From mats at decus.se Wed Aug 1 15:37:29 2001
From: mats at decus.se (Mats Akerberg)
Date: Wed, 1 Aug 2001 21:37:29 +0200 (MET DST)
Subject: VPN & IDS & FW????
Message-ID:

Hi!

I was looking for a home security solution with the following demands:

1) VPN based on IPSEC
2) Some sort of Personal Firewall
3) Some IDS
4) Locked down to prevent user from changing stuff (Centralized policy perhaps?)
5) Authentication with SecurID (RSAsecurity)

I looked at NAI Gauntlet with PGPnet but they can't (as far as I can figure out) do 4 and 5.
So what should I go for? I'm sure someone has thought about this :-).

Thanks
/Mats

Mats Akerberg (mats at decus.se)
http://www.decus.se/~mats
PGP fingerprint 39 74 49 B0 40 0F 16 CA C1 EE AA 08 55 76 CE 6F

VPN is sponsored by SecurityFocus.com

From luislozano at webhostix.com Wed Aug 1 12:16:26 2001
From: luislozano at webhostix.com (Luis Roberto Lozano)
Date: Wed, 1 Aug 2001 11:16:26 -0500
Subject: My VPN Does not Work =(
Message-ID:

I have installed PPTP on an NT 4 Server, I configured it with WinRoute 4 Pro, and the problem is that the VPN client (Win98 for example) disconnects after 18 seconds. What is the problem here?

From public at johncsullivan.com Thu Aug 2 07:29:28 2001
From: public at johncsullivan.com (John C. Sullivan)
Date: Thu, 2 Aug 2001 07:29:28 -0400
Subject: IPSec Clients for OS2?
Message-ID: <000e01c11b46$64c9ec20$0802a8c0@gbi.state.ga.us>

Does anybody know of any IPSec clients for OS2?

*************************************************
John C.
Sullivan
mailto:public at johncsullivan.com
Fax: 208-567-9333
http://www.johncsullivan.com
*************************************************

From paolo at optivera.com Thu Aug 2 11:34:57 2001
From: paolo at optivera.com (Paolo Supino)
Date: Thu, 02 Aug 2001 18:34:57 +0300
Subject: deploying VPN
Message-ID: <3B697320.C412B786@optivera.com>

Hi

I'm about to deploy a VPN: OpenBSD IPSEC on the company side, FreeSWAN on some people's Linux machines and PGP on the Windows clients. My current setup is such that I have 1 gateway to the company LAN (1 LAN in 1 office, small company) which is also the firewall and PAT (I know it causes problems). The gateway computer is too weak to also be the VPN peer on the company side (it's an old SUN SPARC 5), so I need to put in another machine to be the VPN peer. The question I have is where to put the machine and how to connect it to the internal LAN so it will be as transparent as possible and not weaken the security I have now.

Suggestions and possible solutions would be great :)

Paolo

From public at johncsullivan.com Wed Aug 1 16:49:37 2001
From: public at johncsullivan.com (John C. Sullivan)
Date: Wed, 1 Aug 2001 16:49:37 -0400
Subject: "Freeware" IPSec Clients for WinNT 4.0
Message-ID: <014101c11acb$7aa68060$0802a8c0@gbi.state.ga.us>

From sandy at storm.ca Thu Aug 2 14:47:40 2001
From: sandy at storm.ca (Sandy Harris)
Date: Thu, 02 Aug 2001 14:47:40 -0400
Subject: IPSec Clients for OS2?
References: <000e01c11b46$64c9ec20$0802a8c0@gbi.state.ga.us>
Message-ID: <3B69A04C.8AA54F9F@storm.ca>

"John C. Sullivan" wrote:
>
> Does anybody know of any IPSec clients for OS2?
http://www.fx.dk/firewall/ipsec.html

From sandy at storm.ca Thu Aug 2 14:51:31 2001
From: sandy at storm.ca (Sandy Harris)
Date: Thu, 02 Aug 2001 14:51:31 -0400
Subject: "Freeware" IPSec Clients for WinNT 4.0
References: <014101c11acb$7aa68060$0802a8c0@gbi.state.ga.us>
Message-ID: <3B69A133.43A6244B@storm.ca>

"John C. Sullivan" wrote:
> Does anyone know if there are any freeware IPSec Clients for Windows NT 4.0?

There's a list of Windows clients in the FreeS/WAN docs:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/interop.html#winclient

Several of them have versions that are free for personal use. I don't know of any that are free for commercial or institutional use.

From chris_barker at WestLB.co.jp Thu Aug 2 21:54:05 2001
From: chris_barker at WestLB.co.jp (chris_barker at WestLB.co.jp)
Date: Fri, 3 Aug 2001 10:54:05 +0900
Subject: VPN & IDS & FW????
Message-ID: <49256A9D.000A4A02.00@tky-notes-03.westlb.co.jp>

You could use the Cisco VPN client (=>v2.5) which satisfies 1, 4 & 5, plus BlackICE for 2/3. BTW, 5 is more a function of your gateway than the client.

Chris Barker
Regional IT Security Officer
WestLB Systems Tokyo Branch
chris_barker at westlb.co.jp

Mats Akerberg on 08/02/2001 04:37:29 AM

From wprice at pgp.com Thu Aug 2 17:20:48 2001
From: wprice at pgp.com (Will Price)
Date: Thu, 02 Aug 2001 14:20:48 -0700
Subject: VPN & IDS & FW????
References:
Message-ID: <3B69C431.C34BDE87@pgp.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mats:

Number 4 is absolutely a feature of the PGP product. Almost every single list, checkbox, or other policy can be completely locked down by an administrator. The PGP Desktop Manageability Tools is what you're looking for to do that.

You are correct that number 5 is not currently supported in the Gauntlet for Solaris product, however the eppliance 2.0 version of the Gauntlet product *does* support that now.
The PGP client fully supports SecurID with many gateways.

Mats Akerberg wrote:
> I was looking for a home security solution with the following
> demands:
>
> 1) VPN based on IPSEC
> 2) Some sort of Personal Firewall
> 3) Some IDS
> 4) Locked down to prevent user from changing stuff (Centralized
> policy
> perhaps?)
> 5) Authentication with SecurID (RSAsecurity)
>
> I looked at NAI Gauntlet with PGPnet but they can't (as far as I
> can figure out) do 4 and 5.
> So what should I go for? I'm sure someone has thought about this
> :-).

- --
Will Price, Director of Engineering
PGP Security, Inc.
a division of Network Associates, Inc.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBO2nEGqy7FkvPc+xMEQLKZQCgtLairuHeluRRWPjg/p/Iu7IFqeYAmwY7
F7hrX7qmbkYHlukZSWYASnbi
=rcsY
-----END PGP SIGNATURE-----

From kartik_04 at rediffmail.com Fri Aug 3 05:35:02 2001
From: kartik_04 at rediffmail.com (kartik narendra mehta)
Date: 3 Aug 2001 09:35:02 -0000
Subject: info. required
Message-ID: <20010803093502.30771.qmail@mailweb12.rediffmail.com>

Sir,

Can anyone let me know how to set up and configure an IPSec tunnel between a Gauntlet firewall or Webshield E-ppliance and a Cisco router (26xx series)? It would be of great help if anyone can provide me with a solution.

Thanks,
Kartik

_________________________________________________________
For Rs. 2,000,000 worth of Aptech scholarships click below
http://events.rediff.com/aptechsch/scholarship.htm

From Topi.Hautanen at F-Secure.com Fri Aug 3 06:58:42 2001
From: Topi.Hautanen at F-Secure.com (Topi Hautanen)
Date: Fri, 03 Aug 2001 13:58:42 +0300
Subject: VPN & IDS & FW????
References:
Message-ID: <3B6A83E2.EF9F3CB4@F-Secure.com>

Hi Mats,

take a look at:
http://www.f-secure.com/products/vpnplus/

F-Secure VPN+ includes Distributed Firewall functionalities (even filtering inside VPN tunnels) as well as centralized, policy-based management.
End-user's GUI can be locked from Policy Manager.

Regards,
Topi

Mats Akerberg wrote:
>
> Hi!
>
> I was looking for a home security solution with the following demands:
>
> 1) VPN based on IPSEC
> 2) Some sort of Personal Firewall
> 3) Some IDS
> 4) Locked down to prevent user from changing stuff (Centralized policy
> perhaps?)
> 5) Authentication with SecurID (RSAsecurity)
>
> I looked at NAI Gauntlet with PGPnet but they can't (as far as I can figure
> out) do 4 and 5.
> So what should I go for? I'm sure someone has thought about this :-).
>
> Thanks
> /Mats
>
> Mats Akerberg (mats at decus.se)
> http://www.decus.se/~mats
> PGP fingerprint 39 74 49 B0 40 0F 16 CA C1 EE AA 08 55 76 CE 6F

From nectech at johncsullivan.com Thu Aug 2 17:26:45 2001
From: nectech at johncsullivan.com (John C. Sullivan)
Date: Thu, 2 Aug 2001 17:26:45 -0400
Subject: My VPN Does not Work =(
References:
Message-ID: <017501c11b99$d57a68c0$0100a8c0@sullivan1>

When I had a similar problem, it was because I had not reinstalled Service Packs after installing PPTP.

****************************************
John C. Sullivan
NEC Technologies, Inc.
mailto:nectech at johncsullivan.com
fax: (208)567-9333
http://www.johncsullivan.com
****************************************

----- Original Message -----
From: "Luis Roberto Lozano"
To:
Sent: Wednesday, August 01, 2001 12:16 PM
Subject: My VPN Does not Work =(

> I have installed PPTP on an NT 4 Server, I configured it with WinRoute 4
> Pro, and the problem is that the VPN client (Win98 for example) disconnects
> after 18 seconds. What is the problem here?

From byron at markettools.com Sun Aug 5 02:48:56 2001
From: byron at markettools.com (Byron Kennedy)
Date: Sat, 4 Aug 2001 23:48:56 -0700
Subject: info. required
Message-ID:

Where are you having trouble?
-----Original Message-----
From: kartik narendra mehta [mailto:kartik_04 at rediffmail.com]
Sent: Friday, August 03, 2001 2:35 AM
To: vpn at securityfocus.com
Subject: info. required

Sir,

Can anyone let me know how to set up and configure an IPSec tunnel between a Gauntlet firewall or Webshield E-ppliance and a Cisco router (26xx series)? It would be of great help if anyone can provide me with a solution.

Thanks,
Kartik

From peter at securegateway.org Mon Aug 6 18:46:20 2001
From: peter at securegateway.org (Peter Robinson)
Date: 6 Aug 2001 22:46:20 -0000
Subject: command line ipsec client for win32
Message-ID: <20010806224620.9061.qmail@securityfocus.com>

Hi there all

Does anyone know of a command line IPsec client for win32? I am preferably looking for source code. I am using Freeswan on Debian as a VPN gateway.

Thanks for any replies

Peter Robinson

From guy.raymakers at eds.com Tue Aug 7 09:49:34 2001
From: guy.raymakers at eds.com (Raymakers, Guy)
Date: Tue, 7 Aug 2001 14:49:34 +0100
Subject: IKE/IPSec problem
Message-ID:

Hi All,

I have the following situation:

HQ Network ------ VPN RTR ------ Leased Line ------ Internet -------- ISDN ------- Remote VPN RTR ---- remote network

The scenario is: the Remote VPN RTR has an active SA with the VPN RTR. For a while there's no data going over the ISDN line so the idle timer drops the connection. Some moments after this, due to maintenance or something, the central VPN RTR is rebooted or all the SAs are cleared. After the reboot the central VPN RTR has no active SAs while the Remote VPN RTR still has the 'old' established SA active.
When the Remote wants to send data again, the ISDN link comes up and the Remote VPN RTR will start sending data using the old SA. From my tests, I had to manually clear the SAs on the Remote VPN RTR to get IPSEC up and running again.

Has anyone experienced this also and found a solution for it?

The routers are Cisco 1720 and 7140...

Many Thanks
Guy

From angus at tellme.com Tue Aug 7 14:53:58 2001
From: angus at tellme.com (Angus Davis)
Date: Tue, 07 Aug 2001 11:53:58 -0700
Subject: interoperability experiences?
Message-ID: <3B703946.8EE51B6F@tellme.com>

Hello,

We are currently evaluating new VPN vendors due to interoperability problems we've experienced in the past with our current vendor, Red Creek. Two options currently near the top of our list are the NetScreen 100 and the Nokia 440. I'm curious to know if anyone has any experience with either of these particular units, and in particular, any problems or successes you've had getting either of them to interoperate with other VPNs such as Checkpoint, Cisco, etc. via IPSec.

If you know of other options we should consider that have phenomenal interoperability track records, please let me know.

Thank you,
-angus

From sandy at storm.ca Tue Aug 7 17:09:20 2001
From: sandy at storm.ca (Sandy Harris)
Date: Tue, 07 Aug 2001 17:09:20 -0400
Subject: interoperability experiences?
References: <3B703946.8EE51B6F@tellme.com>
Message-ID: <3B705900.494459AD@storm.ca>

Angus Davis wrote:
> We are currently evaluating new VPN vendors due to
> interoperability problems ...

The docs for Linux FreeS/WAN have links to some pages on this:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/web.html#interop

> If you know of other options we should consider that have
> phenomenal interoperability track records, please let me know.
Check the FreeS/WAN interoperability doc:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/interop.html

It lists 20-odd implementations FreeS/WAN interoperates with.

From bkeepper at paladinss.com Wed Aug 8 02:44:25 2001
From: bkeepper at paladinss.com (bkeepper)
Date: Tue, 7 Aug 2001 23:44:25 -0700
Subject: interoperability experiences?
In-Reply-To: <3B703946.8EE51B6F@tellme.com>
Message-ID: <000001c11fd5$9a485010$076f10ac@Paladinss.com>

Angus,

I can't respond to the list from this address, so you can forward it if you like.

The Nokia IP440 runs Checkpoint as its firewall and VPN service, so interoperability with other Checkpoint VPNs is a non-issue. I have successfully configured Checkpoint to Cisco PIX, Checkpoint to Netscreen, and Checkpoint to FreeS/WAN. I have also made PIX and Netscreen play nice. I have also made Windows 2000 IPSEC talk to Checkpoint (nice because it's built in), but if you go Checkpoint/Nokia you are better off using Checkpoint's proprietary VPN client (SecuRemote/SecureClient - Remote is free, Client has built-in personal firewalling, but they charge for it). All of these configs were accomplished using docs off the web.

Ben

-----Original Message-----
From: Angus Davis [mailto:angus at tellme.com]
Sent: Tuesday, August 07, 2001 11:54 AM
To: vpn at securityfocus.com
Subject: interoperability experiences?

Hello,

We are currently evaluating new VPN vendors due to interoperability problems we've experienced in the past with our current vendor, Red Creek. Two options currently near the top of our list are the NetScreen 100 and the Nokia 440. I'm curious to know if anyone has any experience with either of these particular units, and in particular, any problems or successes you've had getting either of them to interoperate with other VPNs such as Checkpoint, Cisco, etc. via IPSec.

If you know of other options we should consider that have phenomenal interoperability track records, please let me know.
Thank you,
-angus

From tbird at precision-guesswork.com Wed Aug 8 01:17:46 2001
From: tbird at precision-guesswork.com (Tina Bird)
Date: Wed, 8 Aug 2001 00:17:46 -0500 (CDT)
Subject: New Mailing List: Log Analysis
Message-ID:

Hi VPN'ers --

In hopes of getting more people to read their log files, I'm kicking off a new mailing list at SecurityFocus.

The Log Analysis mailing list is a forum for system administrators who are building and using a centralized logging infrastructure in their networks. Most of the discussion will focus on the care and feeding of syslog -- central loghosts, how to configure the devices in your network, how to secure your log infrastructure. We also talk about how to manage and process your log data.

One of my primary goals for this list is to collect log data from attacks "in the wild," and to build configuration files for swatch and logsurfer that contain samples of these known attack signatures. Hopefully this will encourage more people to look at their logfiles regularly. I will also be publishing syslog configurations for devices as I collect them.

This list is moderated by Tina Bird.

Hi all -- I've finally gotten around to kicking off the LogAnalysis mailing list. I'm still working on the list charter, but since you were in the class, you've got the idea about what to talk about.

To subscribe to the LogAnalysis mailing list, send an empty e-mail message to loganalysis-subscribe at securityfocus.com from the account you want to add. You'll be asked to confirm the subscription request, and sent a list of administrative commands for your subscription.

And start talking!
Cheers -- tbird

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

From guy.raymakers at eds.com Wed Aug 8 09:21:40 2001
From: guy.raymakers at eds.com (Raymakers, Guy)
Date: Wed, 8 Aug 2001 14:21:40 +0100
Subject: IKE/IPSec problem
Message-ID:

Hi All,

I've found some documentation about this on the Cisco Website:

"One of the most common issues today in large-scale VPNs is the stale SA, which occurs when one device at the end of the tunnel maintains the tunnel state but the other remote end does not. The loss of state could occur during link failure, misconfiguration, troubleshooting, system maintenance, or complete device failure. IKE keepalives resolve this issue by removing the state of the old tunnel and setting up a new tunnel. Routing protocol resilience, however, keeps the tunnels up at all times and, therefore, is more likely to run into a stale SA problem. There is no feedback link between network reachability over a tunnel and tunnel status. In other words, if a network is no longer reachable over a tunnel, the tunnel is not torn down until it times out. When the remote device comes back on line, if it had lost tunnel state, it will attempt to establish a new tunnel. The device that remained active will receive a tunnel-establishment request for a tunnel for which it already has state. Believing the request to be a possible denial-of-service (DoS) attack, the device will ignore the request. This ignoring of the request could be an issue in everyday system administration when devices are taken off line for maintenance. Cisco recommends that when you are taking headend VPN devices off line for maintenance that you clear the IKE SAs on the remote devices to facilitate IKE reestablishment."

The last sentence gives me a bad feeling: how could you clear all SAs on e.g. 2000 remotes?
Could this be done by simply issuing the "clear cry isa" command on the headend routers?

Does anyone have experience with this?

Many Thanks,
Guy

-----Original Message-----
From: Raymakers, Guy
Sent: Tuesday, August 07, 2001 3:50 PM
To: 'VPN mailing list'
Subject: IKE/IPSec problem

Hi All,

I have the following situation:

HQ Network ------ VPN RTR ------ Leased Line ------ Internet -------- ISDN ------- Remote VPN RTR ---- remote network

The scenario is: the Remote VPN RTR has an active SA with the VPN RTR. For a while there's no data going over the ISDN line so the idle timer drops the connection. Some moments after this, due to maintenance or something, the central VPN RTR is rebooted or all the SAs are cleared. After the reboot the central VPN RTR has no active SAs while the Remote VPN RTR still has the 'old' established SA active. When the Remote wants to send data again, the ISDN link comes up and the Remote VPN RTR will start sending data using the old SA. From my tests, I had to manually clear the SAs on the Remote VPN RTR to get IPSEC up and running again.

Has anyone experienced this also and found a solution for it?

The routers are Cisco 1720 and 7140...

Many Thanks
Guy

From fredy at orion.cl Wed Aug 8 09:41:20 2001
From: fredy at orion.cl (Fredy Santana)
Date: Wed, 08 Aug 2001 09:41:20 -0400
Subject: Philosophical question...
In-Reply-To: <000001c11fd5$9a485010$076f10ac@Paladinss.com>
References: <000001c11fd5$9a485010$076f10ac@Paladinss.com>
Message-ID:

Hi:

I have found some information that considers SSL and SSH to be VPNs. I always thought a VPN was an encrypted communication channel, but a layer 3 (OSI model) communication channel. If the definition of VPN is "A secure communication channel over a public network", SSL and SSH (layer 7 protocols) are a VPN.

What are your opinions? Is my definition of VPN wrong??

I hope for your comments

Greetings from Chile
Fredy R.
Santana V.
Ingeniero Civil Eléctrico (Electrical Engineer) - CCSA - CCDA
Orion 2000 - Servicios Profesionales en Seguridad Informática (Professional Information Security Services)
La Concepcion 322, 12th floor, Providencia. Santiago, Chile
Phone: 56-2-6403944, Fax: 56-2-6403990
e-mail: fredy at orion.cl
http://www.orion.cl

From dirk.schuelgen at eutelis.de Wed Aug 8 05:52:27 2001
From: dirk.schuelgen at eutelis.de (dirk.schuelgen at eutelis.de)
Date: Wed, 8 Aug 2001 11:52:27 +0200
Subject: VPN history
Message-ID:

Does anyone have something like a short "history of VPNs"? When did they first appear, how did they evolve....? Any information or hint would help me a lot.

Thanks guys.

dis at eutelis.de
Germany

From jonc at haht.com Wed Aug 8 14:21:38 2001
From: jonc at haht.com (Jon Carnes)
Date: Wed, 8 Aug 2001 14:21:38 -0400
Subject: VPN history
References:
Message-ID: <04f001c12036$f7278650$0b04010a@JCARNES>

Read the archives from about 6 months ago. There are some long conversations that discuss just this topic.
http://www.securityfocus.com/templates/archive.pike?list=50

I personally think IP tunnels were the first "traditional" VPNs, but those X.400 guys have a different viewpoint.

IP tunnels were first built on academic campuses to extend the reach of their network to remote buildings. Sysadmins would tunnel a "local" IP packet inside a routed IP packet. The routed IP packets would be reassembled at a central location and release the tunneled IP packet onto the local network. In effect extending the reach of the local network to a remote site.

In 1994 at ON Technology we used an NLM called iptunnel to tunnel IPX using IP across the internet (from Novell server to Novell server). This linked all our remote sites together into an extended LAN. Which we later called a WAN. We thought we were hot-sh*t.
----- Original Message -----
From:
To:
Sent: Wednesday, August 08, 2001 5:52 AM
Subject: VPN history

> Does anyone have something like a short "history of VPNs"?
> When did they first appear, how did they evolve....?
> Any information or hint would help me a lot.
> Thanks guys.
>
> dis at eutelis.de
> Germany

From gdemarco at ccigi.com Wed Aug 8 13:50:58 2001
From: gdemarco at ccigi.com (Greg De Marco)
Date: Wed, 8 Aug 2001 13:50:58 -0400
Subject: vpn
Message-ID:

Hi,

I am new to the world of VPNs and I want to have a connection from home to my office so that I can access data in certain Access database applications and be able to update them as well. I would like a cheap but efficient solution to getting set up. Costs, set-up costs, equipment etc... Do you have any suggestions?

----
Gregory J. De Marco, President
Canadian Corporate Information Group Inc.
Tel: (905) 799-2251 * 1-800-467-8918
Fax: (905) 799-0827 * 1-888-244-9664
'Your Information Providers'

From jroy at axcelerant.com Wed Aug 8 14:31:11 2001
From: jroy at axcelerant.com (Jerry Roy)
Date: Wed, 8 Aug 2001 11:31:11 -0700
Subject: IKE/IPSec problem
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF0AF576@guam.corp.axcelerant.com>

Hi Guy,

Great find. I believe this does work. I have noticed that the node gets purged on the remote side when the clear crypto is run on the head end. A few minutes go by but it does eventually happen. Question, how do I set the IKE keepalives?
Best Regards,

Jerry Roy

-----Original Message-----
From: Raymakers, Guy [mailto:guy.raymakers at eds.com]
Sent: Wednesday, August 08, 2001 6:22 AM
To: 'VPN mailing list'
Subject: RE: IKE/IPSec problem
Importance: High

Hi All,

I've found some documentation about this on the Cisco Website:

"One of the most common issues today in large-scale VPNs is the stale SA, which occurs when one device at the end of the tunnel maintains the tunnel state but the other remote end does not. The loss of state could occur during link failure, misconfiguration, troubleshooting, system maintenance, or complete device failure. IKE keepalives resolve this issue by removing the state of the old tunnel and setting up a new tunnel. Routing protocol resilience, however, keeps the tunnels up at all times and, therefore, is more likely to run into a stale SA problem. There is no feedback link between network reachability over a tunnel and tunnel status. In other words, if a network is no longer reachable over a tunnel, the tunnel is not torn down until it times out. When the remote device comes back on line, if it had lost tunnel state, it will attempt to establish a new tunnel. The device that remained active will receive a tunnel-establishment request for a tunnel for which it already has state. Believing the request to be a possible denial-of-service (DoS) attack, the device will ignore the request. This ignoring of the request could be an issue in everyday system administration when devices are taken off line for maintenance. Cisco recommends that when you are taking headend VPN devices off line for maintenance that you clear the IKE SAs on the remote devices to facilitate IKE reestablishment."

The last sentence gives me a bad feeling: how could you clear all SAs on e.g. 2000 remotes? Could this be done by simply issuing the "clear cry isa" command on the headend routers?

Does anyone have experience with this?
Many Thanks,
Guy

-----Original Message-----
From: Raymakers, Guy
Sent: Tuesday, August 07, 2001 3:50 PM
To: 'VPN mailing list'
Subject: IKE/IPSec problem

Hi All,

I have the following situation:

HQ Network ------ VPN RTR ------ Leased Line ------ Internet -------- ISDN ------- Remote VPN RTR ---- remote network

The scenario is: the Remote VPN RTR has an active SA with the VPN RTR. For a while there's no data going over the ISDN line so the idle timer drops the connection. Some moments after this, due to maintenance or something, the central VPN RTR is rebooted or all the SAs are cleared. After the reboot the central VPN RTR has no active SAs while the Remote VPN RTR still has the 'old' established SA active. When the Remote wants to send data again, the ISDN link comes up and the Remote VPN RTR will start sending data using the old SA. From my tests, I had to manually clear the SAs on the Remote VPN RTR to get IPSEC up and running again.

Has anyone experienced this also and found a solution for it?

The routers are Cisco 1720 and 7140...

Many Thanks
Guy

From conny at gbg.dimension.se Thu Aug 9 08:00:03 2001
From: conny at gbg.dimension.se (Conny Stefors)
Date: Thu, 09 Aug 2001 14:00:03 +0200
Subject: Solaris 8 and IPSEC
Message-ID: <3B727B43.6CF76B3B@gbg.dimension.se>

Hi,

Is there anybody out there who is familiar with configuring VPN with the IPSEC feature in Solaris 8? I've read the man pages, but those are not enough for me ;-)

What I want to accomplish is to have two Solaris 8 machines have all the network communication between them encrypted with IPSEC.
Cheers,
//Conny

From guy.raymakers at eds.com Thu Aug 9 02:15:28 2001
From: guy.raymakers at eds.com (Raymakers, Guy)
Date: Thu, 9 Aug 2001 07:15:28 +0100
Subject: IKE/IPSec problem
Message-ID:

Jerry,

It's in global config mode: crypto isakmp keepalive 10. The value can go up to 3600.

Best regards,
Guy

-----Original Message-----
From: Jerry Roy [mailto:jroy at axcelerant.com]
Sent: Wednesday, August 08, 2001 8:31 PM
To: VPN at securityfocus.com
Subject: RE: IKE/IPSec problem

Hi Guy,

Great find. I believe this does work. I have noticed that the node gets purged on the remote side when the clear crypto is run on the head end. A few minutes go by but it does eventually happen. Question, how do I set the IKE keepalives?

Best Regards,

Jerry Roy

-----Original Message-----
From: Raymakers, Guy [mailto:guy.raymakers at eds.com]
Sent: Wednesday, August 08, 2001 6:22 AM
To: 'VPN mailing list'
Subject: RE: IKE/IPSec problem
Importance: High

Hi All,

I've found some documentation about this on the Cisco Website:

"One of the most common issues today in large-scale VPNs is the stale SA, which occurs when one device at the end of the tunnel maintains the tunnel state but the other remote end does not. The loss of state could occur during link failure, misconfiguration, troubleshooting, system maintenance, or complete device failure. IKE keepalives resolve this issue by removing the state of the old tunnel and setting up a new tunnel. Routing protocol resilience, however, keeps the tunnels up at all times and, therefore, is more likely to run into a stale SA problem. There is no feedback link between network reachability over a tunnel and tunnel status. In other words, if a network is no longer reachable over a tunnel, the tunnel is not torn down until it times out. When the remote device comes back on line, if it had lost tunnel state, it will attempt to establish a new tunnel.
The device that remained active will receive a tunnel-establishment request for a tunnel for which it already has state. Believing the request to be a possible denial-of-service (DoS) attack, the device will ignore the request. This ignoring of the request could be an issue in everyday system administration when devices are taken off line for maintenance. Cisco recommends that when you are taking headend VPN devices off line for maintenance that you clear the IKE SAs on the remote devices to facilitate IKE reestablishment."

The last sentence gives me a bad feeling: how could you clear all SAs on e.g. 2000 remotes? Could this be done by simply issuing the "clear cry isa" command on the headend routers?

Does anyone have experience with this?

Many Thanks,
Guy

-----Original Message-----
From: Raymakers, Guy
Sent: Tuesday, August 07, 2001 3:50 PM
To: 'VPN mailing list'
Subject: IKE/IPSec problem

Hi All,

I have the following situation:

HQ Network ------ VPN RTR ------ Leased Line ------ Internet -------- ISDN ------- Remote VPN RTR ---- remote network

The scenario is: the Remote VPN RTR has an active SA with the VPN RTR. For a while there's no data going over the ISDN line so the idle timer drops the connection. Some moments after this, due to maintenance or something, the central VPN RTR is rebooted or all the SAs are cleared. After the reboot the central VPN RTR has no active SAs while the Remote VPN RTR still has the 'old' established SA active. When the Remote wants to send data again, the ISDN link comes up and the Remote VPN RTR will start sending data using the old SA. From my tests, I had to manually clear the SAs on the Remote VPN RTR to get IPSEC up and running again.

Has anyone experienced this also and found a solution for it?

The routers are Cisco 1720 and 7140...
Many Thanks
Guy

From jonc at haht.com Wed Aug 8 16:29:07 2001
From: jonc at haht.com (Jon Carnes)
Date: Wed, 8 Aug 2001 16:29:07 -0400
Subject: Philosophical question...
References:
Message-ID: <055a01c12048$c609cdf0$0b04010a@JCARNES>

Interesting, since all my larger remote sites are attached via ppp/ssh VPNs. I only use them for site-to-site connections. The setup wouldn't be worth the trouble for individual connections.

Yes, it's not as "sexy" as IPsec, but it is simpler and extremely reliable - despite any rumours you may have heard to the contrary.

Of course the new Linux kernels are making it obsolete by the addition of the ipip and ipgre modules. Each of which makes setup of a site-to-site VPN quick and painless.

Jon Carnes
MIS - HAHT Commerce

----- Original Message -----
From: "Tina Bird"
To: "Fredy Santana"
Cc:
Sent: Wednesday, August 08, 2001 11:28 AM
Subject: Re: Philosophical question...

> Although the FAQ I maintain for this list doesn't >say<
> this (time for another edit?), I distinguish between
> SSL and SSH and "full blown" VPNs by their routing
> capabilities. SSL and SSH are designed for access to
> a single host (although you can hack SSH and PPP to
> get routing to a private network). In my mind, VPNs
> incorporate seamless routing between private networks
> (at least that's the plan -- anyone who's implemented
> them knows that getting the routing right is often
> the hardest part)...
>
> tbird
>

From bob.deboda at rvl.com Wed Aug 8 16:04:34 2001
From: bob.deboda at rvl.com (BOB DE BODA)
Date: Thu, 9 Aug 2001 04:04:34 +0800
Subject: vpn between raptor and cisco
Message-ID: <53EA599BC249D4118BCA00D0B782744A0211374E@hkexg05.hk.rvl.com>

I need to make a site-to-site between my head office and a branch office.
The head office uses Raptor 6.0.2 on Solaris and the branch uses a Cisco 1720 with the IOS 12.0 IPsec feature set. I have followed (step-by-step) the FAQ from Firetower about doing this and I can't get it to work. I have added one line to the Cisco instructions (using MD5 instead of the default SHA) and I was able to create the VPN tunnel, but packets cannot go through. Has anybody out there actually been able to create the VPN and pass packets? I have followed the postings about this in the Firetower list, but no help. Any help would be greatly appreciated. Thanks!

VPN is sponsored by SecurityFocus.com

From djdawso at qwest.com Wed Aug 8 19:22:52 2001 From: djdawso at qwest.com (Dana J. Dawson) Date: Wed, 08 Aug 2001 18:22:52 -0500 Subject: IKE/IPSec problem References: <4EBB5C35607E7F48B4AE162D956666EF0AF576@guam.corp.axcelerant.com> Message-ID: <3B71C9CC.63D714C@qwest.com>

Jerry Roy wrote:
> Hi Guy,
>
> Great find. I believe this does work. I have noticed that the node gets purged on the remote side when the clear crypto is run on the head end. A few minutes go by but it does eventually happen. Question, how do I set the IKE keepalives?
>
> Best Regards,
>
> Jerry Roy

Use the "crypto isakmp keepalive" command. Cisco says this can be processor-intensive, and doesn't recommend it in large configurations, but they have a new feature called "Dead Peer Detection" that's supposed to improve that situation. I don't know what the command for this is or what IOS it showed up in (if it's even out yet), but it's something to look into. In general, the areas of redundancy and resiliency are frequently still high effort activities with IPSec.

HTH Dana

-- Dana J. Dawson djdawso at qwest.com Senior Staff Engineer CCIE #1937 Qwest Global Services (612) 664-3364 Qwest Communications (612) 664-4779 (FAX) 600 Stinson Blvd., Suite 1S Minneapolis MN 55413-2620 "Hard is where the money is."
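The stale-SA problem in Guy's scenario, and the keepalive / Dead Peer Detection remedy Dana points to, as a toy model in Python. This is an added example, not code from the thread or from Cisco IOS: the `Peer` class, the peer names and the three-miss budget are invented, and real DPD exchanges R-U-THERE / R-U-THERE-ACK notifies under the IKE SA rather than the direct state check used here. It models both directions of the failure: the headend reloading while the remote keeps an old SA (Guy's case) and a remote reloading while the headend keeps state and ignores the fresh request (the Cisco note). Whichever side holds stale state, keepalives let it discard that state after a few missed replies so the tunnel renegotiates on its own, which is what removes the need to clear SAs on 2000 remotes by hand.

```python
"""Toy model of IKE SA desynchronisation and recovery via keepalives (DPD).
Added example: not Cisco IOS code; peer names and counters are invented."""
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    dpd: bool = False          # stand-in for "crypto isakmp keepalive"
    dpd_max_fail: int = 3      # missed keepalives before the peer is declared dead
    sa: dict = field(default_factory=dict)     # peer name -> SA identifier
    fails: dict = field(default_factory=dict)  # peer name -> consecutive misses
    next_id: int = 1


def ike_request(initiator: Peer, responder: Peer) -> str:
    """Initiator proposes a new tunnel. A responder that still holds state for
    this initiator ignores the request (the behaviour the Cisco note describes)."""
    if initiator.name in responder.sa:
        return "ignored"
    sa_id = f"{initiator.name}->{responder.name}#{initiator.next_id}"
    initiator.next_id += 1
    initiator.sa[responder.name] = sa_id
    responder.sa[initiator.name] = sa_id
    initiator.fails[responder.name] = 0
    responder.fails[initiator.name] = 0
    return "established"


def clear_sa(p: Peer, peer_name=None) -> None:
    """'clear crypto isakmp' for one peer, or a reload (all state) when peer_name is None."""
    if peer_name is None:
        p.sa.clear()
        p.fails.clear()
    else:
        p.sa.pop(peer_name, None)
        p.fails.pop(peer_name, None)


def keepalive(src: Peer, dst: Peer) -> str:
    """DPD probe from src. dst can only answer if it still shares the same SA."""
    if not src.dpd or dst.name not in src.sa:
        return "none"
    if dst.sa.get(src.name) == src.sa[dst.name]:
        src.fails[dst.name] = 0
        return "acked"
    src.fails[dst.name] = src.fails.get(dst.name, 0) + 1
    if src.fails[dst.name] >= src.dpd_max_fail:
        clear_sa(src, dst.name)    # peer declared dead: discard the stale SA
        return "peer-dead"
    return "missed"


def send_data(src: Peer, dst: Peer) -> str:
    """src sends protected traffic, negotiating a tunnel first if it holds none."""
    if dst.name not in src.sa:
        return ike_request(src, dst)           # "established" or "ignored"
    if dst.sa.get(src.name) == src.sa[dst.name]:
        return "delivered"
    return "dropped"    # dst has no state for this SA and silently discards it


def run(remote: Peer, headend: Peer, steps: int = 6) -> list:
    """Each step: one keepalive in each direction, then one data send from the remote."""
    outcomes = []
    for _ in range(steps):
        keepalive(remote, headend)
        keepalive(headend, remote)
        outcomes.append(send_data(remote, headend))
    return outcomes


def scenario_a(remote_dpd: bool) -> list:
    """Guy's case: the headend reloads while the remote keeps the old SA."""
    remote, headend = Peer("remote", dpd=remote_dpd), Peer("headend")
    ike_request(remote, headend)
    clear_sa(headend)            # reload, or "clear crypto isakmp" on the headend
    return run(remote, headend)


def scenario_b(headend_dpd: bool) -> list:
    """The Cisco note: the remote reloads, the headend keeps state and ignores the new request."""
    remote, headend = Peer("remote"), Peer("headend", dpd=headend_dpd)
    ike_request(remote, headend)
    clear_sa(remote)
    return run(remote, headend)


if __name__ == "__main__":
    for label, result in [("A/no DPD", scenario_a(False)), ("A/DPD", scenario_a(True)),
                          ("B/no DPD", scenario_b(False)), ("B/DPD", scenario_b(True))]:
        print(f"{label:10s} {result}")
```

Without keepalives `scenario_a` never recovers (every send from the remote is dropped against the headend's missing state) and `scenario_b` never recovers either (every new request is ignored while the headend's old state lives); with keepalives on the side that holds stale state, the third missed probe clears it and the next send re-establishes the tunnel.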
VPN is sponsored by SecurityFocus.com

From JFulmer at hrblock.com Thu Aug 9 15:20:33 2001 From: JFulmer at hrblock.com (Fulmer, John) Date: Thu, 9 Aug 2001 14:20:33 -0500 Subject: Philosophycal question... Message-ID: <0527AEA39397D31194550008C71618E3027A4B1B@whqntmgx02.hrblock.net>

How does that work over unreliable networks? My own experiments with that (granted, a few years back) showed that SSH+PPP doesn't recover from lost packets very well, and I would frequently get hung connections and no way to cleanly recover. Have you run into this, or tried it over questionable connections, like an overloaded frame or a spotty cable modem? Just wondering... jf

-----Original Message----- From: Jon Carnes To: Tina Bird; Fredy Santana Cc: vpn at securityfocus.com Sent: 8/8/01 3:29 PM Subject: Re: Philosophycal question...

Interesting, since all my larger remote sites are attached via ppp/ssh VPNs. I only use them for site-to-site connections. The setup wouldn't be worth the trouble for individual connections. Yes, it's not as "sexy" as IPsec, but it is simpler and extremely reliable - despite any rumours you may have heard to the contrary. Of course the new Linux kernels are making it obsolete by the addition of the ipip and ipgre modules, each of which makes setup of a site-to-site VPN quick and painless.

Jon Carnes MIS - HAHT Commerce

VPN is sponsored by SecurityFocus.com

From shope at energis-eis.co.uk Thu Aug 9 04:31:08 2001 From: shope at energis-eis.co.uk (Stephen Hope) Date: Thu, 9 Aug 2001 09:31:08 +0100 Subject: Philosophycal question... Message-ID: <73BE32DA9E55D511ACF30050BAEA04870495B5@email.datarange.co.uk>

Fredy, The ISO model is a "reference design" rather than a formal set of rules - most protocols don't exactly conform in some details. In practice IP doesn't map exactly to ISO - which isn't all that surprising as IP predates ISO.
Classic example is any kind of tunnel, where you end up with at least part of 2 stacks - the tunnel provides a lower level emulation over a higher level. E.g. an IPsec VPN is providing IP (layer 3) over IPsec (transport layer or layer 4). SSL tunneling of general packets is layer 3 over layer 5.. and so on.

The more basic answer is that models are useful, but the whole point of a model is to simplify real world complexity, and at some point every model will not reflect reality all that well.

regards Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk Carrington Business Park, Carrington, Manchester , UK. M31 4ZU Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Fredy Santana [mailto:fredy at orion.cl]
> Sent: 08 August 2001 14:41
> To: vpn at securityfocus.com
> Subject: Philosophycal question...
>
> Hi:
>
> I have found some information that considers SSL and SSH to be VPNs. I had always thought a VPN is an encrypted communication channel, but a layer 3 (OSI model) communication channel.
>
> If the definition of VPN is "A secure communication channel over a public network", SSL and SSH (layer 7 protocols) are a VPN.
>
> What are your opinions? Is my definition of VPN wrong?
>
> I hope for your comments
>
> Greetings from Chile
>
> Fredy R. Santana V.
> Electrical Engineer (Ingeniero Civil Eléctrico) - CCSA - CCDA
> Orion 2000 - Professional Services in IT Security
> La Concepcion 322 piso 12, Providencia.
> Santiago, Chile
> Phone: 56-2-6403944, Fax: 56-2-6403990
> e-mail: fredy at orion.cl
> http://www.orion.cl

VPN is sponsored by SecurityFocus.com

From ken at seefried.com Thu Aug 9 16:17:58 2001 From: ken at seefried.com (Ken Seefried) Date: Thu, 09 Aug 2001 20:17:58 GMT Subject: 3Com S500 Pathbuilder VPN Switch Message-ID: <20010809201758.11050.qmail@mail.seefried.com>

I've got a 3Com S500 Pathbuilder VPN switch, and I was wondering if anyone knew where to find the latest (last, actually) software, which should be version 11.4. 3Com has not only end-of-lifed this product (along with tons of others), they've eradicated almost all mention of it from their web site. Any help would be appreciated. Ken

VPN is sponsored by SecurityFocus.com

From jonc at haht.com Thu Aug 9 16:44:38 2001 From: jonc at haht.com (Jon Carnes) Date: Thu, 9 Aug 2001 16:44:38 -0400 Subject: Philosophycal question... References: <0527AEA39397D31194550008C71618E3027A4B1B@whqntmgx02.hrblock.net> Message-ID: <060f01c12114$1bc9b130$0b04010a@JCARNES>

> How does that work over unreliable networks? My own experiments with that (granted, a few years back) showed that SSH+PPP doesn't recover from lost packets very well, and I would frequently get hung connections and no way to cleanly recover.
>
> Have you run into this, or tried it over questionable connections, like an overloaded frame or a spotty cable modem?
>
> Just wondering...

I've read all the reports and I agree with their logic. Theoretically the system should run out of control exponentially when packets are lost. In reality, I've never seen it. Our worst connection was from our DS3 in the USA to a cable modem in Australia. The latency was extremely high, and the connection on the Australian side was spotty. Still it all worked and it worked remarkably well. The maximum throughput was about 60% of the top throughput for the Australian end.
The Australian end has grown since then, and they've moved to a much better connection. Now we get about 80% of maximum throughput using the exact same VPN, but a better router and a better ISP at the Australian site.

Currently our worst connection is to a cable modem in one of our remote offices in California - using DHCP to set their cable modem's internet address. Each time the IP changes we lose connectivity, but it pops back up about 30 seconds after we get a new IP. Other than that, we get about 60% of the available bandwidth.

In days of olde I used to run a ping across each connection and then reset any pipe that didn't respond properly. I haven't done that for the past two years though, and every site is stable. I think the newer versions of PPP are better at maintaining connections, and though I have not explored it fully (it isn't broken, so I don't ask) the newer PPP must have some rather nice built-in mechanisms for handling TCP across spotty connections.

I have played with running ppp/ssh on some really low bandwidth connections, and I find that it doesn't work at all for us if the other end is less than 32kb. The efficiency of the connection increases as the limiting bandwidth increases. Anything above 128kb seems to be ideal for us. This is using P3-350's as the anchor points of the VPN, and with our HQ's VPN endpoint capped at 3Mb. Does anyone know what sort of efficiency a similar setup using IPsec and low encryption would have?

VPN is sponsored by SecurityFocus.com

From burrell at telus.net Thu Aug 9 17:17:18 2001 From: burrell at telus.net (Georgina/Richard Burrell) Date: Thu, 9 Aug 2001 14:17:18 -0700 Subject: VPN Over Satellite Message-ID: <002701c12118$ac50e940$4b2166cf@expressvu.ca>

Has anyone out there had any success in getting a VPN up and running using a satellite modem between a client and a server?
I am trying to get my remote access, which works perfectly fine over the normal dial up, to work over my satellite connection, and although I can get to the office router and through the firewall, I cannot get the NT Server to authenticate.

Details: Client running WinME with a PCI Satellite Network Adapter using IP address 204.101.xxx.xxx, mask 255.255.255.0 and the standard Windows VPN adapter using IP address 192.168.xxx.xxx connecting to a Barricade router at address 24.65.xxx.xxx in front of an NT Server at address 192.168.xxx.xxx that authenticates. My dial up connection, which uses the same configuration except for the 204.101.xxx.xxx address that is attached to the Satellite adapter, works perfectly every time. Any suggestions?

Richard Burrell Systems Manager Country Grocer

VPN is sponsored by SecurityFocus.com

From rsr at aegsys.com Thu Aug 9 17:23:18 2001 From: rsr at aegsys.com (Roy Rapoport) Date: Thu, 9 Aug 2001 14:23:18 -0700 (PDT) Subject: Performance Degradation Through VPN Message-ID:

Due to some client concerns, I've been tasked with playing around with our pre-production VPN system to see if we can understand its performance a little better. This is a Netscreen 10 running the latest production code, and the latest production code on a W2K laptop. One of the things I tried was doing some FTP downloads. So I wrote this program to do ten consecutive downloads from two systems, both through VPN and without using VPN (in other words, I'm connected via VPN; I use two IP addresses -- one is the internal IP address, one is the NAT'ed address through the firewall). Results for when I'm on DSL were pretty encouraging. I saw some performance degradation, but not a significant one -- only about 5.1% decrease in download capability. But go to dialup speeds, and things get pretty abysmal.
At dialup speeds (reported connection 42.5k, DSLReports claims it was a 34k down/23k up tested line), I saw a whopping 79.4% decrease in download speeds (an average download speed of 4.18Kb/sec without the use of VPN went down to 2.29Kb/sec with VPN). Is this normal? Or should I be looking at the NSR configuration? -roy

VPN is sponsored by SecurityFocus.com

From tbird at precision-guesswork.com Thu Aug 9 22:01:37 2001 From: tbird at precision-guesswork.com (Tina Bird) Date: Thu, 9 Aug 2001 21:01:37 -0500 (CDT) Subject: manuals for a 3Com NetBuilder In-Reply-To: <000601c12138$c5a47860$9865fea9@web2k> Message-ID:

whew, that's a good story. beats me whether manuals are available. list, anyone out there have pointers for this gentleman?

On Thu, 9 Aug 2001, Matthew C. Montgomery wrote:
> Date: Thu, 9 Aug 2001 19:07:04 -0600
> From: Matthew C. Montgomery
> To: tbird at precision-guesswork.com
> Subject: brouter
>
> Hey.
> I got some specs on your site about this 3Com NetBuilder deal I just got. It came from a building we were demolishing. Thing is...I have NO idea what I can do with it (actually 2 of them) Any manuals anywhere for these?
> model/prod number is 20-0109-010..
>
> thanks
> -Matt

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html life: http://kubarb.phsx.ukans.edu/~tbird work: http://www.counterpane.com

VPN is sponsored by SecurityFocus.com

From shope at energis-eis.co.uk Fri Aug 10 06:22:10 2001 From: shope at energis-eis.co.uk (Stephen Hope) Date: Fri, 10 Aug 2001 11:22:10 +0100 Subject: manuals for a 3Com NetBuilder Message-ID: <73BE32DA9E55D511ACF30050BAEA04870495C7@email.datarange.co.uk>

Tina and Matthew, there have been a lot of different 3Com routers over the years - Matthew will need the model numbers, and possibly info on the current code and interface options he has. Model should be Netbuilder 5xx or similar.....
a lot of this kit was sold to government organisations, and that normally means the supplier and manufacturer commit to 5 to 7 years support at the time of sale, so you should be able to get something.

it is possible that you may be able to get them to send you a doc CD - I used to use the LAN switching CDs a lot, and there were copies of all the manuals on there.

try the search engine - there does seem to be some docs there which don't have "front end" links. there are some links on the support pages to get you to a cop-out if you can't find anything.

regards Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk Carrington Business Park, Carrington, Manchester , UK. M31 4ZU Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Tina Bird [mailto:tbird at precision-guesswork.com]
> Sent: 10 August 2001 03:02
> To: Matthew C. Montgomery
> Cc: vpn at securityfocus.com
> Subject: manuals for a 3Com NetBuilder
>
> whew, that's a good story. beats me whether manuals are available. list, anyone out there have pointers for this gentleman?
>
> On Thu, 9 Aug 2001, Matthew C. Montgomery wrote:
>
> > Date: Thu, 9 Aug 2001 19:07:04 -0600
> > From: Matthew C. Montgomery
> > To: tbird at precision-guesswork.com
> > Subject: brouter
> >
> > Hey.
> > I got some specs on your site about this 3Com NetBuilder deal I just got. It came from a building we were demolishing. Thing is...I have NO idea what I can do with it (actually 2 of them) Any manuals anywhere for these?
> > model/prod number is 20-0109-010..
> > > > > > thanks > > -Matt > > > > VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html > life: http://kubarb.phsx.ukans.edu/~tbird > work: http://www.counterpane.com > > > VPN is sponsored by SecurityFocus.com > VPN is sponsored by SecurityFocus.com From MTaveroff at coradiant.com Fri Aug 10 09:05:18 2001 From: MTaveroff at coradiant.com (MTaveroff at coradiant.com) Date: Fri, 10 Aug 2001 09:05:18 -0400 Subject: Compatibility? Message-ID: Anyone know if Netscreen 5 and the below VPN concentrator are compatible? VPN Concentrator Type: 3030 Bootcode Rev: Altiga Networks/VPN Concentrator Version 2.2.Rel Mar 22 2000 09:59:28 Software Rev: Cisco Systems, Inc./VPN 3000 Concentrator Series Version 3.0.3.A Jun 07 2001 18:38:05 Up For: 55d 2:59:55 Up Since: 06/14/2001 11:57:40 RAM Size: 128 MB Much appreciated! ___________________________ Manny Taveroff Technical Support Specialist Coradiant inc. mtaveroff at coradiant.com voice: 514-908-6327 fax: 514-487-7460 VPN is sponsored by SecurityFocus.com From MTaveroff at coradiant.com Fri Aug 10 08:44:13 2001 From: MTaveroff at coradiant.com (MTaveroff at coradiant.com) Date: Fri, 10 Aug 2001 08:44:13 -0400 Subject: VPN setup between Netscreen-5 & Nokia IP440.. Message-ID: Hello people, Just wondering if anyone has ever created a VPN between a Netscreen-5 & Nokia IP440. I would imagine it would be possible, but I'm curious as to what type of configurations they are compatible with. Any help would be appreciated. ; - / - Thanks! ___________________________ Manny Taveroff Technical Support Specialist Coradiant inc. 
mtaveroff at coradiant.com voice: 514-908-6327 fax: 514-487-7460 VPN is sponsored by SecurityFocus.com From kent at dalliesin.com Fri Aug 10 09:30:37 2001 From: kent at dalliesin.com (Kent Dallas) Date: Fri, 10 Aug 2001 09:30:37 -0400 Subject: VPN Over Satellite In-Reply-To: <002701c12118$ac50e940$4b2166cf@expressvu.ca> Message-ID: <002f01c121a0$a5328500$0200a8c0@DALLASDELL2K> Richard, I don't have a solution for you, but I can suggest where the problem likely is. In the recent past, I worked for a VPN service provider, and we attempted to add satellite access to our suite of remote access solutions. As you note, the VPN seems to work fine, until you try to login to an NT domain. Actually, we were successful in getting past the NT login, but had all kinds of problems with NT networking after that. Your satellite solution sounds like a two way system (send and receive over the dish, right?). These systems introduce latency beyond what MS designed in its protocols - like more than a second, instead of a tenth of a second or less. The only options I see for you are: 1) Change parameters in the NT servers to try and tweak the implementation to behave over satellite. These are parameters only accessible via a registry hack, and will relate to timeouts and retransmit settings in the MS protocol stack. Of course, these changes are not "supported", and may break other currently working configurations (if you really want to try this, search the MS information base for "satellite"). 2) Don't use WINS/NetBIOS within your configuration. Use IIS to provide a web front-end to the applications you need to access. Straight http (even through highly latent broadband connections, with VPN) tends to be much more forgiving. 3) Give it up, and dial in when you need access to the VPN. If you, or others on the list, come up with better solutions, I would appreciate hearing about them. 
I know some of the satellite vendors are trying to find a solution to this, but those solutions will likely require a specialized gateway on the NT network and on the satellite vendor network to "proxy" your MS networking requests (in other words - probably would require a separate and more expensive product). FYI, we ended up dropping the product development efforts, since none of the options above appeared to be widely applicable in the marketplace.

Good Luck, Kent Dallas

-----Original Message----- From: Georgina/Richard Burrell [mailto:burrell at telus.net] Sent: Thursday, August 09, 2001 5:17 PM To: VPN at securityfocus.com Subject: VPN Over Satellite

Has anyone out there had any success in getting a VPN up and running using a satellite modem between a client and a server? I am trying to get my remote access, which works perfectly fine over the normal dial up, to work over my satellite connection, and although I can get to the office router and through the firewall, I cannot get the NT Server to authenticate.

Details: Client running WinME with a PCI Satellite Network Adapter using IP address 204.101.xxx.xxx, mask 255.255.255.0 and the standard Windows VPN adapter using IP address 192.168.xxx.xxx connecting to a Barricade router at address 24.65.xxx.xxx in front of an NT Server at address 192.168.xxx.xxx that authenticates. My dial up connection, which uses the same configuration except for the 204.101.xxx.xxx address that is attached to the Satellite adapter, works perfectly every time. Any suggestions?
Richard Burrell Systems Manager Country Grocer

VPN is sponsored by SecurityFocus.com

From rsr at aegsys.com Fri Aug 10 11:53:44 2001 From: rsr at aegsys.com (Roy Rapoport) Date: Fri, 10 Aug 2001 08:53:44 -0700 (PDT) Subject: Performance Degradation Through VPN In-Reply-To: <8B888AAAAB0FD31189590008C791844303881B7D@zbl6c002.corpeast.baynetworks.com> Message-ID:

On Fri, 10 Aug 2001, Lee Merrill wrote:
> I think you are probably seeing the degradation due to the dialup and not the netscreen. The VPN Device doesn't change its abilities based on the input device. I test network latency and throughput and whenever I hear a customer complaining about the inability to reach the advertised throughput, it's generally related to a configuration issue or a network bottleneck. And usually that bottleneck is the ISP or related services provider.
>
> Check with netscreen on their documented throughput and latency. I am willing to bet that neither the DSL nor dial up can fill the pipe that they are able to provide.

Apologies, Lee, I think I was unclear. I'm not complaining about my throughput speeds on dialup as compared to the theoretical ideal throughput speed. What I'm saying is this:

On dialup, a straight-forward FTP transfer to a host I'm getting 4.18Kb/sec.

On dialup, going through the VPN to the same host and doing the same operation, I'm getting 2.29Kb/sec.

So the same bandwidth constraints, other than the VPN device, and I drop about 80% in performance. Does this make a little more sense? -roy

VPN is sponsored by SecurityFocus.com

From Matt at Powerconnect.com Fri Aug 10 11:19:26 2001 From: Matt at Powerconnect.com (Matthew C. Montgomery) Date: Fri, 10 Aug 2001 09:19:26 -0600 Subject: manuals for a 3Com NetBuilder In-Reply-To: <73BE32DA9E55D511ACF30050BAEA04870495C7@email.datarange.co.uk> Message-ID: <000401c121af$d88e1c70$9865fea9@web2k>

All I have with it is a floppy disk labeled 3Com NetBuilder Brouter ver 6.2.2.
It has to be pretty old as the product number is not '3C....' but just a number. The 3Com site itself didn't return anything for this one. But it boots up. I love new toys...now what to do with it... -Matt

-----Original Message----- From: Stephen Hope [mailto:shope at energis-eis.co.uk] Sent: Friday, August 10, 2001 4:22 AM To: 'Tina Bird'; Matthew C. Montgomery Cc: vpn at securityfocus.com Subject: RE: manuals for a 3Com NetBuilder

Tina and Matthew, there have been a lot of different 3Com routers over the years - Matthew will need the model numbers, and possibly info on the current code and interface options he has. Model should be Netbuilder 5xx or similar.....

a lot of this kit was sold to government organisations, and that normally means the supplier and manufacturer commit to 5 to 7 years support at the time of sale, so you should be able to get something.

it is possible that you may be able to get them to send you a doc CD - I used to use the LAN switching CDs a lot, and there were copies of all the manuals on there.

try the search engine - there does seem to be some docs there which don't have "front end" links. there are some links on the support pages to get you to a cop-out if you can't find anything.

regards Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk Carrington Business Park, Carrington, Manchester , UK. M31 4ZU Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Tina Bird [mailto:tbird at precision-guesswork.com]
> Sent: 10 August 2001 03:02
> To: Matthew C. Montgomery
> Cc: vpn at securityfocus.com
> Subject: manuals for a 3Com NetBuilder
>
> whew, that's a good story. beats me whether manuals are available. list, anyone out there have pointers for this gentleman?
>
> On Thu, 9 Aug 2001, Matthew C. Montgomery wrote:
>
> > Date: Thu, 9 Aug 2001 19:07:04 -0600
> > From: Matthew C.
Montgomery
> > To: tbird at precision-guesswork.com
> > Subject: brouter
> >
> > Hey.
> > I got some specs on your site about this 3Com NetBuilder deal I just got. It came from a building we were demolishing. Thing is...I have NO idea what I can do with it (actually 2 of them) Any manuals anywhere for these?
> > model/prod number is 20-0109-010..
> >
> > thanks
> > -Matt
>
> VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
> life: http://kubarb.phsx.ukans.edu/~tbird
> work: http://www.counterpane.com

VPN is sponsored by SecurityFocus.com

From AFalkovich at LNC.COM Fri Aug 10 15:05:00 2001 From: AFalkovich at LNC.COM (Falkovich, Alex -LNL-) Date: Fri, 10 Aug 2001 14:05:00 -0500 Subject: a decent firewall for inexperienced users Message-ID: <200108101932.OAA153542@opn1.lnc.com>

We're setting up our remote users with broadband connection and VPN client (all CISCO gear) for remote access. Can someone please recommend a decent but inexpensive firewall (software as opposed to the hardware) for Windows 98? Thanks.

Alex Falkovich Technology Services Lincoln Financial Group afalkovich at lnc.com

VPN is sponsored by SecurityFocus.com

From dgillett at deepforest.org Fri Aug 10 16:53:46 2001 From: dgillett at deepforest.org (dgillett at deepforest.org) Date: Fri, 10 Aug 2001 13:53:46 -0700 Subject: Performance Degradation Through VPN In-Reply-To: References: <8B888AAAAB0FD31189590008C791844303881B7D@zbl6c002.corpeast.baynetworks.com> Message-ID: <3B73E76A.12559.1357F616@localhost>

On 10 Aug 2001, at 8:53, Roy Rapoport wrote:
> Does this make a little more sense?

Well, actually, *I* am still a bit confused as to the situation, and so perhaps others are as well. I think I understand that in one scenario, you connect to your ISP and then talk FTP to the host. In the other scenario, you connect to your ISP, establish a VPN client connection to the NetScreen, and then talk FTP to the host.
Okay so far, or have I totally misunderstood? Assuming I've followed you this far, it could be important to understand where the host is in relation to the NetScreen. Is it behind it, possibly NATted? Is it on the same external network segment? Is it at some remote colocation facility, about equally unrelated to your ISP and to the NetScreen's Internet connection?

David Gillett

VPN is sponsored by SecurityFocus.com

From rsr at aegsys.com Fri Aug 10 18:22:56 2001 From: rsr at aegsys.com (Roy Rapoport) Date: Fri, 10 Aug 2001 15:22:56 -0700 (PDT) Subject: Performance Degradation Through VPN In-Reply-To: <3B73E76A.12559.1357F616@localhost> Message-ID:

On Fri, 10 Aug 2001 dgillett at deepforest.org wrote:
> > Does this make a little more sense?
>
> Well, actually, *I* am still a bit confused as to the situation, and so perhaps others are as well.
>
> I think I understand that in one scenario, you connect to your ISP and then talk FTP to the host. In the other scenario, you connect to your ISP, establish a VPN client connection to the NetScreen, and then talk FTP to the host. Okay so far, or have I totally misunderstood?
>
> Assuming I've followed you this far, it could be important to understand where the host is in relation to the NetScreen. Is it behind it, possibly NATted? Is it on the same external network segment? Is it at some remote colocation facility, about equally unrelated to your ISP and to the NetScreen's Internet connection?

Let's try a diagram:

Scenario one: -[phone]--------

In English: I dial up to an ISP which then goes through the internet to hit the firewall (a PIX). The firewall has static translations and holes allowing VPN to go through; traffic hits the router, goes to the VPN system's untrusted interface, comes out the trusted interface, hits the same router, goes to host. I have control of everything from firewall and down. Everything between the firewall and the host is in the same physical colo facility connected via 100Mbit.
There's no NAT'ing of the host, but there *is* NATing of the laptop as it comes in, because the VPN system is not the default route for anything (so in order for traffic to come back to the laptop, the laptop gets masqueraded/NATed as the VPN system). Now, scenario two is very similar: -[phone]------ There are holes opened up on the FW allowing me to FTP directly to the external IP address of the host (which is NAT'ed through the FW in this scenario) from the IP address I got from the provider. All systems are identical, BTW. The in question is a Cisco 6506 with several VLANs and internal routing. Four VLANS in question: One VLAN to connect to the PIX; one VLAN for the untrusted interface of the NSR; one VLAN for the trusted interface; and one VLAN for the host. And, of course, one ring to rule them all ... :) Any clearer? -roy VPN is sponsored by SecurityFocus.com From djdawso at qwest.com Fri Aug 10 19:05:18 2001 From: djdawso at qwest.com (Dana J. Dawson) Date: Fri, 10 Aug 2001 18:05:18 -0500 Subject: Performance Degradation Through VPN References: Message-ID: <3B7468AE.7EC6EE75@qwest.com> I suspect that the biggest reason your dial-up VPN downloads are so much slower than your dial-up non-VPN downloads is that encrypted traffic doesn't compress well (in fact compression is frequently counter-productive with encrypted data). Try turning off compression in your modems and see if the numbers are closer. You could also try downloading an encrypted file across the non-VPN connection and see if goes slower. My guess is that it will. HTH Dana -- Dana J. Dawson djdawso at qwest.com Senior Staff Engineer CCIE #1937 Qwest Global Services (612) 664-3364 Qwest Communications (612) 664-4779 (FAX) 600 Stinson Blvd., Suite 1S Minneapolis MN 55413-2620 "Hard is where the money is." 
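The mechanism Dana describes, as an added example in Python (not code from the thread or from any of the products named in it): the same payload is run through a link-layer compressor in the clear, after encryption, and after compress-then-encrypt, which is the order IPComp uses inside IPsec. The cipher is a SHA-256 counter-mode keystream standing in for ESP's 3DES or AES, and the HTTP-request payload and key are constructed for the demonstration; any real cipher produces output that a modem's V.42bis or PPP's CCP cannot shrink in the same way.

```python
"""Why a modem's compression stops helping once the payload is encrypted,
and why compressing before encryption (the IPComp order) gets the gain back.
Added example: the cipher below is a SHA-256 counter-mode keystream used as a
stand-in for ESP's 3DES/AES, and the sample payload and key are constructed."""
import hashlib
import zlib

# Constructed sample: repetitive text, like the web pages and file listings
# a dial-up user fetches, so a link-layer compressor can shrink it a lot.
SAMPLE = (b"GET /pub/index.html HTTP/1.0\r\nHost: ftp.example.org\r\n"
          b"User-Agent: test-client\r\n\r\n") * 60
KEY = b"constructed-demo-key"


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic pseudo-random stream: SHA-256(key || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream: length-preserving, like a stream cipher or CTR mode,
    and its own inverse, so encrypt(key, encrypt(key, x)) == x."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))


def compression_ratio(data: bytes) -> float:
    """Compressed size over original size, as a modem (V.42bis) or PPP CCP sees it."""
    return len(zlib.compress(data, 9)) / len(data)


def bytes_on_wire(payload: bytes) -> int:
    """A link-layer compressor sends the compressed form only when it is smaller."""
    return min(len(payload), len(zlib.compress(payload, 9)))


def compare(plaintext: bytes, key: bytes) -> dict:
    """Bytes actually sent for the same payload in three configurations."""
    return {
        # no VPN: the modem compresses the clear text
        "no_vpn": bytes_on_wire(plaintext),
        # VPN without IPComp: the modem sees only ciphertext and gains nothing
        "vpn_no_ipcomp": bytes_on_wire(encrypt(key, plaintext)),
        # VPN with IPComp: compress first, then encrypt; the gain survives
        "vpn_ipcomp": bytes_on_wire(encrypt(key, zlib.compress(plaintext, 9))),
    }


if __name__ == "__main__":
    print(f"plaintext ratio:  {compression_ratio(SAMPLE):.3f}")
    print(f"ciphertext ratio: {compression_ratio(encrypt(KEY, SAMPLE)):.3f}")
    for name, sent in compare(SAMPLE, KEY).items():
        print(f"{name:14s} {sent:6d} bytes of {len(SAMPLE)}")
```

For the constructed payload the clear text compresses to a few percent of its size while the ciphertext does not compress at all, so the encrypted transfer pushes every byte through the modem. A link-layer gain of that kind shows up exactly as Dana's test predicts, a faster clear transfer and no change on the VPN one; whether that is the whole of Roy's difference is something his modem-compression-off run would tell him, not this example.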
VPN is sponsored by SecurityFocus.com

From nyjklein at panix.com Fri Aug 10 20:58:59 2001 From: nyjklein at panix.com (Jeff Klein) Date: Fri, 10 Aug 2001 19:58:59 -0500 Subject: Performance Degradation Through VPN In-Reply-To: <3B7468AE.7EC6EE75@qwest.com> Message-ID:

Hello Dana, Which is why it's important to select an IPsec client that supports IPComp compression for dial-up VPN deployments. Jeff

On 10-Aug-01, you wrote:
> I suspect that the biggest reason your dial-up VPN downloads are so much slower than your dial-up non-VPN downloads is that encrypted traffic doesn't compress well
>
> Dana

VPN is sponsored by SecurityFocus.com

From Lajos.Koppanyi at kanisa.com Fri Aug 10 20:27:36 2001 From: Lajos.Koppanyi at kanisa.com (Lajos.Koppanyi at kanisa.com) Date: Fri, 10 Aug 2001 17:27:36 -0700 Subject: Performance Degradation Through VPN Message-ID: <6660008AFBEDC447919DCACF69DFD802CB25@EXCHANGE2000.master.kanisa.com>

Can you recommend a free IPSec client other than Microsoft?

VPN is sponsored by SecurityFocus.com

From sandy at storm.ca Fri Aug 10 20:55:27 2001 From: sandy at storm.ca (Sandy Harris) Date: Fri, 10 Aug 2001 20:55:27 -0400 Subject: Performance Degradation Through VPN References: <6660008AFBEDC447919DCACF69DFD802CB25@EXCHANGE2000.master.kanisa.com> Message-ID: <3B74827F.3C581E96@storm.ca>

Lajos.Koppanyi at kanisa.com wrote:
> Can you recommend a free IPSec client other than Microsoft?

FreeS/WAN for Linux, www.freeswan.org. I know OpenBSD includes IPsec. I think FreeBSD and NetBSD do. Certainly it is available for those. I believe Apple builds it into Mac OS X. For Windows, there are quite a few clients and at least some of them are free, at least for non-commercial use.
One list is: http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/interop.html#winclient

VPN is sponsored by SecurityFocus.com

From sandy at storm.ca Fri Aug 10 22:18:59 2001 From: sandy at storm.ca (Sandy Harris) Date: Fri, 10 Aug 2001 22:18:59 -0400 Subject: VPN history References: Message-ID: <3B749613.21E584B1@storm.ca>

dirk.schuelgen at eutelis.de wrote:
> Does anyone have something like a short "history of VPNs"? When did they first appear, how did they evolve....? Any information or hint would help me a lot. Thanks guys.

Check Steve Bellovin's page with his list of papers: http://www.research.att.com/~smb/papers/index.html

He did one in the late 80s on "Security Problems in TCP/IP", or some title much like that, that was quite influential. Arguably the start of serious concern with making the network secure, as opposed to just protecting sites.

Another place to look would be the 1992 to date archive of the mailing list for the IETF working group that wrote the IPsec standards: http://www.sandelman.ottawa.on.ca/ipsec/

VPN is sponsored by SecurityFocus.com

From lkh at dgsys.com Sat Aug 11 08:48:14 2001 From: lkh at dgsys.com (Lowell Hanson) Date: Sat, 11 Aug 2001 08:48:14 -0400 Subject: Performance Degradation Through VPN References: Message-ID: <3B75298E.813932DF@dgsys.com>

Roy, The following URL points to some throughput testing which I did a while back with the Contivity Extranet Client and a Contivity Switch. One of the things illustrated on this page is the effects of Data Compression on transfer speeds. Thanks! Lowell

http://www2.dgsys.com/~lkh/TechInfo/ContivityMTU_Compression.htm

Roy Rapoport wrote:
> On Fri, 10 Aug 2001, Lee Merrill wrote:
> > I think you are probably seeing the degradation due to the dialup and not the netscreen. The VPN Device doesn't change its abilities based on the input device.
I test network latency and throughput and whenever I hear a > > customer complaining about the inability to reach the advertised throughput, > > its generally related to a configuration issue or a network bottle neck. > > And usually that bottle neck is the ISP or related services provider. > > > > Check with netscreen on their documented throughput and latency. I am > > willing to bet that neither the DSL nor dial up can fill the pipe that they > > are able to provide. > > Apologies, Lee, I think I was unclear. > > I'm not complaining about my throughput speeds on dialup as compared to the > theoretical ideal throughput speed. What I'm saying is this: > > On dialup, a straight-forward FTP transfer to a host I'm getting > 4.18Kb/sec. > > On dialup, going through the VPN to the same host and doing the same > operation, I'm getting 2.29Kb/sec. > > So the same bandwidth constraints, other than the VPN device, and I drop > about 80% in performance. > > Does this make a little more sense? > > -roy > > VPN is sponsored by SecurityFocus.com -- ------------------------------------------------------ Lowell K. Hanson Senior Consultant Phone:703-817-0627 mailto:lkh at dgsys.com HTTP://www2.dgsys.com/~lkh We can change the world, but must begin with ourselves" VPN is sponsored by SecurityFocus.com From sandy at storm.ca Sun Aug 12 12:21:07 2001 From: sandy at storm.ca (Sandy Harris) Date: Sun, 12 Aug 2001 12:21:07 -0400 Subject: Performance Degradation Through VPN References: <3B75298E.813932DF@dgsys.com> Message-ID: <3B76ACF3.5E813DFB@storm.ca> Lowell Hanson wrote: > The following URL points to some throughput testing ... There's some performance info for Linux FreeS/WAN on the web: http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/performance.html I've recently added a section to that document which is not yet in the web version. It should be taken with some salt. I invented the estimation method as I went along and our developers have not yet reviewed it. 
It reads:

Estimating CPU overheads

We can come up with a formula that roughly relates CPU speed to the rate of IPsec processing possible. It is far from exact, but should be usable as a first approximation.

An analysis of authentication overheads for high-speed networks, including some tests using FreeS/WAN, is on the NAI Labs site. In particular, see figure 3 in this PDF document. Their estimates of overheads, measured in Pentium II cycles per byte processed, are:

                              IPsec  authentication  encryption  cycles per byte
  Linux IP stack alone        no     no              no          5
  IPsec without crypto        yes    no              no          11
  IPsec, authentication only  yes    SHA-1           no          24
  IPsec with encryption       yes    yes             yes         not tested

Overheads for IPsec with encryption were not tested in the NAI work, but Antoon Bosselaers' web page gives the cost for his optimised Triple DES implementation as 928 Pentium cycles per block, or 116 per byte. Adding that to the 24 above, we get 140 cycles per byte for IPsec with encryption.

At N cycles per byte, an N megahertz machine can handle a megabyte -- 8 megabits -- per second. If our estimate of 140 cycles per byte is correct, then to saturate a link with capacity C megabits per second, you need a machine running at C * 140/8 = C * 17.5 MHz.

However, that estimate is not precise. It ignores the differences between:

  * NAI's test packets and real traffic
  * NAI's Pentium II cycles, Bosselaers' Pentium cycles, and your machine's cycles
  * different 3DES implementations
  * SHA-1 and MD5

and does not account for some overheads you will likely have:

  * firewall rules on your gateway
  * communication on the client-side interface
  * switching between multiple tunnels -- re-keying, cache reloading and so on

so we suggest using C * 25 to get an estimate with a bit of a built-in safety factor. For example:

  * for a 10 Mbit link, we estimate 10*25 = 250 MHz. Your old 266 MHz machine might do the job.
  * for a T3 (45 Mbit/second), we estimate 45*25 = 1125 MHz. You need either a high-end Linux box or hardware acceleration.

Such an estimate is far from exact, but should be usable as a minimum requirement for planning. It matches empirical data reasonably well. For example, Metheringham's tests, described below, show a 733 topping out between 32 and 36 Mbit/second, pushing data as fast as it can down a 100 Mbit link. Our formula suggests you need an 800 to saturate a 32 Mbit link. The two results are consistent.

From hayyan at arab.net.sa Mon Aug 13 06:53:33 2001
From: hayyan at arab.net.sa (Hayyan Alsayyed)
Date: Mon, 13 Aug 2001 13:53:33 +0300
Subject: [vpn] I need a free vpn software server!!
Message-ID: <046c01c123e6$32f71b70$14d40c0a@arabnet.alofoq>

Dear Sirs

I am a beginner in the VPN field. I ask if you would kindly tell me where I can find on the Internet a free or trial VPN Software Server (VPN Server based on software).

Thanks
Hayyan

From cgripp at axcelerant.com Mon Aug 13 13:55:01 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Mon, 13 Aug 2001 10:55:01 -0700
Subject: [vpn] RE: IPSec Latency
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF339174@guam.corp.axcelerant.com>

I believe the most recent client has this feature built in. It is actually a request for an ACK from the concentrator. Cisco calls it something lame like 'are you there'. The intent is to allow the concentrator to distinguish, as you said, between an SA that is no longer active and simple inactivity (or latency in your case). I am not sure however if it is currently compatible with the 5xxx series. We usually see failure around 600ms or so.

Here is the exact slide from a presentation I have.

----------------------
* IKE Keepalives (DPD messages) are used to enable VPN devices to detect tunnel failure on the devices located at the other end of the tunnels (e.g., reboot one device, lose Internet connection). A "worry-metric" determines how often a DPD message is sent in the absence of data received from the IKE peer. When data is received, the "worry timer" is reset. If the device's worry timer expires, a DPD message is sent. The "worry timers" are as follows:
  * Unity Client and VPN 3002: 5 sec (not configurable)
  * VPN 3000
    * Client-to-LAN: 5 mins
    * LAN-to-LAN: 10 sec
* If you are configuring a group of mixed peers, and some of those peers support IKE Keepalives and others may not, enable IKE Keepalives for the entire group. During IKE negotiation, each of the clients will identify whether DPD messages are supported or not. To be enabled, the feature must be supported by both ends.

Note: To reduce connectivity costs, disable IKE Keepalives if this group includes any Clients connecting via ISDN lines. ISDN connections normally disconnect if idle, but the IKE Keepalive mechanism prevents connections from idling out and, therefore, from disconnecting.
---------------------

Christopher S. Gripp
Systems Engineer
Axcelerant

-----Original Message-----
From: Cisco Chic [mailto:cisco_chic at yahoo.com]
Sent: Monday, August 13, 2001 8:36 AM
To: ipsec at lists.tislabs.com
Subject: IPSec Latency

Hi All,

I was wondering if anyone has any information or sites which talk about how to tweak (if this can be done) IPSec tunnels (via keepalives) from a dial up client to a VPN5008? We have a latency of around 800 milliseconds on a network and we are trying to determine what the maximum delay can be in the network to keep the tunnel up via keepalives. How long can the delay be for the keepalives, and who sends the keepalives, or are the keepalives sent in both directions via remote dial up access? (We are using static routes.) I know that a keepalive protocol is used by L2TP in order to allow it to distinguish between a tunnel outage and prolonged periods of tunnel inactivity. We are trying to find out if this can be done for IPSec. We have an open case with Cisco TAC currently to get more details and have been looking at third party web sites and RFCs. Can't find anything about latency but have found performance issues concerning bw, memory etc. Any information or sites you can direct me to would be great.

Thanks!!

From smills at multi-ad.com Mon Aug 13 14:48:29 2001
From: smills at multi-ad.com (Steve Mills)
Date: Mon, 13 Aug 2001 13:48:29 -0500
Subject: [vpn] vpn and cable modem
Message-ID:

I was to send this question to this address.

At home, I connect to the internet through my AT&T Broadband ISP with their 3Com cable modem. When I need to connect to our office, I use TunnelBuilder for the Mac (using PPTP) to get to our VPN server. Since the CodeRed virus has been identified, I can no longer make the connection. AT&T says they're filtering port 80 (they might be filtering others for all I know). Do you think this could be the reason why I can't make the connection? If so, do you know of a way I could get around it?

Thanks for any help you can give.

From RNahmias at imperito.com Mon Aug 13 18:06:49 2001
From: RNahmias at imperito.com (Nahmias, Ran)
Date: Mon, 13 Aug 2001 15:06:49 -0700
Subject: [vpn] I need a free vpn software server!!
Message-ID:

Hayyan,

The company I work for offers a free software based VPN trial and evaluation. Check out our web site at: www.imperito.com and let me know if you're interested. I will then connect you with one of the sales people :)

=======================
Ran Nahmias
Lead Systems Engineer
Imperito Networks, Inc. - Instantly secure VPN solutions
2520 Mission College Blvd. Suite 102
Santa Clara, CA 95054
Telephone: (408) 450-6251
Mobile: (415) 505-2452
eFax: (415) 276-2092
http://www.imperito.com
=======================
This e-mail is IMPERITO Networks Inc. confidential. If you receive this e-mail in error, please inform IMPERITO Networks Inc. immediately.
Any opinions expressed in this e-mail are those of the author and do not necessarily represent the views of IMPERITO Networks Inc.

-----Original Message-----
From: Hayyan Alsayyed [mailto:hayyan at arab.net.sa]
Sent: Monday, August 13, 2001 3:54 AM
To: VPN at SECURITYFOCUS.COM
Subject: [vpn] I need a free vpn software server!!

Dear Sirs

I am a beginner in the VPN field. I ask if you would kindly tell me where I can find on the Internet a free or trial VPN Software Server (VPN Server based on software).

Thanks
Hayyan

From RNahmias at imperito.com Mon Aug 13 15:22:37 2001
From: RNahmias at imperito.com (Nahmias, Ran)
Date: Mon, 13 Aug 2001 12:22:37 -0700
Subject: [vpn] RE: VPN Over Satellite
Message-ID:

Richard, you should look into what the satellite connection is like. If your provider does any kind of unique (or not so unique...) encapsulation, i.e. PPPoE, PPPoA and so forth, this might affect the authentication of the packets. Another issue might be related to MTUs (common with some DSL providers). In the log, what error messages do you see? That might give a better indication of what the failure is.

-ran

-----Original Message-----
From: Georgina/Richard Burrell [mailto:burrell at telus.net]
Sent: Thursday, August 09, 2001 2:17 PM
To: VPN at SECURITYFOCUS.COM
Subject: VPN Over Satellite

Has anyone out there had any success in getting a VPN up and running using a satellite modem between a client and a server? I am trying to get my remote access, which works perfectly fine over the normal dial up, to work over my satellite connection and although I can get to the office router and through the firewall, I cannot get the NT Server to authenticate.

Details: Client running WinME with a PCI Satellite Network Adapter using IP address 204.101.xxx.xxx, mask 255.255.255.0 and the standard Windows VPN adapter using IP address 192.168.xxx.xxx connecting to a Barricade router at address 24.65.xxx.xxx in front of an NT Server at address 192.168.xxx.xxx that authenticates. My dial up connection, which uses the same configuration except for the 204.101.xxx.xxx address that is attached to the Satellite adapter, works perfectly every time.

Any suggestions?

Richard Burrell
Systems Manager
Country Grocer

From Gary.R.Smith at motorola.com Tue Aug 14 09:18:50 2001
From: Gary.R.Smith at motorola.com (Smith Gary-GSMITH1)
Date: Tue, 14 Aug 2001 08:18:50 -0500
Subject: [vpn] I need a free vpn software server!!
Message-ID: <0DFC73466514D41186B700508B95104102C7EACE@tx14exm04.ftw.mot.com>

Hello Hayyan,

Check out http://www.vpn.outer.net/2e/vpnssh.html

It describes how to set up a VPN using PPP over SSH. It may not be the fastest VPN solution on the planet but it will be useful as a proof-of-concept. The software is all readily available on the net.

Good luck,
Gary Smith

-----Original Message-----
From: Hayyan Alsayyed [mailto:hayyan at arab.net.sa]
Sent: Monday, August 13, 2001 5:54 AM
To: VPN at securityfocus.com
Subject: [vpn] I need a free vpn software server!!

Dear Sirs

I am a beginner in the VPN field. I ask if you would kindly tell me where I can find on the Internet a free or trial VPN Software Server (VPN Server based on software).

Thanks
Hayyan

From sandy at storm.ca Mon Aug 13 22:25:10 2001
From: sandy at storm.ca (Sandy Harris)
Date: Mon, 13 Aug 2001 22:25:10 -0400
Subject: [vpn] I need a free vpn software server!!
References: <046c01c123e6$32f71b70$14d40c0a@arabnet.alofoq>
Message-ID: <3B788C06.E136FEFC@storm.ca>

Hayyan Alsayyed wrote:
> I am a beginner in the VPN field. I ask if you would kindly tell me where I can find
> on the Internet a free or trial VPN Software Server (VPN Server based on
> software).

There are quite a few possibilities.

FreeS/WAN is an IPsec implementation for Linux. All its documentation is online at www.freeswan.org. Hopefully, some of it would be helpful.

Some Linux distributions ship with FreeS/WAN included. List at:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/intro.html#products

OpenBSD (www.openbsd.org) is a security-oriented OS, likely good for firewall use, and ships with IPsec included.

I believe IPsec is available for both FreeBSD and NetBSD, but I'm hazy on details. Check www.freebsd.org and www.netbsd.org.

Some commercial operating systems -- such as Windows 2000 and Mac OS-X -- include IPsec, so if you've already paid for one of them or need to buy one for other reasons, adding IPsec costs nothing.

Most firewall and many router products include IPsec, or offer it as an option. If you have firewalls or routers, talk to your vendors. It would be in their interest to get you evaluation software.

There's a list of Windows IPsec clients in the FreeS/WAN docs:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/interop.html#winclient

Some of those vendors offer free evaluation copies or versions that are free for non-commercial use. Some have Mac or Unix versions of their products too.

From RNahmias at imperito.com Tue Aug 14 11:41:44 2001
From: RNahmias at imperito.com (Nahmias, Ran)
Date: Tue, 14 Aug 2001 08:41:44 -0700
Subject: [vpn] RE: VPN Over Satellite
Message-ID:

Richard,

I had a conversation with a friend yesterday who has some previous experience with satellite communications. He said that the latency can be as high as 6 seconds and the Windows max TTL is only three. They have solved it by installing proxy servers (cache the packets) on both ends, thus increasing the TTL and enabling the tunnel to exist and stay alive.

I hope this helps.

-ran

-----Original Message-----
From: Georgina/Richard Burrell [mailto:burrell at telus.net]
Sent: Thursday, August 09, 2001 2:17 PM
To: VPN at SECURITYFOCUS.COM
Subject: VPN Over Satellite

Has anyone out there had any success in getting a VPN up and running using a satellite modem between a client and a server? I am trying to get my remote access, which works perfectly fine over the normal dial up, to work over my satellite connection and although I can get to the office router and through the firewall, I cannot get the NT Server to authenticate.

Details: Client running WinME with a PCI Satellite Network Adapter using IP address 204.101.xxx.xxx, mask 255.255.255.0 and the standard Windows VPN adapter using IP address 192.168.xxx.xxx connecting to a Barricade router at address 24.65.xxx.xxx in front of an NT Server at address 192.168.xxx.xxx that authenticates. My dial up connection, which uses the same configuration except for the 204.101.xxx.xxx address that is attached to the Satellite adapter, works perfectly every time.

Any suggestions?

Richard Burrell
Systems Manager
Country Grocer

From AlexY at aof.nursat.kz Tue Aug 14 07:23:40 2001
From: AlexY at aof.nursat.kz (Alex)
Date: Tue, 14 Aug 2001 17:23:40 +0600
Subject: [vpn] Hi all. [VPN via NAT]
Message-ID: <005901c124b3$a4d4a5f0$1000a8c0@extrabit.aof.local>

Hi all..

Where can I find info about how VPN will work via NAT translation?

If I have the VPN Server with a local IP, behind a FireWall. The VPN client is connecting to any ISP, and getting a real IP address. They are connecting to the FireWall's real IP, and the FireWall will be making NAT.

Thanks.
Alex.

From MTaveroff at coradiant.com Tue Aug 14 14:01:33 2001
From: MTaveroff at coradiant.com (MTaveroff at coradiant.com)
Date: Tue, 14 Aug 2001 14:01:33 -0400
Subject: [vpn] Checkpoint Firewall and Netscreen Configuration help..
Message-ID:

Hey.
Has anyone ever successfully configured a VPN between a Checkpoint firewall and a NetScreen-5 or 10? What type of config did you use? Any help would be appreciated.

Thanks a lot!

- Manny
___________________________
Manny Taveroff
Technical Support Specialist
Coradiant inc.
mtaveroff at coradiant.com
voice: 514-908-6327
fax: 514-487-7460

From hmorri at neisd.net Tue Aug 14 17:31:35 2001
From: hmorri at neisd.net (Hubert Morris Jr.)
Date: Tue, 14 Aug 2001 16:31:35 -0500
Subject: [vpn] VPN
Message-ID: <3B7998B7.6B2056BC@neisd.net>

We have a Nortel VPN Concentrator Contivity Extranet Switch 2600, Model # DM1401053. We only route IP, not IPX. We have Compaq Proliant 6000 Servers using Novell NetWare 5.0. Our clients need to log into the Novell "TREE" through the VPN. How is this done? I can login using the server's IP address but not the server's name, or into the tree. They must be able to log into the Novell tree to get all the Novell resources, mappings, volumes etc... AGAIN, how do you do this through a Nortel VPN switch?

From cgripp at axcelerant.com Tue Aug 14 22:05:15 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Tue, 14 Aug 2001 19:05:15 -0700
Subject: [vpn] Checkpoint Firewall and Netscreen Configuration help..
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF339189@guam.corp.axcelerant.com>

It's long but I hope this helps...

-----------------------------------------
We will assume this is for a secure connection, and will use 3DES encryption, and MD5 authentication hash.

Checkpoint Firewall-1:
  Outside Interface: 216.102.216.156
  Inside Interface: 192.168.10.1
  Pre-shared IKE Key: interoperable
  ESP-Encryption: DES
  ESP-Authentication: MD5
  Key Life Time: 28800 seconds

NetScreen-5:
  Untrust Interface IP: 1.1.1.1
  Trust Interface IP: 172.16.1.1
  Pre-shared IKE Key: interoperable
  ESP-Encryption: 168bit 3DES-CBC
  ESP-Authentication: MD5
  Key Life Time: 28800 seconds

Workstation 172.16.1.10    Default Gateway: 172.16.1.1
Workstation 172.16.1.20    Default Gateway: 172.16.1.1
Workstation 192.168.10.20  Default Gateway: 192.168.10.1
Workstation 192.168.10.30  Default Gateway: 192.168.10.1

NetScreen Configuration

On the NetScreen, a VPN tunnel must be defined and identified. Once this is created, a policy must be defined, using the source as the internal network, and the destination as the remote network, choosing a service that the administrator decides, and choosing an action of Encrypt. The policy gives you a choice of tunnels to choose from for the encryption. Choose the tunnel name that was identified.

VPN Definition

From the GUI, click the VPN button. By default, you will be in the AutoKey IKE configuration folder.
  * Click New VPN Entry
  * Enter the VPN Tunnel Name. For this example, we will call the tunnel Interoperable. The name of the tunnel is only unique to each side of the tunnel.
  * The Gateway IP is the Outside IP of the Checkpoint Firewall-1 gateway. In this example, it is 2.2.2.1
  * Preshared Key is interoperable
  * ESP-Encryption Algorithm: 168bit 3DES-CBC
  * ESP-Authentication Method: MD5
  * Key Life Time: 28800 seconds

[Figure: VPN Tunnel Configuration in NetScreen-5]

VPN Policy

We now want to create a firewall policy that will use the VPN tunnel, Interoperate, to encrypt the data. For this example, we will create a simple policy to allow anything from the LAN on the Checkpoint Firewall-1 network to get to any device on the LAN on the NetScreen-5 network. We need to create an address book entry, "NetScreen", on the trust side, and an address book entry, "Checkpoint", on the untrust side.

  * Click the Address button under Lists. This will default to the Trusted folder.
  * Click New Address
  * Enter NetScreen in the Address Name field
  * Enter 172.16.1.0 in the IP Address field
  * Enter 255.255.255.0 in the NetMask field, and click OK.

[Figure: Trust side NetScreen Address Book Entry]

  * Click the Untrusted folder
  * Click New Address
  * Enter "Checkpoint" in the Address Name field
  * Enter 192.168.10.0 in the IP Address field
  * Enter 255.255.255.0 in the NetMask field and click OK.

[Figure: Untrusted side Checkpoint Address Book Entry]

  * Click the Policy button under Network. It should default to the Outgoing folder. If it does not, select the Outgoing folder.
  * Click New Policy
  * Select NetScreen for source address, Checkpoint for destination address, Any for Service, Encrypt for Action, and select Interoperable for the VPN tunnel.

[Figure: VPN Policy on NetScreen-5]

When configuring the VPN policy, make sure this is the first policy in the Outgoing direction. If it is not, move the policy by clicking the up arrow.

Checkpoint Configuration

Configuration on the Checkpoint side needs to define the following:
  * Encryption Domain - all devices to be encrypted, defined by the group object
  * Network objects
  * Group objects, consisting of both networks
  * Gateways for both the Checkpoint and Netscreen networks
  * Encryption properties for each gateway

Encryption Domain - all devices that will be encrypted

Checkpoint uses the concept of Encryption Domains to define what devices will be encrypted. This would be analogous to the VPN Tunnel terminology used by NetScreen. The benefit of this is the flexibility to define what host belongs to a group to be encrypted, instead of specifying exact hosts that need to belong to the VPN.

Defining the Encryption Domain

To define the Encryption Domain, network objects are created. Those network objects are placed in a Group. In this example, the Group contains members of the Encryption Domain. This information is needed to complete the gateway configurations shown later in this document.

First, define the network addresses on both the Checkpoint and the Netscreen sides.
  * Click the Manage menu, and select Network Objects
  * Click the New button, and select Network
  * Name the Checkpoint network Checkpoint-net, as shown below.

[Figure: Network Object Dialog Box]

  * Create another network object for the Netscreen side, and call it Netscreen-net, using IP address 172.16.1.0, and NetMask 255.255.255.0. Modify the location, and click the External button.

A group needs to be created consisting of the two networks involved in the Encryption Domain.
  * Click the Manage menu, and select Network Objects again
  * Select New Group
  * Specify Interoperable in the Name field
  * Select Checkpoint-net and Netscreen-net to be members of this new group

[Figure: Group Properties]

Defining the Gateway

To create the gateways, define a new network object, Workstation, and specify gateway properties.
  * Click the Manage menu, and select Network Objects
  * Select New Workstation
  * For the Checkpoint, enter Checkpoint_FW in the Name field, and enter IP address 216.102.216.156. Specify type as Gateway, and click Firewall-1 installed.

[Figure: Definition of the Gateway]

  * Specify the Interfaces. Valid addresses will default to Any. Click This net. This is required only on the Checkpoint side. When you define the Netscreen gateway, you can ignore the Interface tab.

[Figure: Gateway Interfaces]

  * Specify encryption properties by clicking the Encryption tab. Specify the Encryption Domain by clicking Other, and select the group Interoperable. Interoperable is the group of devices that will participate in the encryption between the two networks. To select IKE encryption, select ISAKMP/OAKLEY on the right side.

[Figure: Gateway Encryption Properties]

  * Click the Edit button, and the ISAKMP properties dialog box appears. In this example, we will be specifying DES Encryption, and MD5 authentication. Click Pre-Shared Secret, and click Edit Secrets.

[Figure: ISAKMP Properties Configuration]

  * The shared secrets dialog box will automatically select the peer gateway. Select Netscreen, and click Edit. Enter the secret interoperable, and click Set. Click OK.

[Figure: Pre-shared Secrets Dialog Box]

Security Policy

Define the policy by selecting Source and Destination address as the group, Interoperable, with a service of Any, and select the action Encrypt. From the Edit menu, select Add Rule. This should be the very first rule, by selecting Top. This is one very attractive feature of Checkpoint Firewall-1 - the ability to choose where a rule is placed, either the top of the policy list, or the bottom of the policy list.

[Figure: Security Policy]

The two gateways have now been configured to interoperate with each other, using IKE, with DES encryption, and MD5 Hash Authentication.

-----Original Message-----
From: MTaveroff at coradiant.com [mailto:MTaveroff at coradiant.com]
Sent: Tuesday, August 14, 2001 11:02 AM
To: vpn at securityfocus.com
Subject: [vpn] Checkpoint Firewall and Netscreen Configuration help..

Hey.

Has anyone ever successfully configured a VPN between a Checkpoint firewall and a NetScreen-5 or 10? What type of config did you use? Any help would be appreciated.

Thanks a lot!

- Manny
___________________________
Manny Taveroff
Technical Support Specialist
Coradiant inc.
mtaveroff at coradiant.com
voice: 514-908-6327
fax: 514-487-7460

From AlexY at aof.nursat.kz Tue Aug 14 23:26:03 2001
From: AlexY at aof.nursat.kz (Alex)
Date: Wed, 15 Aug 2001 09:26:03 +0600
Subject: [vpn] Hi all. [VPN via NAT]
Message-ID: <000d01c1253b$83a01850$1000a8c0@extrabit.aof.local>

Hi Yi Fei.

Thanks for the answer.. Do the ports which should be allowed to translate depend on the exact VPN realisation?
And one more question: why do some firewall proxies, like ISA and WinGate, include support for MS VPNs (PPTP or L2TP)? I will continue my plans with this point of solution.

See ya.

~ hi, Alex:
~ Our company's VPN can work via NAT translation.
~ Now we use netscreen firewall in NAT mode and our VPN.
~ Our Company is in Beijing of China.
~ My office tel is (8610-64984264).
~ yifei
~> Hi all..
~>
~> Where can I find info about how VPN will work via NAT translation?
~>
~> If I have the VPN Server with a local IP, behind a FireWall.
~>
~> The VPN client is connecting to any ISP, and getting a real IP address.
~>
~> They are connecting to the FireWall's real IP, and the FireWall will be making NAT.
~>
~> Thanks.
~>
~> Alex.

From rburrell at countrygrocer.com Tue Aug 14 23:59:34 2001
From: rburrell at countrygrocer.com (Richard Burrell)
Date: Tue, 14 Aug 2001 20:59:34 -0700
Subject: [vpn] RE: VPN Over Satellite
References:
Message-ID: <002601c1253e$b2c46520$2e6365cc@expressvu.ca>

Ron;

Thanks for the input. I have all along suspected that it was a latency issue, but wasn't sure how much the satellite connection added on. Now I have some ideas as to how to approach the solution. I wasn't entirely clear in the original posting, but this is also a one way satellite signal. The send portion still travels along the dial up lines and only the receive end travels over the satellite. I will post results as I work my way through the problem. Any ideas that you have along the way are appreciated.

Richard Burrell
Country Grocer

From Richard.McMahon at Appropria.com Wed Aug 15 08:43:11 2001
From: Richard.McMahon at Appropria.com (Richard McMahon)
Date: Wed, 15 Aug 2001 13:43:11 +0100
Subject: [vpn] Hi all. [VPN via NAT]
Message-ID:

If it is IPSEC you will probably have big problems, as it will not pass the protocol properly; you are best giving the VPN server a live address and not a mapped one.

-----Original Message-----
From: Alex [mailto:AlexY at aof.nursat.kz]
Sent: 14 August 2001 12:24
To: VPN at securityfocus.com
Subject: [vpn] Hi all. [VPN via NAT]

Hi all..

Where can I find info about how VPN will work via NAT translation?

If I have the VPN Server with a local IP, behind a FireWall. The VPN client is connecting to any ISP, and getting a real IP address. They are connecting to the FireWall's real IP, and the FireWall will be making NAT.

Thanks.
Alex.

From byron at markettools.com Wed Aug 15 15:36:47 2001
From: byron at markettools.com (Byron Kennedy)
Date: Wed, 15 Aug 2001 12:36:47 -0700
Subject: [vpn] Sygate Secure Enterprise
Message-ID:

Hello-

I'm curious if anyone out there has experience using the Sygate Secure Enterprise product for securing VPN endpoints? We're evaluating this as a solution for host based security on our laptops and other remote VPN hosts (Netscreen VPN w/ Netscreen remote). I'd appreciate any feedback (successes or failures) or any general advice.

thx!
Byron

From sbest at best.com Wed Aug 15 17:20:08 2001
From: sbest at best.com (Scott C. Best)
Date: Wed, 15 Aug 2001 14:20:08 -0700 (PDT)
Subject: [vpn] Hi all. [VPN via NAT]
In-Reply-To:
Message-ID:

Richard:

Not to be contradictory, but my experiences with IPSec across a NAT'ing firewall (leaf.sf.net) are much more positive. Of course, the AH protocol of IPSec won't work with port-forwarding, but tunnel-mode ESP without AH will. And, importantly, I use ipfwd instead of ipmasqadm to handle IP protocols 50 and 51, sending them across the firewall to the *broadcast address* of the internal LAN. Now I can run multiple IPSec VPN clients on my LAN, which each connect simultaneously to independent VPN servers. The application layer clients seem to be able to handle the confusion. I tried this with some PPTP clients as well with equal "success".

The tradeoff is, obviously, the sacrifice of the benefits of the AH protocol. But what works feels good.

cheers,
Scott

On Wed, 15 Aug 2001, Richard McMahon wrote:
> If it is IPSEC you will probably have big problems as it will not pass the
> protocol properly, you are best giving the VPN server a live address and not
> a mapped one.
>
> -----Original Message-----
> From: Alex [mailto:AlexY at aof.nursat.kz]
> Sent: 14 August 2001 12:24
> To: VPN at securityfocus.com
> Subject: [vpn] Hi all. [VPN via NAT]
>
>
> Hi all..
>
> Where can I find info about how VPN will work via NAT translation?
>
> If I have the VPN Server with a local IP, behind a FireWall.
>
> The VPN client is connecting to any ISP, and getting a real IP address.
>
> They are connecting to the FireWall's real IP, and the FireWall will be making NAT.
>
> Thanks.
>
> Alex.

From marc at jacquinot.com Wed Aug 15 19:04:39 2001
From: marc at jacquinot.com (Marc Jacquinot)
Date: Wed, 15 Aug 2001 19:04:39 -0400
Subject: [vpn] firewall-independent VPN
Message-ID: <5.1.0.14.2.20010815184037.00a0da40@mail.atl.mindspring.com>

I've been looking for VPN solutions for a couple of days now. Can anyone tell me what's the most popular approach assuming you have Win 98/Me/2000/XP clients and a Windows 2000 server? Of course the server side device can be a Linux or other Unix-like OS. I would prefer a solution that can be added to an existing firewall, which is not Checkpoint's Firewall-1. I've seen a huge number of VPN solutions that hook into Checkpoint's OPSEC, but hope that there are other ways to set up a VPN, too.
Furthermore, the solution should be scalable on the server side and flexible on the client side regarding the credentials required for authentication. I am particularly interested in solutions that are open to third-party smart cards or tokens via standard smart card and public key interfaces.

Many questions, I know. I count on your security-focused expertise.

Thanks in advance,
Marc

From RNahmias at imperito.com Wed Aug 15 18:48:48 2001
From: RNahmias at imperito.com (Nahmias, Ran)
Date: Wed, 15 Aug 2001 15:48:48 -0700
Subject: [vpn] Sygate Secure Enterprise

Byron,

I work for a software-based VPN company and we have tested Sygate brutally in the last few weeks. We came across them in one of our biggest accounts, who deployed Sygate Secure Enterprise a while ago and really like the product (thousands of users!!!). In the various testing I've done with the Sygate products I found it to be an excellent product. Nothing to compete with it (and their excellent support) in today's PCFW market!!!

I'll be happy to answer more questions.

-ran

=======================
Ran Nahmias
Senior Systems Engineer
Imperito Networks, Inc. - Instantly secure VPN solutions
2520 Mission College Blvd. Suite 102
Santa Clara, CA 95054
Telephone: (408) 450-6251
Mobile: (415) 505-2452
eFax: (415) 276-2092
http://www.imperito.com
=======================

This e-mail is IMPERITO Networks Inc. confidential. If you receive this e-mail in error, please inform IMPERITO Networks Inc. immediately. Any opinions expressed in this e-mail are those of the author and do not necessarily represent the views of IMPERITO Networks Inc.

-----Original Message-----
From: Byron Kennedy [mailto:byron at markettools.com]
Sent: Wednesday, August 15, 2001 12:37 PM
To: 'VPN at securityfocus.com'
Subject: [vpn] Sygate Secure Enterprise

From Richard.McMahon at Appropria.com Thu Aug 16 08:09:56 2001
From: Richard.McMahon at Appropria.com (Richard McMahon)
Date: Thu, 16 Aug 2001 13:09:56 +0100
Subject: [vpn] Hi all. [VPN via NAT]

Scott,

Don't worry, that's why lists exist: for people to share experiences and offer their opinion, regardless of contradiction or not.

I was more talking about it not being a good thing to have an IPSEC VPN server behind a NAT engine. PPTP should work fine with NAT as it does things differently to IPSEC.

Our 3Com SS firewall now does not react well to multiple hosts behind a NAT box. It worked fine with the old firmware but the upgrade has stopped this function from operating (first person in works, others fail to connect). The current encryption method for our clients is Encrypt & Authenticate (ESP DES HMAC MD5), so as far as I can see it should work, but unfortunately it doesn't. Equally unfortunate is that we have to use the new firmware because it fixes bugs in things we require ;). I will need to play around with it more to see if I can get it to work again.

Cheers,
Richard

-----Original Message-----
From: Scott C. Best [mailto:sbest at best.com]
Sent: 15 August 2001 22:20
To: Richard McMahon
Cc: 'VPN at securityfocus.com'
Subject: RE: [vpn] Hi all. [VPN via NAT]

From antonio.norman at physio.strykercorp.com Thu Aug 16 09:18:04 2001
From: antonio.norman at physio.strykercorp.com (Norman, Antonio)
Date: Thu, 16 Aug 2001 08:18:04 -0500
Subject: [vpn] VPN Management

Hello-

I'm looking for a piece of software that can manage (2) 3030 Cisco Concentrators and 300+ VPN 3002 hardware clients. I would like to be able to push config files to the clients and have access in case the tunnel went down.
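The AH-versus-ESP split that Scott Best and Richard McMahon discuss above (AH fails behind a NAT, tunnel-mode ESP with HMAC passes) comes down to which bytes each protocol's integrity check value covers. The following is an added example written for this archive, not code from any poster, vendor or product named in the thread. It models only that coverage rule: AH (RFC 2402) authenticates the IP header with mutable fields zeroed, so the source address is covered and a NAT rewrite breaks the check; ESP (RFC 2406) authenticates only the ESP header, ciphertext and trailer, so the outer header can change freely. HMAC-MD5-96 (RFC 2403) is used as in Richard's "ESP DES HMAC MD5" transform. The key, addresses and payloads are made up, the IPv4 header is a minimal 20-byte one with the checksum left at zero, and the "AH header plus payload" is stood in for by an opaque byte string.

```python
"""Why IPsec AH breaks behind NAT while tunnel-mode ESP does not.

Constructed demonstration (not a real IPsec implementation): it models
only which bytes each protocol's integrity check value (ICV) covers.
  - AH: ICV covers the IP header with mutable fields zeroed; source and
    destination addresses are immutable, so a NAT rewrite breaks the ICV.
  - ESP: ICV covers SPI, sequence number, ciphertext and trailer only;
    the outer IP header is not authenticated at all.
HMAC-MD5-96 is used for both. Key and addresses below are made up.
"""
import hashlib
import hmac
import ipaddress
import struct

PROTO_ESP = 50
PROTO_AH = 51


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at zero (irrelevant here)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def nat_rewrite(ip_hdr: bytes, new_src: str) -> bytes:
    """What a NAT router does on egress: new source address, TTL minus one."""
    hdr = bytearray(ip_hdr)
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    hdr[8] -= 1
    return bytes(hdr)


def _hmac_md5_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()[:12]


def ah_icv(key: bytes, ip_hdr: bytes, ah_and_payload: bytes) -> bytes:
    """AH ICV: IP header with mutable fields zeroed, then AH header + payload.

    ah_and_payload stands in for the AH header (ICV field zeroed) plus the
    protected payload; its exact layout does not matter for the demo.
    """
    hdr = bytearray(ip_hdr)
    hdr[1] = 0                 # TOS
    hdr[6:8] = b"\x00\x00"     # flags + fragment offset
    hdr[8] = 0                 # TTL
    hdr[10:12] = b"\x00\x00"   # header checksum
    # bytes 12..19 (src, dst) are deliberately left in: AH authenticates them
    return _hmac_md5_96(key, bytes(hdr) + ah_and_payload)


def esp_icv(key: bytes, esp_body: bytes) -> bytes:
    """ESP ICV: SPI + sequence number + ciphertext + trailer. No IP header."""
    return _hmac_md5_96(key, esp_body)


def ah_verifies_after_nat(key, inner_src, public_src, dst, payload) -> bool:
    """Sender computes the AH ICV, NAT rewrites the header, receiver recomputes."""
    hdr = ipv4_header(inner_src, dst, PROTO_AH)
    sent_icv = ah_icv(key, hdr, payload)
    seen_hdr = nat_rewrite(hdr, public_src)
    return hmac.compare_digest(sent_icv, ah_icv(key, seen_hdr, payload))


def esp_verifies_after_nat(key, inner_src, public_src, dst, esp_body) -> bool:
    """Same experiment for ESP: the header changes, but the ICV never covered it."""
    hdr = ipv4_header(inner_src, dst, PROTO_ESP)
    sent_icv = esp_icv(key, esp_body)
    seen_hdr = nat_rewrite(hdr, public_src)
    assert seen_hdr != hdr  # the NAT really did change the outer header
    return hmac.compare_digest(sent_icv, esp_icv(key, esp_body))


if __name__ == "__main__":
    key = b"constructed-demo-key"                                   # made up
    inner, public, server = "10.0.0.5", "203.0.113.9", "198.51.100.7"  # made up
    esp_body = struct.pack("!II", 0x1001, 1) + b"ciphertext..." + b"\x00\x00"
    print("AH, same address, TTL decremented:", ah_verifies_after_nat(key, inner, inner, server, b"demo"))
    print("AH, source address rewritten     :", ah_verifies_after_nat(key, inner, public, server, b"demo"))
    print("ESP, source address rewritten    :", esp_verifies_after_nat(key, inner, public, server, esp_body))
```

The first AH case passes even though the router decremented the TTL, because TTL is a mutable field and is zeroed before the HMAC; the second fails because the source address is not. ESP passes regardless of what happened to the outer header, which is why Scott's "ESP without AH" setup works through port-forwarding. The example says nothing about Richard's second problem (several clients behind one NAT sharing a single public address); that is a demultiplexing issue in the NAT box, since ESP carries no port numbers for it to key on, and is not modelled here.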
From michel.nakhla at intelsat.com Thu Aug 16 19:08:00 2001
From: michel.nakhla at intelsat.com (michel.nakhla at intelsat.com)
Date: Thu, 16 Aug 2001 19:08:00 -0400
Subject: [vpn] "IETF stops work on VPN protocol" article by Tim Greene
Message-ID: <490B4C213EC8D211851F00105A29CA5A09610BF1@admex1.adm.intelsat.int>

Tim Greene has reported in Network World Fusion that the IETF has stopped working on IKE. The link to the article is given below. Does anyone have more details on this?

Regards
Michel B. Nakhla
Intelsat
http://www.nwfusion.com/news/2001/0803ietf.html

############################################################
This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Intelsat, Ltd. and its subsidiaries.
############################################################

From cgripp at axcelerant.com Fri Aug 17 00:43:09 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Thu, 16 Aug 2001 21:43:09 -0700
Subject: [vpn] VPN Management
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF3391AD@guam.corp.axcelerant.com>

I am pretty sure Cisco makes this software. It's part of the CiscoWorks suite, I believe.

Chris

-----Original Message-----
From: Norman, Antonio [mailto:antonio.norman at physio.strykercorp.com]
Sent: Thursday, August 16, 2001 6:18 AM
To: 'VPN at securityfocus.com'
Subject: [vpn] VPN Management

From kent at dalliesin.com Fri Aug 17 12:10:54 2001
From: kent at dalliesin.com (Kent Dallas)
Date: Fri, 17 Aug 2001 12:10:54 -0400
Subject: [vpn] "IETF stops work on VPN protocol" article by Tim Greene
In-Reply-To: <490B4C213EC8D211851F00105A29CA5A09610BF1@admex1.adm.intelsat.int>
Message-ID: <000e01c12737$32482d00$0800a8c0@DALLASDELL2K>

Michel,

Tim Greene's original article was based on the following communication posted to the IPSec mailing list on August 2nd. "Stopped work on IKE" would not be a fair description - "redoubled efforts to fix problems with IKE without adding to its problems" would be a bit more descriptive.

Regards,
Kent Dallas
Dalliesin, Inc.

*********START*********

In the several years since the standardization of the IPSEC protocols (ESP, AH, and ISAKMP/IKE), there have come to light several security problems with the protocols, most notably the key-agreement protocol, IKE. Formal and semi-formal analyses by Meadows, Schneier et al, and Simpson, have shown that the security problems in IKE stem directly from its complexity. It seems only a matter of time before more analyses show more serious security issues in the protocol design that stem directly from its complexity. It seems also only a matter of time before serious *implementation* problems become apparent, again due to the complex nature of the protocol, and the complex implementation that must surely follow.

Despite the obviously complex nature of IKE, several proposals have been put forward to extend ISAKMP/IKE in various ways, for various purposes. Proposals such as IKECFG, XAUTH, Hybrid-AUTH, CRACK, and others do nothing to improve the complexity situation with regard to IKE as a whole.
While many of these proposals are, individually, based on sound engineering and reasonably prudent practice, when cast in the larger context of IKE, it seems clear that they can do nothing to improve the complexity picture.

It is with that in mind that the Security Area directors in the IETF, with the consultation of appropriate people on the IESG and IAB, hereby place a temporary moratorium on the addition of new features to IKE. It is fairly clear that work on IKE should focus on fixing identified weaknesses in the protocol, rather than adding features that detract from the goal of simplicity and correctness.

We are concerned that trying to reuse too much of the IKE code base in new protocols -- PIC and GDOI come to mind -- will lead to more complex (and hence vulnerable) implementations. We suggest that implementors resist this temptation, with the obvious exception of common library functions that perform functions such as large modular exponentiations. Attempts to share state or to optimize message exchanges are likely to lead to disaster.

The Security Area Directors have asked the IPSEC working group to come up with a replacement for IKE. This work is underway and is known in the community as "Son of IKE". This effort is at serious risk of suffering the "second system effect", where all the features that were left out of the first version end up in the second. For this to happen would be a spectacular disaster, and very much detract from the goal: to produce a more secure, simpler, and more robust version of IKE.

Arriving at this point has been exceedingly difficult and harrowing. Understandably, egos have been bruised, and the "change not the IKE, for it is subtle and quick to anger" position has been taken as a personal affront by some members of the IPSEC community. Nothing could be further from the intent of either of the Security Area directors.
If IKE is vulnerable, we must all share a burden of responsibility for allowing it to get to the state it is in, and we must all work together to correct the problems. The IPSEC community must act prudently in moving forward with a replacement for IKE. The IPSEC auxiliary groups (IPSRA, MSEC, IPSP) must act with good judgment (chairs and members alike) in designing protocols that don't interfere with the goal of securing and simplifying our IPSEC key-agreement protocol.

Marcus Leech (IESG)
Jeff Schiller (IESG)
Steve Bellovin (IAB)

*********END*********

Just yesterday (8/16), Tim Greene posted this follow-up article to the NW VPN mailing list.

*********START*********

Today's focus: Son of IKE
By Tim Greene

Recently a group within the Internet Engineering Task Force put in writing a hold on formal work to expand the uses of Internet Key Exchange, commonly known as IKE. The protocol is used to exchange and manage encryption keys used in VPNs, but a group within the IETF thinks IKE is too complex and that this complexity could lead to security weaknesses, although no specific flaws have been identified.

Indeed, vendors that already use it in their VPN equipment have determined it is safe enough to use, but nevertheless work has already begun on a more streamlined protocol that addresses some of the security concerns. This protocol, conversationally known as Son of IKE, will be designed with the idea in mind of correcting the perceived shortcomings of IKE.

In the meantime, work will continue on two key improvements to IKE. The first is the ability for VPN traffic to pass through firewalls that perform network address translation (NAT). Currently, NAT can pose a problem, but individual vendors have devised their own ways to get around it. The second improvement is support for Stream Control Transmission Protocol, which can improve the delivery of complex Web pages by allowing different components of it to be treated as separate streams within a single SCTP session.
This work will take some time and it is likely that Son of IKE, like IKE itself, will evolve with time. When vendors feel comfortable with improvements or even a revised protocol, they will start using it in devices they sell.

The discouraging thing about this is not unique to IKE, but is rather a necessary result of all standards work: it takes a lot of time to come up with a stable standard everyone will rally around. Such standardization is necessary, though, to reach much-sought-after interoperability among devices that are made by different vendors. Wouldn't it be nice if everyone's VPN gear played nice with each other like dialup modems generally do?

While this lengthy process is not ideal, it is unavoidable. After more than five years, vendors still have regularly scheduled VPN interoperability bakeoffs. Smaller makers of VPN gear work toward interoperability with the larger ones so their equipment becomes more attractive. Making equipment from more than one vendor work together still takes time and skill to accomplish.

So get used to this as a fact of life for a bit longer. It may mean you stick with equipment made by a single vendor or equipment from multiple vendors who have gone the extra mile to make interoperability easier. Waiting for Son of IKE may sound like the title of a monster movie, but for you, the reality doesn't have to be a horror show.

_______________________________________________________________
To contact Tim Greene:
Tim Greene is a senior editor at Network World, covering virtual private networking gear, remote access, core switching and local phone companies. You can reach him at mailto:tgreene at nww.com.
*********END*********

-----Original Message-----
From: michel.nakhla at intelsat.com [mailto:michel.nakhla at intelsat.com]
Sent: Thursday, August 16, 2001 7:08 PM
To: vpn at securityfocus.com
Subject: [vpn] "IETF stops work on VPN protocol" article by Tim Greene

From mark.riehl at agilecommunications.com Fri Aug 17 21:26:55 2001
From: mark.riehl at agilecommunications.com (Mark Riehl)
Date: Fri, 17 Aug 2001 21:26:55 -0400
Subject: [vpn] Looking for VPN hardware suggestions
Message-ID: <3829BAF586F6224BBD29208ADDBE30661FBB36@agile.www.agilecommunications.com>

All

We've got a main office and ~15 remote sites. All of the remote sites have broadband connections (either DSL or cable). We'd like to set up a VPN between the main office and the remote sites. Over the VPN, we'd like to be able to set up folder and printer sharing under Windows (forwarding the NetBIOS packets through the firewalls). Ideally, we'd like to be able to share printers as well. At the main site, we plan to have an email server, web server, and file server.
So far, we've looked at three potential solutions:

1. WatchGuard Firebox II at the main office and a WatchGuard SOHO tc at each remote site.
2. SonicWall Pro at the main office and a SonicWall Tele2 at each remote site.
3. Cisco PIX 506 boxes at each site.

I'd like to hear opinions on these three solutions. Price-wise, the Cisco is the most expensive, and the WatchGuard is the least expensive.

Any suggestions?

Thanks,
Mark

--
Mark Riehl
Agile Communications, Inc.
Email: mark.riehl at agilecommunications.com

From beegled at home.com Sat Aug 18 16:47:26 2001
From: beegled at home.com (David B. Beegle)
Date: Sat, 18 Aug 2001 13:47:26 -0700
Subject: [vpn] Win2K and VPN
Message-ID: <001201c12826$fd91e5b0$a114b018@C1743067A>

Hello,

I want to set up a VPN connection from my home computer to my company's network. I am using Win2K Pro and my IT department has told me that my account does allow for VPN connections. My problem is that I don't know much about computers except how to use Microsoft Office, really, which is what I do most of my work in; I'm a business analyst.

So, my quandary is that I have run the wizard in Windows 2000 and walked through it and input all of the information it asks for, but the connection still won't work. I can't even connect. It acts like it is going to or is trying to connect and then tells me that my login credentials have failed. I am using the same login and password that I use when I'm at work; my IT department did at least tell me that that is what I should be using. I also read on one site recently that the Windows 2000 account that I have set up for myself on my computer at home needs to use the same login and password as my account on the network at work for the VPN connection to work, so I did change it to match.

I know I am not giving much information here but I am not sure what is pertinent and what isn't. Any ideas on what I should maybe look at? Any help is greatly appreciated.

Thank you.
David Beegle

From ThomasDelaet at digibel.org Sat Aug 18 17:26:56 2001
From: ThomasDelaet at digibel.org (ThomasDelaet at digibel.org)
Date: 18 Aug 2001 21:26:56 -0000
Subject: [vpn] VPN between 2 NAT-networks (Newbie)
Message-ID: <20010818212656.18657.qmail@pluto.intra.net>

Hi,

This is the setup I have:

    Windows 2000 Client (neptunus) (10.x address)
        |
        |
    Gateway (I don't have any control over this one)
        |
        |
    Internet
        |
        |
    Gateway (my home gateway, connected with a cable modem to the Internet, running OpenBSD)
        |
        |
    My home network with Linux Samba server (pluto) (10.x address)

My question is whether it's possible to set up a VPN between neptunus and my home network and let neptunus join the Samba NT domain. My cable provider blocks all incoming ports under 1024. If it's necessary I can use a SOCKS server with the Windows 2000 client (neptunus).

Thanks a lot in advance,

Kind Regards,
Thomas

From rit at jacked-in.org Sun Aug 19 12:24:17 2001
From: rit at jacked-in.org (Brendan W. McAdams)
Date: Sun, 19 Aug 2001 12:24:17 -0400
Subject: [vpn] Win2k -> Cisco PIX VPN
Message-ID: <3B7FE831.2020001@jacked-in.org>

I've yet to have any luck using Win2K's built-in IPSec to talk to my OpenBSD VPN boxen; however, I've heard that it isn't so bad with Cisco's PIXen... I've just obtained two PIX and am looking to move some of my VPN to them. Anyone have a good guide on straight connecting Win2k IPSec into PIX?

From tbird at precision-guesswork.com Sun Aug 19 19:55:15 2001
From: tbird at precision-guesswork.com (Tina Bird)
Date: Sun, 19 Aug 2001 18:55:15 -0500 (CDT)
Subject: [vpn] Response for "Where do I start?" FAQ?

Anyone out there want to take a stab at writing a response for the vast number of "I want to learn about VPN/I'm writing a paper/I need to install a VPN" questions we've been getting lately?
If so, contact me off-line and I'll forward the list postings that are likely to be helpful -- no time to write it myself at the moment...

thanks for the help -- tbird

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

From Patrick.Bryan at abbott.com Mon Aug 20 10:01:32 2001
From: Patrick.Bryan at abbott.com (Patrick.Bryan at abbott.com)
Date: Mon, 20 Aug 2001 09:01:32 -0500
Subject: [vpn] Concentrator Placement

Recently I have been tasked with writing a paper on VPN concentrator placement. Anyone out there have any opinions on this?

From capegeo at opengroup.org Mon Aug 20 19:58:04 2001
From: capegeo at opengroup.org (George Capehart)
Date: Mon, 20 Aug 2001 19:58:04 -0400
Subject: [vpn] [Fwd: Re: [fw-wiz] Link encryptors vs. IPSec]
Message-ID: <3B81A40C.AE371B70@opengroup.org>

Thanks. I'm looking forward to the replies.

-------- Original Message --------
Subject: Re: [fw-wiz] Link encryptors vs. IPSec
Date: Mon, 20 Aug 2001 09:42:19 -0500 (CDT)
From: Tina Bird
To: George Capehart

George --

Could you please send this to the VPN mailing list (vpn at securityfocus.com)? This is >>exactly<< the kind of question that group likes to work on...

Thanks very much -- Tina Bird
VPN List Moderator

On Sat, 18 Aug 2001, George Capehart wrote:

> Date: Sat, 18 Aug 2001 00:27:55 -0400
> From: George Capehart
> To: firewall-wizards at nfr.com
> Subject: [fw-wiz] Link encryptors vs. IPSec
>
> Hello Wizards,
>
> I have a slightly off-topic question that mjr probably won't let
> through, but since I can't think of a more appropriate list, I'll ask it
> here. (Pointers to more appropriate lists/newsgroups would be
> appreciated). Since it is somewhat off-topic, I would be happy to
> accept private replies. If it is of interest, I will publish a summary
> of the responses I receive.
> Here goes:
>
> The requirement is to provide over-the-wire privacy between two
> organizations. There are two links between the organizations, a
> dedicated leased line as the primary link, an ISDN dialup line as the
> backup link. For various reasons out of my control, one of the
> organizations wants all of the traffic that flows through its border
> routers to be in the clear so that they can monitor it. The other
> organization does not want traffic between the organizations to be
> subject to eavesdropping. The two classes of options to solve the
> problem seem to be:
> - Use link encryptors (like Cylink) between the routers and the
> telecomm interfaces, or
> - Use IPSec on the public side of the routers.
>
> I am agnostic with respect to the solution. I have a personal bias, but
> it's based on the KISS principle and it seems to me that the link
> encryptor option is a little simpler than is using IPSec. At least that
> has been my (admittedly limited) experience. I do not want to start a
> flame war, but I would truly like to hear the opinions and experiences
> of others who have worked with one or both (preferably both) of the
> options. I need information that can help me weight the decision one
> way or the other.
>
> I know that the details are very scarce. This is because the solution
> to this problem will drive many other design assumptions and decisions.
>
> Thanks in advance.
>
> Best regards,
>
> George Capehart
> --
> George W. Capehart Phone: +1 704.953.1209
> Fax: +1 704.853.2624
>
> SMS Messaging: http://www.mobile.att.net/mc/personal/pager_show.html
> or
> mailto: 7049531209 at mobile.att.net
>
> "Does getiud() halt the spawning of child processes?"
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards at nfr.com
> http://list.nfr.com/mailman/listinfo/firewall-wizards

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

From Sayali.Karanjkar at Sun.COM Tue Aug 21 00:32:40 2001
From: Sayali.Karanjkar at Sun.COM (Sayali Karanjkar)
Date: Tue, 21 Aug 2001 12:32:40 +0800
Subject: [vpn] VPN setup query
Message-ID: <3B81E468.1CE60C67@Sun.COM>

Hi all,

Is it possible to set up a secure tunnel between two machines connected via a switch, where both have only one interface each? They are running Solaris 8 and I need to do this for some testing. Please guide me on this.

thanks
--
Regards--
Sayali

From byron at markettools.com Tue Aug 21 19:00:02 2001
From: byron at markettools.com (Byron Kennedy)
Date: Tue, 21 Aug 2001 16:00:02 -0700
Subject: [vpn] Win2K and VPN

Depending on your environment, your question may very well require a blackboard and some budget. It's not really like plugging in a mouse. Otherwise, why wouldn't your IT department just set up the VPN for you?

Byron

-----Original Message-----
From: David B. Beegle [mailto:beegled at home.com]
Sent: Saturday, August 18, 2001 1:47 PM
To: vpn at securityfocus.com
Subject: [vpn] Win2K and VPN

From Tom_Casacchia at satyam.com Tue Aug 21 15:35:08 2001
From: Tom_Casacchia at satyam.com (Tom_Casacchia)
Date: Tue, 21 Aug 2001 14:35:08 -0500
Subject: [vpn] VPN Security

To whom it may concern:

Do you know of some good articles which strictly focus on the security risks associated with VPNs? I've seen a few but they do not get specific as to what they are, what causes them and the solution. I've heard of VPN hijacking, and some vulnerabilities with Microsoft PPTP.

Thanks,
Tom

From beegled at home.com Tue Aug 21 21:34:20 2001
From: beegled at home.com (David B. Beegle)
Date: Tue, 21 Aug 2001 18:34:20 -0700
Subject: [vpn] Win2K and VPN
Message-ID: <000001c12aaa$91873a10$a114b018@C1743067A>

From what I understand, it shouldn't cost any money at all. I have a cable modem and I should be able to just use a "Network and Dial-up Connection" to connect to my company's network as long as I know the IP address, right? The people I do work with that have it working don't have any special hardware or software. My IT department told me that I could just log in using the same login and password that I use at work. They won't help set it up because they do not own the computer that I use at home. All I did was run the "Make New Connection" wizard and I assumed that would do it, which of course it did not. Was I wrong?

David

-----Original Message-----
From: Byron Kennedy [mailto:byron at markettools.com]
Sent: Tuesday, August 21, 2001 4:00 PM
To: 'beegled at home.com'; vpn at securityfocus.com
Subject: RE: [vpn] Win2K and VPN

From hayyan at arab.net.sa Wed Aug 22 03:10:15 2001
From: hayyan at arab.net.sa (Hayyan Alsayyed)
Date: Wed, 22 Aug 2001 10:10:15 +0300
Subject: [vpn] Is it possible to test Symantec firewall without any hardware?
Message-ID: <025001c12ad9$7f2956d0$14d40c0a@arabnet.alofoq>

Dear Sirs

I ask if you would kindly recommend a good book about VPN from A to Z. Is it possible to implement and test a solution like Symantec Enterprise Firewall without any hardware equipment? Can I prepare academic studies in the VPN field to obtain, for example, a Master's degree in that field?

Thanks in advance for help
Hayyan

From lynch00 at msn.com Wed Aug 22 12:13:26 2001
From: lynch00 at msn.com (Chris Lynch, MCSE CCNAv2)
Date: Wed, 22 Aug 2001 09:13:26 -0700
Subject: [vpn] Win2K and VPN

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The reason why you cannot connect to your company's network: a VPN server needs to be set up in order for you to connect to the network. You cannot just specify the domain name or NDS tree and expect to log in. That just will not work. What you need to do is talk with your manager and get him to approve access for you to the VPN connection, that is, if your company has one. Once he approves it, then it will be submitted to the IT department. They should then create an account for you and give you all the information on what you will need to do. This is how your company should do things.

Chris Lynch, MCSE CCNA
Network Engineer
NRT, Inc.
Chris.lynch at nospam.nrtinc.com

- -----Original Message-----
From: Byron Kennedy [mailto:byron at markettools.com]
Sent: Tuesday, August 21, 2001 4:00 PM
To: 'beegled at home.com'; vpn at securityfocus.com
Subject: RE: [vpn] Win2K and VPN

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use

iQA/AwUBO4PaJQsvmhohONWyEQLQcgCeP3Emw3UJ02Tx1K7RyK6MWiEeRAIAn08p
MzwwU3wp8yz/BkH+Mzmvq6cF
=lHmV
-----END PGP SIGNATURE-----

From greg at nowicki.org Wed Aug 22 13:10:46 2001
From: greg at nowicki.org (Gregory (Greg) D. Nowicki)
Date: Wed, 22 Aug 2001 11:10:46 -0600 (MDT)
Subject: [vpn] Win2K and VPN
In-Reply-To: <000001c12aaa$91873a10$a114b018@C1743067A>
References: <000001c12aaa$91873a10$a114b018@C1743067A>
Message-ID: <998500246.3b83e796e770c@webmail.demandindustries.net>

David,

No, you're not wrong. From your first e-mail, it appears you have the correct privileges to do this. We saw the same problem (using NT on the client end) and found that the server end had not opened a hole in their firewall for GRE packets. So, got a firewall in place between the two of you?

Greg

Quoting "David B. Beegle":
I am using Win2K Pro and my IT department has told me that > my > account does allow for VPN connections. My problem is that I don't > know > much about computers except how to use Microsoft Office really, which > is > what I do most of my work in; I'm a business analyst. So, my quandary > is > that I have run the wizard in Windows 2000 and walked through it and > input > all of the information it asks for but the connection still won't work. > I > can't even connect. It acts like it is going to or is trying to connect > and > then tells me that my login credentials have failed. I am using the > same > login and password that I use when I'm at work, my IT department did > at > least tell me that that is what I should be using. I always read on > one > site recently that my Windows 2000 account that I have set-up for myself > on > my computer at home, needs to use the same login and password as my > account > on the network at work for the VPN connection to work so I did change it > to > match. I know I am not giving much information here but I am not sure > what > is pertinent and what isn't. Any ideas on what I should maybe look at? > Any > help is greatly appreciated. Thank you. > > David Beegle > > > VPN is sponsored by SecurityFocus.com > > > VPN is sponsored by SecurityFocus.com > VPN is sponsored by SecurityFocus.com From JoshV at bcgsys.com Wed Aug 22 13:22:43 2001 From: JoshV at bcgsys.com (Joshua Vince) Date: Wed, 22 Aug 2001 13:22:43 -0400 Subject: [vpn] Win2K and VPN Message-ID: Looks like from your e-mail address you are using AT&T's @Home service? They are known to block VPN traffic, because (according to them), if you need VPN, you should have a business account. Joshua R. Vince Sr. Network Engineer CCNP MCSE MCP+I BCG Systems, Inc. 800-968-6661 mailto:joshv at bcgsys.com -----Original Message----- From: David B. 
Beegle [mailto:beegled at home.com] Sent: Tuesday, August 21, 2001 9:34 PM To: 'Byron Kennedy'; vpn at securityfocus.com Subject: RE: [vpn] Win2K and VPN >From what I understand, it shouldn't cost any money at all. I have a cable modem and I should be able to just use a "Network and Dial-up Connection" to connect to my company's network as long as I know the IP address, right? The people I do work with that have it working don't have any special hardware of software. My IT department told me that I could just login using the same login and password that I use at work. They won't help set it up because they do not own the computer that I use at home. All I did was run the "Make New Connection" wizard and I assumed that would do it, which of course it did not. Was I wrong? David -----Original Message----- From: Byron Kennedy [mailto:byron at markettools.com] Sent: Tuesday, August 21, 2001 4:00 PM To: 'beegled at home.com'; vpn at securityfocus.com Subject: RE: [vpn] Win2K and VPN Depending on your environment, your question may very well require a blackboard and some budget. It's not really like plugging in a mouse. otherwise, why wouldn't your IT department just setup the VPN for you? Byron -----Original Message----- From: David B. Beegle [mailto:beegled at home.com] Sent: Saturday, August 18, 2001 1:47 PM To: vpn at securityfocus.com Subject: [vpn] Win2K and VPN Hello, I want to set-up a VPN connection from my home computer to my company's network. I am using Win2K Pro and my IT department has told me that my account does allow for VPN connections. My problem is that I don't know much about computers except how to use Microsoft Office really, which is what I do most of my work in; I'm a business analyst. So, my quandary is that I have run the wizard in Windows 2000 and walked through it and input all of the information it asks for but the connection still won't work. I can't even connect. 
It acts like it is going to or is trying to connect and then tells me that my login credentials have failed. I am using the same login and password that I use when I'm at work, my IT department did at least tell me that that is what I should be using. I always read on one site recently that my Windows 2000 account that I have set-up for myself on my computer at home, needs to use the same login and password as my account on the network at work for the VPN connection to work so I did change it to match. I know I am not giving much information here but I am not sure what is pertinent and what isn't. Any ideas on what I should maybe look at? Any help is greatly appreciated. Thank you. David Beegle VPN is sponsored by SecurityFocus.com VPN is sponsored by SecurityFocus.com VPN is sponsored by SecurityFocus.com From kent at dalliesin.com Wed Aug 22 14:05:53 2001 From: kent at dalliesin.com (Kent Dallas) Date: Wed, 22 Aug 2001 14:05:53 -0400 Subject: [vpn] Win2K and VPN In-Reply-To: Message-ID: <001501c12b35$165b0750$0200a8c0@DALLASDELL2K> Joshua, Actually, AT&T has publicly stated that they do NOT block VPN access on residential cable modem accounts, and actually have contributed to the pressure within the cable industry to NOT do so. I am personally on AT&T cable modem service, and I can run IPSec, PPTP, L2TP, and have not run into any "network blocking" problems. The only cable provider I am aware of which limits use of VPN on consumer accounts through their Acceptable Use Policy is Comcast at home. And I have been unable to determine if they ACTUALLY block anything, or simply threaten to do so if they see abnormally high amounts of utilization (I know of at least one user on a Comcast at home system that successfully uses IPSec, but configurations may vary from system to system). 
As Gregory Nowicki points out, a firewall on the client side could be the problem, but if it is configured in a reasonable manner (allows Internet sessions initiated from behind it out on any port), then it shouldn't be the problem. But it is still a good question - David, are you using a firewall? If not, you should be... A firewall on the corporate side shouldn't be a problem, since other users seem to be successful. Kent Dallas Dalliesin, Inc. -----Original Message----- From: Joshua Vince [mailto:JoshV at bcgsys.com] Sent: Wednesday, August 22, 2001 1:23 PM To: beegled at home.com; Byron Kennedy; vpn at securityfocus.com Subject: RE: [vpn] Win2K and VPN Looks like from your e-mail address you are using AT&T's @Home service? They are known to block VPN traffic, because (according to them), if you need VPN, you should have a business account. Joshua R. Vince Sr. Network Engineer CCNP MCSE MCP+I BCG Systems, Inc. 800-968-6661 mailto:joshv at bcgsys.com -----Original Message----- From: David B. Beegle [mailto:beegled at home.com] Sent: Tuesday, August 21, 2001 9:34 PM To: 'Byron Kennedy'; vpn at securityfocus.com Subject: RE: [vpn] Win2K and VPN >From what I understand, it shouldn't cost any money at all. I have a cable modem and I should be able to just use a "Network and Dial-up Connection" to connect to my company's network as long as I know the IP address, right? The people I do work with that have it working don't have any special hardware of software. My IT department told me that I could just login using the same login and password that I use at work. They won't help set it up because they do not own the computer that I use at home. All I did was run the "Make New Connection" wizard and I assumed that would do it, which of course it did not. Was I wrong? 
David -----Original Message----- From: Byron Kennedy [mailto:byron at markettools.com] Sent: Tuesday, August 21, 2001 4:00 PM To: 'beegled at home.com'; vpn at securityfocus.com Subject: RE: [vpn] Win2K and VPN Depending on your environment, your question may very well require a blackboard and some budget. It's not really like plugging in a mouse. otherwise, why wouldn't your IT department just setup the VPN for you? Byron -----Original Message----- From: David B. Beegle [mailto:beegled at home.com] Sent: Saturday, August 18, 2001 1:47 PM To: vpn at securityfocus.com Subject: [vpn] Win2K and VPN Hello, I want to set-up a VPN connection from my home computer to my company's network. I am using Win2K Pro and my IT department has told me that my account does allow for VPN connections. My problem is that I don't know much about computers except how to use Microsoft Office really, which is what I do most of my work in; I'm a business analyst. So, my quandary is that I have run the wizard in Windows 2000 and walked through it and input all of the information it asks for but the connection still won't work. I can't even connect. It acts like it is going to or is trying to connect and then tells me that my login credentials have failed. I am using the same login and password that I use when I'm at work, my IT department did at least tell me that that is what I should be using. I always read on one site recently that my Windows 2000 account that I have set-up for myself on my computer at home, needs to use the same login and password as my account on the network at work for the VPN connection to work so I did change it to match. I know I am not giving much information here but I am not sure what is pertinent and what isn't. Any ideas on what I should maybe look at? Any help is greatly appreciated. Thank you. 
David Beegle VPN is sponsored by SecurityFocus.com VPN is sponsored by SecurityFocus.com VPN is sponsored by SecurityFocus.com -------------- next part -------------- VPN is sponsored by SecurityFocus.com From kent at dalliesin.com Wed Aug 22 13:55:40 2001 From: kent at dalliesin.com (Kent Dallas) Date: Wed, 22 Aug 2001 13:55:40 -0400 Subject: [vpn] Win2K and VPN In-Reply-To: <000001c12aaa$91873a10$a114b018@C1743067A> Message-ID: <001401c12b33$a96d17b0$0200a8c0@DALLASDELL2K> David, I suspect Byron's point was that, without additional information, it is impossible to give you decent pointers. The couple of pieces of new information in your latest email tells us: 1) Other co-workers are successfully using the "VPN solution" (that's good) 2) The VPN solution is based on the capabilities built into MS Win2K (client) and either WinNT or Win2K (server), and not a third party VPN (which limits it to MS PPTP, L2TP, or MS IPSec/L2TP). Are you getting "Error 691: Access was denied because the username and/or password was invalid on the domain"? If so, you may be very close, and the only problem may be the format of your username (or fat fingering the password, caps lock off - right?). At work, you probably have a domain logon screen, that includes your username, your password, and your NT domain. On your home machine, and the VPN connection, it only asks for your username and password, right? Are you, somehow, providing the NT domain? Besides this list, three other options available to you: 1) Review your configuration, especially username formats and also connection properties, with those of co-workers who have successful setups, match everything exactly, and see if you get further (or at least get a different error message). This is probably your best option. 
Or, 2) Research the problem on Microsoft's knowledge base 3) Befriend one of your IT folks who are strong in MS and beg for help Even without more information, here are a couple of tweaks you may try to see if they will work (I have not previously used MS VPN on my Win2K box, but I was just successful configuring it with these changes - which may or may not work in your environment). In the VPN Connection Properties, choose Security, then select Advanced (Custom Settings). Then select Optional Encryption from the top drop down list, and select the checkboxes for PAP, CHAP, and both MS CHAP options (do not check the "automatically use my Windows logon name...") If these tweaks at least allow you to create the VPN connection successfully, you may still have some domain logon and name service challenges, but you will at least be closer. Good Luck, Kent Dallas Dalliesin, Inc. -----Original Message----- From: David B. Beegle [mailto:beegled at home.com] Sent: Tuesday, August 21, 2001 9:34 PM To: 'Byron Kennedy'; vpn at securityfocus.com Subject: RE: [vpn] Win2K and VPN >From what I understand, it shouldn't cost any money at all. I have a cable modem and I should be able to just use a "Network and Dial-up Connection" to connect to my company's network as long as I know the IP address, right? The people I do work with that have it working don't have any special hardware of software. My IT department told me that I could just login using the same login and password that I use at work. They won't help set it up because they do not own the computer that I use at home. All I did was run the "Make New Connection" wizard and I assumed that would do it, which of course it did not. Was I wrong? 
David -----Original Message----- From: Byron Kennedy [mailto:byron at markettools.com] Sent: Tuesday, August 21, 2001 4:00 PM To: 'beegled at home.com'; vpn at securityfocus.com Subject: RE: [vpn] Win2K and VPN Depending on your environment, your question may very well require a blackboard and some budget. It's not really like plugging in a mouse. otherwise, why wouldn't your IT department just setup the VPN for you? Byron -----Original Message----- From: David B. Beegle [mailto:beegled at home.com] Sent: Saturday, August 18, 2001 1:47 PM To: vpn at securityfocus.com Subject: [vpn] Win2K and VPN Hello, I want to set-up a VPN connection from my home computer to my company's network. I am using Win2K Pro and my IT department has told me that my account does allow for VPN connections. My problem is that I don't know much about computers except how to use Microsoft Office really, which is what I do most of my work in; I'm a business analyst. So, my quandary is that I have run the wizard in Windows 2000 and walked through it and input all of the information it asks for but the connection still won't work. I can't even connect. It acts like it is going to or is trying to connect and then tells me that my login credentials have failed. I am using the same login and password that I use when I'm at work, my IT department did at least tell me that that is what I should be using. I always read on one site recently that my Windows 2000 account that I have set-up for myself on my computer at home, needs to use the same login and password as my account on the network at work for the VPN connection to work so I did change it to match. I know I am not giving much information here but I am not sure what is pertinent and what isn't. Any ideas on what I should maybe look at? Any help is greatly appreciated. Thank you. 
David Beegle VPN is sponsored by SecurityFocus.com VPN is sponsored by SecurityFocus.com VPN is sponsored by SecurityFocus.com From byron at markettools.com Wed Aug 22 17:43:38 2001 From: byron at markettools.com (Byron Kennedy) Date: Wed, 22 Aug 2001 14:43:38 -0700 Subject: [vpn] Win2K and VPN Message-ID: Hey guys- David, sorry if i came across short. I'm admittedly somewhat of an idealist :). Kent's right, it really is tough to give sound/specific pointers (though his content below is great), and quite honestly, I found it odd or somewhat unfair that you were being forced to a VPN forum -> to have us figure out what type of vpn/perimter security setup you have and help trouble-shoot it when the firm's IT department must have a step-by-step setup for windows 2000 for the user community or at least attempt to recreate your error. If they don't and won't budge then there must be some other variable here. What about this: I hear what you say below regarding their not owning the system and not wanting to support it. Being the idealist that I am I would tell them to step me through it using one of the machines they DO own with the same OS and/or provide documentation and then see where things don't mesh or break down. What's different in the client configs? Hopefully, Kent's recommends will help nail any specifics. good luck.Byron PS- I currently use IPSec over AT&T cable access here in the SF bay area. -----Original Message----- From: Kent Dallas [mailto:kent at dalliesin.com] Sent: Wednesday, August 22, 2001 10:56 AM To: beegled at home.com; vpn at securityfocus.com Subject: RE: [vpn] Win2K and VPN David, I suspect Byron's point was that, without additional information, it is impossible to give you decent pointers. 
The couple of pieces of new information in your latest email tells us: 1) Other co-workers are successfully using the "VPN solution" (that's good) 2) The VPN solution is based on the capabilities built into MS Win2K (client) and either WinNT or Win2K (server), and not a third party VPN (which limits it to MS PPTP, L2TP, or MS IPSec/L2TP). Are you getting "Error 691: Access was denied because the username and/or password was invalid on the domain"? If so, you may be very close, and the only problem may be the format of your username (or fat fingering the password, caps lock off - right?). At work, you probably have a domain logon screen, that includes your username, your password, and your NT domain. On your home machine, and the VPN connection, it only asks for your username and password, right? Are you, somehow, providing the NT domain? Besides this list, three other options available to you: 1) Review your configuration, especially username formats and also connection properties, with those of co-workers who have successful setups, match everything exactly, and see if you get further (or at least get a different error message). This is probably your best option. Or, 2) Research the problem on Microsoft's knowledge base 3) Befriend one of your IT folks who are strong in MS and beg for help Even without more information, here are a couple of tweaks you may try to see if they will work (I have not previously used MS VPN on my Win2K box, but I was just successful configuring it with these changes - which may or may not work in your environment). In the VPN Connection Properties, choose Security, then select Advanced (Custom Settings). 
Then select Optional Encryption from the top drop down list, and select the checkboxes for PAP, CHAP, and both MS CHAP options (do not check the "automatically use my Windows logon name...") If these tweaks at least allow you to create the VPN connection successfully, you may still have some domain logon and name service challenges, but you will at least be closer. Good Luck, Kent Dallas Dalliesin, Inc. -----Original Message----- From: David B. Beegle [mailto:beegled at home.com] Sent: Tuesday, August 21, 2001 9:34 PM To: 'Byron Kennedy'; vpn at securityfocus.com Subject: RE: [vpn] Win2K and VPN >From what I understand, it shouldn't cost any money at all. I have a cable modem and I should be able to just use a "Network and Dial-up Connection" to connect to my company's network as long as I know the IP address, right? The people I do work with that have it working don't have any special hardware of software. My IT department told me that I could just login using the same login and password that I use at work. They won't help set it up because they do not own the computer that I use at home. All I did was run the "Make New Connection" wizard and I assumed that would do it, which of course it did not. Was I wrong? David -----Original Message----- From: Byron Kennedy [mailto:byron at markettools.com] Sent: Tuesday, August 21, 2001 4:00 PM To: 'beegled at home.com'; vpn at securityfocus.com Subject: RE: [vpn] Win2K and VPN Depending on your environment, your question may very well require a blackboard and some budget. It's not really like plugging in a mouse. otherwise, why wouldn't your IT department just setup the VPN for you? Byron -----Original Message----- From: David B. Beegle [mailto:beegled at home.com] Sent: Saturday, August 18, 2001 1:47 PM To: vpn at securityfocus.com Subject: [vpn] Win2K and VPN Hello, I want to set-up a VPN connection from my home computer to my company's network. 
I am using Win2K Pro and my IT department has told me that my account does allow for VPN connections. My problem is that I don't know much about computers except how to use Microsoft Office really, which is what I do most of my work in; I'm a business analyst. So, my quandary is that I have run the wizard in Windows 2000 and walked through it and input all of the information it asks for but the connection still won't work. I can't even connect. It acts like it is going to or is trying to connect and then tells me that my login credentials have failed. I am using the same login and password that I use when I'm at work, my IT department did at least tell me that that is what I should be using. I always read on one site recently that my Windows 2000 account that I have set-up for myself on my computer at home, needs to use the same login and password as my account on the network at work for the VPN connection to work so I did change it to match. I know I am not giving much information here but I am not sure what is pertinent and what isn't. Any ideas on what I should maybe look at? Any help is greatly appreciated. Thank you. David Beegle VPN is sponsored by SecurityFocus.com VPN is sponsored by SecurityFocus.com VPN is sponsored by SecurityFocus.com VPN is sponsored by SecurityFocus.com From lynch00 at msn.com Wed Aug 22 20:41:43 2001 From: lynch00 at msn.com (Chris Lynch, MCSE CCNAv2) Date: Wed, 22 Aug 2001 17:41:43 -0700 Subject: [vpn] Win2K and VPN In-Reply-To: <001501c12b35$165b0750$0200a8c0@DALLASDELL2K> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 It very well can be the type of VPN connection you are trying to make. Check the settings of the VPN connection you created against what your other co-workers have. I bet you it has something to do with the type of encryption, like MSCHAP, CHAP, PAP, etc. 
Chris - -----Original Message----- From: Kent Dallas [mailto:kent at dalliesin.com] Sent: Wednesday, August 22, 2001 11:06 AM To: 'Joshua Vince'; beegled at home.com Cc: vpn at securityfocus.com Subject: RE: [vpn] Win2K and VPN Joshua, Actually, AT&T has publicly stated that they do NOT block VPN access on residential cable modem accounts, and actually have contributed to the pressure within the cable industry to NOT do so. I am personally on AT&T cable modem service, and I can run IPSec, PPTP, L2TP, and have not run into any "network blocking" problems. The only cable provider I am aware of which limits use of VPN on consumer accounts through their Acceptable Use Policy is Comcast at home. And I have been unable to determine if they ACTUALLY block anything, or simply threaten to do so if they see abnormally high amounts of utilization (I know of at least one user on a Comcast at home system that successfully uses IPSec, but configurations may vary from system to system). As Gregory Nowicki points out, a firewall on the client side could be the problem, but if it is configured in a reasonable manner (allows Internet sessions initiated from behind it out on any port), then it shouldn't be the problem. But it is still a good question - David, are you using a firewall? If not, you should be... A firewall on the corporate side shouldn't be a problem, since other users seem to be successful. Kent Dallas Dalliesin, Inc. - -----Original Message----- From: Joshua Vince [mailto:JoshV at bcgsys.com] Sent: Wednesday, August 22, 2001 1:23 PM To: beegled at home.com; Byron Kennedy; vpn at securityfocus.com Subject: RE: [vpn] Win2K and VPN Looks like from your e-mail address you are using AT&T's @Home service? They are known to block VPN traffic, because (according to them), if you need VPN, you should have a business account. Joshua R. Vince Sr. Network Engineer CCNP MCSE MCP+I BCG Systems, Inc. 800-968-6661 mailto:joshv at bcgsys.com - -----Original Message----- From: David B. 
Beegle [mailto:beegled at home.com] Sent: Tuesday, August 21, 2001 9:34 PM To: 'Byron Kennedy'; vpn at securityfocus.com Subject: RE: [vpn] Win2K and VPN - From what I understand, it shouldn't cost any money at all. I have a cable modem and I should be able to just use a "Network and Dial-up Connection" to connect to my company's network as long as I know the IP address, right? The people I do work with that have it working don't have any special hardware of software. My IT department told me that I could just login using the same login and password that I use at work. They won't help set it up because they do not own the computer that I use at home. All I did was run the "Make New Connection" wizard and I assumed that would do it, which of course it did not. Was I wrong? David - -----Original Message----- From: Byron Kennedy [mailto:byron at markettools.com] Sent: Tuesday, August 21, 2001 4:00 PM To: 'beegled at home.com'; vpn at securityfocus.com Subject: RE: [vpn] Win2K and VPN Depending on your environment, your question may very well require a blackboard and some budget. It's not really like plugging in a mouse. otherwise, why wouldn't your IT department just setup the VPN for you? Byron - -----Original Message----- From: David B. Beegle [mailto:beegled at home.com] Sent: Saturday, August 18, 2001 1:47 PM To: vpn at securityfocus.com Subject: [vpn] Win2K and VPN Hello, I want to set-up a VPN connection from my home computer to my company's network. I am using Win2K Pro and my IT department has told me that my account does allow for VPN connections. My problem is that I don't know much about computers except how to use Microsoft Office really, which is what I do most of my work in; I'm a business analyst. So, my quandary is that I have run the wizard in Windows 2000 and walked through it and input all of the information it asks for but the connection still won't work. I can't even connect. 
It acts like it is going to or is trying to connect and then tells me that my login credentials have failed. I am using the same login and password that I use when I'm at work, my IT department did at least tell me that that is what I should be using. I always read on one site recently that my Windows 2000 account that I have set-up for myself on my computer at home, needs to use the same login and password as my account on the network at work for the VPN connection to work so I did change it to match. I know I am not giving much information here but I am not sure what is pertinent and what isn't. Any ideas on what I should maybe look at? Any help is greatly appreciated. Thank you.

David Beegle

From rkern at prolynx.com Thu Aug 23 00:09:40 2001
From: rkern at prolynx.com (richard kern)
Date: 23 Aug 2001 04:09:40 -0000
Subject: [vpn] WIN2k and VPN - new
Message-ID: <20010823040940.6105.qmail@securityfocus.com>

I'm looking for some insight here. I have two new installs of WIN2K pro dialing into the VPN. The VPN connects but nothing shows up in network neighborhood. A trial install was showing the domain and other clients on the network but with limited access even with 'admin' rights. Now nothing is visible. Only change between now and the first time is a password reset. Comments?

Thanks
Richard

From beegled at home.com Thu Aug 23 01:37:42 2001
From: beegled at home.com (David B. Beegle)
Date: Wed, 22 Aug 2001 22:37:42 -0700
Subject: [vpn] Win2K and VPN
In-Reply-To: <998500246.3b83e796e770c@webmail.demandindustries.net>
Message-ID: <000701c12b95$bb348f70$a114b018@C1743067A>

My company does use a firewall. That's about all I know. Do I need to know the firewall settings?

David

-----Original Message-----
From: Gregory (Greg) D. Nowicki [mailto:greg at nowicki.org]
Sent: Wednesday, August 22, 2001 10:11 AM
To: beegled at home.com; David B. Beegle
Cc: vpn at securityfocus.com
Subject: RE: [vpn] Win2K and VPN

David,

No, you're not wrong. From your first e-mail, it appears you have the correct privileges to do this. We saw the same problem (using NT on the client end) and found that the server end had not opened a hole in their firewall for gre packets. So, got a firewall in place between the two of you?

Greg

Quoting "David B. Beegle" :

> From what I understand, it shouldn't cost any money at all. I have a cable
> modem and I should be able to just use a "Network and Dial-up Connection" to
> connect to my company's network as long as I know the IP address, right?
> The people I do work with that have it working don't have any special
> hardware or software. My IT department told me that I could just login
> using the same login and password that I use at work. They won't help set
> it up because they do not own the computer that I use at home. All I did
> was run the "Make New Connection" wizard and I assumed that would do it,
> which of course it did not. Was I wrong?
>
> David
>
> -----Original Message-----
> From: Byron Kennedy [mailto:byron at markettools.com]
> Sent: Tuesday, August 21, 2001 4:00 PM
> To: 'beegled at home.com'; vpn at securityfocus.com
> Subject: RE: [vpn] Win2K and VPN
>
> Depending on your environment, your question may very well require a
> blackboard and some budget. It's not really like plugging in a mouse.
> Otherwise, why wouldn't your IT department just set up the VPN for you?
>
> Byron
>
> -----Original Message-----
> From: David B. Beegle [mailto:beegled at home.com]
> Sent: Saturday, August 18, 2001 1:47 PM
> To: vpn at securityfocus.com
> Subject: [vpn] Win2K and VPN
>
> Hello,
>
> I want to set-up a VPN connection from my home computer to my company's
> network. I am using Win2K Pro and my IT department has told me that my
> account does allow for VPN connections. My problem is that I don't know
> much about computers except how to use Microsoft Office really, which is
> what I do most of my work in; I'm a business analyst. So, my quandary is
> that I have run the wizard in Windows 2000 and walked through it and input
> all of the information it asks for but the connection still won't work. I
> can't even connect. It acts like it is going to or is trying to connect and
> then tells me that my login credentials have failed. I am using the same
> login and password that I use when I'm at work, my IT department did at
> least tell me that that is what I should be using. I always read on one
> site recently that my Windows 2000 account that I have set-up for myself on
> my computer at home, needs to use the same login and password as my account
> on the network at work for the VPN connection to work so I did change it to
> match. I know I am not giving much information here but I am not sure what
> is pertinent and what isn't. Any ideas on what I should maybe look at? Any
> help is greatly appreciated. Thank you.
>
> David Beegle

From beegled at home.com Thu Aug 23 01:44:09 2001
From: beegled at home.com (David B. Beegle)
Date: Wed, 22 Aug 2001 22:44:09 -0700
Subject: [vpn] Win2K and VPN
Message-ID: <000001c12b98$9fa21ef0$a114b018@C1743067A>

I had read that in a couple of places when searching the net for a solution to my problem.
The local office here told me they do not block VPN connections. Of course you always have to wonder if I talked to somebody who actually knew what they were talking about.

David

-----Original Message-----
From: Joshua Vince [mailto:JoshV at bcgsys.com]
Sent: Wednesday, August 22, 2001 10:23 AM
To: beegled at home.com; Byron Kennedy; vpn at securityfocus.com
Subject: RE: [vpn] Win2K and VPN

Looks like from your e-mail address you are using AT&T's @Home service? They are known to block VPN traffic, because (according to them), if you need VPN, you should have a business account.

Joshua R. Vince
Sr. Network Engineer
CCNP MCSE MCP+I
BCG Systems, Inc.
800-968-6661
mailto:joshv at bcgsys.com

-----Original Message-----
From: David B. Beegle [mailto:beegled at home.com]
Sent: Tuesday, August 21, 2001 9:34 PM
To: 'Byron Kennedy'; vpn at securityfocus.com
Subject: RE: [vpn] Win2K and VPN

From what I understand, it shouldn't cost any money at all. I have a cable modem and I should be able to just use a "Network and Dial-up Connection" to connect to my company's network as long as I know the IP address, right? The people I do work with that have it working don't have any special hardware or software. My IT department told me that I could just login using the same login and password that I use at work. They won't help set it up because they do not own the computer that I use at home. All I did was run the "Make New Connection" wizard and I assumed that would do it, which of course it did not. Was I wrong?

David

-----Original Message-----
From: Byron Kennedy [mailto:byron at markettools.com]
Sent: Tuesday, August 21, 2001 4:00 PM
To: 'beegled at home.com'; vpn at securityfocus.com
Subject: RE: [vpn] Win2K and VPN

Depending on your environment, your question may very well require a blackboard and some budget. It's not really like plugging in a mouse. Otherwise, why wouldn't your IT department just set up the VPN for you?

Byron

-----Original Message-----
From: David B. Beegle [mailto:beegled at home.com]
Sent: Saturday, August 18, 2001 1:47 PM
To: vpn at securityfocus.com
Subject: [vpn] Win2K and VPN

[snip]

From beegled at home.com Thu Aug 23 01:38:57 2001
From: beegled at home.com (David B. Beegle)
Date: Wed, 22 Aug 2001 22:38:57 -0700
Subject: [vpn] Win2K and VPN
In-Reply-To:
Message-ID: <000801c12b95$e837d860$a114b018@C1743067A>

There was a form on our intranet that one fills out to be granted access.
I filled it out and was contacted about a day later and they told me they had granted those privileges to my account and that I would use the same login and password that I do on my office PC.

David

-----Original Message-----
From: Chris Lynch, MCSE CCNAv2 [mailto:lynch00 at msn.com]
Sent: Wednesday, August 22, 2001 9:13 AM
To: 'Byron Kennedy'; beegled at home.com; vpn at securityfocus.com
Subject: RE: [vpn] Win2K and VPN

The reason why you cannot connect to your company's network: a VPN server needs to be set up in order for you to connect to the network. You cannot just specify the domain name or NDS tree and expect to log in. That just will not work. What you need to do is talk with your manager and get him to approve access for you to the VPN connection. That is if your company has one. Once he approves it, then it will be submitted to the IT department. They should then create an account for you and give you all the information on what you will need to do. This is how your company should do things.

Chris Lynch, MCSE CCNA
Network Engineer
NRT, Inc.
Chris.lynch at nospam.nrtinc.com

-----Original Message-----
From: Byron Kennedy [mailto:byron at markettools.com]
Sent: Tuesday, August 21, 2001 4:00 PM
To: 'beegled at home.com'; vpn at securityfocus.com
Subject: RE: [vpn] Win2K and VPN

Depending on your environment, your question may very well require a blackboard and some budget. It's not really like plugging in a mouse. Otherwise, why wouldn't your IT department just set up the VPN for you?

Byron

-----Original Message-----
From: David B. Beegle [mailto:beegled at home.com]
Sent: Saturday, August 18, 2001 1:47 PM
To: vpn at securityfocus.com
Subject: [vpn] Win2K and VPN

[snip]

From beegled at home.com Thu Aug 23 01:52:47 2001
From: beegled at home.com (David B. Beegle)
Date: Wed, 22 Aug 2001 22:52:47 -0700
Subject: [vpn] Win2K and VPN
In-Reply-To: <001401c12b33$a96d17b0$0200a8c0@DALLASDELL2K>
Message-ID: <000901c12b98$a387e4a0$a114b018@C1743067A>

Before replying to this message, I read another message submitted by you Kent, another message submitted by Byron Kennedy and another from Chris Lynch. I just want to thank you all so much for the help. You are wonderful. It was the encryption thingy settings that were the problem. I can connect to the network now!!!!
After spending what has seemed like forever trying to work through this, I am now able to connect. Yeah!!!! Thank you guys!!!!

To answer another question of yours Kent, yes I have a firewall installed on my computer that a friend recommended to me, Zone Alarm. I guess now I have another question, I am unable to do anything like browse through computers in the network neighborhood when I connect. Is this because of this firewall I have put on my computer?

David

-----Original Message-----
From: Kent Dallas [mailto:kent at dalliesin.com]
Sent: Wednesday, August 22, 2001 10:56 AM
To: beegled at home.com; vpn at securityfocus.com
Subject: RE: [vpn] Win2K and VPN

David,

I suspect Byron's point was that, without additional information, it is impossible to give you decent pointers. The couple of pieces of new information in your latest email tell us:

1) Other co-workers are successfully using the "VPN solution" (that's good)
2) The VPN solution is based on the capabilities built into MS Win2K (client) and either WinNT or Win2K (server), and not a third party VPN (which limits it to MS PPTP, L2TP, or MS IPSec/L2TP).

Are you getting "Error 691: Access was denied because the username and/or password was invalid on the domain"? If so, you may be very close, and the only problem may be the format of your username (or fat fingering the password, caps lock off - right?). At work, you probably have a domain logon screen, that includes your username, your password, and your NT domain. On your home machine, and the VPN connection, it only asks for your username and password, right? Are you, somehow, providing the NT domain?

Besides this list, three other options available to you:

1) Review your configuration, especially username formats and also connection properties, with those of co-workers who have successful setups, match everything exactly, and see if you get further (or at least get a different error message). This is probably your best option. Or,
2) Research the problem on Microsoft's knowledge base
3) Befriend one of your IT folks who are strong in MS and beg for help

Even without more information, here are a couple of tweaks you may try to see if they will work (I have not previously used MS VPN on my Win2K box, but I was just successful configuring it with these changes - which may or may not work in your environment). In the VPN Connection Properties, choose Security, then select Advanced (Custom Settings). Then select Optional Encryption from the top drop down list, and select the checkboxes for PAP, CHAP, and both MS CHAP options (do not check the "automatically use my Windows logon name...")

If these tweaks at least allow you to create the VPN connection successfully, you may still have some domain logon and name service challenges, but you will at least be closer.

Good Luck,
Kent Dallas
Dalliesin, Inc.

-----Original Message-----
From: David B. Beegle [mailto:beegled at home.com]
Sent: Tuesday, August 21, 2001 9:34 PM
To: 'Byron Kennedy'; vpn at securityfocus.com
Subject: RE: [vpn] Win2K and VPN

From what I understand, it shouldn't cost any money at all. I have a cable modem and I should be able to just use a "Network and Dial-up Connection" to connect to my company's network as long as I know the IP address, right? The people I do work with that have it working don't have any special hardware or software. My IT department told me that I could just login using the same login and password that I use at work. They won't help set it up because they do not own the computer that I use at home. All I did was run the "Make New Connection" wizard and I assumed that would do it, which of course it did not. Was I wrong?

David

-----Original Message-----
From: Byron Kennedy [mailto:byron at markettools.com]
Sent: Tuesday, August 21, 2001 4:00 PM
To: 'beegled at home.com'; vpn at securityfocus.com
Subject: RE: [vpn] Win2K and VPN

Depending on your environment, your question may very well require a blackboard and some budget. It's not really like plugging in a mouse. Otherwise, why wouldn't your IT department just set up the VPN for you?

Byron

-----Original Message-----
From: David B. Beegle [mailto:beegled at home.com]
Sent: Saturday, August 18, 2001 1:47 PM
To: vpn at securityfocus.com
Subject: [vpn] Win2K and VPN

[snip]

From beegled at home.com Thu Aug 23 03:38:24 2001
From: beegled at home.com (David B. Beegle)
Date: Thu, 23 Aug 2001 00:38:24 -0700
Subject: [vpn] Win2K and VPN
Message-ID: <000001c12ba9$c393b830$a114b018@C1743067A>

I'd like to scratch that last thing I said. I guess I am able to browse through some computers but am not able to browse through some of those that I normally do from work. Any ideas why I would be able to browse through some and not others?

David

-----Original Message-----
From: David B. Beegle [mailto:beegled at home.com]
Sent: Wednesday, August 22, 2001 10:53 PM
To: 'kent at dalliesin.com'; 'vpn at securityfocus.com'
Subject: RE: [vpn] Win2K and VPN

Before replying to this message, I read another message submitted by you Kent, another message submitted by Byron Kennedy and another from Chris Lynch. I just want to thank you all so much for the help. You are wonderful. It was the encryption thingy settings that were the problem. I can connect to the network now!!!! After spending what has seemed like forever trying to work through this, I am now able to connect. Yeah!!!! Thank you guys!!!!

To answer another question of yours Kent, yes I have a firewall installed on my computer that a friend recommended to me, Zone Alarm. I guess now I have another question, I am unable to do anything like browse through computers in the network neighborhood when I connect. Is this because of this firewall I have put on my computer?

David

-----Original Message-----
From: Kent Dallas [mailto:kent at dalliesin.com]
Sent: Wednesday, August 22, 2001 10:56 AM
To: beegled at home.com; vpn at securityfocus.com
Subject: RE: [vpn] Win2K and VPN

David,

I suspect Byron's point was that, without additional information, it is impossible to give you decent pointers.
The couple of pieces of new information in your latest email tell us:

1) Other co-workers are successfully using the "VPN solution" (that's good)
2) The VPN solution is based on the capabilities built into MS Win2K (client) and either WinNT or Win2K (server), and not a third party VPN (which limits it to MS PPTP, L2TP, or MS IPSec/L2TP).

Are you getting "Error 691: Access was denied because the username and/or password was invalid on the domain"? If so, you may be very close, and the only problem may be the format of your username (or fat fingering the password, caps lock off - right?). At work, you probably have a domain logon screen, that includes your username, your password, and your NT domain. On your home machine, and the VPN connection, it only asks for your username and password, right? Are you, somehow, providing the NT domain?

Besides this list, three other options available to you:

1) Review your configuration, especially username formats and also connection properties, with those of co-workers who have successful setups, match everything exactly, and see if you get further (or at least get a different error message). This is probably your best option. Or,
2) Research the problem on Microsoft's knowledge base
3) Befriend one of your IT folks who are strong in MS and beg for help

Even without more information, here are a couple of tweaks you may try to see if they will work (I have not previously used MS VPN on my Win2K box, but I was just successful configuring it with these changes - which may or may not work in your environment). In the VPN Connection Properties, choose Security, then select Advanced (Custom Settings). Then select Optional Encryption from the top drop down list, and select the checkboxes for PAP, CHAP, and both MS CHAP options (do not check the "automatically use my Windows logon name...")

If these tweaks at least allow you to create the VPN connection successfully, you may still have some domain logon and name service challenges, but you will at least be closer.

Good Luck,
Kent Dallas
Dalliesin, Inc.

-----Original Message-----
From: David B. Beegle [mailto:beegled at home.com]
Sent: Tuesday, August 21, 2001 9:34 PM
To: 'Byron Kennedy'; vpn at securityfocus.com
Subject: RE: [vpn] Win2K and VPN

From what I understand, it shouldn't cost any money at all. I have a cable modem and I should be able to just use a "Network and Dial-up Connection" to connect to my company's network as long as I know the IP address, right? The people I do work with that have it working don't have any special hardware or software. My IT department told me that I could just login using the same login and password that I use at work. They won't help set it up because they do not own the computer that I use at home. All I did was run the "Make New Connection" wizard and I assumed that would do it, which of course it did not. Was I wrong?

David

-----Original Message-----
From: Byron Kennedy [mailto:byron at markettools.com]
Sent: Tuesday, August 21, 2001 4:00 PM
To: 'beegled at home.com'; vpn at securityfocus.com
Subject: RE: [vpn] Win2K and VPN

Depending on your environment, your question may very well require a blackboard and some budget. It's not really like plugging in a mouse. Otherwise, why wouldn't your IT department just set up the VPN for you?

Byron

-----Original Message-----
From: David B. Beegle [mailto:beegled at home.com]
Sent: Saturday, August 18, 2001 1:47 PM
To: vpn at securityfocus.com
Subject: [vpn] Win2K and VPN

[snip]

From DiazResJ at ncr.disa.mil Thu Aug 23 10:16:17 2001
From: DiazResJ at ncr.disa.mil (Diaz-Resto, Jesus (Contractor))
Date: Thu, 23 Aug 2001 10:16:17 -0400
Subject: [vpn] VPN help request
Message-ID: <985107C86DF3D411A8B60020484016A3769E6B@rbmail103.chamb.disa.mil>

Good morning,

I was surfing across the net looking for info on VPN related subjects and came across your web page. It is an excellent site with a lot of good info and links. My situation is that I'm starting a new project testing VPN and surfing across the net I see no place that defines the basic requirements for a VPN. I need something like recommended amount of tunnels, max allowable throughput, latency etc. I hope you can provide some help.

J.M. Diaz-Resto
JITC/INTEROP
Senior Computer Engineer
diazresj at ncr.disa.mil
Comm: (301) 744-2640
DSN: 354-2640

From shope at energis-eis.co.uk Thu Aug 23 07:46:28 2001
From: shope at energis-eis.co.uk (Stephen Hope)
Date: Thu, 23 Aug 2001 12:46:28 +0100
Subject: [vpn] [Fwd: Re: [fw-wiz] Link encryptors vs. IPSec]
Message-ID: <73BE32DA9E55D511ACF30050BAEA0487458D5B@email.datarange.co.uk>

George,

This is a bit broad brush but should help... I work for a company that has provided all 3 solutions that come to mind for your requirement - Cylink link encryptors, routers with encryption, and VPN gateways. But we don't operate in the US, so no sales bias....

1. Link encryptors (we supply Cylink mainly to banks). V. secure, and allows security admin to be separate from routers and network hardware. Only works over "single hops" - serial link or a frame PVC. Uses proprietary management - you need management for some configs (not leased line). Uses Diffie-Hellman and auto key exchange. Designed for the seriously paranoid - e.g. open the case and the current keys get wiped. Basically - very easy to use once set up. Very secure - standard for some banking applications. Meets some military specs around the world. For the app you describe, you would need 2 different pairs of link encryptors, 1 for leased line, and 1 for ISDN - I have not used any dialup kit in this config. Note - Cylink make Ethernet to Ethernet encapsulation encryptors, which can be used as "black box" VPN gateways as well.

2. Routers with encryption - comes in s/w and hardware variants, and you need hardware to offload the CPU of the routers for "reasonable" performance, esp. with 3DES. For Cisco, management is integrated into the IOS. You can encrypt across both link types, or you could define a "tunnel" between LAN interfaces and encrypt that, then use route and traffic filters to force the flows over the encrypted link.
Because the router sees both the "raw" and the encrypted link, you need to use filtering to protect it if the link is accessible to others (and if it wasn't, you wouldn't need encryption?). This should give you the minimum cost, although encryption will mean a hardware accelerator and maybe a bigger router. Use the recent Cisco boxes if that manufacturer suits - 17xx, 26xx, 36xx as they support the hardware encryptors.

3. VPN gateways - if you structure your design as if the WAN links are internet-like, then the topology is exactly what VPN gateways were designed to secure - the ISDN and leased line with the routers that drive them sit on the "insecure" side of the gateways. Some firewalls can provide the VPN gateway - I have worked with both Cisco PIX and Nokia / Checkpoint, and both work well. The main issues here are managing the routers.

More generally - you need to test it thoroughly - a security scanner and some traffic load software will be needed. I don't know of any way to verify that an encryptor is working at the "strength" it claims, but if I have to trust a manufacturer for this then I would be most comfortable with the Cylink kit as their stuff gets verified by various commercial and military users.

Let me know what happens, and if I can help with more detail - good luck.

regards

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: George Capehart [mailto:capegeo at opengroup.org]
> Sent: 21 August 2001 00:58
> To: vpn at securityfocus.com
> Subject: [vpn] [Fwd: Re: [fw-wiz] Link encryptors vs. IPSec]
>
> Thanks. I'm looking forward to the replies.
>
> -------- Original Message --------
> Subject: Re: [fw-wiz] Link encryptors vs. IPSec
> Date: Mon, 20 Aug 2001 09:42:19 -0500 (CDT)
> From: Tina Bird
> To: George Capehart
>
> George -- Could you please send this to the VPN mailing list (vpn at securityfocus.com)? This is >>exactly< the kind of question that group likes to work on...
>
> Thanks very much -- Tina Bird
> VPN List Moderator
>
> On Sat, 18 Aug 2001, George Capehart wrote:
>
> > Date: Sat, 18 Aug 2001 00:27:55 -0400
> > From: George Capehart
> > To: firewall-wizards at nfr.com
> > Subject: [fw-wiz] Link encryptors vs. IPSec
> >
> > Hello Wizards,
> >
> > I have a slightly off-topic question that mjr probably won't let through, but since I can't think of a more appropriate list, I'll ask it here. (Pointers to more appropriate lists/newsgroups would be appreciated). Since it is somewhat off-topic, I would be happy to accept private replies. If it is of interest, I will publish a summary of the responses I receive. Here goes:
> >
> > The requirement is to provide over-the-wire privacy between two organizations. There are two links between the organizations, a dedicated leased line as the primary link, an ISDN dialup line as the backup link. For various reasons out of my control, one of the organizations wants all of the traffic that flows through its border routers to be in the clear so that they can monitor it. The other organization does not want traffic between the organizations to be subject to eavesdropping. The two classes of options to solve the problem seem to be:
> > - Use link encryptors (like Cylink) between the routers and the telecomm interfaces, or
> > - Use IPSec on the public side of the routers.
> >
> > I am agnostic with respect to the solution. I have a personal bias, but it's based on the KISS principle and it seems to me that the link encryptor option is a little simpler than is using IPSec. At least that has been my (admittedly limited) experience. I do not want to start a flame war, but I would truly like to hear the opinions and experiences of others who have worked with one or both (preferably both) of the options. I need information that can help me weigh the decision one way or the other.
> >
> > I know that the details are very scarce. This is because the solution to this problem will drive many other design assumptions and decisions.
> >
> > Thanks in advance.
> >
> > Best regards,
> >
> > George Capehart
> > --
> > George W. Capehart Phone: +1 704.953.1209
> > Fax: +1 704.853.2624
> >
> > SMS Messaging: http://www.mobile.att.net/mc/personal/pager_show.html
> > or
> > mailto: 7049531209 at mobile.att.net
> >
> > "Does getiud() halt the spawning of child processes?"
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards at nfr.com
> > http://list.nfr.com/mailman/listinfo/firewall-wizards
>
> VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
> life: http://kubarb.phsx.ukans.edu/~tbird
> work: http://www.counterpane.com

From kimcox97 at yahoo.com Thu Aug 23 12:56:38 2001
From: kimcox97 at yahoo.com (kim cox)
Date: Thu, 23 Aug 2001 09:56:38 -0700 (PDT)
Subject: [vpn] wireless lan vpn
Message-ID: <20010823165638.4242.qmail@web20310.mail.yahoo.com>

I have a wireless LAN (802.11b) that I am trying to tunnel through an IPSec VPN. The network configuration is:

laptops--->wireless AP--->VPN---internal network---->fw(w/ NAPT)--->Internet

I want to terminate the VPN tunnel at the VPN immediately behind the wireless access point and provide access to the internal network (10.10.10.0 network) and the Internet (have only one public IP). I have added default routes to the fw and VPN and normal, non-vpn traffic works fine. When I try to set up the VPN tunnel, I have issues.
First, I'm not sure how to create a tunnel that controls all IP traffic (the VPN is a Rapidstream VPN using SafeNet's VPN client). I tried creating a tunnel just to the 10.10.10.0 network (the default gateway for the VPN is the internal interface of the firewall, 10.10.10.1). The tunnel was successfully created, but none of the traffic would go through correctly.

Any ideas or suggestions? Am I going about this 802.11b VPN thing the wrong way?

Thanks,
Kim

__________________________________________________
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/

From beegled at home.com Fri Aug 24 00:54:17 2001
From: beegled at home.com (David B. Beegle)
Date: Thu, 23 Aug 2001 21:54:17 -0700
Subject: [vpn] Win2K and VPN
Message-ID: <000301c12c58$d4e535a0$a114b018@C1743067A>

The problem I am now running into is that I am able to browse through some computers on the network without a problem and not able to browse through some other computers at all, which I do have permissions for when I am at work using my computer there. Is there something special I need to do to let the network know I have access to the specific computers?

Thank you.

David

-----Original Message-----
From: Gregory (Greg) D. Nowicki [mailto:greg at nowicki.org]
Sent: Thursday, August 23, 2001 8:28 AM
To: beegled at home.com
Subject: RE: [vpn] Win2K and VPN

Quoting "David B. Beegle" :
> My company does use a firewall. That's about all I know. Do I need to know the firewall settings?
>
> David
[snip]

David,

Reading e-mail farther on, it looks like you solved your problem. If you were running a local firewall, you would need to open a hole in it for you to pass gre (pptp/vpn) traffic. It would be the same on the corporate end.

Good luck,

Greg

From DReinlieb at tribry.com Fri Aug 24 10:59:24 2001
From: DReinlieb at tribry.com (David R. Reinlieb)
Date: Fri, 24 Aug 2001 10:59:24 -0400
Subject: [vpn] Proxy
Message-ID:

Hey, great site. I have a server set up with Proxy Server, and a client PC set up with Proxy Client. VPN traffic will not pass through the server from the client PC. How can I fix this, opening ports? I could not find it on your site. Please HELP.

Dave Reinlieb

From c-michael.braun at wcom.com Fri Aug 24 16:45:57 2001
From: c-michael.braun at wcom.com (Michael J. Braun)
Date: Fri, 24 Aug 2001 16:45:57 -0400
Subject: [vpn] V-One
Message-ID: <0GIL00I40B1MX3@pmismtp02.wcomnet.com>

Anyone have any insight, hands-on experience, or good comments on the V-One product suite? I'm looking in particular for functionality, bugginess, performance and scalability in general.

Thanks

Mike Braun
Network Engineer
c-michael.braun at wcom.com

From beegled at home.com Fri Aug 24 20:27:07 2001
From: beegled at home.com (David B. Beegle)
Date: Fri, 24 Aug 2001 17:27:07 -0700
Subject: [vpn] Win2K and VPN
In-Reply-To: <998675463.3b869407d0b2c@webmail.demandindustries.net>
Message-ID: <000001c12cfc$b8f74c80$a114b018@C1743067A>

I know this stuff is completely basic for you guys but for me this is like magic. Thanks so much for the help!!!! I really appreciate it. This is fantastic. Thank you all.

-----Original Message-----
From: Gregory (Greg) D. Nowicki [mailto:greg at nowicki.org]
Sent: Friday, August 24, 2001 10:51 AM
To: beegled at home.com
Subject: RE: [vpn] Win2K and VPN

Quoting "David B. Beegle" :
> The problem I am now running into is that I am able to browse through some computers on the network without a problem and not able to browse through some other computers at all, which I do have permissions for when I am at work using my computer there. Is there something special I need to do to let the network know I have access to the specific computers? Thank you.
>
> David
[snip]

As I said in my earlier e-mail to you, browsing may not always work. But mapping a network drive using "net use" commands always should.

Greg

From mike at advanced-info.com Mon Aug 27 11:08:55 2001
From: mike at advanced-info.com (Michael J. Daveler)
Date: Mon, 27 Aug 2001 11:08:55 -0400
Subject: [vpn] VPN Benchmark Testing
Message-ID:

FYI: A Network Computing article points to a hands-on VPN tool that will allow you to test VPN products in a real-world situation and assess performance against industry benchmarks. The tool, called CMPmetrics for VPNs, requires the Chariot testing software, which has a link to a trial version. The article is posted at http://www.nwc.com/cmpmetrics/downloadvpn.html .

----------------------------------------------------------------------
Michael J. Daveler, President
Advanced Information Solutions, Inc.
Telephone: (215) 579-0575
Fax: (267) 200-0530
EMAIL: mike at advanced-info.com
Web page: http://www.advanced-info.com
Member: Computer Security Institute; American Management Association
----------------------------------------------------------------------

From JLebowitsch at imperito.com Mon Aug 27 14:22:29 2001
From: JLebowitsch at imperito.com (Lebowitsch, Jonathan)
Date: Mon, 27 Aug 2001 11:22:29 -0700
Subject: [vpn] ISPs that block IPSec traffic
Message-ID:

Hi all, does anyone have a current list of such ISPs?

=======================
Jonathan (Yoni) Lebowitsch
Senior Systems Engineer
Imperito Networks
Tel: (408) 450-6272
Mobile: (415) 336-5436
Fax: (408) 450-6201
www.imperito.com
=======================

From MTaveroff at coradiant.com Tue Aug 28 08:15:42 2001
From: MTaveroff at coradiant.com (MTaveroff at coradiant.com)
Date: Tue, 28 Aug 2001 08:15:42 -0400
Subject: [vpn] PIX firewall 520 version 5.1(3) and Netscreen-5
Message-ID:

Hello,

Does anyone have any experience working with a PIX firewall 520 version 5.1(3) and netscreen-5? I would like to create a secure VPN tunnel between the two and am not too sure which type of config to use. Any help would be appreciated.

Thanks,
- M

From carlsonmail at yahoo.com Tue Aug 28 10:27:58 2001
From: carlsonmail at yahoo.com (Chris Carlson)
Date: Tue, 28 Aug 2001 07:27:58 -0700 (PDT)
Subject: [vpn] How many are considering managed services?
Message-ID: <20010828142758.55948.qmail@web13901.mail.yahoo.com>

Hi all,

Quick poll (and discussion) for the list:

How many are considering or currently have managed security services?

While most of the participants that publish to this list are technical and no doubt would elect to manage their own VPN, you probably are feeling the business pressures and reasons to outsource:

- 24x7 support and monitoring
- keep up with security events and patches
- get new versions and features more quickly
- cost savings
- etc.

Is this a common theme in enterprises today? I think the VPN vendors and ISP people lurking on this list would be curious, too! :-)

Also, if you're considering or have managed security services from your ISP or dedicated MSP, what other services are you thinking about?

- Anti-Virus
- URL Filtering
- Bandwidth Management
- etc.

This list has been a little quiet (I know it's summer vacation time), so I thought I'd perk it up with active discussions!

Thanks all!

Chris
--

From conny at gbg.dimension.se Tue Aug 28 10:33:56 2001
From: conny at gbg.dimension.se (Conny Stefors)
Date: Tue, 28 Aug 2001 16:33:56 +0200
Subject: [vpn] [Fwd: Solaris 8 and IPSEC]
Message-ID: <3B8BABD4.3519374A@gbg.dimension.se>

Is there really not anybody with this competence on the list?
Conny Stefors wrote:
>
> Hi,
> Is there anybody out there who is familiar with configuring VPN with the IPSEC feature in Solaris 8?
>
> I've read the man pages, but those are not enough for me ;-)
>
> What I want to accomplish is to have two Solaris 8 machines have all the network communication between them encrypted with IPSEC.
>
> Cheers,
> //Conny

From Dan.McGinn-Combs at geac.com Tue Aug 28 10:40:45 2001
From: Dan.McGinn-Combs at geac.com (Dan McGinn-Combs)
Date: Tue, 28 Aug 2001 10:40:45 -0400
Subject: [vpn] [Fwd: Solaris 8 and IPSEC]
Message-ID: <67E150D4D792D411A7B900D0B74D55A2025E3B4B@atlexg02.gama.us.geac.com>

Perhaps the competent ones are quiet.

-----Original Message-----
From: Conny Stefors [mailto:conny at gbg.dimension.se]
Sent: Tuesday, August 28, 2001 10:34 AM
To: vpn at securityfocus.com
Subject: [vpn] [Fwd: Solaris 8 and IPSEC]

Is there really not anybody with this competence on the list?

Conny Stefors wrote:
>
> Hi,
> Is there anybody out there who is familiar with configuring VPN with the IPSEC feature in Solaris 8?
>
> I've read the man pages, but those are not enough for me ;-)
>
> What I want to accomplish is to have two Solaris 8 machines have all the network communication between them encrypted with IPSEC.
>
> Cheers,
> //Conny

From jrdepriest at ftb.com Tue Aug 28 10:38:51 2001
From: jrdepriest at ftb.com (DePriest, Jason R.)
Date: Tue, 28 Aug 2001 09:38:51 -0500
Subject: [vpn] How many are considering managed services?
Message-ID:

We are considering the following VPN solutions: Intelispan Inteligate managed VPN solution, Qwest managed VPN solution, Symantec Enterprise VPN (formerly Axent PowerVPN), Nokia CryptoCluster 500.
The managed solutions have the following benefits: they send out the client software to the end-users; they also send software (if requested) to make sure that the end-user system has the latest patches installed on it; all we have to provide them is a dedicated leased line connection into our network; and, best of all, they provide a 24/7 help desk for end-users to call. They are more expensive from the end-user's perspective because there is a monthly fee involved, instead of the in-house VPN solutions that we would more than likely make available for "free" as an extension of Intranet and Email access.

We are leaning towards Intelispan and the other division involved in this process is leaning towards Qwest. Regardless of which way we go, managing several thousand VPN clients is definitely the job of a specialty company and not something you want an already overtaxed IT department trying to do when they have time.

Thank you!

Jason R DePriest, GSEC, GCFW
Intranet Web Administrator II
voice - (901) 523-5975
fax - (901) 523-5527

-----Original Message-----
From: Chris Carlson [mailto:carlsonmail at yahoo.com]
Sent: Tuesday, August 28, 2001 9:28 AM
To: vpn at securityfocus.com
Subject: [vpn] How many are considering managed services?

Hi all,

Quick poll (and discussion) for the list:

How many are considering or currently have managed security services?

While most of the participants that publish to this list are technical and no doubt would elect to manage their own VPN, you probably are feeling the business pressures and reasons to outsource:

- 24x7 support and monitoring
- keep up with security events and patches
- get new versions and features more quickly
- cost savings
- etc.

Is this a common theme in enterprises today? I think the VPN vendors and ISP people lurking on this list would be curious, too! :-)

Also, if you're considering or have managed security services from your ISP or dedicated MSP, what other services are you thinking about?
- Anti-Virus
- URL Filtering
- Bandwidth Management
- etc.

This list has been a little quiet (I know it's summer vacation time), so I thought I'd perk it up with active discussions!

Thanks all!

Chris
--

From rdelatorre at intercontinentalbank.com.uy Tue Aug 28 10:52:47 2001
From: rdelatorre at intercontinentalbank.com.uy (Ricardo de la Torre)
Date: Tue, 28 Aug 2001 11:52:47 -0300
Subject: [vpn] How many are considering managed services?
Message-ID: <31590F048259D211A5C600805FCB060223B85D@exchange.intercontinentalbank.com.uy>

It's interesting! I am both curious and seriously considering outsourcing. Several reasons include costs, lack of own resources, monitoring and maintenance (I would consider different offers and analyze the whole pack of value added services for the money).

Cheers,
Ricardo.

> -----Original Message-----
> From: Chris Carlson [SMTP:carlsonmail at yahoo.com]
> Sent: Tuesday, August 28, 2001 11:28 AM
> To: vpn at securityfocus.com
> Subject: [vpn] How many are considering managed services?
>
> Hi all,
>
> Quick poll (and discussion) for the list:
>
> How many are considering or currently have managed security services?
>
> While most of the participants that publish to this list are technical and no doubt would elect to manage their own VPN, you probably are feeling the business pressures and reasons to outsource:
>
> - 24x7 support and monitoring
> - keep up with security events and patches
> - get new versions and features more quickly
> - cost savings
> - etc.
>
> Is this a common theme in enterprises today? I think the VPN vendors and ISP people lurking on this list would be curious, too! :-)
>
> Also, if you're considering or have managed security services from your ISP or dedicated MSP, what other services are you thinking about?
>
> - Anti-Virus
> - URL Filtering
> - Bandwidth Management
> - etc.
>
> This list has been a little quiet (I know it's summer vacation time), so I thought I'd perk it up with active discussions!
>
> Thanks all!
>
> Chris
> --

From tbird at precision-guesswork.com Tue Aug 28 08:41:45 2001
From: tbird at precision-guesswork.com (Tina Bird)
Date: Tue, 28 Aug 2001 07:41:45 -0500 (CDT)
Subject: [vpn] [Fwd: Solaris 8 and IPSEC]
In-Reply-To: <67E150D4D792D411A7B900D0B74D55A2025E3B4B@atlexg02.gama.us.geac.com>
Message-ID:

In all of the vast numbers of people to whom I've spoken about VPN, I've never met one in person (or via the Internet) who had used the Solaris IPsec functionality. That may be the only answer there is, Conny -- you might have more luck pursuing assistance within Sun *ahem*.

I am hereby stifling non-technical postings in this thread.

On Tue, 28 Aug 2001, Dan McGinn-Combs wrote:

> Date: Tue, 28 Aug 2001 10:40:45 -0400
> From: Dan McGinn-Combs
> To: vpn at securityfocus.com
> Subject: RE: [vpn] [Fwd: Solaris 8 and IPSEC]
>
> Perhaps the competent ones are quiet.
>
> -----Original Message-----
> From: Conny Stefors [mailto:conny at gbg.dimension.se]
> Sent: Tuesday, August 28, 2001 10:34 AM
> To: vpn at securityfocus.com
> Subject: [vpn] [Fwd: Solaris 8 and IPSEC]
>
> Is there really not anybody with this competence on the list?
>
> Conny Stefors wrote:
> >
> > Hi,
> > Is there anybody out there who is familiar with configuring VPN with the IPSEC feature in Solaris 8?
> >
> > I've read the man pages, but those are not enough for me ;-)
> >
> > What I want to accomplish is to have two Solaris 8 machines have all the network communication between them encrypted with IPSEC.
> >
> > Cheers,
> > //Conny

LogAnalysis: http://kubarb.phsx.ukans.edu/~tbird/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

From schlitt at world.std.com Tue Aug 28 12:02:55 2001
From: schlitt at world.std.com (Dan Schlitt)
Date: Tue, 28 Aug 2001 12:02:55 -0400 (EDT)
Subject: [vpn] [Fwd: Solaris 8 and IPSEC]
In-Reply-To: <67E150D4D792D411A7B900D0B74D55A2025E3B4B@atlexg02.gama.us.geac.com>
Message-ID:

I spent some time playing with the Solaris 8 IPSEC. My specific interest was in interoperability with IPSEC packages for NT. That was a complete failure. However, I would think that a Sun to Sun setup would be workable. As I recall I found a useful document in addition to the man pages. Since all of that stuff is packed away right now I can't provide the reference. My best guess right now is that it was in the documentation that came among the Solaris 8 CDs.

/dan

--
Dan Schlitt
schlitt at world.std.com

On Tue, 28 Aug 2001, Dan McGinn-Combs wrote:

> Perhaps the competent ones are quiet.
>
> -----Original Message-----
> From: Conny Stefors [mailto:conny at gbg.dimension.se]
> Sent: Tuesday, August 28, 2001 10:34 AM
> To: vpn at securityfocus.com
> Subject: [vpn] [Fwd: Solaris 8 and IPSEC]
>
> Is there really not anybody with this competence on the list?
>
> Conny Stefors wrote:
> >
> > Hi,
> > Is there anybody out there who is familiar with configuring VPN with the IPSEC feature in Solaris 8?
> >
> > I've read the man pages, but those are not enough for me ;-)
> >
> > What I want to accomplish is to have two Solaris 8 machines have all the network communication between them encrypted with IPSEC.
> >
> > Cheers,
> > //Conny

From pk_786 at lycos.com Tue Aug 28 14:22:23 2001
From: pk_786 at lycos.com (poornima kalahasty)
Date: Tue, 28 Aug 2001 23:52:23 +0530
Subject: [vpn] Doubts Regarding VPN
Message-ID:

Dear Sir/Madam

I would like to clarify as to:

1) What are pay sites, and can they be called VPNs?
2) What are tunnels? Why do we go for tunnels in VPN? Can it be implemented without tunneling protocols?
3) What are the standard tunneling protocols? Are they used in combination or separately?

Thanking you
yours truly
k.poornima

Get 250 color business cards for FREE!
http://businesscards.lycos.com/vp/fastpath/

From cgripp at axcelerant.com Tue Aug 28 14:36:52 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Tue, 28 Aug 2001 11:36:52 -0700
Subject: [vpn] How many are considering managed services?
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF016C9E@guam.corp.axcelerant.com>

Well,

We do the outsourcing and our model is focused entirely on the remote access piece. We leave the Anti-Virus, URL filtering, etc. to the company. We have been approached to provide similar services for existing customers and may include them sometime in the future.

I would say outsourcing is more common among larger enterprises than in the small to midsize companies. For example, we have mostly F1000 accounts. The economies of scale are more evident when you are talking 5000 users as opposed to 500. Although, we do have customers even in the 100-300 user range also.
Certain companies, and it is more of a philosophy I think, prefer outsourcing as much as possible while others have the normal apprehensions regarding the matter.

One of the benefits most managed solutions don't provide is a large footprint. For instance, if you go with AT&T or Qwest to manage the VPN then the only users they will support are those with their service. We have contracts with numerous providers across the country and manage connections for all of them. We also provide the provisioning services for the telecommuter line if needed. So, whether you have pre-existing service or need to qualify for and order new service, we do that piece too. That is probably our biggest differentiator. We are essentially provider and vendor agnostic. YOU decide what you want and we do all the dirty work: design, test, order, deploy, support (24x7), reporting on SLA's, etc. Things that an internal group would probably prefer not to deal with.

Christopher S. Gripp
Systems Engineer
Axcelerant

-----Original Message-----
From: Chris Carlson [mailto:carlsonmail at yahoo.com]
Sent: Tuesday, August 28, 2001 7:28 AM
To: vpn at securityfocus.com
Subject: [vpn] How many are considering managed services?

Hi all,

Quick poll (and discussion) for the list:

How many are considering or currently have managed security services?

While most of the participants that publish to this list are technical and no doubt would elect to manage their own VPN, you probably are feeling the business pressures and reasons to outsource:

- 24x7 support and monitoring
- keep up with security events and patches
- get new versions and features more quickly
- cost savings
- etc.

Is this a common theme in enterprises today? I think the VPN vendors and ISP people lurking on this list would be curious, too! :-)

Also, if you're considering or have managed security services from your ISP or dedicated MSP, what other services are you thinking about?

- Anti-Virus
- URL Filtering
- Bandwidth Management
- etc.
This list has been a little quiet (I know it's summer vacation time), so I thought I'd perk it up with active discussions!

Thanks all!

Chris
--

From cgripp at axcelerant.com Tue Aug 28 14:40:32 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Tue, 28 Aug 2001 11:40:32 -0700
Subject: [vpn] ISPs that block IPSec traffic
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF3391F7@guam.corp.axcelerant.com>

As far as we know they have all said they might/will but haven't. If anyone knows otherwise I would be interested in hearing about them. If they are doing it I'd imagine it is a smaller ISP just jumping on the bandwagon they heard coming.

Christopher S. Gripp
Systems Engineer
Axcelerant

-----Original Message-----
From: Lebowitsch, Jonathan [mailto:JLebowitsch at imperito.com]
Sent: Monday, August 27, 2001 11:22 AM
To: 'vpn at securityfocus.com'
Subject: [vpn] ISPs that block IPSec traffic

Hi all, does anyone have a current list of such ISPs?

=======================
Jonathan (Yoni) Lebowitsch
Senior Systems Engineer
Imperito Networks
Tel: (408) 450-6272
Mobile: (415) 336-5436
Fax: (408) 450-6201
www.imperito.com
=======================

From dorsey at colquitt.org Tue Aug 28 18:57:29 2001
From: dorsey at colquitt.org (J . Dorsey)
Date: Tue, 28 Aug 2001 17:57:29 -0500
Subject: [vpn] inbound acl on PIX VPN
Message-ID: <20010828175729.A23323@colquitt.org>

How can I apply an acl (or other control) to traffic received by a PIX firewall through a VPN tunnel?

My search turned up only controls on inbound traffic on interfaces, and outbound VPN traffic. I could control this at the other end of the tunnel, but the other end may be untrusted.
I'm currently at 5.2(X) on the PIX. Any help or pointer to TFM is appreciated.

Cheers,
John

From mikef at pocketlint.com Tue Aug 28 22:18:03 2001
From: mikef at pocketlint.com (Mike Forrester)
Date: Tue, 28 Aug 2001 20:18:03 -0600
Subject: [vpn] [Fwd: Solaris 8 and IPSEC]
In-Reply-To:
Message-ID:

You might also want to try the focus-sun list if you don't get your answer here. There are a few Sun engineers that subscribe to the list who can probably help you out.

Mike

> -----Original Message-----
> From: Tina Bird [mailto:tbird at precision-guesswork.com]
> Sent: Tuesday, August 28, 2001 6:42 AM
> To: Dan McGinn-Combs
> Cc: vpn at securityfocus.com
> Subject: RE: [vpn] [Fwd: Solaris 8 and IPSEC]
>
> In all of the vast numbers of people to whom I've spoken about VPN, I've never met one in person (or via the Internet) who had used the Solaris IPsec functionality. That may be the only answer there is, Conny -- you might have more luck pursuing assistance within Sun *ahem*.
>
> I am hereby stifling non-technical postings in this thread.
>
> On Tue, 28 Aug 2001, Dan McGinn-Combs wrote:
>
> > Date: Tue, 28 Aug 2001 10:40:45 -0400
> > From: Dan McGinn-Combs
> > To: vpn at securityfocus.com
> > Subject: RE: [vpn] [Fwd: Solaris 8 and IPSEC]
> >
> > Perhaps the competent ones are quiet.
> >
> > -----Original Message-----
> > From: Conny Stefors [mailto:conny at gbg.dimension.se]
> > Sent: Tuesday, August 28, 2001 10:34 AM
> > To: vpn at securityfocus.com
> > Subject: [vpn] [Fwd: Solaris 8 and IPSEC]
> >
> > Is there really not anybody with this competence on the list?
> >
> > Conny Stefors wrote:
> > >
> > > Hi,
> > > Is there anybody out there who is familiar with configuring VPN with the IPSEC feature in Solaris 8?
> > >
> > > I've read the man pages, but those are not enough for me ;-)
> > >
> > > What I want to accomplish is to have two Solaris 8 machines have all the network communication between them encrypted with IPSEC.
> > >
> > > Cheers,
> > > //Conny
>
> LogAnalysis: http://kubarb.phsx.ukans.edu/~tbird/log-analysis.html
> VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
> life: http://kubarb.phsx.ukans.edu/~tbird
> work: http://www.counterpane.com

From dgillett at deepforest.org Wed Aug 29 02:42:11 2001
From: dgillett at deepforest.org (dgillett at deepforest.org)
Date: Tue, 28 Aug 2001 23:42:11 -0700
Subject: [vpn] How many are considering managed services?
In-Reply-To: <20010828142758.55948.qmail@web13901.mail.yahoo.com>
Message-ID: <3B8C2C53.24860.7225240F@localhost>

On 28 Aug 2001, at 7:27, Chris Carlson wrote:

> While most of the participants that publish to this list are technical and no doubt would elect to manage their own VPN, you probably are feeling the business pressures and reasons to outsource:
>
> - 24x7 support and monitoring
> - keep up with security events and patches
> - get new versions and features more quickly
> - cost savings
> - etc.

To my mind, one of the compelling reasons why startups would be likely to elect to outsource is that they often (*) have more cash in the bank than diversity of expertise on the payroll. Buy-versus-build becomes a fairly simple decision to make.

(*) This opinion was formed, of course, months ago, if not even a year, when VC funding was much more plentiful than it seems to be at the moment. The decision between paying an outside vendor, and paying an employee who you can let go if you outsource, is probably less straightforward.
David Gillett

From carlsonmail at yahoo.com Wed Aug 29 09:51:54 2001
From: carlsonmail at yahoo.com (Chris Carlson)
Date: Wed, 29 Aug 2001 06:51:54 -0700 (PDT)
Subject: [vpn] How many are considering managed services?
In-Reply-To: <3B8C2C53.24860.7225240F@localhost>
Message-ID: <20010829135154.51600.qmail@web13903.mail.yahoo.com>

--- dgillett at deepforest.org wrote:
> On 28 Aug 2001, at 7:27, Chris Carlson wrote:
>
> > - 24x7 support and monitoring
> > - keep up with security events and patches
> > - get new versions and features more quickly
> > - cost savings
> > - etc.
>
> To my mind, one of the compelling reasons why startups would be likely to elect to outsource is that they often (*) have more cash in the bank than diversity of expertise on the payroll. Buy-versus-build becomes a fairly simple decision to make.
>

Well, not necessarily start-ups. 24x7 support is expensive, especially if they don't have enough work to do besides warm a seat at 3AM in case something happens. With managed services, you get those economies of scale, such that someone at 3AM in an outsourced SOC can support 10 or 20 customers, since not much happens at that time, but when something does happen to one of the customers, you want to RESPOND RIGHT NOW!

I see this with managed IDS (intrusion detection); a lot of companies feel that IDS is an extension or overlay for their security protection, something they would like, but not spend $100,000 in IDS SW/HW and 3-5 personnel for 24x7, but outsource at $2,000/mo per sensor. And if the outsourcer isn't that good, well, it won't affect the security that you're maintaining in-house. (uh, hopefully)

A lot of the financial institutions are doing just that, layering their protection by outsourcing the IDS portion. They still have in-house folks manage the firewalls and review logs, and have other third-party companies do ethical hacking to make sure that the IDS outsourcer isn't falling asleep.
As for VPNs, that's too close to call. How are people viewing VPNs: as a security technology that must be clamped down tight because you're going over the Internet, or as a cost-effective connection lower than leased lines or Frame Relay? NO ONE rolls their own leased lines or Frame Relay, meaning you have to buy the circuits from a carrier and they can see ALL your data. Financial and military encrypt over Frame Relay; how many of you do?

Firewall protection is another matter. If the outsourcer messes up, then that could be a huge exposure. But how about other "non-core" security services: anti-virus protection, URL filtering, bandwidth management, device health check, host-based IDS, etc.? Outsourcers are supposed to take the load off IT staff and help them do their core job better. Setting up 6 different point solutions to better "manage" their Internet connection and resources might not be their core job. Hence the decision to outsource.

Wow... pretty deep for a summer discussion, eh? :-)

Thoughts anyone?

Chris
--

From djdawso at qwest.com Wed Aug 29 10:35:21 2001
From: djdawso at qwest.com (Dana J. Dawson)
Date: Wed, 29 Aug 2001 09:35:21 -0500
Subject: [vpn] inbound acl on PIX VPN
References: <20010828175729.A23323@colquitt.org>
Message-ID: <3B8CFDA9.8D53F0E5@qwest.com>

"J . Dorsey" wrote:
>
> How can I apply an acl (or other control) to traffic received by a PIX firewall through a VPN tunnel?
>
> My search turned up only controls on inbound traffic on interfaces, and outbound VPN traffic. I could control this at the other end of the tunnel, but the other end may be untrusted.
>
> I'm currently at 5.2(X) on the PIX. Any help or pointer to TFM is appreciated.
>
> Cheers,
> John

If you use the "sysopt connection permit-ipsec" command, you're telling the PIX to implicitly trust anything coming in via IPSec (i.e. the IPSec protocols & ports, as well as the IPSec encapsulated traffic). From the documentation, it sounds like you could do what you want by leaving that command out and adding the appropriate permit lines in your ACL to allow your IPSec traffic.

Good luck!

Dana

--
Dana J. Dawson            djdawso at qwest.com
Senior Staff Engineer     CCIE #1937
Qwest Global Services     (612) 664-3364
Qwest Communications      (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

"Hard is where the money is."

From martin.bilgrav at eds.com Thu Aug 30 05:56:43 2001
From: martin.bilgrav at eds.com (Bilgrav, Martin)
Date: Thu, 30 Aug 2001 10:56:43 +0100
Subject: [vpn] RE: inbound acl on PIX VPN
Message-ID:

Hiya,

In your Crypto map you specify an ACL for the traffic that is identified as traffic that needs encryption. Then in this ACL you make your statements. And remember to make this ACL reversible if you are using pix-to-pix tunnels.

hth
Martin Bilgrav

-----Original Message-----
From: J . Dorsey [mailto:dorsey at colquitt.org]
Sent: Wednesday, August 29, 2001 12:57 AM
To: VPN mailing list
Subject: inbound acl on PIX VPN

How can I apply an acl (or other control) to traffic received by a PIX firewall through a VPN tunnel?

My search turned up only controls on inbound traffic on interfaces, and outbound VPN traffic. I could control this at the other end of the tunnel, but the other end may be untrusted.

I'm currently at 5.2(X) on the PIX. Any help or pointer to TFM is appreciated.
Cheers,
John

From Sean.McCreanor at didata.com.au Wed Aug 29 23:37:23 2001
From: Sean.McCreanor at didata.com.au (Sean McCreanor)
Date: Thu, 30 Aug 2001 13:37:23 +1000
Subject: [vpn] inbound acl on PIX VPN
In-Reply-To: <20010828175729.A23323@colquitt.org>
Message-ID: <000301c13105$14be5520$b822b694@metapod>

Hi John,

The only way to do this, I believe, is to restrict the actual crypto ACL's for the inbound traffic, i.e. rather than applying a permit ip type ACL, be more restrictive with something like permit tcp/udp and define the services. The other thing to keep in mind is to ensure that the ACL's are symmetrical on both termination points, otherwise you may get unpredictable behavior.

With IOS you could do this with a 'single legged' router, i.e. terminating the VPN on a single Ethernet i/f and routing the decrypted traffic back out this interface. You just need to define an ACL for the decrypted traffic and apply it inbound to the interface. The router will decrypt the traffic that matches the crypto map, and then apply the access-list to the traffic once it is decrypted.

Anyway, hope this helps.

Sean.

Sean McCreanor
Security Engineer
Dimension Data Australia
121-127 Harrington Street
Sydney Australia 2000
Phone +61 2 8249 5086
Mobile +61 418 485 312

-----Original Message-----
From: J . Dorsey [mailto:dorsey at colquitt.org]
Sent: Wednesday, 29 August 2001 8:57 AM
To: VPN mailing list
Subject: [vpn] inbound acl on PIX VPN

How can I apply an acl (or other control) to traffic received by a PIX firewall through a VPN tunnel?

My search turned up only controls on inbound traffic on interfaces, and outbound VPN traffic. I could control this at the other end of the tunnel, but the other end may be untrusted.

I'm currently at 5.2(X) on the PIX. Any help or pointer to TFM is appreciated.
Cheers,
John

From jlz at synlab.com Thu Aug 30 16:18:52 2001
From: jlz at synlab.com (Jian Zhen)
Date: Thu, 30 Aug 2001 13:18:52 -0700
Subject: [vpn] How many are considering managed services?
In-Reply-To: <20010828142758.55948.qmail@web13901.mail.yahoo.com>; from carlsonmail@yahoo.com on Tue, Aug 28, 2001 at 07:27:58AM -0700
References: <20010828142758.55948.qmail@web13901.mail.yahoo.com>
Message-ID: <20010830131852.A94001@wormhole.synlab.com>

[Full Disclosure: I work for Managed Security Services of Exodus Communications.]
[Disclaimer: Anything I say here will be my own opinion and not my employer's.]

There are many reasons why outsourcing sometimes is a cheaper and better way to go. Note that I said "sometimes", because everything depends on your requirements. If your requirement is that every security device must be in house and only 2 admins will have access to them, then outsourcing is not for you. So the first thing you need to do is document your requirements.

So here are some reasons why I think outsourcing is an option.

1. Cost - MSSPs such as Exodus MSS can get much better deals from vendors than you can on your own. So the cost of hardware and software will be cheaper.
Let's do some simple calculations. If you decide to do firewalls in-house, the cost of a pair of PIX 525 retail + maintenance + 3DES license is about $40k. The cost of a dedicated security engineer + training will cost you about $110k (low figure). Take that over 3 years (that's usually how long companies will depreciate equipment). That gives you over $10k/month. You can get it for much cheaper with an MSSP.

2. Hardware Upgrades - This section may be different for different MSSPs, so be sure to ask if you are looking to outsource. Basically, hardware will be obsolete quickly. If you buy your own hardware, in 3 years you will have to spend money upgrading. But if you go with an MSSP, you can get the hardware upgrade for free. For example, let's say Nokia decides to upgrade their IP330 platform from the current processor to a faster one; the MSSP will be able to upgrade you for free, whereas you would have to spend money on your own.

3. Software Upgrades - Same as hardware here. You can get software upgrades for free, whereas you might have to pay your own way. For example, from Check Point 4.1 to Check Point NG.

4. Vendor Support - Because MSSPs buy so much equipment/software from vendors, they have much better support from them also. They usually have dedicated support from these vendors 24x7. So any problem that arises will get to the right people immediately, instead of having to go through the normal channels. MSSPs can also get patches/fixes/updates much faster too. Now, not all MSSPs have the same support contract with vendors, so buyer beware.

5. 24x7 Support - We are not talking about somebody carrying a pager here, we are talking about having trained security engineers awake and doing work any hour of the day. This is one of the biggest advantages for outsourcing. Somebody mentioned Scale of Economy in another email; that's exactly right.
The MSSPs can have dedicated engineers working 24x7, whereas you might have your guys waking up in the middle of the night, all grumpy, to fix some problems.

6. Expertise/Experience - Because the MSSPs work with firewalls/VPNs/IDS all the time, it is much more likely that they will have encountered the problem that you are experiencing. In these situations, the MSSP may be able to fix your problem in 30 mins, whereas you may have to spend hours figuring out what happened and trying to fix it.

7. Software Updates/Patches - This is perhaps one of the biggest issues with security nowadays. Many organizations simply don't have the resources or time to keep up with all the security patches or updates on their security devices. The MSSPs will HAVE to do that as part of their SLA. Again, this is where Scale of Economy plays a big part. The MSSPs can upgrade all of their security devices such as firewalls or VPNs with the appropriate patches when they receive them from the vendors (usually sooner because of their relationships).

8. Training - Most of the MSSPs require their engineers to be trained on the devices they service, and they are willing to spend the money to get them trained. Training is certainly not cheap; a PIX or Firewall-1 course can cost anywhere from $3k - $5k. Many of the engineers are also experienced in designing complex & secure networks. I for one am not very fond of certifications. I think anyone with half a brain can pass the certification exams, for example. So when/if you are looking for an outsourcer, beware of anyone telling you that all their engineers are certified. It really doesn't mean jack. Certifications provide some value, not a whole lot though. It is the hands-on training and experience that count the most.

9. Spare Equipment - This again is another huge value MSSPs can provide at very little or no cost to you.
Because MSSPs manage so much equipment, they cannot wait for vendors to ship them spare equipment when something dies, so they have extra equipment ready to deploy. And trust me, equipment does die. :)

10. There are other benefits such as configuration backup and restore, 24x7 active monitoring, statistical (CPU/etc) monitoring, QA, security solution recommendations, etc.

There are however some disadvantages to outsourcing:

- you lose some or all control of the device itself; you still have control of the policy, however.
- the MSSP will not know everything about your organization as you would, so you have the responsibility to work with the MSSP to make sure that they understand what you need.
- your security requirements may be more strict than those of the MSSPs (e.g., your requirement says only 2 people have access to the firewall, but the MSSP may have more engineers working on the firewall.)

So definitely find out all the different requirements you have, and see if the MSSP can meet them. Make sure you ask all the questions you have, and don't let the MSSP bs you into something that you are not sure about. In other words, do your research first.

Ok, just my 2c. If you have any questions/comments, you are welcome to email me at jlz at exodus.net or on this list.

Thx
// Jian

Chris Carlson (carlsonmail at yahoo.com) [010828 07:31]:
> Hi all,
>
> Quick poll (and discussion) for the list:
>
> How many are considering or currently have managed
> security services?
>
> While most of the participants that publish to this
> list are technical and no doubt would elect to manage
> their own VPN, you probably are feeling the business
> pressures and reasons to outsource:
>
> - 24x7 support and monitoring
> - keep up with security events and patches
> - get new versions and features more quickly
> - cost savings
> - etc.
>
> Is this a common theme in enterprises today? I think
> the VPN vendors and ISP people lurking on this list
> would be curious, too!
> :-)
>
> Also, if you're considering or have managed security
> services from your ISP or dedicated MSP, what other
> services are you thinking about?
>
> - Anti-Virus
> - URL Filtering
> - Bandwidth Management
> - etc.
>
> This list has been a little quiet (I know it's summer
> vacation time), so I thought I'd perk it up with
> active discussions!
>
> Thanks all!
>
> Chris

--
Jian L. Zhen
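Returning to the PIX thread earlier on this page (J. Dorsey's question and the replies from Dana Dawson, Martin Bilgrav and Sean McCreanor): the following is an added configuration example, not posted by any of them, that puts both suggestions into PIX 5.2-era syntax on one box. Everything in it is invented for illustration: our PIX has outside address 198.51.100.1 and protects 10.1.1.0/24, the partner PIX at 203.0.113.2 protects 10.2.2.0/24, the ACL names (hq_to_partner, partner_to_hq, outside_in), the map name (partner_map), the two permitted services and the pre-shared-key placeholder are all made up.

```text
: Added example (PIX 5.2-style syntax). Addresses and names are invented.
: Our PIX: outside 198.51.100.1, inside LAN 10.1.1.0/24.
: Partner PIX: 203.0.113.2, LAN 10.2.2.0/24.

: --- Approach 1 (Bilgrav, McCreanor): narrow the crypto ACL itself ---
: Written from our side: source = our hosts/ports, destination = partner LAN.
: Only SMTP to our mail relay and HTTP to our web server are "interesting"
: traffic, so nothing else is ever carried by the SA in either direction.
access-list hq_to_partner permit tcp host 10.1.1.25 eq smtp 10.2.2.0 255.255.255.0
access-list hq_to_partner permit tcp host 10.1.1.80 eq www 10.2.2.0 255.255.255.0

crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map partner_map 10 ipsec-isakmp
crypto map partner_map 10 match address hq_to_partner
crypto map partner_map 10 set peer 203.0.113.2
crypto map partner_map 10 set transform-set strong
crypto map partner_map interface outside

isakmp enable outside
: <psk> is a placeholder for the real pre-shared key.
isakmp key <psk> address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: The partner PIX must carry the exact mirror image (source and destination
: swapped, same ports); otherwise the two ends disagree on what the SA covers:
:   access-list partner_to_hq permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.25 eq smtp
:   access-list partner_to_hq permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.80 eq www

: --- Approach 2 (Dawson): drop the implicit trust and filter the ---
: --- decrypted packets with the ordinary inbound ACL on "outside" ---
no sysopt connection permit-ipsec

: Without the sysopt, the outside ACL has to admit the tunnel itself
: (ISAKMP on UDP 500 and ESP from the peer to our outside address) ...
access-list outside_in permit udp host 203.0.113.2 host 198.51.100.1 eq 500
access-list outside_in permit esp host 203.0.113.2 host 198.51.100.1
: ... and it is then also applied to each packet after decryption, which
: the ACL sees with its inner (private) addresses. Anything the partner
: sends through the tunnel that is not listed here is dropped, even if
: the partner's crypto ACL is wider than ours.
access-list outside_in permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.25 eq smtp
access-list outside_in permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.80 eq www
access-group outside_in in interface outside
```

The two approaches are complementary rather than alternatives: the crypto ACL decides what the SA will carry at all, and the interface ACL is the only one of the two that is enforced purely by our side, which is what matters when the far end is untrusted. A practical caveat with port-specific crypto ACL entries is that each entry negotiates its own IPsec SA pair, so any asymmetry between the two peers' lists shows up as some flows failing to establish while others work; `show crypto ipsec sa` on both PIXes and the per-entry hit counts in `show access-list` are the quickest way to see which entry is (or is not) being matched.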