advertisement about VPN products, that they'll support up to xyz mbit/s - I'm looking for a little bit more detailed data...

yours sincerely

M. Hofmann

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Markus Hofmann          Phone: +49 170 2848250
St. Urbanusstr. 15      Fax: +49 9371 2032
                        E-Mail: hofmann at hofmar.de
63927 Buergstadt        SMS-Mail: sms at hofmar.de (Only Subject)
Germany                 PGP-Keys: look at http://www.hofmar.de
---------------------------------------------------------------------
Only written with 100% recyclable electrons!


From secure at SECUREAUSTIN.COM Thu Feb 10 12:16:29 2000
From: secure at SECUREAUSTIN.COM (H D Moore)
Date: Thu, 10 Feb 2000 11:16:29 -0600
Subject: NAT and VPN
References: <3C369333FC7BD21193A60000F8FE891F0B0404DB@dlee02.itg.ti.com>
Message-ID: <38A2F26D.8CA826B0@secureaustin.com>

Hi,

I am currently using Linux S/WAN IPSEC (www.freeswan.org) to link together two private networks across the internet. Each of the private networks sits behind a masquerading (NAT) firewall and everything has been working perfectly. If you want to know the technical details, let me know...

-HD

> "Brown, Theresa" wrote:
>
> We are piloting an IPSEC solution and have had issues with users that
> are using NAT on their home networks.
> Does anyone know if it is
> possible to use Network Address Translation over any of the tunneling
> protocols - IPSEC, L2F, PPTP, or L2TP? Are there any known
> workarounds to make NAT work with IPSEC?
>
> Regards,
>
> Theresa Brown
> Dial Services
> 972-575-5452
> theresa at ti.com


From adamz at ECONET.COM Thu Feb 10 12:33:47 2000
From: adamz at ECONET.COM (Adam P. Zimmerer)
Date: Thu, 10 Feb 2000 11:33:47 -0600
Subject: NAT and VPN
In-Reply-To: <3C369333FC7BD21193A60000F8FE891F0B0404DB@dlee02.itg.ti.com>
Message-ID:

I have IPSec VPN Client software (SonicWALL) running on my laptop. I can VPN just fine into my client's networks via my laptop which, while at my home office, accesses the Internet via my LAN & DSL connection through a Firewall/Router that is performing NAT for a single public IP.

Sincerely,

Adam P. Zimmerer
Economic Networks

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Brown, Theresa
Sent: Thursday, February 10, 2000 10:15 AM
To: VPN at SECURITYFOCUS.COM
Subject: NAT and VPN

We are piloting an IPSEC solution and have had issues with users that are using NAT on their home networks. Does anyone know if it is possible to use Network Address Translation over any of the tunneling protocols - IPSEC, L2F, PPTP, or L2TP? Are there any known workarounds to make NAT work with IPSEC?

Regards,

Theresa Brown
Dial Services
972-575-5452
theresa at ti.com


From dnewman at NETWORKTEST.COM Thu Feb 10 12:46:21 2000
From: dnewman at NETWORKTEST.COM (David Newman)
Date: Thu, 10 Feb 2000 12:46:21 -0500
Subject: Performance investigation
In-Reply-To:
Message-ID:

Here are links to a couple of performance comparisons.
Vendors are now claiming higher rates; as noted in these links, it is a good practice to grill vendors on exactly what they did to achieve the rates they claim (what packet size, what kind of encryption, what type of compression, how many concurrent connections, and so on).

http://www.data.com/lab_tests/first.html
http://www.data.com/lab_tests/vpn.html

Hope this helps.

Regards,
David Newman
Network Test

> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Markus
> Hofmann
> Sent: Thursday, February 10, 2000 10:30 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: Performance investigation
>
>
> Hello!
>
> I'm looking for some investigation about VPN performance:
> - different products with SW/HW implementation (in correlation with
> CPU speed) and the influence on bandwidth and especially latency.
> - The influence of lower MTU (due to more overhead) or higher latency
> values on network windowing mechanisms (like TCP uses a windowing
> mechanism).
>
> Does anyone know where to find such an investigation?
> Please do not send advertisement about VPN products, that they'll support
> up to xyz mbit/s - I'm looking for a little bit more detailed
> data...
>
> yours sincerely
>
> M. Hofmann
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Markus Hofmann          Phone: +49 170 2848250
> St. Urbanusstr. 15      Fax: +49 9371 2032
>                         E-Mail: hofmann at hofmar.de
> 63927 Buergstadt        SMS-Mail: sms at hofmar.de (Only Subject)
> Germany                 PGP-Keys: look at http://www.hofmar.de
> ---------------------------------------------------------------------
> Only written with 100% recyclable electrons!
From amy_hollister at GLOBALCROSSING.COM Thu Feb 10 12:23:15 2000
From: amy_hollister at GLOBALCROSSING.COM (AMY HOLLISTER)
Date: Thu, 10 Feb 2000 12:23:15 -0500
Subject: VPN Products
References: <3DE1DF234B51D211A70600104BB3F6DA017396C9@NL-ROT-MAIL01>
Message-ID: <38A2F403.A06BB2FD@globalcrossing.com>

Here are some that I know of

* Checkpoint
* Network Associates
* VPNet
* Cocentric Networks
* Raptor
* Cisco

Then you also have all of the Telecom/Data Carriers

* UUnet
* GTE
* PSInet
* Sprint
* AT&T

Miranda Heesbeen wrote:
> Hi everyone,
>
> I'm doing a school project about VPN and I'm looking for products for VPN.
> Does someone know who offers the "best" products and also most complete
> (suite)?
>
> Thanks,
>
> Miranda Heesbeen


From steve_j_kuo at EMAIL.MOBIL.COM Thu Feb 10 13:00:17 2000
From: steve_j_kuo at EMAIL.MOBIL.COM (Steve J Kuo)
Date: Thu, 10 Feb 2000 12:00:17 -0600
Subject: VPN log reporting
Message-ID: <86256881.006358DF.00@xdallng1.dal.mobil.com>

Are there any commercial products that produce reports using VPN logs from Shiva or Cisco?
Steve


From joseph at E-PRIME.COM Thu Feb 10 13:02:06 2000
From: joseph at E-PRIME.COM (Joseph Williams)
Date: Thu, 10 Feb 2000 11:02:06 -0700
Subject: VPN in the firewall
References: <85256881.00584138.00@intlnamsmtp20.us.pw.com>
Message-ID: <001801bf73f0$f2dd2df0$8869e1cf@home>

I attended a Cisco product briefing recently and at one point a discussion ensued about basic VPN architecture, to wit:

* Is it preferable to have a stand-alone VPN product?
* If so, is it in-line in front of the Firewall or behind it and why?
* If not, can one exploit the VPN to punch through the FW?

Chaos and confusion reigned in the room and the poor lad from Cisco also seemed bewildered by it all. I'm certainly not a VPN wizard (or I wouldn't be attending product briefings) but I would like to understand the architectural dynamics. Any insights would be greatly appreciated. I went and tried to read some of the product literature but, well, frankly, they often read like man pages.

Thanks,
Joseph Williams
e-prime.com


From sdurette at TIMESTEP.COM Thu Feb 10 13:12:59 2000
From: sdurette at TIMESTEP.COM (Stephane Durette)
Date: Thu, 10 Feb 2000 13:12:59 -0500
Subject: VPN Products
Message-ID: <319A1C5F94C8D11192DE00805FBBADDF011A223B@exchange>

Miranda,

The best and most complete VPN on the market ??!!??!!

This answer is impossible to get right. Your best bet is to accumulate all the info on different vendors and make a comparison on your own. Most of the products out from vendors are in their third generation and are fairly comparable.

Amy listed some vendors and to that list you can add Nortel, TimeStep and also take a look at www.icsa.net which will give you a run down of the different vendors doing IPSEC VPN or proprietary VPN.

Cheers
Steph

---------------------------------------------------------------------
Stephane Y Durette - Applications Engineer, TimeStep Corp.
(613) 599-3610 x:4682 Voice    (613) 599-9560 - FAX
mailto:sdurette at timestep.com    http://www.timestep.com
---------------------------------------------------------------------
"Two possibilities exist: either we are alone in the universe or we are not. Both are equally terrifying." Arthur C. Clarke
---------------------------------------------------------------------

From secure at SECUREAUSTIN.COM Thu Feb 10 13:26:04 2000
From: secure at SECUREAUSTIN.COM (H D Moore)
Date: Thu, 10 Feb 2000 12:26:04 -0600
Subject: NAT and VPN
References: <3C369333FC7BD21193A60000F8FE891F0B0404DB@dlee02.itg.ti.com> <3.0.3.32.20000210125809.00719b88@pop.starpower.net>
Message-ID: <38A302BC.5BA58291@secureaustin.com>

Deb Cameron wrote:
>
> Dear HD,
>
> I would like to know more about the configuration because it is often said
> that IPSEC plain won't work with NAT. Obviously, that's not the case.

FreeS/WAN works well with NAT as long as you install the IPSEC gateway on the actual masquerading server.

> Also, do you have any feelings on firewall placement and VPNs? Maybe I
> should mail this question to the entire list. It seems to me that if you
> tunnel (by definition encrypted) VPN traffic through a firewall, this is a
> major security risk. The FAQ seems to leave the options wide open in this
> regard.
> Any information (or opinions) you have about how VPNs should relate
> to firewalls in terms of a secure topology would be appreciated. Your own
> network sounds as if it is designed in the way I would consider "right."
> I'm just having trouble figuring out if the other ways are as blatantly
> insecure as they seem to me.

Ascii Diagram Time ;)

       _
      |A|
       -
       |
      (X)
       |
   %%%   %%%
    -- Internet
       %%%
       |
      (Y)
       |
       _
      |B|
       -

A = Office A's internal network using IANA private addresses (10.0.1.X)
X = NAT gateway and FreeS/WAN IPSEC gateway for Office A
B = Office B's internal network using IANA private addresses (10.0.2.X)
Y = NAT gateway and FreeS/WAN IPSEC gateway for Office B

Each security gateway only needs to allow port 500 UDP (IKE Key Negotiation) from one gateway to another. The firewall rules (ipchains) only allow traffic from the other internal network on the VPN virtual interface. Each private network thinks the other is two hops away and each uses their own NAT gateway for internet access.

With a bit of mucking around, we could route one network's internet traffic over the VPN and out the other end's NAT gateway, allowing even tighter firewall controls for one of the offices (and NAT would be happening OVER the VPN versus through the local gateway). We are still in the process of hammering on our firewall rules and the FreeS/WAN code to make sure that everything is set up as secure as it can be.

Of course all of this goes to hell if someone sets up a reverse tunnel from the inside...

-HD

From ssedam at ICI.NET Thu Feb 10 13:38:54 2000
From: ssedam at ICI.NET (Scott Sedam)
Date: Thu, 10 Feb 2000 13:38:54 -0500
Subject: VPN Products
References: <3DE1DF234B51D211A70600104BB3F6DA017396C9@NL-ROT-MAIL01> <38A2F403.A06BB2FD@globalcrossing.com>
Message-ID: <007501bf73f6$27dff140$720aa8c0@adnet>

Don't forget the Contivity by Nortel. It runs clean, has an easy install, user friendly client, and is reliable.
I have around 10 of these at customer locations and they are all running great.

I have not had very good luck with the Cisco client (IRE) to PIX VPN. The client is not user friendly and there are reliability issues with the connection. The newest version of PIX software 5.0.3 fixes a lot of the original issues (i.e. Network Neighborhood problems) as did the use of the IRE client 1.0A. This solution is still not fully cooked. Be careful!!

--Scott

From adamz at ECONET.COM Thu Feb 10 13:36:27 2000
From: adamz at ECONET.COM (Adam P. Zimmerer)
Date: Thu, 10 Feb 2000 12:36:27 -0600
Subject: VPN Products
In-Reply-To: <319A1C5F94C8D11192DE00805FBBADDF011A223B@exchange>

Another to add is the SonicWALL. It is a very reliable and easy to configure ICSA certified Stateful Packet Inspection Firewall/IPSec VPN device.

Sincerely,
Adam P. Zimmerer
Economic Networks
From DARNELL.WALKER at EMAIL.SWMED.EDU Thu Feb 10 13:51:07 2000
From: DARNELL.WALKER at EMAIL.SWMED.EDU (Darnell Walker)
Date: Thu, 10 Feb 2000 12:51:07 -0600
Subject: VPN Products

Compatible Systems, who was recently purchased by Cisco, provides a good product including the Macintosh platform (if that's of any interest).

From Peter.D'Arco at ANIXTER.COM Thu Feb 10 14:05:33 2000
From: Peter.D'Arco at ANIXTER.COM (Peter D'Arco)
Date: Thu, 10 Feb 2000 14:05:33 -0500
Subject: layer-2 crypto hardware
Message-ID: <"000210190144Z.WT27446. 2*/PN=Peter.D'Arco/O=NOTES/PRMD=ANIXTER/ADMD=ATTMAIL/C=US/"@MHS>

I've gotten a lot of good responses to my post, thanks to everyone who helped out. As of yet I have not found a layer-2 fast ethernet encryptor. I did identify Cylink's NetHawk product as the closest match; it uses some arp magic to be transparent to IP and boasts throughput of around 100Mbs. If anyone does know of a layer-2 fast ethernet encryptor I would still love to hear from you.

To summarize the responses I've gotten, there are a lot of companies that make layer-1/2 crypto for Frame Relay, ATM, leased line, and low speed ethernet, to various degrees. If you're ever in a similar position I'd check out
Cylink, Celotek, or Racal; they all have some nice niche products (and obvious domain names if you're looking for them).

Thanks again,
Peter D'Arco, MCSE+I CCNP CCDP

From andrew.wightman at GARTNER.COM Thu Feb 10 14:09:06 2000
From: andrew.wightman at GARTNER.COM (Wightman,Andrew)
Date: Thu, 10 Feb 2000 14:09:06 -0500
Subject: VPN Products

So here is a question for you all about Nortel Contivity - Is anyone out there willing to share information on their implementation of the Contivity w/ PPTP for remote access solutions? Our company is currently involved in this implementation and we are having some cross vendor difficulties. I do not agree with using PPTP, however, it is the requirement and we must find the solution.

An additional question would be how many problems, if any, has anyone had with IPSec clients? Especially with Nortel's client?

Thanks for your input!

Andrew

NOTE: Watch out for the Contivity - by default it allows for non-encrypted sessions to be established with PPTP - be sure to turn this off!
From dgillett at NIKU.COM Thu Feb 10 14:23:20 2000
From: dgillett at NIKU.COM (David Gillett)
Date: Thu, 10 Feb 2000 11:23:20 -0800
Subject: VPN in the firewall
In-Reply-To: <001801bf73f0$f2dd2df0$8869e1cf@home>
Message-ID: <000c01bf73fc$4acbb440$f30410ac@niku.com>

The basic choice is between security (packets arriving via the VPN tunnel must pass the firewall) and functionality (VPN provides the illusion that the remote site/host is directly on the trusted network).

There's a third possibility (for VPNs that aren't built into the firewall) that you haven't listed: in parallel with the firewall. (Actually, putting the external interface of the VPN in the DMZ is better, but may not work for everyone.) This involves opting for functionality, and regarding the remote site/host as being within your security perimeter. You may want to take additional steps to secure remote hosts in order to live with this.

There's a fourth possibility, too: A VPN box and a NAT box, in parallel, outside a transparent-mode firewall. [The NetScreen devices implement this -- if the external and internal interfaces are on the same subnet, the firewall acts like a bridge rather than a router.]

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702

From jfranco at MUNDO-R.NET Thu Feb 10 14:58:18 2000
From: jfranco at MUNDO-R.NET (Franco Sabaris, Javier)
Date: Thu, 10 Feb 2000 20:58:18 +0100
Subject: Nortel Contivity cost
Message-ID: <77A1E4F21F59D211862600805F650FD85130BE@COR0000S001>

Hi!

Can anybody tell me how much does the Nortel Contivity cost? More or less, the lowest-end solution (Contivity 1500 ?)...

Xavier Franco

From cliff at WRKCS.COM Thu Feb 10 15:52:06 2000
From: cliff at WRKCS.COM (Cliff Friedel)
Date: Thu, 10 Feb 2000 15:52:06 -0500
Subject: redirecting a port in cisco 1604 using NAT

Hi all. Realize that this is a little off topic, but since there are a fair number of cisco admins on the list I figured I would ask. I was wondering if there was a way to redirect a port on the BRI interface of a 1604, to a machine on a private network. I am running NAT for the outbound traffic if that is a concern.
The reason I want to do this is so I can allow telnet traffic into a machine while still keeping the machine behind NAT. If you can guide me to a resource (I have looked on cisco's site to no avail) it would be greatly appreciated. Thanks.

Cliff Friedel

From Fred.Golder at CENDANT.COM Thu Feb 10 16:29:44 2000
From: Fred.Golder at CENDANT.COM (Golder, Fred)
Date: Thu, 10 Feb 2000 16:29:44 -0500
Subject: VPN Products

Nortel's client has been easy all around so far. No problems. I have only tried TimeStep's client before that and it was a nightmare comparatively. The only down side to Nortel's client is that it only supports win95/98 and WinNT. No linux, Mac, Solaris, OpenBSD. Our techies were very disappointed.

As far as IPSEC goes, you need the vendor's client to connect to a vendor's device. You can preconfigure the client and set up the client to prevent setting tampering by the end user, which is a nice touch in a large scale deployment. I heard that the IETF was attempting to create a standard for client interaction. Has anybody else heard about this?

PPTP we didn't even bother with, so I can't offer any experience.

Another IPSEC issue to be aware of is WINDOWS 2000. Good old Microsoft has struck again and decided to implement IPSEC as SLOW as possible and in a way NOBODY else has. The MS version of IPSEC uses L2F and also adds about 10-15% more overhead. So maybe PPTP wasn't entirely a bad choice if you ignore the security concerns.

-Fred Golder
From andrew.wightman at GARTNER.COM Thu Feb 10 16:42:35 2000
From: andrew.wightman at GARTNER.COM (Wightman,Andrew)
Date: Thu, 10 Feb 2000 16:42:35 -0500
Subject: VPN Products

Our problems with PPTP and the Contivity come when you start to look at authentication between the Contivity and a RADIUS server. Most vendors of RADIUS systems (from what I have found) do not implement MS-CHAP (required for PPTP) w/ the MPPE attribute (required for the encryption key hash). Cisco supports MS-CHAP w/ their Secure ACS - but not with the MPPE attributes. Funk supports MS-CHAP w/ MPPE - we are looking at this now, but there is a known problem with the Contivity and Funk RADIUS w/ 128-bit PPTP.

So my suggestion was to use IPSec, but it was turned down due to reported issues with IPSec clients causing problems with hardware because of their NDIS layer install.

Anyone care to comment?

Andrew
From carlsonmail at YAHOO.COM Thu Feb 10 19:35:25 2000
From: carlsonmail at YAHOO.COM (Chris Carlson)
Date: Thu, 10 Feb 2000 16:35:25 -0800
Subject: Nortel Contivity cost
Message-ID: <20000211003525.2427.qmail@web123.yahoomail.com>

Heh, I just bought some last month... Check with your reseller as prices may vary. In the U.S., the Nortel price list has:

Contivity 1500   $7,000 list
Contivity 2500   $20,000 list
Contivity 4500   $50,000 list

Client software is *free*. (Most VPN vendors charge $50-150 per user).

Hope this helps.

Chris
From matthewr at MORETON.COM.AU Thu Feb 10 19:43:18 2000
From: matthewr at MORETON.COM.AU (Matthew Ramsay)
Date: Fri, 11 Feb 2000 10:43:18 +1000
Subject: VPN Products
References: <3DE1DF234B51D211A70600104BB3F6DA017396C9@NL-ROT-MAIL01>
Message-ID: <0002111045060K.28862@gibberling>

PoPToP is a free PPTP VPN solution that is ready now and can be patched to include MSCHAPv2 and RC4 compatible 40-128 bit encryption. You don't have to worry about client software as windows machines have VPN client software by default (well.. 98, NT and 2000 at least.. patches for 95 exist).

PoPToP: http://www.moretonbay.com/vpn/pptp.html

Hope that helps!

Cheers,
Matt.

From SDE at ARINC.COM Thu Feb 10 16:43:52 2000
From: SDE at ARINC.COM (De, Santanu* (SDE))
Date: Thu, 10 Feb 2000 16:43:52 -0500
Subject: VPN and IPSec
Message-ID: <09328AED5429D311A3000008C7911B1002C8FCF2@exanpmb1.arinc.com>

Hi,

I have been subscribing to this email mailing list for quite a while now. I am really interested in the VPN stuff, though I'd admit I have never laid a hand on any of the related products. I work in networking stuff.. ISO-OSI standard, HDLC and all.. though I was never in the TCP/IP suite of protocols. Nevertheless, I never miss any article or interesting white paper that I come across.

I understand that IPSec is a pretty new technology, around for a couple of years or less. I was told that IPSec is implemented in Win2K. Some of the routers have also come with IPSec implemented. May I know what is a VPN client after all? I understand that routers that are IPSec enabled give the network administrators the privilege to decide which packets are to be tunneled and which not to be.
I presume VPN clients are software which gives the user this privilege to decide. Am I right? Could one elaborate how these VPN clients work after all? I also want to know how IPSec or other newer protocols are implemented in systems where the OS is not IPSec enabled as such. Could one tell me how the BITS and BITW implementations are done? Could I have access to some open source code for my interests?

Regards,
Santanu.

From tbird at PRECISION-GUESSWORK.COM Fri Feb 11 14:29:26 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Fri, 11 Feb 2000 13:29:26 -0600
Subject: More than one VPN-Connection from a gateway (fwd)

---------- Forwarded message ----------
Date: Thu, 10 Feb 2000 23:26:47 -0500 (EST)
From: Henry Spencer
To: klaus.gross at web2cad.de
Cc: ipsec at lists.tislabs.com
Subject: Re: More than one VPN-Connection from a gateway

On Thu, 10 Feb 2000 klaus.gross at web2cad.de wrote:
> I'm new in configuring a VPN and I
> have the following question...

You probably want to ask this question on a different mailing list, one specific to the particular software involved. This list is for technical discussion of the protocols themselves. (From some of the technical details you mention, you're almost certainly using Linux FreeS/WAN. See the documentation for the location, and details of how to join, the linux-ipsec mailing list.)

Henry Spencer
henry at spsystems.net

From misha at INSYNC.NET Thu Feb 10 19:28:11 2000
From: misha at INSYNC.NET (Misha)
Date: Thu, 10 Feb 2000 18:28:11 -0600
Subject: Nortel Contivity cost
In-Reply-To: <77A1E4F21F59D211862600805F650FD85130BE@COR0000S001>

$7000 list. The 2500 is quite a bit more.

On Thu, 10 Feb 2000, Franco Sabaris, Javier wrote:
> Can anybody tell me how much does the Nortel Contivity cost? More or less,
> the lowest-end solution (Contivity 1500 ?)...
> Xavier Franco

From misha at INSYNC.NET Thu Feb 10 19:29:37 2000
From: misha at INSYNC.NET (Misha)
Date: Thu, 10 Feb 2000 18:29:37 -0600
Subject: Using Cisco 1601R as a VPN box
In-Reply-To: <013e01bf7372$0e59dee0$1b04a8c0@tbdnetworks.com>

I believe we had to bring it up to more than 12 to get it to work right. That was about a year ago, so they have worked out the memory issues. It will do about 128k at 56bits if I remember correctly.

Misha

On Wed, 9 Feb 2000, Rob Ang wrote:
> Hi everyone,
>
> I'm trying to find out what IOS I need to load on my Cisco1601R to be able to do IPSEC. I looked on Cisco's site but see that the minimum requirement is 12MB for most of the different IOS although the 1601R comes with 8MB standard. Is there IOS software that supports IOS with just an 8MB minimum? Anyone have experience with this?
>
> thanks!
> Rob

From matt at NEUROTRAIN.COM Thu Feb 10 17:18:21 2000
From: matt at NEUROTRAIN.COM (Matthew Harding)
Date: Thu, 10 Feb 2000 17:18:21 -0500
Subject: VPN in the firewall
References: <85256881.00584138.00@intlnamsmtp20.us.pw.com> <001801bf73f0$f2dd2df0$8869e1cf@home>
Message-ID: <38A3392D.8E06CF64@neurotrain.com>

Well,

Joseph Williams wrote:
>
> I attended a Cisco product briefing recently and at one point a discussion
> ensued about basic VPN architecture, to wit:
>
> * Is it preferable to have a stand-alone VPN product?
> * If so, is it in-line in front of the Firewall or behind it and why?
> * If not, can one exploit the VPN to punch through the FW?
--
Matthew Harding, Director
NeuroTrain ATS Inc.
Tel: 1-877-58-NEURO (613-824-6397)
Fax: 613-841-2158
matt at neurotrain.com

From misha at INSYNC.NET Thu Feb 10 20:38:51 2000
From: misha at INSYNC.NET (Misha)
Date: Thu, 10 Feb 2000 19:38:51 -0600
Subject: VPN in the firewall
In-Reply-To: <001801bf73f0$f2dd2df0$8869e1cf@home>

> * Is it preferable to have a stand-alone VPN product?

Personally I think so, but it's also more expensive to deploy. I am partial to dedicated VPN boxes though.

> * If so, is it in-line in front of the Firewall or behind it and why?

I would consider two methods:
1) Parallel to the firewall with the clean side of the VPN on the inside interface. Not the most secure thing in the world, but by far the easiest to manage.
2) Parallel to the firewall with the clean side on a separate interface of the firewall. This would allow you to build ACLs to the inside.

> * If not, can one exploit the VPN to punch through the FW?

I would say no, though I get this question often. I would test your implementation to be sure of this, but the VPN box should drop all non-VPN traffic. It's not any worse than RAS, just another entry point that should be treated carefully. What you do want to pay attention to is whether the clients and networks being tunneled to you are protected, which is a different story all together.

> Chaos and confusion reigned in the room and the poor lad from Cisco
> also seemed bewildered by it all.

Ahh yes. Cisco is in real trouble as far as VPNs go right now. The IRE client is completely wacky, cannot do any authentication other than pre-shared secret or x.509 certificates, and is quite a chore to roll out to clients.
There are a lot of NAT issues to work out, and the resolution for them is plain nasty. There are no good VPN management tools. PKI implementation barely works. I have not seen a Cisco tech who can help us with any of our problems. We have had a case opened with TAC for two weeks, and don't even get notifications on it any more. The sales person was nice enough to offer to help, but apparently was scared off by the volume of problems we have been seeing that apparently have no resolution.

To add to that, they just bought out Altiga and Compatible, so I am hearing that Cisco reps are pushing anything from existing gear that may be phased out, to Altiga gear that may be phased out. No hard answers on which way they are going to go yet. It's the Red Creek fiasco all over again.

Misha

From nate_21 at HOTMAIL.COM Fri Feb 11 10:25:01 2000
From: nate_21 at HOTMAIL.COM (Nate C)
Date: Fri, 11 Feb 2000 07:25:01 PST
Subject: VPN Products
Message-ID: <20000211152501.52441.qmail@hotmail.com>

Miranda,

Here's a link that you might find useful in your project. It is the VPN Consortium's link and has a little rundown on different products with a fancy little comparison chart showing characteristics and features of each product. Obviously there are the Nortel and Checkpoint solutions which are pretty popular. A couple others you may want to look at are Altiga and Compatible Systems which were both just bought by Cisco a couple weeks ago.

http://www.vpnc.org/

The chart is located in the features section and there are a bunch of links to the different members of the consortium - who are really the players in the VPN market anyway.

All the best on the project!
Best regards,

Nate Cote
Northeast Regional Network Account Manager
Great Lakes Computer
877-884-5263

From jratford at CTRSEC.COM Fri Feb 11 00:45:16 2000
From: jratford at CTRSEC.COM (Jay Ratford)
Date: Thu, 10 Feb 2000 21:45:16 -0800
Subject: Netscreen proc_auth gw-gw problem
Message-ID: <200002100542.VAA00550@ctrsec.com>

An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20000210/1dc18a5b/attachment.htm

From vpnsup at CTRSEC.COM Thu Feb 10 00:46:20 2000
From: vpnsup at CTRSEC.COM (Jay Ratford)
Date: Wed, 9 Feb 2000 21:46:20 -0800
Subject: Netscreen 100 gw-gw IKE Problem
Message-ID:

I'm having a problem with IPSec communication between 2 NetScreen 100 boxes (latest firmware). They are set up for identical configurations (as far as authentication for IKE, etc...) and I'm sure I have everything right; we've set up many boxes before. Each trusted interface has a nonroutable 10 network. It seems this situation happens only on these 2 boxes.

The error message on the NetScreen console when a packet is sent from a host on the private network to the other network it's supposed to talk encrypted to is as follows:

Error state mark E20 : has no proc_auth

I believe this is during IKE negotiation - does anyone have an idea of this error message? I cannot seem to find a summary of errors on NetScreen's support site.

From dana at INTERPRISE.COM Fri Feb 11 13:05:41 2000
From: dana at INTERPRISE.COM (Dana J. Dawson)
Date: Fri, 11 Feb 2000 12:05:41 -0600
Subject: redirecting a port in cisco 1604 using NAT
References:
Message-ID: <38A44F75.FC8F4C3C@interprise.com>

Cliff Friedel wrote:
>
> Hi all. Realize that this is a little off topic, but since there are a
> fair number of cisco admins on the list I figured I would ask.
> I was wondering if there was a way to redirect a port on the BRI interface of
> a 1604, to a machine on a private network. I am running NAT for the
> outbound traffic if that is a concern. The reason I want to do this is so
> I can allow telnet traffic into a machine while still keeping the machine
> behind NAT. If you can guide me to a resource (I have looked on cisco's
> site to no avail) it would be greatly appreciated. Thanks.
>
> Cliff Friedel

Try this command:

   ip nat inside source static tcp 10.1.1.1 23 A.B.C.D 23

where "10.1.1.1" is the private address of the host you want to allow telnet access to (this is a dangerous thing, by the way), and "A.B.C.D" is the registered address being routed to your 1604. Assuming you have a version of IOS with full NAT support, and that you have a permanently assigned IP address from your ISP, this should do the trick. If you're getting only a dynamic address from your ISP, then there's no syntax in IOS to do what you want to do (at least not yet). Bummer.

HTH

Dana

--
Dana J. Dawson                    dana at interprise.com
Distinguished Principal Engineer  CCIE #1937
!NTERPRISE Networking Services    (612) 664-3364
U S WEST                          (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

"Hard is where the money is."

From rdocquois at COMPAREX.FR Fri Feb 11 02:46:59 2000
From: rdocquois at COMPAREX.FR (Rodolphe DOCQUOIS)
Date: Fri, 11 Feb 2000 08:46:59 +0100
Subject: Algorithms and protocols
Message-ID: <38A3BE72.AAFA0EE@comparex.fr>

I'm looking for information about VPN high availability and the DSA algorithm. Do you have any information (URLs...) about these subjects?

Thanks

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rdocquois.vcf
Type: text/x-vcard
Size: 324 bytes
Desc: Card for Rodolphe DOCQUOIS
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20000211/8a661c13/attachment.vcf

From tdechant at FIRSTAM.COM Fri Feb 11 11:49:08 2000
From: tdechant at FIRSTAM.COM (Dechant, Troy)
Date: Fri, 11 Feb 2000 10:49:08 -0600
Subject: Nortel Contivity cost
Message-ID: <26096C3989CCD3119A910008C7F45A0F09FB39@fada1sxc03.firstam-reis.com>

The list price on the lowest product in the Contivity line (Contivity Extranet Switch 1500, 300MHz Celeron, Dual 10/100 Ports, 128-Bit Encryption, Unlimited License for IPSec Client Software) is $7,000. You can typically swing a 15% to 28% discount with your reseller (depending on volume). If you need the Netscape Directory server added on top (for CA/LDAP functionality), it increases the list price to $8,800.

Troy Dechant
Sr. Technical Specialist
Network Design
First American Real Estate Information Services, Inc.
tdechant at firstam.com
t.214.879.5079, f.214.879.4822

> -----Original Message-----
> From: Franco Sabaris, Javier [SMTP:jfranco at MUNDO-R.NET]
> Sent: Thursday, February 10, 2000 1:58 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Nortel Contivity cost
>
> Hi!
>
> Can anybody tell me how much the Nortel Contivity costs? More or less,
> the lowest-end solution (Contivity 1500 ?)...
>
> Xavier Franco

From MLittle at BHSI.COM Fri Feb 11 14:49:55 2000
From: MLittle at BHSI.COM (Little, Mike (BHS))
Date: Fri, 11 Feb 2000 14:49:55 -0500
Subject: NT RAS \ PPTP question.
Message-ID: <00Feb11.144955est.115204@pcbhi266.bhsi.com>

All,

I'm needing some clarification on proxied PPTP and NT RAS, and I'm hoping you can help. I have a site that has 10 users on their network that need to tunnel into ours. They have a WebRamp 410i and we have a Nortel CES 2000, and the clients want to use MS PPTP.
The 410i supports PPTP pass-through (it doesn't do branch-to-branch), and I can get the first tunnel established. However, no one else can tunnel in until the first connection drops, and so on, allowing a single tunnel at a time. The 410i documentation refers to using the MS NT RAS for the destination network, so it appears that MS NT can handle multiple proxied PPTP connections. Would someone please explain to me how this is accomplished? I just don't understand how MS's NT Server can allow this when our CES 2000 doesn't, and I'd like to provide a more educated explanation on the matter if possible.

Thanks, in advance, for your help.

Mike Little
Network Services
Baptist Healthcare System
Louisville, KY.

From kemp at INDUSRIVER.COM Fri Feb 11 15:27:19 2000
From: kemp at INDUSRIVER.COM (Brad Kemp)
Date: Fri, 11 Feb 2000 15:27:19 -0500
Subject: VPN Products
In-Reply-To:
Message-ID: <3.0.3.32.20000211152719.033648f0@pop3.indusriver.com>

The problem with 128 bit encryption is that Microsoft was very fuzzy on what to hand back as the key value. By reading the spec, you could hand back the unhashed key value or the hashed value. The Microsoft Radius server does it one way and Funk did it the other way. Funk has fixed the problem and I believe it is in the current release. I seem to remember that Shiva interpreted the spec the same way Funk did, but I am not sure.

Brad

At 04:42 PM 2/10/00 -0500, Wightman,Andrew wrote:
>Our problems with PPTP and the Contivity come when you start to look at
>authentication between the Contivity and a RADIUS server. Most vendors of
>RADIUS systems (from what I have found) do not implement MS-CHAP (required
>for PPTP) w/ the MPPE attribute (required for the encryption key hash).
>Cisco supports MS-CHAP w/ their Secure ACS - but not with the MPPE
>attributes. Funk supports MS-CHAP w/ MPPE - we are looking at this now, but
>there is a known problem with the Contivity and Funk RADIUS w/ 128-bit PPTP.
>So my suggestion was to use IPSec, but it was turned down due to
>reported issues with IPSec clients causing problems with hardware because of
>their NDIS layer install.
>
>Anyone care to comment?
>
>
>Andrew

--
Brad Kemp                      Indus River Networks, Inc.
BradKemp at indusriver.com      31 Nagog Park
978-266-8122                   Acton, MA 01720
fax 978-266-8111

From Noah_Salzman at NAI.COM Fri Feb 11 18:09:31 2000
From: Noah_Salzman at NAI.COM (Salzman, Noah)
Date: Fri, 11 Feb 2000 15:09:31 -0800
Subject: VPN and IPSec
Message-ID: <0DA2A15FEE96D31187AA009027AA6A729CFC50@ca-exchange1.nai.com>

Hello Santanu,

In regards to the source code question:

You can download the FULL source code to PGP 6.5.1 from http://www.pgpi.com (a site that is not truly affiliated with PGP Security Inc, but is the current de facto location to acquire the source). The exact link to the PGP 6.5.1 source is:

http://www.pgpi.org/cgi/download.cgi?filename=pgp651i-win-src.zip

PGP 6.5.1 is many things, but the PGPnet component in it is a full fledged IPsec client for Windows 95, 98, NT4 and Mac OS. The current version of the shipping product is 6.5.3 and if you actually want to use PGP on a regular basis you should use 6.5.3. (Please note that the source to 6.5.3 has not been published at this date.)

In regards to the general question about VPN clients:

The most common use of a VPN client on a desktop or portable PC is to establish a secure connection -- through a generic ISP -- to a secure server, firewall, or gateway. Some VPN clients -- such as PGP 6.5.x -- allow you to establish peer-to-peer IPsec connections between any two PCs... but by far the former example is the primary use of this technology.
Noah Salzman
noah at pgp.com
408.346.5186

-----Original Message-----
From: De, Santanu* (SDE) [mailto:SDE at ARINC.COM]
Sent: Thursday, February 10, 2000 1:44 PM
To: VPN at SECURITYFOCUS.COM
Subject: VPN and IPSec

Hi,

I have been subscribing to this email mailing list for quite a while now. I am really interested in the VPN stuff. Though I'd admit I have never laid a hand on any of the related products. I work in networking stuff.. ISO -OSI standard- HDLC and all.. though I was never in the TCP/IP suite of protocols. Nevertheless, I never miss any article or interesting white paper that I come across.

I understand that IPSec is a pretty new technology, around for a couple of years or less. I was told that IPSec is implemented in Win2K. Some of the routers have also come with IPSec implemented. May I know what a VPN client is after all? I understand that routers that are IPSec enabled give the network administrators the privilege to decide which packets are to be tunneled and which not to be. I presume VPN clients are software which gives the user this privilege to decide. Am I right? Could one elaborate how these VPN clients work after all?

I also want to know how IPSec or other newer protocols are implemented in systems where the OS is not IPSec enabled as such. Could one tell me how the BITS and BITW implementations are done? Could I have access to some open source code for my interests?

Regards,
Santanu.

From jm at DEFCON.ORG Fri Feb 11 20:47:17 2000
From: jm at DEFCON.ORG (Jeff Moss)
Date: Fri, 11 Feb 2000 17:47:17 -0800
Subject: Black Hat Briefings USA Call for Papers and Singapore conference announcement
Message-ID: <4.3.0.40.0.20000211173957.00dcea40@165.87.194.210>

A Black Hat Briefings Announcement

I would like to announce the Call for Papers for the U.S. Black Hat Briefings and the Black Hat Briefings in Singapore!
- The Black Hat Briefings conference in Singapore (see announcement below, and on-line at http://www.blackhat.com/)

- The Call for Papers (CFP) for The Black Hat Briefings conference in the US. If you are interested in submitting a presentation please visit the CFP guidelines page at http://www.blackhat.com/html/bh-usa-00/bh-usa-00-cfp.html

- A newly redesigned web site, to include past presentations in RealMedia format as well as RealVideo of the Black Hat '99 speeches, will be on line this week. Black Hat is about spreading computer security knowledge, and I think this is a good way to do it. Due to the sheer file size of the video, it is being sampled in 1/4 screen size.

Thank you for your time.

Jeff Moss, CISSP
Organizer

------------------

Security Conference Announcement - The Black Hat Briefings Singapore

The Black Hat Briefings Asia '00
http://www.blackhat.com/
April 4 - 5th, Singapore
Marina Mandarin Hotel

The Black Hat Briefings is a conference for IT professionals and decision makers who are faced with problems of security in their computer infrastructure. For the first time, this conference will be brought to Asia after three successful years in the US. It has become one of the most important and talked about Internet security conferences in the world. Every year leaders in the security field are brought together to this conference to discuss the latest products, trends, issues, and influences in the Internet and security environment.

This year's topics include Computer Forensics Systems, Intrusion Detection, Secure Programming Techniques and Tools Selection, and legal issues. There will be about 12 speakers from the United States and two local speakers to cover the local and regional Internet issues. Different from the Black Hat Briefings in the US, the Asia briefing will in its first year feature one track of speakers with longer speaking times, to give the speakers more time to explain complex issues and give the audience more time to ask questions.
For more information please contact blackhat at defcon.org

From deb at CAMCONSULTING.COM Sun Feb 13 07:18:56 2000
From: deb at CAMCONSULTING.COM (Deb Cameron)
Date: Sun, 13 Feb 2000 07:18:56 -0500
Subject: VPN in the firewall
In-Reply-To:
References: <001801bf73f0$f2dd2df0$8869e1cf@home>
Message-ID: <3.0.3.32.20000213071856.00785f68@pop.starpower.net>

Could you elaborate on security options for this:

>What you do want to pay attention to is whether the clients and networks
>being tunneled to you are protected, which is a different story all
>together.
>

And it is a story I would like to hear. Exactly how do you achieve that?

Best wishes,

Deb Cameron
Cameron Consulting

From WRB0 at EMPRISETECH.COM Mon Feb 14 08:09:49 2000
From: WRB0 at EMPRISETECH.COM (William R. Bergman)
Date: Mon, 14 Feb 2000 08:09:49 -0500
Subject: Can't get Sonic Wall VPN client to work
Message-ID: <2956136EA5F5D111A64800A0C9824AC0317EA4@WINNT01>

Has anybody had problems (or been successful) with the SonicWall VPN client? Whenever I try connecting to the SonicWall via the client I get a 'payload malformed' error. I've gotten the same error with both the previous client and the new client posted on SonicWall's web site last week.
Here is the log of my session:

2000/02/13 18:33:45.760: AL_IKE-- Transform -- KEY_IKE
2000/02/13 18:33:45.870: AL_IKE-- Transform -- ESP_DES
2000/02/13 18:34:16.070: AL_IKE--Start Phase 1 negotiation with peer xxx.yyy.168.212
2000/02/13 18:34:16.130: AL_IKE-- DestID: xxx.yyy.168.212 PresharedKey:abcdef
2000/02/13 18:34:16.130: AL_IKE-- Protocol -- PROTO_ISAKMP
2000/02/13 18:34:16.130: AL_IKE-- Transform -- KEY_IKE
2000/02/13 18:34:16.130: AL_IKE-- Encryption -- DES_CBC
2000/02/13 18:34:16.130: AL_IKE-- Hash -- MD5_HASH
2000/02/13 18:34:16.130: AL_IKE-- MyID: 192.168.100.1
2000/02/13 18:34:16.130: AL_IKE-- Authentication -- PRESHARED_KEY
2000/02/13 18:34:16.130: AL_IKE-- LifeType -- SECONDS
2000/02/13 18:34:16.130: AL_IKE-- LifeDuration -- 86400
2000/02/13 18:34:16.130: AL_IKE-- GroupDescription -- MODP_768
2000/02/13 18:34:16.130: AL_IKE-- MainMode Exchange Selected
2000/02/13 18:34:16.130: AL_IKE-- MainMode -- initiator sent out message1
2000/02/13 18:34:27.610: AL_IKE--IKE message received from xxx.yyy.168.212
2000/02/13 18:34:27.610: AL_IKE-- MainMode -- initiator received response message1
2000/02/13 18:34:27.720: AL_IKE-- MainMode -- initiator sent out message2
2000/02/13 18:34:41.010: AL_IKE--IKE message received from xxx.yyy.168.212
2000/02/13 18:34:41.010: AL_IKE-- MainMode -- initiator received response message2
2000/02/13 18:34:41.560: AL_IKE-- MainMode -- initiator sent out message3
2000/02/13 18:34:41.610: AL_IKE--IKE message received from xxx.yyy.168.212
2000/02/13 18:34:41.610: AL_IKE-- MainMode -- initiator received response message3
2000/02/13 18:34:41.610: AL_IKE-- DestID: xxx.yyy.168.212 PresharedKey:abcdef
2000/02/13 18:34:41.610: AL_IKE--Phase 1 negotiation succeeded with xxx.yyy.168.212
2000/02/13 18:34:41.670: AL_IKE--Sending Notification INVALID_NOTIFICATION_TYPE (0x40) to peer xxx.yyy.168.212
2000/02/13 18:34:48.590: AL_IKE--Start Phase 2 negotiation with peer xxx.yyy.168.212
2000/02/13 18:34:48.590: AL_IKE-- RemoteHostID: 192.168.1.0/255.255.255.0
2000/02/13 18:34:48.590: AL_IKE-- SourceID: 192.168.100.1
2000/02/13 18:34:48.590: AL_IKE-- Protocol -- PROTO_IPSEC_ESP, Number of transforms -- 1
2000/02/13 18:34:48.590: AL_IKE-- Transform -- ESP_DES
2000/02/13 18:34:48.590: AL_IKE-- Authentication -- HMAC_MD5
2000/02/13 18:34:48.590: AL_IKE-- LifeType -- SECONDS
2000/02/13 18:34:48.590: AL_IKE-- LifeDuration -- 28800
2000/02/13 18:34:48.590: AL_IKE-- EncapsulationMode -- TUNNEL
2000/02/13 18:34:49.080: AL_IKE-- QuickMode -- initiator sent out message1
2000/02/13 18:34:49.190: AL_IKE--IKE message received from xxx.yyy.168.212
2000/02/13 18:34:49.190: AL_IKE-- QuickMode -- initiator received response message1
2000/02/13 18:34:49.190: AL_IKE-- QuickMode -- initiator sent out message2
2000/02/13 18:34:49.190: AL_IKE--Phase 2 negotiation succeeded with xxx.yyy.168.212
2000/02/13 18:35:19.350: AL_IKE--IKE message received from xxx.yyy.168.212
2000/02/13 18:35:19.350: AL_IKE--PAYLOAD_MALFORMED -- peer xxx.yyy.168.212
2000/02/13 18:35:19.350: AL_IKE--Sending Notification INVALID_NOTIFICATION_TYPE (0x1000) to peer xxx.yyy.168.212

I've been successful in setting up a LAN to LAN VPN with a Checkpoint VPN-1 (which I expected to be the hard part). It is the VPN client that I can't make work.

Any help will be greatly appreciated.

Bill

From m.heesbeen at CMG.NL Mon Feb 14 05:33:52 2000
From: m.heesbeen at CMG.NL (Miranda Heesbeen)
Date: Mon, 14 Feb 2000 11:33:52 +0100
Subject: L2F and L2TP
Message-ID: <3DE1DF234B51D211A70600104BB3F6DA017818C9@NL-ROT-MAIL01>

Hi everyone,

Does somebody know where I can find information about the two protocols for VPN? I can't find anything about it. Only information about the same options between PPTP and L2TP. But I would like to know how they both work, the protocols L2F and L2TP and what they do.
Thanks,
Miranda

From JJones at NWNETS.COM Mon Feb 14 12:46:27 2000
From: JJones at NWNETS.COM (Jeremy Jones)
Date: Mon, 14 Feb 2000 10:46:27 -0700
Subject: PPTP Overhead
Message-ID: <4128C0428F94D3118F1E00902773CED201B45C@NNSBOIS1>

Hello,

Does anyone out there have any information (or know of any links to information) about the overhead involved in MS PPTP? Using, say, 128-bit encryption, can I expect about 75% throughput compared to the physical line speed? 50%? Less?

Thanks in advance,

Jeremy Jones, MA, MCSE, CCNA
Systems Analyst
Northwest Network Services
(208) 343-5260 x106
http://www.nwnets.com
mailto:jjones at nwnets.com

From chayward at LUCENT.COM Fri Feb 11 21:57:12 2000
From: chayward at LUCENT.COM (Cary Hayward)
Date: Fri, 11 Feb 2000 18:57:12 -0800
Subject: VPN Products
In-Reply-To: <319A1C5F94C8D11192DE00805FBBADDF011A223B@exchange>
Message-ID: <3.0.2.32.20000211185712.00b5b390@149.198.1.70>

To many, VPN does not just mean IPSec enabled GWs and routers - L2TP and VRing are the VPNs of choice for many carriers. The new carrier-class VPN tunneling devices are gaining acceptance from SPs as wholesaling of broadband/narrowband access and backbones is growing. Some vendors in this space are Spring Tide Networks, Shasta/Nortel, Cosine Communications, Ennovate, and RedBack. I may have missed a few.

For a more detailed list of vendors look at the IETF bakeoff list. ICSA is a for profit org that not all vendors support or believe in.

Cary

At 01:12 PM 2/10/00 -0500, Stephane Durette wrote:
>Miranda,
>
>      The best and most complete VPN on the market ??!!??!!
>
>      This answer is impossible to get right. Your best bet is to accumulate
>all the info on different vendors and make a comparison on your own. Most of
>the products out from vendors are in their third generation and are fairly
>comparable.
>
>      Amy listed some vendors and to that list you can add Nortel, TimeStep
>and also take a look at www.icsa.net which will give
>you a run down of the different vendors doing IPSEC VPN or proprietary VPN.
>
>Cheers
>
>Steph
>
>
>---------------------------------------------------------------------
>Stephane Y Durette - Applications Engineer, TimeStep Corp.
>(613) 599-3610 x:4682 Voice          (613) 599-9560 - FAX
>mailto:sdurette at timestep.com
>http://www.timestep.com
>---------------------------------------------------------------------
>"Two possibilities exist: either we are alone in the universe or
> we are not. Both are equally terrifying." Arthur C. Clarke
>---------------------------------------------------------------------
>
>
>
>-----Original Message-----
>From: AMY HOLLISTER [mailto:amy_hollister at GLOBALCROSSING.COM]
>Sent: February 10, 2000 12:23 PM
>To: VPN at SECURITYFOCUS.COM
>Subject: Re: VPN Products
>
>
>Here are some that I know of
>
>* Checkpoint
>* Network Associates
>* VPNet
>* Cocentric Networks
>* Raptor
>* Cisco
>
>Then you also have all of the Telecom/Data Carriers
>
>* UUnet
>* GTE
>* PSInet
>* Sprint
>* AT&T
>
>
>Miranda Heesbeen wrote:
>
>
>Hi everyone,
>
>I'm doing a school project about VPN and I'm looking for products for VPN.
>Does someone know who offers the "best" products and also most complete
>(suite)?
>
>
>Thanks,
>
>
>Miranda Heesbeen
>
>

VPN Product Line Manager
Core Access
(510) 747-2289

From bob.vail at EDS.COM Tue Feb 15 09:24:56 2000
From: bob.vail at EDS.COM (Vail, Bob)
Date: Tue, 15 Feb 2000 08:24:56 -0600
Subject: VPN-to-Clear-to-VPN
Message-ID:

I am wondering if anyone has ever designed or implemented a VPN environment similar to the following:

VPN------VPN----------VPN--------Traffic---------VPN------------Internet------------VPN-----------Intranet
Client   Gateway      Gateway    "In the         Gateway                            Gateway
         #1           #2         Clear"          #3                                 #4          Network
encrypted--------------decrypted------------------encrypted-------------------------decrypted------

I do not want to get into why an "In the clear" segment is required except the traffic has to be monitored. Logging and review of the contents of the network traffic must be possible. I am just looking for information if this type of configuration will actually work. Will someone monitoring the "in the clear" network segment actually be able to review or monitor the traffic as if it never went through a VPN? Also, I am concerned about authentication of the VPN client at VPN Gateway #3. I am concerned this will require a second login process (the second login process may be valid and appropriate security; it just is not on the agenda of the clients). Will the traffic traversing the "In the Clear" segment be routed appropriately?

Thanks for any help.

Bob

From tbird at PRECISION-GUESSWORK.COM Tue Feb 15 20:11:33 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Tue, 15 Feb 2000 19:11:33 -0600
Subject: VPN clients for Palms/WinCE
Message-ID:

Anyone have more up to date information than I do on VPN clients for Palm Pilots, WinCE or other "light" operating systems?

TIA -- Tina

"Doubt is an uncomfortable situation, but certainty is an absurd one."
-- Voltaire

From petricek at KOLEJ.MFF.CUNI.CZ Tue Feb 15 20:29:55 2000
From: petricek at KOLEJ.MFF.CUNI.CZ (Vasek Petricek)
Date: Wed, 16 Feb 2000 02:29:55 +0100
Subject: L2F and L2TP
In-Reply-To: <3DE1DF234B51D211A70600104BB3F6DA017818C9@NL-ROT-MAIL01>
Message-ID:

On Mon, 14 Feb 2000, Miranda Heesbeen wrote:

> Hi everyone,
>
> Does somebody know where I can find information about the two protocols for
> VPN?
> I can't find anything about it. Only information about the same options
> between PPTP and L2TP. But I would like to know how they both work, the
> protocols L2F and L2TP and what they do.

The protocols are specified in these requests for comments...

L2TP: RFC2661
L2F : RFC2341
PPTP: RFC2637

Vasek

From adamz at ECONET.COM Wed Feb 16 15:12:41 2000
From: adamz at ECONET.COM (Adam P. Zimmerer)
Date: Wed, 16 Feb 2000 14:12:41 -0600
Subject: VPN Products
In-Reply-To: <3.0.2.32.20000211185712.00b5b390@149.198.1.70>
Message-ID:

Does anyone know what the link is for this "IETF Bakeoff list"???

Sincerely,
Adam P. Zimmerer
Economic Networks

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Cary Hayward
Sent: Friday, February 11, 2000 8:57 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: VPN Products

To many, VPN does not just mean IPSec enabled GWs and routers - L2TP and VRing are the VPNs of choice for many carriers. The new carrier-class VPN tunneling devices are gaining acceptance from SPs as wholesaling of broadband/narrowband access and backbones is growing. Some vendors in this space are Spring Tide Networks, Shasta/Nortel, Cosine Communications, Ennovate, and RedBack. I may have missed a few.

For a more detailed list of vendors look at the IETF bakeoff list. ICSA is a for profit org that not all vendors support or believe in.
Cary

At 01:12 PM 2/10/00 -0500, Stephane Durette wrote:
>Miranda,
>
>      The best and most complete VPN on the market ??!!??!!
>
>      This answer is impossible to get right. Your best bet is to accumulate
>all the info on different vendors and make a comparison on your own. Most of
>the products out from vendors are in their third generation and are fairly
>comparable.
>
>      Amy listed some vendors and to that list you can add Nortel, TimeStep
>and also take a look at www.icsa.net which will give
>you a run down of the different vendors doing IPSEC VPN or proprietary VPN.
>
>Cheers
>
>Steph
>
>
>---------------------------------------------------------------------
>Stephane Y Durette - Applications Engineer, TimeStep Corp.
>(613) 599-3610 x:4682 Voice          (613) 599-9560 - FAX
>mailto:sdurette at timestep.com
>http://www.timestep.com
>---------------------------------------------------------------------
>"Two possibilities exist: either we are alone in the universe or
> we are not. Both are equally terrifying." Arthur C. Clarke
>---------------------------------------------------------------------
>
>
>
>-----Original Message-----
>From: AMY HOLLISTER [mailto:amy_hollister at GLOBALCROSSING.COM]
>Sent: February 10, 2000 12:23 PM
>To: VPN at SECURITYFOCUS.COM
>Subject: Re: VPN Products
>
>
>Here are some that I know of
>
>* Checkpoint
>* Network Associates
>* VPNet
>* Cocentric Networks
>* Raptor
>* Cisco
>
>Then you also have all of the Telecom/Data Carriers
>
>* UUnet
>* GTE
>* PSInet
>* Sprint
>* AT&T
>
>
>Miranda Heesbeen wrote:
>
>
>Hi everyone,
>
>I'm doing a school project about VPN and I'm looking for products for VPN.
>Does someone know who offers the "best" products and also most complete
>(suite)?
>
>
>Thanks,
>
>
>Miranda Heesbeen
>
>

VPN Product Line Manager
Core Access
(510) 747-2289

From JSlaby at GIGAWEB.COM Wed Feb 16 15:11:47 2000
From: JSlaby at GIGAWEB.COM (Slaby, James)
Date: Wed, 16 Feb 2000 15:11:47 -0500
Subject: VPN clients for Palms/WinCE
Message-ID:

I've encountered two distinct approaches to VPN functionality in a PDA, both for the CE platform (nothing for Palm):

1. SSL support for CE applications. This is distinct from traditional Layer 3 (e.g., IPsec) or Layer 2 (e.g., PPTP) based virtualization - SSL provides application-layer security, and is commonly implemented for secure browser-based transactions - but does achieve the goal of protecting data against tampering/eavesdropping while in transit over a public network. SSL can also provide authentication using X.509 digital certificates. While fine for BtoC applications like online purchasing, SSL cannot provide secure access to non-HTTP applications behind a firewall without extensive middleware or other code mediation.

2. V-One's SmartPass CE client, which provides authentication, authorization, and encryption between remote CE devices and a V-One SmartGate Server at the corporate site. V-One's VPN technology is proprietary, though they purport to be developing an IPsec-compliant product.

I'd be interested to hear of any other VPN clients for handhelds.

Jim Slaby
Senior Industry Analyst
Giga Information Group
+1 617-577-4767

-----Original Message-----
From: Tina Bird [mailto:tbird at PRECISION-GUESSWORK.COM]
Sent: Tuesday, February 15, 2000 8:12 PM
To: VPN at SECURITYFOCUS.COM
Subject: VPN clients for Palms/WinCE

Anyone have more up to date information than I do on VPN clients for Palm Pilots, WinCE or other "light" operating systems?

TIA -- Tina

"Doubt is an uncomfortable situation, but certainty is an absurd one."
-- Voltaire

From swissman at PILOT.NET Wed Feb 16 16:17:01 2000
From: swissman at PILOT.NET (swissman)
Date: Wed, 16 Feb 2000 13:17:01 -0800
Subject: VPN clients for Palms/WinCE
In-Reply-To:
Message-ID:

The only one I have actually seen so far is the SSH client for the Palm Pilot and that one works pretty well. I am interested in any other flavors.

Patrick

On Tue, 15 Feb 2000, Tina Bird wrote:

> Anyone have more up to date information than I
> do on VPN clients for Palm Pilots, WinCE or other
> "light" operating systems?
>
> TIA -- Tina
>
> "Doubt is an uncomfortable situation, but certainty is an
> absurd one." -- Voltaire
>

********************************************************************
PILOT NETWORK SERVICES                 Patrick Ramseier, CCNA
2450 Mariner Square Loop               Security Operations Engineer
Alameda, CA 94501                      Phone: 800-811-5222
FAX : 510-864-6438                     swissman at pilot.net
********************************************************************

From elfering at TCONL.COM Wed Feb 16 19:46:25 2000
From: elfering at TCONL.COM (Dave Elfering)
Date: Wed, 16 Feb 2000 18:46:25 -0600
Subject: SANS VPN Survey
References: <0DA2A15FEE96D31187AA009027AA6A7283AD9D@ca-exchange1.nai.com>
Message-ID: <38AB44E1.11D4CA00@tconl.com>

The SANS organization now has a VPN survey online at http://www.sans.org/vpnsurvey

The target of the survey is technical personnel charged with planning, implementing and administering VPNs. The initial results will be delivered at SANS' May SNAP conference (http://www.sans.org/sj00.htm) via VPN and remote access training sessions (given by Tina Bird, George Freeman (RISCmanagement) and myself). The objective of the survey is to learn what people have deployed, whether the deployment went through on time, size of deployments, whether people are outsourcing, etc.
There is also an opportunity for your input to be heard in terms of likes, dislikes and wish lists.

In case you're not familiar with SANS, it is a vendor neutral organization which is focused on research and education. The survey is about 20 questions long and only takes 3-5 minutes. Please help us make this a meaningful and educational endeavor.

Sincerely,

Dave Elfering
Werner Logistics
elfering at tconl.com - dave at aroundomaha.com

From passemar at HOTMAIL.COM Thu Feb 17 04:47:55 2000
From: passemar at HOTMAIL.COM (Antony Passemard)
Date: Thu, 17 Feb 2000 01:47:55 PST
Subject: L2F and L2TP
Message-ID: <20000217094755.12036.qmail@hotmail.com>

> > Hi everyone,
> >
> > Does somebody know where I can find information about the two protocols
> > for VPN?
> > I can't find anything about it. Only information about the same options
> > between PPTP and L2TP. But I would like to know how they both work, the
> > protocols L2F and L2TP and what they do.
>
>The protocols are specified in these requests for comments...
>
>L2TP: RFC2661
>L2F : RFC2341
>PPTP: RFC2637
>
>Vasek

The RFCs are very complete but often confusing. You should check Cisco's web site. They have great documentation about L2F and L2TP.

Anyway, I have a question about L2TP.. After reading the documentation I was confused about the layer this protocol was working on. L2TP means Layer 2 Tunneling Protocol, and I always thought it was working at layer 2, which was kind of hard to understand though. In fact it seems that L2TP is a layer 4 protocol (working with UDP on a specified port) that encapsulates PPP, therefore creating a tunnel for a layer 2 protocol... What I would like to know is if I understood this well???

Anyway, the first POP you're accessing from the Internet needs to be L2TP compliant, as does the POP in the company you're accessing..
Between those two POPs nothing needs to be aware of L2TP, because it's working at layer 4 (if I understood it right). My problem is the following: how can you be sure that the first POP you're accessing is L2TP compliant? This is very restrictive I guess... You can't move all over the world because you're not sure the ISP's POPs will be able to work with L2TP... Am I correct about that??

Thanks for your answers.

Antony.

From Munix-1 at PACBELL.NET Thu Feb 17 05:20:55 2000
From: Munix-1 at PACBELL.NET (Jose Muniz)
Date: Thu, 17 Feb 2000 02:20:55 -0800
Subject: VPN Products
Message-ID: <38ABCB87.5D0DE4D@Pacbell.net>

"Adam P. Zimmerer" wrote:
>
> Does anyone know what is the link for this "IETF Bakeoff list"???
>
> Sincerely,
> Adam P. Zimmerer
> Economic Networks
>
> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Cary Hayward
> Sent: Friday, February 11, 2000 8:57 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: VPN Products
>
> To many, VPN does not just mean IPSec-enabled GWs and routers; L2TP and VRing are the VPNs of choice for many carriers. The new carrier-class VPN tunneling devices are gaining acceptance from SPs as wholesaling of broadband/narrowband access and backbones is growing. Some vendors in this space are Spring Tide Networks, Shasta/Nortel, Cosine Communications, Ennovate, and RedBack. I may have missed a few.
>
> For a more detailed list of vendors look at the IETF bakeoff list. ICSA is a for-profit org that not all vendors support or believe in.
>
> Cary
>
> At 01:12 PM 2/10/00 -0500, Stephane Durette wrote:
> > Miranda,
> >
> > The best and most complete VPN on the market ??!!??!!
> >
> > This answer is impossible to get right.
> > Your best bet is to accumulate all the info on different vendors and make a comparison on your own. Most of the products out from vendors are in their third generation and are fairly comparable.
> >
> > Amy listed some vendors, and to that list you can add Nortel and TimeStep; also take a look at www.icsa.net, which will give you a run-down of the different vendors doing IPSEC VPN or proprietary VPN.
> >
> > Cheers
> >
> > Steph
> >
> > ---------------------------------------------------------------------
> > Stephane Y Durette - Applications Engineer, TimeStep Corp.
> > (613) 599-3610 x:4682 Voice   (613) 599-9560 - FAX
> > mailto:sdurette at timestep.com
> > http://www.timestep.com
> > ---------------------------------------------------------------------
> > "Two possibilities exist: either we are alone in the universe or we are not. Both are equally terrifying." Arthur C. Clarke
> > ---------------------------------------------------------------------
> >
> > -----Original Message-----
> > From: AMY HOLLISTER [mailto:amy_hollister at GLOBALCROSSING.COM]
> > Sent: February 10, 2000 12:23 PM
> > To: VPN at SECURITYFOCUS.COM
> > Subject: Re: VPN Products
> >
> > Here are some that I know of
> >
> > * Checkpoint
> > * Network Associates
> > * VPNet
> > * Cocentric Networks
> > * Raptor
> > * Cisco
> >
> > Then you also have all of the Telecom/Data Carriers
> >
> > * UUnet
> > * GTE
> > * PSInet
> > * Sprint
> > * AT&T
> >
> > Miranda Heesbeen wrote:
> >
> > Hi everyone,
> >
> > I'm doing a school project about VPN and I'm looking for products for VPN. Does someone know who offers the "best" products and also the most complete (suite)?
> >
> > Thanks,
> >
> > Miranda Heesbeen
>
> VPN Product Line Manager
> Core Access
> (510) 747-2289

Try http://www.vpnc.org

Jose Muniz

From petricek at KOLEJ.MFF.CUNI.CZ Thu Feb 17 16:56:57 2000
From: petricek at KOLEJ.MFF.CUNI.CZ (Vasek Petricek)
Date: Thu, 17 Feb 2000 22:56:57 +0100
Subject: L2F and L2TP
In-Reply-To: <20000217094755.12036.qmail@hotmail.com>

> Anyway, I have a question about L2TP.. After reading the documentation I was confused about the layer this protocol was working on. L2TP means Layer 2 Tunneling Protocol, and I always thought it was working at layer 2, which was kind of hard to understand though. In fact it seems that L2TP is a layer 4 protocol (working with UDP on a specified port) that encapsulates PPP, therefore creating a tunnel for a layer 2 protocol... What I would like to know is if I understood this well???

I understood it the same way. If you are wrong you are not alone ;-)

    IP
    PPP              "2"
    L2TP              4
    IP                3   = network layer
    link layer        2
    physical layer    1

> Anyway, the first POP you're accessing from the Internet needs to be L2TP compliant, as does the POP in the company you're accessing. Between those two POPs nothing needs to be aware of L2TP, because it's working at layer 4 (if I understood it right). My problem is the following: how can you be sure that the first POP you're accessing is L2TP compliant? This is very restrictive I guess... You can't move all over the world because you're not sure the ISP's POPs will be able to work with L2TP... Am I correct about that??
I think that there are two possibilities, both in the following picture:

    [LAC Client]==========+                                  [Home LAN]
                          |      ____U_____                     |
                          |     |          |                    +--[Host]
           [LAC]==========+=====| Internet |=====[LNS]----------+
             |                  |__________|                    |
        _____|_____                                             :
       |           |
       |   PSTN    |
    [User]----|    |
       |___________|

Legend:
  ====  ..... L2TP tunnel
  LNS   ..... L2TP network server (gateway to your home LAN)
  LAC   ..... L2TP access concentrator (access server with L2TP enabled)
  LAC client runs L2TP natively and encapsulates PPP itself

1. You use a dialup to a LAC that supports L2TP and makes a tunnel for you to the LNS. The LAC has to be configured that way.

2. You run L2TP natively and make the tunnel yourself.

Vasek

From petricek at KOLEJ.MFF.CUNI.CZ Thu Feb 17 19:06:41 2000
From: petricek at KOLEJ.MFF.CUNI.CZ (Vasek Petricek)
Date: Fri, 18 Feb 2000 01:06:41 +0100
Subject: Virtual routing

Hello

I was just reading through draft-muthukrishnan-mpls-corevpn-arch-00.txt at http://www.ietf.org/internet-drafts/ and wondering if the "virtual routing" approach should be used just with MPLS. They mention the possibility to use hop-by-hop routing "during periods of LSP establishment and failure." But is it wise to implement "virtual routing" just using hop-by-hop? MPLS can offer the possibility of QoS guarantees - does it offer anything more in this case?

Thanks for your opinions,

Vasek

From robang at YAHOO.COM Fri Feb 18 13:47:34 2000
From: robang at YAHOO.COM (Rob Ang)
Date: Fri, 18 Feb 2000 10:47:34 -0800
Subject: pulling vpn statistics
Message-ID: <002401bf7a40$a22fcb00$2d891318@frmt1.sfba.home.com>

Hi everyone,

I have a VPN setup between two Cisco 1601Rs and was wondering if anyone had a good resource to read for pulling statistics between the tunnels; i.e. latency, packet count/loss, etc. I'm not too familiar with RTTMON and was wondering how to implement this for VPNs.

Thanks!
Rob

-------------- next part --------------
An HTML attachment was scrubbed...
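The L2F/L2TP exchange between Antony and Vasek above turns on where L2TP sits in the stack. The following Python script is an added illustration for that thread, not code from the list or from any of the posters: it builds an L2TPv2 data message with the header layout of RFC 2661 and then peels it back, showing that the UDP datagram (port 1701, layer 4) carries an L2TP header, the L2TP payload is a PPP frame (layer 2), and the PPP payload is an IP packet again. The tunnel and session IDs, the 10.0.0.x addresses and the ICMP payload are constructed sample values; the parser also handles the control-message flag bits (T, S, O) and rejects a length field that does not fit the datagram.

```python
# Build and decode an L2TPv2 data message (RFC 2661) to show where L2TP sits.
# Added illustration for the L2F/L2TP thread above, not code from the list.
# Tunnel/session IDs, addresses and the ICMP payload are constructed samples.
import struct

L2TP_UDP_PORT = 1701         # L2TP rides in UDP datagrams addressed to port 1701
PPP_PROTO_IPV4 = 0x0021      # PPP protocol number for IPv4
PPP_ADDR_CTRL = b"\xff\x03"  # PPP address/control octets (absent when compressed)
# Flag bits of the first 16-bit word of the L2TP header (RFC 2661 section 3.1)
T_BIT = 0x8000     # 1 = control message, 0 = data message
L_BIT = 0x4000     # Length field present
S_BIT = 0x0800     # Ns/Nr sequence fields present
O_BIT = 0x0200     # Offset Size field present
VER_MASK = 0x000F  # version number, 2 for L2TPv2

def build_l2tp_data_message(tunnel_id, session_id, ppp_frame):
    """Prepend an L2TP data header (T=0, L=1, Ver=2) to a PPP frame."""
    length = 8 + len(ppp_frame)  # flags + length + tunnel id + session id + payload
    return struct.pack("!HHHH", L_BIT | 2, length, tunnel_id, session_id) + ppp_frame

def parse_l2tp_message(data):
    """Decode an L2TP header into a dict; 'payload' is what the tunnel carries."""
    if len(data) < 2:
        raise ValueError("too short for an L2TP header")
    (flags,) = struct.unpack("!H", data[:2])
    if flags & VER_MASK != 2:
        raise ValueError("unsupported L2TP version %d" % (flags & VER_MASK))
    msg, pos = {"control": bool(flags & T_BIT)}, 2
    def take(fmt):                      # unpack the next fixed field, checking bounds
        nonlocal pos
        size = struct.calcsize(fmt)
        if len(data) < pos + size:
            raise ValueError("truncated L2TP header")
        pos += size
        return struct.unpack(fmt, data[pos - size:pos])
    if flags & L_BIT:
        (msg["length"],) = take("!H")
    msg["tunnel_id"], msg["session_id"] = take("!HH")
    if flags & S_BIT:
        msg["ns"], msg["nr"] = take("!HH")
    if flags & O_BIT:                   # skip the optional offset padding
        pos += take("!H")[0]
    end = msg.get("length", len(data))
    if end > len(data) or pos > end:
        raise ValueError("L2TP length field does not fit the datagram")
    msg["payload"] = data[pos:end]
    return msg

def parse_ppp_frame(frame):
    """Return (protocol, payload) of a PPP frame, tolerating ACFC and PFC."""
    if frame.startswith(PPP_ADDR_CTRL):
        frame = frame[2:]
    if frame and frame[0] & 1:          # protocol field compression: one odd octet
        return frame[0], frame[1:]
    if len(frame) < 2:
        raise ValueError("truncated PPP protocol field")
    return struct.unpack("!H", frame[:2])[0], frame[2:]

def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 packet (no options) used as the tunnelled sample traffic."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0, addr(src), addr(dst)]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload

def summarize_ipv4(packet):
    """Return (src, dst, protocol) of an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    dotted = lambda b: ".".join(str(x) for x in b)
    return dotted(packet[12:16]), dotted(packet[16:20]), packet[9]

def describe_layers(l2tp_datagram):
    """Peel the encapsulation: UDP/1701 -> L2TP -> PPP -> inner IPv4."""
    msg = parse_l2tp_message(l2tp_datagram)
    layers = ["UDP/%d" % L2TP_UDP_PORT]
    if msg["control"]:                  # control messages carry AVPs, not PPP
        layers.append("L2TP control tunnel=%d session=%d Ns=%d Nr=%d" % (
            msg["tunnel_id"], msg["session_id"], msg.get("ns", 0), msg.get("nr", 0)))
        return layers
    layers.append("L2TP data tunnel=%d session=%d" % (msg["tunnel_id"], msg["session_id"]))
    proto, inner = parse_ppp_frame(msg["payload"])
    layers.append("PPP protocol 0x%04x" % proto)
    if proto == PPP_PROTO_IPV4:
        src, dst, ipproto = summarize_ipv4(inner)
        layers.append("IPv4 %s -> %s proto %d" % (src, dst, ipproto))
    return layers

# Constructed sample: an ICMP echo request from a dial-in user (10.0.0.2) to a
# host on the home LAN (10.0.0.1), carried as PPP inside L2TP tunnel 7, session 42.
ICMP_ECHO = b"\x08\x00\xf7\xff\x00\x00\x00\x00"  # type 8, code 0, checksum, id, seq
INNER_IP = build_ipv4_packet("10.0.0.2", "10.0.0.1", 1, ICMP_ECHO)
PPP_FRAME = PPP_ADDR_CTRL + struct.pack("!H", PPP_PROTO_IPV4) + INNER_IP
L2TP_DATAGRAM = build_l2tp_data_message(7, 42, PPP_FRAME)
```

Calling `describe_layers(L2TP_DATAGRAM)` returns the stack from the outside in: `UDP/1701`, the L2TP data header for tunnel 7 / session 42, `PPP protocol 0x0021`, and finally the inner `IPv4 10.0.0.2 -> 10.0.0.1`. That is the answer to the layering question in the thread: only the LAC (or a client running L2TP natively) and the LNS look at the L2TP header, while every router in between forwards an ordinary UDP datagram. Note also that nothing in this header is authenticated or encrypted; that is why L2TP is normally paired with IPsec rather than used as a security mechanism on its own.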
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20000218/37bd0e69/attachment.htm

From marck at ESU.EDU Fri Feb 18 09:59:44 2000
From: marck at ESU.EDU (MARC A KURTZ)
Date: Fri, 18 Feb 2000 09:59:44 -0500
Subject: Has anyone ever run into this?
Message-ID: <004601bf7a20$ca93a8c0$cbda94c0@s30603>

Hi,

I have a question about interoperability of FreeS/WAN and PGPnet. I have the following scenario:

    ---===VPN===----

Both gateways are running FreeS/WAN with a tunnel between the two. (Note all computers are running on the same wire; this is a lab experiment. The routing tables have been manipulated to simulate an internet.)

So far everything works fine, and everybody can ping everybody. Then I also wanted to set up a tunnel between client1 and gateway1. Once I established the tunnel between client1 and gateway1 I could then only communicate from client1 to gateway1, but not out to gateway2 or client2.

So I set up a sniffer and saw that my packets were making it from:

    client1 -> through both gateways -> and then to client2

but the response went:

    client2 -> through both gateways -> and then dies at gateway1 (never making it back to client1)

How should I configure each of client1 and gateway1? I think it is a misconfiguration problem. Any help is _greatly_ appreciated!!!

Thank you,

Marc Kurtz
Security Engineer
East Stroudsburg University
570-422-3493

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20000218/46ac8f35/attachment.htm

From David.Haber at VTMEDNET.ORG Mon Feb 21 11:31:53 2000
From: David.Haber at VTMEDNET.ORG (Haber, David J.)
Date: Mon, 21 Feb 2000 11:31:53 -0500
Subject: Nortel and Win98 2nd Edition
Message-ID: <87E2A0D9120AD1119E2200805F15E0D804824FB5@BURLINGTON03>

Does anyone know of any problems with the Nortel Extranet Client v.2.50 and Windows 98 Second Edition?
We are testing the Nortel Contivity and have had good success with W95, older W98 versions, and NT 4.0; the product works great. However, we have not been able to get a successful install on Win98 Second Edition.

From jneedle at NORTELNETWORKS.COM Mon Feb 21 07:12:42 2000
From: jneedle at NORTELNETWORKS.COM (Jeffrey Needle)
Date: Mon, 21 Feb 2000 07:12:42 -0500
Subject: L2F and L2TP
In-Reply-To: <3DE1DF234B51D211A70600104BB3F6DA017818C9@NL-ROT-MAIL01>
Message-ID: <4.2.2.20000221070753.069597e0@zbl6c000.corpeast.baynetworks.com>

An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20000221/9a3d9e11/attachment.htm

From tbird at PRECISION-GUESSWORK.COM Tue Feb 22 12:24:06 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Tue, 22 Feb 2000 11:24:06 -0600
Subject: VPN clients for Palms/WinCE (fwd)

"Doubt is an uncomfortable situation, but certainty is an absurd one." -- Voltaire

---------- Forwarded message ----------
Date: Thu, 17 Feb 2000 19:44:16 -0500
From: rodney
Reply-To: rodney at tillerman.to
To: Tina Bird
Subject: Re: VPN clients for Palms/WinCE

Feel free to forward this but I doubt you'll consider it on-topic.

There have been various efforts in the area of handheld IPsec implementations, most unsuccessful. The problem is that doing Diffie-Hellman and RSA is too computationally intensive on a PDA. Also, WinCE is in fact not compatible enough with 98/95 to attempt straightforward ports.

There are some 'ipsec-on-a-card' solutions, like those from 3com, that may manifest themselves as PCCARD formats and therefore might work in some of these devices.

Also, as the linux-on-a-brick solutions get smaller and smaller, my legendary "IPsec on a garage door opener" challenge gets more and more realistic.

Tina Bird wrote:

> Anyone have more up-to-date information than I do on VPN clients for Palm Pilots, WinCE or other "light" operating systems?
>
> TIA -- Tina
>
> "Doubt is an uncomfortable situation, but certainty is an absurd one." -- Voltaire

From tbird at PRECISION-GUESSWORK.COM Tue Feb 22 12:55:18 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Tue, 22 Feb 2000 11:55:18 -0600
Subject: VPN's (fwd)

From durwardj at home.com Sun Feb 20 19:33:43 2000
From: durwardj at home.com (Jim Durward)
Date: Sun, 20 Feb 2000 16:33:43 -0800
Subject: VPN's

I am trying to find answers to the following questions:

1. Where can I find a Win95/98/NT VPN client that will lock out all other IP communications when the session is alive?

2. Is there a Linux server that will talk with this Win VPN client?

Please excuse my ignorance on this matter. Can you help?

Thanks,

jim

From jonc at HAHT.COM Tue Feb 22 14:01:50 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Tue, 22 Feb 2000 14:01:50 -0500
Subject: VPN's (fwd)
Message-ID: <009c01bf7d67$58a735c0$6803010a@dhcp.haht.com>

The answer to 2) is yes. Here is a good reference site: http://www.moretonbay.com/vpn/pptp.html

An inelegant answer to 1) is that you could always run a script on VPN connection that closes down the other ports or brings up a firewall program which closes all the other ports.

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "Tina Bird"
Sent: Tuesday, February 22, 2000 12:55 PM
Subject: VPN's (fwd)

> Date: Sun, 20 Feb 2000 16:33:43 -0800
> From: Jim Durward
> To: tbird at precision-guesswork.com
> Subject: VPN's
>
> I am trying to find answers to the following questions:
>
> 1. Where can I find a Win95/98/NT VPN client that will lock out all other IP communications when the session is alive?
>
> 2. Is there a Linux server that will talk with this Win VPN client?
>
> Please excuse my ignorance on this matter. Can you help?
>
> Thanks,
>
> jim

From bet at RAHUL.NET Tue Feb 22 13:52:06 2000
From: bet at RAHUL.NET (Bennett Todd)
Date: Tue, 22 Feb 2000 13:52:06 -0500
Subject: VPN clients for Palms/WinCE (fwd)
In-Reply-To: ; from tbird@PRECISION-GUESSWORK.COM on Tue, Feb 22, 2000 at 11:24:06AM -0600
Message-ID: <20000222135206.J20981@rahul.net>

2000-01-18-00:44:16 rodney at tillerman.to:
> There have been various efforts in the area of handheld IPsec implementations, most unsuccessful. The problem is that doing Diffie-Hellman and RSA is too computationally intensive on a PDA.

I haven't yet tried loading it up and using it, but I'm pretty sure I read that the ssh client for Palm Pilots was built on a port of SSLeay to the Palm, which would mean that the algorithms are there and working. It might not run as fast as it does on a desktop or a server or a router, but it should run; and since the only IP connectivity off a Palm would be PPP anyway, it may well be able to keep up for all I know.

What I can't quite figure is whether there'd be any advantage to using IPsec from a handheld, rather than using ssh, with port forwarding if needed.

-Bennett

From rdonkin at ORCHESTREAM.COM Tue Feb 22 14:23:44 2000
From: rdonkin at ORCHESTREAM.COM (Donkin, Richard)
Date: Tue, 22 Feb 2000 19:23:44 -0000
Subject: VPN clients for Palms/WinCE (fwd)

SSH for the Palm does indeed include RSA (7KB) and DES (28KB) libraries; however, I've not tested SSH so I couldn't tell you how fast they'd be. More recent Palm devices run at 16 MHz and are 680x0 (Coldfire) based, so it wouldn't be very fast...
-----Original Message-----
From: Bennett Todd [mailto:bet at RAHUL.NET]
Sent: 22 February 2000 18:52
To: VPN at SECURITYFOCUS.COM
Subject: Re: VPN clients for Palms/WinCE (fwd)

2000-01-18-00:44:16 rodney at tillerman.to:
> There have been various efforts in the area of handheld IPsec implementations, most unsuccessful. The problem is that doing Diffie-Hellman and RSA is too computationally intensive on a PDA.

I haven't yet tried loading it up and using it, but I'm pretty sure I read that the ssh client for Palm Pilots was built on a port of SSLeay to the Palm, which would mean that the algorithms are there and working. It might not run as fast as it does on a desktop or a server or a router, but it should run; and since the only IP connectivity off a Palm would be PPP anyway, it may well be able to keep up for all I know.

What I can't quite figure is whether there'd be any advantage to using IPsec from a handheld, rather than using ssh, with port forwarding if needed.

-Bennett

From Jean.Triquet at PWGSC.GC.CA Tue Feb 22 14:20:29 2000
From: Jean.Triquet at PWGSC.GC.CA (Jean Triquet)
Date: Tue, 22 Feb 2000 14:20:29 -0500
Subject: VPN's (fwd)

1- Newbridge Permit/Client does that. It is an IPsec-based product and therefore allows you to decide how to process every IP packet you send/receive. So you can decide to apply IPsec or just discard the packets, depending on the IP packet source/destination. Any IPsec-compliant client has to offer the same functionality.

2- freeS/WAN is an IPsec package which runs on Linux RedHat. It is compatible with several other IPsec products. I know it works with the Newbridge Permit/Gate so I guess it would work with the Permit/Client.

> -----Original Message-----
> From: Jon Carnes [SMTP:jonc at HAHT.COM]
> Sent: Tuesday, February 22, 2000 2:02 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: VPN's (fwd)
>
> The answer to 2) is yes.
> Here is a good reference site: http://www.moretonbay.com/vpn/pptp.html
>
> An inelegant answer to 1) is that you could always run a script on VPN connection that closes down the other ports or brings up a firewall program which closes all the other ports.
>
> Jon Carnes
> MIS - HAHT Software
>
> ----- Original Message -----
> From: "Tina Bird"
> Sent: Tuesday, February 22, 2000 12:55 PM
> Subject: VPN's (fwd)
>
> > Date: Sun, 20 Feb 2000 16:33:43 -0800
> > From: Jim Durward
> > To: tbird at precision-guesswork.com
> > Subject: VPN's
> >
> > I am trying to find answers to the following questions:
> >
> > 1. Where can I find a Win95/98/NT VPN client that will lock out all other IP communications when the session is alive?
> >
> > 2. Is there a Linux server that will talk with this Win VPN client?
> >
> > Please excuse my ignorance on this matter. Can you help?
> >
> > Thanks,
> >
> > jim

From APaul at CNCX.COM Tue Feb 22 14:25:42 2000
From: APaul at CNCX.COM (Andrew Paul)
Date: Tue, 22 Feb 2000 11:25:42 -0800
Subject: VPN's (fwd)

You might check with the various VPN vendors. They should be able to set up a "route table" when the client software is enabled that states all traffic should go through the encrypted tunnel. I believe this can be set up on the VPNet VSU systems. They have a WIN95/98 and NT 4.0 client. It also may be a possibility in the Nortel Contivity product line.

Andy

-----Original Message-----
From: Jon Carnes [mailto:jonc at HAHT.COM]
Sent: Tuesday, February 22, 2000 11:02 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: VPN's (fwd)

The answer to 2) is yes.
Here is a good reference site: http://www.moretonbay.com/vpn/pptp.html

An inelegant answer to 1) is that you could always run a script on VPN connection that closes down the other ports or brings up a firewall program which closes all the other ports.

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "Tina Bird"
Sent: Tuesday, February 22, 2000 12:55 PM
Subject: VPN's (fwd)

> Date: Sun, 20 Feb 2000 16:33:43 -0800
> From: Jim Durward
> To: tbird at precision-guesswork.com
> Subject: VPN's
>
> I am trying to find answers to the following questions:
>
> 1. Where can I find a Win95/98/NT VPN client that will lock out all other IP communications when the session is alive?
>
> 2. Is there a Linux server that will talk with this Win VPN client?
>
> Please excuse my ignorance on this matter. Can you help?
>
> Thanks,
>
> jim

From truman at RESEARCH.SUSPICIOUS.ORG Tue Feb 22 14:43:15 2000
From: truman at RESEARCH.SUSPICIOUS.ORG (Truman Boyes)
Date: Tue, 22 Feb 2000 14:43:15 -0500
Subject: pulling vpn statistics
In-Reply-To: <002401bf7a40$a22fcb00$2d891318@frmt1.sfba.home.com>

Hi Rob,

If you have access to a unix workstation you could set up MRTG. It is a decent traffic graphing tool for polling SNMP objects. Your basic MIB should be able to walk the correct objects out of the routers. I am unaware if there are specific VPN MIBs available for Cisco routers. A quick search on MRTG should give promising results.

Good Luck!

.truman.boyes.

     /"\
     \ /   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
      X
     / \

On Fri, 18 Feb 2000, Rob Ang wrote:

> Hi everyone,
>
> I have a VPN setup between two Cisco 1601Rs and was wondering if anyone had a good resource to read for pulling statistics between the tunnels; i.e. latency, packet count/loss, etc.
> I'm not too familiar with RTTMON and was wondering how to implement this for VPNs.
>
> Thanks!
> Rob

From arsen at GNAC.COM Tue Feb 22 14:46:53 2000
From: arsen at GNAC.COM (Thomas J. Arseneault)
Date: Tue, 22 Feb 2000 11:46:53 -0800
Subject: VPN's (fwd)
Message-ID: <000201bf7d6d$915446f0$8901a8c0@pretty-tom-1.gnac.com>

You can configure the TimeStep client to do that, at least in the 1.1 and 1.2 versions.

**********************************************
Tom Arseneault
System Admin.
Gnac Inc.
arsen at gnac.com
**********************************************

> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Tina Bird
> Sent: Tuesday, February 22, 2000 9:55 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: VPN's (fwd)
>
> Date: Sun, 20 Feb 2000 16:33:43 -0800
> From: Jim Durward
> To: tbird at precision-guesswork.com
> Subject: VPN's
>
> I am trying to find answers to the following questions:
>
> 1. Where can I find a Win95/98/NT VPN client that will lock out all other IP communications when the session is alive?
>
> 2. Is there a Linux server that will talk with this Win VPN client?
>
> Please excuse my ignorance on this matter. Can you help?
>
> Thanks,
>
> jim

From ryan at SECURITYFOCUS.COM Tue Feb 22 14:48:25 2000
From: ryan at SECURITYFOCUS.COM (Ryan Russell)
Date: Tue, 22 Feb 2000 11:48:25 -0800
Subject: VPN's (fwd)

On Tue, 22 Feb 2000, Andrew Paul wrote:

> You might check with the various VPN vendors. They should be able to set up a "route table" when the client software is enabled that states all traffic should go through the encrypted tunnel. I believe this can be set up on the VPNet VSU systems. They have a WIN95/98 and NT 4.0 client. It also may be a possibility in the Nortel Contivity product line.

That may not be sufficient.
The attacker can still get packets to your VPN client. Even if the replies go back home, the attacker may still get them, depending on the firewall back home. In many cases, they'll get them with a translated source address, which for clever attackers won't slow them down at all, and may allow them to continue their connection just fine.

Ryan

From marck at ESU.EDU Tue Feb 22 15:30:18 2000
From: marck at ESU.EDU (MARC A KURTZ)
Date: Tue, 22 Feb 2000 15:30:18 -0500
Subject: VPN's (fwd)
Message-ID: <004201bf7d73$a260d7f0$cbda94c0@s30603>

Has anyone ever come up with a solution for this problem (in particular from Windows to Linux)?

i.e. How can we authenticate that the data going over the encrypted tunnel is legitimate?

----- Original Message -----
From: "Ryan Russell"
Sent: Tuesday, February 22, 2000 2:48 PM
Subject: Re: VPN's (fwd)

> On Tue, 22 Feb 2000, Andrew Paul wrote:
>
> > You might check with the various VPN vendors. They should be able to set up a "route table" when the client software is enabled that states all traffic should go through the encrypted tunnel. I believe this can be set up on the VPNet VSU systems. They have a WIN95/98 and NT 4.0 client. It also may be a possibility in the Nortel Contivity product line.
>
> That may not be sufficient. The attacker can still get packets to your VPN client. Even if the replies go back home, the attacker may still get them, depending on the firewall back home. In many cases, they'll get them with a translated source address, which for clever attackers won't slow them down at all, and may allow them to continue their connection just fine.
>
> Ryan

From jonc at HAHT.COM Tue Feb 22 15:58:01 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Tue, 22 Feb 2000 15:58:01 -0500
Subject: VPN's (fwd) - and personal firewalling
Message-ID: <012501bf7d77$93b81c00$6803010a@dhcp.haht.com>

If you are worried about your folks in the field (and you may well be!) then I would suggest that you get them a decent firewalling program to run on their boxen. For $40, you can buy software that will protect their machine. I like BlackIce Defender ( http://www.netice.com ), which monitors any attempts to get into their computer and makes sure that the attempts fail. It also tells you when someone has been trying.

The users can have the firewall program up and running and still VPN in to the company site, or browse the web.

----- Original Message -----
From: "Ryan Russell"
Sent: Tuesday, February 22, 2000 2:48 PM
Subject: Re: VPN's (fwd)

> On Tue, 22 Feb 2000, Andrew Paul wrote:
>
> > You might check with the various VPN vendors. They should be able to set up a "route table" when the client software is enabled that states all traffic should go through the encrypted tunnel. I believe this can be set up on the VPNet VSU systems. They have a WIN95/98 and NT 4.0 client. It also may be a possibility in the Nortel Contivity product line.
>
> That may not be sufficient. The attacker can still get packets to your VPN client. Even if the replies go back home, the attacker may still get them, depending on the firewall back home. In many cases, they'll get them with a translated source address, which for clever attackers won't slow them down at all, and may allow them to continue their connection just fine.
>
> Ryan

From carson at TLA.ORG Tue Feb 22 15:05:19 2000
From: carson at TLA.ORG (Carson Gaspar)
Date: Tue, 22 Feb 2000 15:05:19 -0500
Subject: VPN clients for Palms/WinCE (fwd)
In-Reply-To: <20000222135206.J20981@rahul.net>
References: <20000222135206.J20981@rahul.net>
Message-ID: <14514.60415.870321.925892@taltos.tla.org>

>>>>> "Bennett" == Bennett Todd writes:

Bennett> What I can't quite figure is whether there'd be any advantage to
Bennett> using IPsec from a handheld, rather than using ssh, with port
Bennett> forwarding if needed.

Nasty evil protocols with IP addresses embedded in them break via SSH. Also, the Palm application model forbids straightforward port forwarding. When the web browser is running, SSH isn't, and vice versa.

I've threatened to write a SOCKS5 hackmaster hack that traps the call to open the network library, and is compatible with Aventail's SOCKS5 over SSL VPN. No idea if I'll ever have enough round tuits to do so, though. The same methodology could be used for IPSec.

--
Carson Gaspar -- carson at tla.org carson at cs.columbia.edu carson at cugc.org
http://www.cs.columbia.edu/~carson/home.html
Queen Trapped in a Butch Body

From dgillett at NIKU.COM Tue Feb 22 17:05:44 2000
From: dgillett at NIKU.COM (David Gillett)
Date: Tue, 22 Feb 2000 14:05:44 -0800
Subject: VPN's (fwd) - and personal firewalling
In-Reply-To: <012501bf7d77$93b81c00$6803010a@dhcp.haht.com>
Message-ID: <009401bf7d80$f7e6b0c0$f30410ac@niku.com>

While this ought reasonably to be true, our experience to date with Altiga's 1.2x client (haven't tested 2.x yet) is that it locks up the client machine if firewalling software is also active....

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Jon Carnes
Sent: February 22, 2000 12:58
To: VPN at SECURITYFOCUS.COM
Subject: Re: VPN's (fwd) - and personal firewalling

If you are worried about your folks in the field (and you may well be!) then I would suggest that you get them a decent firewalling program to run on their boxen. For $40, you can buy software that will protect their machine. I like BlackIce Defender ( http://www.netice.com ), which monitors any attempts to get into their computer and makes sure that the attempts fail. It also tells you when someone has been trying.

The users can have the firewall program up and running and still VPN in to the company site, or browse the web.

-----

From neil.ratzlaff at UCOP.EDU Tue Feb 22 17:03:09 2000
From: neil.ratzlaff at UCOP.EDU (Neil Ratzlaff)
Date: Tue, 22 Feb 2000 14:03:09 -0800
Subject: VPN's (fwd)
In-Reply-To: <004201bf7d73$a260d7f0$cbda94c0@s30603>
Message-ID: <4.2.2.20000222140021.00a46c50@popserv.ucop.edu>

You can't evaluate encrypted packets. A common solution is to put the VPN endpoint on a DMZ (or the firewall itself) so that the firewall can see the decrypted packets. If you are really careful, then you re-encrypt them and send them on.

Neil

At 15:30 02/22/00 -0500, MARC A KURTZ wrote:
> Has anyone ever come up with a solution for this problem (in particular from Windows to Linux)?
>
> i.e. How can we authenticate that the data going over the encrypted tunnel is legitimate?

From carlsonmail at YAHOO.COM Tue Feb 22 17:15:16 2000
From: carlsonmail at YAHOO.COM (Chris Carlson)
Date: Tue, 22 Feb 2000 14:15:16 -0800
Subject: VPN's (fwd) - and personal firewalling
Message-ID: <20000222221516.3309.qmail@web114.yahoomail.com>

I'm not sure if this is officially released yet...
CheckPoint SecureClient 4.1, their enhanced VPN client, includes a personal firewall module that is installed on the end-user's machine as part of the VPN client.

The cool thing about this? All firewall policies for the SecureClient are managed and maintained from the company's central server and get pushed down to the user each time s/he logs into the VPN. This secures the end-user's machine even when they're not on the VPN, and everything is managed by the company's security admins.

Hope this helps.

Chris

--- Jon Carnes wrote:
> If you are worried about your folks in the field (and you may well be!) then I would suggest that you get them a decent firewalling program to run on their boxen. For $40, you can buy software that will protect their machine. I like BlackIce Defender ( http://www.netice.com ), which monitors any attempts to get into their computer and makes sure that the attempts fail. It also tells you when someone has been trying.
>
> The users can have the firewall program up and running and still VPN in to the company site, or browse the web.
>
> ----- Original Message -----
> From: "Ryan Russell"
> Sent: Tuesday, February 22, 2000 2:48 PM
> Subject: Re: VPN's (fwd)
>
> > On Tue, 22 Feb 2000, Andrew Paul wrote:
> >
> > > You might check with the various VPN vendors. They should be able to set up a "route table" when the client software is enabled that states all traffic should go through the encrypted tunnel. I believe this can be set up on the VPNet VSU systems. They have a WIN95/98 and NT 4.0 client. It also may be a possibility in the Nortel Contivity product line.
> >
> > That may not be sufficient. The attacker can still get packets to your VPN client. Even if the replies go back home, the attacker may still get them, depending on the firewall back home.
> > In many cases, they'll get them with a translated source address, which for clever attackers won't slow them down at all, and may allow them to continue their connection just fine.
> >
> > Ryan

From mep at NETSEC.NET Tue Feb 22 18:18:00 2000
From: mep at NETSEC.NET (matthew patton)
Date: Tue, 22 Feb 2000 18:18:00 -0500
Subject: VPN's (fwd) - and personal firewalling
In-Reply-To: <20000222221516.3309.qmail@web114.yahoomail.com>

On Tue, 22 Feb 2000, Chris Carlson wrote:

I want to know who's been cribbing from whom..

> I'm not sure if this is officially released yet...
...
> CheckPoint SecureClient 4.1, their enhanced VPN
...
> The cool thing about this? All firewall policies for the SecureClient are managed and maintained from the company's central server and get pushed down to the user each time s/he logs into the VPN.

F-Secure has the exact same thing. Their VPN+ and distributed Firewall (and anti-virus and disk encryption piece) all are controlled remotely via policies. Pretty slick. You can contact us for more info if you want it.

--
Network Security Technologies Inc. - Commercial support for OpenBSD
www.netsec.net (703) 561-0420 matthew.patton at netsec.net

"Government is not reason; it is not eloquence; it is force! Like fire, it is a dangerous servant and a fearful master."
- George Washington

From m_basha at AGAINTECH.COM Wed Feb 23 01:18:10 2000
From: m_basha at AGAINTECH.COM (Mohamed Mohaideen Basha)
Date: Wed, 23 Feb 2000 11:48:10 +0530
Subject: VPN's in two Network
Message-ID: <38B37BA2.EE81CA53@againtech.com>

Hi Everybody

I have my webRamp 410i in India connected to my network, which is running
on an ISDN line. I also have a network in the US connected using a Netopia
R7 100, where they have a DSL connection. I want my 2 networks to be
connected using VPN so that all workstations in India can see all terminals
in the US and vice versa. Can I do this using a single login ID so that all
terminals share the same user ID and see all terminals on the other side
and share the resources? I am using Windows NT RAS PPTP Server on both
sides.

Basha

From cdupuis at UNI-GLOBAL.COM Wed Feb 23 03:19:07 2000
From: cdupuis at UNI-GLOBAL.COM (Klement Dupvis)
Date: Wed, 23 Feb 2000 09:19:07 +0100
Subject: pulling vpn statistics
In-Reply-To:
Message-ID:

There is even a Windows version of MRTG available if you do not have a
UNIX box.

Clement

Clement Dupuis CISSP, ACE
Tel: 514-840-9642   Fax: 514-840-1166
Courriel/Email: cdupuis at uni-global.com
Directeur des Operations/Operations Manager
UniGlobal   http://www.uni-global.com
Solutions de securite/Security solutions

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Truman Boyes
Sent: 22 fevr. 2000 20:43
To: VPN at SECURITYFOCUS.COM
Subject: Re: pulling vpn statistics

Hi Rob,

If you have access to a unix workstation you could set up MRTG. It is a
decent traffic graphing tool for polling SNMP objects. Your basic MIB
should be able to walk the correct objects out of the routers. I am unaware
if there are specific VPN MIBs available for Cisco routers. A quick search
on MRTG should give promising results.

Good Luck!

.truman.boyes.
 /"\
 \ /   CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
  X    ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
 / \

On Fri, 18 Feb 2000, Rob Ang wrote:

> Hi everyone,
>
> I have a VPN setup between two cisco1601R's and was wondering if anyone
> had a good resource to read for pulling statistics between the tunnels;
> i.e. latency, packet count/loss, etc. I'm not too familiar with RTTMON
> and was wondering how to implement this for VPNs
>
> thanks!
> Rob

From lrenn at ETCI.COM Wed Feb 23 12:13:14 2000
From: lrenn at ETCI.COM (Luke Renn)
Date: Wed, 23 Feb 2000 12:13:14 -0500
Subject: win2k vpn problem
Message-ID: <00f101bf7e21$452311d0$0a83a8c0@localnet>

Hi all,

I really wish we could just use IPsec for our VPN connections, but I have
to support this damn MS PPTP VPN.. argh. Anyway, I had it working for the
past few months on the Win2K beta. It worked OK, a little slow, but it
worked. While I was away on vacation someone upgraded the machine to the
final release version of Win2K Server.

Anyway, in the "Ports" part of the Routing and Remote Access console, there
are no longer any entries. I had this problem a while back but I can't
remember how I got them to come back. I disabled routing and remote
access... rebooted, and reconfigured it, but it still didn't add the PPTP
entries to the "Ports" tree. Anyone else ever have this problem? Know of a
fix? I should probably ask the win2k newsgroups, but I'd rather ask you
guys first :)

I have a working NT based PPTP VPN that I can just route to, but my
superiors want it on 2000. It says it's running, the service starts fine.
Only symptoms are the lack of all the VPN ports (in the management console
of RRAS) and TCP 1723 isn't open.

God I hate windows...
Thanks guys,
Luke

From truman at RESEARCH.SUSPICIOUS.ORG Wed Feb 23 09:56:48 2000
From: truman at RESEARCH.SUSPICIOUS.ORG (Truman Boyes)
Date: Wed, 23 Feb 2000 09:56:48 -0500
Subject: Security and Out of the Office Messages
Message-ID:

Hi,

Sorry as this does not relate to VPNs. I recently replied to a post, and
over the next few days received numerous bounce messages from MTAs stating
that the recipient was out of the office until a given date. Now in a
corporate environment where this information is useful, I would feel
relieved to know the whereabouts of my co-workers. On the Internet, as I
would presume this list has been subscribed to by individuals wearing a
slightly darker hat, this becomes an information leakage. I think it would
also be a safe bet that most of you are in some way overseeing the security
of your companies or clients. I have now five or six companies that I know
will have lax administration, since their admins or engineers will be out
of the office, that I could begin hypothetically attacking. I would know my
window. If we really are to be concerned with key lengths and dangers of
preshared secrets and such, basic rules of security should accompany.

.truman.boyes.
--------------
www.suspicious.org

From marck at ESU.EDU Wed Feb 23 12:26:51 2000
From: marck at ESU.EDU (MARC A KURTZ)
Date: Wed, 23 Feb 2000 12:26:51 -0500
Subject: VPN's (fwd)
References: <4.2.2.20000222140021.00a46c50@popserv.ucop.edu>
Message-ID: <00b501bf7e25$18148170$cbda94c0@s30603>

This is exactly what we want. Anyone have an idea on how to do this with
PGPnet and FreeS/WAN?

----- Original Message -----
From: "Neil Ratzlaff"
To: "MARC A KURTZ" ;
Sent: Tuesday, February 22, 2000 5:03 PM
Subject: Re: VPN's (fwd)

> You can't evaluate encrypted packets. A common solution is to put the VPN
> endpoint on a DMZ (or the firewall itself) so that the firewall can see
> the decrypted packets.
> If you are really careful, then you re-encrypt them and send them on.
> Neil
>
> At 15:30 02/22/00 -0500, MARC A KURTZ wrote:
> >Has anyone ever come up with a solution for this problem ( in particular
> >from windows to linux )?
> >
> >i.e. How can we authenticate that the data going over the encrypted
> >tunnel is legitimate?

From jfranco at MUNDO-R.NET Wed Feb 23 13:42:25 2000
From: jfranco at MUNDO-R.NET (Franco Sabaris, Javier)
Date: Wed, 23 Feb 2000 19:42:25 +0100
Subject: Max. remote users - Cisco HGw
Message-ID:

> Hi!
>
> I have a little problem and I would like to know your thoughts about it.
> It would be perfect if any Cisco guy over there is reading this.
>
> Some months ago I installed a VPDN with up to 70 concurrent remote users,
> using L2F tunnels. The tunnels are initiated in the Access Server of the
> ISP, and they end in the Home Gateway, which is in the central node of
> the network. Well, a typical VPDN.
>
> Working together with a local Cisco partner, we installed a Cisco 3620,
> which seemed to be suitable for this configuration. Some weeks after the
> start of the installation, we found that the Cisco 3620 reset when the
> concurrent remote connections grew up to 10-14, more or less. It seemed
> to be a bug in IOS. As a temporary solution, we installed a 4700, which
> has been working well since then.
>
> After a couple of months waiting for an answer, this local Cisco partner
> says that Cisco is not giving an answer to the problem, and that we
> should install a 7120 for a permanent solution to this problem, and for
> other similar VPNs we may install in future.
>
> It sounded a bit strange, but I had nothing to argue against that. But...
> recently, I've read new information on the Cisco web site. It talks
> about a 3620 supporting up to _hundreds_ of remote users. Our local
> provider says that Cisco doesn't guarantee these figures in our
> configuration.
> They want to make a test in our network, without guarantee, and we're not
> willing to do that.
>
> I have recently asked for a Home Gateway for a similar VPDN for only 5
> remote nodes, and they suggest a 3620, which is a bit expensive for this
> little network.
>
> My questions are:
>
> - Does anybody have any experience with this kind of network working with
>   this equipment?
> - Is there any chart stating which HGw to use in each case, depending on
>   whatever parameters? I mean a _guaranteed_ chart, something I would use
>   to ask for responsibilities in case of problems.
>
> Javier Franco
> R

From dgillett at NIKU.COM Wed Feb 23 17:25:46 2000
From: dgillett at NIKU.COM (David Gillett)
Date: Wed, 23 Feb 2000 14:25:46 -0800
Subject: VPN's in two Network
In-Reply-To: <38B37BA2.EE81CA53@againtech.com>
Message-ID: <011901bf7e4c$ee94b2c0$f30410ac@niku.com>

Presumably, your two networks are using different subnet address ranges,
and so the VPN tunnel "looks like" a router connecting the two subnets. At
that point, the fact that the connection is a VPN tunnel can safely be
ignored, and now you want to be able to see everything in Network
Neighborhood and access shared resources and so on.

The key to *that* is to have at least one WINS server on each subnet, and
configure the WINS servers to do replication with each other. [If you have
no WINS present, your machines will happily use broadcast traffic to
resolve NetBIOS names to addresses. But broadcasts won't traverse a router,
and won't flow through the VPN.]

Implementing WINS is pretty simple if you already use DHCP; it can be
pretty tedious if you don't. I don't think it's on-topic for this list,
though.

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Mohamed Mohaideen Basha
Sent: February 22, 2000 22:18
To: VPN at SECURITYFOCUS.COM
Subject: VPN's in two Network

Hi Everybody

I have my webRamp 410i in India connected to my network, which is running
on an ISDN line. I also have a network in the US connected using a Netopia
R7 100, where they have a DSL connection. I want my 2 networks to be
connected using VPN so that all workstations in India can see all terminals
in the US and vice versa. Can I do this using a single login ID so that all
terminals share the same user ID and see all terminals on the other side
and share the resources? I am using Windows NT RAS PPTP Server on both
sides.

Basha

From carson at TLA.ORG Wed Feb 23 16:55:13 2000
From: carson at TLA.ORG (Carson Gaspar)
Date: Wed, 23 Feb 2000 16:55:13 -0500
Subject: VPN's (fwd)
In-Reply-To: <00b501bf7e25$18148170$cbda94c0@s30603>
References: <4.2.2.20000222140021.00a46c50@popserv.ucop.edu> <00b501bf7e25$18148170$cbda94c0@s30603>
Message-ID: <14516.22337.615477.529584@taltos.tla.org>

The _correct_ way to handle authorization is to have it integrated with the
VPN, so that all the information necessary for making the authorization
decision is available. Unfortunately, I know of no free VPN implementation
that does this.

Here's one of my VPN policy torture tests for folks who try to sell me
VPNs:

- Permit User "fred" AuthType "securid" Crypto "3-DES"
    Dest "imap-server:TCP:143" Dest "admin-server:TCP:22" Dest "NT-server:TCP:139"
- Permit User "fred" AuthType "securid" Crypto "DES-40"
    Dest "imap-server:TCP:143"
- Permit User "ManagingDirector" AuthType "password" Crypto "*"
    Dest "imap-server:TCP:143"

If you can't implement the above policy, go back and re-write your VPN or
it's useless for anything other than a leased-line replacement.
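The three rules above, evaluated as an added example (this is not code from Carson's post, and not any VPN product's policy engine): a default-deny matcher in which the decision depends on the user, the authentication type, the cipher and the destination together, which is the point of the torture test. Using a weak cipher (DES-40) with strong authentication (SecurID) narrows fred to the IMAP server only, and a password-only login gets the ManagingDirector nothing beyond IMAP regardless of cipher. The rule grammar, the request fields, and the names parse_policy and decide are assumptions made for this example.

```python
"""Evaluate a VPN authorization policy in the style of the "torture test".

Added example; the rule grammar and the (user, auth_type, crypto, dest)
request tuple are assumptions made here, not a real product's API.
"""
import shlex
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    user: str
    auth_type: str
    crypto: str            # cipher name, or "*" for any cipher
    dests: frozenset       # allowed "host:proto:port" strings


@dataclass(frozen=True)
class Request:
    user: str
    auth_type: str
    crypto: str
    dest: str


def parse_policy(text):
    """Parse lines of the form
         - Permit User "u" AuthType "a" Crypto "c" Dest "h:p:n" [Dest ...]
    into Rule objects. Only Permit rules exist in the policy; anything not
    explicitly permitted is denied (default deny)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("- ").strip()
        if not line:
            continue
        tokens = shlex.split(line)          # honours the quoted values
        if tokens[0] != "Permit":
            raise ValueError(f"unsupported action: {tokens[0]}")
        attrs = {"Dest": []}
        for key, value in zip(tokens[1::2], tokens[2::2]):
            if key == "Dest":
                attrs["Dest"].append(value)  # a rule may list several Dests
            else:
                attrs[key] = value
        rules.append(Rule(attrs["User"], attrs["AuthType"], attrs["Crypto"],
                          frozenset(attrs["Dest"])))
    return rules


def is_permitted(rules, req):
    """Default deny: permit only if some rule matches every attribute.
    The cipher is matched as a glob so "*" accepts any negotiated cipher."""
    for r in rules:
        if (r.user == req.user
                and r.auth_type == req.auth_type
                and fnmatchcase(req.crypto, r.crypto)
                and req.dest in r.dests):
            return True
    return False


# The policy from the post, verbatim, as constructed input for this example.
POLICY = '''
- Permit User "fred" AuthType "securid" Crypto "3-DES" Dest "imap-server:TCP:143" Dest "admin-server:TCP:22" Dest "NT-server:TCP:139"
- Permit User "fred" AuthType "securid" Crypto "DES-40" Dest "imap-server:TCP:143"
- Permit User "ManagingDirector" AuthType "password" Crypto "*" Dest "imap-server:TCP:143"
'''

RULES = parse_policy(POLICY)


def decide(user, auth_type, crypto, dest):
    """Authorization decision for one connection attempt."""
    return is_permitted(RULES, Request(user, auth_type, crypto, dest))


if __name__ == "__main__":
    checks = [
        ("fred", "securid", "3-DES", "admin-server:TCP:22"),      # strong auth + strong cipher
        ("fred", "securid", "DES-40", "admin-server:TCP:22"),     # weak cipher: IMAP only
        ("fred", "securid", "DES-40", "imap-server:TCP:143"),
        ("fred", "password", "3-DES", "imap-server:TCP:143"),     # wrong auth method for fred
        ("ManagingDirector", "password", "DES-40", "imap-server:TCP:143"),
        ("ManagingDirector", "password", "3-DES", "admin-server:TCP:22"),
    ]
    for c in checks:
        print(c, "->", "PERMIT" if decide(*c) else "DENY")
```

A VPN that only knows the user name at decision time cannot express rules two and three; that is the property the torture test probes.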
--
Carson Gaspar -- carson at tla.org  carson at cs.columbia.edu  carson at cugc.org
http://www.cs.columbia.edu/~carson/home.html
Queen Trapped in a Butch Body

From dgillett at NIKU.COM Wed Feb 23 16:49:46 2000
From: dgillett at NIKU.COM (David Gillett)
Date: Wed, 23 Feb 2000 13:49:46 -0800
Subject: win2k vpn problem
In-Reply-To: <00f101bf7e21$452311d0$0a83a8c0@localnet>
Message-ID: <010e01bf7e47$e7303fe0$f30410ac@niku.com>

Not what you're hoping to hear, of course, but I thought I'd seen that
Microsoft were dropping PPTP support in Win2K....

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Luke Renn
Sent: February 23, 2000 09:13
To: VPN at SECURITYFOCUS.COM
Subject: win2k vpn problem

Hi all,

I really wish we could just use IPsec for our VPN connections, but I have
to support this damn MS PPTP VPN.. argh. Anyway, I had it working for the
past few months on the Win2K beta. It worked OK, a little slow, but it
worked. While I was away on vacation someone upgraded the machine to the
final release version of Win2K Server.

Anyway, in the "Ports" part of the Routing and Remote Access console, there
are no longer any entries. I had this problem a while back but I can't
remember how I got them to come back. I disabled routing and remote
access... rebooted, and reconfigured it, but it still didn't add the PPTP
entries to the "Ports" tree. Anyone else ever have this problem? Know of a
fix? I should probably ask the win2k newsgroups, but I'd rather ask you
guys first :)

I have a working NT based PPTP VPN that I can just route to, but my
superiors want it on 2000. It says it's running, the service starts fine.
Only symptoms are the lack of all the VPN ports (in the management console
of RRAS) and TCP 1723 isn't open.

God I hate windows...
Thanks guys,
Luke

From Brent_Jarvis at MITEL.COM Wed Feb 23 17:32:12 2000
From: Brent_Jarvis at MITEL.COM (Brent_Jarvis at MITEL.COM)
Date: Wed, 23 Feb 2000 17:32:12 -0500
Subject: iPlanet Webtop, An Alternative to the traditional VPN
Message-ID: <8525688E.007BCC6D.00@kanmta01.software.mitel.com>

Has anyone ever heard of or tried the remote access product offered by
iPlanet (Netscape/SUN Alliance) called Webtop?

From my understanding it is completely browser based (creates SSL
connections) and allows remote users to access their company's web-enabled
applications supported by the Webtop server.
(site: http://www.iplanet.com/products/hosting_prod/webtop/index.html)

I thought before I do too much investigation/analysis, I would ask what
this group thinks of the product (or concept).

My first reactions are this is great for the following reasons;
- no client to install or manage
- access anywhere, anytime
- appears to support all major applications (email, file, telnet, other?
  - not sure about ERP apps)
- common interface for all applications (browser)
- rapid deployment and little effort
- reduces remote access costs (1-800)
- faster access speeds than traditional VPNs? (a guess on my part)

With my security hat on I am concerned about the following issues:
- does not address broadband access security issues
- encourages remote access to your internal network on any computer
- another server and access route to support/manage

Any other thoughts, especially from those who use or have tried it.
Thanks,
Brent

From lisa at CORECOM.COM Wed Feb 23 18:35:38 2000
From: lisa at CORECOM.COM (Lisa Phifer)
Date: Wed, 23 Feb 2000 18:35:38 -0500
Subject: win2k vpn problem
In-Reply-To: <010e01bf7e47$e7303fe0$f30410ac@niku.com>
References: <00f101bf7e21$452311d0$0a83a8c0@localnet>
Message-ID: <4.2.0.58.20000223182524.0099c3a0@mail2.netreach.net>

At 01:49 PM 2/23/2000 -0800, you wrote:
>Not what you're hoping to hear, of course, but I thought I'd seen that
>Microsoft were dropping PPTP support in Win2K....

While IPSec and L2TP are definitely favored in Win2K, PPTP hasn't been
dropped, according to the W2K white paper posted at:
http://www.microsoft.com/windows2000/library/howitworks/security/comsec.asp

Relevant passages are quoted below:

"PPTP is broadly used today in both client-to-gateway and gateway-to-gateway
scenarios. With mutual client/server authentication based on users'
passwords and encryption keys seeded by the authentication process, PPTP is
easy and inexpensive to set up and simple to administer. By virtue of its
design, PPTP can also be passed through Network Address Translators (NAT).
This NAT capability eliminates the requirement that each PPTP end-point
have a registered IP address when used across the Internet."

"While L2TP/IPSec is an excellent solution for multi-vendor interoperability
in both client-to-gateway and gateway-to-gateway scenarios, its usage of
IPSec does require a PKI to be scalable. Also, because of incompatibilities
between IKE And NAT, neither L2TP/IPSec, nor IPSec pure tunnel mode, nor
IPSec transport can pass through typical NATs. Microsoft believes that PPTP
will remain an important protocol choice for customers who do not require
the sophistication of IPSec-based communications, who do not want to deploy
a PKI, or who require a NAT-capable VPN protocol. As such, Microsoft is
committed to ongoing support and advancement of PPTP."
and

"Windows 2000 includes PPTP support for client-to-gateway and
gateway-to-gateway configurations."

This MS paper appears current - has anyone seen a more recent backoff
statement on PPTP by Microsoft?

From jeffg at ASHLEYLAURENT.COM Wed Feb 23 18:55:46 2000
From: jeffg at ASHLEYLAURENT.COM (Jeffrey Goodwin)
Date: Wed, 23 Feb 2000 17:55:46 -0600
Subject: win2k vpn problem
Message-ID:

Microsoft has contributed as an author to a DHCP draft for IPSec. They do
talk about moving to it at some point in the future in one of their white
papers. I've discussed this in a security newsletter:
http://www.ashleylaurent.com/newsletter/newsletter.htm

However, we have verified that PPTP is in fact in Windows 2000.

Jeffrey Goodwin

-----Original Message-----
From: Lisa Phifer [mailto:lisa at CORECOM.COM]
Sent: Wednesday, February 23, 2000 5:36 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: win2k vpn problem

At 01:49 PM 2/23/2000 -0800, you wrote:
>Not what you're hoping to hear, of course, but I thought I'd seen that
>Microsoft were dropping PPTP support in Win2K....

From Jean.Triquet at PWGSC.GC.CA Wed Feb 23 22:04:31 2000
From: Jean.Triquet at PWGSC.GC.CA (Jean Triquet)
Date: Wed, 23 Feb 2000 22:04:31 -0500
Subject: VPN's (fwd)
Message-ID:

FreeS/WAN is IPsec and IPsec's purpose is to provide authentication and/or
encryption for each and every packet processed by it. So if you want the
packets to be authenticated you just need to set up the security policies
accordingly.

First time I hear about PGPnet, but if it's IPsec compliant, configure it
to use IPsec/AH or IPsec/ESP with authentication; configure an identical
policy on your FreeS/WAN computer. When PGPnet and FreeS/WAN establish
their IPsec link, each IP packet sent between the two will be
authenticated.

If PGPnet is not an IPsec software, try SSH/IPsec Express or Newbridge
Permit/Client (or should we say Alcatel?)
or any other IPsec client for Windows.

-----Original Message-----
From: MARC A KURTZ [mailto:marck at ESU.EDU]
Sent: February 23, 2000 12:27 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: VPN's (fwd)

This is exactly what we want. Anyone have an idea on how to do this with
PGPnet and FreeS/WAN?

----- Original Message -----
From: "Neil Ratzlaff"
To: "MARC A KURTZ" ;
Sent: Tuesday, February 22, 2000 5:03 PM
Subject: Re: VPN's (fwd)

> You can't evaluate encrypted packets. A common solution is to put the VPN
> endpoint on a DMZ (or the firewall itself) so that the firewall can see
> the decrypted packets. If you are really careful, then you re-encrypt
> them and send them on.
> Neil
>
> At 15:30 02/22/00 -0500, MARC A KURTZ wrote:
> >Has anyone ever come up with a solution for this problem ( in particular
> >from windows to linux )?
> >
> >i.e. How can we authenticate that the data going over the encrypted
> >tunnel is legitimate?

From guy.raymakers at EUROPE.EDS.COM Thu Feb 24 08:12:38 2000
From: guy.raymakers at EUROPE.EDS.COM (guy.raymakers at EUROPE.EDS.COM)
Date: Thu, 24 Feb 2000 14:12:38 +0100
Subject: PPTP server
Message-ID: <4125688F.0049BFA1.00@beanmg01.lneu.emea.eds.com>

Hi everyone,

Is there someone who knows some products that support PPTP? We have tested
Nortel CES. I'm looking for having a PPTP client at the remote and a PPTP
server central. Therefore, we are looking for systems that support PPTP
tunnels.

Many Thanks
Guy

From mlow at USWEBCKS.COM Wed Feb 23 22:47:41 2000
From: mlow at USWEBCKS.COM (Michael Low)
Date: Wed, 23 Feb 2000 22:47:41 -0500
Subject: L2F and L2TP
In-Reply-To: <4.2.2.20000221070753.069597e0@zbl6c000.corpeast.baynetworks.com>
References: <4.2.2.20000221070753.069597e0@zbl6c000.corpeast.baynetworks.com>
Message-ID:

You can also look into the following free sources for useful information.
Cisco's documentation on L2TP provides some quick comparisons with L2F:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113aa/113aa_5/l2tp.htm

Also check: RFC 2341 (L2F) and RFC 2661 (L2TP).

Michael

At 7:12 AM -0500 21/2/00, Jeffrey Needle wrote:
>Miranda, an excellent book came out recently called L2TP: Implementation
>and Operation by Richard Shea. It covers layer 2 protocols extensively.
>It's part of Addison-Wesley's Networking Basics series
>(http://www.awl.com/cseng/networkingbasics) and lists for $19.95.
>
>j.
>
>At 05:33 AM 2/14/00 , Miranda Heesbeen wrote:
>
>>Hi everyone,
>>
>>Does somebody know where I can find information about the two protocols
>>for VPN? I can't find anything about it. Only information about the same
>>options between PPTP and L2TP. But I would like to know how they both
>>work, the protocols L2F and L2TP and what they do.
>>
>>Thanks,
>>
>>Miranda

From SCundall at ARIBA.COM Thu Feb 24 11:26:54 2000
From: SCundall at ARIBA.COM (Steve Cundall)
Date: Thu, 24 Feb 2000 08:26:54 -0800
Subject: PPTP server
Message-ID: <19A187F26DD4D311949F009027E28ACE062FAC@us-mtvmail3.ariba.com>

I have heard rumors that Cisco IOS on certain hardware platforms was
supposed to support PPTP in late Dec.

Steve

-----Original Message-----
From: guy.raymakers at EUROPE.EDS.COM [mailto:guy.raymakers at EUROPE.EDS.COM]
Sent: Thursday, February 24, 2000 5:13 AM
To: VPN at SECURITYFOCUS.COM
Subject: PPTP server

Hi everyone,

Is there someone who knows some products that support PPTP? We have tested
Nortel CES. I'm looking for having a PPTP client at the remote and a PPTP
server central.
Therefore, we are looking for systems that support PPTP tunnels.

Many Thanks
Guy

From sand232 at YAHOO.COM Thu Feb 24 11:41:02 2000
From: sand232 at YAHOO.COM (Sandy Green)
Date: Thu, 24 Feb 2000 08:41:02 -0800
Subject: PPTP server
Message-ID: <20000224164102.16904.qmail@web704.mail.yahoo.com>

The product that supports PPTP natively is Windows NT, and though I have
not tested it myself, I have heard from people on this list that PPTP is
supported in Windows 2000 as well.

The RAS service and PPTP protocol need to be installed on the hosts. And if
one is using PPTP, in all probability it would need to be able to go
through a firewall. For the firewall to allow PPTP traffic to flow through
it you would need the following to be opened between the relevant
sources/destinations: TCP port 1723 and IP protocol no 47 (which is GRE).

-sandy

--- guy.raymakers at EUROPE.EDS.COM wrote:
> Hi everyone,
>
> Is there someone who knows some products that support PPTP? We have
> tested Nortel CES. I'm looking for having a PPTP client at the remote
> and a PPTP server central. Therefore, we are looking for systems that
> support PPTP tunnels.
>
> Many Thanks
> Guy

__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com

From fred at DONCK.COM Fri Feb 25 04:26:14 2000
From: fred at DONCK.COM (Fred Donck)
Date: Fri, 25 Feb 2000 10:26:14 +0100
Subject: SANE 2000 program details and registration - May 22-25, 2000
Message-ID: <20000225102614.A25976@blue.patriots.net>

At the SANE 2000 web site ( http://www.nluug.nl/sane/ ) you will find full
program details, on-line registration, hotel information & reservation
forms, travel information and much more, regarding the SANE 2000
conference.
[ASCII-art banner: SANE 2000]

http://www.nluug.nl/sane/

2nd International SANE Conference
May 22-25, 2000
Maastricht, The Netherlands

A conference organized by the NLUUG, the UNIX User Group - The Netherlands
co-sponsored by USENIX, the Advanced Computing Systems Association, and
Stichting NLnet

----------------
Important dates:
----------------
Early registration deadline: April 7, 2000
Registration closing date  : May 14, 2000

We are very pleased to present you the program for SANE 2000, an
international conference on System Administration and Networking, focused
on UNIX and IP networking. Going through the program, you will find
renowned speakers for many interesting topics. SANE 2000 is the place where
you will hear, discuss, then put to use the latest research,
well-thought-out approaches, tools and techniques for practical system
administration and security.

Monday and Tuesday are your true opportunity for in-depth study! For two
days, choose among three tracks of tutorials, covering topics like Perl/Tk,
IPSEC, Sendmail, firewalls, DNS and general UNIX systems administration and
led by experienced and respected instructors like Eric Allman, Jim Reid,
Hugh Daniel, Walter Belgers, Hans van de Looy, Mark Overmeer, Jos Vos and
Evi Nemeth.

During the third and fourth day of SANE 2000 you will (after the keynote)
be able to choose from two tracks of interesting presentations: the
refereed papers track or the invited talks sessions. Hear about network
management, security, modern file system techniques, IP internals,
(b)leading edge developments, the use of open source software, and so on.
You will find a remarkable line-up of speakers, including Brian Reid, Jeff
Allen, Eric Allman, Barbara Dijker, Guido van Rooij, Mark Burgess, Joe
Greco, Bastiaan Bakker and many, many more.

On Tuesday and Wednesday you can also stroll along the exhibition area,
where vendors will demonstrate their latest hardware and software products
they hope will help you do your job more efficiently and effectively.

Of course, there's also time to relax. Make sure you don't miss the social
event (and conference dinner) on Wednesday evening.

The conference ends on Thursday afternoon with "The inSANE Quiz" where
keywords like Hilarious! Fun! Educational! apply. Attend the quiz and be
awed by the vast amounts of absolutely useless knowledge portrayed by the
quiz candidates. Or, even better, register as a potential quiz candidate
and test your cognitive powers against the world's masters of completely
useless facts. Try to beat the reigning champion!

SANE 2000 is hosted in the Maastricht Exposition and Conference Center,
MECC, close to the medieval center of the city of Maastricht, in the south
of the Netherlands, close to the borders with Belgium and Germany.

Please join us. We hope to see you in Maastricht on May 22-25 at SANE 2000!

Edwin H. Kremer, Program Co-Chair
Dept. of Computer Science, Utrecht University

Bob Eskes, Program Co-Chair
Applied System's Research, Hollandse Signaalapparaten, Hengelo

For The SANE 2000 Program Committee.

P.S. register early for the tutorials: they tend to fill up fast!

--
Fred Donck || voice/fax: +31-70-311-2374 || e-mail: fred at donck.com
Unix is not user unfriendly, it's picky about its friends

From John.C.Hayward at WHEATON.EDU Thu Feb 24 23:36:44 2000
From: John.C.Hayward at WHEATON.EDU (John Hayward)
Date: Thu, 24 Feb 2000 22:36:44 -0600
Subject: PPTP server
In-Reply-To: <20000224164102.16904.qmail@web704.mail.yahoo.com>
Message-ID:

> installed on the hosts.
> And if one is using PPTP in all probability it would need to be able to
> go through a firewall. For the firewall to allow PPTP traffic to flow
> through it you would need the following to be opened between the
> relevant sources/destinations...
> TCP port 1723 and IP protocol no 47 (which is GRE).

I'm a bit confused by IP protocol no 47. Is this a port number or something
else? We have a person attempting to connect via pptp thru our firewall
router and we generally block ports below 1024. I did a tcpdump and can see
connections going to port 1723 and acks coming back but it dies at some
point in the negotiations. Does port 47 have to be open or might the router
be blocking protocol no 47 (GRE)?

TIA
johnh...

>
> -sandy

From nmackay at SYMPATICO.CA Fri Feb 25 14:26:37 2000
From: nmackay at SYMPATICO.CA (Nancy)
Date: Fri, 25 Feb 2000 11:26:37 -0800
Subject: L2TP security
Message-ID: <000801bf7fc6$3d106500$629ed1d8@default>

I need information on L2TP security. As I understand, it combines the
encryption power of PPTP with the packet authentication power of L2F.
Vendor and IETF documents aren't answering all my questions.

With IPSec, any number of security levels can be negotiated by selecting
encryption and authentication algorithms, key lifetimes, etc. Does the same
capability exist within L2TP? L2TP claims to offer a choice of encryption
and authentication algorithms. I can't determine if the choice exists when
establishing a tunnel or configuring a piece of equipment. The latter seems
rather restrictive since it locks the user into a single security scheme,
no matter what the sensitivity of the data.

Are L2TP products from different vendors compatible? In the case of PPTP,
the Microsoft implementation has taken a lot of criticism. Other vendors
implementing PPTP solutions are quick to distance themselves. Doesn't this
mean that products would be incompatible?

Is an L2TP tunnel different from an IPSec tunnel?
Some of the wording of the documentation I have come across so far leads me
to believe that L2TP establishes a virtual circuit, while IPSec uses
standard packet switching. If this is the case, does L2TP offer any QoS or
security characteristics derived from virtual circuit switching?

Thanks for your help!

Nancy MacKay

From chayward at LUCENT.COM Fri Feb 25 11:49:05 2000
From: chayward at LUCENT.COM (Cary Hayward)
Date: Fri, 25 Feb 2000 08:49:05 -0800
Subject: PPTP server
In-Reply-To: <20000224164102.16904.qmail@web704.mail.yahoo.com>
Message-ID: <3.0.2.32.20000225084905.00ba7990@149.198.1.70>

PPTP is supported on the Lucent (former Ascend) TNT, MAX 6000, MAX 3000
platforms. Protocols also supported are L2TP, ATMP, IPIP, IPSec. The TNT
also supports L2F (foreign agent only).

Cary

At 08:41 AM 2/24/00 -0800, Sandy Green wrote:
>The product that supports PPTP natively is Windows NT, and though I have
>not tested it myself, I have heard from people on this list that PPTP is
>supported in Windows 2000 as well.
>
>The RAS service and PPTP protocol need to be installed on the hosts. And
>if one is using PPTP, in all probability it would need to be able to go
>through a firewall. For the firewall to allow PPTP traffic to flow through
>it you would need the following to be opened between the relevant
>sources/destinations...
>TCP port 1723 and IP protocol no 47 (which is GRE).
>
>-sandy
>
>
>--- guy.raymakers at EUROPE.EDS.COM wrote:
>> Hi everyone,
>>
>> Is there someone who knows some products that support PPTP? We have
>> tested Nortel CES. I'm looking for having a PPTP client at the remote
>> and a PPTP server central. Therefore, we are looking for systems that
>> support PPTP tunnels.
> >
> > Many Thanks
> > Guy

From dgillett at NIKU.COM Fri Feb 25 14:26:30 2000
From: dgillett at NIKU.COM (David Gillett)
Date: Fri, 25 Feb 2000 11:26:30 -0800
Subject: PPTP server
In-Reply-To: <4125688F.0049BFA1.00@beanmg01.lneu.emea.eds.com>
Message-ID: <01cc01bf7fc6$384e4910$f30410ac@niku.com>

The key attraction of PPTP (IMHO...) is that you get a free client in
every 32-bit Windows. You'll only need separate PPTP clients if you need to
support other platforms.

Part of the reason we got an Altiga in to test was because it advertised
PPTP support. It turned out -- this may have changed -- that it can't do NT
domain authentication for PPTP connections, so unless you can dedicate a
machine to serve it RADIUS (or TACACS, I think), your user account database
for PPTP is limited to what the Altiga can hold in memory -- 100 accounts.
That might be sufficient for you. It wasn't for us, but we were
sufficiently pleased with the Altiga IPSEC client (and its license/pricing
model, which I hope Cisco leaves intact!) to adopt that instead of PPTP.

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702
"Transforming the Service Economy"

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of
guy.raymakers at EUROPE.EDS.COM
Sent: February 24, 2000 05:13
To: VPN at SECURITYFOCUS.COM
Subject: PPTP server

Hi everyone,

Is there someone who knows of some products that support PPTP? We have
tested Nortel CES. I'm looking for having a PPTP client at the remote and
a PPTP server central. Therefore, we are looking for systems that support
PPTP tunnels.
Many Thanks
Guy

From sand232 at YAHOO.COM Fri Feb 25 14:25:52 2000
From: sand232 at YAHOO.COM (Sandy Green)
Date: Fri, 25 Feb 2000 11:25:52 -0800
Subject: PPTP server
Message-ID: <20000225192552.19854.qmail@web701.mail.yahoo.com>

IP protocol is not a port. It is the IP protocol number, e.g.

IP protocol no 6  ----> TCP
IP protocol no 17 ----> UDP

Similarly

IP protocol no 47 ----> GRE, general routing encapsulation protocol.
(I do not know the details, but for our understanding in PPTP it should
suffice that it needs this protocol.)

Port numbers are used by TCP and UDP. The IP protocol number is a field
which is embedded in an IP packet. The firewall is designed to read the
contents of the IP header, and the IP protocol number is also adjacent
(next to the IP header field). Look into any text book as to how an IP
packet looks and you will see that there is something called the IP
protocol number.

Hence to allow connections through your router you would need two rules:
one to allow TCP port 1723 and the other rule to allow IP protocol number
47. I do not know what firewall router you are using, but if it is Cisco
with the firewall feature set then you would need rules in both directions
as well.

hope this helped
sandy

--- John Hayward wrote:
> > installed on the hosts. And if one is using PPTP in
> > all probability it would need to be able to go through a
> > firewall. For the Firewall to allow PPTP traffic to flow
> > through it you would need the following to be opened
> > between the relevant sources/destinations...
> > TCP port 1723 and IP protocol no 47 (which is GRE).
>
> I'm a bit confused by IP protocol no 47. Is this a
> port number or something else? We have a person attempting to
> connect via pptp thru our firewall router and we generally block ports
> below 1024.
> I did a tcpdump and can see connections going to port 1723
> and acks coming back but it dies at some point in the negotiations.
> Does port 47 have to be open or might the router be blocking
> protocol no 47 (GRE)?
>
> TIA
>
> johnh...
>
> > -sandy

From dgillett at NIKU.COM Fri Feb 25 14:48:33 2000
From: dgillett at NIKU.COM (David Gillett)
Date: Fri, 25 Feb 2000 11:48:33 -0800
Subject: PPTP server
Message-ID: <01d301bf7fc9$4cac7d70$f30410ac@niku.com>

TCP is IP protocol no 6. UDP is no 17. I think ICMP is no 1. Port
numbers are a feature of TCP and UDP; ICMP has "types" and other IP
protocols may or may not have mechanisms for identifying subsets. GRE is a
separate IP protocol, and does not use port numbers within TCP or UDP.

It is quite possible that your router is blocking GRE; in general,
firewalls block everything except what they are told to allow.

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702
"Transforming the Service Economy"

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of John
Hayward
Sent: February 24, 2000 20:37
To: VPN at SECURITYFOCUS.COM
Subject: Re: PPTP server

> installed on the hosts. And if one is using PPTP in
> all probability it would need to be able to go through a
> firewall. For the Firewall to allow PPTP traffic to flow
> through it you would need the following to be opened
> between the relevant sources/destinations...
> TCP port 1723 and IP protocol no 47 (which is GRE).

I'm a bit confused by IP protocol no 47. Is this a port number or
something else? We have a person attempting to connect via pptp thru
our firewall router and we generally block ports below 1024.
I did a tcpdump and can see connections going to port 1723 and acks coming
back but it dies at some point in the negotiations. Does port 47 have to be
open or might the router be blocking protocol no 47 (GRE)?

TIA
johnh...

> -sandy

From matthewr at MORETON.COM.AU Thu Feb 24 18:10:21 2000
From: matthewr at MORETON.COM.AU (Matthew Ramsay)
Date: Fri, 25 Feb 2000 09:10:21 +1000
Subject: PPTP server
References: <4125688F.0049BFA1.00@beanmg01.lneu.emea.eds.com>
Message-ID: <00022509114900.21212@gibberling>

> Is there someone who knows of some products that support PPTP? We have
> tested Nortel CES. I'm looking for having a PPTP client at the remote and
> a PPTP server central. Therefore, we are looking for systems that support
> PPTP tunnels.

Here's a small and very cheap device which supports PPTP (it has a PPTP
server on it, and works with Windows client PPTP software):

http://www.moretonbay.com/MBWEB/product/nettel/nettel.htm

-matt

From sdurette at NEWBRIDGE.COM Thu Feb 24 08:52:08 2000
From: sdurette at NEWBRIDGE.COM (Stephane Durette)
Date: Thu, 24 Feb 2000 08:52:08 -0500
Subject: VPN's (fwd)
Message-ID: <000201bf7ece$5808d5c0$75dba8c0@4080xcdt.TIMESTEP>

Jim,

You can take a look at the TimeStep client; it has the ability to block
communications to the internet while being tunneled in to your internal
network. This is a configurable option and can be locked down by the VPN
admin so the user cannot change this option. This feature is available on
Win 95, 98 and NT clients.

Cheers
Steph

---------------------------------------------------------------------
Stephane Y Durette - Applications Engineer, TimeStep Corp.
(613) 599-3610 x:4682 Voice
(613) 599-9560 - FAX
mailto:sdurette at timestep.com
http://www.timestep.com
---------------------------------------------------------------------
"Two possibilities exist: either we are alone in the universe or we are
not. Both are equally terrifying." Arthur C. Clarke
---------------------------------------------------------------------

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Tina
Bird
Sent: February 22, 2000 12:55 PM
To: VPN at SECURITYFOCUS.COM
Subject: VPN's (fwd)

From durwardj at home.com Sun Feb 20 19:33:43 2000
From: durwardj at home.com (Jim Durward)
Date: Sun, 20 Feb 2000 16:33:43 -0800
Subject: VPN's

I am trying to find answers to the following questions:

1. Where can I find a Win95/98/NT VPN client that will lock out all other
   IP communications when the session is alive?

2. Is there a Linux server that will talk with this Win VPN client?

Please excuse my ignorance on this matter. Can you help?

Thanks,
jim

From angelos at DSL.CIS.UPENN.EDU Thu Feb 24 10:54:21 2000
From: angelos at DSL.CIS.UPENN.EDU (Angelos D. Keromytis)
Date: Thu, 24 Feb 2000 10:54:21 -0500
Subject: VPN's (fwd)
In-Reply-To: Your message of "Thu, 24 Feb 2000 07:50:03 EST."
Message-ID: <200002241554.KAA31980@adk.gr>

> From: Carson Gaspar
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: VPN's (fwd)
>
> The _correct_ way to handle authorization is to have it integrated with
> the VPN, so that all the information necessary for making the
> authorization decision is available. Unfortunately, I know of no free
> VPN implementation that does this. Here's one of my VPN policy torture
> tests for folks who try to sell me VPNs:

[snip examples]

Someone else forwarded me this message, and I felt obliged to respond :-)
The OpenBSD IPsec in -current (that is, after the 2.6 release in December)
has ingress filtering at the SA level.
This means you can specify exactly the examples you mentioned, except that
we don't support SecurID authentication in isakmpd (there's no standard way
for it). Then again, I'm not trying to sell you a VPN :-)

Enjoy,
-Angelos

From pjohnson at BOSCONET.ORG Thu Feb 24 14:27:04 2000
From: pjohnson at BOSCONET.ORG (Paul Johnson)
Date: Thu, 24 Feb 2000 14:27:04 -0500
Subject: VPN's (fwd)

On Tue, 22 Feb 2000, Tina Bird wrote:

> I am trying to find answers to the following questions:
>
> 1. Where can I find a Win95/98/NT VPN client that will lock out all other
> IP communications when the session is alive?

In addition to all the others mentioned, check out Nortel's IPSec client
for their Contivity platform.

> 2. Is there a Linux server that will talk with this Win VPN client?

I haven't looked into this at all but the Contivity platform is actually
pretty nice and reasonably priced.

Paul Johnson
Herndon VA
http://www.bosconet.org
(made with 100% recycled bits)

From pbryan at ACRUX.NET Fri Feb 25 17:24:46 2000
From: pbryan at ACRUX.NET (Patrick Bryan)
Date: Fri, 25 Feb 2000 14:24:46 -0800
Subject: VPN's (fwd)
In-Reply-To: <200002241554.KAA31980@adk.gr>
Message-ID: <200002252016.OAA01375@firewall.swedishamerican.org>

You mention ingress filtering.. can anyone tell me what that is?

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of
Angelos D. Keromytis
Sent: Thursday, February 24, 2000 7:54 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: VPN's (fwd)

> From: Carson Gaspar
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: VPN's (fwd)
>
> The _correct_ way to handle authorization is to have it integrated with
> the VPN, so that all the information necessary for making the
> authorization decision is available. Unfortunately, I know of no free
> VPN implementation that does this.
> Here's one of my VPN policy torture tests for folks who try
> to sell me VPNs:

[snip examples]

Someone else forwarded me this message, and I felt obliged to respond :-)
The OpenBSD IPsec in -current (that is, after the 2.6 release in December)
has ingress filtering at the SA level. This means you can specify exactly
the examples you mentioned, except that we don't support SecurID
authentication in isakmpd (there's no standard way for it). Then again,
I'm not trying to sell you a VPN :-)

Enjoy,
-Angelos

From andrew.wightman at GARTNER.COM Fri Feb 25 15:15:54 2000
From: andrew.wightman at GARTNER.COM (Wightman,Andrew)
Date: Fri, 25 Feb 2000 15:15:54 -0500
Subject: Sniffer

Does anyone know of a method or tool that will verify encryption on a data
stream? I am trying to verify that data is encrypted and not compressed.

Please let me know if you do.

Thanks,
Andy

_________________________________
Andrew Wightman
Sr. Network Analyst
GartnerGroup Inc.
andrew.wightman at gartner.com
408.468.8662

From kemp at INDUSRIVER.COM Fri Feb 25 15:21:05 2000
From: kemp at INDUSRIVER.COM (Brad Kemp)
Date: Fri, 25 Feb 2000 15:21:05 -0500
Subject: L2TP security
In-Reply-To: <000801bf7fc6$3d106500$629ed1d8@default>
Message-ID: <3.0.3.32.20000225152105.00cabe70@pop3.indusriver.com>

At 11:26 AM 2/25/00 -0800, Nancy wrote:
> I need information on L2TP security. As I understand, it combines the
> encryption power of PPTP with the packet authentication power of L2F.
> Vendor and IETF documents aren't answering all my questions.
> With IPSec, any number of security levels can be negotiated by selecting
> encryption and authentication algorithms, key lifetimes, etc. Does the
> same capability exist within L2TP?

L2TP uses IPsec for encryption and integrity. It can use the IPsec
authentication mechanism.
> L2TP claims to offer a choice of encryption and authentication
> algorithms. I can't determine if the choice exists when establishing a
> tunnel or configuring a piece of equipment. The latter seems rather
> restrictive since it locks the user into a single security scheme, no
> matter what the sensitivity of the data.

This will depend on the vendor. IPsec allows the encryption and
authentication to be negotiated. L2TP can use PPP authentication above the
IPsec authentication to support smartcards, RADIUS or other authentication
mechanisms.

> Are L2TP products from different vendors compatible?

They should be. There are bound to be a few interoperability problems here
and there, but most of the participants and recent bakeoffs have been
successful.

> In the case of PPTP, the Microsoft implementation has taken a lot of
> criticism. Other vendors implementing PPTP solutions are quick to
> distance themselves. Doesn't this mean that products would be
> incompatible?

PPTP has some design problems as far as security goes. Microsoft made them
worse by producing a less than stellar implementation. Many of the problems
are fixed in the later release from Microsoft, however not all platforms
support the new version. There are inherent problems with some of the
things Microsoft did in the old version (stateful compression and
encryption on a lossy link, tiny window sizes to overcome the stateful
problem, using the same key in both directions, allowing key rollback).
Most vendors will interoperate with Microsoft PPTP. In our case, if we are
at both ends, we drop into a mode that cures some of the PPTP ills; if not,
we speak Microsoft PPTP.

> Is an L2TP tunnel different from an IPSec tunnel? Some of the wording of
> the documentation I have come across so far leads me to believe that L2TP
> establishes a virtual circuit, while IPSec uses standard packet
> switching. If this is the case, does L2TP offer any QoS or security
> characteristics derived from virtual circuit switching?
L2TP allows multiprotocol tunneling, alternative authentication, and any
other feature PPP has. QOS and/or other virtual circuit switching features
are vendor specific.

> Thanks for your help!
> Nancy MacKay

Brad
--
Brad Kemp                      Indus River Networks, Inc.
BradKemp at indusriver.com        31 Nagog Park
978-266-8122                   Acton, MA 01720
fax 978-266-8111

From sand232 at YAHOO.COM Mon Feb 28 10:20:59 2000
From: sand232 at YAHOO.COM (Sandy Green)
Date: Mon, 28 Feb 2000 07:20:59 -0800
Subject: PPTP server (continued..)
Message-ID: <20000228152100.2662.qmail@web705.mail.yahoo.com>

Continuing on this thread, I wanted to know about the implementation of
PPTP. PPTP as I have implemented it is basically a client to gateway
implementation, i.e. a client connects to a PPTP gateway and can connect
to hosts behind the gateway under the tunnel.

What about PPTP in a gateway to gateway implementation? Is it possible to
implement in a gateway to gateway configuration? If yes, do let me know if
any one of you has done this.

thanks all
sandy

--- David Gillett wrote:
> TCP is IP protocol no 6. UDP is no 17. I think ICMP is no 1. Port
> numbers are a feature of TCP and UDP; ICMP has "types" and other IP
> protocols may or may not have mechanisms for identifying subsets. GRE is
> a separate IP protocol, and does not use port numbers within TCP or UDP.
>
> It is quite possible that your router is blocking GRE; in general,
> firewalls block everything except what they are told to allow.
>
> David Gillett
> Enterprise Server Manager, Niku Corp.
> (650) 701-2702
> "Transforming the Service Economy"
>
> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of John
> Hayward
> Sent: February 24, 2000 20:37
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: PPTP server
>
> > installed on the hosts. And if one is using PPTP in
> > all probability it would need to be able to go through a
> > firewall.
> > For the Firewall to allow PPTP traffic to flow
> > through it you would need the following to be opened
> > between the relevant sources/destinations...
> > TCP port 1723 and IP protocol no 47 (which is GRE).
>
> I'm a bit confused by IP protocol no 47. Is this a port number or
> something else? We have a person attempting to connect via pptp thru
> our firewall router and we generally block ports below 1024. I did a
> tcpdump and can see connections going to port 1723 and acks coming back
> but it dies at some point in the negotiations. Does port 47 have to be
> open or might the router be blocking protocol no 47 (GRE)?
>
> TIA
>
> johnh...
>
> > -sandy

From Noah_Salzman at NAI.COM Sat Feb 26 23:19:54 2000
From: Noah_Salzman at NAI.COM (Salzman, Noah)
Date: Sat, 26 Feb 2000 20:19:54 -0800
Subject: Sniffer
Message-ID: <0DA2A15FEE96D31187AA009027AA6A729D06F9@ca-exchange1.nai.com>

Andrew,

Any of the Sniffer(tm) products from Network Associates will tell you when
a packet is ESP or AH. I'm not too familiar with the decodes (or IPCOMP for
that matter) but I don't think it is possible to know when IPCOMP has been
used for an IPsec connection.

Go to www.sniffer.com for more info or to
http://www.nai.com/asp_set/buy_try/try/products_evals.asp for an evaluation
copy.

Noah Salzman
noah at pgp.com
PGP QA Manager
408.346.5186

-----Original Message-----
From: Wightman,Andrew [mailto:andrew.wightman at GARTNER.COM]
Sent: Friday, February 25, 2000 12:16 PM
To: VPN at SECURITYFOCUS.COM
Subject: Sniffer

Does anyone know of a method or tool that will verify encryption on a data
stream? I am trying to verify that data is encrypted and not compressed.

Please let me know if you do.
Thanks,
Andy

_________________________________
Andrew Wightman
Sr. Network Analyst
GartnerGroup Inc.
andrew.wightman at gartner.com
408.468.8662

From jason.dowd at US.PWCGLOBAL.COM Mon Feb 28 18:01:12 2000
From: jason.dowd at US.PWCGLOBAL.COM (jason.dowd at US.PWCGLOBAL.COM)
Date: Mon, 28 Feb 2000 17:01:12 -0600
Subject: Sniffer
Message-ID: <85256893.007E8F7F.00@intlnamsmtp20.us.pw.com>

All,

Since 3des looks identical to rot13 through the eyes of a sniffer, they are
not going to be of much value. I don't know anything about the source of
the stream of interest, but if it is IPSec for example, and you are
concerned the vendor is fibbing, interop their product with somebody else's
at the same level of crypto. If this works, repeat as necessary until you
conclude:

a) They all work as advertised
b) The whole world is lying to you : )

Jason

Jarrett Knoll on 02/28/2000 08:25:19 AM
Please respond to Jarrett Knoll
To: VPN at SECURITYFOCUS.COM
cc:
Subject: Re: Sniffer

Andy,

I'm not sure there is a method to determine if data has been encrypted and
not compressed. In either case the data will be converted to a different
data stream. If you took a Sniffer Trace for the same message on either
side of the encryption unit and compared the message length, the size may
indicate if compression is being used. Setting the filters may be the
biggest difficulty.

Jarrett Knoll

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of
Wightman,Andrew
Sent: Friday, February 25, 2000 2:16 PM
To: VPN at SECURITYFOCUS.COM
Subject: Sniffer

Does anyone know of a method or tool that will verify encryption on a data
stream? I am trying to verify that data is encrypted and not compressed.

Please let me know if you do.

Thanks,
Andy

_________________________________
Andrew Wightman
Sr. Network Analyst
GartnerGroup Inc.
andrew.wightman at gartner.com
408.468.8662

From cbrenton at SOVER.NET Sat Feb 26 06:50:20 2000
From: cbrenton at SOVER.NET (Chris Brenton)
Date: Sat, 26 Feb 2000 06:50:20 -0500
Subject: VPN's (fwd)
References: <200002252016.OAA01375@firewall.swedishamerican.org>
Message-ID: <38B7BDFC.7BF52B00@sover.net>

Patrick Bryan wrote:
>
> You mention ingress filtering.. can anyone tell me what that is?

There are two methods of filtering, both designed to achieve the same goal.
There are ingress and egress filtering. The RFC written by Paul Ferguson on
ingress filtering is located here:
http://www.cis.ohio-state.edu/htbin/rfc/rfc2267.html

The paper I wrote for SANS on egress filtering is located here:
http://www.sans.org/y2k/egress.htm

The whole idea is to prevent IP spoofing. For example, let's say you've
been allocated the address space 192.168.1.0/24 by your ISP. With egress
filtering you would set up your border router to only allow 192.168.1.0/24
addresses out to the Internet. That way if I root one of your machines and
I try spoofing traffic using a source address of 10.10.10.50, your router
will block the traffic and keep it from reaching its intended target.
A slick trick is the following:

access-list 112 permit ip 192.168.1.0 0.0.0.255 any
access-list 112 deny ip any any log-input
int eth0
ip access-group 112 in

This will log any internal system which tries to spoof traffic. The
"log-input" switch allows the source MAC address to be included in the log
entry. This helps to ID the system generating the traffic. I've already
caught (and had fired) two people attempting to attack a host by spoofing
traffic using this logging method. ;)

HTH,
Chris

--
**************************************
cbrenton at sover.net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet

From gowrishankar.setty at WIPRO.COM Sun Feb 27 06:12:20 2000
From: gowrishankar.setty at WIPRO.COM (Gowri Shankar Bhogisetty)
Date: Sun, 27 Feb 2000 16:42:20 +0530
Subject: VPN case study
Message-ID: <38B90693.D9161D60@wipro.com>

Hi,

I need to know the following things about VPN, since I am new to this
technology:

Overview, vendor solutions and technology trends in VPN.
Pre-requisites, planning and design considerations, pros and cons.

pls let me know of any documents available.

Thanks & Regards
Gowri Shankar

From truman at RESEARCH.SUSPICIOUS.ORG Mon Feb 28 09:43:21 2000
From: truman at RESEARCH.SUSPICIOUS.ORG (Truman Boyes)
Date: Mon, 28 Feb 2000 09:43:21 -0500
Subject: Sniffer

Hi Andrew,

Tcpdump on OpenBSD provides support for examining the ESP. Other versions
of tcpdump may have been patched up to provide this functionality. I am
unaware if windump supports this yet.

.truman.boyes.
--------------
www.suspicious.org

On Fri, 25 Feb 2000, Wightman,Andrew wrote:

> Does anyone know of a method or tool that will verify encryption on a
> data stream? I am trying to verify that data is encrypted and not
> compressed.
>
> Please let me know if you do.
>
> Thanks,
> Andy
>
> _________________________________
>
> Andrew Wightman
> Sr. Network Analyst
> GartnerGroup Inc.
> andrew.wightman at gartner.com
> 408.468.8662

From m_basha at AGAINTECH.COM Sat Feb 26 00:10:15 2000
From: m_basha at AGAINTECH.COM (Basha)
Date: Sat, 26 Feb 2000 10:40:15 +0530
Subject: Could not Ping
Message-ID: <000801bf8017$c51fec30$0201a8c0@atechpdc>

Hi All

One simple problem I do face when I connect to the PPTP server. I am able
to login to the PPTP server, which is behind a WebRamp 410i ISDN router,
but I am unable to ping the PPTP server and access the resources. My DHCP
server is on the PPTP server.

Mohamed Mohaideen Basha
Again Technologies Inc.
India

From JKnoll at MCSIT.COM Mon Feb 28 09:25:19 2000
From: JKnoll at MCSIT.COM (Jarrett Knoll)
Date: Mon, 28 Feb 2000 08:25:19 -0600
Subject: Sniffer

Andy,

I'm not sure there is a method to determine if data has been encrypted and
not compressed. In either case the data will be converted to a different
data stream. If you took a Sniffer Trace for the same message on either
side of the encryption unit and compared the message length, the size may
indicate if compression is being used. Setting the filters may be the
biggest difficulty.

Jarrett Knoll

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of
Wightman,Andrew
Sent: Friday, February 25, 2000 2:16 PM
To: VPN at SECURITYFOCUS.COM
Subject: Sniffer

Does anyone know of a method or tool that will verify encryption on a data
stream? I am trying to verify that data is encrypted and not compressed.

Please let me know if you do.

Thanks,
Andy

_________________________________
Andrew Wightman
Sr. Network Analyst
GartnerGroup Inc.
andrew.wightman at gartner.com
408.468.8662

From pete at ETHER.NET Fri Feb 25 20:14:23 2000
From: pete at ETHER.NET (Pete Davis)
Date: Fri, 25 Feb 2000 20:14:23 -0500
Subject: PPTP server
In-Reply-To: <01cc01bf7fc6$384e4910$f30410ac@niku.com>
References: <4125688F.0049BFA1.00@beanmg01.lneu.emea.eds.com> <01cc01bf7fc6$384e4910$f30410ac@niku.com>
Message-ID: <20000225201423.A7741@ether.net>

David,

Unfortunately, PPTP has both pros and cons. One of the major pros, as you
mentioned, is the free client either integrated with Windows or available
as a DUN upgrade (depending on which version you have).

One of the cons is that something like NT authentication can only be done
if you are willing to install a MPPE/MSCHAP compatible RADIUS server on a
Primary or Backup domain controller. So, you are able to do NT
authentication, but only with specific RADIUS servers, installed on a
PDC/BDC. Out at VPNcon next week (March 1) in San Jose, this is the topic
of my discussion (Remote Access Protocols and Authentication Options for
VPNs). I find that this in particular causes lots of confusion out there.

As far as the Internal user database, this is more of an artificial
limitation than anything else. We didn't really want anybody to use an
Internal database to build a significant user authentication system since
then the next question would be "How do I share this database across
multiple servers", etc, and before you know it, the device turns into an
authentication server.

Best Regards,
-pete

On Fri, Feb 25, 2000 at 11:26:30AM -0800, David Gillett wrote:
> The key attraction of PPTP (IMHO...) is that you get a free client in
> every 32-bit Windows. You'll only need separate PPTP clients if you need
> to support other platforms.
> Part of the reason we got an Altiga in to test was because it advertised
> PPTP support.
> It turned out -- this may have changed -- that it can't do NT
> domain authentication for PPTP connections, so unless you can dedicate a
> machine to serve it RADIUS (or TACACS, I think), your user account
> database for PPTP is limited to what the Altiga can hold in memory --
> 100 accounts. That might be sufficient for you. It wasn't for us, but we
> were sufficiently pleased with the Altiga IPSEC client (and its
> license/pricing model, which I hope Cisco leaves intact!) to adopt that
> instead of PPTP.

From Munix-1 at PACBELL.NET Fri Feb 25 23:25:45 2000
From: Munix-1 at PACBELL.NET (Jose Muniz)
Date: Fri, 25 Feb 2000 20:25:45 -0800 (PST)
Subject: VPN's (fwd) - and personal firewalling
References: <20000222221516.3309.qmail@web114.yahoomail.com>
Message-ID: <32D36CA2.D1D54757@Pacbell.net>

Well, I know that F-Secure will be releasing soon a VPN and Personal
Distributed Firewall, combined and configurable by policy data structures.
You might want to call them and get some information.

As far as you have a "good" IPSec implementation like Checkpoint 4.1 sp-1
as your gateway termination point, the interoperability will be just fine
using either preshared secret or certs.

Good luck.

Jose Muniz.

>
> I'm not sure if this is officially released yet...
>
> CheckPoint SecureClient 4.1, their enhanced VPN
> client, includes a personal firewall module that is
> installed on the end-user's machine as part of the VPN
> client.
>
> The cool thing about this? All firewall policies for
> the SecureClient are managed and maintained from the
> company's central server that gets pushed down to the
> user each time s/he logs into the VPN.
>
> This secures the end-user's machine even when they're
> not on the VPN and everything is managed by the
> company's security admins.
>
> Hope this helps.
> Chris
> --
>
> --- Jon Carnes wrote:
> > If you are worried about your folks in the field
> > (and you may well be!)
> > then I would suggest that you get them a decent
> > firewalling program to run on their boxen. For $40, you can buy
> > software that will protect their machine.
> > I like BlackIce Defender ( http://www.netice.com ), which monitors any
> > attempts to get into their computer and makes sure that the attempts
> > fail. It also tells you when someone has been trying.
> >
> > The users can have the firewall program up and running and still VPN
> > in to the company site, or browse the web.
> > ----- Original Message -----
> > From: "Ryan Russell"
> > To:
> > Sent: Tuesday, February 22, 2000 2:48 PM
> > Subject: Re: VPN's (fwd)
> >
> > > On Tue, 22 Feb 2000, Andrew Paul wrote:
> > >
> > > > You might check with the various VPN vendors. They should be able
> > > > to set up a "route table" when the client software is enabled that
> > > > states all traffic should go through the encrypted tunnel. I
> > > > believe this can be set up on the VPNet VSU systems. They have a
> > > > WIN95/98 and NT 4.0 client. It also may be a possibility in the
> > > > Nortel Contivity product line.
> > > >
> > >
> > > That may not be sufficient. The attacker can still get packets to
> > > your VPN client. Even if the replies go back home, the attacker may
> > > still get them, depending on the firewall back home. In many cases,
> > > they'll get them with a translated source address, which for clever
> > > attackers won't slow them down at all, and may allow them to
> > > continue their connection just fine.
> > >
> > > Ryan
> > >
> http://im.yahoo.com > > VPN is sponsored by SecurityFocus.COM VPN is sponsored by SecurityFocus.COM From Munix-1 at PACBELL.NET Fri Feb 25 23:20:52 2000 From: Munix-1 at PACBELL.NET (Jose Muniz) Date: Fri, 25 Feb 2000 20:20:52 -0800 (PST) Subject: VPN's (fwd) References: <4.2.2.20000222140021.00a46c50@popserv.ucop.edu> Message-ID: <32D36B80.9154D3B0@Pacbell.net> hello guys, Well, yes I agree with Neil, there is no way for you to sniff or probe the IPSec traffic and get some nice reporting and/or accounting [monitoring] either. It is only possible to tell the source and destination wich won't do you any good because it will be gateway a and gateway b. Terminate the tunnel on a dmx prferable off the firewall and you will be able to filter and stuff at the firewall the sources will be the real sources as well as the destinations, they will practically be just regular L3 traffic, that you can shape and monitor taste and smell.. Yours, Jose Muniz. > > You can't evaluate encrypted packets. A common solution is to put the VPN > endpoint on a DMZ (or the firewall itself) so that the firewall can see the > decrypted packets. If you are really careful, then you re-encrypt them and > send them on. > Neil > > At 15:30 02/22/00 -0500, MARC A KURTZ wrote: > >Has anyone ever come up with a solution for this problem ( in particular > >from windows to linux )? > > > >i.e. How can we authenticate that the data going over the encrypted tunnel > >is legitimate? > > VPN is sponsored by SecurityFocus.COM VPN is sponsored by SecurityFocus.COM From massadb at NETSCOUT.COM Tue Feb 29 10:50:47 2000 From: massadb at NETSCOUT.COM (massadb at NETSCOUT.COM) Date: Tue, 29 Feb 2000 10:50:47 -0500 Subject: Tunnel ID Message-ID: <85256894.00582A89.00@nsismtp1.netscout.com> Hi. Can anyone tell me what the practical utility or concept was behind the need for a Tunnel ID and a Client or Multiplex ID? Thanx. 
From gowrishankar.setty at WIPRO.COM Tue Feb 29 11:01:21 2000
From: gowrishankar.setty at WIPRO.COM (Gowri Shankar Bhogisetty)
Date: Tue, 29 Feb 2000 21:31:21 +0530
Subject: info on hardware and software vpn
Message-ID: <38BBED50.100B8145@wipro.com>

Hi,

Can anyone help me get the differences between hardware-based VPN and
software-based VPN?

Regards,
Gowri Shankar

From mguenter at IAM.UNIBE.CH Tue Feb 29 05:55:46 2000
From: mguenter at IAM.UNIBE.CH (Manuel Guenter)
Date: Tue, 29 Feb 2000 11:55:46 +0100
Subject: Sniffer
Message-ID: <200002291055.LAA29380@milou.unibe.ch>

Dear Andy

If you really want to know if the data is encrypted you can do the following:

1) Use a sniffer and some filtering to collect a significant amount of
(possibly) encrypted payload. When visualizing this by assigning grayshades or
color to each byte, you will immediately see regularities if e.g. Rot13 was
used. However, you will hardly see the difference between zipped data and
encrypted data. Nevertheless, even though zipped files try to flatten the byte
distribution, they contain tables and other structures. That's why such data
will not pass all statistical tests. So:

2) Apply a statistical test of your choice. For example the "byte frequency
test" will already reveal if your data was zipped instead of encrypted. This
test basically counts how many bytes of each byte value occurred. If the bytes
were equally distributed (as they should be for encryption), certain deviations
get very improbable. The test calculates the probability using the Chi-square
statistic. Another possibility is using the 'run test'. This test counts the
length of increasing (resp. decreasing) subsequences of the data. The
distribution of these run-lengths can also reveal dependencies in the data.

There are hundreds of other tests that can be applied. The byte frequency test
(and also the run test) are easy to implement. You can find more info in the
book of D.E. Knuth, "The Art of Computer Programming", 2nd Ed., Addison-Wesley,
1981 (ok, that's old, but it is good).

With both the presented tests I could distinguish between 200K data that was
produced by IPSec (ESP tunnel with 3DES) and a tar.gz file of similar size.
However, how to distinguish between 40 bit DES and 3DES is another question.
I doubt that this question can be answered just by looking at the encrypted
data. Please correct me if I'm wrong!

cheers
Manuel

From me at NETTEST.DK Tue Feb 29 12:54:40 2000
From: me at NETTEST.DK (Michael Enk)
Date: Tue, 29 Feb 2000 18:54:40 +0100
Subject: VPN over cell phones
Message-ID:

Hi specialists,

Does anybody have experience with traveling users, who access their mail by
using a VPN client dialing the internet using a cell phone? I have heard that
there are a lot of problems with this due to the small bandwidth provided by
the cell phone.

Best regards,
Michael Enk

From Michael.Medwid at ARIBA.COM Tue Feb 29 19:15:01 2000
From: Michael.Medwid at ARIBA.COM (Michael Medwid)
Date: Tue, 29 Feb 2000 16:15:01 -0800
Subject: Stymied on a PPTP Routing Question
Message-ID: <271DE2625FD4D311949B009027F43B9F0283AB@us-mtvmail2.ariba.com>

Currently our internal address space at our company is 10.x.x.x. We recently
acquired a company whose internal address space is 172.2.x.x. Their routes have
populated our routers via EIGRP, and from my 10.x.x.x network I can ping or
telnet to any device on the 172.2 network. However, if I use PPTP to tunnel
into our network from my home system on DSL (with a routable IP address) I can
get to any system on the 10.x.x.x subnet but I cannot reach anything on the
172.2. I tried manually adding routes while the PPTP tunnel was up. That did
not help.

Can you think of what might be limiting my access to only the 10.x.x.x network?
Any solutions?

If this question is too specific for this mail list send me a whack on the
head. :-)

-Michael

From toddw at LIGHTMAIL.COM Tue Feb 29 20:19:12 2000
From: toddw at LIGHTMAIL.COM (Todd Wilburn)
Date: Tue, 29 Feb 2000 17:19:12 -0800
Subject: Palm VPN?
Message-ID:

Is it possible to do VPN with a Palm VII? Or a Palm III with a modem? Is there
software available for the Palm to do this? How about a portable with Win CE
with a wireless modem?

I am looking at ways for our office staff to remotely get emails and
appointments and some data from our server.

Thanks
Todd Wilburn
IT Tech.
MCSE wannabe
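The byte frequency (chi-square) test and the run test that Manuel Guenter describes in his Sniffer post above, as an added example that is not code from the list or from the poster. The word list, PRNG seed and the rough 0.1% critical value are assumptions, and seeded PRNG output stands in for a captured ESP payload.

```python
"""Byte frequency (chi-square) and run tests from Manuel Guenter's Sniffer post (added example)."""
import codecs
import random
import zlib
from collections import Counter

# Assumed rough 0.1% critical value of chi-square with 255 degrees of freedom (normal
# approximation: mean 255, sd sqrt(510)); uniformly distributed bytes rarely score above it.
CHI2_CRIT_255_DF = 330.0

def chi_square_bytes(data: bytes) -> float:
    """Byte frequency test: count each byte value, compare with a flat histogram."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))

def runs_up(data: bytes) -> list:
    """Run test: lengths of the maximal strictly increasing subsequences ("runs up")."""
    if not data:
        return []
    lengths, run = [], 1
    for prev, cur in zip(data, data[1:]):
        if cur > prev:
            run += 1
        else:
            lengths.append(run)
            run = 1
    lengths.append(run)
    return lengths

def looks_uniform(data: bytes) -> bool:
    """True when the byte histogram is as flat as cipher output should be."""
    return chi_square_bytes(data) < CHI2_CRIT_255_DF

def build_samples(n: int = 200_000) -> dict:
    """Constructed inputs of about n bytes; a seeded PRNG stands in for 3DES ESP payload."""
    rng = random.Random(2000)  # fixed seed: identical samples on every run
    words = ["tunnel", "gateway", "ipsec", "esp", "firewall", "client", "the", "and", "to"]
    text = " ".join(rng.choice(words) for _ in range(n // 5))[:n].encode()
    return {
        "prng bytes (cipher stand-in)": bytes(rng.randrange(256) for _ in range(n)),
        "plain text": text,
        "rot13 text": codecs.encode(text.decode(), "rot13").encode(),
        "zlib-compressed text": zlib.compress(text, 9),
    }

if __name__ == "__main__":
    for name, data in build_samples().items():
        runs = runs_up(data)
        print(f"{name:30} chi2={chi_square_bytes(data):10.1f}  "
              f"uniform={looks_uniform(data)!s:5}  mean run up={sum(runs) / len(runs):.3f}")
```

Plain and rot13 text fail the byte frequency test outright because half the byte values never occur; the compressed stream is the interesting case, where the chi-square value and the run-length distribution are what separate it from the PRNG sample.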