From andrew at SANFRANMAIL.COM Thu Jun 1 11:46:17 2000
From: andrew at SANFRANMAIL.COM (andrew at SANFRANMAIL.COM)
Date: Thu, 1 Jun 2000 08:46:17 -0700
Subject: Checkpoint
Message-ID: <001101bfcbe0$86a90580$060110ac@pacbell.net>

I'm currently working on configuring a PIX for VPN services. We are connecting to a CheckPoint firewall over the Internet. We are using a manual IPSec setup. Does anyone know if the CheckPoint can be configured with different SPI values for both the AH and the ESP?

Andrew

VPN is sponsored by SecurityFocus.COM


From Alessandro.Predieri at MCIWORLDCOM.IT Thu Jun 1 12:33:40 2000
From: Alessandro.Predieri at MCIWORLDCOM.IT (Predieri, Alessandro)
Date: Thu, 1 Jun 2000 17:33:40 +0100
Subject: VPN Performance
Message-ID: <2FB074C218C1D211B00B0008C75DE7E6010ABEB8@itmil1r2.wcom.it>

I have to write a chapter of my university degree thesis about VPN performance. Has anyone of you done some tests? I'm interested in tests of the DES & 3-DES performance.

Thank you very much to all.

Predieri Alessandro
MCIWORLDCOM S.p.A.
Corso Garibaldi, 86, 20121 Milano
Ph. 39-023600.1377
Fax. 39-023600.1791
Email alessandro.predieri at mciworldcom.it

--
This communication contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any distribution, copying or use of this communication or the information in it is strictly prohibited. If you have received this communication in error, please notify the sender immediately and then destroy any copies of it.


From clbrewer at US.IBM.COM Thu Jun 1 13:14:57 2000
From: clbrewer at US.IBM.COM (Brewer, CL)
Date: Thu, 1 Jun 2000 13:14:57 -0400
Subject: Real life performance....
Message-ID:

I am looking at a VPN-330 Appliance box from Checkpoint and was wondering if anyone has any real life performance information?

Thank You in advance!

Chad L.
Brewer
IBM Global Services
www.ibm.com/services


From patrick at SECUREOPS.COM Thu Jun 1 15:50:42 2000
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Thu, 1 Jun 2000 15:50:42 -0400
Subject: WatchGuard SOHO VPN to Raptor 6.0/6.5
Message-ID: <403626CA58D4D3119B92005004A514880FFD78@Dominus.SecureOps.com>

Hi Dave,

It can't be IPsec compliant if it is a little off-center. My guess would be to call SOHO and ask them if they have any known issues with talking to Raptor. I've only played with RaptorMobile Client but I have not had a chance to test IPsec on a Raptor gateway.

I'd say use a TCPDUMP to see what is going on in the IKE exchange but alas, if the IKE SA and the IPsec SAs were set up then it relies on the implementation of IPsec at either end of the tunnel.

Regards,

Patrick Ethier
patrick at secureops.com

-----Original Message-----
From: Dave Sroelov [mailto:dave at ascomputer.com]
Sent: Wednesday, May 31, 2000 7:53 PM
To: Patrick Ethier
Subject: Re: WatchGuard SOHO VPN to Raptor 6.0/6.5

patrick,

believe me, i would change a lot of configuration stuff on the SOHO if i could. the only problem is that you can't configure much of anything. i do know that it doesn't use AH. i know this because i configured the raptor to use it and then they wouldn't even start the tunnel.

considering that everyone says they are IPSEC/ISAKMP compatible, and the SOHO doesn't work with checkpoint 4.0 but does with 4.1, i suspect the SOHO is a little off center on its implementation. checkpoint probably made an "accommodation" strictly for market share.

thanks for getting back to me.

dave

Patrick Ethier wrote:

> Hi Dave,
>
> Try configuring both sides to not use AH and see what that will do. The
> problem might rely on the way that the SOHO does NAT. If it IPsecs and the
> NATs then this would explain your problem.
>
> -----Original Message-----
> From: Dave Sroelov [mailto:dave at ASCOMPUTER.COM]
> Sent: Saturday, May 27, 2000 3:47 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: WatchGuard SOHO VPN to Raptor 6.0/6.5
>
> dear everyone,
>
> i have a need to connect a watchguard soho to a raptor firewall via the
> branch vpn option for the soho. so far, after several hours of playing
> with this option, that option, and the other option, i have the two
> connected with a live tunnel. however, it does have its problems, i.e.
> half the tunnel doesn't work.
>
> the following happens after the tunnel is up:
>
> 1. if i ping from a system on the raptor side to a system on the
> watchguard side, the packet goes to the raptor, over the tunnel to the
> watchguard, to the system on the other side, and gets there in one
> piece. the receiving system sends out a reply packet, which goes to the
> watchguard, then to the raptor. but the raptor says it has a bad
> checksum and dumps it.
>
> 2. if i ping from a system on the watchguard side to a system on the
> raptor side, the packet goes to the watchguard, over the tunnel to the
> raptor, and the raptor says it has a bad checksum and dumps it.
>
> since the tunnel is up, meaning that the authentication worked, i assume
> that the two boxes can talk to each other. but for some reason, when
> the watchguard is encapsulating regular data packets, it is doing
> something just a little off center.
>
> any help would be greatly appreciated.
>
> thanks.
>
> dave


From patrick at SECUREOPS.COM Thu Jun 1 16:03:18 2000
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Thu, 1 Jun 2000 16:03:18 -0400
Subject: WatchGuard SOHO VPN to Raptor 6.0/6.5
Message-ID: <403626CA58D4D3119B92005004A514880FFD7C@Dominus.SecureOps.com>

While you're waiting, your other option is to set up a VPN gateway behind your SOHO box to handle IPsec while you wait for the bugfix.
There shouldn't be any issues with the NAT unless you use AH.

-----Original Message-----
From: Dave Sroelov [mailto:dave at ascomputer.com]
Sent: Thursday, June 01, 2000 3:54 PM
To: Patrick Ethier
Subject: Re: WatchGuard SOHO VPN to Raptor 6.0/6.5

they do not support pptp or l2tp in this particular implementation. the soho box has a branch vpn option that lets them do site to site using an IPSEC/ISAKMP tunnel. the only problem is that they have only tested it with their own products and with checkpoint 4.1

dave

Patrick Ethier wrote:

> Do they support pptp or l2tp??? If so, I think it may be possible to connect
> to Raptor.
>
> If they don't, I don't see how they can claim to support VPNing.
>
> -----Original Message-----
> From: Dave Sroelov [mailto:dave at ascomputer.com]
> Sent: Thursday, June 01, 2000 3:47 PM
> To: Patrick Ethier
> Subject: Re: WatchGuard SOHO VPN to Raptor 6.0/6.5
>
> patrick,
>
> i have watchguard tech support on the phone as i am typing this message. i
> finally got someone to tell me that their implementation has not been
> certified yet. i think that pretty much says it all.
>
> that also means there's hope. when they get bounced during certification
> they will have to fix the bug.
>
> dave
>
> Patrick Ethier wrote:
>
> > Hi Dave,
> >
> > It can't be IPsec compliant if it is a little off-center. My guess would be
> > to call SOHO and ask them if they have any known issues with talking to
> > Raptor. I've only played with RaptorMobile Client but I have not had a
> > chance to test IPsec on a Raptor gateway.
> >
> > I'd say use a TCPDUMP to see what is going on in the IKE exchange but alas,
> > if the IKE SA and the IPsec SAs were set up then it relies on the
> > implementation of IPsec at either end of the tunnel.
> >
> > Regards,
> >
> > Patrick Ethier
> > patrick at secureops.com
> >
> > -----Original Message-----
> > From: Dave Sroelov [mailto:dave at ascomputer.com]
> > Sent: Wednesday, May 31, 2000 7:53 PM
> > To: Patrick Ethier
> > Subject: Re: WatchGuard SOHO VPN to Raptor 6.0/6.5
> >
> > patrick,
> >
> > believe me, i would change a lot of configuration stuff on the SOHO if i
> > could. the only problem is that you can't configure much of anything. i do
> > know that it doesn't use AH. i know this because i configured the raptor to
> > use it and then they wouldn't even start the tunnel.
> >
> > considering that everyone says they are IPSEC/ISAKMP compatible, and the SOHO
> > doesn't work with checkpoint 4.0 but does with 4.1, i suspect the SOHO is a
> > little off center on its implementation. checkpoint probably made an
> > "accommodation" strictly for market share.
> >
> > thanks for getting back to me.
> >
> > dave
> >
> > Patrick Ethier wrote:
> >
> > > Hi Dave,
> > >
> > > Try configuring both sides to not use AH and see what that will do. The
> > > problem might rely on the way that the SOHO does NAT. If it IPsecs and the
> > > NATs then this would explain your problem.
> > >
> > > -----Original Message-----
> > > From: Dave Sroelov [mailto:dave at ASCOMPUTER.COM]
> > > Sent: Saturday, May 27, 2000 3:47 PM
> > > To: VPN at SECURITYFOCUS.COM
> > > Subject: WatchGuard SOHO VPN to Raptor 6.0/6.5
> > >
> > > dear everyone,
> > >
> > > i have a need to connect a watchguard soho to a raptor firewall via the
> > > branch vpn option for the soho. so far, after several hours of playing
> > > with this option, that option, and the other option, i have the two
> > > connected with a live tunnel. however, it does have its problems, i.e.
> > > half the tunnel doesn't work.
> > >
> > > the following happens after the tunnel is up:
> > >
> > > 1.
> > > if i ping from a system on the raptor side to a system on the
> > > watchguard side, the packet goes to the raptor, over the tunnel to the
> > > watchguard, to the system on the other side, and gets there in one
> > > piece. the receiving system sends out a reply packet, which goes to the
> > > watchguard, then to the raptor. but the raptor says it has a bad
> > > checksum and dumps it.
> > >
> > > 2. if i ping from a system on the watchguard side to a system on the
> > > raptor side, the packet goes to the watchguard, over the tunnel to the
> > > raptor, and the raptor says it has a bad checksum and dumps it.
> > >
> > > since the tunnel is up, meaning that the authentication worked, i assume
> > > that the two boxes can talk to each other. but for some reason, when
> > > the watchguard is encapsulating regular data packets, it is doing
> > > something just a little off center.
> > >
> > > any help would be greatly appreciated.
> > >
> > > thanks.
> > >
> > > dave


From patrick at SECUREOPS.COM Fri Jun 2 10:25:00 2000
From: patrick at SECUREOPS.COM (Patrick Ethier)
Date: Fri, 2 Jun 2000 10:25:00 -0400
Subject: aggressive mode VPN under OpenBSD
Message-ID: <403626CA58D4D3119B92005004A514880FFD7F@Dominus.SecureOps.com>

Hi Matthew,

Yup, it works fine with me. Look at http://www.secureops.com/vpn/ipsecvpn.html in section 6.1. I implemented it with RaptorMobile but it should work for any other IPsec client.

Another thing, look through the misc at openbsd.org archive. Niels posted the solution to this in a reply to me a while back.

If you need specific help in setting it up I'm here to help. Of course, you'll need OBSD 2.7 in order for this to work.
Regards,

Patrick Ethier
patrick at secureops.com

-----Original Message-----
From: matthew patton [mailto:mep at netsec.net]
Sent: Friday, June 02, 2000 10:17 AM
To: VPN at SECURITYFOCUS.COM
Cc: misc at openbsd.org
Subject: aggressive mode VPN under OpenBSD

To date, several people have posted configurations that allow one to use dynamic IP clients and OpenBSD VPN gateways. As far as I can determine, though, such setups require all users to share the same pre-shared key. That's not acceptable in my book.

The only supposedly working aggressive mode configuration I've seen doesn't use dynamic IPs and further, recent isakmpd's reject the phase1 section because it's missing the "Authentication=" section. So does anybody out there have a working isakmpd.conf file that uses dynamic IP clients AND aggressive mode?

--
Network Security Technologies Inc. - Commercial support for OpenBSD
www.netsec.net (703) 561-0420 matthew.patton at netsec.net
"Government is not reason; it is not eloquence; it is force! Like fire, it is a dangerous servant and a fearful master." - George Washington


From mep at NETSEC.NET Fri Jun 2 10:16:56 2000
From: mep at NETSEC.NET (matthew patton)
Date: Fri, 2 Jun 2000 10:16:56 -0400
Subject: aggressive mode VPN under OpenBSD
Message-ID:

To date, several people have posted configurations that allow one to use dynamic IP clients and OpenBSD VPN gateways. As far as I can determine, though, such setups require all users to share the same pre-shared key. That's not acceptable in my book.

The only supposedly working aggressive mode configuration I've seen doesn't use dynamic IPs and further, recent isakmpd's reject the phase1 section because it's missing the "Authentication=" section. So does anybody out there have a working isakmpd.conf file that uses dynamic IP clients AND aggressive mode?

--
Network Security Technologies Inc.
- Commercial support for OpenBSD
www.netsec.net (703) 561-0420 matthew.patton at netsec.net
"Government is not reason; it is not eloquence; it is force! Like fire, it is a dangerous servant and a fearful master." - George Washington


From provos at CITI.UMICH.EDU Fri Jun 2 20:42:19 2000
From: provos at CITI.UMICH.EDU (Niels Provos)
Date: Fri, 2 Jun 2000 20:42:19 -0400
Subject: aggressive mode VPN under OpenBSD
In-Reply-To: matthew patton, Fri, 02 Jun 2000 10:16:56 EDT
Message-ID: <20000603004219.87136207C2@citi.umich.edu>

In message , matthew patton writes:
>aggressive mode configuration I've seen doesn't use dynamic IPs and
>further, recent isakmpd's reject the phase1 section because it's
>missing the "Authentication=" section. So does anybody out there have a
>working isakmpd.conf file that uses dynamic IP clients AND aggressive
>mode?

In aggressive mode you can deal with dynamic IPs by using either USER_FQDN or FQDN IDs. You can leave out the Authentication= entry in the default section, and put a different authentication key into each ID section.

Niels.


From guy.raymakers at EDS.COM Mon Jun 5 07:24:27 2000
From: guy.raymakers at EDS.COM (Raymakers, Guy)
Date: Mon, 5 Jun 2000 12:24:27 +0100
Subject: Network Alchemy
Message-ID:

Hi,

Can someone help us with the configuration (guidelines, ...) of PPTP over IPSec in a Network Alchemy environment (CryptoCluster + IRE IPSec client/MS PPTP client)?
Many Thanks
Guy

Guy Raymakers
Network Engineer
EDS
EMail : guy.raymakers at eds.com
Atlantic House    Tel : +32 (0)3 544 66 46
Noorderlaan 147   Fax : +32 (0)3 544 65 86


From jrnorton at ALTIERTECH.COM Mon Jun 5 11:21:09 2000
From: jrnorton at ALTIERTECH.COM (Joel Norton)
Date: Mon, 5 Jun 2000 10:21:09 -0500
Subject: VPN Resource
In-Reply-To: <20000603004219.87136207C2@citi.umich.edu>
Message-ID:

This is a rather general question, but can anyone recommend one or two good comprehensive resources on setting up a vpn with Win NT and PPTP?

Joel Norton


From jonc at HAHT.COM Mon Jun 5 14:41:34 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Mon, 5 Jun 2000 14:41:34 -0400
Subject: VPN Resource
References:
Message-ID: <02ce01bfcf1d$bef56e20$6803010a@dhcp.haht.com>

Go to the source! http://www.microsoft.com

Look in their knowledge base (under Support). They have a lot of stuff, including a very good white paper on setting up an NT server as a PPTP - VPN server.

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "Joel Norton"
To:
Sent: Monday, June 05, 2000 11:21 AM
Subject: VPN Resource

> This is a rather general question, but can anyone recommend one or two good
> comprehensive resources on setting up a vpn with Win NT and PPTP?
>
> Joel Norton


From lkh at DGSYS.COM Mon Jun 5 17:52:56 2000
From: lkh at DGSYS.COM (Lowell Hanson)
Date: Mon, 5 Jun 2000 14:52:56 -0700
Subject: VPN Resource
References:
Message-ID: <393C2138.C6DBA8CF@dgsys.com>

Joel,

I have a few URLs on my Internet Web Links page on my Website at: http://www2.dgsys.com/~lkh/TechInfo/Techindex.html

The NT section is about in the middle of the page.

Thanks!
Lowell

Joel Norton wrote:
>
> This is a rather general question, but can anyone recommend one or two good
> comprehensive resources on setting up a vpn with Win NT and PPTP?
>
> Joel Norton

--
------------------------------------------------------
Lowell K. Hanson
Senior Consultant
Phone: 703-817-0627
mailto:lkh at dgsys.com
HTTP://www2.dgsys.com/~lkh
"We can change the world, but must begin with ourselves"


From lkh at DGSYS.COM Tue Jun 6 16:46:05 2000
From: lkh at DGSYS.COM (Lowell Hanson)
Date: Tue, 6 Jun 2000 16:46:05 -0400
Subject: VPN Performance
References: <2FB074C218C1D211B00B0008C75DE7E6010ABEB8@itmil1r2.wcom.it>
Message-ID: <393D630D.1EE238F0@dgsys.com>

Hi Predieri

At http://www2.dgsys.com/~lkh/TechInfo/ContivityMTU_Compression.htm you will find the results of some testing I have been doing in the past few days with a Dialup IPSec connection to a Nortel Networks Contivity Switch. The two Dialup PoPs are in Northern Virginia and the Contivity Switch is in New England. The Ping results are from the Trusted Interface of the Contivity Switch and another Server on the same network as the Public Interface of the Switch when no Encryption is used.

My first goal was to evaluate the effect changes in a W98 workstation would have on throughput. The 576, 2144, 64, 2 are the Maximum Transmission Unit, Default Receive Window, Default Time to Live, and Com boost time. Early W95 Operating Systems exhibited many performance issues which could be resolved by manipulating the above attributes. Apparently W98 has resolved most of these issues, because very little effect was shown by varying these parameters. The Test Station is a Compaq 7465 with 128M of memory and an AMD550 Processor.

The first 5 sets of tests used only one file for the TCP test, the rest of the tests include an Ascii file. The Ascii file is a 400k section of the Unix dictionary file and is compressible by the PPP software in the Workstation. The binary file is the same size but has been encrypted by a Unix encryption process.
The result of this encryption is the file is no longer able to be compressed and speeds tend to be quite close to wire speed.

The last sets of tests were done to measure the results of compression by the Extranet IPSec software. This compression is done before the data is given to the PPP software in the Workstation. The results indicated a large difference in Ping response times and a significant difference in Put times of the Ascii files. The Ascii files could not be compressed by the PPP software since the Extranet Client makes the data incompressible before presenting it to the PPP software.

One of the main points resulting from this testing is that test results are not too useful, and misleading, unless you completely understand all of the variables. The ping results have great variations mainly because of the way the Ping software which I was using operates. It creates a 1387 byte ping with data of all 0's. This, of course, is very compressible and results in one frame of transmitted data as opposed to 4 frames when not compressed.

An interesting test on your part, if you have the resources, would be to do similar kinds of testing with various VPN Client/Server combinations. One of the things to be learned would be if all Clients have compression capabilities.

Let me know if you have any questions.

Thanks!
Lowell

"Predieri, Alessandro" wrote:
>
> I have to write a chapter of my university degree thesis about VPN
> performance.
> Has anyone of you done some tests?
> I'm interested in tests of the DES & 3-DES performance.
>
> Thank you very much to all.
>
> Predieri Alessandro
> MCIWORLDCOM S.p.A.
> Corso Garibaldi, 86, 20121 Milano
> Ph. 39-023600.1377
> Fax. 39-023600.1791
> Email alessandro.predieri at mciworldcom.it
>
--
------------------------------------------------------
Lowell K. Hanson
Senior Consultant
Phone: 703-817-0627
mailto:lkh at dgsys.com
HTTP://www2.dgsys.com/~lkh
"We can change the world, but must begin with ourselves"


From amajumder at CALTIGER.COM Wed Jun 7 20:45:47 2000
From: amajumder at CALTIGER.COM (Anirban Majumder)
Date: Thu, 8 Jun 2000 06:15:47 +0530
Subject: No subject
Message-ID: <000901bfd0e2$e4424d80$2e8356ca@a.majumder>

1. What software is practically used in different stages of implementing a VPN?
2. What additional hardware is required (other than that needed to connect to the internet (modem etc.)) for implementing VPN?
3. Is it possible to connect computers on different platforms (say one is running Win NT and the other Solaris) through VPN?


From kgsatam at INFOSEC.FEDEX.COM Thu Jun 8 18:16:39 2000
From: kgsatam at INFOSEC.FEDEX.COM (Kirtikumar Satam)
Date: Thu, 8 Jun 2000 17:16:39 -0500
Subject: Firewall-1 4.1 and Sonic Wall
Message-ID: <02ad01bfd197$3794f8c0$c13f51c7@dpd.fedex.com>

We are trying to get Sonicwall with VPN enabled to work with Firewall-1 using IKE (DES or 3DES) and MD5 in ESP mode. It always fails in negotiations saying no proposal chosen.

The same firewall works great with any CISCO gear - 800, 1600, 1700 or 2500 series. So, I know for a fact that IKE/IPSEC is working properly on the Firewall-1 SP1.

Any clues?
Kirtikumar Satam


From bekoin at GLOBEACCESS.NET Fri Jun 9 05:18:51 2000
From: bekoin at GLOBEACCESS.NET (Olivier Bekoin)
Date: Fri, 9 Jun 2000 09:18:51 +0000
Subject: selection criteria of VPN solution
Message-ID: <3940B67B.46804DB9@globeaccess.net>

Hi,

This is a general question about the choices of VPN solutions. What are the selection criteria for the choice of a VPN solution? And please, can you help me to find a vpn software which supports the PPTP, L2TP and IPSec protocols and meets some of these criteria?

Thanks
Olivier


From david.bovee at WATCHGUARD.COM Sun Jun 11 01:03:20 2000
From: david.bovee at WATCHGUARD.COM (David Bovee)
Date: Sat, 10 Jun 2000 22:03:20 -0700
Subject: Firewall-1 4.1 and Sonic Wall
Message-ID: <74A68BE138CED311AD5400105A2500210934DF@mail42.inside.sealabs.com>

I may be misunderstood, but I thought that SonicWall talks only DES (not 3DES)...if so, that could be part of the problem?

-D

> -----Original Message-----
> From: Kirtikumar Satam [mailto:kgsatam at INFOSEC.FEDEX.COM]
> Sent: Thursday, June 08, 2000 3:17 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Firewall-1 4.1 and Sonic Wall
>
>
> We are trying to get Sonicwall with VPN enabled to work with Firewall-1
> using IKE (DES or 3DES) and MD5 in ESP mode. It always fails in
> negotiations saying no proposal chosen.
>
> The same firewall works great with any CISCO gear - 800, 1600, 1700 or 2500
> series. So, I know for a fact that IKE/IPSEC is working properly on the
> Firewall-1 SP1.
>
> Any clues?
>
>
> Kirtikumar Satam


From kgsatam at INFOSEC.FEDEX.COM Sun Jun 11 15:39:27 2000
From: kgsatam at INFOSEC.FEDEX.COM (Kirtikumar Satam)
Date: Sun, 11 Jun 2000 14:39:27 -0500
Subject: Firewall-1 4.1 and Sonic Wall
In-Reply-To: <74A68BE138CED311AD5400105A2500210934DF@mail42.inside.sealabs.com>
Message-ID: <000401bfd3dc$c0d23250$d2525c18@keyuree>

If you go to the SonicWall site's demo...

http://www.sonicwall.com/firewall/demo/

It led me to believe that they support 3DES, check under VPN tab..

Satam

-----Original Message-----
From: David Bovee [mailto:david.bovee at watchguard.com]
Sent: Sunday, June 11, 2000 12:03 AM
To: 'Kirtikumar Satam'; VPN at SECURITYFOCUS.COM
Subject: RE: Firewall-1 4.1 and Sonic Wall

I may be misunderstood, but I thought that SonicWall talks only DES (not 3DES)...if so, that could be part of the problem?

-D

> -----Original Message-----
> From: Kirtikumar Satam [mailto:kgsatam at INFOSEC.FEDEX.COM]
> Sent: Thursday, June 08, 2000 3:17 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Firewall-1 4.1 and Sonic Wall
>
>
> We are trying to get Sonicwall with VPN enabled to work with Firewall-1
> using IKE (DES or 3DES) and MD5 in ESP mode. It always fails in
> negotiations saying no proposal chosen.
>
> The same firewall works great with any CISCO gear - 800, 1600, 1700 or 2500
> series. So, I know for a fact that IKE/IPSEC is working properly on the
> Firewall-1 SP1.
>
> Any clues?
>
>
> Kirtikumar Satam


From david.bovee at WATCHGUARD.COM Sun Jun 11 17:56:26 2000
From: david.bovee at WATCHGUARD.COM (David Bovee)
Date: Sun, 11 Jun 2000 14:56:26 -0700
Subject: Firewall-1 4.1 and Sonic Wall
Message-ID: <74A68BE138CED311AD5400105A2500210934F3@mail42.inside.sealabs.com>

http://www.sonicwall.com/firewall/firewall_Features.html

Encryption
Encryption methods include 56 bit Data Encryption Standard (DES) and 56 bit ARCFour (ARC4).

Upon further investigation, it appears they offer 3DES on their higher end products only (according to their online info):

http://www.sonicwall.com/Firewall-DMZ/vpn_overview.html

Encryption.
Encryption methods include 168 bit Data Encryption Standard (Triple-DES), 56 bit Data Encryption Standard (DES) and 56 bit ARCFour (ARC4).

> -----Original Message-----
> From: Kirtikumar Satam [mailto:kgsatam at infosec.fedex.com]
> Sent: Sunday, June 11, 2000 12:39 PM
> To: David Bovee; VPN at SECURITYFOCUS.COM
> Subject: RE: Firewall-1 4.1 and Sonic Wall
>
>
> If you go to the SonicWall site's demo...
>
> http://www.sonicwall.com/firewall/demo/
>
> It led me to believe that they support 3DES, check under VPN tab..
>
> Satam
>
> -----Original Message-----
> From: David Bovee [mailto:david.bovee at watchguard.com]
> Sent: Sunday, June 11, 2000 12:03 AM
> To: 'Kirtikumar Satam'; VPN at SECURITYFOCUS.COM
> Subject: RE: Firewall-1 4.1 and Sonic Wall
>
>
> I may be misunderstood, but I thought that SonicWall talks only DES (not
> 3DES)...if so, that could be part of the problem?
>
> -D
>
> > -----Original Message-----
> > From: Kirtikumar Satam [mailto:kgsatam at INFOSEC.FEDEX.COM]
> > Sent: Thursday, June 08, 2000 3:17 PM
> > To: VPN at SECURITYFOCUS.COM
> > Subject: Firewall-1 4.1 and Sonic Wall
> >
> >
> > We are trying to get Sonicwall with VPN enabled to work with Firewall-1
> > using IKE (DES or 3DES) and MD5 in ESP mode.
> > It always fails in
> > negotiations saying no proposal chosen.
> >
> > The same firewall works great with any CISCO gear - 800, 1600, 1700 or 2500
> > series. So, I know for a fact that IKE/IPSEC is working properly on the
> > Firewall-1 SP1.
> >
> > Any clues?
> >
> >
> > Kirtikumar Satam


From gil at RADGUARD.COM Mon Jun 12 11:53:29 2000
From: gil at RADGUARD.COM (Gil Sperling)
Date: Mon, 12 Jun 2000 17:53:29 +0200
Subject: IPSec events
Message-ID: <39450779.B9EF8F9D@radguard.com>

Hi,

We'd like to maintain an updated calendar of IPsec related events (conferences, bakeoffs etc.), so any info you have will be appreciated.

Thanks,
Gil Sperling
--


From mathenley at HOTMAIL.COM Mon Jun 12 14:50:22 2000
From: mathenley at HOTMAIL.COM (Mat Henley)
Date: Mon, 12 Jun 2000 11:50:22 PDT
Subject: PIX -> Raptor VPN
Message-ID: <20000612185022.24324.qmail@hotmail.com>

Is anyone bringing up VPN connections between Pix and Raptor Firewalls? We're looking at the possibility of doing this but are having a hard time getting any straight answers.

Anyone currently doing this? Raptor 6.0 (NT) -> Pix 5.2

Thanks,
Mat
________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com


From Craig.Illman at PACCAR.COM Mon Jun 12 15:50:15 2000
From: Craig.Illman at PACCAR.COM (Craig Illman)
Date: Mon, 12 Jun 2000 12:50:15 -0700
Subject: PIX -> Raptor VPN
Message-ID:

I have a couple business partners using Raptor 6.0x to my Nortel Contivity v2.51. I haven't been impressed with Raptor's IPSec interoperability, even though it's ICSA certified.
-----Original Message-----
From: Mat Henley [mailto:mathenley at HOTMAIL.COM]
Sent: Monday, June 12, 2000 11:50 AM
To: VPN at SECURITYFOCUS.COM
Subject: PIX -> Raptor VPN

Is anyone bringing up VPN connections between Pix and Raptor Firewalls? We're looking at the possibility of doing this but are having a hard time getting any straight answers.

Anyone currently doing this? Raptor 6.0 (NT) -> Pix 5.2

Thanks,
Mat


From SHOPE at DATARANGE.CO.UK Mon Jun 12 16:01:52 2000
From: SHOPE at DATARANGE.CO.UK (Stephen Hope)
Date: Mon, 12 Jun 2000 21:01:52 +0100
Subject: PIX -> Raptor VPN
Message-ID: <01903665B361D211BF6700805FAD5D93591901@mail.datarange.co.uk>

We are still waiting for complete release of Pix 5.1.2 (was due on June 9th) - it may be out now.

So, which version are you looking at, and if it is 5.2 is it a beta?

Stephen

Stephen Hope C. Eng, Network Consultant, shope at datarange.co.uk, Datarange Communications PLC, part of Energis, WWW: http://www.datarange.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4190 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Mat Henley [mailto:mathenley at HOTMAIL.COM]
> Sent: Monday, June 12, 2000 7:50 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: PIX -> Raptor VPN
>
>
> Is anyone bringing up VPN connections between Pix and Raptor Firewalls?
> We're looking at the possibility of doing this but are having a hard time
> getting any straight answers.
>
> Anyone currently doing this?
> Raptor 6.0 (NT) -> Pix 5.2
>
> Thanks,
> Mat

-----------------------------------------------------------------------------------------------------------
This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of Datarange Communications PLC. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited.

We have an anti-virus system installed on all our PC's and therefore any files leaving us via e-mail will have been checked for known viruses. Datarange Communications PLC accepts no responsibility once an e-mail and any attachments leave us.

If you have received this email in error please notify Datarange Communications IT department on +44 (0) 1494 476222.
-----------------------------------------------------------------------------------------------------------


From mathenley at HOTMAIL.COM Mon Jun 12 16:41:14 2000
From: mathenley at HOTMAIL.COM (Mat Henley)
Date: Mon, 12 Jun 2000 13:41:14 PDT
Subject: PIX -> Raptor VPN
Message-ID: <20000612204114.30715.qmail@hotmail.com>

Typo on my part... it's 5.1.2.

>From: Stephen Hope
>Reply-To: Stephen Hope
>To: VPN at SECURITYFOCUS.COM
>Subject: Re: PIX -> Raptor VPN
>Date: Mon, 12 Jun 2000 21:01:52 +0100
>
>We are still waiting for complete release of Pix 5.1.2 (was due on June
>9th)
>- it may be out now.
>
>So, which version are you looking at, and if it is 5.2 is it a beta?
>
>Stephen
>
>Stephen Hope C.
Eng, Network Consultant, shope at datarange.co.uk, >Datarange Communications PLC, part of Energis, WWW: >http://www.datarange.co.uk >Carrington Business Park, Carrington, Manchester , UK. M31 4ZU >Tel: +44 (0)161 776 4190 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 >4189 > > > > -----Original Message----- > > From: Mat Henley [mailto:mathenley at HOTMAIL.COM] > > Sent: Monday, June 12, 2000 7:50 PM > > To: VPN at SECURITYFOCUS.COM > > Subject: PIX -> Raptor VPN > > > > > > Is anyone bringing up VPN connections between Pix and Raptor > > Firewalls? > > We're looking at the possibility of doing this but are having > > a hard time > > getting any straight answers. > > > > Anyone currently doing this? Raptor 6.0 (NT) -> Pix 5.2 > > > > Thanks, > > Mat > > ______________________________________________________________ > > __________ > > Get Your Private, Free E-mail from MSN Hotmail at > > http://www.hotmail.com > > > > VPN is sponsored by SecurityFocus.COM > > > >----------------------------------------------------------------------------------------------------------- > >This email is confidential and intended solely for the use of the >individual to >whom it is addressed. Any views or opinions presented are solely those of >the >author and do not necessarily represent those of Datarange Communications >PLC. >If you are not the intended recipient, be advised that you have received >this >email in error and that any use, dissemination, forwarding, printing, or >copying >of this email is strictly prohibited. > >We have an anti-virus system installed on all our PC's and therefore any >files >leaving us via e-mail will have been checked for known viruses. >Datarange Communications PLC accepts no responsibility once an e-mail >and any attachments leave us. > >If you have received this email in error please notify Datarange >Communications >IT department on +44 (0) 1494 476222.. 
>----------------------------------------------------------------------------------------------------------- > >VPN is sponsored by SecurityFocus.COM ________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com VPN is sponsored by SecurityFocus.COM From jwalzer at STORMSYSTEMS.COM Mon Jun 12 17:13:21 2000 From: jwalzer at STORMSYSTEMS.COM (Jeff Walzer) Date: Mon, 12 Jun 2000 17:13:21 -0400 Subject: VPN/Firewall recommendation Message-ID: I just come into a situation in which we will all of the sudden have multiple offices throughout the US. A majority of these offices will have 10 users or less because they will be executives. Our office is currently using the Watchguard Firebox II as our firewall/VPN solution. The problem is that Watchguard does not offer any solutions for smaller offices. We will probably install a frame relay network between offices for security and performance reasons (too many problems with DSL and cable modems for the time being). The question I have is there any vendor that covers a small office of 10 or less people to a large office that may have close to 100 users with their products? Specifically looking for a product that combines firewall and VPN capability unless there is reason to separate the two. Thanks, Jeff Walzer VPN is sponsored by SecurityFocus.COM From david.bovee at WATCHGUARD.COM Mon Jun 12 18:15:21 2000 From: david.bovee at WATCHGUARD.COM (David Bovee) Date: Mon, 12 Jun 2000 15:15:21 -0700 Subject: VPN/Firewall recommendation Message-ID: <74A68BE138CED311AD5400105A25002109350C@mail42.inside.sealabs.com> Actually, WatchGuard does have a solution for small offices, the WG SOHO. This box can be licensed for 10-, 25-, or 50-user. 
Check it out at:

General info:
http://www.watchguard.com/

Special offering for SOHO box with a VPN:
http://www.watchguard.com/products/announce.html

Specific product information:
http://www.watchguard.com/products/soho.html

Also, just in case you were wondering, the WG SOHO and WG Firebox were designed to VPN together...there is also a VPN Manager that allows you to visualize the VPNs running on the boxes under management--simple, remote monitoring.

-David

From m.heesbeen at CMG.NL Tue Jun 13 04:25:46 2000
From: m.heesbeen at CMG.NL (Miranda Heesbeen)
Date: Tue, 13 Jun 2000 10:25:46 +0200
Subject: IPsec Tunnels modes with VPN
Message-ID: <3DE1DF234B51D211A70600104BB3F6DA01BD9A20@NL-ROT-MAIL01>

Hello everyone,

Does somebody know why IPsec has different tunnel modes with VPN (tunnel, transport and iteratie mode)? What sort of functions (abilities) do these give the VPN? Or has it nothing to do with each other?

Thanks.

Greetings,

Miranda Heesbeen

From SHOPE at DATARANGE.CO.UK Tue Jun 13 08:56:46 2000
From: SHOPE at DATARANGE.CO.UK (Stephen Hope)
Date: Tue, 13 Jun 2000 13:56:46 +0100
Subject: VPN/Firewall recommendation
Message-ID: <01903665B361D211BF6700805FAD5D93591903@mail.datarange.co.uk>

The Q I would ask first with this is - what will the comms model you use be?

You ask about VPN, but this is not normally used over F/Relay.

You should only need a firewall at every site for specific reasons:

1. Paranoia (or security policy etc)
2. Local Internet access (access to Internet, VPN dial in).
3. RAS

Often, the implication of an office with "just" execs is that the traffic requirements are simple, and there is no "heavy" use of networking - this may not apply in your case.

If you don't do any of these, you only need a router.

You can get suitable routers from various vendors (Cisco is normally the default choice, but others such as Nortel exist), or you can buy an "outsource" style Frame service, which includes the routers, and remote management etc.

One thing we are seeing a lot of interest in recently is combining voice and data for small offices - not necessarily for the WAN links (although that can be an efficient way to reduce cost), but to allow a single remote site box to give a small PBX, a router, voicemail etc. Nicest one I have seen is the Nortel Enterprise Edge, but there are others, such as Lucent Network Alchemy.

As a bonus, a lot of these devices support firewall, VPN etc, but you may not need that.

Stephen

Stephen Hope C. Eng, Network Consultant, shope at datarange.co.uk,
Datarange Communications PLC, part of Energis, WWW: http://www.datarange.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4190 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

From tbird at PRECISION-GUESSWORK.COM Tue Jun 13 10:57:04 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Tue, 13 Jun 2000 09:57:04 -0500
Subject: VPN/Firewall recommendation
In-Reply-To: <01903665B361D211BF6700805FAD5D93591903@mail.datarange.co.uk>

We've been around this particular argument before, but anyhow...

Even over frame relay, I recommend using IPsec or other encryption/authentication technology. Frame relay can be sniffed.
It's not an infrastructure that is dedicated to a single organization -- so even though it's better than (say) the Internet in terms of providing protection from other users, it's still not "secure enough" for a lot of organizations.

Most routers will support IPsec encapsulation of traffic without a lot of additional configuration work. This will increase your overhead per-packet, but is feasible for most wide area connections (except for very large pipes), especially with the addition of hardware encrypting devices...

cheers -- tbird

"Doubt is an uncomfortable situation, but certainty is an absurd one." -- Voltaire

From Muhd.Hamdan at BCM.ERICSSON.SE Mon Jun 12 23:33:59 2000
From: Muhd.Hamdan at BCM.ERICSSON.SE (Muhamad Hamdan (BCM))
Date: Tue, 13 Jun 2000 05:33:59 +0200
Subject: Have an outline of the technology needed to build a VPN

What sort of technology is needed to build a Virtual Private Network?

From pklassen at JCPENNEY.COM Tue Jun 13 07:27:43 2000
From: pklassen at JCPENNEY.COM (Phil W Klassen)
Date: Tue, 13 Jun 2000 06:27:43 -0500
Subject: VPN input
References: <74A68BE138CED311AD5400105A25002109350C@mail42.inside.sealabs.com>
Message-ID: <39461AAF.C5D0BEB6@jcpenney.com>

JCPenney is in the process of evaluating DSL service. I pretty much feel we need a VPN specific solution; however, JCPenney is a large MS shop, and as such they would like to leverage a MS WIN2K server at the remote end.

Does anyone have any experience deploying MS solutions for VPN, including PPTP or L2TP and Routing and Remote Access? If so, any input into your experiences would be appreciated.

From pbryan at ACRUX.NET Tue Jun 13 13:04:42 2000
From: pbryan at ACRUX.NET (Patrick Bryan)
Date: Tue, 13 Jun 2000 12:04:42 -0500
Subject: Routing over PPTP Tunnel
Message-ID: <200006131653.LAA24741@firewall.swedishamerican.org>

Hi there..

Recently I was asked to provide a plan to connect a client's main office to a branch office via PPTP.. in a scenario like the following:

Main Office (Net A) ---> PPTP Server --<> Internet <>-- PPTP Server <-- Branch Office (Net B)

Is this possible? The server in the main office is behind a firewall, and is providing connectivity to individual remote clients. The PPTP Server at the branch office would be dual homed, one NIC to the Internet, the other to the LAN. I am guessing the PPTP box on Net B would establish a connection to the machine on Net A.
I can see this working, but I am unsure if for example I wanted to send a print job to a printer on NetB, if the PPTP Server on NetA would route it over the tunnel? Any input/experiences would be much appreciated. Pat VPN is sponsored by SecurityFocus.COM From qzhu at ULOGON.COM Tue Jun 13 13:50:37 2000 From: qzhu at ULOGON.COM (qzhu) Date: Tue, 13 Jun 2000 10:50:37 -0700 Subject: netscreen100 VPN Message-ID: <019001bfd55f$e3293040$6969080a@corp.ulogon.com> Hello, there.. I got a problem when I try to build VPN connection between our company and the other office. The netscreen100 firewall works fine, I can ping each boxs' untrust IP. But I can not ping the trust IP which is behind the firewall. I use the manual key, and put this VPN policy on the top of outgoing policies page. The two boxes are behind routers. I don't if I need to modify to routers. Any help would be much appreciated. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.shmoo.com/pipermail/vpn/attachments/20000613/df0d0fe4/attachment.htm -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3304 bytes Desc: not available Url : http://lists.shmoo.com/pipermail/vpn/attachments/20000613/df0d0fe4/attachment.bin From dgillett at NIKU.COM Tue Jun 13 14:48:01 2000 From: dgillett at NIKU.COM (David Gillett) Date: Tue, 13 Jun 2000 11:48:01 -0700 Subject: netscreen100 VPN In-Reply-To: <019001bfd55f$e3293040$6969080a@corp.ulogon.com> Message-ID: <019701bfd567$e6fa14c0$f30410ac@niku.com> You need to enter the same manual key information on both NetScreens, but with the sequence(?) numbers (local and remote) reversed. On firewall A, having defined the tunnel, you need to create an Untrusted Address definition for firewall B's trusted network. Then you need to add an outgoing policy rule, saying that traffic to this address range should be encrypted using the tunnel you defined. 
Of course, the inverse of this process needs to be done on firewall B, to point traffic to firewall A's network. It's these policy entries that provide the routing (and encapsulation) rules to allow traffic to flow through the tunnel. Once you've got these set up, your pings should work. [Although I hear things have improved on NetScreen's version 2, on version 1 any new policy rules get created at the end of the list, and you will have to move them, a line at a time, up the list past any default rules in order for them to take effect. Specifically, there's probably a default inside-to-outside rule, and your inside-to-remote-via-tunnel rule needs to be moved above that....] David Gillett Enterprise Networking Services Manager, Niku Corp. (650) 701-2702 "Transforming the Service Economy" -----Original Message----- From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of qzhu Sent: Tuesday, June 13, 2000 10:51 AM To: VPN at SECURITYFOCUS.COM Subject: netscreen100 VPN Hello, there.. I got a problem when I try to build VPN connection between our company and the other office. The netscreen100 firewall works fine, I can ping each boxs' untrust IP. But I can not ping the trust IP which is behind the firewall. I use the manual key, and put this VPN policy on the top of outgoing policies page. The two boxes are behind routers. I don't if I need to modify to routers. Any help would be much appreciated. VPN is sponsored by SecurityFocus.COM From jonc at HAHT.COM Tue Jun 13 15:05:07 2000 From: jonc at HAHT.COM (Jon Carnes) Date: Tue, 13 Jun 2000 15:05:07 -0400 Subject: VPN input References: <74A68BE138CED311AD5400105A25002109350C@mail42.inside.sealabs.com> <39461AAF.C5D0BEB6@jcpenney.com> Message-ID: <01b901bfd56a$5dcc1a10$6803010a@dhcp.haht.com> I've done a lot with MS networking across VPN's and WAN's, both for the company I work for, and as a contractor to other shops. For a limited number of sites staying with MS for the VPN is okay. 
However, if you have a lot of sites, or don't want to actively maintain your sites, and need really good security, then you should go with an out of box type of solution from a good vendor. Our company uses both MS-VPN and Linux firewall/VPN's. If you will be using DSL at each of the sites, they you may wish to consider having the DSL provider setup a Corporate network for you. The DSL provider sets up access to each site, but the connection is a private one, running behind a firewall at the providers site (not literally, but the effect is the same). Your corporate traffic *never* touches the internet. It stays locked on the DSL providers private network. You still have access to the internet, but you don't have to worry about setting up the vpn, the firewalls, or the routers. If you use MS for the VPN connection, it's best to use a separate firewall at each site and run your VPN behind it, so look for a firewall solution that allows you to pass PPTP and L2TP freely through it. This assumes that you are running a separate third party firewall, since the firewalling on NT isn't very good - though I haven't played with the very latest MS release due out in August. Note: you can run your MS VPN in parallel to your firewall, but since most firewalls pass PPTP and L2TP its better to keep them behind the firewall. You need to look at the amount of data you want to pass, and whether small delays will effect the flow dramatically. If you are logging into a database server across the vpn you may not be happy with the small delays that can occur via the internet. On the other hand, if you are just moving documents around and playing with email, or if you have a database server that can handle high latency, then VPN is for you! As a general rule for determining the highest transfer speed between any two sites, I take the smaller of the two bandwidths and divide it by 2. That's a very rough estimate but works well in setting the expectations of a client. 
My company's WAN is setup in a star configuration - all the branches vpn to our corporate offices, and the internet connection here is a T3. The smallest branch office connection is a shared T1 out of an office complex. Several of our home users have better/faster connections via cable modems and DSL. Note: we make our home users run personal firewalls before allowing them to attach to our Corporate network via vpn. The key to making the WAN work effectively, is to have a WINS server at each major location, as well as a BDC (Backup Domain Controller). At a site with less than 50 users, WINS can run effectively on the same machine as the BDC. This assumes that you want everyone to be on the same Domain, which avoids a lot of hassles with setting up trust relationships. If your Domain grows too large, you may want to consider something like NDS for NT. Novell Directory Services is quite valuable for managing large networks. For DSL service, I'm partial to Speakeasy.net. They do a very professional job for a great rate. (And I don't get any money for saying that...). Bringing a new site on is very easy: - Setup internet access at site - Load RRAS and PPTP onto server - Re-Load Service Pack 5 (or 6a) onto NT server - Attach to corporate network - Test network access from attached server - Add route to corporate network on remote router. Add route to remote site on corporate router. - Test network access from remote computer - Add BDC and WINS to remote network Note: BDC, WINS, and RRAS can all be run on the same NT server, as long as it has about 500Mb of RAM and is reasonably fast (P2-450 or better). This will work for up to about 50 average office users. If the site grows to more than 50 users (my rule of thumb), I would split the WINS off to another machine. If you have any specific questions, I would be happy to help. 
Jon Carnes MIS - HAHT Software ----- Original Message ----- From: "Phil W Klassen" To: Sent: Tuesday, June 13, 2000 7:27 AM Subject: VPN input > JCPenney is in the process of evaluating DSL service. I pretty much feel > we need a VPN specific solution however JCPenney is a large MS shop, and > as such they would like to leverage a MS WIN2K server at the remote end. > > Does anyone have any experience deploying MS solutions for VPN, > inlcuding PPTP or L2TP and Routing and Remote Access ? if so any input > into your experinces would be appreciated. > > VPN is sponsored by SecurityFocus.COM VPN is sponsored by SecurityFocus.COM From evyncke at CISCO.COM Tue Jun 13 14:55:02 2000 From: evyncke at CISCO.COM (Eric Vyncke) Date: Tue, 13 Jun 2000 20:55:02 +0200 Subject: IPsec Tunnels modes with VPN In-Reply-To: <3DE1DF234B51D211A70600104BB3F6DA01BD9A20@NL-ROT-MAIL01> Message-ID: <4.2.0.58.20000613205228.00a52990@brussels.cisco.com> It depends on the usage of IPSec: - tunnel mode: mainly for site to site VPN where an IPSec enabled device (router, firewall, ...) encrypts the traffic in behalf of other devices. The original IP addresses and payload need to be encapsulated hence the name of tunnel (like GRE tunnel, ...) - transport mode: mainly for host to host - iteratie: never heard about this one ! Basically, transport mode is a little more efficient in header usage than using tunnel mode when the IPSec tunnel is from host to host. But, IPSec could have been simplified if only tunnel mode was defined Hope this helps -eric At 10:25 13/06/2000 +0200, Miranda Heesbeen wrote: >Hello everyone, > >Does somebody know why IPsec has different tunnel modes with VPN (tunnel, >transport and iteratie mode)? >What sort of functions (abilities) does these give the VPN? Or has it >nothing to do with eachother? >Thanks. 
> >Greetings, > >Miranda Heesbeen > >VPN is sponsored by SecurityFocus.COM Eric Vyncke Consulting Engineer Cisco Systems EMEA Phone: +32-2-778.4677 Fax: +32-2-778.4300 E-mail: evyncke at cisco.com Mobile: +32-75-312.458 VPN is sponsored by SecurityFocus.COM From dgillett at NIKU.COM Tue Jun 13 16:18:15 2000 From: dgillett at NIKU.COM (David Gillett) Date: Tue, 13 Jun 2000 13:18:15 -0700 Subject: VPN input In-Reply-To: <01b901bfd56a$5dcc1a10$6803010a@dhcp.haht.com> Message-ID: <01bd01bfd574$822ccd00$f30410ac@niku.com> John, I'd like to drill down a little on one particular point: > My company's WAN is setup in a star configuration - all the branches vpn to > our corporate offices, .... Do you have cases where two remote locations need to exchange traffic? I'm facing a particular issue with wanting to convey traffic A<->C by having site B route packets between the A<->B tunnel and the B<->C tunnel, instead of creating a low-volume A<->C tunnel. I haven't found a way to make this happen yet. I'm asking in response to your message because this is inherent in using a star rather than a mesh configuration.... David Gillett Enterprise Networking Services Manager, Niku Corp. (650) 701-2702 "Transforming the Service Economy" -----Original Message----- From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Jon Carnes Sent: Tuesday, June 13, 2000 12:05 PM To: VPN at SECURITYFOCUS.COM Subject: Re: VPN input I've done a lot with MS networking across VPN's and WAN's, both for the company I work for, and as a contractor to other shops. For a limited number of sites staying with MS for the VPN is okay. However, if you have a lot of sites, or don't want to actively maintain your sites, and need really good security, then you should go with an out of box type of solution from a good vendor. Our company uses both MS-VPN and Linux firewall/VPN's. 
If you will be using DSL at each of the sites, they you may wish to consider having the DSL provider setup a Corporate network for you. The DSL provider sets up access to each site, but the connection is a private one, running behind a firewall at the providers site (not literally, but the effect is the same). Your corporate traffic *never* touches the internet. It stays locked on the DSL providers private network. You still have access to the internet, but you don't have to worry about setting up the vpn, the firewalls, or the routers. If you use MS for the VPN connection, it's best to use a separate firewall at each site and run your VPN behind it, so look for a firewall solution that allows you to pass PPTP and L2TP freely through it. This assumes that you are running a separate third party firewall, since the firewalling on NT isn't very good - though I haven't played with the very latest MS release due out in August. Note: you can run your MS VPN in parallel to your firewall, but since most firewalls pass PPTP and L2TP its better to keep them behind the firewall. You need to look at the amount of data you want to pass, and whether small delays will effect the flow dramatically. If you are logging into a database server across the vpn you may not be happy with the small delays that can occur via the internet. On the other hand, if you are just moving documents around and playing with email, or if you have a database server that can handle high latency, then VPN is for you! As a general rule for determining the highest transfer speed between any two sites, I take the smaller of the two bandwidths and divide it by 2. That's a very rough estimate but works well in setting the expectations of a client. My company's WAN is setup in a star configuration - all the branches vpn to our corporate offices, and the internet connection here is a T3. The smallest branch office connection is a shared T1 out of an office complex. 
Several of our home users have better/faster connections via cable modems and DSL.

Note: we make our home users run personal firewalls before allowing them to attach to our Corporate network via vpn.

The key to making the WAN work effectively, is to have a WINS server at each major location, as well as a BDC (Backup Domain Controller). At a site with less than 50 users, WINS can run effectively on the same machine as the BDC. This assumes that you want everyone to be on the same Domain, which avoids a lot of hassles with setting up trust relationships. If your Domain grows too large, you may want to consider something like NDS for NT. Novell Directory Services is quite valuable for managing large networks.

For DSL service, I'm partial to Speakeasy.net. They do a very professional job for a great rate. (And I don't get any money for saying that...).

Bringing a new site on is very easy:
- Setup internet access at site
- Load RRAS and PPTP onto server
- Re-Load Service Pack 5 (or 6a) onto NT server
- Attach to corporate network
- Test network access from attached server
- Add route to corporate network on remote router. Add route to remote site on corporate router.
- Test network access from remote computer
- Add BDC and WINS to remote network

Note: BDC, WINS, and RRAS can all be run on the same NT server, as long as it has about 500Mb of RAM and is reasonably fast (P2-450 or better). This will work for up to about 50 average office users. If the site grows to more than 50 users (my rule of thumb), I would split the WINS off to another machine.

If you have any specific questions, I would be happy to help.

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "Phil W Klassen"
To:
Sent: Tuesday, June 13, 2000 7:27 AM
Subject: VPN input

> JCPenney is in the process of evaluating DSL service. I pretty much feel
> we need a VPN specific solution however JCPenney is a large MS shop, and
> as such they would like to leverage a MS WIN2K server at the remote end.
>
> Does anyone have any experience deploying MS solutions for VPN,
> including PPTP or L2TP and Routing and Remote Access ? if so any input
> into your experiences would be appreciated.

From jonc at HAHT.COM Tue Jun 13 17:45:35 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Tue, 13 Jun 2000 17:45:35 -0400
Subject: VPN input
References: <01bd01bfd574$822ccd00$f30410ac@niku.com>
Message-ID: <026f01bfd580$c701b010$6803010a@dhcp.haht.com>

----- Original Message -----
From: "David Gillett"
To: "'Jon Carnes'" ;
Sent: Tuesday, June 13, 2000 4:18 PM
Subject: RE: VPN input

> John,
> I'd like to drill down a little on one particular point:
>
> > My company's WAN is setup in a star configuration - all the branches vpn
> to
> > our corporate offices, ....
>
> Do you have cases where two remote locations need to exchange traffic?
> I'm facing a particular issue with wanting to convey traffic A<->C by having
> site B route packets between the A<->B tunnel and the B<->C tunnel, instead
> of creating a low-volume A<->C tunnel. I haven't found a way to make this
> happen yet.
>
> I'm asking in response to your message because this is inherent in using a
> star rather than a mesh configuration....
>
> David Gillett
> Enterprise Networking Services Manager, Niku Corp.
> (650) 701-2702
> "Transforming the Service Economy"
>

That works just fine here. The key is setting up the routing correctly.

For your case, B is the corporate hub. A attaches to B. Similarly, C attaches to B. If the speeds are acceptable there is no reason to set up a direct link for A to C: you can let B relay the traffic.

To make it work:
- On A's router, add a route to network C that uses as a gateway B's router.
- On C's router, add a route to network A that uses as a gateway B's router.

If you are on network A then all your traffic for either B or C should go down the vpn to the B network.
Traffic for the B network has reached its destination. Traffic for the C network will go to the router on network B and be directed to the C network (just like any local traffic going from network B to C). Once on the C network, your journey ends.

Return packets will go to the network C router, travel down the vpn back to network B, go to the Router on Network B, and then be directed to the A Network via that vpn.

Note: you must have a distinct network for each site. In other words, each site must use a different IP network. We use various 192.168.x.0 networks for our satellite offices. Their firewalls all use IP Masquerading, so the internal addresses don't really matter.

As an example:
Network A = 192.168.22.0 / 255.255.255.0
Network B = 192.168.1.0 / 255.255.255.0
Network C = 192.168.33.0 / 255.255.255.0

Good Luck!

Jon Carnes
MIS - HAHT Software

From dgillett at NIKU.COM Tue Jun 13 18:17:15 2000
From: dgillett at NIKU.COM (David Gillett)
Date: Tue, 13 Jun 2000 15:17:15 -0700
Subject: VPN input
In-Reply-To: <026f01bfd580$c701b010$6803010a@dhcp.haht.com>
Message-ID: <01e601bfd585$22261130$f30410ac@niku.com>

Okay, I think I see how to translate that into the boxes we're using (NetScreen, mostly -10). The key is that instead of a rule at A sending encrypted traffic for C to B, I'll add a routing entry at A saying to use B as the gateway to reach C, and then let the normal A<->B tunnel rule apply. (I'm comfortable with local gateways; it hadn't occurred to me to specify a remote one.)

Thanks!

David Gillett
Enterprise Networking Services Manager, Niku Corp.
(650) 701-2702
"Transforming the Service Economy"

-----Original Message-----
From: Jon Carnes [mailto:jonc at haht.com]
Sent: Tuesday, June 13, 2000 2:46 PM
To: David Gillett; VPN at SECURITYFOCUS.COM
Subject: Re: VPN input

----- Original Message -----
From: "David Gillett"
To: "'Jon Carnes'" ;
Sent: Tuesday, June 13, 2000 4:18 PM
Subject: RE: VPN input

> John,
> I'd like to drill down a little on one particular point:
>
> > My company's WAN is setup in a star configuration - all the branches vpn
> to
> > our corporate offices, ....
>
> Do you have cases where two remote locations need to exchange traffic?
> I'm facing a particular issue with wanting to convey traffic A<->C by having
> site B route packets between the A<->B tunnel and the B<->C tunnel, instead
> of creating a low-volume A<->C tunnel. I haven't found a way to make this
> happen yet.
>
> I'm asking in response to your message because this is inherent in using a
> star rather than a mesh configuration....
>
> David Gillett
> Enterprise Networking Services Manager, Niku Corp.
> (650) 701-2702
> "Transforming the Service Economy"
>

That works just fine here. The key is setting up the routing correctly.

For your case, B is the corporate hub. A attaches to B. Similarly, C attaches to B. If the speeds are acceptable there is no reason to set up a direct link for A to C: you can let B relay the traffic.

To make it work:
- On A's router, add a route to network C that uses as a gateway B's router.
- On C's router, add a route to network A that uses as a gateway B's router.

If you are on network A then all your traffic for either B or C should go down the vpn to the B network. Traffic for the B network has reached its destination. Traffic for the C network will go to the router on network B and be directed to the C network (just like any local traffic going from network B to C). Once on the C network, your journey ends.

Return packets will go to the network C router, travel down the vpn back to network B, go to the Router on Network B, and then be directed to the A Network via that vpn.

Note: you must have a distinct network for each site. In other words, each site must use a different IP network. We use various 192.168.x.0 networks for our satellite offices. Their firewalls all use IP Masquerading, so the internal addresses don't really matter.

As an example:
Network A = 192.168.22.0 / 255.255.255.0
Network B = 192.168.1.0 / 255.255.255.0
Network C = 192.168.33.0 / 255.255.255.0

Good Luck!

Jon Carnes
MIS - HAHT Software

From MuniX-1 at PACBELL.NET Wed Jun 14 04:42:29 2000
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Wed, 14 Jun 2000 01:42:29 -0700
Subject: netscreen100 VPN
References: <019001bfd55f$e3293040$6969080a@corp.ulogon.com>
Message-ID: <39474575.37DF488B@pacbell.net>

Make sure that you have a SA after sending a few ICMP's

ns100> get sa

If you got an SA then do

ns100> set adm sys-ip 0.0.0.0

then do a

ns100> set interface trust ping

and you should be able to ping the trusted from a host on the trusted side of the local vpn. So the ICMP will go from the host that you are typing at to the local VPN, through the Internet, the remote VPN and hit the trusted interface. Simple Huh?

If you do not have a SA, then check the policies out. Just forget about everything, meditate and concentrate and you'll see that it is all common sense.. If it does not make sense it probably won't work...

Use IKE and make the policies the same, or check that the SPI is the same as follows.

VPN A   Local 3001   Remote 3002
VPN B   Local 3002   Remote 3001

You see the relation.... Check your routing..

Now if this does not work make sure that your router has no access lists for IP 50 and or 51, this is ESP and AH. And UDP 500 for the ISAKMP [IKE].

If this does not work then go to sleep and try tomorrow... Cheers..

Jose Muniz

> qzhu wrote:
>
> Hello, there..
>
> I got a problem when I try to build VPN connection between our company
> and the other office. The netscreen100 firewall works fine, I can ping
> each box's untrust IP. But I can not ping the trust IP which is behind
> the firewall. I use the manual key, and put this VPN policy on the top
> of outgoing policies page.
> The two boxes are behind routers. I don't know if I need to modify the
> routers. Any help would be much appreciated.

From smorison at TEXT100.COM.AU Thu Jun 15 02:14:29 2000
From: smorison at TEXT100.COM.AU (Stephen Morison (TEXT100 AU))
Date: Thu, 15 Jun 2000 16:14:29 +1000
Subject: Router to Router VPN
Message-ID:

Hi,

We're in the process of bringing online our first satellite office and I was wondering if you guys could lend some advice as to what would be the most efficient way to link up a couple of routers

Office A: CISCO 2611, 2MB Microwave Link
Office B: CISCO 805, 128Kb/s Frame Relay

Thanks

Stephen Morison
IT manager
Text 100 Public Relations
Global High Technology Public Relations
Level 28, Northpoint
100 Miller Street
North Sydney NSW 2060
Australia
Telephone: +61 2 9956 5733
Facsimile: +61 2 9956 5406
Mobile: +61 416 224 669
Email: smorison at text100.com.au
http://www.text100.com.au

From JJones at NWNETS.COM Thu Jun 15 11:33:52 2000
From: JJones at NWNETS.COM (Jeremy Jones (BOI))
Date: Thu, 15 Jun 2000 09:33:52 -0600
Subject: Routing over PPTP Tunnel
Message-ID: <4128C0428F94D3118F1E00902773CED20BE5F6@NNSBOIS1>

This is a fairly simple thing to do. The firewall at the Main Office would need to pass tcp port 1723 and protocol 47 (GRE) to the PPTP Server at the Main Office. The server at the Branch Office would make a call to the PPTP Server at the Main Office, and routes would need to be established at both sites. I currently have several clients with such a setup.
One client has three remote offices connecting via PPTP to a main office, and the connection is as stable as the Internet connection. Printing, file sharing, database replication, and remote backups all work flawlessly. Drop me an e-mail, Patrick, if you'd like any details on the setup of the firewalls, the servers, and the clients.

Jeremy Jones, MA, MCSE, CCNA
Systems Engineer
Northwest Network Services
(208) 343-5260 x106
http://www.nwnets.com
mailto:jjones at nwnets.com

-----Original Message-----
From: Patrick Bryan [mailto:pbryan at ACRUX.NET]
Sent: Tuesday, June 13, 2000 11:05 AM
To: VPN at SECURITYFOCUS.COM
Subject: Routing over PPTP Tunnel

Hi there..

Recently I was asked to provide a plan to connect a client's main office to a branch office via PPTP.. in a scenario like the following:

Main Office (Net A) ---> PPTP Server --<> Internet <>-- PPTP Server <-- Branch Office (NetB)

Is this possible? The server in the main office is behind a firewall, and is providing connectivity to individual remote clients. The PPTP Server at the branch office would be dual homed, one nic to the internet, the other to the LAN. I am guessing the PPTP Box on netB would establish a connection to the machine on neta. I can see this working, but I am unsure if for example I wanted to send a print job to a printer on NetB, if the PPTP Server on NetA would route it over the tunnel?

Any input/experiences would be much appreciated.

Pat

From clbrewer at US.IBM.COM Thu Jun 15 12:32:43 2000
From: clbrewer at US.IBM.COM (Brewer, CL)
Date: Thu, 15 Jun 2000 12:32:43 -0400
Subject: establishing an IPSEC tunnel through Raptor Firewall...
Message-ID:

I am trying to figure out the best way to establish an IPSEC tunnel through a Raptor firewall. I have Raptor 6.0.2 firewall and I am trying to tunnel an Aventail Connect client to an Aventail Server that is on the public network.
Could someone tell me what I need to do on the Raptor to allow IPSEC to traverse?

Chad L. Brewer
IBM Global Services

From bekoin at GLOBEACCESS.NET Thu Jun 15 04:57:12 2000
From: bekoin at GLOBEACCESS.NET (Olivier Bekoin)
Date: Thu, 15 Jun 2000 08:57:12 +0000
Subject: checklist of deploying VPN solution
References: <200006131653.LAA24741@firewall.swedishamerican.org>
Message-ID: <39489A68.5EC50976@globeaccess.net>

Hi,

I want to deploy a VPN solution to our branch offices (3), which usually work with my headquarters. I have all sorts of OS (W95/W98, Mac OS, WNT, Linux, W2000) and all are Ethernet technology.

Generally, what checklist or what logical approach can I use to deploy it? What are the essential points I should look at to make this operation a success?

Thank you in advance

Olivier

From smorison at TEXT100.COM.AU Thu Jun 15 22:18:04 2000
From: smorison at TEXT100.COM.AU (Stephen Morison (TEXT100 AU))
Date: Fri, 16 Jun 2000 12:18:04 +1000
Subject: Routing over PPTP Tunnel
Message-ID:

Jeremy,

Thanks, however at this time there will not be any servers in the remote offices as it will be starting with 3 people. We originally thought about this, however as we're not sure of the success of the office at this time they (the people who sign the cheques) didn't want to invest in a server.

Stephen Morison
IT manager
Text 100 Public Relations
Global High Technology Public Relations
Level 28, Northpoint
100 Miller Street
North Sydney NSW 2060
Australia
Telephone: +61 2 9956 5733
Facsimile: +61 2 9956 5406
Mobile: +61 416 224 669
Email: smorison at text100.com.au
http://www.text100.com.au

-----Original Message-----
From: Jeremy Jones (BOI) [mailto:JJones at NWNETS.COM]
Sent: Friday, 16 June 2000 1:34 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: Routing over PPTP Tunnel

This is a fairly simple thing to do.
The firewall at the Main Office would need to pass tcp port 1723 and protocol 47 (GRE) to the PPTP Server at the Main Office. The server at the Branch Office would make a call to the PPTP Server at the Main Office, and routes would need to be established at both sites. I currently have several clients with such a setup. One client has three remote offices connecting via PPTP to a main office, and the connection is as stable as the Internet connection. Printing, file sharing, database replication, and remote backups all work flawlessly. Drop me an e-mail, Patrick, if you'd like any details on the setup of the firewalls, the servers, and the clients.

Jeremy Jones, MA, MCSE, CCNA
Systems Engineer
Northwest Network Services
(208) 343-5260 x106
http://www.nwnets.com
mailto:jjones at nwnets.com

-----Original Message-----
From: Patrick Bryan [mailto:pbryan at ACRUX.NET]
Sent: Tuesday, June 13, 2000 11:05 AM
To: VPN at SECURITYFOCUS.COM
Subject: Routing over PPTP Tunnel

Hi there..

Recently I was asked to provide a plan to connect a client's main office to a branch office via PPTP.. in a scenario like the following:

Main Office (Net A) ---> PPTP Server --<> Internet <>-- PPTP Server <-- Branch Office (NetB)

Is this possible? The server in the main office is behind a firewall, and is providing connectivity to individual remote clients. The PPTP Server at the branch office would be dual homed, one nic to the internet, the other to the LAN. I am guessing the PPTP Box on netB would establish a connection to the machine on neta. I can see this working, but I am unsure if for example I wanted to send a print job to a printer on NetB, if the PPTP Server on NetA would route it over the tunnel?

Any input/experiences would be much appreciated.
Pat

From Brent_Jarvis at MITEL.COM Fri Jun 16 10:05:09 2000
From: Brent_Jarvis at MITEL.COM (Brent_Jarvis at MITEL.COM)
Date: Fri, 16 Jun 2000 10:05:09 -0400
Subject: Certificate Pricing for Outsourced VPN services & certs
Message-ID: <85256900.004D5FC1.00@kanmta01.software.mitel.com>

From: Brent Jarvis at MITEL on 06/16/2000 10:05 AM

We are looking at out-sourcing the management of our company's proposed VPN service. A company has suggested we consider using Certificates for authentication which they would provide and manage for a monthly fee. This company has PKI set-up to provide this service, where they would manage issuing/re-issuing and CRLs. They have provided a rough estimate of $5 US/month per certificate issued but I have no one to compare this cost with.

Does anyone else use this service and is the pricing in-line?

Thanks
Brent Jarvis

From guy.raymakers at EDS.COM Thu Jun 22 03:08:52 2000
From: guy.raymakers at EDS.COM (Raymakers, Guy)
Date: Thu, 22 Jun 2000 08:08:52 +0100
Subject: Product Comparison
Message-ID:

Hi all,

I'm doing some tests with the following hardware :

Network Alchemy CryptoCluster
Altiga VPN Concentrator

Because of some serious time pressure, I will probably not be able to perform all planned tests. So, I'm looking for someone who performed the same evaluation/comparison and can inform me why you chose the product you have right now ?

Many Thanks,
Guy

From bekoin at GLOBEACCESS.NET Fri Jun 23 04:07:49 2000
From: bekoin at GLOBEACCESS.NET (Olivier Bekoin)
Date: Fri, 23 Jun 2000 08:07:49 +0000
Subject: deploy vpn solution
Message-ID: <39531AD5.3A2A9538@globeaccess.net>

Hi,

I want to deploy a VPN solution to our 3 branch offices, which usually work with my headquarters.
I have all sorts of OS (W95/W98, Mac OS, WNT, Linux, W2000) and all are Ethernet technology.

Generally, what checklist or what logical approach can I use to deploy it? What are the essential points I should look at to make this operation a success?

Thank you in advance

Olivier

From luiz at CAMERASPORTS.COM.BR Wed Jun 21 16:49:19 2000
From: luiz at CAMERASPORTS.COM.BR (Luiz Fernando Vieira)
Date: Wed, 21 Jun 2000 17:49:19 -0300
Subject: VPN connection
Message-ID: <006901bfdbc2$33c2b540$440a0a0a@luizw2k>

Dear sirs,

I have a big WebSite in Brazil and I use a VPN to connect one of my web servers to another server in the US to have access to some information I need. The architecture is running very well. I am using the native Windows 2000 VPN.

The problem is that I have to leave the server logged on for the VPN to stay connected. If I have to reboot the server, I have to log on again and then double-click on the VPN icon to re-connect it.

Is there any way to make a VPN connection persistent or run as a service or something like that?? I would like to leave the VPN connected without having to log in. And also, I would like it to re-connect automatically when the server comes up after a reboot.

If you could help me, I would be glad.

TKS and Best Regards,
Luiz Vieira

From tbird at PRECISION-GUESSWORK.COM Mon Jun 26 17:18:12 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Mon, 26 Jun 2000 16:18:12 -0500
Subject: VPN: approval required (6220E153) (fwd)
Message-ID:

>
> While performance testing various VPN Clients over Dial Up connections,
> the lack of compression before encryption of the payload appears to be
> creating significant performance degradation.
>
> The following data is just a sample which illustrates the point. Both of
> these sets of measurements are from the same workstation dialed into the
> same POP at 49.3 Mbits/second. The pings were done with 100 byte and
> 1370 byte frames.
> I realize 1370 byte ping frames are not usually used,
> but they do help illustrate my point. The two files used are about 400k
> bytes in size. The Asc file is simply a part of a Unix dictionary file.
> The Bin file is the same data encrypted. When the data is encrypted it
> is no longer compressible because there are no repeating patterns.
>
>
>                  Ping 100      Ping 1370     Get Bin/Asc   Put Bin/Asc
> Intraport2       214/222/231   921/944/954   36.52/34.55   24.30/22.71
> Contivity-1500   148/173/247   166/183/190   44.32/64.69   21.47/26.39
>
> When sniffing the PPP data we found that the 100 byte ping was one frame
> long as would be expected. The 1370 byte frame became two 642 byte
> frames and one 370 byte frame from the Workstation and the reply was one
> 1474 byte frame. The 100 byte frame became 210 byte frames in both
> directions.
>
> The PPP process normally tries to compress data before sending it to the
> modem. The Contivity implementation uses the LZS compression algorithm
> to compress the data prior to encrypting it and then sending it to the
> PPP process for transmission. In our example the Ping data was all
> zeroes so it is easily compressed into one frame. The Compatible Systems
> / Cisco client did no compression prior to encryption causing the PPP
> process to be unable to compress the data.
>
> So with that long preamble, and my assumption being true that other
> clients do compress prior to encryption, my question is:
>
> Why do not other manufacturers of VPN clients compress data prior to
> encryption? Another question might be, does my analysis make sense?
>
> Thanks! Lowell
> --
> ------------------------------------------------------
> Lowell K. Hanson    Senior Consultant    Phone: 703-817-0627
> mailto:lkh at dgsys.com    HTTP://www2.dgsys.com/~lkh
> "We can change the world, but must begin with ourselves"
> "Doubt is an uncomfortable situation, but certainty is an absurd one."
> -- Voltaire

From smorison at TEXT100.COM.AU Mon Jun 26 22:42:48 2000
From: smorison at TEXT100.COM.AU (Stephen Morison (TEXT100 AU))
Date: Tue, 27 Jun 2000 12:42:48 +1000
Subject: VPN connection
Message-ID:

I know there were registry hacks for NT4.0 that allowed auto login. If you can find one for autologin for w2k you should be able to specify that it connects to the VPN as part of the login (or as an auto-login). It might be worth checking the User tools under control panel --> admin tools.

regards
Stephen Morison

-----Original Message-----
From: Luiz Fernando Vieira
To: VPN at SECURITYFOCUS.COM
Sent: 22/06/00 6:49
Subject: VPN connection

Dear sirs,

I have a big WebSite in Brazil and I use a VPN to connect one of my web servers to another server in the US to have access to some information I need. The architecture is running very well. I am using the native Windows 2000 VPN.

The problem is that I have to leave the server logged on for the VPN to stay connected. If I have to reboot the server, I have to log on again and then double-click on the VPN icon to re-connect it.

Is there any way to make a VPN connection persistent or run as a service or something like that?? I would like to leave the VPN connected without having to log in. And also, I would like it to re-connect automatically when the server comes up after a reboot.

If you could help me, I would be glad.

TKS and Best Regards,
Luiz Vieira

From carlsonmail at YAHOO.COM Tue Jun 27 13:50:28 2000
From: carlsonmail at YAHOO.COM (Chris Carlson)
Date: Tue, 27 Jun 2000 10:50:28 -0700
Subject: VPN: approval required (6220E153) (fwd)
Message-ID: <20000627175028.5837.qmail@web2306.mail.yahoo.com>

Lowell,

You hit on a very good point here.
In fact, I worked closely with the precursor to the Nortel Contivity product (New Oak NOC 4000) in late '97, early '98 and really pushed them into putting compression into their client. I'm SOOooo glad that they did.

However, at that time, I don't believe that there was an IPSec standard that stated how compression was to occur, and if you did it in a proprietary way, then you broke any IPSec interoperability. (Interoperability was all the rage two years ago, most probably driven by the ANX. Did you see that the Big 3 Auto manufacturers have moved to a Web-based B2B exchange, no doubt using SSL and certs? So much for IPSec ANX....)

Contivity did it in a cool manner though. The client defaulted to no compression UNLESS it received a "compression ON" flag from the Contivity server at client connection time. That way, if you tried to interoperate with another IPSec server, it'd still work, but with no compression.

I think that LZS compression is formally part of the IPSec standard now. If so, I wonder why other VPN vendors aren't using it.....???

FYI... if you're using a VPN client that does compression, make sure you turn off software and hardware compression on your MODEM, since it actually gets slower and larger when the modem tries to compress an encrypted stream. Of course, this will hurt dial-up connections to the Internet when the VPN client isn't engaged. At a previous company, we wrote a custom installer package to help distribute pre-configured VPN clients, which was also configured to turn off compression on the modem.

Happy trails,
Chris
--

--- Tina Bird wrote:
> >
> > While performance testing various VPN Clients over Dial Up connections,
> > the lack of compression before encryption of the payload appears to be
> > creating significant performance degradation.
> >
> > The following data is just a sample which illustrates the point.
> > Both of these sets of measurements are from the same workstation dialed into the
> > same POP at 49.3 Mbits/second. The pings were done with 100 byte and
> > 1370 byte frames. I realize 1370 byte ping frames are not usually used,
> > but they do help illustrate my point. The two files used are about 400k
> > bytes in size. The Asc file is simply a part of a Unix dictionary file.
> > The Bin file is the same data encrypted. When the data is encrypted it
> > is no longer compressible because there are no repeating patterns.
> >
> >
> >                  Ping 100      Ping 1370     Get Bin/Asc   Put Bin/Asc
> > Intraport2       214/222/231   921/944/954   36.52/34.55   24.30/22.71
> > Contivity-1500   148/173/247   166/183/190   44.32/64.69   21.47/26.39
> >
> > When sniffing the PPP data we found that the 100 byte ping was one frame
> > long as would be expected. The 1370 byte frame became two 642 byte
> > frames and one 370 byte frame from the Workstation and the reply was one
> > 1474 byte frame. The 100 byte frame became 210 byte frames in both
> > directions.
> >
> > The PPP process normally tries to compress data before sending it to the
> > modem. The Contivity implementation uses the LZS compression algorithm
> > to compress the data prior to encrypting it and then sending it to the
> > PPP process for transmission. In our example the Ping data was all
> > zeroes so it is easily compressed into one frame. The Compatible Systems
> > / Cisco client did no compression prior to encryption causing the PPP
> > process to be unable to compress the data.
> >
> > So with that long preamble, and my assumption being true that other
> > clients do compress prior to encryption, my question is:
> >
> > Why do not other manufacturers of VPN clients compress data prior to
> > encryption? Another question might be, does my analysis make sense?
> >
> > Thanks! Lowell
> > --
> > ------------------------------------------------------
> > Lowell K.
> > Hanson    Senior Consultant    Phone: 703-817-0627
> > mailto:lkh at dgsys.com    HTTP://www2.dgsys.com/~lkh
> > "We can change the world, but must begin with ourselves"
> >
> > "Doubt is an uncomfortable situation, but certainty is an absurd one." -- Voltaire

From clbrewer at US.IBM.COM Tue Jun 27 14:22:45 2000
From: clbrewer at US.IBM.COM (Brewer, CL)
Date: Tue, 27 Jun 2000 14:22:45 -0400
Subject: VPN connection
Message-ID:

If you go to properties ---> options ---- Under "Dialing options" uncheck "Prompt for name and password, certificate, etc"

Then you can call the session with the command "rasphone -d xxxxx"

Where xxxxx = your session name.

For more info see http://www.jsiinc.com/tip0200/rh0228.htm

Chad L. Brewer
IBM Global Services

From nasraoui at CHICKMAIL.COM Wed Jun 28 04:18:34 2000
From: nasraoui at CHICKMAIL.COM (fethi nasraoui)
Date: Wed, 28 Jun 2000 01:18:34 -0700
Subject: server to server VPN Windows NT4 connection
Message-ID:

Hi all,

I have two remote sites, and I want to connect them with a server to server VPN Windows NT4 connection. Does anyone know a web site which explains the server to server VPN Windows NT4 connection?

If anyone could help me, I would be glad.

Best Regards,
From passemar at HOTMAIL.COM Thu Jun 29 07:06:20 2000
From: passemar at HOTMAIL.COM (Antony Passemard)
Date: Thu, 29 Jun 2000 04:06:20 PDT
Subject: FW1 and Securemote
Message-ID: <20000629110620.10154.qmail@hotmail.com>

Hello everyone,

Here is my problem : I have a Firewall-1 4.0 SP5 on an NT machine and I'm trying to connect using a SecuRemote Client 4.1 on an NT4 Workstation. I created the site alright on the securemote. I'm doing my tests by pinging an internal server on the LAN behind the Firewall with the option -t.

Now, here are the two things that happen to me :

FIRST PROBLEM :
I connect to the Internet through my ISP
I try to ping my internal server on the LAN
The securemote asks me for the username and Pwd
And it works great.
Then I disconnect from the internet (not killing the Securemote process)
I reconnect to the Internet through my ISP right away and try to ping that same server
=> The securemote times out, and I have to ignore its error messages saying that it can't reach the destination site, and then after 4 minutes of pinging it connects (without asking for username and pwd, which is normal), and everything works fine...

First question : Why does it have to wait that long to be able to reconnect ???

SECOND PROBLEM :
After disconnecting, I wait 10 minutes (it could be 5 or 22220.. doesn't matter, but no less than 4 minutes)
I reconnect to the Internet and try to ping my wonderful server...
=> The Securemote doesn't time out, but I have to wait 40 seconds before the first ping gets through...

Second question : Why does it have to wait that long to be able to reconnect ??? (looks familiar ;-)

By the way, the Beta Securemote for Windows 2000 behaves alright in those two cases, so I don't really think it comes from the FW configuration, but I might be wrong.

Thanks a lot for your help.

Antony.
From JJones at NWNETS.COM Thu Jun 29 10:36:18 2000
From: JJones at NWNETS.COM (Jeremy Jones (BOI))
Date: Thu, 29 Jun 2000 08:36:18 -0600
Subject: server to server VPN Windows NT4 connection
Message-ID: <4128C0428F94D3118F1E00902773CED20BE60F@NNSBOIS1>

You'll want to create a demand dial setup that connects the two offices via PPTP. There's a TechNet article at http://support.microsoft.com/support/kb/articles/Q177/3/35.ASP. Write me if you have any more specific questions, as this article really just gives the bare minimum.

Jeremy
From jonc at HAHT.COM Thu Jun 29 11:34:57 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Thu, 29 Jun 2000 11:34:57 -0400
Subject: server to server VPN Windows NT4 connection
References:
Message-ID: <005001bfe1df$a6dc5f40$6803010a@dhcp.haht.com>

Here's an overview of the process of connecting two NT 4.0 servers together via PPTP (Microsoft's VPN service).

=== Set up the NT 4.0 servers to do PPTP (VPN) ===

If both machines have internet access and you have DHCP set up on the networks then you need to:

1) Login to each machine as administrator.
2) Load the PPTP protocol on each machine (right click on Network Neighborhood and choose Properties, go to the Protocols tab, and click on Add). Set number of virtual private networks to at least 2.
3) Load Routing and Remote Access Service (RRAS) on each machine (in Network properties, go to the Services tab, click on Add). Configure the virtual connections for both incoming and outgoing connections. Under Network make sure that you allow access to the entire network (not just the server) for each protocol that you want.
4) Okay out and reboot.
5) Login as administrator. Ignore any errors that show on reboot, and apply Service Pack 5 (or Service Pack 6a, but I still feel that 5 is better).
6) Once the SP is done, reboot.
7) The system should come up with no errors, but may have some warnings. Note that SP 5 is still not completely installed at this time. Login as administrator. Once everything is settled down, reboot again. Don't you love working with Microsoft products!

At this point you should be ready to actually set up your VPN.

Note that www.microsoft.com has several knowledge base articles that detail the setup of RRAS on a server, and also detail its use for a network VPN connection.
=== Set up the VPN entry on your Dial-up service ===

There are several ways of setting up the VPN at this point, so I will just walk you through a manual connection. You can use the RRAS Administrator to make it more permanent, or to make it attach on demand.

!) The two networks you are going to connect must use different IP networks (!

1) From the Desktop, double-click on My Computer, double-click on Dial-up Networking, add a new entry.
2) In the "Dial using" box there should be a drop down arrow; click on the arrow and choose one of the RASPPTPM entries.
3) For phone number, plug in the IP address of the other server. Note: this must be a valid IP address that the server can find. To check this, open a DOS box on the server and try to ping the address. If you cannot ping the address, you will need to find out why and correct this problem first!
4) Give the entry a Name that makes sense to you.
5) Click on the Server tab and make sure that the server type is PPP. Then choose the network protocols that you wish to use. I'm assuming that you want to use at least TCP/IP. If your network is small, feel free to use NetBEUI as well. At this point, I would not enable any compression.
6) Save the entry at this point and Dial the waiting server.
7) You must have a user account and password on the other server (or its domain), and you must also have Attach via Dial-up privileges (in User Manager, choose Properties for the account you are going to use, click on the Dialin button, and then check "Grant dialin permission for user").

At this point your server should have complete access to the remote network. Note: only the server will be able to access the remote network. Your server now becomes the router to that remote network.

=== Setting up the Routing between the networks ===

Now go to your network's main router/gateway (which may be your NT server), and add a route to the remote network which specifies your NT server as the gateway.
On NT the command looks something like this:

route add 192.168.2.0 MASK 255.255.255.0 192.168.3.10

In this example (adding local route to remote network):
your network is 192.168.3.0
your NT server has the address 192.168.3.10
the remote network is 192.168.2.0

You're still not able to go from network to network till you go to the remote network and add a route back to your network on their main router/gateway.

route add 192.168.3.0 MASK 255.255.255.0 192.168.2.10

In this example (add route at remote site to your local network):
the remote network is 192.168.2.0
the NT server on this remote network is 192.168.2.10
the address of your local network is 192.168.3.0

Once each site's main router/gateway knows where to send the network packets, you will be able to see all machines on each network (meaning you will be able to ping each machine).

===

If you want to be able to browse from network to network, then things get a wee bit trickier... At that point, you should look at setting up a WINS server at each site.

Hope this is helpful,

Jon Carnes
MIS - HAHT Software
From smorison at TEXT100.COM.AU Wed Jun 28 20:50:48 2000
From: smorison at TEXT100.COM.AU (Stephen Morison (TEXT100 AU))
Date: Thu, 29 Jun 2000 10:50:48 +1000
Subject: server to server VPN Windows NT4 connection
Message-ID:

Do you have TechNet? There are some really helpful articles in it relating to Router to Router VPNs (router being either hardware or software). One that covers just about everything is "WAN Design at Shinozaki Automotive Corp"; you should also be able to get that off the TechNet website. One specific to RRAS is "PPTP Provides Secure Connectivity to Your Corporate Network".

Good luck :)

Stephen Morison
IT manager
Text 100 Public Relations
Global High Technology Public Relations
Level 28, Northpoint
100 Miller Street
North Sydney NSW 2060
Australia
Telephone: +61 2 9956 5733
Facsimile: +61 2 9956 5406
Mobile: +61 416 224 669
Email: smorison at text100.com.au
http://www.text100.com.au
From jms at EMPIREPRECISION.COM Thu Jun 29 08:36:21 2000
From: jms at EMPIREPRECISION.COM (John Simpatico)
Date: Thu, 29 Jun 2000 08:36:21 -0400
Subject: vpn
Message-ID:

I am trying to connect a Win 98 client to my office server via VPN. I connect through the VPN, I get authenticated, and then when I go to Network Neighborhood and look to see if the network is showing up, there is nothing there. I was able to connect when I went to Run in the Start menu and typed \\[and the IP of my server], but it came up very slowly and I only had access to the one server. I tried to call up other servers the same way but no other server would respond. I know that things would not come up as fast as if I was physically on the network, but I am connecting through a cable line, so I thought that it would be much faster than how it came up. If anyone has any suggestions they would be greatly appreciated.

John Simpatico

From Per.Jacobsen at UNI-C.DK Thu Jun 29 06:10:01 2000
From: Per.Jacobsen at UNI-C.DK (Per C. H. Jacobsen)
Date: Thu, 29 Jun 2000 12:10:01 +0200
Subject: Host-to-host VPN/encryption
Message-ID: <395B2079.F2491D7D@uni-c.dk>

Hi all,

I hope someone can help me with some product suggestions / solutions. The scenario is as follows:

NT ----HUB---FW---ROUTER---INTERNET---ROUTER---FW---HUB---NT

What I need is a SOFTWARE product to communicate securely (strong encryption) from NT to NT, regardless of which hardware vendors are in between. If NAT is implemented in the FWs it's static. The solution must be easy to implement and maintain, and should be based on direct client to client communication, in opposition to most VPN solutions "out there" that are based on some kind of security server to distribute security policies to the clients.
Needless to say the environments "trust" each other, therefore security policies and configurations should be limited to the client on the NT.

Thanks

Per Jacobsen, UNI-C

From dgillett at NIKU.COM Thu Jun 29 14:37:46 2000
From: dgillett at NIKU.COM (David Gillett)
Date: Thu, 29 Jun 2000 11:37:46 -0700
Subject: vpn
In-Reply-To:
Message-ID: <06ea01bfe1f9$1eeb0bd0$f30410ac@niku.com>

Unfortunately, this largely parallels our own experience with Windows 9x as a VPN client. We find that \\servername and \\ip.ad.dr.ess work, but Network Neighborhood generally doesn't. (If \\servername doesn't work, your machine may not be receiving a WINS server address from DHCP.)

[9x VPN clients seem to often have trouble talking to the "browsers" who maintain the Network Neighborhood lists. We eventually moved VPN clients to their own subnet/segment so when they invoke a master browser election, it doesn't impact the on-site network.]

David Gillett
Enterprise Networking Services Manager, Niku Corp.
(650) 701-2702
"Transforming the Service Economy"
From MuniX-1 at PACBELL.NET Thu Jun 29 04:06:47 2000
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Thu, 29 Jun 2000 01:06:47 -0700
Subject: server to server VPN Windows NT4 connection
References:
Message-ID: <395B0397.6D18ADA3@pacbell.net>

Hello Fethi;

Well, I am really trying hard to meditate and put myself in your spot, and this is what I think that you are trying to do.. You want to connect both of your remote sites "." It would be better and more cost effective if you connect both of your sites with a gateway to gateway VPN. That could also accept connections from traveling users.. Just something to think about..

Jose Muniz.

From ryan at SECURITYFOCUS.COM Thu Jun 29 16:11:39 2000
From: ryan at SECURITYFOCUS.COM (Ryan Russell)
Date: Thu, 29 Jun 2000 13:11:39 -0700
Subject: Host-to-host VPN/encryption
In-Reply-To: <395B2079.F2491D7D@uni-c.dk>
Message-ID:

Let me ask some questions to clarify the requirements if I may...

On Thu, 29 Jun 2000, Per C. H. Jacobsen wrote:

> Hi all,
> I hope someone can help me with some product suggestions /
> solutions.
> The scenario is as follows:
> NT ----HUB---FW---ROUTER---INTERNET---ROUTER---FW---HUB---NT

Is one of these NT boxes a roaming "client"? I.e. is this a remote-access VPN, or a WAN-replacement VPN? Do the two NT boxes always have the same IP address, is another way to phrase it.

> What I need is a SOFTWARE product to communicate securely
> (strong encryption) from NT to NT, regardless of which
> hardware vendors are in between.

The router model rarely matters. You're more worried about firewalls, NAT, etc.

> If NAT is implemented in the FWs it's static.

This will cause you some trouble.

> The solution must be easy to implement and maintain, and
> should be based on direct client to client communication,

Does this imply that both of the NT boxes will be roaming? How do they find each other if that's the case?

> in opposition to most VPN solutions "out there" that are
> based on some kind of security server to distribute security
> policies to the clients.

Not clear... you do want a central distribution of security policies, or you don't?

> Needless to say the environments "trust" each other,
> therefore security policies and configurations should be
> limited to the client on the NT.

This statement isn't real clear either.

Ryan

From Per.Jacobsen at UNI-C.DK Fri Jun 30 07:32:58 2000
From: Per.Jacobsen at UNI-C.DK (Per C. H. Jacobsen)
Date: Fri, 30 Jun 2000 13:32:58 +0200
Subject: Host-to-host VPN/encryption
References:
Message-ID: <395C856A.49FA3E13@uni-c.dk>

Hi Ryan, thanks for your interest

1. Yes, the NT boxes always have the same IP address. That's why NAT doesn't worry me.
2. Neither the FWs nor the routers actually worry me. When I wrote "regardless of hardware vendors", it's because I don't want any of them to be part of a solution.
3. The NT boxes know each other's address (no roaming).
4. I DO NOT want central distribution of security policies; all configuration and policies must reside on the single NT itself.
Let me cut to the bone... I've tried SSH ported to NT by Sergey Okhapkin. The basic functionality is okay: an SSH daemon on each NT listening on port 22 and a redirecting SSH command forwarding everything from port XXXX to port 22 and on to the other host's port 22. However I would like the same simple functionality from a better tested, more user-friendly, slightly improved and 100% functioning piece of software.

Per
From jmyrick at BENCHMARK-CORP.COM Fri Jun 30 10:48:09 2000
From: jmyrick at BENCHMARK-CORP.COM (Joe M. Myrick)
Date: Fri, 30 Jun 2000 09:48:09 -0500
Subject: VPNet box.
Message-ID: <35A8CBCF8E05D411BC6C00C04F1FFA7C19EF@BMLP-PDC>

Is anyone currently using any VPNet products, specifically the VSU series? We are considering them for connecting our remote sites via SDSL. If you are currently using them or have had any experience with them, I'd like to know what you think about them.

Thanks,
Joe...

From velascom at MINDSPRING.COM Thu Jun 29 23:13:35 2000
From: velascom at MINDSPRING.COM (Marlon Velasco)
Date: Thu, 29 Jun 2000 22:13:35 -0500
Subject: Vpn does not work with dsl/cable router
Message-ID: <000601bfe241$2e5c3650$a16cfea9@nym2000>

I recently purchased a Linksys DSL/cable router to share my internet connection among multiple computers. Since installing this router my VPN client does not work anymore. What do I need to configure in the router to allow VPN access?

Thanks,
Marlon

From openhk at YAHOO.COM Fri Jun 30 01:38:49 2000
From: openhk at YAHOO.COM (Paco Law)
Date: Thu, 29 Jun 2000 22:38:49 -0700
Subject: SHIVA ??
Message-ID: <20000630053849.20150.qmail@web6003.mail.yahoo.com>

I'm looking for a VPN solution. Is anyone using SHIVA VPN products? Any comments? How about RADGUARD? It's very simple to set up...

Thanks!

Regards,
Ray
From cmoellenkamp at RELIANTENERGY.COM Fri Jun 30 13:56:13 2000
From: cmoellenkamp at RELIANTENERGY.COM (Moellenkamp, Chris)
Date: Fri, 30 Jun 2000 12:56:13 -0500
Subject: No subject
Message-ID:

Anyone out there using iPlanet Webtop for their VPN solution? We are considering it and VPN-1 from Checkpoint. Any comments would be welcomed.

Thanks

From dgillett at NIKU.COM Fri Jun 30 14:45:48 2000
From: dgillett at NIKU.COM (David Gillett)
Date: Fri, 30 Jun 2000 11:45:48 -0700
Subject: Vpn does not work with dsl/cable router
In-Reply-To: <000601bfe241$2e5c3650$a16cfea9@nym2000>
Message-ID: <074e01bfe2c3$690c7f30$f30410ac@niku.com>

Odds are pretty good that the LinkSys is allowing "sharing" by performing NAT -- Network Address Translation. Some VPN products, especially newer ones, can be configured to cope with this; some older ones cannot.

David Gillett
Enterprise Networking Services Manager, Niku Corp.
(650) 701-2702
"Transforming the Service Economy"

From jonc at HAHT.COM Fri Jun 30 18:12:58 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Fri, 30 Jun 2000 18:12:58 -0400
Subject: Vpn does not work with dsl/cable router
References: <000601bfe241$2e5c3650$a16cfea9@nym2000>
Message-ID: <002b01bfe2e0$6c10df60$6803010a@dhcp.haht.com>

Upgrade your firmware. You probably have an older version.
We use LinkSys routers at our trade shows and at some of our remote sites; all of them allow PPTP (MS-VPN) through.

Jon Carnes
MIS - HAHT Software
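The routing step of Jon Carnes' NT 4.0 PPTP server-to-server walkthrough earlier in this digest (the two "route add" commands, one per site's main router/gateway, plus his "!)" warning that the two networks must differ) as an added worked example; this is not code from the thread or from any poster. It generates the per-site NT "route add" commands for any number of sites and rejects overlapping networks or an NT server address outside its own LAN; the SITES table holds the addresses from the post, and the site names are assumptions.

```python
"""Plan the static routes for an NT 4.0 PPTP server-to-server setup.

Each site is described by its LAN network and the address of the NT
server that terminates the PPTP link.  On every site's main
router/gateway, one route per other site is added, with that site's own
NT server as the gateway (the server becomes the router to the remote
network).  The non-overlap check is the precondition from the post; the
server-inside-its-LAN check is an added sanity check.
"""
import ipaddress

# (site name, LAN network, NT server on that LAN).  The networks and
# server addresses are the ones used in the post; the names are assumed.
SITES = [
    ("local", "192.168.3.0/24", "192.168.3.10"),
    ("remote", "192.168.2.0/24", "192.168.2.10"),
]


def check_sites(sites):
    """Parse and validate the site list; raise ValueError on a bad setup."""
    parsed = []
    for name, net, server in sites:
        network = ipaddress.ip_network(net, strict=True)
        gateway = ipaddress.ip_address(server)
        if gateway not in network:
            raise ValueError(
                f"{name}: NT server {gateway} is not inside LAN {network}")
        parsed.append((name, network, gateway))
    # The networks being joined must not overlap, or the routes are ambiguous.
    for i, (name1, net1, _) in enumerate(parsed):
        for name2, net2, _ in parsed[i + 1:]:
            if net1.overlaps(net2):
                raise ValueError(
                    f"{name1} ({net1}) overlaps {name2} ({net2}); "
                    "the networks you connect must use different IP networks")
    return parsed


def plan_routes(sites):
    """Return {site name: [NT 'route add' commands for that site's gateway]}.

    Each command routes one other site's network via this site's NT server.
    """
    parsed = check_sites(sites)
    plan = {}
    for name, _, gateway in parsed:
        commands = []
        for other, network, _ in parsed:
            if other == name:
                continue
            commands.append(
                f"route add {network.network_address} "
                f"MASK {network.netmask} {gateway}")
        plan[name] = commands
    return plan


if __name__ == "__main__":
    for site, commands in plan_routes(SITES).items():
        print(f"On the {site} site's main router/gateway:")
        for command in commands:
            print("  " + command)
```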