From: Saravana Ram <Ram at POP.JARING.MY>
Date: Sat, 1 Jan 2000 14:57:31 +0800
Subject: need help about ppp+ssh
References: <199912291514.XAA20796@smtp3.zj.cninfo.net>
Message-ID: <00c901bf5425$917ee980$0245a8c0@galena>

> I am now going to set up a VPN with PPP and ssh on my Linux.
> But after reading lots of documents (including VPN howto, and other
> things) I still get lots of problems. At last, I solved most of them, the PPP
> device appeared on both sides, routing table is set correctly, HOWEVER, I can not
> ping them through. I am really confused about this situation, and can not get
> helpful information on the web. If somebody has some experience of ssh+ppp
> VPN solution, I hope you can give me some hints. Maybe a detailed explanation of
> the ssh & PPP mechanism would help me.

Please send us a dump of your routing tables and interface address info for both hosts you're trying to connect. At least we can see if it's a routing problem.

Happy new year,
Ram.

VPN is sponsored by SecurityFocus.COM

From: Misha <misha at INSYNC.NET>
Date: Sun, 2 Jan 2000 12:19:32 -0600
Subject: Nortel Contivity

I have recently made a bold move and decided to choose the Nortel Contivity as a VPN platform we will support in addition to Cisco. I really have no other reason other than the fact that I really like the product. I have some questions for people with existing Nortel experience:

1) I still can't put a name with the company. Is Nortel's sales organization just paralyzed or do they just not have any sales people? I keep offering them money, but they are just not interested.

2) Has anyone used the Optivity VPN management software for the Contivity line? I can't find much information on it, but it looks promising.

3) Any idea why Nortel continues to avoid any magazine tests?
I really don't care much about the outcome, because those things are usually a bit skewed, but the fact that Nortel refuses participation worries me.

4) Any experience with Nortel's support of the product? I am looking for both technical support and a variation of Cisco SmartNET.

Misha

From: Jeffrey Needle <jneedle at NORTELNETWORKS.COM>
Date: Sun, 2 Jan 2000 16:37:02 -0800
Subject: Nortel Contivity
Message-ID: <6F303E756050D3119C4C0008C7917D00679F79@zbl6c000.corpeast.baynetworks.com>

> 1) I still can't put a name with the company. Is Nortel's sales
> organization just paralyzed or do they just not have any sales people? I
> keep offering them money, but they are just not interested.

If you e-mail me your location and contact details, I'll make sure it gets to the right sales people. We've definitely got a large sales force, so it sounds like something fell through the cracks.

> 2) Has anyone used the Optivity VPN management software for the Contivity
> line? I can't find much information on it, but it looks promising.

Not sure, but I think there is a downloadable demo version of the product. It's a good addition for managing multiple Contivity platforms. What specifically were you looking for it to do?

> 3) Any idea why Nortel continues to avoid any magazine tests? I really
> don't care much about the outcome, because those things are usually a bit
> skewed, but the fact that Nortel refuses participation worries me.

I'm sure you're referring to the recent Network World review where they slammed us and Cisco for not participating. The reasons that we gave the reviewer, as cited in the article, were correct. We didn't have the resources to throw at yet another performance test. As one of the market leaders, we're always being invited to do some sort of test or other and they do take quite some time. The slam by that particular reviewer was uncalled for.
If you have any concerns about our scalability or performance, I'd be happy to address them. We think our box is pretty good, and we think our customers believe that as well.

> 4) Any experience with Nortel's support of the product? I am looking for
> both technical support and a variation of Cisco SmartNET.

From my viewpoint from the engineering team, I think our support is good. In the past, the support organization has been resource constrained and spread thin, but they've recently increased the group of Contivity experts by over 100%. But I'll defer the answer to this question to others who might be less biased :-).

Jeff

From: Carr, Jeff N. <jcarr at STATE.ND.US>
Date: Mon, 3 Jan 2000 07:43:50 -0600
Subject: Nortel Contivity
Message-ID: <537E0AFAA151D111A2C800805F150DE303E10DE8@email.state.nd.us>

I have had the same experience with Nortel, to the point of submitting a PO and receiving a bill charged against that PO. Only one problem - I had not received product. Only by refusing to honor the PO was I able to obtain product. Time from submission of the PO to receipt of product: 5 months.

Jeff

-----Original Message-----
From: Misha [mailto:misha at INSYNC.NET]
Sent: Sunday, January 02, 2000 12:20 PM
To: VPN at SECURITYFOCUS.COM
Subject: Nortel Contivity

I have recently made a bold move and decided to choose the Nortel Contivity as a VPN platform we will support in addition to Cisco. I really have no other reason other than the fact that I really like the product. I have some questions for people with existing Nortel experience:

1) I still can't put a name with the company. Is Nortel's sales organization just paralyzed or do they just not have any sales people? I keep offering them money, but they are just not interested.
2) Has anyone used the Optivity VPN management software for the Contivity line? I can't find much information on it, but it looks promising.

3) Any idea why Nortel continues to avoid any magazine tests? I really don't care much about the outcome, because those things are usually a bit skewed, but the fact that Nortel refuses participation worries me.

4) Any experience with Nortel's support of the product? I am looking for both technical support and a variation of Cisco SmartNET.

Misha

From: Patrick Ethier <patrick at SECUREOPS.COM>
Date: Mon, 3 Jan 2000 12:01:19 -0500
Subject: PGPnet

Ok,

Now add the following to your /etc/isakmpd/isakmpd.conf

[Phase 1]
Default= PGPNet_Config

[Phase 2]
Default= PGPNet-OBSD

[PGPNet_Config]
Phase= 1
Transport= udp
Local-address= Your_OBSD_IP_Address
Address= 0.0.0.0
Configuration= Default-main-mode
Authentication= mekmitasdigoat
#Flags=

[PGPNet-OBSD]
Phase= 2
ISAKMP-peer= PGPNet_Config
Configuration= Default-quick-mode
Local-ID= Net-YourNet
Remote-ID= Net-PGPClient

[Net-YourNet]
ID-type= IPV4_ADDR_SUBNET
# the network address (host bits zero), not the broadcast address
Network= Your_Network_Address
Netmask= Your_Network_Netmask

[Net-PGPClient]
ID-type= IPV4_ADDR
Address= 0.0.0.0
Netmask= 255.255.255.255

This should make the whole thing work. Just fill in the entries with your personal IP's and stuff...

Regards,

Patrick Ethier
patrick at secureops.com

[ It doesn't matter if you don't know where you're going....]
[ As long as you get there --- DrBones ]

-----Original Message-----
From: Jonas Eriksson [mailto:je at sekure.net]
Sent: Monday, January 03, 2000 11:17 AM
To: Patrick Ethier
Subject: RE: PGPnet

Ok, I've read your mail that you posted earlier on the openbsd misc list (how you set up your PGPnet)

So, I have changed all that in PGPnet.
Thanks,

-- Jonas Eriksson
je at sekure.net

On Mon, 3 Jan 2000, Patrick Ethier wrote:

> Just a wild guess here, but if you got an invalid payload it is because your
> encryption transforms for phase 2 (aka quick mode) are invalid. The default
> for PGPNet is CAST-MD5, the default for openbsd is 3DES-SHA.
>
> Try changing the IPSEC section of PGPNet to match the quick mode transform
> of OpenBSD.
>
> If you look on my VPN website, (www.secureops.com/resources) you'll get all
> the explanation you need to get it working. Simply replace all remote IP's
> with 0.0.0.0 and in the [NET-] section use a ID-type= IPV4_ADDR with
> Address= 0.0.0.0 and Netmask=255.255.255.255
>
> That should work.
>
> I'll post my isakmpd.conf and isakmpd.policy file for you soon (I just need
> to blank out the IP's.)
>
> Regards,
>
> Patrick Ethier
> patrick at secureops.com
>
> [ It doesn't matter if you don't know where you're going....]
> [ As long as you get there --- DrBones ]
>
> -----Original Message-----
> From: Jonas Eriksson [mailto:je at sekure.net]
> Sent: Saturday, January 01, 2000 11:24 PM
> To: Patrick Ethier
> Subject: PGPnet
>
> Hi,
>
> I noticed on the openbsd mailing list that you got PGPnet to work
> with isakmpd.
>
> Can you send me your isakmpd.conf and isakmpd.policy?
>
> I've got this error while trying to connect:
>
> 052005.362795 Default message_parse_payloads: invalid next payload type
> 116 in payload of type 5
> 052005.362911 Default dropped message from 193.15.98.52 port 500 due to
> notification type INVALID_PAYLOAD_TYPE
>
> --
> Regards jonas

From: Luke Renn <lrenn at ETCI.COM>
Date: Mon, 3 Jan 2000 12:03:55 -0500
Subject: PGPnet
Message-ID: <03e101bf560c$84b453f0$0a83a8c0@localnet>

Not sure, but I think the DEFAULT_PAYLOAD_TYPE from the original post is due to not having perfect forward security set to 1024 in PGPnet options.
Just a thought,

Luke

(Could be wrong)
From: Patrick Ethier <patrick at SECUREOPS.COM>
Date: Mon, 3 Jan 2000 12:16:54 -0500
Subject: PGPnet

Probably,

But Jonas says he set everything right in PGPNet. If PFS isn't on, he'll get INVALID_PAYLOAD_TYPE because the IPSec proposals do not match.

Make sure you have 3DES-SHA for transforms on both IKE and IPSEC in PGPNet and that PFS is set to 1024. (Make sure also that AH is disabled and the ESP is enabled).
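The settings Patrick lists (3DES-SHA on both phases, PFS on, ESP rather than AH) are easier to check mechanically than by eye, so here is an added example written for this archive, not code from any of the posters or from OpenBSD: a small Python linter that reads an isakmpd.conf fragment, follows the [Phase 1] / [Phase 2] Default= references and reports the proposal mismatches this thread traces INVALID_PAYLOAD_TYPE to, a subnet ID whose Network= is not the network address, and a pre-shared key left at the sample value from isakmpd.conf(5) (mekmitasdigoat). The client-side settings dict, the suite-name pattern and the TEST-NET addresses in the embedded sample are assumptions; the two stock Default-* sections are cut down to the keys the check reads, so compare them with your installed file.

```python
"""Lint an isakmpd.conf fragment for the mismatches this thread runs into.
Added example for this archive, not code from any poster or from OpenBSD.
Parses the "[Section]" / "Key= Value" layout, follows the [Phase 1] and
[Phase 2] Default= references, and reports: a phase 1/2 proposal that
disagrees with the client side (cipher/hash, ESP vs AH, PFS on/off); an
IPV4_ADDR_SUBNET ID whose Network= has host bits set (e.g. a broadcast
address); a pre-shared key left at the isakmpd.conf(5) sample value.
Assumed: the client-side dict (3DES-SHA both phases, PFS on, ESP not AH,
as the thread says), the QM-<PROTO>[-<CIPHER>]-<HASH>[-PFS]-SUITE naming
of the stock suites, and the TEST-NET addresses in the sample.
"""
import configparser
import ipaddress
import re

DOC_SAMPLE_PSK = "mekmitasdigoat"  # the example key in isakmpd.conf(5)
PGPNET_SIDE = {"ike": "3DES-SHA", "ipsec": "3DES-SHA", "pfs": True, "proto": "ESP"}
SUITE_RE = re.compile(
    r"^QM-(?P<proto>ESP|AH)-(?:(?P<cipher>[A-Z0-9]+)-)?(?P<hash>MD5|SHA)(?P<pfs>-PFS)?-SUITE$"
)

# Constructed sample: the thread's fragment with placeholders filled in, and
# the two stock sections cut down to the keys this check reads.
SAMPLE_CONF = """\
[Phase 1]
Default= PGPNet_Config
[Phase 2]
Default= PGPNet-OBSD
[PGPNet_Config]
Phase= 1
Address= 0.0.0.0
Configuration= Default-main-mode
Authentication= mekmitasdigoat
[PGPNet-OBSD]
Phase= 2
ISAKMP-peer= PGPNet_Config
Configuration= Default-quick-mode
Local-ID= Net-YourNet
Remote-ID= Net-PGPClient
[Net-YourNet]
ID-type= IPV4_ADDR_SUBNET
# broadcast address by mistake; the linter should catch this
Network= 192.0.2.255
Netmask= 255.255.255.0
[Net-PGPClient]
ID-type= IPV4_ADDR
Address= 0.0.0.0
Netmask= 255.255.255.255
[Default-main-mode]
Transforms= 3DES-SHA
[Default-quick-mode]
Suites= QM-ESP-3DES-SHA-PFS-SUITE
"""

def load_conf(text):
    """Parse isakmpd.conf text; keys are case-sensitive, so keep them as written."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def parse_suite(name):
    """Split a quick-mode suite name into protocol, transform and PFS flag."""
    m = SUITE_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised suite name {name!r}")
    transform = f"{m['cipher']}-{m['hash']}" if m["cipher"] else m["hash"]
    return {"proto": m["proto"], "transform": transform, "pfs": m["pfs"] is not None}

def lint(text, client=PGPNET_SIDE):
    """Return human-readable problems; [] means the fragment agrees with the client."""
    cp = load_conf(text)
    problems = []
    p1_name, p2_name = cp["Phase 1"]["Default"], cp["Phase 2"]["Default"]
    p1, p2 = cp[p1_name], cp[p2_name]
    if p1.get("Authentication") == DOC_SAMPLE_PSK:
        problems.append(f"[{p1_name}] Authentication= is the isakmpd.conf(5) sample key")
    mm = cp[p1["Configuration"]]  # main-mode (phase 1) proposal
    if mm.get("Transforms") != client["ike"]:
        problems.append(f"[{mm.name}] Transforms={mm.get('Transforms')} vs client IKE {client['ike']}")
    qm = cp[p2["Configuration"]]  # quick-mode (phase 2) proposal
    suite = parse_suite(qm["Suites"])
    if suite["proto"] != client["proto"]:
        problems.append(f"[{qm.name}] proposes {suite['proto']}, client uses {client['proto']}")
    if suite["transform"] != client["ipsec"]:
        problems.append(f"[{qm.name}] {suite['transform']} vs client IPsec {client['ipsec']}")
    if suite["pfs"] != client["pfs"]:
        problems.append(f"[{qm.name}] PFS {'on' if suite['pfs'] else 'off'}, client PFS {'on' if client['pfs'] else 'off'}")
    # A subnet ID must carry the network address; with host bits set the peer
    # is offered an identity that matches nothing in its own policy.
    for key in ("Local-ID", "Remote-ID"):
        sec = cp[p2[key]]
        if sec.get("ID-type") == "IPV4_ADDR_SUBNET":
            try:
                ipaddress.IPv4Network(f"{sec['Network']}/{sec['Netmask']}", strict=True)
            except ValueError:
                problems.append(f"[{sec.name}] Network={sec['Network']} has host bits set for {sec['Netmask']}")
    return problems
```

lint(SAMPLE_CONF) returns two findings, the sample key and the broadcast address; pass the same text with the client dict set to PGPnet's CAST-MD5 default and PFS off and it also reports the phase 2 transform and PFS mismatches. On a real box, point lint() at /etc/isakmpd/isakmpd.conf and treat a Network= finding as a quick-mode ID problem rather than a routing one.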
From: Patrick Ethier <patrick at SECUREOPS.COM>
Date: Mon, 3 Jan 2000 12:27:59 -0500
Subject: PGPnet

It works with the Freeware version also...
The only problem is you cannot access anything beyond the security gateway. Simply put, it only supports Point-To-Point between the client and the security gateway...

It makes the freeware version virtually useless unless you want to share files between 2 computers on win9X boxes across the Internet. I guess NAI looks upon anybody connecting to a Remote Network as a Corporate Client (they are probably right in a sense). I call it a Marketing Scandal.

Anyways, I'm still waiting for a decent price quotation from NAI for the PGPVPN client. Does anybody know of a "Free" or "OpenSourced" or "GPL" client equivalent that will install on win9X/NT??

-----Original Message-----
From: Luke Renn [mailto:lrenn at etci.com]
Sent: Monday, January 03, 2000 12:12 PM
To: Patrick Ethier
Cc: misc at openbsd.org
Subject: Re: PGPnet

now all we have to do is get it to work with the *freeware* version of PGPnet :)

Luke
From: Patrick Ethier <patrick at SECUREOPS.COM>
Date: Mon, 3 Jan 2000 12:57:52 -0500
Subject: PGPnet

Hi Jeremy,

If I understand correctly, what you are wanting to do is encrypt communications between your Internal Network components and still be able to get regular traffic from the Internet???
Well, from my experience, you're better off installing your Linux box in a minimalist installation, then install a very strict firewall ruleset on it. This should eliminate the need for Intranet encryption. Other fun fact is that I am not sure that all network games will work through IPSec tunnels.

The answer to your question: yes, you could install PGPNet on all your windows boxes, and FreeS/WAN on your Linux box, configure them all as SA's and communicate with encryption between them. If you do it right, all data that isn't being explicitly sent to one of your Internal Boxes would travel unencrypted to the Internet and back.

Question is, do you really need that encrypted traffic on your Internal Network??? (The answer is, unless you have VERY sensitive information flowing between hosts or want to use it for a learning experience, it is a rather useless exercise.)

Have fun,

Patrick Ethier
patrick at secureops.com

[ It doesn't matter if you don't know where you're going....]
[ As long as you get there --- DrBones ]

-----Original Message-----
From: Jeremy [mailto:jeremy at meer.net]
Sent: Monday, January 03, 2000 12:46 PM
To: Patrick Ethier
Cc: VPN at SECURITYFOCUS.COM
Subject: Re: PGPnet

Ok, with PGPNET freeware, and IPsec, it will only encrypt everything on the internal network, correct? Cause what I am wanting to do is, have a Linux box be the DSL Gateway, then everything that is done Internally be using IPsec and PGPNET, but say when one of my linux or Windows machines wants to access the Outside World through my Linux Gateway, will my Gateway still work ok?

Jeremy

From: Jeremy <jeremy at MEER.NET>
Date: Mon, 3 Jan 2000 12:45:38 -0500
Subject: PGPnet
Message-ID: <3870E042.A6A36985@meer.net>

Ok, with PGPNET freeware, and IPsec, it will only encrypt everything on the internal network, correct?
Cause what I am wanting to do is, have a Linux box be the DSL Gateway, then everything that is done Internally be using IPsec and PGPNET, but say when one of my linux or Windows machines wants to access the Outside World through my Linux Gateway, will my Gateway still work ok?

Jeremy

From: Adam P. Zimmerer <adamz at ECONET.COM>
Date: Mon, 3 Jan 2000 13:33:40 -0800
Subject: IKE

Any thoughts on the security pitfalls of IKE Phase 1 & 2 negotiation with a pre-shared secret???

Sincerely,

Adam P. Zimmerer
Director of Client Services
Economic Networks
Today there are 150,887,000 people connected to the Internet. By 2005, 720 Million!!! What's your E-Economy Strategy?
"Act Locally, Think Globally"
www.EcoNet.Com
AdamZ at EcoNet.Com
Office: 972.385.7099 Toll Free: 888.EcoNet2 Fax: 972.385.9505

From: Joe Nall <joe at NALL.COM>
Date: Mon, 3 Jan 2000 21:28:07 -0600
Subject: Effort required to setup and maintain a VPN
Message-ID: <387168C7.75C77568@nall.com>

In a recent local debate about managed VPNs the following questions came up:

How many hours does it take to set up a VPN?
How much time per month do you spend taking care of it?
What factors affect admin load the most?

I'm looking for personal experiences or opinions. We had local answers from 10 minutes to set up and no effort to maintain to months to set up and full time to maintain.

Curious,
Joe Nall

From: Matthew Ramsay <matthewr at MORETON.COM.AU>
Date: Tue, 4 Jan 2000 15:17:26 +1000
Subject: PPTP VPN networked drive unmapping
References: <4128C0428F94D3118F1E00902773CED201B359@NNSBOIS1>
Message-ID: <00010415201509.25729@gibberling>

Has anyone experienced this before: PPTP client VPNs into a PPTP server.
That client then maps a drive of a machine on the local network (local to the VPN server, that is). After a certain period of time this mapped drive unmaps itself???!!?

Anyone have a clue? Could it have something to do with the MSCHAPv2 re-authentication perhaps? Or something similar? The VPN connection is still up.. just the drive unmapped.

Cheers,
Matt.

From: Chris Carlson <carlsonmail at YAHOO.COM>
Date: Mon, 3 Jan 2000 21:01:04 -0800
Subject: Effort required to setup and maintain a VPN
Message-ID: <20000104050104.5037.qmail@web115.yahoomail.com>

Joe,

Not sure about managed VPN services, but I can give you information on the effort to maintain a 7,500 person VPN system at my customer site.

1) Account creation/deletion issues
2) Rollout/update of VPN client software
3) User training, Help Desk support, 24x7 support
4) Additional VPN servers (for global geographic coverage)
5) System upgrades, patches, network monitoring
6) Unforeseen requirements (support for third-parties, emergency access, etc.)

While managed VPN services would address items 4 and 5, I can say that most of the effort and budget is on human capital to support items 1, 2, and 3. My team of two full-time and five matrixed employees handle items 4, 5, and 6 of our VPN system in-house. But items 1, 2, and 3 have required upwards of 75 full and part-time employees spread across the US, Europe, and Asia!

Cross-training, making the system painless and effortless to manage, role-based administration, access control considerations, user and system level reporting, security logs, disaster recovery, and real-time account histories (including adds, mods, deletes, and terms) all play an important consideration on top of the technical features. Please investigate these soft issues while you perform your due-diligence on managed VPN services.
One former customer of mine had 2 FTEs and 6 matrixed employees to manage a 20,000 person dial-in infrastructure. But how hard is it to configure dial-up networking, static passwords, and an 800 number on a user's machine?? Installing third-party VPN software, rolling out global ISP provider phone numbers and dialers, adding new user accounts, and distributing SecurID/ACE token cards for strong authentication blew their personnel budget out of the water. Their managed WAN provider which tried to pitch managed VPN services couldn't address any of these issues!!

Good luck with your efforts!

Chris

From: Gowri Shankar Bhogisetty <gowrishankar.setty at WIPRO.COM>
Date: Tue, 4 Jan 2000 10:36:20 +0530
Subject: VPN PORT DETAILS
Message-ID: <38717FCC.20532344@wipro.com>

Hi,

We were using the Axent Raptor Mobile VPN client; I have a few questions.

1. We wanted to know what ports (TCP, UDP, IP) it uses. Currently we are allowing the entire IP on our router access-lists.
2. Are the VPN ports standard for all the vendors (Shiva, Axent, etc.)?

Any help on this greatly appreciated.
Regards
Gowri Shankar

From: Laurent Hebert <lhebert at NETESYS.COM>
Date: Tue, 4 Jan 2000 09:21:57 -0500
Subject: clarification please?
Message-ID: <20000104141755785.AAA120@bacchus2.netesys.com@gvl-12364>

Point to point VPN usually means site to site VPN. It requires two VPN Gateways (one at each site) to be implemented.

Remote access VPN is more a client to site VPN (for telecommuters). It requires a VPN Client (usually S/W based) on the PC client and a VPN G/W at the main site.

----------
> From: Janis MacIsaac
> To: VPN at SECURITYFOCUS.COM
> Subject: clarification please?
> Date: 20 December 1999 16:16
>
> I have been speaking with several industry people in the last two weeks,
> and I often hear point-to-point VPNs and remote access VPNs are
> different things. What is the difference? What are the defining
> characteristics that make a particular infrastructure one or the other?

From: Marcel van den Hoven <Hoven at Q-RAY.NL>
Date: Tue, 4 Jan 2000 15:59:09 +0100
Subject: Network Neighborhood on VPN Client
Message-ID: <6124DE2980A8D11196FA00609712EF5245B480@NTSERVER4>

Hi all,

For users we would like to have a VPN server so that people at home can connect to the office by Internet. We use different clients (Win9x/NT). When I browse by Network Neighborhood I don't see our servers at the office. At the office all servers are NT 4.0. The VPN server is also NT. Connecting and a ping to a server at the office is working fine, but you have to know the server and share name to connect. Who can help me solve this challenge?

Marcel van den Hoven
___________________________________________________________
Networks would be a lot easier to build and maintain if it wasn't for users.....
___________________________________________________________
Q-Ray /\ IT Consultancy and Software Engineering
Marcel van den Hoven
Technical Consultant / Network Administrator
PO Box 123, 6700 AC Wageningen, The Netherlands
Tel: +31 317 472 999, Fax: +31 317 472 900
Internet: www.q-ray.nl, www.agriplus.nl
E-mail hoven at q-ray.nl

From tbird at PRECISION-GUESSWORK.COM Tue Jan 4 09:55:56 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Tue, 4 Jan 2000 08:55:56 -0600
Subject: Network Neighborhood omn VPN Client
In-Reply-To: <6124DE2980A8D11196FA00609712EF5245B480@NTSERVER4>
Message-ID:

Hi Marcel --

How do your client PCs do name resolution? If they use WINS in order to translate between server names and IP addresses, you have to be sure that they can contact the private WINS server over the VPN. Some VPN packages -- like VTCP/Secure from InfoExpress -- specifically proxy that information through the VPN, so they work pretty easily. In a lot of cases, though, you have to configure the LMHOSTS file on the remote PC with the IP addresses of the servers to be contacted over the VPN. This is really only practical in small, relatively static networks.

In any event -- to determine whether or not this is your problem -- can you map network drives by IP address? If that works, but mapping by name fails, then you've definitely got a name resolution issue. If that >doesn't< work, I'd check the routing.

Cheers -- Tina

On Tue, 4 Jan 2000, Marcel van den Hoven wrote:

> Date: Tue, 4 Jan 2000 15:59:09 +0100
> From: Marcel van den Hoven
> To: VPN at SECURITYFOCUS.COM
> Subject: Network Neighborhood omn VPN Client
>
>
> > Hi all,
>
> > For users we would like to have a VPN server so that people at home can connect to
> the office by Internet. We use different clients (Win9x/NT).
> When I browse by Network Neighborhood I don't see our servers at the office. At
> the office all servers are NT 4.0. The VPN Server is also NT.
> Connecting and a ping to a server at the office is working fine, but you
> have to know the server and share name to connect.
> Who can help me to solve this challenge?
>
>
> Marcel van den Hoven
> ___________________________________________________________
> Networks would be a lot easier to build and maintain if it wasn't for
> users.....
> ___________________________________________________________
> Q-Ray /\ IT Consultancy and Software Engineering
> Marcel van den Hoven
> Technical Consultant / Network Administrator
> PO Box 123, 6700 AC Wageningen, The Netherlands
> Tel: +31 317 472 999, Fax: +31 317 472 900
> Internet: www.q-ray.nl, www.agriplus.nl
> E-mail hoven at q-ray.nl
>

"Doubt is an uncomfortable situation, but certainty is an absurd one." -- Voltaire

From Fred.Golder at CENDANT.COM Tue Jan 4 10:21:27 2000
From: Fred.Golder at CENDANT.COM (Golder, Fred)
Date: Tue, 4 Jan 2000 10:21:27 -0500
Subject: Network Neighborhood omn VPN Client
Message-ID:

Are you sure the clients are logged into the domain? It may sound like a dumb question, but check just in case. I had set up a VPN which authenticated users against NT, but it didn't log the users into the domain, because of how the client machines were configured.

There is also a catch with NT. NT will log onto a domain at startup, but not after a dialup connection is made. I have heard that there is a way to get NT to perform NT domain log on after a dialup connection is made, but I do not know how to make NT perform in that manner.

Are there any Microsoft people lurking on this list, that can answer that?

-Fred Golder

-----Original Message-----
From: Marcel van den Hoven [mailto:Hoven at Q-RAY.NL]
Sent: Tuesday, January 04, 2000 9:59 AM
To: VPN at SECURITYFOCUS.COM
Subject: Network Neighborhood omn VPN Client

> Hi all,

> For users we would like to have a VPN server so that people at home can connect to the office by Internet.
We use different clients (Win9x/NT).
When I browse by Network Neighborhood I don't see our servers at the office. At the office all servers are NT 4.0. The VPN Server is also NT.
Connecting and a ping to a server at the office is working fine, but you have to know the server and share name to connect.
Who can help me to solve this challenge?

Marcel van den Hoven
___________________________________________________________
Networks would be a lot easier to build and maintain if it wasn't for users.....
___________________________________________________________
Q-Ray /\ IT Consultancy and Software Engineering
Marcel van den Hoven
Technical Consultant / Network Administrator
PO Box 123, 6700 AC Wageningen, The Netherlands
Tel: +31 317 472 999, Fax: +31 317 472 900
Internet: www.q-ray.nl, www.agriplus.nl
E-mail hoven at q-ray.nl

From jonc at HAHT.COM Tue Jan 4 10:36:29 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Tue, 4 Jan 2000 10:36:29 -0500
Subject: Effort required to setup and maintain a VPN
References: <387168C7.75C77568@nall.com>
Message-ID: <013901bf56c9$8a647d80$6803010a@dhcp.haht.com>

I have set up a variety of VPNs in my day. In general it is *much* easier to do today than it was in the past.

Network to Network based VPNs:

I set up my first VPN 6 years ago (we called it an IP tunnel at that time). It was a link across the Internet from a Novell server in Raleigh, NC to a Novell server in Cambridge, Mass. I spent about 6 hours prep time (reading and downloading documents), and 2 hours execution time - including the testing. After that, the maintenance was trivial.

First MS based VPN 2 years ago. It took 14 days prep time (reading, downloading documents and updates, applying updates to servers), and about 20 days execution time - including testing.
After that, it required a lot of maintenance, and at least a weekly reboot. Since that time, MS has revised and refined their applications (and their servers). It takes about 6 hours to get one up and running now, and the maintenance is low.

First Linux based VPN 1 year ago. It took 9 days prep time, and 3 days execution time. I had to do maintenance every few days, but quickly wrote a few scripts that handled that, and it's been maintenance free ever since.

VPN access for the "Dial-up" user

MAX Ascend 6000 for a Dial-up VPN. That took about 8 days prep, and 2 days execution time. I still haven't got it to authenticate to my NT domain, but I have a feeling NT5 will handle it. Once it authenticates to the Domain, then it too will be maintenance free.

MS dial-up VPN. That took about 2 days prep, and 14 days to get it working right. Now it's pretty much maintenance free.

Linux dial-in VPN. That took about 2 days prep, and 2 hours to get it working right. It's also maintenance free.

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "Joe Nall"
To:
Sent: Monday, January 03, 2000 10:28 PM
Subject: Effort required to setup and maintain a VPN

> In a recent local debate about managed VPNs the following questions came
> up:
> How many hours does it take to set up a VPN?
> How much time per month do you spend taking care of it?
> What factors affect admin load the most?
>
> I'm looking for personal experiences or opinions. We had local answers
> from 10 minutes to set up and no effort to maintain to months to set up
> and full time to maintain.
>
> Curious,
> Joe Nall
>

From Hoven at Q-RAY.NL Tue Jan 4 10:42:56 2000
From: Hoven at Q-RAY.NL (Marcel van den Hoven)
Date: Tue, 4 Jan 2000 16:42:56 +0100
Subject: Network Neighborhood omn VPN Client
Message-ID: <6124DE2980A8D11196FA00609712EF5245B482@NTSERVER4>

> static networks.
>
> In any event -- to determine whether or not this
> is your problem -- can you map network drives
> by IP address? If that works, but mapping by name
> fails, then you've definitely got a name resolution
> issue. If that >doesn't< work, I'd check the
> routing.
>

Yes, mapping by IP number is working. The clients obtain an IP address from the DHCP server inside the office network, with a DNS server and WINS server address given.

Marcel

From jonc at HAHT.COM Tue Jan 4 10:45:32 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Tue, 4 Jan 2000 10:45:32 -0500
Subject: Effort required to setup and maintain a VPN
References: <20000104050104.5037.qmail@web115.yahoomail.com>
Message-ID: <014901bf56ca$ce476070$6803010a@dhcp.haht.com>

Chris is 100% on the mark. The human-factors load caused by handling our dial-up VPN clients is stunning. Ongoing "maintenance" for Dial-up VPN is about 1000x that of our network to network based VPNs.

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "Chris Carlson"
To:
Sent: Tuesday, January 04, 2000 12:01 AM
Subject: Re: Effort required to setup and maintain a VPN

> Joe,
>
> Not sure about managed VPN services, but I can give
> you information on the effort to maintain a 7,500
> person VPN system at my customer site.
>
> 1) Account creation/deletion issues
> 2) Rollout/update of VPN client software
> 3) User training, Help Desk support, 24x7 support
> 4) Additional VPN servers (for global geographic
> coverage)
> 5) System upgrades, patches, network monitoring
> 6) Unforeseen requirements (support for third-parties,
> emergency access, etc.)
>
> While managed VPN services would address items 4 and
> 5, I can say that most of the effort and budget is on
> human capital to support items 1, 2, and 3.
>
> My team of two full-time and five matrixed employees
> handle items 4, 5, and 6 of our VPN system in-house.
> But items 1, 2, and 3 have required upwards of 75 full
> and part-time employees spread across the US, Europe,
> and Asia! Cross-training, making the system painless
> and effortless to manage, role-based administration,
> access control considerations, user and system level
> reporting, security logs, disaster recovery, and
> real-time account histories (including adds, mods,
> deletes, and terms) all play an important
> consideration on top of the technical features.
>
> Please investigate these soft issues while you perform
> your due-diligence on managed VPN services.
>
> One former customer of mine had 2 FTEs and 6 matrixed
> employees to manage a 20,000 person dial-in
> infrastructure. But how hard is it to configure
> dial-up networking, static passwords, and an 800
> number on a user's machine?? Installing third-party
> VPN software, rolling out global ISP provider phone
> numbers and dialers, adding new user accounts, and
> distributing SecurID/ACE token cards for strong
> authentication blew their personnel budget out of the
> water. Their managed WAN provider which tried to
> pitch managed VPN services couldn't address any of
> these issues!!
>
> Good luck with your efforts!
>
> Chris
> --
>
> --- Joe Nall wrote:
> > In a recent local debate about managed VPNs the
> > following questions came
> > up:
> > How many hours does it take to set up a VPN?
> > How much time per month do you spend taking care of
> > it?
> > What factors affect admin load the most?
> >
> > I'm looking for personal experiences or opinions.
> > We had local answers
> > from 10 minutes to set up and no effort to maintain
> > to months to set up
> > and full time to maintain.
> >
> > Curious,
> > Joe Nall
> >
> >
>
> __________________________________________________
> Do You Yahoo!?
> Talk to your friends online with Yahoo! Messenger.
> http://messenger.yahoo.com
>

From jmaegli at PCPROS.NET Tue Jan 4 10:38:43 2000
From: jmaegli at PCPROS.NET (jmaegli)
Date: Tue, 4 Jan 2000 09:38:43 -0600
Subject: Linux IP Masq and Nortel Extranet Client
Message-ID: <002f01bf56c9$ca620560$42d2a8c0@jam5660.jam.bogus>

Hello,

I have an NT laptop running the Nortel Networks Extranet client. When I dial in to my ISP the client connects and everything works great. Now the rub: I have an at-home network with 5 Win 98 and NT boxes, one Sun and 3 Linux workstations. One of the Linux boxes is my gateway to the Internet. This box has the modem and all other boxes use this as their gateway. When I make my connection, everything works fine, HTTP, Email, Telnet etc. but when I try to connect the client (the one that works as mentioned before) I can not connect and get the message "Failure Do to remote host not responding". I do see a UDP packet on port 500 and my firewall is opened up so I'm not getting blocked there.

If anyone has any thoughts or white papers on this kind of setup, especially with a Linux gateway, please let me know. Thanx so much for your time.

John Maegli
Systems Engineer
Sterling Software
Office (715) 848-2682
john.maegli at sterling.com

From jonc at HAHT.COM Tue Jan 4 10:50:29 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Tue, 4 Jan 2000 10:50:29 -0500
Subject: VPN PORT DETAILS
References: <38717FCC.20532344@wipro.com>
Message-ID: <015101bf56cb$7f276020$6803010a@dhcp.haht.com>

You should be able to trace this yourself. If your firewall or router is closed to you, you can still rent a sniffer or build one using an NT server or Linux box. My firewall is Linux based and I trace protocols by using tcpdump and netstat. Netstat will also work on an NT box.
Good Luck,

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "Gowri Shankar Bhogisetty"
To:
Sent: Tuesday, January 04, 2000 12:06 AM
Subject: VPN PORT DETAILS

> Hi,
>
> We were using the Axcent Raptor Mobile VPN client, and I have a few questions.
>
> 1. We wanted to know which ports (TCP, UDP, IP) it uses. Currently we
> are allowing entire IP on our router access-lists.
> 2. Are the VPN ports standard for all the vendors (Shiva, Axcent, etc.)?
>
> Any help on this is greatly appreciated.
>
> Regards
>
> Gowri Shankar
>

From theresa at TI.COM Tue Jan 4 10:42:58 2000
From: theresa at TI.COM (Brown, Theresa)
Date: Tue, 4 Jan 2000 09:42:58 -0600
Subject: Network Neighborhood omn VPN Client
Message-ID: <3C369333FC7BD21193A60000F8FE891F0B0402CA@dlee02.itg.ti.com>

When using NT the user needs to log on to their NT session using the same username and password as their NT domain account uses. Then when the VPN is established, NT will pass the username and password to any NT resources the user attempts to connect to. However, if they are using a logon script, it will not be executed this way.

Regards,
Theresa Brown

-----Original Message-----
From: Golder, Fred [mailto:Fred.Golder at CENDANT.COM]
Sent: Tuesday, January 04, 2000 9:21 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: Network Neighborhood omn VPN Client

Are you sure the clients are logged into the domain? It may sound like a dumb question, but check just in case. I had set up a VPN which authenticated users against NT, but it didn't log the users into the domain, because of how the client machines were configured.

There is also a catch with NT. NT will log onto a domain at startup, but not after a dialup connection is made. I have heard that there is a way to get NT to perform NT domain log on after a dialup connection is made, but I do not know how to make NT perform in that manner.
Are there any Microsoft people lurking on this list, that can answer that?

-Fred Golder

-----Original Message-----
From: Marcel van den Hoven [mailto:Hoven at Q-RAY.NL]
Sent: Tuesday, January 04, 2000 9:59 AM
To: VPN at SECURITYFOCUS.COM
Subject: Network Neighborhood omn VPN Client

> Hi all,

> For users we would like to have a VPN server so that people at home can connect to the office by Internet. We use different clients (Win9x/NT).
When I browse by Network Neighborhood I don't see our servers at the office. At the office all servers are NT 4.0. The VPN Server is also NT.
Connecting and a ping to a server at the office is working fine, but you have to know the server and share name to connect.
Who can help me to solve this challenge?

Marcel van den Hoven
___________________________________________________________
Networks would be a lot easier to build and maintain if it wasn't for users.....
___________________________________________________________
Q-Ray /\ IT Consultancy and Software Engineering
Marcel van den Hoven
Technical Consultant / Network Administrator
PO Box 123, 6700 AC Wageningen, The Netherlands
Tel: +31 317 472 999, Fax: +31 317 472 900
Internet: www.q-ray.nl, www.agriplus.nl
E-mail hoven at q-ray.nl

From jonc at HAHT.COM Tue Jan 4 10:58:31 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Tue, 4 Jan 2000 10:58:31 -0500
Subject: Network Neighborhood omn VPN Client
References: <6124DE2980A8D11196FA00609712EF5245B480@NTSERVER4>
Message-ID: <016301bf56cc$9ef9c770$6803010a@dhcp.haht.com>

Sounds like you are just entering the marvelous world of VPN by using Microsoft's RAS server. Your best bet is to also bring up a WINS server, and then add that WINS server to all your boxes at work, and to your client dialup setups.
There are other problems you may be having, but WINS should clear up about 90% of them!

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "Marcel van den Hoven"
To:
Sent: Tuesday, January 04, 2000 9:59 AM
Subject: Network Neighborhood omn VPN Client

>
> > Hi all,
>
> > For users we would like to have a VPN server so that people at home can connect to
> the office by Internet. We use different clients (Win9x/NT).
> When I browse by Network Neighborhood I don't see our servers at the office. At
> the office all servers are NT 4.0. The VPN Server is also NT.
> Connecting and a ping to a server at the office is working fine, but you
> have to know the server and share name to connect.
> Who can help me to solve this challenge?
>
>
> Marcel van den Hoven
> ___________________________________________________________
> Networks would be a lot easier to build and maintain if it wasn't for
> users.....
> ___________________________________________________________
> Q-Ray /\ IT Consultancy and Software Engineering
> Marcel van den Hoven
> Technical Consultant / Network Administrator
> PO Box 123, 6700 AC Wageningen, The Netherlands
> Tel: +31 317 472 999, Fax: +31 317 472 900
> Internet: www.q-ray.nl, www.agriplus.nl
> E-mail hoven at q-ray.nl
>

From mmcconnell at COMPATIBLE.COM Tue Jan 4 11:03:30 2000
From: mmcconnell at COMPATIBLE.COM (Matt McConnell)
Date: Tue, 4 Jan 2000 09:03:30 -0700
Subject: Network Neighborhood omn VPN Client
In-Reply-To:
Message-ID:

There are several NT VPN clients (ours among them) capable of running prior to logon, allowing a tunnel to be opened and a domain logon to be performed.
Matt

Matt McConnell
President & CEO
Compatible Systems Corporation
http://www.compatible.com/

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Golder, Fred
Sent: Tuesday, January 04, 2000 8:21 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: Network Neighborhood omn VPN Client

Are you sure the clients are logged into the domain? It may sound like a dumb question, but check just in case. I had set up a VPN which authenticated users against NT, but it didn't log the users into the domain, because of how the client machines were configured.

There is also a catch with NT. NT will log onto a domain at startup, but not after a dialup connection is made. I have heard that there is a way to get NT to perform NT domain log on after a dialup connection is made, but I do not know how to make NT perform in that manner.

Are there any Microsoft people lurking on this list, that can answer that?

-Fred Golder

-----Original Message-----
From: Marcel van den Hoven [mailto:Hoven at Q-RAY.NL]
Sent: Tuesday, January 04, 2000 9:59 AM
To: VPN at SECURITYFOCUS.COM
Subject: Network Neighborhood omn VPN Client

> Hi all,

> For users we would like to have a VPN server so that people at home can connect to the office by Internet. We use different clients (Win9x/NT).
When I browse by Network Neighborhood I don't see our servers at the office. At the office all servers are NT 4.0. The VPN Server is also NT.
Connecting and a ping to a server at the office is working fine, but you have to know the server and share name to connect.
Who can help me to solve this challenge?

Marcel van den Hoven
___________________________________________________________
Networks would be a lot easier to build and maintain if it wasn't for users.....
___________________________________________________________
Q-Ray /\ IT Consultancy and Software Engineering
Marcel van den Hoven
Technical Consultant / Network Administrator
PO Box 123, 6700 AC Wageningen, The Netherlands
Tel: +31 317 472 999, Fax: +31 317 472 900
Internet: www.q-ray.nl, www.agriplus.nl
E-mail hoven at q-ray.nl

From GThibodeau at NAVISITE.COM Tue Jan 4 11:00:54 2000
From: GThibodeau at NAVISITE.COM (Thibodeau, Gregg)
Date: Tue, 4 Jan 2000 11:00:54 -0500
Subject: Linux IP Masq and Nortel Extranet Client
Message-ID: <7C06EA1D5AAAD311B4EB00508B550B9921D45C@navexc01.and.navisite.com>

The problem is most likely with many to one NAT. IPSEC will not work with many to one NAT unless the firewall/gateway is specifically designed to handle this configuration. IPSEC requires that both source and destination ports used during connection setup be 500. Most boxes doing many to one NAT change the source port. The Contivity Extranet Switch will not respond to the setup request since the source port is not 500. Even after that, the firewall/gateway needs to use the SAs in the IPSEC traffic running on IP 50 to keep track of the original source. The only device that we have found that will support outgoing IPSEC and many to one NAT is Nortel's Instant Internet.

Gregg

-----Original Message-----
From: jmaegli [mailto:jmaegli at PCPROS.NET]
Sent: Tuesday, January 04, 2000 10:39 AM
To: VPN at SECURITYFOCUS.COM
Subject: Linux IP Masq and Nortel Extranet Client

Hello,

I have an NT laptop running the Nortel Networks Extranet client. When I dial in to my ISP the client connects and everything works great. Now the rub: I have an at-home network with 5 Win 98 and NT boxes, one Sun and 3 Linux workstations. One of the Linux boxes is my gateway to the Internet.
This box has the modem and all other boxes use this as their gateway. When I make my connection, everything works fine, HTTP, Email, Telnet etc. but when I try to connect the client (the one that works as mentioned before) I can not connect and get the message "Failure Do to remote host not responding". I do see a UDP packet on port 500 and my firewall is opened up so I'm not getting blocked there.

If anyone has any thoughts or white papers on this kind of setup, especially with a Linux gateway, please let me know. Thanx so much for your time.

John Maegli
Systems Engineer
Sterling Software
Office (715) 848-2682
john.maegli at sterling.com

From mmcconnell at COMPATIBLE.COM Tue Jan 4 12:13:30 2000
From: mmcconnell at COMPATIBLE.COM (Matt McConnell)
Date: Tue, 4 Jan 2000 10:13:30 -0700
Subject: Linux IP Masq and Nortel Extranet Client
In-Reply-To: <7C06EA1D5AAAD311B4EB00508B550B9921D45C@navexc01.and.navisite.com>
Message-ID:

Several VPN products (including ours) provide a "NAT compatible" transport mode using IPSec ESP. This is a configurable option, very important for running clients behind many cable modems, DSL modems, or corporate LAN NAT devices.

Matt

Matt McConnell
President & CEO
Compatible Systems Corporation
http://www.compatible.com/

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Thibodeau, Gregg
Sent: Tuesday, January 04, 2000 9:01 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: Linux IP Masq and Nortel Extranet Client

The problem is most likely with many to one NAT. IPSEC will not work with many to one NAT unless the firewall/gateway is specifically designed to handle this configuration. IPSEC requires that both source and destination ports used during connection setup be 500. Most boxes doing many to one NAT change the source port. The Contivity Extranet Switch will not respond to the setup request since the source port is not 500.
Even after that, the firewall/gateway needs to use the SAs in the IPSEC traffic running on IP 50 to keep track of the original source. The only device that we have found that will support outgoing IPSEC and many to one NAT is Nortel's Instant Internet.

Gregg

-----Original Message-----
From: jmaegli [mailto:jmaegli at PCPROS.NET]
Sent: Tuesday, January 04, 2000 10:39 AM
To: VPN at SECURITYFOCUS.COM
Subject: Linux IP Masq and Nortel Extranet Client

Hello,

I have an NT laptop running the Nortel Networks Extranet client. When I dial in to my ISP the client connects and everything works great. Now the rub: I have an at-home network with 5 Win 98 and NT boxes, one Sun and 3 Linux workstations. One of the Linux boxes is my gateway to the Internet. This box has the modem and all other boxes use this as their gateway. When I make my connection, everything works fine, HTTP, Email, Telnet etc. but when I try to connect the client (the one that works as mentioned before) I can not connect and get the message "Failure Do to remote host not responding". I do see a UDP packet on port 500 and my firewall is opened up so I'm not getting blocked there.

If anyone has any thoughts or white papers on this kind of setup, especially with a Linux gateway, please let me know. Thanx so much for your time.

John Maegli
Systems Engineer
Sterling Software
Office (715) 848-2682
john.maegli at sterling.com

From dgillett at NIKU.COM Tue Jan 4 12:37:30 2000
From: dgillett at NIKU.COM (David Gillett)
Date: Tue, 4 Jan 2000 09:37:30 -0800
Subject: Network Neighborhood on VPN Client
In-Reply-To: <6124DE2980A8D11196FA00609712EF5245B480@NTSERVER4>
Message-ID: <001101bf56da$60fd8570$f30410ac@niku.com>

This might be related to a couple of quirks I'm seeing. We run a primarily NT network using an Altiga VPN concentrator.
Remote NT users (local logon to their machine) start up the client, enter account, password and domain name, and they're in and logged on to the domain.

But when I run the client on my 98 SE machine, two odd things happen:

1. I have to enter account/password/domain twice -- apparently, once to authenticate against the VPN gateway, and once to actually log onto the domain.

2. Network Neighborhood never does get populated. I can ping, share (via NET USE command), etc, so this isn't intolerable, but it does sound rather like Marcel's case.

[And I have WINS set up and its address being given out by DHCP, which works fine for clients running NT....]

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Marcel van den Hoven
Sent: January 4, 2000 06:59
To: VPN at SECURITYFOCUS.COM
Subject: Network Neighborhood omn VPN Client

> Hi all,

> For users we would like to have a VPN server so that people at home can connect to the office by Internet. We use different clients (Win9x/NT).
When I browse by Network Neighborhood I don't see our servers at the office. At the office all servers are NT 4.0. The VPN Server is also NT.
Connecting and a ping to a server at the office is working fine, but you have to know the server and share name to connect.
Who can help me to solve this challenge?

Marcel van den Hoven
___________________________________________________________
Networks would be a lot easier to build and maintain if it wasn't for users.....
___________________________________________________________
Q-Ray /\ IT Consultancy and Software Engineering
Marcel van den Hoven
Technical Consultant / Network Administrator
PO Box 123, 6700 AC Wageningen, The Netherlands
Tel: +31 317 472 999, Fax: +31 317 472 900
Internet: www.q-ray.nl, www.agriplus.nl
E-mail hoven at q-ray.nl

From chris.goellner at CORP.BELLSOUTH.NET Wed Jan 5 14:35:17 2000
From: chris.goellner at CORP.BELLSOUTH.NET (Chris Goellner)
Date: Wed, 5 Jan 2000 14:35:17 -0500
Subject: Linux IP Masq and Nortel Extranet Client
In-Reply-To: <002f01bf56c9$ca620560$42d2a8c0@jam5660.jam.bogus>
References: <002f01bf56c9$ca620560$42d2a8c0@jam5660.jam.bogus>
Message-ID:

You need to start with the following FAQ:

http://www.redhat.com/mirrors/LDP/HOWTO/VPN-Masquerade-HOWTO.html

I have a similar situation using the Extranet client from behind a Linux firewall/masq box and it works great once you get it set up. It will take some time, a kernel patch, and a recompile, but it works. I did it with RedHat 6.0 and 6.1. I like 6.1 better for a number of reasons.

If you need any more help send me an e-mail.

On Tue, 4 Jan 2000 09:38:43 -0600, you wrote:

>Hello,
>I have an NT laptop running the Nortel Networks Extranet client. When I dial in to
>my ISP the client connects and everything works great. Now the rub: I have
>an at-home network with 5 Win 98 and NT boxes, one Sun and 3 Linux
>workstations. One of the Linux boxes is my gateway to the Internet.
>This box has the modem and all other boxes use this as their gateway. When I
>make my connection, everything works fine, HTTP, Email, Telnet etc. but when
>I try to connect the client (the one that works as mentioned before) I can
>not connect and get the message "Failure Do to remote host not responding". I
>do see a UDP packet on port 500 and my firewall is opened up so I'm not
>getting blocked there.
>If anyone has any thoughts or white papers on this kind of setup, especially
>with a Linux gateway, please let me know. Thanx so much for your time.
>
>John Maegli
>Systems Engineer
>Sterling Software
>Office (715) 848-2682
>john.maegli at sterling.com
>

From patrick at SECUREOPS.COM Wed Jan 5 14:02:06 2000
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Wed, 5 Jan 2000 14:02:06 -0500
Subject: OpenBSD/ISAKMP configuration interface
Message-ID:

Anybody know of a GUI or command line based configuration tool for ISAKMP on OpenBSD?

____________________
Patrick Ethier
patrick at secureops.com
[ It doesn't matter if you don't know where you're going....]
[ As long as you get there --- DrBones ]

From piter at CETI.COM.PL Thu Jan 6 05:05:31 2000
From: piter at CETI.COM.PL (Piotr Sawicki)
Date: Thu, 6 Jan 2000 11:05:31 +0100
Subject: Using multiple Microsoft PPTP lines over Internet
Message-ID: <001901bf582d$913d9cd0$738696c3@psawicki>

Does somebody know if using multiple Microsoft PPTP lines over the Internet can speed up the connection?
The case is that the Internet connection is very slow, but not from our office to the Internet itself. So if one runs for example 2 ftp downloads, they are not slower than if only 1 is running. Can Microsoft PPTP send more packets concurrently if these multiple lines are configured? Could I speed up the transfer of one particular file this way?

Piotr Sawicki

From Tony.Smith at USAREC.ARMY.MIL Thu Jan 6 09:52:32 2000
From: Tony.Smith at USAREC.ARMY.MIL (Smith, Tony)
Date: Thu, 6 Jan 2000 09:52:32 -0500
Subject: vpn certifications
Message-ID:

I am looking for VPN certification. Does anyone know a company that offers this yet?

Anthony T. Smith

From tbird at PRECISION-GUESSWORK.COM Thu Jan 6 09:49:58 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Thu, 6 Jan 2000 08:49:58 -0600
Subject: Using multiple Microsoft PPTP lines over Internet
In-Reply-To: <001901bf582d$913d9cd0$738696c3@psawicki>
Message-ID:

Hi Piotr --

I'm not really sure I understand your problem, but I suspect that running PPTP is not going to help. When you say the connection is slow, but not from your office to the Internet, what does that mean? That downloads from desktop machines inside your firewall are slow, but pings from the firewall to the Internet aren't? Does it depend on protocol? Does the performance change if you connect to an Internet server by IP address rather than name? Routing information, stats on performance, etc. would all help troubleshoot.

But anyhow -- PPTP or any VPN connection is going to rely on the underlying infrastructure, so if you have routing issues or name resolution issues or firewall issues that are degrading your performance, those will affect the VPN just the same way. And PPTP is itself a pretty major performance killer, at least if you have more than a handful of simultaneous connections.

cheers -- Tina

On Thu, 6 Jan 2000, Piotr Sawicki wrote:

> Date: Thu, 6 Jan 2000 11:05:31 +0100
> From: Piotr Sawicki
> To: VPN at SECURITYFOCUS.COM
> Subject: Using multiple Microsoft PPTP lines over Internet
>
> Does somebody know if using multiple Microsoft PPTP lines over the Internet can
> speed up the connection?
> The case is that the Internet connection is very slow, but not from our office to
> the Internet itself. So if one runs for example 2 ftp downloads, they are
> not slower than if only 1 is running. Can Microsoft PPTP send more packets
> concurrently if these multiple lines
> are configured? Could I speed up the transfer of one particular file this way?
>
> Piotr Sawicki
>

"Doubt is an uncomfortable situation, but certainty is an absurd one." -- Voltaire

From patrick at SECUREOPS.COM Thu Jan 6 10:18:33 2000
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Thu, 6 Jan 2000 10:18:33 -0500
Subject: vpn certifications
Message-ID:

Hi Tony,

From what I understand, lots of vendors require you to take "their" proprietary classes in order to gain certification for their specific product.

Check out Checkpoint.com or nai.com or any other vendor site.

regards,

____________________
Patrick Ethier
patrick at secureops.com

[ It doesn't matter if you don't know where you're going....]
[ As long as you get there --- DrBones ]

> -----Original Message-----
> From: Smith, Tony [mailto:Tony.Smith at USAREC.ARMY.MIL]
> Sent: Thursday, January 06, 2000 9:53 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: vpn certifications
>
>
> I am looking for vpn certification. Does anyone know a
> company that offers
> this yet.
>
>
> Anthony T. Smith
>

From chost at LANL.GOV Thu Jan 6 10:15:04 2000
From: chost at LANL.GOV (Cheryl Host)
Date: Thu, 6 Jan 2000 08:15:04 -0700
Subject: vpn certifications
References:
Message-ID: <004301bf5858$cf4cb3a0$1672a580@lanl.gov>

I'm unaware of a "certification". LearningTree http://www.learningtree.com/ offers a VPN course.

----- Original Message -----
From: Smith, Tony
To:
Sent: Thursday, January 06, 2000 7:52 AM
Subject: vpn certifications

> I am looking for vpn certification. Does anyone know a company that offers
> this yet.
>
>
> Anthony T. Smith
>

From tbird at PRECISION-GUESSWORK.COM Thu Jan 6 10:09:12 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Thu, 6 Jan 2000 09:09:12 -0600
Subject: vpn certifications
In-Reply-To:
Message-ID:

This is correct.
There aren't any "vendor neutral" certifications. I don't normally use this forum to promote myself, but since you asked... I teach a day long vendor neutral class on designing and implementing VPNs for the SANS Institute and USENIX. It's looking like the next chance for that will be the March SANS conference in Orlando. Check out http://www.sans.org for more information.

cheers -- t.

On Thu, 6 Jan 2000, Patrick Ethier wrote:

> Date: Thu, 6 Jan 2000 10:18:33 -0500
> From: Patrick Ethier
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: vpn certifications
>
> Hi Tony,
>
>
> From what I understand, lots of vendors require you to take "their"
> proprietary classes in order to gain certification for their specific
> product.
>
> Check out Checkpoint.com or nai.com or any other vendor site.
>
> regards,
>
> ____________________
> Patrick Ethier
> patrick at secureops.com
>
> [ It doesn't matter if you don't know where you're going....]
> [ As long as you get there --- DrBones ]
>
>
>
> > -----Original Message-----
> > From: Smith, Tony [mailto:Tony.Smith at USAREC.ARMY.MIL]
> > Sent: Thursday, January 06, 2000 9:53 AM
> > To: VPN at SECURITYFOCUS.COM
> > Subject: vpn certifications
> >
> >
> > I am looking for vpn certification. Does anyone know a
> > company that offers
> > this yet.
> >
> >
> > Anthony T. Smith
> >
>

"Doubt is an uncomfortable situation, but certainty is an absurd one." -- Voltaire

From rodney at TILLERMAN.TO Thu Jan 6 10:25:18 2000
From: rodney at TILLERMAN.TO (Rodney Thayer)
Date: Thu, 6 Jan 2000 07:25:18 -0800
Subject: vpn certifications
In-Reply-To:
Message-ID: <3.0.6.32.20000106072518.0385c8c0@216.240.42.209>

That depends on what you mean. The VPN Vendor Consortium, www.vpnc.org, is looking at this. ICSA, a for-profit testing company that sells a 'brand mark', has some certification programs (which not everyone trusts).
There are FIPS certifications for DES and other bits and pieces. In Europe, there's ITSEC.

At 09:52 AM 1/6/00 -0500, Smith, Tony wrote:
>I am looking for vpn certification. Does anyone know a company that offers
>this yet.
>
>
>Anthony T. Smith
>

From rgm at ICSA.NET Thu Jan 6 10:29:37 2000
From: rgm at ICSA.NET (Robert Moskowitz)
Date: Thu, 6 Jan 2000 10:29:37 -0500
Subject: vpn certifications
In-Reply-To:
Message-ID: <4.2.0.58.20000106102626.00c1c9d0@homebase.htt-consult.com>

At 09:52 AM 1/6/2000 -0500, Smith, Tony wrote:
>I am looking for vpn certification. Does anyone know a company that offers
>this yet.

What do you mean by certification? That you can support the product? Or the product really works as advertised?

For the former, a number of the big names have training programs. Cisco of course does, as does Checkpoint. I suspect Nortel, Lucent, 3COM, and Axent also have programs. All would be one-ups.

For the latter, ICSA.net certifies IPsec products. Our 1.0 certification is on our web site. We are in the middle of the 1.0a certification right now. The criteria for these certifications are on our web site.

Robert Moskowitz
ICSA.net
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished if it doesn't matter who gets the credit

From rng at NETSCREEN.COM Thu Jan 6 11:31:56 2000
From: rng at NETSCREEN.COM (Ronald Ng)
Date: Thu, 6 Jan 2000 08:31:56 -0800
Subject: vpn certifications
References:
Message-ID: <003801bf5863$8cdc07e0$c438fea9@netscreen.com>

ICSA has VPN certification (I think), but those that are can't communicate with anybody else. So this is a big joke. Wait until VPN becomes more standardized, and has matured more, then look at certification again.
----- Original Message -----
From: "Smith, Tony"
To:
Sent: Thursday, January 06, 2000 6:52 AM
Subject: vpn certifications

> I am looking for vpn certification. Does anyone know a company that offers
> this yet.
>
>
> Anthony T. Smith
>

From Brent_Jarvis at MITEL.COM Thu Jan 6 13:47:35 2000
From: Brent_Jarvis at MITEL.COM (Brent_Jarvis at MITEL.COM)
Date: Thu, 6 Jan 2000 13:47:35 -0500
Subject: VPN's from a Security perspective.
Message-ID: <8525685E.00673C42.00@kanmta01.software.mitel.com>

I hope I am not repeating an already asked question as I have not been following all threads since I joined, but here goes.

The Situation: I am a remote client on a Network segment and I am initiating a tunnel through my firewall to a VPN appliance at another company's site. This is not a site to site VPN connection and the calling client does not have a VPN in the company.

Questions:

1. How secure am I (remote client) and my fellow workers from the other company's site? Am I putting a great deal of trust in them? Can anyone at the other company tunnel back (or spoof the tunnel) into my segment?

2. What are the best ways to protect the client in this case? (i.e. Install personal firewall, segment machine from others, require network disconnect prior to VPN connection).

3. If I install a VPN box on my site and set up a site to site VPN tunnel with the other company, will this architecture allow for improved security? Is VPN interoperability now at the stage that my VPN box does not need to be the same make as the other company's?

Thanks
Brent

From kleon at PRIMENET.COM Thu Jan 6 14:46:15 2000
From: kleon at PRIMENET.COM (Ken Leon)
Date: Thu, 6 Jan 2000 12:46:15 -0700
Subject: VPN information and research
Message-ID: <3874F107.47009A12@primenet.com>

Greetings.
I work for CSC managing an information architecture group in support of a government contract, and in my spare time I'm doing advanced degree work with a local university. My thesis area is VPNs of course, so I'm looking for any sites you may know of, aside from this group, which maintain credible information on configuration, maintenance, and technical issues related to VPNs.

Thanks-
Ken

From Ryan.Russell at SYBASE.COM Thu Jan 6 18:37:47 2000
From: Ryan.Russell at SYBASE.COM (Ryan Russell)
Date: Thu, 6 Jan 2000 15:37:47 -0800
Subject: VPN's from a Security perspective.
Message-ID: <8825685E.0081E87D.00@gwwest.sybase.com>

>1. How secure am I (remote client) and my fellow workers from the other
>company's site? Am I putting a great deal of trust in them? Can anyone at the
>other company tunnel back (or spoof the tunnel) into my segment?

This is asking if the crypto is secure. It's hard to answer. So far, the only VPN I'm aware of that's had much public review is PPTP. While I'll bash MS as much as the next guy, I suspect that other VPNs wouldn't hold up so great, either. The only difference being at a company like in your situation is that you KNOW there is someone who's quite capable of sniffing your traffic. They've (presumably) got a nice single choke point where your traffic will pass. (Of course, the same capability exists at any given ISP, but there's a general assumption, probably bad, that they won't do that.)

>2. What are the best ways to protect the client in this case? (i.e. Install
>personal firewall, segment machine from others, require network disconnect prior
>to VPN connection).

Personal firewall. I'm not seeing how the others are options... you have to use their network to get to yours, right?

>3. If I install a VPN box on my site and set up a site to site VPN tunnel with
>the other company, will this architecture allow for improved security?
>Is VPN interoperability now at the stage that my VPN box does not need to be the same
>make as the other company's?

That's logically equivalent to user->site VPN + firewall, if you're still talking about just yourself.

Ryan

From eric.jeffery at EDWARDS.AF.MIL Wed Jan 5 18:58:32 2000
From: eric.jeffery at EDWARDS.AF.MIL (Jeffery Eric Contr 95 CS)
Date: Wed, 5 Jan 2000 15:58:32 -0800
Subject: AOL and VPN's
Message-ID: <1342BEFC44BED31195100090276D3496399A4B@FSFSPM15>

Have any of you run into a problem with AOL and VPN's?

I've set up a successful VPN with an Altiga C20 concentrator. I put the client software on a few test systems with other engineers and we were doing great. One of the users has AOL. He establishes a connection with AOL and then launches the Client Dialer. We checked out Firewall logs and the user doesn't even reach our Firewall. I believe the data is getting caught by AOL.

I called their tech support and they were WORTHLESS. The lady laughed and said "that is way over my head." I said cool, escalate me and I'll work it out with an Engineer. She said there is no level 2, she was it. I said fine, let's pretend I can't FTP, what would you have me do. She said "does that have to do with opening a web page?" Needless to say I am on my own so I thought I'd chat with you all and see what you ran into.

Eric Jeffery, MCSE
Network Systems Analyst
TYBRIN Corp.

From eric.jeffery at EDWARDS.AF.MIL Tue Jan 4 13:54:45 2000
From: eric.jeffery at EDWARDS.AF.MIL (Jeffery Eric Contr 95 CS)
Date: Tue, 4 Jan 2000 10:54:45 -0800
Subject: 3 DES Encryption
Message-ID: <1342BEFC44BED31195100090276D3496399A2B@FSFSPM15>

My VPN Device uses 168-bit 3 DES Encryption and HMAC-MD5 for Authentication.

Question- are all packets encrypted with the same key or do they change with each packet?
Basically, I want to know if someone broke the encryption key, would they have access to all data or just that one (or few) packet(s)?

Eric Jeffery, MCSE
Network Systems Analyst
TYBRIN Corp.

From tbird at PRECISION-GUESSWORK.COM Thu Jan 6 19:05:01 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Thu, 6 Jan 2000 18:05:01 -0600
Subject: 3 DES Encryption
In-Reply-To: <1342BEFC44BED31195100090276D3496399A2B@FSFSPM15>
Message-ID:

On an IPSec based device, the lifetime of session keys is one of the parameters that you can configure. If it's not IPSec, then it depends on the vendor -- what you want to look for is something called, oh, "session key lifetime" or "key tumbling" frequency.

You also need to consider how the session keys themselves are generated. For the highest security, you want to use a generation algorithm, such as Diffie Hellman, that provides "perfect forward secrecy" -- new keys are generated without any correlation to past or future keys. A lot of key generation mechanisms (MPPE leaps to mind, but there are others) create session keys out of known perturbations of old keys. In that scenario, someone who compromises a session key gets everything.

On Tue, 4 Jan 2000, Jeffery Eric Contr 95 CS wrote:

> Date: Tue, 4 Jan 2000 10:54:45 -0800
> From: Jeffery Eric Contr 95 CS
> To: VPN at SECURITYFOCUS.COM
> Subject: 3 DES Encryption
>
> My VPN Device uses 168-bit 3 DES Encryption and HMAC-MD5 for Authentication.
>
> Question- are all packets encrypted with the same key or do they change with
> each packet? Basically, I want to know if someone broke the encryption key
> would they have access to all data or just that one (or few) packet(s)?
>
> Eric Jeffery, MCSE
> Network Systems Analyst
> TYBRIN Corp.
>

"Doubt is an uncomfortable situation, but certainty is an absurd one."
-- Voltaire

From rgm at ICSA.NET Thu Jan 6 20:05:04 2000
From: rgm at ICSA.NET (Robert Moskowitz)
Date: Thu, 6 Jan 2000 20:05:04 -0500
Subject: 3 DES Encryption
In-Reply-To: <1342BEFC44BED31195100090276D3496399A2B@FSFSPM15>
Message-ID: <4.2.0.58.20000106194935.00a2cf00@homebase.htt-consult.com>

At 10:54 AM 1/4/2000 -0800, Jeffery Eric Contr 95 CS wrote:
>My VPN Device uses 168-bit 3 DES Encryption and HMAC-MD5 for Authentication.

That 'sounds like' an IPsec device using IKE.

>Question- are all packets encrypted with the same key or do they change with
>each packet? Basically, I want to know if someone broke the encryption key
>would they have access to all data or just that one (or few) packet(s)?

No. IKE has two modes, Main and Quick. In Main mode, keying material from 2 Diffie-Hellman key pairs is used to generate both the encryption and authentication keys. Some vendors default to 8 hours for Main Mode lifetimes.

In Quick mode, this keying material is passed through an exponentiation to get new keying material. There is a limit to the number of times this exponentiation can be done before the keying material is guessable, and no cryptographer will answer how frequent; common QM lifetimes are 1 hour.

The final piece of the puzzle is the Diffie-Hellman group size used in Main Mode. Group 1 is a 768 bit prime. This is fine for up to an 80 bit key requirement. Group 2 is a 1024 bit prime and some say it is OK for a 112 bit key; other cryptographers argue that is a conservative estimate and Group 2 can be used up to around 170 bits. Groups 3 and 4 use Elliptic Curve instead of Diffie-Hellman and might be a tad faster (same relative strengths). We've been pressuring Dr. Orman to compute a 2048 prime for a Group 5, maybe she'll do it by spring and products will have it in the summer. We will definitely need this for AES.

So, set your lifetimes for Quick and Main modes.
Note that quick mode has a data lifetime as well as a time lifetime (too much data with the same key and you are toast). Use the right Group; some products figure this out for you, others expect you to be the crypto wiz. Sigh.

Oh, that HMAC-MD5. There is a reasonable body of evidence that if you go through the effort for 3DES (that is, you fear that a DES scale attack could be launched against you), you really should use HMAC-SHA1. Dr. Krawczyk, the author of HMAC, has expressed a slight concern about the weakness of HMAC-MD5 under the size of attacks that will break DES. But to be honest, my head spins after 15 minutes with him :)

Final point. If your data has a short time value, frequent rekeying with DES MIGHT be just as good protection as 3DES. Provided that data's value over its lifetime is not great enough to warrant very large realtime attackers.

Time to crash and burn.

>Eric Jeffery, MCSE
>Network Systems Analyst
>TYBRIN Corp.
>

Robert Moskowitz
ICSA.net
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished if it doesn't matter who gets the credit

From pete at ETHER.NET Thu Jan 6 19:49:57 2000
From: pete at ETHER.NET (Pete Davis)
Date: Thu, 6 Jan 2000 19:49:57 -0500
Subject: AOL and VPN's
In-Reply-To: <1342BEFC44BED31195100090276D3496399A4B@FSFSPM15>
References: <1342BEFC44BED31195100090276D3496399A4B@FSFSPM15>
Message-ID: <20000106194957.C2899@ether.net>

I have seen AOL5 assign two IP addresses on different adapters to users (unrelated to VPNs). When it does this, it does not behave properly. This is very broken behavior. Under no circumstances should a dial-up with AOL have two different adapters with different IP addresses. When AOL5 does not do this, I have seen it behave properly.

Best Regards,
-pete

On Wed, Jan 05, 2000 at 03:58:32PM -0800, Jeffery Eric Contr 95 CS wrote:
> Have any of you run into a problem with AOL and VPN's.
>
> I've set up a successful VPN with an Altiga C20 concentrator. I put the
> client software on a few test systems with other engineers and we were doing
> great. One of the users has AOL. He establishes a connection with AOL and
> then launches the Client Dialer. We checked out Firewall logs and the user
> doesn't even reach our Firewall. I believe the data is getting caught by
> AOL.

From sbrown at CW.NET Thu Jan 6 20:09:12 2000
From: sbrown at CW.NET (Steven Brown)
Date: Thu, 6 Jan 2000 20:09:12 -0500
Subject: AOL and VPN's
In-Reply-To: <1342BEFC44BED31195100090276D3496399A4B@FSFSPM15>
Message-ID:

Jeffrey-

The AOL stack, from last I looked into it, will not work with CheckPoint's Secure Remote either. After I found out, we had to bypass AOL when creating an encrypted tunnel vpn. Apparently, they do something with the TCP/IP stack, I think they implement their own, much like the problems we had with some versions of winsock. I thought some vendors were working around that, but have not looked into it much lately.

On Wed, 5 Jan 2000, Jeffery Eric Contr 95 CS wrote:

> Have any of you run into a problem with AOL and VPN's.
>
> I've set up a successful VPN with an Altiga C20 concentrator. I put the
> client software on a few test systems with other engineers and we were doing
> great. One of the users has AOL. He establishes a connection with AOL and
> then launches the Client Dialer. We checked out Firewall logs and the user
> doesn't even reach our Firewall. I believe the data is getting caught by
> AOL.
>
> I called their tech support and they were WORTHLESS. The lady laughed and
> said "that is way over my head." I said cool, escalate me and I'll work it
> out with an Engineer. She said there is no level 2, she was it. I said
> fine, let's pretend I can't FTP, what would you have me do. She said "does
> that have to do with opening a web page?"
> Needless to say I am on my own so
> I thought I'd chat with you all and see what you ran into.
>
> Eric Jeffery, MCSE
> Network Systems Analyst
> TYBRIN Corp.
>

Steven A. Brown, MBA., CCSA, CCSE,
VPN/Firewall & Internet Security Engineer
Cable&Wireless, 6400 Weston Pkwy, 3rd. FL
Research Triangle Park, NC, 27513
Author: Implementing Virtual Private Networks, McGraw-Hill
sbrown at cw.net, Steven.Brown at cwusa.com

From dgillett at NIKU.COM Thu Jan 6 19:43:02 2000
From: dgillett at NIKU.COM (David Gillett)
Date: Thu, 6 Jan 2000 16:43:02 -0800
Subject: VPN's from a Security perspective.
In-Reply-To: <8525685E.00673C42.00@kanmta01.software.mitel.com>
Message-ID: <006a01bf58a8$2806d670$f30410ac@niku.com>

> 1. How secure am I (remote client) and my fellow workers from the other
> company's site? Am I putting a great deal of trust in them? Can anyone at the
> other company tunnel back (or spoof the tunnel) into my segment?

It depends. The more common question is "How much does my client expose the other site?", and the prevailing answer has been for the VPN client to force all application traffic to flow through the tunnel. And in your case, that would effectively isolate anything at upper protocol levels on your machine from the rest of the LAN that you're on. [The lowest levels must, of course, still function in order to carry the tunnel.]

> 2. What are the best ways to protect the client in this case? (i.e. Install
> personal firewall, segment machine from others, require network disconnect prior
> to VPN connection).

On those clients which allow non-tunnel traffic while the tunnel is in place, you should be able to turn this off -- and in fact the folks at the other end of the tunnel are likely to request that you do so!

> 3. If I install a VPN box on my site and set up a site to site VPN tunnel with
> the other company, will this architecture allow for improved security?
No; from the perspective of these concerns, it will expose your entire network to theirs and vice versa. Site-to-site is an alternative to WAN technologies; it is a much better fit for linking separate sites of a single organization than for linking across organization perimeters.

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702

From carlsonmail at YAHOO.COM Thu Jan 6 23:19:36 2000
From: carlsonmail at YAHOO.COM (Chris Carlson)
Date: Thu, 6 Jan 2000 20:19:36 -0800
Subject: AOL and VPN's
Message-ID: <20000107041936.8994.qmail@web113.yahoomail.com>

I have a client that uses AOL with the Nortel Contivity Extranet Switch. It works fine, at least with AOL v3.0 (which is the first rev that they have their own stack, I think) and I think 4.0, too.

The only gotcha with the Extranet client is that it won't install on Win95 if you already have 4 network adapters. The workaround is to uninstall AOL, install the Extranet client, and reinstall AOL. Problem solved! I think this isn't an issue with 98 or NT since the WAN NDIS driver installed by PPTP (required on 95) is already part of the stack.

What did your VPN vendor say? One would think that with AOL's 20+ million subscribers your vendor would have encountered this before!

Good luck,
Chris

--- Steven Brown wrote:
> Jeffrey-
>
> The AOL stack, from last I looked into it, will not work with
> CheckPoint's Secure Remote either. After I found out, we had to
> bypass AOL when creating an encrypted tunnel vpn. Apparently, they
> do something with the TCP/IP stack, I think they implement their own,
> much like the problems we had with some versions of winsock.
> I thought some vendors were working around that, but not looked
> into much lately.
>
>
> On Wed, 5 Jan 2000, Jeffery Eric Contr 95 CS wrote:
>
> > Have any of you run into a problem with AOL and VPN's.
> >
> > I've set up a successful VPN with an Altiga C20 concentrator.
> > I put the client software on a few test systems with other engineers and we were doing
> > great. One of the users has AOL. He establishes a connection with AOL and
> > then launches the Client Dialer. We checked out Firewall logs and the user
> > doesn't even reach our Firewall. I believe the data is getting caught by
> > AOL.
> >
> > I called their tech support and they were WORTHLESS. The lady laughed and
> > said "that is way over my head." I said cool, escalate me and I'll work it
> > out with an Engineer. She said there is no level 2, she was it. I said
> > fine, let's pretend I can't FTP, what would you have me do. She said "does
> > that have to do with opening a web page?" Needless to say I am on my own so
> > I thought I'd chat with you all and see what you ran into.
> >
> > Eric Jeffery, MCSE
> > Network Systems Analyst
> > TYBRIN Corp.
> >
>
> Steven A. Brown, MBA., CCSA, CCSE,
> VPN/Firewall & Internet Security Engineer
> Cable&Wireless, 6400 Weston Pkwy, 3rd. FL
> Research Triangle Park, NC, 27513
> Author: Implementing Virtual Private Networks, McGraw-Hill
> sbrown at cw.net, Steven.Brown at cwusa.com
>

From Schwarz.Tony at PRINCIPAL.COM Fri Jan 7 09:17:07 2000
From: Schwarz.Tony at PRINCIPAL.COM (Schwarz, Tony)
Date: Fri, 7 Jan 2000 08:17:07 -0600
Subject: FW: AOL and VPN's
Message-ID: <1D4E309BA672D2118C7900805FBE9FE90684D8F6@pfgdsmmsg009.principal.com>

We have found similar results with AOL. Seems that if you use their version of Internet Explorer that is "built-in" to AOL, their proxy servers don't know what to do with the VPN traffic because the internal addresses being requested by the applications are not valid on the Internet.
To get around the problem we run IE (and other apps) from outside AOL (start AOL, minimize, then start IE) and it seems to work fine for browser-based VPN functions. Most of the apps that we are using are not browser based anyway, so it really is not a major point to us.

__________________________
Tony L. Schwarz, MBA
IT Analyst - Lead
Principal Life Insurance Company
Retail IS
711 High Street, Des Moines, Iowa 50392
Phone (515) 247-4893
Fax (515) 362-0436
Schwarz.Tony at Principal.com
When life throws you lemons, make lemonade.
__________________________

-----Original Message-----
From: Steven Brown [mailto:sbrown at CW.NET]
Sent: Thursday, January 06, 2000 7:09 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: AOL and VPN's

Jeffrey-

The AOL stack, from last I looked into it, will not work with CheckPoint's Secure Remote either. After I found out, we had to bypass AOL when creating an encrypted tunnel vpn. Apparently, they do something with the TCP/IP stack, I think they implement their own, much like the problems we had with some versions of winsock. I thought some vendors were working around that, but have not looked into it much lately.

On Wed, 5 Jan 2000, Jeffery Eric Contr 95 CS wrote:

> Have any of you run into a problem with AOL and VPN's.
>
> I've set up a successful VPN with an Altiga C20 concentrator. I put the
> client software on a few test systems with other engineers and we were doing
> great. One of the users has AOL. He establishes a connection with AOL and
> then launches the Client Dialer. We checked out Firewall logs and the user
> doesn't even reach our Firewall. I believe the data is getting caught by
> AOL.
>
> I called their tech support and they were WORTHLESS. The lady laughed and
> said "that is way over my head." I said cool, escalate me and I'll work it
> out with an Engineer. She said there is no level 2, she was it. I said
> fine, let's pretend I can't FTP, what would you have me do. She said "does
> that have to do with opening a web page?"
> Needless to say I am on my own so
> I thought I'd chat with you all and see what you ran into.
>
> Eric Jeffery, MCSE
> Network Systems Analyst
> TYBRIN Corp.
>

Steven A. Brown, MBA., CCSA, CCSE,
VPN/Firewall & Internet Security Engineer
Cable&Wireless, 6400 Weston Pkwy, 3rd. FL
Research Triangle Park, NC, 27513
Author: Implementing Virtual Private Networks, McGraw-Hill
sbrown at cw.net, Steven.Brown at cwusa.com

From jneedle at NORTELNETWORKS.COM Fri Jan 7 10:05:39 2000
From: jneedle at NORTELNETWORKS.COM (Jeffrey Needle)
Date: Fri, 7 Jan 2000 10:05:39 -0500
Subject: AOL and VPN's
In-Reply-To:
References: <1342BEFC44BED31195100090276D3496399A4B@FSFSPM15>
Message-ID: <4.2.2.20000107100318.00d0acc0@zbl6c000.corpeast.baynetworks.com>

With V5.0, they use a pseudo-driver and force all traffic through it to their proxy servers. Clearly, if you're tunneled, this won't work since their proxy server isn't reachable! We worked around it by breaking the binding they made to our pseudo-driver. We spoke to some engineers at AOL and they are aware of the issue, but I'm not convinced they're going to fix it. They probably need to hear from more VPN vendors to truly understand the scope of this problem.

Jeff, Nortel

At 08:09 PM 1/6/00 -0500, Steven Brown wrote:
>Jeffrey-
>
> The AOL stack, from last I looked into it, will not work with
>CheckPoint's Secure Remote either. After I found out, we had to
>bypass AOL when creating an encrypted tunnel vpn. Apparently, they
>do something with the TCP/IP stack, I think they implement their own,
>much like the problems we had with some versions of winsock.
> I thought some vendors were working around that, but not looked
>into much lately.
>
>
>On Wed, 5 Jan 2000, Jeffery Eric Contr 95 CS wrote:
>
> > Have any of you run into a problem with AOL and VPN's.
> >
> > I've set up a successful VPN with an Altiga C20 concentrator.
> > I put the client software on a few test systems with other engineers and we were
> doing
> > great. One of the users has AOL. He establishes a connection with AOL and
> > then launches the Client Dialer. We checked out Firewall logs and the user
> > doesn't even reach our Firewall. I believe the data is getting caught by
> > AOL.
> >
> > I called their tech support and they were WORTHLESS. The lady laughed and
> > said "that is way over my head." I said cool, escalate me and I'll work it
> > out with an Engineer. She said there is no level 2, she was it. I said
> > fine, let's pretend I can't FTP, what would you have me do. She said "does
> > that have to do with opening a web page?" Needless to say I am on my
> own so
> > I thought I'd chat with you all and see what you ran into.
> >
> > Eric Jeffery, MCSE
> > Network Systems Analyst
> > TYBRIN Corp.
> >
>
>Steven A. Brown, MBA., CCSA, CCSE,
>VPN/Firewall & Internet Security Engineer
>Cable&Wireless, 6400 Weston Pkwy, 3rd. FL
>Research Triangle Park, NC, 27513
>Author: Implementing Virtual Private Networks, McGraw-Hill
>sbrown at cw.net, Steven.Brown at cwusa.com
>

From ken.c.chen at LMCO.COM Fri Jan 7 11:48:16 2000
From: ken.c.chen at LMCO.COM (Chen, Ken C)
Date: Fri, 7 Jan 2000 11:48:16 -0500
Subject: Cisco Router and IP Protocols for IPsec
Message-ID: <15B7999C4F94D211AAE90000F81A45E70120478A@emss20m02.ems.lmco.com>

Can you specify which IP Protocols are allowed and denied through access-lists on a Cisco router? We found that "permit IP" was necessary before a few implementations would work. This is a little open ended, and we'd like to secure the connection a little better.

If someone could provide the command line arguments and maybe an example ACL, it would be appreciated!

Thanks!
VPN is sponsored by SecurityFocus.COM From tbird at PRECISION-GUESSWORK.COM Fri Jan 7 13:13:52 2000 From: tbird at PRECISION-GUESSWORK.COM (Tina Bird) Date: Fri, 7 Jan 2000 12:13:52 -0600 Subject: Glossary On Line! Message-ID: Hi all -- Well, it's taken me nearly half a year, but I am delighted to report that we have a functional VPN glossary on line. It's at http://kubarb.phsx.ukans.edu/~tbird/vpn.html click on the last button, labelled (you guessed it) "Glossary." It's mostly based on the glossary from Rick Smith's book "Internet Cryptography" (thanks, Rick!). I've added a few VPN specific terms. If there are others you'd like to see, send them along and I'll add them in. Whew! Tina "Doubt is an uncomfortable situation, but certainty is an absurd one." -- Voltaire VPN is sponsored by SecurityFocus.COM From twolsey at REALTECH.COM Fri Jan 7 12:55:58 2000 From: twolsey at REALTECH.COM (TC Wolsey) Date: Fri, 7 Jan 2000 12:55:58 -0500 Subject: Cisco Router and IP Protocols for IPsec Message-ID: > "Chen, Ken C" 01/07/00 11:48AM >>> >Can you specify which IP Protocols are allowed and denied through >access-lists on a Cisco router? We found that "permit IP" was necessary Sure, you can specify the protocol number. >before a few implementations would work. This is a little open ended, and >we'd like to secure the connection a little better. > >If someone could provide the command line arguments and maybe an example >ACL, it would be appreciated! access-list 101 permit 47 any any <-- permit GRE traffic access-list 101 permit 89 any any <-- permit OSPF traffic etc, etc.... Some VPN specific details at http://kubarb.phsx.ukans.edu/~tbird/vpn/toc.html > >Thanks! > >VPN is sponsored by SecurityFocus.COM VPN is sponsored by SecurityFocus.COM From dana at INTERPRISE.COM Fri Jan 7 15:59:57 2000 From: dana at INTERPRISE.COM (Dana J. 
Dawson)
Date: Fri, 7 Jan 2000 14:59:57 -0600
Subject: Cisco Router and IP Protocols for IPsec
References: <15B7999C4F94D211AAE90000F81A45E70120478A@emss20m02.ems.lmco.com>
Message-ID: <387653CD.7AAB65C5@interprise.com>

"Chen, Ken C" wrote:
>
> Can you specify which IP Protocols are allowed and denied through
> access-lists on a Cisco router? We found that "permit IP" was necessary
> before a few implementations would work. This is a little open ended, and
> we'd like to secure the connection a little better.
>
> If someone could provide the command line arguments and maybe an example
> ACL, it would be appreciated!
>
> Thanks!
>
> VPN is sponsored by SecurityFocus.COM

Here's the output of "access-list 100 permit ?" in a Cisco router:

> Router(config)#access-list 100 permit ?
>   <0-255>  An IP protocol number
>   ahp      Authentication Header Protocol
>   eigrp    Cisco's EIGRP routing protocol
>   esp      Encapsulation Security Payload
>   gre      Cisco's GRE tunneling
>   icmp     Internet Control Message Protocol
>   igmp     Internet Gateway Message Protocol
>   igrp     Cisco's IGRP routing protocol
>   ip       Any Internet Protocol
>   ipinip   IP in IP tunneling
>   nos      KA9Q NOS compatible IP over IP tunneling
>   ospf     OSPF routing protocol
>   pcp      Payload Compression Protocol
>   pim      Protocol Independent Multicast
>   tcp      Transmission Control Protocol
>   udp      User Datagram Protocol

Instead of "ip", you can specify a protocol number (0-255), or one of the
keywords above if you don't remember the appropriate number.
Since IPSec uses IP protocols 50 (esp) and 51 (ah) and UDP port 500, here's a
common access-list to allow IPSec:

access-list 100 permit 50 any host 1.2.3.4
access-list 100 permit 51 any host 1.2.3.4
access-list 100 permit udp any host 1.2.3.4 eq 500

When you look at the configuration, the router will display this list like
this, since it replaces most common protocol and port numbers with the
corresponding keywords (you can use the keywords instead of the numbers if you
want when you enter the list, too):

access-list 100 permit esp any host 1.2.3.4
access-list 100 permit ahp any host 1.2.3.4
access-list 100 permit udp any host 1.2.3.4 eq isakmp

The above list allows IPSec traffic from anywhere (the "any" keyword) to the
host at IP address "1.2.3.4".

HTH

Dana

--
Dana J. Dawson                     dana at interprise.com
Distinguished Principal Engineer   CCIE #1937
!NTERPRISE Networking Services     (612) 664-3364
U S WEST                           (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

"Hard is where the money is."

VPN is sponsored by SecurityFocus.COM

From gowrishankar.setty at WIPRO.COM Mon Jan 10 02:44:13 2000
From: gowrishankar.setty at WIPRO.COM (Gowri Shankar Bhogisetty)
Date: Mon, 10 Jan 2000 13:14:13 +0530
Subject: VPN connectivity using NAT
Message-ID: <38798DCC.3F374A90@wipro.com>

Hi,

We need to establish a VPN connectivity from our private network to the remote
server, for that we are using NAT at the internet router to change the private
address to a valid internet address. The address translation is working fine,
but I am not getting the return packets from the remote server. I am able to
connect with the internet address without using NAT, that means there is no
problem at the server side. If I use NAT I am getting "can't connect to the
server" from the private n/w. Any help on this is appreciated.
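The access list Dana gives above, run through a small model of how IOS evaluates an extended ACL. This is an added example, not code from any list post or from Cisco: it parses the entries as typed, renders them with the keyword substitution Dana describes, and shows which packets they permit, including that nothing sent by 1.2.3.4 itself matches until mirrored entries (of the kind posted later in the thread) are added, and that TCP falls through to the implicit deny. The peer address 5.6.7.8 is a constructed value.

```python
"""Model of IOS extended-ACL evaluation over the IPsec list from this thread.
Added example; parses only the address forms the thread uses ('any', 'host')."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

PROTO_BY_KEYWORD = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47,  # "ip" = any
                    "esp": 50, "ahp": 51, "ospf": 89}
PORT_BY_KEYWORD = {"isakmp": 500}
KEYWORD_BY_PROTO = {v: k for k, v in PROTO_BY_KEYWORD.items() if v is not None}
KEYWORD_BY_PORT = {v: k for k, v in PORT_BY_KEYWORD.items()}

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None      # only TCP and UDP carry a destination port

@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: Optional[int]             # None = any IP protocol (the "ip" keyword)
    src: str                         # "any" or one host address
    dst: str
    dport: Optional[int]             # None = any destination port

def _number(token: str, table: Dict[str, Optional[int]]) -> Optional[int]:
    return table[token] if token in table else int(token)

def _addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Read 'any' or 'host A.B.C.D' at tok[i]; return (address, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return str(ip_address(tok[i + 1])), i + 2      # validates the address
    raise ValueError(f"unsupported address form: {' '.join(tok)}")

def parse_ace(line: str) -> Tuple[int, Ace]:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line}")
    proto = _number(tok[3], PROTO_BY_KEYWORD)
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    dport = None
    if i < len(tok):
        if tok[i] != "eq" or len(tok) != i + 2:
            raise ValueError(f"only 'eq PORT' is supported: {line}")
        dport = _number(tok[i + 1], PORT_BY_KEYWORD)
    return int(tok[1]), Ace(tok[2], proto, src, dst, dport)

def render(number: int, ace: Ace) -> str:
    """Show an entry as 'show running-config' does: well-known numbers become keywords."""
    def addr(a: str) -> str:
        return a if a == "any" else f"host {a}"
    proto = "ip" if ace.proto is None else KEYWORD_BY_PROTO.get(ace.proto, str(ace.proto))
    parts = ["access-list", str(number), ace.action, proto, addr(ace.src), addr(ace.dst)]
    if ace.dport is not None:
        parts += ["eq", KEYWORD_BY_PORT.get(ace.dport, str(ace.dport))]
    return " ".join(parts)

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for ace in acl:
        if ace.proto is not None and ace.proto != pkt.proto:
            continue
        if ace.src not in ("any", pkt.src) or ace.dst not in ("any", pkt.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"

INBOUND_ONLY = [                          # the list as entered above
    "access-list 100 permit 50 any host 1.2.3.4",
    "access-list 100 permit 51 any host 1.2.3.4",
    "access-list 100 permit udp any host 1.2.3.4 eq 500",
]
BOTH_DIRECTIONS = INBOUND_ONLY + [        # mirrored entries for what 1.2.3.4 sends
    "access-list 100 permit esp host 1.2.3.4 any",
    "access-list 100 permit ahp host 1.2.3.4 any",
    "access-list 100 permit udp host 1.2.3.4 any eq isakmp",
]
PEER = "5.6.7.8"                          # constructed remote IPsec peer
SAMPLES = {
    "ike_in":  Packet(17, PEER, "1.2.3.4", 500),
    "esp_in":  Packet(50, PEER, "1.2.3.4"),
    "ah_in":   Packet(51, PEER, "1.2.3.4"),
    "ike_out": Packet(17, "1.2.3.4", PEER, 500),
    "esp_out": Packet(50, "1.2.3.4", PEER),
    "tcp_in":  Packet(6, PEER, "1.2.3.4", 22),    # no entry matches: implicit deny
}

def decisions(lines: List[str]) -> Dict[str, str]:
    """Evaluate every sample packet against an ACL given as IOS lines."""
    acl = [parse_ace(line)[1] for line in lines]
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}
```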
regards Gowri Shankar VPN is sponsored by SecurityFocus.COM From patrick at SECUREOPS.COM Mon Jan 10 10:35:51 2000 From: patrick at SECUREOPS.COM (Patrick Ethier) Date: Mon, 10 Jan 2000 10:35:51 -0500 Subject: NAI's PGP VPN Client Message-ID: Hi guys, As you have probably read, I have been working on setting up a client VPN link between NAI's PGP VPN(Otherwise know as PGPNet commercial version) client and OpenBSD 2.6. I have been able to successfully achieve my goal but I have 1 major problem. PGP VPN keeps crashing on my win98 box. Here is the situation: 1- I manage to set up a Security Gateway as an SA without any problems. 2- I configure a Secure Host behind that security Gateway. 3- When I try and connect this Secure Host, I get the "Blue Screen of Death" saying "Fatal Exception in PGPMAC.vxd" According to my OpenBSD box, my netstat says I have an IPSec tunnel between that particular host and the PGP client. Has anybody set up a client connection to any VPN technology using PGP VPN client and experienced similar problems? Basically, I'm trying to determine whether this is a flaw in the software or it is the configurations that are wrong.(With such a serious crash, my biased opinion is that there is a major flaw in PGP VPN client and that it does not support Client-to-LAN VPN properly). Thanks for your time, ____________________ Patrick Ethier patrick at secureops.com [ It doesn't matter if you don't know where you're going....] [ As long as you get there --- DrBones ] VPN is sponsored by SecurityFocus.COM From eric.jeffery at EDWARDS.AF.MIL Mon Jan 10 10:34:55 2000 From: eric.jeffery at EDWARDS.AF.MIL (Jeffery Eric Contr 95 CS) Date: Mon, 10 Jan 2000 07:34:55 -0800 Subject: AOL and Altiga Support Clarification Message-ID: <1342BEFC44BED31195100090276D3496399A55@FSFSPM15> In my previous message regarding AOL there is some confusion. The comments regarding support and no level two was in reference to AOL, NOT Altiga. 
Altiga has been fantastic sending an SE out multiple times. I have no
complaints about Altiga and apologize if my message was unclear. All support
issues in my previous message were in reference to AOL, NOT Altiga.

Eric Jeffery, MCSE
Network Systems Analyst
TYBRIN Corp.

VPN is sponsored by SecurityFocus.COM

From markus at HOFMAR.DE Mon Jan 10 10:09:21 2000
From: markus at HOFMAR.DE (Markus Hofmann)
Date: Mon, 10 Jan 2000 16:09:21 +0100
Subject: Cisco Router and IP Protocols for IPsec
In-Reply-To: <387653CD.7AAB65C5@interprise.com>
Message-ID:

On Fri, 7 Jan 2000, Dana J. Dawson wrote:

> access-list 100 permit esp any host 1.2.3.4
> access-list 100 permit ahp any host 1.2.3.4
> access-list 100 permit udp any host 1.2.3.4 eq isakmp
>
> The above list allows IPSec traffic from anywhere (the "any" keyword) to the
> host at IP address "1.2.3.4".

This only allows incoming IPsec packets. Additionally you need to set up the
same ACLs in the other direction.

access-list 100 permit esp any host 1.2.3.4
access-list 100 permit ahp any host 1.2.3.4
access-list 100 permit udp any host 1.2.3.4 eq isakmp
access-list 100 permit esp host 1.2.3.4 any
access-list 100 permit ahp host 1.2.3.4 any
access-list 100 permit udp host 1.2.3.4 any eq isakmp

yours sincerely
M. Hofmann

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Markus Hofmann          Phone:    +49 170 2848250
St. Urbanusstr. 15      Fax:      +49 9371 2032
                        E-Mail:   hofmann at hofmar.de
63927 Buergstadt        SMS-Mail: sms at hofmar.de (Only Subject)
Germany                 PGP-Keys: look at http://www.hofmar.de
---------------------------------------------------------------------
Only written with 100% recyclable electrons!

VPN is sponsored by SecurityFocus.COM

From m_basha at AGAINTECH.COM Mon Jan 10 10:17:36 2000
From: m_basha at AGAINTECH.COM (Mohamed Mohaideen Basha)
Date: Mon, 10 Jan 2000 20:47:36 +0530
Subject: VPN behind router
Message-ID: <001501bf5b7e$338a6ce0$0b01a8c0@a_tech_pdc>

Can any one help me.
I have a VPN server configured behind my router and the IP address of the
router is dynamic (the IP is obtained from the ISP each time it connects). The
setup is like this:

Internet----->router(WAN IP)------>VPNserver(LAN IP).

If I had connected my VPN server directly to the internet then my VPN server
would have the WAN IP address assigned by the ISP. Since I am dialing thru the
router, the WAN IP address is assigned to the router and not the VPN server.

Is there a way in the router so that I can map the WAN IP to the VPN server?

Mohamed Mohaideen Basha
Again Technologies Inc
641 P.H road
Aminjikarai
Chennai
India 600 029

From patrick at SECUREOPS.COM Mon Jan 10 11:56:35 2000
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Mon, 10 Jan 2000 11:56:35 -0500
Subject: NAI's PGP VPN Client
Message-ID:

Hi Jarrett,

I managed to download PGP 6.5.1 off the international site. I'm still waiting
for the demo CD to get here (I was supposed to receive it "expedite" last
week). NAI uses "whois" to do their export control verification. Personally,
that isn't the best way to do things and it also causes us not to be able to
retrieve anything from their American website.

Can you point me to the 6.5.2a International (if it exists)??? I'd greatly
appreciate that.

Regards,

> -----Original Message-----
> From: Jarrett Knoll [mailto:knoll at email.msn.com]
> Sent: Monday, January 10, 2000 11:43 AM
> To: Patrick Ethier
> Subject: Re: NAI's PGP VPN Client
>
>
> Patrick,
> which version of pgpnet are you using? version 6.5.2a seems to work the
> best. 6.5.3 has caused several dreaded blue screens. Several issues have
> been presented to the backline support, but we have not received any
> response back yet.
> Jarrett Knoll > > ----- Original Message ----- > From: "Patrick Ethier" > To: > Sent: Monday, January 10, 2000 9:35 AM > Subject: NAI's PGP VPN Client > > > > Hi guys, > > > > > > As you have probably read, I have been working on setting > up a client VPN > > link between NAI's PGP VPN(Otherwise know as PGPNet > commercial version) > > client and OpenBSD 2.6. I have been able to successfully > achieve my goal > but > > I have 1 major problem. PGP VPN keeps crashing on my win98 box. > > > > Here is the situation: > > > > 1- I manage to set up a Security Gateway as an SA without > any problems. > > 2- I configure a Secure Host behind that security Gateway. > > 3- When I try and connect this Secure Host, I get the "Blue > Screen of > Death" > > saying "Fatal Exception in PGPMAC.vxd" > > > > According to my OpenBSD box, my netstat says I have an IPSec tunnel > between > > that particular host and the PGP client. > > > > Has anybody set up a client connection to any VPN > technology using PGP VPN > > client and experienced similar problems? Basically, I'm trying to > determine > > whether this is a flaw in the software or it is the > configurations that > are > > wrong.(With such a serious crash, my biased opinion is that > there is a > major > > flaw in PGP VPN client and that it does not support > Client-to-LAN VPN > > properly). > > > > Thanks for your time, > > > > > > ____________________ > > Patrick Ethier > > patrick at secureops.com > > > > [ It doesn't matter if you don't know where you're going....] 
> > [ As long as you get there --- DrBones ] > > > > VPN is sponsored by SecurityFocus.COM > > > VPN is sponsored by SecurityFocus.COM From JJones at NWNETS.COM Mon Jan 10 13:00:35 2000 From: JJones at NWNETS.COM (Jeremy Jones) Date: Mon, 10 Jan 2000 11:00:35 -0700 Subject: VPN connectivity using NAT Message-ID: <4128C0428F94D3118F1E00902773CED201B3B0@NNSBOIS1> Depending on what type of VPN connection you're making, you'll need to make some static nat mappings on the nat router. For PPTP you'll need to map protocol 47 (gre) and tcp port 1723 to the ip address of the machine on the private network making the call to the vpn server. For other VPNs (like l2tp, etc), you'll have to find out what protocols and ports it uses. Jeremy Jones, MA, MCSE, CCNA Systems Analyst Northwest Network Services (208) 343-5260 x106 http://www.nwnets.com mailto:jjones at nwnets.com -----Original Message----- From: Gowri Shankar Bhogisetty [mailto:gowrishankar.setty at WIPRO.COM] Sent: Monday, January 10, 2000 12:44 AM To: VPN at SECURITYFOCUS.COM Subject: VPN connectivity using NAT Hi, We need to establish a VPN connectivity from our private network to the remote server ,for that we are using NAT at the internet router to change the private address to valid internet address . The address translation is working fine ,but i am not getting the return packets from the remote server . I am able to connect with the internet address without using NAT,that means there is no problem at the server side. If i use NAT i am getting can't connect to the server from the private n/w. Any help on this appreciable. 
regards Gowri Shankar VPN is sponsored by SecurityFocus.COM VPN is sponsored by SecurityFocus.COM From JJones at NWNETS.COM Mon Jan 10 14:52:27 2000 From: JJones at NWNETS.COM (Jeremy Jones) Date: Mon, 10 Jan 2000 12:52:27 -0700 Subject: VPN connectivity using NAT Message-ID: <4128C0428F94D3118F1E00902773CED201B3B1@NNSBOIS1> Hi Pete and All, If you're using a Linux based firewall/nat box, there's a pretty good HOWTO at http://www.linux.ncsu.edu/linux/LDP/HOWTO/VPN-Masquerade-HOWTO.html. I use the NAT functionality of a Cisco 675 ADSL modem, which handles GRE for PPTP just fine. I'm not sure about the translation of protocols for IPSEC or any other VPN methods, though... Jeremy -----Original Message----- From: Pete Davis [mailto:pete at ether.net] Sent: Monday, January 10, 2000 12:43 PM To: Jeremy Jones Cc: VPN at SECURITYFOCUS.COM Subject: Re: VPN connectivity using NAT There are very few firewalls that properly handle translation of GRE or IPSEC-ESP packets since both of these came out way after most TCP/UDP/ICMP NAT implementations. I think that Sygate supports PPTP, and for small little routers, Nexland supports IPSEC. There are a few others out there. If your fw does not have specific NAT support for GRE translation for the case of PPTP or IPSEC-ESP translation for the case of IPSEC, then you will not be able to use VPN through it. Regards, -Pete On Mon, Jan 10, 2000 at 11:00:35AM -0700, Jeremy Jones wrote: > Depending on what type of VPN connection you're making, you'll need to make > some static nat mappings on the nat router. For PPTP you'll need to map > protocol 47 (gre) and tcp port 1723 to the ip address of the machine on the > private network making the call to the vpn server. For other VPNs (like > l2tp, etc), you'll have to find out what protocols and ports it uses. 
> > Jeremy Jones, MA, MCSE, CCNA > Systems Analyst > Northwest Network Services > (208) 343-5260 x106 > http://www.nwnets.com > mailto:jjones at nwnets.com --- Pete Davis - Product Manager (508) 541-7300 x154 Altiga Networks - 124 Grove Street Suite 205 Franklin, MA 02038 VPN is sponsored by SecurityFocus.COM From pete at ETHER.NET Mon Jan 10 14:43:19 2000 From: pete at ETHER.NET (Pete Davis) Date: Mon, 10 Jan 2000 14:43:19 -0500 Subject: VPN connectivity using NAT In-Reply-To: <4128C0428F94D3118F1E00902773CED201B3B0@NNSBOIS1> References: <4128C0428F94D3118F1E00902773CED201B3B0@NNSBOIS1> Message-ID: <20000110144319.B16500@ether.net> There are very few firewalls that properly handle translation of GRE or IPSEC-ESP packets since both of these came out way after most TCP/UDP/ICMP NAT implementations. I think that Sygate supports PPTP, and for small little routers, Nexland supports IPSEC. There are a few others out there. If your fw does not have specific NAT support for GRE translation for the case of PPTP or IPSEC-ESP translation for the case of IPSEC, then you will not be able to use VPN through it. Regards, -Pete On Mon, Jan 10, 2000 at 11:00:35AM -0700, Jeremy Jones wrote: > Depending on what type of VPN connection you're making, you'll need to make > some static nat mappings on the nat router. For PPTP you'll need to map > protocol 47 (gre) and tcp port 1723 to the ip address of the machine on the > private network making the call to the vpn server. For other VPNs (like > l2tp, etc), you'll have to find out what protocols and ports it uses. 
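The NAT behaviour Jeremy and Pete describe above, as an added model that is not code from any list post: a port-overloading NAT router in front of a PPTP or IPsec client. It shows the symptom Gowri reported (the TCP/1723 control channel or IKE over UDP/500 translates fine while GRE and ESP return packets have no port to match and are dropped), what a static protocol-47 mapping of the kind Jeremy describes changes, and why such a mapping can serve only one inside host. All addresses are constructed RFC 5737 documentation values.

```python
"""Model of a port-overloading NAT router in front of a PPTP or IPsec client.
Added example; addresses are constructed RFC 5737 documentation values."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

TCP, UDP, GRE, ESP = 6, 17, 47, 50           # IP protocol numbers
PPTP_CTRL, ISAKMP = 1723, 500                # TCP and UDP ports named in the thread


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None              # TCP/UDP only: GRE and ESP carry no ports
    dport: Optional[int] = None


class Napt:
    """Many-to-one NAT (IOS 'overload', Linux masquerade): inside hosts share one
    public address and the translated L4 port is what steers a reply back."""

    def __init__(self, public_ip: str, static: Optional[Dict[int, str]] = None):
        self.public_ip = public_ip
        # Static "IP protocol N -> inside host" mapping, the kind Jeremy
        # describes for protocol 47 (GRE).
        self.static: Dict[int, str] = dict(static or {})
        # Dynamic table: (proto, public port) -> (inside host, inside port).
        self.table: Dict[Tuple[int, int], Tuple[str, int]] = {}
        self.next_port = 1024
        self.dropped: List[Packet] = []

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto in (TCP, UDP):
            origin = (pkt.src, pkt.sport)
            key = next((k for k, v in self.table.items()
                        if k[0] == pkt.proto and v == origin), None)
            if key is None:                      # new flow: allocate a public port
                key = (pkt.proto, self.next_port)
                self.next_port += 1
                self.table[key] = origin
            return replace(pkt, src=self.public_ip, sport=key[1])
        # GRE/ESP: the source address is rewritten, but there is no port field
        # in which to record which inside host this flow belongs to.
        return replace(pkt, src=self.public_ip)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto in (TCP, UDP):
            hit = self.table.get((pkt.proto, pkt.dport))
            if hit is not None:
                return replace(pkt, dst=hit[0], dport=hit[1])
        elif pkt.proto in self.static:
            return replace(pkt, dst=self.static[pkt.proto])
        self.dropped.append(pkt)                 # no translation state: discard
        return None


def _round_trip(nat: Napt, client: str, server: str, out: Packet) -> bool:
    """Send one packet out through the NAT; report whether the server's reply,
    addressed to the public address it saw, gets back to the same client."""
    sent = nat.outbound(out)
    reply = Packet(sent.proto, server, sent.src, sent.dport, sent.sport)
    back = nat.inbound(reply)
    return back is not None and back.dst == client and back.dport == out.sport


def pptp_session(nat: Napt, client: str = "192.168.1.10",
                 server: str = "203.0.113.5") -> Dict[str, bool]:
    """PPTP: a TCP/1723 control connection plus GRE (protocol 47) data packets."""
    return {
        "control": _round_trip(nat, client, server,
                               Packet(TCP, client, server, 40000, PPTP_CTRL)),
        "gre": _round_trip(nat, client, server, Packet(GRE, client, server)),
    }


def ipsec_session(nat: Napt, client: str = "192.168.1.10",
                  server: str = "203.0.113.5") -> Dict[str, bool]:
    """IPsec: IKE over UDP/500 has a port to translate; ESP (protocol 50) has none."""
    return {
        "ike": _round_trip(nat, client, server,
                           Packet(UDP, client, server, ISAKMP, ISAKMP)),
        "esp": _round_trip(nat, client, server, Packet(ESP, client, server)),
    }


def two_clients_gre(nat: Napt, a: str = "192.168.1.10", b: str = "192.168.1.11",
                    server: str = "203.0.113.5") -> Dict[str, bool]:
    """A static mapping names one host, so GRE replies meant for a second inside
    host are delivered to the first rather than dropped."""
    return {"a": _round_trip(nat, a, server, Packet(GRE, a, server)),
            "b": _round_trip(nat, b, server, Packet(GRE, b, server))}
```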
> > Jeremy Jones, MA, MCSE, CCNA > Systems Analyst > Northwest Network Services > (208) 343-5260 x106 > http://www.nwnets.com > mailto:jjones at nwnets.com --- Pete Davis - Product Manager (508) 541-7300 x154 Altiga Networks - 124 Grove Street Suite 205 Franklin, MA 02038 VPN is sponsored by SecurityFocus.COM From ken.c.chen at LMCO.COM Mon Jan 10 16:54:56 2000 From: ken.c.chen at LMCO.COM (Chen, Ken C) Date: Mon, 10 Jan 2000 16:54:56 -0500 Subject: Cisco Router and IP Protocols for IPsec Message-ID: <15B7999C4F94D211AAE90000F81A45E70120479F@emss20m02.ems.lmco.com> Thanks for everyone's reply to this subject! One last question, do I need TCP open for IPsec to function properly? I know there is an implicit deny all at the end of the list, but just thought I'd throw in a line just to be safe... and for clarification. -----Original Message----- From: Markus Hofmann [mailto:markus at HOFMAR.DE] Sent: Monday, January 10, 2000 10:09 AM To: VPN at SECURITYFOCUS.COM Subject: Re: Cisco Router and IP Protocols for IPsec On Fri, 7 Jan 2000, Dana J. Dawson wrote: > access-list 100 permit esp any host 1.2.3.4 > access-list 100 permit ahp any host 1.2.3.4 > access-list 100 permit udp any host 1.2.3.4 eq isakmp > > The above list allows IPSec traffic from anywhere (the "any" keyword) to the > host at IP address "1.2.3.4". This only allows incomig ipsec packets. Additional you need to setup the same ACLs in the other direction. access-list 100 permit esp any host 1.2.3.4 access-list 100 permit ahp any host 1.2.3.4 access-list 100 permit udp any host 1.2.3.4 eq isakmp access-list 100 permit esp host 1.2.3.4 any access-list 100 permit ahp host 1.2.3.4 any access-list 100 permit udp host 1.2.3.4 any eq isakmp yours sincerely M. Hofmann =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Markus Hofmann Phone: +49 170 2848250 St. Urbanusstr. 
15 Fax: +49 9371 2032 E-Mail: hofmann at hofmar.de 63927 Buergstadt SMS-Mail: sms at hofmar.de (Only Subject) Germany PGP-Keys: look at http://www.hofmar.de --------------------------------------------------------------------- Only written with 100% recycleable electrons! VPN is sponsored by SecurityFocus.COM VPN is sponsored by SecurityFocus.COM From ken.c.chen at LMCO.COM Mon Jan 10 18:56:40 2000 From: ken.c.chen at LMCO.COM (Chen, Ken C) Date: Mon, 10 Jan 2000 18:56:40 -0500 Subject: Nortel EAC Win2K version? Message-ID: <15B7999C4F94D211AAE90000F81A45E7012047A5@emss20m02.ems.lmco.com> Anyone hear of a Windows 2000 version of the Nortel's EAC? VPN is sponsored by SecurityFocus.COM From carlsonmail at YAHOO.COM Mon Jan 10 22:19:36 2000 From: carlsonmail at YAHOO.COM (Chris Carlson) Date: Mon, 10 Jan 2000 19:19:36 -0800 Subject: Nortel EAC Win2K version? Message-ID: <20000111031936.4444.qmail@web120.yahoomail.com> No doubt Jeff Needle will hop in here, but in case he's on vacation or something, I'll chime in... :) I spoke with the Product Manager for the Contivity switch. They aren't going to parallel develop a Windows 2000 client version until AFTER Microsoft officially ships W2K. Wasn't the official shipping date last week or so? You see, since MS changed so many things with the IP stack, route APIs, and other stuff from Beta 1 to Beta 2 of W2K, they didn't want to re-write the Extranet client after every beta release... Nortel committed to a Windows 2000 version (Extranet client v.3.0) slated for Q1/00, probably towards the end of March. (Don't hold me to this!!) I've successfully tested a W2K PPTP client connecting to a 2.11 and 2.5 Contivity server, which a few of my clients are considering as a transitional step. After all, W2K has much better support for laptops than NT4! 
I wonder if Nortel will natively support MS' new VPN direction for Windows 2000 though, which is tunnelling L2TP traffic in IPSec packets, in essence putting IPSec's security on top of L2TP's multiprotocol support. (MS released a white paper on this a few months ago.) Typical Microsoft -- who said anything about standards?? Good luck, Chris -- --- "Chen, Ken C" wrote: > Anyone hear of a Windows 2000 version of the > Nortel's EAC? > > VPN is sponsored by SecurityFocus.COM > __________________________________________________ Do You Yahoo!? Talk to your friends online with Yahoo! Messenger. http://im.yahoo.com VPN is sponsored by SecurityFocus.COM From josef.pojsl at SKYNET.CZ Tue Jan 11 05:37:38 2000 From: josef.pojsl at SKYNET.CZ (Josef Pojsl) Date: Tue, 11 Jan 2000 11:37:38 +0100 Subject: NAI's PGP VPN Client In-Reply-To: ; from patrick@SECUREOPS.COM on Mon, Jan 10, 2000 at 10:35:51AM -0500 References: Message-ID: <20000111113738.A25594@regent.in.skynet.cz> Patrick, what type of network interface are you using? I have seen a similar behaviour in PGPnet when trying to connect to Gauntlet GVPN or another PGPnet box. I was using PGP 6.5.1 commercial version on Win 95 OSR2. In both cases, I got the BSoD referring to PGPMAC.vxd as a cause of the trouble. To my big surprise, that behaviour vanished when I changed my network interface card! I started to track down the probem and found out that: - With an ethernet NIC on ISA (2 types, actually, NEC and 3com) => crash - With an ethernet NIC on PCI (3com) => OK - With dial-up connection => OK I have reported that to NAI but no reply since. I haven't had chance to try it on newer versions of PGP yet. Regards, Josef On Mon, Jan 10, 2000 at 10:35:51AM -0500, Patrick Ethier wrote: > Here is the situation: > > 1- I manage to set up a Security Gateway as an SA without any problems. > 2- I configure a Secure Host behind that security Gateway. 
> 3- When I try and connect this Secure Host, I get the "Blue Screen of Death" > saying "Fatal Exception in PGPMAC.vxd" > > According to my OpenBSD box, my netstat says I have an IPSec tunnel between > that particular host and the PGP client. > > Has anybody set up a client connection to any VPN technology using PGP VPN > client and experienced similar problems? Basically, I'm trying to determine > whether this is a flaw in the software or it is the configurations that are > wrong.(With such a serious crash, my biased opinion is that there is a major > flaw in PGP VPN client and that it does not support Client-to-LAN VPN > properly). -- Josef Pojsl mailto:josef.pojsl at skynet.cz VPN is sponsored by SecurityFocus.COM From patrick at SECUREOPS.COM Tue Jan 11 09:51:49 2000 From: patrick at SECUREOPS.COM (Patrick Ethier) Date: Tue, 11 Jan 2000 09:51:49 -0500 Subject: NAI's PGP VPN Client Message-ID: Hi Josef, I've currently got 2 PCI ethernet cards in my system. I have a 3c509BTX and a Linksys Lan Card II(Both 100mbs). I've tried linking the driver to both and it crashes(Actually, I figured if I disabled the PGP VPN client that I should not have any problems as long as I don't use it, but the system still crashes randomly). I uninstalled the software and am currently for other stand-alone products to try. Any suggestions? > -----Original Message----- > From: Josef Pojsl [mailto:josef.pojsl at SKYNET.CZ] > Sent: Tuesday, January 11, 2000 5:38 AM > To: VPN at SECURITYFOCUS.COM > Subject: Re: NAI's PGP VPN Client > > > Patrick, > > what type of network interface are you using? > > I have seen a similar behaviour in PGPnet when trying to connect > to Gauntlet GVPN or another PGPnet box. I was using PGP 6.5.1 > commercial version on Win 95 OSR2. In both cases, I got the BSoD > referring to PGPMAC.vxd as a cause of the trouble. > > To my big surprise, that behaviour vanished when I changed my > network interface card! 
I started to track down the probem > and found out that: > - With an ethernet NIC on ISA (2 types, actually, NEC and > 3com) => crash > - With an ethernet NIC on PCI (3com) => OK > - With dial-up connection => OK > > I have reported that to NAI but no reply since. > I haven't had chance to try it on newer versions of PGP yet. > > Regards, > Josef > > > On Mon, Jan 10, 2000 at 10:35:51AM -0500, Patrick Ethier wrote: > > > Here is the situation: > > > > 1- I manage to set up a Security Gateway as an SA without > any problems. > > 2- I configure a Secure Host behind that security Gateway. > > 3- When I try and connect this Secure Host, I get the "Blue > Screen of Death" > > saying "Fatal Exception in PGPMAC.vxd" > > > > According to my OpenBSD box, my netstat says I have an > IPSec tunnel between > > that particular host and the PGP client. > > > > Has anybody set up a client connection to any VPN > technology using PGP VPN > > client and experienced similar problems? Basically, I'm > trying to determine > > whether this is a flaw in the software or it is the > configurations that are > > wrong.(With such a serious crash, my biased opinion is that > there is a major > > flaw in PGP VPN client and that it does not support > Client-to-LAN VPN > > properly). > > -- > Josef Pojsl mailto:josef.pojsl at skynet.cz > > VPN is sponsored by SecurityFocus.COM > VPN is sponsored by SecurityFocus.COM From scotta at GNAC.COM Tue Jan 11 15:46:22 2000 From: scotta at GNAC.COM (Scott Armstrong) Date: Tue, 11 Jan 2000 12:46:22 -0800 Subject: NAI's PGP VPN Client In-Reply-To: Message-ID: It's definitely the NIC. I've been setting up a test LAN with GVPN 5.0 and PGPNet 6.5.2a. Running NT 4.0 server, SP5 + hot fixes on a laptop, a Linksys NP10T card would cause a BSOD every time I hit the Connect button (maybe the button was mislabeled and should have said Crash). I swapped it out for a Xircom CreditCard 10/100 card and everything started working fine. 
A review of the PGP docs says you need to use PGPNet with an approved adapter. Neither their docs or the NAI web site define a set of approved adapters. Scott >-----Original Message----- >From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of >Patrick Ethier >Sent: Tuesday, January 11, 2000 6:52 AM >To: VPN at SECURITYFOCUS.COM >Subject: Re: NAI's PGP VPN Client > > >Hi Josef, > > > I've currently got 2 PCI ethernet cards in my system. I have a >3c509BTX and >a Linksys Lan Card II(Both 100mbs). I've tried linking the driver to both >and it crashes(Actually, I figured if I disabled the PGP VPN client that I >should not have any problems as long as I don't use it, but the >system still >crashes randomly). > > >I uninstalled the software and am currently for other stand-alone products >to try. Any suggestions? > > > >> -----Original Message----- >> From: Josef Pojsl [mailto:josef.pojsl at SKYNET.CZ] >> Sent: Tuesday, January 11, 2000 5:38 AM >> To: VPN at SECURITYFOCUS.COM >> Subject: Re: NAI's PGP VPN Client >> >> >> Patrick, >> >> what type of network interface are you using? >> >> I have seen a similar behaviour in PGPnet when trying to connect >> to Gauntlet GVPN or another PGPnet box. I was using PGP 6.5.1 >> commercial version on Win 95 OSR2. In both cases, I got the BSoD >> referring to PGPMAC.vxd as a cause of the trouble. >> >> To my big surprise, that behaviour vanished when I changed my >> network interface card! I started to track down the probem >> and found out that: >> - With an ethernet NIC on ISA (2 types, actually, NEC and >> 3com) => crash >> - With an ethernet NIC on PCI (3com) => OK >> - With dial-up connection => OK >> >> I have reported that to NAI but no reply since. >> I haven't had chance to try it on newer versions of PGP yet. 
>> >> Regards, >> Josef >> >> >> On Mon, Jan 10, 2000 at 10:35:51AM -0500, Patrick Ethier wrote: >> >> > Here is the situation: >> > >> > 1- I manage to set up a Security Gateway as an SA without >> any problems. >> > 2- I configure a Secure Host behind that security Gateway. >> > 3- When I try and connect this Secure Host, I get the "Blue >> Screen of Death" >> > saying "Fatal Exception in PGPMAC.vxd" >> > >> > According to my OpenBSD box, my netstat says I have an >> IPSec tunnel between >> > that particular host and the PGP client. >> > >> > Has anybody set up a client connection to any VPN >> technology using PGP VPN >> > client and experienced similar problems? Basically, I'm >> trying to determine >> > whether this is a flaw in the software or it is the >> configurations that are >> > wrong.(With such a serious crash, my biased opinion is that >> there is a major >> > flaw in PGP VPN client and that it does not support >> Client-to-LAN VPN >> > properly). >> >> -- >> Josef Pojsl mailto:josef.pojsl at skynet.cz >> >> VPN is sponsored by SecurityFocus.COM >> > >VPN is sponsored by SecurityFocus.COM > VPN is sponsored by SecurityFocus.COM From ifox100 at HOTMAIL.COM Wed Jan 12 14:19:55 2000 From: ifox100 at HOTMAIL.COM (Ivan Fox) Date: Wed, 12 Jan 2000 14:19:55 -0500 Subject: VPN behind a firewall with NAT Message-ID: <20000112191959.4208.qmail@hotmail.com> Some of our engineers are working at customer plants. They need to access NT and Lotus Notes servers back home here. The manufacturing plants which they are working in are highly secured. They are *not* allowed to use dial-up networking. They are working behind a firewalled network. We are using Checkpoint Firewall-1 with VPN-1. Should I just ask their network administrators to open ports 500 and 501 so that they can use SecureRemote access the Lotus Notes servers and NT servers back home. Any pointers are appreciated. 
Thanks, Ivan VPN is sponsored by SecurityFocus.COM From Ryan.Russell at SYBASE.COM Wed Jan 12 14:29:00 2000 From: Ryan.Russell at SYBASE.COM (Ryan Russell) Date: Wed, 12 Jan 2000 11:29:00 -0800 Subject: [FW1] VPN behind a firewall with NAT Message-ID: <88256864.006B0C1A.00@gwwest.sybase.com> >The manufacturing plants which they are working in are highly secured. They >are *not* allowed to use dial-up networking. They are working behind a >firewalled network. Then they won't be allowed to use a VPN either. All of my users have a standing order that they must get permission to use our VPN when at any customer site. Hopefully, some of them even follow that order. >We are using Checkpoint Firewall-1 with VPN-1. Should I just ask their >network administrators to open ports 500 and 501 so that they can use >SecureRemote access the Lotus Notes servers and NT servers back home. Those are only the authentication/topology download ports. SecuRemote uses IP in IP (I think IP type 40?) for it's tunneling. The firewall admin would have to open that up, too. I doubt they'd be willing. Any kind of proxying or NAT will cause you trouble as well. Ryan VPN is sponsored by SecurityFocus.COM From rstandefer at FJICL.COM Wed Jan 12 14:37:55 2000 From: rstandefer at FJICL.COM (Standefer, Robert) Date: Wed, 12 Jan 2000 19:37:55 -0000 Subject: Help with VPN on Windows 2000 RC2 Message-ID: I hope this is the right forum for this kind of question. If not, I apologize. I'm trying to set up a VPN connection using Windows 2000. When I try to creat a connection, however, the VPN option is "grayed out". Anyone have any info to point me in the right direction? Thanks very much in advance. 
Rob Standefer
ICL eBusiness North America

From guy.raymakers at EUROPE.EDS.COM Thu Jan 13 04:30:01 2000
From: guy.raymakers at EUROPE.EDS.COM (guy.raymakers at EUROPE.EDS.COM)
Date: Thu, 13 Jan 2000 10:30:01 +0100
Subject: VPN management
Message-ID: <41256865.0034A710.00@beanmg01.lneu.emea.eds.com>

We are investigating the management effort of a site to site VPN network including about 3000 sites (connecting securely to one central point). Since the IPsec function is implemented on routers, there's a need to use pre-shared text secrets. We want to change that text secret on a regular basis; the question now is: are there some "smart" techniques to do this? I cannot imagine doing this all one by one manually.

Thanks for your responses,
Guy

From Torx at TM.NET.MY Thu Jan 13 08:37:18 2000
From: Torx at TM.NET.MY (torx)
Date: Thu, 13 Jan 2000 21:37:18 +0800
Subject: VPN management
References: <41256865.0034A710.00@beanmg01.lneu.emea.eds.com>
Message-ID: <003501bf5dcb$596b1f00$0245a8c0@galena>

Out of curiosity, why do you need to use pre-shared secrets?

Ram.

----- Original Message -----
From:
To:
Sent: Thursday, January 13, 2000 5:30 PM
Subject: VPN management

> We are investigating the management effort of a site to site VPN network
> including about 3000 sites (connecting secure to one central point). Since the
> IPsec function is implemented on routers, there's a need to use the Pre-shared
> text secrets. We want to change that text-secret on a regular basis, the
> question is now : are there some "smart" techniques to do this ? I cannot
> imagine to do this all one by one manually.
>
> Thanks for your responses,
> Guy

From kemp at INDUSRIVER.COM Thu Jan 13 08:53:29 2000
From: kemp at INDUSRIVER.COM (Brad Kemp)
Date: Thu, 13 Jan 2000 08:53:29 -0500
Subject: VPN behind a firewall with NAT
In-Reply-To: <20000112191959.4208.qmail@hotmail.com>
Message-ID: <3.0.3.32.20000113085329.032b96c0@pop3.indusriver.com>

Ivan,

Ask them to open up the ports and protocols you need.

It is possible to use covert tunneling to create a tunnel in this environment. A covert tunnel is one that appears to the firewall as an https (SSL) or TLS request. I would not recommend implementing this without your customer's approval; one of the fastest ways to lose a contract is to breach your customer's security systems. This should only be deployed if the customer says it's OK to tunnel, but doesn't want to touch the firewall. If your customers are not letting you use dial-up networking, it is unlikely they would let you do this.

There are a few vendors who provide this type of tunneling; usually it consists of establishing a tunnel through an SSL/TLS connection. There are performance penalties involved with this type of tunnel. If the tunnel experiences congestion, there will be an avalanche of packets causing more congestion. This is due to the retransmission of the same packet both at the SSL/TLS layer and at the application's TCP layer.

Be aware that this type of tunneling may not work well through certain proxy servers. These servers disconnect and reconnect the SSL/TLS TCP connection during periods of inactivity. Some vendors handle this poorly.

Brad

At 02:19 PM 1/12/00 -0500, Ivan Fox wrote:
> Some of our engineers are working at customer plants. They need to access
> NT and Lotus Notes servers back home here.
>
> The manufacturing plants which they are working in are highly secured. They
> are *not* allowed to use dial-up networking. They are working behind a
> firewalled network.
>
> We are using Checkpoint Firewall-1 with VPN-1. Should I just ask their
> network administrators to open ports 500 and 501 so that they can use
> SecureRemote access the Lotus Notes servers and NT servers back home.
>
> Any pointers are appreciated.
>
> Thanks,
>
> Ivan

--
Brad Kemp                     Indus River Networks, Inc.
BradKemp at indusriver.com   31 Nagog Park
978-266-8122                  Acton, MA 01720
fax 978-266-8111

From jcarr at STATE.ND.US Thu Jan 13 08:48:15 2000
From: jcarr at STATE.ND.US (Carr, Jeff N.)
Date: Thu, 13 Jan 2000 07:48:15 -0600
Subject: VPN management
Message-ID: <537E0AFAA151D111A2C800805F150DE303E10E33@email.state.nd.us>

Why is there a need for a pre-shared text secret? You could use certificates with a central PKI and the problem you are worried about simply does not exist. Of course, one must maintain the PKI and the CRLs, but at least that is centrally managed, and a lot less work.

Jeff

-----Original Message-----
From: guy.raymakers at EUROPE.EDS.COM [mailto:guy.raymakers at EUROPE.EDS.COM]
Sent: Thursday, January 13, 2000 3:30 AM
To: VPN at SECURITYFOCUS.COM
Subject: VPN management

We are investigating the management effort of a site to site VPN network including about 3000 sites (connecting secure to one central point). Since the IPsec function is implemented on routers, there's a need to use the Pre-shared text secrets. We want to change that text-secret on a regular basis, the question is now : are there some "smart" techniques to do this ? I cannot imagine to do this all one by one manually.
Thanks for your responses,
Guy

From carlsonmail at YAHOO.COM Thu Jan 13 09:58:45 2000
From: carlsonmail at YAHOO.COM (Chris Carlson)
Date: Thu, 13 Jan 2000 06:58:45 -0800
Subject: VPN management
Message-ID: <20000113145845.6086.qmail@web123.yahoomail.com>

Without answering for Guy personally :), I'm guessing that he's using pre-shared secrets because that's all his routers support! Most routers with a "basic" set of IPSec security only use pre-shared secrets. And, as far as I know, IPSec interoperability is only guaranteed with pre-shared secrets.

Yes, certificates, a central CA, etc. would be the best, or even a proprietary mechanism to update VPN end-points. You can replace/upgrade your routers, but if you've got 3000 sites, that's gonna be a nightmare and fairly expensive.

If I had to guess, you're using Cisco routers, right? Does a more recent version of IOS have better shared-secret management?

Good luck to you!

Chris

--- "Carr, Jeff N." wrote:
> Why is there a need for a pre-shared text secret? You could use certificates
> with a central PKI and the problem you are worried about simply does not
> exist. Of course, one must maintain the PKI and the CRLs, but at least that
> is centrally managed, and a lot less work.
>
> Jeff
>
> -----Original Message-----
> From: guy.raymakers at EUROPE.EDS.COM
> [mailto:guy.raymakers at EUROPE.EDS.COM]
> Sent: Thursday, January 13, 2000 3:30 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: VPN management
>
>
> We are investigating the management effort of a site to site VPN network
> including about 3000 sites (connecting secure to one central point). Since the
> IPsec function is implemented on routers, there's a need to use the Pre-shared
> text secrets. We want to change that text-secret on a regular basis, the
> question is now : are there some "smart" techniques to do this ? I cannot
> imagine to do this all one by one manually.
>
> Thanks for your responses,
> Guy

From Kevin_Butters at NAI.COM Thu Jan 13 10:07:20 2000
From: Kevin_Butters at NAI.COM (Butters, Kevin)
Date: Thu, 13 Jan 2000 07:07:20 -0800
Subject: VPN management
Message-ID: <150C5D516A43D211A5EF00A0C99D758F030623CF@ca-exchange3.nai.com>

I concur with Jeff. Management of 3000 different sites with pre-shared secret passphrases is going to be quite a task. In addition to Jeff's comments about PKI, a PKI infrastructure is designed to be hierarchical. You can specify lifetimes for the certificates you issue to facilitate special user needs - i.e. temps. Additionally, from your central location you can segment your PKI environment to have a PKI infrastructure that is based on geographical locations or business units.

From an administrative point of view, PKI is a lot easier.

Cheers/
Kevin

-----Original Message-----
From: Carr, Jeff N. [mailto:jcarr at STATE.ND.US]
Sent: Thursday, January 13, 2000 5:48 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: VPN management

Why is there a need for a pre-shared text secret? You could use certificates with a central PKI and the problem you are worried about simply does not exist. Of course, one must maintain the PKI and the CRLs, but at least that is centrally managed, and a lot less work.

Jeff

-----Original Message-----
From: guy.raymakers at EUROPE.EDS.COM [mailto:guy.raymakers at EUROPE.EDS.COM]
Sent: Thursday, January 13, 2000 3:30 AM
To: VPN at SECURITYFOCUS.COM
Subject: VPN management

We are investigating the management effort of a site to site VPN network including about 3000 sites (connecting secure to one central point). Since the IPsec function is implemented on routers, there's a need to use the Pre-shared text secrets.
We want to change that text-secret on a regular basis, the question is now : are there some "smart" techniques to do this ? I cannot imagine to do this all one by one manually.

Thanks for your responses,
Guy

From guy.raymakers at EUROPE.EDS.COM Thu Jan 13 10:31:42 2000
From: guy.raymakers at EUROPE.EDS.COM (guy.raymakers at EUROPE.EDS.COM)
Date: Thu, 13 Jan 2000 16:31:42 +0100
Subject: VPN management
Message-ID: <41256865.0055C3F5.00@beanmg01.lneu.emea.eds.com>

The routers I've tested (Nortel, Cisco) only worked with pre-shared text secrets. Do you know routers that support certificates? The only one I know of is the Nokia router.

Guy

From jcarr at STATE.ND.US Thu Jan 13 10:55:39 2000
From: jcarr at STATE.ND.US (Carr, Jeff N.)
Date: Thu, 13 Jan 2000 09:55:39 -0600
Subject: VPN management
Message-ID: <537E0AFAA151D111A2C800805F150DE303E10E39@email.state.nd.us>

My understanding is that Cisco IOS 12's firewall feature set does support certificate based authentication. I could be wrong, though.

Jeff

-----Original Message-----
From: guy.raymakers at EUROPE.EDS.COM [mailto:guy.raymakers at EUROPE.EDS.COM]
Sent: Thursday, January 13, 2000 9:32 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: VPN management

The routers I've tested (Nortel , Cisco) only worked with pre-shared text secrets. Do you know routers that support certificates, the only one I know of is the Nokia router ?

Guy

From GSUSINI at ARINC.COM Thu Jan 13 10:58:28 2000
From: GSUSINI at ARINC.COM (Susini, George (GSUSINI))
Date: Thu, 13 Jan 2000 10:58:28 -0500
Subject: VPN management
Message-ID: <09328AED5429D311A3000008C7911B1001D38118@exanpmb1.arinc.com>

I know for a fact that Cisco works with Entrust and their VPN connector.
For more info:
http://www.cisco.com/warp/customer/cc/cisco/mkt/security/encryp/prodlit/821_pp.htm

George

-----Original Message-----
From: guy.raymakers at EUROPE.EDS.COM [mailto:guy.raymakers at EUROPE.EDS.COM]
Sent: Thursday, January 13, 2000 10:32 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: VPN management

The routers I've tested (Nortel , Cisco) only worked with pre-shared text secrets. Do you know routers that support certificates, the only one I know of is the Nokia router ?

Guy

From eric.jeffery at EDWARDS.AF.MIL Thu Jan 13 18:48:28 2000
From: eric.jeffery at EDWARDS.AF.MIL (Jeffery Eric Contr 95 CS/SCBA)
Date: Thu, 13 Jan 2000 15:48:28 -0800
Subject: IPX
Message-ID: <1342BEFC44BED31195100090276D3496399A8D@FSFSPM15>

How do you folks access IPX Netware Servers with a VPN Concentrator device?

We can set up a share on an NT Server to access a Netware Server and get the data that way; however, this will slow us down. Thoughts? Lessons learned?

Eric Jeffery, MCSE
Network Systems Analyst
TYBRIN Corp.
Edwards AFB, CA
661-277-1760

From Andrew.Fletcher at TAYWOOD.CO.UK Thu Jan 13 17:39:47 2000
From: Andrew.Fletcher at TAYWOOD.CO.UK (Andrew.Fletcher at TAYWOOD.CO.UK)
Date: Thu, 13 Jan 2000 22:39:47 +0000
Subject: Operating VPNs with Netware 5 and NDS
Message-ID:

We currently have point to point VPNs from London to Africa. The config is:

The VPNs originate and terminate on the Cisco routers configured with IPSEC. We employ NAT at both ends. The FW-1 provides NAT in London, the 1720 provides NAT on the African router.

Our problem is this. We will be rolling out a number of local and remote Netware 5 Servers that require NDS replication. Apparently NDS does not work with NAT. First of all, am I correct in stating Netware 5 does not work with NAT? Has anybody come across this before or have any ideas on solving this problem?
Regards
Andrew

Andrew Fletcher - Communications Analyst
IT Group
Taylor Woodrow Construction Limited
345 Ruislip Road, Southall, Middlesex, UK.
mailto:andrew.fletcher at taywood.co.uk

From Torx at TM.NET.MY Fri Jan 14 06:29:14 2000
From: Torx at TM.NET.MY (Saravana Ram)
Date: Fri, 14 Jan 2000 19:29:14 +0800
Subject: Operating VPNs with Netware 5 and NDS
References:
Message-ID: <000a01bf5e82$a7bffd80$0245a8c0@galena>

I don't know whether NDS has a problem with NAT, but have you considered not using NAT at all?

----- Original Message -----
From:
To:
Sent: Friday, January 14, 2000 6:39 AM
Subject: Operating VPNs with Netware 5 and NDS

We currently have a point to point VPN's from London to Africa. The config is:- The VPNs originate and terminate on the Cisco routers configured with IPSEC. We employ NAT at both ends.The FW-1 provides NAT in London, the 1720 provides NAT on the African Router.

Our problem is this. We will be rolling out a number of local and remote Netware 5 Servers that require NDS replication. Apparently NDS does not work with NAT. First of all am I correct in stating Netware 5 does not work with NAT. Has anybody come across this before or have any ideas on solving this problem.

Regards
Andrew

Andrew Fletcher - Communications Analyst
IT Group
Taylor Woodrow Construction Limited
345 Ruislip Road, Southall, Middlesex, UK.
mailto:andrew.fletcher at taywood.co.uk

From SHOPE at DATARANGE.CO.UK Fri Jan 14 04:00:08 2000
From: SHOPE at DATARANGE.CO.UK (Stephen Hope)
Date: Fri, 14 Jan 2000 09:00:08 -0000
Subject: IPX
Message-ID: <01903665B361D211BF6700805FAD5D935915B7@mail.datarange.co.uk>

Maybe I am missing something here,

but if you are running WAN links across a VPN and presumably routers, serial links and so on, why would going NT server -> Novell server on the LAN once you get to a main site hit performance?

I would expect some added delay for file open etc, but extra hops across a LAN should be negligible compared to VPN slowdowns.

Stephen

Stephen Hope C. Eng, Network Consultant, shope at datarange.co.uk,
Datarange Communications PLC, part of Energis, WWW: http://www.datarange.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4190 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Jeffery Eric Contr 95 CS/SCBA
> [mailto:eric.jeffery at EDWARDS.AF.MIL]
> Sent: Thursday, January 13, 2000 11:48 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: IPX
>
>
> How do you folks access IPX Netware Servers with VPN
> Concentrator device?
>
> We can set up a share between on an NT Server to access a
> Netware Server and
> get the data that way; however, this will slow us down.
> Thought? Lessons
> learned?
>
> Eric Jeffery, MCSE
> Network Systems Analyst
> TYBRIN Corp.
> Edwards AFB, CA
> 661-277-1760

From pieterg at ABSA.CO.ZA Fri Jan 14 04:29:08 2000
From: pieterg at ABSA.CO.ZA (Pieter Grobler)
Date: Fri, 14 Jan 2000 11:29:08 +0200
Subject: IPSec vs. Nat for VPN Problem
Message-ID: <387EEC61.532E1E68@absa.co.za>

Hi to all,

I have an interesting problem, which is that I cannot do NAT (network address translation) when I use IPSec to secure a VPN tunneled through L2TP.
The problem is simple to understand: NAT is actually a nice word for IP address spoofing, and IPSec, when it is used in tunnel mode, prevents IP address spoofing; that is why NAT does not work with IPSec (tunnel mode). But if I use IPSec transport mode it will solve the problem, but there is no RFC or white paper that implements IPSec in transport mode; there is no defined standard in IPSec that implements IPSec in transport mode. Is there a standard that can help, an IPSec forum? The use of IPSec is growing rapidly; why did no one else have this problem? I must do NAT and want to create VPNs over the Internet because of the cost benefit. Now it creates the following scenario:

1) One cannot create an end-to-end VPN solution between two large networks that use NAT.
2) This means that you must cut the IPSec tunnel into pieces at every NAT box, creating a lot of points of attack.

The ideal end-to-end security becomes impossible because of the lack of IPSec's NAT compatibility. Are there maybe new standards for IPSec that I do not know of (RFC)? If not, how can I overcome this?

Can anyone please help me or give me some advice.

Thanks
Pieter

From tbird at PRECISION-GUESSWORK.COM Fri Jan 14 07:39:16 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Fri, 14 Jan 2000 06:39:16 -0600
Subject: IPX
In-Reply-To: <01903665B361D211BF6700805FAD5D935915B7@mail.datarange.co.uk>
Message-ID:

My interpretation of Eric's question is that he's thinking of using the IP-to-IPX gateway to communicate between the NT and Netware servers. The performance of that system is okay if you're only hitting a couple of machines (well, "okay" is a pretty subjective measurement of performance, and your users may disagree), but if you have a lot of traffic to translate it's pretty inefficient.
Eric, I've worked with a few customers who've used routers to do the encapsulation of the IPX traffic -- if you check out http://kubarb.phsx.ukans.edu/~tbird/vpn/vpnfeatures.html and look for hardware-based systems that handle IPX, they ought to be able to do what you need.

>Some< day that vendor information is going to be searchable!

cheers -- Tina

On Fri, 14 Jan 2000, Stephen Hope wrote:

> Date: Fri, 14 Jan 2000 09:00:08 -0000
> From: Stephen Hope
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: IPX
>
> Maybe i am missing somthing here,
>
> but if you are running WAN links across a VPN and presumably routers, serial
> links and so on, why would going NT server -> Novell server on the LAN
> once you get to a main site hit performance?
>
> I would expect some added delay for file open etc, but extra hops across
> a LAN should be negligible compared to VPN slowdowns.
>
> Stephen
>
> Stephen Hope C. Eng, Network Consultant, shope at datarange.co.uk,
> Datarange Communications PLC, part of Energis, WWW:
> http://www.datarange.co.uk
> Carrington Business Park, Carrington, Manchester , UK. M31 4ZU
> Tel: +44 (0)161 776 4190 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776
> 4189
>
>
> > -----Original Message-----
> > From: Jeffery Eric Contr 95 CS/SCBA
> > [mailto:eric.jeffery at EDWARDS.AF.MIL]
> > Sent: Thursday, January 13, 2000 11:48 PM
> > To: VPN at SECURITYFOCUS.COM
> > Subject: IPX
> >
> >
> > How do you folks access IPX Netware Servers with VPN
> > Concentrator device?
> >
> > We can set up a share between on an NT Server to access a
> > Netware Server and
> > get the data that way; however, this will slow us down.
> > Thought? Lessons
> > learned?
> >
> > Eric Jeffery, MCSE
> > Network Systems Analyst
> > TYBRIN Corp.
> > Edwards AFB, CA
> > 661-277-1760
>

"Doubt is an uncomfortable situation, but certainty is an absurd one."
-- Voltaire

From Torx at TM.NET.MY Fri Jan 14 08:33:34 2000
From: Torx at TM.NET.MY (Saravana Ram)
Date: Fri, 14 Jan 2000 21:33:34 +0800
Subject: IPSec vs. Nat for VPN Problem
References: <387EEC61.532E1E68@absa.co.za>
Message-ID: <001001bf5e94$09c8f980$0245a8c0@galena>

> 1) One can not create an end-to-end VPN solution between two large
> networks
> that uses NAT.

Yes you can. You could terminate your IPSec tunnels at your firewall/NAT box. Or, you could place your IPSec router between your internal network and your WAN links, parallel to your firewall. The latter solution could pose a security headache, though, since you'd then have two entrances to your network that need to be secured and monitored.

From akirsman at BAGO.COM.AR Tue Jan 18 12:59:28 2000
From: akirsman at BAGO.COM.AR (Ariel Kirsman)
Date: Tue, 18 Jan 2000 14:59:28 -0300
Subject: About compatibility
Message-ID: <000201bf61dd$cd731040$543312ac@bago.com.ar>

My question is: I have on one side a PIX and, on the other side, a Firewall-1. Does someone know whether I can build a VPN between them? If so, what protocol should I have to use?

Thanks a lot. Help will be appreciated.

Ariel Kirsman
Buenos Aires
Argentina

From arsen at GNAC.COM Mon Jan 17 16:30:31 2000
From: arsen at GNAC.COM (Thomas J. Arseneault)
Date: Mon, 17 Jan 2000 13:30:31 -0800
Subject: Shiva LanRover VPN
Message-ID: <000801bf6132$14a65f50$9301a8c0@pretty-tom-1.gnac.com>

Software version 6.6. I'm trying to get the single user tunnel to work but it keeps complaining about "Can't assign Client IP". I have tried turning off the "Client IP" check box to no avail. I'm unclear about the use of the multiple tunnel config and am also wondering if that is what I should be doing instead of a single tunnel.
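[Editor's added example for the "IPSec vs. Nat for VPN Problem" thread above (Pieter's question and Ram's reply); it is not code from any list message or from any vendor. It shows in working Python why an AH-protected packet stops verifying after a NAT box rewrites its source address while surviving an ordinary router hop, why ESP's integrity check is indifferent to the outer header, and why the TCP checksum inside an ESP transport-mode packet still breaks under NAT. Everything here is constructed: the key, the addresses, the payload, and a simplified AH header with fixed demo values; only the Python standard library is used.]

```python
import hmac
import hashlib
import struct

# Constructed sample key: a demo value, not a real IPsec SA key.
AH_KEY = b"constructed-demo-key-not-a-real-secret"


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, as used by IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, ttl: int, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum (DF set, no options)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_immutable_view(hdr: bytes) -> bytes:
    """Zero the IPv4 fields AH treats as mutable (TOS, flags/fragment offset,
    TTL, header checksum). Source and destination addresses stay in: AH signs them."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, payload: bytes) -> bytes:
    """HMAC-SHA1-96 (RFC 2404) over immutable outer header + AH header (ICV zeroed) + payload.
    The AH header is simplified to fixed demo values (next header 4 = IP-in-IP, SPI 0x1000)."""
    ah_hdr = struct.pack("!BBHII", 4, 4, 0, 0x1000, 1) + b"\0" * 12
    mac = hmac.new(key, ah_immutable_view(ip_hdr) + ah_hdr + payload, hashlib.sha1).digest()
    return mac[:12]


def ah_verify(key: bytes, ip_hdr: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, ip_hdr, payload), icv)


def esp_icv(key: bytes, esp_packet: bytes) -> bytes:
    """ESP's ICV covers only the ESP header, encrypted payload and trailer,
    never the outer IP header, so rewriting outer addresses does not invalidate it."""
    return hmac.new(key, esp_packet, hashlib.sha1).digest()[:12]


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """The TCP checksum covers a pseudo-header with the IP addresses; a NAT box normally
    rewrites it, which it cannot do when the segment is encrypted inside ESP."""
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return ip_checksum(pseudo + segment)


def with_checksum(h: bytearray) -> bytes:
    h[10:12] = b"\0\0"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)


def router_hop(ip_hdr: bytes) -> bytes:
    """A normal router decrements TTL and fixes the header checksum."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    return with_checksum(h)


def nat_source(ip_hdr: bytes, new_src: str) -> bytes:
    """A NAT box rewrites the source address and fixes the header checksum."""
    h = bytearray(ip_hdr)
    h[12:16] = ip_bytes(new_src)
    return with_checksum(h)


def demo() -> dict:
    """Walk one constructed packet through a router hop and through NAT."""
    inner = b"constructed inner IP packet"            # tunnel-mode payload
    src, dst, nat_src = "10.1.1.5", "203.0.113.9", "198.51.100.7"
    hdr = ipv4_header(src, dst, 64, 51, 20 + 24 + len(inner))   # protocol 51 = AH
    icv = ah_icv(AH_KEY, hdr, inner)

    tcp_seg = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, 0x5010, 8192, 0, 0) + b"hello"
    c0 = tcp_checksum(src, dst, tcp_seg)
    esp_pkt = struct.pack("!II", 0x2000, 1) + b"ciphertext-of-" + tcp_seg  # SPI, seq, "encrypted" body
    esp_mac = esp_icv(AH_KEY, esp_pkt)

    return {
        "original": ah_verify(AH_KEY, hdr, inner, icv),
        "after_router_hop": ah_verify(AH_KEY, router_hop(hdr), inner, icv),
        "after_nat": ah_verify(AH_KEY, nat_source(hdr, nat_src), inner, icv),
        "esp_after_nat": hmac.compare_digest(esp_icv(AH_KEY, esp_pkt), esp_mac),
        "inner_tcp_checksum_after_nat": tcp_checksum(nat_src, dst, tcp_seg) == c0,
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the AH packet verifying before and after the TTL decrement but failing after the source rewrite, the ESP ICV unaffected by the outer header, and the inner TCP checksum no longer matching the translated address. The last point is what the later NAT traversal work addressed by encapsulating ESP in UDP; that is outside what this thread covers and is not modelled here.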
The initial tests are being done with a single user but the active config will have multiple users from multiple sites. We plan on using Certs once we get up and running but the tests will be done with shared secrets.

Also how does one deal with DHCP addresses at the far end?

I'm sure I left out something important so if you all need more information please feel free to ask for it. P.S. I have never gotten one of these to work so I don't know what a working one looks like, so sanitized configs would come in handy. Thanks.

**********************************************
Tom Arseneault
System Admin.
Gnac Inc.
arsen at gnac.com
**********************************************

From csoto at NOVARED.CL Tue Jan 18 09:56:43 2000
From: csoto at NOVARED.CL (Cristobal Soto)
Date: Tue, 18 Jan 2000 10:56:43 -0400
Subject: Help with a testing tool
Message-ID: <38847F2B.5D6CED10@novared.cl>

Dear vpn list co-subscribers

I've been desperately searching for ttcp for Windows 95/NT now for days to make some tests in our VPN environment. Would some kind soul point me to it? I have the Unix version and that's exactly what I need, now on Windows, ttcp.exe.

Thanks and sorry for the request. I know it's not the right place to ask for a tool..

Cristobal Soto

From SHOPE at DATARANGE.CO.UK Wed Jan 19 04:04:16 2000
From: SHOPE at DATARANGE.CO.UK (Stephen Hope)
Date: Wed, 19 Jan 2000 09:04:16 -0000
Subject: Shiva LanRover VPN
Message-ID: <01903665B361D211BF6700805FAD5D935915DC@mail.datarange.co.uk>

Thomas,

I don't have any practical experience with LANrover, so I can't help you directly.

Maybe I am being dense here, but what do you get out of a test that does not cover what you plan to do with the kit in anger? Tests get much more useful as they get more realistic. You also remove a lot of the unpleasant surprises from later deployment.
I would say given the issues that get discussed here, you should try to make the tests more realistic - not up to the scale you need for production, but at least enough clients to check all the "it only works for 1" type problems.

Stephen

Stephen Hope C. Eng, Network Consultant, shope at datarange.co.uk,
Datarange Communications PLC, part of Energis, WWW: http://www.datarange.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4190 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Thomas J. Arseneault [mailto:arsen at GNAC.COM]
> Sent: Monday, January 17, 2000 9:31 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Shiva LanRover VPN
>
>
> Software version 6.6. I'm trying to get the single user
> tunnel to work but
> it keeps complaining about "Can't assign Client IP". I have
> tried turning
> off the "Client IP" check box to no avail. I'm unclear about
> the use of the
> multiple tunnel config and am also wondering if that is what
> I should be
> doing instead of a single tunnel. The initial tests are being
> done with a
> single user but the active config will have multiple users
> from multiple
> sites. We plan on using Certs once we get up and running but
> the tests will
> be done with shared secret's.
>
> Also how does one deal with DHCP address at the far end?
>
> I'm sure I left out something important so if you all need
> more information
> please feel free to ask for it. P.S. I have never gotten one
> of these to
> work so I don't know what a working one looks like so
> sanitized configs
> would come in handy. Thanks.
>
>
> **********************************************
> Tom Arseneault
> System Admin.
> Gnac Inc.
> arsen at gnac.com
> **********************************************

From frank at COMPUTICA.COM Tue Jan 18 22:12:06 2000
From: frank at COMPUTICA.COM (Frank R. Boecherer)
Date: Tue, 18 Jan 2000 19:12:06 -0800
Subject: Flowpoint and PPTP/VPN
Message-ID: <001001bf622a$f7e52000$45102918@earthlink.net>

If you have (or not) experience with Flowpoint routers, maybe you can offer some tips...

We are trying to set up remote access to our NT with one end of the connection being a remote computer connected to the Internet via cable modem and using Microsoft's PPTP VPN, and the other end being the main office server with cable modem and a Flowpoint ethernet to ethernet router.

Everything seems to be going OK after clicking the VPN dialup icon, but after the box that says "Verifying user name and password" comes up, the connection times out and we get an "Error 650: The computer you're dialing in to does not respond to a network request. Check your server type setting in the properties of the connection. If this problem persists, check with your network administrator."

We have filtering turned off, I believe, on the server, but I read somewhere that we may need to turn on GRE protocol 47 in the router to allow the passing of certain packets or header data. Can anyone explain what GRE is and maybe how to enable it on the Flowpoint and if that is the problem we might be experiencing?

Thanks
Frank

From rmacdonald at GFS.COM Wed Jan 19 09:36:31 2000
From: rmacdonald at GFS.COM (Robert MacDonald)
Date: Wed, 19 Jan 2000 09:36:31 -0500
Subject: Help with a testing tool
Message-ID:

http://ftp.sunet.se/pub/network/monitoring/ttcp/

Robert P. MacDonald, Network & Security Engineer
G o r d o n F o o d S e r v i c e
Voice: +1.616.261.7987
email: rmacdonald at gfs.com

>>> Cristobal Soto 01/18/00 09:56AM >>>
Dear vpn list co-subscribers

I've been desperately searching ttcp for windows 95/nt now for days to make some tests in our vpn environment. Would some kind soul point me to it?
I have the unix version and thats exactly what I need, now on windows, ttcp.exe.

Thanks and sorry for the request. I know its not the right place to ask for a tool..

Cristobal Soto

From patrick at SECUREOPS.COM Wed Jan 19 12:59:48 2000
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Wed, 19 Jan 2000 12:59:48 -0500
Subject: Using certificates with isakmpd?
Message-ID:

Hi guys,

I've been looking at your attempts on the list to sort out the x509 certificate stuff with OBSD and IKE. As far as I can tell, it seems that the source code has to be synchronized with the --current libraries. Until that happens, it is no longer just a simple configuration or certificate generation issue but a programming issue as well. I haven't attempted to do the certificate stuff yet but I hope one of you people will give us access to your findings when it is done.

On the subject of creating policy files, I found this little trick that I use to verify if it is my config or my policy that is stopping things from working.

Use netstat -p esp
or netstat -p tcp

It'll give you some fun little facts about the incoming and outgoing packets such as how many packets were dropped because of no matching policy.

Another note. I got into contact with NAI about their PGP VPN client. It seems that the latest release was actually tested with OpenBSD ISAKMP and is supposed to be able to establish Host to LAN communications properly. The version is 6.5.3.
Regards,

Patrick Ethier
patrick at secureops.com

From jsdy at COSPO.OSIS.GOV Wed Jan 19 15:48:14 2000
From: jsdy at COSPO.OSIS.GOV (Joseph S D Yao)
Date: Wed, 19 Jan 2000 15:48:14 -0500
Subject: Cisco Router and IP Protocols for IPsec
In-Reply-To: <15B7999C4F94D211AAE90000F81A45E70120479F@emss20m02.ems.lmco.com>; from ken.c.chen@lmco.com on Mon, Jan 10, 2000 at 04:54:56PM -0500
References: <15B7999C4F94D211AAE90000F81A45E70120479F@emss20m02.ems.lmco.com>
Message-ID: <20000119154814.H4133@washington.cospo.osis.gov>

On Mon, Jan 10, 2000 at 04:54:56PM -0500, Chen, Ken C wrote:
> Thanks for everyone's reply to this subject!
>
> One last question, do I need TCP open for IPsec to function properly? I
> know there is an implicit deny all at the end of the list, but just thought
> I'd throw in a line just to be safe... and for clarification.

ISTM that you've already been told that IPsec uses network protocols 50 and 51, and port 500 on UDP, which is network protocol 17. It doesn't use TCP, network protocol 6, AFAIK.

In fact, the above was more than I'd thought; but I hadn't followed IPsec as closely as I would have liked.

--
Joe Yao                         jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                       EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

From jonc at HAHT.COM Thu Jan 20 07:44:31 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Thu, 20 Jan 2000 07:44:31 -0500
Subject: Flowpoint and PPTP/VPN
References: <001001bf622a$f7e52000$45102918@earthlink.net>
Message-ID: <004201bf6344$2ac4f4e0$6803010a@dhcp.haht.com>

Microsoft's PPTP uses two ports - I believe they are 1027 and 47. The initial connection is made on port 1027, and then data is passed on port 47. It's been a long time since I read the specs, but they are up in Microsoft's Knowledge base.
If your router (the Flowpoint box) is using masquerading then you will have problems using MS PPTP. Most masquerading firewall/routers now have patches to allow PPTP to pass through them. We use a Linux box as our firewall/router and we had to apply a patch to our kernel so that the GRE packets (port 47) would be redirected to the proper box inside our firewall.

Also, some ISPs do not pass GRE packets. You may want to confirm with them that they will allow PPTP to travel into and across their net.

Also, check in with MS's knowledge base. They have a lot of info logged up there on getting your PPTP to work.

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: Frank R. Boecherer
To: VPN at SECURITYFOCUS.COM
Sent: Tuesday, January 18, 2000 10:12 PM
Subject: Flowpoint and PPTP/VPN

If you have (or not) experience with Flowpoint routers, maybe you can offer some tips...

We are trying to setup remote access to our NT with one end of the connection being a remote computer connected to the Internet via cable modem and using Microsoft's PPTP VPN and the other end being the main office server with cable modem and a Flowpoint ethernet to ethernet router.

Everything seems to be going OK after clickin the VPN dialup icon, but after the box that says "Verifying user name and password" comes up, the connection times out and we get an "Error 650: The computer you're dialing in to does not respond to a network request. Check your server type setting in the properties of the connection. If this problem persists, check with your network administrator."

We have filtering turned off, I believe, on the server, but I read somewhere that we may need to turn on GRE protocol 47 in the router to allow the passing of certain packets or header data. Can anyone explain what GRE is and maybe how to enable it on the Flowpoint and if that is the problem we might be experiencing?

Thanks
Frank
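[Editor's added example for the "Flowpoint and PPTP/VPN" thread above (Frank's Error 650 and Jon's reply); it is not code from any list message, from Microsoft, or from Flowpoint. A PPTP session has two halves that a firewall must treat separately: the control connection on TCP port 1723 and the PPP data carried in "enhanced GRE", which is IP protocol 47 rather than a port. The block parses the RFC 2637 enhanced-GRE header (flags, protocol type 0x880B, payload length, call ID, optional sequence and acknowledgement numbers), then checks a constructed rule set against constructed sample traffic and reports which half is blocked and the symptom that gap produces. The rule-set format, the `Packet` record, and the sample packets are assumptions made for this example; only the Python standard library is used.]

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

IPPROTO_TCP = 6
IPPROTO_GRE = 47             # GRE is an IP protocol number, not a TCP/UDP port
PPTP_CONTROL_PORT = 1723     # PPTP control connection runs over TCP
GRE_PROTO_PPP = 0x880B       # enhanced-GRE protocol type carrying PPP (RFC 2637)


class GreHeader(NamedTuple):
    version: int
    protocol: int
    payload_len: int
    call_id: int
    seq: Optional[int]
    ack: Optional[int]


def parse_enhanced_gre(data: bytes) -> GreHeader:
    """Parse the RFC 2637 enhanced-GRE header used by PPTP data packets."""
    if len(data) < 8:
        raise ValueError("short GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", data[:8])
    version = flags & 0x0007
    has_key = bool(flags & 0x2000)   # K bit: key field (payload length + call ID) present
    has_seq = bool(flags & 0x1000)   # S bit: sequence number present
    has_ack = bool(flags & 0x0080)   # A bit: acknowledgement number present
    if version != 1 or proto != GRE_PROTO_PPP or not has_key:
        raise ValueError("not a PPTP enhanced-GRE packet")
    off, seq, ack = 8, None, None
    if has_seq:
        seq = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if has_ack:
        ack = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if len(data) - off != payload_len:
        raise ValueError("payload length field does not match packet")
    return GreHeader(version, proto, payload_len, call_id, seq, ack)


def build_enhanced_gre(call_id: int, payload: bytes, seq: Optional[int] = None,
                       ack: Optional[int] = None) -> bytes:
    """Inverse of parse_enhanced_gre; used here only to construct sample packets."""
    flags = 0x2000 | 0x0001            # K=1, version 1
    if seq is not None:
        flags |= 0x1000                # S bit
    if ack is not None:
        flags |= 0x0080                # A bit
    out = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        out += struct.pack("!I", seq)
    if ack is not None:
        out += struct.pack("!I", ack)
    return out + payload


class Packet(NamedTuple):
    proto: int
    dport: Optional[int]   # None for protocols without ports, such as GRE
    payload: bytes


Rule = Tuple[int, Optional[int]]   # (IP protocol, destination port, or None for any)


def classify(pkt: Packet) -> str:
    if pkt.proto == IPPROTO_TCP and pkt.dport == PPTP_CONTROL_PORT:
        return "pptp-control"
    if pkt.proto == IPPRO_GRE if False else pkt.proto == IPPROTO_GRE:
        try:
            parse_enhanced_gre(pkt.payload)
            return "pptp-data"
        except ValueError:
            return "gre-other"
    return "other"


def policy_allows(rules: List[Rule], pkt: Packet) -> bool:
    return any(proto == pkt.proto and (port is None or port == pkt.dport) for proto, port in rules)


def diagnose(rules: List[Rule], packets: List[Packet]) -> str:
    """Say whether a rule set lets a PPTP session through, and what symptom a gap produces."""
    allowed = {}
    for pkt in packets:
        kind = classify(pkt)
        if kind in ("pptp-control", "pptp-data"):
            allowed[kind] = allowed.get(kind, True) and policy_allows(rules, pkt)
    control, data = allowed.get("pptp-control", False), allowed.get("pptp-data", False)
    if control and data:
        return "ok: TCP/1723 and GRE (protocol 47) both pass"
    if control:
        return "control-only: TCP/1723 passes but GRE is dropped, so PPP inside GRE never completes"
    return "control blocked: TCP/1723 is dropped, the client cannot even start the session"


# Constructed sample traffic: one control-channel segment and one PPP LCP frame inside GRE.
SAMPLE_PACKETS = [
    Packet(IPPROTO_TCP, PPTP_CONTROL_PORT, b"\x00\x9c\x00\x01\x1a\x2b\x3c\x4d"),
    Packet(IPPROTO_GRE, None, build_enhanced_gre(7, b"\xff\x03\xc0\x21", seq=1)),
]
TCP_ONLY_RULES: List[Rule] = [(IPPROTO_TCP, PPTP_CONTROL_PORT)]
FULL_RULES: List[Rule] = [(IPPROTO_TCP, PPTP_CONTROL_PORT), (IPPROTO_GRE, None)]
```

With `TCP_ONLY_RULES` the diagnosis is "control-only": the client gets as far as the PPP authentication exchange, which travels inside GRE, and then stalls, which matches the "Verifying user name and password" timeout in the thread. Because GRE has no port numbers, a masquerading router also needs the call ID from the key field to tell sessions apart, which is the helper Jon describes patching into his Linux kernel.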
From angelos at DSL.CIS.UPENN.EDU Wed Jan 19 14:39:29 2000
From: angelos at DSL.CIS.UPENN.EDU (Angelos D. Keromytis)
Date: Wed, 19 Jan 2000 14:39:29 -0500
Subject: Using certificates with isakmpd?
In-Reply-To: Your message of "Wed, 19 Jan 2000 12:59:48 EST."
Message-ID: <200001191939.OAA01638@adk.gr>

In message , Patrick Ethier writes:
>Use netstat -p esp
>or netstat -p tcp
>
>It'll give you some fun little facts about the incoming and outgoing packets
>such as how many packets were dropped because of no matching policy.

That statistic refers to IPsec packets dropped because they do not match what isakmpd has negotiated. It has nothing to do with isakmpd.policy.

-Angelos

From jonc at HAHT.COM Thu Jan 20 08:07:44 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Thu, 20 Jan 2000 08:07:44 -0500
Subject: Shiva LanRover VPN
References: <000801bf6132$14a65f50$9301a8c0@pretty-tom-1.gnac.com>
Message-ID: <005501bf6347$69646c00$6803010a@dhcp.haht.com>

Just a guess, but I would say you need multiple tunnels if you are going to have multiple endpoints.

For most Tunnels to work, you have to have an ip address on one end, and another on the other end (same network). If your Lan Rover is routing the Tunnels then the addresses for this virtual network are different from your local LAN addresses. You need to program your router to send all packets for the virtual network to your Lan Rover. Your Lan Rover will have two addresses: one that is on your local LAN, and another that is used for Virtual Connections (the end-point of the Tunnels).

If the Lan Rover is bridging the Tunnels, then all the addresses must be valid for your local LAN. In this case, I believe the device puts itself into promiscuous mode and intercepts all packets for attached clients.

In both cases, the Lan Rover needs to have a pool of addresses to hand out to clients, as they attach to it.
If the device is bridging the Tunnels, then you can just use a local DHCP server on your network. If the device is routing, then you will have to set it up with a virtual LAN, like 192.168.1.0/255.255.255.0. In this case, the Lan Rover would have its local LAN address and the address 192.168.1.1. You would enable it to hand out addresses, and then specify that it can hand out the range: 192.168.1.2 thru 192.168.1.254.

I imagine that the Lan Rover works with other protocols and not just TCP/IP. Most likely it also works with IPX (Novell protocol). That being the case, it is possible that you may be using strictly IPX on your LAN and not be using TCP/IP at all. This is the only case that I can see in which you would want to "turn off the Client IP check box".

Hope that helps,

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "Thomas J. Arseneault"
To:
Sent: Monday, January 17, 2000 4:30 PM
Subject: Shiva LanRover VPN

> Software version 6.6. I'm trying to get the single user tunnel to work but
> it keeps complaining about "Can't assign Client IP". I have tried turning
> off the "Client IP" check box to no avail. I'm unclear about the use of the
> multiple tunnel config and am also wondering if that is what I should be
> doing instead of a single tunnel. The initial tests are being done with a
> single user but the active config will have multiple users from multiple
> sites. We plan on using Certs once we get up and running but the tests will
> be done with shared secrets.
>
> Also how does one deal with DHCP address at the far end?
>
> I'm sure I left out something important so if you all need more information
> please feel free to ask for it. P.S. I have never gotten one of these to
> work so I don't know what a working one looks like so sanitized configs
> would come in handy. Thanks.
>
>
> **********************************************
> Tom Arseneault
> System Admin.
> Gnac Inc.
> arsen at gnac.com
> **********************************************

From darren.kruse at EDS.COM Wed Jan 19 18:15:45 2000
From: darren.kruse at EDS.COM (Kruse, Darren)
Date: Thu, 20 Jan 2000 09:45:45 +1030
Subject: Shiva LanRover VPN
Message-ID:

Thomas,

I have over 12 months experience with the Shiva Lanrover VPN. We are using it at several of our customer sites and are really happy with it.

First, you need to be using version 6.7 of the s/w. The client code is 6.7 patch 2 and the latest gateway code is 6.7 patch 3. The GUI manager is also 6.7 p3. Get this code from your Shiva rep before going any further. We only use multiple remote user tunnels and I have also seen the same problems when using the older code. If it is a W95 client, it MUST have the WINSOCK 2 patch.

Regarding the DHCP pool, we don't use true Microsoft DHCP, but instead allocate a secondary IP address to the inside trusted interface on the vpn gateway. For example, if the g/w is 123.123.123.2, the nearest inside router is 123.123.123.1, which leaves us with a pool from .3 up to .254 for client IPs (assuming a /24).

I have not used certs, but have instead used Shiva access manager (RADIUS). We also have Secur-ID working well at another location. Both work extremely well. You can get a 45 day eval of SAM 5.0 from the Shiva web site. One of my colleagues in the US also had the Lanrover working with Cisco Secure (another RADIUS implementation).

I've attached a sanitized version of a g/w config. Just replace "inside" and "outside" with the subnets you are using. Note the "another-inside-subnet" for the secondary for the client IPs. The client IPs don't have to be routable on the internet, just on the trusted network - so you can use 10. or any addressing for client IPs that you like.

Hope this helps,

regards,

Darren Kruse
Advanced Communications Engineer
EDS (Australia)
tel: + 61 8 8301 5322 <<-- !! **Note new phone number** !!
PGP Fingerprint (valid to 31/12/2000) 6CD809275B6777820D61888AF84DEF004AF40E9F
mailto://darren.kruse at eds.com

> -----Original Message-----
> From: Thomas J. Arseneault [mailto:arsen at GNAC.COM]
> Sent: Tuesday, January 18, 2000 8:01 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: Shiva LanRover VPN
>
>
> Software version 6.6. I'm trying to get the single user tunnel to work but
> it keeps complaining about "Can't assign Client IP". I have tried turning
> off the "Client IP" check box to no avail. I'm unclear about the use of the
> multiple tunnel config and am also wondering if that is what I should be
> doing instead of a single tunnel. The initial tests are being done with a
> single user but the active config will have multiple users from multiple
> sites. We plan on using Certs once we get up and running but the tests will
> be done with shared secrets.
>
> Also how does one deal with DHCP address at the far end?
>
> I'm sure I left out something important so if you all need more information
> please feel free to ask for it. P.S. I have never gotten one of these to
> work so I don't know what a working one looks like so sanitized configs
> would come in handy. Thanks.
>
>
> **********************************************
> Tom Arseneault
> System Admin.
> Gnac Inc.
> arsen at gnac.com
> **********************************************

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sanitized adlvpn01 january 13th 2000.cfg
Type: application/octet-stream
Size: 3737 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20000120/6d7ecc55/attachment.obj

From carlsonmail at YAHOO.COM Thu Jan 20 11:35:46 2000
From: carlsonmail at YAHOO.COM (Chris Carlson)
Date: Thu, 20 Jan 2000 08:35:46 -0800
Subject: Nortel Contivity Extranet Vulnerability!
Message-ID: <20000120163546.29309.qmail@web123.yahoomail.com>

All,

I read this morning a new vulnerability for the Contivity extranet switches. This vulnerability gives anyone the ability to crash the Contivity from a web browser.

I tested the file list successfully. Scary! Typical cgi-bin exploits, though.

While I don't believe that this vulnerability leads to an exploit of the authentication, encryption, or IPSec modules, it's something to consider.

In the mean time, you can disable unencrypted WEB management sessions to the switch. That makes the web server unavailable to anyone NOT coming in encrypted. To manage it, you would tunnel to the inside interface of the switch. (Of course, if you did this, then you couldn't manage any Contivities remotely if you tunnel in, since you can't set up two IPSec tunnels on a PC, one to get into the network and one for the web server.)

As of yet there is no fix from Nortel, although 2 calls have been logged by Securityfocus.

Nortel has opened cases for each of these vulnerabilities:

CR# 118890 - DoS

CR# 118887 - cgiproc 'bug'

A fix is planned for the next release of VxWorks.

There are 2 exploits: one that will cause a crash and one that will allow you to view system files.

http://x.x.x.x/manage/cgi/cgiproc?$

[crash]

No evidence of this problem being exploited is saved in the logs.

The second exploit allows any user to view system files from their web browser.

http://x.x.x.x/manage/cgi/cgiproc?Nocfile=/name/and/path/of/file.

(interesting places to look: /system/filelist.dat, /system/version.dat, /system/keys, /system/core, etc.)

All that is written to the logs when this is exploited is below:

09:44:23 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login

You can read more at http://www.securityfocus.com/bid/938

Chris
--
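Chris's post above gives two request shapes against /manage/cgi/cgiproc and the single event-log line the file-read request leaves on the switch, and notes that the crash request leaves nothing at all. That is enough to build detection around, which is the practical follow-up to "disable unencrypted web management" while a fix is pending. The following is an added example, not code from the thread, from Nortel or from the SecurityFocus advisory: it classifies request URLs against the two patterns (including the percent-encoded form of the `$` query), scans access-log lines as a proxy or sniffer in front of the switch would record them, and counts the switch's own "Request for cgiproc denied" events per minute so that a run of them stands out. All log lines below are constructed for the demonstration, not captured from a real device; the status codes and addresses in them are placeholders.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

CGIPROC_PATH = "/manage/cgi/cgiproc"

# The Contivity event-log line quoted in the advisory (the only trace the file read leaves).
DENIED_RE = re.compile(
    r"^(?P<hh>\d{2}):(?P<mm>\d{2}):\d{2} tEvtLgMgr \d+ : Security \[\d+\] Management: "
    r"Request for cgiproc denied\. requires login$"
)

# Common-log-format request lines, as a proxy or sniffer in front of the box would write them.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<url>\S+) HTTP/[\d.]+"')


def classify_request(url):
    """Map a request URL onto the two cgiproc patterns named in the advisory.

    Returns (label, detail): label is 'cgiproc-crash', 'cgiproc-fileread',
    'cgiproc-other' or 'not-cgiproc'; detail is the requested file for a file read.
    """
    parts = urlsplit(url)
    if parts.path != CGIPROC_PATH:
        return "not-cgiproc", None
    query = unquote(parts.query)          # catches %24 as well as a literal $
    if query.strip() == "$":
        return "cgiproc-crash", None
    params = parse_qs(query, keep_blank_values=True)
    for name, values in params.items():
        if name.lower() == "nocfile":     # match regardless of the case the client used
            return "cgiproc-fileread", values[0]
    return "cgiproc-other", None


def scan_access_log(lines):
    """Return (ip, label, detail) for every request line that touches cgiproc."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        label, detail = classify_request(m.group("url"))
        if label.startswith("cgiproc-"):
            hits.append((m.group("ip"), label, detail))
    return hits


def denied_bursts(event_lines, threshold=3):
    """Count 'Request for cgiproc denied' events per minute in the switch's own log.

    The switch does not record the source, so the only usable signal is a run of
    these lines close together: someone walking the file list one request at a time.
    """
    per_minute = Counter()
    for line in event_lines:
        m = DENIED_RE.match(line.strip())
        if m:
            per_minute[f"{m.group('hh')}:{m.group('mm')}"] += 1
    return {minute: n for minute, n in per_minute.items() if n >= threshold}


# Constructed sample data (not real captures): one host walking the file list,
# one host sending the crash request, one ordinary management request.
SAMPLE_ACCESS_LOG = [
    '10.1.2.3 - - [20/Jan/2000:09:44:21 -0500] "GET /manage/cgi/cgiproc?Nocfile=/system/filelist.dat HTTP/1.0" 200 512',
    '10.1.2.3 - - [20/Jan/2000:09:44:23 -0500] "GET /manage/cgi/cgiproc?Nocfile=/system/version.dat HTTP/1.0" 200 64',
    '10.1.2.3 - - [20/Jan/2000:09:44:25 -0500] "GET /manage/cgi/cgiproc?Nocfile=/system/keys HTTP/1.0" 200 1024',
    '10.1.2.9 - - [20/Jan/2000:09:50:02 -0500] "GET /manage/cgi/cgiproc?%24 HTTP/1.0" 500 0',
    '10.1.2.7 - - [20/Jan/2000:09:51:00 -0500] "GET /manage/ HTTP/1.0" 200 2048',
]

SAMPLE_EVENT_LOG = [
    "09:44:21 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login",
    "09:44:23 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login",
    "09:44:25 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login",
    "10:02:10 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("access log:", hit)
    print("denial bursts:", denied_bursts(SAMPLE_EVENT_LOG))
```

Because the crash request is not logged by the switch at all, only the external vantage point (the access-log scan) can attribute it to a source; the event-log burst check is a fallback for sites with nothing in front of the box.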
From mlsa at IM.SE Thu Jan 20 01:36:03 2000
From: mlsa at IM.SE (Standen Malcolm - mlsa)
Date: Thu, 20 Jan 2000 07:36:03 +0100
Subject: UUsecure VPN
Message-ID:

Fellow members,

Does anybody have any experience with UUNET's UUsecure VPN solution using the Xedia Access Point hardware? Is any company using this solution for their corporate VPN solution, for site to site connectivity? If so, what problems or situations have you encountered?

Regards
Malcolm

IMI Industri-Matematik International http://www.im.se
Malcolm Standen Email: mailto:mlsa at im.se
SSA/NSO Phone: +46 8 676 50 00
Stadsgården 10 Phone direct: +46 8 676 56 96
Box 15044 Fax: +46 8 676 56 00
SE - 104 65 Stockholm Mobilephone +46 708 593 987

From elfering at TCONL.COM Thu Jan 20 07:12:52 2000
From: elfering at TCONL.COM (Dave Elfering)
Date: Thu, 20 Jan 2000 06:12:52 -0600
Subject: Stronger PPTP?
Message-ID: <3886FBC4.E043E4EF@tconl.com>

Has Microsoft increased the strength of PPTP's crypto? A network engineer friend of mine asked if the encryption has been raised to 128 bits, and I had no answer as I've never seriously considered PPTP.

Has this beast been strengthened in the process that used a user-supplied password at the client to derive the MD4 hash?

I gather MS raised the encryption level that will ship with Windows 2000 to 128 bits, so does this mean PPTP gets bumped a notch too? I'd thought it was going away in favor of IPSec.

Regards,

Dave Elfering

From Jose.Muniz at US.DATAFELLOWS.COM Wed Jan 19 22:21:24 2000
From: Jose.Muniz at US.DATAFELLOWS.COM (Muniz, Jose)
Date: Wed, 19 Jan 2000 19:21:24 -0800
Subject: About compatibility
Message-ID:

Hello Ariel:

Yes that is totally possible, both of them support the IPSec Standards, based on the draft.
The protocol to use, because this will be a gateway to gateway setup: you will be better off with esp-tunnel main mode. For ciphers you should use 3des and md5 or sha-1. I am quite positive that both of them also support preshared secret or rsa signed certificates :]

Yours,

Jose.
________________________________________
Jose Muniz. -Jose.Muniz at F-Secure.com
Systems Engineer. F-Secure, Inc.
Phone 408.350.2193 Cell 408.569.9306
675 N. First Street, 5th Floor San Jose, Ca. 95112
http://www.F-Secure.com
________________________________________

-----Original Message-----
From: Ariel Kirsman [mailto:akirsman at BAGO.COM.AR]
Sent: Tuesday, January 18, 2000 9:59 AM
To: VPN at SECURITYFOCUS.COM
Subject: About compatibility

My question is: I have on one side a PIX and, on the other side, a Firewall-1. Does someone know whether I can build a VPN between them? If so, what protocol should I have to use? Thanks a lot. Help will be appreciated.

Ariel Kirsman
Buenos Aires
Argentina

From rng at NETSCREEN.COM Thu Jan 20 13:38:33 2000
From: rng at NETSCREEN.COM (Ronald Ng)
Date: Thu, 20 Jan 2000 10:38:33 -0800
Subject: Flowpoint and PPTP/VPN
References: <001001bf622a$f7e52000$45102918@earthlink.net> <004201bf6344$2ac4f4e0$6803010a@dhcp.haht.com>
Message-ID: <38875629.73E35E97@netscreen.com>

I'm not sure about 1047, but I believe you mean protocol 47

--
Ronald Ng
rng at netscreen.com

From smorison at TEXT100.COM.AU Tue Jan 18 20:04:35 2000
From: smorison at TEXT100.COM.AU (Stephen Morison)
Date: Wed, 19 Jan 2000 12:04:35 +1100
Subject: Cisco 800 VPN
Message-ID: <218BFCE943B0D31180FB00A0C9E9337113E6@TXTAS1>

Hi,

I'm having troubles getting a Cisco 800 router to open up a port to accept VPN access. Below is a diagram of what I'm trying to achieve:

Client (win9x / win2k) --> Internet --> CISCO 800 --> NT Server (VPN Server)

Please advise what would be the best way to achieve this.

Stephen

VPN is sponsored by
SecurityFocus.COM

From Ryan.Russell at SYBASE.COM Thu Jan 20 13:48:07 2000
From: Ryan.Russell at SYBASE.COM (Ryan Russell)
Date: Thu, 20 Jan 2000 10:48:07 -0800
Subject: Stronger PPTP?
Message-ID: <8825686C.006751D0.00@gwwest.sybase.com>

>Has Microsoft increased the strength of PPTP's crypto? A network
>engineer friend of mine asked if the encryption has been raised to 128
>bits, and I had no answer as I've never seriously considered PPTP.
>
>Has this beast been strengthened the process that used a user-supplied
>password at the client to derive the MD4 hash?

Present pre-W2K implementation still derives the crypto strength from the user password. So no, you're not getting a good 128 bits worth. MS fixed some protocol issues, like using the same key in 2 directions, etc...

>I gather MS raised the encryption level that will ship with Windows 2000
>to 128 bits, so does this mean PPTP gets bumped a notch too? I'd thought
>it was going away in favor of IPSec.

They've made some significant enhancements in W2K, including adding L2TP and IPSec, I believe. I haven't read any analysis of those implementations along the lines of the ones done for PPTP yet. One has to assume (and I think we just had a thread on this) that the IPSec implementation can do manually shared secrets, so if you're any good at managing passwords, you can get your full strength.

Ryan

From jneedle at NORTELNETWORKS.COM Thu Jan 20 13:36:52 2000
From: jneedle at NORTELNETWORKS.COM (Jeffrey Needle)
Date: Thu, 20 Jan 2000 13:36:52 -0500
Subject: Nortel Contivity Extranet Vulnerability!
In-Reply-To: <20000120163546.29309.qmail@web123.yahoomail.com>
Message-ID: <4.2.2.20000120132747.05d8ea30@zbl6c000.corpeast.baynetworks.com>

There have been a couple of paragraphs added to the "exploit" page at www.securityfocus.com. Check them over.

Chris, I've got to clarify something you said that is incorrect and a very dangerous statement.
When you say "gives anyone the ability to crash the Contivity", that's not true. This can only be exploited by people who the administrator has granted HTTP access to in the first place. If you've allowed all private users HTTP access through the Services->Available page, you are saying that you trust all your internal users. If you don't, turn that off! The other group of people who are typically trusted are the valid tunnel users using a "Permit All" filter allowing HTTP as a management protocol. You should consider removing that and having a special filter for administrators that allows HTTP. That's just security 101.

We ship the box with Private side HTTP enabled because otherwise there'd be no way to add that first tunnel. Or at least there wasn't until we added the ability to define a control tunnel through the serial menu. We should update our documentation to recommend these security measures, but many already have them in place.

Another statement that you make that has me confused is that you feel you'd need 2 tunnels active to manage the box from the public network. You can definitely manage the box through the same tunnel you use to access the private network providing your filter allows that. I do that all the time.

If there are any further questions, don't hesitate to either post them here, reply to me directly, or call our Technical Support Center at 1-800-2LANWAN.

Jeff, Nortel

At 08:35 AM 1/20/00 -0800, Chris Carlson wrote:
>All,
>
>I read this morning a new vulnerability for the
>Contivity extranet switches. This vulnerability gives
>anyone the ability to crash the Contivity from a web
>browser.
>
>I tested the file list successfully. Scary! Typical
>cgi-bin exploits, though.
>
>While I don't believe that this vulnerability leads to
>an exploit of the authentication, encryption, or IPSec
>modules, it's something to consider.
>
>In the mean time, you can disable unencrypted WEB
>management sessions to the switch.
>That makes the web
>server unavailable to anyone NOT coming in encrypted.
>To manage it, you would tunnel to the inside interface
>of the switch. (Of course, if you did this, then you
>couldn't manage any Contivities remotely if you tunnel
>in, since you can't set up two IPSec tunnels on a PC,
>one to get into the network and one for the web
>server.)
>
>As of yet there is no fix from Nortel, although 2
>calls have been logged by Securityfocus.
>
>Nortel has opened cases for each of these
>vulnerabilities:
>
> CR# 118890 - DoS
>
> CR# 118887 - cgiproc 'bug'
>
>A fix is planned for the next release of VxWorks.
>
>There are 2 exploits: one that will cause a crash and
>one that will allow you to view system files.
>
>http://x.x.x.x/manage/cgi/cgiproc?$
>
> [crash]
>
>No evidence of this problem being exploited is saved
>in the logs.
>
>
>The second exploit allows any user to view system
>files from their web browser.
>
>
>http://x.x.x.x/manage/cgi/cgiproc?Nocfile=/name/and/path/of/file.
>
>(interesting places to look: /system/filelist.dat,
>/system/version.dat, /system/keys, /system/core, etc.)
>
>All that is written to the logs when this is exploited
>is below:
>
> 09:44:23 tEvtLgMgr 0 : Security [12] Management:
>Request for cgiproc denied. requires login
>
>You can read more at
>http://www.securityfocus.com/bid/938
>
>
>Chris
>--
From Ryan.Russell at SYBASE.COM Thu Jan 20 13:57:34 2000
From: Ryan.Russell at SYBASE.COM (Ryan Russell)
Date: Thu, 20 Jan 2000 10:57:34 -0800
Subject: Cisco 800 VPN
Message-ID: <8825686C.00682C76.00@gwwest.sybase.com>

>I'm having troubles getting a Cisco 800 router to open up a port to accept
>VPN access below is a diagram of what I'm trying to achieve
>
>Client (win9x / win2k) --> Internet -->CISCO 800 --> NT Server (VPN Server)

What kind of VPN, and are you doing NAT on the 800?

Ryan

From JJones at NWNETS.COM Thu Jan 20 14:01:04 2000
From: JJones at NWNETS.COM (Jeremy Jones)
Date: Thu, 20 Jan 2000 12:01:04 -0700
Subject: Flowpoint and PPTP/VPN
Message-ID: <4128C0428F94D3118F1E00902773CED201B3F0@NNSBOIS1>

One of my clients has a flowpoint dsl router which can handle gre (protocol 47). The tcp port needed is 1723.

-----Original Message-----
From: Jon Carnes [mailto:jonc at HAHT.COM]
Sent: Thursday, January 20, 2000 5:45 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: Flowpoint and PPTP/VPN

Microsoft's PPTP uses two ports - I believe they are 1027 and 47. The initial connection is made on port 1027, and then data is passed on port 47. It's been a long time since I read the specs, but they are up in Microsoft's Knowledge base.

If your router (the flowpoint box) is using masquerading then you will have problems using MS PPTP. Most masquerading firewall/routers now have patches to allow PPTP to pass through them. We use a Linux box as our firewall/router and we had to apply a patch to our kernel so that the GRE packets (port 47) would be redirected to the proper box inside our firewall.

Also, some ISPs do not pass GRE packets. You may want to confirm with them that they will allow PPTP to travel into and across their net.

Also, check in with MS's knowledge base. They have a lot of info logged up there on getting your PPTP to work.
Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: Frank R. Boecherer
To: VPN at SECURITYFOCUS.COM
Sent: Tuesday, January 18, 2000 10:12 PM
Subject: Flowpoint and PPTP/VPN

If you have (or not) experience with Flowpoint routers, maybe you can offer some tips...

We are trying to set up remote access to our NT with one end of the connection being a remote computer connected to the Internet via cable modem and using Microsoft's PPTP VPN and the other end being the main office server with cable modem and a Flowpoint ethernet to ethernet router. Everything seems to be going OK after clicking the VPN dialup icon, but after the box that says "Verifying user name and password" comes up, the connection times out and we get an "Error 650: The computer you're dialing in to does not respond to a network request. Check your server type setting in the properties of the connection. If this problem persists, check with your network administrator."

We have filtering turned off, I believe, on the server, but I read somewhere that we may need to turn on GRE protocol 47 in the router to allow the passing of certain packets or header data. Can anyone explain what GRE is and maybe how to enable it on the Flowpoint and if that is the problem we might be experiencing?

Thanks
Frank

From carlsonmail at YAHOO.COM Thu Jan 20 16:17:32 2000
From: carlsonmail at YAHOO.COM (Chris Carlson)
Date: Thu, 20 Jan 2000 13:17:32 -0800
Subject: Nortel Contivity Extranet Vulnerability!
Message-ID: <20000120211732.27633.qmail@web113.yahoomail.com>

Thanks for replying. Just to clarify your clarifications... :-)

Items 1 and 2 below are tied together, since one can only "turn off" HTTP access to the switch from the internal network by mandating encrypted tunnels in order to manage the switch. That comes to my point.
Yes, I can tunnel in from the public network and manage that switch, but I CANNOT tunnel into Switch 1, for example, and manage Switch 2 if Switch 2 requires an encrypted tunnel. See...? One organization I consult to has 16 Contivities scattered across the world. I certainly don't want to tunnel over the Internet to Singapore just to manage that box if I force encrypted management sessions.

And as far as I know, your statement of "This can only be exploited by people who the administrator has granted HTTP access to in the first place" is only for users coming in through the switch. This has no effect on internal users. And yes I agree, it's important to protect all external facing devices even from the inside, but the Contivity doesn't have such protection, not counting basic administrator authentication. (How about an authenticating web proxy running on the box, that front-ends Web queries to the web server running on the box. No cgis to worry about then!)

After all, the file list exploit works WITHOUT authenticating to the switch at all! But waddya expect from cgi-bin exploits. :-P

Any news on Nortel's time frame for a fix??

Chris
--

--- Jeffrey Needle wrote:
> There have been a couple of paragraphs added to the "exploit"
> page at www.securityfocus.com. Check them over.
>
> Chris, I've got to clarify something you said that is incorrect
> and a very dangerous statement. When you say "gives anyone
> the ability to crash the Contivity", that's not true. This can only
> be exploited by people who the administrator has granted HTTP
> access to in the first place. If you've allowed all private users
> HTTP access through the Services->Available page, you are
> saying that you trust all your internal users. If you don't, turn
> that off! The other group of people who are typically trusted are
> the valid tunnel users using a "Permit All" filter allowing HTTP as
> a management protocol.
> You should consider removing that and
> having a special filter for administrators that allows HTTP. That's
> just security 101.
>
> We ship the box with Private side HTTP enabled because otherwise
> there'd be no way to add that first tunnel. Or at least there wasn't
> until we added the ability to define a control tunnel through the serial
> menu. We should update our documentation to recommend these
> security measures, but many already have them in place.
>
> Another statement that you make that has me confused is that you
> feel you'd need 2 tunnels active to manage the box from the public
> network. You can definitely manage the box through the same tunnel
> you use to access the private network providing your filter allows that.
> I do that all the time.
>
> If there are any further questions, don't hesitate to either post them here,
> reply to me directly, or call our Technical Support Center at 1-800-2LANWAN.
>
> Jeff, Nortel
>
> At 08:35 AM 1/20/00 -0800, Chris Carlson wrote:
> >All,
> >
> >I read this morning a new vulnerability for the
> >Contivity extranet switches. This vulnerability gives
> >anyone the ability to crash the Contivity from a web
> >browser.
> >
> >I tested the file list successfully. Scary! Typical
> >cgi-bin exploits, though.
> >
> >While I don't believe that this vulnerability leads to
> >an exploit of the authentication, encryption, or IPSec
> >modules, it's something to consider.
> >
> >In the mean time, you can disable unencrypted WEB
> >management sessions to the switch. That makes the web
> >server unavailable to anyone NOT coming in encrypted.
> >To manage it, you would tunnel to the inside interface
> >of the switch. (Of course, if you did this, then you
> >couldn't manage any Contivities remotely if you tunnel
> >in, since you can't set up two IPSec tunnels on a PC,
> >one to get into the network and one for the web
> >server.)
> >
> >As of yet there is no fix from Nortel, although 2
> >calls have been logged by Securityfocus.
> >
> >Nortel has opened cases for each of these
> >vulnerabilities:
> >
> > CR# 118890 - DoS
> >
> > CR# 118887 - cgiproc 'bug'
> >
> >A fix is planned for the next release of VxWorks.
> >
> >There are 2 exploits: one that will cause a crash and
> >one that will allow you to view system files.
> >
> >http://x.x.x.x/manage/cgi/cgiproc?$
> >
> > [crash]
> >
> >No evidence of this problem being exploited is saved
> >in the logs.
> >
> >
> >The second exploit allows any user to view system
> >files from their web browser.
> >
> >
> >http://x.x.x.x/manage/cgi/cgiproc?Nocfile=/name/and/path/of/file.
> >
> >(interesting places to look: /system/filelist.dat,
> >/system/version.dat, /system/keys, /system/core, etc.)
> >
> >All that is written to the logs when this is exploited
> >is below:
> >
> > 09:44:23 tEvtLgMgr 0 : Security [12] Management:
> >Request for cgiproc denied. requires login
> >
> >You can read more at
> >http://www.securityfocus.com/bid/938
> >
> >
> >Chris
> >--

From carlsonmail at YAHOO.COM Thu Jan 20 16:37:04 2000
From: carlsonmail at YAHOO.COM (Chris Carlson)
Date: Thu, 20 Jan 2000 13:37:04 -0800
Subject: Stronger PPTP?
Message-ID: <20000120213704.13592.qmail@web123.yahoomail.com>

AFAIK, Microsoft has always had 128-bit PPTP, but you had to register for it on their web site since export is controlled. They had a version available back in the Win95 days.
The issue with Microsoft's implementation of the PPTP protocol isn't the strength/length of the encryption key, it's the fact that they use a crappy hash based on the LanMan authentication sequence. You can read more about it at: http://www.counterpane.com/pptp.html

Microsoft should have addressed this better in their PPTPv2 release, but some people say no. Third party companies like Network Telesystems (www.nts.com) make PPTP clients for Windows and Mac that have a better authentication mechanism than Microsoft's implementation.

Microsoft is still supporting PPTP in Windows2000. I tested it for functionality, not security. A white paper on Windows2000 security a few months ago said that Microsoft is focusing on encrypting L2TP packets with IPSec as their future direction. That way they can have the "approved" encryption/authentication of IPSec with the multi-protocol support of L2TP. If this doesn't speak of a totally non-standard implementation, I don't know what does.

Hope I've been useful!

Chris
--

--- Dave Elfering wrote:
> Has Microsoft increased the strength of PPTP's crypto? A network
> engineer friend of mine asked if the encryption has been raised to 128
> bits, and I had no answer as I've never seriously considered PPTP.
>
> Has this beast been strengthened the process that used a user-supplied
> password at the client to derive the MD4 hash?
>
> I gather MS raised the encryption level that will ship with Windows 2000
> to 128 bits, so does this mean PPTP gets bumped a notch too? I'd thought
> it was going away in favor of IPSec.
>
> Regards,
>
> Dave Elfering
From dnewman at NETWORKTEST.COM Thu Jan 20 19:34:16 2000
From: dnewman at NETWORKTEST.COM (David Newman)
Date: Thu, 20 Jan 2000 16:34:16 -0800
Subject: FW-1 interoperability (was: About compatibility)
In-Reply-To:
Message-ID:

> My question is: I have on one side a PIX and, on the other side, a
> Firewall-1. Does someone know whether I can build a VPN between them? If so,
> what protocol should I have to use? Thanks a lot. Help will be
> appreciated.

(snip)

> Yes that is totally possible, both of them support the IPSec Standards,
> based on the draft.

Have you verified this with Firewall-1 and Vendor X's VPN box, both operating in gateway-to-gateway mode? As of a few months ago, FW-1 version 4 would talk IPSec with other folks' gateways, but only by setting up individual SAs for each remote host that wanted to communicate. Check Point said last summer that the next FW-1 release would handle gateway-to-gateway mode with other vendors' kit, and at least in my experience they've been good on their word, but I haven't verified this.

dn

From Jose.Muniz at US.DATAFELLOWS.COM Thu Jan 20 16:39:04 2000
From: Jose.Muniz at US.DATAFELLOWS.COM (Muniz, Jose)
Date: Thu, 20 Jan 2000 13:39:04 -0800
Subject: FW-1 interoperability (was: About compatibility)
Message-ID:

Well, I actually saw that at the Cisco 2000 VPN Interop last week in San Diego. Of course I do not work for either company, nor did I look at the testing results of them either; however 90% or 98% of the IPSec solutions out there as of today are able to interoperate with each other. Most of the stuff that I saw was in either Beta or Alpha stage so you might be totally right about the current releases, let me see.... mmmm....mmmm.... OK. Here is the Checkpoint version; it was Checkpoint FW-1 version 4.1 SP 1. I could not tell you about Cisco, apparently they were compiling new builds on the fly so I could not tell.
Hope that this info helps.

Jose.

________________________________________
Jose Muniz. -Jose.Muniz at F-Secure.com
Systems Engineer.
F-Secure, Inc.
Phone 408.350.2193
Cell 408.569.9306
675 N. First Street, 5th Floor
San Jose, Ca. 95112
http://www.F-Secure.com
________________________________________

> -----Original Message-----
> From: David Newman [mailto:dnewman at networktest.com]
> Sent: Thursday, January 20, 2000 4:34 PM
> To: Muniz, Jose; VPN at SECURITYFOCUS.COM
> Subject: FW-1 interoperability (was: About compatibility)
>
> > My question is: I have on one side a PIX and, in the other side, a
> > Firewall-1. Does someone know whether I can build a VPN between them? If so,
> > what protocol should I have to use? Thanks a lot. Help will be
> > appreciated.
>
> (snip)
>
> > Yes that is totally possible, both of them support the IPSec Standards,
> > based on the draft.
>
> Have you verified this with Firewall-1 and Vendor X's VPN box, both
> operating in gateway-to-gateway mode? As of a few months ago, FW-1 version 4
> would talk IPSec with other folks' gateways, but only by setting up
> individual SAs for each remote host that wanted to communicate. Check Point
> said last summer that the next FW-1 release would handle gateway-to-gateway
> mode with other vendors' kit, and at least in my experience they've been
> good on their word, but I haven't verified this.
>
> dn

From darren.kruse at EDS.COM Thu Jan 20 19:59:55 2000
From: darren.kruse at EDS.COM (Kruse, Darren)
Date: Fri, 21 Jan 2000 11:29:55 +1030
Subject: Shiva LanRover VPN - IPX support

There is NO support for IPX/SPX in the current release of the Shiva Lanrover, nor is there likely to be IMHO.

I have told our sales people that if they want to sell the VPN solution to people who want to access Netware resources then there are two options / workarounds:

1. (Preferred) upgrade to Netware 5.0 and don't run IPX.

2. (Ugly - but it works) - the VPN client talks IP to an NT box inside the trusted network. The NT box then in turn runs Gateway Services for Netware - this is included for free in the OS. Basically, the NT server, by talking IPX to the Netware box inside the trusted network, is acting as a proxy for the client. With this I think the NT server needs to be logged into the Netware server with administrator rights - I'm not an NT guru so I may be wrong on this. This will allow remote VPN clients to map drives and print to the netware printer using IP and using the NT box as a proxy.

regards,

Darren Kruse
Advanced Communications Engineer
EDS (Australia)
tel: + 61 8 8301 5322 <<-- !! **Note new phone number** !!
PGP Fingerprint (valid to 31/12/2000) 6CD809275B6777820D61888AF84DEF004AF40E9F
mailto://darren.kruse at eds.com

> -----Original Message-----
> From: Jon Carnes [mailto:jonc at haht.com]
> Sent: Thursday, January 20, 2000 11:38 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: Shiva LanRover VPN
>
> <>
>
> I imagine that the Lan Rover works with other protocols and not just TCP/IP.
> Most likely it also works with IPX (Novell protocol). That being the case,
> it is possible that you may be using strictly IPX on your LAN and not be
> using TCP/IP at all. This is the only case that I can see in which you
> would want to "turn off the Client IP check box".
>
> Hope that helps,
>
> Jon Carnes
> MIS - HAHT Software

From smorison at TEXT100.COM.AU Thu Jan 20 18:21:20 2000
From: smorison at TEXT100.COM.AU (Stephen Morison)
Date: Fri, 21 Jan 2000 10:21:20 +1100
Subject: Cisco 800 VPN
Message-ID: <218BFCE943B0D31180FB00A0C9E9337113FB@TXTAS1>

The guy that initially set up the routers in the offices I babysit did a terrible job. I am about to re-configure them all and they will be using NAT and static ports to internal (private IP) addresses. Does this help?
Stephen

-----Original Message-----
From: Ryan Russell [mailto:Ryan.Russell at SYBASE.COM]
Sent: Friday, 21 January 2000 5:58 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: Cisco 800 VPN

>I'm having troubles getting a Cisco 800 router to open up a port to accept
>VPN access below is a diagram of what I'm trying to achieve
>
>Client (win9x / win2k) --> Internet -->CISCO 800 --> NT Server (VPN Server)

What kind of VPN, and are you doing NAT on the 800?

Ryan

From toddw at LIGHTMAIL.COM Fri Jan 21 01:20:49 2000
From: toddw at LIGHTMAIL.COM (Todd Wilburn)
Date: Thu, 20 Jan 2000 22:20:49 -0800
Subject: Linux VPN

We are thinking of using Linux for our server/firewalls and we need to do VPN. What programs are available for a Linux VPN box? I can use secret pass codes or certs.

Thanks,
Todd Wilburn

From MikeOh at ROCKETMAIL.COM Fri Jan 21 10:30:38 2000
From: MikeOh at ROCKETMAIL.COM (Michael Oh)
Date: Fri, 21 Jan 2000 07:30:38 -0800
Subject: W2K and IPSec
Message-ID: <20000121153038.26338.qmail@web2906.mail.yahoo.com>

I've recently been playing around with the VPN in W2K. Trying to get this working with a Raptor firewall using IPSec.

Can't seem to get this running even though it looks like all the configuration settings are correct (and available) in W2K.

Does anyone know if W2k's IPSec works according to spec? Or do I need to do something different like IPSec over L2TP?

Anyone ever gotten W2k's IPSec working with another 3rd party product?

TIA
Michael Oh

=====
Michael Oh
From steve_j_kuo at EMAIL.MOBIL.COM Thu Jan 20 18:43:45 2000
From: steve_j_kuo at EMAIL.MOBIL.COM (Steve J Kuo)
Date: Thu, 20 Jan 2000 17:43:45 -0600
Subject: Shiva LanRover VPN - tunnel access
Message-ID: <8625686C.0082C4DF.00@xdallng1.dal.mobil.com>

Darren,

This is a different question. With a Shiva Access Manager, can you limit which tunnel a user can access? For example, there are 10 multiuser tunnels defined, all using the same authentication server. If I have a valid id/password to pass the authentication, and I know all the tunnel names, can you limit me to only connect to one tunnel but not the other 9? I know the Shiva VPN box does not have that user-tunnel association.

Steve Kuo

"Kruse, Darren" on 01/19/2000 05:15:45 PM
Please respond to "Kruse, Darren"

From pete at ETHER.NET Thu Jan 20 22:48:29 2000
From: pete at ETHER.NET (Pete Davis)
Date: Thu, 20 Jan 2000 22:48:29 -0500
Subject: Cisco 800 VPN
In-Reply-To: <218BFCE943B0D31180FB00A0C9E9337113E6@TXTAS1>
References: <218BFCE943B0D31180FB00A0C9E9337113E6@TXTAS1>
Message-ID: <20000120224829.A16904@ether.net>

Stephen,

Are you performing network address translation or is the NT server on public address space? Either way, you will need to make sure that your inbound access-list is set to permit:

PPTP - GRE (Protocol 47), and PPTP Controls, which is TCP destination port 1723.
IPSEC - ESP (Protocol 50), and IKE, which is UDP Port 500.

If your VPN server is on private address space, you will need a public IP address in order to do an address mapping for a singular external IP address to the internal IP address. I am not sure off the top of my head which version of IOS first added support for GRE/ESP protocols for access-lists, you may want to check out cco.cisco.com.
Regards,
-pete

On Wed, Jan 19, 2000 at 12:04:35PM +1100, Stephen Morison wrote:
> Hi,
> I'm having troubles getting a Cisco 800 router to open up a port to accept
> VPN access below is a diagram of what I'm trying to achieve
>
> Client (win9x / win2k) --> Internet -->CISCO 800 --> NT Server (VPN Server)
>
> Please advise what would be the best way to achieve this
>
> Stephen

---
Pete Davis - Product Manager (508) 541-7300 x154
Altiga Networks - 124 Grove Street Suite 205 Franklin, MA 02038

From patrick at SECUREOPS.COM Fri Jan 21 13:10:42 2000
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Fri, 21 Jan 2000 13:10:42 -0500
Subject: Linux VPN

Hi,

I've tried FreeS/WAN on Linux and it is fairly difficult to implement. Have you considered a solution like OpenBSD (http://www.openbsd.org)?

Advantages over Linux (these aren't scientific mind you but a result of my personal opinion):

IPFilter is easier to implement than IPChains and has a few extra features (like keeping state of connections).

ISAKMPD on OpenBSD is included with the initial installation, all you need to do is edit some configuration files.

IKE supports X509 certs and Pre-Shared secrets.

It's Canadian, so encryption is not an issue (unless you are in the States, then you need to obtain it from a US ftp server).

It also has very clear instructions off their website on how to recompile a kernel and do basic system administration.

Also, most of the users on their mailing lists are experienced systems administrators with a very strong background in security. You get in contact with the actual developers if there is a problem. Things are very personal.

NetBSD and FreeBSD are also alternatives. Linux makes a great workstation because of how many people support it. As for setting up a Firewall/VPN Gateway, Linux has too many audit issues to make me comfortable with it.
Regards,

Patrick Ethier

-----Original Message-----
From: Todd Wilburn [mailto:toddw at LIGHTMAIL.COM]
Sent: Friday, January 21, 2000 1:21 AM
To: VPN at SECURITYFOCUS.COM
Subject: Linux VPN

We are thinking of using Linux for our server/firewalls and we need to do VPN. What programs are available for a Linux VPN box? I can use secret pass codes or certs.

Thanks,
Todd Wilburn

From bet at RAHUL.NET Fri Jan 21 14:29:13 2000
From: bet at RAHUL.NET (Bennett Todd)
Date: Fri, 21 Jan 2000 14:29:13 -0500
Subject: Linux VPN
In-Reply-To: ; from toddw@LIGHTMAIL.COM on Thu, Jan 20, 2000 at 10:20:49PM -0800
Message-ID: <20000121142913.I534@rahul.net>

2000-01-21-01:20:49 Todd Wilburn:
> We are thinking of using Linux for our server/firewalls and we
> need to do VPN. What programs are available for a Linux VPN box? I
> can use secret pass codes or certs.

There are a lot of alternatives. I've been trying to read up on them, but haven't yet tried them.

If you favour IPSec, there's FreeS/WAN[1].

There's PopTop[2] for people who need interoperability with Windows clients with no add-on software, and are willing to live with the security of PPTP to get it.

There are more approaches to doing ppp, slip, or other protocols tunneled over ssh than you can shake a stick at. The newest I've seen is vpnstarter[3].

The simplest VPN implementation I know of for Linux is vpnd[4], and simplicity is often a win.

But I fear, even though it's probably the most complex solution of them all, I'd probably recommend pursuing FreeS/WAN, and if I couldn't get that working I'd then recommend trying replacing the Linux boxes with OpenBSD and trying its ipsec for the VPNning.
The thing is, from everything I've read, I get the strong impression that IP-over-TCP tunneling --- which includes the foo-over-ssh solutions and vpnd --- has really awful performance problems as soon as the net is less than perfect (and the internet is the diametrical opposite of perfect these days). TCP has some amazing performance-tuning hacks, designed to minimize needless resends in the face of large and variable latencies, and to avoid filling buffers in intermediate routers. Apparently their behavior is such that the latency characteristics delivered up by an underlying TCP layer completely screw up the performance of the tunneled tcp layer attempting to ride on top. Or so I've heard.

All this is hearsay, so if anybody knows I'm wrong about it I'd love to be corrected.

-Bennett

[1]
[2]
[3]
[4]

From eric.jeffery at EDWARDS.AF.MIL Fri Jan 21 16:11:33 2000
From: eric.jeffery at EDWARDS.AF.MIL (Jeffery Eric Contr 95 CS/SCBA)
Date: Fri, 21 Jan 2000 13:11:33 -0800
Subject: Shiva LanRover VPN - IPX support
Message-ID: <1342BEFC44BED31195100090276D3496399ACD@FSFSPM15>

I found out that Compatible Systems have a box called the IntraPort that supports IPX communication over their IPSec VPN. Adding to what Darren says below, this is a 3rd option.

Eric Jeffery, MCSE
Network Systems Analyst
TYBRIN Corp.
Edwards AFB, CA
661-277-1760

-----Original Message-----
From: Kruse, Darren [mailto:darren.kruse at EDS.COM]
Sent: Thursday, January 20, 2000 5:00 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: Shiva LanRover VPN - IPX support

There is NO support for IPX/SPX in the current release of the Shiva Lanrover, nor is there likely to be IMHO.
I have told our sales people that if they want to sell the VPN solution to people who want to access Netware resources then there are two options / workarounds:

1. (Preferred) upgrade to Netware 5.0 and don't run IPX.

2. (Ugly - but it works) - the VPN client talks IP to an NT box inside the trusted network. The NT box then in turn runs Gateway Services for Netware - this is included for free in the OS. Basically, the NT server, by talking IPX to the Netware box inside the trusted network, is acting as a proxy for the client. With this I think the NT server needs to be logged into the Netware server with administrator rights - I'm not an NT guru so I may be wrong on this. This will allow remote VPN clients to map drives and print to the netware printer using IP and using the NT box as a proxy.

regards,

Darren Kruse
Advanced Communications Engineer
EDS (Australia)
tel: + 61 8 8301 5322 <<-- !! **Note new phone number** !!
PGP Fingerprint (valid to 31/12/2000) 6CD809275B6777820D61888AF84DEF004AF40E9F
mailto://darren.kruse at eds.com

> -----Original Message-----
> From: Jon Carnes [mailto:jonc at haht.com]
> Sent: Thursday, January 20, 2000 11:38 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: Shiva LanRover VPN
>
> <>
>
> I imagine that the Lan Rover works with other protocols and not just TCP/IP.
> Most likely it also works with IPX (Novell protocol). That being the case,
> it is possible that you may be using strictly IPX on your LAN and not be
> using TCP/IP at all. This is the only case that I can see in which you
> would want to "turn off the Client IP check box".
>
> Hope that helps,
>
> Jon Carnes
> MIS - HAHT Software

From Jose.Muniz at US.DATAFELLOWS.COM Fri Jan 21 14:58:01 2000
From: Jose.Muniz at US.DATAFELLOWS.COM (Muniz, Jose)
Date: Fri, 21 Jan 2000 11:58:01 -0800
Subject: Linux VPN

Hello Todd,

Well there is a choice out there; it is named FreeS/Wan and it is really coming along quite nicely. At this time there is only support for Preshared Keys and the Certificate support is coming down the pipe. Also very interesting, they are focusing on implementing SECDNS [Secure DNS] for certificate distribution and scalability, which means to me that they are on the right track!

On this link is a link to the site: http://www.toad.com

Jose Muniz.

________________________________________
Jose Muniz. -Jose.Muniz at F-Secure.com
Systems Engineer.
F-Secure, Inc.
Phone 408.350.2193
Cell 408.569.9306
675 N. First Street, 5th Floor
San Jose, Ca. 95112
http://www.F-Secure.com
________________________________________

-----Original Message-----
From: Todd Wilburn [mailto:toddw at LIGHTMAIL.COM]
Sent: Thursday, January 20, 2000 10:21 PM
To: VPN at SECURITYFOCUS.COM
Subject: Linux VPN

We are thinking of using Linux for our server/firewalls and we need to do VPN. What programs are available for a Linux VPN box? I can use secret pass codes or certs.

Thanks,
Todd Wilburn

From scotta at GNAC.COM Fri Jan 21 20:39:10 2000
From: scotta at GNAC.COM (Scott Armstrong)
Date: Fri, 21 Jan 2000 17:39:10 -0800
Subject: PGPNet/Entrust

Does anyone have some tips on getting Entrust certificates into PGPNet? I'm using Entrust 5.0 with pre-5.0 client compatibility and VPN Connector 4.1. The directory is PeerLogic 8.a.2 with both LDAP v2 and v3 capabilities. My main problem is getting the CA root certificate into the PGP client. As soon as that's done I should be able to install my client certificate into my key ring.
Problem is, it doesn't seem to want to work. Any help would be appreciated.

Thanks,
Scott Armstrong

From Ryan.Russell at SYBASE.COM Fri Jan 21 19:42:09 2000
From: Ryan.Russell at SYBASE.COM (Ryan Russell)
Date: Fri, 21 Jan 2000 16:42:09 -0800
Subject: Linux VPN
Message-ID: <8825686E.0003E151.00@gwwest.sybase.com>

> I've tried FreeS/WAN on Linux and it is fairly difficult to implement. Have
> you considered a solution like OpenBSD( http://www.openbsd.org ).
> It's Canadian, so encryption is not an issue(Unless you are in the States,
> then you need to obtain it from a US ftp server).

There is no import restriction for the US for crypto. The only issue with OpenBSD you'd have as a US user is the RSA patent. That problem goes away after September 29th. I believe one can get patent-free distros of OpenBSD (which may be what you're referring to.)

(I realize you may know this Patrick, but for the benefit of other readers on the list who may misread your statement...)

Ryan

From jonc at HAHT.COM Fri Jan 21 15:26:42 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Fri, 21 Jan 2000 15:26:42 -0500
Subject: Linux VPN
Message-ID: <017e01bf644d$e66129d0$6803010a@dhcp.haht.com>

I personally use Linux boxes for my Firewall and VPN. I find them easy to set up and reliable. However, I have heard a lot of folks say that OpenBSD makes a better firewall, because of its leaner install. I would say that you would be in good shape using either one.

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: Patrick Ethier
To: VPN at SECURITYFOCUS.COM
Sent: Friday, January 21, 2000 1:10 PM
Subject: Re: Linux VPN

Hi,

I've tried FreeS/WAN on Linux and it is fairly difficult to implement. Have you considered a solution like OpenBSD (http://www.openbsd.org)?

Advantages over Linux (these aren't scientific mind you but a result of my personal opinion):
IPFilter is easier to implement than IPChains and has a few extra features (like keeping state of connections).

ISAKMPD on OpenBSD is included with the initial installation, all you need to do is edit some configuration files.

IKE supports X509 certs and Pre-Shared secrets.

It's Canadian, so encryption is not an issue (unless you are in the States, then you need to obtain it from a US ftp server).

It also has very clear instructions off their website on how to recompile a kernel and do basic system administration.

Also, most of the users on their mailing lists are experienced systems administrators with a very strong background in security. You get in contact with the actual developers if there is a problem. Things are very personal.

NetBSD and FreeBSD are also alternatives. Linux makes a great workstation because of how many people support it. As for setting up a Firewall/VPN Gateway, Linux has too many audit issues to make me comfortable with it.

Regards,

Patrick Ethier

-----Original Message-----
From: Todd Wilburn [mailto:toddw at LIGHTMAIL.COM]
Sent: Friday, January 21, 2000 1:21 AM
To: VPN at SECURITYFOCUS.COM
Subject: Linux VPN

We are thinking of using Linux for our server/firewalls and we need to do VPN. What programs are available for a Linux VPN box? I can use secret pass codes or certs.

Thanks,
Todd Wilburn

From mhw at WITTSEND.COM Fri Jan 21 20:06:02 2000
From: mhw at WITTSEND.COM (Michael H. Warfield)
Date: Fri, 21 Jan 2000 20:06:02 -0500
Subject: Linux VPN
In-Reply-To: ; from patrick@SECUREOPS.COM on Fri, Jan 21, 2000 at 01:10:42PM -0500
Message-ID: <20000121200602.B1717@alcove.wittsend.com>

Uhhh... Just to correct some technical details and not to debate the issues...
On Fri, Jan 21, 2000 at 01:10:42PM -0500, Patrick Ethier wrote:
> Hi,
> I've tried FreeS/WAN on Linux and it is fairly difficult to implement. Have
> you considered a solution like OpenBSD( http://www.openbsd.org ).
> Advantages over Linux(These aren't scientific mind you but a result of my
> personal opinion).
> IPFilter is easier to implement than IPChains and has a few extra
> features(Like keeping state of connections)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Don't know about the "easier" part but the state issue is true.

> ISAKMPD on OpenBSD is included with the initial installation, all you need
> to do is edit some configuration files

One can argue the same for FreeS/WAN (at least recent versions). With the proviso that once it's in the kernel, it's just a matter of some configuration files.

> IKE supports X509 certs and Pre-Shared secrets

There are patches for X509 certs for FreeS/WAN although they are not up to the latest snapshot. Pluto (FreeS/WAN IKE) supports RSA keys as well as preshared secrets with or without automatic rekeying.

> It's Canadian, so encryption is not an issue(Unless you are in the States,
> then you need to obtain it from a US ftp server).

FreeS/WAN is also Canadian in origin. Hopefully, now that the crypto regs have been relaxed a bit, we should have FreeS/WAN in the kernel sources (at least the KLIPS part of it). That will vastly ease the install difficulty (no more patching the kernel). Hoping for 2.4.

> It also has very clear instructions off their website on how to recompile a
> kernel and do basic system administration.
> Also, most of the users on their mailing lists are experienced systems
> administrators with a very strong background in security.
> You get in contact with the actual developers if there is a problem. Things
> are very personal.

Could also be argued for FreeS/WAN.

> NetBSD and FreeBSD are also alternatives. Linux makes a great workstation
> because of how many people support it.
> As for setting up a Firewall/VPN
> Gateway, Linux has too many audit issues to make me comfortable with it.

So go with one of the audited distros and add Bastille to it.

Oh... And just because OpenBSD is audited, the lack of auditing in NetBSD and FreeBSD makes me uncomfortable. I get real uneasy when people lump the *BSD variants into one pile when a lot of those guys won't even talk to one another... We just had a dust-up over this "streams.c" which seems to hit FreeBSD pretty hard but I found it doesn't even cause OpenBSD to blink. It causes some problems for Linux (slows it down - spotty) but it's not a major problem. Seems to be able to panic FreeBSD under the right conditions. The network stacks are not the same.

> Regards,
> Patrick Ethier
> -----Original Message-----
> From: Todd Wilburn [mailto:toddw at LIGHTMAIL.COM]
> Sent: Friday, January 21, 2000 1:21 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: Linux VPN
> We are thinking of using Linux for our server/firewalls and we need to do
> VPN. What programs are available for a Linux VPN box? I can use secret
> pass codes or certs.
>
> Thanks,
> Todd Wilburn

--
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

From pete at ETHER.NET Fri Jan 21 14:14:37 2000
From: pete at ETHER.NET (Pete Davis)
Date: Fri, 21 Jan 2000 14:14:37 -0500
Subject: W2K and IPSec
In-Reply-To: <20000121153038.26338.qmail@web2906.mail.yahoo.com>
References: <20000121153038.26338.qmail@web2906.mail.yahoo.com>
Message-ID: <20000121141437.A18541@ether.net>

Michael,

You are absolutely right, you need either PPTP or L2TP over IPSec. I do not believe the Raptor supports this yet, but you will need to give them a call and ask.
We (Altiga) have tested W2K's IPSec client with our Concentrator and all works fine.

Regards,
-Pete

On Fri, Jan 21, 2000 at 07:30:38AM -0800, Michael Oh wrote:
> I've recently been playing around with the VPN in W2K. Trying to get
> this working with a Raptor firewall using IPSec.
>
> Can't seem to get this running even though it looks like all the
> configuration settings are correct (and available) in W2K.
>
> Does anyone know if W2k's IPSec works according to spec? Or do I need
> to do something different like IPSec over L2TP?
>
> Anyone ever gotten W2k's IPSec working with another 3rd party product?
>
> TIA
> Michael Oh
>
> =====
>
> Michael Oh

---
Pete Davis - Product Manager (508) 541-7300 x154
Altiga Networks - 124 Grove Street Suite 205 Franklin, MA 02038

From Noah_Salzman at NAI.COM Sat Jan 22 21:50:26 2000
From: Noah_Salzman at NAI.COM (Salzman, Noah)
Date: Sat, 22 Jan 2000 18:50:26 -0800
Subject: PGPNet/Entrust
Message-ID: <0DA2A15FEE96D31187AA009027AA6A7283AD9D@ca-exchange1.nai.com>

Scott,

Just get a PEM copy of the root CA and [literally] paste it into PGPkeys. Then sign and trust the root CA (or sign it as a meta-introducer). Then configure the CA tab in the options dialog so that you can access the Entrust server automatically. You can then use PGPkeys and the "Add Certificate" command on an RSA key. Once the cert has been approved on the server you can use the "Server -> Retrieve Certificate" command in PGPkeys. Once you have retrieved your cert you can go to PGPnet and set it as the X.509 cert you plan to use to authenticate IPsec connections.
Give me a call if you run into trouble,

Noah Salzman
noah at pgp.com
PGP QA Manager
408.346.5186

-----Original Message-----
From: Scott Armstrong [mailto:scotta at gnac.com]
Sent: Friday, January 21, 2000 5:39 PM
To: VPN at SECURITYFOCUS.COM
Subject: PGPNet/Entrust

Does anyone have some tips on getting Entrust certificates into PGPNet? I'm using Entrust 5.0 with pre-5.0 client compatibility and VPN Connector 4.1. The directory is PeerLogic 8.a.2 with both LDAP v2 and v3 capabilities. My main problem is getting the CA root certificate into the PGP client. As soon as that's done I should be able to install my client certificate into my key ring. Problem is, it doesn't seem to want to work. Any help would be appreciated.

Thanks,
Scott Armstrong

From rodney at TILLERMAN.TO Sat Jan 22 17:05:02 2000
From: rodney at TILLERMAN.TO (Rodney Thayer)
Date: Sat, 22 Jan 2000 14:05:02 -0800
Subject: W2K and IPSec
In-Reply-To: <20000121153038.26338.qmail@web2906.mail.yahoo.com>
Message-ID: <3.0.6.32.20000122140502.03aa1100@216.240.42.209>

Microsoft took code to several interop events that worked with other vendors. I do not know of anyone using final production W2k in this way. I know Microsoft was at the recent Interop event, there should be data on their testing floating around somewhere in public... I know, for example, that at various times they interoperated with SSH, Hi/fn, Cisco, and probably Indus River.

At 07:30 AM 1/21/00 -0800, Michael Oh wrote:
>I've recently been playing around with the VPN in W2K. Trying to get
>this working with a Raptor firewall using IPSec.
>
>Can't seem to get this running even though it looks like all the
>configuration settings are correct (and available) in W2K.
>
>Does anyone know if W2k's IPSec works according to spec? Or do I need
>to do something different like IPSec over L2TP?
>
>Anyone ever gotten W2k's IPSec working with another 3rd party product?
> >TIA >Michael Oh > >===== > >Michael Oh > >__________________________________________________ >Do You Yahoo!? >Talk to your friends online with Yahoo! Messenger. >http://im.yahoo.com > >VPN is sponsored by SecurityFocus.COM > VPN is sponsored by SecurityFocus.COM From rodney at TILLERMAN.TO Sat Jan 22 17:02:56 2000 From: rodney at TILLERMAN.TO (Rodney Thayer) Date: Sat, 22 Jan 2000 14:02:56 -0800 Subject: VPN Interop (was: About compatibility) In-Reply-To: Message-ID: <3.0.6.32.20000122140256.03aa2e50@216.240.42.209> Remember that vendors are SUPPOSED to be doing active development at these Interop events -- this is a Very Good Thing. I don't mean to imply the gentleman from Data Fellows said that, but I want to make it clear we (the VPN user commununity) want them (the VPN vendor community) to feel comfortable in doing these interoperability trials. Other venues exist for absolutely only production code, we've done some "live shoot-outs" for example. At 01:39 PM 1/20/00 -0800, Muniz, Jose wrote: >Well, I actually sow that at the Cisco 2000 VPN Interop last week in >San Diego. >Of course I do not work for either company neither look at the testing >results >of them either, however 90% or 98% of the IPSec solutions out there as it >today, >are able to interoperate with each other. >Must of the stuff that I saw was on either Beta and Alfa stage so you might >be totally right >about the current releases, let me see.... mmmm....mmmm.... > >OK >Here is the Checkpoint version; >I was Checkpoint FW-1 version 4.1 SP 1 > >I could not tell you about Cisco, apparently they were compiling new builds >on the fly so I could not tell. >Hope that this info helps. > >Jose. > >________________________________________ > >Jose Muniz. -Jose.Muniz at F-Secure.com >Systems Engineer. >F-Secure, Inc. >Phone 408.350.2193 >Cell 408.569.9306 > >675 N. First Street, 5th Floor >San Jose, Ca. 
95112 >http://www.F-Secure.com >________________________________________ > > > >> -----Original Message----- >> From: David Newman [mailto:dnewman at networktest.com] >> Sent: Thursday, January 20, 2000 4:34 PM >> To: Muniz, Jose; VPN at SECURITYFOCUS.COM >> Subject: FW-1 interoperability (was: About compatibility) >> >> >> >> >> > My question is: I have on one side a PIX and, in the other side, a >> > Firewall-1. Do someone know whether I can build a VPN >> between them? If so, >> > what protocol should I have to use? Thanks a lot. Help will be >> > appreciated. >> >> (snip) >> >> > Yes that is totally possible, both of them support the >> IPSec Standards, >> > based on the draft. >> >> Have you verified this with Firewall-1 and Vendor X's VPN box, both >> operating in gateway-to-gateway mode? As of a few months ago, >> FW-1 version 4 >> would talk IPSec with other folks' gateways, but only by setting up >> individual SAs for each remote host that wanted to >> communicate. Check Point >> said last summer that the next FW-1 release would handle >> gateway-to-gateway >> mode with other vendors' kit, and at least in my experience >> they've been >> good on their word, but I haven't verified this. >> >> dn >> >> > >VPN is sponsored by SecurityFocus.COM > VPN is sponsored by SecurityFocus.COM From markus at HOFMAR.DE Sat Jan 22 06:11:49 2000 From: markus at HOFMAR.DE (Markus Hofmann) Date: Sat, 22 Jan 2000 12:11:49 +0100 Subject: VPN-1 FWZ Message-ID: Hello! Does anyone has detailed protocol descriptions about Checkpoint VPN-1 FWZ Authentication Protocol and Encryption Algorithm? O.k. I already read, that they use DH, 512 Bits RSA Keys, CAST, DEs, 3DES and so on - but no detailed protocol description how all the stuff is fitted togehter in FWZ (i.e. how the authentication like SecurID or S/Key is integrated in this protocol). yours sincerely M. Hofmann =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Markus Hofmann Phone: +49 170 2848250 St. 
Urbanusstr. 15            Fax: +49 9371 2032
                          E-Mail: hofmann at hofmar.de
63927 Buergstadt          SMS-Mail: sms at hofmar.de (Only Subject)
Germany                   PGP-Keys: look at http://www.hofmar.de
---------------------------------------------------------------------
Only written with 100% recyclable electrons!

From mhw at WITTSEND.COM Sun Jan 23 23:16:42 2000
From: mhw at WITTSEND.COM (Michael H. Warfield)
Date: Sun, 23 Jan 2000 23:16:42 -0500
Subject: Linux VPN
In-Reply-To: <002901bf64a3$97ecf940$0245a8c0@galena>; from Torx@TM.NET.MY on Sat, Jan 22, 2000 at 02:40:30PM +0800
References: <8825686E.0003E151.00@gwwest.sybase.com> <002901bf64a3$97ecf940$0245a8c0@galena>
Message-ID: <20000123231642.B2165@alcove.wittsend.com>

On Sat, Jan 22, 2000 at 02:40:30PM +0800, Saravana Ram wrote:
> From: "Ryan Russell"
> > There is no import restriction for the US for crypto. The only issue with
> > OpenBSD you'd have as a US user is the RSA patent. That problem
> > goes away after September 29th. I believe one can get patent-free
> > distros of OpenBSD (which may be what you're referring to.)

> Why does the problem go away after September 29th? In America, patents can
> be renewed, right?

Yes and no... They can not be renewed indefinitely and come September (or some say October) this one is toast.

Mike
--
Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
(The Mad Wizard)       |  (770) 331-2437   |  http://www.wittsend.com/mhw/
NIC whois: MHW9        |  An optimist believes we live in the best of all
PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
From darren.kruse at EDS.COM Sun Jan 23 18:50:17 2000
From: darren.kruse at EDS.COM (Kruse, Darren)
Date: Mon, 24 Jan 2000 10:20:17 +1030
Subject: Shiva LanRover VPN - tunnel access
Message-ID:

Steve, you can't to my knowledge stop people from *trying* to authenticate to a tunnel profile, but you CAN stop them successfully authenticating by the use of VPN groups at the back end authentication server. I'm not sure if this is a Shiva Access Manager 4.5 / 5.0 feature only, or if it is also available on other RADIUS back ends, like Cisco Secure. Can anyone answer this?

VPN Groups are the association or glue that binds LRVG tunnels to Authentication server User templates. Create VPN groups on the SAM that match the names of the LRVG tunnel profile group names on the tunnels tab. It is important that the VPN group names that are set up have EXACTLY the same name (case sensitive) as the LRVG tunnel profiles. Refer to the attached, zipped pictures. I've had to airbrush over the sensitive bits .. sorry.

This will allow you to set up as many tunnel profiles as you like, and only have selected people use the VPN tunnel profiles YOU want. Note the bug with SAM 4.5p1 that is fixed in 4.51p2: deleted VPN groups are not really deleted ... get the 4.51p2 release notes.

Additionally, we are setting up different client IP pools per tunnel profile so that we can limit through router packet filtering the ports (ie HTTP, telnet etc) that users can go to. This is personal preference and may be overkill for you. I'm more comfortable using Cisco ACLs to do the packet filtering than the Shiva's firewall features. It's (IMHO) also good security practice to separate these functions to give us greater defence in depth.

hope this helps,

regards,

Darren Kruse
Advanced Communications Engineer
EDS (Australia)
tel: + 61 8 8301 5322 <<-- !! **Note new phone number** !!
PGP Fingerprint (valid to 31/12/2000)
6CD809275B6777820D61888AF84DEF004AF40E9F
mailto://darren.kruse at eds.com

> -----Original Message-----
> From: Steve J Kuo [mailto:steve_j_kuo at EMAIL.MOBIL.COM]
> Sent: Friday, January 21, 2000 10:14 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: Shiva LanRover VPN - tunnel access
>
>
> Darren,
>
> This is a different question. With a Shiva Access Manager,
> can you limit which
> tunnel a user can access? For example, there are 10 multiuser
> tunnels defined,
> all using the same authentication server. If I have a valid
> id/password to pass
> the authentication, and I know all the tunnel names, can you
> limit me to only
> connect to one tunnel but not the other 9? I know the Shiva VPN
> box does not have
> that user-tunnel association.
>
> Steve Kuo
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vpn groups.zip
Type: application/octet-stream
Size: 18751 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20000124/ed7812f5/attachment.obj

From patton at NETSEC.NET Mon Jan 24 05:18:23 2000
From: patton at NETSEC.NET (matthew patton)
Date: Mon, 24 Jan 2000 05:18:23 -0500
Subject: Linux VPN
In-Reply-To: <8825686E.0003E151.00@gwwest.sybase.com>
Message-ID:

On Fri, 21 Jan 2000, Ryan Russell wrote:

> There is no import restriction for the US for crypto. The only issue with
> OpenBSD you'd have as a US user is the RSA patent.

very definitely.

> That problem
> goes away after September 29th.

Maybe. That is if the Senators haven't been convinced otherwise by large injections of cash into their re-election campaign funds.

> I believe one can get patent-free
> distros of OpenBSD (which may be what you're referring to.)

Nope, you can't. What is available for USA people is libcrypt/libssl based on RSAREF. This is legal within the US for ONLY NON-COMMERCIAL use. So if you're a company, you can't use it. Therefore, we're in a bind.
Technically, nobody (in the US) unless they are private citizens can use OpenBSD's crypto. So what about the hundreds of corporate users who use it (ssh, VPN, SSL) within the United States? They are in violation of the patent and could arguably find themselves in legal trouble with RSA Labs.

The problem is, most people don't know about the restrictions, or they are hoping that RSA doesn't come after them. The cost for an RSA license starts at 50,000 US. If that were to be CD-ROMs, that's 1000 CDs at $50 a pop. Which is IMO a reasonable sum and fits within their minimal pricing structure. Only then could commercial entities be properly licensed.

I think it would make sense for a company like ourselves to be the distribution point (if you will) of the reworked libcrypt/libssl libraries and to sell a US Corporate distribution of OpenBSD for that very purpose.

The problem is trying to justify the high initial cash outlay.

What do you guys think?

--
Network Security Technologies Inc. - Commercial support for OpenBSD
www.netsec.net (703) 561-0420 matthew.patton at netsec.net
"Government is not reason; it is not eloquence; it is force! Like fire, it is a dangerous servant and a fearful master." - George Washington

From cbrenton at SOVER.NET Mon Jan 24 10:09:49 2000
From: cbrenton at SOVER.NET (Chris Brenton)
Date: Mon, 24 Jan 2000 10:09:49 -0500
Subject: Single homed VPN solution?
Message-ID: <388C6B3D.BB37C31E@sover.net>

Greetings all,

Here's what I'm running into. I have a site fed by a T3 that needs VPN connectivity to approximately 30 sites on the Internet (this may climb to 50 or more). The amount of traffic crossing the VPN is minimal, but it is highly sensitive. I'm thinking whatever I go with needs to do IPSec with triple DES.

The "bump" I'm running into is that these "boxes" can not disturb the existing perimeter security (beyond rule modification to get the VPN to flow of course).
I'm looking at a mixed bag of firewall solutions so I'm not going to even try going the interoperability route. I'm looking for a single homed solution that I can drop behind the existing perimeter, make a few routing changes, and get the whole thing flowing. The "box" at the main site needs to be scalable (obviously); there will only be 3-10 hosts per remote site so the "box" there can be minimal.

Any suggestions on what to go with here? I'm finding the number of single homed solutions to be severely limited. Anyone run something similar up to this scale before?

Any and all help appreciated,
Chris
--
**************************************
cbrenton at sover.net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet

From Ryan.Russell at SYBASE.COM Mon Jan 24 13:24:11 2000
From: Ryan.Russell at SYBASE.COM (Ryan Russell)
Date: Mon, 24 Jan 2000 10:24:11 -0800
Subject: Linux VPN
Message-ID: <88256870.00651A0E.00@gwwest.sybase.com>

>> That problem
>> goes away after September 29th.

>Maybe. That is if the Senators haven't been convinced otherwise by large
>injections of cash into their re-election campaign funds.

Here's a relevant article:

http://www.zdnet.com/zdnn/stories/news/0,4586,2425610,00.html?chkpt=zdhpnews01

Do I have the date wrong? The article says the 20th. Anyway, the article certainly doesn't make it sound like RSA is planning to put up a fight over the patent thing.

I agree, though. The government has repeatedly shown its ability to do really stupid things. Clinton could declare a state of emergency to prevent evil Hax0rs from using the patented algorithm or something.

>Nope, you can't. What is available for USA people is libcrypt/libssl based
>on RSAREF. This is legal within the US for ONLY NON-COMMERCIAL use. So if
>you're a company, you can't use it.
>Therefore, we're in a
>bind. Technically, nobody (in the US) unless they are private citizens can
>use
>OpenBSD's crypto. So what about the hundreds of corporate users who use
>it (ssh, VPN, SSL) within the United States? They are in
>violation of the patent and could arguably find themselves in legal trouble
>with RSA Labs.

What I meant by "patent-free" was that you could get a copy of OpenBSD without the appropriate crypto at all, not that one could get a version with different algorithms... seems to me that one had to download the libs separately. Maybe that was pre-2.6? You'd know better than I.

>I think it would make sense for a company like ourselves to be the
>distribution point (if you will) of the reworked libcrypt/libssl libraries
>and to sell a US Corporate distribution of OpenBSD for that very purpose.

I think that's a very reasonable business model, but the timing is really unfortunate. Sure, I'd probably buy a couple if they were available right now, but I'd be waiting until September to see what happens before I do any kind of mass deployment. (I'm thinking more of OpenSSH rather than OpenBSD for "mass deployment", but same idea.)

Ryan

From rodney at TILLERMAN.TO Mon Jan 24 09:33:58 2000
From: rodney at TILLERMAN.TO (Rodney Thayer)
Date: Mon, 24 Jan 2000 06:33:58 -0800
Subject: VPN-1 FWZ
In-Reply-To:
Message-ID: <3.0.6.32.20000124063358.039c4750@216.240.42.209>

[If there's a Checkpoint person in the room I'm sure they'll overtake this comment ;-) ]

FWZ is a proprietary algorithm/scheme. As such, its use is severely frowned upon by the crypto/security plumbing community. It's not published, which means there's no peer review.

In all fairness, you CAN use real algorithms, such as 3DES, with that product, but you should think carefully before using anybody's proprietary undocumented unaudited unanalyzed crypto. It's hard enough finding safe choices among the validated ones.
At 12:11 PM 1/22/00 +0100, Markus Hofmann wrote:
>Hello!
>
>Does anyone have detailed protocol descriptions of the Checkpoint VPN-1 FWZ
>Authentication Protocol and Encryption Algorithm?
>OK, I already read that they use DH, 512-bit RSA keys, CAST, DES, 3DES
>and so on, but no detailed protocol description of how all the stuff is
>fitted together in FWZ (i.e. how authentication like SecurID or S/Key
>is integrated in this protocol).
>
>yours sincerely
>
>M. Hofmann
>
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>Markus Hofmann            Phone: +49 170 2848250
>St. Urbanusstr. 15        Fax: +49 9371 2032
>                          E-Mail: hofmann at hofmar.de
>63927 Buergstadt          SMS-Mail: sms at hofmar.de (Only Subject)
>Germany                   PGP-Keys: look at http://www.hofmar.de
>---------------------------------------------------------------------
> Only written with 100% recyclable electrons!
>

From eoberson at TERCOM.CH Mon Jan 24 04:52:04 2000
From: eoberson at TERCOM.CH (Eric Oberson)
Date: Mon, 24 Jan 2000 10:52:04 +0100
Subject: IKE Authentication
Message-ID: <174767FC6455D311B2CC00500443895909457E@TERCOM1>

Hello

Yes, you can use the TimeStep VPN Gateway and PC software. The IPSec client software from TimeStep is one of the most advanced available today. We use it with a lot of customers. The IPSec Client of TimeStep supports SecurID authentication through its RADIUS feature. It follows the IETF draft for Extended Authentication within ISAKMP/Oakley "draft-ietf-ipsec-isakmp-xauth-03". SecurID does not replace the shared secret. The shared secret is fully automated during phase one. The user sees only the SecurID login.

On the central side you need to have one VPN-Gateway PERMIT/Gate from TimeStep with its virtual tunnel feature to use SecurID as the Authentication mechanism. This is our preferred modus for Remote Access VPN applications.

Best regards

Eric Oberson
System Engineering
TERCOM SA, Route André
Piller 33a, CH-1762 Givisiez, Web www.tercom.ch

-----Original Message-----
From: Markus Hofmann [mailto:markus at HOFMAR.DE]
Sent: Monday, 24 January 2000 09:26
To: VPN at SECURITYFOCUS.COM
Subject: IKE Authentication

Hello!

Does anyone know if a product supports SecurID for IKE as preshared secret? I know Checkpoint FW-1/VPN-1 supports SecurID, but only for FWZ, not for IKE.
Or another question: Does anyone know some smartcards for X.509 Certificates, protected by a PIN, that work with SecuRemote from Checkpoint?

yours sincerely

M. Hofmann

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Markus Hofmann            Phone: +49 170 2848250
St. Urbanusstr. 15        Fax: +49 9371 2032
                          E-Mail: hofmann at hofmar.de
63927 Buergstadt          SMS-Mail: sms at hofmar.de (Only Subject)
Germany                   PGP-Keys: look at http://www.hofmar.de
---------------------------------------------------------------------
Only written with 100% recyclable electrons!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20000124/9e354b6b/attachment.htm

From steve_j_kuo at EMAIL.MOBIL.COM Mon Jan 24 11:50:24 2000
From: steve_j_kuo at EMAIL.MOBIL.COM (Steve J Kuo)
Date: Mon, 24 Jan 2000 10:50:24 -0600
Subject: Shiva LanRover VPN - tunnel access
Message-ID: <86256870.005CECE4.00@xdallng1.dal.mobil.com>

Darren,

Thanks for this very helpful information. We are using a firewall behind the VPN box to control user access using assigned tunnel IP addresses as you said. (Like you, I am more for a separate box instead of using the VPN firewall feature.) However, this access control based on tunnel addresses does not mean anything if we can not control who can connect to what tunnels. We realized that with just the Shiva VPN box it does not provide such a tie. It is good to know Shiva Access Manager is able to fill that hole.
I am also very interested to know if other RADIUS servers, such as NT, can do the same or not.

Steve Kuo

---------------------- Forwarded by Steve J Kuo/Dallas/Mobil-Notes on 01/24/2000 10:35 AM ---------------------------

"Kruse, Darren" on 01/23/2000 05:50:17 PM
Please respond to "Kruse, Darren"

From lhebert at NETESYS.COM Mon Jan 24 11:01:06 2000
From: lhebert at NETESYS.COM (Laurent Hebert)
Date: Mon, 24 Jan 2000 11:01:06 -0500
Subject: IKE Authentication
Message-ID: <01BF665A.51E33DC0.lhebert@netesys.com>

I believe that most VPN vendors use RADIUS to interface with SecurID. Very few of them have a direct SecurID interface...

Laurent

-----Original Message-----
From: Markus Hofmann [SMTP:markus at HOFMAR.DE]
Sent: Monday, January 24, 2000 3:26 AM
To: VPN at SECURITYFOCUS.COM
Subject: IKE Authentication

Hello!

Does anyone know if a product supports SecurID for IKE as preshared secret? I know Checkpoint FW-1/VPN-1 supports SecurID, but only for FWZ, not for IKE.
Or another question: Does anyone know some smartcards for X.509 Certificates, protected by a PIN, that work with SecuRemote from Checkpoint?

yours sincerely

M. Hofmann

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Markus Hofmann            Phone: +49 170 2848250
St. Urbanusstr. 15        Fax: +49 9371 2032
                          E-Mail: hofmann at hofmar.de
63927 Buergstadt          SMS-Mail: sms at hofmar.de (Only Subject)
Germany                   PGP-Keys: look at http://www.hofmar.de
---------------------------------------------------------------------
Only written with 100% recyclable electrons!

From nasraoui at CHICKMAIL.COM Mon Jan 24 07:40:01 2000
From: nasraoui at CHICKMAIL.COM (fethi nasraoui)
Date: Mon, 24 Jan 2000 04:40:01 -0800
Subject: VPN problems
Message-ID:

Hi,

I know all the contributions of the VPN but I want to know the problems which decrease the deployment of the VPN. Please help me and thank you in advance.

Best Regards.
From rodney at TILLERMAN.TO Mon Jan 24 09:37:45 2000
From: rodney at TILLERMAN.TO (Rodney Thayer)
Date: Mon, 24 Jan 2000 06:37:45 -0800
Subject: IKE Authentication
In-Reply-To:
Message-ID: <3.0.6.32.20000124063745.039c7d90@216.240.42.209>

There are multiple implementations out there using SecurID together with IKE and pre-shared secrets. I would check Tina's VPN vendor list. Off the top of my head, I'd look at Timestep, Alcatel/Internet Devices, Altiga, Nortel/Bay Networks/New Oak for starters.

I have not heard of people using SecuRemote with other products besides Checkpoint. To be fair here, most vendors' client-side implementations are intended for use with their own products. Client implementations that work with other vendors are relatively rare. I happen to like the IRE client (no, they don't pay me, I grumble about them just like I grumble about the others...) but there are several.

Again, I'd welcome a Checkpoint person's clarification to this -- they of course would have fresh correct information.

At 09:25 AM 1/24/00 +0100, Markus Hofmann wrote:
>Hello!
>
>Does anyone know if a product supports SecurID for IKE as
>preshared secret? I know Checkpoint FW-1/VPN-1 supports SecurID, but only
>for FWZ, not for IKE.
>Or another question: Does anyone know some smartcards for X.509
>Certificates, protected by a PIN, that work with SecuRemote from
>Checkpoint?
>
>yours sincerely
>
>M. Hofmann
>
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>Markus Hofmann            Phone: +49 170 2848250
>St. Urbanusstr.
>15                        Fax: +49 9371 2032
>                          E-Mail: hofmann at hofmar.de
>63927 Buergstadt          SMS-Mail: sms at hofmar.de (Only Subject)
>Germany                   PGP-Keys: look at http://www.hofmar.de
>---------------------------------------------------------------------
> Only written with 100% recyclable electrons!
>

From bet at RAHUL.NET Mon Jan 24 13:34:07 2000
From: bet at RAHUL.NET (Bennett Todd)
Date: Mon, 24 Jan 2000 13:34:07 -0500
Subject: Linux VPN
In-Reply-To: ; from patton@NETSEC.NET on Mon, Jan 24, 2000 at 05:18:23AM -0500
References: <8825686E.0003E151.00@gwwest.sybase.com>
Message-ID: <20000124133407.C7227@rahul.net>

2000-01-24-05:18:23 matthew patton:
> > That problem goes away after September 29th.
>
> Maybe. That is if the Senators haven't been convinced otherwise by
> large injections of cash into their re-election campaign funds.

If the law gets rewritten to allow this monopoly to stretch longer, that'll just jack up the incentive to finish the job of rewriting all crypto-using apps to avoid RSA. SSL already has support for D-H in the protocol. I don't know if all implementations support it yet, but if RSA gets outlawed for any longer I'm sure they will. Likewise, if this monopoly gets stretched any more I'm sure we'll hack ssh to do D-H.

> Nope, you can't. What is available for USA people is
> libcrypt/libssl based on RSAREF. This is legal within the US for
> ONLY NON-COMMERCIAL use. So if you're a company, you can't use
> it. Therefore, we're in a bind. Technically, nobody (in the US)
> unless they are private citizens can use OpenBSD's crypto.

That's only if you use the RSA. So avoid RSA until Sep. 29th, and if the law gets changed help purge RSA out of all the tools you need.

> The problem is, most people don't know about the restrictions, or
> they are hoping that RSA doesn't come after them. The cost for
> an RSA license starts at 50,000 US. If that were to be CD-ROMs,
> that's 1000 CDs at $50 a pop.
> Which is IMO a reasonable sum
> and fits within their minimal pricing structure. Only then could
> commercial entities be properly licensed.
>
> I think it would make sense for a company like ourselves to be the
> distribution point (if you will) of the reworked libcrypt/libssl
> libraries and to sell a US Corporate distribution of OpenBSD for
> that very purpose.
>
> The problem is trying to justify the high initial cash outlay.
>
> What do you guys think?

I think if you can come up with a model that recovers the high initial cost in the next nine months, go for it.

-Bennett

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20000124/b3e22ad8/attachment.pgp

From john.d.fulmer at MAIL.SPRINT.COM Mon Jan 24 14:30:36 2000
From: john.d.fulmer at MAIL.SPRINT.COM (John Fulmer)
Date: Mon, 24 Jan 2000 13:30:36 -0600
Subject: VPN-1 FWZ
References: <3.0.6.32.20000124063358.039c4750@216.240.42.209>
Message-ID: <388CA85C.1E9673B8@mail.sprint.com>

rodney at TILLERMAN.TO wrote:
> FWZ is a proprietary algorithm/scheme. As such, its use is
> severely frowned upon by the crypto/security plumbing community.
> It's not published, which means there's no peer review.
>

Also, it has always been exportable (aka 'approved' by the NSA) from the US with no restrictions, which should give you some idea as to its relative crypto strength...

From matthewr at MORETON.COM.AU Fri Jan 21 13:01:14 2000
From: matthewr at MORETON.COM.AU (Matthew Ramsay)
Date: Sat, 22 Jan 2000 04:01:14 +1000
Subject: Linux VPN
References:
Message-ID: <003c01bf6439$82d3df20$4d00a8c0@qld.bigpond.net.au>

PoPToP is the PPTP server for Linux (VPN) that is compatible with Windows clients (ie. no 3rd party software required on the client end).
You can set up PoPToP with MSCHAPv2 authentication (a significant improvement on the flawed MSCHAP method), plus 40->128 bit RC4 compatible encryption. All this is available now (GPL).

http://www.moretonbay.com/vpn/pptp.html

Cheers,
Matt.

----- Original Message -----
From: Todd Wilburn
To: VPN at SECURITYFOCUS.COM
Sent: Friday, January 21, 2000 4:20 PM
Subject: Linux VPN

We are thinking of using Linux for our server/firewalls and we need to do VPN. What programs are available for a Linux VPN box? I can use secret pass codes or certs.

Thanks,
Todd Wilburn

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20000122/d84a767b/attachment.htm

From Torx at TM.NET.MY Sat Jan 22 01:40:30 2000
From: Torx at TM.NET.MY (Saravana Ram)
Date: Sat, 22 Jan 2000 14:40:30 +0800
Subject: Linux VPN
References: <8825686E.0003E151.00@gwwest.sybase.com>
Message-ID: <002901bf64a3$97ecf940$0245a8c0@galena>

From: "Ryan Russell"
> There is no import restriction for the US for crypto. The only issue with
> OpenBSD you'd have as a US user is the RSA patent. That problem
> goes away after September 29th. I believe one can get patent-free
> distros of OpenBSD (which may be what you're referring to.)

Why does the problem go away after September 29th? In America, patents can be renewed, right?

From dgillett at NIKU.COM Mon Jan 24 12:59:23 2000
From: dgillett at NIKU.COM (David Gillett)
Date: Mon, 24 Jan 2000 09:59:23 -0800
Subject: W2K and IPSec
In-Reply-To: <20000121141437.A18541@ether.net>
Message-ID: <00a401bf6694$bfc401f0$f30410ac@niku.com>

Is there a (brief?) document that explains how to configure W2K's client to talk to an Altiga concentrator? We have an Altiga, and a report from a user that the Altiga client doesn't install under W2K....

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Pete Davis
Sent: January 21, 2000 11:15
To: VPN at SECURITYFOCUS.COM
Subject: Re: W2K and IPSec

Michael,

You are absolutely right, you need either PPTP or L2TP over IPSec. I do not believe the Raptor supports this yet, but you will need to give them a call and ask. We (Altiga) have tested W2K's IPSec client with our Concentrator and all works fine.

Regards,
-Pete

On Fri, Jan 21, 2000 at 07:30:38AM -0800, Michael Oh wrote:
> I've recently been playing around with the VPN in W2K. Trying to get
> this working with a Raptor firewall using IPSec.
>
> Can't seem to get this running even though it looks like all the
> configuration settings are correct (and available) in W2K.
>
> Does anyone know if W2k's IPSec works according to spec? Or do I need
> to do something different like IPSec over L2TP?
>
> Anyone ever gotten W2k's IPSec working with another 3rd party product?
>
> TIA
> Michael Oh
>
> =====
>
> Michael Oh
>
> __________________________________________________
> Do You Yahoo!?
> Talk to your friends online with Yahoo! Messenger.
> http://im.yahoo.com
>

---
Pete Davis - Product Manager (508) 541-7300 x154
Altiga Networks - 124 Grove Street Suite 205 Franklin, MA 02038

From pete at ETHER.NET Fri Jan 21 21:42:44 2000
From: pete at ETHER.NET (Pete Davis)
Date: Fri, 21 Jan 2000 21:42:44 -0500
Subject: Cisco 800 VPN
In-Reply-To: <218BFCE943B0D31180FB00A0C9E9337113FB@TXTAS1>
References: <218BFCE943B0D31180FB00A0C9E9337113FB@TXTAS1>
Message-ID: <20000121214244.A19319@ether.net>

As long as you're using a single IP address externally and dynamic ports for the source of outgoing traffic, you could potentially run into problems either with the client itself or the fact that most implementations of NAT do not yet support ESP.
Even with the ones that do, many do not handle multiple clients to a single destination (VPN Server) simultaneously. I would suggest asking your VPN vendor if they have a workaround for this situation. You will find that some vendors have a solution for a TCP/UDP only NAT environment; maybe they do?

Regards,
-pete

On Fri, Jan 21, 2000 at 10:21:20AM +1100, Stephen Morison wrote:
> The guy that initially set-up the routers in the offices I baby sit did a
> terrible job. I am about to re-configure them all and they will be using NAT
> and static port to internal (private ip) addresses.
>
> Does this help?

---
Pete Davis - Product Manager (508) 541-7300 x154
Altiga Networks - 124 Grove Street Suite 205 Franklin, MA 02038

From markus at HOFMAR.DE Mon Jan 24 03:25:45 2000
From: markus at HOFMAR.DE (Markus Hofmann)
Date: Mon, 24 Jan 2000 09:25:45 +0100
Subject: IKE Authentication
Message-ID:

Hello!

Does anyone know if a product supports SecurID for IKE as preshared secret? I know Checkpoint FW-1/VPN-1 supports SecurID, but only for FWZ, not for IKE.
Or another question: Does anyone know some smartcards for X.509 Certificates, protected by a PIN, that work with SecuRemote from Checkpoint?

yours sincerely

M. Hofmann

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Markus Hofmann            Phone: +49 170 2848250
St. Urbanusstr. 15        Fax: +49 9371 2032
                          E-Mail: hofmann at hofmar.de
63927 Buergstadt          SMS-Mail: sms at hofmar.de (Only Subject)
Germany                   PGP-Keys: look at http://www.hofmar.de
---------------------------------------------------------------------
Only written with 100% recyclable electrons!

From pbryan at ACRUX.NET Mon Jan 24 13:38:49 2000
From: pbryan at ACRUX.NET (Pat Bryan)
Date: Mon, 24 Jan 2000 12:38:49 -0600
Subject: NT PPTP over multiple aliased IP's
Message-ID:

Hello,

Has anyone ever gotten a MS RRAS/PPTP server to answer on an aliased IP? E.G.
NIC -> 10.0.0.1
       10.0.0.2 (alias)
       10.0.0.3 (alias)

Connection to 10.0.0.1 works fine, but when trying to connect to .2 or .3, I receive a 629 error message. I'm not sure this is possible without adding additional physical NICs.

Any input is appreciated..

Pat

From arsen at GNAC.COM Mon Jan 24 16:16:27 2000
From: arsen at GNAC.COM (Thomas J. Arseneault)
Date: Mon, 24 Jan 2000 13:16:27 -0800
Subject: I think I'm screwed...
Message-ID: <000201bf66b0$46e3e180$9301a8c0@pretty-tom-1.gnac.com>

But I figured I'll ask the lists. I have a client who needs a VPN between his remote site and his main site. Both sites use Gauntlet firewalls and I have been able to get a VPN going between two Gauntlet sites before. The problem is this: The remote site firewall sits behind a firewall for the whole building. I don't know the make/model of the building firewall. This building firewall NATs so that I don't see the correct address coming from the client's firewall (I see the building's firewall). Does anyone have a possible config that could work in this setup?

Main Site___________Main Site_____Internet_____Building______Client________Client
  Host               Firewall                  Firewall      Firewall        Host

Thanks,

**********************************************
Tom Arseneault
System Admin.
Gnac Inc.
arsen at gnac.com
**********************************************

From Munix-1 at PACBELL.NET Mon Jan 24 19:06:26 2000
From: Munix-1 at PACBELL.NET (Jose Muniz)
Date: 24 Jan 2000 16:06:26 -0800
Subject: I think I'm screwed...
References: <000201bf66b0$46e3e180$9301a8c0@pretty-tom-1.gnac.com>
Message-ID: <32DCD302.88647784@Pacbell.net>

Hello Thomas,

Well, it seems that there is a 'Device' doing NAT in between the hosts that need to talk IPSec with each other; Gauntlet VPN is IPSec based.. OK, going back to the issue, there can't be NAT in between two devices that communicate via the IPSec protocol, it just won't work.
If this is not the case ("NO NAT IN BETWEEN") then you just solve your problems by creating a filter on the "Unknown Firewall" to allow IKE [Internet Key Exchange], which uses UDP port 500, and I imagine that you want to use ESP in tunnel mode, so you will also need to open protocol 50 on the same unknown device, and make sure that you can route traffic from right to left, and left to right :]

Jose Muniz.

"Thomas J. Arseneault" wrote:
>
> But I figured I'll ask the lists. I have a client who needs a VPN between
> his remote site and his main site. Both sites use Gauntlet firewalls and I
> have been able to get a VPN going between two Gauntlet sites before. The
> problem is this: The remote site firewall sits behind a firewall for the
> whole building. I don't know the make/model of the building firewall. This
> building firewall NATs so that I don't see the correct address coming from
> the client's firewall (I see the building's firewall). Does anyone have a
> possible config that could work in this setup?
>
> Main Site___________Main Site_____Internet_____Building______Client________Client
>   Host               Firewall                  Firewall      Firewall        Host
>
> Thanks,
>
> **********************************************
> Tom Arseneault
> System Admin.
> Gnac Inc.
> arsen at gnac.com
> **********************************************
>

From jchri09 at IBM.NET Mon Jan 24 23:10:35 2000
From: jchri09 at IBM.NET (John Christensen)
Date: Mon, 24 Jan 2000 20:10:35 -0800
Subject: PPTP
Message-ID: <002601bf66ea$219ed120$8b01a8c0@R4R3J2>

Has anyone set up PPTP on an NT server and enabled users to specify their own IP and have it work? There is an option on the Remote Access Setup to configure the network on TCP/IP to allow remote clients to request a predetermined IP address. What can they really put there to make this work?

Thanks
John

-------------- next part --------------
An HTML attachment was scrubbed...
From david.bovee at WATCHGUARD.COM Mon Jan 24 21:37:47 2000
From: david.bovee at WATCHGUARD.COM (David Bovee)
Date: Mon, 24 Jan 2000 18:37:47 -0800
Subject: Single homed VPN solution?
Message-ID: <74A68BE138CED311AD5400105A250021092ABC@mail42.inside.sealabs.com>

The Compatible Systems Intraport2 does operate in a single-homed mode... It is strictly a VPN device, but it sounds as though your firewalling needs are covered.

-D

> -----Original Message-----
> From: Chris Brenton [mailto:cbrenton at sover.net]
> Sent: Monday, January 24, 2000 7:10 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: Single homed VPN solution?
>
> Greetings all,
>
> Here's what I'm running into. I have a site fed by a T3 that needs VPN connectivity to approximately 30 sites on the Internet (this may climb to 50 or more). The amount of traffic crossing the VPN is minimal, but it is highly sensitive. I'm thinking whatever I go with needs to do IPSec with triple DES.
>
> The "bump" I'm running into is that these "boxes" can not disturb the existing perimeter security (beyond rule modification to get the VPN to flow, of course). I'm looking at a mixed bag of firewall solutions, so I'm not going to even try going the interoperability route. I'm looking for a single homed solution that I can drop behind the existing perimeter, make a few routing changes, and get the whole thing flowing. The "box" at the main site needs to be scalable (obviously); there will only be 3-10 hosts per remote site, so the "box" there can be minimal.
>
> Any suggestions on what to go with here? I'm finding the number of single homed solutions to be severely limited. Anyone run something similar up to this scale before?
>
> Any and all help appreciated,
> Chris
> --
> **************************************
> cbrenton at sover.net
>
> * Multiprotocol Network Design & Troubleshooting
> http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
> * Mastering Network Security
> http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet

From Kevin_Butters at NAI.COM Tue Jan 25 09:17:59 2000
From: Kevin_Butters at NAI.COM (Butters, Kevin)
Date: Tue, 25 Jan 2000 06:17:59 -0800
Subject: PPTP
Message-ID: <150C5D516A43D211A5EF00A0C99D758F03062C5F@ca-exchange3.nai.com>

Yes. The PPTP server requires the installation of RAS. In RAS you have the ability to make configurations pertaining to the distribution of client IP addresses: DHCP server or a static IP pool.

-----Original Message-----
From: John Christensen [mailto:jchri09 at IBM.NET]
Sent: Monday, January 24, 2000 8:11 PM
To: VPN at SECURITYFOCUS.COM
Subject: PPTP

Has anyone set up PPTP on an NT server and enabled users to specify their own IP and have it work? There is an option on the Remote Access Setup to configure the network on TCP/IP to allow remote clients to request a predetermined IP address. What can they really put there to make this work?

Thanks
John

From JJones at NWNETS.COM Tue Jan 25 09:00:15 2000
From: JJones at NWNETS.COM (Jeremy Jones)
Date: Tue, 25 Jan 2000 07:00:15 -0700
Subject: PPTP
Message-ID: <4128C0428F94D3118F1E00902773CED201B40B@NNSBOIS1>

John,

If you specify the pool from which IP addresses are doled out to remote clients by the RAS server when a call (or PPTP connection) is established, and you have selected that clients can specify their own IP address, they must use an IP address that falls within the range you've specified. Of course, it must be one that's not in use by another client, and the clients may need to specify WINS and DNS servers (if used) as well.
To answer your question, it does work--i.e. clients can use IP addresses they request, as long as they fall within the range you specify and they're not already in use--although I've run into a bit of routing weirdness when more than one PPTP connection is established to the same PPTP server.

Jeremy Jones, MA, MCSE, CCNA
Systems Analyst
Northwest Network Services
(208) 343-5260 x106
http://www.nwnets.com
mailto:jjones at nwnets.com

-----Original Message-----
From: John Christensen [mailto:jchri09 at IBM.NET]
Sent: Monday, January 24, 2000 9:11 PM
To: VPN at SECURITYFOCUS.COM
Subject: PPTP

Has anyone set up PPTP on an NT server and enabled users to specify their own IP and have it work? There is an option on the Remote Access Setup to configure the network on TCP/IP to allow remote clients to request a predetermined IP address. What can they really put there to make this work?

Thanks
John

From Francoise.Beckers at GLOBALONE.NET Tue Jan 25 10:27:23 2000
From: Francoise.Beckers at GLOBALONE.NET (Francoise Beckers)
Date: Tue, 25 Jan 2000 16:27:23 +0100
Subject: MPLS &Co
Message-ID: <388DC0DB.8A08B073@GlobalOne.net>

Hi,

I've been working at Global One in Belgium for 3 months now and I'm trying to learn about IVPN, but this isn't easy since I wasn't really familiar with such technologies until now. This doesn't concern installation or programming issues, but what I'm interested in is:

* How does TAG switching, MPLS and everything related to this work?
* Why would an enterprise choose to send his data over a VPN instead of e.g. FR? What are the pros and cons of IVPN in comparison with other technologies?

All kinds of info would be highly appreciated. Thanks in advance!

Kind regards,
Françoise
From dgillett at NIKU.COM Tue Jan 25 14:28:34 2000
From: dgillett at NIKU.COM (David Gillett)
Date: Tue, 25 Jan 2000 11:28:34 -0800
Subject: MPLS &Co
In-Reply-To: <388DC0DB.8A08B073@GlobalOne.net>
Message-ID: <00eb01bf676a$5fc789d0$f30410ac@niku.com>

It happens that I can suggest some answers to the second question, based on my own situation.

Historically, we've had LANs at several locations (because of business activity such as mergers, this continues to happen...), each with their own connection to the Internet. VPN technology provides a simple/inexpensive way to begin securely linking these isolated LANs together into a virtual company private network, WITHOUT venturing into new (for us!) telecomm territory.

If our only telecomm needs were email and Internet access, we'd be done at that point. Of course, they're not. A few internal applications don't tolerate network latencies very well -- and neither does voice traffic. It is the need for low-latency connections between our offices that is driving us toward Frame Relay.

But note: some recent advisories have suggested that encryption of FR data traffic might be a wise precaution. So the current thinking is that while FR will enhance the *transport* of data traffic between our sites (in addition to carrying voice traffic), we will continue to use VPN implementations to encrypt that data traffic.

So VPN and FR wind up being complementary rather than competitive; the choice of Internet versus FR transport is pretty much orthogonal to the choice of data encryption or not.

Our network is growing and changing, and many of our users are not in one of our offices.
We will need to continue to support Internet VPN access for these users even as offices are brought onto Frame Relay....

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Francoise Beckers
Sent: January 25, 2000 07:27
To: VPN at SECURITYFOCUS.COM
Subject: MPLS &Co

Hi,

I've been working at Global One in Belgium for 3 months now and I'm trying to learn about IVPN, but this isn't easy since I wasn't really familiar with such technologies until now. This doesn't concern installation or programming issues, but what I'm interested in is:

- How does TAG switching, MPLS and everything related to this work?
- Why would an enterprise choose to send his data over a VPN instead of e.g. FR? What are the pros and cons of IVPN in comparison with other technologies?

All kinds of info would be highly appreciated. Thanks in advance!

Kind regards,
Françoise

From tbird at PRECISION-GUESSWORK.COM Tue Jan 25 14:32:46 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Tue, 25 Jan 2000 13:32:46 -0600
Subject: IPsec Evaluation (fwd)

Niels Ferguson and Bruce Schneier have released "A Cryptographic Evaluation of IPsec" at

http://www.counterpane.com/ipsec.html

Although the authors' main point is that IPsec's extreme complexity makes it effectively impossible to implement securely, they do admit that it's better than any of the alternatives (no security, PPTP or L2TP).

The review is divided into two main sections. The first one evaluates IPsec's handling of bulk data transmission. It recommends dropping AH and ESP transport mode from the protocol, claiming that the security these options provide is far outweighed by the complexity they add into VPN systems. This confirmed something I'd been noticing for what seems like years -- that the vast majority of VPNs implemented in corporate environments used ESP tunnel mode.
The majority of corporate users want to authenticate data and header information, as well as to protect the confidentiality of their data. Ferguson and Schneier recommend modifying ESP to always perform authentication -- removing another option from gateway configurations -- and dropping DES-CBC as a supported encryption mechanism, since DES keys are so easy to brute force.

The authors admit that they haven't looked at specific IPsec implementations. If they had taken a look at specific commercial offerings, or spoken to some of the VPN users out there, they would have noticed that many of their recommendations have happened "by default" over the last couple of years -- most products default to the recommended configuration, or some variant, and it's probably safe to assume that most companies implement a configuration that is close to the default parameters.

The discussion of ISAKMP was a bit less detailed, especially in terms of changes a VPN administrator could make within their current deployment -- but continues to stress the point that the number of options supported within each stage of key negotiation is not practical or necessary, and greatly increases the chances of vendors, administrators (or both) getting it wrong.

The last paragraph is a classic example of double negatives: 'We strongly discourage the use of IPsec in its current form for protection of any kind of valuable information... However, we even more strongly discourage any current alternatives, and recommend IPsec when the alternative is an insecure network.'

cheers -- Tina

"Doubt is an uncomfortable situation, but certainty is an absurd one."
-- Voltaire

From rdonkin at ORCHESTREAM.COM Tue Jan 25 14:56:09 2000
From: rdonkin at ORCHESTREAM.COM (Donkin, Richard)
Date: Tue, 25 Jan 2000 19:56:09 -0000
Subject: MPLS & Co
Message-ID: <51B3ABF9C1B9D1118EDF0060086D18EE6E2DDF@dennis.orchestream.com>

> -----Original Message-----
> From: Francoise Beckers [mailto:Francoise.Beckers at GLOBALONE.NET]
> I've been working at Global One in Belgium for 3 months now and I'm trying to learn about IVPN, but this isn't easy since I wasn't really familiar with such technologies until now. This doesn't concern installation or programming issues, but what I'm interested in is:

I'll try to answer some of your questions, but this is quite a big area!

> How does TAG switching, MPLS and everything related to this work?

Tag switching is Cisco's predecessor to MPLS. The latter works very much in the same way as ATM forwarding at the lowest level - where ATM would swap VPI+VCI to a new VPI+VCI as part of switching a cell, MPLS swaps a 'label' attached to the packet as part of switching that packet. MPLS switches can be implemented using ATM switches (here, the label is in fact VPI+VCI), or using IP routing (here, the label is carried in a separate 'shim' between the layer 2 and layer 3 headers).

One advantage of MPLS for VPNs is that, once the packet is labelled by an MPLS edge router, the IP headers don't need to be inspected again until it pops out at the egress of the MPLS network: this means that the IP headers can carry enterprise private IP addresses without any problems, as long as the edge routers have the correct routing tables (used for labelling packets). MPLS VPNs provide privacy by carefully-managed setup of the edge routing tables - while the configuration for this is complex, this is quite scalable once configured, since it goes as fast as the edge router can forward packets, and the core MPLS switches know nothing about VPNs, but simply switch packets.
MPLS VPNs can be highly scalable (since they are not circuit based per se), provide good performance (linking very large sites without running into IPSec hardware accelerator limits - current accelerators that I'm aware of go to approx 155 Mbps, though I'd be interested to hear of others!), support traffic engineering (though standards for this are evolving), and reduce enterprise admin costs (since provider managed). However, they aren't encryption based, so their security should be considered roughly the same as a Frame Relay or ATM-based VPN service.

> Why would an enterprise choose to send his data over a VPN instead of e.g. FR? What are the pros and cons of IVPN in comparison with other technologies?

It's worth distinguishing multi-domain IP VPNs from single-domain IP VPNs, although nobody agrees on terminology. The former run across the Internet and usually involve many ISPs between VPN nodes - hence it is difficult to guarantee performance, but the use of the Internet can make it very easy to support users connecting from any Internet location. Single-domain IP VPNs are more like Frame/ATM VPNs, in that they (may) run across a single managed network that happens to run IP - the result is that they can give performance as good as Frame Relay (with careful network design, provisioning, policing, QoS setup, traffic engineering, etc.).

It so happens that both types of IP VPN can use identical technology (e.g. IPSec), but single-domain IP VPNs can also use MPLS, Frame or ATM. Dialup VPNs can be single-domain or multi-domain as well - single-domain dial VPNs are able to use more flexible terminology, e.g. L2TP, which simplifies management of the VPN clients by keeping the VPN setup within the provider domain. Multi-domain dial VPNs tend to use IPSec since this can be configured on the VPN client, enabling it to use any Internet connection.
I'm not so familiar with Frame and ATM VPNs, but if the majority of traffic on a VPN is IP, switching to a pure IP VPN (MPLS, IPSec, etc, over an IP network) should make it easier to manage the network (though MPLS standards are still less mature than FR and ATM).

To summarise without being too controversial (I hope...):

- MPLS is good for scalable, high performance, provider-managed single domain IP VPNs
- L2TP is good for provider-managed dial VPNs
- IPSec is good for many types of VPN, including dial VPNs, site-to-site VPNs, and extranet VPNs, but is somewhat complex to manage due to its use of tunnels and encryption keys.

Unfortunately, VPNs are an area that is rife with marketing hype and non-standard terminology, as well as evolving very fast. The promise is that the whole world migrates to a single IP network, with VPNs providing security and performance SLAs as required on top of that converged network. However, it may take a little while to get there!

For more information, have a look at http://www.vpdn.com/, http://kubarb.phsx.ukans.edu/~tbird/vpn.html, and http://www.cisco.com/warp/public/cc/cisco/mkt/servprod/dial/tech/ievpn_rg.htm (while Cisco-oriented, the latter is an excellent overview of the whole field). The Cisco Internet Protocol Journal had a couple of good articles on VPNs in July and Aug 98 I think - it's downloadable from their site.

For information on MPLS VPN provisioning, see http://www.orchestream.com/ for details of our Provider 2.0 product.

Cheers,
Richard
--
rdonkin at orchestream.com               http://www.orchestream.com
Tel: +44 (0)20 7598 7554 (direct)       Orchestream Ltd.
     +44 (0)20 7460 4460 (switchboard)  125 Old Brompton Road
Fax: +44 (0)20 7460 4461                London SW7 3RP, UK
>>>>>>>>>>>>>>>>>>>>>> Bandwidth To Bank On >>>>>>>>>>>>>>>>>>>>>>>>

From chris.goellner at CORP.BELLSOUTH.NET Wed Jan 26 10:55:40 2000
From: chris.goellner at CORP.BELLSOUTH.NET (Chris Goellner)
Date: Wed, 26 Jan 2000 10:55:40 -0500
Subject: IPSec behind Firewall
In-Reply-To: <91C71FCA53C9D31199AA00105A7718C89E27@Exchangicus.SecureOps.com>; from patrick@secureops.com on Wed, Jan 26, 2000 at 10:50:05AM -0500
References: <91C71FCA53C9D31199AA00105A7718C89E27@Exchangicus.SecureOps.com>
Message-ID: <20000126105540.E10036@kenny.bat.bellsouth.net>

I got it to work with the box behind the NAT using a static NAT. Basically, I set everything up using the public address of the NAT. Now if I can only figure out how to put multiple networks on the tunnel I would be cooking with gas.

>From - Patrick Ethier (patrick at secureops.com):
> Hi,
>
> I've not tried NAT with ISAKMP myself yet, but here is why I think it may not work (please somebody correct me if I am wrong or not totally right, so I can add this to the VPN docs).
>
> Firstly, which host is behind the NAT and which one has a normal IP with normal routing? The question for this is that the host behind the NAT box must initiate the Phase 1 security association. Let us call host B not behind the NAT box. It does not need any IP = NAME entries in Phase 1 but it does need a DEFAULT = NAME entry. The same goes for the Phase 2 section.
>
> You cannot use AH also, the reason being that an IPSec packet looks like this
>
> [IP][AH][ESP] (The ESP encapsulates the packet sent to the internal LAN on the host A side). NAT strips off [IP][AH] and replaces it with [IP] of the NAT box. So, don't use NAT with AH.
>
> As for the rest, you may run into fragmentation issues also.
>
> Try the following conf.
>
> On host B (behind the NAT)
>
> [General]
> Normal config
>
> [Phase 1]
> default= HOSTA_NAME
>
> [Phase 2]
> default= HOSTA_HOSTB
>
> [HOSTA_NAME]
> Normal config except the IP address must be that of the translated NAT box for proper authentication.
> (I believe that the Local-Address value does not get transmitted)
>
> [HOSTA_HOSTB]
> Normal config
>
> Let me know what comes up. If someone could give me a more scientific explanation as to the problems with IPSec and NAT I'd gladly add it to the VPN doc.
>
> > -----Original Message-----
> > From: Chris Goellner [mailto:chris.goellner at corp.bellsouth.net]
> > Sent: Tuesday, January 25, 2000 2:47 PM
> > To: misc at openbsd.org
> > Subject: IPSec behind Firewall
> >
> > I think this question has been asked many times so I'm sorry for asking again.
> >
> > I have two OpenBSD boxes that I want to create a VPN between. I'm using the basic config from the man pages and I've read and reread the secureops.com pages. I've even gotten one of the gateways to work with PGPNet VPN.
> >
> > The problem is the new gateway is behind a static NAT. I've tried every combination of the private and public address to get the two to speak but I keep getting NO_PROPOSAL_CHOSEN.
> >
> > I've checked everything, the policy files match the shared secrets and the Phase 1 stuff looks right. My only guess is that the NAT is somehow causing a problem.
> >
> > Can anyone provide any input?
> >
> > FYI, the NAT is through a Cisco with no ACLs and the tcpdumps look right, they show both guys talking to each other.
> >
> > Config Files Follow (names changed to protect the innocent)
> >
> > ########
> > # Host A
> > ########
> >
> > [General]
> > Policy-File= /etc/isakmpd.policy
> > Retransmits= 5
> > Exchange-max-time= 120
> > Listen-on= HostA-private
> >
> > [Phase 1]
> > HostB-public= HostB
> >
> > [Phase 2]
> > Connections= HostA-HostB
> >
> > [HostB]
> > Phase= 1
> > Transport= udp
> > Local-address= HostA-private
> > Address= HostB-public
> > Configuration= Default-main-mode
> > Authentication= beavis
> > Flags= Stayalive
> >
> > [HostA-HostB]
> > Phase= 2
> > ISAKMP-peer= HostB
> > Configuration= Default-quick-mode
> > Local-ID= Net-A
> > Remote-ID= Net-B
> > Flags= Stayalive
> >
> > [Net-A]
> > ID-type= IPV4_ADDR_SUBNET
> > Network= 172.16.0.0
> > Netmask= 255.255.0.0
> >
> > [Net-B]
> > ID-type= IPV4_ADDR_SUBNET
> > Network= 192.168.0.0
> > Netmask= 255.255.255.0
> >
> > [Default-main-mode]
> > DOI= IPSEC
> > EXCHANGE_TYPE= ID_PROT
> > Transforms= 3DES-SHA
> >
> > [Default-quick-mode]
> > DOI= IPSEC
> > EXCHANGE_TYPE= QUICK_MODE
> > Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE
> >
> > #######################
> > # Begin Listed Transforms
> > #######################
> >
> > [3DES-SHA]
> > ENCRYPTION_ALGORITHM= 3DES_CBC
> > HASH_ALGORITHM= SHA
> > AUTHENTICATION_METHOD= ANY
> > GROUP_DESCRIPTION= MODP_1024
> > PRF= Any
> > Life= LIFE_3600_SECS
> >
> > [QM-ESP-3DES-SHA-PFS-SUITE]
> > Protocols= QM-ESP-3DES-SHA-PFS
> >
> > [QM-ESP-3DES-SHA-PFS]
> > PROTOCOL_ID= IPSEC_ESP
> > Transforms= QM-ESP-3DES-SHA-PFS-XF
> >
> > [QM-ESP-3DES-SHA-PFS-XF]
> > TRANSFORM_ID= 3DES
> > ENCAPSULATION_MODE= TUNNEL
> > AUTHENTICATION_ALGORITHM= HMAC_SHA
> > GROUP_DESCRIPTION= MODP_1024
> > Life= LIFE_600_SECS
> >
> > [QM-ESP-DES-MD5-SUITE]
> > Protocols= QM-ESP-DES-MD5
> >
> > #######################
> > # End Listed Transforms
> > #######################
> >
> > [LIFE_600_SECS]
> > LIFE_TYPE= SECONDS
> > LIFE_DURATION= 600,450:720
> >
> > [LIFE_3600_SECS]
> > LIFE_TYPE= SECONDS
> > LIFE_DURATION= 3600,1800:7200
> >
> > [LIFE_1000_KB]
> > LIFE_TYPE= KILOBYTES
> > LIFE_DURATION= 1000,768:1536
> >
> > [LIFE_32_MB]
> > LIFE_TYPE= KILOBYTES
> > LIFE_DURATION= 32768,16384:65536
> >
> > [LIFE_4.5_GB]
> > LIFE_TYPE= KILOBYTES
> > LIFE_DURATION= 4608000,4096000:8192000
> >
> > # Certificates stored in PEM format
> > [X509-certificates]
> > CA-directory= /etc/isakmpd/ca/
> > Cert-directory= /etc/isakmpd/certs/
> > #Accept-self-signed= defined
> > Private-key= /etc/isakmpd/private/local.key
> >
> >
> > ########
> > # Host B
> > ########
> >
> > [General]
> > Policy-File= /etc/isakmpd.policy
> > Retransmits= 5
> > Exchange-max-time= 120
> > Listen-on= HostB-public
> >
> > [Phase 1]
> > HostA-public= HostA
> >
> > [Phase 2]
> > Connections= HostB-HostA
> >
> > [HostA]
> > Phase= 1
> > Transport= udp
> > Local-address= HostB-public
> > Address= HostA-public
> > Configuration= Default-main-mode
> > Authentication= beavis
> > Flags= Stayalive
> >
> > [HostB-HostA]
> > Phase= 2
> > ISAKMP-peer= HostA
> > Configuration= Default-quick-mode
> > Local-ID= Net-B
> > Remote-ID= Net-A
> > Flags= Stayalive
> >
> > [Net-A]
> > ID-type= IPV4_ADDR_SUBNET
> > Network= 192.168.0.0
> > Netmask= 255.255.255.0
> >
> > [Net-B]
> > ID-type= IPV4_ADDR_SUBNET
> > Network= 172.16.0.0
> > Netmask= 255.255.0.0
> >
> > [Default-main-mode]
> > DOI= IPSEC
> > EXCHANGE_TYPE= ID_PROT
> > Transforms= 3DES-SHA
> >
> > [Default-quick-mode]
> > DOI= IPSEC
> > EXCHANGE_TYPE= QUICK_MODE
> > Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE
> >
> > #######################
> > # Begin Listed Transforms
> > #######################
> >
> > [3DES-SHA]
> > ENCRYPTION_ALGORITHM= 3DES_CBC
> > HASH_ALGORITHM= SHA
> > AUTHENTICATION_METHOD= ANY
> > GROUP_DESCRIPTION= MODP_1024
> > PRF= Any
> > Life= LIFE_3600_SECS
> >
> > [QM-ESP-3DES-SHA-PFS-SUITE]
> > Protocols= QM-ESP-3DES-SHA-PFS
> >
> > [QM-ESP-3DES-SHA-PFS]
> > PROTOCOL_ID= IPSEC_ESP
> > Transforms= QM-ESP-3DES-SHA-PFS-XF
> >
> > [QM-ESP-3DES-SHA-PFS-XF]
> > TRANSFORM_ID= 3DES
> > ENCAPSULATION_MODE= TUNNEL
> > AUTHENTICATION_ALGORITHM= HMAC_SHA
> > GROUP_DESCRIPTION= MODP_1024
> > Life= LIFE_600_SECS
> >
> > [QM-ESP-DES-MD5-SUITE]
> > Protocols= QM-ESP-DES-MD5
> >
> > #######################
> > # End Listed Transforms
> > #######################
> >
> > [LIFE_600_SECS]
> > LIFE_TYPE= SECONDS
> > LIFE_DURATION= 600,450:720
> >
> > [LIFE_3600_SECS]
> > LIFE_TYPE= SECONDS
> > LIFE_DURATION= 3600,1800:7200
> >
> > [LIFE_1000_KB]
> > LIFE_TYPE= KILOBYTES
> > LIFE_DURATION= 1000,768:1536
> >
> > [LIFE_32_MB]
> > LIFE_TYPE= KILOBYTES
> > LIFE_DURATION= 32768,16384:65536
> >
> > [LIFE_4.5_GB]
> > LIFE_TYPE= KILOBYTES
> > LIFE_DURATION= 4608000,4096000:8192000
> >
> > # Certificates stored in PEM format
> > [X509-certificates]
> > CA-directory= /etc/isakmpd/ca/
> > Cert-directory= /etc/isakmpd/certs/
> > #Accept-self-signed= defined
> > Private-key= /etc/isakmpd/private/local.key

From Torx at TM.NET.MY Wed Jan 26 03:36:32 2000
From: Torx at TM.NET.MY (Saravana Ram)
Date: Wed, 26 Jan 2000 16:36:32 +0800
Subject: MPLS &Co
References: <388DC0DB.8A08B073@GlobalOne.net>
Message-ID: <001801bf67d8$7ca2bca0$0245a8c0@galena>

> * Why would an enterprise choose to send his data over a VPN instead
> of e.g. FR? What are the pros and cons of IVPN in comparison with
> other technologies?

The primary advantage of VPNs over frame relay links is that - generally - the cost of running data through the internet is cheaper than running data through frame relay. When the sum of the cost of internet connectivity at two locations is cheaper than the cost of a point-to-point frame relay connection from your telco, it's considered worth it to go VPN. Of course, the cost savings increase the further apart the two sites are.
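Before blaming the NAT for Chris Goellner's NO_PROPOSAL_CHOSEN, the two isakmpd.conf files quoted in his message are worth comparing side by side. Below is an added example, not code from any poster: a small consistency checker that parses both configs as posted (reduced to the sections that matter; [General], lifetimes and transform bodies are trimmed, and the symbolic addresses HostA-private, HostA-public and HostB-public are kept exactly as posted) and checks that the quick-mode identities mirror each other, that the proposals match, and that each side's peer Address is where the other side actually listens. The constants HOST_A, HOST_B and HOST_B_FIXED and the function names are mine. Run over the configs as quoted, it reports that both hosts declare 172.16.0.0/255.255.0.0 as their Local-ID and 192.168.0.0/255.255.255.0 as Remote-ID, because Host B's [Net-A]/[Net-B] sections were swapped relative to Host A's but the Local-ID/Remote-ID lines were swapped as well; a phase-2 identity mismatch is a plausible source of a NO_PROPOSAL_CHOSEN notification and is cheap to rule out. The one remaining note (Host B talks to HostA-public while Host A listens on HostA-private) is exactly the static-NAT arrangement Goellner describes getting to work.

```python
"""Consistency check of the two isakmpd.conf files quoted in the thread (added example)."""

HOST_A = """
[Phase 2]
Connections= HostA-HostB
[HostB]
Local-address= HostA-private
Address= HostB-public
Configuration= Default-main-mode
[HostA-HostB]
ISAKMP-peer= HostB
Configuration= Default-quick-mode
Local-ID= Net-A
Remote-ID= Net-B
[Net-A]
Network= 172.16.0.0
Netmask= 255.255.0.0
[Net-B]
Network= 192.168.0.0
Netmask= 255.255.255.0
[Default-main-mode]
Transforms= 3DES-SHA
[Default-quick-mode]
Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE
"""

HOST_B = """
[Phase 2]
Connections= HostB-HostA
[HostA]
Local-address= HostB-public
Address= HostA-public
Configuration= Default-main-mode
[HostB-HostA]
ISAKMP-peer= HostA
Configuration= Default-quick-mode
Local-ID= Net-B
Remote-ID= Net-A
[Net-A]
Network= 192.168.0.0
Netmask= 255.255.255.0
[Net-B]
Network= 172.16.0.0
Netmask= 255.255.0.0
[Default-main-mode]
Transforms= 3DES-SHA
[Default-quick-mode]
Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE
"""

# One of two equivalent fixes: make Host B's Local-ID/Remote-ID point at the right sections.
HOST_B_FIXED = HOST_B.replace("Local-ID= Net-B", "Local-ID= Net-A").replace("Remote-ID= Net-A", "Remote-ID= Net-B")


def parse(text):
    """Minimal isakmpd.conf reader: [Section] headers, 'Key= value' lines, '#' comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            section = conf.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[key.strip()] = value.strip()
    return conf


def endpoint(conf):
    """Resolve the first Phase 2 connection into what the peer will compare against."""
    conn = conf[conf["Phase 2"]["Connections"].split(",")[0].strip()]
    net = lambda name: f"{conf[name]['Network']}/{conf[name]['Netmask']}"
    peer = conf[conn["ISAKMP-peer"]]
    return {"peer": peer, "local": net(conn["Local-ID"]), "remote": net(conn["Remote-ID"]),
            "suites": conf[conn["Configuration"]]["Suites"],
            "transforms": conf[peer["Configuration"]]["Transforms"]}


def check_pair(text_a, text_b):
    """Return {'errors': [...], 'notes': [...]} for the two sides of one tunnel."""
    a, b = endpoint(parse(text_a)), endpoint(parse(text_b))
    errors, notes = [], []
    if a["local"] == b["local"]:
        errors.append(f"both sides declare {a['local']} as their local network")
    if a["local"] != b["remote"]:
        errors.append(f"A's Local-ID {a['local']} is not B's Remote-ID {b['remote']}")
    if a["remote"] != b["local"]:
        errors.append(f"A's Remote-ID {a['remote']} is not B's Local-ID {b['local']}")
    if a["transforms"] != b["transforms"]:
        errors.append("main-mode transforms differ")
    if set(a["suites"].split(",")) != set(b["suites"].split(",")):
        errors.append("quick-mode suites differ")
    # Each side's peer Address should be where the other side listens; a difference is
    # only correct when it is a static NAT mapping, as in the thread.
    for here, there, name in ((a, b, "A"), (b, a, "B")):
        if there["peer"]["Address"] != here["peer"]["Local-address"]:
            notes.append(f"{name} listens on {here['peer']['Local-address']} but its peer is told "
                         f"{there['peer']['Address']}: fine only if that is {name}'s static NAT address")
    return {"errors": errors, "notes": notes}
```

Running check_pair(HOST_A, HOST_B) returns three errors about the overlapping 172.16.0.0/255.255.0.0 identities and one note about HostA-private versus HostA-public; check_pair(HOST_A, HOST_B_FIXED) returns no errors and the same note.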
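Patrick Ethier's point in the quoted message that AH cannot be used across the NAT, and Chris Goellner's report that ESP worked once the far side was configured with the NAT's public address, both come down to what each protocol's integrity check covers. The following is an added example, not code from either poster: it builds an AH tunnel-mode packet and an ESP tunnel-mode packet, each with HMAC-SHA1-96, pushes both through a simulated source NAT, and verifies them as the far gateway would. Addresses, SPIs and the key are constructed; the ESP-NULL transform (RFC 2410) is used instead of 3DES only so the packet layout stays visible, since the ESP ICV covers the (possibly encrypted) payload and never the outer IP header either way. The last two results show the non-cryptographic check that still applies to ESP: the receiving side matches the packet against the peer address it was configured with, which behind a static NAT has to be the translated one.

```python
"""AH versus ESP through a source NAT: which integrity check survives the address rewrite.
Added example; keys, SPIs and addresses are constructed, a real SA gets its key from IKE."""
import hashlib
import hmac
import struct

IPPROTO_IPIP, IPPROTO_ESP, IPPROTO_AH = 4, 50, 51
ICV_LEN = 12  # HMAC-SHA1-96 truncates the 20-byte HMAC to 96 bits
KEY = b"constructed demo key, not a real SA key"


def ip_checksum(hdr):
    """One's-complement checksum over the 20-byte header with its checksum field zeroed."""
    h = bytes(hdr[:10]) + b"\x00\x00" + bytes(hdr[12:])
    total = sum(struct.unpack("!10H", h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal IPv4 header with the checksum filled in like a real stack would."""
    a2b = lambda a: bytes(int(o) for o in a.split("."))
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                                ttl, proto, 0, a2b(src), a2b(dst)))
    struct.pack_into("!H", hdr, 10, ip_checksum(hdr))
    return bytes(hdr)


def nat_rewrite_source(packet, new_src):
    """What a source NAT does to the outer header: swap the source address, fix the checksum."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = bytes(int(o) for o in new_src.split("."))
    struct.pack_into("!H", hdr, 10, ip_checksum(hdr))
    return bytes(hdr) + packet[20:]


def ah_icv_input(ip_hdr, ah_fixed, payload):
    """RFC 2402: AH authenticates the outer header with only the mutable fields zeroed
    (TOS, flags/fragment offset, TTL, checksum).  Source and destination are immutable,
    so they are covered, and that is exactly what a NAT changes."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h) + ah_fixed + b"\x00" * ICV_LEN + payload


def ah_protect(src, dst, spi, seq, inner_packet):
    """AH tunnel mode: outer IP | AH (next hdr, len, reserved, SPI, seq, ICV) | inner IP packet."""
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + ah_len + len(inner_packet))
    ah_fixed = struct.pack("!BBHII", IPPROTO_IPIP, ah_len // 4 - 2, 0, spi, seq)
    icv = hmac.new(KEY, ah_icv_input(ip_hdr, ah_fixed, inner_packet), hashlib.sha1).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + inner_packet


def ah_verify(packet):
    ip_hdr, ah_fixed, icv, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    expect = hmac.new(KEY, ah_icv_input(ip_hdr, ah_fixed, payload), hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expect)


def esp_protect(src, dst, spi, seq, inner_packet):
    """ESP-NULL tunnel mode: outer IP | SPI | seq | inner packet | pad | pad len | next hdr | ICV.
    The ICV covers everything after the outer IP header and nothing inside it."""
    pad_len = (-(len(inner_packet) + 2)) % 4
    body = (struct.pack("!II", spi, seq) + inner_packet + b"\x00" * pad_len
            + bytes([pad_len, IPPROTO_IPIP]))
    ip_hdr = ipv4_header(src, dst, IPPROTO_ESP, 20 + len(body) + ICV_LEN)
    return ip_hdr + body + hmac.new(KEY, body, hashlib.sha1).digest()[:ICV_LEN]


def esp_verify(packet):
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac.new(KEY, body, hashlib.sha1).digest()[:ICV_LEN])


def peer_matches(packet, configured_peer):
    """The policy check that still bites ESP: the gateway only accepts the SA from the
    address it was configured with, so behind a static NAT that must be the public one."""
    return ".".join(str(b) for b in packet[12:16]) == configured_peer


def demo():
    inner = ipv4_header("172.16.0.10", "192.168.0.20", 6, 40) + b"\x00" * 20  # constructed TCP stub
    private, nat_public, far_gw = "10.1.1.2", "203.0.113.7", "198.51.100.1"
    ah, esp = ah_protect(private, far_gw, 0x1000, 1, inner), esp_protect(private, far_gw, 0x2000, 1, inner)
    ah_nat, esp_nat = nat_rewrite_source(ah, nat_public), nat_rewrite_source(esp, nat_public)
    return {"ah_intact_before_nat": ah_verify(ah), "ah_survives_nat": ah_verify(ah_nat),
            "esp_intact_before_nat": esp_verify(esp), "esp_survives_nat": esp_verify(esp_nat),
            "esp_peer_ok_if_configured_private": peer_matches(esp_nat, private),
            "esp_peer_ok_if_configured_nat_public": peer_matches(esp_nat, nat_public)}
```

demo() returns True for both packets before the NAT, False for AH and True for ESP after it, and shows that the ESP packet is only accepted when the far gateway is configured with 203.0.113.7, the NAT's public address, rather than the private 10.1.1.2.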
From rgm at ICSA.NET Wed Jan 26 15:06:44 2000
From: rgm at ICSA.NET (Robert Moskowitz)
Date: Wed, 26 Jan 2000 15:06:44 -0500
Subject: IPsec Evaluation (fwd)
Message-ID: <4.2.0.58.20000126145655.00c50240@homebase.htt-consult.com>

At 01:32 PM 1/25/2000 -0600, Tina Bird wrote:
> Niels Ferguson and Bruce Schneier have released
> "A Cryptographic Evaluation of IPsec" at
>
> http://www.counterpane.com/ipsec.html

Yeah, this is a great one to further confound the landscape.

> The review is divided into two main sections. The first one evaluates IPsec's handling of bulk data transmission. It recommends dropping AH and ESP transport mode from the protocol, claiming that the security these options provide is far outweighed by the complexity they add into VPN systems.

If the world is nothing but VPNs, I would agree with this. However, VPNs are just a stepping stone to end-to-end protection. For this, it is ESP transport mode that should be used. Further, tunnel mode provides more known text for attacks. AH only brings value to IPv6, so the dropping of AH should be left to the v6 developers; you should not see it in any deployed VPNs. That is why I had ESP NULL added (with a fight from some interesting sources, I might add; oh, read rfc 2510 for a good laugh. We had fun writing it.).

> Ferguson and Schneier recommend modifying ESP to always perform authentication -- removing another option from gateway configurations -- and dropping DES-CBC as a supported encryption mechanism, since DES keys are so easy to brute force.

The non-auth mode of ESP is SUPPOSED to only be used when ESP/non-auth is within some auth tunnel, like AH. This is to save bandwidth for those military (oops, was not supposed to name the culprits :) setups where gateways use auth, and end to end is secure.

The IETF was unable to agree on dropping DES yet. The desire is to move to AES.
So the first step is to get a couple of AES transforms fielded, then in mid-2001 change to AES. We will see what happens in the coming 6 months.

> The discussion of ISAKMP was a bit less detailed, especially in terms of changes a VPN administrator could make within their current deployment -- but continues to stress the point that the number of options supported within each stage of key negotiation is not practical or necessary, and greatly increases the chances of vendors, administrators (or both) getting it wrong.

IKE is better than the biggest swiss army knife! And to use it, you have to have at least 3 blades open!

> The last paragraph is a classic example of double negatives: 'We strongly discourage the use of IPsec in its current form for protection of any kind of valuable information... However, we even more strongly discourage any current alternatives, and recommend IPsec when the alternative is an insecure network.'

I won't touch this one. Yet. Tina, you know what I am alluding to.

Robert Moskowitz
ICSA.net
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished if it doesn't matter who gets the credit

From petricek at KOLEJ.MFF.CUNI.CZ Thu Jan 27 06:37:44 2000
From: petricek at KOLEJ.MFF.CUNI.CZ (Vasek Petricek)
Date: Thu, 27 Jan 2000 12:37:44 +0100
Subject: SKIP Evaluation?
In-Reply-To: <4.2.0.58.20000126145655.00c50240@homebase.htt-consult.com>

Hello

Has anyone seen or done some evaluation of the SKIP protocol? It seems to differ from IPSec in that it encrypts a packet using a random key that is encrypted using a shared secret and sent together with the packet. Are there any security risks in doing so, or is the overhead considered to be too much?
Thanks for any information and your opinions,

Vaclav Petricek

From rgm at ICSA.NET Thu Jan 27 12:43:32 2000
From: rgm at ICSA.NET (Robert Moskowitz)
Date: Thu, 27 Jan 2000 12:43:32 -0500
Subject: SKIP Evaluation?
References: <4.2.0.58.20000126145655.00c50240@homebase.htt-consult.com>
Message-ID: <4.2.0.58.20000127123534.00c3b360@homebase.htt-consult.com>

At 12:37 PM 1/27/2000 +0100, Vasek Petricek wrote:
> Has anyone seen or done some evaluation of the SKIP protocol?

We had quite a few of them for the Montreal IETF meeting ;)

> It seems to differ from IPSec in that it encrypts a packet using a random key that is encrypted using a shared secret and sent together with the packet. Are there any security risks in doing so, or is the overhead considered to be too much?

Not quite. SKIP is an alternative Key Management Protocol to IKE or Photuris. All three establish symmetric keying material for IPsec's ESP or AH. SKIP uses 2 Diffie-Hellman exchanges. The first is based on 'well known' keys. Since there is a small chance that these keys would be cracked over time, and if used heavily, they are only used to protect an exchange of a pair of ephemeral D-Hs that actually supply the IPsec KEYMAT.

SKIP ain't so bad, if you have a single administrative domain (it lacks many of the fine grain policy controls in IKE). It was this one reason that I argued against it for VPN usage at the Montreal IETF. I pointed out to Ashar that, ignoring the violent security debates about SKIP, this lack would limit SKIP to homogeneous VPN deployments. This has since been borne out by some early adopters that have used SunScreen and Checkpoint's SKIP option.

Now it WOULD be very nice to have more than one key exchange protocol for IPsec, targeted at different community needs. IKE is so complex because it is anything to everyone. Of course, this is part of the reason IKE 'won'.
> Thanks for any information and your opinions,
>
> Vaclav Petricek

Robert Moskowitz
ICSA.net
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished if it doesn't matter who gets the credit

From Azim.Ferchichi at SWISSCOM.COM Fri Jan 28 05:08:55 2000
From: Azim.Ferchichi at SWISSCOM.COM (Azim.Ferchichi at SWISSCOM.COM)
Date: Fri, 28 Jan 2000 11:08:55 +0100
Subject: SKIP Evaluation?
Message-ID: <7E46AF731AD5D111BF4F0000F830C63D03A1085D@gd3i5w.swissptt.ch>

Hi all,

We are currently evaluating different IPSEC VPN solutions. I can understand pretty well the advantages of using HW or software solutions. On many platforms I can also understand what the consequences of installing VPN software are. However, we had a presentation of Cisco's solution this week and, despite the evaluation of the pure IPSEC stuff, I'm not able to understand the consequence of installing VPN gateway software on a router.

First I would like to know, from a conceptual point of view, what the advantages and drawbacks are of having a VPN gw on a router. Then I would ask people who have experience with Cisco's VPN solution if they consider the Cisco IOS platform as secure as a Unix one, and if it's easy to 'harden' IOS without losing too much routing functionality. I would also ask them if Cisco's VPN is easy to deploy initially and if the VPN management tools are good enough to easily manage more than 500 VPN machines...

Thanks a lot for your help!

Azim Ferchichi
___________________
CIT-CT-TPM IT security and Smart-cards
Swisscom AG
CH-3050 BERN
Phone: +41 31 342 09 22
Mobile: +41 79 301 55 56
Fax: +41 31 342 00 08
______________________

From bet at RAHUL.NET Fri Jan 28 17:38:50 2000
From: bet at RAHUL.NET (Bennett Todd)
Date: Fri, 28 Jan 2000 17:38:50 -0500
Subject: VPN on a Cisco router (was Re: SKIP Evaluation?)
In-Reply-To: <7E46AF731AD5D111BF4F0000F830C63D03A1085D@gd3i5w.swissptt.ch>; from Azim.Ferchichi@SWISSCOM.COM on Fri, Jan 28, 2000 at 11:08:55AM +0100
References: <7E46AF731AD5D111BF4F0000F830C63D03A1085D@gd3i5w.swissptt.ch>
Message-ID: <20000128173850.U24311@rahul.net>

Disclaimer: I've worked with some Cisco gurus, and I've read about Cisco gear for years, but I'm not a Cisco guru myself. I can often convince IOS to do what I want, so can anybody who can read and type and knows the basics of IP networking, but I'm not particularly expert with it. And I've yet to actually work with any VPN implementation at all, just read about a lot of 'em. But I think I can give reasonable answers to some of the questions you ask.

Just some basic thoughts, first. By and large few people can log on to a router (compared to the number of people who can log on to a typical computer). A router does a fairly tightly specified job: it routes network traffic. By contrast a more typical computer does _anything_. These points have consequences all around your questions.

For instance, router-specific OSes (IOS in particular) can be simpler and less flexible. They can be more secure out of the box, and IOS at least has a nice track record of possessing few security problems, and having those problems fixed _exceedingly_ fast. And again, since typically only a few people, often the most technically knowledgeable and security-conscious people in the company, can log in to a router, it is liable to be the most secure computer in a well-run company.

And another: routers are ubiquitous. For the VPN application of setting up fixed, permanent tunnels between offices who all connect to the internet, you probably already have routers in place. Just make sure they're all Cisco (or all have interoperable IPSEC, could happen if you're lucky) and you don't need to throw any extra boxes at the problem to have your VPN in place. That's appealing.

VPN is a job intimately related to routing. It seems reasonable to hope that the folks at Cisco would deliver a VPN implementation with good performance, which interacts with the rest of a normal routed IP environment very gracefully.

As to downsides: I'd expect VPN on a router to be a superb solution for permanent inter-office links if you already have routers in place, sufficiently over-provisioned that they have sufficient excess capacity to run the VPN. However, I'd expect it to be less ideal if you don't already have those routers in place; Cisco gear may be nice and fast and stable, but it's usually the most expensive way to move bits, for most jobs a general-purpose computer running an open source OS with open source routing/VPNning/whatever atop is gonna be cheaper.

And if your VPN application is supporting roving users, who want to VPN into the office when they dial in to the internet, then I would expect to prefer a VPN endpoint on a general-purpose computer; I'd be wanting to set up weirdly custom hacks. Like, if they were allowed to VPN into a secure net, I'd be back-probing the originating machine to make sure it hasn't been infested with a remote-control app via trojan, or configured as an open router, or otherwise turned into a gaping vulnerability in our secured net. I wouldn't be wanting to do that kind of thing on a router, they make poor development platforms :-).

And when you talk about end-users VPNning into a secured net, you're facing the nastiest problem, namely trying to securely authenticate end-users. They are not cooperative. So it can be a help having the widest possible array of potential solutions. I'd expect authentication solution alternatives to be more diverse on a general-purpose computer running an open source OS: one-time password, a la S/Key; time-based tokens like e.g. SecurID cards; challenge/response cryptocards; cards, perhaps with keyboards on which you enter pins, containing certificates; certificates stored encrypted on their laptop; etc. You dream it, the first implementation is probably on a general-purpose computer.

-Bennett

From rk_ at MAILCITY.COM Sat Jan 29 21:26:16 2000
From: rk_ at MAILCITY.COM (S Ramakrishnan)
Date: Sat, 29 Jan 2000 18:26:16 -0800
Subject: Using SSH

Hello...

I would like to use SSH to grant access to a small set of users to a database server. While most of these users use a Linux box, some use Windows NT.

Can SSH be used on an NT box? Are there sample blueprints to get up and started on SSH based access control schemes?

What underlying security protocol is SSH based on?

Any other information (its implementation) greatly appreciated.

Thanks !

-r

MailCity. Secure Email Anywhere, Anytime! http://www.mailcity.com

From Munix-1 at PACBELL.NET Sat Jan 29 16:50:32 2000
From: Munix-1 at PACBELL.NET (Jose Muniz)
Date: Sat, 29 Jan 2000 13:50:32 -0800 (PST)
Subject: Network-Alchemy & NetScreen.
Message-ID: <32E34C17.EA254C80@Pacbell.net>

Hello boys and girls,

Well, I need some feedback if anybody has any about these two products, Network-Alchemy Crypto Cluster and Netscreen 100 gateways. If anyone has a comment to make I will appreciate it very much. And if someone has a case study on either, well that will be even better.

TNX! a big bunch..

Jose Muniz.
From patrick at SECUREOPS.COM Wed Jan 26 10:41:48 2000
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Wed, 26 Jan 2000 10:41:48 -0500 (EST)
Subject: IPSec behind Firewall
Message-ID: <91C71FCA53C9D31199AA00105A7718C89E27@Exchangicus.SecureOps.com>

Hi,

I've not tried NAT with ISAKMP myself yet but here is why I think it may not work (please somebody correct me if I am wrong or not totally right so I can add this to the VPN docs).

Firstly, which host is behind the NAT and which one has a normal IP with normal routing? The question for this is that the host behind the NAT box must initiate the Phase 1 security association. Let us call host B not behind the NAT box. It does not need any IP = NAME entries in Phase 1 but it does need a DEFAULT = NAME entry. The same goes for the Phase 2 section.

You cannot use AH also, the reason being that an IPSec packet looks like this: [IP][AH][ESP] (the ESP encapsulates the packet sent to the internal lan on the host A side). NAT strips off [IP][AH] and replaces it with [IP] of the NAT box. So, don't use NAT with AH.

As for the rest, you may run into fragmentation issues also.

Try the following conf. On host B (behind the NAT):

[General]
Normal config

[Phase 1]
default= HOSTA_NAME

[Phase 2]
default= HOSTA_HOSTB

[HOSTA_NAME]
Normal config except the IP address must be that of the translated NAT box for proper authentication. (I believe that the Local-Address value does not get transmitted)

[HOSTA_HOSTB]
Normal Config

Let me know what comes up. If someone could give me a more scientific explanation as to the problems with IPSec and NAT I'd gladly add it to the VPN doc.

> -----Original Message-----
> From: Chris Goellner [mailto:chris.goellner at corp.bellsouth.net]
> Sent: Tuesday, January 25, 2000 2:47 PM
> To: misc at openbsd.org
> Subject: IPSec behind Firewall
>
> I think this question has been asked many times so I'm sorry for asking again.
>
> I have two OpenBSD boxes that I want to create a VPN between. I'm using the basic config from the man pages and I've read and reread the secureops.com pages. I've even gotten one of the gateways to work with PGPNet VPN.
>
> The problem is the new gateway is behind a static NAT. I've tried every combination of the private and public address to get the two to speak but I keep getting NO_PROPOSAL_CHOSEN.
>
> I've checked everything, the policy files match the shared secrets and the Phase 1 stuff looks right. My only guess is that the NAT is somehow causing a problem.
>
> Can anyone provide any input.
>
> FYI, the NAT is through a Cisco with no ACL's and the tcpdump's look right, they show both guys talking to each other.
>
> Config Files Follow (names changed to protect the innocent)
>
> ########
> # Host A
> ########
>
> [General]
> Policy-File= /etc/isakmpd.policy
> Retransmits= 5
> Exchange-max-time= 120
> Listen-on= HostA-private
>
> [Phase 1]
> HostB-public= HostB
>
> [Phase 2]
> Connections= HostA-HostB
>
> [HostB]
> Phase= 1
> Transport= udp
> Local-address= HostA-private
> Address= HostB-public
> Configuration= Default-main-mode
> Authentication= beavis
> Flags= Stayalive
>
> [HostA-HostB]
> Phase= 2
> ISAKMP-peer= HostB
> Configuration= Default-quick-mode
> Local-ID= Net-A
> Remote-ID= Net-B
> Flags= Stayalive
>
> [Net-A]
> ID-type= IPV4_ADDR_SUBNET
> Network= 172.16.0.0
> Netmask= 255.255.0.0
>
> [Net-B]
> ID-type= IPV4_ADDR_SUBNET
> Network= 192.168.0.0
> Netmask= 255.255.255.0
>
> [Default-main-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= 3DES-SHA
>
> [Default-quick-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE
>
> #######################
> # Begin Listed Transforms
> #######################
>
> [3DES-SHA]
> ENCRYPTION_ALGORITHM= 3DES_CBC
> HASH_ALGORITHM= SHA
> AUTHENTICATION_METHOD= ANY
> GROUP_DESCRIPTION= MODP_1024
> PRF= Any
> Life= LIFE_3600_SECS
>
> [QM-ESP-3DES-SHA-PFS-SUITE]
> Protocols= QM-ESP-3DES-SHA-PFS
>
> [QM-ESP-3DES-SHA-PFS]
> PROTOCOL_ID= IPSEC_ESP
> Transforms= QM-ESP-3DES-SHA-PFS-XF
>
> [QM-ESP-3DES-SHA-PFS-XF]
> TRANSFORM_ID= 3DES
> ENCAPSULATION_MODE= TUNNEL
> AUTHENTICATION_ALGORITHM= HMAC_SHA
> GROUP_DESCRIPTION= MODP_1024
> Life= LIFE_600_SECS
>
> [QM-ESP-DES-MD5-SUITE]
> Protocols= QM-ESP-DES-MD5
>
> #######################
> # End Listed Transforms
> #######################
>
> [LIFE_600_SECS]
> LIFE_TYPE= SECONDS
> LIFE_DURATION= 600,450:720
>
> [LIFE_3600_SECS]
> LIFE_TYPE= SECONDS
> LIFE_DURATION= 3600,1800:7200
>
> [LIFE_1000_KB]
> LIFE_TYPE= KILOBYTES
> LIFE_DURATION= 1000,768:1536
>
> [LIFE_32_MB]
> LIFE_TYPE= KILOBYTES
> LIFE_DURATION= 32768,16384:65536
>
> [LIFE_4.5_GB]
> LIFE_TYPE= KILOBYTES
> LIFE_DURATION= 4608000,4096000:8192000
>
> # Certificates stored in PEM format
> [X509-certificates]
> CA-directory= /etc/isakmpd/ca/
> Cert-directory= /etc/isakmpd/certs/
> #Accept-self-signed= defined
> Private-key= /etc/isakmpd/private/local.key
>
> ########
> # Host B
> ########
>
> [General]
> Policy-File= /etc/isakmpd.policy
> Retransmits= 5
> Exchange-max-time= 120
> Listen-on= HostB-public
>
> [Phase 1]
> HostA-public= HostA
>
> [Phase 2]
> Connections= HostB-HostA
>
> [HostA]
> Phase= 1
> Transport= udp
> Local-address= HostB-public
> Address= HostA-public
> Configuration= Default-main-mode
> Authentication= beavis
> Flags= Stayalive
>
> [HostB-HostA]
> Phase= 2
> ISAKMP-peer= HostA
> Configuration= Default-quick-mode
> Local-ID= Net-B
> Remote-ID= Net-A
> Flags= Stayalive
>
> [Net-A]
> ID-type= IPV4_ADDR_SUBNET
> Network= 192.168.0.0
> Netmask= 255.255.255.0
>
> [Net-B]
> ID-type= IPV4_ADDR_SUBNET
> Network= 172.16.0.0
> Netmask= 255.255.0.0
>
> [Default-main-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= 3DES-SHA
>
> [Default-quick-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE
>
> #######################
> # Begin Listed Transforms
> #######################
>
> [3DES-SHA]
> ENCRYPTION_ALGORITHM= 3DES_CBC
> HASH_ALGORITHM= SHA
> AUTHENTICATION_METHOD= ANY
> GROUP_DESCRIPTION= MODP_1024
> PRF= Any
> Life= LIFE_3600_SECS
>
> [QM-ESP-3DES-SHA-PFS-SUITE]
> Protocols= QM-ESP-3DES-SHA-PFS
>
> [QM-ESP-3DES-SHA-PFS]
> PROTOCOL_ID= IPSEC_ESP
> Transforms= QM-ESP-3DES-SHA-PFS-XF
>
> [QM-ESP-3DES-SHA-PFS-XF]
> TRANSFORM_ID= 3DES
> ENCAPSULATION_MODE= TUNNEL
> AUTHENTICATION_ALGORITHM= HMAC_SHA
> GROUP_DESCRIPTION= MODP_1024
> Life= LIFE_600_SECS
>
> [QM-ESP-DES-MD5-SUITE]
> Protocols= QM-ESP-DES-MD5
>
> #######################
> # End Listed Transforms
> #######################
>
> [LIFE_600_SECS]
> LIFE_TYPE= SECONDS
> LIFE_DURATION= 600,450:720
>
> [LIFE_3600_SECS]
> LIFE_TYPE= SECONDS
> LIFE_DURATION= 3600,1800:7200
>
> [LIFE_1000_KB]
> LIFE_TYPE= KILOBYTES
> LIFE_DURATION= 1000,768:1536
>
> [LIFE_32_MB]
> LIFE_TYPE= KILOBYTES
> LIFE_DURATION= 32768,16384:65536
>
> [LIFE_4.5_GB]
> LIFE_TYPE= KILOBYTES
> LIFE_DURATION= 4608000,4096000:8192000
>
> # Certificates stored in PEM format
> [X509-certificates]
> CA-directory= /etc/isakmpd/ca/
> Cert-directory= /etc/isakmpd/certs/
> #Accept-self-signed= defined
> Private-key= /etc/isakmpd/private/local.key

From Torx at TM.NET.MY Sun Jan 30 03:36:20 2000
From: Torx at TM.NET.MY (Saravana Ram)
Date: Sun, 30 Jan 2000 16:36:20 +0800
Subject: Using SSH
Message-ID: <000a01bf6afd$33175320$0245a8c0@galena>

From: "S Ramakrishnan"

> Can SSH be used on an NT box?
> Are there sample blueprints to
> get up and started on SSH based
> access control schemes?

Which will be the server side, a Linux box or an NT box? That is more important. The full SSH package is easily available on unix flavours, but I know not of any server-side implementations for NT. SSH clients, though, are available on both platforms. (How could you use it on the server side, anyway?)
> What underlying security protocol is
> SSH based on?

If you are asking about cryptographic transforms, the original SSH uses DES, 3DES, and Blowfish. But if you're not in America, you're left with only DES.

From Azim.Ferchichi at SWISSCOM.COM Mon Jan 31 09:32:43 2000
From: Azim.Ferchichi at SWISSCOM.COM (Azim.Ferchichi at SWISSCOM.COM)
Date: Mon, 31 Jan 2000 15:32:43 +0100
Subject: VPN GW on router
Message-ID: <7E46AF731AD5D111BF4F0000F830C63D03A10862@gd3i5w.swissptt.ch>

> Hi all,
>
> We are currently evaluating different IPSEC VPN solutions. I can understand
> pretty well the advantages of using HW or software solutions. On many
> platforms I can also understand what are the consequences of installing a
> VPN software. However, we had a presentation of Cisco's solution this week
> and despite the evaluation of the pure IPSEC stuff, I'm not able to
> understand the consequence of installing a VPN gateway software on a
> router.
> First I would like to know from a conceptual point of view what are the
> advantages and drawbacks to have a VPN gw on a router. Then I would ask
> people who have experience with Cisco's VPN solution, if they consider
> Cisco IOS platform as secure as a Unix one, if it's easy to 'harden' IOS
> without losing too much routing functionality. I would also ask them if the
> Cisco's VPN is easy to deploy initially and if the VPN management tools are
> good enough to easily manage more than 500 VPN machines...
>
> Thanks a lot for your help!
>
> Azim Ferchichi
> ___________________
> CIT-CT-TPM
> IT security and Smart-cards
> Swisscom AG
> CH-3050 BERN
> Phone: +41 31 342 09 22
> Mobile: +41 79 301 55 56
> Fax: +41 31 342 00 08
> ______________________

From pat at SECUREOPS.COM Mon Jan 31 10:25:03 2000
From: pat at SECUREOPS.COM (Patrick Ethier)
Date: Mon, 31 Jan 2000 10:25:03 -0500
Subject: Using SSH
Message-ID: <403626CA58D4D3119B92005004A514880123F3@Dominus.SecureOps.com>

Hi,

I use SSH from my windows NT box all the time. I'm currently using SecureCRT 3.something but I've heard that Datafellows makes a nice SSH client also. Here are the URLs:

SecureCRT - http://www.vandyke.com
Datafellows - http://www.datafellows.com

I know SSH can be used as a tunnel to create a virtual private network. From what I hear it is also pretty secure. But, if you only need to grant access to one single computer you might as well just give them a shell account on that machine and then let network traffic through TCP port 22 from those users to your DB box (I'm assuming you have a firewall set up somewhere to filter traffic flow). SSH would be exactly like telnet in this respect except that all the typing is encrypted and nobody can tell what is going on between the host and the client.

SSH can do funky things like RSA authentication which is nice. Read up on it. In linux, do "man ssh" and "man sshd".

Good luck,

____________________
Patrick Ethier
patrick at secureops.com
[ It doesn't matter if you don't know where you're going....]
[ As long as you get there --- DrBones ]

> -----Original Message-----
> From: S Ramakrishnan [mailto:rk_ at MAILCITY.COM]
> Sent: Saturday, January 29, 2000 9:26 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Using SSH
>
> Hello...
>
> I would like to use SSH to grant access to a small set of users to a database server. While most of these users use a Linux box, some use Windows NT.
>
> Can SSH be used on an NT box? Are there sample blueprints to get up and started on SSH based access control schemes?
>
> What underlying security protocol is SSH based on?
>
> Any other information (its implementation) greatly appreciated.
>
> Thanks !
>
> -r
>
> MailCity. Secure Email Anywhere, Anytime!
> http://www.mailcity.com

From peter at TALARIAN.COM Mon Jan 31 13:23:45 2000
From: peter at TALARIAN.COM (Peter Walker)
Date: Mon, 31 Jan 2000 10:23:45 -0800
Subject: VPN on a Cisco router (was Re: SKIP Evaluation?)
In-Reply-To: <20000128173850.U24311@rahul.net>
References: <7E46AF731AD5D111BF4F0000F830C63D03A1085D@gd3i5w.swissptt.ch> <20000128173850.U24311@rahul.net>
Message-ID: <200001311023450950.0FC458CC@mailhost.talarian.com>

Standard disclaimers: I am not an expert and may be just plain wrong. I speak for myself not my company

*********** REPLY SEPARATOR ***********

On 1/28/00 at 5:38 PM Bennett Todd wrote:

>For instance, router-specific OSes (IOS in particular) can be
>simpler and less flexible. They can be more secure out of the box,
>and IOS at least has a nice track record of possessing few security
>problems, and having those problems fixed _exceedingly_ fast.

I am not sure I agree on IOS's track record, but I do agree that cisco fix the problems and publicise advisories fast.

>And again, since typically only a few people, often the most
>technically knowledgeable and security-conscious people in the
>company, can log in to a router, it is liable to be the most secure
>computer in a well-run company.

Hmmm "security-conscious people" ...
ie the sort of people who would never allow passwords to be sent in plain text over the network were it not for the fact that Cisco still hasn't (as far as I know) implemented ssh or anything similar under IOS.

I do agree that a well configured cisco router with up to date IOS can be very secure (but not the most secure computer on the network - OpenBSD probably has that honor, and it does IPSEC too). There was an article in phrack that gave some good instructions for securing IOS.

>VPN is a job intimately related to routing. It seems reasonable to
>hope that the folks at Cisco would deliver a VPN implementation with
>good performance, which interacts with the rest of a normal routed
>IP environment very gracefully.

Hmmm, I think I disagree again. IPSEC/ISAKMPD is pretty much a new thing on IOS (like everywhere else) and it has its problems. I know only one person that has attempted to set up an IOS VPN. He gave up in the end stating that some things just plain didn't work correctly. I also had a dealer state to me when I asked for a quote for the price of adding the IPSEC/FW/IDS feature set version of IOS to one of our routers that I should be careful about having an expectation of having the VPN features work fully until a few IOS releases time.

Of course I expect that someone on this list will reply and tell that last point is plain wrong :-)

Peter

From David.Haber at VTMEDNET.ORG Sun Jan 30 08:45:25 2000
From: David.Haber at VTMEDNET.ORG (Haber, David J.)
Date: Sun, 30 Jan 2000 08:45:25 -0500
Subject: Indus River VPN
Message-ID: <87E2A0D9120AD1119E2200805F15E0D804824F13@BURLINGTON03>

Anyone have any experience with Indus River VPN solution? We are testing and would like some feedback.

From secure at SECUREAUSTIN.COM Sun Jan 30 03:41:55 2000
From: secure at SECUREAUSTIN.COM (H D Moore)
Date: Sun, 30 Jan 2000 02:41:55 -0600
Subject: Using SSH
Message-ID: <3893F953.D9762527@secureaustin.com>

S Ramakrishnan wrote:
>
> Hello...
>
> I would like to use SSH to grant access to a small set of users to a database server.
> While most of these users use a Linux
> box, some use Windows NT.

Well are you more interested in securing the traffic between the users and the database server, or restricting access to the database?

> Can SSH be used on an NT box?
> Are there sample blueprints to
> get up and started on SSH based
> access control schemes?

If you just want to encrypt the network traffic, you can setup an SSH tunnel from a machine on the inside network (unix based) to the database server's tcp port. See the -L and -R options for SSH.

> What underlying security protocol is
> SSH based on?

Public/Private keys (see PGP | PKI).

> Any other information (its implementation)
> greatly appreciated.

Access control to the database itself could be implemented via whatever host/user/db restrictions the database server has built in. I only have experience dealing with MySQL, consult the documentation for other software.

-HD

From scotta at GNAC.COM Mon Jan 31 11:51:53 2000
From: scotta at GNAC.COM (Scott Armstrong)
Date: Mon, 31 Jan 2000 08:51:53 -0800
Subject: Using SSH

>Can SSH be used on an NT box?

You might want to take a look at http://www.gnac.com/techinfo/ssh_on_nt/index.html.

Scott

From tbird at PRECISION-GUESSWORK.COM Mon Jan 31 14:17:58 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Mon, 31 Jan 2000 13:17:58 -0600
Subject: Future ISAKMP Denial of Service Vulnerablity Needs Addressing (fwd)

"Doubt is an uncomfortable situation, but certainty is an absurd one."
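Patrick Ethier's "IPSec behind Firewall" post above explains that a NAT box rewrites the [IP] header that AH authenticates, while ESP's integrity check never covers the outer header. The toy model below is added here to make that concrete; it is not code from the list or from isakmpd, and its packet layout, key and addresses are all constructed.

```python
"""Toy model of why AH fails behind NAT while ESP survives it.

Constructed illustration, not a real IPsec stack: a packet is an IPv4-like
header plus a payload.  AH's ICV covers the outer IP header (mutable fields
zeroed), so a NAT that rewrites the source address invalidates it.  ESP's
ICV covers only the ESP header and its payload, so the outer header can be
rewritten freely.  Encryption is omitted; the payload stands in for the
ESP ciphertext.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

AH, ESP = 51, 50                         # IP protocol numbers
KEY = b"constructed-demo-integrity-key"  # constructed shared authentication key


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int
    proto: int      # AH or ESP
    payload: bytes  # AH: inner packet; ESP: SPI+seq header followed by protected data
    icv: bytes = b""


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def covered_bytes(pkt: Packet) -> bytes:
    """Bytes the ICV protects. AH includes the IP header with the mutable TTL
    zeroed; ESP includes nothing from the IP header at all."""
    if pkt.proto == AH:
        header = ip_to_bytes(pkt.src) + ip_to_bytes(pkt.dst) + struct.pack("!BB", 0, pkt.proto)
        return header + pkt.payload
    return pkt.payload


def compute_icv(data: bytes) -> bytes:
    # HMAC-SHA1 truncated to 96 bits, the way HMAC-SHA-1-96 does it
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def seal(pkt: Packet) -> Packet:
    return replace(pkt, icv=compute_icv(covered_bytes(pkt)))


def verify(pkt: Packet) -> bool:
    return hmac.compare_digest(compute_icv(covered_bytes(pkt)), pkt.icv)


def nat_outbound(pkt: Packet, public_ip: str) -> Packet:
    """Static NAT on the way out: rewrite the source address and decrement the
    TTL, which is what the NAT box does to every outgoing packet."""
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1)


def simulate(proto: int):
    """Return (verifies_before_nat, verifies_after_nat) for the given protocol."""
    inner = b"constructed inner packet from the private LAN behind the NAT"
    spi_seq = struct.pack("!II", 0x1000, 1)   # constructed SPI and sequence number
    pkt = seal(Packet(src="192.168.0.1", dst="203.0.113.5", ttl=64,
                      proto=proto, payload=spi_seq + inner))
    return verify(pkt), verify(nat_outbound(pkt, "198.51.100.7"))


if __name__ == "__main__":
    print("AH  before/after NAT:", simulate(AH))   # (True, False)
    print("ESP before/after NAT:", simulate(ESP))  # (True, True)
```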
-- Voltaire

---------- Forwarded message ----------
Date: Sun, 30 Jan 100 14:51:28 -0500 (EST)
From: Mr. Anderson
To: ipsec at lists.tislabs.com
Subject: Future ISAKMP Denial of Service Vulnerablity Needs Addressing

WG Members:

We are hearing more and more concerns in the enterprise community that ISAKMP will be vulnerable to UDP denial of service attacks in the future. This is a widely known and serious flaw, IMHO.

----------------------------------------------------------
FYI Review of RFC 2408: ISAKMP
----------------------------------------------------------

2.5.1 Transport Protocol

ISAKMP can be implemented over any transport protocol or over IP itself. Implementations MUST include send and receive capability for ISAKMP using the User Datagram Protocol (UDP) on port 500.

----------------------------------------------------------

The specification above means that most vendors who read this will build ISAKMP on 500/UDP; which means that any malicious person with a clue as to how UDP DoS attacks can be done will be able to create chaos with the ISAKMP process during SA setup, etc. Vendors with a clue will build an alternate mechanism which allows ISAKMP to play using a more robust transport mechanism, at least TCP based, which raises the bar against simple UDP DoS attacks.

I suggest the ISAKMP RFC address this vulnerability more directly because IPSEC and ISAKMP security issues such as this could be treated more openly in the RFC, perhaps even an ISAKMP protocol risk-analysis should be documented in the IETF process.

Finest Regards,

Neo

From eric.jeffery at EDWARDS.AF.MIL Mon Jan 31 15:38:42 2000
From: eric.jeffery at EDWARDS.AF.MIL (Jeffery Eric Contr 95 CS/SCBA)
Date: Mon, 31 Jan 2000 12:38:42 -0800
Subject: VPN Over Network
Message-ID: <1342BEFC44BED31195100090276D3496399B11@FSFSPM15>

I have a Network Client running Altiga Client Software 2.1 Beta 2. I have a VPN Concentrator installed on our Network. I am able to establish the VPN connection; however, none of the data goes through the tunnel. If I ping, the Client software does not show any traffic pass. Any thoughts?

Eric Jeffery, MCSE
Network Systems Analyst
TYBRIN Corp.

From petricek at KOLEJ.MFF.CUNI.CZ Mon Jan 31 18:16:59 2000
From: petricek at KOLEJ.MFF.CUNI.CZ (Vasek Petricek)
Date: Tue, 1 Feb 2000 00:16:59 +0100
Subject: SKIP Evaluation?
In-Reply-To: <4.2.0.58.20000127123534.00c3b360@homebase.htt-consult.com>

On Thu, 27 Jan 2000, Robert Moskowitz wrote:

> At 12:37 PM 1/27/2000 +0100, Vasek Petricek wrote:
>
> >Has anyone seen or done some evaluation of the SKIP protocol?
>
> We had quite a few of them for the Montreal IETF meeting ;)

Are any of these available somewhere? I think it would provide the missing reasoning for choices made in the RFC's.

> >It seems to differ from IPSec in that it encrypts a packet using a random
> >key that is encrypted using a shared secret and sent together with the
> >packet. Are there any security risks in doing so, or is the overhead
> >considered to be too much?
>
> Not quite. SKIP is an alternative Key Management Protocol to IKE or
> Photuris. All three establish symmetric keying material for IPsec's ESP or AH.
>
> SKIP uses 2 Diffie-Hellman exchanges. The first is based on 'well known'
> keys. Since there is a small chance that these keys would be cracked over
> time, and if used heavily, they are only used to protect an exchange of a
> pair of ephemeral D-Hs that actually supply the IPsec KEYMAT.

I see - now I have read more SKIP docs and I still like the idea with using a long lived master key. What is your opinion on the tradeoff between relatively frequent reestablishment of SA's (IPSec) and rare exchanges but additional cost of sending the keys in packets?
Vasek Petricek

From tbird at PRECISION-GUESSWORK.COM Mon Jan 31 18:54:07 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Mon, 31 Jan 2000 17:54:07 -0600
Subject: Future ISAKMP Denial of Service Vulnerablity Needs Addressing (fwd)

---------- Forwarded message ----------
Date: Mon, 31 Jan 2000 15:55:27 -0500
From: Theodore Y. Ts'o
To: Mr. Anderson
Cc: mhw at wittsend.com, mcr at solidum.com, ipsec at lists.tislabs.com, neo at silkroad.com
Subject: Re: Future ISAKMP Denial of Service Vulnerablity Needs Addressing

Let me make a couple of observations here. A lot of people have been getting all excited about the "cookie crumb" attack, thinking that it's something new, or something super serious.

First of all, it should be recognized that the designers of ISAKMP made an engineering trade-off. In Photuris, a cookie exchange was done at the beginning before anything else was done. This allowed the responder to know that the initiator was coming from a valid IP address before having to create *any* state. However, this was done at the cost of an extra round-trip.

In ISAKMP, some state does need to be created, but no heavy-weight crypto operations need to be done until the second packet from the initiator is received, at which point the initiator knows the initiator is coming from a valid IP address. The fact that this state needs to be garbage collected is explicitly mentioned in RFC 2409:

    It should be noted that in the exchanges shown in section 4, the
    anticlogging mechanism should be used in conjuction with a garbage-
    state collection mechanism; an attacker can still flood a server
    using packets with bogus IP addresses and cause state to be created.
    Such aggressive memory management techniques SHOULD be employed by
    protocols using ISAKMP that do not go through an initial, anti-
    clogging only phase, as was done in [Karn].

Now, was this a bad decision? It depends on how much you value minimization of round-trips, and how bad you believe the resulting DoS possibilities are as a result.

As regards to the latter question, it should be noted that most of the TCP/IP infrastructure is subject to the same problem; to wit, the SYN attack --- and there are defenses against it. It's interesting to note that defenses that worked well towards preventing the SYN attack, such as random drop, also work just as well on the so-called "cookie crumb" attack.

Furthermore, it's not true that the cookie prevents all DoS attacks. It simply prevents DoS attacks that come from spoofed IP address such that it is hard to track down from whence they came. In the TCP SYN attack, part of the problem was that with the listen queue depth set at 5, it was possible for a very low-bandwidth attack to completely paralyze a host, and if an attack only required sending a packet or two per minute, it was hard to identify the source, both to block it and to implement out-of-band-corrective-measures (i.e., a smackdown).

But in the case of the "exploit" provided by Simpson, the IKE implementation is flooded by cookies as fast as the receiver can send them. True, the IP addresses were masked so you couldn't trace it back via the IP address. But the packet flow is big enough that it should be fairly easy to track it back simply by looking at the packet statistics at various router interfaces. This makes it very much unlike the TCP Syn attack, and therefore much less of an issue.

True, Simpson's program could be modified to slow down the rate at which cookies were issued, in an attempt to evade detection. However, this also slows the rate at which state needs to be kept, and assuming that the recommendation in RFC 2409 is followed to have a good garbage collection mechanism (and a random drop technique when huge number of initial cookies are found in the system should do the trick quite nicely --- see discussions regarding the SYN attack about why this works), it's hard for me to see why this is such a huge problem as some people make it out to be.

Fundamentally, it is extremely hard to defend against all denial of service attacks. If an attacker is willing to give away their location (or at least their IP address), the cookie doesn't save you. A large part of the defense against DoS attacks is the knowledge that if it is attempted that the problem can be easily traced back to the perpetrator. This doesn't have to be by IP address, however. If it involves a very heavy packet flow, it can be just as easily traced back. Hence, all that is necessary is to harden an implementation to such a point that in order to carry out such a clogging attack, the attacker is forced to use a heavy enough flow that the flow can be easily traced back to the source.

- Ted

From Matthew_S_Cramer at ARMSTRONG.COM Mon Jan 31 15:36:36 2000
From: Matthew_S_Cramer at ARMSTRONG.COM (Cramer, Matthew)
Date: Mon, 31 Jan 2000 15:36:36 -0500
Subject: Using SSH
Message-ID: <85256877.007127A7.00@mailex02.armstrong.com>

For the NT server side, you can install a replacement POSIX subsystem and the GNU compiler. My personal favourite is U/WIN from ATT Labs - there is info out there on getting GCC to work with U/WIN (see the U/WIN users list). With that, one could compile SSH and then run it as a service. I've heard of it done, but never done it.

NT Client side - there is DataFellows F-Secure, SecureTTY (both commercial), and PuTTY (free, but does not do RSA auth).
SSH supports more than the algorithms you list - also IDEA (default) and ARCFOUR (a implementation of RC4 (in theory) published to Usenet). Those are of course just the symmetric cryptography; RSA is used for the asymmetric key exchange. OpenSSH from the OpenBSD folks probably uses Diffie-Hellman for key exchange (since RSA is patent restricted by US patent law until fall of 2000). Your statement about location does not make sense - SSH is available from all sorts of places, .fi and .nl, for example, which are not bound by US Export restrictions. Don't download any crypto from us Americans - first of all our Government needs their head's examined, secondly stronger crypto is available everywhere else! From: Saravana Ram on 01/30/2000 03:36 AM Please respond to Saravana Ram From tisc-pc at CORECOM.COM Mon Jan 31 19:05:57 2000 From: tisc-pc at CORECOM.COM (Piscitello, David) Date: Tue, 1 Feb 2000 00:05:57 GMT Subject: TISC April 24-28 2000 San Jose Message-ID: <20000201000557.604.qmail@kiki.netreach.net> The Fourth Internet Security Conference will be held April 24-28, 2000 in San Jose, CA, at the Fairmont Hotel. TISC is an educational forum for security professionals and practitioners. The TISC Security Symposium is an opportunity for individuals to share their expertise and practical experience with others involved in the design, implementation and deployment of networked security systems. To register, or to learn more about TISC workshops and symposium sessions, visit http://tisc.corecom.com We invite you to subscribe to the TISC bi-weekly newsletter, Insight, by visiting http://tisc.corecom.com/insight.html We hope to see you in San Jose! 
Regards,
The TISC Advisory Board

From petricek at KOLEJ.MFF.CUNI.CZ Mon Jan 31 17:32:36 2000
From: petricek at KOLEJ.MFF.CUNI.CZ (Vasek Petricek)
Date: Mon, 31 Jan 2000 23:32:36 +0100
Subject: IPsec Evaluation (fwd)
In-Reply-To: <4.2.0.58.20000126145655.00c50240@homebase.htt-consult.com>

On Wed, 26 Jan 2000, Robert Moskowitz wrote:

> At 01:32 PM 1/25/2000 -0600, Tina Bird wrote:
>
> >The review is divided into two main sections. The
> >first one evaluates IPsec's handling of bulk data
> >transmission. It recommends dropping AH and ESP
> >transport mode from the protocol, claiming that the
> >security these options provide is far outweighed
> >by the complexity they add into VPN systems.
>
> If the world is nothing but VPNs, I would agree with this.
>
> However, VPNs are just a stepping stone to end to end protection. For
> this, it is ESP transport mode that should be used. Further, tunnel mode
> provides more known text for attacks.

The suggested compression by specifying the fields that are the same in inner and outer header can help reduce the amount of known text so that it will have nearly the same overhead as ESP transport.

Vasek Petricek

From rk_ at MAILCITY.COM Mon Jan 31 22:21:21 2000
From: rk_ at MAILCITY.COM (S Ramakrishnan)
Date: Mon, 31 Jan 2000 19:21:21 -0800
Subject: Using SSH

Hi -

Thanks for the useful information. My questions about the protocols used in SSH were with regards to:

(a) what key exchange protocol is used by SSH?
(b) what authentication protocol is used?
(c) Are the encryption keys used by SSH derived off the authentication information provided by the client (such as the password or some such)?
(d) Can the client authentication be bound to RADIUS?

Thanks !

- r

On Mon, 31 Jan 2000 15:36:36 Cramer, Matthew wrote:
>For the NT server side, you can install a replacement POSIX subsystem and the
>GNU compiler.
>My personal favourite is U/WIN from ATT Labs - there is info out
>there on getting GCC to work with U/WIN (see the U/WIN users list). With that,
>one could compile SSH and then run it as a service. I've heard of it done, but
>never done it.
>
>NT Client side - there is DataFellows F-Secure, SecureTTY (both commercial), and
>PuTTY (free, but does not do RSA auth).
>
>SSH supports more than the algorithms you list - also IDEA (default) and ARCFOUR
>(an implementation of RC4 (in theory) published to Usenet). Those are of course
>just the symmetric cryptography; RSA is used for the asymmetric key exchange.
>OpenSSH from the OpenBSD folks probably uses Diffie-Hellman for key exchange
>(since RSA is patent restricted by US patent law until fall of 2000).
>
>Your statement about location does not make sense - SSH is available from all
>sorts of places, .fi and .nl, for example, which are not bound by US Export
>restrictions. Don't download any crypto from us Americans - first of all our
>Government needs their heads examined, secondly stronger crypto is available
>everywhere else!
>
>From: Saravana Ram on 01/30/2000 03:36 AM
>
>Please respond to Saravana Ram
>
>To: VPN at SECURITYFOCUS.COM
>cc: (bcc: Matthew S Cramer/Lancaster/Corporate/Armstrong)
>Subject: Re: Using SSH
>
>From: "S Ramakrishnan"
>
>> Can SSH be used on an NT box?
>> Are there sample blueprints to
>> get up and started on SSH based
>> access control schemes?
>
>Which will be the server side, a Linux box or an NT box? That is more
>important. The full SSH package is easily available on unix flavours, but I
>know not of any server-side implementations for NT. SSH clients, though, are
>available on both platforms. (How could you use it on the server side,
>anyway?)
>
>> What underlying security protocol is
>> SSH based on?
>
>If you are asking about cryptographic transforms, the original SSH uses DES,
>3DES, and Blowfish. But if you're not in America, you're left with only DES.
From dgillett at NIKU.COM Mon Jan 31 20:13:56 2000
From: dgillett at NIKU.COM (David Gillett)
Date: Mon, 31 Jan 2000 17:13:56 -0800
Subject: VPN Over Network
In-Reply-To: <1342BEFC44BED31195100090276D3496399B11@FSFSPM15>
Message-ID: <002201bf6c51$9cf584b0$f30410ac@niku.com>

Is this client using a machine that was previously directly connected to your network?

The symptom sounds like a case we've often seen with the 1.26 client (don't have 2.1 yet), with our laptop users who work in the office and then go out on the road. The route information from their in-house connection is still present, and so after the connection to the concentrator is established, their traffic bound for the trusted network is finding an apparent route via the NIC before it gets to the tunnel. (If the NIC's address was assigned via DHCP -- ours almost always are -- then an IPCONFIG /RELEASE before connecting to the ISP will flush out the old route entries. If the configuration is static, I've been recommending a switcher such as Symantec's Mobile Essentials....)

Hmmm... I had expected that Altiga would have to fix this in order to support "split tunnelling", which I thought was supposed to be in 2.x. So maybe this is something else.

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Jeffery Eric Contr 95 CS/SCBA
Sent: January 31, 2000 12:39
To: VPN at SECURITYFOCUS.COM
Subject: VPN Over Network

I have a Network Client running Altiga Client Software 2.1 Beta 2. I have a VPN Concentrator installed on our Network. I am able to establish the VPN connection; however, none of the data goes through the tunnel. If I ping, the Client software does not show any traffic passing. Any thoughts?
Eric Jeffery, MCSE
Network Systems Analyst
TYBRIN Corp.

From anne at SSH.FI Fri Jan 21 14:23:46 2000
From: anne at SSH.FI (Carasik, Anne)
Date: Fri, 21 Jan 2000 11:23:46 -0800
Subject: Linux VPN
Message-ID: <20000121112346.A686@ssh.com>

Hi Todd,

Check out VPS 2.0, which is an open source VPN for Linux.

-Anne

On Thu, Jan 20, 2000 at 10:20:49PM -0800, Todd Wilburn wrote:
> We are thinking of using Linux for our server/firewalls and we need to do
> VPN. What programs are available for a Linux VPN box? I can use secret
> pass codes or certs.
>
> Thanks,
>
> Todd Wilburn

--
Anne Carasik                          Email: anne at ssh.com
SSH Communications Security, Inc.     Senior Technical Support Engineer
"Any two consenting adults can rub two primes together to create a public keypair" - R. Thayer

From lhebert at NETESYS.COM Fri Jan 14 11:06:03 2000
From: lhebert at NETESYS.COM (Laurent Hebert)
Date: Fri, 14 Jan 2000 11:06:03 -0500
Subject: IPX
Message-ID: <01A8EA59.A0F33340.lhebert@netesys.com>

I know that Cisco can encapsulate the IPX traffic in GRE... Novell also has a native solution if the customer is using Netware 5 and their Border Manager product.

Laurent

-----Original Message-----
From: Tina Bird [SMTP:tbird at PRECISION-GUESSWORK.COM]
Sent: Friday, January 14, 2000 7:39 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: IPX

My interpretation of Eric's question is that he's thinking of using the IP-to-IPX gateway to communicate between the NT and Netware servers. The performance of that system is okay if you're only hitting a couple of machines (well, "okay" is a pretty subjective measurement of performance, and your users may disagree), but if you have a lot of traffic to translate it's pretty inefficient.
Eric, I've worked with a few customers who've used routers to do the encapsulation of the IPX traffic -- if you check out http://kubarb.phsx.ukans.edu/~tbird/vpn/vpnfeatures.html and look for hardware-based systems that handle IPX, they ought to be able to do what you need. >Some< day that vendor information is going to be searchable!

cheers -- Tina

On Fri, 14 Jan 2000, Stephen Hope wrote:

> Date: Fri, 14 Jan 2000 09:00:08 -0000
> From: Stephen Hope
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: IPX
>
> Maybe I am missing something here,
>
> but if you are running WAN links across a VPN and presumably routers, serial
> links and so on, why would going NT server -> Novell server on the LAN
> once you get to a main site hit performance?
>
> I would expect some added delay for file open etc, but extra hops across
> a LAN should be negligible compared to VPN slowdowns.
>
> Stephen
>
> Stephen Hope C. Eng, Network Consultant, shope at datarange.co.uk,
> Datarange Communications PLC, part of Energis, WWW:
> http://www.datarange.co.uk
> Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
> Tel: +44 (0)161 776 4190 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776
> 4189
>
> > -----Original Message-----
> > From: Jeffery Eric Contr 95 CS/SCBA
> > [mailto:eric.jeffery at EDWARDS.AF.MIL]
> > Sent: Thursday, January 13, 2000 11:48 PM
> > To: VPN at SECURITYFOCUS.COM
> > Subject: IPX
> >
> >
> > How do you folks access IPX Netware Servers with VPN
> > Concentrator device?
> >
> > We can set up a share between on an NT Server to access a
> > Netware Server and
> > get the data that way; however, this will slow us down.
> > Thought? Lessons
> > learned?
> >
> > Eric Jeffery, MCSE
> > Network Systems Analyst
> > TYBRIN Corp.
> > Edwards AFB, CA
> > 661-277-1760
>
> "Doubt is an uncomfortable situation, but certainty is an absurd one."
> -- Voltaire

From lhebert at NETESYS.COM Fri Jan 14 11:17:50 2000
From: lhebert at NETESYS.COM (Laurent Hebert)
Date: Fri, 14 Jan 2000 11:17:50 -0500
Subject: VPN behind a firewall with NAT
Message-ID: <01A8EA5B.47D541C0.lhebert@netesys.com>

Did you check with Check Point to see if they have a VPN client that works with their Firewall? If not, you could install another VPN solution (VPN Gateway attached to a dedicated port on your Firewall that comes with a good VPN client that fits your needs...). Altiga has a very good product that is compatible with a lot of VPN clients (including MS).

Laurent

-----Original Message-----
From: Ivan Fox [SMTP:ifox100 at HOTMAIL.COM]
Sent: Wednesday, January 12, 2000 2:20 PM
To: VPN at SECURITYFOCUS.COM
Subject: VPN behind a firewall with NAT

Some of our engineers are working at customer plants. They need to access NT and Lotus Notes servers back home here. The manufacturing plants which they are working in are highly secured. They are *not* allowed to use dial-up networking. They are working behind a firewalled network.

We are using Checkpoint Firewall-1 with VPN-1. Should I just ask their network administrators to open ports 500 and 501 so that they can use SecureRemote to access the Lotus Notes servers and NT servers back home.

Any pointers are appreciated.

Thanks,
Ivan
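Editor's worked example, placed at the end of this archive segment and tied to Ted's message at the top of it about RFC 2409 cookies, garbage collection and random drop. This is added example code, not anything posted by a list member and not an implementation from RFC 2409 or any product. It models a responder that hands out stateless cookies, creates a half-open table entry only once the cookie has been echoed back (so a spoofed flood of first packets costs a hash each and no memory), drops a random entry when the bounded table is full, and frees entries when the exchange completes. The names Responder, make_cookie and simulate, the "slot" argument standing in for a coarse timestamp, and the 203.0.113.x / 198.51.100.x addresses are all this example's own constructions.

```python
import hashlib
import hmac
import random
import secrets


def make_cookie(secret: bytes, peer_addr: str, peer_port: int, slot: int) -> bytes:
    """Stateless cookie: an HMAC over the peer's address/port and a coarse
    time slot under a responder-private secret. Nothing is stored when the
    cookie is issued, so a flood of first packets costs only one hash each.
    (Hypothetical construction for this example, not the RFC 2409 formula.)"""
    msg = f"{peer_addr}|{peer_port}|{slot}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


class Responder:
    """Toy responder: bounded half-open table with random drop on overflow."""

    def __init__(self, max_half_open: int, rng=None):
        self.secret = secrets.token_bytes(32)
        self.max_half_open = max_half_open
        self.half_open = {}          # cookie -> peer info, set only after round trip
        self.dropped = 0             # number of random-drop evictions
        self.rng = rng or random.Random()

    def first_message(self, peer_addr: str, peer_port: int, slot: int) -> bytes:
        # Phase 1: hand back a cookie and keep no state at all.
        return make_cookie(self.secret, peer_addr, peer_port, slot)

    def second_message(self, peer_addr: str, peer_port: int, slot: int, cookie: bytes) -> bool:
        # Verify the echoed cookie. A peer that cannot receive at its claimed
        # address never gets here, so spoofed floods never consume a table slot.
        expected = make_cookie(self.secret, peer_addr, peer_port, slot)
        if not hmac.compare_digest(expected, cookie):
            return False
        if cookie in self.half_open:
            return True              # retransmission; entry already tracked
        # Table full: evict a random entry so one heavy source cannot
        # monopolise the table (the SYN-flood defence Ted refers to).
        if len(self.half_open) >= self.max_half_open:
            victim = self.rng.choice(list(self.half_open))
            del self.half_open[victim]
            self.dropped += 1
        self.half_open[cookie] = (peer_addr, peer_port, slot)
        return True

    def complete(self, cookie: bytes) -> bool:
        # Garbage collection: a finished exchange releases its table entry.
        return self.half_open.pop(cookie, None) is not None


def simulate(flood_size: int = 10000, table_size: int = 64, seed: int = 1) -> dict:
    """Constructed scenario: a spoofed flood of first messages from addresses
    that never see the reply, followed by more genuine peers than the table
    holds, then one forged cookie. Returns the observable responder state."""
    r = Responder(table_size, random.Random(seed))
    for i in range(flood_size):                       # spoofed sources: no echo
        r.first_message(f"203.0.113.{i % 256}", 500, slot=0)
    half_open_after_flood = len(r.half_open)
    accepted = 0
    for i in range(table_size + 10):                  # genuine peers echo the cookie
        addr, port = f"198.51.100.{i % 256}", 500 + i
        c = r.first_message(addr, port, slot=0)
        if r.second_message(addr, port, 0, c):
            accepted += 1
    forged = r.second_message("198.51.100.1", 500, 0, b"\x00" * 8)
    return {
        "half_open_after_spoof_flood": half_open_after_flood,
        "genuine_accepted": accepted,
        "table_len": len(r.half_open),
        "random_drops": r.dropped,
        "forged_cookie_accepted": forged,
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The point the simulation makes is the one in Ted's post: the spoofed flood leaves the table empty, the bounded table plus random drop means the attacker has to sustain a heavy, traceable flow of fully round-tripped exchanges to keep real peers out, and the exchange itself still costs the attacker an address it can receive at.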