From pbryan at ACRUX.NET Sun Apr 1 23:30:19 2001
From: pbryan at ACRUX.NET (Patrick A. Bryan)
Date: Sun, 1 Apr 2001 22:30:19 -0500
Subject: IPsec traffic through Linksys home router
In-Reply-To: <6987D2458480F042AD8ACA9D40F002665FC075@exchange.kanisa.com>
Message-ID:

Look at the firmware version on the router. If it is approximately the Mar 8 2001 version, roll the firmware back to the previous version.

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of lk at KANISA.COM
Sent: Saturday, March 31, 2001 12:06 PM
To: VPN at SECURITYFOCUS.COM
Subject: IPsec traffic through Linksys home router

I just implemented a Nortel VPN at work with IPsec and PPTP traffic enabled. At home I am using a Linksys router with my DSL connection and the IPsec traffic does not go through, although I enabled it on the router. When I use the dial-up internet connection with a modem, IPsec is working fine. How should I make the IPsec traffic work on a NAT-ed home network environment?

Thanks,
Nyugati

VPN is sponsored by SecurityFocus.COM

From adrian at BRINTON.TO Sun Apr 1 23:26:55 2001
From: adrian at BRINTON.TO (Adrian Brinton)
Date: Sun, 1 Apr 2001 20:26:55 -0700
Subject: NATing clients using IPSec protocol through ipchains
Message-ID: <1430576BBA7FDF4CA5081AA22A9A291F3058@hercules.HOME.brinton.to>

http://www.impsec.org/linux/masquerade/VPN-howto/VPN-Masquerade.html has some really good info on using Linux, NAT and ipchains with VPN clients and servers.

Adrian

-----Original Message-----
From: Sandy Harris [mailto:sandy at STORM.CA]
Sent: Thursday, March 29, 2001 9:33 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: NATing clients using IPSec protocol through ipchains

Subba Rao wrote:
>
> One of M$ systems has an IPSec client and needs to access a private network.
> The traffic will have to go through the Linux gateway which in turn uses
> ipchains to filter traffic.
> How should a client using the IPSec protocol be
> configured by ipchains?
>
> Thank you in advance for any info or pointers.
> --

http://www.freeswan.org/freeswan_trees/freeswan-1.8/doc/firewall.html#NAT

From bekoin at GLOBEACCESS.NET Mon Apr 2 07:47:32 2001
From: bekoin at GLOBEACCESS.NET (Olivier Bekoin)
Date: Mon, 2 Apr 2001 11:47:32 -0000
Subject: GRE ?
References: <20010329084605.E5897@home.com> <3AC41A8D.72CAB14B@storm.ca>
Message-ID: <001701c0bb6a$b40f8f60$9b15473f@globeaccess.net>

Hi,

What is GRE (Generic Routing Protocol)? Is it a VPN protocol? Is it an encapsulation method?

Thanks
Olivier

From fredy at ORION.CL Mon Apr 2 12:21:10 2001
From: fredy at ORION.CL (Fredy Santana)
Date: Mon, 2 Apr 2001 10:21:10 -0600
Subject: comments on sonicwall
In-Reply-To: <20010331163358.20842.qmail@web11507.mail.yahoo.com>
References: <20010331163358.20842.qmail@web11507.mail.yahoo.com>
Message-ID:

Hi Robert:

I have seen a lot of SonicWALL Pros working in your scenario. It has a pretty easy GUI (web based), its performance is about 80 Mbps over a 100 Mbps line and it supports 100 VPN tunnels. In the latest firmware there is a good improvement for configuring the VPN clients: you make a VPN profile and then you can create the configuration file from the SonicWALL GUI and import it into the VPN client. This is a good way to minimize the errors in the configuration. Another good VPN feature is that you can work with certificates.

SonicWALL has another firewall, the SonicWALL Pro VX, which has better hardware performance. Its performance is about 100 Mbps and it supports 1000 VPN tunnels.

Regards from Chile

robang at YAHOO.COM writes:
> hi all,
>
> We've been using Nokia's checkpoint solution and it's
> been working great. but due to budgeting, we're
> looking for a less expensive comparable solution.
> I was wondering if anyone is using Sonicwall Pro and
> give me any feedback on how well that performs. It is
> for an office of about 100 users and is mainly used
> just for firewalling but also has a few VPN users.
>
> thanks in advance,
> Robert

Regards
Fredy R. Santana V.
Electrical Civil Engineer - CCSA
Orion 2000 - Professional Services in Information Security
La Concepcion 322 piso 12, Providencia. Santiago, Chile
Phone: 56-2-6403944, Fax: 56-2-6403990
e-mail: fredy at orion.cl
http://www.orion.cl

From venicio_boas at BR.SCHINDLER.COM Mon Apr 2 16:00:08 2001
From: venicio_boas at BR.SCHINDLER.COM (Venicio Vilas-Bôas)
Date: Mon, 2 Apr 2001 17:00:08 -0300
Subject: Security over ATM
Message-ID:

Dear Tina Bird

I am considering using a VPN to connect site to site. There are small sites with little traffic. Our solution is based on Cisco routers. To connect these sites, a solution called "IP intranet" was offered, which uses IP over ATM and IP over frame relay. This solution was being offered by Embratel (an MCI telecommunications carrier in Brazil). I would like to know whether I can use this solution only (IP over ATM and IP over frame relay) instead of a solution with VPN. The telecommunications people affirm that there are no problems in using this solution offered by the carrier because the traffic passes through one single backbone and the problem of security will be resolved. I have a lot of doubts because I read an article called "A survey on ATM Security" where they speak about security in ATM involving:

- Eavesdropping
- Spoofing
- Service Denial
- Stealing of VCs
- Traffic Analysis

I would be grateful for some tips which will help us to make a good decision.
Kind regards
Venicio

From dgillett at NIKU.COM Mon Apr 2 13:47:23 2001
From: dgillett at NIKU.COM (David Gillett)
Date: Mon, 2 Apr 2001 10:47:23 -0700
Subject: Administrator and VPN
In-Reply-To: <3AC4B563.AB19395D@globeaccess.net>
Message-ID:

Well, the difference between a system administrator and a network administrator is going to be in their job descriptions.

A system administrator, historically, was responsible for configuration and access to a single host or a closely-linked group of hosts; in some organizations, this latter usage may have been extended to cover a network of hosts, or at least the servers on the network.

A network administrator, on the other hand, is responsible for at least a domain or subnet, and, unless the organization includes separate "network engineers", may also include switches, routers, and so on.

I would venture that, IN AN ORGANIZATION THAT DIFFERENTIATES BETWEEN THESE TWO POSITIONS, it would be inappropriate for a system admin to set up a VPN without the network admin's knowledge.

David Gillett
Senior Network Engineer
Niku Corp.

> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of
> Olivier Bekoin
> Sent: Friday, March 30, 2001 8:34 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: Administrator and VPN
>
>
> This is a basic question but I pose it anyway.
> What are the differences between a network administrator and a system
> administrator?
> And which of the administrators must supervise the VPN? If there are the
> two kinds of administrators, what role does each of them play in the VPN
> administration?
>
> thanks in advance
>
> Olivier

From jonc at HAHT.COM Sun Apr 1 23:49:05 2001
From: jonc at HAHT.COM (Jon Carnes)
Date: Sun, 1 Apr 2001 23:49:05 -0400
Subject: Basic VPN questions
References: <4EBB5C35607E7F48B4AE162D956666EF016BA8@guam.corp.axcelerant.com> <005501c0b794$7ed70f00$0b04010a@JCARNES> <3AC5092A.8545DAA@GlobeAccess.net>
Message-ID: <002301c0bb27$ddc04d60$0b04010a@JCARNES>

Veneral case? - Protection. A good firewall and strong encryption, plus regular scans and updates.

General case? - Two endpoints on a public network, some form of encapsulating information and sending encrypted - or protected - data across the public network.

By the way, if you need more specific answers, please be more specific in your question.

----- Original Message -----
From: "Olivier, Bekoin"
To:
Sent: Friday, March 30, 2001 6:31 PM
Subject: Basic VPN questions

>
> Hi all,
>
> What do I need to implement a VPN in eneral case?
>
> Thanks

From lk at KANISA.COM Sun Apr 1 23:38:46 2001
From: lk at KANISA.COM (lk at KANISA.COM)
Date: Sun, 1 Apr 2001 20:38:46 -0700
Subject: IPsec traffic through Linksys home router
Message-ID: <6987D2458480F042AD8ACA9D40F002665FC079@exchange.kanisa.com>

Why do I need to do that? The new firmware version has a lot more function than the old one...

-----Original Message-----
From: Patrick A. Bryan
To: lk at KANISA.COM
Cc: vpn at securityfocus.com
Sent: 4/1/2001 8:30 PM
Subject: RE: IPsec traffic through Linksys home router

Look at the firmware version on the router. If it is approximately the Mar 8 2001 version, roll the firmware back to the previous version.
-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of lk at KANISA.COM
Sent: Saturday, March 31, 2001 12:06 PM
To: VPN at SECURITYFOCUS.COM
Subject: IPsec traffic through Linksys home router

I just implemented a Nortel VPN at work with IPsec and PPTP traffic enabled. At home I am using a Linksys router with my DSL connection and the IPsec traffic does not go through, although I enabled it on the router. When I use the dial-up internet connection with a modem, IPsec is working fine. How should I make the IPsec traffic work on a NAT-ed home network environment?

Thanks,
Nyugati

From egoyer at PRAENESTE.COM Mon Apr 2 09:23:46 2001
From: egoyer at PRAENESTE.COM (Etienne Goyer)
Date: Mon, 2 Apr 2001 09:23:46 -0400
Subject: Administrator and VPN
In-Reply-To: <3AC4B563.AB19395D@globeaccess.net>
Message-ID:

The difference is that you end up being one or the other based on what your boss feels is the most important part of your job the day he orders your business card :)

Seriously, we could say that a network admin is the guy (gal) who takes care of hubs, switches, routers, firewalls, the links to your ISP and customers, etc. A sysadmin is supposed to be taking care of server boxen (NT, Unix, mini, whatever). In a small organization, this is usually the same guy (gal). In practice, unless you are very specialized, you end up doing both.

> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of
> Olivier Bekoin
> Sent: Friday, March 30, 2001 11:34 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: Administrator and VPN
>
>
> This is a basic question but I pose it anyway.
> What are the differences between a network administrator and a system
> administrator?
> And which of the administrators must supervise the VPN? If there are the
> two kinds of administrators, what role does each of them play in the VPN
> administration?
>
> thanks in advance
>
> Olivier

From jonc at HAHT.COM Sun Apr 1 23:40:03 2001
From: jonc at HAHT.COM (Jon Carnes)
Date: Sun, 1 Apr 2001 23:40:03 -0400
Subject: IPsec traffic through Linksys home router
References: <6987D2458480F042AD8ACA9D40F002665FC075@exchange.kanisa.com>
Message-ID: <001b01c0bb26$9abaf930$0b04010a@JCARNES>

AFAIK, IPSec does not yet work through a LinkSys router. They expect to have it working RSN (real soon now)...

There is a lot of great information on IPSec and NAT firewalls (and why IPSec can't work through a NAT - but a "broken" version of it can) in the archives. Also feel free to look at www.freeswan.org

Jon Carnes

----- Original Message -----
From:
To:
Sent: Saturday, March 31, 2001 2:05 PM
Subject: IPsec traffic through Linksys home router

> I just implemented a Nortel VPN at work with IPsec and PPTP traffic enabled.
> At home I am using a Linksys router with my DSL connection and the IPsec
> traffic does not go through, although I enabled it on the router. When I use
> the dial-up internet connection with a modem, IPsec is working fine.
> How should I make the IPsec traffic work on a NAT-ed home network
> environment?
>
> Thanks,
>
> Nyugati

From bjaber at IPASS.COM Mon Apr 2 17:30:37 2001
From: bjaber at IPASS.COM (Basim Jaber)
Date: Mon, 2 Apr 2001 14:30:37 -0700
Subject: GRE ?
Message-ID:

GRE = Generic Routing Encapsulation
RFC 1701
http://www.faqs.org/rfcs/rfc1701.html

Basim S. Jaber
Senior Systems Engineer
VPN Services / Customer Implementation
iPass Inc.

> -----Original Message-----
> From: Olivier Bekoin [mailto:bekoin at GLOBEACCESS.NET]
> Sent: Monday, April 02, 2001 4:48 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: GRE ?
>
>
> Hi,
>
> What is GRE (Generic Routing Protocol)?
> Is it a VPN protocol?
> Is it an encapsulation method?
>
> Thanks
>
> Olivier

From cgripp at AXCELERANT.COM Mon Apr 2 18:31:30 2001
From: cgripp at AXCELERANT.COM (Christopher Gripp)
Date: Mon, 2 Apr 2001 15:31:30 -0700
Subject: IPsec traffic through Linksys home router
Message-ID: <4EBB5C35607E7F48B4AE162D956666EFA1A9@guam.corp.axcelerant.com>

Let's be clear here. ESP works fine, NAT breaks AH. An IPSec VPN could be either or both. We have it working with NS5's and the Linksys.

Chris

-----Original Message-----
From: Jon Carnes [mailto:jonc at HAHT.COM]
Sent: Sunday, April 01, 2001 8:40 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: IPsec traffic through Linksys home router

AFAIK, IPSec does not yet work through a LinkSys router. They expect to have it working RSN (real soon now)...

There is a lot of great information on IPSec and NAT firewalls (and why IPSec can't work through a NAT - but a "broken" version of it can) in the archives. Also feel free to look at www.freeswan.org

Jon Carnes

----- Original Message -----
From:
To:
Sent: Saturday, March 31, 2001 2:05 PM
Subject: IPsec traffic through Linksys home router

> I just implemented a Nortel VPN at work with IPsec and PPTP traffic enabled.
> At home I am using a Linksys router with my DSL connection and the IPsec
> traffic does not go through, although I enabled it on the router. When I use
> the dial-up internet connection with a modem, IPsec is working fine.
> How should I make the IPsec traffic work on a NAT-ed home network
> environment?
>
> Thanks,
>
> Nyugati

From cgripp at AXCELERANT.COM Mon Apr 2 18:41:51 2001
From: cgripp at AXCELERANT.COM (Christopher Gripp)
Date: Mon, 2 Apr 2001 15:41:51 -0700
Subject: GRE ?
Message-ID: <4EBB5C35607E7F48B4AE162D956666EFA1AA@guam.corp.axcelerant.com>

http://www.ietf.org/rfc/rfc2784.txt?number=2784

-----Original Message-----
From: Olivier Bekoin [mailto:bekoin at GLOBEACCESS.NET]
Sent: Monday, April 02, 2001 4:48 AM
To: VPN at SECURITYFOCUS.COM
Subject: GRE ?

Hi,

What is GRE (Generic Routing Protocol)? Is it a VPN protocol? Is it an encapsulation method?

Thanks
Olivier

From pbryan at ACRUX.NET Mon Apr 2 19:37:33 2001
From: pbryan at ACRUX.NET (Patrick A. Bryan)
Date: Mon, 2 Apr 2001 18:37:33 -0500
Subject: IPsec traffic through Linksys home router
In-Reply-To: <6987D2458480F042AD8ACA9D40F002665FC079@exchange.kanisa.com>
Message-ID:

Because IPSec/PPTP NAT is broken in the latest incarnation...

-----Original Message-----
From: lk at kanisa.com [mailto:lk at kanisa.com]
Sent: Sunday, April 01, 2001 10:39 PM
To: pbryan at acrux.net; lk at kanisa.com
Cc: vpn at securityfocus.com
Subject: RE: IPsec traffic through Linksys home router

Why do I need to do that? The new firmware version has a lot more function than the old one...

-----Original Message-----
From: Patrick A. Bryan
To: lk at KANISA.COM
Cc: vpn at securityfocus.com
Sent: 4/1/2001 8:30 PM
Subject: RE: IPsec traffic through Linksys home router

Look at the firmware version on the router. If it is approximately the Mar 8 2001 version, roll the firmware back to the previous version.

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of lk at KANISA.COM
Sent: Saturday, March 31, 2001 12:06 PM
To: VPN at SECURITYFOCUS.COM
Subject: IPsec traffic through Linksys home router

I just implemented a Nortel VPN at work with IPsec and PPTP traffic enabled. At home I am using a Linksys router with my DSL connection and the IPsec traffic does not go through, although I enabled it on the router. When I use the dial-up internet connection with a modem, IPsec is working fine.
How should I make the IPsec traffic work on a NAT-ed home network environment?

Thanks,
Nyugati

From David.Bovee at WATCHGUARD.COM Mon Apr 2 17:53:24 2001
From: David.Bovee at WATCHGUARD.COM (David Bovee)
Date: Mon, 2 Apr 2001 14:53:24 -0700
Subject: GRE ?
Message-ID: <8D82D0C76653D411834100508BC872A401584AE2@xs001sea.inside.sealabs.com>

The latter. It is an IP encapsulation method, IP protocol 47.

David Bovee
206-713-3380 direct/cell
david.bovee at watchguard.com
http://www.watchguard.com

> -----Original Message-----
> From: Olivier Bekoin [mailto:bekoin at GLOBEACCESS.NET]
> Sent: Monday, April 02, 2001 4:48 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: GRE ?
>
>
> Hi,
>
> What is GRE (Generic Routing Protocol)?
> Is it a VPN protocol?
> Is it an encapsulation method?
>
> Thanks
>
> Olivier

From robang at YAHOO.COM Mon Apr 2 20:31:23 2001
From: robang at YAHOO.COM (Rob Ang)
Date: Mon, 2 Apr 2001 17:31:23 -0700
Subject: comments on sonicwall
In-Reply-To:
Message-ID: <20010403003123.47749.qmail@web11505.mail.yahoo.com>

Thanks to everyone for their input on this subject. I appreciate everyone's comments. In my case, I think price will be the overriding factor, so the SonicWALL box may make the most sense, though it seems most prefer Netscreen.

thanks again!
rob

--- David Newman wrote:
>
> I compared the Sonicwall VX Pro with 11 other VPN gateways last summer, and
> found it to be a competent implementation and very easy to use. It's not as
> speedy as a similar box from Netscreen (my real favorite among the low-cost
> boxes), but then I think it costs less.
>
> The comparison is here:
>
> http://www.commweb.com/article/COM20000912S0009
>
> Hope this helps.
>
> Regards,
> David Newman
> Network Test
>
> > -----Original Message-----
> > From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Rob
> > Ang
> > Sent: Saturday, March 31, 2001 11:34 AM
> > To: VPN at SECURITYFOCUS.COM
> > Subject: comments on sonicwall
> >
> >
> > hi all,
> >
> > We've been using Nokia's checkpoint solution and it's
> > been working great. but due to budgeting, we're
> > looking for a less expensive comparable solution. I
> > was wondering if anyone is using Sonicwall Pro and
> > give me any feedback on how well that performs. It is
> > for an office of about 100 users and is mainly used
> > just for firewalling but also has a few VPN users.
> >
> > thanks in advance,
> > Robert

From pbryan at ACRUX.NET Mon Apr 2 22:53:11 2001
From: pbryan at ACRUX.NET (Patrick A. Bryan)
Date: Mon, 2 Apr 2001 21:53:11 -0500
Subject: IPsec traffic through Linksys home router
In-Reply-To: <4EBB5C35607E7F48B4AE162D956666EFA1A9@guam.corp.axcelerant.com>
Message-ID:

Well, I guess it depends on the VPN solution you are using. Cisco's concentrators/clients will NAT both IP50 and IP51, via UDP....

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Christopher Gripp
Sent: Monday, April 02, 2001 5:32 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: IPsec traffic through Linksys home router

Let's be clear here. ESP works fine, NAT breaks AH. An IPSec VPN could be either or both. We have it working with NS5's and the Linksys.
Chris

-----Original Message-----
From: Jon Carnes [mailto:jonc at HAHT.COM]
Sent: Sunday, April 01, 2001 8:40 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: IPsec traffic through Linksys home router

AFAIK, IPSec does not yet work through a LinkSys router. They expect to have it working RSN (real soon now)...

There is a lot of great information on IPSec and NAT firewalls (and why IPSec can't work through a NAT - but a "broken" version of it can) in the archives. Also feel free to look at www.freeswan.org

Jon Carnes

----- Original Message -----
From:
To:
Sent: Saturday, March 31, 2001 2:05 PM
Subject: IPsec traffic through Linksys home router

> I just implemented a Nortel VPN at work with IPsec and PPTP traffic enabled.
> At home I am using a Linksys router with my DSL connection and the IPsec
> traffic does not go through, although I enabled it on the router. When I use
> the dial-up internet connection with a modem, IPsec is working fine.
> How should I make the IPsec traffic work on a NAT-ed home network
> environment?
>
> Thanks,
>
> Nyugati

From guy.raymakers at EDS.COM Tue Apr 3 02:47:04 2001
From: guy.raymakers at EDS.COM (Raymakers, Guy)
Date: Tue, 3 Apr 2001 07:47:04 +0100
Subject: GRE ?
Message-ID:

Olivier,

GRE is indeed an encapsulation protocol but it doesn't provide real data protection. It could be a VPN in some cases but I wouldn't use it over the Internet. However, you could use it over an IPsec tunnel; in this way you can build very nice VPN networks.

Guy

-----Original Message-----
From: Olivier Bekoin [mailto:bekoin at GLOBEACCESS.NET]
Sent: Monday, April 02, 2001 13:48
To: VPN at SECURITYFOCUS.COM
Subject: GRE ?

Hi,

What is GRE (Generic Routing Protocol)? Is it a VPN protocol? Is it an encapsulation method?
Thanks
Olivier

From rbunzli at CSC.COM Tue Apr 3 10:07:46 2001
From: rbunzli at CSC.COM (Bunzli, Robert)
Date: Tue, 3 Apr 2001 07:07:46 -0700
Subject: IPsec traffic through Linksys home router
Message-ID:

Jon, what archives are you referring to??? Don't see any links to archives for this forum on TBird's web page. Please clarify, thanks

Bob

Jon Carnes @SECURITYFOCUS.COM> on 04/01/2001 08:40:03 PM, sent by: VPN Mailing List
Please respond to Jon Carnes

From ryan at SECURITYFOCUS.COM Tue Apr 3 14:42:56 2001
From: ryan at SECURITYFOCUS.COM (Ryan Russell)
Date: Tue, 3 Apr 2001 12:42:56 -0600
Subject: IPsec traffic through Linksys home router
In-Reply-To:
Message-ID:

http://www.securityfocus.com/templates/archive.pike?list=50

On Tue, 3 Apr 2001, Bunzli, Robert wrote:

> Jon, what archives are you referring to??? Don't see any links to archives
> for this forum on TBird's web page. Please clarify, thanks Bob

Ryan

From Patrick.Bryan at ABBOTT.COM Tue Apr 3 10:48:51 2001
From: Patrick.Bryan at ABBOTT.COM (Patrick.Bryan at ABBOTT.COM)
Date: Tue, 3 Apr 2001 09:48:51 -0500
Subject: IPsec traffic through Linksys home router
Message-ID:

Hmmm... I witnessed IPSec working through the Linksys router... With the firmware rollback, it worked fine....

Jon Carnes, sent by: VPN Mailing List, 04/01/2001 10:40 PM
Please respond to Jon Carnes
Subject: Re: IPsec traffic through Linksys home router

AFAIK, IPSec does not yet work through a LinkSys router. They expect to have it working RSN (real soon now)...

There is a lot of great information on IPSec and NAT firewalls (and why IPSec can't work through a NAT - but a "broken" version of it can) in the archives.
Also feel free to look at www.freeswan.org

Jon Carnes

----- Original Message -----
From:
To:
Sent: Saturday, March 31, 2001 2:05 PM
Subject: IPsec traffic through Linksys home router

> I just implemented a Nortel VPN at work with IPsec and PPTP traffic enabled.
> At home I am using a Linksys router with my DSL connection and the IPsec
> traffic does not go through, although I enabled it on the router. When I use
> the dial-up internet connection with a modem, IPsec is working fine.
> How should I make the IPsec traffic work on a NAT-ed home network
> environment?
>
> Thanks,
>
> Nyugati

From shope at ENERGIS-EIS.CO.UK Tue Apr 3 04:35:29 2001
From: shope at ENERGIS-EIS.CO.UK (Stephen Hope)
Date: Tue, 3 Apr 2001 09:35:29 +0100
Subject: Security over ATM
Message-ID: <01903665B361D211BF6700805FAD5D93D9E6F6@mail.datarange.co.uk>

Venicio,

VPN is a combination of 2 different things:

1. build a logical overlay network over a base network
2. encryption to give privacy etc.

Typically, you use both, where the underlying network is the Internet, but the technologies can be applied separately. You can also run VPN over any network - a lot of banks build a general purpose IP network, and then use VPN style systems for the high security traffic flows "over the top" of the general network.

So, you can use VPN, or more likely just encryption, over the Frame / ATM / router network you build. You can encrypt traffic selectively, or just encrypt everything.

Points to worry about:

1. If the routers belong to the carrier, you will have issues about making them configure things they regard as non standard (such as encryption).
2. If the carrier owns the routers, they will need access anyway for monitoring, so potentially they could turn off encryption and you would not find out.
3. In most countries encryption is restricted legally - you need to check for the places your network will go.
4. Encryption requires a lot of processing - you may need more powerful routers and / or encryption hardware accelerators to get enough router performance to run at the WAN link speeds you are using.
5. Encryption "costs" - it will eat some of your WAN bandwidth, increase latency and increase the complexity of building, maintaining and operating the network. There may be other side effects.
6. Since you are new to this, make sure your suppliers know how to help you.
7. Build a trial or pilot stage first so you learn how it works, and how your applications behave.

Good luck

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Venicio Vilas-Bôas [mailto:venicio_boas at BR.SCHINDLER.COM]
> Sent: 02 April 2001 21:00
> To: VPN at SECURITYFOCUS.COM
> Subject: Security over ATM
> Importance: High
>
>
> Dear Tina Bird
>
> I am considering using a VPN to connect site to site. There are
> small sites with little traffic. Our solution is based on Cisco routers.
> To connect these sites, a solution called "IP intranet" was offered,
> which uses IP over ATM and IP over frame relay. This solution was being
> offered by Embratel (an MCI telecommunications carrier in Brazil).
> I would like to know whether I can use this solution only (IP over ATM and
> IP over frame relay) instead of a solution with VPN.
> The telecommunications people affirm that there are no problems in using this
> solution offered by the carrier because the traffic passes through one
> single backbone and the problem of security will be resolved.
> I have a lot of doubts because I read an article called "A survey on
> ATM Security" where they speak about security in ATM involving:
>
> - Eavesdropping
> - Spoofing
> - Service Denial
> - Stealing of VCs
> - Traffic Analysis
>
> I would be grateful for some tips which will help us to
> make a good decision.
>
> Kind regards
>
> Venicio

From imra at AIRBORNE.COM Tue Apr 3 14:24:04 2001
From: imra at AIRBORNE.COM (Manny Ancheta)
Date: Tue, 3 Apr 2001 18:24:04 -0000
Subject: Sonicwall ver 5.1.1 and Nortel Extranet Client
Message-ID: <20010403182404.25253.qmail@securityfocus.com>

I have a SOHO10 without the VPN option. Whenever I start either a PPTP (MS VPN) or the Nortel Extranet Client to a Nortel Contivity VPN server, it does not work. But if I use the SMC 4-port SOHO firewall, it allows at least one connection from the internal home network.
The SMC folks are saying that they are doing a VPN pass-thru. The SonicWALL requires you to buy their VPN software which is about 400.00 more. That really sucks. What is a VPN pass-thru?

From guy.raymakers at EDS.COM Tue Apr 3 15:18:11 2001
From: guy.raymakers at EDS.COM (Raymakers, Guy)
Date: Tue, 3 Apr 2001 20:18:11 +0100
Subject: GRE ?
Message-ID:

Yes, that's the reason. Also it makes it easier to run routing protocols over a VPN link.

Regards,
Guy

-----Original Message-----
From: Morton, Matthew [mailto:mmorton at ball.com]
Sent: Tuesday, April 03, 2001 8:41 PM
To: Raymakers, Guy
Subject: RE: GRE ?

Quick question. And I assume the reason you would want to use GRE over an IPsec tunnel is so that you can support non-IP traffic? Is this correct?

Thanks,
Matt Morton

-----Original Message-----
From: Raymakers, Guy [mailto:guy.raymakers at EDS.COM]
Sent: Tuesday, April 03, 2001 12:47 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: GRE ?

Olivier,

GRE is indeed an encapsulation protocol but it doesn't provide real data protection. It could be a VPN in some cases but I wouldn't use it over the Internet. However, you could use it over an IPsec tunnel; in this way you can build very nice VPN networks.

Guy

-----Original Message-----
From: Olivier Bekoin [mailto:bekoin at GLOBEACCESS.NET]
Sent: Monday, April 02, 2001 13:48
To: VPN at SECURITYFOCUS.COM
Subject: GRE ?

Hi,

What is GRE (Generic Routing Protocol)? Is it a VPN protocol? Is it an encapsulation method?
Thanks
Olivier

From bekoin at GLOBEACCESS.NET Tue Apr 3 15:43:00 2001
From: bekoin at GLOBEACCESS.NET (Olivier Bekoin)
Date: Tue, 3 Apr 2001 19:43:00 -0000
Subject: VPN, Firewall and ipchains
References:
Message-ID: <001001c0bc76$4a269820$9b15473f@techsupport>

LAN A ----- FW ----- Internet ----- LAN B
             |
             |
            DMZ

Hi all,

Net A : 192.168.0.x
Mask A : 255.255.255.192
gateway : 192.168.0.1

Net B : 10.0.0.x
Mask B : 255.0.0.0
gateway : 10.0.0.1

Net DMZ : 192.168.0.65
Mask : 255.255.255.192
gateway : 192.168.0.66

FW has 3 LAN cards and I will install Red Hat Linux 7.0. I want to use ipchains to let VPN traffic pass through. How can I set it up:

1- to permit remote dial-up access to LAN A
2- to do site-to-site connectivity with LAN B

Thanks

From cgripp at AXCELERANT.COM Tue Apr 3 15:10:12 2001
From: cgripp at AXCELERANT.COM (Christopher Gripp)
Date: Tue, 3 Apr 2001 12:10:12 -0700
Subject: Sonicwall ver 5.1.1 and Nortel Extranet Client
Message-ID: <4EBB5C35607E7F48B4AE162D956666EFA1B8@guam.corp.axcelerant.com>

It means that their device is SUPPOSED to allow the use of an IPSec VPN from behind it and that it will "PASS THRU" the protocol without adversely affecting the ability of the VPN to properly negotiate.

-----Original Message-----
From: Manny Ancheta [mailto:imra at AIRBORNE.COM]
Sent: Tuesday, April 03, 2001 11:24 AM
To: VPN at SECURITYFOCUS.COM
Subject: Sonicwall ver 5.1.1 and Nortel Extranet Client

I have a SOHO10 without the VPN option. Whenever I start either a PPTP (MS VPN) or the Nortel Extranet Client to a Nortel Contivity VPN server, it does not work. But if I use the SMC 4-port SOHO firewall, it allows at least one connection from the internal home network. The SMC folks are saying that they are doing a VPN pass-thru. The SonicWALL requires you to buy their VPN software which is about 400.00 more.
That really sucks.

What is a VPN pass-thru?


From TKoopman at SONICWALL.COM Tue Apr 3 15:30:42 2001
From: TKoopman at SONICWALL.COM (Todd Koopman)
Date: Tue, 3 Apr 2001 12:30:42 -0700
Subject: Sonicwall ver 5.1.1 and Nortel Extranet Client
Message-ID:

I can help clarify some of the issues on this one.

1) VPN Pass Through, or IPSEC Pass Through, is when a NAT device allows or supports the IPSEC protocol. This allows you to use an encrypted client behind the NAT device to connect to a VPN concentrator somewhere in the rest of the world.

2) The SonicWALL family supports VPN pass through of both IPSEC clients (like the Nortel Contivity, Altiga, Checkpoint, et al) and PPTP clients (Microsoft).

3) This is done natively and automatically by the SonicWALL products. You do not need to purchase the site-to-site VPN firmware upgrade. If any of you want the technical details of how we do this, just let me know.

4) Specific Problems Mentioned

   a) PPTP does not work. This is most likely caused by fragmented packets. The SonicWALL does not pass fragmented packets as part of its Denial of Service logic. However, the SonicWALL can be configured to allow fragmented packets over PPTP or IPSEC connections. Essentially, we will "trust" fragmented packets if they are part of an encrypted session we are tracking in the stateful packet inspection logic.

   b) Nortel Contivity does not work. We implemented the IPSEC Pass Through specifically for this client. It required us to maintain source port 500 for the IKE negotiation. However, the automatic pass through does not address the fact that the Contivity Extranet Switch initiates the IKE rekeying, not the client. This rekeying starts at the Contivity switch and is a new and unexpected session arriving at the SonicWALL on UDP port 500. This is dropped by the default rule set that blocks all incoming traffic unless it is a stateful session reply.
   The default rekeying time for the Extranet client is 3 minutes. Your solutions are either to increase the rekeying timeout value on the Contivity switch or to write a rule on the SonicWALL allowing inbound IKE (udp 500) traffic.

5) If you need any assistance with these issues, please contact your reseller or our post-sales customer support department. www.sonicwall.com/support has an on-line form you complete and submit to access our technical support.

Best Regards
Todd Koopman
Systems Engineer
SonicWALL

-----Original Message-----
From: Manny Ancheta [mailto:imra at AIRBORNE.COM]
Sent: Tuesday, April 03, 2001 11:24 AM
To: VPN at SECURITYFOCUS.COM
Subject: Sonicwall ver 5.1.1 and Nortel Extranet Client

I have a SOHO10 without the VPN option. Whenever I start either a PPTP (MS VPN) or the Nortel Extranet Client to a Nortel Contivity VPN server, it does not work. But if I use the SMC 4-port SOHO firewall, it allows at least one connection from the internal home network. The SMC folks are saying that they are doing a VPN pass-thru. The Sonicwall requires you to buy their VPN software which is about 400.00 more. That really sucks.

What is a VPN pass-thru?


From Ole.Vik at CONNECT.NO Tue Apr 3 17:42:55 2001
From: Ole.Vik at CONNECT.NO (Ole Vik)
Date: Tue, 3 Apr 2001 23:42:55 +0200
Subject: Sonicwall ver 5.1.1 and Nortel Extranet Client
Message-ID: <921702524Ole.Vik@connect.no>

It is not clear to me what you are trying to do, but let me guess: You have an Internet connection with a SonicWALL SOHO/10 as your firewall before your LAN. You then try to run VPN from a PC on your LAN to somewhere outside your LAN (that is, on the WAN side of the SonicWALL SOHO/10). This fails.

You do not say if you are running NAT on your SonicWALL or NAT on your router (if you have one). The SonicWALL does not need the VPN option for you to run VPN (IPSEC) through it.
The VPN option is used for cases where the SonicWALL is an IPSEC end-point (for either a PC client or a LAN-to-LAN connection). In your case you could use this, but then you would not need any client on your LAN PC.

Passing IPSEC data over some routers running NAT does not work. This process (when it works) is called IPSEC pass-through, as the router (or a firewall) will pass the IPSEC data through correctly (a non-trivial, but possible, case when running NAT).

--
Ole Vik

On 3. april 2001 20:24, Manny Ancheta wrote:
> I have a SOHO10 without the VPN option.
> Whenever I start either a PPTP (MS VPN) or the
> Nortel Extranet Client to a Nortel Contivity VPN
> server, it does not work. But if I use the SMC 4-port
> SOHO firewall, it allows at least one connection from
> the internal home network.
>
> The SMC folks are saying that they are doing a VPN
> pass-thru. The Sonicwall requires you to buy their
> VPN software which is about 400.00 more. That
> really sucks.
>
> What is a VPN pass-thru?


From SFaust at ARCATL.ORG Thu Apr 5 09:13:33 2001
From: SFaust at ARCATL.ORG (Sean Faust)
Date: Thu, 5 Apr 2001 09:13:33 -0400
Subject: VPN Solution
Message-ID: <75314F44BB04D31193950060970439116FBE1D@ATL_EXC>

Good Morning Everyone,

I am currently neck deep in my first attempt to implement a VPN solution. We currently have the SES Internet Appliance box. When implementing PPTP using the WIN98 VPN adapter I constantly get Windows 691 error messages. I have been struggling for about a week now trying to get this to work. My question is, does anyone have any suggestions for the client side, and any feedback regarding the Internet Appliance box, whether good or bad, will be greatly appreciated. Some of my remote clients sit on NAT networks where the Internet Appliance Virtual Tunnel client will not work, so I am forced to use the Microsoft PPTP adapter.
They can connect with the PPTP client to the Internet Appliance box but only with authentication turned off, which is self-defeating. Others I have spoken to have chosen other solutions such as the Nortel Connectivity box and say that set up was a breeze at both ends.

Thank You

Sean Faust
Network Administrator
American Red Cross - Atlanta Chapter
404-575-3123
Visit our website! www.redcross.org/atlanta


From Debashis.Ghosh at GEASN.GE.COM Thu Apr 5 04:07:59 2001
From: Debashis.Ghosh at GEASN.GE.COM (Ghosh, Debashis (CORP, CIM))
Date: Thu, 5 Apr 2001 16:07:59 +0800
Subject: Secureremote with Nortel
Message-ID: <9D80D576D84CD411914B00508BCF74960214061D@sin01xbasnge.geasn.ge.com>

Hi everyone,

I have a Checkpoint VPN1 infrastructure..... my company is migrating to Nortel..... has anyone tried using the SecureRemote client to connect to a Nortel VPN gateway (running IPSEC)?

Would appreciate all help on this one.

Regards,
Debashis


From Uwe.Scheffold at WAELISCHMILLER.COM Wed Apr 4 12:23:20 2001
From: Uwe.Scheffold at WAELISCHMILLER.COM (Uwe Scheffold)
Date: Wed, 4 Apr 2001 18:23:20 +0200
Subject: VPN SuSE 7.0 Routing
Message-ID:

Hi out there,

I try to install a VPN with Linux (SuSE 7.0) computers.

Here is the network situation:

    Net 1        eth0  slave   eth1      internet      eth1  master  eth0        Net 2
 ==========| SuSE 7.0 |--------->|~~~|<---------| SuSE 7.0 |============
 192.168.2.0       I     217.89.33.11          217.6.96.3      II     192.168.1.0

I use the ssh/pppd system described in the miniVPN howto.

The connection between the two computers works fine, but after setup of routes, I can only ping from Computer I (net 2) to computer II (net 1). It is not possible to ping from II to I and not into networks 1 and 2. What went wrong?

Here are the routing tables. Is anybody able to see what is wrong here?
Slave
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.101.2   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
217.89.33.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     192.168.101.2   255.255.255.0   UG    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         217.89.33.9     0.0.0.0         UG    0      0        0 eth1

Master
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.101.1   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
217.6.96.0      0.0.0.0         255.255.255.248 U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     192.168.101.1   255.255.255.0   UG    0      0        0 ppp0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         217.6.96.1      0.0.0.0         UG    0      0        0 eth1

Is there a better VPN solution for this network (FreeSwan etc.)?

Best Regards: Uwe Scheffold


From dgillett at NIKU.COM Thu Apr 5 17:20:48 2001
From: dgillett at NIKU.COM (David Gillett)
Date: Thu, 5 Apr 2001 14:20:48 -0700
Subject: VPN SuSE 7.0 Routing
In-Reply-To:
Message-ID:

The only time I've seen "A can ping B, B cannot ping A", it turned out to be a firewall configuration issue. Are you running ipchains on those boxes?

David Gillett
Senior Network Engineer
Niku Corp.

> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Uwe Scheffold
> Sent: Wednesday, April 04, 2001 9:23 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: VPN SuSE 7.0 Routing
>
> Hi out there,
>
> I try to install a VPN with Linux (SuSE 7.0) computers.
>
> Here is the network situation:
>
>     Net 1        eth0  slave   eth1      internet      eth1  master  eth0        Net 2
>  ==========| SuSE 7.0 |--------->|~~~|<---------| SuSE 7.0 |============
>  192.168.2.0       I     217.89.33.11          217.6.96.3      II     192.168.1.0
>
> I use the ssh/pppd system described in the miniVPN howto.
>
> The connection between the two computers works fine, but after setup of
> routes, I can only ping from Computer I (net 2) to computer II (net 1).
> It is not possible to ping from II to I and not into networks 1 and 2. What
> went wrong?
>
> Here are the routing tables. Is anybody able to see what is wrong here?
>
> Slave
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.101.2   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> 217.89.33.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.168.2.0     192.168.101.2   255.255.255.0   UG    0      0        0 ppp0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         217.89.33.9     0.0.0.0         UG    0      0        0 eth1
>
> Master
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.101.1   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> 217.6.96.0      0.0.0.0         255.255.255.248 U     0      0        0 eth1
> 192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.1.0     192.168.101.1   255.255.255.0   UG    0      0        0 ppp0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         217.6.96.1      0.0.0.0         UG    0      0        0 eth1
>
> Is there a better VPN solution for this network (FreeSwan etc.)?
>
> Best Regards: Uwe Scheffold


From sandy at STORM.CA Thu Apr 5 17:30:33 2001
From: sandy at STORM.CA (Sandy Harris)
Date: Thu, 5 Apr 2001 17:30:33 -0400
Subject: VPN SuSE 7.0 Routing
References:
Message-ID: <3ACCE3F9.57FA193E@storm.ca>

Uwe Scheffold wrote:
>
> Hi out there,
>
> I try to install a VPN with Linux (SuSE 7.0) computers.
>
> Here is the network situation:
>
>     Net 1        eth0  slave   eth1      internet      eth1  master  eth0        Net 2
>  ==========| SuSE 7.0 |--------->|~~~|<---------| SuSE 7.0 |============
>  192.168.2.0       I     217.89.33.11          217.6.96.3      II     192.168.1.0
>
> I use the ssh/pppd system described in the miniVPN howto.
>
> The connection between the two computers works fine, but after setup of
> routes, I can only ping from Computer I (net 2) to computer II (net 1). It
> is not possible to ping from II to I and not into networks 1 and 2. What
> went wrong?
This sounds pretty much like a common FreeS/WAN problem documented at:

http://www.freeswan.org/freeswan_trees/freeswan-1.8/doc/config.html#multitunnel

I think you have more-or-less the same problem, just on a different system.

> Is there a better VPN solution for this network (FreeSwan etc.)?

SuSE in Europe has included FreeS/WAN IPSEC since 6.3. For 7.1 it's in the North American releases too.

http://www.freeswan.org

Of course I'm not unbiased. I write the FreeS/WAN documentation.


From jonc at HAHT.COM Thu Apr 5 18:20:22 2001
From: jonc at HAHT.COM (Jon Carnes)
Date: Thu, 5 Apr 2001 18:20:22 -0400
Subject: VPN SuSE 7.0 Routing
References:
Message-ID: <01e701c0be1e$9b0b4fc0$0b04010a@JCARNES>

Yes! Using your diagram above as the true setup, your routes are definitely screwed up.

On the Slave (Net 1):
- 192.168.2.0 should be a local address (not via the PPP)
- 192.168.1.0 is not local, but should point to the PPP link

On the Master (Net 2):
- 192.168.1.0 should be a local address (not via the PPP)
- 192.168.2.0 is not local, but should point to the PPP link

- So now I think your picture must be wrong! So if you are plugging in values and using the picture to put those in place, then you might have a problem there!

===

Assuming all is right and the picture is wrong and you did put in the right values for all your scripts that you are running, then the most common problem is not putting your routes on your primary internal routers. Look at the primary internal router for network 1 and make sure that it has a route pointing to network 2. The route should use your local end of the VPN as the gateway. The same goes for the internal router for network 2.

===

The next most common problem is that you have not opened the routes on your firewalls.
Assuming you are running firewalls on each of the VPN endpoints, check to make sure that you have opened up the networks for bi-directional flow of TCP and UDP (and anything else you want to pass).

Good Luck - Jon Carnes

----- Original Message -----
From: "Uwe Scheffold"
To:
Sent: Wednesday, April 04, 2001 12:23 PM
Subject: VPN SuSE 7.0 Routing

> Hi out there,
>
> I try to install a VPN with Linux (SuSE 7.0) computers.
>
> Here is the network situation:
>
>     Net 1        eth0  slave   eth1      internet      eth1  master  eth0        Net 2
>  ==========| SuSE 7.0 |--------->|~~~|<---------| SuSE 7.0 |============
>  192.168.2.0       I     217.89.33.11          217.6.96.3      II     192.168.1.0
>
> I use the ssh/pppd system described in the miniVPN howto.
>
> The connection between the two computers works fine, but after setup of
> routes, I can only ping from Computer I (net 2) to computer II (net 1). It
> is not possible to ping from II to I and not into networks 1 and 2. What
> went wrong?
>
> Here are the routing tables. Is anybody able to see what is wrong here?
>
> Slave
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.101.2   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> 217.89.33.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.168.2.0     192.168.101.2   255.255.255.0   UG    0      0        0 ppp0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         217.89.33.9     0.0.0.0         UG    0      0        0 eth1
>
> Master
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.101.1   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> 217.6.96.0      0.0.0.0         255.255.255.248 U     0      0        0 eth1
> 192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.1.0     192.168.101.1   255.255.255.0   UG    0      0        0 ppp0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         217.6.96.1      0.0.0.0         UG    0      0        0 eth1
>
> Is there a better VPN solution for this network (FreeSwan etc.)?
>
> Best Regards: Uwe Scheffold


From bekoin at GLOBEACCESS.NET Fri Apr 6 13:01:31 2001
From: bekoin at GLOBEACCESS.NET (Olivier Bekoin)
Date: Fri, 6 Apr 2001 17:01:31 -0000
Subject: GRE ?
References:
Message-ID: <000901c0bebb$3a92e0c0$9b15473f@techsupport>

Can I compare the GRE/IPSec association with L2TP/IPSec?

Olivier

----- Original Message -----
From: "Raymakers, Guy"
To:
Sent: Tuesday, April 03, 2001 7:18 PM
Subject: Re: GRE ?

> Yes, that's the reason. Also it makes it easier to run routing protocols
> over a VPN link.
>
> Regards,
> Guy
>
> -----Original Message-----
> From: Morton, Matthew [mailto:mmorton at ball.com]
> Sent: Tuesday, April 03, 2001 8:41 PM
> To: Raymakers, Guy
> Subject: RE: GRE ?
>
> Quick question.
> And I assume the reason you would want to use GRE over an ipsec tunnel is so
> that you can support non-ip traffic?
> Is this correct?
> Thanks, Matt Morton
>
> -----Original Message-----
> From: Raymakers, Guy [mailto:guy.raymakers at EDS.COM]
> Sent: Tuesday, April 03, 2001 12:47 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: GRE ?
>
> Olivier,
>
> GRE is indeed an encapsulation protocol but it doesn't provide real
> data-protection. It could be a VPN in some cases but I wouldn't use it over
> the Internet. However, you could use it over an ipsec tunnel; in this way
> you can build very nice VPN networks.
>
> Guy
>
> -----Original Message-----
> From: Olivier Bekoin [mailto:bekoin at GLOBEACCESS.NET]
> Sent: Monday, April 02, 2001 13:48
> To: VPN at SECURITYFOCUS.COM
> Subject: GRE ?
>
> Hi,
>
> What is GRE (Generic Routing Protocol)?
> Is it a VPN protocol?
> Is it an encapsulation method?
>
> Thanks
>
> Olivier


From bekoin at GLOBEACCESS.NET Sat Apr 7 11:26:02 2001
From: bekoin at GLOBEACCESS.NET (Olivier Bekoin)
Date: Sat, 7 Apr 2001 15:26:02 -0000
Subject: type of VPN
References: <3ACCE3F9.57FA193E@storm.ca>
Message-ID: <000701c0bf77$0e694f90$9b15473f@techsupport>

Hi,

What's VPN IP?
Do other kinds of "VPN" exist?
What do they call them, if they exist?

Olivier


From carlsonmail at YAHOO.COM Mon Apr 9 11:37:34 2001
From: carlsonmail at YAHOO.COM (Chris Carlson)
Date: Mon, 9 Apr 2001 08:37:34 -0700
Subject: NetScreen to Cisco/Compatible 5002
Message-ID: <20010409153734.28319.qmail@web13907.mail.yahoo.com>

Greetings,

Has anyone set up branch office tunnels between a NetScreen (5, 10, or 100) and the Cisco/Compatible 5002? I'm thinking that IPSec rekeying won't work, but how about manual key with no rekeying or PFS? Any pitfalls?

Thanks,
Chris


From ldl1971 at HOTMAIL.COM Mon Apr 9 20:50:22 2001
From: ldl1971 at HOTMAIL.COM (L. David Leija)
Date: Mon, 9 Apr 2001 18:50:22 -0600
Subject: SNMP through Netscreen VPN
Message-ID:

We've deployed 2 Netscreen-10's and successfully established an AutoKey encrypted tunnel between them. We also utilize the SNMP/Perl monitoring software, MRTG. We are able to monitor data from the Netscreen on the near side of the tunnel; however, we cannot get SNMP to talk to the remote Netscreen through the tunnel. We can ping it fine, and we also have complete access to all resources on the remote site through the tunnel. However, SNMP always gets "SNMP Error:no response received" when trying to establish a session.
Any clues on where the problem is? The VPN tunnel, the remote Netscreen, or MRTG? I don't think it's MRTG, as it is currently monitoring countless other devices successfully.


From DLeija at PENSON.COM Fri Apr 6 18:22:45 2001
From: DLeija at PENSON.COM (David Leija)
Date: Fri, 6 Apr 2001 17:22:45 -0500
Subject: VPN & MRTG
Message-ID: <15E71AB50D3ED311A20A0008C75B6B3103FB8874@EXPEN002>

We've deployed 2 Netscreen-10's and successfully established an AutoKey encrypted tunnel between them. We also utilize the SNMP/Perl monitoring software, MRTG. We are able to monitor data from the Netscreen on the near side of the tunnel; however, we cannot get SNMP to talk to the remote Netscreen through the tunnel. We can ping it fine, and we also have complete access to all resources on the remote site through the tunnel. However, SNMP always gets "SNMP Error:no response received" when trying to establish a session.

Any clues on where the problem is? The VPN tunnel, the remote Netscreen, or MRTG? I don't think it's MRTG, as it is currently monitoring countless other devices successfully.

                          _______                                    _______
                         |       |----------------------------------|       |
  Home Branch------------|  NS1  |              Tunnel              |  NS2  |-------------Remote Branch
                         |_______|----------------------------------|_______|

L. David Leija
Penson Financial Services
dleija at penson.com
(214) 765-1228


From Patrick.Bryan at ABBOTT.COM Mon Apr 9 17:27:43 2001
From: Patrick.Bryan at ABBOTT.COM (Patrick.Bryan at ABBOTT.COM)
Date: Mon, 9 Apr 2001 16:27:43 -0500
Subject: IPSec through Raptor
Message-ID:

Hi -

I am looking for information on passing IPSec / ESP through a Raptor.. obviously doing this necessitates the use of IP packet filtering; I am just looking for some info on how to do it on a Raptor....
for example

    10.0.0.1  Client
                 |
                 |
                 v
    10.0.0.2 - inside
             Firewall
    123.123.123.123 - outside
                 |
                 |
                 v
            Vendor VPN

Thanks....


From darrin at REMAINSECURE.COM Mon Apr 9 13:37:19 2001
From: darrin at REMAINSECURE.COM (Darrin Mourer)
Date: Mon, 9 Apr 2001 18:37:19 +0100
Subject: IPSec through Raptor
Message-ID: <4718DC122AD5D4118EBF00062999B3914890@secdev.remainsecure.com>

This doc should have everything you need...

http://www.remainsecure.com/raptipsec.htm

Darrin
www.remainsecure.com

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Patrick.Bryan at ABBOTT.COM
Sent: Monday, April 09, 2001 2:28 PM
To: VPN at SECURITYFOCUS.COM
Subject: IPSec through Raptor

Hi -

I am looking for information on passing IPSec / ESP through a Raptor.. obviously doing this necessitates the use of IP packet filtering; I am just looking for some info on how to do it on a Raptor....

for example

    10.0.0.1  Client
                 |
                 |
                 v
    10.0.0.2 - inside
             Firewall
    123.123.123.123 - outside
                 |
                 |
                 v
            Vendor VPN

Thanks....


From jdell at TELEPLACE.COM Tue Apr 10 07:39:07 2001
From: jdell at TELEPLACE.COM (Jeff Dell)
Date: Tue, 10 Apr 2001 07:39:07 -0400
Subject: NetScreen to Cisco/Compatible 5002
Message-ID: <92396D1409810F4193CE62753E99EBEF3E75A2@tphqexch01.Teleplace.com>

I haven't used the 5002, but the PIX works great with the NetScreen 5/10/100. I have had zero problems.

Jeff

-----Original Message-----
From: Chris Carlson [mailto:carlsonmail at YAHOO.COM]
Sent: Monday, April 09, 2001 11:38 AM
To: VPN at SECURITYFOCUS.COM
Subject: NetScreen to Cisco/Compatible 5002

Greetings,

Has anyone set up branch office tunnels between a NetScreen (5, 10, or 100) and the Cisco/Compatible 5002? I'm thinking that IPSec rekeying won't work, but how about manual key with no rekeying or PFS? Any pitfalls?
Thanks,
Chris


From guy.raymakers at EDS.COM Tue Apr 10 02:24:30 2001
From: guy.raymakers at EDS.COM (Raymakers, Guy)
Date: Tue, 10 Apr 2001 07:24:30 +0100
Subject: GRE ?
Message-ID:

I've never used L2TP over IPSEC but I guess it's comparable with GRE over IPSEC.

-----Original Message-----
From: Olivier Bekoin [mailto:bekoin at GLOBEACCESS.NET]
Sent: Friday, April 06, 2001 19:02
To: VPN at SECURITYFOCUS.COM
Subject: Re: GRE ?

Can I compare the GRE/IPSec association with L2TP/IPSec?

Olivier

----- Original Message -----
From: "Raymakers, Guy"
To:
Sent: Tuesday, April 03, 2001 7:18 PM
Subject: Re: GRE ?

> Yes, that's the reason. Also it makes it easier to run routing protocols
> over a VPN link.
>
> Regards,
> Guy
>
> -----Original Message-----
> From: Morton, Matthew [mailto:mmorton at ball.com]
> Sent: Tuesday, April 03, 2001 8:41 PM
> To: Raymakers, Guy
> Subject: RE: GRE ?
>
> Quick question.
> And I assume the reason you would want to use GRE over an ipsec tunnel is so
> that you can support non-ip traffic?
> Is this correct?
> Thanks, Matt Morton
>
> -----Original Message-----
> From: Raymakers, Guy [mailto:guy.raymakers at EDS.COM]
> Sent: Tuesday, April 03, 2001 12:47 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: GRE ?
>
> Olivier,
>
> GRE is indeed an encapsulation protocol but it doesn't provide real
> data-protection. It could be a VPN in some cases but I wouldn't use it over
> the Internet. However, you could use it over an ipsec tunnel; in this way
> you can build very nice VPN networks.
>
> Guy
>
> -----Original Message-----
> From: Olivier Bekoin [mailto:bekoin at GLOBEACCESS.NET]
> Sent: Monday, April 02, 2001 13:48
> To: VPN at SECURITYFOCUS.COM
> Subject: GRE ?
>
> Hi,
>
> What is GRE (Generic Routing Protocol)?
> Is it a VPN protocol?
> Is it an encapsulation method?
>
> Thanks
>
> Olivier


From lists at FIPS.DE Tue Apr 10 02:16:39 2001
From: lists at FIPS.DE (Philipp Buehler)
Date: Tue, 10 Apr 2001 08:16:39 +0200
Subject: type of VPN
In-Reply-To: <000701c0bf77$0e694f90$9b15473f@techsupport>; "Olivier Bekoin" on 07.04.2001 @ 17:26:02 METDST
References: <3ACCE3F9.57FA193E@storm.ca> <000701c0bf77$0e694f90$9b15473f@techsupport>
Message-ID: <20010410081638.B15847@pohl.fips.de>

On 10/04/2001, Olivier Bekoin wrote To VPN at SECURITYFOCUS.COM:
> What's VPN IP?

Hm, I guess you mean VPN over IP.

> Do other kinds of "VPN" exist?

VPN is a pretty generic description. Its primary 'goal' is to describe a technology of choice which is capable of creating a private topology over a public one. GRE, IPSec, L2TP, PPTP, IP-IP tunnel, IP tunnelled in ATM/FR, .. many possible things :)

VPN-IP would not describe which encryption (if needed, that's not typical per se) is used, so

> What do they call them, if they exist?

VPN, using IP as transport and IPSec for tunneling/encryption. (You can use IPSec w/o encryption too.)

Note: 'VPN' is too complex to put in short words :-)

ciao
--
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH |
#1: Break the clue barrier!  #2: Already had buzzword confuseritis ?


From lists at FIPS.DE Tue Apr 10 02:10:18 2001
From: lists at FIPS.DE (Philipp Buehler)
Date: Tue, 10 Apr 2001 08:10:18 +0200
Subject: GRE ?
In-Reply-To: <000901c0bebb$3a92e0c0$9b15473f@techsupport>; "Olivier Bekoin" on 06.04.2001 @ 19:01:31 METDST
References: <000901c0bebb$3a92e0c0$9b15473f@techsupport>
Message-ID: <20010410081018.A15847@pohl.fips.de>

On 10/04/2001, Olivier Bekoin wrote To VPN at SECURITYFOCUS.COM:
> Can I compare the GRE/IPSec association with L2TP/IPSec?

No. GRE is for 'fixed' tunnels and is on layer 3. L2TP provides authentication and the tunneling of L2 protocols. Furthermore GRE is 'Generic..'; generally you can tunnel any protocol in there. AFAIR L2TP is not that flexible.

ciao
--
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH |
#1: Break the clue barrier!  #2: Already had buzzword confuseritis ?


From tomryan at CAMLAW.RUTGERS.EDU Tue Apr 10 09:49:49 2001
From: tomryan at CAMLAW.RUTGERS.EDU (Tom Ryan)
Date: Tue, 10 Apr 2001 09:49:49 -0400
Subject: question about linksys etherfast cable/dsl router
Message-ID:

I have a Linksys EtherFast cable/DSL router hooked up to my cable modem.

With this setup, I can not connect to my pptp server. If I remove the Linksys from the equation and connect directly, all is well.

The Linksys is running firmware 1.35 (Should we upgrade to 1.36/1.37? What about config settings?)

Thanx!
tom
--
_______________________________________________________________________
Tom Ryan                                 Voice: 856-225-6361
Consulting System Administrator          Fax:   856-969-7900
Rutgers School of Law - Camden


From dmercurio at CCGSECURITY.COM Tue Apr 10 16:26:34 2001
From: dmercurio at CCGSECURITY.COM (Dante Mercurio)
Date: Tue, 10 Apr 2001 16:26:34 -0400
Subject: VPN Clients
Message-ID:

Besides Symantec's Raptor and the PGP client, does anyone know of any other VPN clients that include a personal firewall? Has anyone used a personal firewall such as Norton or McAfee with the IRE client or other clients successfully?

Thanks,
M.
Dante Mercurio, CCNA, MCSE+I, TNSP
Consulting Services Manager
Continental Consulting Group, LLC
www.ccgsecurity.com
dmercurio at ccgsecurity.com


From NPPerera at ITQAN.CO.AE Wed Apr 11 10:11:22 2001
From: NPPerera at ITQAN.CO.AE (Namal Perera)
Date: Wed, 11 Apr 2001 18:11:22 +0400
Subject: VPN
Message-ID: <91B200CBBEC3D111992A00805F31E6CBB0C4A9@MINAMAIL>

Hi,

We have a Sonicwall firewall in our Dubai office and a Gauntlet firewall at our Abu Dhabi office. We would like to create a VPN between the 2 sites, but our Sonicwall vendor says that the 2 firewalls are not compatible. Please confirm whether this is true and if not, please advise on how we may go about creating a VPN between the 2 sites.

Regards,
Namal Perera
ITQAN - Al Bawardi Computers
P.O. Box 4118, Abu Dhabi, UAE
Tel : +971 2 6730 202 Ext: 250
Fax : +971 2 6730 323
Mob : +971 50 4465962
Email: npperera at itqan.co.ae


From Uwe.Scheffold at WAELISCHMILLER.COM Wed Apr 11 07:04:48 2001
From: Uwe.Scheffold at WAELISCHMILLER.COM (Uwe Scheffold)
Date: Wed, 11 Apr 2001 13:04:48 +0200
Subject: SuSE 7.0, IPCHAINS, SSH, VPN, Modem hangup
Message-ID:

Hi out there,

I have a problem with ssh vpn. There is an installation of an ssh-vpn on a Linux host. This host also works as a firewall with masquerading (ipchains). After setup of the ssh-vpn everything works fine. But after some time (10 min or so) the connection terminates with:

Apr 11 11:31:06 c523f pppd[8257]: sent [LCP ConfReq id=0x6 ]
Apr 11 11:31:06 c523f pppd[8257]: rcvd [LCP ConfReq id=0x6 ]
Apr 11 11:31:06 c523f pppd[8257]: sent [LCP ConfNak id=0x6 ]
Apr 11 11:31:07 c523f pppd[8257]: Modem hangup
Apr 11 11:31:07 c523f pppd[8257]: Connection terminated.
Apr 11 11:31:07 c523f pppd[8257]: Hangup (SIGHUP)
Apr 11 11:31:07 c523f pppd[8257]: Failed to open /dev/ttyp0: Input/output error
Apr 11 11:31:07 c523f last message repeated 8 times
Apr 11 11:31:07 c523f pppd[8257]: Exit.
Is anybody able to see the reason for this? Is it possible to detect the breakdown of the connection and to restart the vpn?

Best regards: Uwe


From dana at INTERPRISE.COM Wed Apr 11 17:52:25 2001
From: dana at INTERPRISE.COM (Dana J. Dawson)
Date: Wed, 11 Apr 2001 16:52:25 -0500
Subject: question about linksys etherfast cable/dsl router
References:
Message-ID: <3AD4D219.FD2F9A6A@interprise.com>

Tom Ryan wrote:
>
> I have a Linksys EtherFast cable/DSL router hooked up to my cable modem.
>
> With this setup, I can not connect to my pptp server. If I remove the
> Linksys from the equation and connect directly, all is well.
>
> The Linksys is running firmware 1.35 (Should we upgrade to 1.36/1.37? What
> about config settings?)
>
> Thanx!
> tom
>
> --
> _______________________________________________________________________
> Tom Ryan                                 Voice: 856-225-6361
> Consulting System Administrator          Fax:   856-969-7900
> Rutgers School of Law - Camden

I believe 1.36 is when IPSec pass thru was released, but I'm running 1.37 in my Linksys BEFSR41 and it works just fine. I haven't run PPTP through it, but it works fine with the Cisco VPN 3000 client.

Dana
--
Dana J. Dawson                              dana at interprise.com
Distinguished Principal Engineer            CCIE #1937
Qwest Communications International, Inc.    (612) 664-3364
600 Stinson Blvd., Suite 1S                 (612) 664-4779 (FAX)
Minneapolis MN 55413-2620
"Hard is where the money is."


From nvakhari at CLIO.RAD.SUNYSB.EDU Tue Apr 10 20:18:41 2001
From: nvakhari at CLIO.RAD.SUNYSB.EDU (Nimesh vakharia)
Date: Tue, 10 Apr 2001 20:18:41 -0400
Subject: Stress test
In-Reply-To: <4718DC122AD5D4118EBF00062999B3914890@secdev.remainsecure.com>
Message-ID:

What kind of tools are people using to stress test VPN/firewalls?
There are a lot of packet generators (smartbits/ixia) out there but no one seems to be able to simulate stateful connections and get some substantial amount of data flowing through the connections... Are there any tools (hardware/linux/solaris) that anyone knows about.... I've heard of Antara. What else is out there?

thanks,

Nimesh.

From evyncke at CISCO.COM Wed Apr 11 01:56:35 2001
From: evyncke at CISCO.COM (Eric Vyncke)
Date: Wed, 11 Apr 2001 07:56:35 +0200
Subject: GRE ?
In-Reply-To: <000901c0bebb$3a92e0c0$9b15473f@techsupport>
Message-ID: <4.3.2.7.2.20010411075536.01c34090@brussels.cisco.com>

At 17:01 6/04/2001 +0000, Olivier Bekoin wrote:
>Can I compare GRE/IPSec association with L2TP / IPSec ?
>

Somehow. But L2TP is much more powerful than GRE as L2TP conveys all PPP frames including the ones used for user authentication (CHAP, PAP, EAP) and IP configuration (IPCP)

-eric

>Olivier
>----- Original Message -----
>From: "Raymakers, Guy"
>To:
>Sent: Tuesday, April 03, 2001 7:18 PM
>Subject: Re: GRE ?
>
>
> > Yes, that's the reason. Also it makes it easier to run routing protocols
> > over a VPN link.
> >
> > Regards,
> > Guy
> >
> > -----Original Message-----
> > From: Morton, Matthew [mailto:mmorton at ball.com]
> > Sent: Tuesday, April 03, 2001 8:41 PM
> > To: Raymakers, Guy
> > Subject: RE: GRE ?
> >
> >
> > Quick question.
> > And I assume the reason you would want to use GRE over an ipsec tunnel is
> > so that you can support non-ip traffic?
> > Is this correct?
> > Thanks, Matt Morton
> >
> > -----Original Message-----
> > From: Raymakers, Guy [mailto:guy.raymakers at EDS.COM]
> > Sent: Tuesday, April 03, 2001 12:47 AM
> > To: VPN at SECURITYFOCUS.COM
> > Subject: Re: GRE ?
> >
> >
> > Olivier,
> >
> > GRE is indeed an encapsulation protocol but it doesn't provide real
> > data-protection. It could be a VPN in some cases but I wouldn't use it over
> > the Internet. However, you could use it over an ipsec tunnel, in this way
> > you can build very nice VPN networks.
> >
> > Guy
> >
> > -----Original Message-----
> > From: Olivier Bekoin [mailto:bekoin at GLOBEACCESS.NET]
> > Sent: Monday, April 02, 2001 13:48
> > To: VPN at SECURITYFOCUS.COM
> > Subject: GRE ?
> >
> >
> > Hi,
> >
> > What is GRE (Generic Routing Protocol ) ?
> > Is it a VPN protocol ?
> > Is it an encapsulation method ?
> >
> > Thanks
> >
> > Olivier

From yevgeniy_polulyakh at HP.COM Mon Apr 9 19:56:05 2001
From: yevgeniy_polulyakh at HP.COM (POLULYAKH,YEVGENIY (HP-Cupertino,ex1))
Date: Mon, 9 Apr 2001 16:56:05 -0700
Subject: Raptor and win2000

Hi all,

I'd like to know if a Raptor 6.0 using Raptor mobile 5.0 will support windows 2000 vpn clients. If it does not, what can be done (upgrades, patches)?

Thanks,
Yevgeniy

From tl at SAN.RR.COM Mon Apr 9 21:26:40 2001
From: tl at SAN.RR.COM (Tom Lawless)
Date: Mon, 9 Apr 2001 18:26:40 -0700
Subject: IPSec through Raptor
Message-ID: <3AD26150.5050F4DB@san.rr.com>

Patrick,

Just finished documenting (screenshots even) how to do this with Raptor 6.5 (with the powervpn module) and Alcatel VPN equipment. The Raptor configuration should be consistent regardless of the other product. If you think this may help let me know and I'll shoot you a copy.

Cheers,
Tom

Patrick.Bryan at ABBOTT.COM wrote:
> Hi -
>
> I am looking for information on passing IPSec / ESP through a Raptor..
> obviously doing this necessitates the use of IP packet filtering, I am just
> looking for some info on how to do it on a Raptor....
> for example
>
>   10.0.0.1
>   Client
>     |
>     |
>     v
>   10.0.0.2 - inside
>   Firewall
>   123.123.123.123 - outside
>     |
>     |
>     v
>   Vendor VPN
>
> Thanks....

From jdell at TELEPLACE.COM Tue Apr 10 07:36:59 2001
From: jdell at TELEPLACE.COM (Jeff Dell)
Date: Tue, 10 Apr 2001 07:36:59 -0400
Subject: SNMP through Netscreen VPN
Message-ID: <92396D1409810F4193CE62753E99EBEF3E75A1@tphqexch01.Teleplace.com>

When a packet leaves the Netscreen that is not destined for its Trusted or DMZ LANs, the packet leaves the Netscreen with a source IP of the Untrusted Port. When the destination is the remote LAN through the VPN tunnel, the Netscreen will not go through the tunnel, because the VPN policy reads

    set policy outgoing "Inside Any" "Remote LAN" "ANY" Encrypt vpn-tunnel "VPN to NY"

The source address is the problem here. It reads "Inside Any". The Untrusted IP is not a part of "Inside Any". Therefore you must do the following on the local (let's call this the CA Netscreen) to correct the problem.

1. Create an entry for the Untrusted IP in the Trust side of the Address book. This will make this address available for selection in the Source pull down menu for the Outgoing policies.

2. Create a policy like the following.

    set policy outgoing "Untrusted Port" "Remote LAN" "ANY" Encrypt vpn-tunnel "VPN to NY"

This completes one side of the problem. Basically, this policy will allow anything with a source IP of the Untrusted Port and a destination port of anything on the Remote LAN to be passed through the tunnel. The packet will get to the desired host on the other side of the tunnel. However, the packet will not get back, because the remote Netscreen does not have a policy to allow this. Therefore, we will need to do the following on the remote Netscreen (let's call this the NY Netscreen).

1. Create an Untrusted side address book entry for the Untrusted Port of the original CA Netscreen.

2. Create a policy like the following.

    set policy outgoing "Inside Any" "CA Untrust IP" "ANY" Encrypt vpn-tunnel "VPN to CA"

Now the Netscreens are configured such that packets that originate from the CA Netscreen can reach the NY LAN and be returned.

Jeff

-----Original Message-----
From: L. David Leija [mailto:ldl1971 at HOTMAIL.COM]
Sent: Monday, April 09, 2001 8:50 PM
To: VPN at SECURITYFOCUS.COM
Subject: SNMP through Netscreen VPN

We've deployed 2 Netscreen-10's and successfully established an AutoKey encrypted tunnel between them. We also utilize the SNMP/Perl monitoring software, MRTG. We are able to monitor data from the Netscreen on the near side of the tunnel, however we cannot get SNMP to talk to the remote Netscreen through the tunnel. We can ping it fine, we also have complete access to all resources on the remote site through the tunnel. However, SNMP always gets "SNMP Error:no response received" when trying to establish a session. Any clues on where the problem is? The VPN tunnel, the remote Netscreen, or MRTG. I don't think it's MRTG as it is currently monitoring countless other devices successfully.

From chris_barker at WESTLB.CO.JP Wed Apr 11 20:59:51 2001
From: chris_barker at WESTLB.CO.JP (Chris Barker)
Date: Thu, 12 Apr 2001 09:59:51 +0900
Subject: VPN Clients
Message-ID: <49256A2C.0004F713.00@tky-notes-03.westlb.co.jp>

The IRE client works fine with BlackICE if you have the right patchlevel of BlackICE.
Chris Barker
IT Security Officer
WestLB Tokyo Branch

Dante Mercurio on 04/11/2001 05:26:34 AM
Please respond to Dante Mercurio

From sandy at STORM.CA Thu Apr 12 03:37:48 2001
From: sandy at STORM.CA (Sandy Harris)
Date: Thu, 12 Apr 2001 03:37:48 -0400
Subject: VPN
References: <91B200CBBEC3D111992A00805F31E6CBB0C4A9@MINAMAIL>
Message-ID: <3AD55B4C.CC25CA86@storm.ca>

Namal Perera wrote:
> We have a Sonicwall firewall in our Dubai Office and a Gauntlet firewall at
> our Abu Dhabi office. We would like to create a VPN between the 2 sites, but
> our Sonicwall vendor says that the 2 firewalls are not compatible. Please
> confirm whether this is true and if not, please advise on how we may go
> about creating a VPN between the 2 sites.

We have users of the Linux FreeS/WAN IPSEC implementation reporting success interoperating with both:

http://www.freeswan.org/freeswan_trees/freeswan-1.9/doc/interop.html#gauntlet
http://www.freeswan.org/freeswan_trees/freeswan-1.9/doc/interop.html#sonicwall

This may mean your vendor is wrong and the two could be persuaded to work together. This does not seem entirely certain, however, and I've no idea what details you'd have to work out to get it going.

It almost certainly means that, assuming you have some Unix-ish skills around your shop or can rent some, you could solve your problem by putting Linux and FreeS/WAN on a spare PC and using it for one end of the VPN.

If you have no Unix skills handy, or if they are too expensive or already overworked, then you should likely consider getting another Gauntlet, another Sonicwall, or perhaps one of the off-the-shelf solutions that uses FreeS/WAN:

http://www.freeswan.org/freeswan_trees/freeswan-1.9/doc/intro.html#products

From theresa at TI.COM Thu Apr 12 08:39:13 2001
From: theresa at TI.COM (Brown, Theresa)
Date: Thu, 12 Apr 2001 07:39:13 -0500
Subject: VPN Clients

We have not found a VPN client that includes a firewall that works well for us. However, we are using the Cisco 3000 Client with Black Ice Defender 2.1 and 3.0. If you configure it for Nervous mode and set it to trust the VPN server, it works great.

Kind Regards,
Theresa Brown

-----Original Message-----
From: Dante Mercurio [mailto:dmercurio at CCGSECURITY.COM]
Sent: Tuesday, April 10, 2001 3:27 PM
To: VPN at SECURITYFOCUS.COM
Subject: VPN Clients

Besides Symantec's Raptor and the PGP client, does anyone know of any other VPN clients that include a personal firewall?

Has anyone used a personal firewall such as Norton or McAfee with IRE client or other clients successfully?

Thanks,
M. Dante Mercurio, CCNA, MCSE+I, TNSP
Consulting Services Manager
Continental Consulting Group, LLC
www.ccgsecurity.com
dmercurio at ccgsecurity.com

From Brandy.Miles at OPTEC.COM Thu Apr 12 11:05:59 2001
From: Brandy.Miles at OPTEC.COM (Miles, Brandy)
Date: Thu, 12 Apr 2001 08:05:59 -0700
Subject: VPN Clients

We are in the process of testing out sygate's personal firewall (it is not a VPN client too as far as I know)--it also has a central management piece to it. Anyone tried it or using it that has any feedback as well? So far the engineer testing it is impressed with the installation process and ease of use.

-----Original Message-----
From: Dante Mercurio [mailto:dmercurio at CCGSECURITY.COM]
Sent: Tuesday, April 10, 2001 1:27 PM
To: VPN at SECURITYFOCUS.COM
Subject: VPN Clients

Besides Symantec's Raptor and the PGP client, does anyone know of any other VPN clients that include a personal firewall?

Has anyone used a personal firewall such as Norton or McAfee with IRE client or other clients successfully?

Thanks,
M.
Dante Mercurio, CCNA, MCSE+I, TNSP
Consulting Services Manager
Continental Consulting Group, LLC
www.ccgsecurity.com
dmercurio at ccgsecurity.com

From Kevin_Butters at NAI.COM Wed Apr 11 21:00:50 2001
From: Kevin_Butters at NAI.COM (Butters, Kevin)
Date: Wed, 11 Apr 2001 18:00:50 -0700
Subject: VPN

Not true. Testing performed locally showed site to site shared key VPN tunnels to work just fine.

Kevin Butters
Security Engineer
Network Associates Inc.

-----Original Message-----
From: Namal Perera [mailto:NPPerera at ITQAN.CO.AE]
Sent: Wednesday, April 11, 2001 7:11 AM
To: VPN at SECURITYFOCUS.COM
Subject: VPN

From jrdepriest at FTB.COM Thu Apr 12 09:30:29 2001
From: jrdepriest at FTB.COM (DePriest, Jason R.)
Date: Thu, 12 Apr 2001 08:30:29 -0500
Subject: VPN Clients

I use RaptorMobile, but I do not use its built-in firewall which, to me, looks no more advanced than what is already part of the OS for Windows NT and Windows 2000 (i.e. simple port-blocking). I use NeoWorx' NeoWatch personal firewall with it and, after setting certain systems on the other side of the tunnel as trusted, I have had absolutely no problems. In the past, I also used RaptorMobile with ZoneAlarm and BlackICE.

-Jason

-----Original Message-----
From: Dante Mercurio [mailto:dmercurio at CCGSECURITY.COM]
Sent: Tuesday, April 10, 2001 3:27 PM
To: VPN at SECURITYFOCUS.COM
Subject: VPN Clients

From jonc at NC.RR.COM Wed Apr 11 23:19:24 2001
From: jonc at NC.RR.COM (Jon Carnes)
Date: Wed, 11 Apr 2001 23:19:24 -0400
Subject: SuSE 7.0, IPCHAINS, SSH, VPN, Modem hangup
Message-ID: <01041123192403.00910@Anncons.nc.rr.com>

On Wednesday 11 April 2001 07:04, Uwe Scheffold wrote:
> Hi out there,
>
> I have a problem with ssh vpn.
>
> There is an installation of a ssh-vpn on a Linux host. This host also works
> as firewall with masquerading (ipchains).
> After setup of the ssh-vpn everything works fine.
> But after some time (10 min
> or so) the connection terminates with:
>
> Apr 11 11:31:06 c523f pppd[8257]: sent [LCP ConfReq id=0x6 ]
> Apr 11 11:31:06 c523f pppd[8257]: rcvd [LCP ConfReq id=0x6 ]
> Apr 11 11:31:06 c523f pppd[8257]: sent [LCP ConfNak id=0x6 0xec70b2f1>]
> Apr 11 11:31:07 c523f pppd[8257]: Modem hangup
> Apr 11 11:31:07 c523f pppd[8257]: Connection terminated.
> Apr 11 11:31:07 c523f pppd[8257]: Hangup (SIGHUP)
> Apr 11 11:31:07 c523f pppd[8257]: Failed to open /dev/ttyp0: Input/output
> error
> Apr 11 11:31:07 c523f last message repeated 8 times
> Apr 11 11:31:07 c523f pppd[8257]: Exit.
>
> Is anybody able to see the reason for this?
>
> Is it possible to detect the breakdown of the connection and to restart the
> vpn?
>
===
Sounds like a PPPD problem, but it could be caused by a lot of different things. Are your endpoints running at about the same speed and with good connectivity to the internet? (low packet loss?)

In any case, here is a sample set of scripts running on RH7.0 boxes (some updates applied). We have a bunch of these; here is a real simple set that are a bit crude. The first script kicks off the vpn, the second checks on it regularly (run via cron every minute).

=== vpn-start ===
#!/bin/bash
# Simple script to kick off a vpn connection (ppp via ssh) to Australia office
# The script must be run by root out of the /usr/local/bin directory.

# First setup a simple connection via SSH
cd /usr/local/bin
/usr/local/bin/pty-redir ssh -C -t -o 'Batchmode yes' aufirewall pppd
# the output of this will detail the ttyp to use (ttyp0 is normal)
sleep 10

# Next use PPPD to link the sites together - assuming ttyp0 is used
/usr/sbin/pppd /dev/ttyp0 10.1.4.68:192.168.30.253
sleep 10

# Route the two remote subnets over the new link, then set up the
# return routes on the far end
/sbin/route add -net 192.168.30.0 gw 192.168.30.253 netmask 255.255.255.0
/sbin/route add -net 192.168.31.0 gw 192.168.30.253 netmask 255.255.255.0
ssh -o 'Batchmode yes' aufirewall /etc/rc.d/vpn-route

=== vpn-chk ===
#!/bin/bash
# Check the Australian VPN connection...
# If the ssh transport process is no longer running, kick the vpn off again
ps ax | grep "ssh -C -t -o" | grep -v grep >/dev/null || /usr/local/bin/syd-vpn >/dev/null
===

We have some more sophisticated scripts for our other connects, but these are a good start because of their simplicity.

Jon

From jgilbert at SAFENET-INC.COM Thu Apr 12 10:57:35 2001
From: jgilbert at SAFENET-INC.COM (Jane Gilbert)
Date: Thu, 12 Apr 2001 10:57:35 -0400
Subject: VPN Clients
Message-ID: <3E89A18A51CBD411BD1B0002A507C88B10D64B@MAX>

Dante,

The SafeNet (IRE) VPN client with an integrated ZoneAlarm personal firewall is scheduled to be released next week for general availability. It has already been released on a limited basis to our OEMs.

Jane Gilbert
SafeNet, Inc.

-----Original Message-----
From: Dante Mercurio [mailto:dmercurio at CCGSECURITY.COM]
Sent: Tuesday, April 10, 2001 4:27 PM
To: VPN at SECURITYFOCUS.COM
Subject: VPN Clients

From Ole.Vik at CONNECT.NO Thu Apr 12 06:23:52 2001
From: Ole.Vik at CONNECT.NO (Ole Vik)
Date: Thu, 12 Apr 2001 12:23:52 +0200
Subject: VPN
Message-ID: <922439381Ole.Vik@connect.no>

With the latest version of Gauntlet software, that product should support IPSEC VPN. It should work with SonicWALL VPN.

--
Ole Vik, Connect AS, Blakstadmarka 26, 1386 Asker, Norway.
Telephone +47-66 90 23 00. Telefax +47-66 90 23 05.

On onsdag 11. april 2001 16:11, Namal Perera wrote:
>Hi,
>
>We have a Sonicwall firewall in our Dubai Office and a Gauntlet firewall at
>our Abu Dhabi office.
>We would like to create a VPN between the 2 sites, but
>our Sonicwall vendor says that the 2 firewalls are not compatible. Please
>confirm whether this is true and if not, please advise on how we may go
>about creating a VPN between the 2 sites.
>
>Regards,
>
>Namal Perera
>
>ITQAN - Al Bawardi Computers
>P.O. Box 4118, Abu Dhabi, UAE
>Tel : +971 2 6730 202 Ext: 250
>Fax : +971 2 6730 323
>Mob: +971 50 4465962
>Email: npperera at itqan.co.ae

From WAguilar at SYMANTEC.COM Thu Apr 12 08:44:25 2001
From: WAguilar at SYMANTEC.COM (William Aguilar)
Date: Thu, 12 Apr 2001 08:44:25 -0400
Subject: Raptor and win2000

Yevgeniy,

RaptorMobile 6.5.2 supports WinNT, Win98, Win2000. WinME support will be available soon!

To support RaptorMobile 6.5.x connections you need to upgrade the firewall/vpn gateway to 6.5.

Cheers,
Will

From: "POLULYAKH,YEVGENIY (HP-Cupertino,ex1)"
To: VPN at SECURITYFOCUS.COM@SMTP at Exchange
cc:
Subject: Raptor and win2000
Date: 04/09/2001 07:56 PM
Please respond to "POLULYAKH,YEVGENIY (HP-Cupertino,ex1)"

From JGRANT at STEWART.COM Wed Apr 11 12:17:23 2001
From: JGRANT at STEWART.COM (Joe Grant)
Date: Wed, 11 Apr 2001 11:17:23 -0500
Subject: Basic Architecture

This newbie needs help. I have a new branch office I would like to get back to our hq to provide access to our DEC Alpha Server. This box runs proprietary software on top of the OpenVMS OS. This branch has their own client-server network in place with a DSL connection to their ISP. They do not need access to our PDC or exchange server.

A friend tells me I should get a Netopia R9100 router for my side of the connection. Another tells me I will need part or all of a T-1 line to connect this router to the web (DSL not available in our area). I will then need a public IP address so this branch and others in the future will have a target to connect to.

Is this the best solution or is there a better and maybe less expensive way to give this branch access to the DEC? Any and all help is greatly appreciated!

jgrant at stewart.com

From jonathan.risto at BELLNEXXIA.COM Thu Apr 12 07:37:38 2001
From: jonathan.risto at BELLNEXXIA.COM (Risto, Jonathan)
Date: Thu, 12 Apr 2001 07:37:38 -0400
Subject: PIX firewall or Cisco router for VPN
Message-ID: <69B481AB2D5AD31181AD0008C72B5F8103272BCF@toroondc756>

Good day..

We are considering implementing VPNs between either PIX firewalls or between the 2600 series routers. I have been informed that there are problems with the PIX if the link is down for a time, and you need to reset the ISAKMP keys by either a command or a reload on the PIX. Are there any other gotchas on the PIX or on implementing the VPN on the routers that would pose problems?

As well, if you have any URLs or personal experiences with the performance on the PIX for tunnels doing 3DES and its scalability for tunnels it would be greatly appreciated.

thanks
Jonathan

From hermits at MAC.COM Thu Apr 12 11:58:11 2001
From: hermits at MAC.COM (hermit1)
Date: Thu, 12 Apr 2001 08:58:11 -0700
Subject: VPN Clients
Message-ID: <5.0.2.1.2.20010412085509.00a8e0b0@mail.mac.com>

Checkpoint's firewall remote client includes a personal firewall, but it connects only to their firewall. The encryption is applied only to traffic to a defined address space, leaving other traffic untouched. I think you can impose a rule in the personal firewall that prevents any other traffic if you wish.
hermit1

At 04:26 PM 4/10/01 -0400, Dante Mercurio wrote:
>Besides Symantec's Raptor and the PGP client, does anyone know of any
>other VPN clients that include a personal firewall?
>
>Has anyone used a personal firewall such as Norton or McAfee with IRE
>client or other clients successfully?
>
>Thanks,
>M. Dante Mercurio, CCNA, MCSE+I, TNSP
>Consulting Services Manager
>Continental Consulting Group, LLC
>www.ccgsecurity.com
>dmercurio at ccgsecurity.com

From bjaber at IPASS.COM Thu Apr 12 19:48:50 2001
From: bjaber at IPASS.COM (Basim Jaber)
Date: Thu, 12 Apr 2001 16:48:50 -0700
Subject: BlackICE Defender with VPN Clients...

Here's a link to a page on Network ICE's website which shows their interoperability with the BlackICE agent and various VPN clients.

http://advice.networkice.com/advice/support/kb/q000210/

Basim S. Jaber
Senior Systems Engineer
VPN Services / Customer Implementation
iPass Inc.
http://www.ipass.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20010412/b342ddff/attachment.htm

From jonc at NC.RR.COM Fri Apr 13 11:18:34 2001
From: jonc at NC.RR.COM (Jon Carnes)
Date: Fri, 13 Apr 2001 11:18:34 -0400
Subject: Basic Architecture
Message-ID: <01041311183402.00915@Anncons.nc.rr.com>

We really need a lot more details, but here are some options:
- Direct dial: can you get by with 28Kb/s access and demand dial?
- Use the LRP or FreeSwan projects in conjunction with some used PC's at each end to connect across the internet and run a VPN. The branch office sounds like it is already connected to the internet.

Is your HQ office connected to the internet and how? What resources do you already have in place? What are you using for firewalls at each location? Do you have static external IP addresses for each site? What sort of services do you need to share? What sort of network load will sharing those resources cause?

Your problem has become a very common one in our time. There are *many* solutions, but we need as much detail as possible in order to advise you on one that will fit your needs, budget, and capabilities.

Jon

On Wednesday 11 April 2001 12:17, Joe Grant wrote:
> This newbie needs help. I have a new branch office I would like to get
> back to our hq to provide access to our DEC Alpha Server. This box runs
> proprietary software on top of the OpenVMS OS. This branch has their own
> client-server network in place with a DSL connection to their ISP. They do
> not need access to our PDC or exchange server.
>
> A friend tells me I should get a Netopia R9100 router for my side of the
> connection. Another tells me I will need part or all of a T-1 line to
> connect this router to the web (DSL not available in our area). I will
> then need a public IP address so this branch and others in the future will
> have a target to connect to.
>
> Is this the best solution or is there a better and maybe less expensive way
> to give this branch access to the DEC? Any and all help is greatly
> appreciated!
>
> jgrant at stewart.com

From nbroderick at LANGUAGELINE.COM Fri Apr 13 12:35:30 2001
From: nbroderick at LANGUAGELINE.COM (Broderick, Nancy)
Date: Fri, 13 Apr 2001 09:35:30 -0700
Subject: Help with FW-1 and Cisco 3000 VPN Client
Message-ID: <6CD86DE88BD6D311A7400090277C07FD019D390C@llsexch>

Hello,

I am currently having problems connecting a Cisco 3000 VPN client version 2a through our Checkpoint Firewall-1 4.0 firewall Build 4031.

Symptoms are as follows:

I can start the VPN client to the remote site and can establish a connection. Immediately after the VPN connection is made I can ping the remote host and connect to the remote server. After approximately 1 to 2 minutes, the connection will time out.
The Cisco client says I am still connected, but I can not ping the remote host.

Other notes,
There are a high number of packets being dropped.
If I keep a ping -t going in the background, the connection stays up.
I have the MTU on the client set to 1400
I have the appropriate ports open on the firewall.

When I test it with the firewall rule base with 1 rule only, "Any Source, Any Destination, Accept", the symptoms are the same, connection still drops after a minute or so. If I connect directly to an ISP, the connection works fine. Same is true if I bypass the firewall and connect directly to our router.

Below is a brief outline of the network.

Any help would be greatly appreciated.

Nancy Broderick
LAN Administrator

  |Cisco3000| Vendor A
       |
       v
  |Router|
       |
       v
  (Internet)
       |
       v
  |Router Cisco 2500 Series|
       |
       v
  |CheckpointFW|
  NAT
       |
       v
  |Switch - Bay Stack 350T 10/100 Auto sense Switch|
       |
       v
  |Client|

From evyncke at CISCO.COM Sat Apr 14 16:12:32 2001
From: evyncke at CISCO.COM (Eric Vyncke)
Date: Sat, 14 Apr 2001 22:12:32 +0200
Subject: Help with FW-1 and Cisco 3000 VPN Client
In-Reply-To: <6CD86DE88BD6D311A7400090277C07FD019D390C@llsexch>
Message-ID: <4.3.2.7.2.20010414221220.01d0d6c0@brussels.cisco.com>

Have you tried the NAT mode on the client ?

-eric

At 09:35 13/04/2001 -0700, Broderick, Nancy wrote:
>Hello,
>
>I am currently having problems connecting a Cisco 3000 VPN client version 2a
>through our Checkpoint Firewall-1 4.0 firewall Build 4031.
>
>Symptoms are as follows:
>
>I can start the VPN client to the remote site and can establish a
>connection.
>Immediately after the VPN connection is made I can ping the remote host and
>connect to the remote server.
>After approximately 1 to 2 minutes, the connection will time out. The Cisco
>client says I am still connected, but I can not ping the remote host.
>
>Other notes,
>There are a high number of packets being dropped.
>If I keep a ping -t going in the background, the connection stays up.
>I have the MTU on the client set to 1400
>I have the appropriate ports open on the firewall.
>
>When I test it with the firewall rule base with 1 rule only, "Any Source,
>Any Destination, Accept", the symptoms are the same, connection still drops
>after a minute or so.
>If I connect directly to an ISP, the connection works fine. Same is true if
>I bypass the firewall and connect directly to our router.
>Below is a brief outline of the network.
>
>Any help would be greatly appreciated.
>
>Nancy Broderick
>LAN Administrator
>
>  |Cisco3000| Vendor A
>       |
>       v
>  |Router|
>       |
>       v
>  (Internet)
>       |
>       v
>  |Router Cisco 2500 Series|
>       |
>       v
>  |CheckpointFW|
>  NAT
>       |
>       v
>  |Switch - Bay Stack 350T 10/100 Auto sense Switch|
>       |
>       v
>  |Client|

From dnewman at NETWORKTEST.COM Mon Apr 16 10:13:32 2001
From: dnewman at NETWORKTEST.COM (David Newman)
Date: Mon, 16 Apr 2001 10:13:32 -0400
Subject: Netscreen config question
In-Reply-To: <01041311183402.00915@Anncons.nc.rr.com>

I'm looking to configure a Netscreen-5 as both router and VPN gateway. The trusted interface uses a private address with no problem. The untrusted side is asking for both an address and default gateway, and it will NOT accept identical entries here.

It's a router -- it shouldn't need a default gateway. Is it acceptable to supply all zeros as the untrusted default gateway?

Thanks.

David Newman

From dfox138 at HOTMAIL.COM Sun Apr 15 16:35:04 2001
From: dfox138 at HOTMAIL.COM (David Fox)
Date: Sun, 15 Apr 2001 16:35:04 -0400
Subject: Stress test

I did one lately by asking 20 "power" users to download a service pack of 34MB from Microsoft, viewing cnn.com's newscast on demand, etc simultaneously, etc and monitoring the leased line bandwidth and CPUs of the firewalls.

P.S. I spent two weeks finding and trying out various tools, but to no avail.
Finally, I mobilized these users. ----- Original Message ----- From: "Nimesh vakharia" To: Sent: Tuesday, April 10, 2001 8:18 PM Subject: Stress test > What kind of tools are people using to stress test VPN/firewalls. There > are a lot of packet generators (smartbits/ixia) out there but no one seems > to be able to simulate stateful connections and get some substantial > amount of data flowing through the connections... Are there any tools > hardware/linux/solaris that anyone know about.... I've heard of Antara. > what else is out there? > > thanks, > > Nimesh. > > VPN is sponsored by SecurityFocus.COM > VPN is sponsored by SecurityFocus.COM From carlsonmail at YAHOO.COM Mon Apr 16 12:26:48 2001 From: carlsonmail at YAHOO.COM (Chris Carlson) Date: Mon, 16 Apr 2001 09:26:48 -0700 Subject: Netscreen config question In-Reply-To: Message-ID: <20010416162648.81817.qmail@web13901.mail.yahoo.com> Uh, doesn't every router need a default gateway, i.e. the next hop for all traffic not defined by other routes? So, in your case, the NetScreen's default gateway would be the upstream router (either the one terminating the ISP connection) or the ISP's router itself. Since you're mostly likely doing this in a lab and your networks are pretty self-contained, I would think that static routes would cover it all, but I think you still need a default route. Chris -- --- David Newman wrote: > I'm looking to configure a Netscreen-5 as both > router and VPN gateway. The > trusted interface uses a private address with no > problem. The untrusted > side is asking for both an address and default > gateway, and it will NOT > accept identical entries here. > > It's a router -- it shouldn't need a default > gateway. Is it acceptable to > supply all zeros as the untrusted default gateway? > > Thanks. > > David Newman > > VPN is sponsored by SecurityFocus.COM __________________________________________________ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. 
From cgripp at AXCELERANT.COM Mon Apr 16 12:32:09 2001
From: cgripp at AXCELERANT.COM (Christopher Gripp)
Date: Mon, 16 Apr 2001 09:32:09 -0700
Subject: Netscreen config question
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF016BFC@guam.corp.axcelerant.com>

It is not a router. It has a routing engine. Big diff. It is meant to be deployed where there is a gateway of last resort for the untrusted interface.

Chris

-----Original Message-----
From: David Newman
Sent: Mon 4/16/2001 7:13 AM
To: VPN at SECURITYFOCUS.COM
Cc:
Subject: Netscreen config question

I'm looking to configure a Netscreen-5 as both router and VPN gateway. The trusted interface uses a private address with no problem. The untrusted side is asking for both an address and default gateway, and it will NOT accept identical entries here.

It's a router -- it shouldn't need a default gateway. Is it acceptable to supply all zeros as the untrusted default gateway?

Thanks.

David Newman

From dklein at NETSCREEN.COM Mon Apr 16 12:18:58 2001
From: dklein at NETSCREEN.COM (David Klein)
Date: Mon, 16 Apr 2001 09:18:58 -0700
Subject: Netscreen config question
Message-ID: <9D048F4A422CD411A56500B0D0209C5B01382266@NS-CA>

All routers need a default gateway (or a dynamic routing protocol). The Netscreens do not support dynamic routing protocols. Therefore you need to put the next routing hop in the default gateway field of the untrust interface. I.e., this would be the router (IP address) that the Netscreen uses to get to the "rest of the internet".

If you are sticking this box on a DSL or Cable Modem, then the access provider should have provided you with your default gateway. If your DSL/CM does DHCP or PPPoE then it should pick this up automatically (if you enable DHCP or PPPoE on the untrust interface).

If you are just putting this in a test lab and there is no default router to "elsewhere" then stick any IP address off of that external/untrust subnet as the default gateway (other than its own). In general, a router does NOT want a default route to itself even though other systems may use it as a default route.

> It's a router -- it shouldn't need a default gateway.

Not true - all routers need a default gateway (or at least a routing table of all subnets it will forward packets to).

> Is it acceptable to
> supply all zeros as the untrusted default gateway?

Certainly, but you'll only be able to route packets between the two directly attached network segments unless you put specific static routes for other networks in the routing table. Do a "set route ?" for more detail on that in the Command Line.

Dave Klein
Netscreen SE

> -----Original Message-----
> From: David Newman [mailto:dnewman at NETWORKTEST.COM]
> Sent: Monday, April 16, 2001 9:14 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: Netscreen config question
>
> I'm looking to configure a Netscreen-5 as both router and VPN gateway. The
> trusted interface uses a private address with no problem. The untrusted
> side is asking for both an address and default gateway, and it will NOT
> accept identical entries here.
>
> It's a router -- it shouldn't need a default gateway. Is it acceptable to
> supply all zeros as the untrusted default gateway?
>
> Thanks.
>
> David Newman

From dnewman at NETWORKTEST.COM Mon Apr 16 15:26:18 2001
From: dnewman at NETWORKTEST.COM (David Newman)
Date: Mon, 16 Apr 2001 15:26:18 -0400
Subject: Netscreen config question
In-Reply-To: <9D048F4A422CD411A56500B0D0209C5B01382266@NS-CA>
Message-ID:

Thanks to all who replied. David Klein hits the issue on the head here:

> All routers need a default gateway (or a dynamic routing protocol).

It's that latter bit that threw me. All the Cisco/Nortel/Juniper/Ajax routers I've ever configured didn't ask for a default gateway -- because, as routers, they run routing protocols to dynamically build routing tables. Duh!

The Netscreen box *is* a router, in that it moves packets between subnets using IP network information as its path selection criterion; however, the NS5 is not a dynamic router in that it doesn't support routing protocols.

Sorry to bother the list with such a dumb and basic question.

dn

From renuka_nadkarni at YAHOO.COM Mon Apr 16 14:11:10 2001
From: renuka_nadkarni at YAHOO.COM (Renuka Nadkarni)
Date: Mon, 16 Apr 2001 11:11:10 -0700
Subject: Help with FW-1 and Cisco 3000 VPN Client
In-Reply-To: <6CD86DE88BD6D311A7400090277C07FD019D390C@llsexch>
Message-ID: <20010416181110.27256.qmail@web9306.mail.yahoo.com>

> I am currently having problems connecting a Cisco 3000 VPN client version 2a
> through our Checkpoint Firewall-1 4.0 firewall Build A

I am very curious to know how you configured the 3000 VPN client. It talks to the Altiga/cisco3000 concentrator to get the VPN policy, so if you configure it against FW-1 where will it get its policy information? If you are talking about the IRE/Cisco client then it is different than the Cisco 3000 client and can be configured separately as a VPN client like the PGP client or so. Can you configure the Altiga/3000 client like that??

>        |
>        v
>     |Router|
>        |
>        v
>    (Internet)
>        |
>        v
>   |Router Cisco 2500 Series|
>        |
>        v
>   |CheckpointFW|
>       NAT
>        |
>        v
>   |Switch - Bay Stack 350T 10/100 Auto sense Switch|
>        |
>        v
>     |Client|
From lists at FIPS.DE Mon Apr 16 14:24:56 2001
From: lists at FIPS.DE (Philipp Buehler)
Date: Mon, 16 Apr 2001 20:24:56 +0200
Subject: Stress test
In-Reply-To: ; "David Fox" on 15.04.2001 @ 22:35:04 METDST
References:
Message-ID: <20010416202456.A7561@pohl.fips.de>

On 16/04/2001, David Fox wrote To VPN at SECURITYFOCUS.COM:
> P.S. I spent two weeks finding and trying out various tools, but to no
> avail. Finally, I mobilized these users.

elza can simulate a HTTP client

ciao
--
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH |
#1: Break the clue barrier! #2: Already had buzzword confuseritis ?

From nbroderick at LANGUAGELINE.COM Tue Apr 17 01:41:32 2001
From: nbroderick at LANGUAGELINE.COM (Broderick, Nancy)
Date: Mon, 16 Apr 2001 22:41:32 -0700
Subject: FW: Help with FW-1 and Cisco 3000 VPN Client
Message-ID: <6CD86DE88BD6D311A7400090277C07FD019D3944@llsexch>

Just an update in case anyone else encounters this problem. I received this response from a member of this VPN group and it was really a life-saver for me. It resolved all the connectivity problems we were having on the internal LAN. See the response below. Additional info = We are doing IPSEC/UDP and the client is configured for NAT.

One final question, the only issue we are having now is through our dialup server. We dial up through our Shiva (Intel) Access Switch, a dedicated Remote Access server. Once a dialup connection is established, the client machine becomes a remote node on our network. We can browse the Internet and can browse anything on our internal LAN.

The only problem is that when I try to start the VPN Client, I never get a connection, I never even get to the authentication prompt. It just keeps saying negotiating ...

Client machines are NT 4.0 workstations, SP5, Dell Latitude Laptops, 56k 3Com modem. Connection speeds vary from 28k to 50k, results are the same regardless of connection speed.

Any input is appreciated.
Thank you very much.

Sincerely,

Nancy Broderick
LAN Administrator

-----Original Message-----
From: Pete Davis [mailto:pete at ether.net]
Sent: Friday, April 13, 2001 5:30 PM
To: Broderick, Nancy
Subject: Re: Help with FW-1 and Cisco 3000 VPN Client

Are you doing IPSEC or IPSEC/UDP? With 2.5.2b, the keepalive frequency was increased. The problem you are describing is because the Checkpoint is tearing down the PAT mappings. If you are not doing IPSEC/UDP, you should do IPSEC/UDP with 2.5.2b.

- Fix CSCds42237: IPsec/UDP sessions time out through some default stateful firewalls. UDP Keepalive sent every 20 seconds if no other activity. Activity check made every 10 seconds.

The client is obtained from www.cisco.com / SW CENTER / VPN SOFTWARE / CISCO VPN 3000 Client.

---
Pete Davis - Product Manager (508) 541-7300 x6154
Cisco Systems, Inc. - 38 Forge Park Franklin, MA 02038

From dgillett at NIKU.COM Tue Apr 17 12:29:36 2001
From: dgillett at NIKU.COM (David Gillett)
Date: Tue, 17 Apr 2001 09:29:36 -0700
Subject: Netscreen config question
In-Reply-To:
Message-ID:

It's a router -- it needs to know where to send packets that are bound for other networks ("default gateway").

Note that its interfaces are only Ethernet. So you're going to have *another* router that connects to the DSL/T1/whatever line. The Ethernet side of that router should be on the same network as the untrusted side of the NetScreen, and the address of that router interface is what you need to tell the NetScreen to use as a default gateway.

David Gillett
Senior Network Engineer
Niku Corp.
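The PAT-mapping timeout that Pete Davis describes in the forwarded note above (the firewall drops an idle UDP mapping; the client's keepalive has to land well inside that window) is easy to see in a simulation. This is an added example, not code from any post on the list; the firewall's 40 s UDP idle timeout is an assumed value, while the 20 s keepalive and 10 s activity check are the figures from the fix note.

```python
"""Toy model (added example, not from the list) of a stateful firewall's
PAT idle timer versus an IPsec/UDP client's keepalive. The 40 s firewall
timeout is an assumption; 20 s keepalive / 10 s check come from the thread."""

from dataclasses import dataclass, field


@dataclass
class PatTable:
    """Per-flow idle timer of a stateful firewall doing PAT for UDP."""
    idle_timeout: int                               # seconds a mapping may sit idle
    last_seen: dict = field(default_factory=dict)   # flow -> time of last packet

    def refresh(self, flow, now):
        self.last_seen[flow] = now

    def expire(self, now):
        """Drop every mapping idle longer than idle_timeout; return how many."""
        dead = [f for f, t in self.last_seen.items() if now - t > self.idle_timeout]
        for f in dead:
            del self.last_seen[f]
        return len(dead)

    def is_mapped(self, flow):
        return flow in self.last_seen


@dataclass
class UdpClient:
    """IPsec/UDP client: sends a keepalive once the tunnel has been idle for
    keepalive_every seconds, but only looks for idleness every check_every s."""
    flow: tuple
    keepalive_every: int        # 0 disables keepalives (plain IPsec behaviour)
    check_every: int
    last_activity: int = 0

    def tick(self, now, pat, user_traffic):
        if user_traffic:
            self.last_activity = now
            pat.refresh(self.flow, now)
            return "data"
        idle = now - self.last_activity
        if self.keepalive_every and now % self.check_every == 0 and idle >= self.keepalive_every:
            self.last_activity = now
            pat.refresh(self.flow, now)
            return "keepalive"
        return None


def max_idle_gap(keepalive_every, check_every):
    """Worst-case silence the firewall can observe between two client packets:
    the idle threshold plus almost one full check interval. It must stay below
    the firewall's UDP idle timeout or the mapping is torn down."""
    return keepalive_every + check_every - 1


def simulate(keepalive_every, idle_timeout=40, duration=120, traffic_until=15):
    """Run a one-second clock. User traffic flows for the first traffic_until
    seconds, then the tunnel sits idle (a user reading a page). Returns the
    second at which the firewall dropped the mapping, or None if it survived."""
    pat = PatTable(idle_timeout)
    # Constructed flow tuple (client address, client UDP port); values are illustrative.
    client = UdpClient(flow=("10.1.1.5", 10000), keepalive_every=keepalive_every, check_every=10)
    pat.refresh(client.flow, 0)
    for now in range(1, duration + 1):
        client.tick(now, pat, user_traffic=now <= traffic_until)
        pat.expire(now)
        if not pat.is_mapped(client.flow):
            return now
    return None


if __name__ == "__main__":
    print("no keepalive   :", simulate(keepalive_every=0))    # mapping lost at 56 s
    print("20 s keepalive :", simulate(keepalive_every=20))   # None: mapping survives
    print("60 s keepalive :", simulate(keepalive_every=60))   # too slow, lost at 56 s
    print("worst-case gap :", max_idle_gap(20, 10), "s")      # 29 s, below the 40 s timeout
```

The same model shows the check interval matters as much as the keepalive period: the worst-case gap is keepalive plus check interval, so a 20 s keepalive checked every 10 s never leaves the tunnel silent for more than 29 s.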
> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of David
> Newman
> Sent: Monday, April 16, 2001 7:14 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: Netscreen config question
>
> I'm looking to configure a Netscreen-5 as both router and VPN gateway. The
> trusted interface uses a private address with no problem. The untrusted
> side is asking for both an address and default gateway, and it will NOT
> accept identical entries here.
>
> It's a router -- it shouldn't need a default gateway. Is it acceptable to
> supply all zeros as the untrusted default gateway?
>
> Thanks.
>
> David Newman

From naveedullahk at YAHOO.COM Tue Apr 17 16:48:42 2001
From: naveedullahk at YAHOO.COM (Naveedullah Khan)
Date: Tue, 17 Apr 2001 13:48:42 -0700
Subject: Anyone plz help me out
Message-ID: <20010417204842.19254.qmail@web11006.mail.yahoo.com>

Hi,
I am going to implement a VPN in my small network of 4 computers and I gave the IP address of the subnet on my gateways in the ipsec.conf file but ipsec gives the following error when started:

Fatal Error: No left parameter specified..

Plz help me, I am in trouble coz of this error

=====
"I find that the harder I work, the more luck I seem to have."
NAVEEDULLAH KHAN
Deptt. of Computer Science
Karachi University

From dale at GREP.NET Wed Apr 18 12:18:10 2001
From: dale at GREP.NET (Dale L. Handy, P.E.)
Date: Wed, 18 Apr 2001 10:18:10 -0600
Subject: Win 9x to NT workgroup VPN
Message-ID: <3ADDBE42.FAEFC04C@grep.net>

Hopefully, this is not considered too far off-topic.

I have users that are connecting via PPTP to a network. The NT users are able to map drives within the network. However, the Win 9x users (who are unwilling to move to NT) can connect and do other things, but are not able to map drives on the NT workgroup that they connect to.

I have tried adding and removing protocols, and a few other things (which are, unfortunately, not coming to mind right now). I can't seem to make any changes in how it works.

Any ideas?

--
"A ship in harbor is safe, but that is not what ships are for."

-- Dale L. Handy, P.E.
dale at grep.net

From shope at ENERGIS-EIS.CO.UK Wed Apr 18 05:05:55 2001
From: shope at ENERGIS-EIS.CO.UK (Stephen Hope)
Date: Wed, 18 Apr 2001 10:05:55 +0100
Subject: Help with FW-1 and Cisco 3000 VPN Client
Message-ID: <01903665B361D211BF6700805FAD5D93D9E76C@mail.datarange.co.uk>

Nancy,

the Shiva dial up client replaces some Win9x comms DLLs, so you may be getting some interactions in the 2 clients. This can break other things, such as win9x direct cable connection.

Alternatively, you need to make sure that the routes are consistent when you start the VPN client - you need the RAS routes into your network to still be present as well as routes across the VPN tunnel. Check the routes on the PC with and without the VPN. Command you need is "netstat -r" on Win95 from a command prompt - this will work on some other Win versions I believe.

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Broderick, Nancy [mailto:nbroderick at LANGUAGELINE.COM]
> Sent: 17 April 2001 06:42
> To: VPN at SECURITYFOCUS.COM
> Subject: FW: Help with FW-1 and Cisco 3000 VPN Client
>
> Just an update in case anyone else encounters this problem. I received this
> response from a member of this VPN group and it was really a life-saver for
> me. It resolved all the connectivity problems we were having on the
> internal LAN. See the response below. Additional info = We are doing
> IPSEC/UDP and the client is configured for NAT.
>
> One final question, the only issue we are having now is through our dialup
> server. We dial up through our Shiva (Intel) Access Switch, a dedicated
> Remote Access server. Once a dialup connection is established, the client
> machine becomes a remote node on our network. We can browse the Internet and
> can browse anything on our internal LAN.
>
> The only problem is that when I try to start the VPN Client, I never get a
> connection, I never even get to the authentication prompt. It just keeps
> saying negotiating ...
> Client machines are NT 4.0 workstations, SP5, Dell Latitude Laptops, 56k 3Com
> modem. Connection speeds vary from 28k to 50k, results are the same
> regardless of connection speed.
>
> Any input is appreciated.
> Thank you very much.
>
> Sincerely,
>
> Nancy Broderick
> LAN Administrator
>
> -----Original Message-----
> From: Pete Davis [mailto:pete at ether.net]
> Sent: Friday, April 13, 2001 5:30 PM
> To: Broderick, Nancy
> Subject: Re: Help with FW-1 and Cisco 3000 VPN Client
>
> Are you doing IPSEC or IPSEC/UDP? With 2.5.2b, the keepalive
> frequency was increased. The problem you are describing is because the
> Checkpoint is tearing down the PAT mappings. If you are not doing IPSEC/UDP,
> you should do IPSEC/UDP with 2.5.2b.
> - Fix CSCds42237: IPsec/UDP sessions time out through some default
> stateful firewalls. UDP Keepalive sent every 20 seconds if no other activity.
> Activity check made every 10 seconds.
>
> The client is obtained from www.cisco.com / SW CENTER / VPN SOFTWARE / CISCO
> VPN 3000 Client.
> ---
> Pete Davis - Product Manager (508) 541-7300 x6154
> Cisco Systems, Inc. - 38 Forge Park Franklin, MA 02038

From shope at ENERGIS-EIS.CO.UK Wed Apr 18 05:00:17 2001
From: shope at ENERGIS-EIS.CO.UK (Stephen Hope)
Date: Wed, 18 Apr 2001 10:00:17 +0100
Subject: Netscreen config question
Message-ID: <01903665B361D211BF6700805FAD5D93D9E76B@mail.datarange.co.uk>

Chris,

basically no - it doesn't "need" a default route. A default is an escape clause for any routes you don't have more specific information for in the routing table - enterprise networks often have "complete" sets of routes, and so do the core routers within the Internet.

I try to avoid default routes in enterprise networks - inconsistent use of defaults and other statics is a fairly common source of routing loops. And you can never tell what someone else will / has configured somewhere that is going to trip you up.

Routers need enough routing information to send traffic to the sets of destinations they carry traffic for - that may be just a local LAN or 2 and a default, or more complex dynamic topologies. Sometimes you need a default route (i.e. connect natively to the Internet), and sometimes you don't (i.e. a proxy gateway, or no internet connection).

If you must have a default, the way I recommend is to configure it in 1 place, and let a routing protocol propagate it - that way there is less to get configured wrongly.

One of the biggest problems I have with VPNs is the way that many designs require lots of manual route configs in different places scattered across a single logical network - and they have to be kept consistent over the life of the network. Routing protocols reduce this problem, and I prefer kit that can use them - statics tend to be a bit limiting in some ways:

- Too much manual config in different boxes to build a system
- No automatic consistency checks
- Difficult to build resilient topologies
- Only react to faults via "side effects" (e.g. detect a next hop failure via ARP cache timeout).

But of course firewalls have a different perspective - I want a router network (or a VPN) that has resilience, and reacts to faults by rerouting, so routers need to "trust" each other to some extent - a firewall needs more paranoia.

Stephen

My opinions, not my employers.

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Chris Carlson [mailto:carlsonmail at YAHOO.COM]
> Sent: 16 April 2001 17:27
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: Netscreen config question
>
> Uh, doesn't every router need a default gateway, i.e.
> the next hop for all traffic not defined by other
> routes?
>
> So, in your case, the NetScreen's default gateway
> would be the upstream router (either the one
> terminating the ISP connection) or the ISP's router
> itself.
>
> Since you're most likely doing this in a lab and
> your networks are pretty self-contained, I would think
> that static routes would cover it all, but I think you
> still need a default route.
>
> Chris
> --
>
> --- David Newman wrote:
> > I'm looking to configure a Netscreen-5 as both
> > router and VPN gateway. The
> > trusted interface uses a private address with no
> > problem. The untrusted
> > side is asking for both an address and default
> > gateway, and it will NOT
> > accept identical entries here.
> >
> > It's a router -- it shouldn't need a default
> > gateway. Is it acceptable to
> > supply all zeros as the untrusted default gateway?
> >
> > Thanks.
> >
> > David Newman
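Two points from this Netscreen thread can be checked with a small routing model: David Klein's, that with "all zeros" as the default only the two directly attached segments are reachable unless static routes are added, and Stephen Hope's, that inconsistent defaults and statics are a common source of routing loops. This is an added example, not code from any post or from Netscreen; the router names, prefixes and tables are constructed, and a TTL stands in for the real loop symptom.

```python
"""Added example (not from the list): longest-prefix lookup with an optional
0.0.0.0/0 default, and a hop-by-hop walk that reports loops caused by two
routers pointing their defaults at each other. All names and addresses are
constructed for the example."""

import ipaddress


class Router:
    def __init__(self, name, routes):
        # routes: (prefix, next_hop) pairs; next_hop None means the prefix is a
        # directly attached segment and the packet is delivered locally.
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        """Most specific matching route as (network, next_hop), or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def forward(routers, start, dst, ttl=8):
    """Walk a packet from router `start`. Returns (status, path) with status
    'delivered', 'no_route', or 'loop' when ttl runs out without delivery."""
    path = [start]
    current = start
    for _ in range(ttl):
        route = routers[current].lookup(dst)
        if route is None:
            return "no_route", path
        _net, next_hop = route
        if next_hop is None:
            return "delivered", path
        path.append(next_hop)
        current = next_hop
    return "loop", path


def build_lab(edge_default):
    """Constructed lab: a Netscreen between a trusted LAN (192.168.1.0/24) and an
    edge router on the untrust segment (203.0.113.0/24). edge_default is where
    the edge router sends unknown destinations: 'isp' is correct, 'ns5' is the
    inconsistent-statics mistake (each box using the other as its default)."""
    ns5 = Router("ns5", [("192.168.1.0/24", None),
                         ("203.0.113.0/24", None),
                         ("0.0.0.0/0", "edge")])
    edge = Router("edge", [("203.0.113.0/24", None),
                           ("192.168.1.0/24", "ns5"),
                           ("0.0.0.0/0", edge_default)])
    isp = Router("isp", [("0.0.0.0/0", None)])   # the ISP delivers everything else
    return {"ns5": ns5, "edge": edge, "isp": isp}


def no_default_lab():
    """Klein's 'all zeros' case: the Netscreen knows only its two attached
    segments, with no default and no static routes."""
    return {"ns5": Router("ns5", [("192.168.1.0/24", None), ("203.0.113.0/24", None)])}


if __name__ == "__main__":
    print(forward(build_lab("isp"), "ns5", "198.51.100.7"))   # delivered via edge, isp
    print(forward(build_lab("ns5"), "ns5", "198.51.100.7"))   # loop: ns5 <-> edge
    print(forward(no_default_lab(), "ns5", "198.51.100.7"))   # no_route
    print(forward(no_default_lab(), "ns5", "203.0.113.9"))    # delivered (attached)
```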
From humphrie at WFUBMC.EDU Wed Apr 18 13:38:43 2001
From: humphrie at WFUBMC.EDU (Tait Humphries)
Date: Wed, 18 Apr 2001 13:38:43 -0400
Subject: upgrades for Nortel Contivity switch
Message-ID: <3ADDD123.869C7EDD@wfubmc.edu>

I want to upgrade our Contivity servers. Has anyone had any issues with version 3.5 running on a 4500? Also can I go straight from version 2.51 to 3.5 (or do I need to go to another version that is a little newer first)?

Thanks,
Tait Humphries

From larsen at QEC.COM Wed Apr 18 17:07:27 2001
From: larsen at QEC.COM (Jeff Larsen)
Date: Wed, 18 Apr 2001 16:07:27 -0500
Subject: Getting Started...
Message-ID: <3ADE020F.228BA9AD@qec.com>

Hi folks,

I have subscribed to this list because I have found very few other resources on the net that offer any help on how to choose a VPN service provider. We are a mid-sized company looking to connect 3 remote offices in Denver, Kansas City and Milwaukee to our main office in Minneapolis. We have talked with Qwest, McCleodUSA and Touch America, but how do you really gauge the quality of the services they are offering? Basically, I'm looking for flames or kudos for various service providers. What do you, the users, think of your provider? Who should we be talking to? Who should we avoid?

Is there any significant difference in functionality or usability between basic frame relay and a VPN service?

I know this is pretty basic stuff, but there seems to be a dearth of opinions on the subject.

If you don't feel like spouting off, then perhaps you could direct me to some web resources which might help. If you don't want to make your opinions public, feel free to email me directly.

Thanks,
Jeff

From lavoie_stephane at HOTMAIL.COM Wed Apr 18 16:30:09 2001
From: lavoie_stephane at HOTMAIL.COM (Stephane Lavoie)
Date: Wed, 18 Apr 2001 16:30:09 -0400
Subject: Win 9x to NT workgroup VPN
References: <3ADDBE42.FAEFC04C@grep.net>
Message-ID:

Windows 95 and Windows NT have a compatibility issue regarding folder sharing. This is not due to VPN setting but to Microsoft (I have this problem on my LAN at work).

The following is taken from the Microsoft bulletin:
(http://support.microsoft.com/support/kb/articles/Q169/8/41.asp)

=======================================================================
When you attempt to connect to a share on a Windows 95-based computer from a Windows NT 4.0 workstation or server or Windows 2000, the connection attempt may not succeed and you may receive an "Access Denied" error message if the following conditions exist:

a. The Windows 95 server has user-level security enabled (instead of share-level security), and the security provider is a Windows NT domain.
b. You are attempting to connect to the Windows 95-based computer by using a UNC name (\\servername\sharename) instead of by mapping a drive letter to the share.
c. The Windows NT 4.0 workstation or server has Service Pack 2 or Service Pack 3 installed.

This behavior can also occur with Windows 98-based computers connecting to Windows 95-based computers, and from Windows 95-based computers with the DFS client installed talking to Windows 95-based computers.
=======================================================================

Microsoft is very evasive on any way to solve this problem. They say there exists a VXD driver (available on request only).

If you think this may be your problem (try changing your sharing access level to see if it's solving your problem), send me a personal mail, I will forward you the drivers. (The zip file is about 1.5 MB)

Hope this can help.

----- Original Message -----
From: "Dale L. Handy, P.E."
To:
Sent: Wednesday, April 18, 2001 12:18 PM
Subject: Win 9x to NT workgroup VPN

> Hopefully, this is not considered too far off-topic.
>
> I have users that are connecting via PPTP to a network. The NT users
> are able to map drives within the network. However, the Win 9x users
> (who are unwilling to move to NT) can connect and do other things, but
> are not able to map drives on the NT workgroup that they connect to.
>
> I have tried adding and removing protocols, and a few other things
> (which are, unfortunately, not coming to mind right now). I can't seem
> to make any changes in how it works.
>
> Any ideas?
>
> --
> "A ship in harbor is safe, but that is not what ships are for."
>
> -- Dale L. Handy, P.E.
> dale at grep.net
From lkh at DGSYS.COM Wed Apr 18 21:50:27 2001
From: lkh at DGSYS.COM (Lowell Hanson)
Date: Wed, 18 Apr 2001 21:50:27 -0400
Subject: upgrades for Nortel Contivity switch
References: <3ADDD123.869C7EDD@wfubmc.edu>
Message-ID: <3ADE4463.293A3898@dgsys.com>

Hi Tait,

We have been running 3.5 in our Lab since Beta testing last fall, and are now running it on a number of customer sites. We had no problems upgrading from multiple ages of OS versions. There are some specific issues with 3.5 which is always true with any version of software. A financial issue is that you must buy separate licenses for Advanced Routing and Firewall features.

Thanks!
Lowell

Tait Humphries wrote:
>
> I want to upgrade our Contivity servers. Has anyone had any issues with
> version 3.5 running on a 4500? Also can I go straight from version 2.51
> to 3.5 (or do I need to go to another version that is a little newer
> first)?
>
> Thanks,
> Tait Humphries

--
------------------------------------------------------
Lowell K. Hanson
Senior Consultant
Phone: 703-817-0627
mailto:lkh at dgsys.com
HTTP://www2.dgsys.com/~lkh
We can change the world, but must begin with ourselves"

From bekoin at GLOBEACCESS.NET Wed Apr 18 04:21:00 2001
From: bekoin at GLOBEACCESS.NET (Olivier Bekoin)
Date: Wed, 18 Apr 2001 08:21:00 GMT
Subject: Anyone plz help me out
References: <20010417204842.19254.qmail@web11006.mail.yahoo.com>
Message-ID: <003701bfa90f$c702b430$9b15473f@globeaccess.net>

Hi,

What software do you use to implement your VPN? Give us more details about what you want to do please?

Olivier

----- Original Message -----
From: Naveedullah Khan
To:
Sent: Tuesday, April 17, 2001 8:48 PM
Subject: Anyone plz help me out

> Hi,
> I am going to implement a VPN in my small network of
> 4 computers and I gave the IP address of the subnet on
> my gateways in the ipsec.conf file but ipsec gives the
> following error when started :
> Fatal Error: No left parameter specified..
>
> Plz help me i am in trouble coz of this error
>
> =====
> "I find that the harder I work,
> the more luck I seem to have."
> NAVEEDULLAH KHAN
> Deptt. of Computer Science
> Karachi University

From dlongar at IBSYS.COM Thu Apr 19 10:26:13 2001
From: dlongar at IBSYS.COM (Longar, Dennis)
Date: Thu, 19 Apr 2001 09:26:13 -0500
Subject: Getting Started...
Message-ID: <9E35C54B0C7AD411B5C1009027DE53991B14FC@MSPMX01>

Here are some general comments.

> -----Original Message-----
> From: Jeff Larsen [mailto:larsen at QEC.COM]
> Sent: Wednesday, April 18, 2001 4:07 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Getting Started...
>
> Hi folks,
>
> I have subscribed to this list because I have found very few other
> resources on the net that offer any help on how to choose a VPN
> service provider. We are a mid-sized company looking to connect
> 3 remote offices in Denver, Kansas City and Milwaukee to our main
> office in Minneapolis.

Are these the only locations that will have VPN? Or will you be adding more offices down the road?

> We have talked with Qwest, McCleodUSA and Touch America, but
> how do you really gauge the quality of the services they are offering?
> Basically, I'm looking for flames or kudos for various service
> providers. What do you, the users, think of your provider? Who
> should we be talking to? Who should we avoid?

Most likely the best provider of VPN will be experienced and have a backbone that covers 95% of the area you want to connect. LEC's will have to hand your traffic off to another provider. For instance Qwest in Denver, KC, and Minneapolis can not have backbone connections in these cities, so they will hand your traffic off to one of their upstream providers. Now I don't know much about the services each provider you mentioned above will use, but a good question will be, "Does YOUR network reach between the cities I need to connect?" Your VPN's are going to run much better if they stay on one provider's network the whole time.

I haven't priced out a VPN service from anyone, so I don't really know how price competitive it is with frame relay. Frame relay is a good option, the only way I would say you could beat it is with 50% or more price reduction per month. Warning, I'm just pulling that number out of my ASS! 8-)

Other good questions would be:

What type of VPN do you use? PPTP, IPSEC, L2TP etc..
What type of equipment will you need to purchase?
What is the level of security?
How do you guarantee my traffic is secure?
What are your network delays between cities X and Y?
Will your traffic leave the providers backbone when going between city X and Y?
What equipment will I need to make sure my network is secure on the remote end?
What kind of tee shirt will I get from you for signing up for your service??

OK, I just had to see if you were reading this!! 8-)

VPN's have some hidden costs if you're looking for large scale deployment. Now I have only priced out "do it yourself VPN", but the cost for equipment is higher than with Frame. The cost difference is mainly because of the need to provide a firewall at each site. There is also the hidden cost of a more complex setup to troubleshoot, install and maintain. Lastly there is also always that question in your mind as to whether your data/network is really safe. You may be able to save big money on VPN, but if you're looking for a large scale (30-50 remote offices vpn), you may be able to negotiate cheap enough frame relay to not want to do VPN.

> Is there any significant difference in functionality or
> usability between basic frame relay and a VPN service?
>
> I know this is pretty basic stuff, but there seems to be a dearth of
> opinions on the subject.

If your office numbers aren't going to grow, you can see real savings by doing it yourself. Pick your own equipment and install and setup local ISP connections etc... Depending on how reliable you want it, and your bandwidth requirements you could even check out DSL or Cablemodem for extremely cheap internet, and save even more, but it's all up to your requirements.

> If you don't feel like spouting off, then perhaps you could direct me
> to some web resources which might help. If you don't want to make your
> opinions public, feel free to email me directly.

I think I more spewed than spouted, but that's my opinion, like it or not!!

-Dennis

From nickmacl at SEC.SPRINT.NET Thu Apr 19 12:29:13 2001
From: nickmacl at SEC.SPRINT.NET (Nick MacLauchlan)
Date: Thu, 19 Apr 2001 12:29:13 -0400
Subject: upgrades for Nortel Contivity switch
In-Reply-To: <3ADDD123.869C7EDD@wfubmc.edu>; from Tait Humphries on Wed, Apr 18, 2001 at 01:38:43PM -0400
References: <3ADDD123.869C7EDD@wfubmc.edu>
Message-ID: <20010419122913.A20984@sec.sprint.net>

____ issues

Upgrade to version 2.6 then upgrade again to 3.5.

Personal recommendation DO NOT USE THE NORTEL FIREWALL. There will be a patched version of the firewall code, hopefully very soon. It is my understanding the box can become unstable with the 3.5 firewall running.

Overall the 3.5 software appears to be just as stable as the 2.5x software and that is good news.
On Wed, Apr 18, 2001 at 01:38:43PM -0400, Tait Humphries wrote:
> Date: Wed, 18 Apr 2001 13:38:43 -0400
> From: Tait Humphries
> Subject: upgrades for Nortel Contivity switch
> To: VPN at SECURITYFOCUS.COM
>
> I want to upgrade our Contivity servers. Has anyone had any issues with
> version 3.5 running on a 4500? Also can I go straight from version 2.51
> to 3.5 (or do I need to go to another version that is a little newer
> first)?
>
> Thanks,
> Tait Humphries

--
Nick MacLauchlan
Manager Data Security
(703) 689-7165

From ajennamo at UNCC.EDU Thu Apr 19 13:11:37 2001
From: ajennamo at UNCC.EDU (Andrew Jesse Ennamorato)
Date: Thu, 19 Apr 2001 13:11:37 -0400
Subject: A Question
Message-ID: <200104191711.NAA24423@ms-sm2.uncc.edu>

Have a question for anyone that has "road warriors" or mobile/remote users that connect (via a VPN) to their internal network. What are typical solutions for these types of users?

i.e. What protocols are you using? (IPSec, PPTP, etc). I'm thinking most would be IPSec.

Also, what types of platforms (Win2k/NT/98)? Also, are these users normally connecting to a hardware-type VPN, or more like a RAS/PPTP server? How common is a solution like Aventail or other proprietary VPN software systems?

Thanks a bunch...
Andy Ennamorato
ajennamo at uncc.edu

From DLeija at PENSON.COM Thu Apr 19 11:38:59 2001
From: DLeija at PENSON.COM (David Leija)
Date: Thu, 19 Apr 2001 10:38:59 -0500
Subject: SNMP through Netscreen VPN
Message-ID: <15E71AB50D3ED311A20A0008C75B6B3103FB8898@EXPEN002>

Thank you for your detailed explanation and suggestions. I think I've been able to absorb the content in your response. Yet I still can't initiate traffic directly from a Netscreen to a remote LAN IP. Consider the following:

Lan1---NS1------------------------NS2---Lan2

As you suggested, I have added the untrusted interface IP to the trusted side of the address book. I then created a policy, using the new address as the source, directed such traffic to be encrypted, and use our existing and functional site to site VPN.
I performed these steps on both units. My problem remains. From any host on Lan1, other than NS1, I can access any host on Lan2, including NS2. The reverse is also true in that from any host on Lan2 minus NS2, I can access any host on Lan1 including NS1. However, from NS1 (telneted to the unit), I cannot initiate traffic to any host on Lan2, including the trusted interface of NS2. The reverse is also true here. From NS2 I cannot access any host on Lan1 including the trusted interface of NS1.

I believe my problem is for the most part as you described. I think that traffic initiating from a Netscreen uses its untrusted IP as the source IP and then follows its routing rules, sending the packets to whatever its upstream gateway is. I verified this by running 'exec trace-route' from a Netscreen to the remote LAN. The output confirms that the packets are not being tunneled but simply routed upstream then lost.

There must be something in addition to the steps already taken that is needed to permit this type of communication. I've already modified policy orders. Nothing. Do I need a completely separate VPN? Is there some issue that occurs when adding the IP of the untrusted interface to the trusted side of the address book? TIA

L. David Leija
Penson Financial Services
dleija at penson.com
(214) 765-1228

>From: Jeff Dell
>Reply-To: Jeff Dell
>To: VPN at SECURITYFOCUS.COM
>Subject: Re: SNMP through Netscreen VPN
>Date: Tue, 10 Apr 2001 07:36:59 -0400
>
>When a packet leaves the Netscreen that is not destined for its Trusted or
>DMZ LANs, the packet leaves the Netscreen with a source IP of the Untrusted
>Port. When the destination is the remote LAN through the VPN tunnel, the
>Netscreen will not go through the tunnel, because the VPN policy reads
>
>set policy outgoing "Inside Any" "Remote LAN" "ANY" Encrypt vpn-tunnel "VPN to NY"
>
>The source address is the problem here. It reads "Inside Any". The
>Untrusted IP is not a part of "Inside Any". Therefore you must do the
>following on the local (let's call this the CA Netscreen) to correct the
>problem.
>
>1. Create an entry for the Untrusted IP in the Trust side of the Address
>book. This will make this address available for selection in the Source
>pull down menu for the Outgoing policies.
>
>2. Create a policy like the following.
>
>set policy outgoing "Untrusted Port" "Remote LAN" "ANY" Encrypt vpn-tunnel "VPN to NY"
>
>This completes one side of the problem. Basically, this policy will allow
>anything with a source IP of the Untrusted Port and a destination port of
>anything on the Remote LAN to be passed through the tunnel. The packet will
>get to the desired host on the other side of the tunnel. However, the
>packet will not get back, because the remote Netscreen does not have a
>policy to allow this. Therefore, we will need to do the following on the
>remote Netscreen (let's call this the NY Netscreen).
>
>1. Create an Untrusted side address book entry for the Untrusted Port of
>the original CA Netscreen.
>
>2. Create a policy like the following.
>
>set policy outgoing "Inside Any" "CA Untrust IP" "ANY" Encrypt vpn-tunnel "VPN to CA"
>
>Now the Netscreens are configured such that packets that originate from the
>CA Netscreen can reach the NY LAN and be returned.
>
>Jeff
>
>-----Original Message-----
>From: L. David Leija [mailto:ldl1971 at HOTMAIL.COM]
>Sent: Monday, April 09, 2001 8:50 PM
>To: VPN at SECURITYFOCUS.COM
>Subject: SNMP through Netscreen VPN
>
>
>We've deployed 2 Netscreen-10's and successfully established an AutoKey
>encrypted tunnel between them. We also utilize the SNMP/Perl monitoring
>software, MRTG. We are able to monitor data from the Netscreen on the near
>side of the tunnel, however we cannot get SNMP to talk to the remote
>Netscreen through the tunnel. We can ping it fine, we also have complete
>access to all resources on the remote site through the tunnel.
>However, SNMP
>always gets "SNMP Error:no response received" when trying to establish a
>session. Any clues on where the problem is? The VPN tunnel, the remote
>Netscreen, or MRTG. I don't think it's MRTG as it is currently monitoring
>countless other devices successfully.

From byron at MARKETTOOLS.COM Fri Apr 20 13:34:05 2001
From: byron at MARKETTOOLS.COM (Byron Kennedy)
Date: Fri, 20 Apr 2001 10:34:05 -0700
Subject: SNMP through Netscreen VPN
Message-ID:

I've seen this exact scenario with our ns100-ns5 implementation as well. I mentioned it briefly with Netscreen last week as we were addressing other issues. The tech did acknowledge that he's seen this occur on a number of occasions. It's a lower priority for us as the VPN is working (like you mention). I'm going to try and revisit in the next week or so. If I make any ground I'll post results.

cheers.byron

-----Original Message-----
From: David Leija [mailto:DLeija at PENSON.COM]
Sent: Thursday, April 19, 2001 8:39 AM
To: VPN at SECURITYFOCUS.COM
Subject: SNMP through Netscreen VPN

From alastair.morrison at STRATH.AC.UK Fri Apr 20 05:25:00 2001
From: alastair.morrison at STRATH.AC.UK (Alastair Morrison)
Date: Fri, 20 Apr 2001 10:25:00 +0100
Subject: v3.0 Cisco IPSec client on W2K
Message-ID: <01C0C984.27FE30D0.alastair.morrison@strath.ac.uk>

I have a Cisco 3030 concentrator running v3.0 code configured with a group (internally configured) enabled for IPSec. I have an NT4.0 machine running the v2.5 Cisco IPSec client, and a W2K machine running the v3.0 Cisco IPSec client.

The NT machine establishes a connection. The W2K machine fails with message - Remote peer is no longer responding. The corresponding Event log message(s) on the concentrator being - Duplicate first packet detected.

Both clients are configured the same (such as they can be). I have tried changing various of the IPSec settings on the concentrator to no avail. I would appreciate any views on how to get the v3.0 client on W2K working. Please reply to my personal address as well as the list as I receive the list digest and the sooner I get some guidance on this particular issue the better!

Thanks,
Alastair Morrison
Strathclyde University
---------------------------------------------
alastair.morrison at strath.ac.uk
Strathclyde University
Glasgow UK

From byron at MARKETTOOLS.COM Fri Apr 20 13:41:44 2001
From: byron at MARKETTOOLS.COM (Byron Kennedy)
Date: Fri, 20 Apr 2001 10:41:44 -0700
Subject: A Question
Message-ID:

Win2k clients to a Netscreen firewall/IPSec VPN gateway works great and is difficult to beat in terms of performance.
You can use the Netscreen remote IRE IPsec client or the IPsec policies directly on the Win2k client. Here's an independent VPN review from last Sept: http://www.commweb.com/article/COM20000912S0009

take care.
Byron

ps- do you live in Charlotte? I graduated from UNCC '94.

-----Original Message-----
From: Andrew Jesse Ennamorato [mailto:ajennamo at UNCC.EDU]
Sent: Thursday, April 19, 2001 10:12 AM
To: VPN at SECURITYFOCUS.COM
Subject: A Question

From jonc at HAHT.COM Fri Apr 20 10:03:32 2001
From: jonc at HAHT.COM (Jon Carnes)
Date: Fri, 20 Apr 2001 10:03:32 -0400
Subject: A Question
References: <200104191711.NAA24423@ms-sm2.uncc.edu>
Message-ID: <00fb01c0c9a2$af2534f0$0b04010a@JCARNES>

----- Original Message -----
From: "Andrew Jesse Ennamorato"
To:
Sent: Thursday, April 19, 2001 1:11 PM
Subject: A Question

We use PPTP attaching either to an NT server running RAS or a Linux server running PoPToP. All our Road Warriors run a variant of Windows on their laptops. We have a little over 100 folks on the road.

From cgripp at AXCELERANT.COM Fri Apr 20 14:12:52 2001
From: cgripp at AXCELERANT.COM (Christopher Gripp)
Date: Fri, 20 Apr 2001 11:12:52 -0700
Subject: SNMP through Netscreen VPN
Message-ID: <4EBB5C35607E7F48B4AE162D956666EFA244@guam.corp.axcelerant.com>

David,
For the trusted network in the policy are you using the default "Inside Any"? If so, I have seen problems with this. We build out a trusted network explicitly and then use it in the policy. I don't know if this will affect your issue but you could try it.

Chris

-----Original Message-----
From: David Leija [mailto:DLeija at PENSON.COM]
Sent: Thursday, April 19, 2001 8:39 AM
To: VPN at SECURITYFOCUS.COM
Subject: SNMP through Netscreen VPN

From dpassamo at NORTELNETWORKS.COM Fri Apr 20 10:02:21 2001
From: dpassamo at NORTELNETWORKS.COM (David Passamonte)
Date: Fri, 20 Apr 2001 07:02:21 -0700
Subject: upgrades for Nortel Contivity switch
Message-ID:

The issues being raised by Mr. MacLauchlan revolve around the NAT functionality of the Contivity Firewall. Nortel Networks does not see this as a Firewall issue and has received no feedback from customers on stability issues surrounding the Firewall functionality. The recommendation to NOT USE the Firewall based on the NAT issues is misplaced.

Nortel Networks has addressed the NAT stability issue with Sprint directly and a patch was provided to SPRINT and accepted by SPRINT on 4/5/01. The patch for this problem was included in our 3.6 code released on 4/10/01. If you are currently running v03_50.44 and are not using the NAT functionality you WILL NOT encounter any stability issues. If you have any questions about this issue please contact Nortel Networks technical support or your local account team and upgrade to software version 3.6.

Currently SPRINT is re-selling this solution and has accepted all fixes that have been put in place to address the NAT issue. We have seen very good response to the firewall by the number of sales being placed through SPRINT and have no outstanding issues with any customers surrounding the Contivity Firewall functionality.
-----Original Message-----
From: Nick MacLauchlan [mailto:nickmacl at SEC.SPRINT.NET]
Sent: Thursday, April 19, 2001 12:29 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: upgrades for Nortel Contivity switch

From dklein at NETSCREEN.COM Sat Apr 21 17:38:09 2001
From: dklein at NETSCREEN.COM (David Klein)
Date: Sat, 21 Apr 2001 14:38:09 -0700
Subject: SNMP through Netscreen VPN
Message-ID: <9D048F4A422CD411A56500B0D0209C5B01382290@NS-CA>

This solution can be utilized for sending syslog, e-mail logs, SNMP, and pings generated from one Netscreen through a tunnel to the remote LAN behind another Netscreen.

When a packet that is created by a Netscreen leaves the Netscreen, it is sourced with the IP address of the egress interface. Therefore, a packet created by a Netscreen being routed out the untrust interface will be sourced with the IP address of the Untrusted Port. When the destination is the remote LAN through the VPN tunnel, the Netscreen's packet will not go through the tunnel.
As an example, use the following network:

        10.1.0.0/16
             |
  NS north (untrust 1.1.1.1)
             |
         (internet)
             |
  NS south (untrust 2.2.2.2)
             |
        10.2.0.0/16

Let's assume we are looking at the "NS south" Netscreen. Then you've got some policy for the VPN that looks like:

set policy outgoing "10.2.0.0/16" "10.1.0.0/16" "ANY" Encrypt vpn-tunnel "VPN-to-North"

The Untrusted IP of 2.2.2.2 is not a part of the "10.2.0.0/16" address block. Therefore you must do the following on the southern Netscreen to correct the problem:

1. Create an entry for the Untrusted IP in the Trust side of the Address book. For example, call it "Untrusted Port". This will make this address available for selection in the Source pull down menu for the Outgoing policies:

set address trust "Untrusted Port" 2.2.2.2 255.255.255.255

2. Create a policy like the following:

set policy outgoing "Untrusted Port" "10.1.0.0/16" "ANY" Encrypt vpn-tunnel "VPN-to-North"

This completes one side of the problem. Basically, this policy will allow anything with a source IP of the Untrusted Port on the southern NS to send a packet to a destination address of anything on the Northern LAN to be passed through the tunnel. However, the packet will get to the desired host on the other side of the tunnel but the return packet will not get back, because the remote (or Northern) Netscreen does not have a policy to allow this. Therefore, you will need to do the following on the northern Netscreen:

1. So on "NS north" create an Untrusted side address book entry for the Untrusted Port on the southern Netscreen:

set address untrust "remote NS untrust" 2.2.2.2 255.255.255.255

2. Create a policy like the following:

set policy outgoing "10.1.0.0/16" "remote NS untrust" "ANY" Encrypt vpn-tunnel "VPN-to-South"

Now the Netscreens are configured such that packets that originate from the southern Netscreen can reach the northern LAN and be returned.
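To make the policy-lookup behaviour above concrete, here is an added Python model (not ScreenOS code and not part of Dave Klein's post) of the north/south example: it assumes a first-match outgoing policy lookup with the address-book and tunnel names from the post, and shows the self-sourced packet failing to match, the two-step fix on each side, and that packets the northern box generates itself still need the mirror-image entries.

```python
# Added model of the NetScreen outgoing-policy lookup described in the thread.
# Not ScreenOS code: it assumes first-match policy evaluation and reuses the
# north/south addresses, address-book names and tunnel names from the post.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Policy:
    src: str                      # trust-side address-book name
    dst: str                      # untrust-side address-book name
    service: str = "ANY"
    tunnel: Optional[str] = None  # name given in 'Encrypt vpn-tunnel <name>'


@dataclass
class NetScreen:
    name: str
    untrust_ip: str
    trust_book: dict = field(default_factory=dict)    # name -> network
    untrust_book: dict = field(default_factory=dict)  # name -> network
    outgoing: list = field(default_factory=list)      # ordered policies

    # models: set address <zone> "<name>" <net> <mask>
    def set_address(self, zone: str, name: str, cidr: str) -> None:
        book = self.trust_book if zone == "trust" else self.untrust_book
        book[name] = ip_network(cidr)

    # models: set policy outgoing "<src>" "<dst>" "<svc>" Encrypt vpn-tunnel "<t>"
    def set_policy_outgoing(self, src, dst, service, tunnel) -> None:
        self.outgoing.append(Policy(src, dst, service, tunnel))

    def lookup(self, src_ip: str, dst_ip: str, service: str = "snmp"):
        """Tunnel name of the first outgoing policy matching the packet, or
        None when nothing matches and the packet is routed upstream in the
        clear (the 'routed upstream then lost' symptom from the thread)."""
        s, d = ip_address(src_ip), ip_address(dst_ip)
        for p in self.outgoing:
            src_net = self.trust_book.get(p.src)
            dst_net = self.untrust_book.get(p.dst)
            if src_net is None or dst_net is None:
                continue  # policy names an address-book entry that does not exist
            if p.service not in ("ANY", service):
                continue
            if s in src_net and d in dst_net:
                return p.tunnel
        return None

    def self_sourced(self, dst_ip: str, service: str = "snmp"):
        """A packet the box generates itself (SNMP reply, syslog, ping) leaves
        with the egress interface address, i.e. the untrust IP."""
        return self.lookup(self.untrust_ip, dst_ip, service)


def build_site(name, untrust_ip, local_lan, remote_lan, tunnel):
    """Baseline site-to-site config from the post: LAN-to-LAN policy only."""
    ns = NetScreen(name, untrust_ip)
    ns.set_address("trust", local_lan, local_lan)
    ns.set_address("untrust", remote_lan, remote_lan)
    ns.set_policy_outgoing(local_lan, remote_lan, "ANY", tunnel)
    return ns


def round_trip(src_box, src_ip, dst_box, dst_ip):
    """(forward tunnel, return tunnel): both must be set for a request to
    cross the tunnel and for its reply to come back through it."""
    return src_box.lookup(src_ip, dst_ip), dst_box.lookup(dst_ip, src_ip)


def demo():
    south = build_site("NS south", "2.2.2.2", "10.2.0.0/16", "10.1.0.0/16", "VPN-to-North")
    north = build_site("NS north", "1.1.1.1", "10.1.0.0/16", "10.2.0.0/16", "VPN-to-South")
    result = {}
    # Hosts behind each box already reach each other: both legs match.
    result["lan"] = round_trip(south, "10.2.5.5", north, "10.1.3.3")
    # A packet NS south generates itself is sourced from 2.2.2.2, which is not
    # inside "10.2.0.0/16", so neither leg matches the LAN-to-LAN policies.
    result["before"] = round_trip(south, south.untrust_ip, north, "10.1.3.3")
    # Steps 1 and 2 on the southern box.
    south.set_address("trust", "Untrusted Port", "2.2.2.2/32")
    south.set_policy_outgoing("Untrusted Port", "10.1.0.0/16", "ANY", "VPN-to-North")
    # With only the southern half done the request is tunneled, the reply is not.
    result["south_only"] = round_trip(south, south.untrust_ip, north, "10.1.3.3")
    # Steps 1 and 2 on the northern box.
    north.set_address("untrust", "remote NS untrust", "2.2.2.2/32")
    north.set_policy_outgoing("10.1.0.0/16", "remote NS untrust", "ANY", "VPN-to-South")
    result["after"] = round_trip(south, south.untrust_ip, north, "10.1.3.3")
    # Packets NS north generates itself still need the mirror-image entries.
    result["reverse"] = round_trip(north, north.untrust_ip, south, "10.2.5.5")
    return result


if __name__ == "__main__":
    for step, legs in demo().items():
        print(f"{step}: forward={legs[0]} return={legs[1]}")
```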
However, if packets are generated from the northern Netscreen, they will not be able to reach the southern LAN. The above process will need to be repeated in reverse.

Or you can get the latest ScreenOS (version 2.6) where this has all been fixed. I.e., a "use VPN" checkbox has been added for each function that causes the Netscreen to source an IP packet (e.g., email alerts, SNMP, syslog, etc.). For ping, use the extended ping. Just type ping from the command line and follow the prompts to have the ping sourced from the internal interface while pinging down a VPN tunnel.

Dave Klein

> -----Original Message-----
> From: Christopher Gripp [mailto:cgripp at AXCELERANT.COM]
> Sent: Friday, April 20, 2001 1:13 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: SNMP through Netscreen VPN
>
> David,
> For the trusted network in the policy are you using the default
> "Inside Any"? If so, I have seen problems with this. We build out a
> trusted network explicitly and then use it in the policy. I don't
> know if this will affect your issue but you could try it.
>
> Chris
>
> - -----Original Message-----
> From: David Leija [mailto:DLeija at PENSON.COM]
> Sent: Thursday, April 19, 2001 8:39 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: SNMP through Netscreen VPN
>
> Thank you for your detailed explanation and suggestions. I think I've
> been able to absorb the content in your response. Yet I still can't
> initiate traffic directly from a Netscreen to a remote LAN IP. Consider
> the following:
>
> Lan1---NS1------------------------NS2---Lan2
>
> As you suggested, I have added the untrusted interface IP to the
> trusted side of the address book. I then created a policy, using the
> new address as the source, directed such traffic to be encrypted, and
> use our existing and functional site to site VPN. I performed these
> steps on both units. My problem remains. From any host on Lan1, other
> than NS1, I can access any host on Lan2, including NS2. The reverse is
> also true in that from any host on Lan2 minus NS2, I can access any
> host on Lan1 including NS1. However, from NS1 (telneted to the unit),
> I cannot initiate traffic to any host on Lan2, including the trusted
> interface of NS2. The reverse is also true here. From NS2 I cannot
> access any host on Lan1 including the trusted interface of NS1.
>
> I believe my problem is for the most part as you described. I think
> that traffic initiating from a Netscreen uses its untrusted IP as the
> source IP and then follows its routing rules, sending the packets to
> whatever its upstream gateway is. I verified this by running 'exec
> trace-route' from a Netscreen to the remote LAN. The output confirms
> that the packets are not being tunneled but simply routed upstream
> then lost.
>
> There must be something in addition to the steps already taken that
> is needed to permit this type of communication. I've already modified
> policy orders. Nothing. Do I need a completely separate VPN? Is there
> some issue that occurs when adding the IP of the untrusted interface
> to the trusted side of the address book? TIA
>
> L. David Leija
> Penson Financial Services
> dleija at penson.com
> (214) 765-1228
>
> >From: Jeff Dell
> >Reply-To: Jeff Dell
> >To: VPN at SECURITYFOCUS.COM
> >Subject: Re: SNMP through Netscreen VPN
> >Date: Tue, 10 Apr 2001 07:36:59 -0400
> >
> >When a packet leaves the Netscreen that is not destined for its
> >Trusted or DMZ LANs, the packet leaves the Netscreen with a source
> >IP of the Untrusted Port. When the destination is the remote LAN
> >through the VPN tunnel, the Netscreen will not go through the
> >tunnel, because the VPN policy reads
> >
> >set policy outgoing "Inside Any" "Remote LAN" "ANY" Encrypt
> >vpn-tunnel "VPN to NY"
> >
> >The source address is the problem here. It reads "Inside Any". The
> >Untrusted IP is not a part of "Inside Any". Therefore you must do
> >the following on the local (let's call this the CA Netscreen) to
> >correct the problem.
> >
> >1. Create an entry for the Untrusted IP in the Trust side of the
> >Address book. This will make this address available for selection
> >in the Source pull down menu for the Outgoing policies.
> >
> >2. Create a policy like the following.
> >
> >set policy outgoing "Untrusted Port" "Remote LAN" "ANY" Encrypt
> >vpn-tunnel "VPN to NY"
> >
> >This completes one side of the problem. Basically, this policy will
> >allow anything with a source IP of the Untrusted Port and a
> >destination port of anything on the Remote LAN to be passed through
> >the tunnel. The packet will get to the desired host on the other
> >side of the tunnel. However, the packet will not get back, because
> >the remote Netscreen does not have a policy to allow this.
> >Therefore, we will need to do the following on the remote Netscreen
> >(let's call this the NY Netscreen).
> >
> >1. Create an Untrusted side address book entry for the Untrusted
> >Port of the original CA Netscreen.
> >
> >2. Create a policy like the following.
> >
> >set policy outgoing "Inside Any" "CA Untrust IP" "ANY" Encrypt
> >vpn-tunnel "VPN to CA"
> >
> >Now the Netscreens are configured such that packets that originate
> >from the CA Netscreen can reach the NY LAN and be returned.
> >
> >Jeff
> >
> >-----Original Message-----
> >From: L. David Leija [mailto:ldl1971 at HOTMAIL.COM]
> >Sent: Monday, April 09, 2001 8:50 PM
> >To: VPN at SECURITYFOCUS.COM
> >Subject: SNMP through Netscreen VPN
> >
> >
> >We've deployed 2 Netscreen-10's and successfully established an
> >AutoKey encrypted tunnel between them. We also utilize the
> >SNMP/Perl monitoring software, MRTG. We are able to monitor data
> >from the Netscreen on the near side of the tunnel, however we
> >cannot get SNMP to talk to the remote Netscreen through the tunnel.
> >We can ping it fine, we also have complete access to all resources > >on the remote site through the tunnel. However, > SNMP > >always gets "SNMP Error:no response received" when trying to > >establish a session. Any clues on where the problem is? The VPN > >tunnel, the remote Netscreen, or MRTG. I don't thinks its MRTG as > >it is currently monitoring countless other devices successfully. > > > >_________________________________________________________________ > >Get your FREE download of MSN Explorer at http://explorer.msn.com > > > > > >VPN is sponsored by SecurityFocus.COM > > > >VPN is sponsored by SecurityFocus.COM > > VPN is sponsored by SecurityFocus.COM > > > -----BEGIN PGP SIGNATURE----- > Version: PGPfreeware 6.5.8 for non-commercial use > > iQA/AwUBOuB7bWLRPLnfp/zREQJfigCffbpHDTG6DajK3kQZwhJukJo9p3AAoKHH > v4vGLjcZHYCFumuJqxM2Jyhy > =AAKt > -----END PGP SIGNATURE----- > > VPN is sponsored by SecurityFocus.COM > VPN is sponsored by SecurityFocus.COM From dlongar at IBSYS.COM Mon Apr 23 09:48:55 2001 From: dlongar at IBSYS.COM (Longar, Dennis) Date: Mon, 23 Apr 2001 08:48:55 -0500 Subject: v3.0 Cisco IPSec client on W2K Message-ID: <9E35C54B0C7AD411B5C1009027DE53991B1510@MSPMX01> Well, give this a try. Have a 2K DOS prompt open at with the connect start tool. When you tell the 2K machine to connect to the VPN, in the DOS window ping the address of the 3030's public side. The strangest part of this is, I got one machine (my home machine) that will only connect if I ping during the connect, and my 2k test machine at my work, works fine without pinging the remote. So I've always just assumed it was my home computer setup, but if this works for you then it is a cisco bug. Let us all know if it works please! Thanks! 
-Dennis

> -----Original Message-----
> From: Alastair Morrison [mailto:alastair.morrison at strath.ac.uk]
> Sent: Friday, April 20, 2001 4:25 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: v3.0 Cisco IPSec client on W2K
>
> I have a Cisco 3030 concentrator running v3.0 code configured
> with a group (internally configured) enabled for IPSec.
>
> I have an NT4.0 machine running the v2.5 Cisco IPSec client.
> A W2K machine running the v3.0 Cisco IPSec client.
>
> The NT machine establishes a connection.
>
> The W2K machine fails with message
> - Remote peer is no longer responding.
> The corresponding Event log message(s) on the concentrator being
> - Duplicate first packet detected.
>
> Both clients are configured the same (such as they can be).
> I have tried changing various of the IPSec settings on the
> concentrator to no avail.
>
> I would appreciate any views on how to get the v3.0 client on
> W2K working. Please reply to my personal address as well as the
> list as I receive the list digest and the sooner I get some
> guidance on this particular issue the better!
>
> Thanks,
> Alastair Morrison
> Strathclyde University
>
> ---------------------------------------------
> alastair.morrison at strath.ac.uk
> Strathclyde University
> Glasgow UK

From tbird at PRECISION-GUESSWORK.COM Mon Apr 23 14:29:13 2001
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Mon, 23 Apr 2001 13:29:13 -0500
Subject: Novell BorderManager 3.5 VPN Denial of Service (fwd)

---------- Forwarded message ----------
Date: Fri, 20 Apr 2001 19:41:31 +0100
From: Richard Bartlett
To: BUGTRAQ at SECURITYFOCUS.COM
Subject: Novell BorderManager 3.5 VPN Denial of Service

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Date Published: April 20th 2001
Advisory ID: HI200101
Bugtraq ID: 2623
CVE CAN: N/A
Title: Novell BorderManager 3.5 VPN Denial of Service
Class: Denial of Service
Remotely Exploitable: yes
Locally Exploitable: yes

Vulnerability Description:

Novell BorderManager is described on Novell's web site as "a powerful Internet security management suite that offers industry leading firewall, authentication, virtual private network (VPN), and caching services to organizations of all sizes."

Client to site VPN services can be halted by a SYN flood attack on port 353, causing the port to close and the service to cease functioning until the server is rebooted.

Vulnerable Packages/Systems:

[Confirmed] Novell BorderManager Enterprise Edition 3.5
[Suspected] Novell BorderManager 3.0 - 3.6

Solution/Vendor Information/Workaround:

None provided

Vendor notified on: 15th March 2001

It was specified in the email that the report was being made in accordance with RDPolicy 2.0. An automatic response was received from "The Novell Security Team", but no further communication was received.

Technical Description:

When using client to site VPN, one of the ports open on the outbound interface of the BorderManager server is 353, which allows for initial handshaking between VPN Client & Server to exchange the Keys. Sending out multiple SYN requests to a port on the server will cause exhaustion of the available TCP connections on the server. The following command will open multiple connections to port 353;

    for /l %%h in (1, 1, 300) do nc -d -z 192.168.1.1 353

Once ~256 connections are made the port fails to respond to further SYN requests, and the server logs show that all further connections are refused with the message 'No more TCP/IP client connections are available'. Until the server is rebooted or reinitialized all client-to-site VPN will fail (thereby forcing users to revert to an insecure form of data transmission, e.g. FTP or POP3, which both use clear text passwords). The server tested on was left for over 48 hours to allow connections to be freed up by the system, but the port remained closed.

Various measures were taken to resolve the issue. The server was patched with NetWare 5.1 Support Pack 2a, BorderManager 3.5 Support Pack 2 and BorderManager 3.5 Proxy and ACL update. The latest TCPIP.NLM was in use and the server had TCP Defend SYN Attacks ON.

Solution:

Re-loading VPMASTER.NLM failed to resolve the problem. Re-loading AUTHGW.NLM showed the port re-opened, but client connections still failed. The only corrective action that consistently resolved the problem was rebooting the server. The following did work but not consistently;

(1) Unload VPMASTER.NLM
(2) Unload AUTHGW.NLM
(3) Reinitialize system
(4) Load AUTHGW.NLM
(5) Load VPMASTER.NLM

DISCLAIMER: The contents of this advisory are copyright (c) Hacker Immunity Ltd, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBOuCCVTLlt6EzGMC5EQJ5xgCg2+CC0tsqGRARdOb4QjYNwzvwg4sAnA9k
nSE5CQn2nVEdCylXI3CyAKzV
=CWxx
-----END PGP SIGNATURE-----

From DLeija at PENSON.COM Mon Apr 23 11:32:39 2001
From: DLeija at PENSON.COM (David Leija)
Date: Mon, 23 Apr 2001 10:32:39 -0500
Subject: SNMP through Netscreen VPN
Message-ID: <15E71AB50D3ED311A20A0008C75B6B3103FB889F@EXPEN002>

This was the solution! Thank you David. I got direct responses from several other list members indicating similar problems. The key is configuring an inbound policy to accept traffic from the remote unit. Hope this helps.

-----Original Message-----
From: David Klein [mailto:dklein at netscreen.com]
Sent: Saturday, April 21, 2001 4:38 PM
To: 'Christopher Gripp'; VPN at SECURITYFOCUS.COM; 'dleija at penson.com'
Subject: RE: SNMP through Netscreen VPN

This solution can be utilized for sending syslog, e-mail logs, SNMP, and pings generated from one Netscreen through a tunnel to the remote LAN behind another Netscreen. When a packet that is created by a Netscreen leaves the Netscreen, it is sourced with the IP address of the egress interface. Therefore, a packet created by a Netscreen being routed out the untrust interface will be sourced with the IP address of the Untrusted Port. When the destination is the remote LAN through the VPN tunnel, the Netscreen's packet will not go through the tunnel.

[...]

From mleclair at SEAGULL.COM Fri Apr 20 17:36:54 2001
From: mleclair at SEAGULL.COM (Michael LeClair)
Date: Fri, 20 Apr 2001 14:36:54 -0700
Subject: Fw: What ports need to be opened on remote fw to use Checkpoint SecuRemote VPN w/IKE?
Message-ID: <3AE0ABF6.B25CECFA@seagull.com>

Help.

We are trying to get a Checkpoint-1 SecuRemote VPN connection to work with a Checkpoint-1 (Nokia) firewall using IKE from behind a Watchguard Firebox II fw.

The admin of the gateway fw said to open the following ports:

1.) TCP 256
2.) UDP 259
3.) UDP 50
4.) UDP 51
5.) UDP 500

... but, even though authentication is successful, the client machines on their network behind their Checkpoint fw are not accessible (can't telnet, ping, ftp, etc., all of which should be available).

As an aside, I have seen incoming packet rejections on port 0 on our Watchguard firewall from the Checkpoint-1 fw, but this port number may not be accurate. I even saw somewhere that there may be a potential DOS on port 0 using SecuRemote (supposedly reboots Unix clients?).

Any expert help would be appreciated.
mike

From MaXsecurity at INTERFREE.IT Mon Apr 23 15:06:52 2001
From: MaXsecurity at INTERFREE.IT (MaX Security)
Date: Mon, 23 Apr 2001 21:06:52 +0200
Subject: ipsec & compression
Message-ID: <12396380405.20010423210652@interfree.it>

Hi to all,

Do you know if it is possible to compress data using SecuRemote? Is it possible using an additional module?

If it is not possible to compress data before encrypting using the Checkpoint VPN client, do you know if there are other Win9x clients that permit compression before the encryption phase (something similar to RFC 2393)?

Best Regards,
MaX

From sandy at STORM.CA Tue Apr 24 00:04:51 2001
From: sandy at STORM.CA (Sandy Harris)
Date: Tue, 24 Apr 2001 00:04:51 -0400
Subject: Fw: What ports need to be opened on remote fw to use CheckpointSecuRemote VPN w/IKE?
References: <3AE0ABF6.B25CECFA@seagull.com>
Message-ID: <3AE4FB63.B5E98248@storm.ca>

Michael LeClair wrote:
>
> Help.
>
> We are trying to get a Checkpoint-1 SecuRemote VPN connection to work
> with a Checkpoint-1 (Nokia) firewall using IKE from behind a Watchguard
> Firebox II fw.
>
> The admin of the gateway fw said to open the following ports:
>
> 1.) TCP 256
> 2.) UDP 259

Checking http://www.isi.edu/in-notes/iana/assignments/port-numbers I see TCP and UDP 256 are for RAP, which I know nothing about.

> 3.) UDP 50
> 4.) UDP 51
> 5.) UDP 500

IPSEC uses **protocols** (not ports) 50 (ESP) and 51 (AH) for the actual VPN data. Negotiations to set up those connections use IKE on UDP port 500.

One reference is the firewalls section of the FreeS/WAN (Linux IPSEC) documentation:

http://www.freeswan.org/freeswan_trees/freeswan-1.9/doc/firewall.html

From seanm at COMTECH.COM.AU Mon Apr 23 23:19:12 2001
From: seanm at COMTECH.COM.AU (Sean McCreanor)
Date: Tue, 24 Apr 2001 13:19:12 +1000
Subject: FW: What ports need to be opened on remote fw to use Checkpoint SecuRemote VPN w/IKE?
Message-ID: <001801c0cc6d$55c94810$9223b694@comtech.com.au>

Points 3 & 4 need clarification. These should be IP protocols 50 and 51 (more than likely ESP is being used, which is IP protocol 50). This would probably explain why IKE phase 1 is negotiating (and authentication is successful) but maybe the IPSec SAs are not being established (IKE phase 2).

The second question would be whether this is a single host or multiple hosts that are attempting to establish the IPSec tunnel with SR. If it is multiple hosts, IPSec encapsulated in UDP would be required if the hosts were being 'hide' NAT'ed behind the Watchguard firewall. This modification needs to be manually done in the userc.C file.

Hope this helps.

Sean.

Sean McCreanor
Security Engineer
Com Tech Communications
121-127 Harrington Street
Sydney Australia 2000
Phone +61 2 8249 5086
Mobile +61 418 485 312

From tbird at PRECISION-GUESSWORK.COM Tue Apr 24 12:46:46 2001
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Tue, 24 Apr 2001 11:46:46 -0500
Subject: ipsec & compression
In-Reply-To: <12396380405.20010423210652@interfree.it>

I thought that a lot of VPN clients built compression in? I don't know about SecuRemote in particular, but I do know that a lot of the other products I've reviewed discuss compression algorithms in their technical documentation. It has to be done before the encryption to be effective.

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

From bekoin at GLOBEACCESS.NET Wed Apr 25 06:30:23 2001
From: bekoin at GLOBEACCESS.NET (Olivier Bekoin)
Date: Wed, 25 Apr 2001 10:30:23 -0000
Subject: NAT and IKE
References: <12396380405.20010423210652@interfree.it>
Message-ID: <000a01c0cd72$bd22bc70$bb15473f@techsupport>

Hi all,

Is NAT compatible with the IKE protocol?

Thanks

From mark at DONKMAIL.COM Wed Apr 25 07:45:59 2001
From: mark at DONKMAIL.COM (Mark and Christine Reid)
Date: Wed, 25 Apr 2001 21:45:59 +1000
Subject: Bordermanager 3.6
Message-ID: <000501c0cd7d$4c3c4c00$0200a8c0@qld.bigpond.net.au>

Hi all,

Bordermanager 3.6 VPN is apparently supposed to work with the client behind NAT. However, I've been trying to configure my Linux 2.2 firewall box to make this work. I've had no success. Would anyone care to give me some pointers? I would really like to hear from someone who has gotten this to work.
thanks
-Mark

From seanm at COMTECH.COM.AU Wed Apr 25 18:40:13 2001
From: seanm at COMTECH.COM.AU (Sean McCreanor)
Date: Thu, 26 Apr 2001 08:40:13 +1000
Subject: ipsec & compression
Message-ID: <000801c0cdd8$b1202dc0$c723b694@comtech.com.au>

Most other clients can do compression (Cisco's Unity Client for example, but this is dependent on the termination point; currently only the VPN 3000 Concentrators support compression, and this apparently will be available in both PIX and IOS in the near future). However, as far as I am aware, Check Point Firewall-1 4.1 and SecuRemote do not have compression. Check Point NG (5.0) does, although this is currently in beta. It may be worth checking it out.

Sean.

Sean McCreanor
Security Engineer
Com Tech Communications
121-127 Harrington Street
Sydney Australia 2000
Phone +61 2 8249 5086
Mobile +61 418 485 312

From tbird at PRECISION-GUESSWORK.COM Tue Apr 24 12:49:31 2001
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Tue, 24 Apr 2001 11:49:31 -0500
Subject: Fw: What ports need to be opened on remote fw to use CheckpointSecuRemote VPN w/IKE?
In-Reply-To: <3AE4FB63.B5E98248@storm.ca>

TCP/256 and 259 are Checkpoint-proprietary management protocols. They're probably not required to be open on the firewall for IPsec to work (tho' it's always a little hard to say).

The other situation I've seen that can create the problem Michael is describing is getting the IPsec configuration correct on both ends of the connection, but not having a rule in the firewall policy that allows traffic to flow between the two endpoints. That is, on a FW-1 you have to have a rule that allows IPsec protocols between the two gateways -- but you >also< have to have a rule that allows traffic between the client and the remote LAN, or the local LAN and remote LAN. I don't know if Watchguard works the same way, but that's another thing to check.
cheers -- tbird

On Tue, 24 Apr 2001, Sandy Harris wrote:

> Date: Tue, 24 Apr 2001 00:04:51 -0400
> From: Sandy Harris
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: Fw: What ports need to be opened on remote fw to use Checkpoint SecuRemote VPN w/IKE?
>
> Michael LeClair wrote:
> >
> > Help.
> >
> > We are trying to get a Checkpoint-1 SecuRemote VPN connection to work
> > with a Checkpoint-1 (Nokia) firewall using IKE from behind a Watchguard
> > Firebox II fw.
> >
> > The admin of the gateway fw said to open the following ports:
> >
> > 1.) TCP 256
> > 2.) UDP 259
>
> Checking
> http://www.isi.edu/in-notes/iana/assignments/port-numbers
> I see TCP and UDP 256 are for RAP, which I know nothing about.
>
> > 3.) UDP 50
> > 4.) UDP 51
> > 5.) UDP 500
> >
> > ... but, even though authentication is successful, a connection to the
> > client machines on their network behind their Checkpoint fw are not
> > accessible (can't telnet, ping, ftp, etc, all of which should be
> > available).
> >
> > As an aside, I have seen incoming packet rejections on port 0 on our
> > Watchguard firewall from the Checkpoint-1 fw, but this port number may
> > not be accurate. I even saw somewhere that there may be a potential DOS
> > on port 0 using SecuRemote (supposedly reboots Unix clients?).
> >
> > Any expert help would be appreciated.
> >
> > mike
>
> IPSEC uses **protocols** (not ports) 50 (ESP) and 51 (AH) for the actual
> VPN data. Negotiations to set up those connections use IKE on UDP port
> 500.
>
> One reference is the firewalls section of the FreeS/WAN (Linux IPSEC)
> documentation:
>
> http://www.freeswan.org/freeswan_trees/freeswan-1.9/doc/firewall.html

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

From MaXsecurity at INTERFREE.IT Tue Apr 24 15:37:12 2001
From: MaXsecurity at INTERFREE.IT (MaX Security)
Date: Tue, 24 Apr 2001 21:37:12 +0200
Subject: ipsec & compression
In-Reply-To:
References:
Message-ID: <98184614305.20010424213712@interfree.it>

A Checkpoint employee told me about the compression with SecuRemote that: "This will be available in the next release using the deflate algorithm."

I was as surprised as you are that it is not possible with the current version to compress data before encrypting them, because it makes a VPN connection over a PPP connection a lot slower with the VPN than without.

Bye,
MaX

TB> I thought that a lot of VPN clients built compression
TB> in? I don't know about SecuRemote in particular, but I
TB> do know that a lot of the other products I've reviewed
TB> discuss compression algorithms in their technical
TB> documentation. It has to be done before the encryption
TB> to be effective.

From dpassamo at NORTELNETWORKS.COM Wed Apr 25 08:24:13 2001
From: dpassamo at NORTELNETWORKS.COM (David Passamonte)
Date: Wed, 25 Apr 2001 05:24:13 -0700
Subject: IPSec & compression
Message-ID:

To support compression the VPN gateway, in this case Check Point, will have to support compression as well. As I recall Check Point didn't support IPComp (RFC 2393) or Deflate in 4.1, but maybe they rolled it into 5.0. The SafeNet client supports Deflate in SoftPK 5.0 and they do interoperate with Check Point. But then again, you're kind of dependent on the gateway supporting the algorithm. Check out the Check Point 5.0 enhancements if you haven't yet.
Chances are if they added this support to the gateway they put it in the client as well.

-----Original Message-----
From: Tina Bird [mailto:tbird at PRECISION-GUESSWORK.COM]
Sent: Tuesday, April 24, 2001 12:47 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: ipsec & compression

I thought that a lot of VPN clients built compression in? I don't know about SecuRemote in particular, but I do know that a lot of the other products I've reviewed discuss compression algorithms in their technical documentation. It has to be done before the encryption to be effective.

On Mon, 23 Apr 2001, MaX Security wrote:

> Date: Mon, 23 Apr 2001 21:06:52 +0200
> From: MaX Security
> To: VPN at SECURITYFOCUS.COM
> Subject: ipsec & compression
>
> Hi to all,
>
> Do you know if it is possible to compress data using SecuRemote? Is it
> possible using an additional module?
>
> If it is not possible to compress data before encrypting using the
> Check Point VPN client, do you know if there are other Win9x clients
> that permit compression before the encryption phase (something similar
> to RFC 2393)?
>
> Best Regards,
> MaX

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

From Patrick.Bryan at ABBOTT.COM Wed Apr 25 13:07:19 2001
From: Patrick.Bryan at ABBOTT.COM (Patrick.Bryan at ABBOTT.COM)
Date: Wed, 25 Apr 2001 12:07:19 -0500
Subject: NT Domain Login via Cisco IPSec Client
Message-ID:

Anyone have any information on how to authenticate to a NT Domain upon bootup using the Cisco IPSec client? This would be for a Cable / DSL connection..

Thanks.....
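The compress-before-encrypt point made in the "ipsec & compression" thread above, as an added example that is not code from Check Point, SafeNet or any other product named there: an RFC 2393-style IPComp stage run in both orders around a stand-in cipher. The cipher (a SHA-256 counter-mode keystream XORed into the payload) is assumed only because the standard library has no AES; the ordering result does not depend on which cipher ESP actually uses.

```python
"""Compress-then-encrypt vs encrypt-then-compress for an IPsec-style tunnel.

Added example. The payload, key and "cipher" are constructed stand-ins;
nothing here is taken from any real VPN client or gateway.
"""
import hashlib
import zlib

# RFC 2393 (IPComp) section 2.2: if the compressed payload plus the IPComp
# header is not smaller than the original payload, the datagram MUST be
# sent in its original, non-compressed form. The IPComp header is 4 bytes.
IPCOMP_HEADER_LEN = 4

# Constructed sample key and payload. The payload is deliberately
# repetitive (a burst of near-identical HTTP requests), i.e. the kind of
# traffic for which the thread expects compression to pay off on a PPP link.
KEY = b"constructed-demo-key-not-secret"
SAMPLE_PAYLOAD = b"".join(
    b"GET /intranet/page%d.html HTTP/1.0\r\n"
    b"Host: intranet.example\r\n"
    b"User-Agent: remote-client-demo\r\n\r\n" % (i % 7)
    for i in range(40)
)


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in keystream: SHA-256(key || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; applying it twice restores the input."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def ipcomp_outbound(payload: bytes):
    """RFC 2393 decision rule: compress only when it actually shrinks the packet.

    Returns (compressed_flag, payload_as_sent)."""
    candidate = zlib.compress(payload, 9)  # DEFLATE, as in the Check Point quote
    if len(candidate) + IPCOMP_HEADER_LEN >= len(payload):
        return False, payload
    return True, candidate


def ipcomp_inbound(compressed: bool, payload: bytes) -> bytes:
    return zlib.decompress(payload) if compressed else payload


def send(key: bytes, payload: bytes, compress_first: bool):
    """Build the wire bytes in the chosen order. Returns (flag, wire)."""
    if compress_first:                      # IPComp, then ESP (the right order)
        flag, body = ipcomp_outbound(payload)
        return flag, xor_cipher(key, body)
    # ESP, then IPComp: the ciphertext looks random, so IPComp finds nothing
    return ipcomp_outbound(xor_cipher(key, payload))


def receive(key: bytes, flag: bool, wire: bytes, compress_first: bool) -> bytes:
    """Undo send() in the matching order."""
    if compress_first:
        return ipcomp_inbound(flag, xor_cipher(key, wire))
    return xor_cipher(key, ipcomp_inbound(flag, wire))


def wire_sizes(key: bytes, payload: bytes) -> dict:
    """Bytes on the wire for each ordering, plus whether IPComp engaged."""
    f1, w1 = send(key, payload, compress_first=True)
    f2, w2 = send(key, payload, compress_first=False)
    return {
        "plain": len(payload),
        "compress_then_encrypt": len(w1), "ipcomp_used_1": f1,
        "encrypt_then_compress": len(w2), "ipcomp_used_2": f2,
    }


if __name__ == "__main__":
    for k, v in wire_sizes(KEY, SAMPLE_PAYLOAD).items():
        print(f"{k:24s} {v}")
```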
From ELAW at DR.DK Thu Apr 26 08:07:37 2001
From: ELAW at DR.DK (Lawaetz, Erik)
Date: Thu, 26 Apr 2001 13:07:37 +0100
Subject: Cisco VPN3K and MS CA CRL?
Message-ID: <3F467ECB5463D2119DD40008C7A4319A090C9C3C@exch02.dr.dk>

> We're working on a setup with a Cisco VPN 3000 concentrator (running
> version 3.0.1)
> and two Windows 2000 CA servers (root and sub CA).
> We wish to supply all VPN clients with certificates and verify them both
> based on certificates and Radius.
> We're using the Cisco VPN Client version 3.0.
> We plan to take the root CA offline and rely solely on the sub CA.
> Does anyone have experience with such a setup?
>
> Currently we can basically connect but I've got a few questions regarding
> the use of certificates:
> * We've managed to create a Certificate Revocation List (CRL) on the
> sub CA, and we've tried to enable CRL checking on the VPN3K.
> Any way we can check whether the VPN3K actually gets the CRL?
> There seems to be no way one can verify it on the box, and little/no debug
> info.
> We can tell it ain't working since our clients can no longer validate when
> we enable CRL checking, but we've got no clue as to why the CRL check
> fails.
> * In the Cisco VPN Client you can either choose a group name and
> password (shared secret) or a certificate as authentication method.
> Choosing the latter automatically puts the user in the base group when
> they log into the VPN3K.
> How can I both use certificates and split users into separate groups?
> I'd like to be able to split my users into groups, and specifically apply
> group filters to external users.
>
> --Erik
>
> ---------------------------------
> Erik Lawaetz
> Danish Broadcasting Corporation
> http://www.dr.dk/
> http://www.lawaetz.dk/

From AFalkovich at LNC.COM Thu Apr 26 11:33:00 2001
From: AFalkovich at LNC.COM (Alex Falkovich)
Date: Thu, 26 Apr 2001 10:33:00 -0500
Subject: Cisco's IPSec transparent feature
Message-ID: <3AE8400D.44B3.A933.002@MHS>

Does anyone know what version of Cisco VPN client has the IPSec transparent feature and automatic MTU setting? Also will both of these work with the VPN 3000 switch or will we need to upgrade to the VPN 5000 model?

Thanks.

_ Alex

From JSlaby at GIGAWEB.COM Wed Apr 25 14:00:31 2001
From: JSlaby at GIGAWEB.COM (Slaby, James)
Date: Wed, 25 Apr 2001 14:00:31 -0400
Subject: IPsec VPNs and cable ISPs who use DHCP
Message-ID: <8F5B5E5ED5F9D311B9340090273FAAE90140471A@delivery.gigaweb.com>

How can I get my CheckPoint VPN-1 gateway to allow connections from remote users with SecuRemote clients attempting to connect via a cable ISP (e.g., Cablevision) when the provider uses DHCP and thus periodically assigns a new IP address to the remote user?

Thanks,
Jim Slaby

From chris at SYMAC.COM Thu Apr 26 05:38:42 2001
From: chris at SYMAC.COM (Chris Carr)
Date: Thu, 26 Apr 2001 10:38:42 +0100
Subject: PPTP on a Cisco Router
Message-ID: <510C7449827AD4119DC20020AF2B5FB34BA9@NEPTUNE>

Can you please advise what IP address the xxx.xxx.xxx.xxx refers to in the script for the Cisco router for allowing PPTP.

Thanks

---------------
Chris Carr
Symac
From elf at NAUTICOM.NET Thu Apr 26 14:37:39 2001
From: elf at NAUTICOM.NET (Alhana Starbreeze)
Date: Thu, 26 Apr 2001 14:37:39 -0400
Subject: newbie question: Nt4 vpn connection
Message-ID: <3AE86AF3.64B41190@nauticom.net>

OK, I'm a newbie here, but I've been reading up as much as I can on VPNs, and here is my situation.

I set up a VPN with our Netopia R9100 router and I installed PPTP and set up DUN so that after I connect to my ISP I can connect to the IP of the router. I can connect just fine with several NT boxes and 2000 boxes. However, when I connect with any NT4 workstation, the 2000 boxes on the LAN can see them, but the NT boxes cannot see any network resources. I can ping the IPs of the servers from the NT machines, but I cannot browse, or connect via run -> \\server\share. I have checked the lmhosts file, and it all looks kosher.

The 2000 machines can both connect to the VPN and see the network resources just fine. I followed the documentation on Netopia's site to the T.

I've tried installing SP6a on the NT boxes, and also upping them to the 128-bit encryption version.

I'm wondering if the gateways are causing an issue since the ISP I am dialing into is also who provides our DSL.

Any thoughts?

--
kimmie mckinnis
icq:186072/aol:starbreiz
http://www.nauticom.net/www/elf
elf at nauticom.net

From AFalkovich at LNC.COM Thu Apr 26 14:38:00 2001
From: AFalkovich at LNC.COM (Alex Falkovich)
Date: Thu, 26 Apr 2001 13:38:00 -0500
Subject: Cisco 3000 (Altiga) Win2K client?
Message-ID: <3AE86B6B.44B3.ADD8.002@MHS>

Basim, will the new Cisco VPN W2K client 3.0.1 do VPN with W2K workstations without using a cert?

thanks.

_ Alex

>>> VPN Mailing List 01/10/01 11:33PM >>>
I've been working directly with Cisco on this one for quite some time now. I have a copy of the beta 2.6 Cisco VPN 3000 client for Win2K.
It works the same as the Win9x/NT one does, but it now installs on Win2K (works really good, I might add). Please don't bother to ask me to email out copies of any beta clients as I am bound under NDA to not do so.

I haven't confirmed this, but according to Cisco's product marketing for VPN 3000, this v2.6 client will not ship and will only be used as a stepping stone beta to test the Win2K interoperability, although the v2.6 client may be released internally for Cisco themselves. The version 3.0 client due out in end of Q1 (and possibly later) will be the new "unified" client which will talk to the VPN 3000 Series, VPN 5000 Series, IOS Gateway VPN routers, and PIX firewalls.

With respect to getting the native Win2K VPN client to work using IPsec on the VPN 3000 switch, it will most certainly work, but it requires the use of certificate-based authentication as well as Active Directory. You'll need to obtain a "server certificate" from the cert authority for the VPN switch and a certificate for each VPN client (i.e. user). I can't seem to find the doc for implementing this on the VPN 3000 units. If I find it later, I'll try to remember to post it to the list.

In the meantime, if you need to connect Win2K users to your 3000 switch(es), you can still do so via PPTP (hold your comments, please!). Simply enable PPTP as one of the services on the 3000 switch(es) and you can then use the native Win2K PPTP VPN client. However, the only way to connect Win2K IPsec clients on the VPN 3000 Concentrator is via L2TP, so you'll eventually need to enable that service too.

Basim S. Jaber
Senior Systems Engineer / Remote Access Specialist
VPN Services Division
iPass Inc. Redwood Shores, CA
http://www.iPass.COM

>-----Original Message-----
>From: David Gillett [mailto:dgillett at niku.com]
>Sent: Wednesday, January 10, 2001 2:28 PM
>To: VPN at SECURITYFOCUS.COM
>Subject: Cisco 3000 (Altiga) Win2K client?
>
> I seem to recall that a lot of posters had heard rumours of this around
>Oct-Nov last year. Nobody seemed to be able to get a date from any Cisco
>employee, but a VAR I talked to told me he expected it to be out of beta
>around Nov 15th/2000.
> Well, here we are Jan/2001, and the volume of 2000 users wanting to
>connect to our 3000 is growing. Has anyone heard anything since November?
>
> Alternatively, has anyone gotten this to work with the native Win2K IPSEC
>stuff? Something in the release notes made me think it relied on Active
>Directory, but I'm hoping I misunderstood that bit.
>
>David Gillett

From elf at NAUTICOM.NET Thu Apr 26 15:33:54 2001
From: elf at NAUTICOM.NET (Alhana Starbreeze)
Date: Thu, 26 Apr 2001 15:33:54 -0400
Subject: Newbie question: NT4 can connect but cannot access network resources
Message-ID: <3AE87821.C6C9FE35@nauticom.net>

I apologize if y'all got this twice, my mail client was being goofy and I wasn't sure if it actually sent.

OK, I'm a newbie here, but I've been reading up as much as I can on VPNs, and here is my situation.

I set up a VPN with our Netopia R9100 router and I installed PPTP and set up DUN so that after I connect to my ISP I can connect to the IP of the router. I can connect just fine with several NT boxes and 2000 boxes. However, when I connect with any NT4 workstation, the 2000 boxes on the LAN can see them, but the NT boxes cannot see any network resources. I can ping the IPs of the servers from the NT machines, but I cannot browse, or connect via run -> \\server\share. I have checked the lmhosts file, and it all looks kosher.

The 2000 machines can both connect to the VPN and see the network resources just fine. I followed the documentation on Netopia's site to the T.

I've tried installing SP6a on the NT boxes, and also upping them to the 128-bit encryption version.
We are running NAT on our intranet since we started to run out of IPs, I'm sure if this would have an effect on this problem or not.

I'm wondering if the gateways are causing an issue since the ISP I am dialing into is also who provides our DSL.

Any thoughts?

--
kimmie mckinnis
icq:186072/aol:starbreiz
http://www.nauticom.net/www/elf
elf at nauticom.net

From pete at ETHER.NET Thu Apr 26 16:03:33 2001
From: pete at ETHER.NET (Pete Davis)
Date: Thu, 26 Apr 2001 16:03:33 -0400
Subject: Cisco's IPSec transparent feature
In-Reply-To: <3AE8400D.44B3.A933.002@MHS>
References: <3AE8400D.44B3.A933.002@MHS>
Message-ID: <20010426160333.A17291@ether.net>

Transparency has been around forever, 2.x? Automatic MTU adjustment is done with v3.x and greater. This will work with a VPN 3000 Concentrator.

--pete

On Thu, Apr 26, 2001 at 10:33:00AM -0500, Alex Falkovich wrote:
> Does anyone know what version of Cisco VPN client has the IPSec transparent
> feature and automatic MTU setting? Also will both of these work with the VPN
> 3000 switch or will we need to upgrade to the VPN 5000 model?
>
> Thanks.
>
> _ Alex

---
Pete Davis - Product Manager (508) 541-7300 x6154
Cisco Systems, Inc. - 38 Forge Park Franklin, MA 02038

From pete at ETHER.NET Thu Apr 26 16:05:07 2001
From: pete at ETHER.NET (Pete Davis)
Date: Thu, 26 Apr 2001 16:05:07 -0400
Subject: NT Domain Login via Cisco IPSec Client
In-Reply-To:
References:
Message-ID: <20010426160507.B17291@ether.net>

The Cisco VPN Client 3.x and greater supports Start Before Login. This allows the client to run either as a GINA or a Service. When you hit CTRL-ALT-DELETE, you first log in to your VPN client prior to logging in to your machine. If you are using PPPoE, you must link the PPPoE Dialer as a 3rd party dialer to the VPN Client to take advantage of this functionality.
--pete

On Wed, Apr 25, 2001 at 12:07:19PM -0500, Patrick.Bryan at ABBOTT.COM wrote:
> Anyone have any information on how to authenticate to a NT Domain upon bootup
> using the Cisco IPSec client? This would be for a Cable / DSL connection..
>
> Thanks.....

---
Pete Davis - Product Manager (508) 541-7300 x6154
Cisco Systems, Inc. - 38 Forge Park Franklin, MA 02038

From bjaber at IPASS.COM Thu Apr 26 16:07:59 2001
From: bjaber at IPASS.COM (Basim Jaber)
Date: Thu, 26 Apr 2001 13:07:59 -0700
Subject: Cisco's IPSec transparent feature
Message-ID:

Version 3.0.x

That version of the client will only work on the VPN 3000 Concentrator series once you've updated the server code to v3.0.x or later. The new "unified" Cisco VPN client (v3.0.x) right now will connect to the VPN 3000 and PIX gateways, and plans to connect to the VPN 5000 and IO routers are in the works. Contact Cisco for more info.

Basim S. Jaber
Senior VPN Systems Engineer
VPN Services / Customer Implementation
iPass Inc.

>-----Original Message-----
>From: Alex Falkovich [mailto:AFalkovich at LNC.COM]
>Sent: Thursday, April 26, 2001 8:33 AM
>To: VPN at SECURITYFOCUS.COM
>Subject: Cisco's IPSec transparent feature
>
>
>Does anyone know what version of Cisco VPN client has the
>IPSec transparent
>feature and automatic MTU setting? Also will both of these
>work with the VPN
>3000 switch or will we need to upgrade to the VPN 5000 model?
>
>Thanks.
>
>_ Alex
>
From bjaber at IPASS.COM Thu Apr 26 16:06:17 2001
From: bjaber at IPASS.COM (Basim Jaber)
Date: Thu, 26 Apr 2001 13:06:17 -0700
Subject: NT Domain Login via Cisco IPSec Client
Message-ID:

Patrick,

For WinNT and Win2K clients, in the Cisco VPN client v3.0.x, there is a new feature called "Connect on logon" (or something to the effect). When you enable that setting, every time you logon to the system (i.e. CTRL-ALT-DEL), the Cisco VPN client pops up on top of the normal WINLOGON credential screen. You then select the appropriate VPN connection entry, click Connect, the VPN connects and then disappears and the normal WINLOGON screen is available to logon directly to the DC.

For Win9x/ME, this is not an issue as there is a setting in the VPN client for "Logon to Microsoft Network". Make sure it's enabled.

Basim S. Jaber
Senior VPN Systems Engineer
VPN Services / Customer Implementation
iPass Inc.

>-----Original Message-----
>From: Patrick.Bryan at ABBOTT.COM [mailto:Patrick.Bryan at ABBOTT.COM]
>Sent: Wednesday, April 25, 2001 10:07 AM
>To: VPN at SECURITYFOCUS.COM
>Subject: NT Domain Login via Cisco IPSec Client
>
>
>Anyone have any information on how to authenticate to a NT
>Domain upon bootup
>using the Cisco IPSec client? This would be for a Cable / DSL
>connection..
>
>Thanks.....

From pete at ETHER.NET Thu Apr 26 16:10:18 2001
From: pete at ETHER.NET (Pete Davis)
Date: Thu, 26 Apr 2001 16:10:18 -0400
Subject: Cisco VPN3K and MS CA CRL?
In-Reply-To: <3F467ECB5463D2119DD40008C7A4319A090C9C3C@exch02.dr.dk>
References: <3F467ECB5463D2119DD40008C7A4319A090C9C3C@exch02.dr.dk>
Message-ID: <20010426161018.A17318@ether.net>

> > * We've managed to create a Certificate Revocation List (CRL) on the
> > sub CA, and we've tried to enable CRL checking on the VPN3K.
> > Any way we can check whether the VPN3K actually gets the CRL?

If CRL checking is enabled, users will not be able to authenticate without the VPN 3K getting the CRL. You can turn up CERT/CERTDBG/CERTDECODE and LDAP debugging to levels 1-13 temporarily to verify that this is happening.

> > We can tell it ain't working since our clients can no longer validate when
> > we enable CRL checking, but we've got no clue as to why the CRL check
> > fails.

Turn on the above logging, this will provide some clue as to what is going on.

> > * In the Cisco VPN Client you can either choose a group name and
> > password (shared secret) or a certificate as authentication method.
> > Choosing the latter automatically puts the user in the base group when
> > they log into the VPN3K.
> > How can I both use certificates and split users into separate groups?
> > I'd like to be able to split my users into groups, and specifically apply
> > group filters to external users.

If an OU exists in the Certificate, a user will be assigned permissions from that particular group. This would include things such as a filter that was assigned to the group.

--p

---
Pete Davis - Product Manager (508) 541-7300 x6154
Cisco Systems, Inc.
- 38 Forge Park Franklin, MA 02038

From JSlaby at GIGAWEB.COM Sun Apr 29 16:02:06 2001
From: JSlaby at GIGAWEB.COM (Slaby, James)
Date: Sun, 29 Apr 2001 16:02:06 -0400
Subject: expiration, generation, management of pre-shared keys
Message-ID: <8F5B5E5ED5F9D311B9340090273FAAE901404754@delivery.gigaweb.com>

I'm considering using pre-shared keys (instead of digital certificates) to authenticate remote site gateways in my site-to-site Internet VPN. Is there a best practice for how often such pre-shared keys should be expired?

Assuming I have distributed my original pre-shared keys securely (e.g., on CD-ROM via bonded courier), can I generate new keys from expired ones? What methods are commonly used to do so?

At what number of remote sites does the management of pre-shared keys become such a burden that digital certificates become preferable?

Thanks,
Jim Slaby
Senior Industry Analyst
Giga Information Group
+1 617 577 4767
jslaby at gigaweb.com

From Ed.Tech at LC.CA.GOV Thu Apr 26 15:32:08 2001
From: Ed.Tech at LC.CA.GOV (Tech, Ed)
Date: Thu, 26 Apr 2001 12:32:08 -0700
Subject: VPN's Strategic Location?
Message-ID:

Hello Everyone,

We are in the testing mode of a Cisco VPN 3030 concentrator which sits behind a CheckPoint Firewall. Please provide pros and cons of different locations for a VPN concentrator. Another setup is to have it side by side with a Firewall behind the Internet router. What are the pros and cons of this setup as opposed to having the VPN box sit behind a firewall?

Also, I've read that the Cisco VPN 3030 uses IPSec over UDP. This is the highest or most secure tunnelling protocol that the VPN 3030 can implement. Why is this not as secure as what they call a Native IPSec? Will IPSec over UDP affect the most secure placement of the VPN 3030?

Please provide your opinions folks.

thanks to everyone,
Ed
From DJDERWOOD at AOL.COM Sat Apr 28 19:35:25 2001
From: DJDERWOOD at AOL.COM (DJDERWOOD at AOL.COM)
Date: Sat, 28 Apr 2001 19:35:25 EDT
Subject: VPN white paper for college
Message-ID:

I am writing a college term paper on security issues of VPNs and their future. Besides your site, can you point me in the direction of some good references to assist me in my research?

thanks,
DJ Miller
Webster University

From suhas at APPLITECHSOLUTION.COM Sun Apr 29 06:08:15 2001
From: suhas at APPLITECHSOLUTION.COM (Suhas Kulkarni)
Date: Sun, 29 Apr 2001 15:38:15 +0530
Subject: VPN OS
Message-ID: <000801c0d094$51110120$2e0101c8@suhas>

Which Operating Systems are supported by VPN?

From dlongar at IBSYS.COM Mon Apr 30 10:03:01 2001
From: dlongar at IBSYS.COM (Longar, Dennis)
Date: Mon, 30 Apr 2001 09:03:01 -0500
Subject: Cisco 3000 (Altiga) Win2K client?
Message-ID: <9E35C54B0C7AD411B5C1009027DE53991B1546@MSPMX01>

I think you might have misread part of the message. The Cisco client does not require a cert. The Microsoft client for Win2K does. So if you want to use the native MS client that comes with 2K (there is an IPSEC transport option in 2K) it requires that you use Certificates. I guess I didn't play with it enough to see if it required only MS certificates, but... most likely.

Thanks!
-Dennis

> -----Original Message-----
> From: Alex Falkovich [mailto:AFalkovich at LNC.COM]
> Sent: Thursday, April 26, 2001 1:38 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: Cisco 3000 (Altiga) Win2K client?
>
>
> Basim,
> will the new Cisco VPN W2K client 3.0.1 do VPN with W2K
> workstations without
> using a cert?
>
> thanks.
>
> _ Alex
>
>
> >>> VPN Mailing List 01/10/01 11:33PM >>>
> I've been working directly with Cisco on this one for quite
> some time now.
> I have a copy of the beta 2.6 Cisco VPN 3000 client for
> Win2K. It works the
> same as the Win9x/NT one does, but it now installs on Win2K
> (works really
> good, I might add). Please don't bother to ask me to email
> out copies of
> any beta clients as I am bound under NDA to not do so.
>
> I haven't confirmed this, but according to Cisco's product
> marketing for VPN
> 3000, this v2.6 client will not ship and will only be used as
> a stepping
> stone beta to test the Win2K interoperability, although the
> v2.6 client may
> be released internally for Cisco themselves. The version 3.0
> client due out
> in end of Q1 (and possibly later) will be the new "unified"
> client which
> will talk to the VPN 3000 Series, VPN 5000 Series, IOS
> Gateway VPN routers,
> and PIX firewalls.
>
> With respect to getting the native Win2K VPN client to work
> using IPsec on
> the VPN 3000 switch, it will most certainly work, but it
> requires the use of
> certificate-based authentication as well as Active Directory.
> You'll need
> to obtain a "server certificate" from the cert authority for
> the VPN switch
> and a certificate for each VPN client (i.e. user). I can't
> seem to find the
> doc for implementing this on the VPN 3000 units. If I find
> it later, I'll
> try to remember to post it to the list.
>
> In the meantime, if you need to connect Win2K users to your
> 3000 switch(es),
> you can still do so via PPTP (hold your comments, please!).
> Simply enable
> PPTP as one of the services on the 3000 switch(es) and you
> can then use the
> native Win2K PPTP VPN client. However, the only way to
> connect Win2K IPsec
> clients on the VPN 3000 Concentrator is via L2TP, so you'll
> eventually need
> to enable that service too.
>
> Basim S. Jaber
> Senior Systems Engineer / Remote Access Specialist
> VPN Services Division
> iPass Inc. Redwood Shores, CA
> http://www.iPass.COM
>
>
> >-----Original Message-----
> >From: David Gillett [mailto:dgillett at niku.com]
> >Sent: Wednesday, January 10, 2001 2:28 PM
> >To: VPN at SECURITYFOCUS.COM
> >Subject: Cisco 3000 (Altiga) Win2K client?
> >
> > I seem to recall that a lot of posters had heard rumours
> of this around
> >Oct-Nov last year. Nobody seemed to be able to get a date
> from any Cisco
> >employee, but a VAR I talked to told me he expected it to be
> out of beta
> >around Nov 15th/2000.
> > Well, here we are Jan/2001, and the volume of 2000 users wanting to
> >connect to our 3000 is growing. Has anyone heard anything
> since November?
> >
> > Alternatively, has anyone gotten this to work with the
> native Win2K IPSEC
> >stuff? Something in the release notes made me think it
> relied on Active
> >Directory, but I'm hoping I misunderstood that bit.
> >
> >David Gillett

From jonc at HAHT.COM Mon Apr 30 10:30:17 2001
From: jonc at HAHT.COM (Jon Carnes)
Date: Mon, 30 Apr 2001 10:30:17 -0400
Subject: newbie question: Nt4 vpn connection
References: <3AE86AF3.64B41190@nauticom.net>
Message-ID: <003e01c0d182$13cd7700$0b04010a@JCARNES>

Sounds like either a WINS problem, or a Domain authentication problem. Have the NT boxes been properly added to the Domain?

There is a Windows tool (from the tool kit - BROWSTAT.EXE), that will help you troubleshoot the problem. It lets you look at all the NetBIOS information.

Jon Carnes

----- Original Message -----
From: "Alhana Starbreeze"
To:
Sent: Thursday, April 26, 2001 2:37 PM
Subject: newbie question: Nt4 vpn connection

> OK, I'm a newbie here, but I've been reading up as much as I can on
> VPNs, and here is my situation.
>
> I set up a VPN with our Netopia R9100 router and I installed PPTP and
> set up DUN so that after I connect to my ISP I can connect to the IP of
> the router. I can connect just fine with several NT boxes and 2000
> boxes. However, when I connect with any NT4 workstation, the 2000 boxes
> on the LAN can see them, but the NT boxes cannot see any network
> resources. I can ping the IPs of the servers from the NT machines, but I
> cannot browse, or connect via run -> \\server\share. I have checked the
> lmhosts file, and it all looks kosher.
>
> The 2000 machines can both connect to the VPN and see the network
> resources just fine. I followed the documentation on Netopia's site to
> the T.
>
> I've tried installing SP6a on the NT boxes, and also upping them to the
> 128-bit encryption version.
>
> I'm wondering if the gateways are causing an issue since the ISP I am
> dialing into is also who provides our DSL.
>
> Any thoughts?
>
> --
> kimmie mckinnis
> icq:186072/aol:starbreiz
> http://www.nauticom.net/www/elf
> elf at nauticom.net

From stuart at ZEN.CO.UK Mon Apr 30 11:17:48 2001
From: stuart at ZEN.CO.UK (Stuart Birchall)
Date: Mon, 30 Apr 2001 16:17:48 +0100
Subject: anyone recommend a good IPSEC client?
References:
Message-ID: <01ad01c0d188$b7ad28b0$530917d4@office.zen.co.uk>

Hi all, can anyone recommend a good IPsec client that supports IKE, in a MS Windows environment? We use Gnatboxes, but the bundled client (Safenet Soft PK) has numerous problems.

Thanks for any tips.

Stu Birchall

From cgripp at AXCELERANT.COM Mon Apr 30 13:16:18 2001
From: cgripp at AXCELERANT.COM (Christopher Gripp)
Date: Mon, 30 Apr 2001 10:16:18 -0700
Subject: VPN's Strategic Location?
Message-ID: <4EBB5C35607E7F48B4AE162D956666EFA26C@guam.corp.axcelerant.com>

In most instances I prefer putting the VPN on a DMZ interface connecting to the firewall. Since the traffic will hit the FW unencrypted you can do fun things like authenticate the traffic on a very granular basis, such as by protocol, source or dest address.

Christopher S. Gripp
Systems Engineer
Axcelerant
Connecting Everyone In Your Business World
Visit us @ http://www.axcelerant.com

-----Original Message-----
From: Tech, Ed [mailto:Ed.Tech at LC.CA.GOV]
Sent: Thursday, April 26, 2001 12:32 PM
To: VPN at SECURITYFOCUS.COM
Subject: VPN's Strategic Location?

Hello Everyone,

We are in the testing mode of a Cisco VPN 3030 concentrator which sits behind a CheckPoint Firewall. Please provide pros and cons of different locations for a VPN concentrator. Another setup is to have it side by side with a Firewall behind the Internet router. What are the pros and cons of this setup as opposed to having the VPN box sit behind a firewall?

Also, I've read that the Cisco VPN 3030 uses IPSec over UDP. This is the highest or most secure tunnelling protocol that the VPN 3030 can implement. Why is this not as secure as what they call a Native IPSec? Will IPSec over UDP affect the most secure placement of the VPN 3030?

Please provide your opinions folks.

thanks to everyone,
Ed

From evyncke at CISCO.COM Mon Apr 30 16:14:24 2001
From: evyncke at CISCO.COM (Eric Vyncke)
Date: Mon, 30 Apr 2001 22:14:24 +0200
Subject: VPN's Strategic Location?
In-Reply-To:
Message-ID: <4.3.2.7.2.20010430221205.03f7d8f0@brussels.cisco.com>

Ed,

Just about our encapsulation of IPSec in UDP.
AFAIK, it does not change the security of IPSec per se as it does not change the IKE or IPSec protocols. It is just to allow NAT traversal, so it will not change the security or the placement of the VPN vs the firewall.

Note: if your firewall is also doing NAT, then if you place the VPN3000 behind the firewall, you will need to use the UDP encapsulation (except if FW-1 can NAT an IKE/IPSec tunnel).

-eric

At 12:32 26/04/2001 -0700, Tech, Ed wrote:
>Hello Everyone,
>We are in the testing mode of a Cisco VPN 3030 concentrator which sits
>behind a CheckPoint Firewall.
>Please provide pros and cons of different locations for a VPN concentrator.
>Another setup is to have it side by side with a Firewall behind the
>Internet router.
>What are the pros and cons of this setup as opposed to having the VPN box
>sit behind a firewall?
>Also, I've read that the Cisco VPN 3030 uses IPSec over UDP.
>This is the highest or most secure tunnelling protocol that the VPN 3030
>can implement.
>Why is this not as secure as what they call a Native IPSec?
>Will IPSec over UDP affect the most secure placement of the VPN 3030?
>Please provide your opinions folks.
>thanks to everyone,
>Ed

From evyncke at CISCO.COM Mon Apr 30 16:03:52 2001
From: evyncke at CISCO.COM (Eric Vyncke)
Date: Mon, 30 Apr 2001 22:03:52 +0200
Subject: PPTP on a Cisco Router
In-Reply-To: <510C7449827AD4119DC20020AF2B5FB34BA9@NEPTUNE>
Message-ID: <4.3.2.7.2.20010430220314.01c47238@brussels.cisco.com>

Chris,

Can you be more specific in your question? If it appears in the Cisco documentation, can you provide us with an excerpt?

-eric

At 10:38 26/04/2001 +0100, Chris Carr wrote:
>Can you please advise what IP address the xxx.xxx.xxx.xxx refers to in the
>script for the Cisco router for allowing PPTP.
>
>Thanks
>
>---------------
>Chris Carr
>Symac
>

From evyncke at CISCO.COM Mon Apr 30 16:11:17 2001
From: evyncke at CISCO.COM (Eric Vyncke)
Date: Mon, 30 Apr 2001 22:11:17 +0200
Subject: expiration, generation, management of pre-shared keys
In-Reply-To: <8F5B5E5ED5F9D311B9340090273FAAE901404754@delivery.gigaweb.com>
Message-ID: <4.3.2.7.2.20010430220644.03f8ef08@brussels.cisco.com>

James,

Most of your questions relate to your security policy, so I'm not the best person to answer.

Generating the new keys based on the old ones does not provide you with perfect forward secrecy: if someone cracked or got a copy of the old key, they can easily derive the new ones.

The last point about when to use certificates instead of pre-shared keys is more generic and here is my point of view. It is not based on the number of sites but rather on whether you have a star topology or a fully meshed topology. With the latter topology adding or replacing a pre-shared key will quickly be a real burden (as you need to update all other devices). It is thus not really related to the number of nodes but rather to the rate of changes (add, delete or modify) and to the topology.

Regards

-eric

At 16:02 29/04/2001 -0400, Slaby, James wrote:
>I'm considering using pre-shared keys (instead of digital certificates) to
>authenticate remote site gateways in my site-to-site Internet VPN. Is there
>a best practice for how often such pre-shared keys should be expired?
>
>Assuming I have distributed my original pre-shared keys securely (e.g., on
>CD-ROM via bonded courier), can I generate new keys from expired ones? What
>methods are commonly used to do so?
>
>At what number of remote sites does the management of pre-shared keys become
>such a burden that digital certificates become preferable?
>
>Thanks,
>Jim Slaby
>Senior Industry Analyst
>Giga Information Group
>+1 617 577 4767
>jslaby at gigaweb.com

From cgripp at AXCELERANT.COM Mon Apr 30 12:40:44 2001
From: cgripp at AXCELERANT.COM (Christopher Gripp)
Date: Mon, 30 Apr 2001 09:40:44 -0700
Subject: VPN OS
Message-ID: <4EBB5C35607E7F48B4AE162D956666EFA263@guam.corp.axcelerant.com>

That is a rather broad question. If you are talking about a hardware-to-hardware IPSec VPN then any OS running a TCP/IP stack will work. Most major OSes also have their own software implementation. MS has theirs, Linux has theirs, etc.

Christopher S. Gripp
Systems Engineer
Axcelerant
Connecting Everyone In Your Business World
Visit us @ http://www.axcelerant.com

-----Original Message-----
From: Suhas Kulkarni [mailto:suhas at APPLITECHSOLUTION.COM]
Sent: Sunday, April 29, 2001 3:08 AM
To: VPN at SECURITYFOCUS.COM
Subject: VPN OS

Which Operating Systems are supported by VPN?

From cgripp at AXCELERANT.COM Mon Apr 30 13:13:20 2001
From: cgripp at AXCELERANT.COM (Christopher Gripp)
Date: Mon, 30 Apr 2001 10:13:20 -0700
Subject: expiration, generation, management of pre-shared keys
Message-ID: <4EBB5C35607E7F48B4AE162D956666EFA26B@guam.corp.axcelerant.com>

I would expire the preshared keys every 30 days. Make sure you use a good bit length, something more than the standard 8 character password. As for number of sites, assuming it is a fully meshed VPN and that most techies don't like keeping an Excel spreadsheet full of their security information, I would say 10. Each key should be different for each site's SA.
My question is why not use digital certs?!?

Christopher S. Gripp
Systems Engineer
Axcelerant
Connecting Everyone In Your Business World
Visit us @ http://www.axcelerant.com

-----Original Message-----
From: Slaby, James [mailto:JSlaby at GIGAWEB.COM]
Sent: Sunday, April 29, 2001 1:02 PM
To: VPN at SECURITYFOCUS.COM
Subject: expiration, generation, management of pre-shared keys

I'm considering using pre-shared keys (instead of digital certificates) to authenticate remote site gateways in my site-to-site Internet VPN. Is there a best practice for how often such pre-shared keys should be expired?

Assuming I have distributed my original pre-shared keys securely (e.g., on CD-ROM via bonded courier), can I generate new keys from expired ones? What methods are commonly used to do so?

At what number of remote sites does the management of pre-shared keys become such a burden that digital certificates become preferable?

Thanks,
Jim Slaby
Senior Industry Analyst
Giga Information Group
+1 617 577 4767
jslaby at gigaweb.com

From carlile at OLES.COM Mon Apr 30 19:39:53 2001
From: carlile at OLES.COM (Ron Carlile)
Date: Mon, 30 Apr 2001 23:39:53 -0000
Subject: WIN ME VPN CLIENT
Message-ID: <20010430233953.280.qmail@securityfocus.com>

I need help trying to figure out how to restore a VPN client on WIN ME. The machine was set up and running on a Dell 8100. The VPN client connected to our server for the first week. Then the user tried reinstalling the OS and got cold feet part way through the process and aborted the installation.
After that, whenever he tried connecting through the cable connection (which connects to the internet with no issues) the screen says it is trying to dial the VPN server, which it fails to do. In the network stack the VPN adapter does not have the TCP/IP protocol associated with it. I cannot add the TCP/IP protocol; when I try, the TCP/IP displays. I have reloaded ME twice and run countless utilities with no luck. The only other symptom that I noticed was on boot up, the Windows network logon screen would pop up even though it was not selected.

Anything that keeps me from wiping the drive and starting from square one would be helpful.

Ron

From chris at SDK.CA Mon Apr 30 17:54:22 2001
From: chris at SDK.CA (Chris Leavoy)
Date: Mon, 30 Apr 2001 17:54:22 -0400
Subject: No subject
Message-ID: <001401c0d1c0$1d6b2120$1401a8c0@untitled>

We are in the process of setting up remote access to the LAN at my place of employment. To prepare myself for this great task I set up pptpd on my Linux server at home. After a few hours, I managed to get it working, and win2k boxes connecting to my home server. Everything seems to be working as it is supposed to. But there are still some things I need to add.

Because of the applications and other things that we do, I need to somehow make broadcast traffic be forwarded/sent across all interfaces on the main Linux router. In other words, packets sent to 192.168.1.255 (broadcast ip) must be caught by the linux router, and then sent out all of the ppp and tun devices. I guess I am looking for some pointers on how this could be accomplished, and maybe a few resources where I can read up on it.

My network setup is as follows:

Main server, Linux 2.2.18
eth0: 192.168.1.3 netmask 255.255.255.0
eth1: internet
ppp*: remote access computers (connected over the internet)

ppp clients are given an ip in the 192.168.1.96-127 range.
Thank you

__________________________________________________
Chris Leavoy
chris at sdk.ca
www.sdk.ca/chris/
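Returning to the pre-shared key thread above (Vyncke's point that keys generated from old ones give no forward secrecy, and Gripp's advice to use a real bit length rather than an 8-character password): an added Python illustration, not code from any of the list posts. The chained rule (HMAC-SHA256 of the previous key) is a hypothetical stand-in for "generate new keys from expired ones"; the twelve 30-day periods and the 8-character comparison come from Gripp's reply.

```python
import hashlib
import hmac
import math
import secrets
import string

KEY_BYTES = 32  # 256-bit PSK, far more than an 8-character password


def derive_next_key(prev_key: bytes, period: int) -> bytes:
    """Hypothetical 'new key from the old one' rule, used only to show the
    flaw: new = HMAC-SHA256(prev, period). Deterministic, so anyone holding
    an earlier key recomputes every later one."""
    return hmac.new(prev_key, period.to_bytes(4, "big"), hashlib.sha256).digest()


def chained_schedule(initial_key: bytes, periods: int) -> list:
    """Keys for `periods` rotations where each key is derived from its predecessor."""
    keys = [initial_key]
    for p in range(1, periods):
        keys.append(derive_next_key(keys[-1], p))
    return keys


def keys_recoverable_from(leaked_period: int, schedule: list) -> int:
    """How many later keys someone holding schedule[leaked_period] can reproduce.
    For the chained schedule this is every remaining key: no forward secrecy."""
    k = schedule[leaked_period]
    recovered = 0
    for p in range(leaked_period + 1, len(schedule)):
        k = derive_next_key(k, p)
        if hmac.compare_digest(k, schedule[p]):
            recovered += 1
    return recovered


def independent_schedule(periods: int) -> list:
    """Fresh CSPRNG key per rotation: an old key reveals nothing about the next."""
    return [secrets.token_bytes(KEY_BYTES) for _ in range(periods)]


def psk_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random PSK of `length` symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    sched = chained_schedule(secrets.token_bytes(KEY_BYTES), 12)  # 12 x 30-day periods
    print("chained: leak of key 3 recovers", keys_recoverable_from(3, sched), "later keys")
    printable = len(string.ascii_letters + string.digits + string.punctuation)  # 94
    print("8 printable chars: %.0f bits" % psk_entropy_bits(8, printable))
    print("32 random bytes:   %.0f bits" % psk_entropy_bits(KEY_BYTES, 256))
```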